APPENDIX A


Suggestions for Critical Thinking Exercises


Throughout the book, you have been presented with opportunities to challenge yourself with Critical Thinking Exercises. The answers to these questions are not right or wrong; they are intended to stimulate your thinking about information assurance.

Chapter 1

        1. An organization is considering developing an encryption policy. The penetration tester from the team starts documenting specific products and configurations to put into the policy. Should the policy contain these details?

             a. Typically not. A policy is an overarching governance document developed to reflect senior management’s position on a topic. While an encryption standard may include specific products and configurations, a policy would merely mention that the organization will follow organizational encryption standards. This helps ensure the policies remain enforceable while allowing the agility to change products or configurations if needed.

        2. An organization is considering placing all its policies, procedures, standards, and guidance in a single handbook so executive management has to sign off only once. What are the advantages and disadvantages to this approach?

             a. The sole advantage is found in only needing the senior leadership approval once for the entire handbook. The issue is that as soon as a single part of the handbook is outdated, the entire handbook is outdated. Keeping a comprehensive handbook updated is also challenging because every version changes the entire context of the handbook. A better approach is to use a modular approach with tiered approvals. For example, policies are approved only by senior leadership, but they are scoped and written to last five years or longer. Standards and procedures may be approved by relevant experts such as IT standards by the CIO. Guidance could be developed and approved by almost any line manager throughout the organization. If a cohesive and modular naming framework is designed and implemented, this delegated approach of governance can be quite effective.

Chapter 2

        1. An organization’s board of directors has recently experienced a substantial change in leadership. The new members of the board have demanded an external audit for internal control and information assurance. What should the president or leader of the organization be prepared to provide to ensure the board is comfortable with the audit results?

             a. The president should understand the organization and the business or mission of the organization and how it relates to information assurance. The audit will most likely focus on internal controls that include regulatory requirements and separation of duties to prevent fraud. The audit will also cover how well the organization has identified its critical assets, services, and vulnerabilities. An organization that has not considered information assurance as part of its core culture and operations will experience a difficult audit.

        2. The senior leadership of a large organization has never considered the need for information assurance in the organization’s operations. After a series of attacks have crippled similar competitors, senior leadership is now concerned about information assurance. The information technology staff (both in-house and outsourced) has assured senior leadership repeatedly that there is nothing to worry about. Are they right?

             a. The senior leaders of the organization should demand an information assurance function be developed and a permanent information assurance program be established. The information assurance program’s primary responsibility will be to enable the mission of the organization while bringing visibility into the risk the organization is assuming. The information assurance program will be authorized to perform risk assessments against both in-house and outsourced IT to provide unbiased risk information to senior leadership and the board of directors if necessary.

Chapter 3

        1. What assets or services do you think your organization considers critical for success? What is your organization’s responsibility for those assets or services, and how are they currently protected? How do you know an appropriate level of due diligence and due care is being practiced in relation to your organization’s use of information systems and data?

             a. Occasionally, organizations overlook the exposure that may come from lax or negligent information assurance practices. Significant fines may be levied on organizations that do not protect sensitive information such as personally identifiable information or sensitive financial information. As information technology becomes more ubiquitous, a material finding in an information system is almost certainly going to relate to an internal control failure in a financial or management system. If your organization has not considered an industry-specific information assurance framework, why not? Consider the laws, regulations, and agreements that govern the work performed and determine whether frameworks exist. These frameworks can provide a starting point for determining the assurance of your organization’s use of information technology.

        2. A member of your team informs you that the organization can purchase insurance for breaches of personally identifiable information (PII) and financial data such as credit card information. The insurance will cost less than the information assurance program proposed by the CISO. Would you purchase the insurance at the expense of an information assurance program?

             a. If you would purchase the insurance, it is important to understand the insurance will cover only monetary exposure. Often, this covers only the expenses related to credit monitoring or identity theft mitigation. However, this will never cover the loss of reputation, the damage caused to an individual whose identity has been stolen, or business partners who are now sullied by a breach. While cybersecurity or breach insurance can be an important part of any risk management program, it cannot be relied upon to protect your organization in the same manner as an information assurance program can. Additionally, breach insurance providers require a functioning information assurance program before providing coverage.

        3. A breach has occurred, and according to the organization’s web site privacy policy and terms of service, your customers agreed to whatever level of security the organization deemed sufficient and reasonable. Is the organization protected from retaliation from customers or other entities?

             a. Several legal cases in the past several years have shown that courts look at information assurance from a due diligence and due care standpoint. Customers have an expectation of protection and privacy from online retailers; therefore, even though they may agree to the terms of service, courts can determine the organization is not meeting a common “reasonable” industry safeguard.

Chapter 4

        1. An executive receives an e-mail from a known colleague with an urgent message about the financial state of their organization attached in a PDF. What should the executive do? The executive is unaware of any financial problems with the organization, and the executive didn’t request this information.

             a. This may be a spear phishing e-mail. Opening the attachment or following links in the e-mail may lead the executive to compromise their system. Once compromised, that system can be used to launch further attacks against the organization and business partners. The prudent approach is to ensure endpoint protection by making sure that your antivirus, anti-malware, and operating system patches are up-to-date. The organization should use security awareness training that includes content related to phishing and spear phishing. Next, the executive should ensure they are logged into their system only with a limited user account. If the executive constantly uses an administrator account, they are opening themselves up for attack because every action performed, including opening the e-mail, is performed at the administrator level of access, which can modify the system. Finally, the executive should call the party with a known good phone number to ensure they did send this information. If they did not, the executive may want to contact local law enforcement and determine whether they can assist in determining who is targeting the organization. The willingness and ability of law enforcement vary greatly by country and district. In almost all cases, the cost of determining who launched the attack greatly exceeds the costs associated with preventing successful spear phishing attacks.

        2. An organization has always kept a decentralized information technology infrastructure, which has led to servers under desks, coat closets arbitrarily being turned into wiring closets, and numerous portable hard drives floating around the organization. What could happen if the organization needed to institute a reduction in force because of changing market conditions? What can an organization do to prevent the risk of these changes?

             a. Decentralized IT is often controlled at the whim of whoever possesses it. Therefore, if a rumor is started that a layoff is coming, some employees may be inclined to start copying organizational information to external drives so it can be taken for use at their next job. Worse, employees could start thinking about how to sabotage the organization should they get fired. Any information technology under their control is a possible target. Without understanding the assets of the organization, the controls in place, or how to gracefully remove employees, the organization is at risk of data exfiltration and sabotage. To prevent these actions, the organization should consider centralizing at least the data managed by the organization with tight controls around the access. The organization may also want to ensure nondisclosure agreements (if any) are enforced during the transition period. Finally, before making any announcements, the organization may want to consider implementing a data loss prevention tool to help reduce the amount of data lost. The best way to avoid loss is to start with an environment that can withstand a layoff. This means a centralized IT infrastructure with tight controls around administrative access and production systems. It also means logging and strong IAAA (identification, authentication, authorization, and accountability) to ensure accountability for actions. Finally, employees should be screened prior to hire and be required to sign nondisclosure agreements.

        3. An organization’s web site has been collecting the actions of users for several years now. The web site was a social media overnight success, and the organization never got around to completing a privacy statement or terms of service. The organization has been selling the demographic information to advertisers and market researchers as part of its core business for more than a year now. The organization receives a legal summons related to privacy concerns of the site. What could have been done in the beginning to prevent the legal exposure?

             a. In the United States, the terms of service and a privacy policy are commonly used with web sites such as social media and other sites that collect personally identifiable information (PII). These agreements explain how an organization will use the information and what, if any, expectation of privacy the end user has. While not completely bulletproof, these documents, when used properly, can substantially reduce the amount of legal exposure because there is not a perception of deception. In other jurisdictions, such as the EU, the Data Protection Directive drives the requirements for collecting and handling PII. Organizations must understand the environments they operate in and the legal jurisdictions they must comply with. A list of privacy laws by state and country is available in Appendix F.

        4. What information does your organization use, and what requirements must be met to ensure the confidentiality, integrity, and availability of the information? What drives these requirements for your organization?

             a. While some information may seem clear, like PII, other information, such as an executive’s calendar, may not. What requirements does the CEO of a business have for his calendar? Is there an expectation of confidentiality, or could it be made public with no recourse? How about the integrity of the calendar? Does it need to be 100 percent correct every time, and is it okay if anyone can make changes to it without permission? What about availability? Can it go down for a week at a time without notice and not have an impact on the organization? This is a simple example of something that may seem trivial (a calendar), but upon further analysis can have a substantial impact on how an organization operates.

        5. Your organization has a web site used for advertising your products or services around the world. The site is used only for disseminating information about your organization and its mission. What requirements (if any) should be in place regarding confidentiality, integrity, and availability?

             a. Some would say there are no security requirements because “it is just a web site.” However, they would be mistaken. What happens if the web site goes down when a large prospective client is searching for information about your products or services? What happens if an attacker defaces your web page or changes information about your product or service pricing while the same prospective client is reviewing the information? Clearly, there are impacts associated with integrity and availability that must be addressed. How about confidentiality? Well, since the entire purpose of the web presence is to spread information, there isn’t one in this specific case. Executives and senior leadership must be aware that just because something isn’t confidential doesn’t mean it doesn’t impact the organization and therefore require information assurance.

             b. The prospective client places a large order over the phone. When the person arrives to deliver the product or service, the client states they never placed the order, and they must have been the victim of identity fraud. They then demand a full refund, and you end up assuming the wasted costs of the order. What could the organization do in the future to help ensure this doesn’t happen again?

             c. The concept of trust leads organizations to take unwarranted risks that can have lasting impacts. In this scenario, the order process lacked any form of identification and nonrepudiation. Organizations cannot be expected to perform a full background check on every customer, but in this case the organization could have performed more due diligence because of the size of the order. Implementing a nonrepudiation process as part of the process for ordering a certain size or volume would have given the organization a chance to prove the client placed the order and was therefore responsible and accountable to pay for it.

Chapter 5

        1. A chief information security officer (CISO) continuously reports issues of risk to senior management even though they continue to deny requests for resources to mitigate the risk. The CISO holds a CISSP. Why is the CISO continuing to report the risk if the board has not done anything about it in the past?

             a. The CISO has an ethical responsibility. In accordance with the (ISC)2 Code of Ethics, he must “ensure all stakeholders are well-informed on the status of assignments and advise cautiously when required.” Additionally, the CISO is bound by the following: “Give prudent advice; avoid raising unnecessary alarm or giving unwarranted comfort. Take care to be truthful, objective, cautious, and within your competence.”

        2. An organization has decided they need a chief security officer to help determine the best way to implement the information assurance strategy of the organization. What certifications might best determine a strategic information assurance individual?

             a. The (ISC)2 CISSP and the ISACA CISM are the best certifications to review. While the certification is no guarantee of success, it is a statement of accomplishment and minimum knowledge acquired by the individual.

Chapter 6

        1. Why is the planning phase extremely important for an organization?

             a. The planning phase will determine control selection, implementation, and ultimately resource costs. Improper planning can lead to substantial rework, which can increase the cost and delay the schedule of implementing effective security for an organization.

        2. Should all controls be subject to the ongoing Check phase?

             a. Yes; however, they do not need to be checked at the same frequency. Some controls, such as policy, may need to be reviewed only annually or even less often. Controls such as patch management and IT network inventory should be checked more frequently, such as daily or weekly. Finally, some controls, such as the network intrusion system, should be monitored in as near real time as possible.

Chapter 7

        1. What laws, regulations, or standards does your organization need to comply with?

             a. This is a complex answer since it depends largely on the country, industry, and, in some cases, the local laws of the organization. For example, social media companies have discovered that while they may have started in one country, they are now subject to several differing national and international laws because they have allowed people from those countries to join their services. Senior leaders and executives must ensure their information technology activities are consistent with the requirements of international law and local law. Engaging legal counsel early in the process helps ensure compliance.

        2. An organization’s medical information site is tracking individuals and using information about searches and personal information entered to develop individual profiles for marketing. The web site does not inform visitors they are being tracked and their information is being collected. Which OECD principle has been violated, and what can the organization do to remedy the situation?

             a. The Purpose Specification Principle has been violated. It states the following: “Personal data should be collected for purposes specified not later than at the time of data collection. Subsequent use is limited to the fulfillment of the stated purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.” The organization should explicitly inform each user how their information will be used and give the user an opportunity to opt in to the process.

Chapter 8

        1. An organization has never had a formalized information assurance program. What kind of an approach is most likely currently occurring, and what are the advantages and disadvantages of the approach?

             a. If the organization has not established a top-down approach for information assurance, by default the organization is operating in a bottom-up fashion at best! While there are a few advantages of the bottom-up approach, including lower initial cost, lower organizational friction, and less management involvement, there are also several disadvantages. The disadvantages include little visibility into the risk of operations, unknown spending and performance of security functions, and possible legal exposure because of noncompliant IT activities. The organization should consider implementing an information assurance program with a top-down approach. Doing so provides an opportunity for greater risk management and visibility while being able to standardize across the organization with tools, techniques, and risk management processes.

        2. An organization operates out of the European Union but wants to use a cloud provider based in the United States to store and process healthcare information about people living in the European Union. What laws, regulations, and rules must the organization be aware of?

             a. The organization must first be aware of any EU laws, rules, or regulations related to the proposed activities. Since the organization is somehow connected to healthcare, EU health record and privacy laws should also be considered. Minimally, the EU’s Data Protection Directive should be addressed. Finally, because the cloud provider is in the United States, the organization should be aware of the jurisdiction the United States may have over the data and whether federal or even state laws apply to how they are using the cloud in the United States.

        3. An organization currently has a web site that processes personally identifiable information (PII) for a client. A network engineer points out a vulnerability in the web site that will cost US$125,000 to mitigate. Currently, the system is operating in the United States, and it would be subject to breach notification laws. What is the best approach to ensure return on investment?

             a. According to the Ponemon Institute, the cost per person for a breach in 2011 was US$194 per individual. Therefore, from a purely financial perspective, the trade-off is determined by the size of the database. If there are more than 645 individuals ($125,000 / $194 = 645), then it makes good financial sense to implement the change. What about the loss of confidence and trust? What about consumer backlash? What if these records are held as part of a business contract and the organization’s actions may tarnish a business partner? These are additional nonfinancial implications that must be addressed prior to understanding the full exposure and full return of the requested investment.

Chapter 9

        1. An organization is thinking about moving its core infrastructure into the cloud. It makes extremely good financial sense. What actions must a prudent executive or senior leader take to ensure the financial windfall isn’t caused by security shortcomings?

             a. The executive must think about this from several angles. First, there must be a question about the cost of the secure “pipes” needed to connect an organization to its cloud provider. An organization may have had a data center nearby that allowed for fast and secure speeds at low costs. Another question is what visibility into risk the present operation provides and what the cloud provider will bring. If currently the organization has insight into server risk, database risk, and workstation risk, will the cloud provider deliver the same insight or less? Finally, what due diligence must the organization conduct to ensure initial security of the provider and ongoing security? What are the costs associated with performing audits or accepting risk for noncompliant activities of the cloud provider?

        2. An organization is thinking of collaborating with another to perform some data processing. Your organization has a top-down centralized approach to information assurance while it seems the organization you want to collaborate with has a bottom-up decentralized approach to security. Should you be concerned about this difference in cultures?

             a. The short answer is “yes.” The prospective partner may have varying security practices throughout their organization. An answer from one person regarding security may not be the same as another, and getting an authoritative answer about the security posture of the partner may be almost impossible. This could still be a salvageable relationship if the partner can provide information about security around the functions you are interested in and give assurances that your information and processing will never leave the safeguards described.

Chapter 10

        1. Within your organization, do you use marking methods to determine sensitive information or information critical to business? If so, what automated means do you have to ensure sensitive information is not leaked?

             a. Organizations use their own style of classification and markings. For example, the terms confidential, embargoed, close hold, and limited official use only roughly mean the same thing in terms of handling the information. It is important that organizations understand not only what markings they use internally but also what their business partners may use as well. If both parties are not aware of what each other’s markings mean in terms of handling and distribution, one party may inadvertently leak sensitive information of the other. Organizations should ensure they have a clear understanding of their own information assurance requirements and those of their business partners. Automation of data leak prevention is complex. Several systems and vendors exist that provide the capability of preventing and detecting data loss and leakage. Most of these systems rely on an extensive training period and ongoing human support to be effective.

        2. Consider the sensitive information in your organization and its life cycle. Where does the data reside at rest? On hard drives? In the cloud? Where does the data reside in transit? Over the mobile phone network? Over the open Internet? Over your network? What protections do you know are in place for each of the mediums you identified to protect sensitive information?

             a. Data at rest most often refers to data on a hard drive or some form of virtual storage. Data at rest should be encrypted if there are any confidentiality or privacy concerns. In the event the drive is lost, stolen, or accessed by someone without authorization, the information will be much harder to read. Additionally, data in transit should be encrypted. Several protocols and methods exist to ensure data is encrypted over “open” communication lines. The most commonly used is HTTP over SSL/TLS (the HTTPS seen in the URL bar of many browsers when accessing secure sites such as banking). IPsec VPN solutions offer nearly always-on encryption for untrusted links between points. Users concerned about the integrity of data may also want to “hash” and “salt” the data. This process applies a mathematical function to produce a single, unique fixed-length output for a given file or piece of information. Only the exact file or information can produce that output again, so any change to the data is revealed by a mismatch.
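As an added illustration of the hash-based integrity check described above (example code written for this appendix, not from the book): an unkeyed SHA-256 digest reveals any change to a record, but someone who can edit the record can also overwrite a digest stored beside it, so a keyed HMAC-SHA256 tag is the form the “salt” must take if the check is to resist deliberate tampering. The sample record, the key, and the function names are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample record standing in for a sensitive file at rest (not from the book).
RECORD = b"patient_id=1042;diagnosis=redacted;updated=2024-01-15\n"


def digest(data: bytes) -> str:
    """Unkeyed integrity value: the SHA-256 of the data. Changing even one bit
    of the input yields a different digest, but anyone can recompute it."""
    return hashlib.sha256(data).hexdigest()


def keyed_tag(data: bytes, key: bytes) -> str:
    """Keyed integrity value (HMAC-SHA256). Producing a valid tag requires the
    secret key, so whoever can alter the data but lacks the key cannot also
    produce a tag that matches the altered data."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_keyed(data: bytes, key: bytes, tag: str) -> bool:
    """Constant-time comparison so the check does not leak tag bytes via timing."""
    return hmac.compare_digest(keyed_tag(data, key), tag)


def flip_one_bit(data: bytes) -> bytes:
    """Simulate a silent modification of a stored record."""
    modified = bytearray(data)
    modified[0] ^= 0x01
    return bytes(modified)


def integrity_scenarios(key: bytes) -> dict:
    """Run three cases and report what each kind of check catches."""
    stored_digest = digest(RECORD)
    stored_tag = keyed_tag(RECORD, key)
    modified = flip_one_bit(RECORD)

    # Case 1: the record changed but the stored digest did not: detected.
    change_detected = digest(modified) != stored_digest

    # Case 2: the modifier also overwrote the stored unkeyed digest with the
    # digest of the modified record. The verifier cannot tell: an unkeyed hash
    # stored next to the data it protects only guards against accidents.
    overwritten_digest = digest(modified)
    unkeyed_forgery_passes = digest(modified) == overwritten_digest

    # Case 3: the modifier lacks the key. A tag made with a key of their own
    # fails verification under the real key.
    attacker_tag = keyed_tag(modified, secrets.token_bytes(32))
    keyed_forgery_rejected = not verify_keyed(modified, key, attacker_tag)

    return {
        "change_detected": change_detected,
        "unkeyed_forgery_passes": unkeyed_forgery_passes,
        "keyed_forgery_rejected": keyed_forgery_rejected,
        "original_still_verifies": verify_keyed(RECORD, key, stored_tag),
    }


if __name__ == "__main__":
    # The key must be stored apart from the data it protects (e.g. in a key vault).
    for name, result in integrity_scenarios(secrets.token_bytes(32)).items():
        print(f"{name}: {result}")
```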

Chapter 11

        1. A CIO has just implemented a new dashboard for the organization. As part of the dashboard, the IT employees and senior management can review the vulnerability status of all IT network assets. Is this dashboard giving a holistic view of risk for the organization?

             a. Probably not, unless the only business or mission the organization has is to patch vulnerable systems. Different systems, servers, desktops, and cloud providers support different data and different missions. Therefore, through the categorization process, some information must be deemed more critical than others. This information and the systems processing, storing, or transmitting this information are of higher impact to the organization and therefore should be protected and prioritized above all others. Additionally, large quantities of paper and off-network records may exist. Where is the assessment of security for those assets? An IT network monitoring dashboard could be green and then a box of personally identifiable information (PII) could be lost, and the organization will need to recover. Understanding exactly what automated tools are telling the organization and what they are not is critical to understanding risk.

        2. An organization has approximately 20,000 workstations and 5,000 servers around the world. A new zero-day vulnerability has been published that affects 90 percent of the systems including servers. Zero-day vulnerabilities are recently discovered, previously unknown system or software weaknesses. How should the organization go about prioritizing mitigation efforts?

             a. It is highly unlikely an organization would be able to push out a patch to all its systems without severely impacting network resources or possibly crippling production systems if pushed without testing. Therefore, a staged rollout would most likely take place. Additionally, the patch should be tested in testing and staging environments to determine whether any possible side effects occur because of the patch. The categorization (classification) process should identify the most critical and valuable assets to the organization, and those should be targeted for remediation first, followed by moderate or sensitive operations and, finally, everything else. If the exposure is severe, the organization may even shut down or isolate some of its network until it can free the resources to patch it.
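The staged, categorization-driven prioritization in the answer above, as an added worked example (written for this appendix, not from the book): a small constructed inventory stands in for the 25,000 systems and is scheduled into batches that patch test and staging first, then production by criticality, with batch sizes capped to limit network load. The asset fields, names, and batch size are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Ordering inputs. Criticality comes from the organization's categorization
# (classification) process; the environment order encodes "test before production".
CRITICALITY_RANK: Dict[str, int] = {"high": 0, "moderate": 1, "low": 2}
ENVIRONMENT_RANK: Dict[str, int] = {"test": 0, "staging": 1, "production": 2}


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str          # "server" or "workstation"
    criticality: str   # "high", "moderate", or "low"
    environment: str   # "test", "staging", or "production"
    affected: bool     # does the published vulnerability apply to this asset?


def plan_rollout(assets: List[Asset], batch_size: int) -> List[List[str]]:
    """Return ordered patch batches (lists of asset names).

    Rules: only affected assets are scheduled; test and staging go first so
    side effects surface before production; within production, high-criticality
    assets precede moderate, then low, with servers ahead of workstations at the
    same level; a batch never crosses an environment/criticality boundary and is
    capped at batch_size to avoid saturating the network.
    """
    if batch_size < 1:
        raise ValueError("batch_size must be positive")
    scheduled = sorted(
        (a for a in assets if a.affected),
        key=lambda a: (
            ENVIRONMENT_RANK[a.environment],
            CRITICALITY_RANK[a.criticality],
            0 if a.kind == "server" else 1,
            a.name,
        ),
    )
    batches: List[List[str]] = []
    current: List[str] = []
    current_group: Optional[Tuple[str, str]] = None
    for asset in scheduled:
        group = (asset.environment, asset.criticality)
        if group != current_group or len(current) >= batch_size:
            if current:
                batches.append(current)
            current, current_group = [], group
        current.append(asset.name)
    if current:
        batches.append(current)
    return batches


# Constructed inventory (not from the book), a tiny stand-in for the real estate.
SAMPLE_INVENTORY: List[Asset] = [
    Asset("tst-app-01", "server", "high", "test", True),
    Asset("stg-db-01", "server", "high", "staging", True),
    Asset("erp-db-01", "server", "high", "production", True),
    Asset("erp-app-01", "server", "high", "production", True),
    Asset("exec-ws-01", "workstation", "high", "production", True),
    Asset("hr-app-01", "server", "moderate", "production", True),
    Asset("ws-0001", "workstation", "low", "production", True),
    Asset("ws-0002", "workstation", "low", "production", True),
    Asset("ws-0003", "workstation", "low", "production", True),
    Asset("mainframe-01", "server", "high", "production", False),  # not affected
]


if __name__ == "__main__":
    for wave, names in enumerate(plan_rollout(SAMPLE_INVENTORY, batch_size=2), 1):
        print(f"wave {wave}: {', '.join(names)}")
```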

Chapter 12

        1. An organization has had more than a dozen personal health information (PHI) breaches in the past year. The organization has a policy in place that stipulates sensitive information is not to be e-mailed or transmitted outside of the organization. The human resources department has just enabled a new “work from home” telework policy. However, individuals have complained ever since the start of the telework program because they are unable to take information with them to work on at remote locations. How can the organization address this issue with policies, standards, procedures, and guidelines?

             a. The organization can start with a policy that clearly states management’s expectations to comply with protecting PHI and clearly identifies what PHI is. Next, they can develop standards depicting what technologies are appropriate for processing, storing, transmitting, and protecting PHI. The standards will probably define mandatory encryption requirements for portable media and data in transit, and strong physical protections for printed data. Finally, procedures will be created to explain exactly how a person can use the encryption tools and standards in several different situations, such as e-mail, portable media, or locking up a box of PHI in the trunk of a vehicle.

        2. An organization has a clear policy creation mechanism, and the organization’s information assurance team has ensured every specification and requirement is incorporated into the organization’s policy. The organization routinely evaluates the policy every six months to determine whether updates are needed. A breach just occurred, and the encryption policy needs to be updated to include a new standard; however, the next update window won’t happen for five months. Additionally, the policy review process is cumbersome and time-consuming because every department in the organization must review and approve of the policies being created. What could the organization do to help streamline this process?

             a. The obvious answers may seem to be speed up the process and cut through the red tape; however, these are often easier said than done because most of the checks and balances put into place in the policy creation process are there for a reason. A more agile approach would be to rewrite the policy at a high level, which would authorize specific information assurance–related standards and procedures. The policy could then delegate the creation and approval of the standards and procedures to the chief information security officer or the chief information officer. In doing so, the standards could be rapidly updated in the event a standard or a procedure changed without the need of updating the entire organization’s policy. Additionally, the officers could be granted authority through the policy to issue interim policies by memo in the event of an emergency or if urgent action is required. The key is to ensure interim policies are updated into the organization’s final policy.

Chapter 13

        1. Consider an organization with several different levels of management and a decentralized information technology infrastructure. Marketing has its own information technology as does manufacturing and finance. What is the best approach when hiring new employees in any area to ensure they understand their information assurance responsibilities?

             a. Much like policies, organizations should have high-level expectations and requirements for information assurance. Each component may then have additional requirements for suitability and access to information. The choice to have a decentralized organization is a choice to accept greater complexity in policy and the resulting implementation of solutions. Therefore, the employee may have one agreement for the organization and another for the specific area they are working in. If an employee is transferred or receives additional responsibilities in another component, they will need to sign additional agreements stating they understand the new security requirements.

        2. An EU-based organization operating in the United States has knowingly allowed its employees to use personal information technology to process, store, and transmit organizational information. The organization is now being sued in a U.S. court, and all information of the organization is subject to legal hold. What must be done with the information on employees’ personal devices?

             a. In most situations, the personal devices must be imaged in a forensically sound manner to ensure the information on the device is available for discovery. This may bring up personal information on the device that is not owned by the organization but could be interpreted by the courts or counsel to be of value and relevance to the discovery. Organizations should consider carefully whether they should allow organizational information onto employees’ or other nonorganizational devices. If they allow the information on personal devices, they should have the employee sign an agreement that states the employee understands the device’s full contents may be seized and searched should a discovery action deem it necessary.

        3. Recent malware attacks encrypt the storage of computers and devices for ransom. How would an organization handle this situation with information on an employee personal (BYOD) device?

             a. As in the prior example, the first priority must be the protection of the organization’s information. The organization should have agreements in place that ensure access and control over the personal device. If these agreements are not in place, the owner of the personal device may refuse to turn the device over for analysis. Once obtained, the device should be analyzed by a qualified mobile device forensic expert. If the information has been backed up off the device, the most straightforward approach may be to initialize the device and restore the information. If the information has not been archived, the organization may need to consider further action. Depending on the value of the information, the organization may decide to re-create the information or attempt to defeat the encryption. Paying the ransom to decrypt the device may not always result in getting the information back. The organization should learn from this incident and evolve to ensure information is replicated or backed up when it is created. Additionally, sufficient controls must be in place to protect these storage locations to ensure they are not subject to encryption malware.

Chapter 14

        1. An organization chooses to have its CIO be the accreditation official for all its information systems. What are the strengths and weaknesses of this approach?

             a. The CIO most likely has the best combination of overarching information technology and organizational strategy; this combination makes the CIO an attractive candidate for the role of the accreditation official. However, the CIO is often not the program, mission, or business owner who will be impacted by an information system security failure! The organization may want to consider who really needs to know the risk of an information system. In addition, ask yourself, are the business or mission lines of an organization comfortable with the CIO making security funding and risk management decisions on their behalf? While the CIO may initially sound like an appealing choice for an accreditation official, in many organizations the program manager or the head of a business line is being asked to accredit systems since that person will be held accountable for a system failure.

        2. Within an organization, who is best suited to determine the independence of the certifier?

             a. While operational independence should be a minimum requirement of the certifier, the independence should ultimately be decided by the role that must manage and accept the risk. In most cases, this will be the accreditation official. If the accreditation official is comfortable with little separation between the certifier and the system they are reviewing, then the certifier may not need to be independent at all. Organizations must be careful, however, because several industries and standards require independence of the certifier.

Chapter 15

        1. A cloud CRM provider verbally promises state-of-the-art security and protection of all organizational information. What can the organization do to ensure the cloud provider is keeping its word? What other concerns should the organization have?

             a. Organizations must look at service providers with even more rigor than internal operations. Many cloud providers have a “take it or leave it” stance and a “one size fits all” approach to services. In these situations, organizations must be willing to accept the terms and the resulting risk to the organization. Cloud providers may try to indemnify themselves against any action to minimize their exposure to their customers’ actions and breaches. Organizations should be concerned with where their information will be processed, stored, and transmitted. The geolocation of their systems has far-reaching legal jurisdiction implications. If the information is hosted in a country with weak penalties for theft of intellectual property or breaches, the organization may be at greater risk of compromise. Finally, how much information about the information assurance practices of the provider is available? Has it been independently assessed and evaluated to determine its accuracy? If the accuracy and independence of an assessment are questionable, the organization may be better off seeking another provider.

        2. An organization currently allows employees to use their personal devices for organizational work. Because of the openness of this policy, the organization now has almost every modern operating system and every mobile device imaginable operating on its network. Network utilization is extremely high, the help desk is unable to provide effective resolution of support calls because of the variation of platforms, and information assurance incidents are on the rise. What can the organization do to help rein in this environment?

             a. The organization should start by determining what work is critical to the organization and how people are achieving that mission. This can be through interviews, surveys, and system information showing various technologies and approaches to accomplish the work. Once the present landscape is understood, the organization needs to set forth its objectives for changing its operating mode. The organization may desire fewer incidents, higher help-desk resolution, and less bandwidth saturation. Through change management, people need to be informed of these objectives and why they are not only good for the organization but also for the employees in the long term. Once the objectives have been communicated, the organization should plan to standardize configurations. The organization in consultation with the information assurance team should pick the best operating systems, devices, platforms, and services for the organization. Next, they need to map out the level of effort to migrate from the existing situation to the new desired end goal. They need to understand people will need training on new systems and ways of doing business; additionally, processes will need to be updated to ensure the new approved platforms and services can achieve processes currently existing under services which may be phased out. Finally, configuration management should ensure standard baselines are established for all approved services, devices, and platforms. These configurations should be developed in consultation with the information assurance team to ensure security controls are included and maintained.

        3. An organization wants to develop a new information system that will process and store personally identifiable information and some health-related information about individuals. The organization works primarily in the United Kingdom and the United States. In a general sense, what requirements should an information assurance team be focusing on during the requirements gathering phase?

             a. The organization should always determine what regulatory or legal obligations they need to fulfill when developing or modifying a system. In this case, personally identifiable information and health information were identified. Additionally, the United States and the United Kingdom were mentioned as potential areas for information processing, storage, and transmission. Therefore, the information assurance team should consider the Health Insurance Portability and Accountability Act (HIPAA) in the United States and the Data Protection Act in the United Kingdom. Both require the organization to perform a variety of notification tasks but also require the implementation of safeguards to protect sensitive information. Encryption would undoubtedly be a requirement for data at rest and data in transit for the system. Additionally, strong policies and procedures for handling the data regardless of its stage in its life cycle will need to be addressed. The information assurance team will need to ensure the requirements are captured, and then ensure that as part of information assurance testing these capabilities are tested to ensure they are operating as intended. Any failure of these controls should be analyzed to determine residual risk and mitigation options.

Chapter 16

        1. An organization is renting office space and has noticed several new building maintenance personnel requesting access above and below the organization’s server room. An employee thinks she saw one of them plugging a cable into a “box” in the server room when she was in the room trying to get a system to restart. What should the organization do?

             a. The organization may be at great risk of a social engineering attack. An attacker may be impersonating maintenance personnel to gain access to information systems and the organization’s valuable information. Additionally, the attacker may be trying to sabotage the information infrastructure of the organization. The solution to this issue has multiple parts. First, the organization’s management should confirm with the building’s owner and manager that maintenance was indeed ongoing and requested in the area. Additionally, the organization may want to request an authorized roster of maintenance personnel, if possible, and challenge the maintenance personnel when they arrive. The employee who saw them possibly plugging a cable into something in the server room should be interviewed and encouraged to share as much as possible about the event. If there is evidence of an intrusion, local law enforcement should be called and asked to assist. The organization should then consider its physical access control plan and determine whether additional controls are necessary to reduce the likelihood of intrusion. The network and assets should be scanned for vulnerabilities, and any unauthorized or unknown devices found on the network should be located and identified.

        2. An organization has just finished implementing its contingency plan. It has a large data center and has installed several generators, fuel tanks, two power supplies from MEGA Power Company, and UPS devices. After installing the new UPS devices, the organization also noted it needed to update its chillers because the UPS systems were generating more heat than the chillers could cool. Once the chillers were finished being installed, the senior leadership of the organization announced they were prepared for the worst! Are they correct?

             a. In the event of an emergency, there are several critical flaws with the approach outlined. First, the dual power supplies are provided by the same company and are likely sourced from the same grid and power generation facilities. In the event one power source failed, the other would likely fail as well. If both power supplies failed, the UPS systems would maintain systems long enough for the generators to power on. The generators would likely provide enough power to run the computer systems, the UPS, and the old HVAC system. Unless the new HVAC’s power consumption was considered and the generators were determined to be sufficient, or new generators were acquired, the generators may not be large enough to power all the equipment and the chillers. In the event of an emergency, this organization would likely need to power down some systems and keep only the most essential ones running. Rigorous and routine testing of contingency plans would help ensure employees understood what to do during emergencies. Additionally, inclusion of the information assurance team during the change management process would have helped catch the changing power and cooling dynamics.

Chapter 17

        1. An organization wishes to instill a culture of information assurance throughout its operations. What is the best AT&E level to focus on for all employees?

             a. If cultural information assurance excellence is truly a goal for the organization, it will need to focus on the training aspect of the AT&E approach with special attention to ensure the education portion is championed as well. The organization will need to start with awareness and determine how well the existing workforce understands information assurance and the need for risk management in an organization. Once an established awareness foundation is present, the organization needs to focus on rewarding further training and education. This is commonly done with incentive rewards and performance management metrics. For example, if a system administrator successfully completed a relevant information security certification, they would receive a cash award. Education is a much more strategic and lengthy process. Organizations should select individuals who have strategic influence in the organization and allow them to complete higher educational research and degrees related to information assurance and then have them lead the organization in designing, implementing, and testing the organization’s training and awareness activities.

        2. An organization has spent significant resources on several tools and technologies designed to prevent spear phishing attacks. While the number of successful attacks has certainly decreased, the organization is still unhappy with the number of successful attacks. It seems to take only one attack to take down a significant portion of the network for a day or longer. Worse, when the antiphishing technology is configured for aggressive detection, legitimate business information is falsely captured and must be manually reviewed before release. The operations manager is suggesting buying more hardware and technology to further inspect e-mail as it comes into the organization, and the CISO is suggesting a targeted awareness and training campaign focused on spear phishing. Which is the best approach?

             a. In this situation, if technology is failing, it is time to turn to the people. Remember, information assurance focuses not only on technology but also on people and processes! The CISO’s approach of a targeted spear phishing awareness and training campaign is a prudent approach. Technology is often a “cat and mouse” game. Attackers build a sophisticated piece of malware, and security engineers build a sophisticated way to defend against it. The attacker then builds another form of sophisticated malware, and the security engineers counter that. This escalation is constantly occurring in not only technology but in social engineering as well. Organizations need to find the correct balance of people, processes, and technology to manage their risk posture. In this situation, technology is already in place and now needs to be balanced with people and processes. The CISO’s approach will provide awareness to people and provide training for secure processes to review e-mail for suspicious attachments. The awareness portion should mention the technologies used to help with phishing, while training should cover how to use the technology most effectively to prevent successful phishing. Finally, to enhance the awareness and training, the CISO may consider how to prevent phishing attacks in the employees’ personal lives.

Chapter 18

        1. An organization is changing the way it works. For the past ten years, the organization has operated out of a downtown office, and all employees were expected to report onsite for work. Because of the increased costs of real estate, the executive management has identified substantial savings if all employees worked remotely from their homes and the organization maintained only a small office for meetings and executives downtown. The organization has never allowed outside access to its networks and has never allowed equipment off-premises prior to this change. Now, employees are being issued laptops, tablets, and smartphones to do their work. What preventive information assurance controls and tools should the organization be concerned with as part of this change?

             a. One of the first areas to consider is the change in physical security. Whereas before, all information was kept in the downtown office location, now the information has the potential to be seen in a home office, kitchen, coffee shop, taxi cab, doctor’s office, or just about anywhere an employee can get connectivity. The organization must ensure employees have received sufficient training to understand which information is sensitive and which information may be worked on in a public or pseudo-public location. The organization must also consider the fact that people will have access to its technology and data who did not before. For example, how many employees will allow their children or spouses to use the newly issued tablet for personal use? What about the laptop that was left open and connected to the Internet that a family member used to “just quickly check e-mail?”

                Because of the nature of an unsecured environment, additional technical controls such as the time before a system locks may need to be considered. From an information technology perspective, most of the employees will now be working over public and insecure Internet service providers. These service providers often have little interest in providing security service, just uptime and throughput for their customers. Does the organization have a robust VPN solution that can handle the capacity of a full workforce working concurrently? Does the VPN enforce strong certified encryption? Can the VPN solution use multifactor authentication, and will it work for all platforms such as smartphones, tablets, and laptops? The organization may need to consider how its PKI is implemented and how it will integrate into the VPN solution.

                IT support is a critical aspect of this proposed change. How will users be serviced by the IT department? If the VPN is down, how will users get serviced? Will they need to bring their systems in? Will the organization allow untrusted and risky desktop control software freely available on the Web? How will the help desk validate an individual when they call in and request a password reset? Will employees be allowed to print information at home? If so, how will the organization ensure the information is stored in accordance with the company’s policies?

                Finally, how will the organization keep the tablets, smartphones, and laptops patched and up to date? Will the organization trust unsigned updates from any update server on the Internet? Will it require updates be provided through a central trusted patching software server? What if a system has been offline for a long time and is requesting to connect back to the network with months of patches needed and no antivirus updates? Can the organization quarantine the device and determine whether it has been infected? Seemingly simple culture changes can have a dramatic impact on the information assurance operations and planning of an organization. Information assurance teams must be at the table when changes are being discussed. This is the hallmark of excellent change management.

        2. In addition to a near 100 percent remote working situation, the organization decides it is also going to outsource several business functions to cloud Software as a Service (SaaS) providers. One function the organization wants to move first is e-mail. The organization has a statutory requirement to ensure all e-mail is encrypted with a U.S. FIPS 140-2 validated encryption process. What precautions should the organization take prior to committing to an e-mail cloud provider?

             a. As part of system development or acquisition, the organization must fundamentally understand what its information assurance requirements are for the functions and data being entrusted to the cloud provider. The information assurance team should be a critical partner in ensuring any laws, regulations, certifications, and attestations are included in any procurement action. Cloud providers may offer a one-size-fits-all or a take-it-or-leave-it solution. The inflexibility of the cloud provider does not need to kill a move to the cloud, but rather the organization must determine whether it is willing to use a compensating control to achieve the desired result. For example, assume the cloud provider refuses to meet the FIPS requirement for encryption. The organization could choose to implement an e-mail client that will enforce the encryption of e-mail using the organization’s existing PKI infrastructure. Therefore, the organization can get the benefits of the cloud e-mail provider while still maintaining the requirement to encrypt all organizational e-mail. This may mean configuration changes for the employees of the organization, and it may also mean they will need training to ensure they understand how the encryption works and what to do if they lose their keys.

Chapter 19

        1. An organization has recently acquired a contract that involves processing and storing sensitive information for a government client. The organization uses a decentralized approach to information technology, often letting employees purchase whatever systems they like and connecting them to the organization’s network. Given the new contract, what access control changes, if any, should the organization consider?

             a. The organization most likely is following a decentralized access control approach to accommodate the decentralized information technology approach. The organization must consider which employees and functions will be involved in the new contract. Once these employees are identified, they should be issued new equipment that supports either mandatory access control or role-based access control. If new equipment is not feasible, the organization should consider strong configuration management to ensure the existing equipment can be configured to support mandatory access control or role-based access control. Information assurance awareness and training programs should be updated to include the new responsibilities of the organization and the expectations of all roles involved in the new contract.

        2. Given the cost and resources involved in mandatory access control, why would an organization consider implementing it instead of other less expensive options?

             a. Certain businesses and industries will benefit greatly from mandatory access control. The most common explanations of mandatory access control often discuss military situations with different levels of classified information and compartmentalization. While these scenarios are typical, there are numerous other examples in which mandatory access control makes sense.

                Consider a large law firm working on cases for hundreds of clients. The law firm has an obligation to ensure it does not engage in a conflict of interest between its clients. If all attorneys can see all information or give discretionary access to information, the firm will have a difficult time explaining how it remains impartial. However, if the firm uses mandatory access control and requires all case and client materials to be stored and accessed through a strict permissions program, it will be able to provide confidence that while large, its attorneys are impartial to other work ongoing in the firm.

                Another industry that may benefit from mandatory access control is research and development. As in the military, some research projects are divided up or “compartmentalized” so one person is unable to know the entire project completely. Mandatory access control provides a way to ensure only those with “need to know” can access information to do their job. In implementing mandatory access control, the organization now needs to concern itself only with those issuing the access. Tight monitoring of those individuals through auditing, rotation of duties, and forced time off can help ensure a robust approach to control information leakage.
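The two scenarios above (the law firm keeping client matters apart and the compartmentalized research project) both come down to an access decision made from labels rather than from the discretion of the data owner. As an added example that is not from the book, the following Python models the two rules the answer describes: a subject may read an object only if its sensitivity level is high enough and it holds every compartment the object carries (need to know), and, for the law-firm case, an attorney cannot be granted compartments for two clients in the same conflict class. The client names, compartment names and conflict classes are constructed for illustration, and grouping clients into "conflict classes" is this example's assumption about how the firm's strict permissions program could be modelled.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set


@dataclass(frozen=True)
class Label:
    """Mandatory access control label: a hierarchical level plus non-hierarchical compartments."""
    level: int                     # 1 = internal, 2 = confidential, 3 = restricted (constructed scale)
    compartments: FrozenSet[str]   # need-to-know categories, e.g. project or client matter


def can_read(subject: Label, obj: Label) -> bool:
    """Subject dominates object: level is at least the object's AND every
    compartment on the object is held by the subject. A higher level alone
    never grants access to a compartment the subject lacks."""
    return subject.level >= obj.level and obj.compartments <= subject.compartments


# Constructed conflict classes for the law-firm case: clients on opposite
# sides of the same matter share a class and must never be held together.
CONFLICT_CLASSES: Dict[str, str] = {
    "client-acme":   "airline-merger",
    "client-bigjet": "airline-merger",
    "client-farmco": "agri-patent",
}


def grant_compartment(held: Set[str], new: str,
                      conflict_classes: Dict[str, str] = CONFLICT_CLASSES) -> bool:
    """Add a client compartment to an attorney's clearance unless doing so
    would place the attorney on both sides of a conflict of interest.
    Returns True if granted; the held set is left unchanged on refusal."""
    cls = conflict_classes.get(new)
    if cls is not None:
        for existing in held:
            if existing != new and conflict_classes.get(existing) == cls:
                return False
    held.add(new)
    return True


# Compartmentalized R&D project: the engine team lead holds both compartments,
# a restricted-level executive without the compartment is still refused.
ENGINE_LEAD = Label(level=3, compartments=frozenset({"project-x", "engine"}))
EXECUTIVE = Label(level=3, compartments=frozenset({"project-x"}))
ENGINE_SPEC = Label(level=2, compartments=frozenset({"engine"}))


def demo() -> Dict[str, bool]:
    """Run the illustrative decisions so the outcomes can be inspected."""
    attorney: Set[str] = {"client-acme"}
    return {
        "lead_reads_engine_spec": can_read(ENGINE_LEAD, ENGINE_SPEC),
        "exec_reads_engine_spec": can_read(EXECUTIVE, ENGINE_SPEC),
        "acme_attorney_gets_bigjet": grant_compartment(attorney, "client-bigjet"),
        "acme_attorney_gets_farmco": grant_compartment(attorney, "client-farmco"),
    }


if __name__ == "__main__":
    for decision, allowed in demo().items():
        print(f"{decision}: {'allowed' if allowed else 'denied'}")
```

Note that the answer's closing point is visible in the code: once the labels are set, the only discretionary act left is the grant in `grant_compartment`, so auditing and rotating the people who perform that grant is where the remaining leakage risk sits.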

Chapter 20

        1. A CISO decides to deploy a honeypot with a baseline configuration on it into the wild to determine what vulnerabilities exist. What are the advantages and disadvantages to this approach?

             a. The primary advantage is the CISO will learn about the attack methods used to attack the configuration and also most likely what vulnerabilities the baseline configuration has. This could save assessment work and also provide a sense of “validation” that the configuration is safe for use. These advantages are typically outweighed by the disadvantages of this approach. By placing the standard configuration in the wild, Internet attackers now can begin to dismantle the configuration’s security and weaknesses. Once an attacker discovers the system is a honeypot and contains a standard configuration, they may decide they want to attack the organization further and will have more information to work with. If set up poorly and interconnected with production systems, the honeypot may even be used as a staging ground to compromise the production environment.

        2. The CIO of an organization is trying to prioritize the information assurance workload of the organization. The CIO has asked the CISO to take vulnerability scanner output and add it to the organization’s dashboard. The CIO then tasks the organization’s system owners to correct the most “critical” vulnerabilities first. Is this the most prudent plan to minimize risk in the organization?

             a. If all systems have an identical impact and threat exposure, then the CIO’s approach is the best approach. If a single system has a unique impact or threat exposure, then the dashboard will be incorrect. The CIO must be able to direct resources to the highest-risk systems. If only vulnerability information is collected, the CIO is directing resources to the systems with the greatest vulnerability. This could mean directing all resources to a test or low-impact system with a critical vulnerability when a moderate impact system with a moderate vulnerability is more likely to be attacked and harm the organization. To be useful, monitoring tools and methods must be combined with accurate information about threats and impact.
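To make the answer's point concrete, here is an added Python example (not from the book) that orders the same three constructed systems two ways: by scanner severity alone, as the CIO's dashboard would, and by a risk score that also weighs the system's impact categorization and threat exposure. The system names, CVSS scores and the 1-to-3 impact and exposure scales are constructed for illustration; the multiplicative score is one simple weighting, not a prescribed formula.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class SystemRecord:
    name: str
    max_cvss: float       # highest CVSS base score reported by the vulnerability scanner
    impact: int           # 1 = low, 2 = moderate, 3 = high (from the system's categorization)
    threat_exposure: int  # 1 = isolated/test, 2 = internal-facing, 3 = Internet-facing


def vulnerability_only_order(systems: List[SystemRecord]) -> List[str]:
    """What a dashboard built only from scanner output shows: worst CVSS first."""
    return [s.name for s in sorted(systems, key=lambda s: s.max_cvss, reverse=True)]


def risk_score(s: SystemRecord) -> float:
    """Vulnerability severity weighted by impact and threat exposure
    (constructed weighting; any monotone combination makes the same point)."""
    return s.max_cvss * s.impact * s.threat_exposure


def risk_weighted_order(systems: List[SystemRecord]) -> List[str]:
    """Ordering once impact and threat information is combined with the scan."""
    return [s.name for s in sorted(systems, key=risk_score, reverse=True)]


# Constructed sample: a throwaway test VM with a critical finding, a
# high-impact internal HR database, and a moderate-impact Internet-facing CRM
# with only a moderate finding.
SAMPLE: List[SystemRecord] = [
    SystemRecord("qa-test-vm", max_cvss=9.8, impact=1, threat_exposure=1),
    SystemRecord("hr-db", max_cvss=7.2, impact=3, threat_exposure=1),
    SystemRecord("crm-prod", max_cvss=5.5, impact=2, threat_exposure=3),
]


if __name__ == "__main__":
    print("vulnerability only:", vulnerability_only_order(SAMPLE))
    print("risk weighted:     ", risk_weighted_order(SAMPLE))
```

The severity-only view sends the first remediation resources to the test VM; the weighted view puts the Internet-facing CRM first and the test VM last, which is the mismatch the answer warns about.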

Chapter 21

        1. An organization is struggling. After years of investing in research and development, a competitor appears to have stolen design documents for the organization’s flagship product. The organization’s CISO has been asked to give a presentation to the board regarding the best metrics to monitor to prevent information leakage in the future. What information assurance metrics should the CISO propose?

             a. The CISO should propose information assurance metrics focused on preventive and detective information assurance controls. For example, the CISO may recommend monitoring:

                 • Percentage of research and development (R&D) networks encrypted with US FIPS 140-2 validated encryption

                 • Percentage of R&D servers and databases encrypted with US FIPS 140-2 encryption

                 • Percentage of R&D employees who have successfully passed information assurance awareness training in the past year

                 • Percentage of R&D employees who have a successfully adjudicated background investigation

                 • Percentage of R&D functions analyzed for separation of duties and least privilege

                 • Percentage of systems successfully implementing mandatory access control

                 • Percentage of R&D systems successfully utilizing two-factor authentication with nonrepudiation

                 • Percentage of R&D systems and networks with functioning intrusion detection/prevention system

        2. A CIO wants to ensure she is investing properly in information assurance. What metrics should her CISO advise her to monitor?

             a. The CISO should propose metrics that show a proactive stance in regard to information assurance but also metrics that may indicate information assurance is not being implemented well. Suggested metrics could include the following:

                 • Percentage of systems fully integrated into the organization’s SIEM

                 • Percentage of systems compliant with the organization’s continuous monitoring plan

                 • Percentage of systems with High or Moderate risks aged beyond 30 days

                 • Total estimated monetary exposure for an information system processing financial information or personally identifiable information

                 • Number of open incidents and the risk severity of incidents per system, business/mission line, and system owner in the past 30 days

                 • Number of detected but failed attacks against the organization’s systems

                 • Percentage of system development and maintenance devoted to information assurance activities

                 • Estimated cost avoidance based on implementing information assurance controls

Chapter 22

        1. An organization is using a cloud-based system for hosting its sensitive information in the form of customer lists and personally identifiable information. They are using a Software as a Service (SaaS) customer relationship management (CRM) platform to manage their sales. Lately, their customers have been complaining about receiving calls from a competitor in another country with detailed information about their purchase histories and relationship with the organization. What is the incident response approach the organization should take?

             a. Cloud computing is a perfect example for planning and preparation. If the organization has not explicitly stated its requirements for accessing the cloud provider’s information systems, then the provider is not likely to provide any information about vulnerabilities and threats outside of a court order. If the organization has ensured access language and audit or penetration test clauses were included in the contract, they can begin testing to determine whether the cloud provider breached their information. If the organization did an excellent job in preparation, they would ensure any cloud provider system that processed, stored, or transmitted the organization’s data would provide system feeds to the organization’s SIEM. In any event, the organization certainly has an uphill climb. Instead of working with an internal team of system owners and administrators who all want a resolution to the problem and lessons learned, the organization will likely now be engaging with a cloud provider who wants to protect their reputation and not impact the operations of their systems for other customers. This puts the organization at a great disadvantage in terms of detection, containment, eradication, and reporting. These risks must be clearly identified by the information assurance team and the incident-handling team prior to any engagement with a cloud provider.

        2. An organization has adopted a bring-your-own-device (BYOD) approach for mobile devices such as smartphones and tablets. An employee’s tablet has been identified as an unauthorized bridge between the organization’s secure network and the public Internet. The organization’s incident-handling team is baffled as to how this could happen and attempts to call the employee and retrieve the device. The employee refuses to provide the device and cites their right to privacy and their ownership of the device. The owner states that they have sensitive personal information on the device and under no circumstance will they allow the organization to search the device. What can the organization do in this situation?

             a. Preparation is again the key! If the organization has a clear BYOD policy and a signed rules of behavior agreement that states any device that processes, stores, or transmits the organization’s data is subject to seizure and search, then the organization has reasonable grounds to seize and examine the device. Without the policy and signed agreement, the organization is left largely to the whims of the employee or the expensive and time-consuming route of legal action. Much like the cloud provider, the user may have different motivations for keeping information on the device private. In this situation, the user may have chosen not to participate in the BYOD program if they knew their device would be subject to examination and the organization would not be dealing with this specific incident. This leaves the incident-handling team with little to work with and a possible hostile employee. The incident-handling team will struggle during the containment and eradication phase because it has only a portion of the problem to analyze. The organization will also now need to determine whether other BYOD devices may have been affected in a similar fashion but may be met with the same resistance by every device owner.

Chapter 23

        1. A manager suspects an employee may be using an organizational computer to view and download illegal materials. The manager has asked the information technology manager for advice regarding her suspicions about these materials. The IT manager states he can change the password to the user’s account, and they can log in together over the weekend while the worker is out and view materials on the workstation. Is this an acceptable approach to determine whether criminal activity is occurring on the organization’s computer?

             a. This approach would lead to failure. If the manager believes the employee is committing a crime, they should call in a forensics examiner who can make a forensically sound image of the system suitable as evidence for the criminal system. Additionally, the manager needs to be aware of any legal considerations surrounding the search and seizure of an employee’s computer. A consultation with legal counsel is advised. While some legal systems afford no privacy to workers, others require a stringent documented approach before reviewing the computer of an employee. Once the legal requirements have been satisfied, the manager must ensure they have a forensics examiner who is certified and experienced in the technology, industry, and legal system the worker’s computer is in. Finally, the examiner must be beyond reproach in credibility and in following the rules of evidence. If the examiner can’t prove the integrity of the chain of evidence and defend her professional opinions, the evidence may be thrown out or suppressed. The manager should also be aware of any requirements to notify law enforcement. Certain types of crimes against children must be reported immediately to law enforcement in some legal systems.

        2. An organization is experiencing a loss of information. They find the source of the leak and grow frustrated. While the organization knows who is leaking the information, they are not sure how. The organization has blocked the use of all external media such as USB drives, CDs, and DVDs. It has also developed data loss prevention tools and procedures to prevent information from leaking outside the organization through e-mail. It has also implemented web site filtering so employees cannot use unauthorized web mail or file-sharing services. The only thing in common with the leaked information is that it coincided with new updates to images and pictures on the organization’s public web site. What could be causing the leak?

             a. Based on the information provided, an attacker was most likely using steganography to hide information in images. These images were then posted on the public web site, where those who didn’t know wouldn’t notice the difference in the images. The attacker would know to download the images and extract the information from them.

Chapter 24

        1. An organization has begun developing its business continuity plan. The organization is small and manufactures packaging for a variety of cosmetic products. The roles of CIO and the CFO are assigned to the same person who has been nominated to lead the task of business continuity. What are the strengths and weaknesses of this approach?

             a. Smaller organizations must blend roles and functions to ensure they can meet operational demands while not overspending in personnel. The CIO/CFO choice has many strengths, including knowledge of the financial aspects of the organization and the IT capabilities of the organization. A problem with blending roles is the possibility of conflicts between the roles. For example, a fiscally conservative CFO who is assigned CIO tasks will consider information technology a cost center just like facilities and plumbing. If the CFO is enamored with technology, they may view it as more of a “strategic investment” center and attempt to leverage IT as a core element of the organization’s business. Understanding the motivations and limitations of blending roles will greatly assist the senior management of the organization plan for disasters. Without the presence of an impartial risk management function like a CRO or properly defined CISO, the CFO/CIO may not take into account all aspects of the business continuity process. Areas such as facilities, employee protection, and partnering with local emergency responders may be overlooked. The organization may be best served by employing a continuity planning professional to assist the CFO/CIO.

        2. Why should information assurance place such an emphasis on crisis management and business continuity when disaster recovery is an IT function?

             a. Information assurance as described by the MSR model is mission focused. Therefore, without an understanding of the mission, directing resources and prioritizing recovery strategies will be misguided and at worst cause more harm than good. Crisis management and business continuity may or may not impact information systems. For example, an active shooter on the campus of an organization may initially appear to have zero impact on information technology, but no employee will be working on their workstation if they know an active shooter is present on campus. Another example is a pandemic. This occurs when a biological incident such as a debilitating strain of the flu incapacitates a large number of personnel and impacts work. In this situation, IT system functionality such as the help desk may need to be redirected to another geographical location not impacted by the illness. Finally, the mission or business of an organization is what ultimately matters. Information technology serves only to advance the business or mission. If the mission or business is not impacted by an IT outage, then no action may be necessary; on the contrary, the organization may want to review why that information system was operational in the first place.

Chapter 25

        1. An organization has performed a BIA and discovered 90 percent of its services and data have an RTO of ten days and an RPO of one day. The remaining ten percent of its services and data have an RTO of 30 minutes and an RPO of zero. What is the best strategy for the organization to back up this information?

             a. The organization has a demanding RTO and RPO for ten percent of its data and services. For this critical data and services, the organization should consider SAN storage with redundant features such as RAID and hot-site mirroring of data. For the remaining 90 percent of data and services, the organization should consider slower but more cost-efficient backup technologies such as tape or even cloud backup. Many cloud providers offer backups for as little as US$0.01 per gigabyte per month, with a recovery time of a few days.

        2. How can organizations ensure their backup information is protected and the integrity of the backup is assured?

             a. Organizations must employ backup recovery testing and hashing to meet the requested objectives. Backup recovery testing consists of selectively restoring information to a test system or in some cases a production system and then verifying the restored information is accurate. Some backup software suites have testing modules that compare the integrity of a selected file with the integrity of the backup device or tape. The integrity is confirmed through hashing. Hashing provides proof that the files are identical.
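The hash-based integrity check described above, as an added example that is not from the book: a SHA-256 manifest is taken at backup time and a restored tree is compared against it, reporting files that are missing, modified, or unexpected. The directory layout and file contents are constructed for the demonstration.

```python
"""Backup integrity check via a hash manifest (added example, not from the book).

Assumptions: backups are file trees on local disk and SHA-256 is the hash;
the manifest maps relative path -> hex digest and is taken at backup time.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Stream the file so large backups never need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Hash every regular file under root, keyed by its relative POSIX path."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare a restored tree against the backup-time manifest.
    Any missing or modified entry means the restore cannot be trusted."""
    restored = build_manifest(root)
    return {
        "missing": sorted(set(manifest) - set(restored)),
        "modified": sorted(k for k in manifest
                           if k in restored and restored[k] != manifest[k]),
        "unexpected": sorted(set(restored) - set(manifest)),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: a restore with one truncated file, one lost file
    and one stray file left on the test system."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        (src / "db").mkdir(parents=True)
        (src / "db" / "customers.csv").write_text("id,name\n1,Alice\n")
        (src / "config.ini").write_text("[app]\nmode=prod\n")
        manifest = build_manifest(src)          # taken when the backup is made
        dst = Path(tmp) / "restore"
        (dst / "db").mkdir(parents=True)
        (dst / "db" / "customers.csv").write_text("id,name\n")   # truncated
        (dst / "stray.tmp").write_text("left over from the test system\n")
        return verify_restore(dst, manifest)
```

The manifest itself should be stored separately from the backup media (or signed), since a hash kept alongside the data it protects can be altered together with it.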

Chapter 26

        1. A U.S.-based healthcare clinic consists of an owner who is the head doctor of the practice, a physician’s assistant, an office manager, a few nurses, and a couple of assistants. Who is responsible for ensuring ePHI security and privacy?

             a. In short, the answer is everyone; however, ultimately the doctor who owns the practice is responsible for what happens to the information collected. Since the practice is in the United States, HIPAA and state data privacy laws apply. A single breach of unencrypted information could spell the end of this small practice if it does not have sufficient cash reserves to pay the fine and possible lawsuits for identity theft.

        2. Assuming a clinic uses ePHI within the scope of the UK’s data protection law, what technical controls should the clinic consider implementing to ensure the confidentiality and privacy of its records?

             a. Encryption is by far the best solution to help protect sensitive information from confidentiality breaches. Encryption for data at rest should include whole drive or whole device encryption, which protects the information when the device is off or when the wrong authentication is used with the device. Encryption in transit is equally important. Many web pages can use Secure Sockets Layer (SSL) to encrypt information; additionally, the clinic should ensure any transmission of information through insecure means such as standard e-mail is enhanced with the use of compensating controls such as file encryption and session encryption.

Chapter 27

        1. An executive of a small business is worried about attacks and breaches. He accepts credit cards and has a web presence for ordering and accounting. He currently has all his information systems on a single Internet connection and is worried about hackers. What can the executive do to help mitigate his concerns?

             a. The executive should start by understanding the basic requirements for information assurance. Simple actions, such as putting the payment system on a separate network connection if possible and implementing more stringent controls on that network should be taken. Additionally, the small business owner may consider reaching out to CISOs in the industry to see whether any are willing to volunteer some time to help understand the basics of information assurance. Some programs exist, such as the CISO-in-residence program based at the Maryland Center for Entrepreneurship. The program allows small organizations to utilize the knowledge and expertise of a CISO as if they were on full time. Additionally, organizations such as (ISC)2 require their members to maintain professional experience through training and volunteer service. The executive could reach out and determine whether a CISSP, CSSLP, CISM, or SSCP would be willing to give him an overview of information assurance risks.

        2. A large retailer has just experienced a breach. The CIO has explained to the board of directors that this will never happen again because the credit card issuers are requiring the customers to move to “chip and PIN” technology for their credit cards. Is he right?

             a. Rarely will a technology solution solve fraud problems. Fraud has always been a challenge for businesses and will remain so. While chip and PIN offers additional protection, the credit card still contains the magnetic stripe the customer can use, and the retailer’s technology may not be ready to accept chip and PIN. Additionally, is the retailer ready to turn customers away who forget their PIN instead of swiping the mag stripe? That’s not likely; the organization would be better served evaluating their information assurance program to determine where proactive assurance measures such as integrity checks and scanning failed to detect the breach and the attackers. If the attackers were detected, did the information assurance team have the authority to change the system, or were they siloed and used only as “advisors”?

Chapter 28

        1. The accountants at an energy company have been to a technology presentation about the “cloud” and Infrastructure as a Service (IaaS). They come into the CIO’s office and tell him he can cut his costs by significant margins if they use only IaaSX (the cloud offering from the provider). The CIO is responsible for maintaining a large number of natural gas pipeline control networks in addition to the ICS operating several large refineries. Should he agree with the accountants? Is there another answer he should provide?

             a. This scenario is a common situation in organizational risk management. A stakeholder comes to the table with a valid concern or option (such as saving money); however, they may not know the rationale for doing things a certain way. Is the IaaS cheaper because of lowered SLAs, increased latency, increased downtime, or the use of common carrier communication paths that are not secure or private? The IaaS provider may have a valid solution the CIO could use, but until a full parity analysis has been performed with an assessment by an information assurance team, it is premature to expect to save any money or defray any risk.

        2. A heating, ventilation, and air-conditioning company has just installed a state-of-the-art environmental system for an organization. As part of the purchase, the organization is going to receive one year of monitoring and efficiency reporting for free. The vendor requests to have the new equipment connected to the network and be given a domain admin account. The vendor says it needs the admin account so it can access the environmental control servers any time and perform repairs or maintenance. The CISO is discussing the request with the facilities manager. What response should she provide?

             a. The vendor is attempting to connect new devices to the network and also gain domain admin credentials. This combination could spell absolute disaster in many situations. While the vendor employees may be familiar with the configuration and operation of their product, they are most likely not security experts as evidenced by their request. The organization should consider logically or physically separating the vendor’s equipment and granting only limited rights to the servers and equipment the vendor is using. If the vendor proposes using web-based services or needs a database, the organization needs to weigh the risk trade-offs between granting the access to a server vs. standing up another server for the environmental systems. The organization must also be aware of the challenges of now maintaining two networks (local or physical) and ensuring both are monitored and protected commensurate with risk. Finally, the organization may want to consider a background investigation for the vendor or any person they propose will have access to the organization’s network. Nondisclosure agreements and organizational conflict of interest statements should be signed by the vendor.
