Instructions: Cybersecurity Frameworks, Ed Moore Lecture Outline, Faculty of Arts | Department of Security Studies and Criminology

PLEASE ASSIGN THE SAME WRITER WHO DID 63564 AND 62922. Please answer the questions; I will send you a response from another student so you can do the second part of the task. Feel free to send it any time before the due date.


Lecture Outline
- What is a Cybersecurity Framework?
- Types of Cybersecurity Frameworks
- Implementation
- Examples

What is a Cybersecurity Framework?
- A cybersecurity framework is a set of policies and procedures, defined by leading cybersecurity organisations, that other enterprises adopt to strengthen their own security strategy.
- Most frameworks comprise a system of standards, guidelines and best practices for managing the risks that arise in the digital world.
- Some frameworks target specific industries; others are generic.
- Frameworks give security managers a reliable, systematic way to mitigate cyber risk no matter how complex the environment is.
- In some industries a framework is mandatory; in others it may only be strongly encouraged.

Confidentiality, Integrity and Availability (CIA)
- Confidentiality: measures designed to prevent sensitive information from reaching the wrong people.
- Integrity: maintaining the consistency, accuracy and trustworthiness of data over its entire life cycle.
- Availability: ensuring data is accessible to those who should be able to access it, when they need it.

Types of frameworks

Control frameworks
A control framework organises an organisation's internal controls. It covers:
- Identification of baseline controls
- Assessment of the state of technical capabilities
- Prioritisation of control implementation
- Development of an initial roadmap for the security team

Program frameworks
A program framework is used to build and strengthen an organisation's overall security program. It includes:
- Assessment of the overall security of a program
- Building a comprehensive security program
- Measuring maturity and conducting industry comparisons
- Simplifying (quantifying) communications with business leaders

Risk frameworks
A risk framework is used by organisations to assess and control risks within the business. It helps organisations prioritise security activities so that they are more cost- and time-effective. It includes:
- Defining key process steps for assessing and managing risk
- Structuring the risk management program
- Identifying, measuring and quantifying risk
- Prioritising risk activities

Implementation

Benefits
- Common language
- Adaptable
- Collaboration opportunities
- Ability to demonstrate due care
- Easier to maintain compliance
- Secure supply chain
- Cost efficiency

Implementation tiers (NIST CSF)
- Tier 1, Partial: organisations at Tier 1 have an ad-hoc and reactive cybersecurity posture. They have little awareness of organisational risk, and any plans they implement are applied inconsistently.
- Tier 2, Risk Informed: these organisations may approve cybersecurity measures, but implementation is still piecemeal. They are aware of risks, have plans and have the resources to protect themselves, but have not yet reached a proactive point.
- Tier 3, Repeatable: the organisation has implemented CSF practices company-wide and can respond to crises in a repeatable way. Policy is consistently applied, and employees are informed of risks.
- Tier 4, Adaptive: full adoption of the CSF. Adaptive organisations are not just prepared to respond to threats; they proactively detect threats and predict issues based on current trends and their IT architecture.

Defense in depth
- Defense in Depth (DiD) is an approach to cybersecurity in which a series of defensive mechanisms are layered to protect valuable data and information. If one mechanism fails, another is already in place to thwart the attack.
- Also referred to as the "castle approach".
- Improves the ability to detect and prevent attacks.
- The concept is to "harden" a company's network.
- Attackers lose momentum over time, because each layer has to be defeated in turn.
- Gives IT professionals time to detect and respond to an active attack.

Approaches to security management
Top-down
- Starts at the top and is pushed down to employees from management.
- The people responsible for protecting assets (senior management) drive the program.
- Senior management ensures funding and resources are in place and enforces rules and policies.
- The ideal way to implement a security policy.
Bottom-up
- Staff members (often a security or IT team) develop a security program without proper management support or direction.
- Responsibility for the security program is handed to the IT department alone.
- Far less effective.

Frameworks

Essential Eight
- Released by the Australian Signals Directorate (ASD) as a baseline for securing an organisation against the most common forms of attack.
- It is suggested that by implementing the Essential Eight an organisation can prevent around 85% of attacks, most of which rely on the basic techniques these mitigations address.
- The eight mitigation strategies are (the lecture slide lists seven; ASD's eighth, multi-factor authentication, is included here):
  - Application whitelisting
  - Patching applications
  - Configuring Microsoft Office macro settings
  - User application hardening
  - Restricting administrative privileges
  - Patching operating systems
  - Multi-factor authentication
  - Daily backups

PCI DSS
- The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards that targets any company that handles payment card transactions.
- It applies to any company, regardless of size, that accepts, transmits or stores cardholder information.
- As with many other certifications, compliance must be validated by an external assessor.
- Merchants are placed into levels based on the number of transactions they process annually:

  Level   Description
  1       Merchants processing over 6 million card transactions per year
  2       Merchants processing 1 to 6 million transactions per year
  3       Merchants processing 20,000 to 1 million transactions per year
  4       Merchants handling fewer than 20,000 transactions per year

PCI DSS requirements
- Install and maintain a firewall to protect cardholder information
- Change vendor-supplied defaults for system passwords
- Encrypt stored cardholder information
- Encrypt cardholder information in transit
- Keep anti-virus software regularly updated
- Develop and maintain secure systems
- Restrict access to information on a need-to-know basis
- Review access to system components
- Restrict physical access to data
- Maintain detailed logging mechanisms
- Regularly test the security of systems
- Maintain an information security policy

Information Security Manual
- The Information Security Manual (ISM) is a document released by the Australian Signals Directorate.
- It focuses on minimising risk from threats and protecting information and assets.
- It covers attack vectors and control areas such as:
  - Social engineering against high-ranking employees (CTO, CEO, etc.)
  - Physical security of assets
  - Personnel security
  - Communications infrastructure
  - Mobile device management
  - Software development
  - Database security

NIST
- The NIST Cybersecurity Framework (CSF) is a voluntary framework published by the US National Institute of Standards and Technology that outlines best practices for managing cybersecurity-related risk.
- It is designed to provide resilience for critical infrastructure and other services critical to national security.
- It can also be applied in other industries to provide a high level of protection.

RACGP
- The Royal Australian College of General Practitioners has released a set of standards and guidelines for organisations storing sensitive medical data.
- It focuses on identifying the risks associated with the storage of medical data.
- It also provides guidelines similar to the NIST framework with regard to business continuity.

ISO 27001
- A standard produced by the International Organization for Standardization (ISO).
- Focuses on risk management and security policy.
- Main sections are:
  - Risk assessment
  - Security policy
  - Organisation of information security
  - Asset management
  - Physical and environmental security
  - Access control
  - Incident management
  - Business continuity
  - Compliance

COBIT
- COBIT stands for Control Objectives for Information and Related Technology.
- Created by ISACA (Information Systems Audit and Control Association), a world-recognised IT governance body with more than 110,000 qualification holders worldwide.
- COBIT 4.1 is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks.
- The framework outlines a set of generic processes for the management and governance of IT systems.

COSO
- The COSO framework was designed by a group of five private-sector organisations specialising in auditing and accounting.
- It is a joint initiative of those five organisations and is dedicated to providing thought leadership through frameworks and guidance on enterprise risk management, internal control and fraud deterrence.
- Its five components work together to support the achievement of an entity's mission, strategies and related business objectives:
  - Control environment: establishes the foundation for internal control within the organisation.
  - Risk assessment: the various risks facing the company are identified and assessed routinely.
  - Control activities: controls and other mechanisms are proactively designed to address and mitigate the significant risks.
  - Information and communication: information critical to identifying risks and meeting business objectives is communicated through established channels up, down and across the company.
  - Monitoring: the entire system of internal control is monitored continuously and problems are addressed in a timely manner.

ITIL
- The Information Technology Infrastructure Library (ITIL) is a set of processes for aligning IT services with the needs of the business.
- A series of five books that outline the processes and stages of the IT service lifecycle.
- Helps businesses to:
  - Manage risk
  - Strengthen customer relations
  - Improve cost-effectiveness
  - Stabilise IT environments

Six Sigma
- Six Sigma is a process-improvement method that aims to minimise the costs caused by poor quality.
- Originally developed at Motorola, where Mikel Harry was one of its principal architects, in the late 1970s and 1980s.
- Sigma levels correspond to the percentage yield (non-faulty products).
- After extending Six Sigma to other areas, Motorola reported "a 58% reduction in the cost of quality, a 40% reduction in errors, and a 60% reduction in the time it took to design a new product".
- The concept works for manufacturing and other areas, but not directly for IT: because of the huge number of transactions in IT, it demands a higher standard than Six Sigma. Pyzdek (1999) illustrates what a "good enough" error rate would mean at scale:
  - 10,800,000 healthcare claims would be mishandled
  - 18,900 US savings bonds would be lost every month
  - 54,000 cheques would be lost each night by a single bank

  Sigma level   Faults per million
  1             691,462
  2             308,538
  3             66,807
  4             6,210
  5             233
  6             3.4
  7             0.019

CMMI
- Capability Maturity Model Integration (CMMI) helps assess the quality and capability of businesses.
- Originally developed for the US Department of Defense to assess its software contractors.
- CMMI best practices focus on what needs to be done to improve performance.
- Outlines five maturity levels that give a visible path for improvement.
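The PCI DSS section above pairs "encrypt stored cardholder information" with "maintain detailed logging mechanisms", and the place those two requirements collide in practice is application logging: a full primary account number (PAN) written into a log file turns that log into cardholder data. The following is an added example, not part of the lecture, showing the check a practitioner would run over log lines: find runs of digits that pass the Luhn check card schemes use, and replace them with the masked form PCI DSS permits (first six and last four digits at most). The log lines are constructed for the example; the card number is the widely published Visa test number 4111 1111 1111 1111.

```python
"""Added example (not from the lecture): detect and mask unmasked card numbers in
application log lines.  Sample log lines are constructed for this example."""
import re
from typing import List

# Candidate runs of 13-19 digits, optionally separated by single spaces or dashes,
# not glued to other digits or dashes on either side.
_PAN_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card schemes."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Show the first 6 and last 4 digits only, e.g. 411111******1111."""
    digits = re.sub(r"[ -]", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Return the Luhn-valid card-number candidates found in text (separators stripped)."""
    found = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def redact_line(line: str) -> str:
    """Replace every Luhn-valid candidate in a log line with its masked form."""
    def _sub(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return _PAN_CANDIDATE.sub(_sub, line)


# Constructed sample log lines: the first leaks a full PAN; the second carries a
# 13-digit epoch-millisecond timestamp that is the right length but fails Luhn,
# so it must not be reported or mangled.
SAMPLE_LOG = [
    "2021-09-03T12:00:01Z INFO checkout order=42 card=4111 1111 1111 1111 amount=10.00",
    "2021-09-03T12:00:02Z INFO checkout order=43 ts=1630670402000 card=4111******1111",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        hits = find_pans(line)
        print(("LEAK " if hits else "ok   ") + redact_line(line))
```

The Luhn filter is what keeps the scanner usable on real logs: order IDs, timestamps and session tokens are often 13 to 19 digits long, and roughly one in ten of them will pass Luhn by chance, so treat a hit as a signal to inspect, not proof, and fix the logging statement rather than relying on redaction after the fact.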
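The Six Sigma table above gives the faults-per-million figures without showing where they come from, and the lecture's argument that IT transaction volumes "demand a higher standard than six sigma" is easier to weigh once the numbers can be computed. The following is an added example, not from the lecture: it reproduces the table from the normal distribution and inverts it, so that a fault budget (for example one faulty transaction per million) can be converted into the sigma level it implies. One assumption, labelled in the code, is the conventional Six Sigma 1.5-sigma long-term process shift; it is that shift that makes the 6-sigma entry 3.4 faults per million rather than about 0.002.

```python
"""Added example (not from the lecture): compute the sigma-level table and invert it.
Assumption: the conventional 1.5-sigma long-term shift is applied."""
import math


def upper_tail(z: float) -> float:
    """P(Z > z) for a standard normal variable, via the complementary error function."""
    return 0.5 * math.erfc(z / math.sqrt(2.0))


def faults_per_million(sigma_level: float, shift: float = 1.5) -> float:
    """Defects per million opportunities at a given short-term sigma level.

    Assumes the process mean drifts by `shift` sigma over the long term (the
    usual Six Sigma convention), so the effective distance from the mean to
    the specification limit is sigma_level - shift.
    """
    return 1_000_000 * upper_tail(sigma_level - shift)


def sigma_for_faults(dpm: float, shift: float = 1.5) -> float:
    """Invert faults_per_million by bisection: the sigma level needed for `dpm` faults."""
    lo, hi = 0.0, 10.0
    for _ in range(100):
        mid = (lo + hi) / 2
        if faults_per_million(mid, shift) > dpm:
            lo = mid          # still too many faults: need a higher sigma level
        else:
            hi = mid
    return (lo + hi) / 2


def sigma_table(levels=range(1, 8)) -> dict:
    """Sigma level -> faults per million, rounded as the lecture table presents them."""
    table = {}
    for lvl in levels:
        dpm = faults_per_million(lvl)
        if dpm < 1:
            table[lvl] = round(dpm, 3)
        elif dpm < 10:
            table[lvl] = round(dpm, 1)
        else:
            table[lvl] = round(dpm)
    return table


if __name__ == "__main__":
    for lvl, dpm in sigma_table().items():
        print(f"{lvl} sigma: {dpm:>10} faults per million")
    # The lecture's point in numbers: a system handling a million transactions a
    # day that can tolerate one fault per day already needs about 6.25 sigma.
    print(f"sigma level for 1 fault per million: {sigma_for_faults(1.0):.2f}")
```

Running it prints the same seven rows as the table above, which confirms the lecture's figures are the shifted-normal tail probabilities and not empirical yields; the inversion is the useful direction for a security team, since a control that must stop all but one in a million malicious requests is being asked for better than 6 sigma.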
Answered same day. Sep 03, 2021. PICT3011, Macquarie University

Answer to: Cybersecurity Frameworks (Ed Moore lecture outline)

Dilpreet answered on Sep 07 2021
153 Votes
RESPONSE TO QUESTIONS
Table of Contents
Choosing the Framework
Industries Adhering to Consortium for IT Software Quality Framework
Three Important Actions Outlined by the Framework
Requirement for External Accreditation
Implementing This Framework with Other Frameworks
Replying to Assad Mouawad
Replying to Maddison Canuto
References
Choosing the Framework
The framework that I have chosen, other than the ones discussed in the lectures, is the Consortium for IT Software Quality. This framework covers standards for security that developers have to maintain while coming up with a software application or program. This framework also gives developers the authority to assess the risks and challenges they might face while developing their applications.
Industries Adhering to Consortium for IT Software Quality Framework
This neutral framework has been adapted by a number of suppliers and customers in the IT industry who focus on the development of IT application software and on improving the quality of IT software. The IT industry relies heavily on this framework in one or...