Chapter Cyber Sec

Cybersecurity involves protecting systems, networks and data from malicious attacks. Key aspects of cybersecurity include confidentiality, integrity and availability of data and systems. Ethical issues in cybersecurity include privacy violations from threats such as identity theft, hacking and data breaches. Organizations implement security controls and policies around data collection, retention and breach disclosure to address these issues and comply with relevant laws and regulations. While cloud computing provides benefits of scalability and access to shared resources, it also presents security tradeoffs regarding access controls and vulnerability management across public, private and hybrid cloud models.

Uploaded by Noura bt

Chapter #1:

 What is Cybersecurity?
- Cybersecurity is the practice of protecting computers, servers, mobile devices,
electronic systems, networks, data and programs from malicious attacks. It is also
known as information technology security or electronic information security.

- These cyberattacks are usually aimed at:
1. Accessing sensitive information
2. Changing sensitive information
3. Destroying sensitive information
4. Extorting money from users
5. Interrupting normal business processes

 What is Ethics?
- Ethics in the broadest sense refers to the concern that humans have always had for
figuring out how best to live.

- As an academic field of study, it belongs primarily to the discipline of philosophy,
where it is studied at either:
- the theoretical level ('what is the best theory of the good life?')
- the practical level ('how should we act in this or that situation, based upon our
best theories of ethics?')

 Ethics in Cybersecurity
- Cybersecurity ethics is a new and under-researched field.
- With increasing attention being paid to cybersecurity, from hacking attacks on major
corporations to attacks on critical national infrastructure, liberal democratic governments
and corporations are looking to academia for guidance on how to respond ethically.
 Data protected by the CIA Triad
- Confidentiality: protects information or systems from disclosure or exposure to
unauthorized parties; data must be protected from unauthorized access.

- Integrity: involves maintaining the consistency, accuracy, trustworthiness and originality of
data over its entire life cycle.

- Availability: enables authorized users (persons, computers or systems) to access information
when it is required, without interference or obstruction; data and systems must be available
when they are required by authorized parties.

 Offenses by CIA
- Offenses against the confidentiality, integrity and availability of computer and
information systems, such as:
1. Unauthorized access to data, systems or services
2. Unauthorized use of data, systems or services
3. Unauthorized interception of data
4. Unauthorized suppression, alteration, deterioration or destruction of data
5. Interference with the operation of a system
6. Misuse of data or systems
7. Denial of service or access
8. Unauthorized possession or use of passwords
9. Generally, cybercrime statutes prohibit unauthorized access
 Threats
- Threats to information systems and data fall into three categories:
1. Physical and environmental threats
Examples: natural disasters, infrastructure failures, intentional acts
2. Technical threats
Examples: unauthorized access, disclosure, destruction, alteration
3. People threats
Examples: employees, consultants, third parties, unrelated people (hackers)
- Threats may be intentional or unintentional.
 Security Controls
- Sometimes called security measures or security safeguards.
- Based on various kinds of controls (process, people and technology).

- Security controls (PDR) can be grouped into three types:
Preventive security controls (firewall, IPS)
Detective security controls (IDS, IDP)
Reactive security controls (BCM, BCP, DR)
 Important Ethical Issues in Cybersecurity
- Harms to privacy:
Some of the most common cyberthreats to privacy include:
1. Identity theft: personally identifying information is stolen and used to
impersonate victims in financial transactions (for example, taking out loans in a
victim's name or using their credit cards to make unauthorized purchases), or for other
illegitimate purposes, such as providing criminals with stolen identities.

2. Hacking and other network intrusions: used to obtain sensitive information about
individuals and their activities that can be used for the purposes of blackmail,
extortion, and other forms of unethical and/or illegal manipulation of people's will.
Privacy violations of this sort are also often used to get victims to harm the interests
of third parties.

- Harms to property:
Property can be indirectly threatened by violations of data privacy, through mechanisms such
as extortion.

However, property is often directly targeted through cyberintrusions that may seek to:
1. Misappropriate electronic funds
2. Remotely cause damage
3. Obtain bank account numbers and passwords
4. Steal valuable intellectual property such as trade secrets
5. Destroy an individual's or organization's (digital or physical) property

- Transparency and Disclosure:
Because cybersecurity is a form of risk management, and because those risks significantly
impact other parties, there is a default ethical duty to disclose those risks when known, so
that those affected can make informed decisions.

Example: it is generally agreed that if an organization discovers a critical vulnerability in
its software, it should notify its customers/clients of that discovery in a timely fashion so
that they can install a patch (if available) or take other defensive measures.

 Privacy Policy
- Privacy: an individual's right to keep one's personal information (data) out of public view.

- Privacy Policy: a statement or legal document that discloses some or all of the ways a
party gathers, uses, discloses and manages a customer's or client's data.
 Inference Controls / Statistical Disclosure Limitation
- Inference control, also known as statistical disclosure limitation, is the discipline that seeks
to protect data so they can be published without revealing confidential information that can be
linked to specific individuals among those to whom the data correspond.

- It is applied to protect respondent privacy in areas such as:
1. Official statistics
2. Health statistics
3. E-commerce (sharing of consumer data)
etc.

 Breach disclosure policy
- A data breach is a security incident in which sensitive, protected or confidential data is
copied, transmitted, viewed, stolen or used by an individual unauthorized to do so.

- Data breach notification laws are laws that require individuals or entities affected by a
data breach to notify their customers and other parties about the breach and to take specific
steps to remedy the situation, based on state legislation.

 Data collection and retention policies
- A data retention policy is a recognized and proven protocol within an organization for
retaining information for operational use while ensuring adherence to the laws and
regulations concerning it.

- The objectives of a data retention policy are to keep important information for future use or
reference, to organize information so it can be searched and accessed at a later date, and to
dispose of information that is no longer needed.

- Data retention policies within an organization are a set of guidelines that describe
which data will be archived, how long it will be kept, what happens to the data at the end of
the retention period (archive or destroy) and other factors concerning the retention of the
data.

- Part of any effective data retention policy is the permanent deletion of the retained data.
Secure deletion of data is achieved by:
1- encrypting the data when stored
2- deleting the encryption key after a specified
 Cloud security tradeoffs
- The cloud computing paradigm provides end users with on-demand access to a shared pool
of resources. Computational resources and storage are two of the most integral services of
cloud computing.

- Security lapses in public clouds:
1- Customers are unaware of where and how their data is stored.

2- The presence of zero-day vulnerabilities of which the cloud computing company may
not be aware. These tend to provide a means by which hackers can sniff data on the
public cloud, thus putting customers at risk.

3- Multiple customers having their data stored and managed by a single company
means that anyone can bypass authentication and cause severe damage.

4- Public clouds are connected to the internet; without properly secured virtual private
networking, clients' data are exposed to external attacks.

5- The problem of changing passwords regularly to shield data against external attack.

6- The huge cache of data on the public cloud makes it difficult for companies to offer
maximum security to the clients who reside in their environment.

- Security lapses in private clouds:
1- Private clouds utilize virtual machines in their operation, and if there is a
breach of communication between two or more virtual machines in the same virtual
environment, the cloud is in danger of attack.

2- The inability of private cloud owners to apply security configuration to their systems has
exposed their clouds to malicious penetration.

3- Introduction of malware into the machines by authorized persons.

- Security lapses in hybrid clouds:
1- Inability of owners to be in charge and in control of their data; they do not know whom the
cloud provider will assign to manage it, giving rise to the issue of unknown persons seeing the
contents of their data.

2- That hybrids are hosted on the internet is also a security concern, as most breaches are
conducted over the internet.

3- Unencrypted data can simply be intercepted by hackers as it journeys across different
networks on the internet. This brings us to the problem of data leakage or "data discharge",
which can occur as a result of data being transported or migrated as requested by the owners
of the data.
 Summary of the differentiation between cloud types

Property                               Public   Private  Hybrid
Data separation (segregation)          Weak     Strong   Medium
Encryption                             Medium   Strong   Medium
Physical (barricades) security         Medium   Strong   Medium
Data tenancy (residency)               Weak     Strong   Medium
Data ownership control                 Weak     Strong   Medium
Attack frequency                       Strong   Medium   Medium
Conformity (compliance with policies)  Weak     Strong   Medium
Chapter #2:
 Privacy Definition
- According to Jerry Durlak, privacy is a human value consisting of four elements he calls
rights. We put these rights into two categories:
- The first category includes three rights that an individual can use to fence off
personal information seekers.
- The second category contains those rights an individual can use to control the
amount and value of personal information given out.

1- Control of external influences:
Solitude: the right to be alone without disturbances
Anonymity: the right to have no public personal identity
Intimacy: the right not to be monitored
2- Control of personal information:
Reserve: the right to control one's personal information, including the
methods of dissemination of that information

The notion of privacy is difficult to define accurately because the definition of privacy
depends on things like:
1- Culture
2- Geographical location
3- Political systems
4- Religious beliefs
and a lot more.

Types of Privacy
- Personal Privacy: this type of privacy involves the privacy of personal attributes.
The right to privacy of all personal attributes would mean the prevention of anyone or
anything that would intrude on or violate the personal space where those attributes are.

This would include all types of intrusions, including:
1- Physical searches
2- Video recording
3- Surveillance of any type

- Institutional Privacy: institutions and organizations want their data kept private not only for
business advantages but also for the life of the business.

Data that needs to be kept private:
1- The research data
2- The sales and product data
3- The marketing strategies
4- The activities of the organization

- Informational Privacy: concerns protection against unauthorized access to the information itself.

 Informational Privacy (what we have to protect):
- Personal information: most personal information of value includes information on
personal lifestyles:
1. Religion
2. Sexual orientation
3. Political affiliations
4. Personal activities

- Financial information: important not only to individuals but also to organizations.
It is a very valued asset because it gives the organization the autonomy it needs to compete in
the marketplace.

- Medical information: very personal and very important to all of us. For
1. personal,
2. employment and
3. insurance purposes,
many people want their medical information to be private.

- Internet: in this new age, the Internet keeps track of all our activities online.
With an increasing number of people spending an increasing amount of time online in
social networks, and with digital convergence becoming a reality with every passing day,
not only will our social life be online but soon all our lives will be too. We want those
activities and habits private.

 Legal foundations of Privacy protection
The concept of privacy has played a large role in legal discussions and judgments during the
last century.

Attention will be directed to the two legal landmarks on privacy that are philosophically
richest:
1. Privacy as non-intrusion
2. Privacy as freedom to act
 Information Gathering
Have you paid enough attention to the number of junk mail, telephone calls during dinner,
and junk emails you have been getting? If so, you may have thought about who has your
name on a list and what they are doing with it.

In recent years, telemarketers have been having a field day as technological advances have
replaced the door-to-door salesman.

Many companies you have done business with may have:
1. Sold your personal information
2. Shared your personal information
with other companies, and tracing the source may be difficult.

In many cases, we do not preserve our privacy. We have helped information seekers like
companies in gathering and databasing information from us.

We do this:
- every time we apply for discount cards from:
1. Grocery stores
2. Gas stations
3. Merchandise stores
- every time we fill out information on little cards to enter contests
- every time we give out our:
1. Social Security number
2. Telephone numbers
to store clerks in department stores.

The information they collect from us is put into databases and is later sold to the highest
bidder, usually a marketer.

Information gathering is a very serious business that increasingly involves a growing
number of players; traditionally it was governments gathering mostly defensive information on
weapon systems.

However, with:
1. Globalization
2. The Internet
the doors to the information gathering field have been cast open.
Now:
1. Individuals
2. Companies
3. Organizations
4. Governments
are all competing, sometimes for the same information.

Although the problem is skyrocketing, there is minimal effort to curtail the practice. This is a
result of a number of reasons, the most important of which is that the rate at
which technology is developing is continuously outstripping our legal systems and our ability
to legislate, let alone enforce, the new laws.
 Information Gathering
Several attempts have been made, including the Gramm–Leach–Bliley Financial Services
Modernization Act, aimed at restricting financial institutions such as:
1. Banks
2. Brokerages
from sharing customers' personal information with third parties.

The Act also tries in some way to protect the customer through three requirements that the
institutions must disclose to us:
1. Privacy policy: through which the institution is bound to tell us the types of
information the institution collects and has about us and how it uses that information.

2. Right to opt out: through which the institution is bound to explain our recourse to
prevent the transfer of our data to third-party beneficiaries.

3. Safeguards: through which the institution must put in place policies to prevent
fraudulent access to confidential financial information.

 Privacy Violation and Legal implication
It is believed that privacy forms the foundation of a free and democratic society.

However, this fundamental right is violated every day in many ways. While individual privacy
rights have been violated for years, the advent of the Internet has accelerated the rate and
scale of violations.

There are numerous contributing factors or causes of violations:
1. Consumers willingly give up information about themselves when they register at
Web sites and shopping malls in order to win prizes, and in mailing solicitations.

2. Consumers lack the knowledge of how what they consider a little bit of information
can turn into a big invasion of privacy.

3. Inadequate privacy policies.

4. Failure of companies and institutions to follow their own privacy policies.
 Privacy violation and Legal implication
Some privacy violations include intrusion, misuse of information, and interception of
information:
- Intrusion: an invasion of privacy by wrongful entry, seizing, or acquiring
possession of the property of others.

Example: hackers are intruders because they wrongfully break into computer systems,
whether they cause damage or not.

With computer network globalization, intrusion is second only to viruses among
computer crimes, and it is growing fast.

- Misuse of Information: human beings continually give out information in exchange
for services.

Examples:
1. Businesses
2. Governments
collect this information from us honestly to provide services effectively.

The information collected:
- is not collected only to be stored
- may be sold for financial reasons

There is nothing wrong with collecting personal information when it is going to be used for:
- a legitimate reason
- the purpose it was intended for

The problem arises when this information is used for unauthorized purposes; collecting
this information then becomes an invasion of privacy.

- Interception of Information: unauthorized access to private information via eavesdropping,
which occurs when a third party gains unauthorized access to a private communication
between two or more parties.
 Ramifications of Differential Privacy
- Differential privacy (DP) is a strong, mathematical definition of privacy in the context of
statistical and machine learning analysis.

According to this mathematical definition, DP is a criterion of privacy protection, which many
tools for analyzing sensitive personal information have been devised to satisfy.

- Differential privacy makes it possible for tech companies to collect and share aggregate
information about user habits, while maintaining the privacy of individual users.

- Differential privacy permits:
1. Companies to access large amounts of sensitive data for:
1. Research
2. Business
without a privacy breach.

2. Research institutions to develop differential privacy technology to automate
privacy processes within cloud-sharing communities across countries.

Thus, they could protect the privacy of users and resolve data sharing problems.

- What does it guarantee?
- Differential privacy mathematically guarantees that anyone seeing the result of a
differentially private analysis will essentially make the same inference about any
individual's private information, whether or not that individual's private information
is included in the input to the analysis.

- DP provides a mathematically provable guarantee of privacy protection against a
wide range of privacy attacks (including differencing attacks, linkage
attacks, and reconstruction attacks).

- What does it not guarantee?
DP guarantees to protect only private information. So, if one's secret is general information, it
will not be protected.
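The following Go program is an added worked example, not code from the lecture notes or from any vendor named in them. It serves two passages: the inference-control / statistical disclosure limitation section in Chapter 1, by showing how releasing exact counts lets a differencing attack recover one respondent's answer, and the differential privacy section above, by implementing the Laplace mechanism for a counting query and checking the DP guarantee directly (the ratio of output probabilities with and without one individual never exceeds e^epsilon). The respondent dataset, the epsilon value and every function name are constructed assumptions for illustration.

```go
package main

import (
	"fmt"
	"math"
	"math/rand"
)

// Constructed sample dataset: each record is one respondent's answer to a
// sensitive yes/no question (1 = yes). The last record is the "target"
// individual whose answer an analyst should not be able to learn.
var respondents = []int{1, 0, 1, 1, 0, 0, 1, 0, 1, 1}

// exactCount returns the true number of "yes" answers. This is the
// unprotected statistic that inference controls try to guard.
func exactCount(data []int) int {
	n := 0
	for _, v := range data {
		n += v
	}
	return n
}

// withoutIndex returns a copy of data with the record at index i removed,
// i.e. the "neighbouring" dataset in the DP definition.
func withoutIndex(data []int, i int) []int {
	out := append([]int{}, data[:i]...)
	return append(out, data[i+1:]...)
}

// differencingAttack shows why releasing exact aggregates leaks individual
// values: the count over everyone minus the count over everyone-but-one
// recovers that one person's answer exactly.
func differencingAttack(data []int, target int) int {
	return exactCount(data) - exactCount(withoutIndex(data, target))
}

// laplaceNoise draws one sample from the Laplace distribution with scale b,
// using inverse-CDF sampling on a uniform variate in (-0.5, 0.5).
func laplaceNoise(b float64, rng *rand.Rand) float64 {
	for {
		u := rng.Float64() - 0.5 // uniform on [-0.5, 0.5)
		if u == -0.5 {
			continue // avoid log(0) at the single excluded endpoint
		}
		sign := 1.0
		if u < 0 {
			sign = -1.0
		}
		return -b * sign * math.Log(1-2*math.Abs(u))
	}
}

// dpCount is the Laplace mechanism for a counting query. A count has
// sensitivity 1 (adding or removing one person changes it by at most 1), so
// noise with scale 1/epsilon makes the release epsilon-differentially private.
func dpCount(data []int, epsilon float64, rng *rand.Rand) float64 {
	return float64(exactCount(data)) + laplaceNoise(1.0/epsilon, rng)
}

// sampleNoisyCount is a convenience wrapper that seeds its own generator.
func sampleNoisyCount(seed int64, epsilon float64) float64 {
	return dpCount(respondents, epsilon, rand.New(rand.NewSource(seed)))
}

// laplacePDF is the density of Laplace(mu, b) at x.
func laplacePDF(x, mu, b float64) float64 {
	return math.Exp(-math.Abs(x-mu)/b) / (2 * b)
}

// privacyLossRatio evaluates the DP guarantee directly: for neighbouring
// datasets (the full set and the set without the target), the probability of
// seeing any particular output differs by at most a factor of exp(epsilon).
func privacyLossRatio(data []int, target int, epsilon float64, output float64) float64 {
	b := 1.0 / epsilon
	pWith := laplacePDF(output, float64(exactCount(data)), b)
	pWithout := laplacePDF(output, float64(exactCount(withoutIndex(data, target))), b)
	return pWith / pWithout
}

func main() {
	target := len(respondents) - 1
	fmt.Println("exact counts leak the target's answer:", differencingAttack(respondents, target))
	eps := 0.5
	fmt.Printf("noisy count (epsilon=%.1f): %.2f\n", eps, sampleNoisyCount(42, eps))
	for _, out := range []float64{4, 6, 8} {
		fmt.Printf("output %.0f: Pr[with]/Pr[without] = %.3f (bound e^eps = %.3f)\n",
			out, privacyLossRatio(respondents, target, eps, out), math.Exp(eps))
	}
}
```

The differencing attack succeeds because two exact releases differ by precisely the target's value; with Laplace noise of scale 1/epsilon added to each count, every possible output is almost equally likely whether or not the target is in the data, which is the formal content of the "same inference" guarantee stated above. Smaller epsilon means stronger privacy and noisier answers.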
 Privacy protection
- With the help of sophisticated network scanning and spying software such as:
1. STARR
2. FreeWhacker
3. Net Spy
4. Snapshotspy
5. Surf Spy
6. PC Activity Monitor
7. Stealth Keyboard Logger
and others, no personal information on any computer on any network is safe.

- In many countries, there are guidelines and structures that safeguard and protect privacy
rights.

These structures and guidelines, on average, fall under the following categories:
- Technical: through the use of software and other technically based safeguards, and
also by education of users and consumers to carry out self-regulation.

- Contractual: through determination of which information (such as electronic publications),
and how such information is disseminated, is given contractual and technological protection
against unauthorized reproduction or distribution.
Contractual protection of information, mostly special information like publications, is good
only if actions are taken to assure contract enforceability.

- Legal: through the enactment of laws by national legislatures and enforcement of
such laws by law enforcement agencies.
 Technology-based Solutions for Privacy Protection
- Cloud data protection (CDP): encrypting sensitive data before it goes to the cloud, with the
enterprise (not the cloud provider) maintaining the keys.

Sample vendors:
1. Bitglass
2. CipherCloud
3. Cisco
4. Netskope
5. Vaultive
6. Symantec
7. Skyhigh Networks

- Tokenization: substituting a randomly generated value (the token) for sensitive data such as:
1. Credit card numbers
2. Bank account numbers
3. Social security numbers

After tokenization, the mapping of the token to its original data is stored in a hardened
database. Unlike encryption, there is no mathematical relationship between the token and its
original data.

To reverse the tokenization, an attacker must have access to the mapping database.

Sample vendors:
1. CyberSource (Visa)
2. Gemalto
3. Liaison
4. MasterCard
5. MerchantLink
6. Micro Focus (HPE)
7. Paymetric
8. ProPay
9. Protegrity
10. Shift4
11. Verifone
12. Thales e-Security
13. TokenEx
14. TrustCommerce
15. Symantec (Perspecsys)
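The tokenization scheme described above, as an added worked example in Go; it is not code from the lecture notes or from any of the vendors listed. The vault type stands in for the hardened mapping database, tokens come from a cryptographic random source so that they carry no information about the original value, and the application database ends up storing only tokens. The card number is a well-known test value, and all type and function names are constructed for illustration.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
)

// TokenVault stands in for the hardened mapping database the text describes.
// It is the only place where a token can be turned back into its original value.
type TokenVault struct {
	mu      sync.Mutex
	toValue map[string]string // token -> original sensitive value
	toToken map[string]string // original value -> token (repeat values reuse one token)
}

// NewTokenVault creates an empty vault.
func NewTokenVault() *TokenVault {
	return &TokenVault{toValue: map[string]string{}, toToken: map[string]string{}}
}

// Tokenize replaces a sensitive value with a random 16-byte token. Because the
// token comes from a CSPRNG rather than from a function of the input, there is
// no mathematical relationship to invert: only the vault can map it back.
func (v *TokenVault) Tokenize(value string) (string, error) {
	v.mu.Lock()
	defer v.mu.Unlock()
	if tok, ok := v.toToken[value]; ok {
		return tok, nil
	}
	for {
		raw := make([]byte, 16)
		if _, err := rand.Read(raw); err != nil {
			return "", err
		}
		tok := "tok_" + hex.EncodeToString(raw)
		if _, clash := v.toValue[tok]; clash {
			continue // a 128-bit collision is practically impossible, but stay correct
		}
		v.toValue[tok] = value
		v.toToken[value] = tok
		return tok, nil
	}
}

// Detokenize reverses the mapping. It works only with access to the vault,
// which is the whole point: a database holding tokens is useless on its own.
func (v *TokenVault) Detokenize(token string) (string, error) {
	v.mu.Lock()
	defer v.mu.Unlock()
	val, ok := v.toValue[token]
	if !ok {
		return "", errors.New("unknown token")
	}
	return val, nil
}

// orderRecord is what the application database stores after tokenization.
type orderRecord struct {
	OrderID string
	CardTok string
}

// processOrder tokenizes the card number before it is persisted, so the
// application database never holds the real primary account number (PAN).
func processOrder(vault *TokenVault, orderID, pan string) (orderRecord, error) {
	tok, err := vault.Tokenize(pan)
	if err != nil {
		return orderRecord{}, err
	}
	return orderRecord{OrderID: orderID, CardTok: tok}, nil
}

func main() {
	vault := NewTokenVault()
	// Constructed sample input: a standard test card number, not a real card.
	rec, err := processOrder(vault, "order-1001", "4111111111111111")
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored in app database: %+v\n", rec)
	pan, _ := vault.Detokenize(rec.CardTok)
	fmt.Println("detokenized via vault:", pan)
	_, err = vault.Detokenize("tok_00000000000000000000000000000000")
	fmt.Println("lookup of a token the vault never issued:", err)
}
```

In a real deployment the vault runs as a separate, tightly access-controlled service; the security of the scheme rests entirely on protecting that mapping, exactly as the text says.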
- Big data encryption: using encryption and other obfuscation techniques to obscure data in
relational databases as well as data stored in the distributed computing architectures of big
data platforms, to protect personal privacy, achieve compliance, and reduce the impact of
cyberattacks and accidental data leaks.
Sample vendors:
1. Gemalto
2. Micro Focus (HPE)
3. Zettaset
4. IBM
5. Thales e-Security

- Application-level encryption: encrypting data within the app itself as it is generated or
processed, before it is committed and stored at the database level.
It enables fine-grained encryption policies and protects sensitive data at every tier in the
computing and storage stack and wherever data is copied or transmitted.
Only authenticated, authorized app users can access the data; even database admins cannot
read the encrypted data.

Sample vendors:
1. Gemalto
2. Micro Focus (HPE)
3. Thales e-Security
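The following Go program is an added worked example, not code from the lecture notes or from the vendors listed. It serves two passages: application-level encryption (above), by sealing a field with AES-GCM inside the application so the database layer only ever sees ciphertext, and the secure-deletion step of the data retention policy in Chapter 1, by destroying the key so that every record encrypted under it becomes unrecoverable (crypto-shredding). The key store, the record layout, the field contents and all names are constructed assumptions for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyStore stands in for key management kept by the enterprise itself: keys are
// indexed by a key ID and can be destroyed, which is the crypto-shredding step.
type KeyStore struct {
	keys map[string][]byte
}

// NewKeyStore creates an empty key store.
func NewKeyStore() *KeyStore { return &KeyStore{keys: map[string][]byte{}} }

// NewKey generates a random 256-bit AES key and registers it under keyID.
func (ks *KeyStore) NewKey(keyID string) error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	ks.keys[keyID] = k
	return nil
}

// Destroy deletes the key. Every ciphertext encrypted under it becomes
// unrecoverable, which is how a retention policy can "permanently delete"
// data that may still exist in backups or replicas.
func (ks *KeyStore) Destroy(keyID string) {
	if k, ok := ks.keys[keyID]; ok {
		for i := range k {
			k[i] = 0 // overwrite the key material before dropping the reference
		}
		delete(ks.keys, keyID)
	}
}

// Record is what the database layer actually stores: a key reference, a nonce
// and AES-GCM ciphertext. A DBA reading the table sees no plaintext.
type Record struct {
	KeyID      string
	Nonce      []byte
	Ciphertext []byte
}

// Encrypt seals the field inside the application, before it reaches the database.
// The record ID is bound as additional authenticated data so a ciphertext cannot
// be silently moved to another row.
func (ks *KeyStore) Encrypt(keyID, recordID string, plaintext []byte) (Record, error) {
	gcm, err := ks.aead(keyID)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(recordID))
	return Record{KeyID: keyID, Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt fails if the key has been destroyed, the record was tampered with,
// or the ciphertext is presented under a different record ID.
func (ks *KeyStore) Decrypt(recordID string, r Record) ([]byte, error) {
	gcm, err := ks.aead(r.KeyID)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, r.Nonce, r.Ciphertext, []byte(recordID))
}

// aead looks up the key and builds an AES-GCM instance for it.
func (ks *KeyStore) aead(keyID string) (cipher.AEAD, error) {
	k, ok := ks.keys[keyID]
	if !ok {
		return nil, errors.New("key " + keyID + " not available (destroyed or never existed)")
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	ks := NewKeyStore()
	_ = ks.NewKey("customer-2023") // one key per retention cohort, e.g. per year
	rec, _ := ks.Encrypt("customer-2023", "row-42", []byte("salary=120000")) // constructed field
	fmt.Printf("stored ciphertext (%d bytes); no plaintext reaches the database\n", len(rec.Ciphertext))
	pt, _ := ks.Decrypt("row-42", rec)
	fmt.Println("application holding the key reads:", string(pt))
	ks.Destroy("customer-2023") // retention period over: shred the key
	_, err := ks.Decrypt("row-42", rec)
	fmt.Println("after key destruction:", err)
}
```

Keying by retention cohort is what makes the second deletion step in Chapter 1 practical: deleting one key retires a whole cohort of records at once, including copies in backups that a row-level DELETE could never reach.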
 Ethics and Privacy
With the advent of the Internet and electronic messages, confidentiality is a great concern.

Computer technology has raised more privacy questions than it has found answers to:
- Is there any confidentiality in electronic communication?
- Is anything that goes in the clear over public communication channels secure anymore?
- Are current encryption protocols secure enough?
- What laws need to be in place to secure anyone of us online?
- Who should legislate them?
- Who will enforce them?

We need:
1. An ethical framework
2. A legal framework
Both of these frameworks would probably help.
The questions are:
- Who will develop these frameworks?
- Who will enforce them?
Chapter #3:
 Introduction
- Definitions of Privacy:
"Privacy is the protection of personal data and is considered a fundamental human right."
- OECD Guidelines, 1980

"The rights and obligations of individuals and organizations with respect to the collection,
use, disclosure, and retention of personal data." - AICPA/CICA, 2005

Privacy means adherence to trust and obligation in relation to any information relating to
an identified or identifiable individual (data subject).

Management is responsible for complying with privacy in accordance with its privacy policy
or applicable privacy laws and regulations.

- Privacy and Data Protection vs. Information Security:
Information Security is concerned with:
1. Confidentiality
2. Integrity
3. Availability

Data protection is about avoiding harm to individuals by misusing or mismanaging
their personal data.

 Data Privacy in KSA
- Data Privacy definition:
Every statement (whatever its source or form) that would lead to the individual being
specifically identified, or make it possible to identify him directly or indirectly, including:
1. Name
2. Personal identification number
3. Addresses
4. Contact numbers
5. License numbers
6. Records and personal property
7. Bank account
8. Credit card numbers
9. Still or moving photos of the individual
and other data of a personal nature.
 Current Privacy Trends
Increased Collection of PII:
1. Support business operations
2. Problem with marketing strategies
3. Sensitive information can be part of business
4. Businesses show it under security reasons or/and protection
5. Consumers do not realize the sensitive information
6. Marketing is designed to encourage consumers to acquiesce (comply, agree)
7. Tension and frustration between consumers and service providers

 ISACA/OECD Privacy principles
- ISACA Guideline G31:
1. Defines privacy
2. Links to Standards and CobiT
3. Describes performance of audit work

- G31 relies upon 12 Privacy Principles outlined by the Organization for Economic
Cooperation and Development (OECD).
 Generally Accepted Privacy Principles (GAPP)
- By the AICPA and CICA task force:
1. Defines 10 Privacy Principles similar to ISACA G31
2. Provides complete guidance on privacy program implementation and auditing
3. Implementation criteria

- Personal Information (also referred to as personally identifiable information) examples:
1. Name
2. Home or e-mail address
3. Identification number:
1. ID
2. Social Security
3. Social Insurance Number
4. Physical characteristics
5. Consumer purchase history

- Some laws and regulations define the following to be sensitive personal information:
1. Information on medical or health conditions
2. Financial information
3. Racial or ethnic origin
4. Political opinions
5. Religious or philosophical beliefs
6. Trade union membership
7. Sexual preferences
8. Information related to offenses or criminal convictions
 Generally Accepted Privacy Principles (GAPP)
- 10 General accepted privacy principles:
- Management: The entity defines, documents, communicates, and assigns
accountability for its privacy policies and procedures

- Notice: The entity provides notice about its privacy policies and procedures and
identifies the purposes for which personal information is collected, used, retained,
and disclosed

- Choice and consent: The entity describes the choices available to the individual and
obtains implicit or explicit consent with respect to the collection, use, and disclosure
of personal information

- Collection: The entity collects personal information only for the purposes identified
in the notice

- Use, retention, and disposal: The entity limits the use of personal information to
the purposes identified in the notice and for which the individual has provided implicit
or explicit consent.

The entity retains personal information for only as long as:
1. necessary to fulfill the stated purposes, or
2. required by law or regulations,
and thereafter appropriately disposes of such information.

- Access: The entity provides individuals with access to their personal information for
review and update.

- Disclosure to third parties: The entity discloses personal information to third
parties only for the purposes identified in the notice and with the implicit or explicit
consent of the individual.

- Security for privacy: The entity protects personal information against unauthorized
access (both physical and logical)

- Quality: The entity maintains accurate, complete, and relevant personal information
for the purposes identified in the notice

- Monitoring and enforcement: The entity monitors compliance with its privacy
policies and procedures and has procedures to address privacy related complaints and
disputes
 Open Data
- Open Data: a piece of data or content is open if anyone is free to use, reuse, and
redistribute it, subject only, at most, to the requirement to attribute and/or share-alike.

- In summary, this means the following:
- Availability and Access: the data must be available as a whole and at no more than
a reasonable reproduction cost, preferably by downloading over the internet.
The data must also be available in:
1. a convenient form
2. a modifiable form

- Reuse and Redistribution: the data must be provided under terms that permit
reuse and redistribution.

- Universal Participation: everyone must be able to use, reuse and redistribute the data; there
should be no discrimination against fields of endeavour or against persons or groups.

 Benefits of Open Data
- Transparency: people need to be able to freely access data and information and to share
that information with other citizens.
- Sharing and reuse allows:
1. Analysing
2. Visualising
to create more understanding.

- Releasing social and commercial value: data is a key resource for social and commercial
activities.
- Open data can help drive the creation of:
1. innovative businesses
2. services that deliver social and commercial value

- Participatory governance: Open Data enables people to be much more directly informed
and involved in decision-making and facilitates their contribution.

- Reducing costs: open data enables the sharing of information in machine-readable,
interoperable formats, hence reducing costs of information exchange and data integration.

- Building trust: open policy making and data increase the trust of others.
Chapter #4
 Developing compliant security program
- Reasonable security: requires an appropriate comprehensive information security program
1. From technical perspective
2. Legal requirements

- Legal-compliant information security program involves an iterative process:


1. Last Topic 2. Identify assets
3. Risk assessment 4. Security controls
5. Monitor and test 6. Continually review and oversee third party
All those requirements should be considered

If the security program is not in writing, it does not exist

 1- Identify information assets


- Identify the information assets to be protected:
1. What 2. where
3. how is it used 4. valuable
5. Owner 6. (what else)…etc

- Inventory of the data and information that the company:
1. Creates
2. Collects
3. Receives
4. Uses
5. Processes
6. Stores
7. Communicates to others

- Identification requires knowing:
1. Where the data and systems are located
2. Who controls them
3. Which jurisdictions are involved and which laws must be complied with

- Consider the locations of sensitive data

- Consider data that is controlled by a third party: the company remains responsible for
its security
 2- Conduct a risk assessment
- An assessment of the potential risks is required before protection can be designed. It
covers:
1. Threats
2. Vulnerabilities (of the assets)
3. Likelihood of the threats
4. Evaluation of the potential damage
5. Effectiveness of the existing security controls

- Threat: anything that has the potential to cause harm (natural or man-made)

- Vulnerability: a flaw or weakness that can be exploited

- Risk: a function of the likelihood of a given threat-source exercising a particular
potential vulnerability, and the resulting impact of that adverse event on the
organization

- Risk assessment: the baseline from which security controls are selected, implemented,
measured and validated

- Traditional negligence law takes the same approach, based on these factors:
1. The probability of the identified harm (likelihood)
2. The gravity of the resulting injury (impact)
3. The burden (or cost) of implementing adequate precautions
In general, the exercise depends on the circumstances of the case and on the extent of
the foreseeable danger
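The balance just described (likelihood times impact on one side, the burden of the precaution on the other) can be carried through mechanically. The following is an added example, not material from the course notes: a small risk register ranks risks by likelihood times impact, then tests each candidate control by whether its annual cost is lower than the expected loss it prevents. Every risk name, probability, loss figure and control cost is constructed for illustration; in practice the numbers come from the fact-specific assessment, not from a guess.

```python
"""Risk-based control selection: rank risks by likelihood x impact, then apply the
negligence-law balance (burden of the precaution vs. probability x gravity of harm).
All names and numbers below are constructed for the example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str          # a threat-source exercising a vulnerability
    likelihood: float  # annual probability of the event (0..1)
    impact: float      # loss if the event occurs, in currency units

    @property
    def score(self) -> float:
        # Risk as a function of likelihood and impact (annualised expected loss).
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Control:
    name: str
    mitigates: str               # name of the Risk it addresses
    likelihood_reduction: float  # fraction of the likelihood it removes (0..1)
    annual_cost: float           # the "burden" of the precaution


# Constructed risk register (hypothetical values, not from the page).
SAMPLE_RISKS = [
    Risk("stolen laptop exposes customer records", likelihood=0.20, impact=500_000),
    Risk("SQL injection in customer web portal", likelihood=0.10, impact=2_000_000),
    Risk("office fire destroys file server", likelihood=0.01, impact=300_000),
]

# Constructed candidate controls (hypothetical effectiveness and costs).
SAMPLE_CONTROLS = [
    Control("full-disk encryption on laptops",
            "stolen laptop exposes customer records", 0.95, 15_000),
    Control("web app firewall plus annual pentest",
            "SQL injection in customer web portal", 0.70, 60_000),
    Control("gas suppression system in server room",
            "office fire destroys file server", 0.90, 25_000),
]


def rank_risks(risks):
    """Highest expected loss first: the order in which the program should treat them."""
    return sorted(risks, key=lambda r: r.score, reverse=True)


def residual_score(risk, control):
    """Expected loss that remains once the control is in place."""
    return risk.likelihood * (1.0 - control.likelihood_reduction) * risk.impact


def loss_prevented(risk, control):
    return risk.score - residual_score(risk, control)


def is_reasonable(risk, control):
    """A precaution is reasonable when its burden is less than the expected harm it
    prevents (probability x gravity), i.e. the three negligence-law factors."""
    return control.annual_cost < loss_prevented(risk, control)


def select_controls(risks, controls):
    """Return (selected, rejected). Each entry keeps the numbers behind the decision, so
    a rejected control is still recorded as considered and documented."""
    by_name = {r.name: r for r in risks}
    selected, rejected = [], []
    for c in controls:
        r = by_name[c.mitigates]
        entry = {
            "control": c.name,
            "risk": r.name,
            "loss_prevented": loss_prevented(r, c),
            "annual_cost": c.annual_cost,
        }
        (selected if is_reasonable(r, c) else rejected).append(entry)
    return selected, rejected


if __name__ == "__main__":
    for r in rank_risks(SAMPLE_RISKS):
        print(f"{r.score:>12,.0f}  {r.name}")
    selected, rejected = select_controls(SAMPLE_RISKS, SAMPLE_CONTROLS)
    for label, entries in (("SELECT", selected), ("REJECT", rejected)):
        for e in entries:
            print(f"{label} {e['control']}: prevents {e['loss_prevented']:,.0f}, "
                  f"costs {e['annual_cost']:,.0f} per year")
```

With these constructed figures the fire-suppression system is rejected (it costs more per year than the 2,700 of expected loss it removes), but the rejection and its arithmetic stay in the written record; a control that is considered and documented as unnecessary is a different thing from one that was never considered.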

- Numerous security laws and regulations require a risk assessment as part of the security
program, either expressly or impliedly

- A risk assessment is expressly required by:
- GLB (the Gramm-Leach-Bliley Act)
- HIPAA
- FISMA
- and impliedly by others

- As part of "reasonable" security, this applies to all industries:
1. Finance
2. Healthcare
etc.
 2- Conduct a risk assessment
- Some courts have held that the risk assessment plays a key role in liability (e.g.
several US courts):
1. In Bell v. Michigan Council, where the harm was foreseeable and the potential risk was
high, the defendant was held liable for failing to provide appropriate security

- In the EU and other countries, a risk assessment is always required as part of the
obligation to provide appropriate security

- Many data protection laws expressly require a risk assessment

- Most laws require a level of security "appropriate" to the risk (e.g. UAE)

 3- Select and implement security controls

- Implement appropriate physical, technical and administrative security controls to
manage the risk

- Implementing the applicable security law involves:
1. The categories of security controls to be considered
2. The key role of the risk assessment

- The selected security controls are implemented to manage and reduce the risk to a
reasonable and appropriate level

 Select and implement security controls (Categories of security controls to consider)

- Most security statutes and regulations do not require a specific security measure or a
particular technology:
- HIPAA: a covered entity "may use" any security measures that reasonably and
appropriately implement the required standards

- Certain categories of security measures should be considered even where they are not
specified:
- Many laws require "access control measures" to ensure that only authorized persons
have access, but say nothing about how access control is to be implemented

- Sometimes the law defines the objectives or criteria to be achieved, e.g.:
- restricting access on a need-to-know basis
- terminating access when an employee leaves the company
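Those two objectives (need-to-know access and termination on departure) are concrete enough to be checked mechanically as part of a periodic access review. The following is an added example, not from the course notes: it reconciles what the systems actually grant against an HR roster and a per-role need-to-know list, and flags accounts belonging to departed staff, accounts with no HR record at all, and entitlements beyond what the role needs. The logins, roles, dates and entitlement names are constructed for illustration.

```python
"""Access review: reconcile granted entitlements against the HR roster and the
need-to-know entitlements of each role. Sample data is constructed for the example."""
from collections import defaultdict
from datetime import date

# Constructed HR roster (hypothetical people): login -> (role, termination date or None).
HR_ROSTER = {
    "asmith": ("finance_analyst", None),
    "bjones": ("support_agent", None),
    "cwong": ("finance_analyst", date(2024, 3, 31)),  # left the company
}

# Need-to-know: the entitlements each role actually requires (constructed).
ROLE_ENTITLEMENTS = {
    "finance_analyst": {"erp_read", "erp_report"},
    "support_agent": {"crm_read", "crm_update"},
}

# Snapshot of what the systems currently grant (constructed).
ACCOUNTS = {
    "asmith": {"erp_read", "erp_report", "crm_read"},  # crm_read exceeds need-to-know
    "bjones": {"crm_read", "crm_update"},
    "cwong": {"erp_read", "erp_report"},               # still active after termination
    "svc_backup": {"backup_admin"},                    # no HR record at all
}


def review_access(accounts, roster, role_entitlements, today):
    """Return a dict of finding type -> list of affected logins / (login, entitlement)."""
    findings = defaultdict(list)
    for login, granted in accounts.items():
        if login not in roster:
            # Nobody in HR vouches for this account: it needs an owner of record or removal.
            findings["orphaned_account"].append(login)
            continue
        role, term_date = roster[login]
        if term_date is not None and term_date <= today:
            # Access should have been terminated when the employee left.
            findings["terminated_still_active"].append(login)
            continue
        needed = role_entitlements.get(role, set())
        for ent in sorted(granted - needed):
            findings["excess_entitlement"].append((login, ent))
        for ent in sorted(needed - granted):
            findings["missing_entitlement"].append((login, ent))
    return dict(findings)


if __name__ == "__main__":
    for kind, items in review_access(ACCOUNTS, HR_ROSTER, ROLE_ENTITLEMENTS,
                                     date(2024, 6, 1)).items():
        print(f"{kind}: {items}")
```

Service accounts such as svc_backup will always show up as orphaned under this rule unless they are registered with a human owner; that is the intended outcome, since an account nobody owns is exactly what a regulator asking about need-to-know will look for. Missing entitlements are reported too, because a user who lacks the access the role needs tends to borrow someone else's.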
 3- Select and implement security controls (Key role of the risk assessment)
- There is no "one size fits all" answer to which specific security measures should be
implemented

- Security measures must be responsive to the fact-specific risk assessment:
1. i.e. to the particular threats and vulnerabilities identified
2. e.g. access control cannot fix a problem of employee carelessness

- In addition to the risk assessment, other factors often cited in security statutes and
regulations include:
1. Org. size, complexity and capabilities
2. Nature and scope of the business
3. Nature and sensitivity of information and information systems
4. Infrastructure capabilities
5. State of the art of technology and security
6. Cost of the security

- E.g. US banking regulators summarise the authentication process in a guidance document
as follows:
- Use effective methods to authenticate and identify customers
- The methods should be appropriate to the associated risk
- Conduct a risk assessment to identify the level and type of risk
- Let the risk determine whether single-factor or multi-factor authentication and layered
security are needed

- The risk assessment/report cannot be ignored

- Information security law clearly requires the results of the risk assessment to be used
to identify the appropriate strategy for security controls:
E.g. US banking regulators take a risk-based approach to authentication; implementing
strong authentication controls without a risk assessment is not accepted

- Thus, which particular security controls are appropriate and reasonable must be
determined on the basis of the risk assessment

- Standards for legally appropriate security controls vary with the business, the
application and time:
- A single risk assessment is not sufficient; it is an ongoing process
 4- Monitor and test the controls
- Security controls must be in place and effective:
E.g. a breach that compromised up to 90 million credit card numbers: the data was
encrypted, but with weak encryption

- Assessing whether the security controls are sufficient to control the identified risks
is mandatory

- Conducting regular testing or monitoring of the effectiveness of the security measures
is an important component of the legal standard

- Regular review of, for example:
1. System activity
2. Audit logs
3. Access reports
4. Incident reports
etc.
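A regular review of audit logs is only evidence of monitoring if it is actually run against the logs and its findings are kept. The following is an added example, not from the course notes, of what such a review can look like in code: it parses a simple line format, counts failed logins per user and source, and flags successful logins by accounts that should be disabled and logins outside business hours. The log format, the hostnames, users, addresses and thresholds are all constructed for illustration; a real review uses the format the systems in the inventory actually emit.

```python
"""Periodic audit-log review over constructed sample lines: failed-login bursts,
use of disabled accounts, and off-hours access."""
import re
from collections import Counter
from datetime import datetime

# Assumed log format (constructed for the example), one event per line:
# "<ISO-8601 UTC timestamp> host=<h> user=<u> event=<e> result=<success|failure> src=<ip>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"event=(?P<event>\S+) result=(?P<result>\S+) src=(?P<src>\S+)$"
)

DISABLED_ACCOUNTS = {"cwong"}   # accounts that should no longer be able to log in
FAILED_LOGIN_THRESHOLD = 5      # failures from one source against one user
BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 UTC; successful logins outside are flagged

# Constructed sample log (hypothetical hosts, users and addresses).
SAMPLE_LOG = """\
2024-06-03T09:02:11Z host=crm1 user=bjones event=login result=success src=10.0.5.10
2024-06-03T09:05:40Z host=erp1 user=asmith event=login result=failure src=203.0.113.7
2024-06-03T09:05:42Z host=erp1 user=asmith event=login result=failure src=203.0.113.7
2024-06-03T09:05:44Z host=erp1 user=asmith event=login result=failure src=203.0.113.7
2024-06-03T09:05:46Z host=erp1 user=asmith event=login result=failure src=203.0.113.7
2024-06-03T09:05:48Z host=erp1 user=asmith event=login result=failure src=203.0.113.7
2024-06-03T09:05:50Z host=erp1 user=asmith event=login result=failure src=203.0.113.7
2024-06-04T02:14:07Z host=erp1 user=cwong event=login result=success src=10.0.5.23
garbage line
""".splitlines()


def parse(line):
    """Return a dict for a well-formed line, or None if it does not match the format."""
    m = LOG_LINE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


def review_logs(lines, disabled=DISABLED_ACCOUNTS, threshold=FAILED_LOGIN_THRESHOLD):
    """Return a list of findings, each a tuple starting with the finding type."""
    findings = []
    failures = Counter()
    for line in lines:
        if not line.strip():
            continue
        rec = parse(line)
        if rec is None:
            # A line the reviewer cannot parse is itself a finding: it may hide events.
            findings.append(("unparseable", line.strip()))
            continue
        if rec["event"] == "login" and rec["result"] == "failure":
            failures[(rec["user"], rec["src"])] += 1
        if rec["result"] == "success":
            if rec["user"] in disabled:
                findings.append(("disabled_account_used", rec["user"], rec["host"]))
            if rec["ts"].hour not in BUSINESS_HOURS:
                findings.append(("off_hours_access", rec["user"], rec["ts"].isoformat()))
    for (user, src), n in failures.items():
        if n >= threshold:
            findings.append(("failed_login_burst", user, src, n))
    return findings


if __name__ == "__main__":
    for finding in review_logs(SAMPLE_LOG):
        print(finding)
```

The failed-login count here is over the whole batch reviewed rather than a sliding time window, which is adequate for a daily review of one day's log but would need a window for longer spans. Each finding is a plain tuple so it can be written to the review record as-is; the record of what was reviewed, when, and with what result is the part a regulator will ask to see.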

 5- Review and adjust the program

- The legal standard for information security recognizes that security is a moving target

- Businesses must keep up with continual changes in:
1. Threats
2. Risks
3. Vulnerabilities
4. Available security controls

- Businesses must conduct periodic internal reviews to evaluate and adjust the
information security program as a result of:
1. Testing and monitoring 2. Material changes to the business
3. Changes in technology 4. Changes in threats (internal or external)
5. Other circumstances
6. Environmental or operational changes

- Best practice and the developing legal standard may require a periodic review and
assessment (audit) by an independent professional party:
1. To certify that the security program meets or exceeds applicable requirements (C.I.A.)
2. To adjust the security program
 6- Oversee third party service providers
- Businesses often rely on third parties (outsourcing)

- When data is in the possession and under the control of a third party, ensuring its
security is a challenge

- Laws and regulations impose information security obligations on businesses with respect
to their use of third parties

- The legal obligation to provide security remains the responsibility of the organization

- It is often said: "you can outsource the work, but not the responsibility"

- Thus, the third party relationship should be subject to the same risk management,
security, privacy and protection requirements

- Three basic requirements on businesses that outsource:
1. They must exercise due diligence in selecting the service provider
2. They must contractually require the outsource provider to implement appropriate
security measures
3. They must monitor the performance of the outsource provider

 Security Controls to Consider

1. Physical
2. Technical
3. Administrative

- Laws require "reasonable" or "appropriate" security without specifying it further

- In almost all cases they list only the categories of security controls
- To be legally compliant, security controls should be selected based on the risk
assessment

- No single law or regulation expressly requires all of these controls to be addressed

- If some of these categories of controls are not addressed, a court or regulator may
conclude that the business has not satisfied its obligation to implement "reasonable"
or "appropriate" security
 Security Controls to Consider
- If a corporation considers a security control but finds it unnecessary in light of its
own risk assessment, that may be sufficient, as long as the decision was considered and
documented

- The law does not require a corporation to implement security controls in a particular
way or to use a particular technology:
- HIPAA: covered entities "may use any security measures" to achieve the objectives

 Physical Security Controls (Facility and Equipment):

- Regulations frequently require protection of the facility (physical security)

- Three general categories:

1. Physical access restrictions: to prevent unauthorized persons from gaining physical
access to:
1. Premises
2. Equipment
3. Displayed information
4. Outputs

2. Protection against technological failures: e.g. an uninterruptible power supply (UPS)
for:
1. Systems
2. Emergency lighting
3. Temperature controls
4. Humidity controls

3. Protection against environmental threats: e.g. fire detection and suppression

 Physical Security Controls (Media):

- Security laws and regulations require data media to be protected from being read,
copied, altered or removed by unauthorized persons, including:
- Media access: only authorized parties have access (to data or systems)
- Media storage: secure removable media
- Media transport: secure the transportation of media
- Media destruction and disposal: ensure the deletion and destruction of the media and
data (so that the data cannot be recovered)

- Laws and regulations require businesses to "properly dispose of information" using
"reasonable measures":
- Policies and procedures to manage media, whether hard copy or soft copy
- For destruction or re-use of the media
 Technical Security Controls (Access Controls):
- Access controls serve:
1. To prevent unauthorized access
2. To appropriately limit and control access

- Laws and regulations require "reasonable" security measures to control access (stated in
general terms):
- Policies and procedures are required for the details

- Other laws impose "reasonable" security measures to protect data (from being read,
copied, modified or removed) by means of access control

- Regulations require measures and procedures that limit access to a need-to-know basis

- Some regulations address the authorization process:
- For access to data or systems

 Technical Security Controls (Identification and Authentication):

- Controlling access to systems and data requires (IAA):
1. Identification: identifying the party seeking access
2. Authentication: verifying that the party is who it claims to be
3. Authorization: granting the appropriate access rights

- Laws impose an authentication process to identify parties:
- Procedures and mechanisms for passwords (p91)
- Some regulators consider single-factor authentication insufficient for high-risk
situations

 Technical Security Controls (System and services acquisition controls):

- Acquisition of systems or services presents security risk
- Security laws and regulations require appropriate security policies and procedures to
manage the acquisition process. These should include:
1. Imposing appropriate security requirements
2. Proper design and implementation of the system
3. Proper testing and evaluation of its security

- For outsourcing, most security regulations require that the third parties employ
adequate security controls
 Technical Security Controls (System and information integrity):
- Have appropriate controls to protect the integrity of systems and data:
1. Checking data input validity and accuracy
2. Detecting data errors
3. Malicious code protection
4. Intrusion detection

- Various security regulations require controls to address system and data integrity,
including:
1. System integrity: protection from unauthorized changes
2. Data integrity: protection from unauthorized alteration, disclosure or destruction
3. Malicious code protection: preventing, detecting and reporting malicious code
4. Intrusion detection: tools, techniques and procedures for monitoring

 Administrative security control (Personnel security):

- Consider the risk from employees and third-party personnel who are:
1. Not properly trained or qualified for the job
2. Dishonest, or motivated to do inappropriate or destructive acts

- Laws and regulations require verification that employees, agents and contractors have:
1. Technical expertise
2. Personal integrity
3. Reliability

- Laws and regulations may require, on a regular basis:
1. Screening of individuals
2. Background checks

- Regulations may require clearly specifying the obligations of:
1. Employees
2. Agents
3. Contractors

- Regulations may focus on the work processes (involving sensitive data or systems), such as:
1. Segregation of duties
2. Dual control procedures (two levels of control)
3. Other personnel management procedures
4. Appropriate supervision of the workforce

- Penalties or sanctions may be required by laws and regulations

- Policies for personnel termination and exit interviews are critical
 Administrative security control (Employee awareness and training):
- Education, training and awareness for employees and contractors are important to
promote security and protection

- People are often the weakest link in the security chain

- The legal standard for "reasonable security" mandates appropriate security awareness
training and education for employees, to ensure they are aware of and comply with the
security program

- Security education begins with communication of policies, procedures, standards and
guidelines

- It includes periodic training, awareness and reminders on security for everyone

- Users should accept the rules of behavior before being granted access

 Administrative security control (Contingency planning, backup, disaster recovery):

- Security laws and regulations often require a contingency plan for systems and data to
be developed and implemented

- Failure could be caused by:
1. Natural events:
1. Fire
2. Earthquake
2. Man-made events:
1. DoS
2. Attacks
- The contingency plan should include:
1. System and data backup procedures
2. A recovery plan
3. Alternate storage and site(s)
4. Alternate communication services or channels
5. Backup and retention procedures
6. Prompt deletion of backups once they can no longer be used
7. Appropriate recovery mechanisms
8. A designated team with roles and responsibilities
9. Testing of the plan on a regular basis
10. Regular review of the plan
 Administrative security control (Incident response plan):
- Security laws and regulations often require incident response policies and procedures to
be developed and implemented

- These provide a plan for taking responsive action when an attack occurs

- The plan should address the following:
1. Incident reporting: informing the people involved
2. Incident handling and response: ensuring the right actions are taken
3. Incident monitoring and recordkeeping: ongoing tracking and documentation
4. Incident response assistance: internal or external support
5. Training: appropriate training for the relevant people
6. Testing: periodic testing of the plan
