CYB IV

CYB 4301, Cybersecurity and Crime 1

Course Learning Outcomes for Unit IV At the end of this unit, you should be able to:

7. Analyze information security governance. 7.1 Explain information security governance. 7.2 Categorize the threats to an organization.

Required Unit Resources Chapter 7: Corporate Information Security and Privacy Regulation (ULO 7.1)

Chapter 8: Federal Government Information Security and Privacy Regulations (ULO 7.2)

Chapter 13: Information Security Governance (ULO 7.2)

Unit Lesson Lesson: Information Security (IS) Governance (ULO 7.1, 7.2)

Information Security (IS) Governance IS, Governance, Documentation, and Policy

A great place to begin is establishing a good understanding of IS governance. Just as the executive and management teams govern an organization, technologists govern the information systems and data needed to drive the wheels of modern commerce. Modern organizations must not only deliver capabilities, goods, and services at scale and efficiently, they must also protect these critical assets from attack and compromise. The real purpose of IS governance is to help fulfill the goals or mission of the organization. But how does governance work? Here, we return to the foundational principles of confidentiality (including privacy), integrity, and availability, or the C-I-A triad. Through strategic, tactical, and operational planning focused on the C-I-A triad, an organization’s chief information officer (CIO) and chief information security officer (CISO) execute the IT/IS functions. The CIO and CISO carry out their duties through IS governance documents that define the organization’s IS goals, how data is protected, compliance with legal and regulatory requirements, and ensure stakeholders are meeting their responsibilities (Grama, 2022). IS governance is documented in policies, standards (including baselines), procedures, and guidelines. You are likely familiar with a common IS policy, the Acceptable Use Policy (AUP). Grama (2022) outlined the policy development process, consisting of a cycle of policy development, stakeholder review, managerial approval, communication of the policy, documenting compliance and exceptions, building continued awareness, and maintenance and review. This policy lifecycle is instrumental to developing good, achievable policies that serve the needs of the organization. The lifecycle also provides a logical and repeatable framework. Other important IS governance policies include authentication/password, data retention/destruction, intellectual property, on/off boarding, and security awareness training. Organizations that create and maintain sound policies and procedures are often successful in meeting their goals and mission.

Federal Government Security and Privacy Regulations

UNIT IV STUDY GUIDE

Information Security Governance

CYB 4301, Cybersecurity and Crime 2

UNIT x STUDY GUIDE

Title

The federal government is a very large entity, entrusted by the American people to carry out the business of the nation. Similarly to the private sector, information technology and systems are the engine of efficiency and the key to a modern society. The federal government faces many unique challenges including attacks by hackers and other nation states. Famously, former Secretary of Defense Leon Panetta warned that cyberwar could manifest as a digital Pearl Harbor (Grama, 2022). Although Sec Panetta did not coin the term cyberwar, his 2012 remarks illuminated the cyber conflict in a way that it had not been previously. Thankfully, the federal government has many tools at its disposal, including the National Security Agency (NSA), the U.S. Cyber Command, and strong governance in place to meet the multitude of threats. One such policy is FISMA of 2014. FISMA is an overarching governance tool and even defines information security. FISMA has many important components including six key elements: the responsibilities of all federal agencies, an independent annual review of IS programs, empowering the NIST to develop IS standards, granting oversight to the Office of Management and Budget (OMB) and DHS, recognizing that NSSs require special treatment and security based on risk, and establishing a centralized federal security incident response center. FISMA annual reporting includes interesting findings of note to cybersecurity professionals. For example, in 2018, the report highlighted issues with asset management, authorization, mobile device management, privileged network access, intrusion detection, and data protection (Office of Management and Budget, 2018). To be sure, these findings do not represent quick or easy fixes. These are the hard problems faced by cyber professionals in industry and in government.

Corporate Information Security and Privacy Regulation Like the federal government, private industry is also faced with challenges in managing information technology and information security. Sometimes, these challenges are brought to the forefront of the American people’s attention. Such was the case with the financial scandals of the early 2000s. Among several high-profile scandals, Enron stands apart for the sheer magnitude of financial wrong-doing and accounting fraud. Enron, once the darling of Wall Street, declared bankruptcy in 2001. Enron has become the face of corporate fraud and greed, even more than 20 years later. Mismanagement and misrepresentation in government filings painted a picture of success and profit, but Enron had lost billions in shareholder investments through the late 1990s. To keep the stock price artificially high, Enron’s management resorted to fraudulent activity to hide the true nature of the losses (Grama, 2022). Once the truth and the extent of the fraud became known, the U.S. government reformed the financial services sector leading to increased reporting and regulation, laying the groundwork for accurate and legally required financial reporting. The Sarbanes-Oxley Act of 2002, or SOX, was perhaps the most tangible outcome of the financial reforms and included the most extensive and sweeping changes to the financial sector in a generation. SOX is not for the fainthearted, with 11 statutory titles. Of interest to information security professionals are the compliance and reporting aspects that require information technology support. Speaking of compliance, you will play a large role in ensuring your organization complies with legal and regulatory requirements, including the proof of that compliance in the form of record-keeping and document retention technologies, as well as ensuring IT/IS systems are functioning as intended and safeguarded from fraud and attacks. Fortunately, you will have security frameworks like COBIT, COSO, ISO/IEC, NIST, and others. Your job will be to use the best framework for your industry and to ensure that your findings are interoperable with that of other organizations. Finally, while governance is a critically important part of the overall picture, for the cybersecurity professional it comes down to knowing if, how, and when your systems are vulnerable. Much of your time effort will be spent “thinking about, documenting, and responding to vulnerabilities and threats” (Jones & Bartlett Learning, 2022).

Conclusion In this unit, you learned about information security governance and the challenges for information security professionals in government service, the role of the NIST in defining information security standards, the need

CYB 4301, Cybersecurity and Crime 3

UNIT x STUDY GUIDE

Title

to protect NSSs, the Federal Information Systems Management Act (FISMA) of 2014, corporate security and privacy regulations, including the reformations of the early 2000-2010s period, and you learned about compliance and security controls. According to a Threat Intelligence Researcher for Kela, the U.S. is the most ransomware targeted country in the world. Kela found that 40% of all known ransomware and extortion attacks impacted US companies (Borochov, 2022). Remember that the ransomware lifecycle is comprised of 6 phases: Infiltrate, Activate, Encrypt, Demand, Decide, and Recover (Galliano, 2022). The Encrypt phase begins after the attacker’s ransomware (malicious code) has been awakened from dormancy and the adversary’s attack has been initiated. Ransomware is effective because malicious logic employs encryption to hold an organization’s data hostage. While the encryption methodology may differ (e.g., type, what is targeted, scope) a common approach is to encrypt individual files, drives, and even network shares. Increasingly, ransomware targets backup systems that make recovery possible and may encrypt or delete backups to prevent that recovery. Successfully ransomware attacks will leave the victim with a range of poor options to choose from: data loss, extortion under threat of the release of sensitive data, or paying the ransom.

References Borochov, S. (2022, October 31). Ransomware victims and network access in 2022. Kela. https://ke-

la.com/blog/?utm_medium=email Galliano, J. (2022). The 6 Stages of the Ransomware Lifecycle. Grama, J. L. (2022). Legal and privacy issues in information security (3rd ed.). Jones and Bartlett.

https://online.vitalsource.com/#/books/9781284231465 Jones & Bartlett Learning. (2022). Lab 5: Cataloging threats and vulnerabilities, lab access for legal and

privacy issues in information security (3rd ed.). Jones & Bartlett. https://jbl-lti.hatsize.com/labguide Office of Management and Budget (OMB). (2018). FISMA FY 2018 annual report to Congress, Table 15 FY

2017 - FY 2018 CAP goal summary. https://www.whitehouse.gov/wp- content/uploads/2019/08/FISMA-2018-Report-FINAL-to-post.pdf

CYB 4301, Cybersecurity and Crime 1

Course Learning Outcomes for Unit IV At the end of this unit, you should be able to:

7. Analyze information security governance. 7.1 Explain information security governance. 7.2 Categorize the threats to an organization.

Required Unit Resources Chapter 7: Corporate Information Security and Privacy Regulation (ULO 7.1)

Chapter 8: Federal Government Information Security and Privacy Regulations (ULO 7.2)

Chapter 13: Information Security Governance (ULO 7.2)

Unit Lesson Lesson: Information Security (IS) Governance (ULO 7.1, 7.2)

Information Security (IS) Governance IS, Governance, Documentation, and Policy

A great place to begin is establishing a good understanding of IS governance. Just as the executive and management teams govern an organization, technologists govern the information systems and data needed to drive the wheels of modern commerce. Modern organizations must not only deliver capabilities, goods, and services at scale and efficiently, they must also protect these critical assets from attack and compromise. The real purpose of IS governance is to help fulfill the goals or mission of the organization. But how does governance work? Here, we return to the foundational principles of confidentiality (including privacy), integrity, and availability, or the C-I-A triad. Through strategic, tactical, and operational planning focused on the C-I-A triad, an organization’s chief information officer (CIO) and chief information security officer (CISO) execute the IT/IS functions. The CIO and CISO carry out their duties through IS governance documents that define the organization’s IS goals, how data is protected, compliance with legal and regulatory requirements, and ensure stakeholders are meeting their responsibilities (Grama, 2022). IS governance is documented in policies, standards (including baselines), procedures, and guidelines. You are likely familiar with a common IS policy, the Acceptable Use Policy (AUP). Grama (2022) outlined the policy development process, consisting of a cycle of policy development, stakeholder review, managerial approval, communication of the policy, documenting compliance and exceptions, building continued awareness, and maintenance and review. This policy lifecycle is instrumental to developing good, achievable policies that serve the needs of the organization. The lifecycle also provides a logical and repeatable framework. Other important IS governance policies include authentication/password, data retention/destruction, intellectual property, on/off boarding, and security awareness training. Organizations that create and maintain sound policies and procedures are often successful in meeting their goals and mission.

Federal Government Security and Privacy Regulations

UNIT IV STUDY GUIDE

Information Security Governance

CYB 4301, Cybersecurity and Crime 2

UNIT x STUDY GUIDE

Title

The federal government is a very large entity, entrusted by the American people to carry out the business of the nation. Similarly to the private sector, information technology and systems are the engine of efficiency and the key to a modern society. The federal government faces many unique challenges including attacks by hackers and other nation states. Famously, former Secretary of Defense Leon Panetta warned that cyberwar could manifest as a digital Pearl Harbor (Grama, 2022). Although Sec Panetta did not coin the term cyberwar, his 2012 remarks illuminated the cyber conflict in a way that it had not been previously. Thankfully, the federal government has many tools at its disposal, including the National Security Agency (NSA), the U.S. Cyber Command, and strong governance in place to meet the multitude of threats. One such policy is FISMA of 2014. FISMA is an overarching governance tool and even defines information security. FISMA has many important components including six key elements: the responsibilities of all federal agencies, an independent annual review of IS programs, empowering the NIST to develop IS standards, granting oversight to the Office of Management and Budget (OMB) and DHS, recognizing that NSSs require special treatment and security based on risk, and establishing a centralized federal security incident response center. FISMA annual reporting includes interesting findings of note to cybersecurity professionals. For example, in 2018, the report highlighted issues with asset management, authorization, mobile device management, privileged network access, intrusion detection, and data protection (Office of Management and Budget, 2018). To be sure, these findings do not represent quick or easy fixes. These are the hard problems faced by cyber professionals in industry and in government.

Corporate Information Security and Privacy Regulation Like the federal government, private industry is also faced with challenges in managing information technology and information security. Sometimes, these challenges are brought to the forefront of the American people’s attention. Such was the case with the financial scandals of the early 2000s. Among several high-profile scandals, Enron stands apart for the sheer magnitude of financial wrong-doing and accounting fraud. Enron, once the darling of Wall Street, declared bankruptcy in 2001. Enron has become the face of corporate fraud and greed, even more than 20 years later. Mismanagement and misrepresentation in government filings painted a picture of success and profit, but Enron had lost billions in shareholder investments through the late 1990s. To keep the stock price artificially high, Enron’s management resorted to fraudulent activity to hide the true nature of the losses (Grama, 2022). Once the truth and the extent of the fraud became known, the U.S. government reformed the financial services sector leading to increased reporting and regulation, laying the groundwork for accurate and legally required financial reporting. The Sarbanes-Oxley Act of 2002, or SOX, was perhaps the most tangible outcome of the financial reforms and included the most extensive and sweeping changes to the financial sector in a generation. SOX is not for the fainthearted, with 11 statutory titles. Of interest to information security professionals are the compliance and reporting aspects that require information technology support. Speaking of compliance, you will play a large role in ensuring your organization complies with legal and regulatory requirements, including the proof of that compliance in the form of record-keeping and document retention technologies, as well as ensuring IT/IS systems are functioning as intended and safeguarded from fraud and attacks. Fortunately, you will have security frameworks like COBIT, COSO, ISO/IEC, NIST, and others. Your job will be to use the best framework for your industry and to ensure that your findings are interoperable with that of other organizations. Finally, while governance is a critically important part of the overall picture, for the cybersecurity professional it comes down to knowing if, how, and when your systems are vulnerable. Much of your time effort will be spent “thinking about, documenting, and responding to vulnerabilities and threats” (Jones & Bartlett Learning, 2022).

Conclusion In this unit, you learned about information security governance and the challenges for information security professionals in government service, the role of the NIST in defining information security standards, the need

CYB 4301, Cybersecurity and Crime 3

UNIT x STUDY GUIDE

Title

to protect NSSs, the Federal Information Systems Management Act (FISMA) of 2014, corporate security and privacy regulations, including the reformations of the early 2000-2010s period, and you learned about compliance and security controls. According to a Threat Intelligence Researcher for Kela, the U.S. is the most ransomware targeted country in the world. Kela found that 40% of all known ransomware and extortion attacks impacted US companies (Borochov, 2022). Remember that the ransomware lifecycle is comprised of 6 phases: Infiltrate, Activate, Encrypt, Demand, Decide, and Recover (Galliano, 2022). The Encrypt phase begins after the attacker’s ransomware (malicious code) has been awakened from dormancy and the adversary’s attack has been initiated. Ransomware is effective because malicious logic employs encryption to hold an organization’s data hostage. While the encryption methodology may differ (e.g., type, what is targeted, scope) a common approach is to encrypt individual files, drives, and even network shares. Increasingly, ransomware targets backup systems that make recovery possible and may encrypt or delete backups to prevent that recovery. Successfully ransomware attacks will leave the victim with a range of poor options to choose from: data loss, extortion under threat of the release of sensitive data, or paying the ransom.

References Borochov, S. (2022, October 31). Ransomware victims and network access in 2022. Kela. https://ke-

la.com/blog/?utm_medium=email Galliano, J. (2022). The 6 Stages of the Ransomware Lifecycle. Grama, J. L. (2022). Legal and privacy issues in information security (3rd ed.). Jones and Bartlett.

https://online.vitalsource.com/#/books/9781284231465 Jones & Bartlett Learning. (2022). Lab 5: Cataloging threats and vulnerabilities, lab access for legal and

privacy issues in information security (3rd ed.). Jones & Bartlett. https://jbl-lti.hatsize.com/labguide Office of Management and Budget (OMB). (2018). FISMA FY 2018 annual report to Congress, Table 15 FY

2017 - FY 2018 CAP goal summary. https://www.whitehouse.gov/wp- content/uploads/2019/08/FISMA-2018-Report-FINAL-to-post.pdf