IT for Management: On-Demand Strategies for Performance, Growth, and Sustainability
Twelfth Edition
Turban, Pollard, Wood
Chapter 5
Data Privacy and Cyber Security
Learning Objectives (1 of 5)
Copyright ©2021 John Wiley & Sons, Inc.
Data Privacy Concerns and Regulations
Extent and Cost of Cyberattacks and Cyberthreats
Cyberattack Targets and Consequences
Defending Against Cyberattacks and Managing Risk
Regulatory Controls, Frameworks and Models
Data Privacy Concerns and Regulations
Data privacy is the right to self-determine what information about you is made accessible, to whom, when, and for what use or purpose.
It centers around the following four main concerns:
How data are shared with third parties
How data are collected and stored
How data are used
How data are regulated
Confused, Concerned, and Out of Control
Privacy paradox is the disconnect between how important people say their online privacy is versus how they actually behave in real life.
U.S. Consumer Protection Data Privacy Regulations
U.S. Federal consumer protection data privacy regulations currently in place include:
Health Insurance Portability and Accountability Act (HIPAA)
Gramm-Leach-Bliley Act
Privacy Protection Act of 1980
Driver’s Privacy Protection Act (DPPA)
Fair Credit Reporting Act
All 50 U.S. states have adopted data breach notification laws. At least 35 states and Puerto Rico have data disposal laws, and 25 states have enacted data privacy laws.
European Union’s General Data Protection Rules (GDPR)
The GDPR is an EU-wide consumer Bill of Rights enacted in May 2018.
It empowers EU consumers by forcing retailers, marketers, and others to explicitly tell consumers how they are collecting, using, and storing consumers’ personal data.
Companies that violate the GDPR face a maximum fine of $23 million (€20 million) or 4% of their annual global turnover, whichever is larger.
The EU-U.S. Privacy Shield
The EU does not consider the data privacy laws currently in place in the United States to be adequate, so U.S. businesses must work around this requirement by adhering to the EU-U.S. Privacy Shield.
The EU-U.S. and Swiss-U.S. Privacy Shields are designed to provide companies on both sides of the Atlantic with a mechanism to comply with GDPR data protection requirements.
Data Privacy Concerns and Regulations: Questions
What are the four main concerns of data privacy?
Why is it important for you to know how your online data is handled?
What is the name of the phenomenon where users are concerned about data privacy, but their behaviors contradict these concerns?
Who has responsibility for data privacy laws at the U.S. federal level?
Name three U.S. consumer protection data privacy regulations.
What is the name of the new California data protection law?
Is an EU citizen who does not live in the EU protected under the GDPR?
Why is the United States not considered part of the GDPR?
What is the name of the mechanism that brings the United States under the jurisdiction of the GDPR?
Learning Objectives (2 of 5)
Extent and Cost of Cyberattacks and Cyberthreats
Cyberattacks and Cyberthreat Terminology (1 of 2)
Cyberattack is an actual attempt to expose, alter, disable, destroy, steal, or gain unauthorized access to a computer system, infrastructure, network, or any other smart device.
Cyber threat is the method used to commit a cyberattack that seeks to damage data, steal sensitive data, or disrupt digital life in general.
Cyber security is the discipline dedicated to protecting information and systems used to process and store it from attack, damage, or unauthorized access.
Cyberattacks and Cyberthreat Terminology (2 of 2)
Data breach is the successful retrieval of sensitive information by an unauthorized individual, group, or software system.
Vulnerability is a gap in IT security defenses of a network, system, or application that can be exploited by a cyber threat to gain unauthorized access.
Attack vector is a path or means by which a computer criminal can gain access to a computer or network server in order to deliver a malicious outcome.
Unintentional Cyber Threats
The causes of these unintentional cyber threats fall into three major categories:
Human error can occur in the design of the hardware or information system; during programming, testing, or data entry; or through neglecting to change default passwords or failing to manage patches.
Environmental hazards include volcanoes, earthquakes, blizzards, floods, power failures or strong fluctuations, fires, defective heating, ventilation and air-conditioning (HVAC) systems, explosions, radioactive fallout, and water-cooling-system failures.
Computer system failures can occur as the result of poor manufacturing, defective materials, or poor maintenance.
15
Copyright ©2021 John Wiley & Sons, Inc.
Intentional Cyber Threats
Intentional security breaches are overt and direct actions designed to disrupt a system. They include data theft such as inappropriate use of data; theft of computer time; theft of equipment and/or software; deliberate manipulation in handling, entering, programming, processing, or transferring data; sabotage; malicious damage to computer resources; destruction from malware and similar attacks; and miscellaneous computer abuses and Internet fraud.
Intentional Cyber threats: Hacking
Hacking is broadly defined as intentionally accessing a computer without authorization or exceeding authorized access. There are three types of hackers.
Hacktivist is short for hacker-activist: someone who performs hacking to promote awareness of, or otherwise support, a social, political, economic, or other cause.
Intentional Cyber Threats: Social Engineering
Social engineering is a hacker’s clever use of deception or manipulation of people’s tendency to trust, be helpful, or simply follow their curiosity on social media.
In a phishing attack, the attacker sends an e-mail that evokes a sense of curiosity, urgency, or fear in order to gain the victim’s trust and steal confidential information. The attacker does this by posing as a known person or legitimate organization.
Intentional Cyberthreats: Spear Phishing
Spear phishers often target select groups of people with something in common.
Users are tricked into opening an infected e-mail.
The e-mails sent look like the real thing.
Confidential information is extracted through seemingly legitimate website requests for passwords, user IDs, PINs, account numbers, and so on.
Intentional Cyber threats: Malware
Malware refers to various levels of intrusive or malicious software that can run undetected in the background on an IS or personal computer.
Types of intrusive software:
Cookie
Spamware
Adware
Spyware
Types of hostile malware:
Zero-Day
Backdoor
Rootkit
Boot Record Infector
File Infector
Keylogger
Virus
Worm
Trojan
RATs
Intentional Cyber threats: Botnets
The term botnet is derived from the words robot and network.
Cyber criminals use trojan viruses to breach the security of several user computers, take control of each computer and organize all of the infected machines into a network of “bots” they can remotely control for malicious purposes.
Botnets are typically used to send spam and phishing e-mails and launch DDoS attacks.
Intentional Cyber threats: Ransomware and Cryptojacking
Ransomware is designed to block access to a computer system until a sum of money has been paid. Ransomware works by first infiltrating a computer with malware and then encrypting all the files on the disk.
Cryptojacking is a ransomware-like scheme that uses other people’s devices without their consent or knowledge to secretly siphon off cryptocurrency at the victim’s expense.
SQL injection is one of the most dangerous vulnerabilities of a network application, since attackers can use it to bypass application security measures. The intent is to execute SQL code inside an app or web page for personal gain or simply to be destructive.
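The SQL injection point on this slide is easiest to see in code. The following is an added example, not code from the textbook; it builds an in-memory SQLite table with constructed sample users and shows the same login query written two ways: once by pasting user input into the SQL text (the vulnerable form, which lets an input that closes the quoted string change what the query means) and once with bound parameters (the fix, where input is always treated as data). Table and user names are invented for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration; not from any real system.
SAMPLE_USERS = [
    ("alice", "correct-horse", "admin"),
    ("bob", "battery-staple", "staff"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory users table. Plaintext passwords are used only to
    keep the injection point obvious; production code stores password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Builds the statement by string formatting, so whatever the caller types
    becomes part of the SQL text that the database parses."""
    sql = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Parameterized statement: the '?' placeholders are bound as data values,
    so the input can never change the structure of the query."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def demo() -> dict:
    """Run both versions against a correct login and a malformed input that
    closes the quoted string; returns what each version matched."""
    conn = build_db()
    bad_input = "' OR '1'='1"
    return {
        "vulnerable_good_login": login_vulnerable(conn, "alice", "correct-horse"),
        "vulnerable_bad_input": login_vulnerable(conn, "alice", bad_input),
        "parameterized_bad_input": login_parameterized(conn, "alice", bad_input),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable version matches every user when given the malformed input, which is exactly the "bypass application security measures" outcome the slide warns about; the parameterized version matches nothing, because the database never interprets the input as SQL. Parameterized queries (or an ORM that uses them) are the primary defense; input validation and least-privilege database accounts are additional layers.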
Intentional Cyber threats: Man-in-the-middle (MitM)
MitM attacks occur when cyber criminals insert themselves between two parties in a transaction with the intention of stealing data.
Intentional Cyber threats: Denial of Service Attacks
Intentional Cyber threats: Insider Threats
Internal threats and misuse-of-privilege threats are a major challenge, largely because of the many ways an employee or contractor can carry out malicious activities.
Data tampering is a common means of cyberattack.
It refers to an attack during which someone enters false or fraudulent data into a computer, or changes or deletes existing data.
Data tampering is extremely serious because it may not be detected; it is the method often used by insiders and fraudsters.
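Because the slide's key point is that tampering "may not be detected", here is an added example (not from the textbook) of one detection control: sealing each record with an HMAC so that any later change to a field fails verification. The key, record fields and values are constructed for the demonstration; the assumption is that the key is held by an integrity-checking service, not by the staff who are able to edit the records.

```python
import hashlib
import hmac
import json

# Constructed key and record for the demonstration. In practice the key is held
# by the integrity-checking service, not by the people who can edit the data.
INTEGRITY_KEY = b"demo-key-replace-with-a-random-secret"
SAMPLE_RECORD = {"invoice": 1001, "payee": "Example Vendor", "amount": 500.00}


def canonical_bytes(record: dict) -> bytes:
    """Serialize deterministically so the same record always yields the same tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal_record(record: dict, key: bytes) -> dict:
    """Attach an HMAC-SHA256 tag computed over the canonical form of the record."""
    tag = hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()
    return {"record": dict(record), "tag": tag}


def verify_record(sealed: dict, key: bytes) -> bool:
    """Recompute the tag and compare in constant time; any changed field fails."""
    expected = hmac.new(key, canonical_bytes(sealed["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


def demo() -> dict:
    """Seal a record, then alter one field the way a fraudulent edit would."""
    sealed = seal_record(SAMPLE_RECORD, INTEGRITY_KEY)
    tampered = {"record": dict(sealed["record"]), "tag": sealed["tag"]}
    tampered["record"]["amount"] = 5000.00
    return {
        "intact_verifies": verify_record(sealed, INTEGRITY_KEY),
        "tampered_verifies": verify_record(tampered, INTEGRITY_KEY),
    }


if __name__ == "__main__":
    print(demo())
```

The caveat that matters for insider threats: anyone who holds the key can re-seal an altered record, so the control only works when the key is separated from the people and applications that write the data (a separate audit service, an HSM, or append-only logging). A plain hash without a key would not help at all, since the insider could simply recompute it.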
Cyber Threats: Intentional/Unintentional
Physical theft or loss is the threat of an information asset going missing, whether through negligence or malice
Miscellaneous errors: The main concern related to this source of cyberthreat is a shortage of capacity that prevents information from being available where and when needed.
High Profile and Under the Radar Attacks
Advanced Persistent Threats (APT)
Launched by an attacker through phishing to gain access to an enterprise’s network
Designed for long-term espionage
Profit-motivated cybercriminals often operate in stealth mode to continue long-term activities
Hackers and hacktivists, commonly with personal agendas, carry out high-profile attacks to further their causes.
Anonymous and LulzSec are two hacker groups who have committed daring data breaches, data compromises, data leaks, thefts, threats, and privacy invasions.
How Much Does a Cyberattack Really Cost an Organization?
In 2019 the global average total cost of a data breach was $3.92 million.
The average size of a data breach was 25,575 records, the cost per record lost was $150 and it took an average of 279 days for companies to identify and contain a breach.
Companies in the United States reported the highest average cost of a breach at $8.19 million and health care had the highest industry average cost of $6.45 million.
Extent and Cost of Cyberattacks and Cyberthreats: Questions
Define and give an example of an intentional threat and an unintentional threat.
Why might management not treat cyberthreats as a top priority?
Describe the differences between distributed denial-of-service (DDoS), telephony denial-of-service (TDoS), and permanent denial-of-service (PDoS).
List and define three types of malware.
What are the risks caused by data tampering?
Define what a trojan is and explain why it is dangerous.
Why are MitM attacks on the rise? How might companies guard against MitM attacks?
What is cryptojacking? How can you protect yourself from being a victim of cryptojacking?
Learning Objectives (3 of 5)
Cyberattack Targets and Consequences
Cyberattack Targets and Consequences
Managers make the mistake of underestimating IT vulnerabilities and threats and appear detached from the value of confidential data (even high-tech companies).
Targets for cyberattacks include weak passwords; critical infrastructure; theft of IP; identity theft; shadow IT; bring your own device (BYOD) and social media.
Weak Passwords and Critical Infrastructure
Weak passwords: The capture and misuse of credentials, such as user IDs and passwords, is one of the foundational techniques hackers use to execute numerous types of cyberthreats, such as phishing, leaving organizations open to data breaches.
Critical infrastructure: Systems and assets, whether physical or virtual, so vital to a country that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.
Industroyer: A new form of malware developed to target critical infrastructure in the energy sector.
Theft of Intellectual Property
Intellectual Property is a work or invention that is the result of creativity that has commercial value.
It includes copyrighted property such as a blueprint, manuscript, or design, and is protected by law from unauthorized use by others.
Intellectual property can represent more than 80% of a company’s value.
Losing customer data to hackers can be costly and embarrassing but losing intellectual property, commonly known as trade secrets, could threaten a company’s existence.
Identity Theft
Identity theft is theft in which individuals’ Social Security and credit card numbers are stolen and used by thieves.
It is made worse by electronic sharing and databases.
Shadow IT (stealth IT) introduces security risks when unsupported hardware and software used by individuals or departments circumvent the IT security measures that apply to approved technology.
Bring Your Own Device (BYOD)
Bring Your Own Device (BYOD): employees provide their own (mobile) devices for business purposes, reducing expenses by cutting purchase and maintenance costs.
Roughly 87% of U.S. organizations are using or planning to use BYOD
Cuts business costs by not having to purchase and maintain employees’ mobile devices
Security risk: mobile devices rarely have strong authentication, access controls, and encryption even though they connect to mission-critical data and cloud services. Could also be lost or stolen.
Social Media Attacks
Social networks and cloud computing increase vulnerabilities by providing a single point of failure and attack for organized criminal networks.
Facebook recently reported that it disabled almost 1.3 billion fake accounts
Twitter suspended 70 million accounts
LinkedIn openly admitted they have no reliable system for identifying and counting duplicate or fraudulent accounts.
Networks and Services Increase Exposure to Risk
Time-to-exploitation is the elapsed time between when a vulnerability is discovered and when it is exploited.
When new vulnerabilities are found in operating systems, applications, or wired and wireless networks, patches are released by the vendor or a security organization.
A patch is a software program that users download and install to fix a vulnerability.
Cyberattack Targets and Consequences: Questions
What is a critical infrastructure?
List three types of critical infrastructures.
How do social network and cloud computing increase vulnerability?
Why are patches and service packs needed?
Why is it important to protect IP?
How are the motives of hacktivists and APTs different?
Explain why data on laptops and computers need to be encrypted.
Explain how identity theft can occur.
Learning Objectives (4 of 5)
Defending Against Cyberattacks and Managing Risk
Defending Against Cyberattacks and Managing Risk
To effectively guard against cyberattacks, top management must sponsor and promote security initiatives and fund them as a top priority.
The first step in a cyber security initiative is to choose a cyber defense strategy.
Then adopt risk mitigation strategies specific to different types of assets.
Then deploy robust security measures that are not just the responsibility of IT and top management, but the ongoing duty of everyone in an organization.
Cyber Defense Strategies
The primary objective of IT security management is to defend all the components of an information system.
To do this a company must gather strategic and tactical intelligence to develop a customized cybersecurity defense.
Strategic intelligence informs HOW an organization will defend itself.
Tactical intelligence informs WHAT an organization needs to do when it is attacked.
Managing Risk
Risk is a situation involving exposure to danger.
Risk mitigation is the action taken to reduce threats and ensure resiliency.
Securing Systems: Cyber Defense Tools
Antivirus software: Anti-malware tools are designed to detect malicious code and prevent users from downloading it.
Intrusion Detection Systems (IDSs): An IDS scans for unusual or suspicious traffic.
Intrusion Prevention Systems (IPSs): An IPS is designed to take immediate action—such as blocking specific IP addresses—whenever a traffic-flow anomaly is detected.
IP intelligence services: IP intelligence service providers can help organizations significantly reduce malicious network activity.
Protecting Against Malware Reinfection, Signatures, Mutations, and Variants
Attempts to remove the malware can fail and the malware may reinfect the host for two reasons:
Malware is captured in backups or archives
Malware infects removable media
Malware signature is a unique value that indicates the presence of malicious code.
Zero-day exploits—malware so new their signatures are not yet known
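To make the signature, mutation and zero-day points on this slide concrete, here is an added example (not from the textbook) of a toy scanner that applies two kinds of signature to constructed byte strings standing in for files: an exact-hash signature, which a one-byte variant evades, and a byte-pattern signature, which catches the variant but still misses a sample nobody has seen before. File paths, family names and contents are invented; none of the byte strings is real malware.

```python
import hashlib

# Constructed byte strings standing in for scanned files; none is real malware.
FILES = {
    "/tmp/report.pdf": b"%PDF-1.4 quarterly figures ...",
    "/tmp/invoice.exe": b"MZ-stub payload=do-bad-things build=1",
    "/tmp/invoice2.exe": b"MZ-stub payload=do-bad-things build=2",   # variant: one byte differs
    "/tmp/update.exe": b"MZ-stub payload=something-new-entirely",  # unknown sample
}

# A hash signature identifies one exact byte-for-byte sample.
HASH_SIGNATURES = {
    hashlib.sha256(b"MZ-stub payload=do-bad-things build=1").hexdigest(): "DemoFamily.build1",
}

# A byte-pattern signature identifies a family by a substring shared across variants.
PATTERN_SIGNATURES = {
    "DemoFamily": b"payload=do-bad-things",
}


def match_hash(data: bytes):
    """Return the signature name if the whole file hashes to a known value, else None."""
    return HASH_SIGNATURES.get(hashlib.sha256(data).hexdigest())


def match_pattern(data: bytes):
    """Return the family name if any known byte pattern occurs in the file, else None."""
    for name, pattern in PATTERN_SIGNATURES.items():
        if pattern in data:
            return name
    return None


def scan(files: dict) -> dict:
    """Apply both signature types to every file and report what each one matched."""
    return {
        path: {"hash": match_hash(data), "pattern": match_pattern(data)}
        for path, data in files.items()
    }


if __name__ == "__main__":
    for path, result in scan(FILES).items():
        print(path, result)
```

The result for "/tmp/update.exe" is the zero-day case: both signature types return None, because no signature for it exists yet. That gap is why signature scanning is paired with behavioural detection, patching and the backup hygiene described on this slide (a signature-based tool will also happily skip malware that is sitting inside an archive it does not unpack).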
Protect Mobile Devices
Mobile biometrics, such as voice and fingerprint biometrics, can significantly improve the security of physical devices
Voice biometrics is an effective authentication solution across a wide range of consumer devices including smartphones, tablets, and TVs
Rogue application monitoring is used to detect and destroy malicious applications
Mobile kill switch or remote wipe capability as well as encryption are needed in the event of loss or theft of a device
Encryption is the process of converting information or data into a code, and it is essential to prevent unauthorized access to sensitive information transmitted online.
Becoming IT Resilient
IT resilience is the ability to protect data and apps from any planned or unplanned disruption, eliminating the risk of downtime and maintaining a seamless customer experience.
Backup and Recovery
An effective IT resilience strategy should consist of four elements:
Availability—keep customers continuously connected to their data and apps.
Mobility—be able to move apps and workloads while keeping them fully protected.
Agility—maintain the freedom to choose your own cloud and be able to move to, from and between clouds.
Training—IT and non-IT employees must understand their roles in case of a disruption or disaster and be trained in how to respond.
Business Continuity Planning (1 of 3)
Business continuity refers to maintaining business functions or restoring them quickly when there has been a major disruption.
The plan covers business processes, assets, human resources, business partners, and more.
Each function in the business should have a feasible backup plan.
Business Continuity Planning (2 of 3)
To supplement and strengthen a business continuity plan the following strategies can be put in place to help reduce the impact of a disaster or disruption:
Direct individual employees to make regular off-site backups of their files that can be accessed remotely with a secure username and password
Deploy a cloud-based Email Continuity Solution to provide uninterrupted access to e-mail.
Make sure you have cross-device software compatibility so that business can continue on employee mobile devices.
Unify communications on a secure off-site cloud server that will keep operating in the event of a power outage, natural disaster or other disruptions.
Business Continuity Planning (3 of 3)
To supplement and strengthen a business continuity plan the following strategies can be put in place to help reduce the impact of a disaster or disruption (cont.):
Establish a service-level agreement with your provider that offers fast support, emergency backup and routing to alternative servers when necessary.
Put processes in place to ensure that IT teams can act quickly without approvals in case of a disaster or disruption.
Make sure enough resources are allocated in the IT budget for adequate business continuity and disaster recovery services
Disaster Recovery Services
Set up a secure, off-site disaster recovery space. The three types of sites are:
Hot site: all the necessary equipment, including office space, furniture, communications capabilities, and computer equipment.
Warm site: a fully equipped physical data center, but with no customer data.
Cold site: provides office space but requires the customer to provide and install the equipment needed to continue operations.
Defending Against Cyberattacks and Managing Risk: Questions
Explain why it is becoming more important for organizations to make cyber risk management a high priority.
Name three IT defense tools.
What is the purpose of rogue application monitoring?
Why is a mobile kill switch or remote wipe capability an important part of managing cyber risk?
Why does an organization need to have a business continuity plan?
Name the three essential cybersecurity defenses.
What is the difference between hot, warm, and cold sites?
When and why do companies impose do-not-carry rules?
Learning Objectives (5 of 5)
Regulatory Controls, Frameworks and Models
Regulatory Controls, Frameworks, and Models
General defense controls are established to protect the system regardless of the specific application.
Application defense controls are safeguards that are intended to protect specific applications.
Physical controls
Physical controls protect physical computer facilities and resources. Appropriate physical security may include several physical controls such as:
Appropriate design of the data center (noncombustible and waterproof).
Shields against electromagnetic fields.
Emergency power shutoff and backup batteries.
Properly designed and maintained air-conditioning systems.
Motion detector alarms that detect physical intrusion.
Badges for authorized persons.
Access controls
Access controls dictate who is authorized to use an organization’s computing resources. Restricted access is achieved through a two-step process:
user authentication, which identifies the different users on the network, and
user authorization, which grants or denies specific access permissions.
Data security controls are needed to protect sensitive data throughout the five stages of its lifecycle from creation to disposal.
Communications controls restrict access to devices on the network to endpoint devices that comply with the organization’s security policy and secure the flow of data across networks.
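The two-step access control process on this slide, as an added example that is not from the textbook: authentication checks a submitted password against a salted, iterated hash in a user store, and only a user who passes that step is checked against a role-to-permission table for the specific action requested. The accounts, roles, actions and passwords are constructed for the demonstration; the PBKDF2 iteration count is a deliberately low assumption so the example runs quickly.

```python
import hashlib
import hmac
import os

# Constructed user store and permission tables for the demonstration.
USERS = {}                                          # username -> (salt, password digest)
ROLES = {"alice": {"admin"}, "bob": {"staff"}}      # username -> roles
PERMISSIONS = {                                     # role -> allowed actions
    "admin": {"read_report", "edit_payroll"},
    "staff": {"read_report"},
}
PBKDF2_ROUNDS = 100_000  # assumption: kept low for the demo; production uses more


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so a stolen user store does not yield passwords directly."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def register(username: str, password: str) -> None:
    """Store a fresh random salt and the derived digest; the password itself is never kept."""
    salt = os.urandom(16)
    USERS[username] = (salt, hash_password(password, salt))


def authenticate(username: str, password: str) -> bool:
    """Step 1: establish who the user is."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, digest = record
    return hmac.compare_digest(digest, hash_password(password, salt))


def authorize(username: str, action: str) -> bool:
    """Step 2: decide whether the identified user may perform this action."""
    return any(action in PERMISSIONS.get(role, set()) for role in ROLES.get(username, set()))


def access(username: str, password: str, action: str) -> str:
    """Run both steps in order; authorization is never consulted for an unauthenticated caller."""
    if not authenticate(username, password):
        return "denied: authentication failed"
    if not authorize(username, action):
        return "denied: not authorized"
    return "granted"


# Constructed accounts; registration happens at import so the functions are usable at once.
register("alice", "correct-horse-battery")
register("bob", "staple-tr0ub4dor")

if __name__ == "__main__":
    print(access("alice", "correct-horse-battery", "edit_payroll"))
    print(access("bob", "staple-tr0ub4dor", "edit_payroll"))
```

Keeping the two steps separate is what makes the "misuse of privileges" category on the insider-threat slide auditable: a valid employee (authenticated) attempting an action outside their role (not authorized) produces a distinct denial that can be logged and reviewed.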
Administrative controls
Administrative controls deal with issuing guidelines and monitoring compliance with an organization’s security guidelines.
Examples of administrative controls are:
Appropriately select, train, and supervise employees, especially in accounting and information systems
Foster company loyalty
Require periodic modification of access controls, such as passwords
Perform periodic random audits of the system
Application Defense Controls
An application defense control is a security practice that blocks or restricts unauthorized apps from executing in ways that put data at risk.
Application controls include:
Completeness checks to ensure records processing from start to finish
Validity checks to ensure only valid data is input or processed
Authentication to identify users
Authorization to ensure appropriate permissions
Input controls to ensure data integrity of all data entered
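The completeness, validity and input controls listed on this slide are easiest to understand as code run over a batch of records. The following is an added example, not from the textbook: it checks each constructed order record for missing fields (completeness) and for well-formed, in-range values (validity), and then applies a batch-level input control, comparing the number of records and the sum of amounts actually received with the count and control total the sender declared. Field names, formats, limits and sample values are assumptions made for the demonstration.

```python
import re
from datetime import date

REQUIRED_FIELDS = ("order_id", "customer_id", "amount", "order_date")
ORDER_ID_PATTERN = re.compile(r"ORD-\d{6}")
MAX_AMOUNT = 100_000.0  # assumed business limit for a single order

# Constructed input batch; the sender also declares how many records it sent
# and the total of their amounts, which is the batch-level control total.
SAMPLE_BATCH = [
    {"order_id": "ORD-000123", "customer_id": "C42", "amount": "199.99", "order_date": "2021-03-04"},
    {"order_id": "ORD-000124", "customer_id": "", "amount": "50.00", "order_date": "2021-03-04"},
    {"order_id": "ORD-124", "customer_id": "C07", "amount": "-5", "order_date": "04/03/2021"},
]
SAMPLE_DECLARED_COUNT = 3
SAMPLE_DECLARED_TOTAL = 244.99


def _as_number(value):
    """Return the value as a float, or None if it is not numeric."""
    try:
        return float(value)
    except (TypeError, ValueError):
        return None


def completeness_check(record: dict) -> list:
    """Completeness control: every required field must be present and non-empty."""
    return [f"missing:{f}" for f in REQUIRED_FIELDS if not record.get(f)]


def validity_check(record: dict) -> list:
    """Validity control: each field must be well-formed and within business limits."""
    errors = []
    if not ORDER_ID_PATTERN.fullmatch(str(record.get("order_id", ""))):
        errors.append("invalid:order_id")
    amount = _as_number(record.get("amount"))
    if amount is None:
        errors.append("invalid:amount_not_numeric")
    elif not 0 < amount <= MAX_AMOUNT:
        errors.append("invalid:amount_range")
    try:
        date.fromisoformat(str(record.get("order_date", "")))
    except ValueError:
        errors.append("invalid:order_date")
    return errors


def process_batch(records: list, declared_count: int, declared_total: float) -> dict:
    """Apply record-level controls, then the batch-level input control."""
    accepted, rejected = [], {}
    for rec in records:
        errors = completeness_check(rec) + validity_check(rec)
        if errors:
            rejected[rec.get("order_id")] = errors
        else:
            accepted.append(rec["order_id"])
    # Input control: what was received must reconcile with what the sender declared,
    # which catches records lost or duplicated in transit before any are processed.
    received_total = sum(_as_number(r.get("amount")) or 0.0 for r in records)
    return {
        "accepted": accepted,
        "rejected": rejected,
        "count_matches": len(records) == declared_count,
        "total_matches": abs(received_total - declared_total) < 0.005,
    }


if __name__ == "__main__":
    print(process_batch(SAMPLE_BATCH, SAMPLE_DECLARED_COUNT, SAMPLE_DECLARED_TOTAL))
```

Note that the control total is computed over everything received, including records that are later rejected; that is deliberate, because its job is to confirm that the batch arrived intact, which is a different question from whether each record is usable.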
Auditing Information Systems
Auditing is an additional layer of controls or safeguards.
Auditing a website is a good preventive measure to manage the legal risk.
Auditing e-commerce is also more complex since, in addition to the website, one needs to audit order taking, order fulfillment, and all support systems.
Government Regulations
As cyber threats continue to evolve and gain momentum in other industries, more and more legislative bills are being proposed
The Federal Information Security Management Act (FISMA) requires federal agencies to develop, document, and implement an information security and protection program.
In 2019, at least 43 U.S. states introduced bills that dealt significantly with cyber security. Of these, 31 states enacted cyber security legislation
Risk Management and IT Governance Frameworks
Two widely accepted frameworks that guide risk management and IT governance are:
Enterprise Risk Management Framework ERM is a risk-based approach to managing an enterprise developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
The COBIT 2019 Framework. COBIT 2019 is a globally recognized governance framework that integrates security, risk management, and IT governance, developed by ISACA—the Information Systems Audit and Control Association (www.isaca.org).
Enterprise Risk Management Framework
The COBIT 2019 Framework
Industry Security Standards
Industry groups impose their own standards to protect their customers and their members’ brand images and revenues.
One example is the Payment Card Industry Data Security Standard (PCI DSS) created by Visa, MasterCard, American Express, and Discover.
PCI is required for all members, merchants, or service providers that store, process, or transmit cardholder data.
IT Security Defense-In-Depth Model
The Defense-in-Depth Model is based upon the premise that no organization can ever be fully protected by a single layer of security. However, when there are multiple levels of security defenses in place the gaps created by a single level of security can be effectively eliminated.
Defense-in-Depth Model: Step 1
Gain Senior Management Commitment and Support
IT security is best when it is top-driven.
Senior managers decide how stringent information security policies and practices should be to comply with laws and regulations.
Other factors influencing information security policies are a corporation’s culture and how valuable their data are to criminals.
Defense-in-Depth Model: Step 2
Develop Acceptable Use Policies and IT Security Training
An acceptable use policy (AUP) explains what management has decided are acceptable and unacceptable activities, and the consequences of noncompliance.
Rules about tweets, texting, social media, e-mail, applications, and hardware should be treated as extensions of other corporate policies—such as physical safety, equal opportunity, harassment, and discrimination.
Defense-in-Depth Model: Step 3
Create and Enforce IT Security Procedures
Define enforcement procedures
Designate and empower an internal incident response team (IRT)
Define notification procedures
Define a breach response communications plan
Monitor information and social media sources
Defense-in-Depth Model: Step 4
Implement Security Tools: Hardware and Software
The selection of hardware and software defenses is based on risk, security budget, AUP, and secure procedures.
Technology defense mechanisms need to be:
able to provide strong authentication and access control of industrial grade
appropriate for the types of networks and operating systems
installed and configured correctly
tested rigorously
maintained regularly
Regulatory Controls, Frameworks and Models: Questions
What is the purpose of general defense controls?
What is the purpose of application defense controls?
Name the five major categories of general controls.
Name four application controls.
Explain authentication and name two methods of authentication.
What are the six major objectives of a defense strategy?
What is the purpose of the PCI DSS?
What are the major elements in COBIT 2019?
What four components comprise the IT security defense-in-depth model?
Copyright
Copyright © 2021 John Wiley & Sons, Inc.
All rights reserved. Reproduction or translation of this work beyond that permitted in Section 117 of the 1976 United States Act without the express written permission of the copyright owner is unlawful. Request for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc. The purchaser may make back-up copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages, caused by the use of these programs or from the use of the information contained herein.