Hi there, glad to have you back! You’re halfway done with the first course,
so you’re making great progress. In this section, we’ll discuss how organizations protect
themselves from threats, risks, and vulnerabilities by covering key principles
such as: frameworks, controls, and ethics. To help you better understand how this
relates to the role of a security analyst, we’ll use an analogy. Imagine you want to plant a garden.
You research, plan, prepare, and purchase materials while
considering all the things that could potentially present a risk to your garden. You establish a plan to pull weeds,
spray for bugs, and water your plants regularly
to prevent issues or incidents. But as the days go by,
unexpected problems arise. The weather has been unpredictable and pests have been aggressively
trying to infiltrate your garden. You start implementing better ways to
safeguard your garden by installing a surveillance camera,
building a fence, and covering your plants with a canopy to
keep your garden healthy and growing. Now that you have a better idea
about the threats to your garden and how to keep your plants safe, you establish better policies and
procedures to continuously monitor and safeguard your garden. In this way, security resembles a garden. It’s an evolving industry that will
challenge you to make continuous improvements to policies and procedures
that help protect your organization and the people it serves. To that end, we’ll
introduce security frameworks and controls and
explain why they’re important. We’ll also cover core components and
specific examples of frameworks and controls, including the Confidentiality,
Integrity, and Availability Triad, or CIA Triad. We’ll end with the discussion
about the ethics of security and share a few notable ethical
concerns in the security field. Evolving security practices may
seem a little abstract, but many of us use them every day. For example, I use security keys,
which are a type of security control, as a second form of authentication
to access my accounts. The keys ensure that only
I can access my accounts, even if a password has been compromised. By improving confidentiality, they also assure me that the integrity
of my accounts is intact. Having processes and procedures in
place to organize security efforts and make informed decisions is important for
any organization. I’m so excited to get started,
and I hope you are too!

What are security frameworks and controls?

Security frameworks and controls are essential for managing security for all types of organizations. Security frameworks provide a structured approach to implementing a security lifecycle, while security controls are safeguards designed to reduce specific security risks.

What is the security lifecycle?

The security lifecycle is a constantly evolving set of policies and standards that define how an organization manages risks, follows established guidelines, and meets regulatory compliance, or laws. The security lifecycle typically includes the following phases:

1. Risk assessment: This phase involves identifying and assessing the organization’s security risks.
2. Risk mitigation: This phase involves implementing controls to reduce the organization’s security risks.
3. Monitoring and remediation: This phase involves monitoring the organization’s security posture and implementing changes as needed.
4. Audit and compliance: This phase involves ensuring that the organization is meeting its security compliance requirements.

What are the core components of security frameworks?

Security frameworks have four core components:

1. Identifying and documenting security goals: This involves identifying the organization’s security goals and documenting them in a way that is clear and concise.
2. Setting guidelines to achieve security goals: This involves developing policies and procedures that will help the organization achieve its security goals.
3. Implementing strong security processes: This involves implementing the policies and procedures that have been developed.
4. Monitoring and communicating results: This involves monitoring the organization’s security posture and communicating the results to stakeholders.

What are some well-known security frameworks?

There are many well-known security frameworks, including:

• The Information Security Management System (ISMS) is a framework that helps organizations manage their information security risks.
• The Payment Card Industry Data Security Standard (PCI DSS) is a framework that helps organizations protect cardholder data.
• The Health Insurance Portability and Accountability Act (HIPAA) is a framework that helps organizations protect patient health information.
• The General Data Protection Regulation (GDPR) is a framework that helps organizations protect the personal data of European citizens.

What are some security controls?

There are many different types of security controls, including:

• Access controls: These controls restrict who can access what data and systems.
• Authentication controls: These controls verify the identity of users before they are allowed access to systems and data.
• Authorization controls: These controls determine what users are allowed to do once they have been authenticated.
• Auditing controls: These controls track user activity and can be used to identify security breaches.
• Data encryption: This process scrambles data so that it cannot be read without the correct decryption key.
• Disaster recovery: This process ensures that the organization can recover from a disaster, such as a data breach or cyberattack.

How are security frameworks and controls used together?

Security frameworks and controls are used together to create a comprehensive security program. The framework provides the structure and the controls provide the specific measures that are needed to mitigate risks.

The specific security frameworks and controls that are used will vary depending on the organization’s specific needs and requirements. However, all organizations should have a security program that includes a framework and controls that are appropriate for their size, industry, and risk profile.

Imagine you’re working as a
security analyst and receive multiple alerts about suspicious
activity on the network. You realize that you’ll need to implement additional security
measures to keep these alerts from becoming serious incidents. But
where do you start? As an analyst, you’ll
start by identifying your organization’s
critical assets and risks. Then you’ll implement the necessary frameworks
and controls. In this video, we’ll discuss
how security professionals use frameworks to continuously
identify and manage risk. We’ll also cover how to use security controls to manage
or reduce specific risks. Security frameworks
are guidelines used for building plans to help mitigate risks and
threats to data and privacy. Security frameworks provide
a structured approach to implementing a
security lifecycle. The security lifecycle is a constantly evolving
set of policies and standards that define how an organization
manages risks, follows established guidelines, and meets regulatory
compliance, or laws. There are several
security frameworks that may be used to manage different types
of organizational and regulatory compliance risks. The purpose of security
frameworks include protecting personally identifiable
information, known as PII, securing financial information, identifying security weaknesses, managing organizational risks, and aligning security
with business goals. Frameworks have four
core components and understanding them
will allow you to better manage potential risks. The first core component is identifying and documenting
security goals. For example, an organization
may have a goal to align with the E.U.’s General
Data Protection Regulation, also known as GDPR. GDPR is a data protection
law established to grant European
citizens more control over their personal data. A security analyst may be
asked to identify and document areas where an organization is out of compliance with GDPR. The second core
component is setting guidelines to achieve
security goals. For example, when implementing guidelines to achieve
GDPR compliance, your organization
may need to develop new policies for how to handle data requests from
individual users. The third core component
of security frameworks is implementing strong
security processes. In the case of GDPR, a security analyst working for a social media company
may help design procedures to ensure
the organization complies with verified
user data requests. An example of this type
of request is when a user attempts to update or delete
their profile information. The last core component of security frameworks is monitoring and
communicating results. As an example, you may monitor your organization’s
internal network and report a potential security
issue affecting GDPR to your manager or
regulatory compliance officer. Now that we’ve introduced the four core components
of security frameworks, let’s tie them all together. Frameworks allow analysts
to work alongside other members of the
security team to document, implement, and use the policies and procedures that
have been created. It’s essential for an entry-level
analyst to understand this process because
it directly affects the work they do and how they
collaborate with others. Next, we’ll discuss
security controls. Security controls are safeguards designed to reduce
specific security risks. For example, your company may have a guideline
that requires all employees to complete a privacy training to reduce
the risk of data breaches. As a security analyst, you may use a software
tool to automatically assign and track which employees have completed
this training. Security frameworks
and controls are vital to managing
security for all types of organizations and
ensuring that everyone is doing their part to maintain
a low level of risk. Understanding their
purpose and how they are used allows analysts to support an organization’s
security goals and protect the
people it serves. In the following videos, we’ll discuss some
well-known frameworks and principles that
analysts need to be aware of to minimize risk
and protect data and users.

• What is secure design?

Secure design is the practice of building systems and applications with security in mind from the start. This means considering security risks and vulnerabilities at every stage of the development process, from requirements gathering to deployment.

• Why is secure design important?

Secure design is important because it can help to prevent security vulnerabilities from being introduced into systems and applications. This can help to protect organizations from cyberattacks, data breaches, and other security incidents.

• What are the principles of secure design?

There are many principles of secure design, but some of the most important include:

* **Defense in depth:** This principle states that security should be layered, with multiple layers of protection in place. This makes it more difficult for attackers to exploit vulnerabilities.
* **Least privilege:** This principle states that users should only be given the permissions they need to do their jobs. This helps to reduce the risk of unauthorized access to sensitive data.
* **Fail-safe defaults:** This principle states that systems and applications should be configured with the most secure settings by default. This helps to prevent attackers from exploiting default configurations.
* **Code review:** This process involves having an independent reviewer examine code for security vulnerabilities. This can help to identify and fix vulnerabilities before they are exploited.
* **Vulnerability scanning:** This process involves using automated tools to scan systems and applications for known vulnerabilities. This can help to identify vulnerabilities that need to be fixed.

• How to implement secure design?

There are many ways to implement secure design. Some of the most common methods include:

* **Using security frameworks and standards:** There are many security frameworks and standards available that can help organizations to implement secure design. Some of the most popular frameworks include the NIST Cybersecurity Framework and the ISO/IEC 27001 standard.
* **Conducting security assessments:** Security assessments can help organizations to identify and fix security vulnerabilities. There are many different types of security assessments available, such as penetration testing and vulnerability scanning.
* **Training employees:** Employees should be trained on security best practices. This training should cover topics such as password security, social engineering, and phishing.
* **Monitoring systems and applications:** Systems and applications should be monitored for security threats. This monitoring can be done using automated tools or manual processes.

• Conclusion

Secure design is an important part of any organization’s cybersecurity strategy. By following the principles of secure design, organizations can help to prevent security vulnerabilities from being introduced into systems and applications. This can help to protect organizations from cyberattacks, data breaches, and other security incidents.

What is the CIA triad?

A foundational cybersecurity model

The CIA (confidentiality, integrity, and availability) triad is a foundational cybersecurity model that helps inform how organizations consider risk when setting up systems and security policies.

Hi, welcome back! Previously, we
discussed frameworks and controls in general. In this video,
you’ll learn about specific frameworks and
controls that organizations can voluntarily use to minimize risks to their data
and to protect users. Let’s get started! The CIA triad is a foundational model that helps inform how
organizations consider risk when setting up systems
and security policies. CIA stands for confidentiality, integrity, and availability. Confidentiality means that
only authorized users can access specific
assets or data. For example, strict
access controls that define who should and should
not have access to data, must be put in place to ensure confidential data remains safe. Integrity means the data is correct, authentic,
and reliable. To maintain integrity, security professionals
can use a form of data protection like encryption to safeguard data from
being tampered with. Availability means data is accessible to those who are
authorized to access it. Let’s define a term
that came up during our discussion of the CIA triad: asset. An asset is an item perceived as having
value to an organization. And value is determined by the cost associated with the
asset in question. For example, an application
that stores sensitive data, such as social security
numbers or bank accounts, is a valuable asset
to an organization. It carries more risk
and therefore requires tighter security
controls in comparison to a website that shares
publicly available news content. As you may remember, earlier in the course, we discussed frameworks
and controls in general. Now, we’ll discuss a specific
framework developed by the U.S.-based National Institute of Standards
and Technology: the Cybersecurity
Framework, also referred to as the NIST CSF. The NIST Cybersecurity
Framework is a voluntary framework that
consists of standards, guidelines, and best practices to manage cybersecurity risk. It’s important to become
familiar with this framework because security teams use it as a baseline to manage
short and long-term risk. Managing and mitigating
risks and protecting an organization’s assets from threat actors are key goals
for security professionals. Understanding the
different motives a threat actor may have, alongside identifying
your organization’s most valuable assets
is important. Some of the most
dangerous threat actors to consider are
disgruntled employees. They are the most dangerous
because they often have access to sensitive information and know where to find it. In order to reduce
this type of risk, security professionals would use the principle of availability, as well as organizational
guidelines based on frameworks to ensure staff members can only access the data they need to
perform their jobs. Threat actors originate
from all across the globe, and a diverse workforce
of security professionals helps organizations identify
attackers’ intentions. A variety of perspectives
can assist organizations in understanding and mitigating the impact of
malicious activity. That concludes our
introduction to the CIA triad and
NIST CSF framework, which are used to
develop processes to secure organizations and
the people they serve. You may be asked in
an interview if you know about security
frameworks and principles. Or you may be asked to
explain how they’re used to secure
organizational assets. In either case,
throughout this program, you’ll have multiple
opportunities to learn more about them and apply what we’ve discussed
to real-world situations. Coming up, we’ll discuss the ethics of security.
See you soon!

Hello, my name is Heather and I’m the Vice President of
Security Engineering at Google. PII has been an important
topic on the internet since the beginning of the internet. And we have been talking about
increasingly sophisticated ways to protect that data over time. When we think about collecting
PII on behalf of another person, we should make sure we’re very
deliberate about how it’s handled and where it’s stored, and that we understand
where it’s stored all the time. Depending on what kind of role you’re in, you might also need to protect that
data to comply with regulation or law. And so, it’s important to understand
how the data relates to some of those obligations. If an organization fails
to meet their obligations, a number of things might happen. First, you might see a government
regulator become more interested in understanding the practices around
how a company is handling data. Secondly, consumers, customers,
businesses may actually begin to directly inquire of the company
how they’re handling data. And this may become part of
the customer relationship and increasingly important if
that data is very sensitive. And third,
the last consequence is legal action. And it’s not uncommon for
us to see victims of cybersecurity incidents now suing companies for
mishandling their data. You can keep up to date with compliance,
regulation and laws around PII by consulting the relevant website in the
jurisdiction that you have a question for. Many government websites now
post the laws, regulations, and compliance requirements for
data that’s being handled. The regulations and laws that govern how
PII can be handled are very complex, all over the world, countries, states, counties are regulating
it at different levels. It’s important to understand and
to be aware that these laws exist. However, if you need to ask
a question about a specific law, it’s important to seek advice from legal
counsel for that particular jurisdiction. It may be very different than
the jurisdiction that you’re in.

• Cybersecurity ethics is a branch of applied ethics that examines moral, legal, and social issues at the intersection of computer/information and communication technologies.
• Cybersecurity professionals have a responsibility to protect the confidentiality, integrity, and availability of information.
• This means that they should not misuse their access to information, they should not intentionally introduce vulnerabilities into systems, and they should take steps to prevent unauthorized access to systems.
• Cybersecurity professionals should also be aware of the laws that apply to their work, and they should not violate those laws.
• In some cases, there may be ethical dilemmas in cybersecurity. For example, a cybersecurity professional may be asked to break into a system to test its security. In this case, the professional would need to weigh the ethical implications of their actions before making a decision.

Here are some specific ethical principles that cybersecurity professionals should follow:

• Confidentiality: Cybersecurity professionals should keep information confidential that they have been entrusted with, such as passwords, personal data, and trade secrets.
• Integrity: Cybersecurity professionals should ensure that information is not modified or destroyed without authorization.
• Availability: Cybersecurity professionals should ensure that information is accessible to authorized users when they need it.
• Accountability: Cybersecurity professionals should be held accountable for their actions, both good and bad.
• Transparency: Cybersecurity professionals should be transparent about their work, and they should be willing to explain their decisions to others.

Cybersecurity ethics is an important field, and it is essential for cybersecurity professionals to be aware of the ethical implications of their work. By following the ethical principles outlined above, cybersecurity professionals can help to protect the confidentiality, integrity, and availability of information.

In security, new technologies
present new challenges. For every new security incident or
risk, the right or wrong decision isn’t always clear. For example, imagine that you’re working
as an entry-level security analyst and you have received a high risk alert. You investigate the alert and discover data has been
transferred without authorization. You work diligently to identify
who made the transfer and discover it is one of
your friends from work. What do you do? Ethically, as a security professional,
your job is to remain unbiased and maintain security and confidentiality. While it’s normal to
want to protect a friend, regardless of who the user in question may
be, your responsibility and obligation is to adhere to the policies and
protocols you’ve been trained to follow. In many cases, security teams are
entrusted with greater access to data and information than other employees. Security professionals must respect that
privilege and act ethically at all times. Security ethics are guidelines for making appropriate decisions
as a security professional. As another example, if you as an analyst
have the ability to grant yourself access to payroll data and can give yourself
a raise, just because you have access to do so, does that mean you should? The answer is no. You should never abuse the access
you’ve been granted and entrusted with. Let’s discuss ethical principles that
may raise questions as you navigate solutions for mitigating risks. These are confidentiality,
privacy protections, and laws. Let’s begin with the first ethical
principle, confidentiality. Earlier we discussed confidentiality
as part of the CIA triad. Now let’s discuss how confidentiality
can be applied to ethics. As a security professional,
you’ll encounter proprietary or private information, such as PII. It’s your ethical duty to keep that
information confidential and safe. For example, you may want to help
out a coworker by providing computer system access outside of
properly documented channels. However, this ethical violation can
result in serious consequences, including reprimands, the loss of
your professional reputation, and legal repercussions for
both you and your friend. The second ethical principle to
consider is privacy protections. Privacy protection means safeguarding
personal information from unauthorized use. For example,
imagine you receive a personal email after hours from your manager requesting
a colleague’s home phone number. Your manager explains that they can’t
access the employee database at the moment, but they need to discuss
an urgent matter with that person. As a security analyst, your role is to
follow the policies and procedures of your company, which in this example, state
that employee information is stored in a secure database and should never be
accessed or shared in any other format. So, accessing and sharing the employee’s
personal information would be unethical. In situations like this,
it can be difficult to know what to do. So, the best response is to
adhere to the policies and procedures set by your organization. A third important ethical principle
we must discuss is the law. Laws are rules that
are recognized by a community and enforced by a governing entity. For example, consider a staff
member at a hospital who has been trained to handle PII,
and SPII for compliance. The staff member has files with
confidential data that should never be left unsupervised, but
the staff member is late for a meeting. Instead of locking the files
in a designated area, the files are left on the staff
member’s desk, unsupervised. Upon the employee’s return,
the files are missing. The staff member has just violated
multiple compliance regulations, and their actions were unethical and illegal,
since their negligence has likely resulted in the loss of private patient and
hospital data. As you enter the security field, remember
that technology is constantly evolving, and so are attackers’ tactics and
techniques. Because of this, security professionals
must continue to think critically about how to respond to attacks. Having a strong sense of ethics can guide
your decisions to ensure that the proper processes and procedures are followed to mitigate
these continually evolving risks.

Hi, I’m Holly and I’m a Cloud Security Architect
with Google Cloud. At the beginning of
my adult career, I sold hosiery while I
was going to school. That led me into an opportunity
to work in banking, which then led me into an opportunity to work
in telecommunications. From there I managed
to get myself into a security vendor
and learn security. Part of the way
that I was able to change from my original half
of my tech career being a database administrator
to getting into cybersecurity was through
getting certificates like you’re doing today. Those really helped me
gain credibility with potential employers
when I didn’t have the experience in
this particular field yet. Ethics are really the
crux of cybersecurity, you need to be able to
be ethical in all of your actions in order to be a
cybersecurity professional. Examples of unethical
behavior are usually honestly just
slight laziness, people taking shortcuts
and not really thinking about the
consequences of their actions. So, certainly when people
share passwords to systems or give out
private information, or look into systems for their own personal information or purposes about people they
know or about celebrities. One of the most difficult
situations that I ever faced in my technology career related to ethics was shortly after 9/11, my boss’s boss’s boss came to me with a bunch of keywords
that were clearly related to the attack in New York and asked me to
query the database that I administered that had everybody’s
text messages in it for the entire
telecommunications company without anything in writing
and without a court order. I was in a very uncomfortable
position to tell someone that much senior than me that I wasn’t
comfortable doing that. I suggested that he bring
something in writing to me to do that and he found someone else
who did it for him. When you’re faced with one of
these difficult decisions, it’s good to think
about what would be the consequences
of your decision. My encouragement to those
of you out here taking this program is that
the rewards that you get from helping to protect
your company or your users or your organization from cyber
criminals is really great. We get to be the
good guys and help protect our industry and our customers from cyber attacks and cyber criminals.
That’s rewarding.

• Introduction

Cybersecurity is the practice of protecting systems, networks, and data from unauthorized access, use, disclosure, disruption, modification, or destruction. Cybersecurity professionals play a critical role in protecting the confidentiality, integrity, and availability of information.

Ethics is the study of what is right and wrong. In the context of cybersecurity, ethics refers to the moral principles that guide the behavior of cybersecurity professionals. Ethical behavior is essential for building trust and credibility in the cybersecurity community.

• Why is ethics important in cybersecurity?

There are many reasons why ethics is important in cybersecurity. Here are a few of the most important reasons:

* **To protect privacy and confidentiality.** Cybersecurity professionals have access to sensitive information, such as personal data and financial records. It is important for them to protect this information from unauthorized access and disclosure.
* **To prevent fraud and theft.** Cybersecurity professionals can help to prevent fraud and theft by identifying and patching security vulnerabilities. They can also help to educate users about cybersecurity best practices.
* **To maintain public trust.** When cybersecurity professionals act unethically, it can damage public trust in the entire cybersecurity community. This can make it more difficult to protect people and organizations from cyber attacks.
* **To set a good example.** Cybersecurity professionals are role models for others. When they act ethically, they set a good example for others to follow. This can help to create a more ethical and responsible cybersecurity community.

• What are some ethical considerations for cybersecurity professionals?

There are many ethical considerations for cybersecurity professionals. Here are a few of the most important considerations:

* **Confidentiality.** Cybersecurity professionals should keep confidential information confidential. This includes information that they have been entrusted with, as well as information that they have learned about in the course of their work.
* **Integrity.** Cybersecurity professionals should ensure that information is not modified or destroyed without authorization. They should also take steps to prevent unauthorized access to information.
* **Availability.** Cybersecurity professionals should ensure that information is accessible to authorized users when they need it. They should also take steps to prevent denial-of-service attacks.
* **Accountability.** Cybersecurity professionals should be held accountable for their actions, both good and bad. They should be willing to take responsibility for their mistakes and to learn from them.
* **Transparency.** Cybersecurity professionals should be transparent about their work. They should be willing to explain their decisions to others and to answer questions about their work.

• How can cybersecurity professionals stay ethical?

There are many things that cybersecurity professionals can do to stay ethical. Here are a few tips:

* **Get training on ethical hacking and security awareness.** This training will help you to understand the ethical implications of your work.
* **Adopt a code of ethics.** A code of ethics can help you to stay on track and to make ethical decisions.
* **Consult with a mentor or ethics advisor.** If you are faced with an ethical dilemma, you can consult with a mentor or ethics advisor for guidance.
* **Speak up if you see something wrong.** If you see a colleague or supervisor behaving unethically, you should speak up.

• Conclusion

Ethics is an important part of cybersecurity. Cybersecurity professionals should always strive to act ethically in the course of their work. By doing so, they can help to protect people and organizations from cyber attacks, build trust and credibility in the cybersecurity community, and set a good example for others.

You are now better prepared
to understand and help make decisions regarding
assessing and managing risks. Let’s review what we’ve covered. We discussed security
frameworks and controls and how
they’re used to develop processes and procedures that protect organizations and
the people they serve. We also discussed core
components of frameworks, such as identifying
security goals and establishing guidelines
to achieve those goals. Then, we introduced specific
frameworks and controls, including the CIA triad
and the NIST CSF, and how they are
used to manage risk. And finally, we discussed
security ethics, including common
ethical issues to consider, such as
confidentiality, privacy protections, and laws. You’re almost there, only one more section to go
in this course. Coming up, you’ll learn
about common tools and programming languages used by security analysts to protect
organizational operations. Hope you’re as excited
as I am to keep going!