<\/p>\n\n\n\n
DISCUSSION BOARD: Protecting Availability<\/span><\/strong> As CFO, \u201cAvailability\u201d in the CIA triad means keeping the data Opportunities for Workplace Deviance<\/span><\/strong><\/p>\n\n\n\n How has cyber technology created opportunities for workplace deviance?<\/p>\n<\/div>\n\n\n\n In a general concept, workplace deviance is characterized by:<\/p>\n\n\n\n Taking this general concept and applying to how cyber technology contribute to workplace deviance are:<\/p>\n\n\n\n Just a couple of examples; however technological advancement created a lot of opportunities for workplace deviance.<\/p>\n<\/div>\n<\/div>\n\n\n\n Write-Up Assignments 1 <\/strong> Write-Up CIA Triad Write-Up Assignments 2<\/strong> Write-Up – SCADA Systems Write-Up Assignments 3<\/strong> Discussion Assignments DISCUSSION BOARD: Protecting AvailabilityIn this discussion board, you are the CISO for a publicly traded company. Whatprotections would you implement to ensure availability of your systems (and why)? As CFO, \u201cAvailability\u201d in the CIA triad means keeping the dataavailable when needed. To manage cybersecurity risks, I can utilizethe NIST framework to create profiles…. <\/p>\n
In this discussion board, you are the CISO for a publicly traded company. What
protections would you implement to ensure availability of your systems (and why)?<\/p>\n<\/div>\n\n\n\n
available when needed. To manage cybersecurity risks, I can utilize
the NIST framework to create profiles. Starting by understanding
organizational resources, evaluating the current framework. Build the
best possible fortress to protect company data.
Deploying and making sure that server security is up to date, if
physical security measures are taken properly, along with disaster
recovery measures\u2013in case of emergency, server fails the availability
protocol is breached. Ensure strong password policy. Along with
authorization policy so that those who require access are
appropriately assigned access levels with authorization level. Making
sure that individuals can not access information which they are not
supposed to access to mitigate information breach or leak which
could potentially lead to server failure. Most importantly, conducting
employee awareness training is the fundamental part. Raising
awareness of phishing, Email spoofing, social engineering.
It is believed widely that if you see incompatibilities in \u201cavailability\u201d is
a \u201ccanary in the coalmine\u201d, as such I will be responsible for
safeguarding company data at the entry point of the company.<\/p>\n<\/div>\n<\/div>\n<\/div><\/div>\n\n\n\n\n
\n
Write-Up Assignments<\/strong><\/mark><\/h2>\n\n\n\n
Using the\u00a0Chai Article\u00a0(Links to an external site.)<\/a>, along with additional research you will conduct on your own, describe the CIA Triad, and the differences between Authentication & Authorization, including an example.<\/p>\n\n\n\n
<\/mark><\/strong>CIA triad is also known as AIC triad. CIA is abbreviated for \u201cConfidentiality\u201d,
\u201cIntegrity\u201d and \u201cAvailability.\u201d It is a model designed for organizations to create security
policies and used as a basis for the development of security systems.
Confidentiality involves the efforts to make sure company\u2019s information is secure
and private. For example, access to personal information of employees such as resumes,
addresses, phone numbers should be limited to HR or certain executives.
Integrity involves the efforts to maintain data being accessed, viewed or transported
from being altered wrongfully. For example, information in the email was intercepted by
malicious actor and altered meaning data has lost its integrity.
Availability involves the people can access the information when is needed and it is
done so by appropriate personnel. It is important to reflect the policy of confidentiality and
integrity.
Difference between authentication and authorization
Commonly, authentication is a process to verify the identity of user trying to access,
in other words login to the service. Authorization is a process to determine what the user is
granted to perform. According to the authentication level set in the application or
computer, each user can perform is what is authorized to do. Common example is when a
user tries to access some page in application or service then gets an error message. This is
because the user does not have access rights, meaning an unauthorized access.<\/p>\n<\/div>\n<\/div>\n\n\n\n
In this write-up you will use the\u00a0SCADA SystemsLinks to an external site.<\/a>\u00a0article, along with your own research, to explain the vulnerabilities associated with critical infrastructure systems, and the role SCADA applications play in mitigating these risks.<\/p>\n\n\n\n
<\/mark><\/strong>To explain and better understand the vulnerabilities associated with critical infrastructure
systems, and the role SCADA applications play in mitigating these risks, I used SCADA
Systems1<\/a><\/sup> and One Flaw too Many: Vulnerabilities in SCADA Systems2<\/a><\/sup>.
SCADA is an automation system for monitoring and managing industrial processes and devices.
The system consists of multiple contact points that work as data collection sensor monitors
within the network. Each technology can create vulnerabilities.
\u25cf HMI can be accessed remotely anywhere by using mobile devices
\u25cf There are many technology solutions provided to enhance HMI system. PaaS, Saas
applications such as DeltaV SaaS SCADA3<\/a><\/sup>3
\u25cf Vulnerabilities are reported Through the communication protocol of PLC or RTU which
acts as a microprocessor and collects data from industrial equipment.
The most vulnerable part of the SCADA system is the control interface\u2013Human Machine
Interface. HMI is where human operators can visually manage and monitor information, sensors,
make critical decisions related to the condition of system, and troubleshoot.
Therefore, to mitigate the potential risk, it is important to
\u25cf Evaluate and ensure that each technology solution do not bring potential vulnerabilities.
\u25cf Enforcing MFA, not accessing from public wifi \u2013HMI can be accessed remotely anywhere
by using mobile devices
\u25cf Access level management (RBAC)
\u25cf Security awareness training
SCADA vendors such as, SIEMENS provide routers to address communication vulnerabilities
with industrial VPN, and firewall solutions4<\/a><\/sup>.4 Because SCADA solution is provided by multiple
vendors, companies or the government might select the lowest cost solution. However,
considering the risk that can potentially be caused to the infrastructure system. Companies
should carefully select the solution and enforce security training to further prevent potential
threats.<\/p>\n\n\n\n
During this week’s reading, you’ve been exposed to different points of view regarding human contribution to cyber threats.\u00a0 Now, put on your Chief Information Security Officer hat.\u00a0 Realizing that you have a limited budget (the amount is unimportant), how would you balance the tradeoff of training and additional cybersecurity technology?\u00a0 That is, how would you allocate your limited funds?\u00a0 Explain your reasoning.
Write-Up Human Factor
<\/mark><\/strong>It is important to focus on the return on investments and maximizing the security return.
Since the human factor is the weakest link to cyber threats\u2013commonly believed that 85% is
accounted for regardless the size of the organization. Cybersecurity training to address human
error is a high-return investment.
Although often cited in multiple sources from the return on investment point of view, is that the
result of security awareness training is unmeasurable. However, enabling employees to
recognize threats contributes to prevention. According to Infosec5<\/a><\/sup>, Cost to remediate from
security incidents after proper security training is approximately 10% lower. Reduction in
incidents leads to productivity gain and financial gain, as I learned from Linkedin article6<\/a><\/sup>.
That said, a balanced cost distribution is essential. Within the allocated budget,
estimating the cost of preventive measures for roughly 65% on technology investments to 35%
on awareness training. After conducting the risk assessment to determine what is required to
fortify security measures. Then, I would like to explore what type of technology update will be
beneficial to reduce human error further.<\/p>\n\n\n
ump5:~:text=for%20your%20organization.-,Step%201%3A%20measure%20your%20security%20costs,-
To%20measure%20the \u21a9\ufe0e<\/a><\/li>