You will focus on security frameworks and controls, along with the core components of the confidentiality, integrity, and availability (CIA) triad. You’ll learn about Open Web Application Security Project (OWASP) security principles and security audits.
Learning Objectives
- Define and describe the purpose of security frameworks and controls.
- Describe the CIA triad.
- Explain the National Institute of Standards and Technology (NIST) frameworks.
- Identify security principles.
- Examine how businesses use security frameworks and controls to protect business operations.
- Define security audits.
- Explore common elements of internal security audits.
- More about frameworks and controls
- The CIA triad: Confidentiality, integrity, and availability
- NIST frameworks
- OWASP principles and security audits
- Video: OWASP security principles
- Reading: More about OWASP security principles
- Video: Wajih: Stay up-to-date on the latest cybersecurity threats
- Video: Plan a security audit
- Video: Complete a security audit
- Reading: More about security audits
- Practice Quiz: Test your knowledge: OWASP principles and security audits
- Quiz: Portfolio Activity: Conduct a security audit
- Reading: Portfolio Activity Exemplar: Conduct a security audit
- Review: Security frameworks and controls
More about frameworks and controls
Video: Welcome to module 2
As a security analyst, your job is to help keep people and organizations safe from cyber threats. Breaches that affect customers’, vendors’, and employees’ data can cause significant damage to people’s financial stability and their reputations.
The NIST Cybersecurity Framework is a valuable tool for security analysts. The framework provides a set of guidelines for mitigating organizational cybersecurity risks and ensuring the protection and compliance of customer tools and personal work devices.
In the following section of the course, you will learn more about security frameworks, controls, and design principles, and how they can be applied to security audits to help protect organizations and people.
Welcome back! As a security analyst, your job isn’t just keeping organizations safe. Your role is much more important. You’re also helping to keep people safe. Breaches that affect customers’, vendors’, and employees’ data can cause significant damage to people’s financial stability and their reputations. As an analyst, your day-to-day work will help keep people and organizations safe.

In this section of the course, we’ll discuss security frameworks, controls, and design principles in more detail, and how they can be applied to security audits to help protect organizations and people.

Keeping customer information confidential is a crucial part of my daily work at Google. The NIST Cybersecurity Framework plays a large part in this. The framework ensures the protection and compliance of customer tools and personal work devices through the use of security controls. Welcome to the world of security frameworks and controls. Let’s get started!
Video: Frameworks
Organizations use security frameworks to create security policies and processes to protect against a variety of threats, risks, and vulnerabilities. Security frameworks are guidelines for building plans to help mitigate risks and threats to data and privacy, such as social engineering attacks and ransomware.
Security also involves the physical space, which is why many organizations have plans to maintain safety in the work environment. For example, access to a building may require using a key card or badge.
Other security frameworks provide guidance for how to prevent, detect, and respond to security breaches. This is particularly important when trying to protect an organization from social engineering attacks like phishing that target their employees.
People are the biggest threat to security, so frameworks can be used to create plans that increase employee awareness and educate employees about how they can protect the organization, their co-workers, and themselves.
Educating employees about existing security challenges is essential for minimizing the possibility of a breach. Providing employee training about how to recognize red flags, or potential threats, is essential, along with having plans in place to quickly report and address security issues.
As a security analyst, it will be important for you to understand and implement the plans your organization has in place to keep the organization, its employees, and the people it serves safe from social engineering attacks, breaches, and other harmful security incidents.
Coming up, we’ll review and discuss security controls, which are used alongside frameworks to achieve an organization’s security goals.
Cybersecurity Frameworks Tutorial
What are cybersecurity frameworks?
Cybersecurity frameworks are sets of guidelines and best practices that organizations can use to improve their cybersecurity posture. They provide a structured approach to managing cybersecurity risks and help organizations to identify, protect, detect, respond to, and recover from cyber attacks.
There are a number of different cybersecurity frameworks available, including:
- NIST Cybersecurity Framework (CSF)
- ISO/IEC 27001
- COBIT 5 for Information Security
- CIS Controls
- Risk Management Framework for Information Systems (RMF)
Each of these frameworks has its own strengths and weaknesses, and the best framework for an organization will depend on its specific needs and requirements.
Benefits of using cybersecurity frameworks
There are a number of benefits to using cybersecurity frameworks, including:
- Reduced risk: Frameworks can help organizations to identify and mitigate cybersecurity risks.
- Improved compliance: Many frameworks are aligned with industry regulations and standards, which can help organizations to achieve compliance.
- Enhanced efficiency: Frameworks can help organizations to streamline their cybersecurity operations and improve efficiency.
- Improved communication: Frameworks can help organizations to communicate their cybersecurity posture to stakeholders in a clear and concise way.
How to use cybersecurity frameworks
To use a cybersecurity framework, organizations should typically follow these steps:
- Select a framework: Choose a framework that is aligned with the organization’s needs and requirements.
- Assess the current state of the organization’s cybersecurity: Conduct an assessment to identify the organization’s current cybersecurity posture and any areas for improvement.
- Develop a plan to implement the framework: Based on the assessment, develop a plan to implement the framework’s guidelines and best practices.
- Implement the plan: Implement the plan and make necessary adjustments as needed.
- Monitor and improve: Continuously monitor the organization’s cybersecurity posture and make improvements to the framework’s implementation as needed.
Example of using a cybersecurity framework
The NIST Cybersecurity Framework (CSF) is a popular cybersecurity framework that can be used by organizations of all sizes and industries. The CSF is based on three core principles:
- Risk management: The CSF helps organizations to identify, assess, and manage cybersecurity risks.
- Integrated approach: The CSF emphasizes the importance of an integrated approach to cybersecurity, considering both technical and non-technical controls.
- Cybersecurity lifecycle: The CSF is aligned with the cybersecurity lifecycle, which includes the following phases: identify, protect, detect, respond, and recover.
To use the CSF, organizations should begin by assessing their current cybersecurity posture. This can be done using the CSF’s self-assessment tool. Once the assessment is complete, organizations can develop a plan to implement the CSF’s guidelines and best practices.
For example, an organization may identify that it needs to improve its password management practices. To address this, the organization could implement the following CSF controls:
- PR.AC-1: Implement a password policy that requires strong passwords and regular password changes.
- PR.AC-2: Implement multi-factor authentication for all users.
- PR.AC-3: Educate employees about password security best practices.
By implementing these controls, the organization can improve its password management practices and reduce its risk of being compromised by a password attack.
Conclusion
Cybersecurity frameworks are a valuable tool that can help organizations to improve their cybersecurity posture and reduce their risk of cyber attacks. By selecting the right framework and implementing its guidelines and best practices, organizations can protect their data, systems, and people from a wide range of cybersecurity threats.
In an organization, plans are put in place to protect against a variety of threats, risks, and vulnerabilities. However, the requirements used to protect organizations and people often overlap. Because of this, organizations use security frameworks as a starting point to create their own security policies and processes. Let’s start by quickly reviewing what frameworks are. Security frameworks are guidelines used for building plans to help mitigate risks and threats to data and privacy, such as social engineering attacks and ransomware.

Security involves more than just the virtual space. It also includes the physical, which is why many organizations have plans to maintain safety in the work environment. For example, access to a building may require using a key card or badge. Other security frameworks provide guidance for how to prevent, detect, and respond to security breaches. This is particularly important when trying to protect an organization from social engineering attacks like phishing that target their employees.

Remember, people are the biggest threat to security. So frameworks can be used to create plans that increase employee awareness and educate them about how they can protect the organization, their co-workers, and themselves. Educating employees about existing security challenges is essential for minimizing the possibility of a breach. Providing employee training about how to recognize red flags, or potential threats, is essential, along with having plans in place to quickly report and address security issues.

As an analyst, it will be important for you to understand and implement the plans your organization has in place to keep the organization, its employees, and the people it serves safe from social engineering attacks, breaches, and other harmful security incidents. Coming up, we’ll review and discuss security controls, which are used alongside frameworks to achieve an organization’s security goals.
Video: Controls
Summary:
Security controls are safeguards designed to reduce specific security risks. Three common types of controls are encryption, authentication, and authorization.
- Encryption is the process of converting data from a readable format to an encoded format. This helps to ensure confidentiality of sensitive data.
- Authentication is the process of verifying who someone or something is. This can be done through basic methods such as usernames and passwords, or more advanced methods such as multi-factor authentication and biometrics.
- Authorization refers to the concept of granting access to specific resources within a system. This helps to ensure that only authorized users have access to sensitive data.
Security controls are an important part of a core security model known as the CIA triad, which stands for confidentiality, integrity, and availability. The CIA triad is a framework that security teams use to protect their organizations from a variety of security threats.
Additional notes:
The video also mentions that a lack of proper controls can lead to significant financial impacts and damage to reputation. This is because organizations can be held liable for data breaches, and their customers may lose trust in them if their data is compromised.
It is also important to note that social engineering attacks can be used to exploit security controls. For example, vishing attacks can be used to trick users into revealing their passwords or other sensitive information. Organizations should educate their employees about social engineering attacks and how to avoid them.
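The three controls named above can be seen working together on a single request. The following is an added example written for these notes, not code from the course or its videos: it verifies a password (authentication), then a one-time code as the second factor of MFA, and only then checks the role's permissions (authorization). It uses only the Python standard library; the account, password, role map and the HMAC-based one-time code secret (the public RFC 4226 test-vector secret) are constructed sample values.

```python
"""Added example (not part of the course): the three controls from the video,
authentication, a second factor, and authorization, checked in order on one
request. Standard library only. Every account, password and secret here is
constructed sample data."""
import hashlib
import hmac
import secrets
import struct

PBKDF2_ROUNDS = 100_000  # slow on purpose: each guess at a stolen hash costs this much

# --- Authentication: "who are you?" -------------------------------------------
def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256; a fresh random salt is drawn when none is given."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): the "security code" second factor."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

# --- Authorization: "what may you do?" ----------------------------------------
ROLE_PERMISSIONS = {                      # constructed role-to-permission map
    "analyst": {"read:alerts", "read:logs"},
    "admin": {"read:alerts", "read:logs", "write:users"},
}

def authorized(role: str, permission: str) -> bool:
    return permission in ROLE_PERMISSIONS.get(role, set())

# --- A tiny user directory and the request path that ties the controls together
USERS = {}

def register(username: str, password: str, role: str, mfa_secret: bytes) -> None:
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "digest": digest, "role": role,
                       "mfa_secret": mfa_secret, "mfa_counter": 0}

def access_resource(username: str, password: str, otp: str, permission: str) -> tuple:
    """Return (granted, reason). Every check fails closed; none is skipped."""
    user = USERS.get(username)
    if user is None or not verify_password(password, user["salt"], user["digest"]):
        return False, "authentication failed"
    expected = hotp(user["mfa_secret"], user["mfa_counter"])
    if not hmac.compare_digest(expected, otp):
        return False, "second factor rejected"   # a stolen password alone is not enough
    user["mfa_counter"] += 1                     # each code is accepted once
    if not authorized(user["role"], permission):
        return False, "not authorized"           # authenticated, but not permitted
    return True, "granted"

if __name__ == "__main__":
    # Constructed walkthrough; the secret is the RFC 4226 test-vector secret.
    register("ana", "correct horse battery", "analyst", b"12345678901234567890")
    print(access_resource("ana", "correct horse battery", hotp(b"12345678901234567890", 0), "read:alerts"))
    print(access_resource("ana", "correct horse battery", hotp(b"12345678901234567890", 1), "write:users"))
```

The order matters: a request that fails authentication never reaches the permission check, a correct password with a wrong or replayed code is still refused, and an authenticated analyst is refused an admin-only action. This is the point the notes make about vishing: even if a caller talks a user out of a password, the second factor and the permission check remain in the way.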
Cybersecurity Controls Tutorial
What are cybersecurity controls?
Cybersecurity controls are safeguards designed to reduce specific security risks. They can be technical, administrative, or physical, and they can be implemented at different layers of an organization’s IT infrastructure.
Some common examples of cybersecurity controls include:
- Technical controls: Firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), encryption, and multi-factor authentication (MFA).
- Administrative controls: Security policies and procedures, employee training, and risk assessments.
- Physical controls: Access control systems, security cameras, and environmental controls (e.g., temperature and humidity control).
Benefits of cybersecurity controls
Cybersecurity controls can provide a number of benefits for organizations, including:
- Reduced risk: Controls can help to reduce the organization’s risk of being compromised by cyber attacks.
- Improved compliance: Many controls are aligned with industry regulations and standards, which can help organizations to achieve compliance.
- Enhanced protection: Controls can help to protect the organization’s data, systems, and people from a wide range of cybersecurity threats.
How to implement cybersecurity controls
To implement cybersecurity controls, organizations should typically follow these steps:
- Identify the organization’s security risks: Conduct a risk assessment to identify the organization’s current cybersecurity posture and any areas for improvement.
- Select the appropriate controls: Choose controls that are aligned with the organization’s needs and requirements.
- Implement the controls: Implement the controls in a way that is effective and efficient.
- Monitor and improve: Continuously monitor the organization’s cybersecurity posture and make adjustments to the controls as needed.
Example of implementing a cybersecurity control
One common cybersecurity control is encryption. Encryption can be used to protect data at rest (e.g., data stored on hard drives) and data in transit (e.g., data sent over the internet).
To implement encryption, organizations can use a variety of tools and technologies. For example, organizations can use software to encrypt their hard drives and email communications. Organizations can also use hardware encryption devices, such as self-encrypting drives (SEDs).
Once encryption is implemented, it is important to manage the encryption keys properly. Encryption keys should be stored securely and should only be accessible to authorized personnel.
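To make the two preceding points concrete (encrypting data at rest, and keeping the keys stored separately and readable only by authorized parties), here is an added example written for these notes, not code from the course or from any product it mentions. It uses only the Python standard library, so the cipher is an HMAC-SHA256 keystream in counter mode with an HMAC-SHA256 tag (encrypt-then-MAC); that construction stands in for AES-GCM, which a real deployment would take from a vetted library. The key store, role names, key ids and records are all constructed for the example.

```python
"""Added example (not part of the course): encryption at rest with the key kept
apart from the data it protects, and key access limited to named roles.
Standard library only, so the cipher is an HMAC-SHA256 keystream in counter mode
with an HMAC-SHA256 tag (encrypt-then-MAC); this stands in for AES-GCM, which a
real deployment would take from a vetted library. Keys and records are constructed."""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32

def _derive(master: bytes, purpose: bytes) -> bytes:
    # One master key, separate sub-keys for encryption and for the tag.
    return hmac.new(master, purpose, hashlib.sha256).digest()

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = []
    while len(blocks) * 32 < length:                     # 32 bytes per HMAC block
        counter = len(blocks).to_bytes(4, "big")
        blocks.append(hmac.new(enc_key, nonce + counter, hashlib.sha256).digest())
    return b"".join(blocks)[:length]

def encrypt(master: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag. A fresh nonce every call, never reused."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(_derive(master, b"enc"), nonce, len(plaintext))
    body = nonce + bytes(p ^ k for p, k in zip(plaintext, ks))
    return body + hmac.new(_derive(master, b"mac"), body, hashlib.sha256).digest()

def decrypt(master: bytes, blob: bytes) -> bytes:
    """Check the tag before touching the ciphertext; reject on any mismatch."""
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_derive(master, b"mac"), body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("tag mismatch: data was altered or the key is wrong")
    nonce, ct = body[:NONCE_LEN], body[NONCE_LEN:]
    ks = _keystream(_derive(master, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

class KeyStore:
    """Holds master keys by id. Only listed roles may read a key; every read is logged."""
    def __init__(self, allowed_roles):
        self._keys, self._allowed, self.audit = {}, set(allowed_roles), []

    def create_key(self) -> str:
        key_id = "key-" + secrets.token_hex(4)       # constructed key id format
        self._keys[key_id] = secrets.token_bytes(32)
        return key_id

    def get_key(self, key_id: str, caller_role: str) -> bytes:
        self.audit.append((caller_role, key_id))     # who asked for which key
        if caller_role not in self._allowed:
            raise PermissionError(f"role {caller_role!r} may not read {key_id}")
        return self._keys[key_id]

class RecordStore:
    """Keeps ciphertext and the id of the key that produced it; never the key."""
    def __init__(self, keystore: KeyStore, key_id: str):
        self.keystore, self.key_id, self.records = keystore, key_id, {}

    def put(self, name: str, plaintext: bytes, caller_role: str) -> None:
        key = self.keystore.get_key(self.key_id, caller_role)
        self.records[name] = (self.key_id, encrypt(key, plaintext))

    def get(self, name: str, caller_role: str) -> bytes:
        key_id, blob = self.records[name]
        return decrypt(self.keystore.get_key(key_id, caller_role), blob)

    def rotate(self, caller_role: str) -> str:
        """Re-encrypt every record under a new key; returns the new key id."""
        new_id = self.keystore.create_key()
        for name, (old_id, blob) in list(self.records.items()):
            plaintext = decrypt(self.keystore.get_key(old_id, caller_role), blob)
            new_key = self.keystore.get_key(new_id, caller_role)
            self.records[name] = (new_id, encrypt(new_key, plaintext))
        self.key_id = new_id
        return new_id
```

Two design choices carry the key-management point: the record store never holds a key, only a key id, so a copy of the data store alone reveals nothing; and every key read goes through a role check and an audit list, which is the "only accessible to authorized personnel" requirement expressed as code. Because each record remembers which key encrypted it, rotation can re-encrypt everything under a fresh key without a flag day.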
Conclusion
Cybersecurity controls are an essential part of any organization’s cybersecurity strategy. By implementing the appropriate controls, organizations can reduce their risk of being compromised by cyber attacks and protect their data, systems, and people from a wide range of cybersecurity threats.
Additional tips
- When selecting cybersecurity controls, it is important to consider the organization’s specific needs and requirements. There is no one-size-fits-all solution.
- Controls should be implemented in a layered approach. This means using a variety of controls to protect data and systems from different types of attacks.
- Controls should be monitored and updated on a regular basis. This is necessary to ensure that the controls are effective against the latest cyber threats.
- Employees should be trained on cybersecurity controls and how to use them properly. Employees are the first line of defense against cyber attacks.
While frameworks are used to create plans to address security risks, threats, and vulnerabilities, controls are used to reduce specific risks. If proper controls are not in place, an organization could face significant financial impacts and damage to their reputation because of exposure to risks including trespassing, creating fake employee accounts, or providing free benefits. Let’s review the definition of controls. Security controls are safeguards designed to reduce specific security risks. In this video, we’ll discuss three common types of controls: encryption, authentication, and authorization.

Encryption is the process of converting data from a readable format to an encoded format. Typically, encryption involves converting data from plaintext to ciphertext. Ciphertext is the raw, encoded message that’s unreadable to humans and computers. Ciphertext data cannot be read until it’s been decrypted into its original plaintext form. Encryption is used to ensure confidentiality of sensitive data, such as customers’ account information or social security numbers.

Another control that can be used to protect sensitive data is authentication. Authentication is the process of verifying who someone or something is. A real-world example of authentication is logging into a website with your username and password. This basic form of authentication proves that you know the username and password and should be allowed to access the website. More advanced methods of authentication, such as multi-factor authentication, or MFA, challenge the user to demonstrate that they are who they claim to be by requiring both a password and an additional form of authentication, like a security code or biometrics, such as a fingerprint, voice, or face scan. Biometrics are unique physical characteristics that can be used to verify a person’s identity. Examples of biometrics are a fingerprint, an eye scan, or a palm scan. One example of a social engineering attack that can exploit biometrics is vishing. Vishing is the exploitation of electronic voice communication to obtain sensitive information or to impersonate a known source. For example, vishing could be used to impersonate a person’s voice to steal their identity and then commit a crime.

Another very important security control is authorization. Authorization refers to the concept of granting access to specific resources within a system. Essentially, authorization is used to verify that a person has permission to access a resource. As an example, if you’re working as an entry-level security analyst for the federal government, you could have permission to access data through the deep web or other internal data that is only accessible if you’re a federal employee.

The security controls we discussed today are only one element of a core security model known as the CIA triad. Coming up, we’ll talk more about this model and how security teams use it to protect their organizations.
Reading: The relationship between frameworks and controls
Reading
Previously, you learned how organizations use security frameworks and controls to protect against threats, risks, and vulnerabilities. This included discussions about the National Institute of Standards and Technology’s (NIST’s) Risk Management Framework (RMF) and Cybersecurity Framework (CSF), as well as the confidentiality, integrity, and availability (CIA) triad. In this reading, you will further explore security frameworks and controls and how they are used together to help mitigate organizational risk.
Frameworks and controls
Security frameworks are guidelines used for building plans to help mitigate risk and threats to data and privacy. Frameworks support organizations’ ability to adhere to compliance laws and regulations. For example, the healthcare industry uses frameworks to comply with the United States’ Health Insurance Portability and Accountability Act (HIPAA), which requires that medical professionals keep patient information safe.
Security controls are safeguards designed to reduce specific security risks. Security controls are the measures organizations use to lower risk and threats to data and privacy. For example, a control that can be used alongside frameworks to ensure a hospital remains compliant with HIPAA is requiring that patients use multi-factor authentication (MFA) to access their medical records. Using a measure like MFA to validate someone’s identity is one way to help mitigate potential risks and threats to private data.
Specific frameworks and controls
There are many different frameworks and controls that organizations can use to remain compliant with regulations and achieve their security goals. Frameworks covered in this reading are the Cyber Threat Framework (CTF) and the International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001. Several common security controls, used alongside these types of frameworks, are also explained.
Cyber Threat Framework (CTF)
According to the Office of the Director of National Intelligence, the CTF was developed by the U.S. government to provide “a common language for describing and communicating information about cyber threat activity.” By providing a common language to communicate information about threat activity, the CTF helps cybersecurity professionals analyze and share information more efficiently. This allows organizations to improve their response to the constantly evolving cybersecurity landscape and threat actors’ many tactics and techniques.
International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001
An internationally recognized and used framework is ISO/IEC 27001. The ISO 27000 family of standards enables organizations of all sectors and sizes to manage the security of assets, such as financial information, intellectual property, employee data, and information entrusted to third parties. This framework outlines requirements for an information security management system, best practices, and controls that support an organization’s ability to manage risks. Although the ISO/IEC 27001 framework does not require the use of specific controls, it does provide a collection of controls that organizations can use to improve their security posture.
Controls
Controls are used alongside frameworks to reduce the possibility and impact of a security threat, risk, or vulnerability. Controls can be physical, technical, and administrative and are typically used to prevent, detect, or correct security issues.
Examples of physical controls:
- Gates, fences, and locks
- Security guards
- Closed-circuit television (CCTV), surveillance cameras, and motion detectors
- Access cards or badges to enter office spaces
Examples of technical controls:
- Firewalls
- MFA
- Antivirus software
Examples of administrative controls:
- Separation of duties
- Authorization
- Asset classification
To learn more about controls, particularly those used to protect health-related assets from a variety of threat types, review the U.S. Department of Health and Human Services’ Physical Access Control presentation.
Key takeaways
Cybersecurity frameworks and controls are used together to establish an organization’s security posture. They also support an organization’s ability to meet security goals and comply with laws and regulations. Although these frameworks and controls are typically voluntary, organizations are strongly encouraged to implement and use them to help ensure the safety of critical assets.
Practice Quiz: Test your knowledge: More about frameworks and controls
How do security frameworks enable security professionals to help mitigate risk?
They are used to establish guidelines for building security plans.
Security frameworks are used to establish guidelines for building security plans that enable security professionals to help mitigate risk.
AI assistant
Security frameworks enable security professionals to help mitigate risk by providing guidelines for building security plans. These plans can be used to identify, assess, and manage cybersecurity risks. Frameworks can also help security professionals to refine elements of a core security model known as the CIA triad, which stands for confidentiality, integrity, and availability.
The CIA triad is a framework that security teams use to protect their organizations from a variety of security threats. Confidentiality refers to the need to protect data from unauthorized access. Integrity refers to the need to ensure that data is accurate and complete. Availability refers to the need to ensure that data and systems are accessible to authorized users when needed.
Security frameworks can help security professionals to mitigate risk by providing guidance on how to implement controls that protect the confidentiality, integrity, and availability of data and systems. For example, frameworks can provide guidance on how to implement encryption to protect data confidentiality, how to implement authentication and authorization controls to protect data integrity and availability, and how to implement incident response plans to recover from security incidents.
Here are some specific examples of how security frameworks enable security professionals to help mitigate risk:
- Security frameworks can help security professionals to identify and assess cybersecurity risks. For example, the NIST Cybersecurity Framework (CSF) includes a number of controls that can be used to identify and assess cybersecurity risks, such as the PR.PL-1 control, which requires organizations to develop a risk management plan.
- Security frameworks can help security professionals to implement controls that protect the confidentiality, integrity, and availability of data and systems. For example, the ISO/IEC 27001 framework includes a number of controls that can be used to protect data confidentiality, such as the A.10.1 control, which requires organizations to implement access control mechanisms.
- Security frameworks can help security professionals to refine elements of a core security model known as the CIA triad. For example, the COBIT 5 for Information Security framework includes a number of processes that can be used to improve the confidentiality, integrity, and availability of data and systems, such as the APO10 process, which focuses on managing information security risks.
Overall, security frameworks are a valuable tool that can help security professionals to mitigate risk by providing guidance on how to identify, assess, and manage cybersecurity risks, implement controls that protect the confidentiality, integrity, and availability of data and systems, and refine elements of a core security model known as the CIA triad.
Competitor organizations are the biggest threat to a company’s security.
False
People are the biggest threat to a company’s security. This is why educating employees about security challenges is essential for minimizing the possibility of a breach.
AI assistant
False.
Competitor organizations are one of the biggest threats to a company’s security, but they are not the biggest. The biggest threat to a company’s security is its own employees.
Employees can pose a security threat in a number of ways, including:
- Negligence: Employees may accidentally expose sensitive data to unauthorized individuals or systems.
- Malicious intent: Employees may intentionally steal or sabotage sensitive data, either for their own personal gain or to benefit a competitor.
- Social engineering attacks: Employees may be tricked into revealing sensitive information to attackers.
Other threats to a company’s security include:
- Cybercriminals: Cybercriminals use a variety of techniques to attack companies, including malware, phishing attacks, and denial-of-service attacks.
- Hackers: Hackers are skilled individuals who attack companies for a variety of reasons, including personal challenge, financial gain, or political activism.
- Nation-states: Nation-states may attack companies to steal sensitive data or disrupt their operations.
Companies can mitigate security risks by implementing a variety of security controls, such as:
- Educating employees about security best practices: Employees should be trained on how to identify and avoid social engineering attacks, and how to handle sensitive data securely.
- Implementing strong security policies and procedures: Companies should have clear policies and procedures in place to govern how employees access and use sensitive data.
- Using security technologies: Companies should use security technologies such as firewalls, intrusion detection systems, and encryption to protect their data and systems from attack.
By taking these steps, companies can reduce their risk of being compromised by security threats.
Fill in the blank: Security controls are safeguards designed to reduce _ security risks.
specific
Security controls are safeguards designed to reduce specific risks.
AI assistant
Security controls are safeguards designed to reduce specific security risks.
Security controls are implemented to protect specific assets, such as data, systems, or people, from specific threats, such as malware, phishing attacks, or unauthorized access. For example, a company might implement encryption to protect its customer data from unauthorized access, or it might implement multi-factor authentication to protect its systems from unauthorized login attempts.
There is no one-size-fits-all approach to security controls. The specific controls that an organization implements will depend on its specific needs and requirements. However, all security controls should be designed to reduce specific security risks.
Here are some examples of specific security risks:
- Data breaches
- Malware infections
- Phishing attacks
- Unauthorized access to systems and data
- Denial-of-service attacks
- Sabotage
Security controls can be implemented to reduce the risk of all of these threats and more. By implementing appropriate security controls, organizations can protect their assets and reduce their risk of being compromised by security incidents.
A security analyst works on a project designed to reduce the risk of vishing. They develop a plan to protect their organization from attackers who could exploit biometrics. Which type of security control does this scenario describe?
Authentication
This describes authentication, which is the process of implementing controls to verify who someone or something is before granting access to specific resources within a system.
AI assistant
The type of security control that the security analyst in the scenario you described is developing is authentication.
Authentication is the process of verifying who someone or something is. In this case, the security analyst is developing a plan to protect the organization from attackers who could exploit biometrics, which are unique physical characteristics that can be used to verify a person’s identity.
One example of an authentication control that the security analyst could develop is multi-factor authentication (MFA). MFA requires users to provide two or more factors of authentication to verify their identity. For example, a user might be required to enter a password and a code from their phone.
Another example of an authentication control that the security analyst could develop is biometric authentication. Biometric authentication uses a person’s unique physical characteristics to verify their identity. For example, a user might be required to scan their fingerprint or retina.
By implementing authentication controls, the security analyst can help to protect the organization from vishing attacks, in which attackers attempt to trick users into revealing sensitive information. For example, an attacker might try to trick a user into revealing their password by pretending to be a customer service representative. However, if the organization requires MFA, the attacker would be unable to log in to the user’s account even if they had the user’s password.
Authentication controls are an important part of any organization’s security strategy. By implementing appropriate authentication controls, organizations can protect their assets and reduce their risk of being compromised by cyber attacks.
The CIA triad: Confidentiality, integrity, and availability
Video: Explore the CIA triad
The CIA triad is a security model that helps organizations protect their sensitive assets and data from threats, risks, and vulnerabilities. It consists of three core principles: confidentiality, integrity, and availability.
Confidentiality means that only authorized users can access specific assets or data. Integrity means that the data is correct, authentic, and reliable. Availability means that the data is accessible to those who are authorized to access it.
As an entry-level security analyst, you will use the CIA triad to help protect your organization in a variety of ways. For example, you may be involved in developing and implementing security policies and procedures, designing and maintaining security systems, and monitoring for and responding to security incidents.
Here are some specific examples of how you might use the CIA triad to protect an organization:
- Confidentiality: You might be involved in implementing encryption to protect sensitive data, or in developing and implementing access control policies to restrict who can access certain systems or data.
- Integrity: You might be involved in developing and implementing data integrity checks, or in monitoring for and responding to unauthorized changes to data.
- Availability: You might be involved in designing and maintaining redundant systems and backups, or in developing and implementing disaster recovery plans.
The CIA triad is a fundamental concept in information security, and it is important for all security professionals to understand and apply it in their work.
Explore the CIA triad in Cybersecurity
The CIA triad is a core security model that helps organizations protect their sensitive assets and data from threat actors. The three letters in the CIA triad stand for confidentiality, integrity, and availability.
Confidentiality means that only authorized users can access specific assets or data. Sensitive data should be available on a “need to know” basis, so that only the people who are authorized to handle certain assets or data have access.
Integrity means that the data is correct, authentic, and reliable. Determining the integrity of data and analyzing how it’s used will help you, as a security professional, decide whether the data can or cannot be trusted.
Availability means that the data is accessible to those who are authorized to access it. Inaccessible data isn’t useful and can prevent people from being able to do their jobs. As a security professional, ensuring that systems, networks, and applications are functioning properly to allow for timely and reliable access, may be a part of your everyday work responsibilities.
Here are some examples of how the CIA triad can be used in cybersecurity:
- Confidentiality:
- Using encryption to protect sensitive data at rest and in transit
- Implementing access control policies to restrict who can access certain systems or data
- Using multi-factor authentication to add an extra layer of security to logins
- Integrity:
- Using data integrity checks to ensure that data has not been tampered with
- Monitoring for and responding to unauthorized changes to data
- Implementing a backup and restore strategy to recover from data loss or corruption
- Availability:
- Designing and maintaining redundant systems and backups
- Implementing disaster recovery plans to minimize downtime in the event of a disruption
- Using load balancing to distribute traffic across multiple servers
The CIA triad is a fundamental concept in cybersecurity, and it is important for all security professionals to understand and apply it in their work.
Here are some tips for exploring the CIA triad in cybersecurity:
- Start by understanding the basics of each component of the CIA triad. What does each component mean? What are some examples of threats to each component?
- Think about how the CIA triad applies to your organization. What are your organization’s most sensitive assets and data? What are the biggest threats to those assets and data?
- Identify areas where your organization can improve its security posture in relation to the CIA triad. For example, do you have encryption in place to protect all of your sensitive data? Do you have access control policies in place to restrict who can access certain systems or data? Do you have a backup and restore strategy in place?
- Develop and implement a plan to improve your organization’s security posture in relation to the CIA triad. This plan should include specific actions that you will take, and timelines for completing those actions.
- Continuously monitor and review your organization’s security posture to identify and address any new threats or vulnerabilities. The CIA triad is a dynamic model, and it is important to keep your security posture up-to-date with the latest threats and trends.
By exploring the CIA triad in cybersecurity, you can help your organization protect its sensitive assets and data from a variety of threats, risks, and vulnerabilities.
Fill in the blank: The CIA triad is a model that helps inform how organizations consider _____ when setting up systems and security policies.
risk
The confidentiality, integrity, availability (CIA) triad is a model that helps inform how organizations consider risk when setting up systems and security policies.
Great to see you again! While working as an entry-level security analyst, your main responsibility is to help protect your organization’s sensitive assets and data from threat actors. The CIA triad is a core security model that will help you do that. In this video, we’ll explore the CIA triad and discuss the importance of each component for keeping an organization safe from threats, risks, and vulnerabilities. Let’s get started!
The CIA triad is a model that helps inform how organizations consider risk when setting up systems and security policies. As a reminder, the three letters in the CIA triad stand for confidentiality, integrity, and availability. As an entry-level analyst, you’ll find yourself constantly referring to these three core principles as you work to protect your organization and the people it serves.
Confidentiality means that only authorized users can access specific assets or data. Sensitive data should be available on a “need to know” basis, so that only the people who are authorized to handle certain assets or data have access.
Integrity means that the data is correct, authentic, and reliable. Determining the integrity of data and analyzing how it’s used will help you, as a security professional, decide whether the data can or cannot be trusted.
Availability means that the data is accessible to those who are authorized to access it. Inaccessible data isn’t useful and can prevent people from being able to do their jobs. As a security professional, ensuring that systems, networks, and applications are functioning properly to allow for timely and reliable access may be a part of your everyday work responsibilities.
Now that we’ve defined the CIA triad and its components, let’s explore how you might use the CIA triad to protect an organization. If you work for an organization that has large amounts of private data like a bank, the principle of confidentiality is essential because the bank must keep people’s personal and financial information safe. The principle of integrity is also a priority. For example, if a person’s spending habits or purchasing locations change dramatically, the bank will likely disable access to the account until they can verify that the account owner, not a threat actor, is actually the one making purchases. The availability principle is also critical. Banks put a lot of effort into making sure that people can access their account information easily on the web. And to make sure that information is protected from threat actors, banks use a validation process to help minimize damage if they suspect that customer accounts have been compromised.
As an analyst, you’ll regularly use each component of the triad to help protect your organization and the people it serves. And having the CIA triad constantly in mind will help you keep sensitive data and assets safe from a variety of threats, risks, and vulnerabilities including the social engineering attacks, malware, and data theft we discussed earlier. Coming up, we’ll explore specific frameworks and principles that will also help you protect your organization from threats, risks, and vulnerabilities. See you soon!
Reading: Use the CIA triad to protect organizations
Reading
Previously, you were introduced to the confidentiality, integrity, and availability (CIA) triad and how it helps organizations consider and mitigate risk. In this reading, you will learn how cybersecurity analysts use the CIA triad in the workplace.
The CIA triad for analysts
The CIA triad is a model that helps inform how organizations consider risk when setting up systems and security policies. It is made up of three elements that cybersecurity analysts and organizations work toward upholding: confidentiality, integrity, and availability. Maintaining an acceptable level of risk and ensuring systems and policies are designed with these elements in mind helps establish a successful security posture, which refers to an organization’s ability to manage its defense of critical assets and data and react to change.
Confidentiality
Confidentiality is the idea that only authorized users can access specific assets or data. In an organization, confidentiality can be enhanced through the implementation of design principles, such as the principle of least privilege. The principle of least privilege limits users’ access to only the information they need to complete work-related tasks. Limiting access is one way of maintaining the confidentiality and security of private data.
Integrity
Integrity is the idea that the data is verifiably correct, authentic, and reliable. Having protocols in place to verify the authenticity of data is essential. One way to verify data integrity is through cryptography, which is used to transform data so unauthorized parties cannot read or tamper with it (NIST, 2022). Another example of how an organization might implement integrity is by enabling encryption, which is the process of converting data from a readable format to an encoded format. Encryption can be used to prevent access and ensure data, such as messages on an organization’s internal chat platform, cannot be tampered with.
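The reading above, like the "data integrity checks" bullet in the earlier CIA triad list, says cryptography lets you verify that data has not been tampered with. Here is an added example (not from the course) of the usual way that is done for a stored message: a keyed HMAC tag that only a key holder can produce, verified with a constant-time comparison. It also shows why an unkeyed hash stored next to the data is not an integrity control against a deliberate edit. The key, the chat message, and the function names are all constructed for this demo.

```python
import hashlib
import hmac

# Constructed demo key. A real deployment loads it from a secrets manager;
# anyone who can read the key can forge tags, so it must never be stored
# beside the data it protects.
INTEGRITY_KEY = b"constructed-demo-key-do-not-reuse"


def tag_message(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 tag binding the message content to the key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_message(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time, so the comparison
    does not reveal how many leading bytes of a forged tag were right."""
    return hmac.compare_digest(tag_message(key, message), tag)


def verify_plain_hash(message: bytes, stored_hash: str) -> bool:
    """Unkeyed check: catches accidental corruption, not deliberate edits."""
    return hashlib.sha256(message).hexdigest() == stored_hash


def demo() -> dict:
    # Constructed sample: a message on an internal chat platform.
    original = b"chat: approve payment of 1,000 to vendor A"
    tag = tag_message(INTEGRITY_KEY, original)
    stored_hash = hashlib.sha256(original).hexdigest()

    # Someone with write access to the message store changes the amount.
    tampered = original.replace(b"1,000", b"10,000")
    # They can recompute an unkeyed hash over the edited text and overwrite
    # the stored one, but they cannot produce a valid HMAC tag without the key.
    forged_hash = hashlib.sha256(tampered).hexdigest()

    return {
        "original_hmac_ok": verify_message(INTEGRITY_KEY, original, tag),
        "tampered_hmac_ok": verify_message(INTEGRITY_KEY, tampered, tag),
        "tampered_plain_hash_ok": verify_plain_hash(tampered, forged_hash),
        "stored_hash_unchanged": stored_hash == forged_hash,
    }
```

The HMAC check fails on the edited message while the plain-hash check passes, which is the difference between detecting corruption and detecting tampering; encryption alone, as the reading notes, addresses readability and is usually paired with a tag like this one for integrity.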
Availability
Availability is the idea that data is accessible to those who are authorized to use it. When a system adheres to both availability and confidentiality principles, data can be used when needed. In the workplace, this could mean that the organization allows remote employees to access its internal network to perform their jobs. It’s worth noting that access to data on the internal network is still limited, depending on what type of access employees need to do their jobs. If, for example, an employee works in the organization’s accounting department, they might need access to corporate accounts but not data related to ongoing development projects.
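The reading's accounting example (access to corporate accounts but not to development projects) is the principle of least privilege from the confidentiality section in practice. Below is an added example, not from the course, of a default-deny authorization check over a small role policy, plus a review helper that lists grants a role holds beyond what its tasks require. The policy, role names, resource names, and function names are constructed for this demo.

```python
from dataclasses import dataclass

# Constructed policy: each role lists only the actions its job requires.
# Anything not listed is denied, which is what least privilege means here.
POLICY = {
    "accounting": {"corporate-accounts": {"read", "write"}},
    "developer": {"dev-projects": {"read", "write"}},
    "auditor": {"corporate-accounts": {"read"}, "dev-projects": {"read"}},
}

AUDIT_LOG: list = []   # denied requests are recorded for later review


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize(role: str, resource: str, action: str, policy=POLICY) -> Decision:
    """Default-deny check: allow only what the role's policy lists explicitly."""
    grants = policy.get(role)
    if grants is None:
        decision = Decision(False, f"unknown role {role!r}")
    elif action not in grants.get(resource, set()):
        decision = Decision(False, f"{role} is not granted {action} on {resource}")
    else:
        decision = Decision(True, f"{role} is granted {action} on {resource}")
    if not decision.allowed:
        AUDIT_LOG.append(f"DENY role={role} resource={resource} action={action}")
    return decision


def excess_grants(role: str, required: set, policy=POLICY) -> set:
    """Least-privilege review: (resource, action) pairs the role holds but
    its documented tasks do not need. Each one is a candidate for removal."""
    held = {(res, act) for res, acts in policy.get(role, {}).items() for act in acts}
    return held - required


if __name__ == "__main__":
    print(authorize("accounting", "corporate-accounts", "read"))   # allowed
    print(authorize("accounting", "dev-projects", "read"))         # denied
    print(excess_grants("accounting", {("corporate-accounts", "read")}))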
Key takeaways
The CIA triad is essential for establishing an organization’s security posture. Knowing what it is and how it’s applied can help you better understand how security teams work to protect organizations and the people they serve.
Practice Quiz: Test your knowledge: The CIA triad
What is the CIA triad?
A foundational security model used to set up security policies and systems
The CIA triad is a foundational security model used to set up security policies and systems. The core principles of the model are confidentiality, integrity, and availability.
AI assistant
The CIA triad is a foundational security model used to set up security policies and systems. The three letters in the CIA triad stand for confidentiality, integrity, and availability.
Confidentiality means that only authorized users can access specific assets or data. Integrity means that the data is correct, authentic, and reliable. Availability means that the data is accessible to those who are authorized to access it.
The CIA triad is a simple but powerful model that can be used to guide security decisions at all levels of an organization. For example, when designing a new system, security professionals will consider the CIA triad to ensure that the system is designed to protect confidentiality, integrity, and availability.
Here are some examples of how the CIA triad can be used in cybersecurity:
- Confidentiality:
- Using encryption to protect sensitive data at rest and in transit
- Implementing access control policies to restrict who can access certain systems or data
- Using multi-factor authentication to add an extra layer of security to logins
- Integrity:
- Using data integrity checks to ensure that data has not been tampered with
- Monitoring for and responding to unauthorized changes to data
- Implementing a backup and restore strategy to recover from data loss or corruption
- Availability:
- Designing and maintaining redundant systems and backups
- Implementing disaster recovery plans to minimize downtime in the event of a disruption
- Using load balancing to distribute traffic across multiple servers
The CIA triad is a fundamental concept in cybersecurity, and it is important for all security professionals to understand and apply it in their work.
Which element of the CIA triad specifies that only authorized users can access specific information?
Confidentiality
Confidentiality specifies that only authorized users can access specific information.
AI assistant
The element of the CIA triad that specifies that only authorized users can access specific information is confidentiality.
Confidentiality is the assurance that sensitive information is only accessible to authorized individuals. It is important to protect confidentiality because unauthorized access to sensitive information can lead to a variety of negative consequences, such as financial loss, reputational damage, and even identity theft.
There are a variety of ways to protect confidentiality, such as:
- Encryption: Encryption is the process of scrambling data so that it can only be read by authorized individuals.
- Access control: Access control is the process of restricting who can access certain systems and data.
- Multi-factor authentication: Multi-factor authentication adds an extra layer of security to logins by requiring users to provide two or more factors of authentication, such as a password and a one-time code.
Organizations can also implement policies and procedures to help protect confidentiality, such as:
- Requiring employees to sign confidentiality agreements
- Educating employees about the importance of confidentiality and how to protect it
- Monitoring employee access to systems and data
By taking steps to protect confidentiality, organizations can help to reduce the risk of unauthorized access to sensitive information.
A security analyst discovers that certain data is inaccessible to authorized users, which is preventing these employees from doing their jobs efficiently. The analyst works to fix the application involved in order to allow for timely and reliable access. Which element of the CIA triad does this scenario describe?
Availability
This scenario describes availability. Availability specifies that data is accessible to authorized users.
AI assistant
The element of the CIA triad that the scenario describes is availability.
Availability is the assurance that authorized users can access information and systems when they need them. In the scenario, the data is inaccessible to authorized users, which is preventing them from doing their jobs efficiently. This means that the availability of the data is compromised.
The security analyst is working to fix the application involved in order to allow for timely and reliable access. This is an important step in ensuring the availability of the data.
Here are some other examples of availability issues:
- A system outage that prevents users from accessing systems and data
- A denial-of-service attack that makes a website or application unavailable
- A ransomware attack that encrypts data and demands a ransom payment to decrypt it
Organizations can take a variety of steps to improve availability, such as:
- Implementing redundant systems and backups
- Designing systems to be scalable and able to handle increased traffic
- Implementing disaster recovery plans to minimize downtime in the event of a disruption
- Using load balancing to distribute traffic across multiple servers
- Monitoring systems and networks for potential problems
By taking steps to improve availability, organizations can help to ensure that authorized users have access to the information and systems they need to do their jobs.
Fill in the blank: According to the CIA triad, _____ refers to ensuring that an organization’s data is verifiably correct, authentic, and reliable.
Integrity
According to the CIA triad, integrity refers to ensuring that an organization’s data is verifiably correct, authentic, and reliable.
AI assistant
According to the CIA triad, integrity refers to ensuring that an organization’s data is verifiably correct, authentic, and reliable.
Integrity is one of the three core components of the CIA triad, which is a security model that helps organizations protect their sensitive assets and data from threat actors. The other two components of the CIA triad are confidentiality and availability.
Integrity is important because it ensures that organizations can trust their data. If data is not accurate, authentic, or reliable, it can lead to a variety of problems, such as bad decision-making, financial losses, and even legal liability.
There are a variety of ways to protect integrity, such as:
- Using data integrity checks to ensure that data has not been tampered with
- Monitoring for and responding to unauthorized changes to data
- Implementing a backup and restore strategy to recover from data loss or corruption
Organizations can also implement policies and procedures to help protect integrity, such as:
- Requiring employees to follow data entry procedures
- Conducting regular audits of data systems and processes
- Educating employees about the importance of data integrity and how to protect it
By taking steps to protect integrity, organizations can help to ensure that their data is accurate, authentic, and reliable.
NIST frameworks
Video: NIST frameworks
The NIST Cybersecurity Framework (CSF) is a voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk. It is a widely respected and essential framework for maintaining security regardless of the organization you work for.
The CSF consists of five important core functions:
- Identify: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
- Protect: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
- Detect: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
- Respond: Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
- Recover: Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
The CSF can be used to protect against threats, risks, and vulnerabilities by providing a framework for developing plans to handle incidents appropriately and quickly. It can also be used to develop plans to protect against specific threats, such as ransomware or supply chain attacks.
The NIST CSF is used by organizations of all sizes and in all industries. It is also used by the US federal government.
In the video example, the NIST CSF was used to respond to a high-risk notification that a workstation had been compromised. The security professional followed the core functions of the CSF to identify the workstation, block the unknown device, remove the infected workstation, detect any additional threat actor behavior, investigate the incident, and recover any affected files or data.
The NIST CSF is a valuable tool for security professionals to help them protect their organizations from cyber threats.
NIST Frameworks Tutorial
NIST frameworks are a set of cybersecurity standards and guidelines developed by the National Institute of Standards and Technology (NIST). These frameworks are designed to help organizations of all sizes and industries manage and reduce cybersecurity risk.
The two most popular NIST frameworks are the NIST Cybersecurity Framework (CSF) and NIST Special Publication (SP) 800-53.
NIST Cybersecurity Framework (CSF)
The NIST Cybersecurity Framework (CSF) is a voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk. It is a widely respected and essential framework for maintaining security regardless of the organization you work for.
The CSF consists of five important core functions:
- Identify: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
- Protect: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
- Detect: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
- Respond: Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
- Recover: Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
The CSF can be used to protect against threats, risks, and vulnerabilities by providing a framework for developing plans to handle incidents appropriately and quickly. It can also be used to develop plans to protect against specific threats, such as ransomware or supply chain attacks.
NIST Special Publication (SP) 800-53
NIST Special Publication (SP) 800-53 is a framework for protecting the security of information systems within the federal government. It provides a unified framework for protecting the confidentiality, integrity, and availability (CIA triad) of information systems.
SP 800-53 is not mandatory for private sector organizations, but it is widely adopted as a best practice. It is also a requirement for organizations that contract with the federal government.
SP 800-53 contains a set of security controls that can be implemented to protect information systems. These controls are organized into 17 categories, including access control, awareness and training, audit and accountability, configuration management, incident response, and risk assessment.
How to Use NIST Frameworks
To use NIST frameworks, organizations should first identify their cybersecurity risks. Once they have identified their risks, they can develop plans to mitigate those risks using the guidance provided in the frameworks.
NIST frameworks can be used to develop a variety of cybersecurity plans, including:
- Incident response plans
- Risk management plans
- Security awareness and training plans
- System security plans
NIST frameworks can also be used to assess the effectiveness of an organization’s cybersecurity program.
Benefits of Using NIST Frameworks
There are many benefits to using NIST frameworks, including:
- NIST frameworks are widely accepted and respected.
- NIST frameworks are based on best practices.
- NIST frameworks are flexible and can be adapted to meet the needs of any organization.
- NIST frameworks are free to use.
Conclusion
NIST frameworks are a valuable tool for organizations of all sizes and industries to help them manage and reduce cybersecurity risk. The NIST Cybersecurity Framework (CSF) and NIST Special Publication (SP) 800-53 are the two most popular NIST frameworks.
Organizations can use NIST frameworks to develop a variety of cybersecurity plans, including incident response plans, risk management plans, security awareness and training plans, and system security plans. NIST frameworks can also be used to assess the effectiveness of an organization’s cybersecurity program.
Welcome back. Before we get started, let’s quickly review the purpose of frameworks. Organizations use frameworks as a starting point to develop plans that mitigate risks, threats, and vulnerabilities to sensitive data and assets. Fortunately, there are organizations worldwide that create frameworks security professionals can use to develop those plans. In this video, we’ll discuss two of the National Institute of Standards and Technology, or NIST’s, frameworks that can support ongoing security efforts for all types of organizations, including for-profit and nonprofit businesses, as well as government agencies. While NIST is a US-based organization, the guidance it provides can help analysts all over the world understand how to implement essential cybersecurity practices.
One NIST framework that we’ll discuss throughout the program is the NIST Cybersecurity Framework, or CSF. The CSF is a voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk. This framework is widely respected and essential for maintaining security regardless of the organization you work for. The CSF consists of five important core functions: identify, protect, detect, respond, and recover, which we’ll discuss in detail in a future video. For now, we’ll focus on how the CSF benefits organizations and how it can be used to protect against threats, risks, and vulnerabilities by providing a workplace example.
Imagine that one morning you receive a high-risk notification that a workstation has been compromised. You identify the workstation, and discover that there’s an unknown device plugged into it. You block the unknown device remotely to stop any potential threat and protect the organization. Then you remove the infected workstation to prevent the spread of the damage and use tools to detect any additional threat actor behavior and identify the unknown device. You respond by investigating the incident to determine who used the unknown device, how the threat occurred, what was affected, and where the attack originated. In this case, you discover that an employee was charging their infected phone using a USB port on their work laptop. Finally, you do your best to recover any files or data that were affected and correct any damage the threat caused to the workstation itself.
As demonstrated by the previous example, the core functions of the NIST CSF provide specific guidance and direction for security professionals. This framework is used to develop plans to handle an incident appropriately and quickly to lower risk, protect an organization against a threat, and mitigate any potential vulnerabilities. The NIST CSF also expands into the protection of the United States federal government with NIST Special Publication, or SP, 800-53. It provides a unified framework for protecting the security of information systems within the federal government, including the systems provided by private companies for federal government use. The security controls provided by this framework are used to maintain the CIA triad for those systems used by the government.
Isn’t it amazing how all of these frameworks and controls work together? We’ve discussed some really important security topics in this video that will be very useful for you as you continue your security journey. Because they’re core elements of the security profession, the NIST CSF is a useful framework that most security professionals are familiar with, and having an understanding of NIST SP 800-53 is crucial if you have an interest in working for the US federal government. Coming up, we’ll continue to explore the five NIST CSF functions and how organizations use them to protect assets and data.
Video: Explore the five functions of the NIST Cybersecurity Framework
The five core functions of the NIST Cybersecurity Framework (CSF) are:
- Identify: This function is about understanding the organization’s cybersecurity risks and how they could impact its people and assets.
- Protect: This function is about implementing safeguards to mitigate cybersecurity threats and protect the organization’s assets.
- Detect: This function is about identifying potential cybersecurity incidents and improving monitoring capabilities to increase the speed and efficiency of detections.
- Respond: This function is about ensuring that the proper procedures are used to contain, neutralize, and analyze security incidents, and implement improvements to the security process.
- Recover: This function is about returning affected systems back to normal operation.
All five functions are essential for organizations to have effective cybersecurity strategies in place. Security incidents are going to happen, but an organization must have the ability to quickly recover from any damage caused by an incident to minimize their level of risk.
Here are some examples of how each function can be used to improve an organization’s security:
- Identify: A security analyst could monitor systems and devices on the organization’s internal network to identify potential security issues.
- Protect: A security team could implement policies and procedures to train employees on cybersecurity best practices and deploy security tools to mitigate threats.
- Detect: A security analyst could review a new security tool’s setup to make sure it’s flagging low, medium, or high risk, and then alerting the security team about any potential threats or incidents.
- Respond: A security analyst could work with a team to collect and organize data to document an incident and suggest improvements to processes to prevent the incident from happening again.
- Recover: A security analyst could work with their security team to restore systems, data, and assets that have been affected by an incident like a breach.
The NIST CSF is a valuable framework for organizations of all sizes and industries to help them manage and reduce cybersecurity risk.
Explore the five functions of the NIST Cybersecurity Framework
The NIST Cybersecurity Framework (CSF) is a voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk. It is a widely respected and essential framework for maintaining security regardless of the organization you work for.
The CSF consists of five important core functions:
- Identify: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
- Protect: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
- Detect: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
- Respond: Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
- Recover: Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
Here is a more detailed exploration of each function:
Identify
The Identify function is about understanding the organization’s cybersecurity risks and how they could impact its people and assets. This includes identifying threats, vulnerabilities, and assets, and assessing the risks associated with them.
Protect
The Protect function is about implementing safeguards to mitigate cybersecurity threats and protect the organization’s assets. This includes implementing security policies and procedures, training employees on cybersecurity best practices, and deploying security tools.
Detect
The Detect function is about identifying potential cybersecurity incidents and improving monitoring capabilities to increase the speed and efficiency of detections. This includes monitoring systems and networks for suspicious activity, and using security tools to detect known threats.
Respond
The Respond function is about ensuring that the proper procedures are used to contain, neutralize, and analyze security incidents, and implement improvements to the security process. This includes developing and implementing incident response plans, and conducting post-incident reviews to learn from mistakes.
Recover
The Recover function is about returning affected systems back to normal operation. This includes restoring systems and data, and communicating with stakeholders about the incident and its resolution.
How to use the NIST CSF
The NIST CSF can be used by organizations of all sizes and industries to improve their cybersecurity posture. To use the CSF, organizations should first identify their cybersecurity risks. Once they have identified their risks, they can develop plans to mitigate those risks using the guidance provided in the CSF.
The NIST CSF can be used to develop a variety of cybersecurity plans, including:
- Incident response plans
- Risk management plans
- Security awareness and training plans
- System security plans
The NIST CSF can also be used to assess the effectiveness of an organization’s cybersecurity program.
Conclusion
The NIST CSF is a valuable tool for organizations of all sizes and industries to help them manage and reduce cybersecurity risk. By understanding and implementing the five functions of the CSF, organizations can improve their ability to protect their assets, detect and respond to incidents, and recover from attacks.
Hello again! I’m excited you’re here. We have so much to discuss. Previously, we covered the uses and benefits of the NIST CSF. In this video, we’ll focus specifically on the five core functions of the NIST CSF framework. Let’s get started.
NIST CSF focuses on five core functions: identify, protect, detect, respond, and recover. These core functions help organizations manage cybersecurity risks, implement risk management strategies, and learn from previous mistakes. Basically, when it comes to security operations, NIST CSF functions are key for making sure an organization is protected against potential threats, risks, and vulnerabilities. So let’s take a little time to explore how each function can be used to improve an organization’s security.
The first core function is identify, which is related to the management of cybersecurity risk and its effect on an organization’s people and assets. For example, as a security analyst, you may be asked to monitor systems and devices in your organization’s internal network to identify potential security issues.
The second core function is protect, which is the strategy used to protect an organization through the implementation of policies, procedures, training, and tools that help mitigate cybersecurity threats. For example, as a security analyst, you and your team might encounter new and unfamiliar threats and attacks. For this reason, studying historical data and making improvements to policies and procedures is essential.
The third core function is detect, which means identifying potential security incidents and improving monitoring capabilities to increase the speed and efficiency of detections. For example, as an analyst, you might be asked to review a new security tool’s setup to make sure it’s flagging low, medium, or high risk, and then alerting the security team about any potential threats or incidents.
The fourth function is respond, which means making sure that the proper procedures are used to contain, neutralize, and analyze security incidents, and implement improvements to the security process. As an analyst, you could be working with a team to collect and organize data to document an incident and suggest improvements to processes to prevent the incident from happening again.
The fifth core function is recover, which is the process of returning affected systems back to normal operation. For example, as an entry-level security analyst, you might work with your security team to restore systems, data, and assets, such as financial or legal files, that have been affected by an incident like a breach.
We’ve covered a lot of information in this video. Hopefully, it helped you understand the value of learning about the NIST CSF and its five core functions. From proactive to reactive measures, all five functions are essential for making sure that an organization has effective security strategies in place. Security incidents are going to happen, but an organization must have the ability to quickly recover from any damage caused by an incident to minimize their level of risk. Coming up, we’ll discuss security principles that work hand-in-hand with NIST frameworks and the CIA triad to help protect critical data and assets.
Practice Quiz: Test your knowledge: NIST frameworks
What is the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)?
Standards, guidelines, and best practices that organizations follow voluntarily in order to manage cybersecurity risk
The NIST CSF is a voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk.
AI assistant
The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is a set of standards, guidelines, and best practices that organizations follow voluntarily in order to manage cybersecurity risk.
The CSF is a framework that organizations can use to improve their cybersecurity posture. It is not a required framework, but it is widely respected and used by organizations of all sizes and industries.
The CSF consists of five core functions:
- Identify: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
- Protect: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
- Detect: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
- Respond: Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
- Recover: Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
Organizations can use the CSF to develop a variety of cybersecurity plans, including incident response plans, risk management plans, security awareness and training plans, and system security plans.
The CSF is a valuable tool for organizations of all sizes and industries to help them manage and reduce cybersecurity risk.
Fill in the blank: The five core functions that make up the CSF are: identify, protect, detect, _, and recover.
respond
The five core functions that make up the CSF are: identify, protect, detect, respond, and recover.
AI assistant
The five core functions that make up the CSF are: identify, protect, detect, respond, and recover.
The respond function is about ensuring that the proper procedures are used to contain, neutralize, and analyze security incidents, and implement improvements to the security process. This includes developing and implementing incident response plans, and conducting post-incident reviews to learn from mistakes.
Here is a brief summary of each of the five core functions:
- Identify: Understand the organization’s cybersecurity risks and how they could impact its people and assets.
- Protect: Implement safeguards to mitigate cybersecurity threats and protect the organization’s assets.
- Detect: Identify potential cybersecurity incidents and improve monitoring capabilities to increase the speed and efficiency of detections.
- Respond: Ensure that the proper procedures are used to contain, neutralize, and analyze security incidents, and implement improvements to the security process.
- Recover: Return affected systems back to normal operation.
The NIST CSF is a valuable framework for organizations of all sizes and industries to help them manage and reduce cybersecurity risk.
Fill in the blank: The CSF _ function relates to monitoring systems and devices in an organization’s internal network to help security teams manage potential cybersecurity risks and their effects.
identify
The CSF identify function relates to monitoring systems and devices in an organization’s internal network to help security teams manage potential cybersecurity risks and their effects.
AI assistant
The CSF detect function relates to monitoring systems and devices in an organization’s internal network to help security teams manage potential cybersecurity risks and their effects.
The detect function is about identifying potential cybersecurity incidents and improving monitoring capabilities to increase the speed and efficiency of detections. This includes monitoring systems and networks for suspicious activity, and using security tools to detect known threats.
Here are some examples of activities that organizations can do to implement the detect function:
- Monitor network traffic for anomalous activity
- Use security tools to detect malware and other malicious software
- Monitor system logs for signs of suspicious activity
- Implement security information and event management (SIEM) tools to collect and analyze security data
- Conduct regular security assessments to identify and address vulnerabilities
By implementing the detect function, organizations can improve their ability to identify and respond to cybersecurity incidents before they cause damage.
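The detect activities listed above (monitoring system logs for signs of suspicious activity, and flagging findings as low, medium, or high risk as the video describes) can be made concrete with a small log monitor. The following is an added example written for this page, not code from the course: the log lines are constructed in a simplified sshd style, and the failure threshold, time window, and severity scheme are assumptions chosen for the illustration.

```python
"""Added example (not part of the course page): a small log monitor that carries
out the CSF detect activity of watching system logs for suspicious activity.
The log lines below are constructed in a simplified sshd style; the threshold,
window and severity scheme are assumptions chosen for the example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real system). 203.0.113.7 and
# 198.51.100.4 are documentation-only addresses (RFC 5737).
SAMPLE_LOG = """\
2024-03-01T08:00:01 sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 51422
2024-03-01T08:00:03 sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 51423
2024-03-01T08:00:05 sshd[2210]: Failed password for root from 203.0.113.7 port 51424
2024-03-01T08:00:07 sshd[2210]: Failed password for root from 203.0.113.7 port 51425
2024-03-01T08:00:09 sshd[2210]: Failed password for root from 203.0.113.7 port 51426
2024-03-01T08:00:12 sshd[2210]: Accepted password for root from 203.0.113.7 port 51427
2024-03-01T08:15:00 sshd[2310]: Failed password for alice from 198.51.100.4 port 40001
2024-03-01T08:20:00 sshd[2311]: Accepted publickey for alice from 198.51.100.4 port 40002
this line is not an authentication event and is skipped by the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"(?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+$"
)


def parse_events(text):
    """Turn raw lines into (timestamp, result, user, ip) tuples, skipping lines
    that do not match the expected format instead of crashing on them."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]))
    return events


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Report each source IP with at least `threshold` failed logins inside one
    sliding `window`. Severity follows the low/medium/high idea from the video:
    high   = the burst of failures was followed by a successful login from that IP
    medium = the threshold was reached but no success was seen
    IPs that never reach the threshold are not reported (implicitly low)."""
    history = defaultdict(list)          # ip -> [(timestamp, result)]
    for ts, result, _user, ip in events:
        history[ip].append((ts, result))

    findings = {}
    for ip, hist in history.items():
        hist.sort()
        failures = [ts for ts, r in hist if r == "Failed"]
        burst_end = None
        # slide a window of `threshold` consecutive failures along the timeline
        for i in range(len(failures) - threshold + 1):
            if failures[i + threshold - 1] - failures[i] <= window:
                burst_end = failures[i + threshold - 1]
                break
        if burst_end is None:
            continue
        succeeded = any(r == "Accepted" and ts >= burst_end for ts, r in hist)
        findings[ip] = {
            "severity": "high" if succeeded else "medium",
            "failures": len(failures),
            "succeeded_after": succeeded,
        }
    return findings


if __name__ == "__main__":
    for ip, f in detect_brute_force(parse_events(SAMPLE_LOG)).items():
        print(f"{f['severity'].upper():6} {ip}: {f['failures']} failed logins, "
              f"success afterwards={f['succeeded_after']}")
```

Run as a script it reports a single high-severity finding for 203.0.113.7 (five failures in eight seconds followed by an accepted login), while the one failed attempt from 198.51.100.4 stays below the threshold. In a real deployment the same logic would sit behind a SIEM rule, but the shape is the same: parse, group by source, apply a threshold over a window, and escalate when the pattern ends in success.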
What does a security analyst’s work involve during the CSF recover function?
Return affected systems back to normal operation
During the recover function, a security analyst’s work involves returning affected systems back to normal operation.
AI assistant
A security analyst’s work during the CSF recover function involves returning affected systems back to normal operation. This may include:
- Restoring systems and data from backups
- Cleaning and disinfecting infected systems
- Removing compromised accounts and permissions
- Changing passwords and other security credentials
- Implementing additional security controls to prevent future incidents
- Communicating with stakeholders about the incident and its resolution
Security analysts may also be involved in developing and implementing recovery plans, and conducting post-incident reviews to learn from mistakes.
Here are some specific examples of tasks that a security analyst might perform during the recover function:
- Restore servers and workstations from backups
- Update system software and security patches
- Change passwords for all users and systems
- Implement additional security controls, such as firewalls and intrusion detection systems
- Investigate the incident to determine how it occurred and what can be done to prevent it from happening again
- Communicate with stakeholders about the incident and its resolution
The recover function is an important part of the NIST CSF because it helps organizations to minimize the impact of cybersecurity incidents and get back to business as quickly as possible. Security analysts play a vital role in the recover function by helping to restore affected systems, investigate the incident, and learn from mistakes.
OWASP principles and security audits
Video: OWASP security principles
As a security analyst, it is important to understand how to protect an organization’s data and assets. The following OWASP security principles can be used to help security teams minimize threats and risks:
- Minimize the attack surface area: This means reducing the number of potential vulnerabilities that an attacker could exploit. Examples of ways to minimize the attack surface area include disabling unused software features, restricting access to certain assets, and establishing complex password requirements.
- Least privilege: This means giving users the least amount of access necessary to perform their job duties. This helps to reduce the damage that could be caused in the event of a security breach.
- Defense in depth: This means having multiple security controls in place to protect against different types of attacks. Examples of security controls include multi-factor authentication, firewalls, and intrusion detection systems.
- Separation of duties: This means dividing tasks among different people so that no one person has too much power. This helps to prevent fraud and illegal activity.
- Keep security simple: Security controls should be easy to understand and implement. Avoid overly complex solutions that can be difficult to manage.
- Fix security issues correctly: When a security incident occurs, it is important to identify the root cause and take steps to fix it. This may involve patching vulnerabilities, implementing new security controls, or educating employees about security best practices.
By understanding and applying these principles, security teams can help to protect their organizations from a wide range of threats.
OWASP security principles are a set of guidelines that can be used to help organizations improve the security of their web applications. These principles are based on the OWASP Top 10, which is a list of the most common and critical web application security risks.
The OWASP security principles are as follows:
- Minimize the attack surface area: This means reducing the number of potential entry points for attackers. This can be done by disabling unused features, removing unnecessary services, and keeping software up to date.
- Least privilege: This means giving users the least amount of access necessary to perform their job duties. This helps to reduce the damage that could be done if an attacker gains access to a user’s account.
- Defense in depth: This means using multiple security controls to protect against attacks. This could include firewalls, intrusion detection systems, and input validation.
- Separation of duties: This means dividing tasks among different people so that no one person has too much power. This helps to prevent fraud and abuse.
- Keep security simple: Security controls should be easy to understand and implement. Avoid overly complex solutions that can be difficult to manage.
- Fix security issues correctly: When a security issue is found, it is important to fix it correctly. This may involve patching vulnerabilities, implementing new security controls, or educating employees about security best practices.
Tutorial on how to apply OWASP security principles:
- Identify your organization’s assets. What are the most important systems and data that you need to protect? Once you have identified your assets, you can start to assess the risks that they face.
- Implement security controls to mitigate the risks. The OWASP security principles can help you to identify the appropriate security controls for your organization. For example, you can use least privilege to reduce the access that users have to your systems. You can also use defense in depth to implement multiple security controls to protect against attacks.
- Monitor your systems for security incidents. It is important to monitor your systems for security incidents so that you can respond to them quickly. You can use a variety of tools and techniques to monitor your systems, such as intrusion detection systems and log analysis tools.
- Educate your employees about security best practices. Employees are often the weakest link in the security chain. It is important to educate your employees about security best practices so that they can help to protect your organization from attack.
Benefits of applying OWASP security principles:
- Reduced risk of security breaches: By applying OWASP security principles, you can reduce the risk of security breaches. This is because OWASP security principles are based on the most common and critical web application security risks.
- Improved compliance: Many industry regulations require organizations to implement certain security controls. OWASP security principles can help you to comply with these regulations.
- Increased customer confidence: Customers are more likely to do business with organizations that they trust to protect their data. By applying OWASP security principles, you can demonstrate to your customers that you are committed to protecting their data.
By applying OWASP security principles, organizations can improve the security of their web applications and reduce the risk of security breaches.
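Two of the principles above, least privilege and separation of duties, are easy to state and easy to get wrong in code. The following is an added example written for this page (not the course's or OWASP's own code) that applies both to a toy application: an analyst role that can read logs but cannot change user permissions, as in the video, and a payroll workflow where the person who prepares a run may not approve it. The role names, permission strings, and user names are invented for the illustration.

```python
"""Added example (not the course's own code): an authorization helper that
applies least privilege and separation of duties to a toy payroll/log-review
application. Role names, permissions and users are made up for illustration."""


# Least privilege: each role gets only the permissions its everyday tasks need.
# Permissions are granted explicitly; anything not listed is denied.
ROLE_PERMISSIONS = {
    "analyst": {"logs:read"},                                   # can read logs ...
    "security_admin": {"logs:read", "users:change_permissions"},  # ... but only admins change access
    "payroll_clerk": {"payroll:prepare"},
    "payroll_manager": {"payroll:approve"},
}


class AuthorizationError(Exception):
    pass


def has_permission(user_roles, permission):
    """True only if some role explicitly grants the permission (deny by default,
    including for role names that do not exist in the table)."""
    return any(permission in ROLE_PERMISSIONS.get(role, set()) for role in user_roles)


def authorize(user, user_roles, permission):
    if not has_permission(user_roles, permission):
        raise AuthorizationError(f"{user} lacks {permission}")


class Payroll:
    """Separation of duties: the person who prepares a paycheck run may not be
    the one who approves it, even if a single user happens to hold both roles."""

    def __init__(self):
        self.runs = {}  # run_id -> {"prepared_by": user, "approved_by": user or None}

    def prepare(self, run_id, user, roles):
        authorize(user, roles, "payroll:prepare")
        self.runs[run_id] = {"prepared_by": user, "approved_by": None}

    def approve(self, run_id, user, roles):
        authorize(user, roles, "payroll:approve")
        run = self.runs[run_id]
        if run["prepared_by"] == user:
            raise AuthorizationError(f"{user} prepared run {run_id} and cannot also approve it")
        run["approved_by"] = user
        return run


def demo():
    """Exercise both principles and return the outcomes as a dict."""
    results = {}
    results["analyst_reads_logs"] = has_permission(["analyst"], "logs:read")
    results["analyst_changes_perms"] = has_permission(["analyst"], "users:change_permissions")

    payroll = Payroll()
    payroll.prepare("2024-03", "bob", ["payroll_clerk"])
    try:
        # bob has been given both roles, but still cannot approve his own run
        payroll.approve("2024-03", "bob", ["payroll_clerk", "payroll_manager"])
        results["self_approve"] = "allowed"
    except AuthorizationError:
        results["self_approve"] = "denied"
    results["manager_approve"] = payroll.approve("2024-03", "carol", ["payroll_manager"])["approved_by"]
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The point of the separate `prepared_by == user` check is that separation of duties is not the same thing as least privilege: a user can legitimately hold the approve permission and still be blocked from approving a specific run because of who prepared it.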
It’s important to understand how to protect an organization’s data and assets because that will be part of your role as a security analyst. Fortunately, there are principles and guidelines that can be used, along with NIST frameworks and the CIA triad, to help security teams minimize threats and risks. In this video, we’ll explore some Open Web Application Security Project, or OWASP, security principles that are useful to know as an entry-level analyst.
The first OWASP principle is to minimize the attack surface area. An attack surface refers to all the potential vulnerabilities that a threat actor could exploit, like attack vectors, which are pathways attackers use to penetrate security defenses. Examples of common attack vectors are phishing emails and weak passwords. To minimize the attack surface and avoid incidents from these types of vectors, security teams might disable software features, restrict who can access certain assets, or establish more complex password requirements.
The principle of least privilege means making sure that users have the least amount of access required to perform their everyday tasks. The main reason for limiting access to organizational information and resources is to reduce the amount of damage a security breach could cause. For example, as an entry-level analyst, you may have access to log data, but may not have access to change user permissions. Therefore, if a threat actor compromises your credentials, they’ll only be able to gain limited access to digital or physical assets, which may not be enough for them to deploy their intended attack.
The next principle we’ll discuss is defense in depth. Defense in depth means that an organization should have multiple security controls that address risks and threats in different ways. One example of a security control is multi-factor authentication, or MFA, which requires users to take an additional step beyond simply entering their username and password to gain access to an application. Other controls include firewalls, intrusion detection systems, and permission settings that can be used to create multiple points of defense that a threat actor must get through to breach an organization.
Another principle is separation of duties, which can be used to prevent individuals from carrying out fraudulent or illegal activities. This principle means that no one should be given so many privileges that they can misuse the system. For example, the person in a company who signs the paychecks shouldn’t also be the person who prepares them.
Only two more principles to go! You’re doing great. Keep security simple is the next principle. As the name suggests, when implementing security controls, unnecessarily complicated solutions should be avoided because they can become unmanageable. The more complex the security controls are, the harder it is for people to work collaboratively.
The last principle is to fix security issues correctly. Technology is a great tool, but can also present challenges. When a security incident occurs, security professionals are expected to identify the root cause quickly. From there, it’s important to correct any identified vulnerabilities and conduct tests to ensure that repairs are successful. An example of an issue is a weak password to access an organization’s wifi because it could lead to a breach. To fix this type of security issue, stricter password policies could be put in place.
I know we’ve covered a lot, but understanding these principles increases your overall security knowledge and can help you stand out as a security professional.
Reading: More about OWASP security principles
Previously, you learned that cybersecurity analysts help keep data safe and reduce risk for an organization by using a variety of security frameworks, controls, and security principles. In this reading, you will learn about more Open Web Application Security Project, recently renamed Open Worldwide Application Security Project® (OWASP), security principles and how entry-level analysts use them.
Security principles
In the workplace, security principles are embedded in your daily tasks. Whether you are analyzing logs, monitoring a security information and event management (SIEM) dashboard, or using a vulnerability scanner, you will use these principles in some way.
Previously, you were introduced to several OWASP security principles. These included:
- Minimize attack surface area: Attack surface refers to all the potential vulnerabilities a threat actor could exploit.
- Principle of least privilege: Users have the least amount of access required to perform their everyday tasks.
- Defense in depth: Organizations should have varying security controls that mitigate risks and threats.
- Separation of duties: Critical actions should rely on multiple people, each of whom follow the principle of least privilege.
- Keep security simple: Avoid unnecessarily complicated solutions. Complexity makes security difficult.
- Fix security issues correctly: When security incidents occur, identify the root cause, contain the impact, identify vulnerabilities, and conduct tests to ensure that remediation is successful.
Additional OWASP security principles
Next, you’ll learn about four additional OWASP security principles that cybersecurity analysts and their teams use to keep organizational operations and people safe.
Establish secure defaults
This principle means that the optimal security state of an application is also its default state for users; it should take extra work to make the application insecure.
Fail securely
Fail securely means that when a control fails or stops, it should do so by defaulting to its most secure option. For example, when a firewall fails it should simply close all connections and block all new ones, rather than start accepting everything.
Don’t trust services
Many organizations work with third-party partners. These outside partners often have different security policies than the organization does. And the organization shouldn’t explicitly trust that their partners’ systems are secure. For example, if a third-party vendor tracks reward points for airline customers, the airline should ensure that the balance is accurate before sharing that information with their customers.
Avoid security by obscurity
The security of key systems should not rely on keeping details hidden. Consider the following example from OWASP (2016):
The security of an application should not rely on keeping the source code secret. Its security should rely upon many other factors, including reasonable password policies, defense in depth, business transaction limits, solid network architecture, and fraud and audit controls.
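Three of the additional principles in this reading (establish secure defaults, fail securely, and don't trust services) show up directly in how application code is written. The block below is an added example for this page, not code from the course or from OWASP: it uses a constructed configuration object whose defaults are the secure state, an authorization check that denies when its policy backend is unreachable (the same fail-closed behaviour as the reading's firewall example), and a reconciliation step that checks a third-party reward-points balance against the airline's own ledger before it is shown to a customer. The setting names, the `policy_service_allows` stub, and the ledger values are all assumptions made for the illustration.

```python
"""Added example (not from the course page or OWASP): three of the additional
OWASP principles from the reading expressed as code in a small service.
All settings, the policy-service stub and the vendor/ledger data are constructed."""
from dataclasses import dataclass


# Establish secure defaults: the secure configuration is what you get when
# nothing is specified; weakening it takes an explicit, visible override.
@dataclass(frozen=True)
class ServiceConfig:
    tls_verify: bool = True
    debug: bool = False
    session_timeout_minutes: int = 15
    allowed_origins: tuple = ()   # nothing allowed until someone adds an origin


def load_config(overrides=None):
    """Build a config from the defaults plus explicit overrides, refusing unknown
    keys so that a typo cannot silently leave a setting at an unexpected value."""
    overrides = overrides or {}
    unknown = set(overrides) - set(ServiceConfig.__dataclass_fields__)
    if unknown:
        raise ValueError(f"unknown settings: {sorted(unknown)}")
    return ServiceConfig(**overrides)


# Fail securely: if the authorization decision cannot be made, deny.
class PolicyServiceDown(Exception):
    pass


def policy_service_allows(user, action):
    """Stand-in for a remote policy service (assumption for the example);
    the user name 'outage' simulates the backend being unreachable."""
    if user == "outage":
        raise PolicyServiceDown("policy backend unreachable")
    return action in {"read"}


def is_allowed(user, action):
    try:
        return bool(policy_service_allows(user, action))
    except PolicyServiceDown:
        # A failed control defaults to its most secure option: deny (fail closed),
        # just as the reading's firewall example blocks rather than accepts.
        return False


# Don't trust services: validate data from a third party against local records
# before showing it to customers (the reading's reward-points example).
LOCAL_LEDGER = {"cust-1": 1200, "cust-2": 0}   # constructed airline-side balances


def reconcile_points(customer_id, vendor_payload):
    """Return the balance that is safe to display, or None when the vendor data
    is malformed, refers to a different customer, or disagrees with our ledger."""
    balance = vendor_payload.get("balance")
    if not isinstance(balance, int) or isinstance(balance, bool) or balance < 0:
        return None                      # wrong type or impossible value
    if vendor_payload.get("customer_id") != customer_id:
        return None                      # vendor mixed up customers
    if balance != LOCAL_LEDGER.get(customer_id):
        return None                      # mismatch: escalate rather than show either value
    return balance


if __name__ == "__main__":
    print(load_config())
    print("outage read allowed?", is_allowed("outage", "read"))
    print("cust-1 balance:", reconcile_points("cust-1", {"customer_id": "cust-1", "balance": 1200}))
```

Note that `reconcile_points` returns `None` on a mismatch rather than preferring either side's number: the reading's point is that the vendor's figure is not trusted, and the right response to a disagreement is to investigate, not to pick one.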
Key takeaways
Cybersecurity professionals are constantly applying security principles to safeguard organizations and the people they serve. As an entry-level security analyst, you can use these security principles to promote safe development practices that reduce risks to companies and users alike.
Video: Wajih: Stay up-to-date on the latest cybersecurity threats
Wajih is a security engineer at Google working in the digital forensics department. He does not have a background in cybersecurity, but he was able to get into the field by leveraging his previous experiences and learning the fundamentals.
Here are some tips from Wajih on how to get into cybersecurity:
- Don’t be afraid to start from scratch. You don’t need a degree in cybersecurity to get into the field. There are many resources available to help you learn the fundamentals, such as online courses, books, and articles.
- Find a mentor. A mentor can help you learn the ropes and navigate the cybersecurity industry.
- Network with other cybersecurity professionals. Attend conferences, meetups, and online forums to connect with other people in the field.
- Don’t be overwhelmed. There are many different specializations within cybersecurity. It’s impossible to know everything about everything. Start by focusing on one or two areas that you’re interested in.
- Be persistent. Cybersecurity is a challenging field, but it’s also very rewarding. Don’t give up if you don’t get your dream job right away. Keep learning and keep applying.
Wajih also emphasizes the importance of staying up to date on the latest cybersecurity trends. He recommends reading online articles and attending conferences to learn about new threats and vulnerabilities.
Overall, Wajih’s message is that it’s possible to get into cybersecurity, even if you don’t have a background in the field. Just be willing to learn, network, and be persistent.
My name is Wajih and I’m a security engineer at Google working in the digital forensics department. Do you need a background in cybersecurity? No, you don’t. My past experiences are working at a water park as a snow cone machine guy. I worked at a movie theater selling popcorn in concession stands. During my undergrad, I was a bio major at first, like my freshman year. I met someone on a bus who was mentioning this cool cybersecurity startup that just sounded really cool.
Some strategies I leveraged to keep up to date on the latest cybersecurity trends are going on online forums such as Medium to research different security trends and topics. I personally use Medium a lot, as I could filter by the tag of, like, I want to find articles related to cybersecurity, or I want to find articles related to cloud security. Based off their filtering algorithm, I just go on and see, like, what other people are talking about, and then that’s what helps me keep up to date. If it’s more of like networking that you’re looking forward to, then I highly recommend just going out to those, like, conferences.
My advice for people wanting to get into cybersecurity is don’t be too overwhelmed with trying to understand every single specialization within cybersecurity. There’s so much going on within the cybersecurity field in terms of trends, and it’s nice to stay up to date with all of those, but sometimes you need to take a step back and prioritize what subjects within cybersecurity you are staying most up to date, like, on. I love this job. I love the challenges. I feel like there is a shortage in cybersecurity professionals out there from just past experiences, hearing from other friends in computer science fields. Most of them say that, oh, it’s too hard, too complicated to get in. Don’t listen to those people. I encourage you to push through. It’s definitely well worth it. First, just get the fundamentals down and be persistent.
Video: Plan a security audit
Internal security audits are reviews of an organization’s security controls, policies, and procedures against a set of expectations. They are used to help improve an organization’s security posture and help organizations avoid fines from governing agencies due to a lack of compliance.
The first two elements of an internal security audit are:
- Establishing the scope and goals: The scope refers to the specific criteria of the audit, such as people, assets, policies, procedures, and technologies that might impact an organization’s security posture. The goals are an outline of the organization’s security objectives, or what they want to achieve in order to improve their security posture.
- Completing a risk assessment: A risk assessment is focused on identifying potential threats, risks, and vulnerabilities. This helps organizations consider what security measures should be implemented and monitored to ensure the safety of assets.
Entry-level analysts may be asked to review and understand the scope and goals of the audit, or to analyze details provided in the risk assessment to consider what types of controls and compliance regulations need to be in place.
In the next video, the instructor will discuss the last three elements of an internal security audit: controls assessment, compliance assessment, and communicating results to stakeholders.
To plan a security audit in cybersecurity, you should follow these steps:
- Establish the scope and goals of the audit. What do you want to achieve with the audit? What specific areas of your security program do you want to assess? Once you have a clear understanding of the scope and goals, you can develop a plan to achieve them.
- Identify the assets to be audited. What assets do you need to protect? This could include your physical infrastructure, data, software, and intellectual property.
- Identify the threats and risks to your assets. What are the potential threats to your assets? What are the risks associated with those threats?
- Identify the controls in place to mitigate the risks. What controls do you have in place to protect your assets from the identified threats and risks?
- Develop an audit plan. The audit plan should outline the steps that will be taken to assess the controls in place to mitigate the risks. This should include the following:
- Audit schedule: When will the audit be conducted?
- Audit team: Who will be involved in the audit?
- Audit methodology: What methods will be used to assess the controls?
- Audit reporting: How will the results of the audit be reported?
- Communicate the audit plan to stakeholders. It is important to communicate the audit plan to all stakeholders, including management, staff, and customers. This will help to ensure that everyone is aware of the audit and its goals.
Here are some additional tips for planning a security audit:
- Get buy-in from management. It is important to have the support of management before conducting a security audit. This will help to ensure that the audit is given the resources it needs to be successful.
- Engage a qualified auditor. If you do not have the expertise to conduct a security audit yourself, you should consider engaging a qualified auditor. This will help to ensure that the audit is conducted thoroughly and professionally.
- Be objective. It is important to be objective when conducting a security audit. This means avoiding any bias or personal opinions.
- Be comprehensive. The audit should be comprehensive enough to cover all of the critical areas of your security program.
- Be timely. The audit should be conducted on a regular basis to ensure that your security program is effective and up-to-date.
By following these steps, you can develop a comprehensive and effective security audit plan.
Now that we’ve covered different frameworks, controls, security principles, and compliance regulations, the question is: How do they all work together? The answer to that question is by conducting security audits. A security audit is a review of an organization’s security controls, policies, and procedures against a set of expectations. There are two main types of security audits: external and internal. We’ll focus on internal security audits because those are the types of audits that entry-level analysts might be asked to contribute to. An internal security audit is typically conducted by a team of people that might include an organization’s compliance officer, security manager, and other security team members. Internal security audits are used to help improve an organization’s security posture and help organizations avoid fines from governing agencies due to a lack of compliance. Internal security audits help security teams identify organizational risk, assess controls, and correct compliance issues.
Now that we’ve discussed the purposes of internal audits, let’s cover some common elements of internal audits. These include establishing the scope and goals of the audit, conducting a risk assessment of the organization’s assets, completing a controls assessment, assessing compliance, and communicating results to stakeholders. In this video, we’ll cover the first two elements, which are a part of the audit planning process: establishing the scope and goals, then completing a risk assessment.
Scope refers to the specific criteria of an internal security audit. Scope requires organizations to identify people, assets, policies, procedures, and technologies that might impact an organization’s security posture. Goals are an outline of the organization’s security objectives, or what they want to achieve in order to improve their security posture. Although more senior-level security team members and other stakeholders usually establish the scope and goals of the audit, entry-level analysts might be asked to review and understand the scope and goals in order to complete other elements of the audit. As an example, the scope of this audit involves assessing user permissions; identifying existing controls, policies, and procedures; and accounting for the technology currently in use by the organization. The goals outlined include implementing core functions of frameworks, like the NIST CSF; establishing policies and procedures to ensure compliance; and strengthening system controls.
The next element is conducting a risk assessment, which is focused on identifying potential threats, risks, and vulnerabilities. This helps organizations consider what security measures should be implemented and monitored to ensure the safety of assets. Similar to establishing the scope and goals, a risk assessment is oftentimes completed by managers or other stakeholders. However, you might be asked to analyze details provided in the risk assessment to consider what types of controls and compliance regulations need to be in place to help improve the organization’s security posture. For example, this risk assessment highlights that there are inadequate controls, processes, and procedures in place to protect the organization’s assets. Specifically, there is a lack of proper management of physical and digital assets, including employee equipment. The equipment used to store data is not properly secured. And access to private information stored in the organization’s internal network likely needs more robust controls in place.
Now that we’ve discussed the initial planning elements of an internal security audit, coming up, we’ll focus on the last three elements.
Video: Complete a security audit
In this video, the focus is on the final elements of an internal security audit, particularly for entry-level analysts. The process begins with a review of the audit’s scope, goals, and risk assessment. Analysts need to ask critical questions about the audit’s purpose, asset vulnerability, and control effectiveness. The subsequent steps involve:
- Controls Assessment: This includes categorizing controls into administrative (related to human aspects), technical (hardware/software solutions), and physical (measures to prevent physical access).
- Compliance Assessment: Evaluating whether the organization is adhering to relevant compliance regulations, such as GDPR and PCI DSS.
- Communication: Communicating audit results and recommendations to stakeholders, summarizing audit scope, identifying risks, and offering security improvement suggestions.
Internal security audits help identify gaps and security measures within organizations, enabling them to improve their security posture. Completing these audits can also be valuable for one’s professional portfolio.
Tutorial: Complete a Security Audit in Cybersecurity
A security audit is a systematic review and evaluation of an organization’s security posture. It helps organizations to identify and mitigate security risks, and to ensure that their security controls are effective. Security audits can be conducted internally or by external third-party auditors.
To complete a security audit, follow these steps:
- Define the scope of the audit. What assets will be audited? What types of security controls will be reviewed? What time period will be covered?
- Gather information. This includes reviewing security policies and procedures, interviewing staff, and examining system logs.
- Assess security risks and vulnerabilities. Identify potential threats to the organization’s assets, and evaluate the effectiveness of the security controls in mitigating those threats.
- Make recommendations. Based on the findings of the audit, develop recommendations for improving the organization’s security posture.
- Implement the recommendations. The organization should prioritize and implement the recommendations in a timely manner.
Here are some additional tips for conducting a security audit:
- Involve key stakeholders. The security audit should be a collaborative effort involving all relevant stakeholders, such as IT staff, management, and end users.
- Use a variety of audit techniques. There are a variety of audit techniques that can be used, such as interviews, surveys, documentation reviews, and technical testing.
- Be objective and thorough. The audit should be conducted in an objective and thorough manner. Auditors should avoid making assumptions or relying on hearsay.
- Document the findings and recommendations. The findings and recommendations of the audit should be documented in a clear and concise report.
Here is a sample security audit checklist:
- Security policies and procedures
- Are there documented security policies and procedures in place?
- Are the policies and procedures comprehensive and up-to-date?
- Are the policies and procedures communicated to and understood by staff?
- Access control
- Are there appropriate access controls in place for all systems and data?
- Are access controls reviewed and updated on a regular basis?
- System security
- Are all systems properly configured and secured?
- Are security patches and updates applied promptly?
- Are systems monitored for suspicious activity?
- Data security
- Are sensitive data encrypted?
- Are data backups performed regularly and stored securely?
- Is data access restricted to authorized personnel?
- Incident response
- Is there an incident response plan in place?
- Are staff trained on the incident response plan?
- Is the incident response plan tested on a regular basis?
This checklist is just a starting point. The specific areas that are audited will vary depending on the organization’s needs and risk profile.
Conclusion
Security audits are an essential part of any cybersecurity program. By regularly conducting security audits, organizations can identify and mitigate security risks, and ensure that their security controls are effective.
Previously, we discussed the initial planning elements of an internal security audit. In this video, we’ll cover the final elements that an entry-level analyst might be asked to complete. As a reminder, the planning elements of internal security audits include establishing the scope and goals, then conducting a risk assessment. The remaining elements are completing a controls assessment, assessing compliance, and communicating results.
Before completing these last three elements, you’ll need to review the scope and goals, as well as the risk assessment, and ask yourself some questions. For example: What is the audit meant to achieve? Which assets are most at risk? Are current controls sufficient to protect those assets? If not, what controls and compliance regulations need to be implemented? Considering questions like these can support your ability to complete the next element: a controls assessment.
A controls assessment involves closely reviewing an organization’s existing assets, then evaluating potential risks to those assets, to ensure internal controls and processes are effective. To do this, entry-level analysts might be tasked with classifying controls into the following categories: administrative controls, technical controls, and physical controls. Administrative controls are related to the human component of cybersecurity. They include policies and procedures that define how an organization manages data, such as the implementation of password policies. Technical controls are hardware and software solutions used to protect assets, such as the use of intrusion detection systems, or IDSs, and encryption. Physical controls refer to measures put in place to prevent physical access to protected assets, such as surveillance cameras and locks.
The next element is determining whether or not the organization is adhering to necessary compliance regulations. As a reminder, compliance regulations are laws that organizations must follow to ensure private data remains secure. In this example, the organization conducts business in the European Union and accepts credit card payments. So they need to adhere to the GDPR and the Payment Card Industry Data Security Standard, or PCI DSS.
The final common element of an internal security audit is communication. Once the internal security audit is complete, results and recommendations need to be communicated to stakeholders. In general, this type of communication summarizes the scope and goals of the audit. Then, it lists existing risks and notes how quickly those risks need to be addressed. Additionally, it identifies compliance regulations the organization needs to adhere to and provides recommendations for improving the organization’s security posture.
Internal audits are a great way to identify gaps within an organization. When I worked at a previous company, my team and I conducted an internal password audit and found that many of the passwords were weak. Once we identified this issue, the compliance team took the lead and began enforcing stricter password policies. Audits are an opportunity to determine what security measures an organization has in place and what areas need to be improved to achieve the organization’s desired security posture. Security audits are quite involved, yet of extreme value to organizations. Later in the course, you’ll have an opportunity to complete elements of an internal security audit for a fictional company, which you can include in your professional portfolio.
Reading: More about security audits
Reading
Previously, you were introduced to how to plan and complete an internal security audit. In this reading, you will learn more about security audits, including the goals and objectives of audits.
Security audits
A security audit is a review of an organization’s security controls, policies, and procedures against a set of expectations. Audits are independent reviews that evaluate whether an organization is meeting internal and external criteria. Internal criteria include outlined policies, procedures, and best practices. External criteria include regulatory compliance, laws, and federal regulations.
Additionally, a security audit can be used to assess an organization’s established security controls. As a reminder, security controls are safeguards designed to reduce specific security risks.
Audits help ensure that security checks are made (e.g., daily monitoring of security information and event management dashboards) to identify threats, risks, and vulnerabilities. This helps maintain an organization’s security posture. And, if there are security issues, a remediation process must be in place.
Goals and objectives of an audit
The goal of an audit is to ensure an organization’s information technology (IT) practices are meeting industry and organizational standards. The objective is to identify and address areas of remediation and growth. Audits provide direction and clarity by identifying what the current failures are and developing a plan to correct them.
Security audits must be performed to safeguard data and avoid penalties and fines from governmental agencies. The frequency of audits is dependent on local laws and federal compliance regulations.
Factors that affect audits
Factors that determine the types of audits an organization implements include:
- Industry type
- Organization size
- Ties to the applicable government regulations
- A business’s geographical location
- A business decision to adhere to a specific regulatory compliance
To review common compliance regulations that different organizations need to adhere to, refer to the reading about controls, frameworks, and compliance.
The role of frameworks and controls in audits
Along with compliance, it’s important to mention the role of frameworks and controls in security audits. Frameworks such as the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) and the international standard for information security (ISO 27000) series are designed to help organizations prepare for regulatory compliance security audits. By adhering to these and other relevant frameworks, organizations can save time when conducting external and internal audits. Additionally, frameworks, when used alongside controls, can support organizations’ ability to align with regulatory compliance requirements and standards.
There are three main categories of controls to review during an audit, which are administrative and/or managerial, technical, and physical controls. To learn more about specific controls related to each category, click the following link and select “Use Template.”
Link to template: Control categories
OR
If you don’t have a Google account, you can download the template directly from the following attachment
Audit checklist
It’s necessary to create an audit checklist before conducting an audit. A checklist is generally made up of the following areas of focus:
Identify the scope of the audit
- The audit should:
- List assets that will be assessed (e.g., firewalls are configured correctly, PII is secure, physical assets are locked, etc.)
- Note how the audit will help the organization achieve its desired goals
- Indicate how often an audit should be performed
- Include an evaluation of organizational policies, protocols, and procedures to make sure they are working as intended and being implemented by employees
Complete a risk assessment
- A risk assessment is used to evaluate identified organizational risks related to budget, controls, internal processes, and external standards (i.e., regulations).
Conduct the audit
- When conducting an internal audit, you will assess the security of the identified assets listed in the audit scope.
Create a mitigation plan
- A mitigation plan is a strategy established to lower the level of risk and potential costs, penalties, or other issues that can negatively affect the organization’s security posture.
Communicate results to stakeholders
- The end result of this process is providing a detailed report of findings, suggested improvements needed to lower the organization’s level of risk, and compliance regulations and standards the organization needs to adhere to.
Key takeaways
In this reading you learned more about security audits, including what they are; why they’re conducted; and the role of frameworks, controls, and compliance in audits.
Although there is much more to learn about security audits, this introduction is meant to support your ability to complete an audit of your own for a self-reflection portfolio activity later in this course.
Resources for more information
Resources that you can explore to further develop your understanding of audits in the cybersecurity space are:
Practice Quiz: Test your knowledge: OWASP principles and security audits
A security analyst disables certain software features to reduce the potential vulnerabilities that an attacker could exploit at their organization. Which OWASP security principle does this scenario describe?
Minimize the attack surface
This scenario describes minimizing the attack surface.
AI assistant
The OWASP security principle that describes the scenario of a security analyst disabling certain software features to reduce the potential vulnerabilities that an attacker could exploit at their organization is Minimize the attack surface.
The attack surface is the set of all possible entry points into a system that an attacker could use to gain unauthorized access. By disabling unused features and interfaces, the security analyst is reducing the number of potential entry points for attackers.
The other OWASP security principles are:
- Fix security issues correctly: This principle emphasizes the importance of thoroughly understanding and resolving security vulnerabilities.
- Defense in depth: This principle recommends using multiple layers of security controls to protect systems and data.
- Separation of duties: This principle states that different users should have different privileges, and that no user should have more privileges than necessary.
While all of these principles are important for cybersecurity, the principle of minimizing the attack surface is most directly related to the scenario described in the question.
Fill in the blank: A security _ is a review of an organization’s security controls, policies, and procedures against a set of expectations.
audit
A security audit is a review of an organization’s security controls, policies, and procedures against a set of expectations.
AI assistant
The answer is audit.
A security audit is a review of an organization’s security controls, policies, and procedures against a set of expectations. The goal of a security audit is to identify any weaknesses in the organization’s security posture and to recommend improvements.
Security audits can be conducted internally or by an external third-party auditor. Internal audits are typically conducted on a regular basis, such as annually or quarterly. External audits are often conducted in response to a specific security incident or as part of a compliance requirement.
Security audits are an important part of any cybersecurity program. By regularly conducting security audits, organizations can identify and mitigate security risks, and ensure that their security controls are effective.
Here are some of the benefits of conducting a security audit:
- Identify and mitigate security risks
- Ensure compliance with regulations
- Improve the organization’s security posture
- Build trust with customers and partners
If you are responsible for the security of an organization, it is important to consider conducting regular security audits.
A security professional closely examines their organization’s network, then evaluates potential risks to the network. Their goal is to ensure internal safeguards and processes are effective. What security concept does this scenario describe?
Controls assessment
This scenario describes a controls assessment. A controls assessment involves closely reviewing an organization’s existing assets, then evaluating potential risks to those assets in order to ensure internal controls and processes are effective.
AI assistant
The security concept that describes the scenario of a security professional closely examining their organization’s network to evaluate potential risks to the network and ensure internal safeguards and processes are effective is controls assessment.
Controls assessment is the process of evaluating the effectiveness of security controls in place to protect an organization’s assets. This includes identifying and assessing all security controls, evaluating their effectiveness against identified risks, and recommending improvements.
Controls assessment is an important part of any cybersecurity program. By regularly assessing the effectiveness of security controls, organizations can identify and mitigate security risks, and ensure that their security controls are effective.
The other security concepts listed in the question are:
- Security recommendations: This refers to the process of developing and recommending security solutions to address identified risks.
- Compliance regulations: This refers to the process of ensuring that an organization’s security measures comply with applicable regulations.
- Communicating results: This refers to the process of communicating the results of a security assessment to stakeholders.
While all of these security concepts are important, controls assessment is the most directly related to the scenario described in the question.
A security professional is asked to communicate the results of an internal security audit to stakeholders. What should be included in that communication?
- A summary of the audit’s scope and goals
- A recommendation about how to improve the organization’s security posture
- A list of risks and compliance requirements that need to be addressed
AI assistant
The three things that should be included in a communication about the results of an internal security audit to stakeholders are:
- A summary of the audit’s scope and goals: This should include the areas of the organization that were audited and the objectives of the audit.
- A recommendation about how to improve the organization’s security posture: This should be based on the findings of the audit and should include specific steps that the organization can take to improve its security.
- A list of risks and compliance requirements that need to be addressed: This should include the most critical risks that were identified during the audit, as well as any compliance requirements that the organization needs to meet.
In addition to these three things, it may also be helpful to include the following information in the communication:
- An overview of the audit methodology: This can help stakeholders to understand how the audit was conducted and how the findings were derived.
- A detailed list of findings and recommendations: This can be provided in an appendix or as a separate document.
- A timeline for implementing the recommendations: This can help stakeholders to prioritize the recommendations and to track progress on implementing them.
It is important to communicate the results of a security audit to stakeholders in a clear and concise manner. The communication should be tailored to the audience and should avoid using technical jargon. It is also important to be realistic about the organization’s ability to implement all of the recommendations immediately.
Quiz: Portfolio Activity: Conduct a security audit
Reading
Activity Overview
In part one of this activity, you will conduct an internal security audit, which you can include in your cybersecurity portfolio. To review the importance of building a professional portfolio and options for creating your portfolio, read Create a cybersecurity portfolio.
As a reminder, audits help ensure that security checks are made, to monitor for threats, risks, or vulnerabilities that can affect an organization’s business continuity and critical assets.
Be sure to complete this activity and answer the questions that follow before moving on. The next course item will provide you with a completed exemplar to compare to your own work.
Scenario
Review the following scenario. Then complete the step-by-step instructions.
This scenario is based on a fictional company:
Botium Toys is a small U.S. business that develops and sells toys. The business has a single physical location, which serves as their main office, a storefront, and warehouse for their products. However, Botium Toys’ online presence has grown, attracting customers in the U.S. and abroad. As a result, their information technology (IT) department is under increasing pressure to support their online market worldwide.
The manager of the IT department has decided that an internal IT audit needs to be conducted. She expresses concerns about not having a solidified plan of action to ensure business continuity and compliance, as the business grows. She believes an internal audit can help better secure the company’s infrastructure and help them identify and mitigate potential risks, threats, or vulnerabilities to critical assets. The manager is also interested in ensuring that they comply with regulations related to internally processing and accepting online payments and conducting business in the European Union (E.U.).
The IT manager starts by implementing the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), establishing an audit scope and goals, listing assets currently managed by the IT department, and completing a risk assessment. The goal of the audit is to provide an overview of the risks and/or fines that the company might experience due to the current state of their security posture.
Your task is to review the IT manager’s scope, goals, and risk assessment report. Then, perform an internal audit by completing a controls and compliance checklist.
Step-By-Step Instructions
Follow the instructions to complete each step of the activity. Then, answer the 5 questions at the end of the activity before going to the next course item to compare your work to the completed exemplar.
Step 1: Access supporting materials
The following supporting materials will help you complete this activity. Keep materials open as you proceed to the next steps.
To use the supporting materials for this course item, click the links.
Links to supporting materials:
Step 2: Conduct the audit: Controls and compliance checklist
Conduct the next step of the security audit by completing the controls and compliance checklist.
To complete the checklist, open the supporting materials provided in Step 1. Then:
- Review the scope, goals, and risk assessment report details, with a focus on:
- The assets currently managed by the IT department
- The bullet points under “Additional comments” in the Risk assessment section
- Consider information provided in the scenario, the scope, goals, and risk assessment report, as well as details provided in other documents linked within the checklist.
- Then, review the question in the controls and compliance sections of the checklist and select “yes” or “no” to answer the question in each section (note: the recommendations section is optional).
To use the supporting materials for this step, click the following link.
Link to supporting materials: Controls and compliance checklist
Pro Tip: Save a copy of your work
Finally, be sure to download and save a copy of your completed activity to your own device. You can upload it to the portfolio platform of your choice, then share with potential employers to help demonstrate your knowledge and experience.
Be sure to address the following elements in your completed activity:
Controls and compliance checklist
- “Yes” or “no” is selected to answer the question related to each control listed
- “Yes” or “no” is selected to answer the question related to each compliance best practice
- A recommendation is provided for the IT manager (optional)
Step 3: Assess your activity
The following is a self-assessment for your controls and compliance checklist. You will use these statements to review your own work. The self-assessment process is an important part of the learning experience because it allows you to objectively assess your security audit.
There are a total of 5 points possible for this activity and each statement is worth 1 point. The items correspond to each step you completed for the activity.
To complete the self-assessment, first open your controls assessment and compliance checklist. Then respond yes or no to each statement.
When you complete and submit your responses, you will receive a percentage score. This score will help you confirm whether you completed the required steps of the activity. The recommended passing grade for this project is at least 80% (or 4/5 points). If you want to increase your score, you can revise your project and then resubmit your responses to reflect any changes you made. Try to achieve at least 4 points before continuing on to the next course item.
Reading: Portfolio Activity Exemplar: Conduct a security audit
Reading
Completed Exemplar
To review the exemplar for this course item, click the following link and select Use Template.
Link to exemplar:
Assessment of Exemplar
Compare the exemplar to your completed activity. Review your work using each of the criteria in the exemplar. What did you do well? Where can you improve? Use your answers to revise your project as needed and guide you as you continue to progress through the certificate program.
Note: The exemplar represents one possible way to complete the activity. Yours will likely differ in certain ways. What’s important is that your activity demonstrates your ability to select controls that Botium Toys does or does not need to implement and compliance best practices that the company needs to adhere to in order to mitigate risks and avoid fines.
Review: Security frameworks and controls
Video: Wrap-up
In this video, you learned about different security concepts that can help an organization protect its data and assets. You covered the following topics:
- Security frameworks: These frameworks help organizations protect their critical information.
- Security controls: These controls protect against risks, threats, and vulnerabilities. This includes the CIA triad, which is a core security model, and two NIST frameworks: the CSF and S.P. 800-53.
- OWASP secure design principles: These principles help organizations design secure software.
- Security audits: These audits help organizations identify and address security risks.
Security professionals use these concepts to protect organizations’ assets, data, systems, and people.
In the next section of the course, you will learn about specific security tools that security analysts use to improve an organization’s security posture.
Great job! Now you’ve had an opportunity to learn more about security concepts that can help an organization protect data and assets. We’ve covered quite a bit, but it will all be valuable knowledge for you as you continue along your journey into the security profession.
We started by defining what security frameworks are, and how they help organizations protect critical information. We also explored security controls and the important role they play in protecting against risks, threats, and vulnerabilities. This included a discussion of the CIA triad, which is a core security model, and two NIST frameworks: the CSF and S.P. 800-53. Then, we covered some of OWASP’s secure design principles. We ended by introducing security audits with a focus on the elements of an internal audit that you may be asked to complete or contribute to.
Security professionals use the concepts we discussed to help protect organizations’ assets, data, systems, and people. As you continue along your journey into the security profession, a lot of these concepts will come up repeatedly. What we’re doing now is giving you a foundational understanding of security practices and topics that will help you along the way.
In the next section of the course, we’ll discuss specific security tools you may one day use as an analyst. We’ll cover how they’re used to improve an organization’s security posture and how they can help you achieve your goal of keeping organizations and people safe. I’m excited to continue this journey with you. See you soon!
Reading: Glossary terms from module 2
Reading
Terms and definitions from Course 2, Module 2
Asset: An item perceived as having value to an organization
Attack vectors: The pathways attackers use to penetrate security defenses
Authentication: The process of verifying who someone is
Authorization: The concept of granting access to specific resources in a system
Availability: The idea that data is accessible to those who are authorized to access it
Biometrics: The unique physical characteristics that can be used to verify a person’s identity
Confidentiality: The idea that only authorized users can access specific assets or data
Confidentiality, integrity, availability (CIA) triad: A model that helps inform how organizations consider risk when setting up systems and security policies
Detect: A NIST core function related to identifying potential security incidents and improving monitoring capabilities to increase the speed and efficiency of detections
Encryption: The process of converting data from a readable format to an encoded format
Identify: A NIST core function related to management of cybersecurity risk and its effect on an organization’s people and assets
Integrity: The idea that the data is correct, authentic, and reliable
National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF): A voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk
National Institute of Standards and Technology (NIST) Special Publication (S.P.) 800-53: A unified framework for protecting the security of information systems within the U.S. federal government
Open Web Application Security Project/Open Worldwide Application Security Project (OWASP): A non-profit organization focused on improving software security
Protect: A NIST core function used to protect an organization through the implementation of policies, procedures, training, and tools that help mitigate cybersecurity threats
Recover: A NIST core function related to returning affected systems back to normal operation
Respond: A NIST core function related to making sure that the proper procedures are used to contain, neutralize, and analyze security incidents, and implement improvements to the security process
Risk: Anything that can impact the confidentiality, integrity, or availability of an asset
Security audit: A review of an organization’s security controls, policies, and procedures against a set of expectations
Security controls: Safeguards designed to reduce specific security risks
Security frameworks: Guidelines used for building plans to help mitigate risk and threats to data and privacy
Security posture: An organization’s ability to manage its defense of critical assets and data and react to change
Threat: Any circumstance or event that can negatively impact assets
Quiz: Module 2 challenge
What is the purpose of a security framework?
Build plans to help mitigate risks and threats to data and privacy
AI assistant
The purpose of a security framework is to build plans to help mitigate risks and threats to data and privacy.
A security framework is a set of guidelines and best practices that organizations can use to develop and implement a security program. It helps organizations to identify, assess, and manage security risks. A security framework can also help organizations to comply with security regulations.
There are many different security frameworks available, such as the NIST Cybersecurity Framework (CSF), the ISO 27001 framework, and the COBIT framework. Each framework has its own strengths and weaknesses, and the best framework for an organization will depend on its specific needs.
Security frameworks are important because they can help organizations to reduce their risk of cyberattacks. By following the guidelines in a security framework, organizations can identify and address security vulnerabilities before they are exploited by attackers.
Here are some of the benefits of using a security framework:
- Improved security posture: Security frameworks can help organizations to improve their security posture by helping them to identify and address security risks.
- Reduced risk of cyberattacks: By following the guidelines in a security framework, organizations can reduce their risk of being attacked by cybercriminals.
- Improved compliance: Security frameworks can help organizations to comply with security regulations, such as HIPAA and PCI DSS.
- Increased customer confidence: Customers are more likely to trust organizations that have implemented a security framework.
If you are responsible for the security of an organization, I recommend that you consider implementing a security framework. There are many different frameworks available, so you can choose one that is right for your organization’s needs.
Fill in the blank: A security professional uses _ to convert data from a readable format to an encoded format.
encryption
AI assistant
The answer is encryption.
Encryption is the process of converting data from a readable format to an encoded format. This is done to protect the data from unauthorized access. Encryption is used in a variety of applications, including data storage, data transmission, and email communication.
Security professionals use encryption to protect data from unauthorized access. For example, a security professional might encrypt data that is stored on a server or that is transmitted over a network. Encryption can also be used to protect data from being stolen from a lost or stolen device.
There are many different encryption algorithms available, each with its own strengths and weaknesses. The best encryption algorithm for a particular application will depend on the specific security requirements.
Here are some examples of how encryption is used in the real world:
- Banks use encryption to protect customer financial data.
- Hospitals use encryption to protect patient medical records.
- E-commerce companies use encryption to protect customer credit card information.
- Email providers use encryption to protect email messages from being intercepted.
Encryption is an important security tool that can help to protect data from unauthorized access. If you are responsible for the security of data, I recommend that you consider using encryption to protect it.
Which of the following characteristics are examples of biometrics? Select all that apply.
Eye scan, Fingerprint, Palm scan
AI assistant
The following characteristics are examples of biometrics:
- Eye scan
- Fingerprint
- Palm scan
Passwords are not considered biometrics because they are not unique to each individual.
Biometrics are unique physical or behavioral characteristics that can be used to identify individuals. They are often used for security purposes, such as unlocking doors or accessing computer systems.
Here are some other examples of biometrics:
- Facial recognition
- Voice recognition
- DNA analysis
- Handwriting analysis
- Gait analysis
Biometrics are becoming increasingly popular because they are a more secure way to identify individuals than passwords. Passwords can be easily forgotten or stolen, but biometrics are much more difficult to forge or replicate.
Biometrics are also being used in a variety of other applications, such as healthcare, marketing, and entertainment. For example, biometrics can be used to track patient progress in healthcare, to target advertising to specific consumers, and to authenticate users for online games and other digital media.
You work as a security analyst for a supply chain organization and need to confirm all inventory data is correct, authentic, and reliable. Which core principle of the CIA triad are you using?
Integrity
AI assistant
The core principle of the CIA triad that you are using is integrity.
Integrity means that data is accurate and complete, and has not been tampered with.
The other principles of the CIA triad are:
- Confidentiality: Data is protected from unauthorized access.
- Availability: Data is accessible to authorized users when they need it.
In the context of supply chain inventory data, integrity is important because it ensures that the data is accurate and reliable. This is important for making informed decisions about production, shipping, and other supply chain operations.
There are a number of ways to ensure the integrity of supply chain inventory data, such as:
- Using strong access controls to restrict access to the data.
- Implementing data logging and auditing to track changes to the data.
- Using encryption to protect the data from unauthorized access.
- Regularly backing up the data in case of corruption or loss.
By taking these steps, you can help to ensure that the integrity of your supply chain inventory data is maintained.
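As an added example (not part of the course material), the following Python sketch shows two of the integrity controls listed above in working form: tamper-evident inventory records and a change log whose entries cannot be silently rewritten. The signing key and the inventory records are constructed placeholders, not real data.

```python
import hashlib
import hmac
import json

# Constructed sample inventory records for the supply chain scenario (not real data).
INVENTORY = [
    {"sku": "WIDGET-100", "qty": 250, "location": "WH-A"},
    {"sku": "GEAR-7", "qty": 40, "location": "WH-B"},
]

# Hypothetical integrity key. In a real deployment it would come from a secrets
# manager and never sit in source code.
KEY = b"example-integrity-key"


def canonical(record):
    """Serialize deterministically so identical data always yields identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def tag(record, key=KEY):
    """HMAC-SHA256 over the record: proves the data is unchanged AND came from a key holder."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def seal(records, key=KEY):
    """Attach an integrity tag to every record before storing it."""
    return [dict(r, tag=tag(r, key)) for r in records]


def verify(sealed, key=KEY):
    """Return the SKUs whose stored tag no longer matches their data (empty list = intact)."""
    bad = []
    for row in sealed:
        data = {k: v for k, v in row.items() if k != "tag"}
        # compare_digest avoids leaking information through comparison timing.
        if not hmac.compare_digest(row["tag"], tag(data, key)):
            bad.append(data["sku"])
    return bad


def _entry_hash(prev, change):
    body = json.dumps({"prev": prev, "change": change}, sort_keys=True).encode()
    return hashlib.sha256(body).hexdigest()


def append_change(log, change):
    """Append to a hash-chained change log: each entry commits to the one before it,
    so editing or deleting an earlier entry breaks every later link."""
    prev = log[-1]["hash"] if log else "0" * 64
    log.append({"prev": prev, "change": change, "hash": _entry_hash(prev, change)})
    return log


def log_is_intact(log):
    """Walk the chain from the start and recompute every hash."""
    prev = "0" * 64
    for entry in log:
        if entry["prev"] != prev or entry["hash"] != _entry_hash(entry["prev"], entry["change"]):
            return False
        prev = entry["hash"]
    return True
```

Run `verify` on the sealed records at read time and `log_is_intact` on the change log during an audit; a non-empty list or a `False` result is the signal that the data can no longer be trusted as correct and authentic.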
Which of the following statements accurately describe the CSF?
- The CSF is a voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk.
- The detect function of the CSF involves improving monitoring capabilities to increase the speed and efficiency of detections.
- Restoring affected files or data is part of the recover function of the CSF.
AI assistant
The following statements accurately describe the CSF:
- The CSF is a voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk.
- The detect function of the CSF involves improving monitoring capabilities to increase the speed and efficiency of detections.
- Restoring affected files or data is part of the recover function of the CSF.
The identify function of the CSF involves developing an understanding of the organization’s assets, risks, and vulnerabilities.
Here is a summary of the five functions of the CSF:
- Identify: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
- Protect: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
- Detect: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
- Respond: Take appropriate actions to take back control of systems and assets, and to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.
- Recover: Maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.
The CSF is a valuable tool for organizations of all sizes to help them manage their cybersecurity risk. It is important to note that the CSF is a voluntary framework, but it is based on best practices and standards that are widely accepted by the cybersecurity community.
A security team establishes controls, including permission settings that will be used to create multiple security points that a threat actor must get through to breach their organization. Which OWASP principle does this scenario describe?
Defense in depth
AI assistant
The OWASP principle that the scenario describes is defense in depth.
Defense in depth is a security strategy that involves multiple layers of security controls to protect an organization from cyberattacks. The goal is to make it more difficult and time-consuming for attackers to breach the organization’s systems and data.
In the scenario you described, the security team is establishing multiple security points that a threat actor must get through to breach the organization. This is an example of defense in depth because it makes it more difficult for attackers to succeed.
Other examples of defense in depth controls include:
- Firewalls
- Intrusion detection systems
- Access control lists
- Data encryption
- Security awareness training
By implementing a defense in depth strategy, organizations can make it more difficult and costly for attackers to succeed. This can help to protect the organization’s systems, data, and people from cyberattacks.
Here are some of the benefits of using defense in depth:
- It makes it more difficult for attackers to breach the organization’s systems and data.
- It reduces the risk of a single security failure compromising the entire organization.
- It can help to identify and detect attacks more quickly.
- It can help to contain and mitigate the damage caused by an attack.
If you are responsible for the security of an organization, I recommend that you implement a defense in depth strategy. This will help to protect your organization from a wide range of cyberattacks.
What are some of the primary objectives of an internal security audit? Select three answers.
- Avoid fines due to a lack of compliance
- Help security teams identify organizational risk
- Improve security posture
AI assistant
The following are some of the primary objectives of an internal security audit:
- Help security teams identify organizational risk: Internal security audits can help organizations to identify and assess their security risks. This information can then be used to develop and implement risk mitigation strategies.
- Improve security posture: Internal security audits can help organizations to improve their security posture by identifying and addressing security gaps and vulnerabilities.
- Avoid fines due to a lack of compliance: Internal security audits can help organizations to ensure that they are in compliance with relevant security regulations. This can help to avoid fines and other penalties.
Other objectives of an internal security audit may include:
- Assess the effectiveness of security controls: Internal security audits can help organizations to assess the effectiveness of their security controls. This information can then be used to improve the effectiveness of the security program.
- Identify areas for improvement: Internal security audits can help organizations to identify areas where their security program can be improved. This information can then be used to develop and implement improvement plans.
- Provide assurance to management: Internal security audits can provide assurance to management that the organization’s security program is effective and that the organization is in compliance with relevant security regulations.
Internal security audits are an important part of a comprehensive security program. By regularly conducting internal security audits, organizations can identify and address security risks, improve their security posture, and avoid fines due to a lack of compliance.
Fill in the blank: The planning elements of an internal security audit include establishing scope and _, then conducting a risk assessment.
goals
AI assistant
The planning elements of an internal security audit include establishing scope and goals, then conducting a risk assessment.
The scope of the audit should define the areas of the organization that will be audited. The goals of the audit should define what the auditors hope to achieve by conducting the audit. The risk assessment should identify and assess the security risks that the organization faces.
Once the scope, goals, and risk assessment have been completed, the auditors can begin the audit process. The audit process typically involves gathering evidence, evaluating the evidence, and reporting the findings.
Here are some of the benefits of conducting an internal security audit:
- Improved security posture: Internal security audits can help organizations to improve their security posture by identifying and addressing security gaps and vulnerabilities.
- Reduced risk of cyberattacks: By improving their security posture, organizations can reduce their risk of being attacked by cybercriminals.
- Increased compliance: Internal security audits can help organizations to ensure that they are in compliance with relevant security regulations.
- Improved understanding of security risks: Internal security audits can help organizations to better understand the security risks that they face. This information can then be used to develop and implement risk mitigation strategies.
If you are responsible for the security of an organization, I recommend that you consider conducting regular internal security audits. This can help to improve your organization’s security posture, reduce the risk of cyberattacks, and increase compliance with security regulations.
A security analyst performs an internal security audit. They review their company’s existing assets, then evaluate potential risks to those assets. Which aspect of a security audit does this scenario describe?
Completing a controls assessment
AI assistant
The aspect of a security audit that the scenario describes is assessing risks.
Assessing risks is an important part of any security audit. It involves identifying and evaluating the threats, vulnerabilities, and impacts that could affect the organization’s assets.
The security analyst in the scenario is reviewing the company’s existing assets and evaluating potential risks to those assets. This is an example of risk assessment.
Once the risk assessment is complete, the security analyst will need to develop and implement risk mitigation strategies. This may involve implementing new security controls, updating existing security controls, or training employees on security best practices.
Risk assessment is an ongoing process. The security analyst should periodically review the organization’s assets and risks to ensure that the risk mitigation strategies are effective.
Here are some of the benefits of assessing risks:
- Helps to identify and prioritize security risks
- Helps to develop and implement effective risk mitigation strategies
- Helps to improve the organization’s security posture
- Helps to reduce the risk of cyberattacks
If you are responsible for the security of an organization, I recommend that you regularly assess your organization’s risks. This can help to improve your organization’s security posture and reduce the risk of cyberattacks.
What information is typically communicated to stakeholders after completion of an internal security audit? Select three answers.
- Strategies for improving security posture
- A summary of the goals
- Existing risks that need to be addressed now or in the future
AI assistant
The following information is typically communicated to stakeholders after completion of an internal security audit:
- Existing risks that need to be addressed now or in the future: This information helps stakeholders to understand the security risks that the organization faces and to prioritize risk mitigation efforts.
- Strategies for improving security posture: This information helps stakeholders to develop and implement plans to improve the organization’s security posture.
- A summary of the goals: This information helps stakeholders to understand the purpose of the audit and the results that were achieved.
Other information that may be communicated to stakeholders after completion of an internal security audit includes:
- Recommendations for improving the security program: This information can help stakeholders to identify and implement improvements to the organization’s security program.
- Observations about the effectiveness of security controls: This information can help stakeholders to assess the effectiveness of the organization’s security controls and to identify any areas where improvement is needed.
- Compliance status: This information can help stakeholders to ensure that the organization is in compliance with relevant security regulations.
It is important to note that the specific information that is communicated to stakeholders will vary depending on the organization’s needs and the scope of the audit.
Here are some of the benefits of communicating the results of an internal security audit to stakeholders:
- Helps to raise awareness of security risks
- Helps to build support for security initiatives
- Helps to improve the organization’s security posture
- Helps to ensure compliance with security regulations
If you are responsible for conducting internal security audits, I recommend that you communicate the results of your audits to stakeholders. This can help to improve the organization’s security posture and reduce the risk of cyberattacks.