Information Security Risks
FIGURE 18.2 Flash questionnaire for information security assessment
RISING OPERATIONAL RISKS
FIGURE 18.3 Information security risk assessment matrix (fictitious)
Figure content: a matrix of Likelihood (Rare, Unlikely, Moderate, Likely, Very likely) against Impact (Trivial, Minor, Moderate, Major, Extreme) on which the following eleven risks are plotted:
1. Digital: hacking, virus infection, phishing and other cyberattacks
2. Physical: theft, social engineering
3. Disaster, systems disruptions, third-party failure
4. Digital: infiltrated employee/contractor
5. Physical theft, prints, verbal information
6. Database, backup loss
7. Loss of devices
8. Errors and slips when sending documents (email recipients or attachments)
9. Loss/wrong disposal of printed documents
10. Error or slips when communicating to outsiders
11. Loss of archives
FIGURE 18.4 Revised assessment with additional controls
Figure content: the same eleven risks as Figure 18.3, re-plotted on the Likelihood (Rare to Very likely) against Impact (Trivial to Extreme) matrix after additional controls.
FIGURE 18.5 Scenario structuring in cybersecurity
Figure content: core data protected by successive filters (Filter, Filter 2, Filter 3); the controls shown are Prevention, Detect, Destroy, Honeypot, Backup, and Resilience and recovery. Each control carries an L-M-H range of probability of failing; simulations are run over the different possible combinations, LLL to HHH, giving the probability of failure, an L-M-H range of data corrupted or stolen, the time to detection (L-M-H) and the volume of data lost.
elements to the scenario can include detective controls, incident management and technical recovery or communication management. Including post-event mitigation will deliver more realistic estimates and highlight the importance of crisis management as a damage control mechanism.
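The filter-and-simulation structure of Figure 18.5 and the paragraph above, worked as a small model (an added example, not code from the book): three independent filters rated L/M/H for their probability of failing, every combination from LLL to HHH enumerated, and the expected volume of data lost computed with and without the post-event filters. All failure probabilities, data volumes and detection shares are constructed assumptions.

```python
"""Scenario structuring for a cyber data-loss scenario in the shape of
Figure 18.5: filters (prevention, detection, backup) that each fail with a
Low/Medium/High probability, then the loss drivers (core data at risk, share
lost before detection). Every number is a constructed assumption."""
import itertools

LEVELS = "LMH"
# Probability that one filter (control) fails, by L/M/H rating (constructed).
FILTER_FAILURE = {"L": 0.05, "M": 0.20, "H": 0.50}
# Records of core data corrupted or stolen if every filter fails (constructed).
DATA_AT_RISK = {"L": 1_000, "M": 10_000, "H": 100_000}
# Share of that data actually lost, driven by time to detection (constructed).
LOST_BEFORE_DETECTION = {"L": 0.10, "M": 0.50, "H": 1.00}


def scenario_probability(filter_levels):
    """P(all filters fail) for a rating string such as "LMH", one letter per
    filter; the filters are assumed to fail independently."""
    p = 1.0
    for level in filter_levels:
        p *= FILTER_FAILURE[level]
    return p


def run_filter_combinations(n_filters=3):
    """Every combination LLL..HHH with its probability of failure, worst
    first: the 'simulate different possible combinations' step."""
    combos = {"".join(c): scenario_probability(c)
              for c in itertools.product(LEVELS, repeat=n_filters)}
    return sorted(combos.items(), key=lambda item: item[1], reverse=True)


def expected_loss(filter_levels, data_level, detection_level):
    """Expected records lost = P(failure) x data at risk x share lost."""
    return (scenario_probability(filter_levels)
            * DATA_AT_RISK[data_level] * LOST_BEFORE_DETECTION[detection_level])


def mitigation_effect(prevention_level, data_level, post_event_level="M"):
    """Estimate with the preventive filter alone (everything at risk is lost)
    versus the estimate that adds detection and backup filters plus a
    time-to-detection rating, i.e. post-event mitigation."""
    naive = expected_loss(prevention_level, data_level, "H")
    mitigated = expected_loss(prevention_level + post_event_level * 2,
                              data_level, post_event_level)
    return naive, mitigated
```

With the constructed figures, a Medium-rated preventive control protecting High-volume data gives an expected loss of 20,000 records when nothing after the breach is modelled, but 400 records once Medium-rated detection, backup and time to detection are included.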
MITIGATION: BEHAVIORAL AND TECHNICAL MEASURES
It would require a book in its own right to fully explore the extensive variety of information controls. Here, we highlight just some of the main steps that organizations take to mitigate information risks.
The protection of information has three dimensions that are often referred to as
CIA: confidentiality, integrity, availability. The first two concern information security
while the third relates to business continuity and systems uptime.
There are two broad categories for information controls:
■ Behavioral controls: these address human behaviors and fallibility when it comes to handling and protecting information. The controls include awareness campaigns, rules of conduct and prudence for employees and contractors, online training, password management, supervision and sanctions. They apply to all types of information security risks, not just cyberattacks.
■ Technical controls: these relate to all technical aspects of systems, either for prevention or for detection. Preventive controls relate to system architecture, access, firewalls, encryption, passwords or patching and are essentially directed at external threats. Detective controls provide early warnings of data leaks, whether initiated internally or externally, like DLPD (data leak prevention and detection) techniques.[6] Finally, mitigating controls focus on keeping redundancies and backups offline.[7]
Table 18.2 presents a non-exhaustive list of key controls for information security.
The number and intensity of the controls are also a matter of risk appetite and
consistency of choices. Although every firm will claim zero tolerance for information
security breaches, they do not necessarily have the same level of commitment to
TABLE 18.2 Some key controls in information security