csrm

Question 1

Give recommendations for the market

Answer 1

.1Integrate cyber security in the company’s risk framework
2. Monitor if management and employees take cybersecurity seriously
3. Develop a data breach action plan
4. Monitor data classification and security policies
5. Terminate or reduce/restructure reward of board members and management in case of
cyber impact
6. Increase board cyber savviness

Question 2

What is cyber security

Answer 2

the protection of cyber systems against cyber threats

Question 3

what is a cyber threat

Answer 3

a threat that exploits a cyberspace. A system does no longer meets its critical functionality and it needs time to recover and adapt.

Question 4

Why are there not always benefits for the costs invested in cyber security systems?

Answer 4

To some extended there are clear benefits but after a certain amount there are not as much returns as investments.

Question 5

what are the 4 opponents of the cyber security framework?

Answer 5

• Spooks: governments using tools to protect national interest – including the risk of ending up in the hands of crooks.
• Crooks: Botnet herders, malware writers, spam senders, bulk account compromise, targeted attackers, and cash-out operators.
• Geeks: Experts and researchers that repot vulnerabilities – to enable fixing the vulnerability
• The swamp: Focus on person rather than on property, e.g., hacktivism and hate campaigns.

Question 6

What is risk en what does risk management mean?

Answer 6

Risk is an uncertain event which may occur in the future. Risk management comprises coordinated activities to direct and control an organization/set of efforts about risk, based on spending less resources to achieve more goals.

Question 7

which viewpoints on riskmanagement are there and what do they mean?

Answer 7

• Classical viewpoint: risks will be converted into an expected loss
• Modern viewpoint: The effect of uncertainty on an organizations’ ability to meet its
  objectives.

Question 8

what are the biggest cyber impacts

Answer 8

Operational disruption
- Intellectual property theft
- Drop in share price
- Loss of customer trust
- Regulatory fines

Question 9

There are all kinds of security management mechanisms, but why do the organization’s cyber budget need to be invested?

Answer 9

to mitigate risks.

Question 10

what is ISO27001

Answer 10

a protocol for cyber protection. It is updated in 2022 in adaption to new risks. Some new controls were added. There are four theme clauses: Organizational, people, physical and technology.

Question 11

what are the 4 theme clauses of ISO27001

Answer 11

Organizational, people, physical and technology.

Question 12

what is cyber insurance

Answer 12

Cyber insurance allows organizations to transfer some of the financial risks associated with cyber incidents to an insurer. The financial losses might cost associated with remediation, investigators, and crisis communication. Most cyber insurance companies are typically insurance companies offering a broader range of insurance services. Companies are AIG, Chubb, Hiscox, Liberty Mutual, HSB.

Question 13

what is first party coverage

Answer 13

First party coverage is on the financial impact on the insured organization. It covers data breaches and cyberattacks at the insurer’s business.

Question 14

what is third party coverage

Answer 14

Third party coverage provides liability protection in case the insured organization makes a mistake that results in a client suffering

Question 15

ISO 31000 for risk management. This standard comprises three main elements. what are these?

Answer 15

• The risk management process: Feedback on the performance of the process is used for monitoring and reviews.
• The risk management framework: Defines the risk management process.
• A set of principles which guide risk management activities: Guide the creation of the
  framework.

Question 16

What steps are taken in the Risk management process (ISO 31000 standard)?

Answer 16

Risk assessment: Risk identification – risk analysis – risk evaluation – risk treatment.  before it is important to establish the context. Define the scope for the risk management process, define organization’s objectives, establish the risk evaluation criteria.

Monitoring and review are also an important aspect: measure the risk management performance against indicators, which are periodically reviewed for appropriateness. Check for deviations from the risk management plan. Check if the risk management framework, policy, and plan is still appropriate.

Communication and consultation: Early on it helps stakeholder’s interests and concerns, to check that the risk management process is focusing on the right elements. Later, it helps explain the rationale for decisions and for particular risk treatment options.

Question 17

what is the external context in the Risk management process (ISO 31000 standard)

Answer 17

regulatory environment, market conditions, stakeholder expectations

Question 18

what is the internal context in the Risk management process (ISO 31000 standard)

Answer 18

organization’s governance, culture, standards and rules, capabilities,
existing contracts, worker expectations, information systems etc.

Question 19

explain the Risk management cycle

Answer 19

• Establish the context: strategic- and organizational context, stakeholders, scope
• Identify the risks: Types of risks. Use techniques; events trees, Bayesian networks, CORAS
  diagram.
• Analyze the risks: Likelihood x frequency. What would be the impact?
• Evaluate the risks: Rank risks according to management priorities and risk/likelihood
• Treat the risks: consider priorities, resources, and risk acceptance
• Monitoring and review: ensure that controls are effective and efficient, detect changes. Risk
  management polices and decisions must be regularly reviewed.
• Communication & consolidation
• Again…

Question 20

what are the Four main options for risk management?

Answer 20

• Risk reduction
• Risk retention
• Risk avoidance
• Risk sharing

Question 21

Risk management framework

Answer 21

Determines
how risk management is integrated with the organization’s management system.

Question 22

what should the risk management framework include

Answer 22

• Risk architecture: Roles and responsibilities of individuals and committees that support the risk management process
• Strategy: Objectives of the risk management activity in the organization
• Protocols: How the strategy will be implemented, and risks managed.

Question 23

Risk management principles (ISO 31000)

Answer 23

They should influence the design and implementation of organization’s risk management framework and process.
- Creates and protects value
- Is tailored
- Part of decision making
- Transparent and inclusive
- Dynamic, iterative, and responsive to change
- Etc.

Question 24

Role-based access control (RBAC)

Answer 24

A policy-neutral access-control mechanism defined around roles and privileges. The components of RBAC such as role-permission, user-role and role-role relationships make it simple to perform user assignments. RBAC addresses many needs of commercial and government organizations.

• Users are associated with roles
• Roles are associated with permissions
• A user has a permission only if the user has an authorized role which is associated with that
  permission.

Question 25

Encryption

Answer 25

conversion of data from a readable format into an encoded format, using an algorithm (cipher). Encrypted data can be only read or processed after it’s been decrypted. Encryption is the basic building block of data security. It involves converting human-readable plaintext into incomprehensible text, which is known as ciphertext. Encryption involves using a cryptographic key, a set of mathematical values both the sender and recipient agree on. The recipient uses the key to decrypt the data, turning it back into readable plaintext.

Question 26

ciphertext

Answer 26

Essentially, this means taking readable data and changing it so that it appears random.

Question 27

Benefits of encryption:

Answer 27

Maintains data integrity, helps organizations adhere to regulations, protects data across devices, helps when moving data to cloud storage, secure offices, protects IP.

Question 28

Information security objectives

Answer 28

- Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. - Integrity: Guarding against improper information modification or destruction and includes ensuring information non-repudiation and authenticity. - Availability: Ensuring timely and reliable access to and use of information - Auditability: Ensuring that evidence of all crucial transactions is stored reliably for auditing purposes.

Question 29

Elements of access control

Answer 29

- Identification: Unique way of identifying an entity - Authentication: proof of entity - Authorization: rights of person in role - Nonrepudiation: receiver can’t deny receipt of message.

Question 30

what are the several types of attacks

Answer 30

Interruption, interception, modification, and fabrication.

Question 31

Cryptography components

Answer 31

- Basics: message m is a sequence of numbers (ASCII, a=1, b=2, c=3) - Hash function: generate unique numbers Hash(‘hello’) = mod(8 5 12 12 15, 127) = 100 - Symmetric key algorithms: parties have the same key - Public key algorithms: parties have complementary key values. This are public key ciphers (like RSA); digital signatures. - Procedures for key distribution and management

Question 33

Key management

Answer 33

Refers to mechanisms to bind a key to a person. Key distribution is an issue, make sure only authorized people have a key.

Question 34

RSA algorithm

Answer 34

Uses an RSA algorithm (Rivest-Shamir-Adleman). This algorithm will generate a public and private key that are mathematically linked. Public keys can be used to encrypt data and the private keys to decrypt it. Example: mailbox address is public key; the owner of the mailbox is the only one who has the private key. It is important to keep the private keys protected! Encryption is based on the numbers N and F so the public key is a pair (f, n). Their statements say, use these numbers to encrypt the lock and I will be a able to decipher.