Acceptable use, 87
Access control
failures, 48
Account monitoring and control, 135
Accountability controls, 143
Active system, 98
Administrative policies, 87
Administrative privileges, use of, 134
Adobe Acrobat portable document format (pdf), 37, 73
“Agile” development, 45
Alerting and invocation processes, 74
Amazon, 29
Apple, 30
Application software security, 133
Argonite, 94
Ashley Madison, 38
Assets
information. See Information assets
management, 137
Asynchronous replication, 99
Atlanta’s Hartsfield-Jackson airport, 94
Audit
and accountability controls, 143
logs, maintenance, monitoring, and analysis of, 134
Authentication, 10
controls, 143
Authorized and unauthorized devices, inventory of, 131–132
Authorized and unauthorized software, inventory of, 132
Awareness and training controls, 143
Backup and restoral policy, 90
Big data, 36
Biometric methods, 10
Bitcoins, 55
Bluetooth, 92
Bot herders, 54
Botnets, 54
Boundary defense, 134
Briefing cards, 73
Bring Your Own Device, 92
British Airways (BA), 94
British Standards Institute, 4
BS 11200:2014, 160
BS ISO/IEC 27021:2017, 153
BS ISO/IEC 27033-6:2016, 154
Business continuity
communication
organization and closely linked parties, 105–106
and cybersecurity, embedding
general awareness training, 123–127
disaster recovery
data/information recovery, 95–96
operating system and application recovery, 96–97
platform disaster recovery, 97–99
disruptive incidents, response to, 99–100
escalation, 102
incident management process, 100–101
management qualities required, 103–104
reporting, 102
planning and preparation
continuity requirements analysis, 84–86
policies and procedures, 86–93
solutions to cyber issues, 93–95
timeline, 81–83
immediately following the incident, 83–84
prior to the disruptive incident, 83
Business Continuity Institute (BCI), 5–6
Business continuity management process, 84
and cybersecurity, 3
guidelines, 5
information security terminology
authentication, 10
confidentiality, 9
integrity, 9
nonrepudiation, 10
reasons for organizations practicing, 2–3
recommendations, 5
senior management buy-in, importance of, 3
specifications, 4
standards, 4
terminology
continuity requirements analysis, 9
maximum tolerable data loss, 8
maximum tolerable period of disruption, 7
Minimum Business Continuity Objective, 8
recovery point objective, 8
Business-critical information, 58
Business impact analysis, 84, 121, 128
Business-impacting cyber incidents, 42
Business resumption plans, 71, 76
Catastrophe, 81
Certification. See ISO/IEC 27001 certification; ISO 22301 certification
Change control policy, 89
Classification, 87
Cold standby platforms, 97
Commercial in confidence, 87
Communication
organization and closely linked parties, 105–106
test
cost and time vs. complexity, 113, 114
frequency of, 113
participants in, 113
process to be tested, 112, 113
Communications-Electronics Security Group (CESG), 162
Complexity
communications test, 114
full exercise, 114
partial exercise, 114
simulation, 114
Compromised system, 92
Confidentiality, 9
Configuration
data, 38
management controls, 143
Contact information, 76
Contingency planning controls, 144
Continuity requirements analysis, 9, 84–86
Continuous vulnerability assessment and remediation, 132
Cooling systems, 94
Copyright violation, 30
Corporate communications/organization’s Press Office, 115
Corrective controls, 67
Corrective risk treatment, 20
Crises, 80
management, 100
Critical Security Controls Version 5.0, 68–69
account monitoring and control, 135
administrative privileges, use of, 134
application software security, 133
audit logs, maintenance, monitoring, and analysis of, 134
authorized and unauthorized devices, inventory of, 131–132
authorized and unauthorized software, inventory of, 132
boundary defense, 134
continuous vulnerability assessment and remediation, 132
data protection, 135
data recovery capability, 133
hardware and software, secure configurations, 132
incident response and management, 135
malware defenses, 132
network devices, secure configurations for, 134
network ports, protocols, and services, limitation and control of, 134
penetration tests and “red team” exercises, 136
secure network engineering, 135
security skills assessment and training, 133
wireless access control, 133
Cryptography, 138
Cyber bullying. See Cyber harassment
Cyber incidents, 1
business-impacting, 42
Cyber issues, solutions to, 93–95
Cyber surveillance, 33
Cyber threats
errors and failures, 57
loss of key information and IP and financial theft, 58
Cyber vulnerabilities
access control failures, 48
data stripping, 51
operational management failures, 49–50
people-related security failures, 50–51
physical and environmental failures, 49
systems acquisition, development, and maintenance procedures, 48–49
Cyberattacks. See also Cybercrime; Cyber threats; Cyber vulnerabilities
external, 17
internal, 17
Cybercrime, 25
copyright violation, 30
dark patterns, 31
defined, 26
Denial of Service and Distributed Denial of Service attacks, 29
exploitation, 28
intellectual property theft, 29–30
website defacement, 28
Cybersecurity
and business continuity, 3
benefits of, 123
general awareness training, 123–127
Critical Security Controls Version 5.0. See Critical Security Controls Version 5.0
cyber surveillance, 33
cybercrime
copyright violation, 30
dark patterns, 31
defined, 26
Denial of Service and Distributed Denial of Service attacks, 29
exploitation, 28
intellectual property theft, 29–30
website defacement, 28
ISO/IEC 27001 controls. See ISO/IEC 27001 controls, for critical security
NIST Special Publication 800-53 Revision 4. See NIST, Special Publication 800-53 Revision 4
Dark patterns, 31
Data
entry validation, 49
protection, 135
stripping, 51
transfers, 80
Denial of Service (DoS) attack, 29
Detective controls, 65
Detective risk treatment, 19
Direct Attached Storage (DAS), 96
Directive controls, 67
Directive policies for acceptable use, 87
Directive risk treatment, 20
Disaster, 81
Disaster recovery (DR), 11
of business-critical systems, 49
data/information recovery, 95–96
operating system and application recovery, 96–97
platform disaster recovery, 97–99
Disruptive incidents, response to, 99–100
escalation, 102
incident management process, 100–101
management qualities required, 103–104
reporting, 102
Distributed Denial of Service (DDoS) attack, 29
eBay, 29
Electronic versions of plans, 72
Environmental failures, 49
Errors and failure threats, 57
Escalation, 102
Event, 80
Exploitation, 28
External audit, 121
External IT systems, 85
External review, 120
Extrinsic vulnerabilities, 15–16
Facial recognition, 10
Facilitator, 114
Failure timescales, of business continuity, 79–81
Federal Information Processing (FIPS) standards, 150, 161
FedEx, 55
Financial loss projection, 43
Financial statements, 38
Fingerprint authentication, 10
Fire detection and prevention measures, 94
First-time “offences,” warnings for, 44
Force majeure, 100
Forward planning, 115
Full exercise
cost and time vs. complexity, 113, 114
frequency of, 113
participants in, 113
Glitches, 80
Global Domestic Product, 25
Good Practice documents. See Good Practice Guidelines (GPG)
Good practice guidelines (GPG), 5–6, 149–150
Communications-Electronics Security Group, 162
Information Security Forum, 162
National Institute of Standards and Technology, 161
United States Computer Emergency Readiness Team, 162
Guidelines, defined, 5
Hardware and software, secure configurations, 132
High availability systems, 99
Hot standby/high availability platforms, 98
Hot standby systems, 98
Human resource security, 137
Identification and authentication controls, 144
Impact Team, 38
Impacts
legal and regulatory, 44
on well-being of people, 45–46
Incident, 80
Incident management plans, 70–72, 74–75
generic plan contents, 74
Incident management process, 100–101
Incident manager, appointing, 103–104
Incident response
and management, 135
response controls, 144
Inergen, 94
Information and Communication Technology (ICT), 124
configuration information, 76–77
experts, 115
Information and intellectual property, 38–39
Information assets
cloud services, 41
information and intellectual property, 38–39
staff, 39
supply chain, 41
technology, 40
Information hierarchy, 36
Information lifecycle process, 37
Information security
aspects of business continuity management, 141
incident management, 141
policies, 136
terminology
authentication, 10
confidentiality, 9
integrity, 9
nonrepudiation, 10
Information Security Forum (ISF), 162
Information Technology (IT), 40
Information/cybersecurity staff, 115
Infosec Institute, 51
Insurance claim procedures, 119
Integrity, 9
Intellectual property (IP)
Intelligent personal assistants (IPAs), 52
Internal audit, 121
International Monetary Fund, 25
International Standards Organisation, 39
Internet, 81
Internet Engineering Task Force, 150
Internet of Things (IoT), 51–53
Internet Service Providers, 81
Intrinsic vulnerabilities, 15
Invocation process, 101
ISO 22300:2014, 158
ISO 22301:2014, 159
ISO 22301 certification, 120
ISO 22313:2014, 159
ISO 22316:2017, 159
ISO 22318:2015, 159
ISO 22320:2011 Ed 1, 159
ISO 22322:2015, 159
ISO 22324:2015, 160
ISO 22325:2016, 159
ISO/IEC 17788:2014, 157
ISO/IEC 17789:2014, 157
ISO/IEC 27000:2017, 150
ISO/IEC 27001 certification, 120
ISO/IEC 27001 controls
access control, 138
asset management, 137
communications security, 139–140
cryptography, 138
human resource security, 137
information security aspects of business continuity management, 141
information security incident management, 141
information security policies, 136
operations security, 139
organization of information security, 136–137
physical and environmental security, 138–139
supplier relationships, 140
system acquisition, development, and maintenance, 140
ISO/IEC 27001:2017, 150
ISO/IEC 27001/27002 controls, 69–70
ISO/IEC 27002:2017, 150
ISO/IEC 27003:2017, 150
ISO/IEC 27004:2016, 151
ISO/IEC 27005:2011, 151
ISO/IEC 27006:2015, 151
ISO/IEC 27007:2017, 151
ISO/IEC 27008:2011, 151
ISO/IEC 27009:2016, 151
ISO/IEC 27010:2015, 151
ISO/IEC 27011:2016, 152
ISO/IEC 27013:2015, 152
ISO/IEC 27014:2013, 152
ISO/IEC 27015:2012, 152
ISO/IEC 27016:2014, 152
ISO/IEC 27017:2015, 152
ISO/IEC 27018:2014, 153
ISO/IEC 27019:2017, 153
ISO/IEC 27032:2012, 153
ISO/IEC 27034-5:2017, 155
ISO/IEC 27034-6:2016, 155
ISO/IEC 27035-1:2016, 155
ISO/IEC 27035-2:2016, 155
ISO/IEC 27035:2011, 155
ISO/IEC 27037:2016, 156
ISO/IEC 27038:2016, 156
ISO/IEC 27039:2015, 156
ISO/IEC 27040:2016, 156
ISO/IEC 27041:2016, 156
ISO/IEC 27042:2016, 157
ISO/IEC 27043:2016, 157
ISO/IEC 27050-3:2017, 157
ISO/IEC 29100:2011, 158
ISO/IEC 29101:2013, 158
ISO/IEC 29190:2015, 158
ISO/IEC 30111:2013, 158
ISO/IEC 29147:2014, 158
K.I.S. principle, 103
Led Zeppelin, 30
Legal and regulatory impact, 44
“Light-touch” audit, 117
Loss of key information, 58
Maintenance
controls, 144
Malware
defenses, 132
protection up-to-date, failure to keep, 50
Maximum tolerable data loss (MTDL), 8, 81
Maximum tolerable period of disruption (MTPD), 7, 83
Media, 100
protection controls, 145
Meltdown and Spectre, 34
Minimum business continuity objective (MBCO), 8, 83
Misuse and abuse threats, 56–57
MTPoD. See Maximum tolerable period of disruption (MTPD)
National Institute of Standards and Technology (NIST), 88
Draft Cyber Security guides, 160–161
good practice guidelines, 161
Special Publication 800-53 Revision 4
access control, 142
audit and accountability, 143
awareness and training, 143
configuration management, 143
contingency planning, 144
identification and authentication, 144
incident response, 144
maintenance, 144
media protection, 145
personnel security, 145
physical and environmental protection, 145
planning, 145
program management, 147
risk assessment, 146
security assessment and authorization, 143
system and communications protection, 146–147
system and information integrity, 147
system and services acquisition, 146
National Technical Authority for Information Assurance, 162
Network Attached Storage (NAS), 96
Network devices, secure configurations for, 134
Network ports, protocols, and services, limitation and control of, 134
Networks, of organization, 94–95
Nonrepudiation, 10
NotPetya, 55
Observers, 115
Operating system and application recovery, 96–97
Operational controls, for risk, 67–68. See also specific controls
Operational management failures, 49–50
Operations security, 139
Organization-approved training courses, 129
Paper-based documentation, 72
Partial exercise
cost and time vs. complexity, 113, 114
frequency of, 113
participants in, 113
process to be tested, 112, 113
Passcode, for authentication, 10
Passwords
for authentication, 10
length of, 88
policies, 89
recommendations on, 88
“Patch gap”, 91
Patent infringement, 30
PD 25111:2010, 160
PD 25666:2010, 160
PD ISO/TS 22317:2015, 159
Penetration tests and “red team” exercises, 136
People-related security failures, 50–51
Personal information, 38
Personnel security controls, 145
Petya struck, 55
Phishing attacks, 56
Physical and environmental protection controls, 145
Physical and environmental security, 138–139
Physical environment, as information asset, 40–41
Physical measures, 20
Physical security, 94
defects, 49
Planning and preparation
continuity requirements analysis, 84–86
policies and procedures, 86–93
Planning controls, 145
Plans
incident management. See Incident management plans
testing and exercising
benefits to organization of, 109–110
conditions for, 110
people involved in, 113, 114–115
reasons for, 109
requirements for, 109
Platform disaster recovery, 97–99
Policies and procedures, 86–93
Power, 93
Preventative controls, 65
Preventative risk treatment, 20
Prevention, 61. See also Strategic options; Tactical, and operational solutions
cost of, 3
fire detection and, 94
Probability, 16
Procedural controls, 67
Procedural measures, 20
Processes, as information asset, 39–40
Program management controls, 147
“Quick wins”, 86
Recommendations, defined, 5
Recovery point objective (RPO), 8, 81
Recovery time objective (RTO), 7–8, 81
Redundant Array of Inexpensive Disks (RAID), 96
Regulatory impact, 44
Remote access, 91
Reporting, 102
Requests For Comment, and the International Telecommunications Union standards, 150
“Residual” risk, 19
Risk
analysis, 17
appetite, 14
environment, general view of, 12–13
evaluation, 18
identification, 14
management process
communication and consultation, 20–21
defined, 11
used in, 11
share/transferring, 19, 62, 64
Robust network monitoring, failure to ensure, 50
Rootkits, 54
Scraping technique, 51
Secure network engineering, 135
Security assessment and authorization controls, 143
Security awareness training
Security requirements, 41
Security skills assessment and training, 133
Segregation of duties, 90
Senior management buy-in, importance of, 3
Shaky web interface, 52
Shared network drives, 90
Simulation exercise
cost and time vs. complexity, 113, 114
frequency of, 113
participants in, 113
process to be tested, 112, 113
Singapore Standards Council, 4
Solid State Drives (SSDs), 92
Spam, 56
Specifications, defined, 4
Spirit, 30
Spoofing attacks, 56
Spyware, 54
Staff, as information asset, 39
Standard “office” software applications, 73
Standards, 149
defined, 4
ISO/IEC 27000 series standards, 150–157
relevant ISO standards, 157–158
“Standby” system, 98
Storage Area Networks (SANs), 91, 96
“Storyboard” technique, 125
Strategic risk management process, 63
Subject matter experts, 115
Supplier relationships, 140
Supply chain, as information asset, 41
Symmetric warfare, 32
Synchronous replication, 99
System acquisition, development, and maintenance, 140
System and communications protection controls, 146–147
System and information integrity controls, 147
System and services acquisition controls, 146
Systems acquisition, development, and maintenance procedures, 48–49
Tactical, and operational solutions
Tactical controls, for risk, 65–67. See also specific controls
Team members, roles and responsibilities of, 74
Technical controls, 68
Technical measures, 20
Technology, as information asset, 40
Termination of access permissions, 89
Testing and exercising plans, 109
benefits to organization of, 109–110
conditions for, 110
people involved in, 113, 114–115
reasons for, 109
requirements for, 109
test and exercise, distinction between, 110
“The full story”, 107
Third-party relations, 45
Threats, 14
assessments, 59
cyber. See Cyber threats
Timeline, business continuity, 81–83
immediately following incident, 83–84
prior to disruptive incident, 83
Transmission Control Protocol (TCP), 80
Uber, 28
Uninterruptible power source (UPS), 93–94
United Nations, 25
United States Computer Emergency Readiness Team (US-CERT), 162
User Datagram Protocol (UDP), 80
User password management, 48
Users’ access rights, 48
Violation of copyright, 30
Viruses, 89
Vulnerabilities
assessments, 59
cyber. See Cyber vulnerabilities
Walk-through test
cost and time vs. complexity, 113–114
frequency of, 113
participants in, 113
process to be tested, 112, 113
WannaCry virus, 55
Warfare, 32
Warm standby systems, 98
Web-based survey tool, 125
Website defacement, 28
Well-being of people, impacts on, 45–46
Wireless access control, 133
Wireless networking and mobile devices, 91–92
World Bank, 25
“Zero-day” vulnerabilities, 91