CISA Module 5 – Protection of Information Assets | Study Guide
CISA 2025 EXAM PREP — MODULE 5

Protection of Information Assets

Comprehensive Study Guide with 103 Interactive MCQs · Based on ISACA CISA Review Manual 2025

📋 12 Topic Areas 📝 103 MCQs ⚡ Instant Feedback 🎯 Exam-Level Difficulty 📊 Score Tracker 🔀 Shuffle Mode
01

Information Security Management & Frameworks

CIA Triad — The Foundation

Principle | Definition | Threat Examples | Controls
Confidentiality | Information accessible only to authorised parties | Eavesdropping, data theft, unauthorised access | Encryption, access controls, DLP
Integrity | Information is accurate and unaltered by unauthorised parties | Tampering, man-in-the-middle, malware modification | Hashing, digital signatures, checksums
Availability | Information accessible to authorised users when needed | DDoS, ransomware, hardware failure | Redundancy, backups, DRP/BCP

🔵 Extended Model — Parkerian Hexad: Adds Possession/Control, Authenticity, and Utility to the CIA Triad for a more complete view of information security.

Key Information Security Frameworks

Framework | Focus | Key Feature
ISO/IEC 27001 | Information Security Management System (ISMS) | Certifiable standard; Annex A lists 93 controls in four themes (organisational, people, physical, technological) in the 2022 edition (the 2013 edition had 114 controls); Plan-Do-Check-Act cycle
ISO/IEC 27002 | Code of practice for information security controls | Implementation guidance for the Annex A controls of 27001
NIST CSF 2.0 | Cybersecurity risk management | Six functions: Govern, Identify, Protect, Detect, Respond, Recover (Govern added in v2.0, released 2024)
NIST SP 800-53 | Security and privacy controls for federal systems | Comprehensive control catalogue; widely adopted beyond US government
CIS Controls v8 | Prioritised security actions | 18 controls; Implementation Groups (IG1/IG2/IG3) scale the safeguards to organisational size and risk profile
COBIT 2019 | IT governance including security | APO13 (Managed Security); DSS05 (Managed Security Services)

Information Security Policy Hierarchy

  • Information Security Policy: Board-approved, high-level statement of security intent — the master policy
  • Topic-Specific Policies: Acceptable Use, Access Control, Encryption, BYOD, Remote Work, Incident Response
  • Standards: Mandatory technical specifications (password complexity, encryption algorithms)
  • Procedures: Step-by-step operational instructions
  • Guidelines: Recommended but non-mandatory best practices

Security Governance Structure

  • Board of Directors: Ultimate accountability; approve information security policy; receive risk reports
  • CISO (Chief Information Security Officer): Owns security strategy, programme, and risk posture
  • Information Security Steering Committee: Cross-functional oversight of security priorities and investments
  • Data/Information Owner: Business manager accountable for data under their control; sets classification and access rules
  • Data Custodian: IT staff responsible for technical safeguarding of data (backups, access provisioning)
  • Data User: End user who accesses data per owner-granted permissions

⚠️ CISA Exam Hot Topic: The Data Owner is a BUSINESS role — not IT. They are accountable for classifying data and determining who should have access. The Data Custodian (IT) implements the owner's decisions.

Defence in Depth

Multiple overlapping security layers ensure that failure of one control does not result in a breach. Layers: Physical → Network → Host → Application → Data. Each layer independently prevents or detects attacks.

02

Logical Access Controls & Identity Management

Access Control Fundamentals

Step | Definition | Example
Identification | Claiming an identity | Entering a username
Authentication | Proving the claimed identity | Entering a password, biometric scan
Authorisation | Granting access to resources based on the verified identity | RBAC role granting read access to the finance module
Accountability | Tracking actions to an authenticated identity via audit logs | Audit trail showing user X accessed record Y at time Z

Authentication Factors

  • Something you KNOW: Password, PIN, security questions
  • Something you HAVE: Smart card, hardware token (RSA SecurID, FIDO2 security key), OTP app (Google Authenticator), SMS code (the weakest of these: NIST SP 800-63B classes SMS OTP as a restricted authenticator because of SIM-swap and interception risk)
  • Something you ARE: Biometrics — fingerprint, iris, facial recognition, voice
  • Somewhere you ARE: Geolocation, network location (IP range)
  • Something you DO: Keystroke dynamics, signature dynamics (behavioural biometrics)

MFA (Multi-Factor Authentication): Uses TWO OR MORE DIFFERENT factors. Two passwords = NOT MFA (same factor). Password + OTP = MFA. Password + fingerprint = MFA.

Access Control Models

Model | Description | Use Case
DAC (Discretionary) | Resource owner controls access and can grant it to others | File systems (Windows NTFS permissions)
MAC (Mandatory) | System enforces access based on labels/clearances; owners cannot override | Government/military (Top Secret, Secret, Confidential)
RBAC (Role-Based) | Access granted based on job role/function | Enterprise applications; most common in business
ABAC (Attribute-Based) | Access based on attributes of user, resource, and environment | Dynamic, context-aware access (time, location, device)
Rule-Based | Access controlled by system-wide rules (e.g., firewall ACLs) | Network firewalls, routers

Identity & Access Management (IAM)

  • Identity Lifecycle: Provisioning → Modification → Deprovisioning (joiners, movers, leavers)
  • Single Sign-On (SSO): One authentication grants access to multiple systems — reduces password fatigue but creates single point of failure
  • Federated Identity: Identity assertion trusted across organisational boundaries (SAML 2.0, OpenID Connect); OAuth 2.0 underlies OIDC but is itself an authorisation framework for delegated API access, not an authentication protocol
  • Privileged Access Management (PAM): Controls, monitors, and records privileged (admin) account usage
  • Just-in-Time (JIT) Access: Temporary privilege elevation for specific tasks — minimises standing privileged access
  • Access Recertification: Periodic review of all access rights to detect access creep — typically quarterly for privileged, annually for standard

Password Controls

  • Minimum length ≥12 characters for user-chosen passwords (NIST SP 800-63B sets 8 as the floor; length matters more than character classes, and passphrases should be allowed)
  • Complexity: traditional policy requires mixed case, digits and special characters; NIST SP 800-63B now advises against mandatory composition rules because they produce predictable patterns, and recommends screening new passwords against known-breached lists instead
  • Account lockout or progressive throttling after a small number of failed attempts (3-5 is common) to defeat online brute force
  • Password history: prevent reuse of the last 10-24 passwords
  • Passwords must be stored as salted hashes produced by a deliberately slow function (Argon2id, bcrypt, scrypt or PBKDF2); never plaintext, never a plain fast hash such as unsalted SHA-256
  • Prefer MFA, and where possible phishing-resistant authenticators (FIDO2), over ever-stricter password rules
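As an added worked example, not part of the study guide, the storage and screening rules above in Python standard-library code: PBKDF2-HMAC-SHA256 with a per-user random salt, a constant-time comparison on verification, and a check against a breach list before a password is accepted. The breach list here is a constructed stand-in (real deployments query a full corpus such as Have I Been Pwned), and the record format, iteration count and policy thresholds are assumptions; a production system would normally use Argon2id or bcrypt through a vetted library.

```python
"""Password storage and screening per the controls above: salted, iterated hash plus breach check."""
import hashlib
import hmac
import secrets

# Constructed stand-in for a breach corpus (real deployments query a full list such as HIBP).
# Stored as upper-case SHA-1 hex, the form in which breach corpora are commonly distributed.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "123456", "Password1!", "qwerty", "passwordpassword")
}
PBKDF2_ITERATIONS = 600_000   # OWASP (2023) figure for PBKDF2-HMAC-SHA256; an assumption here


def is_breached(password: str) -> bool:
    """Screen against the (constructed) breach list by SHA-1 digest."""
    return hashlib.sha1(password.encode()).hexdigest().upper() in BREACHED_SHA1


def hash_password(password: str) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex."""
    salt = secrets.token_bytes(16)                       # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute from the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), hash_hex)


def register(password: str, min_length: int = 12) -> str:
    """Policy gate, then storage. Raises ValueError when the policy rejects the password."""
    if len(password) < min_length:
        raise ValueError("shorter than the policy minimum")
    if is_breached(password):
        raise ValueError("appears in a known breach list")
    return hash_password(password)


if __name__ == "__main__":
    rec = register("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec), verify_password("wrong guess here", rec))
    # Same password for two users yields two different records because the salts differ
    print(hash_password("same secret phrase") != hash_password("same secret phrase"))
```

The salt is what an auditor should look for in a stored record: two users with the same password must not share a hash, otherwise one cracked record exposes both and precomputed tables work.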

Biometric Performance Metrics

Metric | Definition | Implication
FRR (False Rejection Rate) | Legitimate users denied access (Type I error) | Too high = user frustration
FAR (False Acceptance Rate) | Impostors granted access (Type II error) | Too high = security breach
CER/EER (Crossover / Equal Error Rate) | Threshold setting at which FRR = FAR; lower is better | Key comparison metric between biometric systems

⚠️ CISA Key: FAR (False Acceptance) is the more dangerous error — it allows unauthorised access. FRR causes inconvenience. Lower CER indicates a better overall biometric system.
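Added example, not from the review manual: the FAR/FRR/EER calculation carried out on a constructed set of matcher scores, showing how moving the acceptance threshold trades one error against the other, how the crossover becomes a single comparable number, and how to tune for a FAR ceiling because FAR is the dangerous error. The scores and the 0-100 similarity scale are invented for illustration.

```python
"""FAR/FRR across decision thresholds and the crossover (EER) on constructed matcher scores."""
from typing import Dict, List, Tuple

# Constructed similarity scores (0-100) from a hypothetical matcher: genuine attempts score high,
# impostor attempts score low, with an overlap region where the threshold choice matters.
GENUINE_SCORES = [92, 88, 85, 81, 79, 77, 74, 71, 69, 66, 63, 60, 57, 52, 48]
IMPOSTOR_SCORES = [23, 28, 31, 35, 38, 41, 44, 47, 50, 53, 56, 59, 62, 65, 70]


def error_rates(threshold: int, genuine: List[int], impostor: List[int]) -> Tuple[float, float]:
    """(FRR, FAR) when a score >= threshold is accepted.

    FRR, Type I: genuine users below the threshold are rejected (inconvenience).
    FAR, Type II: impostors at or above the threshold are accepted (breach)."""
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return frr, far


def sweep(genuine: List[int], impostor: List[int]) -> Dict[int, Tuple[float, float]]:
    """Error rates at every threshold on the 0-100 scale."""
    return {t: error_rates(t, genuine, impostor) for t in range(0, 101)}


def equal_error_rate(genuine: List[int], impostor: List[int]) -> Tuple[int, float]:
    """Threshold where |FRR - FAR| is smallest (first such point); EER is their mean there."""
    best_t, best_gap = 0, None
    for t, (frr, far) in sweep(genuine, impostor).items():
        gap = abs(frr - far)
        if best_gap is None or gap < best_gap:
            best_t, best_gap = t, gap
    frr, far = error_rates(best_t, genuine, impostor)
    return best_t, (frr + far) / 2


def threshold_for_max_far(max_far: float, genuine: List[int], impostor: List[int]) -> int:
    """Lowest threshold whose FAR does not exceed max_far: tune for the dangerous error, accept the FRR."""
    for t in range(0, 101):
        if error_rates(t, genuine, impostor)[1] <= max_far:
            return t
    return 101


if __name__ == "__main__":
    t, eer = equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"EER {eer:.3f} at threshold {t}")
    strict = threshold_for_max_far(0.0, GENUINE_SCORES, IMPOSTOR_SCORES)
    frr, far = error_rates(strict, GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"FAR=0 needs threshold {strict}: FRR rises to {frr:.3f}")
```

On these constructed scores the curves cross at threshold 60 with both rates at 20%; pushing FAR to zero requires a threshold of 71, at which nearly half of genuine attempts are rejected. A vendor quoting only a low FAR, without the FRR at that operating point, has not told you the whole story.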

03

Data Classification & Information Handling

Data Classification Purpose

Data classification ensures information receives appropriate protection based on its sensitivity and value. It drives access controls, encryption requirements, handling procedures, retention, and disposal requirements.

Common Classification Schemes

Commercial Scheme | Government/Military Scheme | Description
Public / Unclassified | Unclassified | Safe for public release; no harm if disclosed
Internal / Restricted | Sensitive But Unclassified (SBU) | Not public; minor harm if disclosed
Confidential | Confidential | Serious business/national harm if disclosed
Secret / Highly Confidential | Secret | Severe harm if disclosed
Top Secret | Top Secret | Exceptionally grave harm if disclosed

Data Classification Roles

  • Data Owner (Business Manager): Classifies data; determines access rights and handling requirements
  • Data Custodian (IT): Implements protections as defined by the owner
  • Data Steward: Manages data quality and governance on behalf of the owner
  • Data Subject: Individual whose personal data is processed (GDPR term)
  • Data Controller: Organisation determining why/how personal data is processed (GDPR)
  • Data Processor: Organisation processing data on behalf of the controller (GDPR)

Data States & Required Controls

State | Description | Key Controls
Data at Rest | Stored data (databases, files, backups, archives) | Encryption (AES-256, preferably in an authenticated mode such as GCM), access controls, DRM, secure disposal
Data in Transit | Data moving across networks | TLS (SSL is obsolete), VPN (IPsec), SFTP, encrypted email (S/MIME, PGP)
Data in Use | Data being actively processed in memory/CPU | Memory encryption, secure enclaves / confidential computing (Intel SGX, AMD SEV), access controls

Data Loss Prevention (DLP)

DLP solutions monitor, detect, and block unauthorised transfer of sensitive data:

  • Network DLP: Monitors outbound network traffic (email, web upload, FTP)
  • Endpoint DLP: Controls data transfer from endpoints (USB, print, copy-paste)
  • Cloud DLP: Monitors data in cloud applications (integrated with CASB)
  • Discovery DLP: Scans repositories to find sensitive data in unexpected locations
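Added example of the content-inspection logic a discovery or endpoint DLP engine applies, written for this page rather than taken from any product: regular expressions for payment card numbers and US SSN-style identifiers, a Luhn check so that a 16-digit order number is not reported as a card, and masking of anything reported so the finding itself does not leak the data. The sample text is constructed; the two card numbers are published test numbers.

```python
"""Discovery-style DLP: find card numbers and SSN-like identifiers in text, with Luhn validation."""
import re
from typing import List, Tuple

# Constructed sample content mixing real-format identifiers with look-alike noise.
SAMPLE = """
Invoice 20240117 for customer 4111 1111 1111 1111 (Visa test number)
Ref 1234-5678-9012-3456 is an order id, not a card.
Backup PAN: 5500000000000004
Employee SSN 078-05-1120 listed in appendix.
"""

# 13-19 digits, optionally separated by single spaces or hyphens, not embedded in a longer digit run
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# AAA-GG-SSSS with the structurally invalid area/group/serial values excluded
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Candidate card numbers that pass both the length and the Luhn check, separators stripped."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def find_ssns(text: str) -> List[str]:
    return SSN_RE.findall(text)


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits (the PCI DSS display rule), mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan(text: str) -> List[Tuple[str, str]]:
    """Findings as (data type, masked value); the DLP policy decides block/alert/quarantine from these."""
    findings = [("PAN", mask_pan(p)) for p in find_pans(text)]
    findings += [("SSN", "***-**-" + s[-4:]) for s in find_ssns(text)]
    return findings


if __name__ == "__main__":
    for kind, value in scan(SAMPLE):
        print(kind, value)
```

The Luhn step is what keeps the false-positive rate tolerable: the hyphenated order reference in the sample has the right shape but fails the checksum and is not reported, while both genuine-format card numbers are. Note that the check validates structure, not ownership, so a policy usually also weighs context (keywords such as "PAN", proximity to expiry dates) before blocking.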

Data Retention & Destruction

  • Retention periods driven by: legal/regulatory requirements, contractual obligations, business need
  • Legal holds override normal destruction schedules during litigation
  • Secure destruction methods: Overwriting (NIST SP 800-88), degaussing (magnetic media), physical destruction (shredding, incineration)
  • Destruction must be documented with certificates of destruction for sensitive data

04

Cryptography & Public Key Infrastructure (PKI)

Cryptography Fundamentals

Type | Description | Key Feature | Examples
Symmetric Encryption | Same key for encryption and decryption | Fast; key distribution challenge | AES; DES and RC4 (broken, not for use); 3DES (deprecated; NIST disallows it for encryption after 2023)
Asymmetric Encryption | Key pair: what one key encrypts only the other can decrypt | Solves key distribution; far slower, so used for key exchange and signatures rather than bulk data | RSA, ECC (ECDSA, ECDH), Diffie-Hellman (key agreement), DSA
Hashing | One-way function producing a fixed-length digest | Cannot be reversed; detects tampering | SHA-256, SHA-3; MD5 and SHA-1 (broken for collision resistance, not for signatures or integrity)
Hybrid Encryption | Asymmetric to exchange a symmetric key; symmetric for the data | Best of both: secure key exchange plus performance | TLS, PGP, S/MIME

Cryptographic Applications

  • Digital Signature: Sender hashes the message → signs the hash with their PRIVATE key (in textbook RSA this is modular exponentiation with the private exponent, which is why it is often described as "encrypting the hash") → recipient verifies with the sender's PUBLIC key and compares against a fresh hash → proves authenticity and integrity and supports non-repudiation, because only the private-key holder could have produced it. Real implementations use a padded scheme (RSA-PSS) or ECDSA/Ed25519, never raw RSA
  • Digital Certificate: Binds a public key to an identity; issued and signed by a Certificate Authority (CA)
  • MAC (Message Authentication Code): Symmetric shared key + message → authenticates message origin and integrity between the two key holders; no non-repudiation, because either party could have produced the tag
  • HMAC: Hash-based MAC (RFC 2104) that combines a hash function with a secret key

🔵 Digital Signature Process: Sign with PRIVATE key (only you have it → proves it came from you). Verify with PUBLIC key (anyone can verify). This is the OPPOSITE of encryption (encrypt with public, decrypt with private).

Public Key Infrastructure (PKI)

Component | Role
Certificate Authority (CA) | Issues, signs, and revokes digital certificates; the trusted third party
Registration Authority (RA) | Verifies the identity of certificate requestors before the CA issues certificates
Certificate Revocation List (CRL) | Signed list of revoked certificates published periodically by the CA; checked before trusting a certificate
OCSP (Online Certificate Status Protocol) | Per-certificate revocation status query, more current than a CRL; with OCSP stapling the server presents a recent signed response itself, avoiding a client-side lookup
Certificate Repository | Directory where certificates are published and accessible
Root CA | Top of the PKI trust hierarchy; self-signed, normally kept offline, signs Intermediate CA certificates

Encryption Algorithms — Current Standards

  • AES-256 (AES-128 is also approved): the standard for symmetric encryption of data at rest and in transit; use an authenticated mode (GCM, CCM) rather than bare CBC/ECB
  • RSA-2048 minimum, RSA-3072/4096 for longer-term protection: widely used for key transport and digital signatures; RSA-1024 is disallowed
  • ECC (Elliptic Curve Cryptography): equivalent security with much smaller keys (P-256 or Curve25519 at roughly 128-bit strength); preferred for mobile, IoT and modern TLS
  • SHA-256 / SHA-3: secure hashing; SHA-1 and MD5 are deprecated/broken for collision resistance
  • TLS 1.3: current standard for transport encryption; TLS 1.0/1.1 are deprecated; TLS 1.2 is acceptable with modern cipher suites, 1.3 preferred

Key Management

  • Keys must be protected throughout their lifecycle: generation → distribution → storage → use → rotation → destruction
  • Hardware Security Modules (HSMs) provide tamper-resistant key storage
  • Key escrow: storing keys with a trusted third party for recovery purposes
  • Key length directly impacts security: for symmetric keys each added bit doubles the brute-force effort; asymmetric key sizes are not directly comparable (RSA-2048 gives roughly 112-bit security, P-256 roughly 128-bit), which is why algorithm-specific minimums are set

⚠️ CISA Audit Focus: The strength of an encryption system depends on key management as much as algorithm strength. Weak key management (poor storage, no rotation, shared keys) undermines even the strongest algorithm.

05

Network Security & Architecture

Network Security Controls

Control | Function | Placement
Firewall (NGFW) | Filters traffic based on rules; NGFW adds application-layer inspection, IPS, and user identity awareness | Network perimeter, between zones
IDS / IPS | Detects (IDS) or blocks (IPS) malicious traffic patterns | Network segments; inline (IPS) or passive/out-of-band (IDS)
WAF | Protects web applications from common attacks (SQLi, XSS, CSRF) and OWASP Top 10 risks | In front of web servers
VPN | Encrypted tunnel (IPsec for site-to-site; SSL/TLS for remote access) | Perimeter; remote users
Zero Trust Network Access (ZTNA) | Never trust, always verify; per-session least-privilege access to individual applications rather than the whole network | Replaces or supplements VPN in modern architectures
Network Segmentation / VLAN | Isolates network zones to limit lateral movement | Throughout the network
DNS Security (DNSSEC) | Authenticates DNS responses with signatures; prevents cache poisoning/spoofing (it does not encrypt queries) | DNS infrastructure
Email Security | Anti-spam, anti-phishing, SPF, DKIM, DMARC; prevents email spoofing | Email gateway

Zero Trust Architecture (ZTA)

Zero Trust rejects the implicit trust given to users/devices inside the network perimeter. Core principles:

  • Verify explicitly: Always authenticate and authorise based on all available data points
  • Least privilege access: Limit access to the minimum required; use JIT/JEA
  • Assume breach: Design as if attacker is already inside; minimise blast radius
  • Components: Identity provider, device health, micro-segmentation, continuous monitoring

OSI Model Security Relevance

Layer | Name | Security Controls
7 | Application | WAF, application firewall, content filtering, API gateway
6 | Presentation | TLS encryption, data format validation
5 | Session | Session tokens, authentication protocols (Kerberos)
4 | Transport | TLS, port filtering, stateful firewall
3 | Network | IP filtering, router ACLs, IPsec, VPN
2 | Data Link | MAC filtering, 802.1X, VLAN, ARP inspection
1 | Physical | Physical access controls, cable locks, tamper protection

Email Security Protocols

  • SPF (Sender Policy Framework): DNS TXT record listing the servers authorised to send for a domain; the receiver checks the connecting IP against the envelope sender (MAIL FROM) domain, not against the From header the user sees, which is why SPF alone does not stop display-name spoofing
  • DKIM (DomainKeys Identified Mail): The sending domain signs selected headers and the body with a private key whose public key is published in DNS; verifies that the message was not altered in transit and came from a holder of that key
  • DMARC: Policy published at _dmarc.<domain> that requires SPF or DKIM to pass AND align with the From header domain, tells receivers what to do with failures (p=none/quarantine/reject, sp= for subdomains), and requests aggregate reports (rua=) so the domain owner can see who is sending as them
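The evaluation a receiving mail server performs, as an added example written for this page (not from the study guide or any mail product) over constructed DNS records for a hypothetical domain: a minimal SPF check of the connecting IP against the MAIL FROM domain, then the DMARC alignment test that decides whether an SPF or DKIM pass actually protects the From header, and the policy applied when it does not. The records, domains and IPs are invented; the SPF evaluator handles only ip4/ip6 and all (include, a and mx would need further lookups), and the organisational-domain rule is simplified to the last two labels where real code consults the Public Suffix List.

```python
"""SPF evaluation and DMARC alignment/disposition for one message (constructed DNS data)."""
import ipaddress
from typing import Dict, Optional

# Constructed DNS TXT records for a hypothetical domain. No real lookups are performed.
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                          "rua=mailto:dmarc-reports@example.com",
}
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(client_ip: str, mail_from_domain: str, dns=DNS_TXT) -> str:
    """Minimal SPF evaluator: ip4/ip6 mechanisms and the trailing 'all' only.
    'include', 'a' and 'mx' need further DNS lookups and are skipped here (assumption)."""
    record = dns.get(mail_from_domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        if mech.startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(mech[4:], strict=False):
                return QUALIFIER[qual]
        elif mech == "all":
            return QUALIFIER[qual]
    return "neutral"


def parse_tags(record: str) -> Dict[str, str]:
    """Parse the 'k=v; k=v' tag list used by DMARC (and DKIM) records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def org_domain(domain: str) -> str:
    """Organisational domain, simplified to the last two labels (real code uses the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(from_domain: str, spf_result: str, spf_domain: Optional[str],
                      dkim_result: str, dkim_domain: Optional[str], dns=DNS_TXT) -> str:
    """Return 'pass', or the policy to apply ('none', 'quarantine', 'reject').

    spf_domain is the MAIL FROM domain SPF was evaluated against; dkim_domain is the d= tag of a
    signature that verified. DMARC passes when at least one mechanism passed AND its domain aligns
    with the RFC 5322 From domain; otherwise p= applies (sp= for subdomains, if present)."""
    record = dns.get(f"_dmarc.{from_domain}") or dns.get(f"_dmarc.{org_domain(from_domain)}")
    if not record:
        return "none"                     # no policy published: receiver applies its own judgement
    tags = parse_tags(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    if from_domain.lower() != org_domain(from_domain):
        return tags.get("sp", tags.get("p", "none"))
    return tags.get("p", "none")


if __name__ == "__main__":
    # A spoofed message: From example.com, sent from an IP outside example.com's SPF range, unsigned
    spf = spf_check("198.51.100.7", "example.com")
    print(spf, dmarc_disposition("example.com", spf, "example.com", "none", None))
```

The alignment step is the point the bullets above make: an attacker can pass SPF for a domain they control while showing `example.com` in the From header, and only DMARC ties the two together. When auditing a domain, read the published record for `p=none` (monitoring only, no enforcement) and for a missing `rua=` (no visibility into abuse).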

06

Endpoint & Mobile Security

Endpoint Security Controls

  • Antivirus / Anti-malware: Signature-based and heuristic detection of malicious software
  • EDR (Endpoint Detection & Response): Continuous monitoring; detects and responds to advanced threats on endpoints
  • XDR (Extended Detection & Response): Extends EDR across endpoints, network, cloud, and email for unified threat detection
  • Full Disk Encryption (FDE): Encrypts entire disk — BitLocker (Windows), FileVault (macOS) — protects data if device is lost/stolen
  • Host-Based Firewall: Controls inbound/outbound traffic at the endpoint level
  • Application Whitelisting: Only approved applications can execute — blocks unknown malware
  • USB Port Control: Prevents unauthorised data exfiltration or introduction of malware via removable media
  • Patch Management: Timely application of OS and application security patches

Mobile Device Management (MDM)

Capability | Function
MDM (Mobile Device Management) | Manages and enforces policies on mobile devices: enrolment, configuration, remote wipe
MAM (Mobile Application Management) | Manages specific apps on devices without controlling the whole device (BYOD-friendly)
MCM (Mobile Content Management) | Controls access to and sharing of corporate content on mobile devices
EMM (Enterprise Mobility Management) | Comprehensive umbrella: MDM + MAM + MCM
UEM (Unified Endpoint Management) | Manages all endpoints (mobile, desktop, IoT) from a single platform

BYOD (Bring Your Own Device) Controls

  • BYOD policy defining acceptable use, security requirements, and privacy expectations
  • Containerisation — corporate data in encrypted, isolated container on personal device
  • Network Access Control (NAC) — verify device compliance before network access
  • Remote wipe capability for corporate data (not necessarily whole device)
  • Mobile threat defence (MTD) solutions detect device, app, and network threats

IoT Security Challenges

  • Default credentials — many IoT devices ship with unchanged default usernames/passwords
  • Limited patching capability — many devices lack update mechanisms
  • Network segmentation — IoT devices should be isolated from corporate networks
  • Physical security — IoT devices may be deployed in accessible/exposed locations
  • Inventory and visibility — difficult to discover and manage all IoT assets

07

Vulnerability Management & Penetration Testing

Vulnerability Management Lifecycle

  1. Asset Discovery: Identify all systems, applications, and network devices in scope
  2. Vulnerability Scanning: Automated tools identify known vulnerabilities (CVEs)
  3. Risk Assessment & Prioritisation: CVSS scoring; business context; exploitability
  4. Remediation: Patch, reconfigure, or compensate for identified vulnerabilities
  5. Verification: Rescan to confirm vulnerabilities are remediated
  6. Reporting: Track KPIs — mean time to remediate; percentage patched within SLA

CVSS (Common Vulnerability Scoring System)

CVSS v3.1 scores vulnerabilities from 0 to 10 using eight Base metrics: Attack Vector (AV), Attack Complexity (AC), Privileges Required (PR), User Interaction (UI), Scope (S), and Confidentiality, Integrity and Availability Impact (C/I/A). They are published as a vector string, for example CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (an unauthenticated remote full compromise, 9.8). Temporal and Environmental metric groups let an organisation adjust the base score for exploit maturity, available fixes and its own asset criticality. CVSS v4.0, published in November 2023, revises the metric set and is being adopted alongside v3.1.

Score Range | Severity | Typical Patch SLA
9.0 – 10.0 | Critical | 24–72 hours
7.0 – 8.9 | High | 7–14 days
4.0 – 6.9 | Medium | 30 days
0.1 – 3.9 | Low | 90 days / next cycle

Penetration Testing Types

Type | Tester Knowledge | Simulates
Black Box | No prior knowledge of the target | External attacker with no insider knowledge
White Box | Full knowledge (source code, architecture, credentials) | Insider threat, or a thorough security review
Grey Box | Partial knowledge (user credentials, network diagrams) | Authenticated attacker; compromised account

Penetration Testing Methodology

  1. Planning & Scoping: Define scope, rules of engagement, legal authorisation (get written permission)
  2. Reconnaissance: Passive (OSINT) and active information gathering
  3. Scanning & Enumeration: Port scanning (Nmap), service identification, vulnerability scanning
  4. Exploitation: Attempt to exploit identified vulnerabilities
  5. Post-Exploitation: Assess depth of compromise; lateral movement; data exfiltration simulation
  6. Reporting: Document findings, risk ratings, evidence, and remediation recommendations

⚠️ CISA Critical Point: Penetration testing MUST have written authorisation before beginning. Conducting a pen test without explicit written permission is illegal, regardless of intent.

Vulnerability Scanning vs. Penetration Testing

Aspect | Vulnerability Scanning | Penetration Testing
Frequency | Continuous / weekly / monthly | Annual / after major changes
Automation | Fully automated tools (Nessus, Qualys) | Manual plus tools; human expertise required
Exploitation | No exploitation; identifies potential vulnerabilities | Actively exploits vulnerabilities to prove impact
Depth | Broad coverage; less deep | Narrower scope; much deeper

08

Threat Intelligence & Attack Techniques

Threat Intelligence Types

  • Strategic: High-level trends for executive decision-making (threat landscape, nation-state actors)
  • Tactical: TTPs (Tactics, Techniques, Procedures) used by threat actors — for security teams
  • Operational: Specific campaigns, malware families, actor infrastructure
  • Technical: IOCs (Indicators of Compromise) — IP addresses, file hashes, domains, URLs

MITRE ATT&CK Framework

MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. Key Tactics (in order of attack progression):

  • Reconnaissance → Resource Development → Initial Access → Execution → Persistence → Privilege Escalation → Defence Evasion → Credential Access → Discovery → Lateral Movement → Collection → Command & Control → Exfiltration → Impact

Common Attack Types (CISA Exam Favourites)

Attack | Description | Defence
Phishing | Deceptive email to steal credentials or deliver malware | Email security (DMARC), user training, MFA
Spear Phishing | Targeted phishing at specific individuals using personal information | Same, plus executive awareness training
SQL Injection (SQLi) | Malicious SQL injected into input fields to manipulate databases | Parameterised queries, WAF, input validation
XSS (Cross-Site Scripting) | Malicious script injected into trusted web pages and executed in the victim's browser | Input validation, output encoding, CSP headers
Man-in-the-Middle (MitM) | Attacker intercepts communication between two parties | Encryption (TLS), certificate pinning, HSTS
Ransomware | Malware encrypts the victim's data; demands ransom for the decryption key | Backups, EDR, network segmentation, patch management
DDoS | Flood of traffic overwhelms services, causing denial of service | CDN, rate limiting, DDoS scrubbing services, anycast
Social Engineering | Manipulating people into revealing information or performing actions | Security awareness training, verification procedures
Insider Threat | Malicious or negligent actions by employees/contractors | SoD, least privilege, DLP, UBA, background checks
Supply Chain Attack | Compromising software/hardware through trusted third parties | Vendor vetting, SCA, code signing, SBOM

Malware Types

  • Virus: Attaches to legitimate files; requires host execution to spread
  • Worm: Self-replicating; spreads across networks without user action
  • Trojan: Disguised as legitimate software; creates backdoor
  • Rootkit: Hides attacker presence at OS/firmware level; very hard to detect
  • Spyware: Secretly monitors and exfiltrates user data/keystrokes
  • Adware: Displays unwanted ads; often bundles spyware
  • Botnet: Network of compromised machines controlled by attacker (C2)
  • APT (Advanced Persistent Threat): Long-term, targeted attack by sophisticated adversary (nation-state level)

09

Security Monitoring, SIEM & SOC

Security Operations Centre (SOC)

The SOC is the centralised function responsible for continuous monitoring, detection, analysis, and response to cybersecurity incidents. SOC tiers:

  • Tier 1 — Alert Triage: Monitor alerts; initial classification; escalate to Tier 2
  • Tier 2 — Incident Handling: Deeper investigation of escalated alerts; containment and eradication; escalates novel or complex threats to Tier 3
  • Tier 3 — Threat Hunting / Advanced Analysis: Proactive hunting; advanced malware analysis; intelligence-driven detection

SIEM (Security Information & Event Management)

SIEM aggregates, normalises, correlates, and analyses security event data from across the IT environment.

  • Log collection: From firewalls, IDS/IPS, endpoints, servers, applications, cloud
  • Normalisation: Converting diverse log formats into a common schema
  • Correlation rules: Identifying patterns that indicate attacks (e.g., multiple failed logins followed by success = brute force)
  • Alerting: Notify SOC analysts of suspicious events
  • Dashboards & reporting: Operational and compliance reporting
  • Retention: Log archive for forensic investigation and compliance
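The brute-force correlation rule mentioned above, as an added example (Python, not from the study guide) run over a handful of constructed, already-normalised authentication events: a sliding window per (user, source IP) raises one alert when the failure threshold is reached and a higher-severity alert if a success then follows within the window. The threshold, window and field names are assumptions; a real SIEM expresses the same logic in its own rule language, and this is the logic an auditor should ask to see.

```python
"""Correlation rule: N failed logins from one source, optionally followed by a success, in a window."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed, normalised auth events: (timestamp, user, source_ip, outcome).
EVENTS = [
    ("2025-01-10T09:00:01", "alice", "203.0.113.9", "fail"),
    ("2025-01-10T09:00:04", "alice", "203.0.113.9", "fail"),
    ("2025-01-10T09:00:07", "alice", "203.0.113.9", "fail"),
    ("2025-01-10T09:00:09", "alice", "203.0.113.9", "fail"),
    ("2025-01-10T09:00:12", "alice", "203.0.113.9", "fail"),
    ("2025-01-10T09:00:15", "alice", "203.0.113.9", "success"),  # guessing succeeded
    ("2025-01-10T09:10:00", "bob", "198.51.100.5", "fail"),
    ("2025-01-10T09:10:30", "bob", "198.51.100.5", "success"),   # one typo, then success: benign
    ("2025-01-10T09:20:00", "carol", "192.0.2.77", "fail"),
    ("2025-01-10T09:20:01", "carol", "192.0.2.77", "fail"),
    ("2025-01-10T09:20:02", "carol", "192.0.2.77", "fail"),
    ("2025-01-10T09:20:03", "carol", "192.0.2.77", "fail"),
    ("2025-01-10T09:20:04", "carol", "192.0.2.77", "fail"),
    ("2025-01-10T09:20:05", "carol", "192.0.2.77", "fail"),      # attempt only, no success
]


def correlate(events, threshold: int = 5, window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """Return alerts in event order.

    Failures are tracked per (user, source_ip) in a sliding window; reaching the threshold raises
    'brute_force_attempt' once, and a success while the window still holds >= threshold failures
    raises 'brute_force_success'. A success resets the window for that key."""
    recent: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    alerts: List[Dict] = []
    for ts_str, user, ip, outcome in sorted(events):
        ts = datetime.fromisoformat(ts_str)
        q = recent[(user, ip)]
        while q and ts - q[0] > window:            # expire failures older than the window
            q.popleft()
        if outcome == "fail":
            q.append(ts)
            if len(q) == threshold:                 # fire once, when the threshold is crossed
                alerts.append({"rule": "brute_force_attempt", "severity": "medium",
                               "user": user, "src": ip, "at": ts_str, "failures": len(q)})
        elif outcome == "success":
            if len(q) >= threshold:
                alerts.append({"rule": "brute_force_success", "severity": "high",
                               "user": user, "src": ip, "at": ts_str, "failures": len(q)})
            q.clear()
    return alerts


if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(a["severity"], a["rule"], a["user"], a["src"], a["at"], a["failures"])
```

Keying on (user, source IP) is a design choice: it catches a single source hammering one account but would miss password spraying, where one source tries one password across many users, so a second rule keyed on source IP alone, counting distinct users, normally sits beside this one. The `bob` events show why the success alert requires the threshold and not just "a failure followed by a success".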

SOAR (Security Orchestration, Automation & Response)

SOAR automates repetitive SOC tasks and orchestrates response playbooks:

  • Automated alert triage and enrichment (lookup IOCs, geo-locate IPs)
  • Automated containment (quarantine endpoint, block IP at firewall)
  • Playbooks define step-by-step automated response procedures
  • Reduces Mean Time to Respond (MTTR) to security incidents

UBA / UEBA (User & Entity Behaviour Analytics)

UEBA uses ML to establish behavioural baselines and detect anomalies:

  • Detects insider threats — unusual data access, login times, data transfers
  • Detects compromised accounts — behaviour deviating from the user's baseline
  • Risk scoring — assigns dynamic risk scores based on anomalous behaviour

Log Management for Audit

IS auditors verify that logs are:

  • Complete: All critical systems and security events are logged
  • Tamper-evident: write-once (WORM) storage; hash chaining or cryptographic signing of records; forwarded to a separate log infrastructure so a compromised host cannot rewrite its own history
  • Retained: Per policy and regulatory requirements (often 1-7 years)
  • Synchronised: All systems use NTP for consistent timestamps
  • Reviewed: Regular, documented review process with escalation procedures

🔵 Key Audit Point: Logs stored only on the originating system are a weakness — administrators can delete them. Logs must be forwarded to a separate, protected SIEM/log management system where the originating system's administrators cannot modify them.

10

Privacy & Data Protection Laws

GDPR (General Data Protection Regulation)

EU regulation in force since 25 May 2018, the most comprehensive privacy regulation globally. It applies to any organisation, wherever located, that processes the personal data of individuals in the EU when offering them goods or services or monitoring their behaviour (Article 3).

GDPR Principle | Meaning
Lawfulness, fairness, transparency | Processing has a legal basis; individuals are informed
Purpose limitation | Data collected for specified purposes only; not further processed incompatibly
Data minimisation | Only collect data adequate and relevant to the purpose
Accuracy | Data kept accurate and up to date
Storage limitation | Not kept longer than necessary for the purpose
Integrity and confidentiality | Appropriate security measures to protect data
Accountability | Controller responsible for demonstrating compliance

GDPR Key Rights: Right to access, Right to rectification, Right to erasure ("right to be forgotten"), Right to data portability, Right to object, Right not to be subject to automated decision-making.

GDPR Breach Notification: Supervisory authority within 72 hours; affected individuals without undue delay if high risk.

GDPR Penalties: Up to €20 million or 4% of global annual turnover (whichever higher) for most serious violations.

Other Key Privacy Regulations

Regulation | Jurisdiction | Key Focus
HIPAA | USA (healthcare) | Protected Health Information (PHI); Privacy Rule and Security Rule
CCPA/CPRA | California, USA | Consumer privacy rights; opt-out of sale/sharing of personal information
PIPEDA | Canada | Personal information in commercial activities
PDPA | Singapore / Thailand | Personal Data Protection Act; consent-based model
PDPL | Saudi Arabia | Personal Data Protection Law; issued 2021, in force since September 2023

Privacy by Design (PbD)

Seven foundational principles (Ann Cavoukian):

  1. Proactive not reactive — prevent privacy risks before they occur
  2. Privacy as the default setting — maximum privacy protection without user action
  3. Privacy embedded into design — not added on as an afterthought
  4. Full functionality — positive sum, not zero sum (privacy AND security)
  5. End-to-end security — full lifecycle protection
  6. Visibility and transparency — open to verification
  7. Respect for user privacy — keep it user-centric

DPO (Data Protection Officer)

GDPR requires a DPO for: public authorities, organisations whose core activities require large-scale processing of special categories of data, or large-scale systematic monitoring. DPO advises on compliance — cannot be dismissed or penalised for performing their tasks.

11

Security Awareness & Training

Why Security Awareness Matters

The human element is the most exploited attack vector — phishing, social engineering, and insider threats all rely on human failure. Security awareness transforms users from a vulnerability into a defence layer.

Security Awareness Programme Components

  • Initial training: Mandatory for all new joiners before system access
  • Annual refresher training: Covers updated threats and policy changes
  • Role-specific training: Developers (secure coding), finance (BEC scams), executives (whaling/CEO fraud)
  • Phishing simulations: Controlled phishing campaigns to test and educate users
  • Security communications: Newsletters, posters, screen savers, security tips
  • Training completion tracking: Monitor and escalate non-completion
  • Effectiveness measurement: Pre/post testing; phishing simulation click rates over time

Social Engineering Awareness Topics

Attack | Description | Defence Training
Phishing | Deceptive email requesting credentials or action | Check sender, hover over links before clicking, report suspicious emails
Vishing | Voice phishing: phone calls impersonating IT/bank/government | Verify caller identity through official channels; never give passwords over the phone
Smishing | SMS phishing: text messages with malicious links | Don't click links in unexpected texts; verify through official apps
Pretexting | Creating a fabricated scenario to manipulate the target | Verify identity through established channels before acting
Baiting | Physical media (USB drops) or digital lures | Never plug in unknown USB devices; don't accept unknown downloads
Tailgating | Following an authorised person into a secure area | Challenge anyone without a visible badge; don't hold doors for strangers

IS Auditor's Review of Security Awareness

  • Is security awareness training mandatory and completion tracked?
  • Is training conducted before granting system access to new employees?
  • Are phishing simulations conducted and results analysed?
  • Is there evidence that click rates are declining over time (programme effectiveness)?
  • Is role-specific training provided for high-risk roles?
  • Is training content updated to reflect current threats?

12

Audit Techniques for Information Security

IS Audit Approach for Security

The IS auditor evaluates the design and operating effectiveness of information security controls through a risk-based approach.

  1. Plan: Understand scope, identify risks, define audit objectives and procedures
  2. Fieldwork: Gather evidence through interviews, observation, testing, and document review
  3. Evaluate: Assess whether controls are adequate and operating effectively
  4. Report: Document findings, risk ratings, and recommendations
  5. Follow-up: Verify management has remediated agreed findings

Security Audit Techniques

Technique | Description | Examples
Review of Documentation | Assess policies, procedures, and security architecture | Security policy review, architecture diagram review
Interviews | Assess understanding and awareness of controls | Interview CISO, security analysts, users
Observation | Verify controls are operating as described | Watch badge access; observe security monitoring
Testing / Re-performance | Independently execute a control to verify it produces correct results | Attempt to log in with expired credentials; test lockout policy
Configuration Review | Review system configurations against security baselines | Firewall rule review; OS hardening benchmark (CIS Benchmarks)
Vulnerability Scanning | Automated scans to identify known vulnerabilities | Network scan; web application scan
Penetration Testing | Authorised simulated attack to test defences | Red team exercise; web app pen test
Log Analysis | Review security logs for anomalies, policy violations, unauthorised access | SIEM query; firewall log analysis; access log review

Access Control Audit Procedures

  • Review user access provisioning process — verify approvals are documented
  • Test that terminated users' access is revoked promptly (within 24 hours)
  • Perform access recertification — compare actual access to job role requirements
  • Identify orphaned accounts (accounts for users who have left)
  • Review privileged account inventory and justification for each
  • Test password policy enforcement (minimum length, complexity, history)
  • Verify MFA is enforced for privileged and remote access
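Added example (not from the review manual) of the comparison an auditor would script for the procedures above, in the style of a CAAT, using constructed HR and account exports: it flags orphaned accounts, terminated users still enabled past the 24-hour SLA, privileged accounts without MFA, dormant accounts, and privileged accounts with no named owner. The field names, the 90-day dormancy threshold and all the data are assumptions; the point is that each finding is a reproducible comparison of two system extracts rather than a judgement.

```python
"""CAAT-style access review: HR leavers versus system accounts (constructed data)."""
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

AS_OF = datetime(2025, 3, 1, 9, 0)   # time the extracts were taken (assumption)

# Constructed HR feed: employee_id -> (status, termination timestamp or None)
HR: Dict[str, Tuple[str, Optional[datetime]]] = {
    "E100": ("active", None),
    "E101": ("terminated", datetime(2025, 2, 20, 12, 0)),
    "E102": ("terminated", datetime(2025, 2, 28, 17, 0)),   # left 16 hours before AS_OF
    "E103": ("active", None),
}

# Constructed account export from one system
ACCOUNTS = [
    {"user": "alice", "employee_id": "E100", "enabled": True, "privileged": True, "mfa": True,
     "last_login": datetime(2025, 2, 27)},
    {"user": "bob", "employee_id": "E101", "enabled": True, "privileged": False, "mfa": True,
     "last_login": datetime(2025, 2, 25)},
    {"user": "carol", "employee_id": "E102", "enabled": True, "privileged": True, "mfa": False,
     "last_login": datetime(2025, 2, 28)},
    {"user": "svc_backup", "employee_id": None, "enabled": True, "privileged": True, "mfa": False,
     "last_login": datetime(2024, 9, 1)},
    {"user": "dave", "employee_id": "E999", "enabled": True, "privileged": False, "mfa": True,
     "last_login": datetime(2025, 1, 5)},
    {"user": "erin", "employee_id": "E103", "enabled": True, "privileged": False, "mfa": True,
     "last_login": datetime(2024, 10, 1)},
]


def review(accounts, hr, as_of: datetime = AS_OF,
           revoke_sla: timedelta = timedelta(hours=24),
           dormant: timedelta = timedelta(days=90)) -> List[Tuple[str, str]]:
    """Return (account, finding) pairs; one account can produce several findings."""
    findings = []
    for a in accounts:
        eid = a["employee_id"]
        rec = hr.get(eid) if eid else None
        if a["enabled"] and eid and rec is None:
            findings.append((a["user"], "orphaned: employee id not in HR"))
        if a["enabled"] and rec and rec[0] == "terminated" and as_of - rec[1] > revoke_sla:
            findings.append((a["user"], "terminated user still enabled beyond 24h SLA"))
        if a["privileged"] and not a["mfa"]:
            findings.append((a["user"], "privileged account without MFA"))
        if a["enabled"] and as_of - a["last_login"] > dormant:
            findings.append((a["user"], "dormant account (>90 days)"))
        if a["enabled"] and not eid and a["privileged"]:
            findings.append((a["user"], "privileged account with no named owner"))
    return findings


if __name__ == "__main__":
    for user, finding in review(ACCOUNTS, HR):
        print(f"{user:12} {finding}")
```

Note that `carol` is terminated but not reported against the SLA, because only 16 hours have passed; the same extract taken a day later would report her. That is why the auditor records the extraction time alongside the finding, and why the privileged-without-MFA finding on the same account stands regardless.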

Computer-Assisted Audit Techniques (CAATs)

  • Audit software: IDEA, ACL (Galvanize, now Diligent); data extraction, analysis, and exception identification
  • Test data: Dummy transactions submitted to test application controls
  • Integrated Test Facility (ITF): Fictitious entity within live system to process test transactions
  • Parallel simulation: Recreate processing using auditor's program; compare results
  • Embedded audit modules: Audit code embedded in application to capture specific transactions

Audit Independence: The IS auditor must maintain independence from the systems and processes they audit. Participating in designing security controls impairs the ability to independently assess those controls later.

Interactive MCQ Bank — 103 Questions

M A Fazal & Co.