Unit32-Cybersecurity Assurance


Unit 32.

Information security assurance

Introduction
Read the texts below and then do the assignments that follow.

EUROCACS: UNDERSTAND YOUR AUDIT & WHO CONDUCTS IT

Dan Raywood, Contributing Editor, Infosecurity Magazine

In a talk at the ISACA EuroCACS Conference in Munich, London Chapter
director external relations Raef Meeuwisse described a situation where he had
completed a third party audit of a company, and how many of the ‘mega-breaches’
occur because companies fail on the basics.

He said that every major cyber-breach was down to three major or critical
security safeguards which were either not in place, or were not fit for purpose. He
asked: “Why is it we can identify problems, but not get buy-in to get these fixed?
“Organizations often spend a fortune on layers of security in one direction,
but leave other potential attack vectors open. No security department says ‘we’re
not particularly good’, they always believe they are doing a great job under the
particular circumstances. In my top ten someone said that they were surprised
security culture was not in there, and if there is a sharing culture you can enforce a
good security practice, if not it goes the other way.”
He said that when auditing cybersecurity, you learn where the gaps are, and
it is rare that the company security function already fully and correctly understands
their own status. “Intelligent hackers are also looking for those gaps, and the
purpose of an audit is to find out those gaps first so they can be addressed,” he
said. “One key thing missing in most organizations: they usually don’t have an
independent annual audit, robustly checking what they’re doing by an audit entity
with nothing to lose or gain from the outcome. Unless that happens, an
organization will have no clarity over their real security position.”
Meeuwisse said that the point of an audit is to check that firstly, the security
function is providing the right processes and procedures, and secondly that the
business is following those procedures. "Unless you do a regular audit, you cannot
check that the right things are happening".
He recommended that businesses recognize the symptoms of failure, and
while security knows there are unresolved gaps, often nothing is done to fix it.
“Finding gaps is important and using a framework is straight-forward, but
remember if you’re auditing cybersecurity you don’t take accountability and
responsibility for what they are not letting you check on,” he argued. “You can
only be responsible for the scope that has been approved. If that audit scope has
significant gaps, undetected problems will continue to be present and cause you
problems later on.”

1. Expand the abbreviations. What do they stand for?

ISACA; CACS

2. Answer the questions:

1) What was Raef Meeuwisse’s talk at the ISACA EuroCACS Conference in
Munich devoted to?
2) Why did Raef Meeuwisse criticize the major security safeguards applied in
organizations?
3) What role does security culture play in an organization?
4) Why is a cybersecurity audit so important according to the author?
5) Why does the author mention intelligent hackers together with independent auditors?
6) What is the key mission of the organization in terms of cybersecurity?
7) What is the essence of an audit?
8) What does the author recommend? Can you agree with him?
9) What are the traps and pitfalls of a cybersecurity audit?

3. Summarise the information about the role of information security in
modern business.
4. Comment on the following ideas of the author:

• "Unless you do a regular audit, you cannot check that the right things are
happening".
• “Finding gaps is important and using a framework is straight-forward, but
remember if you’re auditing cybersecurity you don’t take accountability and
responsibility for what they are not letting you check on,”
Text 1
1. Before you read the text, say what you know about cybersecurity
assurance.
2. Explain what the following terms and topic-related words mean: factual
security risks; forensic investigation/examination; cyber risk management;
audit universe.
3. Make sure you know how to pronounce the following words:
assurance; factual; to validate; requisite degree; to mandate; an audit
committee; an enterprise; overarching management systems; legally
privileged; sovereignty; prerogative; cyberwarfare; precedence;
de-perimeterized audit universe; reliance.

1. Read the text below and then do the assignments that follow.

Cybersecurity Assurance
Cybersecurity includes an adequate and reasonable level of assurance, which
completes the security perspective when combined with governance and
management. Information security assurance and cybersecurity assurance require
a comprehensive set of controls as well as audit and review, including
investigation and forensic examination. In a broader sense of the word, assurance
ensures that cybersecurity is designed, implemented, maintained and transformed
in a manner that is consistent with all aspects of GRC.
In information security, assurance requires a set of controls that covers risk
as well as management processes. These controls are supported by appropriate
metrics and indicators for security goals and factual security risk.
Cybersecurity audits and informal reviews (including CSAs) are ongoing
activities that form part of overall organizational security controls and
practices. Investigation and forensics are more directly related to actual attacks
and breaches or other incidents indicating the need for action. Audit differs in
scope from investigative and forensic work.

Auditing and Reviewing Cybersecurity

Cybersecurity should be reviewed frequently to validate the overall control
set in terms of design and effectiveness. Reviews range from the informal
assessment of specific practices or solutions to full-scale audits of all
cybersecurity arrangements within the enterprise. The complete audit and review
universe is distributed across three lines of defense, i.e., the three defined
instances providing assurance. This provides the requisite degree of independence
needed in a review.
As an example, cybersecurity solutions implemented by ISMs are usually reviewed
and tested independently by internal audit.
As the first line of defense, management itself is assumed to have a strong
business interest in providing adequate and comprehensive cybersecurity at all
levels. Responsibility and accountability for cybersecurity may be delegated from
top management to specialized functions. Controls and associated metrics and
indicators as well as regular reviews serve as management instruments for
identifying weaknesses or deficiencies. The implicit expectation is that the first
line of defense will further identify necessary improvements to cybersecurity in the
GRC space.
Risk management, the second line of defense, is designed to evaluate
independently any known or emerging risk relating to cybersecurity. This is
usually effected through use of appropriate tools and methods for risk
identification, analysis and treatment. As a result of the mandated independence,
risk management may inform and assess management decisions, but it should not
replace or overrule these decisions.
The third line of defense, internal audit, is independent by definition,
inasmuch as internal auditors set their own audit programs and decide
independently on the scope of cybersecurity audits. This includes the usual
separate reporting line to the audit committee within the enterprise. The third line
of defense is often instrumental in performing investigative or forensic work.
The transformational aspect of cybersecurity is often embedded in
overarching management systems operated by the enterprise. These include the
ISMS, IT service management or business continuity management system
(BCMS). Typical management systems share a common plan-do-check-act
(PDCA) cycle for continuously improving their respective capabilities and
providing assurance. In practice, it may be convenient for managers and
reviewers to align their assurance work to existing management cycles and
(re)certifications.

Audit Universe
The cybersecurity audit universe includes all control sets, management
practices and GRC provisions in force at the enterprise level. In some cases, the
extended audit universe may include third parties bound by a contract containing
audit rights. However, there are significant boundaries and limitations for audits:
• Corporate sphere of influence/control vs. private sphere of control — In
most enterprises, end users may engage in activities that are only partially covered
by the business purpose. This includes the use of private IT devices and
nonstandard applications. In these cases, audit limitations are imposed due to the
fact that private data and private activity are usually legally privileged (unless
users have opted into disclosure and auditability).
• Internal IT infrastructure vs. external infrastructure — As a rule, the use of
IT extends beyond the internal organizational network, as in traveling-use or
home-use settings. While this may create additional cybersecurity risk, it has
become common practice in most enterprises. Audit limitations and boundaries
exist through network ownership (third-party-owned and -operated networks are
not accessible) and various intermediaries (e.g., Internet service providers [ISPs],
cloud service providers) that usually do not permit external audits.
• Corporate sovereignty vs. legal provisions — In some audit contexts,
specific legal provisions that restrict audit activities or prescribe certain audit
practices may apply. Enterprises under a national security prerogative may be
subject to certain audit limitations, such as in investigative and forensics work. In
suspected cases of cyberwarfare or serious cybercrime, audit activity may be
constrained by the precedence of law enforcement.

The de-perimeterized audit universe is less accessible than might be required
to obtain reasonable assurance in cybersecurity. The audit approach to
cybersecurity arrangements must be indirect (around the system) in many
instances. Organizational networks denote those areas of the overall IT
environment that are completely within the enterprise sphere of control. Both home
and public networks may be audited only by analyzing data and information flow
(including attack and breach data) between these networks and enterprise
networks. For home networks, it is strongly recommended that end users working
from home be encouraged to opt in to extended audit rights spanning their private
IT environment. Similar opt-in clauses should be in force for mobile devices.
As an alternative, the audit universe may be extended by reliance on the
work of others. While strict rules apply in practice, there are various security-
related standards that may deliver partial assurance over otherwise restricted areas
of the IT environment. Examples include ISMS certification reports, ISAE 3402
reports or published regulatory review results. Cybersecurity auditors should
identify and categorize audit areas where reliance on the work of others makes
sense.

BASIC VOCABULARY
1. Find in the text English equivalents for the following Russian words and
word combinations.
to require a comprehensive set of controls; expert assessment (forensic
examination); to be consistent with something; to cover risk; appropriate
metrics and indicators; overall organizational security controls and practices;
to validate (give legal force to) something; to delegate authority; to engage in
investigative or forensic work; audit universe; to engage in activities; to be
involved in / take part in an audit.

2. Give Russian equivalents for the following English words all found in the
text above:

management processes; to be supported by; ongoing activities; to full-scale audits;
comprehensive cybersecurity; audit limitations; internal audit; respective
capabilities; to be legally privileged; associated metrics and indicators; to provide
assurance; the de-perimeterized audit universe; to span private IT environment.

3. Make up situations of your own using the following:

a) Auditing and Reviewing Cybersecurity
b) Audit Universe
c) forensic examination
d) engage in activities
e) providing assurance
4. Match the following terms in column A to their definitions in column B

A
1) digital economy
2) advanced economies
3) emerging economies
4) viral marketing
5) word-of-mouth
6) trade barrier
7) intranet

B
a) economy having a high level of gross domestic product per capita, as well as
a very significant degree of industrialization (https://www.unescwa.org/)
b) private network meant for the exclusive use of the organization and its
associates (www.businessdictionary.com)
c) oral or written recommendation by a satisfied customer to the prospective
customers of a good or service (www.businessdictionary.com)
d) restriction on the free international exchange of goods or services
(www.businessdictionary.com)
e) the worldwide network of economic activities, commercial transactions and
professional interactions that are enabled by information and communications
technologies (techtarget.com)
f) economy that promises huge potential for growth but also poses significant
political, monetary, and social risks (www.businessdictionary.com)
g) explosive growth in sales, or spread of product information through customer
contact (referrals) (http://www.businessdictionary.com)

5. Form partnerships as they occur in the text

1) trade
2) fast-changing
3) obsolete
4) two-way
5) an unencumbered
6) globally
7) market
8) digital

a) marketplace
b) shifts
c) integrated enterprise
d) rival
f) barriers
g) means
h) communication
i) structure

a) Translate the above word combinations into Russian.
b) Use these expressions in sentences of your own.

6. Complete the collocations from the text.


A)
a) to share …
b) to encourage …
c) to facilitate …
d) to double the size of …
e) to generate …
f) to raise …
g) to spring into …
h) to adapt to …
i) to lack the visionary …
j) to mirror …
k) to marshal …

B)

a) … playing field
b) … market linkages
c) … policies
d) … decision-making
e) … structure
f) … marketing
g) … communication
h) an … rival

7. Fill in the gaps using the words and phrases given in the box.

administrative; vulnerabilities; disrupted; assessment; deliver; malicious;
target; shared; secure; strategy; initiative; framework; determine; underpin

INFORMATION ASSURANCE PROFESSIONALS – YOU ARE COMPETENT, BUT
ARE YOU CERTIFIED?

The UK Cyber Security Strategy, published in November 2011 by The Cabinet Office,
states that one of the government’s key objectives is to encourage, support and develop
education for information assurance (IA) professionals. I am delighted to say that The APM
Group has been appointed by CESG, the UK’s National Technical Authority for Information
Assurance, to develop and ______ (1) a new certification scheme for people working in
government IA roles.
The scheme has been developed because the government wants to ______ (2) the huge
economic and social benefits represented by cyberspace. We also need to ensure that our cyber
activities are not ______(3) by attacks. Staying secure in cyberspace can seem complex,
difficult and expensive. There are over 20,000 ______(4) emails on UK government networks
each month, and 1,000 of these deliberately ______(5) the government. These kinds of attacks
are increasing: the number of emails with malicious content detected by government networks in
the whole of 2010 was double the number seen in 2009.
Without a clear and ______(6) understanding of the nature and scale of threats, the
case for investing in protection and prevention can be undermined. Information assurance
therefore plays an important role in reducing our ______(7) in cyberspace. We need cross-
cutting knowledge, skills and capabilities to ______(8) all our cybersecurity objectives to take
advantage of the economic and social opportunities represented by cyberspace.
Part of the government’s ______(9) is to develop information assurance professionals
so the UK continues to retain an edge in this area, together with the underlying research and
development to keep producing innovative solutions. A key ______(10) is to drive up the
skills levels of information assurance and cybersecurity professionals. Specialist training and
certification has been developed to meet these objectives.
CESG has developed a ______(11) for certifying information assurance specialists who
meet competency and skill requirements for specified IA roles. The APM Group is one of the
organizations to be awarded the status of Certification Body by CESG to help develop the new
certification scheme. The other two are BCS and an IISP consortium – each has its own style of
assessment. The APM Group certification process is entirely online, making the application and
______(12) process easy. We have developed a secure ______(13) system accredited by
CESG on which to run the scheme. The origins of the new certification scheme are rooted in
the IISP and SFIA frameworks, which ______(14) competence in all areas of information
assurance.
The purpose of certification is to enable better matching between public sector
requirements for information assurance specialists and the competencies of the staff or
contractors undertaking common IA roles. The six roles are:
 IA accreditor
 IA auditor
 Communications security officer/crypto custodian
 IT security officer/information security system manager/information security system officer
 Security and information risk advisor
 Security architect

What are the benefits for Information Assurance Community?

Answer: Benefits for Information Assurance Community

The certification process will give information assurance specialists the opportunity to
have their competence independently verified. The IA role definitions will also help people plan
their professional development. The APM Group has a long history of working with the Office of
Government Commerce – now part of The Cabinet Office – to deliver its qualification schemes
for project, program and service management specialists.
I believe the introduction of the information assurance certification scheme is timely and
appropriate. It is our mission to help knowledge-based workers prove their knowledge and
extend their skills, so we’ll be aiming to set high standards that will become the industry
benchmark.
We are not aware of anything like this scheme anywhere else in the world, so we hope the
UK is regarded as the leader in this field. With the huge talent and skill available from CESG
and GCHQ in the world of IT and security, the UK should be justly proud of this initiative.
We’re all working together to improve the overall competence of information assurance and
security in the world.

8. Give your opinion. What can be learned from this article?


SKYBOX SECURITY INTRODUCES CHANGE ASSURANCE/TRACKING
According to Gidi Cohen, the firm's CEO, the update to Skybox View 5.0
demonstrates his firm's growing focus on integrating the business processes of
security teams and IT operations to improve the overall security profile of a
business.
"Managing change in the IT environment is now a major issue as far as IT
security professionals are concerned," he told Infosecurity, adding that, by
supporting a high degree of automation, Skybox View has become a very cost-
effective offering.
According to Cohen, managing IT security systems in today's major
organisations is now a full-time job and, because of this, IT security managers and
their teams need to take a flexible approach to managing changes in their systems.
Against this backdrop, he says, IT managers need to adopt a risk analysis and risk
modelling approach to developing their IT security systems.
"This approach really does work. We are seeing a number of enterprises
adopting risk modelling and attack simulations when planning their IT security
systems and deployments", he said.
Cohen says that a manual approach to updating security technology in a
major enterprise creates its own risks, as the IT team becomes distracted by
stocktaking on networks, diverting resources away from strategic security tasks.
The solution, says Skybox's CEO, is to move over to automated risk
modelling tools that can provide a complete and accurate picture of the
organisation's network, making it possible to simulate attack scenarios and compare
possible responses.
https://www.infosecurity-magazine.com/news/skybox-security-introduces-change/

9. Translate the following text into English, paying special attention to English
equivalents of the following topic-related words:

countering cyber threats; information protection; accidental / deliberate
server failure; security tools; weak / seriously vulnerable passwords; setting up
a VPN connection; to encrypt internal network traffic; unauthorized intrusion;
to filter out a significant share of threats; loophole

SMALL BUSINESS HAS BECOME HACKERS' MAIN TARGET

Small and medium-sized businesses are the most vulnerable to hacker attacks. The
causes are often weak passwords, the human factor, and outdated hardware and software.
Small business has become a priority for hackers
Small businesses pay insufficient attention to countering cyber threats.
Experts of the publication Entrepreneur reached this conclusion on the basis of
a whole series of studies. In an article devoted to the problems of protecting
small companies from hacker attacks, they note that approximately 43% of all
cyberattacks are aimed precisely at small businesses. This is explained by the
fact that they hold a certain value in the eyes of criminals, yet pay less
attention to their own security than large corporations do.
The consequences of such attacks prove fatal for small companies. According
to the National Cyber Security Alliance, 60% of small and medium-sized businesses
close within six months of a hacker attack.
“Entrepreneurs should understand that the problem of information protection
exists regardless of the size of the business. Otherwise they will have to learn
this from their own bitter experience, at the moment of the accidental or
deliberate failure of their only database server or of an encrypted computer
holding important financial information,” says Fortinet systems engineer
Vyacheslav Gordeev.
To protect a business, it is better to hire specialists
First of all, experts recommend paying attention to security tools related to
password protection. According to Deloitte estimates, up to 90% of passwords are
too weak and seriously vulnerable. Cybercriminals' plans can be thwarted both by
choosing strong passwords and by managing them effectively and updating them
frequently.
Another important factor is setting up a VPN connection that will encrypt
internal network traffic. Analysts also suggest not skimping on investment in
antivirus software and firewalls, which on their own will not protect against
unauthorized intrusion but will at least filter out a significant share of threats.
In addition, one should not skimp on hardware and software. Old equipment
and hardware give cybercriminals more loopholes. And data storage, project
management and other IT components of the enterprise depend on the reliability
and quality of the software.
One should not forget the need to invest in employee education either.
Dozens of studies have proven that human error lies behind a significant share of
successful attacks.
“An entrepreneur can, of course, work out the various technologies and
information protection tools on their own,” notes Vyacheslav Gordeev. “But it
would be far more effective to hire a suitable employee. And if information
protection is recognized as critical, then two at once. Thanks to this, the
business units will be able to focus on developing the business itself.”
http://safe.cnews.ru/news/top/2018-01-25_nadezhnye_paroli_i_vpn_zashchityat_malyj_biznes_ot
10. Using the key vocabulary, speak about:
a) Digital economic environment;
b) Globally integrated enterprises;
c) Edge-based organizations;

BACK TO THE TEXT

1. Answer the questions:

1) What level of assessment does cybersecurity include?
2) What does information security assurance require?
3) What role do cybersecurity audits and informal reviews play in overall
organizational security controls?
4) Why should cybersecurity be reviewed regularly?
5) What does a complete audit and review cover?
6) What is assessed at the first line of defense?
7) What is the importance of the first line of defense?
8) What is understood as the second line of defense?
9) Why is the third line of defense considered independent by definition?
10) What does the transformational aspect consist in? What does it include?
11) How do management systems differ from each other in practice?
12) How does the author define the concept of the cyber audit universe?
13) Which boundaries or limitations for an audit can be set?
14) What does the international IT infrastructure mean?
15) What can restrict audit activities in terms of corporate sovereignty?
16) What can help to obtain reasonable assurance in cybersecurity?
17) How can public / home networks be controlled?
18) What are the regulations to provide at least partial assurance over a
restricted IT environment?
2. Explain what the following words and phrases from the text mean.
• an adequate and reasonable level of assurance
• factual security risk
• the informal assessment of specific practices or solutions
• to full-scale audits
• the requisite degree of independence
• internal audit
• the first /second /third line of defense
• the mandated independence
• overarching management systems
• business continuity management system
• traveling-use
• corporate sovereignty
• the de-perimeterized audit universe
• private IT environment

3. How many parts do you think the text falls into? Give a heading to each of
them.
4. Make an outline of the text. Remember to make up a list of key vocabulary
referring to each part of your outline.
5. Summarise the text using the topic-related vocabulary.

Text 2
Read the text below and then do the assignments that follow.
SECURITY AUDIT POLICY IS ESSENTIAL IN ENSURING NETWORK SECURITY
Rupesh Kumar, Director, Lepide Software
Large organizations may have hundreds of servers and thousands of
computers as clients of those servers. Ensuring the security of such a vast array of
computers and the data stored thereon is a big challenge for IT administrators.
When it comes to network security, many organizations still seem to invest a
fortune in traditional security solutions such as firewalls, antivirus, data encryption
and so forth. These methods have proven reasonably effective in network security,
but nonetheless many security breaches still occur. One of the reasons is that these
traditional security solutions focus on external threats. When the origin of the
threat is internal, such network security solutions may not be of great help.
Another point to take into account is regulatory compliance. If you operate
in an industry vertical where you have to consider regulatory compliance, having
the means to protect only against external threats can result in audit failure and
significant financial penalties. To stay compliant in the face of such audits you
need to plan a 360-degree defense approach which gives equal weight to both
internal and external threats and also looks at the problem from an auditing
perspective.
Having understood the importance of internal security, the question is, what
can be done to ensure security against internal threats, such as those caused by
legitimate employees or delegated users? Organizations using Microsoft technology
can use Active Directory and Group Policy Objects to centrally enforce strong
security policy through user rights and permissions governing access to resources
and data. However, as important as it is to implement such policy, it is equally
important to track its effectiveness through proper auditing.
Devising a strong audit policy goes a long way in ensuring security against
internal threats. A well planned and meticulously deployed audit policy can ward
off a number of threats originating from unauthorized access by internal staff,
password guesses, unwanted changes, incorrect permission assignment and even
accidental changes and deletion.
However, organizations’ auditing strategies must take into account all
resources and each user’s activity to minimize the probability of a security breach.
But as you might have surmised, it’s inefficient for an organization to invest in that
kind of resource to track each and every change without using any specialized
software. Looking at the issue at a more micro level, audit logs remain scattered
around the network in various servers and client systems. Also, each event
generates numerous lines of logs, and the total logs generated in a day could be too
much to flip through manually.
Considering these issues, the objective should be to analyze security risks
meticulously and devise a differential auditing strategy with an emphasis on
vulnerable resources. Audit only what is required or where threat perception is
more than any other resource. Also, consolidate all logs in a centralized database.
This will minimize the chances of log deletion or manipulation and will also make
it easier to process the logs and present them in a format which can be easily
analyzed to take informed decisions. Taking these factors into account, you can
design an effective auditing policy to tighten Windows environment security.
https://www.infosecurity-magazine.com/opinions/security-audit-policy-essential/
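The text above argues for two things: consolidating scattered audit logs into one central store so that they are harder to delete or manipulate, and auditing selectively for the internal threats it names (password guesses, incorrect permission assignment, unwanted changes). The following Python example, added here and not part of the article or of any Lepide product, shows both in miniature: records from several hosts are loaded into one SQLite database with a hash chained over every row, so a later edit or deletion is detectable, and two queries then pull out the password-guessing pattern and permission or group-membership changes. The log records, host names, user names and timestamps are constructed for the example; the event IDs are the standard Windows Security log IDs (4624 successful logon, 4625 failed logon, 4670 permissions on an object changed, 4732 member added to a security-enabled local group).

```python
"""Consolidate Windows Security event records from several hosts into one
tamper-evident SQLite store and run two internal-threat checks over it.
Added example; the records below are constructed, not real captures."""
import hashlib
import sqlite3

# Constructed sample records: (host, timestamp, event_id, subject, target).
SAMPLE_EVENTS = [
    ("FS01", "2024-03-01T08:00:01", 4624, "alice", "alice"),
    ("FS01", "2024-03-01T08:02:11", 4625, "-", "bob"),
    ("FS01", "2024-03-01T08:02:14", 4625, "-", "bob"),
    ("FS01", "2024-03-01T08:02:17", 4625, "-", "bob"),
    ("FS01", "2024-03-01T08:02:20", 4625, "-", "bob"),
    ("FS01", "2024-03-01T08:02:23", 4625, "-", "bob"),
    ("FS01", "2024-03-01T08:02:26", 4625, "-", "bob"),
    ("WS17", "2024-03-01T08:05:00", 4625, "-", "carol"),
    ("WS17", "2024-03-01T08:05:30", 4624, "carol", "carol"),
    ("DC01", "2024-03-01T09:10:00", 4732, "alice", "Administrators"),
    ("FS01", "2024-03-01T09:15:42", 4670, "alice", r"\\FS01\Finance\payroll.xlsx"),
    ("WS17", "2024-03-01T10:00:00", 4624, "dave", "dave"),
]


def _row_hash(prev_hash, host, ts, event_id, subject, target):
    """Hash of one record, chained to the hash of the record before it."""
    payload = "|".join([prev_hash, host, ts, str(event_id), subject, target])
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def build_store(events):
    """Load records from all hosts into one database, ordered by time, with a
    hash chain so that later edits or deletions can be detected. In-memory
    here; a central log server would use a file on protected storage."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE events (seq INTEGER PRIMARY KEY, host TEXT, ts TEXT, "
        "event_id INTEGER, subject TEXT, target TEXT, row_hash TEXT)"
    )
    prev = "genesis"
    for host, ts, event_id, subject, target in sorted(events, key=lambda e: e[1]):
        prev = _row_hash(prev, host, ts, event_id, subject, target)
        conn.execute(
            "INSERT INTO events (host, ts, event_id, subject, target, row_hash) "
            "VALUES (?, ?, ?, ?, ?, ?)",
            (host, ts, event_id, subject, target, prev),
        )
    conn.commit()
    return conn


def verify_chain(conn):
    """Recompute the chain from the first row; False if any stored row was
    altered or an earlier row was removed."""
    prev = "genesis"
    rows = conn.execute(
        "SELECT host, ts, event_id, subject, target, row_hash FROM events ORDER BY seq"
    )
    for host, ts, event_id, subject, target, stored in rows:
        prev = _row_hash(prev, host, ts, event_id, subject, target)
        if prev != stored:
            return False
    return True


def failed_logon_bursts(conn, threshold=5):
    """Accounts with at least `threshold` failed logons (4625) on one host,
    the password-guessing pattern the article lists. Returns
    (target account, host, count) tuples, most failures first."""
    return conn.execute(
        "SELECT target, host, COUNT(*) FROM events WHERE event_id = 4625 "
        "GROUP BY target, host HAVING COUNT(*) >= ? ORDER BY COUNT(*) DESC",
        (threshold,),
    ).fetchall()


def privilege_changes(conn):
    """Permission changes (4670) and local-group membership changes (4732),
    the 'incorrect permission assignment' and 'unwanted changes' cases."""
    return conn.execute(
        "SELECT ts, host, event_id, subject, target FROM events "
        "WHERE event_id IN (4670, 4732) ORDER BY ts"
    ).fetchall()


def tamper_demo(events):
    """Delete one failed-logon record from a fresh store and show the chain
    check flipping from True to False."""
    conn = build_store(events)
    before = verify_chain(conn)
    conn.execute("DELETE FROM events WHERE event_id = 4625 AND seq = 3")
    after = verify_chain(conn)
    return before, after


if __name__ == "__main__":
    store = build_store(SAMPLE_EVENTS)
    print("chain intact:", verify_chain(store))
    print("failed-logon bursts:", failed_logon_bursts(store))
    print("privilege changes:", privilege_changes(store))
    print("tamper demo (before, after):", tamper_demo(SAMPLE_EVENTS))
```

One caveat the chain alone does not cover: removing the newest row leaves no later row to contradict it, so the current head hash must itself be copied somewhere the log server cannot rewrite (a separate host or write-once storage) and compared at each check. The threshold in `failed_logon_bursts` is the tuning point for the article's "audit only what is required" advice: a single failure from carol is noise, six in fifteen seconds against bob is worth a look.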

Assignments:
1. In the text, find information relating to the following:
a) security audit; b) security audit policy.

2. Using the information from the text, speak about

• the necessity of regulatory compliance;
• the importance of internal security;
• organizations’ auditing strategies.
3. Consider the basic network security policy components: external and
internal threats; data encryption; effective methods in network security; the
investments into security; Microsoft technology.
4. Explain what the following words and phrases from the text mean:
• network security
• to operate in an industry vertical
• legitimate employees
• delegated users
• enforce strong security policy through user rights and permissions
• a differential auditing strategy
• vulnerable resources
5. Make an outline of the text. Remember to make up a list of key
vocabulary referring to each part of your outline.
6. Summarise the text using the topic-related vocabulary
7. Do you agree with the following statements from the text? Give reasons
for your answer.
a) … a vast array of computers and the data stored thereon is a big challenge
for IT administrators;
b) When the origin of the threat is internal, such network security solutions
may not be of great help.
c) A well planned and meticulously deployed audit policy can ward off a
number of threats originating from unauthorized access by internal staff…
d) … it’s inefficient for an organization to invest in that kind of resource to
track each and every change without using any specialized software.
e) Audit only what is required or where threat perception is more than any
other resource.
8. Prove that using Microsoft technology organizations can use Active
Directory and Group Policy Objects to centrally enforce strong security policy.
9. Consider a 360-degree defense approach. If necessary find more information
in other sources.
Text 3
1. Read the following text and then do the assignments that follow.
ISACA: Auditing Cyber Security
Александр Кузнецов
The ISACA association has released a document that deserves the attention of
all auditors and, in my view, of information security specialists as well:
"Auditing Cyber Security: Evaluating Risk and Auditing Controls", together with
the accompanying memo "10 Things Auditors Should Know ABOUT CYBER SECURITY".
In my view, this is one of the first documents in which the association,
whose profile is above all auditing, speaks not of auditing an organization's
information security (IS Audit), a term that appears again and again in ISACA
materials, but of auditing an organization's cyber security (Auditing Cyber
Security).
It is good to see that the audit, or more precisely its results, is
presented as a way of obtaining answers to extremely important questions (the
other way of obtaining those answers is a risk assessment):
- where is it best to invest in the organization's cyber security (the financial
side);
- are the right amounts being invested in the organization's cyber security;
- are there untreated risks in the organization's cyber security;
- is the money already invested being used sensibly today or not;
- how are competitors working in this area, and what do they spend on when
securing their own organizations?
I would venture to say that merely by raising these questions the document
is valuable, because it broadens the view of a term familiar to everyone, one
that is very often treated simply as the necessity of a "formal annual project".
Continuing the investment question, the document gives an extremely
interesting chart, dated 2013, which I had not come across before; given how
topical the question of investment in organizational cyber security is, I
reproduce it here:
The 10 things an auditor should know about cyber security are the following
(I would even say not just know, but understand, and set the emphasis of the
audit accordingly):
1. Leverage existing frameworks and guidance (this is about tying together
material from the NIST, ISO, COBIT 5 and other series, i.e. taking a
comprehensive view of the problem rather than seeing it through the lens of a
single "school").
2. Consider upcoming legislation (i.e. understand not only the current but
the future regulatory picture, including internationally; it is pleasing to see
that in the "10 Things …" memo Russia is noted as one of the countries whose
interests must be reckoned with).
3. Remember that all risk is subjective (the point is not to waste time on
threats and vulnerabilities that create no real risk for the organization).
4. Remember that users always have been and always will be the biggest
source of risk (priority should go to working with people: training and
awareness).
5. Remember that basic information security measures are still relevant (by
analogy with sport, physical training or fitness: there are basic exercises that
have proved their effectiveness and efficiency).
6. Recognize the need for an incident response policy and for plans to test
it (this confirms the trend and the growth of the Incident Response field).
7. Understand that the cyber security strategy must be Agile in style,
because the surrounding landscape is constantly "mutating" (flexible approaches
to management are a reality, not an exotic idea).
8. Understand that awareness depends on the right training (in my view it is
pointless to expect any action from people, let alone the right action, if
nobody has explained to them what it is).
9. Recognize that everything interacts with everything.
10. Be aware of credential theft techniques, here meaning the theft of
credentials (for example: pass-the-hash, key logging, passing tickets, token
impersonation, man-in-the-middle attacks).
1. a) Make a gist of the above text. b) Make an outline of it. c) Make up a list of
key vocabulary to be used in your rendering. d) Render the text in English using
your outline and your list of the key vocabulary.
Reading 1
24X7 SOCS: THE ANSWER TO ALL MONITORING AND LOGGING NEEDS?
Noreen Beg, compliance service delivery lead at Nettitude
Monitoring and logging are crucial aspects of cyber assurance strategies that have
been around for many years; however, the reality that cyber-attacks and breaches now
happen to anyone and everyone is inevitably bringing the need for round-the-clock
‘situational awareness’ to the fore.
The SOC (Security Operations Centre) provides a centralized hub for
organizational logging and monitoring which can either be conducted in-house or
outsourced to provide visibility over technical and security issues.
Asking the right questions
Most organizations believe that simply by having a 24x7 SOC in place, they have
enhanced security and are better protected against threats and vulnerabilities, yet this can
potentially lead to a false sense of security. On the one hand, having dedicated analysts
watching the environment continuously has obvious benefits, given cyber-attackers are
unlikely to keep regular working hours; on the other hand, is this the overriding factor
that will help to detect and react to a breach in the best possible manner?
The reality is that a 24x7 SOC is not, in itself, the primary indicator of success. The
questions that need to be addressed are ‘how good is the SOC?’ and ‘how can it be
measured?’ A SOC needs to be operating at the best of its ability, maturing well and
constantly updating with emerging threat intelligence, to include not just the latest threats
but also innovative ways of detecting them. An effective SOC should not be a standalone
department; it needs full interaction with a comprehensive cyber security assurance
program for optimal results.
Cyber security awareness & threat intelligence
The main areas that are often discussed around the capability of a SOC are:
technology, people, process and information. Threat intelligence (TI) is another vital
component in the context of assurance; in other words, having the confidence that an
incident will be detected and effectively dealt with when it arises.
Accurate TI is crucial when detecting threat actors and activity. One of the first
challenges faced by any monitoring and logging solution is the sheer amount of logs and
data that organizations will need to deal with. Effective TI should help accomplish the
following:
Identify threat actors: Knowing the enemy is vital for all organizations.
Identifying who potential adversaries are, but also how they operate and how they are
likely to strike, is invaluable intelligence.
Understand the context of risk: A SOC must know what the business’s critical
assets are, where they are located and what vulnerabilities there may be in order to
effectively monitor them.
An effective SOC must use TI to inform, shape and define the service being
provided. This should ideally be supported by a red team (made up of penetration testing
experts) that is fully integrated with the SOC, as an organization with no experience of
attacks is unlikely to have an accurate understanding of the capabilities they need to
defend their networks. There are four key considerations for those looking to implement a
SOC:
1. Information: All SIEM platforms correlate and take in data from log
sources. How these are tuned, which ones are used, and how effective they are at detecting
the type of activity they’re trying to detect are all important. Incorporating information
about the environment (key assets, vulnerabilities, threats etc.) is also vital.
2. People: When addressing personnel within the SOC, it is important to
recruit based on experience and certification, but also to assess capability. Although it
may be tempting to employ entry-level candidates, an experienced team with a variety of
skill sets and experience is ideal. Members of the team should also support the maturity
process by helping to develop processes with regards to environmental tuning, and be
regularly trained and assessed to support the day-to-day running of the SOC.
3. Tools/Systems: The SOC tool set should be far more than just a SIEM
platform (although this is a key element). The addition of host-based agents, network
captures, TI products, honeypots and so on is as significant. How effective and
intelligent the SOC toolset is and how effectively it is used will directly impact its
utilization. The SOC platform should not be considered a single or standalone SIEM
product that will protect organizational security in its entirety. The initiative should be
taken to see what other tools can be used in conjunction to generate more intelligent
alarms and events.
4. Processes: When a threat is detected, a set process must be in place with an
efficient escalation plan, which must be regularly assessed to ensure maximum efficiency.
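The "information" consideration above (what the SIEM correlates, how it is tuned, and whether it carries asset and threat context) and the earlier point that a SOC must know its critical assets and use TI to shape the service are easiest to see in a small correlation engine. The block below is an added example, not the article's or Nettitude's code: two rules run over constructed authentication events, one correlating a burst of failures followed by a success, the other matching sources against a constructed threat-intelligence list, and every alert is escalated to at least the criticality tier of the asset it touches. The log format, host names, addresses and indicators are all invented for the example.

```python
"""Toy SIEM correlation over constructed authentication events.

Added illustration for the SOC considerations above; not the article's or
Nettitude's code. Log format, asset inventory and TI indicators are all
constructed for the example; a real SIEM ingests vendor formats and feeds.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (key=value style; not any real product's format).
SAMPLE_LOGS = """\
2024-05-01T08:00:01Z host=fs01 event=auth_fail user=jsmith src=10.0.5.23
2024-05-01T08:00:03Z host=fs01 event=auth_fail user=jsmith src=10.0.5.23
2024-05-01T08:00:05Z host=fs01 event=auth_fail user=jsmith src=10.0.5.23
2024-05-01T08:00:08Z host=fs01 event=auth_ok user=jsmith src=10.0.5.23
2024-05-01T08:15:00Z host=web01 event=auth_fail user=admin src=203.0.113.77
2024-05-01T08:15:02Z host=web01 event=auth_ok user=admin src=203.0.113.77
2024-05-01T09:00:00Z host=hr-db event=auth_ok user=svc_backup src=198.51.100.9
2024-05-01T09:30:00Z host=fs01 event=auth_fail user=mlee src=10.0.7.4
2024-05-01T10:30:00Z host=fs01 event=auth_ok user=mlee src=10.0.7.4
"""

# "Context of risk": criticality of the assets being monitored (constructed).
ASSET_TIER = {"fs01": "medium", "web01": "high", "hr-db": "critical"}
# Threat-intelligence indicators (constructed; 198.51.100.0/24 is documentation space).
THREAT_INTEL = {"198.51.100.9": "source listed as C2 infrastructure"}
SEVERITY = ["low", "medium", "high", "critical"]


def parse_line(line: str) -> dict:
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev


def parse_logs(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def escalate(base: str, host: str) -> str:
    """Never rate an alert below the criticality tier of the asset it touches."""
    return max(base, ASSET_TIER.get(host, "low"), key=SEVERITY.index)


def rule_bruteforce_then_success(events, threshold=3, window=timedelta(minutes=5)):
    """N failures followed by a success for the same src/user/host inside the window."""
    alerts, fails = [], defaultdict(list)
    for ev in events:
        key = (ev["src"], ev["user"], ev["host"])
        recent = [t for t in fails[key] if ev["ts"] - t <= window]  # drop stale failures
        if ev["event"] == "auth_fail":
            fails[key] = recent + [ev["ts"]]
        elif ev["event"] == "auth_ok":
            if len(recent) >= threshold:
                alerts.append({
                    "rule": "bruteforce_then_success",
                    "host": ev["host"], "user": ev["user"], "src": ev["src"],
                    "severity": escalate("high", ev["host"]),
                    "detail": f"{len(recent)} failures then success within {window}",
                })
            fails[key] = []  # one alert per burst, not one per later success
    return alerts


def rule_threat_intel_match(events):
    """Any authentication event whose source is on the TI indicator list."""
    alerts = []
    for ev in events:
        note = THREAT_INTEL.get(ev["src"])
        if note:
            alerts.append({
                "rule": "threat_intel_match",
                "host": ev["host"], "user": ev["user"], "src": ev["src"],
                "severity": escalate("medium", ev["host"]),
                "detail": f"{note}; event={ev['event']}",
            })
    return alerts


def run_rules(text: str) -> list:
    events = sorted(parse_logs(text), key=lambda e: e["ts"])
    return rule_bruteforce_then_success(events) + rule_threat_intel_match(events)


if __name__ == "__main__":
    for a in run_rules(SAMPLE_LOGS):
        print(f"[{a['severity']:8}] {a['rule']}: {a['user']}@{a['host']} "
              f"from {a['src']} ({a['detail']})")
```

On the sample, only two of the nine events produce alerts: the jsmith burst on fs01 (three failures in seven seconds, then a success) and the svc_backup logon to hr-db from a listed address, which the asset tier lifts from medium to critical. The single admin failure on web01 and the mlee failure an hour before the next success stay quiet. The tuning knobs the article talks about are the threshold, the window, the asset tiers and the indicator feed; the quality of the alerts depends on keeping those current, not on whether someone is watching the console at 3 a.m.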

Before a company decides that a 24x7 service is the key requirement of their SOC,
they must bear in mind that there may be some significant hurdles to overcome in order
to achieve this. Ultimately, a 24x7 service alone is no guarantee of a higher level of
assurance. If a SOC is working to the optimal standards outlined above, there may be
little need for a 24x7 service, as genuine threats would be correctly detected, classified
and acted upon.
https://www.infosecurity-magazine.com/opinions/24x7-socs-the-answer-to-all/
Reading 2
BEST PRACTISE GUIDE OFFERS BOARD SECURITY ADVICE
Dan Raywood, Contributing Editor, Infosecurity Magazine
A best practice guide on cybersecurity basics for boards of directors has been
launched.
After cybersecurity issues were rated by the World Economic Forum as one of the
top three risks for 2017, the World Economic Forum Future of Digital Economy and
Society System Initiative has released a whitepaper to help boards understand the risks
they are facing.
The guide claimed that “cyber resilience and cyber risk management are critical
challenges for most organizations today”, but those organizations do not feel they are
equipped with the tools to manage cyber risks with the same level of confidence that they
manage other risks, and that emerging leading practices have not yet become part of the
standard set of board competencies.
“Beyond individual organizations, cyber risk is a systemic challenge and cyber
resilience a public good,” the report said. “In the coming years, several billions of
everyday devices will be connected. As our virtual and physical worlds merge, the stakes
are increased. This will require two things: 1) a significantly increased number of
organizations adopting, sharing and iterating current leading practices; and 2) cross-
sectoral collaboration to develop the new practices that will be required to deal with the
unique attributes of managing cyber risks of physical assets.”
The report is intended to be a framework and set of tools that boards of directors
can “use to smoothly integrate cyber risk and resilience into business strategy, so that
their companies can innovate and grow securely and sustainably.”
Speaking at the launch of the Global Risks Report, Richard Samans, managing
director and member of the managing board of the World Economic Forum, said that
with the risk of cybersecurity increasing, the best practice handbook is a year-long project
intended to make sure the board are up-to-date in order to “manage this critical risk as
IoT is only going to get more serious so this is a boardroom issue, but the problem is
more boardrooms are not equipped to carry out their duty so that the organization that
they are governing has the right strategy and has the right tools and the right people in
place.”
Asked if leadership is struggling to know what to do in the new environment,
Samans said: “The world is moving very rapidly. Take cybersecurity: this has just
rocketed up to become an existential issue in the last few years, so you cannot expect that
most boards of directors are equipped for this.
“You can imagine being in that position; you have a gnawing sense of
responsibility and there is a need for frameworks, and not just waiting for an international
treaty or a formal code to be established, but we need to be more agile, rapid, flexible and
purpose-built in our behavior.”
The whitepaper proposes ten “board principles for cyber resilience”:
Principle 1 – Responsibility for cyber resilience: The board as a whole takes
ultimate responsibility for oversight of cyber risk and resilience.
Principle 2 – Command of the subject: Board members receive cyber resilience
orientation upon joining the board and are regularly updated on recent threats and trends.
Principle 3 – Accountable officer: The board ensures that one corporate officer is
accountable for reporting on the organization’s capability to manage cyber resilience and
progress in implementing cyber resilience goals.
Principle 4 – Integration of cyber resilience: Board ensures that management
integrates cyber resilience and cyber risk assessment into overall business strategy and
into enterprise-wide risk management.
Principle 5 – Risk appetite: The board annually defines and quantifies business
risk tolerance relative to cyber resilience, and ensures that this is consistent with
corporate strategy and risk appetite.
Principle 6 – Risk assessment and reporting: The board holds management
accountable for reporting a quantified and understandable assessment of cyber risks,
threats and events as a standing agenda item during board meetings.
Principle 7 – Resilience plans: Support for the officer accountable for cyber
resilience by the creation, implementation, testing and ongoing improvement of cyber
resilience plans.
Principle 8 – Community: Encourages management to collaborate with other
stakeholders in order to ensure systemic cyber resilience.
Principle 9 – Review: Carrying out a formal, independent cyber resilience review
of the organization annually.
Principle 10 – Effectiveness: to review its own performance in the implementation
of these principles.
In an email to Infosecurity, ISF managing director Steve Durbin said that, albeit at a
high level, the principles certainly touch upon a number of the key focus areas for a
board to best infuse a culture of security and risk appetite internally within an
organization.
He said: “I’ve been saying for a number of years that information risk must be
elevated to a board-level issue and given the same attention afforded to other risk
management practices. Organizations face a daunting array of challenges interconnected
with cybersecurity: the insatiable appetite for speed and agility, the growing dependence
on complex supply chains, and the rapid emergence of new technologies.
“Cybersecurity chiefs must drive collaboration across the entire enterprise,
bringing business and marketing needs into alignment with IT strategy. IT must
transform the security conversation so it will resonate with leading decision-makers while
also supporting the organization’s business objectives.
“Frankly, every organization, no matter their size, must assume they will
eventually incur severe impacts from unpredictable cyber threats. Planning for resilient
incident response in the aftermath of a breach is imperative. Traditional risk management
is insufficient. It’s important to learn from the cautionary tales of past breaches, not only
to build better defenses, but also better responses.”
https://www.infosecurity-magazine.com/news/best-practise-guide-board-security/