
CYBER SECURITY

UNIT - 1
PLANNING FOR CYBER SECURITY
Cybersecurity

The technologies, processes and practices used to protect information, networks, computer systems, appliances and programs (which collect, process, store and transport information) from attack, damage and unauthorized access.

It includes:

- Activities: protect vital information.
- Technologies: protect information.
- Processes: create, manage, share and store information.
- Practices: ensure information is protected and managed.

Objectives

Preserves confidentiality, integrity and availability.

Confidentiality

Data is not disclosed to system entities unless they have been authorized to know the data.

Integrity

Data has not been changed, destroyed or lost in an unauthorized or accidental manner.

Availability

A system is available if it provides services according to the system design whenever users request them.

Non-repudiation

Assurance that the sender of information is provided with proof of delivery and the recipient is provided with proof of the sender's identity, so neither can later deny having processed the information.

Authenticity

Verifying that users are who they say they are and that each input arriving at the system comes from a trusted source.

Accountability

Property of a system or system resource ensuring that the actions of a system entity may be traced uniquely to that entity.

Definitions

Risk

- A measure of the extent to which an entity is threatened by a circumstance or event.
- It is a function of
  1) the adverse impact that would arise if the circumstance or event occurs, and
  2) the likelihood of occurrence.

Asset

- Data contained in an information system
- Services provided by the system
- System capability
  1) Processing power
  2) Communication bandwidth
- Items of system equipment
- The facility that houses the system, its operations and its equipment

Threat

A potential violation of security that exists when there is a circumstance, capability, action or event that could breach security and cause harm.

Vulnerability

- A flaw or weakness in a system's design, implementation, or operation and management.
- Can be exploited to violate the system's security policy.

Practices & Standards

1) ISF (Information Security Forum) - 2016

Standard of Good Practice for Information Security

2) ISO (International Organization for Standardization) - 2013

ISO 27002: Code of practice for information security controls

3) NIST (National Institute of Standards and Technology) - 2017

Framework for Improving Critical Infrastructure Cybersecurity

4) CIS (Center for Internet Security) - 2018

Critical Security Controls for Cyber Defense, version 7

5) ISACA (Information Systems Audit and Control Association) - 2012

COBIT 5 for Information Security

6) PCI (Payment Card Industry Security Standards Council) - 2016

Data Security Standard v3.2: Requirements and Security Assessment Procedures, 2016
Security Governance Principles

X.1054

Provides concepts and guidance on principles and processes for information security governance.

Lists six principles:

1) Establish organization-wide information security
- Driven by top-level management.
- Ensures information security serves overall business objectives.

2) Adopt a risk-based approach
- Allocation of resources and budgets based on risk.

3) Set the direction of investments
- Information security is integrated with existing processes.

4) Ensure conformance with internal and external requirements
- External requirements: legislation and regulation, standards leading to certification, and contractual requirements.
- Internal requirements: organizational goals and requirements.

5) Security-positive environment for all stakeholders
- Supporting security education, training and awareness programmes.

6) Review performance in relation to business outcomes
- Reviews of the performance measurement program for monitoring, audit and improvement.
- Links information security performance to business performance.
Security Governance Components

- Strategic planning: enterprise, IT, and cybersecurity or information security
- Organizational structure
- Establishment of roles and responsibilities
- Integration with the enterprise architecture
- Documentation of security objectives in policies and guidance

Enterprise Strategic Planning

- Defining long-term goals and objectives for an organization.
- Development of plans to achieve these goals and objectives.

IT Strategic Planning

1) Two- to five-year business and technology outlook
- IT subject-matter experts are engaged to shape the organization's technology direction over the next 5 years.

2) Strategic deep dive
- The team identifies areas that require more in-depth analysis.

3) Current-state assessment
- Paying special attention to the key drivers.

4) Imperatives, roadmaps, and finances
- Discussion of strategic objectives, budget and investment plan.

5) Governance process and decision making
- The many decisions the organization makes to implement its one-year strategic objectives.

6) Regular reviews
- Monthly reviews to ensure that the plan and decisions are followed.

Information Security Strategic Planning

Alignment of information security management and operations with enterprise and IT strategic planning.

Organizational Structure

Depends on the size of the organization, its type (e.g., government agency, business, non-profit) and the organization's degree of dependence on IT.

Roles & Responsibilities

- A key aspect of security governance.
- Defining the roles and responsibilities of executives related to information security.

C-Level Executives

High-ranking executives. Officers who hold C-level positions set company strategy, make decisions and oversee day-to-day operations.

CEO (Chief Executive Officer)

Responsible for the success or failure of the organization, overseeing the entire operation at a high level.

COO (Chief Operating Officer)

Oversees the organization's day-to-day operations on behalf of the CEO, creating policies and strategies.

CIO (Chief Information Officer)

In charge of IT strategy and the computer, network and third-party

CSO (Chief Security Officer)

Tasked with ensuring data and systems security.

CRO (Chief Risk Officer)

Charged with assessing and mitigating competitive, regulatory and technological threats.

CPO (Chief Privacy Officer)

Protects employee and customer data from unauthorized access.

Information Security Architecture

- Describes how security capabilities are placed and used in the enterprise.
- The architecture allocates security requirements and controls to common services.
- It determines under which circumstances, and which, security controls apply to information systems.

Policies and Guidance

NIST SP 800-53

Defines an information security policy as an aggregate of directives, rules and practices that prescribes how an organization manages, protects and distributes information.

Security Governance Approach

Effective cybersecurity governance requires the development and clear documentation of a security governance framework.

Tasks

1) Appoint a single executive to be responsible for security governance. Duties:
- Implementing the framework.
- Developing and monitoring an information security strategy.

2) Communicate the objectives of the security governance framework to top executives.

3) Ensure integration of the security architecture with the enterprise architecture.

4) Enable the governing body to evaluate the operation of the information security strategy.

5) Regularly review the organization's risk appetite.

6) Approve the information security strategy, policy and architecture.

Information Risk Management

NIST SP 800-37 states that risk management includes a disciplined, structured and flexible process for organizational:

- asset valuation
- security and privacy control selection
- implementation and assessment
- system and control authorization
- continuous monitoring

X.1055 Risk Management Process

An iterative process with the following steps:

- Assess risk based on assets, threats, vulnerabilities and existing controls.
- Determine impact and likelihood, and then the level of risk.
- Identify security controls to reduce the risk.
- Allocate resources, roles and responsibilities, and implement the controls.
- Monitor and evaluate the effectiveness of risk treatment.

ISO 27005

Information security risk management. The process consists of a number of activities:

- Context establishment.
- Risk assessment, risk treatment, risk acceptance, risk communication and consultation, and risk monitoring and review.

ASSET IDENTIFICATION

The first step is to determine values for the organization's assets.

An asset is anything of value to the business that requires protection, including hardware, software, information and business assets.

Hardware assets include servers, workstations, laptops, mobile devices, removable media, networking and telecommunication equipment and peripheral equipment.

Key concerns:

1. Loss of a device through theft or damage
2. Lack of availability
3. Device malfunction

Asset valuation includes:

1. Replacement cost of the hardware
2. Disruption losses and recovery expenses
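As an added example (not part of these notes), the X.1055 steps above and the hardware asset valuation worked through as a small risk register in Python: value the asset, pair a threat with the vulnerability it exploits, score impact and likelihood, rate the risk, then re-rate it after a control is applied. The 1 to 5 scales, the level = impact x likelihood rule, the rating thresholds and the laptop figures are all assumed for illustration; neither X.1055 nor ISO 27005 prescribes them.

```python
from dataclasses import dataclass, field

@dataclass
class Asset:
    name: str
    replacement_cost: int         # valuation component 1 from the notes
    disruption_and_recovery: int  # component 2: disruption losses + recovery expenses

    def value(self) -> int:
        return self.replacement_cost + self.disruption_and_recovery

@dataclass
class Control:
    name: str
    impact_reduction: int = 0      # scale points the control removes from impact
    likelihood_reduction: int = 0  # scale points it removes from likelihood

@dataclass
class Risk:
    asset: Asset
    threat: str
    vulnerability: str
    impact: int        # assumed 1..5 scale (negligible .. severe)
    likelihood: int    # assumed 1..5 scale (rare .. almost certain)
    controls: list = field(default_factory=list)   # existing plus selected controls

    def residual(self) -> tuple:
        imp = max(1, self.impact - sum(c.impact_reduction for c in self.controls))
        lik = max(1, self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        return imp, lik
    def level(self) -> int:
        imp, lik = self.residual()
        return imp * lik           # assumed rule: level = impact x likelihood
    def rating(self) -> str:
        score = self.level()       # assumed thresholds for the three bands
        return "high" if score >= 15 else "medium" if score >= 8 else "low"

def treat(risk: Risk, appetite: int, candidates: list) -> bool:
    """Steps 3 and 4: add candidate controls in order until the level is within appetite."""
    for control in candidates:
        if risk.level() <= appetite:
            break
        risk.controls.append(control)
    return risk.level() <= appetite    # False: residual risk still needs attention

# Constructed register entry (not real data): a field laptop with an unencrypted disk.
laptop = Asset("field laptop", replacement_cost=1500, disruption_and_recovery=3500)
theft = Risk(laptop, "theft of device", "unencrypted local disk", impact=4, likelihood=4)
CANDIDATES = [Control("full-disk encryption", impact_reduction=2),
              Control("asset tracking and cable locks", likelihood_reduction=1)]
```

Calling `treat(theft, 8, CANDIDATES)` stops after the first control, since full-disk encryption alone brings the level from 16 (high) down to 8 (medium), within the assumed appetite of 8.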

Software assets include applications, operating systems, other system software, database management software, file systems and client-server software.

Other software includes virtual machines, container virtualization, software-defined networking (SDN) and network function virtualization (NFV).

Information assets comprise the information stored in databases and file systems, both on premises and remotely in the cloud.

Types of information:
- Communication data
- Routing information
- Subscriber information
- Blacklist information
- Registered service information
- Operational information
- Trouble information
- Configuration information
- Customer information
- Billing information
- Customer calling patterns
- Customer geographic information
- Traffic statistical information
- Contracts and agreements
- System documentation
- Research information
- User manuals

Business assets include:
- Human resources
- Business processes
- Physical plant
