What do businesses, governments, the military, or private individuals need to have “secure” information? As an SSCP, you’ll have to help people and organizations identify their information security needs, build the systems to secure their information, and keep that information secure. In this chapter, you’ll explore the basic concepts of information security and learn to develop a high-level view of what users need to do to keep their information safe, secure, and resilient. You’ll also learn how privacy is a vital element of, but is different from, information security.
We’ll focus your attention in this chapter on how businesses use information to get work done—and why that drives their needs for information security.
To see how that all works, you’ll first have to understand some fundamental concepts about information, business, governance, and security. You’ll also need to keep information and information technology separate and distinct in your mind as you go through this chapter. Information focuses on what people use and what kind of security it needs; information technology is how we implement those needs.
We’ve looked at what information is, and what business is; we’ve looked at how businesses need information to make decisions and how they need more information to know that their decisions are being carried out effectively. Now it’s time to look at key characteristics of information that directly relate to keeping it safe, secure, and reliable. Let’s define these characteristics now, but we’ll do this from simplest to most complex in terms of the ideas that they represent.
And in doing so, we’re going to have to get personal.
For a little more than 200 years, Western societies have had a clearly established legal and ethical concept of privacy as a core tenet of how they want their societies to work. Privacy, which refers to a person (or a business), is the freedom from intrusion by others into one’s own life, place of residence or work, or relationships with others. Privacy means that you have the freedom to choose who can come into these aspects of your life and what they can know about you. Privacy is an element of common law, or the body of unwritten legal principles that are just as enforceable by the courts as the written laws are in many countries. It starts with the privacy rights and needs of one person and grows to treat families, other organizations, and other relationships (personal, professional, or social) as being free from unwarranted intrusion.
Businesses create and use company confidential or proprietary information almost every day. Both terms declare that the business owns this information; the company has paid the costs to develop this information (such as the salaries of the people who thought up these ideas or wrote them down in useful form for the company), which represents part of the business’s competitive advantage over its competitors. Both terms reflect the legitimate business need to keep some data and ideas private to the business.
Staying in a hotel room demonstrates this concept of privacy. You are renting the use of that room on a nightly basis; the only things that belong to you are what you bring in with you. Those personal possessions and the information, books, papers, and files on your phone or laptop or thumb drives are your personal property and by law are under your control. No one has permission or legal authority to enter your hotel room without your consent. Of course, when you signed for the room, you signed a contract that gave your express permission to designated hotel staff to enter the room for regular or emergency maintenance, cleaning, and inspection. This agreement does not give the hotel permission to search through your luggage or your belongings, or to make copies or records of what they see in your room. Whether it is just you in the room, or whether a friend, family member, or associate visits or stays with you, is a private matter, unless of course your contract with the hotel says “no guests” and you are paying the single occupancy rate. The hotel room is a private space in this regard—one in which you can choose who can enter or observe.
This is key: privacy can be enforced both by contracts and by law.
Public law enforces these principles. The Fourth and Fifth Amendments to the U.S. Constitution, for example, protect a person’s home, papers, and effects from unreasonable government search and seizure and protect the person from being compelled to testify against themselves, whereas the Privacy Act of 1974 created restrictions on how the federal government could share with others what it knew about its citizens (and even limited sharing of such information within government). Medical codes of practice and the laws that reflect them encourage data sharing to help health professionals detect a potential new disease epidemic, but they also require that personally identifiable information in the clinical data be removed or anonymized to protect individual patients.
The European Union has enacted a series of policies and laws designed to protect individual privacy as businesses and governments exchange data about people, transactions, and themselves. The latest of these, General Data Protection Regulation 2016/679 (GDPR), applies to any person, business, or organization, wherever it is located, that processes personal data about people in the EU. The GDPR’s requirements meant that by 25 May 2018, when the regulation became enforceable, businesses had to change the ways that they collected, used, stored, and shared information about anyone who contacted them (such as by browsing to their website); they also had to notify such users about the changes and gain their informed consent to such use. Many news and infotainment sites hosted in the United States could not serve EU persons until they implemented changes to become GDPR compliant.
GDPR also codified a number of important roles regarding individuals and organizations involved in the creation and use of protected data (that is, data related to privacy):
Even in countries not subject to GDPR, organizations are finding it prudent to use these roles or create comparable ones, in order to better manage and be accountable for protecting privacy-related data. And organizations anywhere, operating under their local laws and regulations, do need to be aware that data localization or data residency laws in many countries may have specific data protection, storage, and processing requirements for data pertaining to individuals who are residents or citizens of those countries.
In some jurisdictions and cultures, we speak of an inherent right to privacy; in others, we speak to a requirement that people and organizations protect the information that they gather, use, and maintain when that data is about another person or entity. In both cases, the right or requirement exists to prevent harm to the individual. Loss of control over information about you, or about your business, can cause you grave if not irreparable harm.
It’s beyond the scope of this book and the SSCP exam to go into much depth about the GDPR’s specific requirements, or to compare its unified approach to the collection of federal, state, and local laws, ordinances, and regulations in the United States. Regardless, it’s important that as an SSCP you become aware of the expectations in law and practice for the communities that your business serves in regard to protecting the confidentiality of data you hold about individuals you deal with.
Part of the concept of privacy is connected to the reasonable expectation of whether other people can see and hear what you are doing, where you are (or where you are going), and who might be with you. It’s easy to see this in examples: walking along a sidewalk, you have every reason to think that other people can see you, whether they are out on the sidewalk as well, looking out the windows of their homes and offices, or passing in vehicles. Put the other way around, when you are out on that public sidewalk, in the open spaces of the town or city, you have no reasonable expectation that you are invisible to others. This helps us differentiate between public places and private places:
Your home or residence is perhaps the prime example of what we assume is a private place. Typically, business locations can be considered private in that the owners or managing directors of the business set policies as to whom they will allow into their place of business. Customers might be allowed onto the sales floor of a retail establishment but not into the warehouse or service areas, for example. In a business location, however, it is the business owner (or its managing directors) who has the most compelling reasonable expectation of privacy, in law and in practice. Employees, clients, or visitors cannot expect that what they say or do in that business location (or on its IT systems) is private to them and not “in plain sight” to the business. As an employee, you can reasonably expect that your pockets or lunch bag are private to you, but the emails you write or the phone calls you make while on company premises are not necessarily private to you. This is not clear-cut in law or practice, however; courts and legislatures are still working to clarify this.
The pervasive use of the Internet and the World Wide Web, and the convergence of personal information technologies, communications and entertainment, and computing, have blurred these lines. Your smart watch or personal fitness tracker uplinks your location and exercise information to a website, and you’ve set the parameters of that tracker and your Web account to share with other users, even ones you don’t know personally. Are you doing your workouts today in a public or private place? Is the data your smart watch collects and uploads public or private data?
“Facebook-friendly” is a phrase we increasingly see in corporate policies and codes of conduct these days. Reviewing an applicant’s social media posts, and even their browsing histories, has become a standard and important element of prescreening procedures for job placement, admission to schools or training programs, or acceptance into government or military service. Such private postings on the public Web are also becoming routine elements in employment termination actions. The boundary between “public” and “private” keeps moving, and it moves because of the ways we think about the information, and not because of the information technologies themselves.
The GDPR and other data protection regulations require business leaders, directors, and owners to make clear to customers and employees what data they collect and what they do with it, which in turn implements the separation of that data into public and private data. As an SSCP, you probably won’t make specific determinations as to whether certain kinds of data are public or private, but you should be familiar with your organization’s privacy policies and its procedures for carrying out its data protection responsibilities. Many of the information security measures you will help implement, operate, and maintain are vital to keeping the dividing line between public and private data clear and bright.
Often thought of as “keeping secrets,” confidentiality is actually about sharing secrets. Confidentiality is both a legal and ethical concept about privileged communications or privileged information. Privileged information is information you have, own, or create, and that you share with someone else with the agreement that they cannot share that knowledge with anyone else without your consent, or without due process in law. You place your trust and confidence in that other person’s adherence to that agreement. Relationships between professionals and their clients, such as the doctor-patient or attorney-client ones, are prime examples of this privilege in action. Except in very rare cases, courts cannot compel parties in a privileged relationship to violate that privilege and disclose what was shared in confidence.
Confidentiality refers to how much we can trust that the information we’re about to use to make a decision has not been seen by unauthorized people. The term unauthorized people generally includes anybody or any group of people who could learn something from our confidential information, and then use that new knowledge in ways that would thwart our plans to attain our objectives or cause us other harm.
Confidentiality needs dictate who can read specific information or files, or who can download or copy them. This is very different from who can modify, create, or delete those files.
One way to think about this is that integrity violations change what we think we know; confidentiality violations tell others what we think is our private knowledge.
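The read-versus-modify distinction above is exactly what an access-control list has to encode. The following is an added example, not code from the chapter or from (ISC)²: a minimal ACL in which the confidentiality question (who may read or copy) and the integrity question (who may create, modify, or delete) are separate permission bits, so that granting one never silently grants the other. The subject names, file name, and policy entries are constructed for illustration.

```python
"""Added example: separate permission bits for confidentiality (READ) and
integrity (WRITE, DELETE), with a default-deny check and an audit trail.
All subjects, objects and grants below are constructed for illustration."""
from enum import Flag, auto


class Perm(Flag):
    """Each permission is its own bit, so a grant of one never implies another."""
    NONE = 0
    READ = auto()     # confidentiality: may view, download or copy the content
    WRITE = auto()    # integrity: may create or modify the content
    DELETE = auto()   # integrity: may remove the content


# Constructed policy: (subject, object) -> permissions granted. Anything not
# listed is denied, which is the default-deny posture an ACL should have.
ACL = {
    ("analyst", "q3-forecast.xlsx"): Perm.READ,
    ("cfo", "q3-forecast.xlsx"): Perm.READ | Perm.WRITE,
    ("records-admin", "q3-forecast.xlsx"): Perm.DELETE,   # may purge, but may not read
}


def perm_names(p: Perm) -> str:
    """Human-readable rendering of a (possibly composite) permission set."""
    names = [m.name for m in Perm if m.value and m in p]
    return "|".join(names) if names else "NONE"


def allowed(subject: str, obj: str, wanted: Perm) -> bool:
    """True only if every requested bit is granted; a missing ACL entry grants nothing."""
    granted = ACL.get((subject, obj), Perm.NONE)
    return (granted & wanted) == wanted


def check_access(subject: str, obj: str, wanted: Perm, audit_log: list) -> bool:
    """Decide and record. A denied read is a confidentiality-relevant event;
    a denied write or delete is an integrity-relevant event. Both are logged."""
    decision = allowed(subject, obj, wanted)
    kind = "integrity" if wanted & (Perm.WRITE | Perm.DELETE) else "confidentiality"
    verdict = "ALLOW" if decision else "DENY"
    audit_log.append(f"{verdict} {subject} {perm_names(wanted)} {obj} ({kind})")
    return decision


if __name__ == "__main__":
    log = []
    check_access("analyst", "q3-forecast.xlsx", Perm.READ, log)
    check_access("analyst", "q3-forecast.xlsx", Perm.WRITE, log)
    check_access("records-admin", "q3-forecast.xlsx", Perm.READ, log)
    check_access("cfo", "q3-forecast.xlsx", Perm.READ | Perm.WRITE, log)
    print("\n".join(log))
```

The point to notice is the `records-admin` entry: a role that may delete a file without being able to read it. Separate bits make that expressible, which a single “full access” flag could not, and the audit line says which of the two security properties an attempted violation would have affected.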
Integrity, in the most common sense of the word, means that something is whole and complete, and that its parts are smoothly joined together. People with high personal integrity are ones whose actions and words consistently demonstrate the same set of ethical principles. You know that you can count on them and trust them to act both in ways they have told you they would and in ways consistent with what they’ve done before.
Integrity for information systems has much the same meaning. Can we rely on the information we have and trust in what it is telling us?
This attribute reflects two important decision-making needs:
Integrity applies to three major elements of any information-centric set of processes: to the people who run and use them, to the data that the people need to use, and to the systems or tools that store, retrieve, manipulate, and share that data. We’ll look at all of these concepts in greater depth in later chapters, but it’s important here to review what Chapter 1 said about DIKW, or data, information, knowledge, and wisdom:
You also saw in Chapter 1 that professional opinion in the IT and information systems world is strongly divided about data versus information (the D-I-K-W hierarchy), with nearly equal numbers of people holding that they are the same ideas, that they are different, and that the whole debate is unnecessary. As an SSCP, you’ll be expected to combine experience, training, and the data you’re observing from systems and people in real time to know whether an incident of interest is about to become a security issue, whether or not your organization uses knowledge management terminology like this. This is yet another example of just how many potentially conflicting, fuzzy viewpoints exist in IT and information security.
Is the data there, when we need it, in a form we can use?
We make decisions based on information; whether that is new information we have gathered (via our data acquisition systems) or knowledge and information we have in our memory, it’s obvious that if the information is not where we need it, when we need it, we cannot make as good a decision as we might need to:
These might seem obvious, and they are. Key to availability requirements is that they specify what information is needed; where it will need to be displayed, presented, or put in front of the decision makers; and within what span of time the data is both available (displayed to the decision makers) and meaningful. Yesterday’s data may not be what we need to make today’s decision.
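The integrity and availability questions above (was this record produced and left unaltered by a process we trust, and is it current enough to decide on?) can be answered mechanically. The following is an added example, not code from the chapter or from (ISC)²: a producing process seals each record with an HMAC over its contents and a timestamp; the consuming process rejects the record if the tag does not verify (integrity) or if it is older than the decision window (availability in the sense used above). The key, record contents, clock values, and the 24-hour limit are constructed assumptions for illustration.

```python
"""Added example: HMAC-based integrity check plus a freshness window, so a
decision maker only sees records that are both unaltered and current.
Key, records, clock values and the age limit are constructed for illustration."""
import hashlib
import hmac
import json
import time

SECRET_KEY = b"constructed-demo-key-do-not-reuse"   # shared by producer and consumer
MAX_AGE_SECONDS = 24 * 3600                          # "yesterday's data" is too old
CLOCK_SKEW_SECONDS = 60                              # tolerance for slightly unsynchronized clocks


def _canonical(body: dict) -> bytes:
    """Serialize deterministically so producer and consumer hash identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict, produced_at: float, key: bytes = SECRET_KEY) -> dict:
    """Producer side: stamp the record and attach an HMAC-SHA256 tag over record + stamp."""
    body = dict(record, produced_at=produced_at)
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify(sealed: dict, now: float, key: bytes = SECRET_KEY,
           max_age: float = MAX_AGE_SECONDS) -> tuple:
    """Consumer side. Returns (ok, reason). Integrity is checked before freshness,
    so a forged record is rejected regardless of what timestamp it claims."""
    expected = hmac.new(key, _canonical(sealed["body"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["tag"]):   # constant-time comparison
        return False, "integrity: tag mismatch (altered, or not from a trusted producer)"
    age = now - sealed["body"]["produced_at"]
    if age < -CLOCK_SKEW_SECONDS:
        return False, "integrity: timestamp is in the future"
    if age > max_age:
        return False, f"availability: record is {age / 3600:.1f} h old, limit is {max_age / 3600:.0f} h"
    return True, "ok"


if __name__ == "__main__":
    now = time.time()
    fresh = seal({"sku": "A1", "price": 42.5}, produced_at=now - 3600)
    stale = seal({"sku": "A1", "price": 40.0}, produced_at=now - 2 * 24 * 3600)
    tampered = {"body": dict(fresh["body"], price=1.0), "tag": fresh["tag"]}
    for label, rec in (("fresh", fresh), ("stale", stale), ("tampered", tampered)):
        print(label, verify(rec, now))
```

Two design points a practitioner should take from this. First, the timestamp is inside the authenticated body, so an attacker cannot make a stale record look fresh without breaking the tag. Second, an HMAC proves the record came from someone holding the shared key, which gives integrity and authenticity between the two parties but not non-repudiation: either party could have produced the tag, so a digital signature with a private key is needed when the producer must be unable to deny having issued the record.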
It’s easy to trivialize this question by trotting out the formal definitions: privacy is freedom from intrusion, and security is the protection of something or someone from loss, harm, or injury, now or in the future. This reliance on the formal definitions alone hasn’t worked in the past, and it’s doubtful that a logical debate will cool down the sometimes overly passionate arguments that many people have on this topic.
Over the last 20 years, the increasing perception of the threat of terrorist attacks has brought many people to think that strong privacy encourages terrorism and endangers the public and our civilization. Strong privacy protections, these people claim, allow terrorists to “hide in plain sight” and use the Internet and social media as their command, control, communications, and intelligence systems. “If you’ve got nothing to hide,” these uber-security zealots ask, “why do you need any privacy?”
But is this privacy-versus-security dilemma real or imagined? Consider, for example, how governments have long argued that private citizens have no need of encryption to protect their information; yet without strong encryption, there would be no way to protect online banking, electronic funds transfers, or electronic purchases from fraud. Traffic and security CCTV and surveillance systems can help manage urban problems, dispatch first responders more effectively, and even help identify and detain suspects wanted by the police. But the same systems can easily be used by almost anyone to spy on one’s neighbors, know when a family is not at home, or stalk a potential victim. The very systems we’ve paid for (with our taxes) become part of the threat landscape we have to face!
We will not attempt to lay out all of this debate here. Much of it is also beyond the scope of the SSCP exam. But as an SSCP, you need to be aware of this debate. More and more, we are moving our private lives into the public spaces of social media and the Web; as we do this, we keep shifting the balance between information that needs to be protected and that which ought to be published or widely shared. At the technical level, the SSCP can help people and organizations carry out the policy choices they’ve made; the SSCP can also advise and assist in the formulation of privacy and security policies, and even help craft them, as they grow in professional knowledge, skills, and abilities.
Whether it’s the business of business, the functions of government, or the actions and choices of individuals in our society, we can see that information is what makes everything work. Information provides the context for our decisions; it’s the data about price and terms that we negotiate about as buyers or sellers, and it’s the weather forecast that’s part of our choice to have a picnic today at the beach. Three characteristics of information have long been recognized as vital to our ability to make decisions about anything: its confidentiality, its integrity, and its availability.
Those three attributes or characteristics—the confidentiality, integrity, and availability of the information itself—reflect the needs we all have to be reasonably sure that we are making well-informed decisions, when we have to make them, and that our competitors (or our enemies!) cannot take undue or unfair advantage over us in the process. Information security practitioners refer to this as the CIA of information security. Every information user needs some CIA; for some purposes, you need a lot of it; for others, you can get by with more uncertainty (or “less CIA”).
Over the last decade, security professionals and risk managers have also placed greater emphasis on two other aspects of information security: non-repudiation, which means that the originator of a message or action cannot later deny having produced it, and authenticity, which means that the information, and the identity of its source, can be shown to be genuine.
These add to our CIA Triad to produce the mnemonic CIANA. The growing incidence of cyberattacks on public infrastructures is also raising the emphasis on safety, while similarly, the massive data breaches seen in the last few years highlight the need for better privacy protections to be in place. This leads others in the security profession to use CIANA+PS as the umbrella label for security needs, attributes, or requirements at the big-picture, strategic level.
Throughout this course we’ll use the acronym best suited to the context, as not all situations call for emphasis on all seven attributes. The following sections illustrate this. (Note that the absence of an attribute in the items below should not be taken to suggest that that situation has no need for that information security characteristic.)
Each of us has a private life, which we may share with family, friends, or loved ones. We expect a reasonable degree of security in that private life. As taxpayers and law-abiding members of our societies, whether we realize it or not, we have agreed to a social compact—a contract of sorts between each of us as an individual and the society as a whole. We fulfill our duties to society by obeying the laws, and society keeps us safe from harm. Society defends us against other nations that want to conquer or destroy us; society protects us against criminals; and society protects us against the prospects of choking on our own garbage, sewage, or exhaust. In English, safety and security are two different words for two concepts we usually keep separate; in Spanish, one word, seguridad, embraces both ideas equally.
People may be people, but they can take on many different roles in a society. For example:
It’s not hard to see how societies benefit as a whole when the sum total of law, ethics, and information security practices provide the right mix of CIA for each of these kinds of individuals.
The fundamental fact of business life is competition. Competition dictates that decisions be made in timely ways, with the most reliable information available at the time. It also means that even the consideration of alternatives—the decisions the business is thinking about making—needs to be kept out of the eyes and ears of potential competitors. Ethical concepts like fair play dictate that each business be able to choose where and when it will make its decisions known to its marketplaces, to the general public, and to its competitors.
As business use of robotics, autonomous devices, and Internet of Things capabilities grows, so too does the potential of unintended injury or property damage, if safety needs have not been properly considered.
Government agencies and officers of the government have comparable needs for availability and integrity of the information that they use in making decisions. As for confidentiality, however, government faces several unique needs.
First, government does have a responsibility to its citizens; as it internally deliberates upon a decision, it needs to do so confidentially to avoid sending inappropriate signals to businesses, the markets, and the citizens at large. Governments are made up of the people who serve in them, and those people do need reasonable time in which to look at all sides of complex issues. One example of this is when government is considering new contracts with businesses to supply goods and services that government needs. As government contracts officers evaluate one bidder’s proposal, it would be inappropriate and unfair to disclose the strengths and weaknesses of that proposal to competitors, who might then (unfairly!) modify their own proposals.
The law enforcement duties of government, for example, may also dictate circumstances in which it is inappropriate or downright dangerous to let the identity of a suspect or a key witness be made public knowledge.
Many nations consider that the ultimate role of government is to ensure public safety. Much work needs to be done in this regard, in almost every country.
Military needs for confidentiality of information present an interesting contrast. Deterrence—the strategy of making your opponents fear the consequences of attacking you, and so leading them to choose other courses of action—depends on your adversary having a good idea of just what your capabilities are and believing that you’ll survive their attack and be able to deal a devastating blow to them regardless. Yet you cannot let them learn too much, or they may find vulnerabilities in your systems and strategies that they can exploit.
Information integrity and availability are also crucial to the modern military’s decision making. The bombing of the Chinese Embassy in Belgrade, Yugoslavia, during the May 1999 NATO air campaign against the Yugoslavian government illustrates this. NATO and U.S. officials confirmed that the precision-guided bombs, dropped by a USAF B-2, hit exactly the building they were aimed at, which the targeting data identified as a Yugoslavian government supply and procurement office—except, they say, that the targeting data was outdated and mislocated that office, and the planners didn’t realize that the Chinese Embassy had moved into that building years earlier. Whether this was a case of bad data availability in action—right place, wrong tenant at wrong time—or whether there was some other secret targeting strategy in action depends on which Internet speculations you wish to follow. Note that stale data is also an integrity failure in the sense used above: the record was no longer correct, even though it was readily available.
Whether or not a society is a functioning democracy, most Western governments and their citizens believe that the people who live in a country are responsible for the decisions that their government makes and carries out in their names. The West holds the citizens of other countries responsible for what they let their governments do; so, too, do the enemies of Western societies hold the average citizens of those societies responsible.
Just as with due care and due diligence, citizens cannot meet those responsibilities if they are not able to rely on the information that they use when they make decisions. Think about the kind of decisions you can make as a citizen:
Voters need information about these and many other issues if they are going to be able to trust that their government, at all levels, is doing what they need done.
Prior to the Internet, many societies kept their citizens, voters, investors, and others informed by means of what were called the newspapers of record. Sometimes this term referred to newspapers published by the state or ruling party (such as Pravda and Izvestia during the Soviet era); these were easily criticized for being little more than propaganda outlets. Privately owned newspapers such as The New York Times, Le Figaro, and the Times of London developed reputations in the marketplace for separating their reporting of verifiable facts about newsworthy events from their editorial opinions and explanations of the meanings behind those facts. With these newspapers of record, a society could trust that the average citizen knew enough about events and issues to be able to place faith and confidence in the government, or to vote the government out at the next election as the issues might demand.
Radio, and then television, gave us further broadcasting of the news—as with the newspapers, the same story would be heard, seen, or read by larger and larger audiences. With multiple, competing newspapers, TV, and radio broadcasters, it became harder for one news outlet to outright lie in its presentation of a news story. (It’s always been easy to ignore a story.)
Today’s analytics-driven media and the shift to “infotainment” have seen narrowcasting replace broadcasting in many news marketplaces. Machine learning algorithms watch your individual search history and determine the news stories you might be interested in—and quite often don’t bother you with stories the algorithms think you are not interested in. This makes it much more difficult for people who see a need for change to get their message across; it also makes it much easier to suppress the news a whistleblower might be trying to make public.
Other current issues, such as the outcry about “fake news,” should raise our awareness of how nations and societies need to be able to rely on readily available news and information as they make their daily decisions. It’s beyond the scope of the SSCP exam to tackle this dilemma, but as an SSCP, you may be uniquely positioned to help solve it.
“The people need to know” is more than just “We need a free press.” People in all walks of life need to know more about how their use of information depends on a healthy dose of CIA and how they have both the ability and responsibility to help keep it that way.
You’ve seen by now that whether we’re talking about a business’s leaders and owners, its workers, its customers, or just the individual citizens and members of a society, everybody needs to understand what CIA means to them as they make decisions and take actions throughout their lives. As an SSCP, you have a significant opportunity to help foster this learning, whether as part of your assigned job or as a member of the profession and the communities you’re a part of.
In subsequent chapters, we’ll look more closely at how the SSCP plays a vital role in keeping their business information systems safe, secure, and resilient.
“As an SSCP” is a phrase we’ve used a lot so far. We’ve used it two different ways: to talk about the opportunities facing you, and to talk about what you will have to know as you rise up to meet those opportunities.
There is a third way we need to use that phrase, and perhaps it’s the most important of them all. Think about yourself as a Systems Security Certified Professional in terms of the “three dues.” What does it mean to you to live up to the responsibilities of due care and due diligence, and thus ensure that you meet or exceed the requirements of due process?
(ISC)2 provides us a Code of Ethics, and to be an SSCP you agree to abide by it. It is short and simple. It starts with a preamble, which we quote in its entirety:
The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
Therefore, strict adherence to this Code is a condition of certification.
Let’s operationalize that preamble—take it apart, step by step, and see what it really asks of us:
The code is equally short, containing four canons or principles to abide by:
Protect society, the common good, necessary public trust and confidence, and the infrastructure.
Act honorably, honestly, justly, responsibly, and legally.
Provide diligent and competent service to principals.
Advance and protect the profession.
The canons do more than just restate the preamble’s two points. They show us how to adhere to the preamble. We must take action to protect what we value; that action should be done with honor, honesty, and justice as our guide. Due care and due diligence are what we owe to those we work for (including the customers of the businesses that employ us).
The final canon addresses our continued responsibility to grow as a professional. We are on a never-ending journey of learning and discovery; each day brings an opportunity to make the profession of information security stronger and more effective. We as SSCPs are members of a worldwide community of practice—the informal grouping of people concerned with the safety, security, and reliability of information systems and the information infrastructures of our modern world.
In ancient history, there were only three professions—those of medicine, the military, and the clergy. Each had in its own way the power of life and death of individuals or societies in its hands. Each as a result had a significant burden to be the best at fulfilling the duties of that profession. Individuals felt the calling to fulfill a sense of duty and service, to something larger than themselves, and responded to that calling by becoming a member of a profession.
This, too, is part of being an SSCP.
Our Internet-enabled, e-commerce-driven world simply will not work without trustworthy, reliable information exchanges. Trust and reliability, as we’ve seen, stem from the right mix of confidentiality, privacy, and integrity in the ways we gather, process, use and share information. It’s also clear that if reliable, trustworthy information isn’t where we need it, when we need it, we put the decisions we’re about to make at risk; without availability, our safe and secure information isn’t useful; it’s not reliable. These needs for trustworthy, reliable information and information systems are equally important to governments and private businesses; and they are vitally important to each of us as individuals, whether as citizens or as consumers.
These fundamental aspects of information security—the CIA triad plus privacy, non-repudiation, authenticity, and safety—tie directly into our responsibilities in law and in ethics as information systems security professionals. As SSCPs, we have many opportunities to help our employers, our clients, and our society achieve the right mix of information security capabilities and practices.
From here, we move on to consider risk—what it is and how to manage and mitigate it, and why it’s the central theme as we plan to defend our information from all threats.
Explain the difference between information, information systems, and information technology systems. Information is what people use, think with, create, and make decisions with. Information systems are the business logic or processes that people use as they do this, regardless of whether the information is on paper, in electronic form, or only tacit (in their own minds). Information technologies such as paper and pen, computers, and punch cards are some of the ways you record information and then move, store, or update those recordings to achieve some purpose.
Explain the difference between due care and due diligence. Due care is making sure that you have designed, built, and used all the necessary and prudent steps to satisfy all of your responsibilities. Due diligence is continually monitoring and assessing whether those necessary and prudent steps are achieving required results and that they are still necessary, prudent, and sufficient.
Explain the difference between confidentiality and privacy. Privacy is defined in law and ethics as the freedom from intrusion by others into your life, your possessions, your place of work, or where you live. By controlling who can come into (or view) such private activities or places, you control what they can know about you and your activities. Confidentiality is defined in law and ethics as the requirement you place on another when you share information with them that you wish to keep private or in confidence; further disclosure by that person you share with cannot happen without your express consent.
Explain confidentiality, integrity, and availability as they pertain to information security needs. Confidentiality is about protecting the investment we have made in obtaining or producing information and the competitive advantage that information investment gives us so that others cannot take the information away from us and neutralize our advantage. Integrity means that the information as a set is reliable, complete, and correct, and has been created, modified, or used only by people and processes that we trust. Availability means that the information can be extracted, produced, displayed, or output where we need it, when we need it, in the form or format we need it in, to support our decision-making needs. Note that if information systems cannot assure integrity, the data that is produced (i.e., available) is not reliable, and in fact could be hazardous to use in making decisions.
Explain what business logic is and its relationship to information security. Business logic is the set of rules that dictate or describe the processes that a business uses to perform the tasks that lead to achieving the required results, goals, or objectives. Business logic is often called know-how, and it may represent insights into making better products or being more efficient than is typical, and as such, generates a competitive advantage for the business. It is prudent to protect business logic so that other unauthorized users, such as competitors, do not learn from it and negate its advantage to the business.
Explain what intellectual property is and how it relates to information security. Intellectual property consists of sets of ideas, designs, procedures, and data expressed in forms that can be used to implement business logic. Typically, a business invests considerable effort in creating its intellectual property (IP) so that it will have a significant competitive advantage over others in the marketplace. As such, that investment is worthy of protection.
Explain the apparent conflict between privacy and security. Criminals, terrorists, and law-abiding citizens can all use powerful encryption, virtual private networks, and other information security technologies to protect their information and their activities from prying eyes. This causes some people to believe that protecting the privacy of the innocent is exposing others to harm. Yet these same people want their medical or financial information kept safe and securely out of the hands of criminal hackers.
Explain the roles of CEOs or managing directors in a modern business. CEOs or managing directors are the most senior, responsible individuals in a business. They have ultimate due care and due diligence responsibility for the business and its activities. They have authority over all activities of the company and can direct subordinate managers in carrying out those responsibilities. They may report to a board of directors, whose members have long-term, strategic responsibility for the success of the business.
Explain what a stakeholder is in the context of a business. A stakeholder is a person or organization that has an interest in or dependence on the successful operation of the business. Stakeholders could be investors; employees of the business; its strategic partners, vendors, or customers; or even its neighbors. Not all interests are directly tied to profitable operation of the business—neighbors, for example, may have a stake in the company operating safely and in ways that do not cause damage to their own properties or businesses.
Explain the difference between legal, regulatory, and ethical obligations or responsibilities as they pertain to information security. Legal responsibilities are defined in criminal or civil law, and they are enforced by government authorities, typically in a court of law. Regulatory responsibilities are established by government agencies that specify rules and procedures for business activities. They may have the force of law, but they were not written as laws by the legislature. Ethical responsibilities are the ideas about right and wrong behavior widely held in the society and marketplace where the business is located or functions.
Explain why everybody needs to know about information security. We all make decisions, whether as employees, students, family members, or members of our society. We must put some measure of trust and confidence into the information we use when we make those decisions, and therefore, we must be able to trust where we get information from. This means holding our sources accountable and cooperating with them in their efforts to protect information by keeping it confidential, preserving its integrity, and making it available to us. We are all parts of communities of trust.
Compare safety and security for information systems. Safety means operating a system in ways that do no harm, either to the system, its users, or bystanders, or to their property. Security means operating a system in ways that ensure that the information used in that system is available, of high integrity, and has been kept confidential as required. Systems with low information integrity are most likely unsafe to use or be around when they are used.
Explain the preamble of the (ISC)2 Code of Ethics. The preamble reminds us that everyone’s safety and welfare depends on keeping information systems safe and secure from harm, misuse, or incorrect operation. As information systems security professionals, we have the opportunity and responsibility to ensure the safe and correct operation of these systems. As professionals, we have an obligation to one another and to society to have our actions be the standard others should aspire to.
Explain the canons of the (ISC)2 Code of Ethics. Protect society and the infrastructures it depends on; act honorably and with integrity; provide correct, complete, professional service to those we work for and with; and help grow and maintain our profession.
Justify why you should follow the (ISC)2 Code of Ethics. When you decide to be an information systems security professional, you are agreeing to the principles of the preamble and canons of that code. Not following the code places you in a contradiction—you cannot honestly protect an information system if you knowingly give incorrect, incomplete, or unprofessional advice to its owners, for example.
Relate nonrepudiation and authenticity to information security. Nonrepudiation prevents one party (a sender of a message, for example) from attempting to deny that they in fact sent that message. Without this property, the recipient is at risk of loss or impact if they take action on that request. Nonrepudiation, therefore, supports integrity and accountability. Authenticity is related to nonrepudiation, but different. Authenticity provides the means for each party in a transaction or message exchange to have confidence that the other party is who they claim to be, and that they have the right, permission, or legal authority to participate in the exchange. Without authenticity being assured, both parties are at risk of the other party being an impostor, or someone acting beyond their legal rights to do so.
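The distinction above between authenticity and nonrepudiation is easiest to see in working code. This added Go example (not from the book) contrasts a shared-key HMAC tag, which lets a receiver confirm a message came from a key holder but cannot prove to anyone else which key holder produced it, with an Ed25519 signature, which binds the message to the sole holder of a private key; the key and message values are constructed samples.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
)

// SharedKeyTag computes an HMAC-SHA256 tag over msg with a key that both the
// sender and the receiver hold. The receiver gains authenticity (only a key
// holder could have produced the tag) but not nonrepudiation: it holds the
// same key, so it could have minted the tag itself and cannot prove to a
// third party that the sender, rather than the receiver, created it.
func SharedKeyTag(key, msg []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(msg)
	return mac.Sum(nil)
}

// VerifySharedKeyTag checks a tag using a constant-time comparison.
func VerifySharedKeyTag(key, msg, tag []byte) bool {
	return hmac.Equal(SharedKeyTag(key, msg), tag)
}

// GenerateSigner creates an Ed25519 key pair. Only the sender holds the
// private half, which is what makes its signatures non-repudiable.
func GenerateSigner() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignMessage produces a signature that anyone holding the public key can
// verify, so the receiver can later show a third party that the sender
// committed to exactly this message.
func SignMessage(priv ed25519.PrivateKey, msg []byte) []byte {
	return ed25519.Sign(priv, msg)
}

// VerifySignedMessage returns false if msg was altered or signed by a
// different key; unlike the HMAC case, the receiver cannot forge a passing
// signature because it never holds the private key.
func VerifySignedMessage(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}
```

Both checks give the receiver authenticity; only the signature gives the receiver something it could present to a third party, which is the nonrepudiation property the text describes.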
Know the various data protection roles defined by GDPR. The General Data Protection Regulation (GDPR), enacted by the European Union, defines five roles regarding the responsibilities for protecting sensitive data (data which relates to the privacy of an individual person). The first role, the subject, is the person described by or that can be identified by the data in question. The processor is a person or organization that performs tasks to create, modify, use, destroy, or share that data with others. The controller is the person or organization that establishes the purposes and intents for using the data, directs its processing, and has ultimate data protection responsibility. The custodian is a person or organization that provides storage for the data. Finally, the data protection officer is a designated official within an organization that handles protected data, who acts as the focal point for all data protection compliance issues.
Questions 15–17 apply to the following scenario. You live in Singapore, but you work remotely for an online merchant based in Berlin, Germany.
Questions 19–20 apply to the following scenario:
As an SSCP, suppose you work as a systems security analyst for a medical insurance claims processing company. During a security assessment, you discover that there is little or no protection in place to keep sensitive patient data from being compromised by a cyber attacker. You bring this to your manager’s attention, who tells you to not make an issue of this, as the company has decided that it’s cheaper to pay any damage claims if a breach occurs than it is to fix the problems and prevent such compromises in the first place.