‫‪Security & Policies‬‬

‫‪By: Eng. Maryam Gaber‬‬

‫هذا الملف أمانة و ال أسمح بنشره اال بعد الرجوع لصاحبته‬

 Chapter 8
Communications and Operations Security

Communication and operations security focuses on Information technology (IT) and

Security functions including:
1. Standard operating procedures
2. Change management
3. Malware protection
4. Data replication
5. Secure management
6. Activity monitoring
▪ These functions are carried out by IT and information security data custodians (e.g.,
network administrations security engineers)

Standard Operating Procedures (SOPs)

SOPs are detailed explanations of how to perform a task
▪SOPs provide; standardized direction, improved communication, reduced training
time and improved work consistency
▪Effective SOPs include:
1. Who performs the task
2. What materials are necessary
3. Where the task takes place
4. When the task will be performed
5. How the person will execute the task

SOPs Documentation
▪SOPs should be properly documented to protect the company
▪ A critical task/business process is only known by one employee and is not
documented, if that employee becomes unavailable, the organization could be
seriously injured
▪Documented SOPs standardize the target process and provide sufficient information
▪ Someone with limited experience can successfully perform the procedure
unsupervised
▪SOPs should be written in detail by someone with sufficient experience of the
targeted process
Authorizing SOP Documentation
• Reviewed
The reviewer should check the SOP for clarity and reliability

• Verified
The verifier should test the procedure and ensure they are correct and not missing any
steps

• Authorized (before publication)

The process owner is responsible for authorization, publication and distribution of the
document.

Protecting SOP Documentation

The integrity of the SOP document should be protected through:
▪Access controls
▪ Should be applied to protect the procedure document from any tampering/altering
▪Version controls
▪ Employees should use the latest revision of the procedure

Developing SOPs
SOPs should be:
▪Concise & clear
▪Logical step-by-step order
▪Plain language format
▪Exceptions are noted and explained
▪Warnings are clear and standout
Choosing the format of a SOP is based on: ▪
• How many decisions the user will make
• How many steps are in the procedure

Developing SOPs Methods

There are four common SOP formats:

1.Simple step
▪ Procedure contains less than 10 steps
▪ Does not involve many decisions
2. Hierarchical / 3. Graphic
▪ Procedure contains more than 10 steps
▪ Does not involve many decisions

4. Flowchart
▪ Procedure can contain any number of steps
▪ Involves many decisions

Operational Change Control

Change control: An internal procedure in which authorized changes are made to software,
hardware, network access privileges, or business processes.
▪ Managing change allows organizations to be productive and spend less time in crisis mode.
▪ Example: An operating system fails to be updated completely to the new version nor is it
still original version, this results in an unstable platform hindering the productivity of the
entire company.

The change control process:

1. Submitting a Request For Change (RFC)
2. Developing a change control plan
3. Communicating change
4. Implementing & monitoring change

Submitting a Request for Change (RFC)

The first phase of the change control process is an RFC submission
The RFC should include:
1. Description of the proposed change
2. Justification why the change should be implemented
3. Impact of not implementing the change
4. Alternatives
5. Cost
6. Resource requirements and timeframe
The change is then evaluated and if approved, it will be implemented

Developing a Change Control Plan

Once the change is approved, the next step is to develop a change control plan
The change control plan should include:
1. Security reviews to ensure no new vulnerabilities are introduced
2. Implementation instructions
3. Rollback and/or recovery options
4. Post implementation monitoring
Communicating Change
Change must be communicated to all relevant parties (employees, managers)
There are two main categories of messages that are communicated:

1.Messages about the change, which should include:

▪ Current situation ▪ The need for change ▪ What the change is, how it will change and when

2.Messages how the change will impact employees

▪ Impact on day-to-day activities of the employees ▪ Implication on job security

Implementing & Monitoring Change

Change can be unpredictable
▪ If possible, change should be applied to a test environment to check and monitor its
impact.
▪ A plan must be in place to roll back or recover from failed implementation
Note:
• All actions and steps taken to implement the change should be recorded and
documented
• Change should be continuously monitored for any flaws and unexpected impacts

Patching
▪ Patch is software or code designed to fix a problem
▪ Applying security patches is the primary method of fixing security vulnerabilities in
software
▪ Patches need to be applied quickly to prevent attackers from exploiting code and
information
Patch Management: The process of scheduling, testing, approving, and applying security
patches
▪ Patching can be unpredictable and disruptive
▪ User should be notified of potential downtime due to patch installation

Malware Protection
Malware (malicious software) is designed to:
1. Disrupt computer operation 2. Gather sensitive information
3. Gain unauthorized access to computer systems and mobile devices
▪Malware can infect system by being bundled with other programs or self-replicated
▪Most malware typically requires user interaction such as:
1. Clicking an email attachment 2. Downloading a file from the Internet
Different Types of Malware
Malware can be categorized as:
▪ Viruses: malicious code that attaches to become part of another program
▪ Worm: a piece of code that spreads from one computer to another without requiring a
host file
▪ Trojans: malicious code that masks itself as a legitimate kind application
Bots: Snippets of code designed to automate tasks and respond to instructions
▪ Ransomware: a type of malware that take computer or its data as hostage

▪ Rootkits: a set of software tools that hides its presence on the computer, using some of the
lower layers of the operating system or the device basic input/output system (BIOS) with
privileged access permissions.
▪ Spyware/adware: general term describing software that tracks Internet activity and
searches without user knowledge

How is Malware Controlled?

Prevention controls: Stop an attack before it occurs
▪ Disable remote desktop connection
▪ Configure the firewall to restrict access
▪ Disallow users to install software on company device

Detection controls: Identify the presence of malware, alert the user, and prevent the
malware from carrying out its mission
Detection controls include the following:
▪ Real-time firewall detection of suspicious file downloads.
▪ Real-time firewall detection of suspicious network connections.

What Is Antivirus Software?

Antivirus software is used to detect, contain, and in some cases eliminate malicious software
Most AV software employs two techniques:
1.Signature-based recognition (virus code)
2.Behavior-based (heuristic) recognition (Disabling security controls, registering for
AutoStart)

AV software is not 100% effective due to three factors

1.The volume of new malware
2.Single-instance malware (never been seen before)
3.Blended threats (malware put together)

Data Replication
The impact of malware, hardware failure, accidental deletion is reduced by effective:
▪Data Replication: Is the process of copying data to a second location that is available for
immediate use (Moving data between a company’s sites)
▪Data backup: is the process of copying/storing data that can be restored to its original
location in case the original is lost or damaged.
▪Replicating and backing up data protects data’s integrity and availability
Recommended Backup/Replication Strategy?
▪ Decision to backup/replicate and how often should be based on the impact of not being
able to access the data
Several factors should be considered when the strategy is designed:
▪ Reliability is vital
▪ Speed and efficiency
▪ Simplicity and ease of use
▪ Cost

Note: Backed-up or replicated data should be stored in a off-site location, secure from theft,
the elements, and natural disasters.

The Importance of Testing

The value of the backup or replication is the assurance that running a restore operation will
yield success and that the data will once again be available for production and business-
critical application systems.
The accessibility or restore strategy must be:
▪ Carefully designed ▪ Tested before being approved ▪ Documented

Securing Messaging
▪ Emails take complex routes with processing and sorting at several locations before arriving
at its destination ▪ It’s hard to tell if someone has read or manipulated your message in
transit *making it an insecure way to transmit information
▪ Email is an effective way to spread malware and attack/penetrate organizations
Malware is spread in emails through:
▪ Attachments
▪ Hyperlinks
▪ Email hoax: Email containing false information (such as virus warnings) asking user to
perform actions that can be damaging
Email users and employees should:
▪ Be careful of attachments, hyperlinks and spam emails
▪ Not access personal email accounts from corporate networks

Securing Messaging
The three most common user errors/mistakes that impact the confidentiality of email are:
1.Hitting the wrong button
▪ Using “reply all” as instead of “reply” or “forward” instead of “reply”
2.Sending an e-mail to the wrong e-mail address
▪ Sending to the wrong address because it is close to the intended recipient’s address
(especially with the use of autocomplete addresses)
3.Forwarding an email with the entire string
▪ Leaving a third person with information discussed in earlier e-mails that should have been
private.
Are E-Mail Servers at Risk? Email servers are hosts that deliver, forward, store emails
Compromising the e-mail server can happen by:
▪ Relay abuse: using mail servers to distribute spam/malware
▪ DDoS attack: an attack against the availability of the email service

• In a response to the deluge/flood of spam and email malware distribution,

blacklisting has become a standard practice.
• Blacklisting is used to deny emails coming from a specified IP address, domain name
or email address that is known for spam/malware.

Activity Monitoring and Log Analysis

Logs are used to record events occurring within an organization’s systems and networks Log
management activities include:
1. Configure log sources, log generations, storage & security
2. Perform analysis of log data
3. Initiate appropriate responses to identified events
4. Manage the long-term storage of log data

Data logs should be selected based on their ability to:

1. Identify suspicious activity and attacks
2. Help understand normal activity
3. Provide operational oversight/mistake
4. Provide a record of activity

Analyzing Logs
Data log analysis can be a reliable way to discover, potential threats, malicious activity and
provide operational oversight.
Log analysis techniques include:
▪ Correlation: ties individual log entries together based on related information
▪ Sequencing: examines activity based on patterns
▪ Signature: compares log data to “known bad” activity
▪ Trend analysis: identifies activity overtime that alone might seem normal
 Chapter 9: Access Control Management
Access controls: Security features that govern how users and processes communicate and
interact with systems and resources.
Three common attributes of access controls
1. Identification scheme – identifies unique records in the set, subject supplies identifier
to the object
2. Authentication method – how identification is proven to be genuine
3. Authorization method – the process of assigning authenticated subjects the
permission to carry out a specific operation.

What Is a Security Posture?

The security posture of an organization determines the default settings for ccess controls
Access controls can be:
• Technical (such as firewalls or passwords),
• Administrative (such as separation of duties or dual controls), or
• Physical (such as locks, bollards, or turnstiles).
Two fundamental security postures:
1-Open :
• which implements the “default allow” model
• means that access, not explicitly forbidden, is permitted.
2-Secure:
• which implements the “default deny” model
• means that access, not explicitly permitted, is forbidden.

Default allow versus default deny

Default allow
▪ By default, no security is deployed, everyone can do everything
▪ Easier to deploy, works out-of-the-box
▪ No security

Default deny
▪ Aka (also known as) “deny all”
▪ Access is unavailable by default until the appropriate control is altered to allow access

Notes:
▪ Determining who to grant access should be based on the security principle of need-to-
know.
▪ The level of access required should be based on the security principle of least
privilege.
▪ Need-to-know means that the subject has a demonstrated and authorized reason for
being granted access to information.
▪ Once a need-to-know has been established, least privilege is the principle of only
assigning required object access permissions
Principle of Least Privilege
Definition: The least amount of permissions granted users that still allow them to perform
whatever business tasks they have been assigned, and no more.

Need-to-know
Definition: Having a demonstrated and authorized reason for being granted access to
information
Should be made a part of the company’s culture
Should be incorporated in security training curriculum

How Is Identity Verified?

First step to granting access is user identification
Authentication: Subject must supply verifiable credentials offered referred as factors:
▪Single-factor authentication: When only one factor is presented. The most common method
of single-factor authentication is the password.
▪Multifactor authentication: When two or more factors are presented
▪ Factor 1: Something you know (password), Factor 2: Something you have (smart card).
▪Multilayer authentication: When two or more of the same type of factors are presented.
▪ Factor 1: Somethings you know (username, password and security question)

Three categories of factors

1. Knowledge: Something you know
▪Password or PIN: Passwords are the most commonly used single-factor network
authentication method.
The authentication strength of a password is a function of its length, complexity, and
unpredictability.
▪Answer to a question: Common examples are mother’s maiden name and favorite
color.

2. Possession: Something you have :

▪ One-time passcodes (OTP): is a set of characteristics that can be used to prove a subject’s
identity one time and one time only
▪ Memory cards: is an authentication mechanism that holds user information within a
magnetic strip and relies on a reader to process the information.
▪ Smart cards: Instead of a magnetic strip, it has a microprocessor and integrated circuits.
▪ Out-of-band communication requires communication over a channel that is distinct from
the first factor.

3. Inherence: Something you are

▪ Biometric identification: is the identification of humans by distinctive, measurable
characteristics or traits.
A biometric identification system scans an attribute of a person and compares it to a record
that was created in an earlier enrollment process.
▪ Anatomical attributes: include fingerprint, finger scan, palm scan, hand geometry, retina
scan, iris scan, facial scan, and DNA.
▪ Physiological attributes: includes handwriting, keyboard dynamics, and voice print.

What Is Authorization?
▪ The process of assigning authenticated subjects’ permission to carry out a specific
operation. Three primary authorization models
1. Object capability : Used programmatically and based on a combination of a unforgettable
reference and an operational message
2. Security labels : Mandatory access controls embedded in object and subject properties
3. Access Control Lists : Used to determine access based on some criteria such as a user ID,
group membership, classification, location, address, and date

Categories of access control lists:

▪MAC (Mandatory Access Control): Data is classified, and employees are granted access
according to the sensitivity of information
▪DAC (Discretionary Access Control): Data owners decide who should have access to what
information
▪RBAC (Role-based Access Control): Access is based on positions (roles) within an
organization
▪Rule-based access control: Access is based on criteria that is independent of the user or
group account

Infrastructure Access Controls

▪ Include physical and logical network design, border devices, communication
mechanisms, and host security settings.
▪ Infrastructure Access Controls Include physical and logical network design, border
devices, communication mechanisms, and host security settings
▪ Segmentation provides the flexibility to implement a variety of services,
authentication requirements, and security controls.
▪ Network segmentation: The process of logically grouping network assets, resources,
and applications
Type of network segmentation
▪ Enclave network:
A segment of an internal network that requires a higher degree of protection. Internal
accessibility is further restricted through the use of firewalls, VPNs, VLANs, and network
access control (NAC) devices.
▪ Trusted network:
The internal network that is accessible to authorized users. External accessibility is restricted
through the use of firewalls, VPNs, and IDS/IPS devices. Internal accessibility may be
restricted through the use of VLANs and NAC device
▪ Semi-trusted network, perimeter network, or DMZ :
A network that is designed to be Internet accessible. Hosts such as web servers and email
gateways are generally located in the DMZ. Internal and external accessibility is restricted
through the use of firewalls, VPNs, and IDS/IPS devices
▪ Guest network:
A network that is specifically designed for use by visitors to connect to the Internet. There is
no access from the Guest network to the internal trusted network
▪ Untrusted network A network outside your security controls. The Internet is an untrusted
network.

What Is Layered Border Security?

Layered security is to have different types of security measures designed to work in tandem
(‫ )واحد بعد األخر‬with a single focus – to protect internal network from external threats.

Layered border security access controls include:

▪Firewall devices ▪Intrusion detection systems (IDSs)
▪Intrusion prevention systems (IPSs)
▪Content filtering and whitelisting/blacklisting
▪Border device administration and management

Firewall devices:
Firewalls are devices or software that control the flow of traffic between networks.
▪Firewalls are responsible for examining network entry and exit requests and enforcing
organizational policy.
▪Firewalls are a mandatory security control for any network connected to an untrusted
network such as the Internet.
▪Without a properly configured firewall, a network is completely exposed and could
potentially be compromised within minutes, if not seconds
▪The rule set is used by the firewall to evaluate ingress (incoming) and egress (outgoing)
network traffic.

▪Intrusion detection systems (IDSs)

▪IDSs passive devices designed to analyze network traffic in order to detect unauthorized
access or malicious activity.
▪Most IDSs use multiple methods to detect threats.
▪Signature-based detection, Anomaly-based detection
▪If suspicious activity is detected, IDSs generate an onscreen, email, and/or text alert.

▪Intrusion prevention systems (IPSs)

are active devices that sit inline with traffic flow and can respond to identified threats by
disabling the connection, dropping the packet, or deleting the malicious content
There are four types of IDS/IPS technologies:
1-Network-based IDS/IPS
▪ Monitors network traffic for particular network segments or devices and analyzes
the network and application protocol activity to identify suspicious activity
2. Wireless IDS/IPS ▪ Monitors wireless network traffic and analyzes it to identify suspicious
activity involving the wireless networking protocols themselves
3. Network behavior analysis IDS/IPS
▪ Examines network traffic to identify threats that generate unusual traffic flows, such as
distributed denial of service (DDoS) attacks, certain forms of malware, and policy
violations.
4-Host-based IDS/IPS
▪ Monitors the characteristics of a single host and the events occurring within that
host for suspicious activity

IDS/IPS has four decision states.

1. True positive occurs when the IDS/IPS correctly identifies an issue.
2. True negative occurs when the IDS/IPS correctly identifies normal traffic.
3. False positive occurs when the IDS/IPS incorrectly identifies normal activity as an issue.
4. False negative occurs when the IDS/ISP incorrectly identifies an issue as normal activity.

Content filtering and whitelisting/blacklisting

The filters can be supplemented by self-generated, open source, or subscription based IP
whitelists and/or blacklists.
Whitelists: are addresses (IP and/or Internet domain names) of known “good” sites to which
access should be allowed.
Content-filtering applications can be used to restrict access by content category (such as
violence, gaming, shopping, or pornography), time factors, application type, bandwidth use,
and media.
Border device administration and management

It is a 24/7/365 responsibility.
▪ On a daily basis, performance needs to be monitored to enable potential resource issues to
be identified and addressed before components become overwhelmed.
▪ Logs and alerts must be monitored and analyzed to identify threats—both successful and
unsuccessful.
▪ Administrators need to be on the watch for security patches and apply them expediently.
Remote Access
▪Users who have a demonstrated business-need to access the corporate network remotely
and are authorized to do so must be given that privilege
▪Not all employees should be given this privilege by default ▪Remote access activities should
be monitored and audited
▪The organization’s business continuity plan must account for the telecommuting
environment

Remote access technologies

1-Virtual Private Networks (VPNs)
▪ Secure tunnel for transmitting data over unsecure network, such as the Internet

2- Remote access portals

▪ Offers access to one or more applications through a single centralized interface

Remote Access Authentication and Authorization

▪ Whenever feasible, organizations should implement mutual authenticationto allow
verification for remote access user.
▪ Network access control (NAC) systems can be used to “check” a remote access device
based on defined criteria before it is allowed to connect to the infrastructure.

Teleworking Access Controls

▪ Teleworking(‫ )العمل عن بعد‬allows employees to work offsite, often from their home

User Access Controls

▪ The objective of User Access Controls is to ensure authorized users can access information
and resources while unauthorized users cannot access information and resources
▪ Users should have access only to information they need to do their job and no more

Administrative account controls

1-Segregation of duties ‫الفصل بين الواجبات‬
• Segregation of duties requires that tasks be assigned to individuals in a manner such
that no one individual can control process from start to finish.
• i.e., one to configure the firewall and one to load the configuration into the
production environment.
2-Dual control
• Dual control requires that two individuals must both complete their half of a specific
task.
• i.e., Two separate keys to unlock a door. Each key is assigned to an individual user.

What Types of Access Should Be Monitored?

Mining log data results in a wealth of information that can be used to protect your
organization.
Log data offers clues about activities that have unexpected and possibly harmful
consequences, including the following:
▪ At-risk events, such as unauthorized access, malware, data leakage, and suspicious activity
▪ Oversight events, such as reporting on administrative activity, user management, policy
changes, remote desktop sessions, configuration changes, and unexpected access
▪ Security-related operational events, such as reporting on patch installation, software
installation, service management, reboots bandwidth utilization, and DNS/DHCP traffic
Three categories of user access should be logged and analyzed:
1-Successful access
▪ record of user activity ▪ Reporting should include date, time, and action
2-Failed access
▪ indicative of either unauthorized attempts or authorized user issues ▪Privileged operations
▪ Compromise or misuse of administrator accounts can have disastrous consequences.
3-Privileged operations
▪ Compromise or misuse of administrator accounts can have disastrous consequences.

Is Monitoring Legal?
▪Employees should have no expectation of privacy while on company time or when using
company resources
Courts have favored an employer’s right to protect their interests over individual privacy
rights because:
1. Actions were taken at the employer’s place of work
2. Equipment used – including bandwidth – was company-provided
3. Monitoring the work also helps ensure the quality of work
4. The employer has the right to protect property from theft and/or fraud

Courts indicate that monitoring is acceptable if it is reasonable:

▪ Justifiable if serving a business purpose
▪ Policies are set forth to define what privacy employees should expect while on company
premises
▪ Employees are made aware of what monitoring means are deployed

Note:
▪ Acceptable use agreement should include a clause informing users that the company will
and does monitor system activity
▪ Users must agree to company policies when logging on

Chapter 10:
Information Systems Acquisition, Development, and Maintenance

System Security Requirements

▪ Security must be taken into account from the genesis/beginning of the project.
▪ Retroactively attempting to inject security back into existing code usually either does
not work or ends up creating new vulnerabilities and/or instability in the code.

What Is SDLC? Systems development lifecycle (SDLC) provides a standard process for any
system development
 There are five phases in the SDLC according to NIST
1. Initiation phase
▪ Establishes the need for a system and documents its purpose
▪ Information system is evaluated for security requirements,
▪ Project managers and developers must consider the security implications while taking
decisions, throughout the development
2. Development /acquisition phase
▪ The system is designed, purchased, programmed, or developed
▪ Risk assessment is iterative, Whenever new functionality is added, risk assessment should
be done.
▪ Security controls must be tested to ensure that they perform as intended.

3. Implementation phase
▪ The system is tested and retested, and any modifications are applied until it is accepted
▪ Design reviews and system testing must be done before placing the system for operation
▪ Final task is authorization- by the designee or system owner- this process is known as
certification and accreditation (C&A)
▪ The authorization officials depend on security plan, risk assessment reports and test
results.

4. Operational phase
▪ The system in put into production-should include monitoring, auditing, testing

5. Disposal phase
▪ Ensure the orderly termination of the system
▪ Configuration management and change control processes are done ( need for any change
and how to do it).
▪ Periodic testing and evaluation
▪ No retirement age for code!!
▪ System normally evolve from one generation to another, based on changing requirements
/improvements.

Software Releases
Alpha phase : Initial release of software for testing
▪ Can be unstable
Beta phase :Software is complete and ready for usability testing
▪ Release candidate (RC)
Hybrid of beta and final release version
Has the potential of being final release unless significant issues are identified
▪ General availability or go live
General availability or go live:
▪ Software has been made commercially available
Software Updates
▪Updates are different from security patches
▪Security patches are designed to address a specific vulnerability
▪Updates include functional enhancements and new features
▪Updates should be thoroughly tested
▪A documented rollback strategy should exists before applying any updates

Software Updates vs patches

▪ Updates are different from security patches
▪ Security patches are designed to address a specific vulnerability
▪ Updates include functional enhancements and new features
Software Updates
▪ A documented rollback strategy should exist before applying any updates
▪ If update required a system reboot, it should be delayed until the reboot has the least
impact on business operations.

Testing Environment Concerns

▪ Companies SHOULD have a test environment
▪ The closer to the live environment the test environment is, the more expensive it is, but
the more accurate the testing will be.
▪ Testing environment should be 100% segregated from the live network
▪ Live data should NEVER be used in a test environment
▪ De-identified or dummy data should be used in place of live data

Secure Code
Two types of code :
1-Insecure code (referred as “sloppy code”)
2-Secure code ▪ Deploying secure code is responsibility of the systems’ owner

The Open Web Application Security Project (OWASP)

▪ Online community that produces freely-available articles, methodologies,
documentation, tools, and technologies in the field of web application security.
▪ Open community dedicated to enabling organizations to develop, purchase, and maintain
applications that can be trusted

Every 3 years, OWASP releases the top 10 most critical web application security flaws/risks
at 2013:
▪ Injection
▪ Input validation
▪ Dynamic data verification
▪ Output validation
▪ Broken authentication and session management
Injection
▪ The attacker’s untrusted data can trick the interpreter into executing an unintended
command or accessing data without proper authorization.
▪ Preventing injection requires keeping untrusted data separate from commands and
queries.
Input validation
▪ Input validation is the process of validating all the input to an application before using
it. This includes correct syntax, length, characters, and ranges.
▪ The objective of input validation is to evaluate the format of entered information and,
when appropriate, deny the input.
▪ Input validation would look at how many and what type of characters are entered in
the field. This strategy is known as whitelist or positive validation.
Dynamic data verification
▪ Dynamic data is defined as data that changes as updates become available
▪ Example: A simple example of this is the exchange rate for a particular currency.
These values continually change, and using the correct value is critical.
▪ If the transaction involves a large sum, the difference can translate into a fair amount
of money!
Output validation
▪ Output validation is the process of validating (and in some cases, masking) the output
of a process before it is provided to the recipient.
▪ Example: would be substituting asterisks for numbers on a credit card receipt.
▪ Output validation controls what information is exposed or provided.

Broken authentication and session management

▪ If session management assets such as user credentials and session IDs are not properly
protected, the session can be hijacked or taken over by a malicious intruder.
▪ A critical security design requirement must be strong authentication and session
management controls.
A common control for protecting authentication credentials and session IDs is encryption.

Cryptography
Cryptography: The process that takes plain text and turns it into ciphertext
▪ Encryption is the conversion of plain text into what is known as cipher text using an
algorithm called a cipher.
▪ Decryption, the inverse of encryption, is the process of turning cipher text back into
readable plain text.
▪ Ciphertext: Text that cannot be read unless you apply the correct algorithm and
predetermined value

▪ The predetermined value is also referred to as a key

Encryption/Decryption algorithms:

1-Symmetric key
Uses a single secret key that must be shared in advance and kept private.
2. Asymmetric key Also known as public key
▪ Uses two different but mathematically related keys.
▪ One is called public and the other one private

3-Hashing
▪ The process of creating a numeric value that represents the original text.
▪ A hash function (such as SHA or MD5) takes a variable size input and produces a fixed size
output.
▪ The output is referred to as a hash value, message digest (MD), or fingerprint
▪ It is a one-way process.
▪ Provides integrity but not confidentiality and authentication

4-Digital signature:
▪ A hash value that has been encrypted with the sender’s private key.
▪ Ensures data integrity
▪ Does not insure data confidentiality.
▪ provide authenticity/ nonrepudiation

5-A digital certificate

A file that verifies the identity of a device or user.

Public Key Infrastructure (PKI)

▪ Framework and services used to create, distribute, manage, and revoke public keys
PKI is made up of multiple components
1. Certification Authority (CA)
Issues and maintains Digital certificates
2. Registration Authority (RA)
Performs the administrative functions, including verifying the identity of users and
organizations requesting a digital certificate, renewing certificates, and revoking
certificates
3. Client nodes
Interfaces to users, devices, and applications to access PKI functions.
4. Digital certificate
▪ A digital certificate acts like an identification card, driver's license, passport.
▪ Contains public key of certificate holder, serial number, name, validity period, name of
certificate issuer, digital signature, algorithm id.
 Chapter 11: Information Security Incident Management

▪ In general terms, incident management is defined as a predicable response to

damaging situations.
▪ It is vital that organizations have the practiced capability to respond quickly, minimize
harm, comply with breach-related state laws and federal regulations, and maintain
their calm in the face of an unsettling and unpleasant experience.
Organizational Incident Response
• The right time to develop an Incident Response plan is before an incident occurs Incident
preparedness includes having policies, strategies, plans, and procedures

The benefits of having a practiced incident response capability include the following:
• Calm and systematic response
• Minimization of loss or damage
• Protection of affected parties
• Compliance with laws and regulations
• Preservation of evidence
• Integration of lessons learned
• Lower future risk and exposure

What Is an Incident?
Information security incident is an adverse event that threatens business security and/or
disrupts service.
Difference between security incident and disaster.
▪ Incident is related to loss of confidentiality, integrity, or availability (CIA).
▪ Disaster is an event that results in widespread damage or destruction, loss of life
Every organization should be familiar with and prepared to respond to the following core
group of attacks.

Intentional unauthorized access or use

Occurs when an insider or an intruder gains logical or physical access without permission.

Denial of service (DoS) attacks

Prevents or impairs the normal authorized functionality of the organization’s networks,
systems, or applications by exhausting resources or in some way obstructs or overloads the
communication channel.

Malware
▪ Code that is covertly inserted into another program with the intent of gaining
authorized access or causing harm.
▪ Examples: Virus, Keylogger, Worm, Remote access, Trojan horse, Ransomware,
Spyware, Rootkit, Adware
Inappropriate usage
Occurs when authorized user performs actions that violate company policy, agreement, law,
or regulation.

Incident Severity Levels

Three severity levels
▪ Level 1
▪ Incidents that could cause significant harm
▪ Examples: Compromise of (customer information, company website), theft
or loss of any device or media on any device that contains legally protected
information, DoS.
▪ Level 2
▪ Compromise of or unauthorized access to noncritical systems or information.
▪ Malware detected on multiple systems.
▪ Level 3
▪ Situations that can be contained and resolved by the information system
custodian, data/process owner, or HR personnel.
▪ Examples: - User access to content or sites restricted by policy.

What Is an Incident Response Program (IRP)

▪ Composed of policies, plans, procedures, and people
▪ An incident response plan (IRP) is a roadmap of reporting, responding, and recovery
actions.
▪ Incident response procedures are detailed steps needed to implement the plan.
Activities in the IRP
➢ Preparation
➢ Detection and investigation
➢ Initial response
➢ Containment
➢ Eradication and recovery
➢ Notification
➢ Closure and post-incident activity
➢ Documentation and evidence-handling requirements

Preparation includes developing internal incident response capabilities, establishing external

contracts and relationships, defining legal and regulatory requirements, training personnel,
and testing plans and procedures.
Detection and investigation include establishing processes and a knowledge base to
accurately detect and assess precursors and indicators.
▪ A precursor is a signal or warning that an incident may occur in the future.
▪ An indicator is practical or verifying evidence that an incident may have occurred or
may be occurring now. Indicators are sometimes referred to as IOCs (indicators of
compromise).
 ▪ Initial response include incident declaration, internal notification, activation of an
incident response team, and/or designated incident handlers, and prioritization of
response activities.
▪ Containment includes taking the steps necessary to prevent the incident from
spreading, and as much as possible limit the potential for further damage.
▪ Eradication and recovery include the elimination of the components of the incident
(for example, malicious code, compromised passwords), restoring normal operations
and addressing the vulnerabilities related to the exploit or compromise.
▪ Notification includes the steps taken to notify state and federal agencies, affected
parties, victims, and the public-at-large ‫الجمهور بوجه عام‬.
▪ Closure and post-incident activity include incident summary, information sharing,
documentation of “lessons learned,” plan and procedure updates, and policy updates
and risk reviews, as applicable.
▪ Documentation and evidence-handling requirements include the recording of facts,
observations, participants, actions taken, forensic analysis, and evidence chain of
custody. Although the primary reason for gathering evidence during an incident is to
resolve the incident, it may also be needed for subsequent risk assessments,
notifications, and legal proceedings.
Key Incident Management Personnel
▪ Incident response coordinator (IRC)
▪ Central point of contact for all incidents
▪ Verifies and logs the incident.
▪ Designated incident handlers (DIHs)
Senior-level personnel who have crisis management and communication skills,
experience, and knowledge to handle an incident
▪ Incident response team (IRT)
Trained team of professionals that provide services through the incident lifecycle
Communicating Incidents
Throughout the incident lifecycle, there is frequently the need to communicate with outside
parties, including law enforcement, insurance companies, legal counsel ‫مستشار قانوني‬, forensic
specialists, vendors, external victims, and other IRTs.
Investigation and Evidence Handling
Incidents should be thoroughly documented.
Documenting Incidents
The initial documentation should create an incident profile.
The profile should include the following:
▪ How was the incident detected?
▪ What is the scenario for the incident?
▪ What time did the incident occur?
▪ Who or what reported the incident?
▪ Who are the contacts for involved personnel?
▪ A brief description of the incident
▪ Snapshots of all on-scene conditions.
Working with law enforcement
▪ Depending on the incident it may be necessary to contact local, state, or federal law
enforcement.
➢ The IRT team should be acquainted with applicable law enforcement
representatives
▪ Incident handlers that perform forensic analysis should be familiar with forensic
principles, guidelines, procedures, tools, and techniques.

Understanding Forensic Analysis

Digital Forensic is the use of scientific methods, technologies or expertise to investigate
crimes or examine electronic evidence that might be presented in a court of law.

The process of digital forensic includes:

▪ Collection
▪ Examination
▪ Analysis
▪ Reporting
Chain of custody
▪ A process that tracks the movement of evidence through its collection,
safeguarding, and analysis.
▪ It is a process used to prove that evidence has not been altered.
▪ Applies to physical, digital, and forensic evidence.
▪ Evidence should be stored in a secure location.

Investigation and Evidence Handling

To maintain an evidentiary chain, a detailed log should be maintained that includes the
following information:
1. Where and when (date and time) evidence was discovered
2. Identifying information such as the location, serial number, model number, hostname,
media access control (MAC) address, and/or IP address
3. Name, title, and phone number of each person who discovered, collected, handled, or
examined the evidence
4. Where evidence was stored/secured and during what time period
5. If the evidence has changed custody, how and when the transfer occurred (include
shipping numbers, and so on).

Storing and Retaining Evidence

▪ It is not unusual to retain/hold all evidence for months or years after the incident
ends. Evidence, logs, and data associated with the incident should be placed in
tamper-resistant containers, grouped together, and put in a limited-access location.
▪ Only incident investigators, executive management, and legal counsel should have
access to the storage facility.
Data Breach Notification Requirements
Definition: A data breach is widely defined as an incident that results in compromise,
unauthorized disclosure, unauthorized acquisition, unauthorized access, or unauthorized use
or loss of control of legally protected PII (Personally identifiable information), including the
following:
▪ Any information that can be used to distinguish or trace an individual’s identity, such
as name, SSN, date and place of birth, mother’s maiden name, or biometric records.
▪ Any other information that is linked or linkable to an individual, such as medical,
educational, financial, and employment information.
▪ Information that is standing alone is NOT generally considered personally identifiable,
because many people share the same trait, such as first or last name, country, state,
ZIP Code, age(without birthdate), gender, race, or job position.

Chapter 12: Business Continuity Management

Emergency Preparedness

Disaster
Any event that results in damage or destruction, loss of life, or drastic change to the
environment.
▪ In a business context, a disaster is an unplanned event that has the potential to
disrupt the delivery of mission-critical services and functions, risk the welfare ‫ رفاهية‬of
employees, customers, or business partners, and/or cause significant financial harm.
▪ The goal of emergency preparedness is to protect life and property.
▪ Disasters are unplanned; however, they should not be unanticipated.

The disaster causes by environmental, operational, accidental, or willful.

1. Environmental events: include severe weather, earthquakes, tornados, fire, flood, air
contaminants, and public health emergencies.
2. Operational issues: include failures or misconfiguration of equipment, disruption of
communication systems, unavailability of third-party systems or personnel, and
degradation of power.
3. Accidents: include nuclear, biological, or hazardous chemical exposure, explosions,
and user or operator error.
4. Willful damage: includes terrorism, sabotage, civil disturbances, war, workplace
violence, and cybercrime.

Resilient organization
Is the one has the capability to quickly adapt and recover from known or unknown change to
the environment.
▪ Resilience doesn’t just happen. It requires management support, investment, planning,
and layers of preparation.
 ▪ The ability to respond quickly, decisively and effectively to unforeseen and
unpredictable forces is now an enterprise imperative.
▪ Business disruption has an economic and societal ripple effect
▪ Emergency preparedness is a civic duty and regulatory requirement

Business Continuity Risk Management

▪ Continuity planning: is the business practice of ensuring the execution of essential
functions.
▪ Risk management
▪ Risk management as the process of identifying, analyzing, assessing, and
communicating risk and accepting, avoiding, transferring, or controlling it to an
acceptable level considering associated costs and benefits of any actions taken.
▪ Risk management for continuity of operations requires the organizations to:
1. Identify the threats that can disrupt operations. (Threat assessment)
2. Determine the risk. (Risk assessment)
3. Assess the impact on the company. (Business impact assessment)
▪ Business continuity threat assessment: Identify viable threats and predict the
likelihood of occurrence.
▪ Business continuity risk assessment: Evaluates the sufficiency of controls/measures
to prevent a threat from occurring or to minimize its impact.
Notes:
▪ A business continuity threat can best be defined as a potential danger to the
organization.
▪ Threats can be business specific, local, regional, national, or even global.
▪ The objective of a business continuity threat assessment is to identify viable threats
and predict the likelihood of occurrence.
▪ Threat modeling takes into account historical and predictive geographic,
technological, physical, environmental, third-party, and industry factors such as the
following:
▪ What type of disasters have occurred in the community or at this location?
▪ What can happen due to the geographic location?
▪ What could cause processes or information systems to fail?

Business Continuity Risk Assessment

The business continuity risk assessment evaluates the sufficiency of controls to prevent a
threat from occurring or to minimize its impact.
The outcome is the residual risk associated with each threat/risk.
▪ Residual risk is defined as the level of risk after controls and safeguards have been
implemented.
▪ The residual risk level provides management with an accurate description of what
happens if the threat is exercised under current conditions.
▪ Inherited risk is the level of risk before security controls are applied.
Residual risk scenarios

Business Impact Analysis(What Is a Business Impact Assessment (BIA)?

Identify essential services/processes and recovery timeframes
*It is a multistep collaborative activity that involves business process owners, stakeholders,
and corporate officers.
A BIA incorporates three metrics
1. The recovery point objective (RPO)
▪ Refers to the last point in time that a valid replication was made, and data
can be restored from.
2. The recovery time objective (RTO)
▪ The amount of time a business has to restore its processes at an
acceptable level after a disaster to avoid intolerable consequences
associated with the disruption.
3. The maximum tolerable downtime (MTD)
▪ The maximum length of time a business function can be disturbed
without causing significant harm to the business.

Business Continuity Plan (BCP)

The objective of business continuity planning is to ensure the organization has the capability
to respond and recover from a disaster.

Components/Phases of Business Continuity Plan:

1. Response plans (focus on the initial and near-term response and include such
elements as authority, plan activation, notification, communication, evacuation,
relocation, coordination with public authorities, and security).
2. Contingency plans (focus on immediate, near-term, and short-term alternate
workforce and business processes)
3. Recovery plans (focus on the immediate, near-term, and short-term recovery of
information systems, infrastructure, and facilities)
4. Resumption plans (guide the organization back to normalcy)
Business continuity management involves the entire organization
▪ Board of Directors provides oversight and guidance, authorizes the related policy, and
is legally accountable for the actions of the organization
▪ Executive management provides leadership
▪ Business Continuity Team (BCT) has the authority to make decisions related to disaster
preparation, response, and recovery

Disaster Response Plan

Addresses what should be done immediately following a significant incident
▪ Defines who has the authority to declare a disaster.
▪ Defines who has the authority to contact external entities.
▪ Defines evacuation procedures.
▪ Defines emergency communication & notification procedures.
▪ Upon declaration of a disaster, all BCT members should report to a designated
command and control center.
Occupant emergency Plan (OEP)
Describes evacuation and shelter-in-place procedures in the event of a threat or incident to
the health and safety of personnel.

Relocation strategies
▪ Hot site
▪ Fully operational location with redundant equipment and ready to move into.
▪ The data has been streamed to the site on a real-time basis or close to real
time.
▪ Warm site
▪ Workspace that is partially equipped with information systems and
telecommunications equipment
▪ *Configured to support operations including communications capabilities,
peripheral devices, power.
▪ Spare computers may be located there that then would need to be configured
in the event of a disaster
▪ Data must be restored.
▪ Cold site
▪ Backup facility equipped with power and secure access
▪ *There is no staged equipment.
▪ Mobile site
▪ Self-contained unit.
▪ Equipped with the required hardware, software, and peripherals
▪ Data needs to be restored.
 Operational Contingency Plan
Addresses how an organization’s essential business processes will be delivered during
the recovery process.

Example:
▪ Physical access to facilities at a maximum-security prison is regulated by a biometric
fingerprint access control system. The access control system is managed and
monitored by an information system. The back-end information system becomes
unavailable due to power loss.
▪ The business contingency procedure would address an alternate method to lock and
unlock doors. This may be a physical key or perhaps an access code. In either case,
knowing where the key is or what the code is would be essential to operations.

The Disaster Recovery Plan

Recovery strategies
▪ The path to bringing the company back to a normal business environment.
▪ In the disaster recovery plan, the organization begins the process of restoring or
replacing damaged infrastructure, information systems, and facilities.
▪ A plan should be in place that breaks down each category of recovery to the overall
recovery effort to simplify the daunting recovery process:
1. Mainframe recovery
2. Network recovery
3. Communications recovery
4. Infrastructure recovery
5. Facilities recovery

1. Mainframe recovery is specific to the restoration a mainframe computer (or equivalent

capability) and corresponding data processing.
2. Network recovery is specific to information systems (servers, workstations, mobile
devices, applications, data stores, and supporting utilities) and includes the restoration of
functionality and data.
3. Communications recovery encompasses internal and external transmission systems,
including local area network (LAN), wide area network (WAN) and Internet connectivity.
4. Infrastructure recovery involves those systems providing a general operating
environment, including environmental and physical controls.
5. Facilities recovery addresses the need to repair, rebuild or relocate the physical place.

The Resumption Plan

▪ The objective is to transition to normal operations
▪ Two major activities with this phase:
1. Validation Verifying recovered systems are operating correctly.
2. Deactivation The official notification that the organization is no longer
operating in emergency or disaster mode
Business Continuity Plan (BCP) Testing and Maintenance
▪ Proactive testing of the plan is essential.
▪ Until tested, the plan is theoretical at best
▪ The tests should prove that the procedures and the plan are:
1. Relevant
2. Operable under adverse conditions
3. Accurate
▪ Tests are used to discover errors and inadequacies
Three standard testing methodologies
1-Tabletop exercise
▪ Focuses on participant readiness)
Can be conducted:
1-Structured review: Focuses on a specific procedure or set of procedures
2-Simulation :A facilitator presents a scenario and asks the exercise participants’
questions related to the scenario, including decisions to be made, procedures to use, roles,
responsibilities, timeframes.
2. Functional exercises
• Allow personnel to validate plans, procedures, resource availability, and
participant readiness.)
3. Full-scale testing (specific scenario), can be expensive and risky

Business continuity plan audit

▪ Evaluation of how the business continuity program in its entirety is being managed
▪ Auditors must be independent.
▪ Auditors will look at the quality and effectiveness of the organization’s BCP process
and determine whether the testing program is sufficient.
At a minimum, you can anticipate they will ask the following questions:
▪ Is there a written business continuity policy and plan?
▪ Has the business continuity policy and plan been approved by the Board of Directors?
▪ How often is it reviewed and/or reauthorized?
▪ What training has the user community had?
▪ Are the results documented?

Business Continuity Plan (BCP) Maintenance

▪ Business environments are dynamic: The plan should be reviewed and edited regularly to
match the changes that occur in the company and/or the industry in which the company
is involved
▪ The plan cannot be reviewed without the risk assessment being reviewed as well.
▪ Responsibility for maintaining the plan should be assigned to a specific role such as the
Information Security Officer (ISO).
 Chapter 13: Regulatory Compliance for Financial Institutions

Intro
▪ A financial institution’s most significant asset is not money: It’s information about
money, transactions and customers.
▪ Protection of those information assets is necessary to establish the required trust for
the institution to conduct business.
▪ Institutions have a responsibility to protect their client’s information and privacy from
harm such as fraud ‫ تزوير‬and ID theft.

Who regulates banking and financial services in Saudi Arabia?

The Kingdom of Saudi Arabia has two regulators with responsibility for the authorization and
supervision of banks, insurance companies and other financial institutions
1. The Saudi Central Bank ‫( البنك المركزي السعودي‬SAMA), formerly known as
Saudi Arabian Monetary Agency ‫مؤسسة النقد العربي السعودي‬
2. Capital Market Authority ‫( هيئة السوق المالية‬CMA)

Responsibilities of SAMA
The SAMA regulates the following entities:
1. Conventional banks (deposit takers)
2. Insurance companies that engage in any insurance and re-insurance activities,
including general insurance, health insurance and protection and savings insurance.
3. Finance companies ‫ شركات التمويل‬that engage in real estate finance ‫التمويل العقاري‬, production
asset finance ‫تمويل أصول اإلنتاج‬, small and medium enterprise finance, finance lease ‫اإليجار‬
‫التمويلي‬, credit card finance, consumer finance, micro finance and any other finance
activity approved by the SAMA.
Notes:
▪ Given that the above entities are regulated by the SAMA, no banking business,
insurance or re-insurance activity or finance activity may be engaged in Saudi
Arabia without obtaining a license from the SAMA.
▪ It is strictly prohibited to conduct any of the activities listed above without
obtaining a license from the SAMA.
▪ The CMA regulates financial institutions that conduct securities business ‫أعمال‬
‫“( األوراق المالية‬Authorized Persons”).
▪ Securities business such as stocks and bonds ‫األسهم والسندات‬
▪ Such Authorized Persons include investment banks, asset managers, brokers
‫ سماسرة‬and financial advisers.

Duties of CMA
▪ The CMA is entrusted with the following duties:
1. Regulate and develop the capital market and promote appropriate standards and
techniques for all sections and entities involved in Securities Trade Operations.
 2. Protect investors and the public from unfair and unsound practices involving fraud,
deceit ‫خداع‬, cheating, manipulation, and inside information trading.
3. Maintain fairness, efficiency, and transparency in transactions of securities.
4. Develop appropriate measures to reduce risks pertaining to transactions of securities.
5. Develop, regulate, and monitor the issuance of securities and under-trading
transactions.
6. Regulate and monitor the activities of entities working under CMA.
7. Regulate and monitor full disclosure of information related to securities and issuers.

Cyber Security Framework

▪ SAMA established a Cyber Security Framework to enable Financial Institutions
regulated by SAMA (member organizations) to effectively identify and address risks
related to cyber security in Financial Sector.
▪ Cyber Security Framework is a set of guidelines for protecting computers, networks,
programs and data from cybersecurity risks.
▪ All the financial institutions regulated by SAMA must follow the cyber security
framework.
▪ The implementation of the Framework at the Member Organization will be subject to
a periodic self-assessment.
▪ The self-assessment will be performed by the Member Organization based on a
questionnaire.
▪ The self-assessments will be reviewed and audited by SAMA to determine the level of
compliance with the Framework and the cyber security maturity level of the Member
Organization
Components of cyber security framework:
▪ Cyber security leadership and Governance
▪ Cyber security risk management and compliance
▪ Cyber security operations and technology
▪ Third party cyber security
A. Cyber security leadership and Governance
Aims to develop and maintain the cyber security policy and to execute the cyber security
activities across the Member Organization.
1. Cyber Security Governance :To direct and control the overall approach to cyber security
within the Member Organization.
2. Cyber Security Strategy :To ensure that cyber security initiatives and projects within the
Member Organization contribute to the Member Organization’s strategic objectives and are
aligned with the Banking Sector’s cyber security strategy.
3. Cyber Security Policy :To document the Member Organization’s commitment and
objectives of cyber security, and to communicate this to the relevant stakeholders.
4. Cyber Security Roles and Responsibilities :To ensure that relevant stakeholders are aware
of the responsibilities with regard to cyber security and apply cyber security controls
throughout the Member Organization.
5. Cyber Security in Project Management To ensure that the all the Member Organization’s
projects meet cyber security requirements.
7. Cyber Security Awareness To create a cyber security risk-aware culture where the
Member Organization’s staff, third parties and customers make effective risk-based
decisions which protect the Member Organization’s information.
8. Cyber Security Training To ensure that staff of the Member Organization are equipped
with the skills and required knowledge to protect the Member Organization’s information
assets and to fulfil their cyber security responsibilities.

B. Cyber Security Risk Management and Compliance

1. Cyber Security Risk Management
• To ensure cyber security risks are properly managed to protect the confidentiality,
integrity and availability of the Member Organization’s information assets, and to
ensure the cyber security risk management process is aligned with the Member
Organization’s enterprise risk management process.
2. Regulatory Compliance
• To comply with regulations affecting cyber security of the Member Organization.
3. Compliance with (inter)national industry standards
• To comply with mandatory (inter)national industry standards such as:
EMV (Europay, MasterCard and Visa) technical standard;
SWIFT Customer Security Controls Framework.
4. Cyber Security Review
• To ascertain whether the cyber security controls are securely designed and
implemented, and the effectiveness of these controls is being monitored.
5. Cyber Security Audits
• To ascertain with reasonable assurance whether the cyber security controls are
securely designed and implemented, and whether the effectiveness of these controls
is being monitored.
• The cyber security status of the Member Organization’s information assets should be
subject to thorough, independent and regular cyber security audits performed in
accordance with generally accepted auditing standards and SAMA cyber security
framework.

C. Cyber Security Operations and Technology

In order to safeguard the protection of the operations and technology of the Member
Organization's information assets and its staff, third parties and customers, the Member
Organizations have to ensure that security requirements for their information assets and the
supporting processes are defined, approved and implemented.
1. Human Resources
• To ensure that Member Organization staff’s cyber security responsibilities are
embedded in staff agreements and staff are being screened before and during their
employment lifecycle.
2. Physical Security
• To prevent unauthorized physical access to the Member Organization information
assets and to ensure its protection.
• The Member Organization should ensure all facilities which host information assets
are physically protected against intentional and unintentional security events.
3. Asset Management
• To support the Member Organization in having an accurate and up-to-date inventory
and central insight in the physical / logical location and relevant details of all available
information assets, in order to support its processes, such as financial, procurement,
IT and cyber security processes.
4. Cyber Security Architecture
• To support the Member Organization in achieving a strategic, consistent, cost
effective and end-to-end cyber security architecture.
5. Identity and Access Management
• To ensure that the Member Organization only provides authorized and sufficient
access privileges to approved users.
6. Application Security
• To ensure that sufficient cyber security controls are formally documented and
implemented for all applications, and that the compliance is monitored and its
effectiveness is evaluated periodically within the Member Organization.
7. Change Management
• To ensure that all change in the information assets within the Member Organization
follow a strict change control process.
8. Infrastructure Security
• To support that all cyber security controls within the infrastructure are formally
documented and the compliance is monitored and its effectiveness is evaluated
periodically within the Member Organization.
9. Cryptography
• To ensure that access to and integrity of sensitive information is protected and the
originator of communication or transactions can be confirmed.
10. Bring Your Own Device (BYOD)
• To ensure that business and sensitive information of the Member Organization is
securely handled by staff and protected during transmission and storage, when using
personal devices.
11. Secure Disposal of Information Assets
▪ To ensure that the Member Organization’s business, customer and other sensitive
information are protected from leakage or unauthorized disclosure when disposed.
12. Payment Systems
• To ensure the Member Organization safeguards the confidentiality and integrity of
shared banking systems.
13. Electronic Banking Services
• To ensure the Member Organization safeguards the confidentiality and integrity of the
customer information and transactions.
14. Cyber Security Event Management
• To ensure timely identification and response to anomalies or suspicious events within
regard to information assets.
15. Cyber Security Incident Management
• To ensure timely identification and handling of cyber security incidents in order to
reduce the (potential) business impact for the Member Organization.
16. Threat Management
• To obtain an adequate understanding of the Member Organization’s emerging threat
posture.
17. Vulnerability Management
• To ensure timely identification and effective mitigation of application and
infrastructure vulnerabilities in order to reduce the likelihood and business impact for
the Member Organization.

D. Third Party Cyber Security

When Member Organizations do rely on, or have to deal with third party services, it is key to
ensure the same level of cyber security protection is implemented at the third party, as
within the Member Organization.
Third Parties in this Framework are defined as, information services providers, outsourcing
providers, cloud computing providers, vendors, suppliers, governmental agencies, etc.
1. Contract and Vendor Management
• To ensure that the Member Organization’s approved cyber security requirements are
appropriately addressed before signing the contract, and the compliance with the
cyber security requirements is being monitored and evaluated during the contract life-
cycle.
2. Outsourcing
• To ensure that the Member Organization’s cyber security requirements are
appropriately addressed before, during and while exiting outsourcing contracts.
3. Cloud Computing
• To ensure that all functions and staff within the Member Organization are aware of
the agreed direction and position on hybrid and public cloud services, the required
process to apply for hybrid and public cloud services, the risk appetite on hybrid and
public cloud services and the specific cyber security requirements for hybrid and
public cloud services.

Chapter 14: Regulatory Compliance for the Healthcare Sector

SeHE and Scope
▪ Saudi Health Information Exchange (SeHE) is a collection of polices that regulat and
protect, the flow of the health information in Saudi Arabia.
▪ The Saudi Ministry of Health (MOH) is responsible for monitoring and maintenance of
policies.
SeHE applies to all individuals and organizations that have access to Saudi Health
Information Exchange health records, including:
▪ Participating Healthcare Subscriber (PHCS)
▪ PHCS Business Associates
▪ Any subcontractors of Business Associates that perform functions or provide
services involving the use and disclosure of Personal Health Information (PHI).
▪ Any Saudi Health Information Exchange Infrastructure Service Provider
▪ Any other subcontractors of the Saudi Health Information Exchange.

SeHE, Purpose of Use Policy

The purpose of SeHE is to define permissible/allowable uses of the Health Information
Exchange (HIE) systems which include:
1. Treatment
2. Public Health
3. Healthcare Operations
4. Education
5. Payment

Personal Health Information (PHI) will primarily be made available on the SeHE for
purposes of:
▪ Treatment
• Providing healthcare services in regular and emergency cases.
▪ Public Health
• Monitor populations or sub-populations for significant health
events.
• Protection of the public in a situation in which there is
considered to be a significant risk.
▪ Healthcare Operations
• To ensure quality, safety, equity and cost-effectiveness of
healthcare services
▪ Education
• To support learning, research and professional development.
▪ Payment
• Enabling the availability of resources or funding or permissions
for providing healthcare services to the Subject of Care.

The purpose of SeHE, security policy is to ensure that the information security is conducted
in a manner that:
1. Protects PHI
2. Supports:Availability-Confidentiality-Integrity-Accountability-
Accountability means that people will be held responsible for their
actions and for how they perform their duties.
▪ HIE systems infrastructure security requires:
▪ Physical Security
▪ Access Control
▪ Classification of data
▪ Supervision of those with access
All HIE systems infrastructure systems SHALL be managed in accordance with one of
standard:
▪ ISO 27000
▪ SAS70/ SSAE 16
▪ All HIE systems’ communications must be encrypted.
▪ All HIE systems must have contingency and disaster recovery plans.

Data retention/holding requirement:

▪ PHI is retained indefinitely
▪ Data may allow amendment or replacement for corrections
▪ Data SHALL NOT be deleted at any time

SeHE, Identity Management Policy

▪ Purpose of Identity Management Policy:
▪ Ensure that the identities of the individuals and entities interacting with HIE
systems are assured to enable a data processing system to recognize entities.
▪ Digital certificates used for authentication or digital signatures SHALL be issued by the
National Center for Digital Certification.
▪ Proof of Identity for individuals include:
▪ Valid government issued photographic identification (i.e. passport, driver’s
license, military ID, national ID, or Residency Permit for Non-Saudi)
▪ HIE identification must be revocable.
▪ Proof of Identity for health provider organizations include:
▪ Attestation/verification on company letter head signed by company officer.

SeHE, Authentication Policy

Purpose of Authentication Policy:Ensure that systems and individuals interacting with HIE
systems are known through the process of reliable security identification of subjects.
▪ Accessing HIE systems requires unique identification of the individuals, systems, and
Organizations.
▪ Remote access requires multi-factor authentication.
▪ The user identity, role, and affiliation must be checked for both
revocation/cancellation and expiration.
▪ If any have been revoked or have expired, use would be denied.
▪ Inactive session should be logged off automatically no more than 30 minutes.
▪ Temporary access must be provided in emergency situations to unauthorized users.
▪ Emergency access requires audits and review.
SeHE, Consent and Access Control Policy
Purpose of Consent/Approval and Access Control Policy:
▪ Define who and how individuals and systems can access HIE systems’ data.
▪ Ensure that the resources of a data processing system can be accessed only by authorized
users.
▪ Define the circumstances in which a Subject of Care can permit or withhold the use and
disclosure of HIE accessible health information.

Consent:
• Access to personal health information (PHI) through HIE systems requires verification of
consents.
• The provider seeking access to HIE systems SHOULD have a treatment relationship with
the Subject of Care.
• HIE committees MAY define the specific information/documents that should be made
available by HIE systems.
• If the Subject of Care opted out of HIE, accessing all relevant documents should be
restricted.
• Sensitive PHI is present in the health record of the HIE system SHOULD only be disclosed
to relevant physicians.

Access Control
• Accessing information/documents in HIE systems SHALL enforce protections associated
with content marked as sensitive.
• Sensitive personal health information/documents must be classified to reflect proper
restriction.
• Sensitive personal health information SHALL be restricted to specialized care providers
as identified by their provider role.

SeHE, Audit Policy

Purpose of Audit Policy: Ensure that the security and confidentiality of subject of care data
transmitted through HIE systems is protected through privacy/security audits.
▪ All activities related to access, creation, modification and deletion of electronic PHI
should be accurately recorded.
▪ Logs SHALL be reviewed on a regular basis, at least quarterly.
▪ Detect improper use based on audit criteria developed in advance.
▪ Anomalies SHALL be documented and appropriate mitigating actions must be
taken and documented.
▪ Documentation be retained a minimum of ten years.
▪ Access to audit logs is restricted to approved privacy and security officers.
SeHE, Breach Notification Policy
▪ Purpose of Breach Notification Policy
• Define policy surrounding identification, investigation, notification, and mitigation
of a breach within the HIE systems.
▪ Access Monitoring
• Participating Healthcare Subscriber (PHCS) privacy and security officer(s) SHALL
review access to the HIE system and report any suspicious activity.
▪ Events Notification
• PHCS privacy and security officer(s) SHALL communicate the review of the
Reportable Event to HIE within two (2) business days of notification.
▪ Reportable Event Review and Breach Investigation
• The type of the breach and content of the report will determine the proper actions.
• Breach Investigation SHALL be completed within (30) days of receiving the
reportable event.
▪ Notification of Privacy Breach
The PHCS is responsible for notifying any Subject of Care who’s PHI has been breached
within (10-30) days following discovery of the breach.

Chapter 15: PCI Compliance for Merchants

Protecting Cardholder Data

▪ Payment cards companies developed the Payment Card Industry Data Security Standard
(PCI DSS) in order to:
▪ Protect cardholders against misuse of their personal information and to minimize
payment card channel losses.
▪ Payment Cards examples: Visa, MasterCard, Discover, JCB International and American
Express
▪ In this chapter, we are going to examine the PCI DSS, version 3.0.4

PCI DSS applies to all system components where account data is stored, processed or
transmitted.
▪ Account data
▪ Cardholder data plus sensitive authentication data.
▪ System components
▪ Any network component, server, or application that is included in, or connected to,
the cardholder data environment.
▪ Cardholder data environment
▪ The people, processes, and technology that handle cardholder data or sensitive
authentication data.
The following elements located on the front of a credit card:
1. Embedded microchip: contains the same information as the
magnetic stripe.
2. Primary account number (PAN).
3. Expiration date.
4. Cardholder name.

The following elements on the back of a credit card:

1. Magnetic stripe (mag stripe)—The magnetic stripe contains
encoded data required to authenticate, authorize, and process
transactions.
2. CVV2/CVC2/CID—All refer to card security codes (Verification
Numbers) for the different payment brands.

This system may be variously called

▪ CVV2 (Visa)
▪ CVC2 (MasterCard)
▪ CID (American Express)

What Is the PCI DSS Framework?

The PCI DSS framework includes:
1. Stipulations/Condition regarding storage, transmission, and processing of payment card
data
2. Six core principles
• Build and maintain a secure network and systems
• Protect cardholder data
• Maintain a vulnerability management program
• Implement strong access control measures
• Regularly monitor and test networks
• Maintain an information security policy
3. Required technical and operational security controls
4. Testing requirements
5. Certification process
The 12 PCI Top Level Requirements
The PCI DSS consists of 6 core principles, accompanied by the following 12 requirements:

PCI Compliance
▪ Compliance with PCI standards is not a government regulation or law.
▪ Complying with the PCI standards is a contractual obligation that applies to all entities
involved in the payment card channel, including merchants, processors, financial
institutions, and service providers, as well as all other entities that store, process, or
transmit cardholder data and/or sensitive authentication data.
▪ It’s mandated by the payment card brands to accept card payments and/or be part of the
payment system.
▪ Merchants are required to comply with PCI DSS
▪ A merchant is defined as any entity that accepts American Express, Discover, JCB,
MasterCard, or Visa payment cards as payment for goods and/or services (including
donations)
▪ Effectively, any company, organization, or individual that accepts card payments is
a merchant.

PCI compliance validation is composed of four levels, based on the number of transactions
processed per year and whether those transactions are performed from a physical location or
over the Internet.
▪ Level 1
▪ Processes more than 6 million Visa payment card transactions annually.
▪ Level 2
▪ Processing 1 million to 6 million Visa transactions per year.
▪ Level 3
▪ Any merchant processing 20,000 to 1,000,000 Visa e-commerce transactions
per year.
▪ Level 4
▪ Any merchant processing fewer than 20,000 Visa e-commerce transactions
per year, and all other merchants—regardless of acceptance channel—
processing up to 1 million Visa transactions per year.
What Is a Data Security Compliance Assessment?
Compliance Assessment is an annual onsite evaluation of compliance with the PCI DSS
conducted by either a Qualified Security Assessor (QSA) or an Internal Security Assessor (ISA)
• Qualified Security Assessors (QSAs) are organizations/companies that have been
qualified by the PCI Council to have their employees assess compliance to the
PCI DSS standard.
• Internal Security Assessors (ISAs) are sponsor companies that their internal
assessors have been qualified by the council to perform internal assess for their
own company.

▪ Assessment process begins with documenting the PCI DSS cardholder environment
and confirming the scope of the assessment
▪ QSA/ISA will conduct an initial assessment (GAP assessment) identify areas of
noncompliance and provide remediation recommendations.
▪ Post-remediation, the QSA/ISA will conduct the assessment.

Compliance Assessment
➢ Compliance Assessment: On-Site evaluation of compliance with PCI-DSS
➢ Create Report on Compliance (ROC) document
➢ Assessment Methodology
▪ Observe system settings
▪ Observe processes and actions that use cardholder data
▪ Review documentations
▪ Interview system users
▪ Run test data through system (Sampling)\

Report on Compliance
ROC standard template includes the following:
▪ Section 1: Executive Summary
▪ Section 2: Description of Scope of Work and Approach Taken
▪ Section 3: Details About Reviewed Environment
▪ Section 4: Contact Information and Report Date
▪ Section 5: Quarterly Scan Results
▪ Section 6: Findings and Observations
▪ Compensating Controls Worksheets (if Applicable)
• Worksheets that give an organizations an alternative to security
requirements that cannot be met and provide suggestions to
mitigate/control the risk associated with the original requirements.
What Is the SAQ?
Self Assessment Questionnaire (SAQ):A validation tool for merchants that are not required
to submit to an onsite data security assessment
There are two parts to the SAQ:
▪ The controls questionnaire and
▪ Self-certified attestation/ confirmation.
• In order to achieve compliance in question, the response to each question must
either be “yes” or an explanation of a compensating control.
• *If an entity cannot provide affirmative responses, it is still required to submit an
SAQ.
• To complete the validation process, the entity submits the SAQ and an
accompanying Attestation/confirmation of Compliance stating that it is or is not
compliant with the PCI DSS.
• If the attestation indicates noncompliance, a target date for compliance along with
an action plan needs to be provided.
Are There Penalties for Noncompliance?
Three type of fines
1-PCI noncompliance: Noncompliance penalties are discretionary/open and can vary greatly,
depending on the circumstances.
2. Account Data Compromise Recovery (ADCR) for compromised domestic-issued cards.
3. Data Compromise Recovery Solution (DCRS) for compromised international-issued cards.

In addition, the entity may be liable for the following penalties:

▪ All fraud losses perpetrated using the account numbers associated with the
compromise.
▪ Cost of reissuance of cards associated with the compromise
▪ Any fraud prevention/detection costs incurred by credit card issuers associated with
the compromise.
▪ Increased transaction fees.
Note: Fine paid by issuing bank. May be passed on to merchant.

****
Good Luck
Maryam Gaber