CH4

The document outlines the importance of security frameworks in cybersecurity, detailing governance, where to find established frameworks, and the ISO 27000 series. It discusses the challenges of adopting these frameworks, the benefits of federal standards for private companies, and the types of security controls and policies. Additionally, it covers contingency planning, incident response, and the significance of after-action reviews in improving security measures.

Uploaded by khadijafassih87

Review Exercises

1. Security Framework & Governance

A security framework is like a blueprint for designing, implementing, and maintaining cybersecurity. It provides best practices to protect an organization from cyber threats.

• Information Security Governance ensures that security aligns with business goals. It involves:
  o Policies & rules
  o Risk management
  o Compliance with laws
• Who plans it?
  o Executives (CIO, CISO) set security goals.
  o IT & security teams implement controls.
  o HR & Legal ensure compliance with laws.

2. Where to Find Security Frameworks?

Security administrators can find established frameworks at:

• NIST (National Institute of Standards and Technology) – U.S. security standards.
• ISO 27000 series – International cybersecurity standards.
• CIS (Center for Internet Security) Controls – Best practices to stop cyber threats.

3. What is the ISO 27000 Series?

It’s a global standard for information security management. The main standards include:

• ISO 27001 – The Core (Rules for securing information & getting certified).
• ISO 27002 – Best Practices (How to apply security controls).
• ISO 27005 – Risk Management (Identifying and reducing risks).
• ISO 27017 & 27018 – Cloud Security & Privacy (Protecting cloud environments).
• ISO 27701 – Privacy Protection (Extends 27001 to include privacy laws like GDPR).
• ISO 27799 – Healthcare Security (Protecting medical data).

4. Issues with Adopting a Security Framework

• Cost – Expensive for small businesses.
• Complexity – Requires trained staff to implement.
• Compliance Burden – Some industries require strict adherence, which can slow operations.

5. NIST Computer Security Resource Center Documents

NIST provides guidelines for organizations to build security frameworks. Some important documents:

• NIST SP 800-53 – Security controls for federal agencies.
• NIST SP 800-61 – Incident response guidance.
• NIST Cybersecurity Framework (CSF) – A flexible security framework for all industries.

6. Benefits of Federal Security Standards for Private Companies

• Proven best practices – Federal standards are well-tested.
• Improved security – Reduces risk of cyberattacks.
• Regulatory compliance – Helps meet legal requirements.

7. Web Resources for Best Practices

Organizations can develop their security frameworks using:

• NIST (nist.gov) – Official government cybersecurity guides.
• CIS (cisecurity.org) – Secure system configurations.
• OWASP (owasp.org) – Web security best practices.

8. Security Controls

Three main types of controls:

• Management Controls – Policies, security governance (e.g., risk assessment policies).
• Operational Controls – Day-to-day procedures (e.g., security training, audits).
• Technical Controls – Hardware/software protections (e.g., firewalls, encryption).

9. Policy vs. Standard vs. Practice

• Policy – High-level rules (e.g., Acceptable Use Policy).
• Standard – Specific security guidelines (e.g., password complexity rules).
• Practice – How policies and standards are applied in daily operations.

Types of Security Policies:

1. Enterprise-wide (Covers the whole company, e.g., Data Protection Policy).
2. Issue-specific (Covers a specific area, e.g., Email Use Policy).
3. System-specific (Covers a particular system, e.g., Database Access Policy).

Examples:

• Web Use? Internet Usage Policy.
• Email? Email Security Policy.
• Office Equipment? Personal Use Policy.

10. Responsibilities in Technology Management

• CIO & IT Security Team – Manage security technology.
• Managers & HR – Enforce security policies.

11. Contingency Planning vs. Routine Planning

• Contingency Planning – Prepares for unexpected security incidents (cyberattacks, power outages).
• Routine Planning – Handles daily operations (maintenance, backups).

Key components of Contingency Planning:

1. Incident Response (IR) Plan – Handles cyberattacks in real time.
2. Disaster Recovery (DR) Plan – Restores IT systems after failure.
3. Business Continuity (BC) Plan – Ensures the business keeps running after a disaster.

12-14. When to Use IR, DR, BC Plans?

• Incident Response (IR) Plan – Used during a cyberattack (e.g., hacking, malware).
• Disaster Recovery (DR) Plan – Used after an IT failure (e.g., system crash, ransomware).
• Business Continuity (BC) Plan – Used for long-term recovery (ensuring business survival).

15. Business Impact Analysis (BIA)

BIA identifies critical functions and measures potential damage from a disaster.

Key Elements:

1. Critical business processes (e.g., online banking for a bank).
2. Recovery time objectives (RTO) – How fast systems must be restored.
3. Financial & operational impact assessment.

16. Pipkin’s Three Categories of Incident Indicators

1. Possible – Early warning signs (e.g., suspicious emails).
2. Probable – Stronger indicators (e.g., malware detected).
3. Definite – Confirmed attack (e.g., data breach).

17. Containment in Security Planning

• Stopping an attack before it spreads (e.g., isolating an infected server).

Why is it Important in Planning?

1. Minimizes Damage – Stops threats before they escalate.
2. Prevents Data Loss – Protects sensitive information.
3. Ensures Business Continuity – Keeps systems running.
4. Speeds Up Recovery – Helps in faster incident resolution.
5. Reduces Costs – Prevents financial and reputational losses.

18. When to Involve Law Enforcement?

• If a cybercrime is serious (e.g., data theft, hacking).
• Issues with law enforcement:
  o Could expose sensitive company data.
  o Investigations take time.

19. After-Action Review (AAR)

An After-Action Review (AAR) is a structured evaluation conducted after a security incident, cyberattack, or major event to assess what happened, what went well, and what needs improvement.

When is it Performed?

🔹 After security incidents (e.g., data breaches, malware outbreaks).
🔹 After cyber drills or incident response tests.
🔹 After major IT changes (e.g., new security policies).

Why is it Done?

✅ Identify weaknesses in security measures.
✅ Learn from mistakes to prevent future incidents.
✅ Improve response strategies for quicker mitigation.
✅ Enhance team coordination and decision-making.

20. Six Contingency Strategies

1. Hot Site – Fully operational backup site (used for critical operations).
2. Warm Site – Partially equipped backup site (used for moderate downtime).
3. Cold Site – Basic office space with no equipment (used for extreme emergencies).
4. Remote Journaling – Off-site/cloud storage of critical data.
5. Time-share – Agreement with another company to share facilities in case of disaster.
6. Mobile Sites – Portable recovery centers with IT setup.

Exercises

5. Classify Incidents vs. Disasters 🚨

Scenario | Incident or Disaster? | Steps to Restore Operations | Law Enforcement?
a. Hacker deletes files | Incident | Restore backups, strengthen security, investigate breach | Maybe (if data theft)
b. Fire damages computers | Incident | Replace hardware, assess damage, ensure fire safety | No
c. Tornado takes out power | Disaster | Activate Business Continuity Plan (BCP), use backup power, relocate if needed | No
d. Employees go on strike | Disaster | Hire temporary staff, negotiate, adjust workloads | No
e. Employee steals a server | Incident (but serious!) | Investigate, recover server or use backups, restrict access | Yes

Case Exercises

Case 1

1. First note Charlie should write?
🚨 "Assess current risks and weaknesses!"

2. What else should be on Charlie’s list?
✅ Identify critical systems & backup plans.
✅ Set up disaster recovery (DR) & business continuity (BCP) plans.
✅ Regularly test and update plans.
✅ Train employees on emergency procedures.
✅ Secure important data (backups, encryption, cybersecurity measures).

3. How to convince others about continuity planning?
💡 Use these appeals:
• Risk avoidance: "Disasters can cost millions; preparation saves money."
• Legal compliance: "Many laws require companies to have backup plans."
• Reputation protection: "Customers lose trust if we fail during a crisis."
• Competitive advantage: "Prepared companies recover faster and stay ahead."

Case 2

1. Should SLS adjust policies to fit France's culture?
🌍 Yes, ethically it's right to respect local norms and expectations. Good policies should align with both company values and cultural differences.

2. If SLS gives better benefits in France, should they do the same elsewhere?
⚖️ Ethically, yes, if fairness is a core value, but it depends on financial and legal factors. If it is not possible everywhere, they should at least explain why and look for ways to support employees fairly.
