Project Management
Project Risk:
• Unclear or ever-changing requirements - scope creep.
• Unavailability of adequate resources for management of project
• Unrealistic project deadlines may impact the quality of the project.
• Unavailability of monitoring and controlling process.
• Lack of support from senior management.
Risk Assessment
• What level of confidentiality and availability is required for the system?
• Impact of any laws or regulation on the project (for example: privacy laws).
• Architectural and technological risk.
• Use of a secure information systems development process.
• Security training for the developers and staff members
Project Closeout
• Final phase of a project management is project closeout which involves recording all deliverables, centralized
documentation and handing over the project to the client or the team responsible for overseeing its operations.
• It also includes evaluating the project performance and recording the lessons learned to improve the future
projects.
Project Management
Project Management Tools
• Earned Value Analysis
• Earned Value Analysis (EVA) is a method of measuring a project's progress at any given point in time,
forecasting its completion date and final cost, and analyzing variances in the schedule and budget as the project
proceeds.
• Critical Path Methodology (CPM)
• The Critical Path Method (CPM) is used to estimate the duration of the project.
• A critical path is determined by identifying the longest path of dependent activities.
• The time required to finish the critical path is the shortest possible time required for finishing the project.
• Slack time is the time that acts as a buffer or extra time, and an activity can be delayed up to the limit of the
slack time without impacting the overall project completion date.
• Project managers concentrate on activities with zero slack time (that is, those on the critical path), and if the
critical path duration can be reduced then it will help to minimize the overall project duration.
• Program Evaluation and Review Technique (PERT)
• Like CPM, PERT is also a technique used to estimate project duration.
• The difference between PERT and CPM is that while CPM considers only a single scenario, PERT considers
three different scenarios (optimistic (best), pessimistic (worst), and normal (most likely)) and on the basis of
those three scenarios, a single critical path is arrived at.
• PERT is considered more accurate and appropriate than CPM for calculating estimates of project duration.
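To make the CPM and PERT bullets concrete, here is an added worked example; it is not part of the slides. It runs the forward and backward passes over a small constructed activity network to get earliest/latest start and finish times, slack, and the critical path, once with CPM's single most-likely estimate and once with PERT's three-point estimate. The activity names and durations are made up, and the PERT weighting (O + 4M + P) / 6 is the standard formula, assumed here rather than taken from the slide.

```python
from collections import deque

# Constructed example project (names and durations in days are made up for illustration):
# activity -> (predecessors, (optimistic, most_likely, pessimistic))
ACTIVITIES = {
    "A": ([],         (2, 4, 6)),
    "B": (["A"],      (3, 5, 13)),
    "C": (["A"],      (1, 2, 3)),
    "D": (["B", "C"], (2, 3, 4)),
    "E": (["C"],      (1, 1, 1)),
    "F": (["D", "E"], (1, 2, 3)),
}

def pert_expected(o, m, p):
    """Standard PERT weighted estimate (O + 4M + P) / 6 (assumed; the slide does not state it)."""
    return (o + 4 * m + p) / 6

def topological_order(activities):
    """Kahn's algorithm; also builds the successor map and rejects dependency cycles."""
    indeg = {a: len(preds) for a, (preds, _) in activities.items()}
    succ = {a: [] for a in activities}
    for a, (preds, _) in activities.items():
        for p in preds:
            succ[p].append(a)
    queue = deque(a for a, d in indeg.items() if d == 0)
    order = []
    while queue:
        a = queue.popleft()
        order.append(a)
        for s in succ[a]:
            indeg[s] -= 1
            if indeg[s] == 0:
                queue.append(s)
    if len(order) != len(activities):
        raise ValueError("dependency cycle detected")
    return order, succ

def critical_path(activities, duration_of):
    """Forward pass (earliest start/finish), backward pass (latest start/finish), slack = LS - ES.
    Returns (project duration, activities on the critical path, slack per activity)."""
    order, succ = topological_order(activities)
    dur = {a: duration_of(*activities[a][1]) for a in activities}
    es, ef = {}, {}
    for a in order:
        es[a] = max((ef[p] for p in activities[a][0]), default=0)
        ef[a] = es[a] + dur[a]
    project_duration = max(ef.values())
    ls, lf = {}, {}
    for a in reversed(order):
        lf[a] = min((ls[s] for s in succ[a]), default=project_duration)
        ls[a] = lf[a] - dur[a]
    slack = {a: ls[a] - es[a] for a in activities}
    # Zero-slack activities are the ones a project manager concentrates on.
    path = [a for a in order if abs(slack[a]) < 1e-9]
    return project_duration, path, slack

def cpm_single_scenario(activities):
    # CPM works with one estimate per activity; here the most-likely value is used.
    return critical_path(activities, lambda o, m, p: m)

def pert_three_scenarios(activities):
    # PERT blends the optimistic, most-likely and pessimistic estimates before finding the path.
    return critical_path(activities, pert_expected)

if __name__ == "__main__":
    for name, fn in (("CPM", cpm_single_scenario), ("PERT", pert_three_scenarios)):
        duration, path, slack = fn(ACTIVITIES)
        print(f"{name}: duration={duration}, critical path={'-'.join(path)}, slack={slack}")
```

With these constructed values the critical path is A-B-D-F under both methods, but PERT lengthens the estimate from 14 to 15 days because activity B's pessimistic value pulls its weighted duration up; activities C and E carry slack and can slip by that amount without moving the completion date.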
Project Management
Gantt Chart
• Gantt charts are a technique to monitor the progress of a project.
• Gantt charts are used to determine the status of the project, such as whether the project is delayed, ahead of
schedule, or on schedule.
• Gantt charts are used for tracking and monitoring achievements of milestones.
Role of risk practitioner in project management
• The risk practitioner should be involved from the initial stages of the project.
• Project planning should also consider the different risks applicable to the project.
• The risk practitioner should discuss with the project manager the various risk scenarios that can impact the project
objectives, and should also be involved in monitoring the progress of the project.
Enterprise Resiliency
• Enterprise resiliency is the ability to adapt quickly to disruptions while maintaining ongoing business operations and
safeguarding people, assets, and brand equity overall.
• Two fundamental aspects of enterprise resiliency are business continuity and disaster recovery.
• A business continuity plan (BCP) is defined as the laid-down processes to prevent, mitigate and recover
from disruption.
• A disaster recovery (DR) plan is a subset of the overall business continuity plan.
• While the goal of the BCP is to prevent and mitigate the incident, the goal of DR is to restore
operations in case business operations are down due to an incident.
• BCP is a continuous process of implementing various controls to prevent or mitigate the
impact of an incident, whereas disaster recovery is activated only when preventive measures
have failed and business processes are impacted due to the incident.
Enterprise Resiliency
Phases
• Initial phase is to conduct the risk assessment and business impact analysis to understand
the critical processes and assets of the organization.
• To develop and document a response and recovery strategy
• Training the staff on response and recovery procedure
• Testing the response and recovery plans
• Auditing the response and recovery plans
Before developing a detailed BCP, it is important to conduct the business impact analysis (BIA).
The BIA helps to determine the incremental cost of losing different systems. On the basis of the BIA, the recovery
efforts required for each system are determined.
• The plan should be well documented and written in simple language that should be understandable to all.
• Interviewing the key personnel to determine their understanding of the BCP will help the auditor to evaluate
the clarity and simplicity of the BCP.
• The plan should clearly document the responsibilities and accountability of each individual responsible for
specific tasks in the event of a disaster.
• It is recommended to have a single continuity plan for the whole organization. In case the BCP is
maintained unit-wise, it should be ensured that all the plans have a uniform approach and are linked to one
another, wherever required.
• It is very important that each plan has a uniform structure and language and that plans are consistent with
one another. IT plans and procedures must be consistent with, and support, the BCP. A copy of the BCP
should be kept at an offsite location.
Enterprise Resiliency
Backup
• For critical and time-sensitive data, shadow file processing is recommended.
• In shadow file processing, exact duplicates of files are maintained, preferably at a remote site.
• Shadow file processing can be implemented as a recovery mechanism for extremely time-sensitive
transaction processing.
• It is important to ensure that the offsite location is not subject to the same risks as the primary site.
• If both the primary site and the offsite location operate from the same place, a disaster may put both of
them out of action, which could have an adverse impact on business continuity.
• The involvement of process owners is very important in identifying critical processes, their dependencies,
and the required level of the RTO.
• Business continuity plans should be written and maintained by representatives from all relevant functional
units.
• The protection of human life is a critical factor in any business continuity procedure. This takes precedence
over all other elements.
• RTO (Recovery Time Objective): maximum time allowed to recover business or IT systems. For example,
an RTO of 2 hours indicates that an organization will not be overly impacted if its system is down for up to 2
hours.
• RPO (Recovery Point Objective): amount of data loss or system inaccessibility (measured in time) that an
organization can withstand. For example, an RPO of 2 hours indicates that an organization will not be
overly impacted if it loses data for up to 2 hours.
Recovery Objectives
• In the case of critical systems, generally, the RTO and RPO are zero, or near zero.
• A low RTO indicates that a system should be resumed at the earliest possible juncture.
• To achieve this objective, organizations need to invest heavily in redundancy. A hot site is ideal where the
RTO is lower. This will be a costly affair.
• On the other hand, if the RTO is high, this indicates that systems are not that critical, and that an
organization can afford downtime to some extent. An organization need not invest in redundancy for
systems with a high RTO. A cold site is ideal where the RTO is higher.
• A low RPO indicates that data loss should be kept to a minimum.
• Organizations with a low RPO should invest heavily in data backup management.
• Data mirroring or data synchronization is an ideal technique where the RPO is zero or very low.
• Hence, for a low RPO, data maintenance costs will be higher compared with a high RPO.
• A low RTO/RPO indicates that disaster tolerance is low, that is, the organization cannot tolerate system
downtime.
Incident Response Plan and Procedures
• A well-defined incident management process will yield far better results in reducing the business
disruptions as compared to unorganized incident management processes.
• Organization can effectively handle any unanticipated events.
• Organization will have robust detection techniques and processes for timely identification of incidents.
• Organization will have well defined criteria for defining severity of the incident and appropriate escalation
process.
• Availability of experienced and well-trained staff for effective handling of the incidents
• Organization will have well defined communication channels for timely communication with respect to
incidents to different stakeholders and external parties.
• Organization will have well defined process to analyze the root cause of incident and addressing the gaps
to prevent the reoccurrence.
Security Incident and Event Management (SIEM)
• Security Incident and Event Management (SIEM) system collects the data from various sources and
analyses the same for possible security events.
• The SIEM system has capability to detect the attacks by signature or behavior (heuristics) based analysis.
• SIEM is the most effective method to determine the aggregate risk from different sources.
Incident Response Plan and Procedures
Characteristics of effective SIEM:
• It has ability to consolidate and correlate inputs from different systems.
• It has ability to identify incidents.
• It has ability to notify staff.
• It has ability to prioritize incidents based on possible impact.
• It has ability to track the status of each incident.
• It has ability to integrate with other IT systems.
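The SIEM characteristics listed above (consolidate, correlate, identify, prioritize, track) are easier to picture with a small example, added here and not taken from the slides or from any SIEM product. It normalizes constructed log lines from two different sources (a firewall and an SSH authentication log, both formats made up for illustration) into one event schema, applies a correlation rule across them, assigns a severity from a hypothetical asset criticality table, and returns incidents with a status field. The syslog lines carry no year, so the year is an assumed parameter.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from two sources; both formats are made up for this example.
FIREWALL_LOG = """\
2024-05-01T10:00:01Z fw01 DENY src=203.0.113.5 dst=10.0.0.8 dport=22
2024-05-01T10:00:07Z fw01 DENY src=203.0.113.5 dst=10.0.0.8 dport=22
2024-05-01T10:00:15Z fw01 ALLOW src=198.51.100.9 dst=10.0.0.20 dport=443
"""
AUTH_LOG = """\
May  1 10:00:20 db01 sshd[4141]: Failed password for root from 203.0.113.5 port 51022 ssh2
May  1 10:00:31 db01 sshd[4142]: Failed password for root from 203.0.113.5 port 51030 ssh2
May  1 10:00:44 db01 sshd[4143]: Accepted password for admin from 203.0.113.5 port 51041 ssh2
May  1 10:05:00 web01 sshd[2222]: Failed password for guest from 198.51.100.9 port 40000 ssh2
"""
# Hypothetical asset criticality (from a data classification inventory) used to prioritize incidents.
ASSET_CRITICALITY = {"db01": "high", "web01": "medium", "fw01": "low"}

FW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=\S+ dport=(?P<dport>\d+)")
AUTH_RE = re.compile(r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
                     r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)")

def normalize(fw_text, auth_text, year=2024):
    """Consolidate both sources into one schema: timestamp, reporting host, source IP, event type."""
    events = []
    for line in fw_text.splitlines():
        m = FW_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append({"ts": ts, "host": m["host"], "src": m["src"], "type": "fw_" + m["action"].lower()})
    for line in auth_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
            events.append({"ts": ts, "host": m["host"], "src": m["src"], "type": "auth_" + m["result"].lower()})
    return sorted(events, key=lambda e: e["ts"])

def correlate(events, window=timedelta(minutes=5), min_failures=3):
    """Correlation rule: at least min_failures denied/failed events from one source IP within the window,
    followed by a successful login from the same IP, is raised as an incident. Severity comes from
    the criticality of the host on which the login succeeded; incidents are returned highest first."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    incidents = []
    for src, evs in by_src.items():
        for i, e in enumerate(evs):
            if e["type"] != "auth_accepted":
                continue
            prior = [p for p in evs[:i]
                     if e["ts"] - p["ts"] <= window and p["type"] in ("fw_deny", "auth_failed")]
            if len(prior) >= min_failures:
                incidents.append({"src": src, "host": e["host"], "failures": len(prior),
                                  "severity": ASSET_CRITICALITY.get(e["host"], "low"), "status": "new"})
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(incidents, key=lambda inc: order[inc["severity"]])

def run():
    return correlate(normalize(FIREWALL_LOG, AUTH_LOG))

if __name__ == "__main__":
    for inc in run():
        print(inc)
```

Neither source alone tells the story: the firewall saw two denies and the SSH log two failures, and only the consolidated, time-ordered view shows four failures followed by a success from the same address on a high-criticality host. The second address never logs in successfully, so it produces no incident.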
Data Classification
Data Classification:
• Classification of assets based on their criticality to the business.
• Assets can be classified as confidential data, private data, or public data.
• This classification helps the organization to provide appropriate level of protection to the assets. More
resources should be utilized for protection of confidential data as compared to public data.
Steps of data classification:
• Create an inventory of all the information assets of the organization.
• Establish ownership for each information asset (asset owner).
• Determine the value of the assets that need protection.
• Classify the information assets based on their valuation.
• Implement the level of protection according to the level of classification.
Data Classification
Security managers need to ensure that the requirements of the data owners are properly identified and
appropriately addressed in the information classification policy.
Security managers need to ensure that classification policy should be made available to all the users. Content
of classification policy should be part of security awareness program.
Benefits of classification:
• Classification helps to reduce the risk of under protection of assets.
• Assets are protected in proportion to their criticality.
• Classification helps to reduce the cost of over protection of assets.
Data Life Cycle Management
Phases of data life cycle
• Data Creation
• Storage
• Use
• Sharing
• Archival
• Destruction
• Most important role of a risk practitioner is to ensure that data is appropriately protected at all the times.
• Data access is provided on need to know basis only (i.e. least privilege).
• Defined termination process to ensure immediate revocation of all access rights of a terminated or resigned
employee.
• Periodic review of user access rights to ensure that rights are available for current users only.
• Implement appropriate level of encryption for critical data at rest as well as in transit. Encryption such as
transport layer security (TLS) should be employed for web browsers as secure socket layer (SSL) is no
longer considered as secure.
• Segmentation or isolation is the best way to limit the exposure of critical data.
• Effective isolation can be implemented by way of network segmentation through firewall, VLANs or other
technologies.
• Install anti-malware software and update its signature files on a daily basis.
Data Life Cycle Management
• Different data validation checks include range checks, format checks, special character checks, size
checks and reasonableness checks.
• Data validation can be based on either a whitelist of allowed data (i.e., only predefined values are allowed) or a
blacklist of prohibited data (i.e., except for a few blacklisted values, all other data is allowed).
• The whitelisting approach is preferable where input data is generally static and does not change too often,
whereas the blacklisting approach is more prevalent where the range of valid values is broad and cannot be
restricted.
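As an added illustration of the validation checks and of the whitelist/blacklist distinction (example code, not from the slides), the block below implements each check named above and applies them to a constructed order record. The record fields, the allowed country codes and the prohibited fragments are all made up; the point of the last assertion-style check is that a blacklist only catches what is listed, which is why the slide recommends whitelisting for static inputs.

```python
import re

def range_check(value, lo, hi):
    """Numeric value must fall within [lo, hi]."""
    return lo <= value <= hi

def format_check(value, pattern):
    """Value must match the expected pattern exactly (e.g. an ISO date)."""
    return re.fullmatch(pattern, value) is not None

def special_char_check(value, allowed=r"[A-Za-z0-9 .\-]*"):
    """Whitelist of characters: anything outside the allowed alphabet is rejected."""
    return re.fullmatch(allowed, value) is not None

def size_check(value, max_len):
    """Length limit, which also bounds what downstream buffers and columns must hold."""
    return len(value) <= max_len

def reasonableness_check(quantity, typical_max):
    """A value can be in range and still be implausible for the business (e.g. 500 units when 50 is usual)."""
    return 0 < quantity <= typical_max

# Whitelist: only predefined values are accepted; suits static fields such as a country code.
ALLOWED_COUNTRY_CODES = {"IN", "US", "GB"}   # constructed list
def whitelist_validate(code):
    return code in ALLOWED_COUNTRY_CODES

# Blacklist: everything is accepted except listed fragments; weaker, because unlisted variants pass.
PROHIBITED_FRAGMENTS = ("<script", "';", "--")  # constructed list
def blacklist_validate(text):
    lower = text.lower()
    return not any(frag in lower for frag in PROHIBITED_FRAGMENTS)

def validate_order(record):
    """Run every check on a constructed order record and return the names of the failed checks."""
    failures = []
    if not size_check(record["customer"], 40):
        failures.append("size:customer")
    if not special_char_check(record["customer"]):
        failures.append("special_char:customer")
    if not format_check(record["order_date"], r"\d{4}-\d{2}-\d{2}"):
        failures.append("format:order_date")
    if not range_check(record["quantity"], 1, 1000):
        failures.append("range:quantity")
    if not reasonableness_check(record["quantity"], 50):
        failures.append("reasonableness:quantity")
    if not whitelist_validate(record["country"]):
        failures.append("whitelist:country")
    if not blacklist_validate(record["notes"]):
        failures.append("blacklist:notes")
    return failures

# Constructed sample records.
GOOD_ORDER = {"customer": "Acme Trading Co.", "order_date": "2024-05-01",
              "quantity": 25, "country": "IN", "notes": "deliver by noon"}
BAD_ORDER = {"customer": "Bob <b>", "order_date": "01/05/2024",
             "quantity": 500, "country": "ZZ", "notes": "x'; see attached"}

if __name__ == "__main__":
    print("good:", validate_order(GOOD_ORDER))
    print("bad: ", validate_order(BAD_ORDER))
    # An unlisted fragment slips through the blacklist, while the whitelist rejects any unknown code.
    print("blacklist passes '<img src=x>':", blacklist_validate("<img src=x>"))
    print("whitelist passes 'ZZ':", whitelist_validate("ZZ"))
```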
• Data loss prevention (DLP) software has the capability to control the movement and sharing of data in
accordance with the data classification policy.
• DLP software monitors the activities of end devices and controls the data flow. DLP also facilitates
compliance reporting.
• Most effective method for protecting the data stored on a USB or a mobile device is to encrypt the data.
• Data should be retained in a hygienic condition as long as required by business or regulation requirements.
• Data redundancy arises when the same data is stored at different places in a database. This causes
problems in data update or data deletion or data modification or otherwise managing the data.
• Data normalization is the process of reducing redundant data and thereby making databases more
structured.
System Life Cycle Development
• A system development methodology is a structure that organizations use for the design, development, and
implementation of new systems.
• SDLC models
• Traditional waterfall
• This approach is useful when prototypes are required to understand the design and requirements of
the proposed system.
• It works well when requirements are well defined and do not undergo frequent changes.
• Agile development
• Agile means "the ability to move quickly and easily".
• In the Agile method, programmers do not spend much time on documentation. They can write a
program straight away.
• The objective of the Agile approach is to produce releasable software in short iterations without
giving much importance to formal paper-based deliverables.
• SDLC Phases
• Phase 1 – Initiation / Feasibility: Objective, purpose and scope of the system is discussed, finalized
and documented.
• Phase 2 – Development / Acquisition: In this phase, alternatives are evaluated and the system is
developed or acquired from a third party.
• Phase 3 – Implementation: In this phase, the system is tested and migration activities are carried out.
• Phase 4 – Operations / Maintenance: In this phase, regular updates and maintenance is carried out
for upkeep of the system.
• Phase 5 – Disposal: In this phase, obsolete systems are discarded by moving, archiving, discarding or
destroying information and sanitizing the hardware and software.
System Life Cycle Development
• Risk practitioners should be involved in all the above phases of SDLC and security requirements should be
integrated into all SDLC phases.
• Performing risk assessments at each stage of the system development life cycle (SDLC) is the most cost-
effective way to address the flaws at the earliest.
• Software reengineering is the process of updating a system to enhance the system functionality to make
the system better and more efficient.
• Reverse engineering is the process of the detailed analysis and study of a system with the objective to
develop a similar system.
• Changeover is the process of shifting to a new system and stopping the use of the old systems.
• Parallel changeover
• In this method, the new and old systems are operated in parallel for some time. Once the users are
confident about the new system; the old system may be discontinued.
• Phased changeover
• In this method, changes are implemented in a phased manner.
• The system is broken into different phases and each old phase is gradually replaced by a new phase.
• Abrupt changeover
• In this method, a new system is implemented from a cut-off date and the old system is completely
discontinued once the new system is implemented.
• This process is also known as direct cutover. This is considered the riskiest approach with no scope for
rollback if the new system fails.
System Accreditation and Certification
• Certification and accreditation (C&A) is a process for implementing any formal process.
• Certification is comprehensive evaluation of the process or system typically measured against some
defined norms or standards.
• Accreditation is the formal declaration by a neutral third party that the certification program is administered
in a way that meets the relevant norms or standards of certification program.
• With respect to information security, system accreditation is process of approving the security and control
functionality of the system and authorizing its implementation by a senior manager.
• By accrediting a system, manager accepts the associated risk of the system.
Continuous Auditing Techniques
Integrated test facility
• In an ITF, a fictitious entity is created in the production environment.
• The auditor may enter test or dummy transactions and check the processing and results of these
transactions for correctness.
• Processed results and expected results are evaluated to check the proper functioning of systems.
System control audit review file
• In this technique, an audit module is embedded (inbuilt) into the organization’s host application to track
transactions on an ongoing basis.
• SCARFs record transactions above a specified limit or deviation- or exception-related transactions.
• These transactions are then reviewed by the auditor.
• SCARFs are useful when regular processing cannot be interrupted.
Snapshot technique
• This technique captures the snaps or pictures of the transaction as they are processed at different stages in
the system.
• Details are captured both before execution and after the execution of the transaction. The correctness of
the transaction is verified by validating the before processing and after-processing snaps of the
transactions.
• Snapshot is useful when an audit trail is required.
Audit hook
• Audit hooks are embedded in application system to capture exceptions.
• The auditor can set different criteria to capture the exceptions or suspicious transactions.
• Audit hooks are helpful in the early identification of irregularities, such as fraud or error.
Emerging trends in technology
• Bring your own device (BYOD)
• Organizations should have an approved BYOD policy.
• Organizations cannot escape their liability even if data is leaked through the personal device of an
employee.
• Periodic awareness training on the use of BYOD should be organized.
• In case corporate data is stored on personal devices, the data should be properly encrypted and a remote data wipe
facility should be enabled to wipe all data in case the device is lost or stolen.
• Virtualized Desktop for BYOD
• In a virtualized desktop setup, user can access their respective desktop from any remote location.
• The Internet of Things (IoT)
• IoT is a concept wherein devices have the ability to communicate and transfer data with each other without
any human interference, for example Alexa or Google Assistant.
• Risk practitioner should consider the following risks with respect to IoT:
• The impact of IoT on the health and safety of human life
• Regulatory compliance with respect to the use of IoT
• The impact of IoT on user privacy
• The impact of IoT on device vulnerabilities
Information Security Principles
• Risk practitioners need to have sufficient knowledge about technology to evaluate new technology and to
provide effective advice about deployment of technology within acceptable risk boundaries.
• Risk practitioners need to pay special attention to older systems (i.e., legacy systems) as their original
design may not support current security standards. It may not be feasible to replace or upgrade
legacy systems due to heavy dependency on the system. For such cases, the risk practitioner needs to ensure
that appropriate compensating controls are in place.
• Segregation of duties is the process of assigning responsibility for different functions of a job to separate
individuals so as to prevent or detect the irregularities and fraud.
• SoD also includes requiring two people to participate in a task simultaneously, which is known as dual control.
• Implementing a role based access is a preventive method to address the risk of violation of segregation of
duties.
• Job rotation and mandatory vacation play a dual role: they improve employees' productivity and also help
to detect fraud or other irregularities.
Factor of Authentication
• Something you know (for example, a password, PIN, or some other personal information)
• Something you have (for example, a token, one-time password, or smart card)
• Something you are (for example, biometric features, such as fingerprint, iris scan, or voice recognition)
• Biometric verification is a process through which a person can be uniquely identified and authenticated by
verifying one or more of their biological features. Examples of these biometric identifiers include a palm,
hand geometry, fingerprints, retina and iris patterns, voice, and DNA.
• Retina scan is considered the most accurate and reliable identifier with the lowest FAR.
• Doshi, Hemang . CRISC Exam Study Guide : Aligned with latest CRISC Review Manual (2021) (p. 439).
Kindle Edition.
• Two-factor authentication means the use of two authentication methods from the preceding list.
• Biometrics – accuracy measure
• False acceptance rate (FAR): This is the rate of acceptance of a false person (that is, an unauthorized
person).
• False rejection rate (FRR): This is the rate of rejection of the correct person (that is, an authorized person).
• Crossover error rate (CER) or equal error rate (EER): This is the rate at which the FAR and FRR are equal. The
biometric system with the lowest CER or EER is the most effective system.
• FAR and FRR are inversely related: tuning the system so that the FAR increases will result in a decrease in the FRR and
vice versa.
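The FAR/FRR trade-off and the crossover point are easiest to see numerically, so here is an added example (not from the slides). It uses constructed matcher scores for ten genuine and ten impostor attempts, computes FAR and FRR at each candidate decision threshold, and picks the threshold where the two rates meet; the score values are made up and any real device would have its own distribution.

```python
# Constructed match scores in [0, 1]; higher means more similar to the enrolled template.
GENUINE_SCORES  = [0.92, 0.88, 0.85, 0.80, 0.76, 0.71, 0.65, 0.60, 0.58, 0.50]  # authorized users
IMPOSTOR_SCORES = [0.20, 0.28, 0.35, 0.40, 0.48, 0.55, 0.62, 0.66, 0.70, 0.74]  # unauthorized users
THRESHOLDS = [round(i / 20, 2) for i in range(21)]  # candidate decision thresholds 0.00 .. 1.00

def far(threshold, impostor=IMPOSTOR_SCORES):
    """False acceptance rate: fraction of impostor attempts scoring at or above the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)

def frr(threshold, genuine=GENUINE_SCORES):
    """False rejection rate: fraction of genuine attempts scoring below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)

def error_rates(thresholds=THRESHOLDS):
    """(threshold, FAR, FRR) for every candidate threshold; shows the inverse relationship."""
    return [(t, far(t), frr(t)) for t in thresholds]

def crossover_error_rate(thresholds=THRESHOLDS):
    """Threshold where |FAR - FRR| is smallest; the CER/EER is the (common) rate at that point."""
    best = min(thresholds, key=lambda t: abs(far(t) - frr(t)))
    return best, (far(best) + frr(best)) / 2

if __name__ == "__main__":
    for t, fa, fr in error_rates():
        print(f"threshold={t:.2f}  FAR={fa:.2f}  FRR={fr:.2f}")
    t, eer = crossover_error_rate()
    print(f"crossover at threshold {t:.2f}, EER={eer:.2f}")
```

Raising the threshold makes the device stricter (FAR falls, FRR rises); lowering it makes it more convenient (FRR falls, FAR rises). When comparing two devices, comparing their EERs removes the effect of whichever threshold each vendor happened to configure.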
Factor of Authentication
Types of biometric attacks
• Replay attack: In a replay attack, the attacker makes use of residual biometric characteristics (such as
fingerprints left on a biometric device) to get unauthorized access.
• Brute-force attack: In a brute-force attack, the attacker sends numerous biometric samples with the
objective of causing the biometric device to malfunction.
• Cryptographic attack: In a cryptographic attack, an attacker attempts to obtain information by targeting
algorithms or the encrypted information that transmits between biometric devices and access control
systems.
• Mimic attack: In a mimic attack, the attacker attempts to reproduce a fake biometric feature of a genuine
biometric user. For example, imitating the voice of an enrolled user.
Single Sign On
• Single sign-on (SSO) is a user authentication service that permits a user to use one set of login credentials
(for example, a name and password) to access multiple applications.
• It is important to implement strong password complexity for this kind of environment.
• One example of SSO is Kerberos. Kerberos is an authentication service used to validate services and
users in a distributed computing environment.
Advantages of SSO
• Multiple passwords are not required, which encourages users to select a strong password.
• Reduces administrative overhead costs in resetting passwords due to a lower number of IT help desk calls
about passwords.
• Reduces the time taken by users to log in to multiple applications.
Disadvantages of SSO:
• SSO acts as a single authentication point for multiple applications, which constitutes the risk of a single point
of failure.
• Support for all major operating system environments is difficult.
Cryptography
• Cryptography is defined as the art or science of secret writing with the use of techniques such as
encryption.
• Encryption is the process of converting data into unreadable code so it cannot be accessed or read by
unauthorized people.
• This unreadable data can again be converted into readable form by process of decryption.
• Encryption can be of two types i.e. symmetric encryption and asymmetric encryption.
• Symmetric Encryption:
• Single key is used to encrypt and decrypt the messages
• Comparatively, faster computation and processing.
• Disadvantage of symmetric encryption is sharing of key with another party.
• Asymmetric Encryption
• Two keys are used. Public and Private Key. One for encryption and other for decryption.
• Message encrypted with one key can be decrypted only by the other key.
• Comparatively, slower computation and processing.
Symmetric Cryptography Drawbacks
Cryptography
Encryption Keys
• Sender’s Private Key - Key is available only with the sender.
• Sender’s Public Key - Key is available in the public domain and can be accessed by anyone.
• Receiver’s Private Key - Key is available only with the receiver.
• Receiver’s Public Key - Key is available in the public domain and can be accessed by anyone.
Offers:
• Confidentiality: receiver’s public key is used to encrypt the message and receiver’s private key is used to decrypt
the message.
• Authentication & Non-repudiation: sender’s private key is used to encrypt the message and sender’s public key is
used to decrypt the message.
• Integrity:
• Sender will create a hash of the message.
• This hash is encrypted using the sender's private key.
• Message along with an encrypted hash is sent to the receiver.
• Receiver will do two things. First, he will decrypt the hash value using the sender's public key and second he will
again calculate the hash of the message received.
• Receiver will compare both hashes and if both hash values are the same, the message is considered correct,
complete and accurate.
Digital Signature
• Digital Signature is a process wherein a digital code is attached to an electronically transmitted document
to verify its contents and the sender's identity.
• Steps for creating digital signature
• Step 1: Create Hash (Message digest) of the message.
• Step 2: Encrypt the hash (as derived above) with the private key of the sender.
• A hash function is a mathematical algorithm which gives a unique fixed string for any given message. It
must be noted that the hash value will be unique for each message.
• Step 3: Receiver will calculate the hash value of the message.
• Step 4: Then he will decrypt the digital signature using the public key of the sender.
• Step 5: Now, he will compare the two values derived.
• If both tally, it proves the integrity of the message.
• Digital Signature ensures integrity (message not tampered with), authentication (message sent by the sender) and
non-repudiation (sender can't deny sending it), but not confidentiality.
Public Key Infrastructure
• A public key infrastructure is a set of rules and procedures for creation, management, distribution, storage and use
of digital certificate and public key encryption.
• Digital Certificate: Digital certificate is an electronic document used to prove the ownership of a public key. Digital
certificate includes information about the key, owner of the key and digital signature of the issuer of the digital
certificate.
• Certifying Authority (CA): A certification authority is an entity that issues digital certificates.
• Registration Authority (RA): A registration authority is an entity that verifies user requests for digital signatures and
recommends the certificate authority to issue it.
• Certificate Revocation list (CRL): CRL is a list of digital certificates which have been revoked and terminated by
certificate authority before their expiry date and these certificates should no longer be trusted.
• Process involved in PKI
• Step 1: Applicant applies for issuance of a digital certificate to the Certifying Authority (CA).
• Step 2: Certifying Authority (CA) delegates the verification process to the Registration Authority (RA).
• Step 3: Registration Authority (RA) verifies the correctness of the information provided by the applicant.
• Step 4: If the information is correct, the RA recommends that the CA issue the certificate.
• Step 5: Certifying Authority (CA) issues the certificate and manages it through its life cycle.
• CA also maintains details of certificates that have been terminated or revoked before its expiry date. This list is
known as certificate revocation list (CRL).
• CA also maintains a document called as Certification Practice Statement (CPS) containing standard operating
procedure (SOP) for issuance and management of certificates.
• Private key of a certificate authority is used to issue the digital certificate to all the parties in public key
infrastructure.
Information Security Awareness Training
• Security awareness training is the most important element of an information security program.
• In the absence of a structured and well-defined security awareness training program, the security program will not
provide the desired results. It is not possible to address security risks only through technical security
measures.
• It is important to address behaviour aspects of the employees through continuous awareness and
education.
• Most effective way to increase the effectiveness of the training is to customize the training as per the target
audience and to address the systems and procedures applicable to that particular group.
• For new joiners, the security awareness program should be part of the orientation program. It must be ensured that
the user has been trained on acceptable usage of information resources before any system or data access is
provided.
• Security manager should design some quantitative evaluation criteria to determine the effectiveness of
security training and user comprehension.
• Adherence to information security requirements is the best way to monitor the effectiveness of security
programs. If exceptions are minimum, then it indicates that employees are aware about the security
requirements.
• More exceptions indicate that there is lack of awareness amongst the employees and information security
programs are not effective.
Data Privacy
• Privacy is the right of the individual to demand the utmost care of their personal information that has been
shared with any organization or individual.
• Individuals can demand that the use of their information should be appropriate, legal, and for a specific
purpose for which information is obtained.
• Privacy principles:
• Organizations should specify the purposes for which personal information is collected.
• Organizations are required to retain personal information only as long as necessary.
• Organizations should have appropriate security safeguards for protecting personal information.
• Organizations should obtain appropriate consent before the transfer of personal information to another
jurisdiction.
• Organizations should have an appropriate process for reporting compliance with privacy policy, standards,
and laws.
• Organizations should have an appropriate governance mechanism over the third-party service provider
processing privacy data on behalf of the organization.
• Organizations should comply with applicable data protection regulations for the transfer of personal
information across country borders.
Data Privacy
• The organization should conduct a privacy impact assessment (PIA) to determine and manage privacy-related risk.
• The objective of a privacy impact assessment is to determine how well organizational processes adhere to privacy regulations.
• The first and most important step is to identify privacy-related data within the organization.
• DLP is a proactive approach to protecting personally identifiable information. DLP is a technical control to ensure that selected data does not leave the organization’s network.
• Privacy by design embeds privacy principles within all processes and infrastructure of the organization.
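As an added example (not from the original slides), the following Python scanner shows the two privacy points above in code: identifying privacy-related data in a message body, then applying a DLP-style rule that blocks outbound transfers carrying it while allowing internal ones. The detection patterns, the domain names and the sample messages are constructed assumptions for illustration, not an organization's real policy.

```python
import re

# Detection rules for the categories of personal data this scanner treats as
# sensitive. These regexes are assumptions for illustration; real DLP rules are
# tuned to the organization's own data classification policy.
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "phone": re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b"),
    "card": re.compile(r"\b(?:\d{4}[- ]?){3}\d{4}\b"),
}


def luhn_valid(number: str) -> bool:
    """Luhn checksum over the digits of number.

    Used so that 16-digit order or ticket numbers, which match the card regex
    by shape alone, are not reported as payment cards (false positives)."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for position, digit in enumerate(reversed(digits)):
        if position % 2 == 1:  # every second digit from the right is doubled
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def find_pii(text: str) -> dict:
    """Return {category: [matched values]} for each PII category present."""
    found = {}
    for category, pattern in PII_PATTERNS.items():
        matches = pattern.findall(text)
        if category == "card":
            matches = [m for m in matches if luhn_valid(m)]
        if matches:
            found[category] = matches
    return found


def dlp_decision(message: dict, internal_domains: set) -> tuple:
    """Decide whether one message may leave the network.

    message is {"to": address, "body": text}. Transfers to an internal domain
    are allowed; transfers to any other domain are blocked when the body
    carries personal data. Returns (action, findings)."""
    findings = find_pii(message["body"])
    to_domain = message["to"].rsplit("@", 1)[-1].lower()
    if to_domain in internal_domains:
        return "allow", findings
    if findings:
        return "block", findings
    return "allow", findings


# Constructed sample messages; the addresses and domains are placeholders.
INTERNAL_DOMAINS = {"example-corp.internal"}
SAMPLE_MESSAGES = [
    {"to": "hr@example-corp.internal",
     "body": "Candidate jane.doe@mail.example, phone 555-123-4567."},
    {"to": "partner@outside.example",
     "body": "Customer card 4111 1111 1111 1111 expires 09/27."},
    {"to": "partner@outside.example",
     "body": "Order reference 1234 5678 9012 3456 shipped today."},
    {"to": "vendor@outside.example",
     "body": "Invoice attached, no personal data included."},
]


def scan_all(messages=SAMPLE_MESSAGES, internal_domains=INTERNAL_DOMAINS) -> list:
    """Run the policy over a batch and return one action per message."""
    return [dlp_decision(m, internal_domains)[0] for m in messages]


if __name__ == "__main__":
    for message, action in zip(SAMPLE_MESSAGES, scan_all()):
        print(action, "->", message["to"], find_pii(message["body"]))
```

The third sample message shows why the Luhn filter matters: a 16-digit order reference has the shape of a card number but is not one, so the message is allowed rather than blocked.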
Attack Methods
• Botnets: A botnet is a group of compromised computers, also known as zombie computers.
• Buffer Overflow: A buffer overflow, or buffer overrun, is a common software coding mistake that an attacker could exploit to gain access to the system.
• Cross-Site Scripting (XSS): Cross-site scripting (XSS) attacks are a type of injection in which malicious scripts are injected into trusted websites. Such scripts are injected through a user input field, so poorly validated input fields are generally exposed to cross-site scripting.
• Denial of Service Attack (DoS): A DoS attack intends to shut down a network or machine by flooding it with traffic.
• Data Diddling: Data diddling is a type of attack in which data is altered as it is entered into a computer system.
• Dumpster Diving: Dumpster diving is a technique to retrieve sensitive information from a trash or garbage bin.
• Trojan Horse: In this attack, malicious software is disguised as legitimate software.
• Once installed on the system, it starts taking control of the user’s system.
• Logic Bomb: A program that executes when a certain event happens. For example, a logic bomb can be set to delete files or a database at a future date.
• Trap Door: Also known as a back door.
• Man-in-the-Middle Attack: In this attack, the attacker interferes while two devices are establishing a connection. Alternatively, the attacker actively establishes a connection with each of the two devices and pretends to each of them to be the other device.
Attack Methods
• Masquerading: In this type of attack, the intruder hides his original identity and acts as someone else. This is done to access systems or data that are restricted.
• IP Spoofing: In IP spoofing, a forged IP address is used to get past a firewall.
• Pharming: In this type of attack, traffic for a website is redirected to a bogus website.
• Piggybacking: In this type of attack, the intruder follows an authorized person through a secured door and hence enters the restricted area without authentication.
• Salami: In this technique, small amounts of money are sliced from computerized transactions and transferred to unauthorized accounts.
• Social Engineering: In a social engineering attack, an attempt is made to obtain sensitive information from users by tricking and manipulating people.
• Shoulder Surfing: In a shoulder surfing attack, the intruder or a camera captures sensitive information by looking over the shoulder of the user entering details on a computer screen.
• Passive attacks are attacks in which information is only captured; the traffic is not modified, inserted or deleted. Examples of passive attacks include traffic analysis, network analysis and eavesdropping.
• Structured Query Language (SQL) Injection: A SQL injection attack consists of insertion or “injection” of a SQL query via the input data to the application.
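As an added example (not part of the original slides), the following Python code shows the SQL injection point above from a defender's side: a deliberately vulnerable login query that concatenates user input is placed beside its parameterized form, and both are run against a constructed in-memory SQLite table so the difference in returned rows is visible. The table, the user records and the input strings are assumptions for illustration.

```python
import sqlite3

# Constructed sample user table; not from the original slides.
SAMPLE_USERS = [
    ("alice", "s3cret-alice"),
    ("bob", "s3cret-bob"),
    ("carol", "s3cret-carol"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Deliberately vulnerable form: user input is concatenated into the SQL
    text, so quote characters in the input become part of the query's
    structure instead of staying data. Returns the matched usernames."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Hardened form: placeholders keep the query structure fixed and the
    driver binds the input purely as values. Returns the matched usernames."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def demo() -> dict:
    """Run both forms with a normal credential and with input whose quotes
    alter the concatenated query, and return the rows each form produced."""
    conn = build_db()
    tainted = "' OR '1'='1"  # constructed input containing a quote character
    return {
        "vulnerable_normal": login_vulnerable(conn, "alice", "s3cret-alice"),
        "vulnerable_tainted": login_vulnerable(conn, tainted, tainted),
        "safe_normal": login_parameterized(conn, "alice", "s3cret-alice"),
        "safe_tainted": login_parameterized(conn, tainted, tainted),
    }


if __name__ == "__main__":
    for case, rows in demo().items():
        print(f"{case}: {rows}")
```

The concatenated query matches every row for the tainted input because the input rewrites the WHERE clause, while the parameterized query treats the same string as a literal username and matches nothing; this is why parameterized queries are the standard control for the injection class the slide describes.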

crisc_wk_6.pptx

  • 1. Project Management Project Risk: • Unclear or ever-changing requirements - scope creep. • Unavailability of adequate resources for management of project • Unrealistic project deadlines may impact the quality of the project. • Unavailability of monitoring and controlling process. • Lack of support from senior management. Risk Assessment • What level of confidentiality and availability is required for the system? • Impact of any laws or regulation on the project (for example: privacy laws). • Architectural and technological risk. • Use of a secure information systems development process. • Security training for the developers and staff members Project Closeout • Final phase of a project management is project closeout which involves recording all deliverables, centralized documentation and handing over the project to the client or the team responsible for overseeing its operations. • It also includes evaluating the project performance and recording the lessons learned to improve the future projects.
  • 2. Project Management Project Management Tools • Earned Value Analysis • Earned Value Analysis (EVA) is a method of measuring a project's progress at any given point in time, forecasting its completion date and final cost, and analyzing variances in the schedule and budget as the project proceeds. • Critical Path Methodology (CPM) • The Critical Path Method (CPM) is used to estimate the duration of the project. • A critical path is determined by identifying the longest path of dependent activities. • The time required to finish the critical path is the shortest possible time required for finishing the project. • Slack time is the time that acts as a buffer or extra time, and an activity can be delayed up to the limit of the slack time without impacting the overall project completion date. • Project managers concentrate on activities with zero slack time (that is, those on the critical path), and if the critical path duration can be reduced then it will help to minimize the overall project duration. • Program Evaluation and Review Technique (PERT) • Like CPM, PERT is also a technique used to estimate project duration. • The difference between PERT and CPM is that while CPM considers only a single scenario, PERT considers three different scenarios (optimistic (best), pessimistic (worst), and normal (most likely)) and on the basis of those three scenarios, a single critical path is arrived at. • PERT is considered more accurate and appropriate than CPM for calculating estimates of project duration.
  • 3. Project Management Gantt Chart • Gantt charts are a technique to monitor the progress of a project. • Gantt charts are used to determine the status of the project, such as whether the project is delayed, ahead of schedule, or on schedule. • Gantt charts are used for tracking and monitoring achievements of milestones. Role of risk practitioner in project management • Risk practitioner should be involved from the initial stages of the project. • Project planning should also consider different risk applicable to the projects. • Risk practitioner should discuss with project manager various risk scenarios that can impact the project objectives. He should also be involved in monitoring the progress of the project.
  • 4. Enterprise Resiliency • ability to adapt quickly to disruptions while maintaining ongoing business operations and safeguarding people, assets, and brand equity overall. • Two fundamental aspects of enterprise resiliency is business continuity and disaster recovery. • Business continuity plan is defined as laid down processes to prevent, mitigate and recover from disruption. • Disaster recovery plan is a subset of overall business continuity plan. • While goal of BCP is to prevent and mitigation the incident, goal of DR is to restore operations in case business operations are down due to incident. • BCP is a continuous process of implementing various control to prevent or mitigate the impact of incident whereas disaster recovery is activated only when preventive measures have been failed and business processes are impacted due to incident.
  • 5. Enterprise Resiliency Phases • Initial phase is to conduct the risk assessment and business impact analysis to understand the critical processes and assets of the organization. • To develop and document a response and recovery strategy • Training the staff on response and recovery procedure • Testing the response and recovery plans • Auding the response and recovery plans Before developing a detailed BCP, it is important to conduct the business impact analysis. BIA helps to determine incremental cost of losing different systems. On the basis of BIA, recovery efforts required for the system is determined.
  • 6. Enterprise Resiliency Phases • Initial phase is to conduct the risk assessment and business impact analysis to understand the critical processes and assets of the organization. • To develop and document a response and recovery strategy • Training the staff on response and recovery procedure • Testing the response and recovery plans • Auding the response and recovery plans • Before developing a detailed BCP, it is important to conduct the business impact analysis. • BIA helps to determine incremental cost of losing different systems. On the basis of BIA, recovery efforts required for the system is determined. • The plan should be well documented and written in simple language that should be understandable to all. • Interviewing the key personnel to determine their understanding of the BCP will help the auditor to evaluate the clarity and simplicity of the BCP. • The plan should clearly document the responsibilities and accountability of each individual responsible for specific tasks in the event of a disaster. • It is recommended to have a single continuity plan for the whole organization. In case the BCP is maintained unit-wise, it should be ensured that all the plans have a uniform approach and are linked to one another, wherever required. • It is very important that each plan has a uniform structure and language and that plans are consistent with one another. IT plans and procedures must be consistent with, and support, the BCP. A copy of the BCP should be kept at an offsite location.
  • 7. Enterprise Resiliency Backup • For critical and time-sensitive data, shadow file processing is recommended. • In shadow file processing, exact duplicates of files are maintained, preferably at a remote site. • Shadow file processing can be implemented as a recovery mechanism for extremely time-sensitive transaction processing. • It is important to ensure that the offsite location is not subject to the same risks as the primary site. • If both the primary site and the offsite location operate from the same place, a disaster may put both of them out of action, which could have an adverse impact on business continuity. • The involvement of process owners is very important in identifying critical processes, their dependencies, and the required level of the RTO. • Business continuity plans should be written and maintained by representatives from all relevant functional units. • The protection of human life is a critical factor in any business continuity procedure. This takes precedence over all other elements. • RTO (Recovery Time Objective): maximum time allowed to recover business or IT systems. For example, an RTO of 2 hours indicates that an organization will not be overly impacted if its system is down for up to 2 hours. • RPO (Recovery Point Objective): amount of data loss or system inaccessibility (measured in time) that an organization can withstand. For example, an RPO of 2 hours indicates that an organization will not be overly impacted if it loses data for up to 2 hours.
  • 8. Recovery Objectives • in the case of critical systems, generally, the RTO and RPO is zero, or near zero. • A low RTO indicates that a system should be resumed at the earliest possible juncture. • To achieve this objective, organizations need to invest heavily in redundancy. A hot site is ideal where the RTO is lower. This will be a costly affair. • On the other hand, if the RTO is high, this indicates that systems are not that critical, and that an organization can afford downtime to some extent. An organization need not invest in redundancy for systems with a high RTO. A cold site is ideal where the RTO is higher. • A low RPO indicates that data loss should be at a minimum. • They should invest heavily in data backup management. • Data mirroring or data synchronization is an ideal technique where the RPO is zero or very low. • Hence, for a low RPO, data maintenance costs will be higher compared with a high RPO. • A low RTO/RPO indicates that disaster tolerance is low, that is, the organization cannot tolerate system downtime.
  • 9. Incident Response Plan and Procedures • A well-defined incident management process will yield far better results in reducing the business disruptions as compared to unorganized incident management processes. • Organization can effectively handle any unanticipated events. • Organization will have robust detection techniques and processes for timely identification of incidents. • Organization will have well defined criteria for defining severity of the incident and appropriate escalation process. • Availability of experienced and well-trained staff for effective handling of the incidents • Organization will have well defined communication channels for timely communication with respect to incidents to different stakeholders and external parties. • Organization will have well defined process to analyze the root cause of incident and addressing the gaps to prevent the reoccurrence. Security Incident and Event Management (SIEM) • Security Incident and Event Management (SIEM) system collects the data from various sources and analyses the same for possible security events. • The SIEM system has capability to detect the attacks by signature or behavior (heuristics) based analysis. • SIEM is the most effective method to determine the aggregate risk from different sources.
  • 10. Incident Response Plan and Procedures Characteristics of effective SIEM: • It has ability to consolidate and correlate inputs from different systems. • It has ability to identify incidents. • It has ability to notify staff. • It has ability to prioritize incidents based on possible impact. • It has ability to track the status of each incident. • It has ability to integrate with other IT systems.
  • 11. Data Classification Data Classification: • Classification of assets based on its criticality to the business. • Asset can be classified as confidential data, private data, or public data. • This classification helps the organization to provide appropriate level of protection to the assets. More resources should be utilized for protection of confidential data as compared to public data. Steps of data classification: • Create inventory of all the information assets of the organization. • Establish ownership for each information assets – Asset owner • Determine value of the assets that needs protection. • Classify the information assets based on its valuation. • Implement level of protection according to the level of classification.
Data Classification
• Security managers need to ensure that the requirements of the data owners are properly identified and appropriately addressed in the information classification policy.
• Security managers need to ensure that the classification policy is made available to all users.
• The content of the classification policy should be part of the security awareness program.
Benefits of classification:
• Classification helps reduce the risk of under-protection of assets.
• Assets are protected in proportion to their criticality.
• Classification helps reduce the cost of over-protection of assets.
Data Life Cycle Management
Phases of the data life cycle:
• Data creation
• Storage
• Use
• Sharing
• Archival
• Destruction
Protecting data across the life cycle:
• The most important role of a risk practitioner is to ensure that data is appropriately protected at all times.
• Data access is provided on a need-to-know basis only (i.e. least privilege).
• A defined termination process ensures immediate revocation of all access rights of a terminated or resigned employee.
• Periodic review of user access rights ensures that rights are held by current users only.
• Implement an appropriate level of encryption for critical data at rest as well as in transit. Encryption such as transport layer security (TLS) should be employed for web browsers, as secure socket layer (SSL) is no longer considered secure.
• Segmentation or isolation is the best way to limit the exposure of critical data.
• Effective isolation can be implemented by way of network segmentation through firewalls, VLANs or other technologies.
• Install anti-malware software and update its signature files on a daily basis.
Data Life Cycle Management
• Data validation checks include range checks, format checks, special character checks, size checks and reasonableness checks.
• Data validation can be done either with a whitelist of allowed data (i.e. only predefined values are allowed) or a blacklist of prohibited data (i.e. except for a few blacklisted values, all other data is allowed).
• The whitelisting approach is preferable where input data is generally static and does not change too often, whereas the blacklisting approach is more prevalent where the range of valid values is broad and cannot be restricted.
• Data loss prevention (DLP) software can control the movement and sharing of data in accordance with the data classification policy.
• DLP software monitors the activities of end devices and controls the data flow. DLP also facilitates compliance reporting.
• The most effective method for protecting data stored on a USB or mobile device is to encrypt the data.
• Data should be retained in a hygienic condition as long as required by business or regulatory requirements.
• Data redundancy arises when the same data is stored in different places in a database. This causes problems when updating, deleting, modifying or otherwise managing the data.
• Data normalization is the process of reducing redundant data and thereby making databases more structured.
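The five validation checks and the whitelist/blacklist distinction above are easiest to see on a concrete record. The block below is an added example, not from the original slides: a validator for a hypothetical order form whose field names, limits, allowed countries and prohibited fragments are all constructed for the illustration. The country field uses an allowlist (a small, static set) and the free-text note uses a denylist (an open-ended field), which also shows why the denylist is the weaker of the two: anything not on the list passes.

```python
"""Added example: range, format, special-character, size and reasonableness
checks plus an allowlist (whitelist) and a denylist (blacklist), applied to a
constructed order record. Not from the original page."""
import re
from datetime import date

# Constructed business rules for a hypothetical order form.
ALLOWED_COUNTRIES = {"IN", "US", "GB"}          # allowlist: small, static set
DENIED_SUBSTRINGS = ("<script", "--", ";")      # denylist: open-ended free text
QTY_RANGE = (1, 1000)
MAX_NOTE_LEN = 200
SPECIAL_CHARS = re.compile(r"[^A-Za-z0-9 ,.'-]")
ORDER_ID_FORMAT = re.compile(r"^ORD-\d{6}$")

def validate_order(order, today=date(2024, 3, 1)):
    """Return the list of failed checks; an empty list means the record is valid."""
    errors = []
    # Range check: quantity must lie within the business limits.
    qty = order.get("quantity")
    if not isinstance(qty, int) or not QTY_RANGE[0] <= qty <= QTY_RANGE[1]:
        errors.append("range:quantity")
    # Format check: the order id must match the fixed pattern.
    if not ORDER_ID_FORMAT.match(str(order.get("order_id", ""))):
        errors.append("format:order_id")
    # Special-character check: the customer name allows only a small character set.
    if SPECIAL_CHARS.search(order.get("customer_name", "")):
        errors.append("special_chars:customer_name")
    # Size check: the free-text note is length-limited.
    if len(order.get("note", "")) > MAX_NOTE_LEN:
        errors.append("size:note")
    # Reasonableness check: a delivery date in the past is not plausible.
    delivery = order.get("delivery_date")
    if not isinstance(delivery, date) or delivery < today:
        errors.append("reasonableness:delivery_date")
    # Allowlist: the country must be one of the predefined values.
    if order.get("country") not in ALLOWED_COUNTRIES:
        errors.append("allowlist:country")
    # Denylist: free text must not contain known-bad fragments. Anything not on
    # the list passes, which is why the allowlist is the stronger approach.
    note = order.get("note", "").lower()
    if any(bad in note for bad in DENIED_SUBSTRINGS):
        errors.append("denylist:note")
    return errors

# Constructed records: one clean, one that fails every check.
GOOD_ORDER = {"order_id": "ORD-000123", "quantity": 5, "customer_name": "Asha Rao",
              "note": "Leave at reception", "delivery_date": date(2024, 3, 10), "country": "IN"}
BAD_ORDER = {"order_id": "123", "quantity": 0, "customer_name": "Bob <b>",
             "note": "x" * 201 + ";", "delivery_date": date(2023, 1, 1), "country": "ZZ"}
```

Each check returns a named failure rather than raising on the first one, so an application can log every defect in a rejected record, which is more useful for monitoring than a single generic error.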
System Life Cycle Development
• A system development methodology is a structure that organizations use for the design, development and implementation of new systems.
SDLC models:
• Traditional waterfall
• This approach is useful when prototypes are required to understand the design and requirements of the proposed system.
• It works well when requirements are well defined and do not undergo frequent changes.
• Agile development
• Agile means "the ability to move quickly and easily".
• In the Agile method, programmers do not spend much time on documentation; they can write a program straight away.
• The objective of the Agile approach is to produce releasable software in short iterations without giving much importance to formal paper-based deliverables.
SDLC phases:
• Phase 1 – Initiation/Feasibility: The objective, purpose and scope of the system are discussed, finalized and documented.
• Phase 2 – Development/Acquisition: In this phase, alternatives are evaluated and the system is developed or acquired from a third party.
• Phase 3 – Implementation: In this phase, the system is tested and migration activities are carried out.
• Phase 4 – Operations/Maintenance: In this phase, regular updates and maintenance are carried out for the upkeep of the system.
• Phase 5 – Disposal: In this phase, obsolete systems are discarded by moving, archiving, discarding or destroying information and sanitizing the hardware and software.
System Life Cycle Development
• Risk practitioners should be involved in all the above phases of the SDLC, and security requirements should be integrated into all SDLC phases.
• Performing risk assessments at each stage of the system development life cycle (SDLC) is the most cost-effective way to address flaws at the earliest opportunity.
• Software reengineering is the process of updating a system to enhance its functionality and make it better and more efficient.
• Reverse engineering is the process of detailed analysis and study of a system with the objective of developing a similar system.
• Changeover is the process of shifting to a new system and stopping the use of the old system.
• Parallel changeover: the new and old systems are operated in parallel for some time. Once the users are confident about the new system, the old system may be discontinued.
• Phased changeover: changes are implemented in a phased manner. The system is broken into different phases, and each old phase is gradually replaced by a new phase.
• Abrupt changeover: a new system is implemented from a cut-off date and the old system is completely discontinued once the new system is implemented. This process is also known as direct cutover. It is considered the riskiest approach, with no scope for rollback if the new system fails.
System Accreditation and Certification
• Certification and accreditation (C&A) is a process for implementing any formal process.
• Certification is a comprehensive evaluation of a process or system, typically measured against defined norms or standards.
• Accreditation is the formal declaration by a neutral third party that the certification program is administered in a way that meets the relevant norms or standards of the certification program.
• With respect to information security, system accreditation is the process of approving the security and control functionality of a system and authorizing its implementation by a senior manager.
• By accrediting a system, the manager accepts the associated risk of the system.
Continuous Auditing Techniques
Integrated test facility (ITF):
• In an ITF, a fictitious entity is created in the production environment.
• The auditor may enter test or dummy transactions and check the processing and results of these transactions for correctness.
• Processed results and expected results are compared to check the proper functioning of the system.
System control audit review file (SCARF):
• In this technique, an audit module is embedded (built in) into the organization's host application to track transactions on an ongoing basis.
• SCARFs record transactions above a specified limit or deviation/exception-related transactions.
• These transactions are then reviewed by the auditor.
• SCARFs are useful when regular processing cannot be interrupted.
Snapshot technique:
• This technique captures snapshots (pictures) of a transaction as it is processed at different stages in the system.
• Details are captured both before and after execution of the transaction. The correctness of the transaction is verified by validating the before-processing and after-processing snapshots.
• Snapshots are useful when an audit trail is required.
Audit hook:
• Audit hooks are embedded in the application system to capture exceptions.
• The auditor can set different criteria to capture exceptions or suspicious transactions.
• Audit hooks are helpful in the early identification of irregularities, such as fraud or error.
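The four techniques above all amount to code living inside the host application. The block below is an added example, not from the original slides or any audit product: a constructed account-transfer function with an embedded audit module that writes a SCARF file for transactions over a limit or in exception, stores before/after snapshots that can be re-verified, evaluates auditor-defined hook criteria, and carries a fictitious "ITF-TEST" account so a dummy transaction can be processed alongside real ones. The account names, limits and criteria are all constructed.

```python
"""Added example: an embedded audit module combining SCARF-style threshold
capture, before/after snapshots and auditor-defined hooks, wrapped around a
constructed account-transfer function. Not from the original page."""
import copy

class AuditModule:
    def __init__(self, scarf_limit, hook_criteria):
        self.scarf_limit = scarf_limit        # SCARF: record transactions above this amount
        self.hook_criteria = hook_criteria    # audit hooks: (name, predicate) pairs
        self.scarf_file = []                  # records kept for the auditor's later review
        self.snapshots = []                   # before/after images of every transaction
        self.hook_hits = []                   # suspicious transactions caught by the hooks

    def record(self, txn, before, after, ok):
        # Snapshot technique: keep the before- and after-processing images.
        self.snapshots.append({"txn": txn, "before": before, "after": after, "ok": ok})
        # SCARF: capture large or exception transactions without interrupting processing.
        if txn["amount"] > self.scarf_limit or not ok:
            self.scarf_file.append({"txn": txn, "reason": "limit" if ok else "exception"})
        # Audit hooks: evaluate each of the auditor's criteria.
        for name, pred in self.hook_criteria:
            if pred(txn):
                self.hook_hits.append({"txn": txn, "criterion": name})

def transfer(accounts, txn, audit):
    """Constructed host-application function: move funds between accounts."""
    before = copy.deepcopy(accounts)
    ok = accounts.get(txn["from"], 0) >= txn["amount"]
    if ok:
        accounts[txn["from"]] -= txn["amount"]
        accounts[txn["to"]] = accounts.get(txn["to"], 0) + txn["amount"]
    audit.record(txn, before, copy.deepcopy(accounts), ok)
    return ok

def verify_snapshot(snap):
    """Snapshot check: the after-image must equal the before-image adjusted by the transaction."""
    expected = dict(snap["before"])
    if snap["ok"]:
        t = snap["txn"]
        expected[t["from"]] -= t["amount"]
        expected[t["to"]] = expected.get(t["to"], 0) + t["amount"]
    return expected == snap["after"]

def run_demo():
    """Process three constructed transactions and return the audit module and balances."""
    accounts = {"A": 1000, "B": 50, "ITF-TEST": 10}   # ITF-TEST is the fictitious test entity
    audit = AuditModule(scarf_limit=500, hook_criteria=[
        ("after_hours", lambda t: t["hour"] < 6 or t["hour"] > 20),
        ("round_amount", lambda t: t["amount"] >= 100 and t["amount"] % 100 == 0),
    ])
    txns = [
        {"from": "A", "to": "B", "amount": 700, "hour": 23},        # over limit, after hours
        {"from": "B", "to": "A", "amount": 5000, "hour": 10},       # exception: insufficient funds
        {"from": "ITF-TEST", "to": "B", "amount": 1, "hour": 11},   # ITF dummy transaction
    ]
    for t in txns:
        transfer(accounts, t, audit)
    return audit, accounts
```

The module never blocks a transaction; it only records, which is what makes the SCARF and snapshot techniques usable where processing cannot be interrupted. The hook criteria are plain predicates so an auditor can change them without touching the transfer logic.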
Emerging Trends in Technology
Bring your own device (BYOD):
• Organizations should have an approved BYOD policy.
• An organization cannot escape its liability even if the data is leaked through an employee's personal device.
• Periodic awareness training on the use of BYOD should be organized.
• If corporate data is stored on personal devices, the data should be properly encrypted and a remote data wipe facility should be enabled to wipe all data in case the device is lost or stolen.
Virtualized desktop for BYOD:
• In a virtualized desktop setup, users can access their respective desktops from any remote location.
The Internet of Things (IoT):
• IoT is a concept wherein devices have the ability to communicate and transfer data with each other without any human interference (for example, Alexa or Google Assistant).
• A risk practitioner should consider the following risks with respect to IoT:
• The impact of IoT on the health and safety of human life
• Regulatory compliance with respect to the use of IoT
• The impact of IoT on user privacy
• The impact of IoT on device vulnerabilities
Information Security Principles
• Risk practitioners need sufficient knowledge of technology to evaluate new technology and to provide effective advice about deploying it within acceptable risk boundaries.
• Risk practitioners need to pay special attention to older (legacy) systems, as their original design may not support current security standards. It may not be feasible to replace or upgrade legacy systems due to heavy dependency on them; in such cases, the risk practitioner needs to ensure that appropriate compensating controls are in place.
• Segregation of duties (SoD) is the process of assigning responsibility for different functions of a job to separate individuals so as to prevent or detect irregularities and fraud.
• SoD also includes requiring two people to participate in a task simultaneously, which is known as dual control.
• Implementing role-based access is a preventive method to address the risk of violation of segregation of duties.
• Job rotation and mandatory vacation play a dual role: improving employee productivity as well as helping to detect fraud or other irregularities.
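Role-based access as a preventive SoD control, and dual control, can both be expressed as small checks at the point where roles are assigned and approvals are granted. The block below is an added example, not from the original slides: the role names and the conflict pairs are constructed, and the detective report at the end shows how the same conflict matrix can be run over existing assignments (for example, a legacy system's user list) to find violations that were never prevented.

```python
"""Added example: role-based access that prevents segregation-of-duties
conflicts, a dual-control rule for approvals, and a detective SoD report.
Role names and conflict pairs are constructed. Not from the original page."""

# Constructed conflict matrix: pairs of roles one person must never hold together.
SOD_CONFLICTS = {
    frozenset({"vendor_create", "payment_approve"}),
    frozenset({"payment_initiate", "payment_approve"}),
    frozenset({"developer", "prod_deploy"}),
}

def assign_role(user_roles, user, role):
    """Preventive control: add a role only if it creates no SoD conflict.
    Returns (accepted, reason)."""
    current = user_roles.setdefault(user, set())
    for held in current:
        if frozenset({held, role}) in SOD_CONFLICTS:
            return False, f"SoD conflict: {held} + {role}"
    current.add(role)
    return True, "ok"

def approve_payment(user_roles, payment, approvers):
    """Dual control: two distinct approvers holding the approve role, neither of
    whom initiated the payment."""
    distinct = set(approvers)
    if len(distinct) < 2:
        return False
    if payment["initiator"] in distinct:
        return False
    return all("payment_approve" in user_roles.get(a, set()) for a in distinct)

def sod_report(user_roles):
    """Detective control: list users who already hold a conflicting role pair."""
    findings = []
    for user, roles in user_roles.items():
        for pair in SOD_CONFLICTS:
            if pair <= roles:
                findings.append((user, tuple(sorted(pair))))
    return findings
```

The preventive check runs at assignment time, so a conflict is refused before the user ever holds both roles; the detective report is what a risk practitioner would run periodically, alongside the access-rights review mentioned under data life cycle management, to catch conflicts introduced outside the normal process.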
Factors of Authentication
• Something you know (for example, a password, PIN or some other personal information)
• Something you have (for example, a token, one-time password or smart card)
• Something you are (for example, biometric features such as a fingerprint, iris scan or voice recognition)
• Biometric verification is a process through which a person can be uniquely identified and authenticated by verifying one or more of their biological features. Examples of biometric identifiers include palm, hand geometry, fingerprints, retina and iris patterns, voice and DNA.
• Retina scan is considered the most accurate and reliable identifier, with the lowest FAR.
• Two-factor authentication means the use of two authentication methods from the preceding list.
Biometrics – accuracy measures:
• False acceptance rate (FAR): the rate of acceptance of a false person (that is, an unauthorized person).
• False rejection rate (FRR): the rate of rejection of the correct person (that is, an authorized person).
• Crossover error rate (CER) or equal error rate (EER): the rate at which the FAR and FRR are equal. The biometric system with the lowest CER or EER is the most effective system.
• FAR and FRR are inversely proportional: an increase in the FAR results in a decrease in the FRR, and vice versa.
Source: Doshi, Hemang. CRISC Exam Study Guide: Aligned with latest CRISC Review Manual (2021), p. 439. Kindle Edition.
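The FAR/FRR trade-off and the crossover point are clearer when computed from actual matcher scores. The block below is an added example, not from the original slides or the study guide: the genuine and impostor similarity scores are constructed for a hypothetical matcher, and the functions sweep the decision threshold to show FAR falling and FRR rising as it increases, then locate the threshold where the two rates are equal.

```python
"""Added example: FAR, FRR and the crossover/equal error rate computed from
constructed biometric matching scores. Not from the original page."""

# Constructed similarity scores (0-100) from a hypothetical biometric matcher.
GENUINE_SCORES = [92, 88, 85, 80, 78, 75, 70, 66, 60, 55]     # enrolled, authorized users
IMPOSTOR_SCORES = [20, 25, 30, 38, 45, 50, 58, 62, 68, 74]    # unauthorized users

def far(threshold, impostor=IMPOSTOR_SCORES):
    """False acceptance rate: fraction of impostors scoring at or above the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)

def frr(threshold, genuine=GENUINE_SCORES):
    """False rejection rate: fraction of genuine users scoring below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)

def error_curve(thresholds=range(0, 101)):
    """(threshold, FAR, FRR) for every candidate threshold; FAR falls as FRR rises."""
    return [(t, far(t), frr(t)) for t in thresholds]

def crossover_error_rate(thresholds=range(0, 101)):
    """CER/EER: the first threshold where |FAR - FRR| is smallest, and the rate there."""
    t, a, r = min(error_curve(thresholds), key=lambda row: abs(row[1] - row[2]))
    return t, (a + r) / 2

if __name__ == "__main__":
    for t, a, r in error_curve(range(40, 81, 10)):
        print(f"threshold={t:3d}  FAR={a:.1f}  FRR={r:.1f}")
    print("CER at threshold %d = %.2f" % crossover_error_rate())
```

Lowering the threshold lets more impostors through (higher FAR) while rejecting fewer genuine users (lower FRR), which is the inverse relationship the slide states; comparing two systems by their CER removes the threshold choice from the comparison.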
Factors of Authentication
Types of biometric attacks:
• Replay attack: the attacker makes use of residual biometric characteristics (such as fingerprints left on a biometric device) to gain unauthorized access.
• Brute-force attack: the attacker sends numerous biometric samples with the objective of making the biometric device malfunction.
• Cryptographic attack: the attacker attempts to obtain information by targeting the algorithms or the encrypted information transmitted between biometric devices and access control systems.
• Mimic attack: the attacker attempts to reproduce a fake biometric feature of a genuine biometric user, for example by imitating the voice of an enrolled user.
Single Sign-On
• Single sign-on (SSO) is a user authentication service that permits a user to use one set of login credentials (for example, a name and password) to access multiple applications.
• It is important to enforce strong password complexity in this kind of environment.
• One example of SSO is Kerberos. Kerberos is an authentication service used to validate services and users in a distributed computing environment.
Advantages of SSO:
• Multiple passwords are not required. This encourages users to select a strong password.
• Reduces administrative overhead costs for resetting passwords, due to a lower number of IT help desk calls about passwords.
• Reduces the time taken by users to log in to multiple applications.
Disadvantages of SSO:
• SSO acts as a single authentication point for multiple applications, which constitutes a risk of a single point of failure.
• Support for all major operating system environments is difficult.
Cryptography
• Cryptography is defined as the art or science of secret writing using techniques such as encryption.
• Encryption is the process of converting data into unreadable code so that it cannot be accessed or read by unauthorized people.
• This unreadable data can be converted back into readable form by the process of decryption.
• Encryption can be of two types: symmetric encryption and asymmetric encryption.
Symmetric encryption:
• A single key is used to encrypt and decrypt the messages.
• Comparatively faster computation and processing.
• The disadvantage of symmetric encryption is the need to share the key with the other party.
Asymmetric encryption:
• Two keys are used, a public key and a private key: one for encryption and the other for decryption.
• A message encrypted with one key can be decrypted only by the other key.
• Comparatively slower computation and processing.
Cryptography
Encryption keys:
• Sender's private key: available only to the sender.
• Sender's public key: available in the public domain; can be accessed by anyone.
• Receiver's private key: available only to the receiver.
• Receiver's public key: available in the public domain; can be accessed by anyone.
Offers:
• Confidentiality: the receiver's public key is used to encrypt the message and the receiver's private key is used to decrypt it.
• Authentication and non-repudiation: the sender's private key is used to encrypt the message and the sender's public key is used to decrypt it.
• Integrity:
• The sender creates a hash of the message.
• This hash is encrypted using the sender's private key.
• The message is sent to the receiver along with the encrypted hash.
• The receiver does two things: first, he decrypts the hash value using the sender's private key, and second, he recalculates the hash of the received message.
• The receiver compares both hashes; if both hash values are the same, the message is considered correct, complete and accurate.
Digital Signature
• A digital signature is a process wherein a digital code is attached to an electronically transmitted document to verify its contents and the sender's identity.
Steps for creating a digital signature:
• Step 1: Create a hash (message digest) of the message.
• Step 2: Encrypt the hash (as derived above) with the private key of the sender.
• A hash function is a mathematical algorithm which gives a unique, fixed-length string for any given message. It must be noted that the hash value will be unique for each message.
• Step 3: The receiver calculates the hash value of the message.
• Step 4: Then he decrypts the digital signature using the public key of the sender.
• Step 5: Now he compares the two values derived.
• If both tally, it proves the integrity of the message.
• A digital signature ensures integrity (message not tampered with), authentication (message sent by the sender) and non-repudiation (sender cannot deny sending it), but not confidentiality.
Public Key Infrastructure
• A public key infrastructure (PKI) is a set of rules and procedures for the creation, management, distribution, storage and use of digital certificates and public key encryption.
• Digital certificate: an electronic document used to prove the ownership of a public key. A digital certificate includes information about the key, the owner of the key and the digital signature of the issuer of the certificate.
• Certifying authority (CA): an entity that issues digital certificates.
• Registration authority (RA): an entity that verifies user requests for digital certificates and recommends that the certificate authority issue them.
• Certificate revocation list (CRL): a list of digital certificates which have been revoked and terminated by the certificate authority before their expiry date; these certificates should no longer be trusted.
Process involved in PKI:
• Step 1: The applicant applies to the certifying authority (CA) for issuance of a digital certificate.
• Step 2: The certifying authority (CA) delegates the verification process to the registration authority (RA).
• Step 3: The registration authority (RA) verifies the correctness of the information provided by the applicant.
• Step 4: If the information is correct, the RA recommends that the CA issue the certificate.
• Step 5: The certifying authority (CA) issues the certificate and manages it through its life cycle.
• The CA also maintains details of certificates that have been terminated or revoked before their expiry date. This list is known as the certificate revocation list (CRL).
• The CA also maintains a document called the certification practice statement (CPS), containing the standard operating procedures (SOP) for issuance and management of certificates.
• The private key of the certificate authority is used to issue the digital certificates of all parties in the public key infrastructure.
Information Security Awareness Training
• Security awareness training is the most important element of an information security program.
• In the absence of a structured and well-defined security awareness training program, the security program will not provide the desired results. It is not possible to address security risks through technical security measures alone.
• It is important to address the behavioural aspects of employees through continuous awareness and education.
• The most effective way to increase the effectiveness of training is to customize it for the target audience and to address the systems and procedures applicable to that particular group.
• For new joiners, the security awareness program should be part of the orientation program. It must be ensured that the user has been trained on acceptable use of information resources before any system or data access is provided.
• The security manager should design quantitative evaluation criteria to determine the effectiveness of security training and user comprehension.
• Adherence to information security requirements is the best way to monitor the effectiveness of security programs. If exceptions are minimal, it indicates that employees are aware of the security requirements.
• More exceptions indicate a lack of awareness amongst employees and that the information security program is not effective.
Data Privacy
• Privacy is the right of the individual to demand the utmost care of their personal information that has been shared with any organization or individual.
• Individuals can demand that the use of their information be appropriate, legal and for the specific purpose for which the information was obtained.
Privacy principles:
• Organizations should specify the purposes for which personal information is collected.
• Organizations are required to retain personal information only as long as necessary.
• Organizations should have appropriate security safeguards for protecting personal information.
• Organizations should obtain appropriate consent before the transfer of personal information to another jurisdiction.
• Organizations should have an appropriate process for reporting compliance with privacy policy, standards and laws.
• Organizations should have an appropriate governance mechanism over third-party service providers processing private data on behalf of the organization.
• Organizations should comply with applicable data protection regulations for the transfer of personal information across country borders.
Data Privacy
• An organization should conduct a privacy impact assessment (PIA) to determine and manage the risk related to privacy.
• The objective of a privacy impact assessment is to determine how well the organization's processes adhere to privacy regulations.
• The first and most important step is to identify the privacy-related data within the organization.
• DLP is a proactive approach to protecting personally identifiable information. DLP is a technical control to ensure that selected data does not leave the organization's network.
• Privacy by design embeds privacy principles within all processes and infrastructure of the organization.
Attack Methods
• Botnets: Botnets are compromised computers, also known as zombie computers.
• Buffer overflow: A buffer overflow, or buffer overrun, is a common software coding mistake that an attacker could exploit to gain access to the system.
• Cross-site scripting (XSS): XSS attacks are a type of injection in which malicious scripts are injected into trusted websites. Such malicious scripts are injected through a user input field; hence poorly validated user input fields are generally exposed to cross-site scripting.
• Denial of service (DoS) attack: A DoS attack intends to shut down a network or machine by flooding it with traffic.
• Data diddling: Data diddling is a type of attack in which data is altered as it is entered into a computer system.
• Dumpster diving: Dumpster diving is a technique to retrieve sensitive information from trash or a garbage bin.
• Trojan horse: In this attack, malicious software is disguised as legitimate software. Once installed on the system, it starts taking control of the user's system.
• Logic bomb: A program that executes when a certain event happens. For example, a logic bomb can be set to delete files or a database at a future date.
• Trap door: Also known as a back door.
• Man-in-the-middle attack: In this attack, the attacker interferes while two devices are establishing a connection. Alternatively, the attacker actively establishes a connection with each of the two devices and pretends to each of them to be the other device.
Attack Methods
• Masquerading: In this type of attack, the intruder hides his original identity and acts as someone else. This is done to access restricted systems or data.
• IP spoofing: In IP spoofing, a forged IP address is used to break a firewall.
• Pharming: In this type of attack, traffic for a website is redirected to a bogus website.
• Piggybacking: In this type of attack, the intruder follows an authorized person through a secured door and thus enters the restricted area without authentication.
• Salami: In this technique, small amounts of money are sliced from a computerized transaction and transferred to unauthorized accounts.
• Social engineering: In a social engineering attack, an attempt is made to obtain sensitive information from users by tricking and manipulating people.
• Shoulder surfing: In a shoulder surfing attack, an intruder or a camera captures sensitive information by looking over the shoulder of the user entering details on a computer screen.
• Passive attacks are types of attack in which information is only captured; the traffic is not modified, inserted or deleted. Examples of passive attacks include traffic analysis, network analysis and eavesdropping.
• Structured Query Language (SQL) injection: A SQL injection attack consists of the insertion or "injection" of a SQL query via the input data to the application.
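The two injection entries on these slides, XSS and SQL injection, share the same root cause (user-supplied data is interpreted as code) and the same two fixes: parameterized queries and output encoding. The block below is an added example, not from the original slides: it puts the vulnerable lookup and rendering functions beside their hardened forms and runs them against an in-memory SQLite table of constructed users, using the textbook tautology string as the test input so the difference in behaviour is visible.

```python
"""Added example: SQL injection and cross-site scripting shown as a vulnerable
function beside its hardened form, run against an in-memory SQLite table of
constructed users. Not from the original page."""
import html
import sqlite3

def make_db():
    """Constructed users table; the rows are made up for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, display_name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "Alice", "alice-secret"),
        ("bob", "Bob <b>the builder</b>", "bob-secret"),
    ])
    return conn

# Vulnerable: the input is spliced into the query text, so SQL syntax inside the
# input changes the meaning of the query (the slide's "injection via input data").
def lookup_vulnerable(conn, username):
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]

# Hardened: a parameterized query passes the input to the database as a value,
# so it can never be parsed as SQL.
def lookup_safe(conn, username):
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]

# Vulnerable: stored data is rendered straight into HTML (a stored XSS path).
def render_vulnerable(display_name):
    return f"<p>Welcome, {display_name}</p>"

# Hardened: output encoding turns markup characters into inert entities.
def render_safe(display_name):
    return f"<p>Welcome, {html.escape(display_name)}</p>"

def demo():
    """Run both variants on the same inputs and return the results side by side."""
    conn = make_db()
    probe = "' OR '1'='1"        # textbook tautology used in injection testing
    return {
        "vulnerable": lookup_vulnerable(conn, probe),   # every row comes back
        "safe": lookup_safe(conn, probe),               # no such username: nothing
        "html_vulnerable": render_vulnerable("Bob <b>the builder</b>"),
        "html_safe": render_safe("Bob <b>the builder</b>"),
    }
```

The hardened lookup is not doing any filtering of the input; it simply never lets the input reach the SQL parser, which is why parameterization is preferred over the blacklisting of characters described under data validation. The same holds for the HTML case: encoding at output time protects even data that was stored before any validation rule existed.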