Chapter 4 Lecture Topics

Chapter 4 discusses the business drivers of information security, emphasizing the importance of risk management, contingency planning (BIA, BCP, DRP), and compliance with laws. It highlights the need to assess risks, threats, and vulnerabilities while addressing the challenges posed by mobile workers and personally owned devices. The chapter provides a comprehensive overview of strategies to protect organizational IT resources and ensure business continuity.

Uploaded by Nahid F. Gh

CHAPTER 4

Business Drivers of Information Security

Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com.
Learning Objective(s) and Key Concepts

Learning Objective(s)
 Explain information systems security and its effect on people and businesses.

Key Concepts
 Risk management and approaches
 An overview of contingency planning: business impact analysis (BIA), business continuity plan (BCP), and disaster recovery plan (DRP)
 Assessing risks, threats, and vulnerabilities
 Adhering to compliance laws and governance
 Mobile workers and use of personally owned devices
Risk Management’s Importance to the Organization (1 of 2)

 Identifying, assessing, prioritizing, and addressing risks is a core business driver necessary to ensure any organization’s longevity
 Risk management activities should align with the organization’s strategic goals
 Risks can be positive or negative
 Minimize the effects of negative risks
 Maximize the effects of positive risks
 A common pitfall in building a risk management plan is to limit the scope of the risk identification process to just inside the organization
 Consider reliance on third-party entities to conduct business, such as vendors and the supply chain; a compromise or outage at a supplier is a risk to you even though the control is not yours
Figure: Risks, Threats, and Vulnerabilities
Risk Management’s Importance to the Organization (2 of 2)

 Risk management is the process of identifying, assessing, prioritizing, and addressing risks
 Ensures you have planned for risks that may affect your organization
 Risk methodology
 A description of how you will manage risk
 Risk register
 A list of identified risks
Understanding the Relationship Between a BIA, a BCP, and a DRP

 Goal: protecting an organization’s IT resources and ensuring that events do not interrupt normal business functions
 Business impact analysis (BIA)
 Business continuity plan (BCP)
 Disaster recovery plan (DRP)
BIA

 An analysis of an organization’s functions and activities that classifies them as critical or noncritical
 Identifies the impact to the business if one or more IT functions fails
 Identifies the priority of different critical systems
BIA Recovery Goals and Requirements

 Recovery point objective (RPO)
 The target state of recovered data that allows an organization to continue normal processing; the maximum amount of data loss that is acceptable, usually expressed as the time elapsed since the last recoverable copy
 Recovery time objective (RTO)
 The maximum allowable time in which to recover the function
 Business recovery requirements
 Identify any other business functions that must already be in place for the specified recovery function to occur; these dependencies determine the recovery sequence
 Technical recovery requirements
 Define the technical prerequisites that are needed to support each critical business function
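As an added example (not part of the original slides), the following Python turns these BIA outputs into a recovery sequence and checks whether the plan can actually meet each function's RTO and RPO. It orders functions so that every business recovery requirement is restored before the functions that depend on it, computes when each function would be back given the measured restore times, and flags any RTO that the dependency chain makes unreachable and any RPO that the backup interval cannot satisfy. It also catches a dependency cycle, which is a BIA defect rather than a DRP problem. The function names, hours, and dependencies are constructed data, not from the textbook.

```python
"""Recovery sequencing and RPO/RTO feasibility check (added example).

Assumes the BIA has produced, for each critical function: its RTO, its RPO,
the measured time to restore it, how often its data is backed up, and the
other functions that must already be running (business recovery requirements).
All sample data is constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from graphlib import TopologicalSorter


@dataclass(frozen=True)
class Function:
    name: str
    rto_hours: float               # maximum allowable downtime
    rpo_hours: float               # maximum acceptable data loss, as time
    restore_hours: float           # measured time to bring this function back
    backup_interval_hours: float   # how often its data is backed up
    depends_on: tuple[str, ...] = ()


def recovery_sequence(functions: dict[str, Function]) -> list[str]:
    """Order functions so every prerequisite is recovered before its dependents.

    Raises graphlib.CycleError (a ValueError) if two functions require each
    other; that has to be resolved in the BIA before a DRP can be written.
    """
    ts = TopologicalSorter({f.name: set(f.depends_on) for f in functions.values()})
    return list(ts.static_order())


def earliest_recovery(functions: dict[str, Function]) -> dict[str, float]:
    """Hours after the disaster at which each function is back.

    A function cannot start restoring until all its prerequisites are up, so
    it finishes at (latest prerequisite finish) + its own restore time.
    Independent restores are assumed to run in parallel.
    """
    done: dict[str, float] = {}
    for name in recovery_sequence(functions):
        f = functions[name]
        start = max((done[d] for d in f.depends_on), default=0.0)
        done[name] = start + f.restore_hours
    return done


def bia_violations(functions: dict[str, Function]) -> list[str]:
    """Findings for every RTO or RPO the current plan cannot meet."""
    findings = []
    finish = earliest_recovery(functions)
    for f in functions.values():
        if finish[f.name] > f.rto_hours:
            findings.append(
                f"RTO miss: {f.name} recovers at +{finish[f.name]:.1f}h "
                f"but RTO is {f.rto_hours:.1f}h"
            )
        if f.backup_interval_hours > f.rpo_hours:
            findings.append(
                f"RPO miss: {f.name} backed up every {f.backup_interval_hours:.1f}h "
                f"but RPO is {f.rpo_hours:.1f}h"
            )
    return findings


# Constructed sample BIA data for a small online shop (hypothetical).
SAMPLE = {
    f.name: f
    for f in [
        Function("identity", rto_hours=2, rpo_hours=1, restore_hours=1.5,
                 backup_interval_hours=1),
        # Hourly backups against a 15-minute RPO: an RPO gap.
        Function("database", rto_hours=4, rpo_hours=0.25, restore_hours=3,
                 backup_interval_hours=1),
        # Must wait for database (3h) then restore (1h) = 4h against a 3h RTO.
        Function("payments", rto_hours=3, rpo_hours=0.25, restore_hours=1,
                 backup_interval_hours=0.25, depends_on=("database", "identity")),
        Function("storefront", rto_hours=8, rpo_hours=24, restore_hours=2,
                 backup_interval_hours=24, depends_on=("payments", "identity")),
    ]
}

if __name__ == "__main__":
    print("Recovery order:", " -> ".join(recovery_sequence(SAMPLE)))
    for line in bia_violations(SAMPLE):
        print(line)
```

The useful output is the second kind of finding: payments has a one-hour restore and a three-hour RTO, yet it cannot meet the RTO because it sits behind a three-hour database restore. That is exactly the dependency the slide calls a business recovery requirement, and it only becomes visible when the sequence is computed rather than listed.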
BCP (1 of 2)

 A written plan for a structured response to any event that results in an interruption to critical business activities or functions
 Order of priorities:
1. Safety and well-being of people
2. Continuity of critical business functions and operations
3. Continuity of components within the seven domains of an IT infrastructure
BCP (2 of 2)

 Elements of a complete BCP:
 Statement defining the policy, standards, procedures, and guidelines for deployment
 Project team members with defined roles, responsibilities, and accountabilities
 Emergency response procedures and protection of life, safety, and infrastructure
 Situation and damage assessment
 Resource salvage and recovery
 Alternate facilities or triage for short- or long-term emergency mode of operations and business recovery
DRP (1 of 2)

 Directs the actions necessary to recover resources after a disaster
 Extends and supports the BCP by identifying events that could cause damage to resources that are necessary to support critical business functions
 Consider what could happen to each resource:
 Threat analysis
 Impact scenarios
 Recovery requirement documentation
 Disaster recovery
DRP (2 of 2)

 Alternate site options, from fastest (and most expensive to maintain) to slowest recovery:
 Hot site
 Has environmental utilities, hardware, software, and data like the original data center
 Warm site
 Has environmental utilities and basic computer hardware
 Cold site
 Has basic environmental utilities but no infrastructure components
 Mobile site
 Trailer with the necessary environmental utilities that can operate as a warm or cold site
DRP Tests

 Listed in increasing order of realism, cost, and risk to production systems:
 Checklist test
 Structured walk-through
 Simulation test
 Parallel test
 Full-interruption test
Assessing Risks, Threats, and Vulnerabilities

 Risk Management Guide for Information Technology Systems (NIST SP 800-30; Revision 1 of 2012 is titled “Guide for Conducting Risk Assessments”)
 Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
 ISO/IEC 27005:2018 “Information Security Risk Management” (superseded by ISO/IEC 27005:2022)
Closing the Information Security Gap

 Security gap
 The difference between the security controls in place and the controls you need to address vulnerabilities
 Gap analysis
 A comparison of the security controls in place and the controls you need to address all identified threats
Steps for Conducting a Gap Analysis (1 of 2)

 Identify the applicable elements of the security policy and other standards
 Assemble policy, standard, procedure, and guideline documents
 Review and assess the implementation of the policies, standards, procedures, and guidelines
 Collect inventory information for all hardware and software components
Steps for Conducting a Gap Analysis (2 of 2)

 Interview users to assess knowledge of and compliance with policies
 Compare the current security environment to policies in place
 Prioritize identified gaps for resolution
 Document and implement the remedies to conform to policies
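Once the policy has been reduced to a checklist of required controls per asset class and the inventory step has recorded which controls are actually present on each host, the comparison and prioritization steps can be automated. The following Python is an added example, not the textbook's or any vendor's tool: the control names, their weights, and the host inventory are all constructed assumptions, and interviews and document review obviously remain manual.

```python
"""Control gap analysis over a host inventory (added example).

Assumes two artifacts from the earlier steps: REQUIRED, the policy expressed as
required controls per asset class with a weight for prioritisation, and
INVENTORY, the controls observed on each host. Both are constructed here.
"""
from collections import Counter

# Policy reduced to required controls per asset class (hypothetical names);
# weight 3 = critical, 2 = important, 1 = hygiene.
REQUIRED = {
    "server": {"patching": 3, "edr": 3, "log_forwarding": 2, "mfa_admin": 3, "backup": 2},
    "laptop": {"patching": 3, "edr": 3, "disk_encryption": 3, "screen_lock": 1},
    "mobile": {"mdm": 3, "disk_encryption": 3, "screen_lock": 1, "remote_wipe": 2},
}

# Constructed inventory: controls observed in place on each host.
INVENTORY = [
    {"host": "db01", "class": "server",
     "controls": {"patching", "edr", "backup"}},
    {"host": "web01", "class": "server",
     "controls": {"patching", "edr", "log_forwarding", "mfa_admin", "backup"}},
    {"host": "lt-42", "class": "laptop",
     "controls": {"edr", "screen_lock"}},
    {"host": "ph-07", "class": "mobile",
     "controls": {"mdm", "disk_encryption", "screen_lock", "remote_wipe"}},
]


def host_gaps(host):
    """Controls required for this host's class that were not observed, with weights."""
    required = REQUIRED[host["class"]]
    return {c: w for c, w in required.items() if c not in host["controls"]}


def gap_report(inventory):
    """Per-host gaps plus a ranked remediation list.

    A control's rank is the sum of its weight over every host missing it, so a
    critical control absent on many hosts rises to the top; ties break by name.
    """
    per_host = {}
    score = Counter()
    for host in inventory:
        gaps = host_gaps(host)
        if gaps:
            per_host[host["host"]] = sorted(gaps)
            score.update(gaps)          # adds each control's weight
    ranked = sorted(score.items(), key=lambda kv: (-kv[1], kv[0]))
    return per_host, ranked


def compliance_ratio(inventory):
    """Fraction of (host, required control) pairs that are satisfied."""
    satisfied = total = 0
    for host in inventory:
        required = REQUIRED[host["class"]]
        total += len(required)
        satisfied += len(required.keys() & host["controls"])
    return satisfied / total if total else 1.0


if __name__ == "__main__":
    per_host, ranked = gap_report(INVENTORY)
    for host, missing in per_host.items():
        print(f"{host}: missing {', '.join(missing)}")
    print("Remediate first:", ranked)
    print(f"Overall compliance: {compliance_ratio(INVENTORY):.0%}")
```

The ranked list is the input to the "prioritize identified gaps" step; the per-host list is what goes into the remediation tickets for the final step. Keep the weights in the policy document rather than in the script so that the prioritization can be defended to an auditor.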
Adhering to Compliance Laws (1 of 2)

 Family Educational Rights and Privacy Act (FERPA)
 Federal Financial Institutions Examination Council (FFIEC) guidance
 Children’s Online Privacy Protection Act of 1998 (COPPA)
 Gramm-Leach-Bliley Act (GLBA)
 Government Information Security Reform Act (Security Reform Act) of 2000
 The USA PATRIOT Act of 2001
 Federal Information Security Management Act (FISMA) of 2002
Adhering to Compliance Laws (2 of 2)

 Sarbanes-Oxley Act (SOX)
 California Security Breach Information Act (SB 1386) of 2003
 Health Insurance Portability and Accountability Act (HIPAA)
 Federal Information Security Modernization Act (FISMA) of 2014
 European Union General Data Protection Regulation (GDPR) of 2016
 Payment Card Industry Data Security Standard (PCI DSS)
 California Consumer Privacy Act (CCPA) of 2018
Figure: Security Compliance Laws and Standards Timeline
Keeping Private Data Confidential (1 of 2)

 Ensuring availability and integrity is important, but a loss of either can usually be repaired by restoring the system or the data
 A confidentiality violation cannot be undone: once private data has been disclosed, no recovery step makes it secret again

Figure: The Three Tenets of Information Security
Keeping Private Data Confidential (2 of 2)

 Authentication controls
 Passwords and PINs
 Smart cards and tokens
 Biometric devices
 Digital certificates
 Challenge-response handshakes
 Kerberos authentication
 One-time passwords
 Authorization controls
 Authentication server rules and permissions
 Access control lists
 Intrusion detection and prevention
 Physical access control
 Connection and access policy filters
 Network traffic filters
Mobile Workers and Use of Personally Owned Devices

 Mobility
 Allows remote workers and employees to be connected to the IT infrastructure in almost real time
 Bring Your Own Device (BYOD)
 Employees using their personally owned devices for both business and personal use
BYOD Concerns

 Data ownership
 Support ownership
 Patch management
 Antivirus management
 Forensics
 Privacy
 Legal concerns
 Acceptable use policy
 Onboard camera/video
 Onboarding/offboarding
 Adherence to corporate policies
 User acceptance
 Architecture/infrastructure considerations
Endpoint and Device Security

 Full device encryption
 Remote wiping
 Lockout
 Screen locks
 Global positioning system (GPS)
 Application control
 Storage segmentation
 Asset tracking
 Inventory control
 Mobile device management
 Device access control
 Removable storage
 Disabling unused features
Summary

 Risk management and approaches
 An overview of contingency planning: business impact analysis (BIA), business continuity plan (BCP), and disaster recovery plan (DRP)
 Assessing risks, threats, and vulnerabilities
 Adhering to compliance laws and governance
 Mobile workers and use of personally owned devices
