Unit32-Cybersecurity Assurance
He said that every major cyber-breach was down to three major or critical
security safeguards which were either not in place, or were not fit for purpose. He
asked: “Why is it we can identify problems, but not get buy-in to get these fixed?
“Organizations often spend a fortune on layers of security in one direction,
but leave other potential attack vectors open. No security department says ‘we’re
not particularly good’, they always believe they are doing a great job under the
particular circumstances. In my top ten someone said that they were surprised
security culture was not in there, and if there is a sharing culture you can enforce a
good security practice, if not it goes the other way.”
He said that when auditing cybersecurity, you learn where the gaps are, and
it is rare that the company security function already fully and correctly understands
their own status. “Intelligent hackers are also looking for those gaps, and the
purpose of an audit is to find out those gaps first so they can be addressed,” he
said. “One key thing missing in most organizations: they usually don’t have an
independent annual audit, robustly checking what they’re doing by an audit entity
with nothing to lose or gain from the outcome. Unless that happens, an
organization will have no clarity over their real security position.”
Meeuwisse said that the point of an audit is to check that firstly, the security
function is providing the right processes and procedures, and secondly that the
business is following those procedures. "Unless you do a regular audit, you cannot
check that the right things are happening".
He recommended that businesses recognize the symptoms of failure, and
while security knows there are unresolved gaps, often nothing is done to fix it.
“Finding gaps is important and using a framework is straight-forward, but
remember if you’re auditing cybersecurity you don’t take accountability and
responsibility for what they are not letting you check on,” he argued. “You can
only be responsible for the scope that has been approved. If that audit scope has
significant gaps, undetected problems will continue to be present and cause you
problems later on.”
ISACA; CACS
Text 1
1. Before you read the text, say what you know about cybersecurity
assurance.
2. Explain what the following terms and topic-related words mean: factual
security risks; forensic investigation/examination; cyber risk management;
audit universe.
3. Make sure you know how to pronounce the following words:
assurance; factual; to validate; requisite degree; to mandate; an audit
committee; an enterprise; overarching management systems; legally
privileged; sovereignty; prerogative; cyberwarfare; precedence; de-perimeterized
audit universe; reliance.
1. Read the texts below and then do the assignments that follow them.
Cybersecurity Assurance
Cybersecurity includes an adequate and reasonable level of assurance, which
completes the security perspective when combined with governance and
management. Information security assurance and cybersecurity assurance require
a comprehensive set of controls as well as audit and review, including
investigation and forensic examination. In a broader sense of the word, assurance
ensures that cybersecurity is designed, implemented, maintained and transformed
in a manner that is consistent with all aspects of GRC.
In information security, assurance requires a set of controls that covers risk
as well as management processes. These controls are supported by appropriate
metrics and indicators for security goals and factual security risk.
Cybersecurity audits and informal reviews (including CSAs) are ongoing
activities that form part of overall organizational security controls and
practices. Investigation and forensics are more directly related to actual attacks
and breaches or other incidents indicating the need for action. Audit differs in
scope from investigative and forensic work.
Audit Universe
The cybersecurity audit universe includes all control sets, management
practices and GRC provisions in force at the enterprise level. In some cases, the
extended audit universe may include third parties bound by a contract containing
audit rights. However, there are significant boundaries and limitations for audits:
• Corporate sphere of influence/control vs. private sphere of control—In
most enterprises, end users may engage in activities that are only partially covered
by the business purpose. This includes the use of private IT devices and
nonstandard applications. In these cases, audit limitations are imposed due to the
fact that private data and private activity are usually legally privileged (unless
users have opted into disclosure and auditability).
• Internal IT infrastructure vs. external infrastructure — As a rule, the use of
IT extends beyond the internal organizational network, as in traveling-use or
home-use settings. While this may create additional cybersecurity risk, it has
become common practice in most enterprises. Audit limitations and boundaries
exist through network ownership (third-party-owned and -operated networks are
not accessible) and various intermediaries (e.g., Internet service providers [ISPs],
cloud service providers) that usually do not permit external audits.
• Corporate sovereignty vs. legal provisions — In some audit contexts,
specific legal provisions that restrict audit activities or prescribe certain audit
practices may apply. Enterprises under a national security prerogative may be
subject to certain audit limitations, such as in investigative and forensics work. In
suspected cases of cyberwarfare or serious cybercrime, audit activity may be
constrained by the precedence of law enforcement.
BASIC VOCABULARY
1. Find in the text English equivalents for the following Russian words and
word combinations.
Require a comprehensive set of controls; forensic examination; be consistent
with something; cover risk; appropriate metrics and indicators; overall
organizational security controls and practices; validate (give legal force to)
something; mandate (delegate authority); carry out investigative or forensic
work; audit universe; engage in activities; be involved in / take part in an
audit.
2. Give Russian equivalents for the following English words all found in the
text above:
A
1) digital economy
2) advanced economies
3) emerging economies
4) viral marketing
5) word-of-mouth
6) trade barrier
7) intranet
B
a) economy have a high level of gross domestic product per capita, as well as a
very significant degree of industrialization (https://www.unescwa.org/)
b) private network meant for the exclusive use of the organization and its
associates (www.businessdictionary.com)
c) Oral or written recommendation by a satisfied customer to the prospective
customers of a good or service. (www.businessdictionary.com)
d) restriction on the free international exchange of goods or services.
(www.businessdictionary.com)
e) the worldwide network of economic activities, commercial transactions and
professional interactions that are enabled by information and communications
technologies (techtarget.com)
f) economy that promises huge potential for growth but also pose significant
political, monetary, and social risks (www.businessdictionary.com)
g) Explosive growth in sales, or spread of product information through customer
contact (referrals) (http://www.businessdictionary.com)
1) trade
2) fast-changing
3) obsolete
4) two-way
5) an unencumbered
6) globally
7) market
8) digital
a) marketplace
b) shifts
c) integrated enterprise
d) rival
f) barriers
g) means
h) communication
i) structure
B)
a) … playing field
b) … market linkages
c) … policies
d) … decision-making
e) … structure
f) … marketing
g) … communication
h) an … rival
7. Fill in the gaps using the words and phrases given in the box.
The UK Cyber Security Strategy, published in November 2011 by The Cabinet Office,
states that one of the government’s key objectives is to encourage, support and develop
education for information assurance (IA) professionals. I am delighted to say that The APM
Group has been appointed by CESG, the UK’s National Technical Authority for Information
Assurance, to develop and ______ (1) a new certification scheme for people working in
government IA roles.
The scheme has been developed because the government wants to ______ (2) the huge
economic and social benefits represented by cyberspace. We also need to ensure that our cyber
activities are not ______(3) by attacks. Staying secure in cyberspace can seem complex,
difficult and expensive. There are over 20,000 ______(4) emails on UK government networks
each month, and 1,000 of these deliberately ______(5) the government. These kinds of attacks
are increasing: the number of emails with malicious content detected by government networks in
the whole of 2010 was double the number seen in 2009.
Without a clear and ______(6) understanding of the nature and scale of threats, the
case for investing in protection and prevention can be undermined. Information assurance
therefore plays an important role in reducing our ______(7) in cyberspace. We need cross-
cutting knowledge, skills and capabilities to ______(8) all our cybersecurity objectives to take
advantage of the economic and social opportunities represented by cyberspace.
Part of the government’s ______(9) is to develop information assurance professionals
so the UK continues to retain an edge in this area, together with the underlying research and
development to keep producing innovative solutions. A key ______(10) is to drive up the
skills levels of information assurance and cybersecurity professionals. Specialist training and
certification has been developed to meet these objectives.
CESG has developed a ______(11) for certifying information assurance specialists who
meet competency and skill requirements for specified IA roles. The APM Group is one of the
organizations to be awarded the status of Certification Body by CESG to help develop the new
certification scheme. The other two are BCS and an IISP consortium – each has its own style of
assessment. The APM Group certification process is entirely online, making the application and
______(12) process easy. We have developed a secure ______(13) system accredited by
CESG on which to run the scheme. The origins of the new certification scheme are rooted in
the IISP and SFIA frameworks, which ______(14) competence in all areas of information
assurance.
The purpose of certification is to enable better matching between public sector
requirements for information assurance specialists and the competencies of the staff or
contractors undertaking common IA roles. The six roles are:
IA accreditor
IA auditor
Communications security officer/crypto custodian
IT security officer/information security system manager/information security system officer
Security and information risk advisor
Security architect
9. Translate the following text into English, paying special attention to English
equivalents of the following topic-related words:
3. How many parts do you think the text falls into? Give a heading to each of
them.
4. Make an outline of the text. Remember to make up a list of key vocabulary
referring to each part of your outline.
5. Summarise the text using the topic-related vocabulary.
Text 2
Read the text below and then do the assignments that follow.
SECURITY AUDIT POLICY IS ESSENTIAL IN ENSURING NETWORK
SECURITY
Rupesh Kumar Director, Lepide Software
Large organizations may have hundreds of servers and thousands of
computers as clients of those servers. Ensuring the security of such a vast array of
computers and the data stored thereon is a big challenge for IT administrators.
When it comes to network security, many organizations still seem to invest a
fortune in traditional security solutions such as firewalls, antivirus, data encryption
and so forth. These methods have proven reasonably effective in network security,
but nonetheless many security breaches still occur. One of the reasons is that these
traditional security solutions focus on external threats. When the origin of the
threat is internal, such network security solutions may not be of great help.
Another point to take into account is regulatory compliance. If you operate
in an industry vertical where you have to consider regulatory compliance, having
the means to protect only against external threats can result in audit failure and
significant financial penalties. To stay compliant in the face of such audits you
need to plan a 360-degree defense approach which gives equal weight to both
internal and external threats and also looks at the problem from an auditing
perspective.
Having understood the importance of internal security, the question is, what
can be done to ensure security against internal threats, such as those caused by
legitimate employees and delegated users? Organizations using Microsoft technology
can use Active Directory and Group Policy Objects to centrally enforce strong
security policy through user rights and permissions governing access to resources
and data. However, as important as it is to implement such policy, it is equally
important to track its effectiveness through proper auditing.
Devising a strong audit policy goes a long way in ensuring security against
internal threats. A well planned and meticulously deployed audit policy can ward
off a number of threats originating from unauthorized access by internal staff,
password guesses, unwanted changes, incorrect permission assignment and even
accidental changes and deletion.
However, organizations’ auditing strategies must take into account all
resources and each user’s activity to minimize the probability of a security breach.
But as you might have surmised, it’s inefficient for an organization to invest in that
kind of resource to track each and every change without using any specialized
software. Looking at the issue at a more micro level, audit logs remain scattered
around the network in various servers and client systems. Also, each event
generates numerous lines of logs, and the total logs generated in a day could be too
much to flip through manually.
Considering these issues, the objective should be to analyze security risks
meticulously and devise a differential auditing strategy with an emphasis on
vulnerable resources. Audit only what is required or where threat perception is
more than any other resource. Also, consolidate all logs in a centralized database.
This will minimize the chances of log deletion or manipulation and will also make
it easier to process the logs and present them in a format which can be easily
analyzed to take informed decisions. Taking these factors into account, you can
design an effective auditing policy to tighten Windows environment security.
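The two closing recommendations above, forwarding only the events that matter (a differential audit policy) and consolidating logs in a central store that resists deletion and manipulation, are shown together in the following Python example. It is an added illustration, not code from the article or from Lepide Software. The event records, host names, user names and file path are constructed sample data; the central store is an in-memory SQLite table; and the hash chain is one way (an assumption of this example, not something the text prescribes) of making removal or alteration of a consolidated row detectable.

```python
"""Consolidate scattered Windows audit events into one central, tamper-evident
store. Added illustration; not the article author's or Lepide's code.
All events, hosts, users and paths below are constructed sample data."""
import hashlib
import json
import sqlite3
from collections import Counter

# Constructed sample as it might be exported from several hosts' Security logs.
# Event IDs follow Windows conventions: 4624 = successful logon, 4625 = failed
# logon, 4663 = attempt to access an object, 4720 = user account created,
# 4732 = member added to a security-enabled local group.
SAMPLE_EVENTS = [
    {"host": "DC01", "event_id": 4625, "user": "jsmith", "detail": "bad password"},
    {"host": "DC01", "event_id": 4625, "user": "jsmith", "detail": "bad password"},
    {"host": "DC01", "event_id": 4625, "user": "jsmith", "detail": "bad password"},
    {"host": "DC01", "event_id": 4624, "user": "jsmith", "detail": "logon OK"},
    {"host": "FS02", "event_id": 4663, "user": "mlee", "detail": "DELETE \\\\FS02\\finance\\q3.xlsx"},
    {"host": "DC01", "event_id": 4720, "user": "svc-backup", "detail": "created by admin"},
    {"host": "DC01", "event_id": 4732, "user": "svc-backup", "detail": "added to Administrators"},
]

# Differential strategy: only these higher-risk event IDs are forwarded and kept.
WATCHED_EVENT_IDS = {4625, 4663, 4720, 4732}


def open_central_db(path=":memory:"):
    """Create the central table. Each row stores the hash of the previous row,
    so editing or removing a row in the middle breaks the chain."""
    db = sqlite3.connect(path)
    db.execute(
        "CREATE TABLE IF NOT EXISTS events ("
        "seq INTEGER PRIMARY KEY, host TEXT, event_id INTEGER, user TEXT, "
        "detail TEXT, prev_hash TEXT, row_hash TEXT)"
    )
    return db


def _row_hash(prev_hash, event):
    payload = json.dumps(event, sort_keys=True) + prev_hash
    return hashlib.sha256(payload.encode()).hexdigest()


def head_hash(db):
    """Hash of the newest row. Record it off-host (e.g. forward it to the SIEM)
    so that truncating the tail of the table is also detectable."""
    row = db.execute("SELECT row_hash FROM events ORDER BY seq DESC LIMIT 1").fetchone()
    return row[0] if row else "0" * 64


def ingest(db, events):
    """Forward only watched events into the central table, chaining hashes.
    Returns the number of rows stored."""
    stored = 0
    for ev in events:
        if ev["event_id"] not in WATCHED_EVENT_IDS:
            continue
        prev = head_hash(db)
        db.execute(
            "INSERT INTO events (host, event_id, user, detail, prev_hash, row_hash) "
            "VALUES (?, ?, ?, ?, ?, ?)",
            (ev["host"], ev["event_id"], ev["user"], ev["detail"], prev, _row_hash(prev, ev)),
        )
        stored += 1
    db.commit()
    return stored


def verify_chain(db, expected_head=None):
    """Recompute the chain. Returns False if any row was altered or removed from
    the middle; with expected_head also catches removal of the newest rows."""
    prev = "0" * 64
    for host, event_id, user, detail, prev_hash, row_hash in db.execute(
        "SELECT host, event_id, user, detail, prev_hash, row_hash FROM events ORDER BY seq"
    ):
        ev = {"host": host, "event_id": event_id, "user": user, "detail": detail}
        if prev_hash != prev or _row_hash(prev, ev) != row_hash:
            return False
        prev = row_hash
    return expected_head is None or prev == expected_head


def summarize(db):
    """Counts per (event_id, user): the consolidated view an administrator
    reviews instead of flipping through raw lines."""
    counts = Counter()
    for event_id, user in db.execute("SELECT event_id, user FROM events"):
        counts[(event_id, user)] += 1
    return dict(counts)


if __name__ == "__main__":
    db = open_central_db()
    print("rows stored:", ingest(db, SAMPLE_EVENTS))
    print("summary:", summarize(db))
    head = head_hash(db)
    print("chain intact:", verify_chain(db, head))
    # Simulate an insider removing the record of the file deletion attempt.
    db.execute("DELETE FROM events WHERE event_id = 4663")
    db.commit()
    print("chain intact after a middle row is removed:", verify_chain(db, head))
```

The chain on its own cannot notice that the newest row vanished, because nothing after it refers to it; that is why head_hash exists and why its value should live somewhere the account doing the deleting cannot reach.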
https://www.infosecurity-magazine.com/opinions/security-audit-policy-essential/
Assignments:
1. In the text, find information relating to the following:
a) security audit; b) security audit policy.
1. a) Make a gist of the above text. b) Make an outline of it. c) Make up a list of
key vocabulary to be used in your rendering. d) Render the text in English using
your outline and your list of the key vocabulary.
Reading 1
24X7 SOCS: THE ANSWER TO ALL MONITORING AND LOGGING NEEDS?
Monitoring and logging are crucial aspects of cyber assurance strategies that have
been around for many years; however, the reality that cyber-attacks and breaches now
happen to anyone and everyone is inevitably bringing the need for round-the-clock
‘situational awareness’ to the fore.
The SOC (Security Operations Centre) provides a centralized hub for
organizational logging and monitoring which can either be conducted in-house or
outsourced to provide visibility over technical and security issues.
Asking the right questions
Most organizations believe that simply by having a 24x7 SOC in place, they have
enhanced security and are better protected against threats and vulnerabilities, yet this can
potentially lead to a false sense of security. On the one hand, having dedicated analysts
watching the environment continuously has obvious benefits, given cyber-attackers are
unlikely to keep regular working hours; on the other hand, is this the overriding factor
that will help to detect and react to a breach in the best possible manner?
The reality is that a 24x7 SOC is, in itself, not the primary indicator of success. The
questions that need to be addressed are ‘how good is the SOC?’ and ‘how can it be
measured?’ A SOC needs to be operating at the best of its ability, maturing well and
constantly updating with emerging threat intelligence, to include not just the latest threats
but also innovative ways of detecting them. An effective SOC should not be a standalone
department, it needs full interaction with a comprehensive cyber security assurance
program for optimal results.
Cyber security awareness & threat intelligence
The main areas that are often discussed around the capability of a SOC are:
technology, people, process and information. Threat intelligence (TI) is another vital
component in the context of assurance; in other words, having the confidence that an
incident will be detected and effectively dealt with when it arises.
Accurate TI is crucial when detecting threat actors and activity. One of the first
challenges faced by any monitoring and logging solution is the sheer amount of logs and
data that organizations will need to deal with. Effective TI should help accomplish the
following:
• Identify threat actors: Knowing the enemy is vital for all organizations.
Identifying who potential adversaries are, but also how they operate and how they are
likely to strike, is invaluable intelligence.
• Understand the context of risk: A SOC must know what the business’s critical
assets are, where they are located and what vulnerabilities there may be in order to
effectively monitor them.
An effective SOC must use TI to inform, shape and define the service being
provided. This should ideally be supported by a red team (made up of penetration testing
experts) that is fully integrated with the SOC, as an organization with no experience of
attacks is unlikely to have an accurate understanding of the capabilities they need to
defend their networks. There are four key considerations for those looking to implement a
SOC:
1. Information: All SIEM platforms correlate and take in data from log
sources. How these are tuned, which ones are used, how effective they are at detecting
the type of activity they’re trying to detect are all important. Incorporating information
about the environment (key assets, vulnerabilities, threats etc.) is also vital
2. People: When addressing personnel within the SOC, it is important to
recruit based on experience and certification, but also to assess capability. Although it
may be tempting to employ entry-level candidates, an experienced team with a variety of
skill sets and experience is ideal. Members of the team should also support the maturity
process by helping to develop processes with regards to environmental tuning, and be
regularly trained and assessed to support the day-to-day running of the SOC
3. Tools/Systems: The SOC tool set should be far more than just a SIEM
platform (although this is a key element). The addition of host based agents, network
captures, TI products, honeypots and so on, is as significant. How effective and
intelligent the SOC toolset is and how effectively it is used will directly impact its
utilization. The SOC platform should not be considered a single or standalone SIEM
product that will protect organizational security in its entirety. The initiative should be
taken to see what other tools can be used in conjunction to generate more intelligent
alarms and events
4. Processes: When a threat is detected, a set process must be in place with an
efficient escalation plan, which must be regularly assessed to ensure maximum efficiency
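The following Python example brings together the "Information" and "Tools/Systems" points above with the earlier remarks on threat intelligence and asset context: several log sources are normalized, correlated against a threat-intelligence list, and ranked by the criticality of the asset involved, which is what a SIEM does beyond simply collecting logs. It is added here as an illustration and is not code from the article or from any SIEM vendor; every log line, IP address, domain, host name and actor label is constructed, and the three rules and the failure threshold are assumptions of this example.

```python
"""SIEM-style correlation of several log sources against threat intelligence
and asset context. Added illustration for the SOC considerations above; not
from the article or any vendor. All indicators, hosts and lines are constructed."""
import re
from collections import defaultdict

# Constructed threat-intelligence feed: indicator -> attributed actor.
THREAT_INTEL = {
    "ip": {"203.0.113.77": "ACTOR-A (constructed)"},
    "domain": {"updates-cdn.example.invalid": "ACTOR-B (constructed)"},
}

# Constructed asset context: the SOC must know which hosts matter most.
ASSETS = {
    "10.0.5.10": {"name": "db-finance", "criticality": "high"},
    "10.0.7.22": {"name": "ws-frontdesk", "criticality": "low"},
}

# Constructed lines from three sources, in the key=value shape parsed below.
LOG_LINES = [
    "2024-03-01T02:10:01 auth src=203.0.113.77 user=admin result=FAIL",
    "2024-03-01T02:10:04 auth src=203.0.113.77 user=admin result=FAIL",
    "2024-03-01T02:10:07 auth src=203.0.113.77 user=admin result=FAIL",
    "2024-03-01T02:10:09 auth src=203.0.113.77 user=admin result=OK",
    "2024-03-01T02:11:30 fw src=10.0.5.10 dst=203.0.113.77 dport=443 action=ALLOW",
    "2024-03-01T02:12:00 proxy src=10.0.7.22 host=updates-cdn.example.invalid status=200",
    "2024-03-01T02:12:05 proxy src=10.0.7.22 host=www.example.com status=200",
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<source>\w+)\s+(?P<kv>.*)$")
FAIL_THRESHOLD = 3  # assumed tuning value for rule 1


def parse_line(line):
    """Normalize one line into {ts, source, key: value, ...}. Returns None for a
    line that does not fit, so a malformed record cannot stop ingestion."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = {"ts": m.group("ts"), "source": m.group("source")}
    for pair in m.group("kv").split():
        if "=" in pair:
            k, v = pair.split("=", 1)
            ev[k] = v
    return ev


def severity_for(ip, base):
    """Raise the severity when a high-criticality asset is involved: the same
    indicator hit on a workstation and on the finance database must not rank equally."""
    if ASSETS.get(ip, {}).get("criticality") == "high":
        return "critical"
    return base


def correlate(lines):
    """Apply three rules across sources; returns a list of alarm dicts in log order."""
    alarms = []
    fails = defaultdict(int)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src = ev.get("src")
        # Rule 1: repeated failures followed by a success from the same source.
        if ev["source"] == "auth":
            if ev.get("result") == "FAIL":
                fails[src] += 1
            elif ev.get("result") == "OK" and fails[src] >= FAIL_THRESHOLD:
                actor = THREAT_INTEL["ip"].get(src)
                alarms.append({
                    "rule": "bruteforce-success", "src": src, "user": ev.get("user"),
                    "severity": "high" if actor else "medium", "actor": actor,
                })
        # Rule 2: outbound connection from an internal host to a TI-listed IP.
        elif ev["source"] == "fw" and ev.get("dst") in THREAT_INTEL["ip"]:
            alarms.append({
                "rule": "c2-contact", "src": src, "dst": ev["dst"],
                "asset": ASSETS.get(src, {}).get("name"),
                "severity": severity_for(src, "high"),
                "actor": THREAT_INTEL["ip"][ev["dst"]],
            })
        # Rule 3: web request to a TI-listed domain.
        elif ev["source"] == "proxy" and ev.get("host") in THREAT_INTEL["domain"]:
            alarms.append({
                "rule": "malicious-domain", "src": src, "host": ev["host"],
                "asset": ASSETS.get(src, {}).get("name"),
                "severity": severity_for(src, "medium"),
                "actor": THREAT_INTEL["domain"][ev["host"]],
            })
    return alarms


if __name__ == "__main__":
    for alarm in correlate(LOG_LINES):
        print(alarm)
```

Running the block yields three alarms: the successful brute force from a TI-listed address, the finance database contacting that same address (escalated to critical by the asset context) and the front-desk workstation reaching a listed domain (left at medium). The second proxy line produces nothing, which is the point of tuning sources and rules before adding staff to watch them.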
Before a company decides that a 24x7 service is the key requirement of their SOC,
they must bear in mind that there may be some significant hurdles to overcome in order
to achieve this. Ultimately, a 24x7 service alone is no guarantee of a higher level of
assurance. If a SOC is working to the optimal standards outlined above, there may be
little need for a 24x7 service, as genuine threats would be correctly detected, classified
and acted upon.
https://www.infosecurity-magazine.com/opinions/24x7-socs-the-answer-to-all/
Reading 2
BEST PRACTISE GUIDE OFFERS BOARD SECURITY ADVICE
Dan Raywood Contributing Editor, Infosecurity Magazine
A best practice guide on cybersecurity basics for boards of directors has been
launched.
After cybersecurity issues were rated by the World Economic Forum as one of the
top three risks for 2017, the World Economic Forum Future of Digital Economy and
Society System Initiative has released a whitepaper to help boards understand the risks
they are facing.
The guide claimed that “cyber resilience and cyber risk management are critical
challenges for most organizations today”, but those organizations do not feel they are
equipped with the tools to manage cyber risks with the same level of confidence that they
manage other risks, and that emerging leading practices have not yet become part of the
standard set of board competencies.
“Beyond individual organizations, cyber risk is a systemic challenge and cyber
resilience a public good,” the report said. “In the coming years, several billions of
everyday devices will be connected. As our virtual and physical worlds merge, the stakes
are increased. This will require two things: 1) a significantly increased number of
organizations adopting, sharing and iterating current leading practices; and 2) cross-
sectoral collaboration to develop the new practices that will be required to deal with the
unique attributes of managing cyber risks of physical assets.”
The report is intended to be a framework and set of tools that boards of directors
can “use to smoothly integrate cyber risk and resilience into business strategy, so that
their companies can innovate and grow securely and sustainably.”
Speaking at the launch of the Global Risks Report, Richard Samans, managing
director and member of the managing board of the World Economic Forum, said that
with the risk of cybersecurity increasing, the best practice handbook is a year-long project
intended to make sure the board are up-to-date in order to “manage this critical risk as
IoT is only going to get more serious so this is a boardroom issue, but the problem is
more boardrooms are not equipped to carry out their duty so that the organization that
they are governing has the right strategy and has the right tools and the right people in
place.”
Asked if leadership is struggling to know what to do in the new environment,
Samans said: “The world is moving very rapidly. Take cybersecurity: this has just
rocketed up to become an existential issue in the last few years, so you cannot expect that
most boards of directors are equipped for this.
“You can imagine being in that position; you have a gnawing sense of
responsibility and there is a need for frameworks, and not just waiting for an international
treaty or a formal code to be established, but we need to be more agile, rapid, flexible and
purpose-built in our behavior.”
The whitepaper proposes ten “board principles for cyber resilience”:
Principle 1 – Responsibility for cyber resilience: The board as a whole takes
ultimate responsibility for oversight of cyber risk and resilience.
Principle 2 – Command of the subject: Board members receive cyber resilience
orientation upon joining the board and are regularly updated on recent threats and trends.
Principle 3 – Accountable officer: The board ensures that one corporate officer is
accountable for reporting on the organization’s capability to manage cyber resilience and
progress in implementing cyber resilience goals.
Principle 4 – Integration of cyber resilience: Board ensures that management
integrates cyber resilience and cyber risk assessment into overall business strategy and
into enterprise-wide risk management.
Principle 5 – Risk appetite: The board annually defines and quantifies business
risk tolerance relative to cyber resilience, and ensures that this is consistent with
corporate strategy and risk appetite.
Principle 6 – Risk assessment and reporting: The board holds management
accountable for reporting a quantified and understandable assessment of cyber risks,
threats and events as a standing agenda item during board meetings.
Principle 7 – Resilience plans: Support for the officer accountable for cyber
resilience by the creation, implementation, testing and ongoing improvement of cyber
resilience plans.
Principle 8 – Community: Encourages management to collaborate with other
stakeholders in order to ensure systemic cyber resilience
Principle 9 – Review: Carrying out a formal, independent cyber resilience review
of the organization annually.
Principle 10 – Effectiveness: to review its own performance in the implementation
of these principles.
In an email to Infosecurity, ISF managing director Steve Durbin said that, albeit at a
high level, the principles certainly touch upon a number of the key focus areas for a
board to best infuse a culture of security and risk appetite internally within an
organization.
He said: “I’ve been saying for a number of years that information risk must be
elevated to a board-level issue and given the same attention afforded to other risk
management practices. Organizations face a daunting array of challenges interconnected
with cybersecurity: the insatiable appetite for speed and agility, the growing dependence
on complex supply chains, and the rapid emergence of new technologies.
“Cybersecurity chiefs must drive collaboration across the entire enterprise,
bringing business and marketing needs into alignment with IT strategy. IT must
transform the security conversation so it will resonate with leading decision-makers while
also supporting the organization’s business objectives.
“Frankly, every organization, no matter their size, must assume they will
eventually incur severe impacts from unpredictable cyber threats. Planning for resilient
incident response in the aftermath of a breach is imperative. Traditional risk management
is insufficient. It’s important to learn from the cautionary tales of past breaches, not only
to build better defenses, but also better responses.”
https://www.infosecurity-magazine.com/news/best-practise-guide-board-security/