
CRISC Domain4 Part2

The document outlines key topics in enterprise architecture, information security, and emerging technologies, emphasizing the role of risk practitioners in managing these areas. It discusses the importance of data life cycle management, the CIA triad, and various encryption methods, while highlighting the challenges posed by trends like BYOD and IoT. Additionally, it addresses the significance of effective risk assessment and the need for robust security measures in the face of rapidly evolving technology.

Uploaded by

eng.anas.ksa

Domain 4 - Agenda

Enterprise Architecture
Hardware, Software, and Environmental Controls
Networks, Virtualization, and Cloud Computing
Project Management and Enterprise Resiliency
Data Life Cycle Management and System Development Life Cycle
Emerging Trends in Technology
Information Security Concepts, Frameworks, and Standards
Information Security, Data Privacy, and Data Protection
Objectives
➢ Discuss the phases involved in the data management life cycle.

➢ Describe the goal of effective data management.

➢ Explain how data loss can be prevented using specialized solutions.

➢ Identify the six phases of the System Development Life Cycle (SDLC).

➢ Explain the key security tasks to perform during the SDLC.


Emerging Trends in Technology and Risk Practitioner’s Role
Pressure to implement new technology is often influenced by:
• Inflated expectations of its utility and maturity.
• A focus on product functionality without attention paid to security.

It is the job of the risk practitioner to consider the risk and potential controls for technologies that may
present value to the enterprise.

Risk Management for Emerging Technologies


Emerging technologies often provide indicators years in advance of their potential.

A well-managed change control process ensures that new technologies are not implemented until the
security team has been able to:
• Validate the security impact of the change.
• Enable appropriate controls.
Emerging Trends in Technology and Risk Practitioner’s Role - 2
Role of a Risk Practitioner
The risk practitioner should:
• Evaluate and assess the approach of the enterprise to accepting new technologies.
• Evaluate and assess the attitude of the security and IT operations teams toward reviewing and
securing the new technologies.
• Get the attention and support of senior management by leading the effort to demonstrate how
new technologies can be safely incorporated into the enterprise.
Omnipresent Connectivity
People today tend to be constantly connected through:
• Smartphones
• Other mobile devices

The ability to connect at all times and in all places has led to demonstrable changes in how
people behave.
Bring Your Own Device (BYOD)
The average knowledge worker today has personal devices that meet or exceed the capabilities of
typical procured equipment:
• Smartphones
• Tablets
• Laptops
Meanwhile, enterprises are discovering that there may be direct cost benefits to allowing workers
to bring their own devices to work by reducing the need for large procurements of equipment.
• BYOD can be an attractive option for enterprises that want to connect with workers in a more
dynamic economy.
Internet of Things (IoT)
IoT devices:
• Are interrelated, internet-connected systems that transfer data over a wireless network.
• Can be anything from light bulbs to climate control systems or appliances.
• Tend to prioritize functionality.
• May make little or no provision for security.
Omnipresent Connectivity and Risk Management
For the risk practitioner, omnipresent connectivity means that it is harder to safeguard
information because people are:
• Able to share things.
• Inclined to share things.

Due to omnipresent connectivity, sensitive information might be recorded or photographed, either by
an intentional act or by malware that may be unknowingly installed on users’ mobile devices.

The consequences of a data breach or other security event due to BYOD remain primarily
applicable to the enterprise. Users bringing their own devices to work should be:
• Subject to controls.
• Allowed access to organizational data only through risk-aligned channels, such as remote
desktops.
• Restricted to perform certain activities through organizational equipment.
Omnipresent Connectivity and Risk Management - 2
With regards to the use of IoT devices, the risk practitioner should:
• Anticipate the appeal of smart devices.
• Inquire about any IoT plans or implementations already in place.
• Bring together facilities and information security staff before smart devices are deployed.
• Encourage the use of the SDLC for IoT projects.
Massive Computing Power
• Even though there is direct risk associated with moving to the cloud, the massive computing
power assembled by cloud architectures has implications beyond assigning accountability in
the event of disruptions.
• As networking has expanded and gotten both faster and cheaper, it has become increasingly
easy to connect multiple computers in ways that allow them to collaboratively process the
same data in complex transactions.
• This connectivity advantage coincides with an increase in capability on a per-processor basis, as
multi-core processors have become standard and operating systems have gained the ability to
leverage much larger amounts of memory.
• For many enterprises, transitions to the cloud mean:
  ▪ More easily predicted and controlled hardware utilization costs.
  ▪ Smaller IT staffing requirements and greater business flexibility.
• The combination of these factors, along with virtualization, is what makes cloud computing
possible.
Technologies in Massive Computing Power
Decryption
Organizations frequently rely on encryption to safeguard their data should an unauthorized third-party:
• Gain physical access to a device.
• Successfully authenticate to a user network.

Traditionally, encryption has been considered secure because the computing power needed to break it
was beyond reach. Today, it cannot be taken for granted that data is safe simply because it is
encrypted with a mathematical key.

The ability to rapidly provision computing power through cloud providers has enabled individuals or
groups to direct large numbers of computers at breaking encryption, attempting to recover the key
through pattern analysis and brute-force attacks.
Technologies in Massive Computing Power - 2
Deepfakes
• False audio and video can now be created using digitally manufactured imitations of a person based on
samples. It is possible to digitally detect these “deepfakes,” but doing so takes considerable
expertise.

• Risk practitioners operating in high-risk environments can guard against deepfakes misdirecting
operations through a combination of security awareness and administrative controls.

• For instance, requiring that a particular transaction not only have the verbal approval of the CEO
but also written approval from another executive, or using a dedicated callback number to obtain
confirmation after receiving initial outreach, can help inoculate an organization against this kind of
technical deception.
Technologies in Massive Computing Power - 3
Big Data
Proliferation of devices and computing power in an environment of omnipresent connectivity has led to
an enormous expansion in the volume of data.

Analysis of these vast amounts of data has in turn shifted from delivering competitive advantage to being
a necessary precondition of business for many organizations.

Accumulation of substantial volumes of data has implications for privacy. Finding the right experts
to design effective data analytics is a growing concern, and retaining data beyond its intended use can
result in reputational risk as well as fines or penalties for breach of contract where retention of
data was explicitly limited to particular periods.
Blockchain
Capability has emerged to store data in blocks that are chained together, maintaining a timeline of
transactions that allows the history of data to be determined without centralized processing.

• The "blockchain" structure:
  ▪ Makes falsifying an entry exceedingly difficult.
  ▪ Has each entry contain its own digital hash as well as the hash of the block before it.

• Blockchain has been:
  ▪ Implemented in pseudo-currencies based on cryptography (e.g., Bitcoin, Ethereum).
  ▪ Touted as a way to revolutionize banking, healthcare, property titles, and even voting.

• Risk practitioners in industries affected by blockchain should take care to remain apprised of what
developments are underway.
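The following is an added illustration, not part of the CRISC material: a minimal hash chain in Python that shows concretely why each block carrying the previous block's hash makes falsifying an entry detectable. The entry contents are constructed for the demo. It also shows the one case the chain alone does not catch (rewriting the final block and its hash), which is why a chain's latest hash is normally anchored somewhere the writer does not control (a distributed ledger, a published value, a signed record).

```python
import hashlib
import json
from dataclasses import dataclass, field

# Added illustration, not CRISC material: a minimal hash chain showing why
# changing an earlier entry is detectable, and the one case the chain alone
# does not catch. Entry contents are constructed.

@dataclass
class Block:
    index: int
    data: str
    prev_digest: str            # digest of the block before this one
    digest: str = field(init=False)

    def __post_init__(self):
        self.digest = self.compute_digest()

    def compute_digest(self) -> str:
        # The digest covers this block's content AND the previous digest: that link is the chain.
        payload = json.dumps({"index": self.index, "data": self.data,
                              "prev_digest": self.prev_digest}, sort_keys=True)
        return hashlib.sha256(payload.encode()).hexdigest()

def build_chain(entries):
    """Start from a fixed genesis block and append one block per entry."""
    chain = [Block(0, "genesis", "0" * 64)]
    for i, entry in enumerate(entries, start=1):
        chain.append(Block(i, entry, chain[-1].digest))
    return chain

def verify_chain(chain, expected_tip=None):
    """(True, None) if intact; otherwise (False, index of the first block that fails)."""
    for i, block in enumerate(chain):
        if block.digest != block.compute_digest():
            return False, i                       # stored digest no longer matches content
        if i > 0 and block.prev_digest != chain[i - 1].digest:
            return False, i                       # link to the previous block is broken
    if expected_tip is not None and chain[-1].digest != expected_tip:
        return False, len(chain) - 1              # whole tail was rewritten; caught only by an anchor
    return True, None

def tamper_in_place(entries, index, new_data, expected_tip=None):
    """Edit one entry without touching its digest, then verify."""
    chain = build_chain(entries)
    chain[index].data = new_data
    return verify_chain(chain, expected_tip)

def tamper_and_rehash(entries, index, new_data, expected_tip=None):
    """Edit one entry and recompute only that block's digest, then verify."""
    chain = build_chain(entries)
    chain[index].data = new_data
    chain[index].digest = chain[index].compute_digest()
    return verify_chain(chain, expected_tip)

if __name__ == "__main__":
    entries = ["deposit 100", "withdraw 40", "deposit 10"]
    print(verify_chain(build_chain(entries)))            # (True, None)
    print(tamper_in_place(entries, 1, "withdraw 4"))     # (False, 1): digest mismatch on block 1
    print(tamper_and_rehash(entries, 1, "withdraw 4"))   # (False, 2): block 2 still points at the old digest
```

Rehashing one block only moves the break to the next block; rewriting every later block as well is what the "exceedingly difficult" claim refers to, and in a distributed ledger it requires overpowering every other copy of the chain. For a private, single-writer chain, the verifier should compare the tip against an externally anchored value, which is what the `expected_tip` argument represents.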
Artificial Intelligence
• Historically, a computer could be called intelligent when it was able to engage in behavior
indistinguishable from a human.
• Today, AI is capable of accomplishing tasks that mimic human behavior within narrow constraints.

➢ Risk Practitioners Consider:
  ▪ Distinctions between human and rational response.
  ▪ Any rules that can be positively verified can likely be exploited by those with intent and awareness.

Improvement Warning:
• Where “improvement” is poorly or incorrectly defined, iteration aimed at refining outcomes may
result in lasting deviation from goals.
• Heuristic systems used in intrusion detection and prevention are particular areas of concern for
machine learning (ML), where an errant determination that malicious traffic is normal could result in
willful blindness to an intrusion underway.
Domain 4 - Agenda

Enterprise Architecture
Hardware, Software, and Environmental Controls
Networks, Virtualization, and Cloud Computing
Project Management and Enterprise Resiliency
Data Life Cycle Management and System Development Life Cycle
Emerging Trends in Technology
Information Security Concepts, Frameworks, and Standards
Information Security, Data Privacy, and Data Protection
Objectives
➢ Discuss the information security principles, concepts, frameworks, and standards.

➢ Explain the CIA Triad and its components.

➢ Discuss segregation of duties, cross-training, and job rotation.

➢ Describe access control and the IAAA concepts.

➢ Discuss the concept and types of encryption.


Information Security Principles, Concepts, Frameworks, and Standards
Objective
Risk management goal: ensure technology used in the enterprise is adequately protected, secure, and reliable.
The risk practitioner should ensure the risk assessment and response program:
• Evaluates new technology.
• Provides effective advice on how to deploy and use it within the boundaries of risk tolerance.

Information Security Principles


When organizations deploy new technology, risk practitioners should consider:
• Training for users and administrators
• Creation of policies and procedures
• Inclusion of systems in backup schemes and continuity plans
• Assignment of risk ownership
• Consent of information owners for any technology that may handle sensitive information
• Review of legal or regulatory requirements
• Assignment of responsibility for monitoring and reporting on proper technology use
Information Security Principles, Concepts, Frameworks, and Standards - 2
Information Security Concepts
IT risk is often linked to information security.
Some enterprises are able to quantify risk with a high level of accuracy while in others, the term “risk”
may be poorly understood.
Because it is based on concepts such as likelihood and impact, risk can be hard to quantify.
The predicted impact of an undesired event usually looks at only direct, immediate effects. However,
actual events may have repercussions that affect tangential aspects of the business or are discovered
long after the event has occurred.

Information Security Standards and Frameworks


Standards and frameworks can assist in the effective implementation of information security principles
and concepts.
• Standards are prescriptive requirements against which organizations can be certified compliant.
• Frameworks define outcomes that should be achieved for good results, without specifying how these
outcomes must be met or providing a means of certification.
The CIA Triad – An Overview
Risk practitioners can evaluate information systems and data sources on three principles:
• Confidentiality
• Integrity
• Availability

An evaluation based on the CIA triad helps identify if and how a compromise or failure would
affect the enterprise.

The risk practitioner should understand what CIA is and how the three principles are related to each
other.
Components of CIA Triad
The different components of the CIA triad, as well as two associated concepts are:

Confidentiality
• It refers to the secrecy and privacy of data.
• A breach of confidentiality means the improper release of information, such as disclosure to an
internal or external recipient not authorized to access it.
Integrity
• It refers to protection against improper modification, exclusion, or destruction of information.
• It applies to actions taken by both authorized and unauthorized users, as well as processes or
activities operating on the system.
Availability
• It refers to providing timely and reliable access to information.
• Timely access to data is important to business processes.
• In industrial control systems operating machinery or regulating power generation, near-real-
time availability may be essential for safety and proper system operations.
Components of CIA Triad - 2
Nonrepudiation
• Refers to a positive guarantee that a given action was carried out by a given individual or process
and is an important part of tracing responsibility and enforcing accountability.
• Originates from a combination of confidentiality and integrity.

System Authorization
• Many enterprises use a form of objective assessment and formal acceptance of risk associated
with the installation and operation of information systems. This culminates in the explicit
authorization of a system to operate prior to it being allowed to do so.
• It is referred to as certification and accreditation (C&A) or assessment and authorization (A&A).
Segregation of Duties
Segregation of Duties (SoD) is a basic internal control that prevents or detects errors and
irregularities by assigning separate individuals responsibility for initiating and recording
transactions and the custody of assets.
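As an added illustration (not CRISC material), the following Python checks role assignments against a matrix of conflicting duties, which is how SoD is typically enforced in an identity and access review. The permission names, roles, and conflict pairs are constructed for the demo; a real matrix would come from the enterprise's control catalog.

```python
# Added illustration, not CRISC material: checking role assignments against
# a matrix of conflicting duties. Permission, role and conflict names are constructed.

# Pairs of duties that one person should not hold at the same time.
CONFLICTING_DUTIES = {
    frozenset({"initiate_payment", "approve_payment"}),
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"record_transaction", "custody_of_assets"}),
}

# Which permissions each role grants.
ROLE_PERMISSIONS = {
    "ap_clerk":   {"initiate_payment", "create_vendor"},
    "ap_manager": {"approve_payment"},
    "accountant": {"record_transaction"},
    "treasury":   {"custody_of_assets"},
}

def effective_permissions(roles):
    """Union of the permissions granted by every role a user holds."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS[role]
    return perms

def role_design_conflicts():
    """Roles that carry a toxic pair on their own (a design defect, not an assignment problem)."""
    return sorted(role for role, perms in ROLE_PERMISSIONS.items()
                  if any(pair <= perms for pair in CONFLICTING_DUTIES))

def sod_violations(user_roles):
    """Map user -> sorted conflicting duty pairs that arise from the user's combined roles.

    The classic finding is a user whose individual roles are each fine but whose
    combination lets one person both initiate and approve.
    """
    findings = {}
    for user, roles in user_roles.items():
        perms = effective_permissions(roles)
        hits = sorted(tuple(sorted(pair)) for pair in CONFLICTING_DUTIES if pair <= perms)
        if hits:
            findings[user] = hits
    return findings

def separate_individuals(initiator, approver):
    """Transaction-level check: the approver must be a different person from the initiator."""
    return initiator != approver

if __name__ == "__main__":
    assignments = {
        "alice": ["ap_clerk"],
        "bob":   ["ap_clerk", "ap_manager"],   # accumulated roles -> can initiate and approve
        "carol": ["accountant", "treasury"],   # records transactions and holds the assets
        "dan":   ["ap_manager"],
    }
    for user, pairs in sod_violations(assignments).items():
        print(user, "->", pairs)
```

Running the matrix check on each access review, rather than only at provisioning time, catches the accumulation of roles that happens as people change jobs. Where a conflict cannot be removed (small teams), the finding is the input to a compensating control such as independent review of the affected transactions.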
Cross-Training and Job Rotation
Enterprises can train multiple people with the same skills, so that any of a number of individuals
can step in to fill a vital role as needed.

Cross-training: Team members are trained in one another’s roles.

Enterprises can change who is involved in which roles at which times.

Job rotation: Place people in different roles than usual to allow independent verification.
Quiz
Amir and Sara are reviewing the authentication mechanisms used by Horizon Bank. Amir is
particularly interested in how reliable log data might be when it presents information on which
users performed certain activities.

A. Confidentiality

B. Availability

C. Nonrepudiation

D. Integrity
Access Control
Managing access to information systems and data is one of the most challenging aspects of
information security. Access control is commonly addressed through the combination of four
concepts:

Identification
It is possible to track and log activity on a per-user basis by assigning a unique identifier to every
individual, device, or process that has access to a system. Identification may be done on a self-
assigned or centrally managed basis.

Authentication
Authentication is the process of validating an identity once it is presented. The purpose of
authentication is to ensure that one person cannot spoof an identity or masquerade as another
user, which includes prevention of ID sharing by more than one person.
Access Control - 2
Authorization
After successful authentication, the system can provide the user with appropriate levels of access.
Authorization refers to the privileges or permissions the person will have, which may include read-
only, write-only, read/write, create, update, delete, or full control over data.

Accountability
Accountability refers to the behavior of users being traceable back to them on an identity basis.
Typically accomplished through auditing, accountability relies on systems logging or recording
activity on a system in a manner that indicates the user IDs responsible for the activity.
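As an added illustration (not CRISC material), the following Python puts the four concepts into one small in-memory access-control service: a unique identifier per user (identification), a salted password hash checked in constant time (authentication), a permission check (authorization), and an audit log that ties every decision to the user ID (accountability). User names, permissions, and the KDF parameters are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

# Added illustration, not CRISC material: identification, authentication,
# authorization and accountability in one small in-memory service.
# User names, permissions and KDF parameters are constructed for the demo.
KDF_ITERATIONS = 100_000

class AccessControl:
    def __init__(self):
        self._credentials = {}   # identification: unique user id -> (salt, password hash)
        self._permissions = {}   # authorization: user id -> set of allowed actions
        self.audit_log = []      # accountability: every decision, tied to a user id

    def register(self, user_id: str, password: str, permissions) -> None:
        if user_id in self._credentials:
            raise ValueError(f"identifier {user_id!r} already in use; ids must be unique")
        salt = secrets.token_bytes(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)
        self._credentials[user_id] = (salt, pw_hash)   # the password itself is never stored
        self._permissions[user_id] = set(permissions)

    def authenticate(self, user_id: str, password: str) -> bool:
        """Validate the presented identity; the outcome is logged either way."""
        record = self._credentials.get(user_id)
        if record is None:
            # Run the KDF anyway so response time does not reveal which ids exist.
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, KDF_ITERATIONS)
            ok = False
        else:
            salt, stored = record
            candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)
            ok = hmac.compare_digest(candidate, stored)   # constant-time comparison
        self._record(user_id, "login", "-", ok)
        return ok

    def authorize(self, user_id: str, action: str, resource: str) -> bool:
        """Check the authenticated user's privileges for this action; log allow or deny."""
        ok = action in self._permissions.get(user_id, set())
        self._record(user_id, action, resource, ok)
        return ok

    def perform(self, user_id, password, action, resource) -> bool:
        """Full path: identify (user_id) -> authenticate -> authorize. Every step is logged."""
        return self.authenticate(user_id, password) and self.authorize(user_id, action, resource)

    def _record(self, user_id, action, resource, ok):
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "user": user_id, "action": action, "resource": resource,
            "result": "allow" if ok else "deny",
        })

    def events_for(self, user_id):
        """Accountability query: what did this identity do, and with what outcome?"""
        return [e for e in self.audit_log if e["user"] == user_id]

if __name__ == "__main__":
    ac = AccessControl()
    ac.register("amir", "correct-horse-battery", ["read"])
    ac.perform("amir", "correct-horse-battery", "read", "audit-log")    # allowed
    ac.perform("amir", "correct-horse-battery", "write", "audit-log")   # denied at authorization
    for event in ac.events_for("amir"):
        print(event)
```

Two details matter for the reliability of the log that the quiz above asks about: denied attempts are recorded as well as successful ones, and the log records the user ID that was authenticated, not a shared account. Shared IDs are exactly what breaks the chain from log entry to responsible individual.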
Encryption – An Overview
What encryption is and how it relates to information risk.

What is encryption?
Encryption is a mathematical means of altering data from a readable form (plaintext or cleartext)
into an unreadable form (ciphertext), in a manner that can be reversed by someone who has
access to the appropriate key—a numeric value that reverses the mathematics to recreate the
original form.

Why is encryption used?


The foremost use of encryption is to protect the confidentiality of data by making data unreadable
to anyone who is unauthorized.
Encryption can in some cases also be combined with a different mathematical transformation to
create digital signatures that provide nonrepudiation.
Encryption – An Overview - 2
What is the main risk related to encryption?
The risk practitioner should understand that encryption is a control that operates on a fail-
secure and not a fail-safe basis: if keys are corrupted or lost, encrypted data may not be
recoverable.

This feature, which is intentional, is the basis for ransomware attacks, in which threat actors
use encryption to lock up organizational data and withhold the key until a ransom is paid.
Encryption
The science of creating encryption is called cryptography, while the broader study of creating and
solving cryptographic puzzles is called cryptology.
• Encryption comes in two basic forms:

Symmetric Cryptography
The most common symmetric key cryptographic system in use today is the Advanced Encryption
Standard (AES).
AES supports key lengths of 128, 192, or 256 bits.
Applications:
• File transfer
• Content presentation
• VPN creation
Encryption - 2
Symmetric Cryptography
How it works:
The data sender must deliver the key to the data receiver before the receiver can decrypt the message.
Initial key delivery requires an out-of-band (often physical) method; afterwards, updated keying
information can be sent periodically via the secure channel that has been established.

Disadvantages:
• Brokering a secured connection is difficult when users are unknown or connections are
dynamic.
• It can’t identify the creator of a message if all participants used the same key.
• The solution to provide distinct keys to participant pairs is not scalable.
Encryption - 3
Asymmetric Cryptography
Based on the Diffie-Hellman model (1976), asymmetric cryptography uses two mathematically
related keys per user:

➢ Public Key:
▪ Shared openly with others
▪ Used to encrypt messages — only the corresponding private key can decrypt them

➢ Private Key:
▪ Kept secret by the owner
▪ Used to decrypt messages encrypted with the matching public key

Advantages:
• Scales easily, because each user can generate keys independently.
• Only intended recipients can open messages, as long as their private keys remain secret.
Public Key Encryption
Message Integrity and Hashing Algorithms
Purpose:
Cryptologists developed hashing to reduce data size and computational load needed for detecting
errors or tampering in earlier systems.
How it works:
Hashing mathematically transforms input data into a fixed-length message digest using an
algorithm that is:
• Predictable
• Repeatable
• Fully dependent on the content
The output is always the same hash value for the same input, regardless of message size.
Why it matters:
Older systems suffered from:
• Slow processing and signal interference, leading to errors.
• Hashing fixes this by offering a fast, consistent way to verify message integrity.
Public Key Encryption - 2
A digital signature combines:
• A hash function (for integrity)
• Public key encryption (for authenticity)

It allows the receiver to verify:


• Message Integrity
The message was not changed, because the hash of the received message matches the hash
(digest) sent with it.
• Sender Authenticity
The message was truly sent by the claimed sender, because:
– The digital signature was created using the sender’s private key
– And it can be verified only with the sender’s public key
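The following Python is an added illustration, not part of the CRISC material, covering both the asymmetric key usage from the previous section and the hash-then-sign construction on this slide. It uses textbook RSA on Python integers so that every step is visible: the digest of a message is signed with the sender's private key and checked with the sender's public key, while confidentiality goes the other way (encrypt with the recipient's public key, decrypt with the recipient's private key). Key size, the absence of a padding scheme, and the message text are demo assumptions; production code uses a vetted library with PKCS#1/PSS padding and much larger keys.

```python
import hashlib
import math
import secrets

# Added illustration, not CRISC material: hashing for integrity, and a textbook
# RSA key pair used to sign (sender's private key) and to encrypt for a recipient
# (recipient's public key). Demo-sized keys, no padding: not for production use.

def sha256_hex(data: bytes) -> str:
    """Fixed-length (64 hex chars) digest; identical input always gives the identical digest."""
    return hashlib.sha256(data).hexdigest()

def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # force size and oddness
        if is_probable_prime(cand):
            return cand

def generate_keypair(bits: int = 160):
    """Return ((e, n), (d, n)). With two 160-bit primes, n > 2**256, so a SHA-256 digest fits."""
    e = 65537
    while True:
        p, q = gen_prime(bits), gen_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            n = p * q
            return (e, n), (pow(e, -1, phi), n)

def sign(message: bytes, private_key) -> int:
    """Hash the message, then apply the signer's PRIVATE key to the digest."""
    d, n = private_key
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(digest, d, n)

def verify(message: bytes, signature: int, public_key) -> bool:
    """Recompute the digest and compare with what the signer's PUBLIC key recovers."""
    e, n = public_key
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(signature, e, n) == digest

def encrypt(plaintext: bytes, recipient_public_key) -> int:
    """Confidentiality: encrypt with the RECIPIENT's public key (Amin's key, in the quiz below)."""
    e, n = recipient_public_key
    m = int.from_bytes(plaintext, "big")
    if m >= n:
        raise ValueError("message too long for this demo modulus")
    return pow(m, e, n)

def decrypt(ciphertext: int, private_key) -> bytes:
    """Only the holder of the matching private key can reverse encrypt()."""
    d, n = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

if __name__ == "__main__":
    amin_pub, amin_priv = generate_keypair()
    salma_pub, salma_priv = generate_keypair()
    msg = b"SoD matrix - confidential"
    ct = encrypt(msg, amin_pub)                      # Salma encrypts with Amin's public key
    sig = sign(msg, salma_priv)                      # and signs with her own private key
    print(decrypt(ct, amin_priv) == msg)             # True: Amin decrypts with his private key
    print(verify(msg, sig, salma_pub))               # True: anyone can check with Salma's public key
    print(verify(msg + b"!", sig, salma_pub))        # False: one changed byte breaks the digest
```

Note the two roles of the same key pair: a private key is used to sign (proving origin, giving nonrepudiation) and to decrypt (protecting confidentiality), while the public key verifies and encrypts. The digest is what gets signed, which is why hashing is described as reducing the computational load: the signature operation runs over 32 bytes rather than the whole message.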
Public Key Encryption - 3
Certificates
Certificates link public keys with specific owners through the endorsement of a trusted third party
called a Certificate Authority (CA).
The CA:
• Verifies the person’s or organization’s identity.
• Issues a certificate that confirms the public key belongs to them.

The format used is based on the X.509 standard, which allows certificates to work across
different browsers, systems, and software — even if issued by different CAs.
Quiz
Amin wants Salma to send him a segregation of duties matrix that Horizon Bank policy
considers confidential. Fortunately, all staff members have asymmetric key pairs in order
to facilitate secure communication.
Which key should Salma use to encrypt the message?

A. Amin’s Public Key

B. Amin’s Private Key

C. Salma’s Public Key

D. Salma’s Private Key


Domain 4 - Agenda

Enterprise Architecture
Hardware, Software, and Environmental Controls
Networks, Virtualization, and Cloud Computing
Project Management and Enterprise Resiliency
Data Life Cycle Management and System Development Life Cycle
Emerging Trends in Technology
Information Security Concepts, Frameworks, and Standards
Information Security, Data Privacy, and Data Protection
Objectives
➢ Discuss how human users are more vulnerable to the tactics of threat actors.

➢ Explain the purpose of risk awareness training.

➢ Describe the role of risk practitioners in reviewing the scope of risk awareness and training programs.

➢ Explain the importance of privacy and data protection.

➢ List the principles of data protection.

➢ Elaborate on the key concepts of data privacy.

➢ Discuss how risk can be managed to maintain data privacy.


Risks Associated with Technology Awareness
The familiarity with technology that people bring to their workplaces may reduce operation
training costs and help boost productivity. It also creates risk.

As barriers to entry into the computing workspace have fallen, so have barriers to becoming cyber
threat actors.

Vulnerable Human Users


Current threat actors have correctly identified human users as the weakest link in the information
security foundation of modern enterprises.
While security technology has improved dramatically, threats targeting humans—such as social
engineering, data theft, ransom, and exploitation—have increased unchecked, making users
more vulnerable than ever.

• Employees who are used to freely sharing on social media and personal networks may
unintentionally make information more available than authorized by company policy, or look for
ways around security measures that they find inconvenient for their work style.
Risks Associated with Technology Awareness - 2
Phishing Email and Phone
When people receive realistic-looking emails or phone calls that pretend to be from internal
support or security services and are asked to take a specific action immediately, many
individuals are likely to follow the instructions without verifying.

• Even worse, due to inadequate Segregation of Duties (SoD) and poor implementation of least
privilege principles, these users often have access permissions that allow them to cause serious
harm within the organization's systems.

By the time these unwitting accomplices to cyber-attacks become aware of what has happened,
organizations may be facing:
• Permanent loss of data
• Damage to reputation
• Unauthorized transfers of funds
• Liability damages to third parties whose data has been stolen
Information Security Awareness Training
Need for Information Security Awareness
To counter the threats of realistic-looking emails or phone calls, enterprises need to
educate and train their workforce on proper principles of information and cybersecurity.

The main focus is on resisting social engineering techniques used by unauthorized individuals
to trick users into performing actions that support malicious goals.

These actions are often simple — such as clicking a link, providing a phone number, or opening an
attachment — but they fit into larger plans, potentially:
• Deploying malware
• Taking over user accounts
• Gaining deeper access into the organization without being detected
Information Security Awareness Training - 2
Purpose of Information Security Awareness
Making human users more resilient to the tactics of threat actors is a major goal of security
awareness and training programs — but it’s not the only goal.

Human users are the first line of defense. When properly trained, their judgment can help
identify attacks in progress, even if they are not directly targeted.

By alerting internal response teams, these resilient users help build a resilient workforce,
which ultimately improves overall information and cybersecurity across the organization.
Role of Risk Practitioners
Risk practitioners should review the scope of information security training and awareness
programs against identified threats faced by the organization.

At a minimum, the program should address these three things:

• Threats from social engineering, including deceptive emails (phishing) and calls or voicemails
(vishing), form the principal threat vector for attacks targeting human users.

• Methods of alerting internal security response capabilities, such as an IT service desk or incident
response team, to ensure prompt notification and response to any threat events.

• Policies and regulatory requirements specific to the enterprise or its business sector.
Quiz
Social engineering uses information gathered about a person to create a sense of
familiarity or urgency. This makes the victim more likely to take action for the attacker’s
benefit—something they wouldn’t normally do.

Which of the following sources is most often used in social engineering?

A. Social Media

B. Friends and Coworkers

C. The individual’s mail or correspondence

D. HR Records
Privacy and Data Protection – An Overview
Privacy and data protection are increasingly important to enterprises.

At the same time, numerous jurisdictions have established strong laws and regulations related to
data.

Among the most impactful is the European Union General Data Protection Regulation (GDPR).
It establishes seven key principles:

• Lawfulness, Fairness, Transparency


• Purpose Limitation
• Data Minimization
• Accuracy
• Storage Limitation
• Integrity and Confidentiality
• Accountability
Data Protection - Key Concepts
An effective privacy program should establish clear lines of responsibility and accountability that
include data privacy concepts in a manner appropriate for the legal and business contexts in
which the organization operates.

Privacy vs. Confidentiality


At its essence, privacy is very similar to confidentiality: the goal is to ensure that no one gets
access to information that should not have it.
What distinguishes privacy from confidentiality in practice is that an individual identified by
information subject to privacy controls – the subject – has rights regarding the handling and
retention of that data even if that person is not the data owner.
This distinction establishes several concepts specific to privacy that deserve the risk practitioner’s
awareness, and it is also reflected in the seven principles of the General Data Protection Regulation
(GDPR).
Data Protection - Key Concepts - 2
Informed Consent
Data subject to privacy regulations should be collected, used, and retained with the informed
consent of the subject.
A signed consent form is typically part of the process but may not in itself be enough to
establish informed consent.
In addition, there may need to be a process for revocation of consent.

Privacy Impact Assessment


Organizations conduct privacy impact assessments (PIAs) to identify and manage risks related
to privacy whenever personal information is collected.
The PIA typically covers how information is used, shared, and maintained.
Similar to a risk assessment, a PIA accounts for the effects of a compromise on the subject rather
than impact to the enterprise.
Risk practitioners dealing with data subject to privacy regulations should be familiar with the PIAs
conducted before collecting the data as a first step towards ensuring that adequate protective
measures are in place.
Data Protection - Key Concepts - 3
Minimization
Many enterprises accumulate considerable data and retain it without limit.
Risk practitioners should understand that this data, which may be viewed as an asset, is also a
potential disaster for enterprises subject to strong privacy regulations should a data breach occur.
Privacy is best assured when only data that is expressly needed and relevant for a justified
purpose is collected.

Destruction
Just as data should only be collected when necessary, it should generally be destroyed once its
purpose is concluded.
Destruction can be complicated because some types of data must be retained for specific periods
according to law or regulation, and contractual obligations may also impose specific parameters
for destruction.
In this case, it is important to implement access restrictions to the data.
Risk practitioners should account for destruction requirements and ensure that there are
methods to carry out destruction as well as processes to verify that it has occurred as planned.
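As an added illustration (not CRISC material), the following Python turns the minimization and destruction points into a checkable process: a retention policy per data category, a schedule that classifies each record as retain, destroy, hold (retention expired but a legal or contractual hold applies, so access is restricted instead), or review (no policy defined, so nothing is guessed), and a verification step that lists records which should have been destroyed but are still present. Categories, retention periods, record identifiers, and hold lists are constructed for the demo.

```python
from datetime import date, timedelta

# Added illustration, not CRISC material: scheduling destruction against a
# retention policy and verifying it happened. Categories, periods, records
# and hold lists are constructed for the demo.
RETENTION_DAYS = {
    "applicant_record": 180,     # demo value
    "payroll": 7 * 365,          # demo value
    "marketing_lead": 365,       # demo value
}

def destruction_schedule(records, today, legal_holds=frozenset()):
    """Classify each record id as retain / destroy / hold / review.

    records: iterable of {"id": str, "category": str, "collected": date}
    legal_holds: ids that must be kept regardless of the retention period
    """
    plan = {"retain": [], "destroy": [], "hold": [], "review": []}
    for rec in records:
        period = RETENTION_DAYS.get(rec["category"])
        if period is None:
            plan["review"].append(rec["id"])        # no defined period: escalate, never guess
            continue
        expired = rec["collected"] + timedelta(days=period) <= today
        if not expired:
            plan["retain"].append(rec["id"])
        elif rec["id"] in legal_holds:
            plan["hold"].append(rec["id"])          # must be kept: restrict access instead
        else:
            plan["destroy"].append(rec["id"])
    return {k: sorted(v) for k, v in plan.items()}

def verify_destruction(scheduled_for_destruction, still_present):
    """Ids that were scheduled for destruction but are still present: verification failures."""
    return sorted(set(scheduled_for_destruction) & set(still_present))

if __name__ == "__main__":
    # Constructed inventory: applicant and payroll records plus one of unknown category.
    inventory = [
        {"id": "app-1", "category": "applicant_record", "collected": date(2023, 11, 1)},
        {"id": "app-2", "category": "applicant_record", "collected": date(2024, 5, 1)},
        {"id": "app-3", "category": "applicant_record", "collected": date(2023, 10, 1)},
        {"id": "pay-1", "category": "payroll",          "collected": date(2020, 1, 1)},
        {"id": "x-1",   "category": "unknown",          "collected": date(2020, 1, 1)},
    ]
    plan = destruction_schedule(inventory, date(2024, 6, 30), legal_holds={"app-3"})
    print(plan)
    # After the destruction job ran, re-list what the system still holds:
    print(verify_destruction(plan["destroy"], ["app-1", "app-2", "app-3"]))   # ['app-1'] -> not done
```

The verification step is the part most often missing in practice: a destruction job that reports success is not evidence, whereas re-enumerating the data store and intersecting it with the scheduled list is. Records in the `hold` bucket are the case the slide describes, where retention is forced by law or contract and the control shifts to access restriction until the hold is lifted.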
Risk Management in a Privacy Context
Following are the recommendations for risk management in a privacy context.

Risk practitioners assessing systems that handle sensitive personal information should consult
with organizational privacy officers or privacy experts to ensure correct measures are in place
for the contexts and use cases under consideration.

Access to information subject to privacy considerations should be limited to individuals as per
valid business needs and the principle of least privilege.

Strong authentication is highly recommended for access to systems hosting data covered by
privacy law, and this data should be encrypted at rest and in transit, with identification and
nonrepudiation of sending authorities.

Where specific jurisdictional security requirements exist, risk practitioners should ensure
that these are addressed by appropriate security controls.
Risk Management in a Privacy Context
Ali is reviewing datasets collected from job applicants to the European branches of
Centurion Bank by the applicant tracking system, recruiters, and verification teams.
While looking for duplicate datasets and access, Ali is surprised to find that the contact
information for all denied applicants is set to actively replicate to marketing’s outreach
mailing list and to sales’ lead generation and tracking database.

Which principle is most likely being violated?

A. Data minimization and accuracy

B. Lawfulness, fairness, transparency and purpose limitation

C. Storage limitation

D. Integrity and confidentiality

