Learning Material with Go Learn, Focus on Information Security and Product Management
Welcome to a comprehensive hub for mastering both Information Security and Product Management. Explore essential knowledge in Information Security, including threat identification, risk management, and standards. At the same time, dive into the world of Product Management with in-depth resources on market research, product development, user experience design, and strategic planning.
Information Security Topics
Secure your knowledge with extensive Information Security resources. Learn the fundamentals to crack the interview.
General Security Terms and Definitions
What is Information Security?
Information security is a set of practices to keep data secure from unauthorized access and unauthorized alterations. Its main aim is to protect the confidentiality, integrity and availability of the data.
What is Cyber Security?
Cybersecurity is the practice of protecting systems, applications, networks and data from malicious attacks.
These attacks include malware and phishing attacks, among others. Cybersecurity is a subset of information security.
What is Network Security?
Network security is the practice of securing the integrity of the network and an organization’s IT infrastructure from unauthorized access and attacks. Network security is a subset of cybersecurity.
What is the difference between Information Security and Cyber Security?
The difference between information security and cybersecurity: information security covers both physical and digital data, while cybersecurity covers digital data only.
What is an Event?
Any observable occurrence in a system or a network is an event.
What is a security incident?
Any event that leads to a violation of an organization’s security policies and puts sensitive data at risk of exposure.
Example – Data breach, Malware infection, Unauthorized access.
What is a security breach?
If a security incident results in unauthorized access to data, then it is a security breach.
What is a data breach?
A data breach is a security violation in which sensitive data is copied or stolen by an unauthorized individual.
What is a Policy?
A document that states in writing how an organization plans to protect its physical and IT assets. It is mandatory and sets direction.
What is a Procedure?
Step-by-step instructions.
What is a Standard?
A set of best practices to be followed. Ex – ISO 27001
What are Guidelines?
Gives an overview of how to perform a task. Add-ons; discretionary.
What is a Framework?
A general guideline that an organization can adopt. Ex – NIST
Gap Assessment – Review of existing security controls against a standard
Compliance Audit – Verification that all security controls are in place.
Security Audit – Verification that the controls are implemented
Vulnerability scanning – Testing internal and external interfaces.
Penetration testing – Attempt to penetrate the defenses of an organization.
Ad hoc testing – Search for less obvious vulnerabilities. Performed by experts.
Social Engineering – Gaining unauthorized access through the human element.
Keywords:
Entry-level:
Information security, Cybersecurity, Network security, Security incident, Data breach
Mid-level:
Security posture, Threat intelligence, Zero trust architecture, Security orchestration, Cyber resilience
Threat, Vulnerability, Risk and Impact
What is a threat?
Any incident that has the potential to harm the system.
External threats- Malware, Data Theft
Internal Threats- Unauthorized access
Physical Threat- Disasters
Environmental Threats- Power failure
What is a threat agent?
A specific object or person who poses danger to your organization (by carrying out an attack). If a hacker carries out a DDoS attack, he’s a threat agent.
Interception – Attack on Confidentiality – some unauthorized entity has gained access to an asset. Ex – eavesdropping
Interruption – Attack on Availability – an asset is lost, unavailable or unusable. Ex – Erasure of a program/file.
Modification – Attack on Integrity – an unauthorized entity not only accesses, but also tampers with an asset. Ex – changing values in a database.
Fabrication – Attack on Authenticity – a situation in which new additional data is generated.
What is Vulnerability?
Any weakness/fault in a system that can lead to an exposure.
Vulnerability is a weakness which allows an attacker to reduce a system's information assurance.
For example – antivirus out of date, unlocked doors.
What is Risk?
Risk is the likelihood of any threat exploiting a vulnerability and causing an unwanted impact on the organization.
For example – theft, fraud, social engineering, environmental disasters.
Risk = Threat x Vulnerability
Types of Risks
Compliance Risk – Non-compliance with regulations.
Financial Risk – Penalties, Overdraft charges
Legal Risk – Contract Violation
Business Risk – Loss of key staff
Reputational Risk – Negative Media
Operational Risk – Utility Failures (power, air, water)
Technological Risk – Data Corruption
What are the information security impacts on an organization?
Financial loss, Reputational Damage, Loss of Privacy.
Give a threat, risk, vulnerability example:
Threat – Any incident that has the potential to harm the system.
Vulnerability – Any weakness/fault in a system that can lead to an exposure.
Risk – The likelihood of any threat exploiting a vulnerability and causing an unwanted impact on the organization.
What is Impact?
Impact is the magnitude of harm caused to an organization by a threat exercising a vulnerability.
Keywords:
Entry-level:
Threat agent, Vulnerability assessment, Risk calculation (Risk = Threat x Vulnerability), Impact analysis, Common vulnerabilities
Mid-level:
Advanced Persistent Threats (APTs), Vulnerability management lifecycle, Quantitative risk analysis, Residual risk, Threat modeling
CIA - Confidentiality, Integrity and Availability
What is CIA Triad?
A model that forms the security posture of an organization.
CIA stands for Confidentiality, Integrity and Availability.
Confidentiality is the property that data is not disclosed to unauthorized entities.
Ensuring confidentiality – Data Encryption, 2 Factor Authentication.
Integrity is the property of safeguarding the accuracy and completeness of data, i.e. ensuring data is free from unauthorized modification.
Ensuring Integrity – Using a Hash Function
Availability is the property that data is available to authorized users whenever and wherever required.
Ensuring Availability - Redundant systems, backup and recovery processes, and incident response plans.
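As an added illustration of "Ensuring Integrity – Using a Hash Function" (this example is not part of the original notes): a SHA-256 digest of a record detects any change to it, but only if the stored digest is out of the modifier's reach. When whoever can change the data could also replace the digest, a keyed hash (HMAC) is needed, because the attacker cannot recompute the tag without the key. The record contents, the field names and the key handling below are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed sample record and a tampered version of it (not real data).
ORIGINAL = b"account=1234;balance=100.00\n"
TAMPERED = b"account=1234;balance=900.00\n"


def digest(data: bytes) -> str:
    """Hex SHA-256 digest of the data: the reference value stored at write time."""
    return hashlib.sha256(data).hexdigest()


def verify_digest(data: bytes, expected_hex: str) -> bool:
    """Integrity check with an unkeyed hash.

    Detects accidental or unauthorized modification as long as the reference
    digest itself is stored where the modifier cannot reach it.  compare_digest
    runs in constant time, so the comparison does not leak how many leading
    characters matched.
    """
    return hmac.compare_digest(digest(data), expected_hex)


def tag(data: bytes, key: bytes) -> str:
    """HMAC-SHA256 tag: a keyed hash that cannot be recomputed without the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(data: bytes, key: bytes, expected_hex: str) -> bool:
    """Integrity check with a keyed hash; survives an attacker who can also
    overwrite the stored tag, because a new valid tag needs the key."""
    return hmac.compare_digest(tag(data, key), expected_hex)


def demo() -> dict:
    """Run both checks against the original and the tampered record."""
    key = secrets.token_bytes(32)  # integrity key, kept away from whoever writes the data
    ref_digest = digest(ORIGINAL)
    ref_tag = tag(ORIGINAL, key)
    return {
        "hash_ok_original": verify_digest(ORIGINAL, ref_digest),
        "hash_ok_tampered": verify_digest(TAMPERED, ref_digest),
        # An attacker who rewrites the data AND the stored digest passes the unkeyed check.
        "hash_ok_tampered_with_replaced_digest": verify_digest(TAMPERED, digest(TAMPERED)),
        "hmac_ok_original": verify_tag(ORIGINAL, key, ref_tag),
        "hmac_ok_tampered": verify_tag(TAMPERED, key, ref_tag),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:40s} {result}")
```

The third result is the one to remember in an interview: a hash alone proves integrity only relative to a trusted copy of the hash; the HMAC variant moves that trust into a key.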
What is privacy?
An individual’s right to keep their data to themselves.
Keywords:
Entry-level:
CIA triad definition, Data encryption, Access control, Data backup, System availability
Mid-level:
Information classification, Data integrity verification, High availability systems, Non-repudiation, Defense-in-depth
Risk Assessment
What is Risk Assessment?
Risk assessment is to determine where the risks lie and how big they are. (What is my risk?)
It is a systematic process that involves identifying, evaluating and controlling risks.
Determining likelihood and impact on the organization.
Types of risk assessment
1. Qualitative Risk Assessment
2. Quantitative Risk Assessment
Steps of Risk Assessment:
Identify the hazards.
Assess the risks – determine who might be harmed and how.
Evaluate the risks and take precaution.
Record your findings.
Review the controls and update if necessary.
The 9 Steps to Risk Assessment are:
- System Categorization
- Threat Identification
- Vulnerability Identification
- Control Analysis
- Likelihood Determination
- Impact Analysis
- Risk Determination
- Control Determination
- Result Documentation
1. System Categorization
The boundaries of the IT system are identified, as well as the resources and information that constitute the system, including its hardware and software.
This gives a good picture of the IT system environment.
2. Threat Identification
The potential threat that can trigger or exploit a vulnerability.
A threat statement that consists of a list of threat sources that could exploit system vulnerabilities.
3. Vulnerability Identification
Identify vulnerabilities from previous risk assessment documents, audit reports and security review reports. Also by VA & PT.
A list of vulnerabilities that could be exploited by potential threat sources.
4. Control Analysis
Analyse the controls that have been implemented or are planned for implementation to minimize the likelihood of a threat exercising a vulnerability. Developing a security checklist, or using an available one, helps analyse controls in a systematic and efficient manner. Technical controls – safeguards incorporated into computer hardware and software. Non-technical controls – management and operational controls.
List of current or planned controls.
5. Likelihood Determination
Indicates the probability of a potential vulnerability being exercised by a potential threat source.
Likelihood rating - Categorized into high, medium, low.
6. Impact Analysis
To examine the adverse impact resulting from a threat exercising a vulnerability.
To examine the magnitude of the impact.
7. Risk Determination
To determine the level of risk to the IT system using the Risk Level Matrix:
Risk Level = Likelihood x Impact
High Likelihood, High Impact = High Risk (Mitigate)
High Likelihood, Low Impact = Medium Risk (Control)
Low Likelihood, High Impact = Medium Risk (Share)
Low Likelihood, Low Impact = Low Risk (Accept)
Risk Level (High, Medium, Low)
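The matrix above, applied to a whole register of findings, is the output of step 7 in practice. The following Python is an added example, not part of the original notes: the four cells the notes give (H/H Mitigate, H/L Control, L/H Share, L/L Accept) are reproduced exactly, and the numeric weights, the score thresholds that place the Medium rating, and the treatment chosen for the Medium cells not on the notes are assumptions, marked as such in the code. The register entries are constructed sample findings.

```python
# Ratings used on the Risk Level Matrix.
# Assumption: the notes give the ratings but not numeric weights; 1-3 ordinal scale used here.
RATING = {"Low": 1, "Medium": 2, "High": 3}


def risk_score(likelihood: str, impact: str) -> int:
    """Risk Level = Likelihood x Impact on the ordinal scale."""
    return RATING[likelihood] * RATING[impact]


def risk_level(likelihood: str, impact: str) -> str:
    """Map the score onto the notes' matrix.

    H/H -> High, H/L and L/H -> Medium, L/L -> Low come from the notes.
    Assumption: the thresholds (>= 6 High, >= 3 Medium) that place the cells
    involving a Medium rating.
    """
    score = risk_score(likelihood, impact)
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def treatment(likelihood: str, impact: str) -> str:
    """Treatment column of the matrix.

    Mitigate / Control / Share / Accept are the notes' four entries.
    Assumption for Medium cells not on the notes: Control when likelihood is the
    dominant factor (reduce the chance), Share when impact is (transfer it).
    """
    level = risk_level(likelihood, impact)
    if level == "High":
        return "Mitigate"
    if level == "Low":
        return "Accept"
    return "Control" if RATING[likelihood] >= RATING[impact] else "Share"


def determine_risks(register):
    """Step 7 for a register: rate every finding and rank from high to low."""
    rated = []
    for item in register:
        lik, imp = item["likelihood"], item["impact"]
        rated.append({
            **item,
            "score": risk_score(lik, imp),
            "level": risk_level(lik, imp),
            "treatment": treatment(lik, imp),
        })
    rated.sort(key=lambda r: r["score"], reverse=True)
    return rated


# Constructed sample register: threat/vulnerability pairs from steps 2 and 3.
SAMPLE_REGISTER = [
    {"id": "R1", "threat": "Malware", "vulnerability": "Antivirus out of date",
     "likelihood": "High", "impact": "High"},
    {"id": "R2", "threat": "Power failure", "vulnerability": "No UPS in server room",
     "likelihood": "Low", "impact": "High"},
    {"id": "R3", "threat": "Unauthorized access", "vulnerability": "Unlocked office door",
     "likelihood": "High", "impact": "Low"},
    {"id": "R4", "threat": "Eavesdropping", "vulnerability": "Guest Wi-Fi unencrypted",
     "likelihood": "Medium", "impact": "Medium"},
    {"id": "R5", "threat": "Tailgating", "vulnerability": "No visitor log at reception",
     "likelihood": "Low", "impact": "Low"},
]

if __name__ == "__main__":
    for r in determine_risks(SAMPLE_REGISTER):
        print(f'{r["id"]} {r["likelihood"]:6s} x {r["impact"]:6s} '
              f'= {r["level"]:6s} -> {r["treatment"]}')
```

Ranking by score rather than by level keeps ties visible (R2 and R3 are both Medium) and feeds directly into the "prioritize actions from high to low" step of risk mitigation.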
8. Control Determination
Controls that could mitigate or eliminate identified risks are provided.
Recommendation of controls.
9. Result Documentation
Once the risk assessment is completed, results should be documented in an official report.
A report that describes the risks and vulnerabilities, measures the risks and provides recommendations for control implementation.
A risk assessment is done when
- New processes are introduced in the workflow
- Existing process is updated
- New hazards arise
Generic phases of Risk Assessment
Phase 1: Project Definition
Phase 2: Project Preparation
Phase 3: Data Gathering
Phase 4: Risk Analysis
Phase 5: Risk Mitigation
Phase 6: Risk reporting and resolution
Likelihood – chance/possibility of an event occurring.
Keywords:
Entry-level:
Risk identification, Qualitative risk assessment, Asset inventory, Threat identification, Control analysis
Mid-level:
Quantitative risk assessment, Risk assessment methodologies (e.g., OCTAVE, FAIR), Vulnerability scoring (e.g., CVSS), Risk matrices, Scenario-based risk assessment
Risk Management
What is Risk Management?
Understanding of the risks to its assets and having an approach to address those risks.
The total process of identifying, controlling and minimizing risks to a level proportional to the value of the assets protected.
The goal of Risk Management is to protect organizations and their ability to perform their mission.
Steps of the Risk Management Process
- Identify the risk
- Monitor the risk
- Analyse the risk
- Prioritize the risk
- Treat the risk
Risk Management has 3 parts -
1. Risk Assessment – Determining where the risks lie.
2. Risk Mitigation – The act of reducing risks by implementing appropriate reduction controls.
3. Evaluation and Assessment – Risk management is continuous and evolving, so the past year’s risk management efforts are assessed and evaluated.
What is Data Encryption?
The conversion of plaintext to ciphertext. It converts data from a readable form to an encoded version which can only be decoded by an entity having access to the decryption key.
What is Reactive Risk Management?
It tries to reduce the damage of potential threats and speed up the organization’s recovery from them, but assumes those threats will happen eventually.
Steps:
- Protect human life
- Contain the damage
- Assess the damage
- Determine the cause of damage
- Repair the damage
- Review response and update policies and controls.
What is Proactive Risk Management?
It identifies threats and prevents them from happening in the first place.
Keywords:
Entry-level:
Risk management process, Risk acceptance, Risk avoidance, Risk transfer, Risk monitoring
Mid-level:
Enterprise Risk Management (ERM), Risk appetite and tolerance, Key Risk Indicators (KRIs), Integrated risk management, Risk management frameworks
Risk Mitigation
What is risk mitigation?
The act of reducing risk by implementing appropriate risk reduction controls is called risk mitigation.
While it is impossible to prevent all threats, risk mitigation helps to reduce the chances of a threat exploiting a vulnerability.
Risk Acceptance – When the cost of the control is higher than the impact of the risk, the risk is accepted.
Risk Avoidance – Eliminate the cause of the risk. Ex – shut down the system when and where risks are detected.
Transfer Risk – Transferring the risk-oriented tasks to third parties. Ex – Buying insurance.
Reduce Risk – Implementing Controls
Risk Mitigation Activities:
1. Prioritize Actions ranking from high to low.
2. Evaluate Recommended Control Options from risk assessment report and create a list of feasible controls.
3. Conduct Cost Benefit Analysis
4. Select Controls
5. Assign Responsibility to the responsible persons
6. Develop Safeguard Implementation Plan
7. Implement Selected Controls
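Activities 1 to 4 above (prioritize, evaluate options, cost-benefit analysis, select controls) together with the acceptance rule "when the cost of the control is higher than the impact of the risk, the risk is accepted" can be written down as a small decision procedure. The Python below is an added example, not the notes' own method: it assumes each risk has been given an expected annual loss figure (a quantitative input the notes do not specify) and that each candidate control has an annual cost and a fraction of the loss it removes; the residual loss is computed as inherent loss minus the control's effect. All figures are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    annual_cost: float   # what the control costs to run per year (constructed)
    reduction: float     # fraction of the risk's expected loss it removes, 0..1 (constructed)


@dataclass
class Risk:
    id: str
    description: str
    inherent_loss: float  # expected annual loss with no control in place (assumed quantitative input)
    options: list = field(default_factory=list)  # candidate controls from the assessment report


def residual_loss(risk: Risk, control: Control) -> float:
    """Residual risk = inherent risk minus the impact of the control."""
    return risk.inherent_loss * (1.0 - control.reduction)


def net_benefit(risk: Risk, control: Control) -> float:
    """Cost-benefit analysis: loss avoided per year minus the control's cost."""
    return (risk.inherent_loss - residual_loss(risk, control)) - control.annual_cost


def select_control(risk: Risk):
    """Activities 2-4: evaluate the options and pick the best-paying one.

    Returns (decision, control_or_None, residual_loss).  The risk is accepted
    when no option pays for itself, i.e. every control costs more than the
    loss it prevents.
    """
    best = max(risk.options, key=lambda c: net_benefit(risk, c), default=None)
    if best is None or net_benefit(risk, best) <= 0:
        return "Accept", None, risk.inherent_loss
    return "Reduce", best, residual_loss(risk, best)


def mitigation_plan(risks):
    """Activity 1 (rank from high to low by inherent loss), then decide each risk."""
    plan = []
    for risk in sorted(risks, key=lambda r: r.inherent_loss, reverse=True):
        decision, control, residual = select_control(risk)
        plan.append({
            "id": risk.id,
            "decision": decision,
            "control": control.name if control else None,
            "inherent": risk.inherent_loss,
            "residual": residual,
        })
    return plan


# Constructed sample figures; not taken from any real organization.
SAMPLE_RISKS = [
    Risk("R1", "Ransomware via phishing", 120_000.0, [
        Control("Mail filtering + awareness training", 15_000.0, 0.60),
        Control("Application allow-listing", 40_000.0, 0.85),
    ]),
    Risk("R2", "Laptop theft exposing data", 30_000.0, [
        Control("Full-disk encryption", 5_000.0, 0.90),
    ]),
    Risk("R3", "Defaced public brochure site", 2_000.0, [
        Control("Managed WAF subscription", 6_000.0, 0.80),
    ]),
]

if __name__ == "__main__":
    for row in mitigation_plan(SAMPLE_RISKS):
        print(row)
```

R3 shows the acceptance rule at work: the only available control costs more per year than the loss it would prevent, so the risk is accepted and its residual equals its inherent loss; for R1 the more expensive control is still selected because its net benefit is the larger one.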
Keywords:
Entry-level:
Control implementation, Risk reduction strategies, Safeguard selection, Cost-benefit analysis, Mitigation prioritization
Mid-level:
Compensating controls, Risk treatment plans, Residual risk management, Continuous risk mitigation, Security control optimization
Control and Control types
What is a control?
A control is a safeguard to reduce the chances of a threat exploiting a vulnerability.
A control is any administrative, managerial, technical, or legal method used to minimize information security risk. For example, implementing company-wide security awareness training to minimize the risk of a social engineering attack on your network and information systems.
A control objective is the desired result of implementing controls.
Types of Control:
Controls can be classified into 3 broad categories:
- Technical Controls: implemented as a system (hardware/software) Ex – Firewall, antivirus.
- Operational Controls: implemented by people rather than system. Ex – Security guard.
- Managerial Controls: implemented by management through policies that assign roles and responsibilities.
Preventive controls attempt to prevent an incident from occurring. Ex – IPS, Cryptography
Detective controls attempt to detect incidents after they have occurred. Ex – Internal Audit, IDS
Corrective controls attempt to reverse the impact of an incident. Ex – Patch management, updated policies.
Deterrent controls attempt to psychologically discourage individuals from causing an incident. Ex – policies, procedures, standards.
Keywords:
Entry-level:
Preventive controls, Detective controls, Corrective controls, Administrative controls, Technical controls
Mid-level:
Compensating controls, Deterrent controls, Recovery controls, Operational controls, Physical controls
AAA and Risk concept
What is non-repudiation?
It means a user cannot deny having performed a transaction.
It is a method by which the sender of data is provided with proof of delivery and the receiver of data is provided with the sender’s identity, so neither of them can deny having performed the transaction.
What is identification?
Identification is the process by which a subject professes an identity and accountability is initiated. After identification the process of AAA is initiated. Ex – Typing in a username.
What is Authentication?
The process of verifying that the claimed identity is valid.
What is Authorization?
Done after authentication, determines what users can and cannot access.
What is Accounting?
Record-keeping of authorized user’s activities on a network.
Authentication, Authorization and Accounting is referred to as AAA.
What is Accountability?
The state of being answerable to the actions and decisions that have been assigned.
What is Access Control?
Access control is determined by the following terms -
Role Management – determines who can access the data.
Rule Management – determines up to what extent can a user access the data.
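The AAA sequence and the two access-control terms above, written out as code so the boundaries between the steps are visible. This is an added example and not part of the original notes: the user store, roles, the "max_records" rule and the passwords are constructed, and the salted PBKDF2 storage of passwords is the assumed way the verifier keeps credentials.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Constructed user store: passwords kept as salted PBKDF2 hashes, never in plaintext.
_ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


_SALT = os.urandom(16)
USERS = {
    # identity -> (salt, password hash, role); passwords are constructed sample values
    "alice": (_SALT, _hash_password("constructed-analyst-pw", _SALT), "analyst"),
    "bob": (_SALT, _hash_password("constructed-auditor-pw", _SALT), "auditor"),
}

# Role management: which roles may access which data, and how.
ROLE_PERMISSIONS = {
    "analyst": {"incident_db": {"read", "write"}},
    "auditor": {"incident_db": {"read"}, "audit_log": {"read"}},
}

# Rule management: to what extent a role may access the data (constructed limit).
RULES = {"auditor": {"incident_db": {"max_records": 100}}}

# Accounting: a record of who did what, when, and whether it was allowed.
ACCOUNTING_LOG = []


def authenticate(username: str, password: str) -> bool:
    """Verify that the claimed identity is valid.

    Unknown usernames are compared against a dummy hash of the same length so
    the response time does not reveal which usernames exist.
    """
    salt, stored, _role = USERS.get(username, (_SALT, b"\x00" * 32, None))
    match = hmac.compare_digest(_hash_password(password, salt), stored)
    return match and username in USERS


def authorize(username: str, resource: str, action: str) -> bool:
    """Decide what an authenticated user can and cannot access (role management)."""
    role = USERS[username][2]
    return action in ROLE_PERMISSIONS.get(role, {}).get(resource, set())


def within_rules(username: str, resource: str, records: int) -> bool:
    """Rule management: is the requested extent of access permitted?"""
    role = USERS[username][2]
    limit = RULES.get(role, {}).get(resource, {}).get("max_records")
    return limit is None or records <= limit


def access(username: str, password: str, resource: str, action: str, records: int = 1) -> str:
    """Identification (the username) -> authentication -> authorization -> accounting."""
    if not authenticate(username, password):
        outcome = "DENY:authentication"
    elif not authorize(username, resource, action):
        outcome = "DENY:authorization"
    elif not within_rules(username, resource, records):
        outcome = "DENY:rule"
    else:
        outcome = "ALLOW"
    # Accounting records every attempt, denied ones included.
    ACCOUNTING_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": username, "resource": resource, "action": action,
        "records": records, "outcome": outcome,
    })
    return outcome


if __name__ == "__main__":
    access("alice", "constructed-analyst-pw", "incident_db", "write")
    access("bob", "constructed-auditor-pw", "incident_db", "write")
    access("bob", "constructed-auditor-pw", "incident_db", "read", records=500)
    access("mallory", "guess", "incident_db", "read")
    for entry in ACCOUNTING_LOG:
        print(entry)
```

Note that authorization is never consulted for a caller who failed authentication, and that the accounting log is written on the denied paths too; a log that only records successes cannot support accountability or incident investigation.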
What is a Threat vector?
It describes where a threat originates and the path it takes to reach the target. Ex – Email Attachment.
What is Risk Capacity?
The maximum amount of risk an organization can absorb in pursuit of its objectives. (Ability to take risks).
What is Risk Appetite?
The amount of risk that an entity is willing to accept in pursuit of its objectives. (Willingness to take risks).
What is Risk tolerance?
Defines the limits or boundaries of the risk.
What is Risk Owner?
An accountable point of contact at the senior leadership level who co-ordinates efforts to mitigate and manage risks. Ex – Chief Risk Officer
What is a Risk Custodian?
The IT team.
What is Risk Evaluation?
Comparing the risk against the risk criteria to determine the significance of risk.
What is Inherent Risk?
A risk without any security controls in place and with no attempt at mitigation.
Ex – A computer system susceptible to malware without any antivirus software installed.
What is Residual Risk?
The Risk that remains even after applying all intended controls.
Residual Risk = Inherent Risk – Impact of Controls
What is secondary risk?
A risk that arises as a result of an action taken to mitigate an existing risk.
What is Contingency Plan?
Plan used to manage primary and secondary risks.
What is Fallback Plan?
Plan used to manage Residual Risk.
What is Current Risk?
The risk that exists under current levels of controls.
Keywords:
Entry-level:
Authentication, Authorization, Accounting, Non-repudiation basics, Access control models
Mid-level:
Multi-factor authentication, Attribute-based access control, Federated identity management, Digital signatures for non-repudiation, Privileged Access Management (PAM)
What is NIST?
What is NIST?
National Institute of Standards and Technology.
It is a non-regulatory federal agency that develops and promotes standards and technologies to enhance productivity and improve quality of life.
NIST developed the Risk Management Framework (RMF) to improve information security and strengthen the risk management process in an organization.
NIST RMF Steps
1. Prepare: Establish the context for managing risks.
2. Categorize Information System: Define the sensitivity of the information.
3. Select controls and tailor them as needed to reduce risk to an acceptable level based on the risk assessment.
4. Implement the controls
5. Assess the controls to determine whether they are implemented correctly, producing the desired outcomes and satisfying the security requirements.
6. Authorize the information system
7. Monitor the security state.
SP 800-12 : An introduction to Computer Security.
SP 800-18 : Guide for developing security plans for information technology systems.
SP 800-26 : Security self-assessment guide for information technology systems.
SP 800-30 : Risk management guide for IT systems.
The purpose of special publication 800-30 is to provide guidance for conducting risk assessments of federal information systems and organizations, amplifying the guidance in SP 800-39.
What is Information Asset Profiling?
Classification of Information Assets to ensure CI of data.
What is NIST CSF?
Drafted by the National Institute of Standards and Technology (NIST), the NIST Cybersecurity Framework is a powerful tool to organize and improve your cybersecurity program.
The Core Functions of NIST CSF are:
1. Identify
2. Protect
3. Detect
4. Respond
5. Recover
6 Steps of IAP
1. Capture Background Information
2. Define the information asset
3. Identify the asset owner
4. Identify containers
5. Identify Security Requirements
6. Determine information asset valuation.
What is Data Sensitivity?
It deals mainly with confidentiality: information that should be protected from unauthorized access. Ex – PII
What is Data Criticality?
It deals mainly with availability: the level of importance of data to the success of the business.
What is asset container?
Any type of asset where an information asset is stored, processed or transmitted.
What is Information Asset Owner?
Individuals who have the primary responsibility of data protection.
What is Information Asset Custodian?
Individuals who have the responsibility of protecting an information asset as it is stored, transported or processed.
Potential Scenarios
Owner and custodian are same
Owner and custodian are different
Many different owners and custodians
Keywords:
Entry-level:
NIST Cybersecurity Framework, Framework Core (Identify, Protect, Detect, Respond, Recover), NIST standards and guidelines, NIST SP 800 series, Risk Management Framework (RMF) basics
Mid-level:
NIST SP 800-53 controls, NIST SP 800-171 compliance, NIST Privacy Framework, Mapping NIST to other frameworks, Implementing NIST in cloud environments
ISO-27001
International Organization for Standardization.
ISO 27001 is the leading international standard developed to help organizations, of any size or industry, protect their information in a systematic and cost-effective way through the adoption of an ISMS, i.e. an Information Security Management System.
What is ISMS?
An Information Security Management System is a set of policies and procedures for systematically managing an organization’s sensitive data.
In ISO 27001,
Clauses – 10 (4-10)
Controls – 114
Domains – 14
Clauses
1. Scope
2. Normative References
3. Terms and Definitions
(CLPSOPI)
4. Context of organization
4.1 Understanding the organization and its context.
4.2 Understanding the needs and expectations of interested parties.
4.3 Determining the scope of the ISMS
4.4 ISMS – establish, implement, maintain and continually improve an ISMS
Determine internal and external issues and establish, implement, maintain and continually improve an ISMS.
5. Leadership
5.1 Leadership and Commitment
5.2 Policy
5.3 Organizational Roles, Responsibilities and Authority
Top management should make sure responsibilities and authority is communicated.
6. Planning
6.1 Actions to address risks and opportunities
6.1.1 General
6.1.2 Information Security Risk Assessment
6.1.3 Information Security Risk Treatment
6.2 Information Security Objectives and planning to achieve them
Define risk and risk acceptance criteria; identify, assess and analyse risks. Information security objectives should be in line with the Information Security Policy.
7. Support
7.1 Resources (organization should provide resources for ISMS)
7.2 Competence (Appropriate training)
7.3 Awareness (of Information security policy)
7.4 Communication (what, when, with, how to communicate)
7.5 Documented Information
7.5.1 General
7.5.2 Creating and Updating
7.5.3 Control of documented information
Organization should provide resources for ISMS and Appropriate training should be done.
8. Operation
8.1 Operational Planning and Control
8.2 Information Security Risk Assessment
8.3 Information Security Risk Treatment
Documented information of risk assessment and treatment should be retained.
9. Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal Audit
9.3 Management Review
Evaluating the information security performance and effectiveness of the ISMS. Conducting internal audits at planned intervals.
10. Improvement
10.1 Non-Conformity and Corrective Action
10.2 Continual Improvement
In ISO 27001, there are – 14 Domains, 35 Control Objectives
Domains = I O H A A C P O C S S I I C
1. Information Security Policies
2. Organization of Information Security
3. Human Resources Security
4. Asset management
5. Access Control
6. Cryptography
7. Physical and Environmental Security
8. Operations Security
9. Communications Security
10. System Acquisition, Development and Maintenance
11. Supplier Relationship
12. Information Security for incident management
13. Information Security aspect for Business Continuity
14. Compliance
Control and Control Objectives.
A.5 Information Security Policies
A.5.1 Management Direction for Information Security
Review the policy at planned intervals; make the policy for Information Security.
A.6 Organization of Information Security
A.6.1 Internal Organization
A.6.2 Mobile Devices and Teleworking
It includes segregation of duties, mobile device policy and teleworking.
A.7 Human Resources Security
A.7.1 Prior to employment
A.7.2 During Employment
A.7.3 Termination and change of employment
It includes Screening (Background Verification), Terms and Conditions of Employment, Training, and termination or change of responsibilities.
A.8 Asset Management
A.8.1 Responsibility of Assets
A.8.2 Information Classification
A.8.3 Media Handling
Its aim is to identify organizational assets and define appropriate protection responsibilities.
It includes classification of information, labelling of information and handling of assets.
A.9 Access Control
A.9.1 Business Requirements of Access Control
A.9.2 User Access Management
A.9.3 User Responsibilities
A.9.4 System and Application Access Control
It includes access review, password management system and removal of access rights.
It limits access to information and information processing facilities.
A.10 Cryptography
A.10.1 Cryptographic Controls
A.10.2 Key Management
To make proper use of cryptography to ensure CIA of information.
A.11 Physical and Environmental Security
A.11.1 Secure Areas
A.11.2 Equipment
It includes controls like physical security which ensure prevention of unauthorized physical access to the organization’s information and securing offices, rooms and facilities.
A.12 Operations Security
A.12.1 Operational procedures and responsibility
A.12.2 Protection from Malware
A.12.3 Backup
A.12.4 Logging and Monitoring
A.12.5 Control of Operational Software
A.12.6 Technical Vulnerability Management
A.12.7 Information Systems Audit Considerations
It includes controls like Backup, Logging and Monitoring, Technical Vulnerability Management and ensures correct and secure operations of information processing facilities.
A.13 Communications Security
A.13.1 Network Security Management
A.13.2 Information Transfer
It includes network controls and segregation of networks to ensure protection of information in the network. Information transfer ensures protection of information transferred within an organization or with any external entity.
A.14 System Acquisition, Development and Maintenance
A.14.1 Security Requirements of Information Systems
A.14.2 Security in Development and Support Processes
A.14.3 Test Data
It includes test data to ensure the protection of data used for testing.
A.15 Supplier Relationship
A.15.1 Information Security in Supplier Relationship
A.15.2 Supplier Service Delivery Management
It includes Information Security in Supplier Relationship to ensure protection of the organization’s assets that are accessible by suppliers.
A.16 Information Security Incident management
A.16.1 Management of information security incidents and improvements.
To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.
A.17 Information Security Aspect of Business Continuity Management
A.17.1 Information Security Continuity
A.17.2 Redundancies
It ensures availability of information processing facilities.
A.18 Compliance
A.18.1 Compliance with legal and contractual requirements.
A.18.2 Information security reviews.
It includes protection of records, i.e. records will be protected from loss, destruction and unauthorized access in accordance with regulatory and business requirements.
What is ISO 27001:2022?
1. Total 93 controls
2. No controls were deleted.
3. 57 Controls merged into 24.
4. 11 new controls
4 Categories:
1. Organizational Controls (37)
Ex – Threat Intelligence, Information Security for Cloud Services
2. People Controls (8)
3. Physical Controls (14)
Ex – Physical Security Monitoring
4. Technological Controls (34)
Ex – Data Masking, Secure Coding
What is the difference between ISO 27001 and ISO 27002?
ISO 27001: Companies can get certified only against ISO 27001. It does not explain how the controls can be implemented.
ISO 27002: It is just a supporting standard containing details of the controls and how to implement them.
Keywords:
Entry-level:
Information Security Management System (ISMS), ISO 27001 clauses, Statement of Applicability (SoA), PDCA cycle in ISO 27001, ISO 27001 certification process
Mid-level:
ISO 27001 risk assessment methodology, Integrating ISO 27001 with other standards, ISO 27001 internal auditing, Continuous improvement in ISMS, ISO 27001 for cloud security
DRP (Disaster Recovery Plan) and BCP (Business Continuity Plan)
What is Disaster Recovery Planning?
It deals with restoring normal business operations after a disruption.
Information Security and Cyber Security assurance is achieved by implementing security controls. As an information security professional you must be able to compare types of security controls. You must be able to define how frameworks influence the selection and configuration of controls.
What is Business Continuity Plan (BCP)?
A BCP is a comprehensive document that outlines how an organization will resume critical business operations after a disruptive event.
It defines strategies for minimizing downtime, protecting essential assets, and ensuring the organization can continue functioning effectively during and after a crisis.
A well-developed BCP should address various potential disruptions, such as natural disasters, cyberattacks, power outages, and equipment failures.
Recovery Time Objective (RTO):
The RTO is a target timeframe that defines the acceptable amount of time it can take for an organization to resume critical business operations after a disruption.
It's essentially the answer to the question: "How long can we afford to be down?"
The RTO is a critical metric for businesses to consider, as longer downtime can lead to significant revenue losses, reputational damage, and customer dissatisfaction.
Recovery Point Objective (RPO):
The RPO defines the maximum tolerable amount of data loss that can occur due to a disruptive event.
It's essentially the answer to the question: "How much data can we afford to lose?"
The RPO depends on the criticality of the data and how often backups are performed. Organizations with frequently changing data might have a lower RPO, requiring more frequent backups.
Relationship Between BCP, RTO, and RPO:
The BCP serves as the overarching framework that outlines the strategies for achieving the RTO and RPO objectives.
The RTO and RPO are specific targets defined within the BCP to guide recovery efforts.
By understanding the acceptable downtime and data loss (RTO and RPO), organizations can develop a BCP that prioritizes resources and recovery procedures for critical functions.
Here's an example to illustrate:
A company's BCP might identify their online store as a critical function.
They might set an RTO of 4 hours for restoring the online store after a system failure.
Additionally, the RPO could be set to 1 hour, meaning they can tolerate losing up to 1 hour of sales data in the worst-case scenario.
In conclusion, BCP, RTO, and RPO are all crucial concepts for ensuring business continuity and minimizing the impact of disruptions. By understanding these terms and implementing them effectively, organizations can be better prepared to recover from unexpected events and maintain operational resilience.
In the context of cloud systems, the 3-2-1 backup rule is a best practice for data protection. It's a simple yet effective strategy to ensure redundancy and minimize the risk of data loss due to hardware failures, software errors, or even accidental deletions. Here's a breakdown of the 3-2-1 rule:
3 Copies:
Maintain at least three copies of your critical data.
This includes the original data stored in the cloud system (copy 1) and two additional backups (copies 2 and 3).
2 Different Media:
Don't store all your backups in the same place or on the same type of media.
This ensures that even if one storage location or media type fails, you still have other copies intact. Here are some examples of different media types:
Local storage (hard drive, SSD)
Remote cloud storage (different cloud provider)
Tape backups
1 Off-site Location:
At least one of your backups (copy 2 or copy 3) should be stored in a physically separate location from your primary data and the other backup.
This protects your data from disasters that could affect your main location, such as fires, floods, or natural disasters. Off-site storage options include:
Secondary cloud storage with a different provider
Physical storage at a remote facility
Benefits of 3-2-1 Backup Rule:
Enhanced Data Security: By having multiple copies of your data, you're less vulnerable to data loss from various threats.
Improved Disaster Recovery: In case of a disaster, you can quickly restore your data from the off-site backup, minimizing downtime and data loss.
Cloud-Specific Considerations:
While the core principles of the 3-2-1 rule remain the same, cloud storage offers some unique advantages and considerations:
Cloud Storage as Primary Data Location: Many organizations use cloud storage as their primary data storage location (copy 1).
Cloud Backup Services: Many cloud storage providers offer built-in backup functionalities or integrate with third-party backup services. These can automate the backup process and simplify implementing the 3-2-1 rule.
Cloud Security: While the cloud offers scalability and convenience, it's still crucial to consider cloud security best practices to protect your data stored in the cloud.
In essence, the 3-2-1 backup rule provides a robust framework for data protection in cloud systems. By following this strategy, you can significantly reduce the risk of data loss and ensure the availability of your critical information.
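The three parts of the rule are easy to state and easy to get wrong in practice, for instance when every "copy" is a snapshot in the same region of the same account. The following added Python example, not code from the page, checks a constructed inventory of data copies against the 3, 2 and 1 as defined above, and additionally flags the weaker condition of having every copy with one provider. Copy names, sites and provider names are hypothetical.

```python
from dataclasses import dataclass

# Constructed example of checking a backup inventory against the 3-2-1 rule.
# The copies, sites and provider names below are hypothetical.


@dataclass(frozen=True)
class DataCopy:
    name: str
    media: str          # storage technology, e.g. "object-storage", "block-snapshot", "tape"
    site: str           # where the copy physically lives: a region, data centre or office
    provider: str       # who operates that storage
    is_primary: bool = False


def check_321(copies):
    """Return {"failures": [...], "advisories": [...]} for an inventory of copies.

    failures   - the 3, 2 and 1 of the rule as the page states them
    advisories - an extra signal: every copy under one provider/account means one
                 set of credentials or one billing event can take them all out
    """
    primaries = [c for c in copies if c.is_primary]
    backups = [c for c in copies if not c.is_primary]
    if len(primaries) != 1:
        return {"failures": ["exactly-one-primary"], "advisories": []}
    primary = primaries[0]
    failures, advisories = [], []

    # 3 copies: the original plus at least two backups
    if len(copies) < 3:
        failures.append("3-copies")

    # 2 media: not every copy on the same kind of storage
    if len({c.media for c in copies}) < 2:
        failures.append("2-media")

    # 1 off-site: some backup sits away from the primary AND from the other backups
    offsite = any(
        b.site != primary.site and all(b.site != o.site for o in backups if o is not b)
        for b in backups
    )
    if not offsite:
        failures.append("1-offsite")

    if len({c.provider for c in copies}) < 2:
        advisories.append("single-provider")
    return {"failures": failures, "advisories": advisories}


# A layout that satisfies the rule: primary object storage, a same-region block
# snapshot for fast restores, and a copy at another provider in another region.
GOOD_INVENTORY = [
    DataCopy("orders-db", "object-storage", "eu-west", "CloudA", is_primary=True),
    DataCopy("orders-snapshot", "block-snapshot", "eu-west", "CloudA"),
    DataCopy("orders-archive", "object-storage", "us-east", "CloudB"),
]

# A common cloud mistake: three copies on two media, but all in one region and one account.
SAME_REGION_INVENTORY = [
    DataCopy("orders-db", "object-storage", "eu-west", "CloudA", is_primary=True),
    DataCopy("snap-daily", "block-snapshot", "eu-west", "CloudA"),
    DataCopy("snap-weekly", "block-snapshot", "eu-west", "CloudA"),
]

if __name__ == "__main__":
    print("good inventory:", check_321(GOOD_INVENTORY))
    print("same-region inventory:", check_321(SAME_REGION_INVENTORY))
```

The check deliberately works on the physical site rather than on bucket or volume names, because two snapshots with different names in the same region share the same fire, flood and regional-outage exposure.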
Keywords:
Entry-level:
Business Impact Analysis (BIA), Recovery Time Objective (RTO), Recovery Point Objective (RPO), Disaster Recovery Plan components, Business Continuity Plan elements
Mid-level:
Crisis management, IT service continuity, DRP/BCP testing and exercises, Cloud-based disaster recovery, Supply chain continuity
What is IT Audit?
IT auditing is the process of collecting and evaluating evidence to determine whether an organization:
1. Safeguards its assets (software, hardware, people)
2. Maintains data integrity
3. Complies with applicable regulations and standards.
An IT audit checks whether a policy is in place, whether the controls comply with that policy, and whether both adhere to the relevant standards and regulations.
What is Audit Criteria?
The set of policies, procedures and requirements used as a reference against which audit evidence is compared.
Audit Objective – what the audit is meant to accomplish.
Audit Scope – describes the extent and boundaries of the audit.
Audit Plan – lists all audit activities, together with the auditor’s name, the department to be audited and the timing of the audits.
Audit Program – the complete audit cycle, or blueprint, of the audits.
Keywords:
Entry-level:
IT audit objectives, Audit planning, Audit evidence collection, Audit reporting, Basic audit tools and techniques
Mid-level:
IT audit frameworks (e.g., COBIT), Continuous auditing, Data analytics in IT audits, IT compliance audits, Auditing emerging technologies
TPRM (Third Party Risk Management)
What is TPRM?
TPRM stands for Third-Party Risk Management. It's a process organizations use to identify, assess, and mitigate risks associated with their interactions with third-party vendors, suppliers, and partners.
Key Steps in a TPRM Process:
1. Identify Third Parties: Create a comprehensive inventory of all third parties your organization interacts with.
2. Risk Assessment: Evaluate the potential risks associated with each third party based on factors like their industry, security practices, and access to your data.
3. Due Diligence: Conduct thorough due diligence on high-risk vendors to assess their security posture, financial stability, and regulatory compliance.
4. Contract Negotiation: Include clauses in contracts that address risk mitigation strategies and hold third parties accountable for security breaches.
5. Ongoing Monitoring: Continuously monitor the performance and security posture of your third parties. This might involve periodic assessments, security audits, and performance reviews.
Here's a breakdown of why TPRM is important:
Increased Reliance on Third Parties: Modern businesses rely heavily on third parties for various services, from software and technology providers to logistics and manufacturing partners.
Potential Security Threats: Breaches or vulnerabilities within a third party can expose your organization's sensitive data or disrupt your operations.
Regulatory Compliance: Many regulations require organizations to manage third-party risks to ensure data privacy and security.
Financial and Reputational Risks: Failures or incidents involving third parties can lead to financial losses and reputational damage for your organization.
Overall, TPRM is a critical practice for organizations of all sizes in today's interconnected business environment. By implementing a robust TPRM program, you can protect your organization from potential threats, ensure compliance, and build stronger partnerships with your third parties.
Keywords:
Entry-level:
Third-party risk assessment, Vendor due diligence, Contract review basics, Vendor inventory management, Third-party incident response
Mid-level:
Third-party risk quantification, Continuous third-party monitoring, Fourth-party risk management, Third-party security ratings, Vendor risk management platforms
ITGC and ITAC
What is ITGC?
It stands for IT General Controls. There are six ITGC control areas:
1. Logical Access Controls (security policy, segregation of duties (SoD))
2. Change management
3. SDLC
4. Backup and Recovery
5. Physical Security (Deter, Delay, Detect, Assess, Respond)
6. Operations Control
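Segregation of duties, listed above under logical access controls, is the ITGC that auditors most often test with data rather than with interviews. The following added Python example, not code from the page, shows a detective check over current role assignments and a preventive check run before a new role is granted; the conflict is found on effective entitlements because it usually arises from combining two individually harmless roles. Role names, entitlements and the conflict matrix are hypothetical.

```python
# Constructed example of a segregation-of-duties (SoD) check, an ITGC logical
# access control. Role names, entitlements and the conflict matrix are hypothetical.

# Each role grants a set of fine-grained entitlements.
ROLE_ENTITLEMENTS = {
    "ap-clerk": {"vendor.create", "invoice.enter"},
    "ap-manager": {"payment.approve"},
    "developer": {"code.commit"},
    "release-engineer": {"prod.deploy"},
    "helpdesk": {"user.create"},
    "iam-admin": {"user.grant_admin"},
}

# Pairs of entitlements that must never be held by the same person: whoever can
# create a vendor must not also approve payments to it, and so on.
SOD_CONFLICTS = [
    frozenset({"vendor.create", "payment.approve"}),
    frozenset({"code.commit", "prod.deploy"}),
    frozenset({"user.create", "user.grant_admin"}),
]

# Current role assignments (constructed). Conflicts often hide across roles,
# not inside one role, which is why the check works on effective entitlements.
USER_ROLES = {
    "alice": {"ap-clerk"},
    "bob": {"ap-clerk", "ap-manager"},
    "carol": {"developer", "release-engineer"},
    "dave": {"helpdesk"},
}


def effective_entitlements(roles, role_entitlements=ROLE_ENTITLEMENTS):
    """Union of everything the given roles grant."""
    ents = set()
    for role in roles:
        ents |= role_entitlements[role]
    return ents


def find_sod_violations(user_roles=USER_ROLES, conflicts=SOD_CONFLICTS):
    """Detective control: list every (user, conflicting pair) in the current state."""
    violations = []
    for user in sorted(user_roles):
        ents = effective_entitlements(user_roles[user])
        for pair in conflicts:
            if pair <= ents:
                violations.append((user, tuple(sorted(pair))))
    return violations


def would_violate(user, new_role, user_roles=USER_ROLES, conflicts=SOD_CONFLICTS):
    """Preventive control: evaluate an access request before it is granted."""
    proposed = set(user_roles.get(user, set())) | {new_role}
    ents = effective_entitlements(proposed)
    return [tuple(sorted(p)) for p in conflicts if p <= ents]


if __name__ == "__main__":
    for user, pair in find_sod_violations():
        print(f"SoD violation: {user} holds both {pair[0]} and {pair[1]}")
    print("dave + iam-admin ->", would_violate("dave", "iam-admin"))
```

Running the detective check periodically over an export of the identity system, and the preventive check inside the access-request workflow, is the usual way to show an auditor that the control both exists and operates.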
What is ITAC?
It stands for IT Application Controls: automated controls built into an application (such as verification of entered data).
1. Input Controls: ensure the integrity of data entered.
2. Processing Controls: ensure processing is complete, accurate and authorized.
3. Output Controls: compare the output with the intended result.
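The three ITAC families are easiest to see on a batch interface, the classic audit setting. The following added Python example, not code from the page, processes a constructed batch of payment records: input controls validate each field, processing controls check completeness against the batch header and authorization of large amounts, and an output control reconciles what will be posted against what came in. Field names, the approval limit and all data are hypothetical.

```python
from decimal import Decimal
import re

# Constructed example of the three ITAC families applied to a batch of payment
# records. Field names, the approval limit and the data are hypothetical.

ACCOUNT_RE = re.compile(r"^\d{8}$")            # input rule: 8-digit account number
AMOUNT_RE = re.compile(r"^-?\d+\.\d{2}$")      # input rule: decimal with two places
APPROVAL_LIMIT = Decimal("1000.00")            # processing rule: above this, an approver is required

INPUT_BATCH = [
    {"id": "P-1001", "account": "12345678", "amount": "250.00"},
    {"id": "P-1002", "account": "87654321", "amount": "99.50"},
    {"id": "P-1003", "account": "1234ABCD", "amount": "10.00"},      # bad account format
    {"id": "P-1004", "account": "11112222", "amount": "-5.00"},      # negative amount
    {"id": "P-1005", "account": "33334444", "amount": "1250.00"},    # over limit, no approver
    {"id": "P-1006", "account": "55556666", "amount": "1500.00", "approved_by": "mgr-7"},
]
# Control totals the sending system attaches to the batch (constructed).
BATCH_HEADER = {"record_count": 6, "amount_total": "3104.50"}


def input_control(record):
    """Input control: every field must be well-formed and in range before
    the record is allowed into processing. Returns a list of error codes."""
    errors = []
    if not ACCOUNT_RE.match(record.get("account", "")):
        errors.append("account-format")
    if not AMOUNT_RE.match(record.get("amount", "")):
        errors.append("amount-format")
    elif Decimal(record["amount"]) <= 0:
        errors.append("amount-range")
    return errors


def process_batch(batch, header):
    accepted, rejected = [], []
    for rec in batch:
        errors = input_control(rec)
        if errors:
            rejected.append((rec["id"], errors))
            continue
        amount = Decimal(rec["amount"])
        # processing control (authorization): large payments need a recorded approver
        if amount > APPROVAL_LIMIT and not rec.get("approved_by"):
            rejected.append((rec["id"], ["authorization"]))
            continue
        accepted.append({"id": rec["id"], "account": rec["account"], "amount": amount})

    # processing control (completeness): every input record ended up posted or
    # rejected, and the batch received is the batch the sender says it sent
    parseable = [r for r in batch if AMOUNT_RE.match(r.get("amount", ""))]
    input_total = sum((Decimal(r["amount"]) for r in parseable), Decimal("0"))
    complete = len(accepted) + len(rejected) == len(batch) == header["record_count"]
    totals_match_header = input_total == Decimal(header["amount_total"])

    # output control: what is about to be posted plus what was rejected must
    # reconcile to what came in, so nothing was silently dropped or duplicated
    rejected_ids = {rid for rid, _ in rejected}
    posted_total = sum((a["amount"] for a in accepted), Decimal("0"))
    rejected_total = sum((Decimal(r["amount"]) for r in parseable if r["id"] in rejected_ids), Decimal("0"))
    output_reconciles = posted_total + rejected_total == input_total

    return {
        "accepted": accepted,
        "rejected": rejected,
        "complete": complete,
        "totals_match_header": totals_match_header,
        "posted_total": posted_total,
        "output_reconciles": output_reconciles,
    }


if __name__ == "__main__":
    result = process_batch(INPUT_BATCH, BATCH_HEADER)
    print("posted:", [a["id"] for a in result["accepted"]], "total", result["posted_total"])
    print("rejected:", result["rejected"])
    print("complete:", result["complete"], "header ok:", result["totals_match_header"],
          "reconciles:", result["output_reconciles"])
```

Rejected records are kept with their reasons rather than discarded, because the exception report is itself evidence an auditor will ask for: it shows the controls fired, and that every input record is accounted for.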
Keywords:
Entry-level:
IT General Controls (ITGC) components, Application controls basics, Segregation of duties, Change management controls, Backup and recovery controls
Mid-level:
ITGC in cloud environments, Automated application controls, Continuous controls monitoring, ITGC and ITAC integration, ITGC and ITAC in DevOps environments
GDPR (General Data Protection Regulation)
What is GDPR?
It stands for General Data Protection Regulation.
GDPR aims to protect the personal data of data subjects residing in the EU (European Union) / EEA (European Economic Area).
Data Subject: the natural person whose data is being used.
Data Controller: the one who decides what is going to happen with that data.
Data Processor: the one who processes the data at the direction of the controller.
GDPR is important for understanding the various aspects of privacy and the handling of personal data.
Organizations need to take GDPR seriously, as the monetary fines are huge:
Tier 1: €10 million or 2% of annual global turnover, whichever is higher
Tier 2: €20 million or 4% of annual global turnover, whichever is higher
There are 8 Data Rights of GDPR – (I ARERDOA)
1. The Right to Information
2. The Right of Access
3. The Right to Rectification
4. The Right to Erasure
5. The Right to Restrict Processing
6. The Right to Data Portability
7. The Right to Object
8. The Right to Avoid Automated Processing
There are 7 Data Protection Principles -
1. Lawfulness, fairness and transparency.
2. Purpose limitation.
3. Data minimisation.
4. Accuracy.
5. Storage limitation.
6. Integrity and confidentiality (security)
7. Accountability.
What is Supervisory Authority?
An independent public authority established by a member state.
What is DPIA?
A DPIA is a prior written assessment that describes a process designed to identify risks arising out of the processing of personal data and to minimise these risks as early as possible.
What is Data Breach Management?
Personal data breaches must be notified to the Supervisory Authority within 72 hours.
Keywords:
Entry-level:
GDPR principles, Data subject rights, Personal data and special categories, Data Protection Officer (DPO) role, Data breach notification
Mid-level:
Data Protection Impact Assessment (DPIA), Cross-border data transfers, GDPR compliance in cloud services, Privacy by design and default, GDPR enforcement and fines
SOX (Sarbanes-Oxley Act)
What is SOX?
In information security, SOX refers to the Sarbanes-Oxley Act of 2002. It's a United States law that aims to prevent corporate fraud and financial reporting errors by emphasizing internal controls and corporate governance.
Here's a breakdown of SOX and its impact on information security:
Key Provisions of SOX:
Increased Corporate Accountability: The act places greater responsibility on CEOs and CFOs for the accuracy of financial reports. This includes ensuring proper internal controls are in place to safeguard financial data.
Internal Controls Reporting: Publicly traded companies are required to maintain a strong system of internal controls and report on their effectiveness annually. This report is called an Internal Controls Report (ICR).
Independent Audits: SOX mandates independent audits of a company's financial statements and internal controls. This helps identify weaknesses and ensure compliance.
Impact on Information Security:
Focus on Data Security: SOX compliance requires companies to have strong data security practices in place. This includes protecting financial data from unauthorized access, modification, or deletion.
IT Infrastructure Security: The security of IT infrastructure that stores and processes financial data becomes critical under SOX. This might involve measures like access controls, encryption, and intrusion detection systems.
Improved Risk Management: SOX encourages a more proactive approach to risk management, including identifying and mitigating cybersecurity risks that could impact financial reporting.
Overall, SOX plays a significant role in information security by requiring companies to prioritize the protection of financial data and implement robust internal controls.
Keywords:
Entry-level:
SOX Section 302 and 404, Internal controls over financial reporting, SOX compliance requirements, Role of IT in SOX compliance, SOX documentation and testing
Mid-level:
IT controls maturity assessment, Continuous controls monitoring for SOX, SOX compliance in cloud environments, Integrating SOX with other compliance frameworks, Automated SOX testing and reporting
COBIT (Control Objectives for Information and related Technology)
What is COBIT?
COBIT stands for Control Objectives for Information and related Technology. It is a framework created by ISACA (Information Systems Audit and Control Association) for IT governance and management.
It was designed as a supporting tool for managers, bridging the crucial gap between technical issues, business risks, and control requirements.
COBIT is essential to developing, controlling, and maintaining risk and security for enterprises around the world, regardless of industry.
5 Principles of COBIT 5
1. Meeting stakeholder needs
2. Covering the Enterprise end-to-end
3. Single integrated Framework
4. Holistic approach of 7 enterprise Enablers
5. Separating governance from management
7 Enablers of COBIT 5 (i.e. Governance Enablers)
1. Principles, policies and frameworks
2. Processes
3. Organisational structures
4. Culture, ethics and behaviours
5. Information
6. Service infrastructure and applications
7. People skills and competencies
Keywords:
Entry-level:
COBIT framework overview, COBIT principles, COBIT enablers, IT governance vs. IT management, COBIT process assessment model
Mid-level:
COBIT implementation methodology, Integrating COBIT with other frameworks, COBIT for risk management, COBIT for information security, COBIT maturity model
HIPAA (Health Insurance Portability and Accountability Act)
What is HIPAA?
HIPAA stands for the Health Insurance Portability and Accountability Act, a United States law enacted in 1996. Here's a breakdown of its key provisions:
Portability:
HIPAA ensures individuals can keep their health insurance coverage if they change or lose their jobs.
This provision helps prevent people from being denied coverage due to pre-existing medical conditions.
Accountability:
HIPAA establishes national standards for protecting individuals' protected health information (PHI).
PHI includes any individually identifiable information relating to a person's past, present, or future physical or mental health, the provision of healthcare to the individual, or payment for the provision of healthcare to the individual.
The HIPAA Privacy Rule outlines specific requirements for covered entities (health plans, healthcare providers, and healthcare clearinghouses) regarding the use and disclosure of PHI.
The HIPAA Security Rule mandates security measures to protect electronic PHI (ePHI).
Benefits of HIPAA:
Protects patient privacy: HIPAA safeguards sensitive medical information from unauthorized access or disclosure.
Promotes trust in the healthcare system: Patients can feel more confident sharing their health information with healthcare providers knowing it's protected.
Standardizes data practices: HIPAA establishes uniform guidelines for handling PHI across the healthcare industry.
Key Components of HIPAA:
1. Privacy Rule: Defines how covered entities can use and disclose PHI, and patients' rights to access and control their health information.
2. Security Rule: Sets standards for protecting the confidentiality, integrity, and availability of ePHI.
3. Enforcement Rule: Outlines how the Department of Health and Human Services (HHS) enforces HIPAA regulations.
4. E-Health Provisions: Address the use and transmission of electronic health information.
Importance of HIPAA:
HIPAA plays a crucial role in safeguarding patient privacy and ensuring trust in the healthcare system. By understanding and complying with HIPAA regulations, healthcare providers can protect sensitive medical information and avoid potential penalties.
Keywords:
Entry-level:
Protected Health Information (PHI), HIPAA Privacy Rule, HIPAA Security Rule, Business Associate Agreements, HIPAA training requirements
Mid-level:
HIPAA risk analysis, HIPAA in cloud computing, HIPAA compliance audits, HIPAA and emerging technologies (IoT, AI), HIPAA enforcement and penalties
HI-TRUST (Health Information Trust Alliance)
What is HITrust?
HITrust, short for Health Information Trust Alliance, is an organization focused on information security in the healthcare industry. It does not deliver security services itself; rather, it creates a framework and resources to help organizations achieve and demonstrate a strong information security posture.
Here's a breakdown of what HITrust offers:
HITRUST CSF (Common Security Framework): This is a certifiable framework that outlines security controls and best practices for healthcare organizations. It incorporates elements from various established frameworks like ISO, NIST, and HIPAA, specifically addressing the security needs of patient health information (PHI).
HITRUST CSF Assurance Programs: These programs allow healthcare organizations to undergo assessments by qualified security professionals to validate their compliance with the HITRUST CSF. This can help organizations gain trust from patients, partners, and regulators.
Resources and Education: HITrust offers various resources and educational programs to help healthcare organizations understand and implement the HITRUST CSF effectively.
Benefits of using HITrust:
Improved Security: By implementing the HITRUST CSF, healthcare organizations can strengthen their security posture and protect sensitive patient data.
Compliance: The framework helps organizations comply with various healthcare-related regulations, including HIPAA.
Reduced Risk: A strong security posture can help mitigate the risk of data breaches and cyberattacks.
Increased Trust: Demonstrating HITRUST compliance can build trust with patients, partners, and regulators.
Overall, HITrust plays a vital role in ensuring the security and privacy of patient health information in the healthcare industry.
Keywords:
Entry-level:
HITRUST CSF overview, HITRUST assessment process, HITRUST certification levels, HITRUST domains, Mapping HITRUST to other frameworks
Mid-level:
HITRUST inheritance, HITRUST for third-party assurance, Continuous compliance with HITRUST, HITRUST in cloud environments, HITRUST for emerging technologies
PCI-DSS (Payment Card Industry Data Security Standard)
What is PCI-DSS?
It stands for Payment Card Industry Data Security Standard.
It is an information security standard for organizations that store or process credit or debit card details.
It enhances a cardholder’s data security.
All businesses, regardless of size, must follow PCI DSS requirements if they accept credit card payments from the five major brands – MasterCard, Visa, JCB, American Express and Discover (PCI Council).
PA-DSS is Payment Applications – Data Security Standard.
PCI-PTS is Payment Card Industry – Pin Transaction Security.
PCI Compliance Certification is valid for one year only.
PCI-DSS self-assessment should be done annually.
6 Principles and 12 Requirements of PCI-DSS
1. Build and maintain a secure network
Install and maintain a firewall configuration to protect cardholder data.
Do not use vendor supplied defaults for system passwords and other security parameters.
2. Protect Cardholder Data
Protect stored cardholder data.
Encrypt transmission of cardholder data across open/public networks.
3. Maintain a vulnerability management program
Use and regularly update anti-virus software or programs.
Develop and maintain secure systems and applications.
4. Implement strong access control measures
Restrict access to cardholder data by business need to know.
Assign a unique ID to each person with computer access.
Restrict physical access to cardholder data.
5. Regularly monitor and test networks
Track and monitor all access to network resources and cardholder data.
Regularly test security systems and processes.
6. Maintain an information security policy
Maintain a policy that addresses information security for employees and contractors.
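Requirement 2 ("Protect stored cardholder data") is where application code most often fails in practice: the full PAN leaks into logs, screens and reports. The following added Python example, not code from the page, shows three small controls that support that requirement: a Luhn check used to decide whether a digit run is a card number at all, masking to the first six and last four digits that PCI DSS permits for display, and a keyed one-way hash (HMAC-SHA256) as a reference for matching a card again without storing the PAN. The log line and the key handling are constructed; 4111111111111111 is a standard test PAN, not a real card.

```python
import hashlib
import hmac
import re
import secrets


def luhn_valid(pan: str) -> bool:
    """Input check: a real PAN passes the Luhn (mod-10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: PCI DSS permits at most the first six and last four digits
    to be shown; everything in between is replaced."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


PAN_CANDIDATE = re.compile(r"\b\d{13,19}\b")


def redact_pans(text: str) -> str:
    """Output control for logs and screens: mask any 13-19 digit run that passes
    Luhn so a full PAN never lands in a log file. Digit runs that fail Luhn
    (order ids, timestamps) are left untouched, which keeps false positives low."""
    def _sub(match):
        s = match.group()
        return mask_pan(s) if luhn_valid(s) else s
    return PAN_CANDIDATE.sub(_sub, text)


def pan_reference(pan: str, key: bytes) -> str:
    """Storage control: a keyed one-way hash of the full PAN that lets a system
    recognise the same card again without keeping the PAN. The key must be
    generated, stored and rotated as a cryptographic key, separately from the
    references themselves; a plain unkeyed hash of a 16-digit number is guessable."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


# Constructed sample log line (not real data); 4111111111111111 is a standard test PAN.
SAMPLE_LOG = "2024-03-01T10:15:00 checkout pan=4111111111111111 order=1234567890123 status=ok"

if __name__ == "__main__":
    print(redact_pans(SAMPLE_LOG))
    demo_key = secrets.token_bytes(32)   # in production this comes from a key store
    print(pan_reference("4111111111111111", demo_key))
```

Redaction at the logging layer is a safety net, not a substitute for never putting the PAN into the log call in the first place; the Luhn gate matters because naive digit-run masking also destroys order numbers and timestamps that investigators need.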
Entities in Payment Ecosystem
1. Cardholder
2. Issuer/Issuing Bank (Bank of cardholder/user)
3. Merchant
4. Acquirer (Bank which pays the merchant)
5. Payment Brands (Transfer data between the issuing bank and merchant)
Merchant Levels
Level 1: Minimum 6 million transactions per year
Level 2: 1.5 – 6 million transactions per year
Level 3: 20k – 1.5 million transactions per year
Level 4: < 20k transactions per year
QSA: Qualified Security Assessor reviews the merchant
SAQ: Self-Assessment Questionnaire (Filled Annually)
NSS: Network Security Scan (Quarterly)
Keywords:
Entry-level:
PCI-DSS requirements, Cardholder data environment, PCI-DSS compliance levels, Self-Assessment Questionnaires (SAQs), PCI-DSS testing procedures
Mid-level:
PCI-DSS in cloud environments, Point-to-Point Encryption (P2PE), Tokenization in PCI-DSS, PCI Software Security Framework, PCI-DSS compliance automation