
Module 1: Introduction to asset security

You will be introduced to how organizations determine what assets to protect. You’ll learn about the connection between managing risk and classifying assets by exploring the unique challenge of securing physical and digital assets. You’ll also be introduced to the National Institute of Standards and Technology (NIST) framework standards, guidelines and best practices to manage cybersecurity risk.

Learning Objectives

  • Define threat, vulnerability, asset, and risk.
  • Explain security’s role in mitigating organizational risk.
  • Classify assets based on value.
  • Identify whether data is in use, in transit, or at rest.
  • Discuss the uses and benefits of the NIST Cybersecurity Framework.

Get started with the course


Video: Introduction to Course 5

The world of security is a broad and exciting field that encompasses a variety of roles and responsibilities. From securing Gmail to protecting physical assets, security professionals work to safeguard valuable information and systems from harm. This course will introduce you to the fundamental concepts of asset security, security systems and controls, and threat modeling, equipping you with the knowledge to pursue a rewarding career in this dynamic field.

What do you picture when you think about the security field? This might make you think of a dark room with people hunched over their computers. Maybe you picture a person in a lab carefully analyzing evidence. Or, maybe you imagine a guard standing watch in front of a building. The truth is, no matter what thoughts cross your mind, all of these examples are part of the wide world of security.

Hi, my name is Da’Queshia. I have worked as a security engineer for four years. I’m excited to be your instructor for this course and share some of my experience with you. At Google, I’m part of a diverse team of security professionals who all have different backgrounds and unique perspectives. For example, in my role, I work to secure Gmail. Part of my daily activities include developing new security features and fixing vulnerabilities in the application to make email safer for our users. Some members of my team began working in security after graduating from college. Many others found their way into the field after years of working in another industry.

Security teams come in all different shapes and sizes. Each member of a team has a role to play. While our specific functions within the group differ, we all share the same objective: protecting valuable assets from harm. Accomplishing this mission involves a combination of people, processes, and tools. In this course, you’ll learn about each of these in detail.

First, you’ll be introduced to the world of asset security. You’ll learn about the variety of assets that organizations protect and how these factor into a company’s overall approach to security. Then, you’ll begin exploring the security systems and controls that teams use to proactively protect people and their information. All systems have weaknesses that can be improved upon. When those weaknesses are neglected or ignored, they can lead to serious problems. In this section of the course, you’ll focus on common vulnerabilities in systems and the ways security teams stay ahead of potential problems. Finally, you’ll learn about the threats to asset security. You’ll also be introduced to the threat modeling process that security teams use to stay one step ahead of potential attacks. In this field, we try to do everything possible to avoid being put in a compromised position.

By the end of this course, you’ll have a clearer picture of the ways people, processes, and technology work together to protect all that’s important. Throughout the course, you’ll also get an idea of the exciting career opportunities available to you. Security truly is an interdisciplinary field. Your background and perspective is an asset. Whether you’re a recent college graduate or starting a new career path, the security field presents a wide range of possibilities. So what do you say? Are you ready to go on this journey with me?

Video: Da’Queshia: My path to cybersecurity

Da’Queshia is a security engineer at Google who works to protect Gmail from threats. She has a diverse background, having worked in a variety of jobs before entering cybersecurity. She believes that her soft skills, such as time management, people skills, and communication, are valuable assets in her current role. She describes her job as a “Google security guard” and explains that she is responsible for identifying and fixing vulnerabilities in Gmail. She also emphasizes the importance of threat modeling and encourages anyone interested in cybersecurity to be patient and persistent.

Hi. My name is Da’Queshia. I’m a security engineer. That basically means I work securing Google’s products so users like you aren’t vulnerable. Before I entered cybersecurity, I worked installing Internet. I also worked at a chip factory. I worked in fast food. I sold shoes at the mall. I did a lot of things before I made it here. A lot of what I learned in my past jobs I actually use every day. Some of it is my soft skills like time management, people skills, and communication. As a new cybersecurity analyst, it’s important to be able to communicate, take feedback, and feel uncomfortable, not with the people around you, but with the problems you’re trying to solve because sometimes it requires you to think outside of the box and be challenged.

I would describe my job as a Google security guard because I work on the Gmail security team, it’s my job to protect Gmail. Some of those threats are people who are sending you bad emails, who are trying to get your user credentials or get you to click on a phishing link. When it comes to vulnerabilities, some of those could be something like unsanitized input, which can lead to trouble.

My typical work day starts like everyone else. I check my emails and then from there I go into my bug queue; it’s essentially when people tell me there’s a problem with one of our products. I start doing a little bit of research and then I like to explore the bug a little bit more. I like to figure out if this can break this, can it also break this, and if it can, what else can I do with it? Then from there, I look for a solution to make sure that I fix that hole and then any other holes that we might have in our security. Some of the things you learned about in this course is threat modeling, and that’s something I use every day. Whenever I get a bug, it’s part of my job to figure out the attack tree and what type of vectors we use to take advantage of vulnerabilities.

No one is born knowing everything. I know that sounds really cliche or like super obvious, but it helps me because it helps put some perspective the time and effort that everyone has to put in in order to learn something new. So be patient with yourself. Don’t let anyone discourage you from cybersecurity. Taking this course is one step closer to getting into your goal. Don’t get discouraged now. Keep going.

Introduction to assets


Video: Welcome to module 1

The increasing reliance on technology creates a massive amount of data, making businesses enticing targets for cybercriminals. This presents a growing need for security professionals with diverse perspectives to solve complex problems and protect sensitive information. This course will explore how assets, threats, and vulnerabilities are managed, the importance of asset inventories, and the challenges in the evolving digital landscape. You’ll learn about security plans built on policies, standards, and procedures, including the NIST Cybersecurity Framework used by companies to safeguard their customers and reputation. Buckle up, it’s time to embark on this exciting journey into the world of security!

We all depend on technology so much nowadays. Examples of this are all around us. Personal devices, like smartphones, help keep us in touch with friends and families across the globe. Wearable technologies help us achieve personal goals and be more productive. Businesses have also come to embrace technology in everyday life. From streamlining operations to automating processes, our world is more connected because of technology.

The more we rely on technology, the more information we share. As a result, an enormous amount of data is created every day. This huge surge in data creation presents unique challenges. As businesses become more reliant on technology, cybercriminals become more sophisticated in how they affect organizations. Data breaches are becoming increasingly serious due to all the sensitive data businesses are storing.

One positive aspect of these challenges is a growing need for individuals like you! Security is a team effort. Unique perspectives, like yours, are an asset to any organization. A team filled with diverse backgrounds, cultures, and experiences is more likely to solve problems and be innovative. As breach after breach hits the headlines, it’s clear that organizations need more professionals focused on security. Companies around the globe are working hard to keep up with the demands of a rapidly changing digital landscape. As the environment continues to transform, the more your personal experience is valuable.

In this section, we’ll start by exploring how assets, threats, and vulnerabilities factor into security plans. After that, we’ll discuss the use of asset inventories in protecting the wide range of assets that companies have. Then, we’ll consider the challenges in this rapidly changing digital world. And finally, you’ll gain an understanding of the building blocks of a security plan: its policies, standards, and procedures. We’ll examine the NIST Cybersecurity Framework that companies use to create security plans that protect their customers and their brands. I hope you’re as excited to go on this journey into this world of security as I am. Now, let’s get started!

Video: The what, why, and how of asset security

This passage emphasizes the importance of practice and planning in the field of security. Drawing parallels to activities like painting, mastering basketball moves, and playing a solo on the guitar, the text underscores the need for time, dedication, and focus to enhance skills. The focus shifts to security, highlighting the significance of planning for the future, a core skill in the profession.

The analogy of planning for a trip is used to illustrate the concept of dealing with uncertainty by preemptively solving problems. Businesses, like individuals, engage in risk analysis to plan for potential challenges. The passage introduces the CIA triad, emphasizing confidentiality, integrity, and availability as key components in security risk planning.

The process of security risk planning involves analyzing three elements: assets, threats, and vulnerabilities. Assets, considered valuable items to an organization, range from buildings and equipment to data and people. Threats encompass circumstances or events that can negatively impact assets, such as burglars or natural disasters. Vulnerabilities are weaknesses within assets that can be exploited by threats, like a weak lock on a door.

Security plans prioritize resources by considering the importance of assets, potential threats, and vulnerabilities. The passage concludes by stressing the need for security teams to account for a wide range of these elements to effectively plan for the future.

The What, Why, and How of Asset Security in Cybersecurity

Welcome, fellow security warriors! Today, we’ll delve into the realm of asset security, a cornerstone of any robust cybersecurity defense.

What are assets?

In the digital arena, assets are anything that holds value and can be compromised, impacting your organization’s operations, reputation, or finances. They include:

  • Data: Customer records, financial information, intellectual property – the lifeblood of your business.
  • Hardware: Servers, laptops, mobile devices – gateways to your sensitive information.
  • Software: Applications, operating systems, cloud platforms – the tools that keep things running.
  • Networks: The intricate web connecting your assets, a potential vulnerability if not secured.
  • People: Your employees, contractors, even customers – insiders who can be unknowingly manipulated.

Why is asset security crucial?

Imagine a fortress. Strong walls and vigilant guards protect your valuables. But if you don’t know what’s inside, hidden weaknesses can be exploited. That’s why asset security is vital:

  • Prevents breaches: By knowing your assets, you can identify and prioritize vulnerabilities before attackers do.
  • Minimizes damage: If a breach occurs, you can quickly isolate compromised assets and prevent widespread harm.
  • Ensures compliance: Regulations often mandate asset identification and protection, and neglecting them can lead to hefty fines.
  • Optimizes resources: You can focus your security efforts on the assets that matter most, saving time and money.

How do we achieve asset security?

Building your asset security fortress involves several steps:

1. Discovery:

  • Inventory everything: Conduct a thorough sweep, identifying all hardware, software, and data assets. Don’t forget cloud resources and shadow IT!
  • Classify assets: Categorize them based on their criticality and sensitivity. Customer data is likely more crucial than printers, right?
  • Document vulnerabilities: Scan your assets for known weaknesses and prioritize patching based on risk.

2. Protection:

  • Implement access controls: Granular permissions limit who can access what, preventing unauthorized use.
  • Secure configurations: Harden your systems and applications against common attack methods. Think strong passwords and encryption!
  • Monitor and detect: Continuously scan for suspicious activity and have a plan to respond swiftly to potential incidents.

3. Resilience:

  • Backup and recovery: Regularly back up your critical assets to ensure you can bounce back from attacks or disasters.
  • Incident response plan: Define clear procedures for identifying, containing, and recovering from breaches. Practice makes perfect!
  • Awareness and training: Educate your employees about cyber threats and how to identify and report suspicious activity.

Remember, asset security is an ongoing journey, not a destination. Regularly review your inventory, adapt to new threats, and embrace a culture of continuous improvement. By fortifying your assets, you’ll build a resilient digital fortress that can withstand even the fiercest cyber storms.
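
The Discovery step above (inventory everything, classify, prioritize patching by risk) is sketched here as an added example; it is not part of the course material. The asset names, findings, severity numbers and the per-label weights are constructed assumptions, and treating an unclassified asset as the most sensitive level is a choice made for this example.

```python
from dataclasses import dataclass, field

# Sensitivity weights for the four-level scheme (public, internal-only,
# confidential, restricted). The numeric weights are an assumption.
WEIGHT = {"public": 1, "internal-only": 2, "confidential": 3, "restricted": 4}


@dataclass
class Asset:
    asset_id: str
    kind: str                      # "hardware", "software", "data", "cloud"
    classification: str = ""       # empty string means "not yet classified"
    findings: list = field(default_factory=list)  # [(finding, severity 1-10)]


def reconcile(inventory, discovered_ids):
    """Compare the documented inventory with what a discovery sweep saw."""
    known = {a.asset_id for a in inventory}
    seen = set(discovered_ids)
    return {
        # On the network but not in the inventory: candidate shadow IT.
        "unknown": sorted(seen - known),
        # In the inventory but not seen: lost, retired or offline.
        "missing": sorted(known - seen),
        # Inventoried but never given a classification label.
        "unclassified": sorted(
            a.asset_id for a in inventory if a.classification not in WEIGHT
        ),
    }


def patch_queue(inventory):
    """Order documented weaknesses by severity times asset sensitivity."""
    rows = []
    for asset in inventory:
        # Unclassified assets get the highest weight so they are triaged
        # early instead of silently sinking to the bottom of the queue.
        weight = WEIGHT.get(asset.classification, max(WEIGHT.values()))
        for finding, severity in asset.findings:
            rows.append((severity * weight, asset.asset_id, finding))
    rows.sort(key=lambda r: (-r[0], r[1], r[2]))
    return rows


# Constructed sample data for the example.
INVENTORY = [
    Asset("db-customers", "data", "restricted", [("unencrypted-backup", 6)]),
    Asset("blog-cms", "software", "public", [("outdated-framework", 9)]),
    Asset("printer-2f", "hardware", "internal-only", [("default-admin-password", 7)]),
    Asset("laptop-017", "hardware", "confidential"),
    Asset("survey-bucket", "cloud", "", [("public-read-acl", 5)]),
]
DISCOVERED = ["db-customers", "blog-cms", "printer-2f", "survey-bucket", "nas-unknown"]

if __name__ == "__main__":
    for category, ids in reconcile(INVENTORY, DISCOVERED).items():
        print(f"{category:13} {ids}")
    for score, asset_id, finding in patch_queue(INVENTORY):
        print(f"{score:3}  {asset_id:14} {finding}")
```

The severity-9 finding on the public blog lands below the severity-6 finding on the restricted customer database, which is the effect classification is meant to have on prioritization.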

Bonus tips:

  • Automate tasks: Leverage tools to automate asset discovery, vulnerability scanning, and patching for efficiency.
  • Integrate with SIEM: Connect your asset inventory to your Security Information and Event Management (SIEM) system for centralized monitoring and incident response.
  • Stay informed: Keep yourself updated on the latest cyber threats and vulnerabilities to adapt your defenses accordingly.

Painting a portrait. Perfecting a new basketball move. Playing a solo on guitar. They all share something in common. Can you guess what it is? If you thought “practice,” you’re absolutely correct! It takes time, dedication, and focus to improve these skills. The security profession is no different. Planning for the future is a core skill that you’ll need to practice all the time in security.

We all deal with uncertainty by trying to solve problems before they arise. For example, if you’re going on a trip, you might think about the length of the trip and how much to pack. Maybe you’re traveling somewhere cold. You might bring coats and sweaters to help keep you warm. We all want to feel the security of knowing that there’s a plan if something goes wrong. Businesses are no different. Just like you, organizations try their best to plan ahead by analyzing risk. Security teams help companies by focusing on risk.

In security, a risk is anything that can impact the confidentiality, integrity, or availability of an asset. Our primary focus as security practitioners is to maintain confidentiality, integrity, and availability, which are the three components of the CIA triad. The process of security risk planning is the first step toward protecting these cornerstones. Each organization has their own unique security plan based on the risk they face. Thankfully, you don’t need to be familiar with every possible security plan to be a good security practitioner. All you really need to know are the basics of how these plans are put together.

Security plans are based on the analysis of three elements: assets, threats, and vulnerabilities. Organizations measure security risk by analyzing how each can have an effect on confidentiality, integrity, and availability of their information and systems. Basically, they each represent the what, why, and how of security. Let’s spend a little time exploring each of these in more detail.

As you might imagine, an asset is an item perceived as having value to an organization. This often includes a wide range of things. Buildings, equipment, data, and people are all examples of assets that businesses want to protect. Let’s examine this idea more by analyzing the assets of a home. Inside a home, there’s a wide range of assets, like people and personal belongings. The outside structure of a home is made of assets too, like the walls, roof, windows, and doors. All of these assets have value, but they differ in how they might be protected. Someone might place a lower priority on protecting the outside walls than on the front door, for example. This is because a burglar is more likely to enter through the front door than a wall. That’s why we have locks. With so many types of assets to think of, security plans need to prioritize resources. After all, no matter how large a security team is, it would be impossible to monitor every single asset at all hours of the day.

Security teams can prioritize their efforts based on threats. In security, a threat is any circumstance or event that can negatively impact assets. Much like assets, threats include a wide range of things. Going back to the example of a home, a threat can be a burglar who’s trying to gain access. Burglars aren’t the only type of threat that affect the security of windows and doors. What if either broke by accident? Strong winds can blow the door open during a bad storm. Or, kids playing with a ball nearby can accidentally damage a window. If any of these thoughts crossed your mind, great job! You’re already demonstrating a security mindset.

The final element of a security plan that we’re going to cover are vulnerabilities. In security, a vulnerability is a weakness that can be exploited by a threat. A weak lock on a front door, for example, is a vulnerability that can be exploited by a burglar. And old, cracked wood is a different vulnerability on that same front door that can increase the chances of storm damage. In other words, think of vulnerabilities as flaws within an asset. Assets can have many different types of vulnerabilities that are an easy target for attackers. We’ll explore different types of threats and vulnerabilities in greater detail later. For now, just understand that security teams need to account for a wide range of assets, threats, and vulnerabilities to effectively plan for the future.

What are the elements of security risk planning? Select three answers.

Assets, Vulnerabilities, Threats

Security risk planning involves the analysis of three elements: assets, threats, and vulnerabilities. An asset is an item perceived as having value to an organization, such as a cash register and the money inside it.

Reading: Understand risks, threats, and vulnerabilities


Video: Tri: Life in asset security

Tri is a security engineer at Google who is passionate about asset security. He got into the field after being hacked as a kid and wanting to learn how to defend himself. He enjoys building detections that catch malicious behavior and thinks it’s important to be able to think outside the box to solve complex problems. He’s proud to be on the security team and protect users from bad things happening on the internet.

I’m Tri, a security engineer at Google. My department is Detection and Response. Let’s see, what does my everyday look like? Well, of course I have the free lunch and coffee, which is nice. And then I finally get to my desk and I open up the SIEM to see what kind of exciting events are there for me to look into and what threats there could be out there for me to analyze. Also, I work on improving our analysis for detection of potential threats.

So my security passion developed at a young age. I was a victim of a hack, believe it or not. After school every day at that time I would go home and play a computer game. One day I got home, I brought it up and it said, “Your CD key is in use by…”, and then it gave some strange name there that I didn’t recognize. At first I felt shocked. I had bought this game myself and somebody stole my CD key, but it did provide me this motivation to start to learn how to defend myself. For example, I learned about manual removal of malware, and that became one of my favorite topics. Also, for fun, I started doing some white hat hacker activity against some of my friends.

Asset security is a very important field, and there’s many varieties of assets that you could be looking into to protect. My favorite part is building the detections that actually have the potential to catch malicious behavior. In asset management security, you have the ability to accurately inventory all of the assets which include IP, user data, employee machines, and to make sure you have a security posture that’s on par with what you need. There’s always new technology coming on the scene, new hardware, and we are responsible for understanding what potential new threats are out there. Problem solving ability and creative thinking is important in cybersecurity because there’s always complex problems, and people need to be able to think outside of the box, think creatively, and think holistically as they approach their solutions to mitigate risks.

Cybersecurity is a noble occupation. Many things can happen. Many bad things can happen on the Internet, but we can be there to stand up against it and we can be there to do something about it. We can be there to protect our users, or family members, or friends. That responsibility is heavy. But also, of course, it’s a very important mission. And I am proud to be within the security team.

Video: Security starts with asset classification

Introduction:

  • Difficulty in finding important items like keys or phone.
  • Similar challenge for organizations with growing number of assets.
  • Example of online retailer expanding and needing to protect increasing assets.

What is Asset Management?

  • Tracking and managing assets and their associated risks.
  • Essential for security planning.
  • Assets include equipment, data, intellectual property, etc.

Benefits of Asset Inventory:

  • Central part of asset protection.
  • Enables resource allocation and risk management.
  • Helps identify missing assets.

Asset Classification:

  • Labeling assets based on sensitivity and importance.
  • Common scheme: public, internal-only, confidential, restricted.
  • Public: shareable with anyone.
  • Internal-only: shareable within the organization.
  • Confidential: access limited to specific project members.
  • Restricted: highly sensitive, need-to-know access only.

Examples of Asset Classification:

  • Online retailer’s internal emails about a new product as confidential.
  • Doors at their office labeled restricted.

Impact of Classification:

  • Determines whether an asset can be disclosed, altered, or destroyed.

Conclusion:

  • Asset management is a continuous process for uncovering security gaps and managing risks.
  • Keeping track of organizational assets is crucial for effective security planning.

Security Starts with Asset Classification: Your Cybersecurity Foundation

In the ever-evolving landscape of cybersecurity, where threats lurk around every corner, defense starts with a crucial step: asset classification. It’s the foundation upon which you build your security posture, the first line of defense against ever-hungry attackers.

Imagine a bank vault. Before you install fancy locks and alarms, you need to know what treasures you’re protecting, right? That’s exactly what asset classification does for your organization’s digital assets.

What are assets?

Think beyond just servers and software. Your assets are anything that holds value to your organization, anything whose compromise could disrupt operations, damage reputation, or cause financial harm. They can be:

  • Tangible: Servers, laptops, mobile devices, buildings, even that old printer in the corner.
  • Intangible: Data (customer records, financial information, intellectual property), brand reputation, employee know-how, and even your online presence.

Why classify? It’s all about prioritization.

Classifying your assets helps you understand their relative importance and vulnerability. It’s like sorting your prized possessions – some might deserve a bank vault, while others are fine in a drawer.

Classification methods:

There are different ways to classify assets, but some common approaches include:

  • Confidentiality: Public, internal, confidential, and restricted. Public assets are like the newspapers everyone reads, while restricted ones are top-secret documents.
  • Impact: High, medium, low. Imagine the chaos if your customer database is breached compared to losing a company blog post.
  • Value: Critical, important, moderate, low. This might be based on financial worth or the asset’s role in core operations.

Benefits of classification:

  • Focused security: Allocate resources efficiently, protecting the crown jewels first.
  • Informed decisions: Make data-driven choices about security controls and investments.
  • Compliance adherence: Meet regulatory requirements that often mandate asset classification.
  • Reduced risk: Identify and address vulnerabilities before they become exploited.

Now, let’s get practical!

Here’s a step-by-step guide to implementing asset classification:

1. Inventory: Discover and document all your assets, leaving no digital stone unturned. Think of it as a treasure hunt!

2. Assess: Analyze each asset’s value, impact, and confidentiality using the chosen classification scheme.

3. Label: Clearly mark assets with their classification level, raising awareness and ensuring proper handling.

4. Maintain: This is an ongoing process, not a one-time thing. Regularly review and update your inventory as assets evolve.

5. Train: Educate your team about asset classification and its importance in safeguarding the organization’s treasures.

Remember, asset classification is a continuous journey, not a destination. Embrace it as a powerful tool to prioritize, protect, and ultimately, secure your organization’s vital assets.

By following these steps and staying vigilant, you’ll be well on your way to building a robust cybersecurity defense, one classified asset at a time.
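
How the four labels (public, internal-only, confidential, restricted) can drive an access decision and a label audit, as an added example that is not part of the course material. The people, assets and field names are constructed; denying access to unlabelled assets and requiring organization membership for confidential and restricted assets are assumptions of this example.

```python
from dataclasses import dataclass

# The four labels of the classification scheme described on this page.
LABELS = ("public", "internal-only", "confidential", "restricted")

# Data types the page gives as examples of restricted assets.
RESTRICTED_DATA = {"intellectual property", "health information", "payment information"}


@dataclass(frozen=True)
class Person:
    name: str
    in_org: bool                           # member of the organization?
    projects: frozenset = frozenset()      # projects the person works on


@dataclass(frozen=True)
class Asset:
    name: str
    label: str                             # one of LABELS; anything else = unlabelled
    project: str = ""                      # owning project, used for "confidential"
    need_to_know: frozenset = frozenset()  # named people, used for "restricted"
    data_types: frozenset = frozenset()


def may_access(person, asset):
    """Return (allowed, reason) for one person and one labelled asset."""
    if asset.label not in LABELS:
        # Assumption of this example: an unlabelled asset is denied, not public.
        return False, "unlabelled: denied until classified"
    if asset.label == "public":
        return True, "public: can be shared with anyone"
    if not person.in_org:
        return False, f"{asset.label}: not shared outside the organization"
    if asset.label == "internal-only":
        return True, "internal-only: shared within the organization"
    if asset.label == "confidential":
        if asset.project and asset.project in person.projects:
            return True, f"confidential: works on {asset.project}"
        return False, "confidential: not working on the owning project"
    if person.name in asset.need_to_know:
        return True, "restricted: on the need-to-know list"
    return False, "restricted: no need-to-know"


def audit_labels(assets):
    """Find assets whose label is missing or weaker than their data requires."""
    problems = []
    for asset in assets:
        if asset.label not in LABELS:
            problems.append((asset.name, "no valid label"))
        risky = sorted(asset.data_types & RESTRICTED_DATA)
        if risky and asset.label != "restricted":
            problems.append(
                (asset.name, "holds " + ", ".join(risky) + " but is not restricted")
            )
    return problems


# Constructed sample data for the example.
ALICE = Person("alice", True, frozenset({"new-product"}))
BOB = Person("bob", True)
VISITOR = Person("visitor", False)

ASSETS = [
    Asset("press-release", "public"),
    Asset("staff-handbook", "internal-only"),
    Asset("new-product-emails", "confidential", project="new-product"),
    Asset("card-vault", "restricted", need_to_know=frozenset({"bob"}),
          data_types=frozenset({"payment information"})),
    Asset("orders-export", "internal-only",
          data_types=frozenset({"payment information"})),
    Asset("old-share", ""),
]

if __name__ == "__main__":
    for person in (ALICE, BOB, VISITOR):
        for asset in ASSETS:
            allowed, reason = may_access(person, asset)
            print(f"{person.name:8} {asset.name:20} {'ALLOW' if allowed else 'DENY':5} {reason}")
    for name, problem in audit_labels(ASSETS):
        print(f"AUDIT {name}: {problem}")
```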

Bonus tip: Leverage technology! Asset management tools can automate much of the heavy lifting, freeing you to focus on strategic security decisions.

So, what are you waiting for? Grab your metaphorical magnifying glass and start unearthing the true value of your digital treasures. With asset classification as your guide, you’ll be well-equipped to navigate the ever-changing cybersecurity landscape and keep your organization safe and sound.

It can be really stressful when you have trouble finding something important. You’re late to an appointment and can’t find your keys! We all find ourselves in situations like these at one time or another. Believe it or not, organizations deal with the same kind of trouble. Take a few seconds to think of the number of important assets you have nearby. I’m thinking of my phone, wallet, and keys, for example.

Next, imagine that you’ve just joined a security team for a small online retailer. The company has been growing over the past few years, adding more and more customers. As a result, they’re expanding their security department to protect the increasing numbers of assets they have. Let’s say each of you are responsible for 10 assets. That’s a lot of assets! Even in this small business setting, that’s an incredible amount of things that need protecting. A fundamental truth of security is you can only protect the things you account for.

Asset management is the process of tracking assets and the risks that affect them. All security plans revolve around asset management. Recall that assets include any item perceived as having value to an organization. Equipment, data, and intellectual property are just a few of the wide range of assets businesses want to protect. A critical part of every organization’s security plan is keeping track of its assets. Asset management starts with having an asset inventory, a catalog of assets that need to be protected. This is a central part of protecting organizational assets. Without this record, organizations run the risk of losing track of all that’s important to them. A good way to think of asset inventories is as a shepherd protecting sheep. Having an accurate count of the number of sheep helps in a lot of ways. For example, it will be easier to allocate resources, like food, to take care of them. Another benefit of asset inventory might be that you’d get an alert if one of them goes missing.

Once more, think of the important assets you have nearby. Just like me, you’re probably able to rate them according to the level of importance. I would rank my wallet ahead of my shoes, for example. In security, this practice is known as asset classification. In general, asset classification is the practice of labeling assets based on the sensitivity and importance to an organization. Organizations label assets differently. Many of them follow a basic classification scheme: public, internal-only, confidential, and restricted. Public assets can be shared with anyone. Internal-only can be shared with anyone in the organization but should not be shared outside of it. And confidential assets should only be accessed by those working on a specific project. Assets classified as restricted are typically highly sensitive and must be protected. Assets with this label are considered need-to-know. Examples include intellectual property and health or payment information.

For example, a growing online retailer might mark internal emails about a new product as confidential because those working on the new product should know about it. They might also label the doors at their offices with the restricted sign to keep everyone out who doesn’t have a specific reason to be in there. These are just a couple of everyday examples that you may be familiar with from your prior experience. For the most part, classification determines whether an asset can be disclosed, altered, or destroyed. Asset management is a continuous process, one that helps uncover unexpected gaps in security for potential risks. Keeping track of all that’s important to an organization is an essential part of security planning.

Fill in the blank: _____ assets are often highly sensitive and considered need-to-know.

Restricted

Restricted assets are often highly sensitive and considered need-to-know.

Reading: Common classification requirements


Practice Quiz: Test your knowledge: Introduction to assets

What is a risk?

A security professional discovers a rogue access point on their company WiFi that is not managed by the networking team. The rogue device is altering and deleting sensitive records without authorization. What is the rogue device in this scenario?

A product team is storing customer survey data for a new project in a cloud drive. The data is only accessible to product team members while the project is in development. What is this data’s asset type?

What is the practice of labeling assets based on sensitivity and importance to an organization?

Practice Quiz: Activity: Classify the assets connected to a home network

Reading: Activity Exemplar: Classify the assets connected to a home network

Digital and physical assets


Video: Assets in a digital world

The passage discusses the importance of security in protecting organizational assets, particularly focusing on the value of information, often in digital form or data. It introduces the three states of data: in use, in transit, and at rest, emphasizing the significance of safeguarding data in each state. The text highlights that weak information security can lead to serious consequences such as identity theft and financial loss. It also notes the evolving nature of data at rest, with increasing reliance on cloud storage. The conclusion emphasizes the need to adapt to the changing digital landscape and underscores the importance of understanding where data is and what it’s doing for effective security management.

Welcome back! We’ve covered a lot of information so far. I hope you’re having as much fun exploring the role of security as I am! We’ve explored what organizational assets are and why they need protection. You’ve also gotten a sense of the tremendous amount of assets security teams protect. Previously, we began examining security asset management and the importance of keeping track of everything that’s important to an organization. Security teams classify assets based on value.

Next, let’s expand our security mindset and think about this question. What exactly is valuable about an asset? These days, the answer is often information. Most information is in a digital form. We call this data. Data is information that is translated, processed, or stored by a computer. We live in a connected world. Billions of devices around the world are linked to the internet and are exchanging data with each other all the time. In fact, millions of pieces of data are being passed to your device right now! When compared to physical assets, digital assets have additional challenges. What you need to understand is that protecting data depends on where that data is and what it’s doing. Security teams protect data in three different states: in use, in transit, and at rest. Let’s investigate this idea in greater detail.

Data in use is data being accessed by one or more users. Imagine being at a park with your laptop. It’s a nice sunny day, and you stop at a bench to check your email. This is an example of data in use. As soon as you log in, your inbox is considered to be in use.

Next is data in transit. Data in transit is data traveling from one point to another. While you’re signed into your account, a message from one of your friends appears. They sent you an interesting article about the growing security industry. You decide to reply, thanking them for sending this to you. When you click send, this is now an example of data in transit.

Finally, there’s data at rest. Data at rest is data not currently being accessed. In this state, data is typically stored on a physical device. An example of data at rest would be when you finish checking your email and close your laptop. You then decide to pack up and go to a nearby cafe for breakfast. As you make your way from the park towards the cafe, the data in your laptop is at rest.

So now that we understand these states of data, let’s connect this back to asset management. Earlier, I mentioned that information is one of the most valuable assets that companies can have. Information security, or InfoSec, is the practice of keeping data in all states away from unauthorized users. Weak information security is a serious problem. It can lead to things like identity theft, financial loss, and reputational damage. These events have potential to harm organizations, their partners, and their customers.

And there’s more to consider in your work as a security analyst. As our digital world continually changes, we are adapting our understanding of data at rest. Physical devices like our smartphones more commonly store data in the cloud, meaning that our information isn’t necessarily at rest just because our phone is resting on a table. We should always be mindful of new vulnerabilities as our world becomes increasingly connected. Remember, protecting data depends on where the data is and what it’s doing. Keeping track of information is part of the puzzle that companies solve when considering their security plan. Understanding the three states of data enables security teams to analyze risk and determine an asset management plan for different situations.

The only type of data that security teams must protect is data in use.

False

Security teams are responsible for protecting data in all states: in use, in transit, and at rest.

Reading: The emergence of cloud security

Practice Quiz: Test your knowledge: Digital and physical assets

What is the practice of keeping data in all states away from unauthorized users?

An employee is promoted to a new role, so their workstation is transferred to a different office. As the employee’s workstation is being relocated, what data state are its files in?

What is an example of data in transit?

Fill in the blank: Data is in use when it is being _____ by one or more users.

Risk and asset security


Video: Elements of a security plan

Security is about people, processes, and technology. It requires everyone in the organization to participate, from employees to vendors to customers. Security plans are essential for preparing for risks and ensuring everyone is aligned.

Three key elements of security plans:

  • Policies: Set of rules to reduce risk and protect information. They address strategic questions like “what are we protecting and why?”
  • Standards: Reference points for how well assets are being protected. They inform policy creation.
  • Procedures: Step-by-step instructions for specific security tasks. They ensure accountability, consistency, and efficiency across the organization.

Security plans are tailored to each organization’s goals. Understanding their structure and the roles of policies, standards, and procedures is crucial for effective security implementation.

Elements of a Security Plan in Cybersecurity

In the ever-evolving digital landscape, where cyber threats are constantly on the rise, having a robust security plan is no longer a luxury, it’s a necessity. A well-defined security plan acts as a roadmap, guiding your organization in identifying, mitigating, and responding to cyber threats. It’s not simply a document, but a dynamic framework that requires continuous improvement and adaptation.

What is a Security Plan?

A security plan is a comprehensive document that outlines the strategies and procedures your organization will implement to protect its critical assets, including data, systems, and applications. It should be tailored to your specific needs and risk profile, and address all aspects of your security posture, from access control and incident response to risk assessment and employee training.

Essential Elements of a Security Plan:

1. Policies:

  • Purpose: Policies serve as the foundation of your security plan, outlining the overall principles and expectations for cybersecurity within your organization.
  • Key components: Acceptable Use Policy (AUP), Data Protection Policy, Password Policy, Incident Response Policy, etc.
  • Example: An acceptable use policy (AUP) defines the permitted and prohibited activities for users accessing your organization’s resources, such as email, internet usage, and data handling.

2. Standards:

  • Purpose: Standards provide specific technical specifications and guidelines for implementing your security policies. They ensure consistency and effectiveness in your security controls.
  • Key components: Password complexity standards, encryption standards, data classification standards, etc.
  • Example: The National Institute of Standards and Technology (NIST) publishes security standards and guidelines that organizations can adopt, such as NIST Special Publication 800-53 for security controls.

3. Procedures:

  • Purpose: Procedures provide step-by-step instructions for performing specific security tasks and responding to incidents. They ensure clear and consistent execution of security measures.
  • Key components: Procedures for incident reporting, password reset, data backup, system access control, etc.
  • Example: A procedure for incident reporting should detail the steps employees should take if they suspect a security breach, including who to contact and what information to provide.

4. Risk Assessment:

  • Purpose: Regularly evaluating your security posture and identifying potential risks is crucial for prioritizing your resources and focusing your efforts on the most critical areas.
  • Key components: Identifying assets, vulnerabilities, threats, and potential impacts.
  • Example: Conducting a penetration test can help you identify vulnerabilities in your systems and applications before attackers exploit them.

5. Incident Response:

  • Purpose: Having a well-defined incident response plan ensures you are prepared to react quickly and effectively to security breaches. It minimizes damage and restores operations as quickly as possible.
  • Key components: Defining roles and responsibilities, communication protocols, containment and eradication procedures, post-incident review and analysis.
  • Example: An incident response plan should outline the steps to be taken in case of a data breach, such as isolating the affected systems, notifying relevant authorities, and communicating with impacted individuals.

6. Training and Awareness:

  • Purpose: Educating your employees about cybersecurity best practices is essential for reducing human error and promoting a culture of security within your organization.
  • Key components: Training on phishing awareness, password hygiene, data security, and incident reporting.
  • Example: Conducting regular phishing simulations can help employees identify and avoid malicious emails.

Additional Considerations:

  • Compliance Requirements: Ensure your security plan adheres to any relevant industry regulations or compliance requirements.
  • Continuous Improvement: Regularly review and update your security plan to adapt to changes in your organization and the evolving threat landscape.
  • Testing and Validation: Regularly test your security controls and procedures to identify and address any weaknesses.
  • Communication and Collaboration: Foster open communication and collaboration across all levels of your organization to promote security awareness and ensure everyone is on the same page.

Conclusion:

By implementing a robust security plan with these essential elements, you can significantly improve your organization’s security posture and proactively protect your critical assets from cyber threats. Remember, security is an ongoing process, not a one-time event. By continuously monitoring, evaluating, and improving your security plan, you can ensure your organization remains resilient in the face of ever-evolving cyber threats.

Security is all about people, processes, and technology. It’s a team effort, and I mean that literally. Protecting assets extends well beyond one person or a group of people in an IT department. The truth of the matter is that security is a culture. It’s a shared set of values that spans all levels of an organization. These values touch everyone, from employees, to vendors, to customers. Protecting digital and physical assets requires everyone to participate, which can be a challenge. That’s what security plans are for! Plans come in many shapes and sizes, but they all share a common goal: to be prepared for risks when they happen. Placing the focus on people is what leads to the most effective security plans. Considering the diverse backgrounds and perspectives of everyone involved ensures that no one is left out when something goes wrong.

We talked earlier about the risk as being anything that can impact the confidentiality, integrity, or availability of an asset. Most security plans address risks by breaking them down according to categories and factors. Some common risk categories might include the damage, disclosure, or loss of information. Any of these can be due to factors like the physical damage or malfunctions of a device. There are also factors like attacks and human error. For example, a new school teacher may be asked to sign a contract before their first day of class. The agreement may warn against some common risks associated with human error, like using a personal email to send sensitive information. A security plan may require that all new hires sign off on this agreement, effectively spreading the values that ensure everyone’s in alignment. This is just one example of the types and causes of risk that a plan might address. These things vary widely depending on the company. But how these plans are communicated is similar across industries.

Security plans consist of three basic elements: policies, standards, and procedures. These three elements are how companies share their security plans. These words tend to be used interchangeably outside of security, but you’ll soon discover that they each have a very specific meaning and function in this context.

A policy in security is a set of rules that reduce risk and protect information. Policies are the foundation of every security plan. They give everyone in and out of an organization guidance by addressing questions like, what are we protecting and why? Policies focus on the strategic side of things by identifying the scope, objectives, and limitations of a security plan. For instance, newly hired employees at many companies are required to sign off on an acceptable use policy, or AUP. These provisions outline secure ways that an employee may access corporate systems.

Standards are the next part. These have a tactical function, as they concern how well we’re protecting assets. In security, standards are references that inform how to set policies. A good way to think of standards is that they create a point of reference. For example, many companies use the password management standard identified in NIST Special Publication 800-63B to improve their security policies by specifying that employees’ passwords must be at least eight characters long.

The last part of a plan is its procedures. Procedures are step-by-step instructions to perform a specific security task. Organizations usually keep multiple procedure documents that are used throughout the company, like how employees can choose secure passwords, or how they can securely reset a password if it’s been locked. Sharing clear and actionable procedures with everyone creates accountability, consistency, and efficiency across an organization.

Policies, standards, and procedures vary widely from one company to another because they are tailored to each organization’s goals. Simply understanding the structure of security plans is a great start. For now, I hope you have a clearer picture of what policies, standards, and procedures are, and how they are essential to making security a team effort.

What primary elements do security plans include? Select three answers.

Policies, Standards, Procedures

Security plans include three basic elements: policies, standards, and procedures. Policies are a set of rules that reduce risk and protect information. Standards are references that inform how to set policies. Procedures are step-by-step instructions for performing a security task.

Video: The NIST Cybersecurity Framework

Compliance is the process of adhering to internal standards and external regulations, ensuring data security and protecting reputation. It’s crucial for businesses to avoid fines, penalties, and lawsuits, especially in highly regulated industries.

NIST Cybersecurity Framework (CSF):

  • Voluntary framework: Provides standards, guidelines, and best practices for managing cybersecurity risk.
  • 3 main components:
    • Core: Five functions: Identify, Protect, Detect, Respond, Recover.
    • Tiers: Measure performance across each core function (Level 1: passive, Level 4: adaptive).
    • Profiles: Provide insight into the current state of a security plan.

Benefits of CSF:

  • Helps businesses secure information assets.
  • Shows commitment to data security and customer trust.
  • Provides a roadmap for continuous improvement.

Next steps:

Focus on the Protect function of the CSF.

Understanding the NIST Cybersecurity Framework

The National Institute of Standards and Technology (NIST) Cybersecurity Framework is a voluntary framework that helps organizations manage and reduce cybersecurity risks. It provides a common language and approach for organizations to assess their cybersecurity posture, identify and prioritize risks, and implement appropriate safeguards.

Why is the NIST Cybersecurity Framework Important?

In today’s digital world, cybersecurity threats are constantly evolving. Organizations of all sizes need a comprehensive approach to managing cybersecurity risks. The NIST Cybersecurity Framework provides a proven framework that can be used by any organization, regardless of size or industry.

The Five Core Functions of the NIST Cybersecurity Framework

The NIST Cybersecurity Framework is organized around five core functions:

  1. Identify: Identify and prioritize assets and understand the potential threats they face.
  2. Protect: Protect assets from unauthorized access, use, disclosure, disruption, modification, or destruction.
  3. Detect: Detect security events as early as possible.
  4. Respond: Respond to security events quickly and effectively.
  5. Recover: Recover from security events and restore normal operations.

The Three Tiers of the NIST Cybersecurity Framework

The NIST Cybersecurity Framework also defines three tiers of maturity:

  1. Tier 1 – Partial: Organizations in Tier 1 have taken some steps to manage cybersecurity risks, but they have not fully implemented all of the necessary controls.
  2. Tier 2 – Risk-Informed: Organizations in Tier 2 have a more mature cybersecurity program and have implemented controls based on their risk assessment.
  3. Tier 3 – Repeatable: Organizations in Tier 3 have a highly mature cybersecurity program and can proactively identify and address threats.

The Five Profiles of the NIST Cybersecurity Framework

The NIST Cybersecurity Framework also defines five profiles:

  1. Basic: This profile is designed for organizations with a low-risk profile.
  2. Targeted: This profile is designed for organizations with a moderate-risk profile.
  3. Informative: This profile is designed for organizations with a high-risk profile.
  4. Risk-Managed: This profile is designed for organizations that are required to comply with specific regulations.
  5. Adaptive: This profile is designed for organizations that are constantly evolving and changing.

How to Get Started with the NIST Cybersecurity Framework

The NIST Cybersecurity Framework website provides a wealth of resources to help organizations get started, including:

  • Getting Started Guide: This guide provides an overview of the framework and how to get started.
  • Framework Reference: This document provides detailed information on each of the framework’s components.
  • Implementation Guides: These guides provide specific guidance on how to implement the framework in different industries and sectors.
  • Case Studies: These case studies illustrate how organizations are using the framework to improve their cybersecurity posture.

Conclusion

The NIST Cybersecurity Framework is a valuable tool that can help organizations manage and reduce cybersecurity risks. By following the framework’s guidance, organizations can improve their cybersecurity posture and protect their critical assets.

Next Steps

  • Download the NIST Cybersecurity Framework and review the core functions, tiers, and profiles.
  • Assess your organization’s current cybersecurity posture.
  • Develop a plan to implement the NIST Cybersecurity Framework in your organization.
  • Seek help from a qualified cybersecurity professional if needed.

By taking these steps, you can start to improve your organization’s cybersecurity posture and protect your assets from cyber threats.

Having a plan is just one part of securing assets. Once the plan is in action, the other part is making sure everyone’s following along. In security, we call this compliance. Compliance is the process of adhering to internal standards and external regulations. Small companies and large organizations around the world place security compliance at the top of their list of priorities. At a high level, maintaining trust, reputation, safety, and the integrity of your data are just a few reasons to be concerned about compliance. Fines, penalties, and lawsuits are other reasons. This is particularly true for companies in highly regulated industries, like health care, energy, and finance. Being out of compliance with a regulation can cause long-lasting financial and reputational effects that can seriously impact a business.

Regulations are rules set by a government or other authority to control the way something is done. Like policies, regulations exist to protect people and their information, but on a larger scale. Compliance can be a complex process because of the many regulations that exist all around the world. For our purpose, we’re going to focus on a framework of security compliance, the U.S.-based NIST Cybersecurity Framework. Earlier in the program, you learned about the National Institute of Standards and Technology, or NIST. One of the primary roles of NIST is to openly provide companies with a set of frameworks and security standards that reflect key security-related regulations.

The NIST Cybersecurity Framework is a voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk. Commonly known as the CSF, this framework was developed to help businesses secure one of their most important assets, information. The CSF consists of three main components: the core, its tiers, and its profiles. Let’s explore each of these together to build a better understanding of how NIST’s CSF is used.

The core is basically a simplified version of the functions, or duties, of a security plan. The CSF core identifies five broad functions: identify, protect, detect, respond, and recover. Think of these categories of the core as a security checklist.

After the core, the next NIST component we’ll discuss is its tiers. These provide security teams with a way to measure performance across each of the five functions of the core. Tiers range from Level-1 to Level-4. Level-1, or passive, indicates a function is reaching bare minimum standards. Level-4, or adaptive, is an indication that a function is being performed at an exemplary standard. You may have noticed that CSF tiers aren’t a yes or no proposition; instead, there’s a range of values. That’s because tiers are designed as a way of showing organizations what is and isn’t working with their security plans.

Lastly, profiles are the final component of CSF. These provide insight into the current state of a security plan. One way to think of profiles is like photos capturing a moment in time. Comparing photos of the same subject taken at different times can provide useful insights. For example, without these photos, you might not notice how this tree has changed. It’s the same with NIST profiles.

Good security practice is about more than avoiding fines and attacks. It demonstrates that you care about people and their information. Before we go, let’s visit the core’s functions one more time to look at where we’ve been and where we’re going. The first function is identify. Our previous discussions on asset management and risk assessment relate to that function. Coming up, we’re going to focus on many of the categories of the second function, the protect function. Meet you there!

"Identify" and "Detect" are two of the five NIST Cybersecurity Framework (CSF) core functions. What are the other three? Select all that apply.

Protect, Respond, Recover

The five NIST Cybersecurity Framework (CSF) core functions are identify, protect, detect, respond, and recover. The core is a simplified version of the functions or duties of a security plan. Think of these functions as a checklist for reducing security risk.
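The video describes profiles as snapshots that become useful when compared over time, scored with tiers across the five core functions. The sketch below is an added example, not NIST's or the course's own tooling: it validates two snapshots, reports what changed between them, and ranks the remaining gaps against a target. Storing a profile as a mapping of function name to a tier from 1 to 4 is an assumption of this example, and all scores are constructed.

```python
CORE_FUNCTIONS = ("identify", "protect", "detect", "respond", "recover")
MIN_TIER, MAX_TIER = 1, 4   # the Level-1 to Level-4 range from the video


def validate_profile(profile):
    """A usable snapshot scores every core function, and nothing else,
    with a whole-number tier between MIN_TIER and MAX_TIER."""
    missing = [f for f in CORE_FUNCTIONS if f not in profile]
    if missing:
        raise ValueError(f"profile is missing functions: {missing}")
    unknown = [f for f in profile if f not in CORE_FUNCTIONS]
    if unknown:
        raise ValueError(f"profile has unknown functions: {unknown}")
    for function in CORE_FUNCTIONS:
        tier = profile[function]
        if not isinstance(tier, int) or not MIN_TIER <= tier <= MAX_TIER:
            raise ValueError(f"{function}: tier {tier!r} is outside 1-4")


def compare_profiles(earlier, later):
    """Tier change per function between two snapshots (negative = worse)."""
    validate_profile(earlier)
    validate_profile(later)
    return {f: later[f] - earlier[f] for f in CORE_FUNCTIONS}


def regressions(earlier, later):
    """Functions that scored lower in the later snapshot."""
    return [f for f, delta in compare_profiles(earlier, later).items()
            if delta < 0]


def gaps_to_target(current, target):
    """Functions still below target, largest shortfall first.
    The sort is stable, so ties keep the core's own order."""
    validate_profile(current)
    validate_profile(target)
    gaps = [(f, target[f] - current[f])
            for f in CORE_FUNCTIONS if current[f] < target[f]]
    return sorted(gaps, key=lambda gap: -gap[1])


# Constructed snapshots for a hypothetical organization.
PROFILE_Q1 = {"identify": 2, "protect": 1, "detect": 2,
              "respond": 1, "recover": 1}
PROFILE_Q3 = {"identify": 3, "protect": 2, "detect": 1,
              "respond": 1, "recover": 2}
TARGET = {"identify": 3, "protect": 3, "detect": 3,
          "respond": 2, "recover": 2}

if __name__ == "__main__":
    print("change Q1 -> Q3:", compare_profiles(PROFILE_Q1, PROFILE_Q3))
    print("regressed:", regressions(PROFILE_Q1, PROFILE_Q3))
    print("gaps to target:", gaps_to_target(PROFILE_Q3, TARGET))
```

In the sample data, the overall picture improves between snapshots while detect slips from 2 to 1, which is the kind of change a single snapshot would hide.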

Reading: Security guidelines in action

Practice Quiz: Test your knowledge: Risk and asset security

What types of risks do security plans address? Select three answers.

What are the basic elements of a security plan? Select three answers.

Fill in the blank: The NIST CSF is a _____ framework that consists of standards, guidelines, and best practices to manage cybersecurity risk.

What are some benefits of the NIST Cybersecurity Framework (CSF)? Select three answers.

Practice Quiz: Activity: Score risks based on their likelihood and severity

Reading: Activity Exemplar: Score risks based on their likelihood and severity

Review: Introduction to asset security


Video: Wrap-up

  • Organizational risk management:
    • Assets: Identifying and understanding critical assets.
    • Threats: Recognizing potential security risks and their impact.
    • Vulnerabilities: Identifying weaknesses that can be exploited.
    • Asset inventories: Importance of knowing and tracking assets.
  • Data protection in a changing digital world:
    • Data in use, in transit, and at rest.
  • Policies, standards, and procedures:
    • Roles and importance in achieving security goals.
  • NIST Cybersecurity Framework:
    • Understanding its structure and benefits.

Conclusion:

  • Continuous learning is crucial for cybersecurity practitioners.
  • Attackers constantly evolve, requiring adaptation and improvement.
  • Next step: Exploring systems used by security teams for asset protection.

Well done! You made it to the end of this section! Being a security practitioner takes commitment and a desire to learn. A big part of the job involves keeping current with best practices and emerging trends. Thinking back on my own journey into the world of security, I’m so proud of you for your continued commitment.

We’ve covered a lot of material this week, and this is a good time to reflect and look back on the key concepts we explored together. We covered the building blocks of organizational risk management: assets, threats, and vulnerabilities. We also spent some time demonstrating the importance of asset inventories. It’s much easier to protect company assets if you know where they are and who’s responsible for them. After that, we moved on to explore the challenges in a rapidly changing digital world. Part of protecting data in this world is understanding if it’s in use, in transit, or at rest. Finally, in our high-level exploration of policies, standards, and procedures, we talked about how each of them factors into achieving security goals.

There’s no one-size-fits-all approach to achieving security. While exploring the NIST Cybersecurity Framework, you gained an appreciation of how it supports good security practices. Attackers are also constantly building their skills and finding new ways to break through the defenses we put up. Remember, the landscape is always changing. There’s always more to learn if you want to be a good security practitioner. Next up, we’re going to expand our security mindset by learning more about the different systems security teams use to protect organizational assets. I’m looking forward to it!

Reading: Glossary terms from module 1

Terms and definitions from Course 5, Module 1

Quiz: Module 1 challenge

An employee who has access to company assets abuses their privileges by stealing information and selling it for personal gain. What does this scenario describe?

Which of the following are examples of security vulnerabilities? Select three answers.

Which of the following refers to the process of tracking assets and the risks that affect them?

An employee is asked to email customers and request that they complete a satisfaction survey. The employee must be given access to confidential information in the company database to conduct the survey. What types of confidential customer information should the employee be able to access from the company’s database to do their job? Select two answers.

Which of the following are examples of internal-only information? Select two answers.

Which of the following can be prevented with effective information security? Select three answers.

What is an example of digital data at rest? Select two answers.

Fill in the blank: Most security plans address risks by breaking them down into these categories: damage, disclosure, and _____.

Which of the following are components of the NIST Cybersecurity Framework? Select three answers.

Which component of the NIST Cybersecurity Framework (CSF) is used to measure the performance of a security plan?