1. Confidentiality:
Information can be accessed only by the person for whom it is intended; no one
else can read it.
2. Integrity:
Information cannot be modified, in storage or in transit between the sender and
the intended receiver, without the modification being detected.
3. Non-repudiation:
The creator/sender of information cannot later deny having created or sent it.
4. Authentication:
The identities of the sender and receiver are confirmed, as are the origin and
destination of the information.
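The four goals above are easiest to tell apart by looking at what one concrete mechanism does and does not give you. The following is an added example, not code from the original page: it uses HMAC-SHA256 from the Python standard library over a constructed payment message (the message, the key handling and the function names are all assumptions for illustration). It shows integrity (a single flipped byte is detected), authentication (a tag made under another key is rejected), and why a shared-key MAC cannot give non-repudiation: the receiver holds the same key and can forge a tag that verifies just as well as the sender's, so a third party cannot tell who produced it. Non-repudiation needs a digital signature under a private key only the sender holds.

```python
import hashlib
import hmac
import secrets

# Constructed sample message (not from the page): a payment instruction the
# sender wants delivered unchanged and attributable to them.
MESSAGE = b"transfer 100.00 EUR to account IBAN-DE00-0000-0001"


def generate_key() -> bytes:
    """Shared secret. How it is agreed (key exchange, KMS) is out of scope here."""
    return secrets.token_bytes(32)


def protect(key: bytes, message: bytes) -> bytes:
    """Sender side: HMAC-SHA256 tag that binds the message to the shared key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver side: recompute the tag and compare in constant time, so the
    comparison itself does not leak how many tag bytes matched."""
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def integrity_violation_detected(key: bytes) -> bool:
    """Integrity: an attacker in transit changes one byte ("100.00" -> "900.00").
    The original tag no longer verifies, so the receiver rejects the message."""
    tag = protect(key, MESSAGE)
    modified = bytearray(MESSAGE)
    modified[9] ^= 0x08          # byte 9 is '1' (0x31); it becomes '9' (0x39)
    return not verify(key, bytes(modified), tag)


def wrong_key_rejected(key: bytes) -> bool:
    """Authentication: a tag computed under some other key does not verify,
    so a verifying tag proves the message came from a holder of the shared key."""
    tag = protect(key, MESSAGE)
    return not verify(generate_key(), MESSAGE, tag)


def receiver_can_forge(key: bytes) -> bool:
    """Non-repudiation is NOT provided: the receiver holds the same key, so it
    can mint a valid tag on a message the sender never sent. Nothing in the tag
    distinguishes the receiver's forgery from a genuine sender tag."""
    forged = b"transfer 5000.00 EUR to account IBAN-DE00-0000-0099"
    forged_tag = protect(key, forged)        # computed by the receiver
    return verify(key, forged, forged_tag)   # verifies exactly like a real one


if __name__ == "__main__":
    k = generate_key()
    print("tamper detected:    ", integrity_violation_detected(k))
    print("wrong key rejected: ", wrong_key_rejected(k))
    print("receiver can forge: ", receiver_can_forge(k))
```

The constant-time comparison in `verify` matters: comparing tags with `==` returns as soon as the first byte differs, which lets an attacker recover a valid tag byte by byte from timing alone.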
Security Standards:
Security standards apply to organizations of every size, industry and sector.
This section covers the standards and laws that are usually recognized as
essential components of any cybersecurity strategy.
1. ISO
ISO stands for International Organization for Standardization. International
standards make things work: they provide world-class specifications for
products, services and systems, to ensure quality, safety and efficiency, and
they are instrumental in facilitating international trade.
The need for the ISO 27000 series arises from the risk of cyber-attacks that
organizations face. Attacks grow more frequent every day, making attackers a
constant threat to any industry that uses technology.
The ISO 27000 series comprises many standards, including:
ISO 27001- This standard lets an organization demonstrate to its clients and
stakeholders that it manages the security of their confidential data and
information. It specifies a process-based approach for establishing,
implementing, operating, monitoring, maintaining and improving an information
security management system (ISMS).
ISO 27005- This standard supports the general concepts specified in ISO 27001
and provides guidelines for implementing information security using a risk
management approach. Fully understanding ISO/IEC 27005 requires knowledge of
the concepts, models, processes and terminology described in ISO/IEC 27001 and
ISO/IEC 27002. The standard applies to all kinds of organizations:
non-governmental organizations, government agencies and commercial enterprises.
2. IT Act
The Information Technology Act, also known as ITA-2000 or the IT Act, aims to
provide the legal infrastructure in India for dealing with cybercrime and
e-commerce. It is based on the United Nations Model Law on Electronic Commerce
1996 recommended by the UN General Assembly. The act is also used to check
misuse of computers and networks in India. It was passed in 2000 and amended in
2008. It was designed to boost electronic commerce, e-transactions and related
activities associated with commerce and trade, and to facilitate electronic
governance by means of reliable electronic records.
The IT Act 2000 has 13 chapters, 94 sections and 4 schedules. The first 14
sections concern digital signatures and the sections that follow deal with the
certifying authorities licensed to issue digital signature certificates;
sections 43 to 47 provide for penalties and compensation, sections 48 to 64
deal with the Cyber Appellate Tribunal and appeals to the High Court, sections
65 to 79 deal with offences, and the remaining sections 80 to 94 deal with
miscellaneous provisions of the act.
3. Copyright Act
The Copyright Act 1957, as amended by the Copyright Amendment Act 2012,
governs copyright law in India. The Act has been in force since 21 January
1958. Copyright is a legal term describing the rights that authors hold over
"original works of authorship" fixed in a tangible form of expression.
Original works of authorship include books, videos, movies, music and computer
programs. Copyright law balances the public's use and reuse of creative works
against the desire of creators of art, literature, music and software to
monetize their work by controlling who can make and sell copies of it.
The copyright act covers the following-
4. Patent Law
Patent law deals with new inventions. Traditional patent law protects tangible
technical inventions such as circuit boards, heating coils, car engines or
zippers. Over time, patent law has also been used to protect a broader variety
of inventions such as business methods, software algorithms or genetically
modified organisms. A patent is the right to exclude others from making, using,
selling or importing the invention, from inducing others to infringe, and from
offering a product specially adapted for practising the patented invention.
5. IPR
Intellectual property rights are rights that allow creators, or owners of
patents, trademarks or copyrighted works, to benefit from their own plans,
ideas or other intangible assets, or from their investment in a creation. These
rights are outlined in Article 27 of the Universal Declaration of Human Rights,
which provides for the right to benefit from the protection of the moral and
material interests resulting from authorship of any scientific, literary or
artistic production. Such rights allow the holder to exercise a monopoly on the
use of the item for a specified period.
What is information technology (IT) risk management?
IT risk management, also called “information security risk management,” consists
of the policies, procedures, and technologies that a company uses to mitigate
threats from malicious actors and reduce information technology vulnerabilities
that negatively impact data confidentiality, integrity, and availability.
Let’s explore what each of these steps looks like, and why each is relevant for an
effective IT risk management program:
Conceptually, identifying the locations where your data resides seems simple
enough. Most organizations start with their databases or collaborative
applications. However, as more companies embrace cloud-first or cloud-only
strategies, data becomes more dispersed and harder to protect.
Organizations no longer store data solely on on-premises servers. Many now use
object storage or other cloud-based locations such as shared drives.
Additionally, many organizations collect data in new ways, such as via
customer-facing web portals. New transmission channels, such as email and
messaging services, also change how organizations share information with
internal and external stakeholders.
Cloud-based collection, transmission and storage locations can pose a higher
risk of theft when the organization lacks visibility into the effectiveness of
the provider's controls; an on-premises server whose controls you can inspect
may then be the lower risk. The reverse is just as possible: a well-run cloud
service is often better secured than an unmonitored on-premises machine, so the
assessment has to rate the controls in place, not the label on the location.
When engaging in an information risk assessment, you need to identify the
myriad locations and users who "touch" your information.
Not only do you need to know where your data resides, but you also need to know
what data you collect. Not all types of data are created equally. Personally
identifiable information (PII) includes data such as name, birth date, social
security number, or even IP address. Since malicious actors often target PII
because they can sell it on the Dark Web, the information is a high-risk asset.
Identifying the types of data your organization stores and aligning that to the
locations where you store your information act as the basis for your risk analysis.
Now that you have reviewed and classified all data assets, you need to analyze
the risk. Each data asset type resides in a particular location, and the
sensitivity of the asset combines with the exposure of the location to
determine how attractive and how reachable it is for a malicious actor. The
best way to do this is to calculate:
For example, a low-risk data asset, such as marketing copy, may be in a high-risk
location such as a file-sharing tool. However, the financial impact on your
company if a malicious actor steals the information is minimal. Thus, this might
be categorized as low or moderate risk.
Setting your risk tolerance means deciding whether to accept, transfer, mitigate
or avoid each risk. An example of transferring risk is purchasing cyber risk
liability insurance. An example of mitigating risk is putting a firewall in
place to restrict access to the location where the data resides.
Third-party vendor risk mitigation also acts as an important part of your IT risk
management strategy. While you can control your vendors, you may not be able
to assert the same contractual obligations against their vendors. As part of your
holistic information risk management strategy, you need visibility into the
cybersecurity posture across your ecosystem.
For example, if your vendor's vendor uses a cloud database and stores your data
in plain text, then your information is at risk. Continuously monitoring your
supply chain for encryption at rest, which keeps data unreadable even if an
attacker reaches the storage, gives you visibility into your ecosystem's cyber
health.
3. Monitor compliance
As data breaches command more headlines, legislative bodies and industry
standards organizations have released more stringent compliance requirements.
Several newer laws, such as the General Data Protection Regulation (GDPR), the
California Consumer Privacy Act (CCPA) and the New York Stop Hacks and Improve
Electronic Data Security (NY SHIELD) Act, expect ongoing monitoring of
safeguards as part of a compliance-driven cybersecurity program.
The Disaster Recovery Plan, or DRP, enables the company to resume normal
operations after a disaster. In the context of IT, the disaster is often a
security incident: loss or theft of sensitive data, malware, a cyberattack or
other cybercrime, but also hardware failure or human error.
In the context of IT, the DRP has several sub-goals toward a main goal which is
safeguarding the sustainability of your company's activities. Those sub-goals are:
The DRP is a document that lists all the processes your company has to put in
place to maintain or rebuild its IT systems in the aftermath of a cyber crisis:
● It indicates how and when to switch to the backup system provided for in
the crisis management plan;
● It specifies which backup system to activate in order to keep confidential
data secure during the recovery;
● It details how long each department can afford to be down, namely the RTO
(Recovery Time Objective);
● It also determines the maximum acceptable data loss, or RPO (Recovery Point
Objective), which in practice is the age of the most recent usable backup at the
moment of the incident.
To summarise, Chief Information Officers (CIOs) generally consider that the BCP
describes the measures that ensure continuity of the activity, while the DRP
details the measures that guarantee resumption of the activity after an IT
shutdown. The Disaster Recovery Plan is activated when the infrastructure is
unavailable.
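RTO and RPO only mean something once you measure them against what actually happened. The following is an added example, not part of the original page: a small Python check that reads a constructed backup job log and a constructed incident timeline (timestamps, department names and the objective values are all assumptions for illustration) and reports, per department, how much data was lost and how long the department was down, compared with its RPO and RTO. The detail it is built to expose is the failed backup job: the log shows a 12:00 run for "finance", but it failed, so the last usable copy is the 06:00 one and the department's RPO is silently breached.

```python
from datetime import datetime

# Constructed backup job log (ISO 8601 UTC, department, job status); not real data.
BACKUP_LOG = """\
2024-03-10T00:00:00 finance ok
2024-03-10T00:00:00 sales   ok
2024-03-10T06:00:00 finance ok
2024-03-10T06:00:00 sales   FAILED
2024-03-10T12:00:00 finance FAILED
2024-03-10T12:00:00 sales   ok
"""

# Assumed per-department objectives, in hours: how long each department can be
# down (RTO) and how much data, measured in time, it can afford to lose (RPO).
OBJECTIVES = {
    "finance": {"rto_hours": 2.0, "rpo_hours": 6.0},
    "sales":   {"rto_hours": 8.0, "rpo_hours": 4.0},
}

# Constructed incident timeline: ransomware detected, then each department's
# services confirmed back in production.
INCIDENT = datetime(2024, 3, 10, 13, 30)
RESTORED = {
    "finance": datetime(2024, 3, 10, 14, 45),
    "sales": datetime(2024, 3, 10, 23, 0),
}


def parse_log(text: str) -> list:
    """Turn log lines into (timestamp, department, status) tuples."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, dept, status = line.split()
        entries.append((datetime.fromisoformat(ts), dept, status))
    return entries


def last_good_backup(entries: list, dept: str, before: datetime):
    """Most recent backup that actually succeeded before the incident. A failed
    job still appears in the log, so counting it would understate the data loss."""
    good = [ts for ts, d, status in entries
            if d == dept and status == "ok" and ts <= before]
    return max(good) if good else None


def hours_between(later: datetime, earlier: datetime) -> float:
    return (later - earlier).total_seconds() / 3600.0


def evaluate(entries: list, incident: datetime, restored: dict, objectives: dict) -> dict:
    """Compare achieved data loss and downtime with each department's RPO/RTO."""
    report = {}
    for dept, obj in objectives.items():
        last = last_good_backup(entries, dept, incident)
        data_loss = hours_between(incident, last) if last else None
        downtime = hours_between(restored[dept], incident)
        report[dept] = {
            "last_good_backup": last,
            "data_loss_hours": data_loss,
            "downtime_hours": downtime,
            # No usable backup at all means the RPO is breached, not "unknown".
            "rpo_met": data_loss is not None and data_loss <= obj["rpo_hours"],
            "rto_met": downtime <= obj["rto_hours"],
        }
    return report


if __name__ == "__main__":
    for dept, r in evaluate(parse_log(BACKUP_LOG), INCIDENT, RESTORED, OBJECTIVES).items():
        print(f"{dept}: lost {r['data_loss_hours']:.1f}h of data (RPO met: {r['rpo_met']}), "
              f"down {r['downtime_hours']:.1f}h (RTO met: {r['rto_met']})")
```

Run against the constructed data, "finance" meets its 2-hour RTO but loses 7.5 hours of data against a 6-hour RPO, and "sales" keeps its data loss within the RPO but is down 9.5 hours against an 8-hour RTO. Running a check like this after every DRP test, rather than only after a real incident, is what turns the objectives in the document into something the organisation can actually claim to meet.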
In the event of a cyber attack, there are generally two execution scenarios for
the DRP:
● Either your company was prepared for IT crises and had a BCP to mitigate
the impact of the disaster. In this case, your company can reduce the RTO and
RPO to a minimum and apply a "warm restart" of the applications: a quick
restart of activities on one or more standby servers, all based on
pre-disaster backups.
● Or your organisation had neither a BCP nor the technical means to execute
an effective crisis management plan. Then you have to perform a "cold restart"
afterwards, that is to say several hours or days after the disaster, recovering
from the company's latest backups. This cold procedure is becoming less common
as cloud-based backup and replication spread, but only when those copies are
kept isolated from production: a synchronised copy that faithfully replicates
the attacker's encryption is not a backup.
When should you set up your IT recovery?
By definition, the DRP is only activated when the company suffers a real
shutdown of its IT activities. If you want this recovery plan to perform well
and let you resume your activities quickly, you must think it through well in
advance of the actual onset of a cyber crisis. Allow an average of 3 months to
design it. This is an indicative time frame; you might need more or less,
depending on the size of your organisation.
Once a cyberattack, computer failure or human error has hit your
infrastructure, executing your DRP should minimise your operational downtime.
The longer the recovery, the more the company's financial results are
jeopardised.
The main mission of the Disaster Recovery Plan is to ensure a rapid restart of
your operations. Too long an interruption damages your reputation and, as a
consequence, your financial value. Moreover, if that one-off stop threatens the
fulfilment of your regulatory and contractual obligations, you incur harmful
legal consequences.
Nevertheless, setting up a DRP does come at a cost. Yet it pays for itself when
you take into account the harmful consequences it prevents for the company in
the event of a cyberattack or an IT failure:
The DRP relies on a secondary site or third-party infrastructure and on data
backups to keep IT operating acceptably. As with the BCP, the advantages of the
Disaster Recovery Plan can only be realised if good practices are followed: the
plan must be thought through, documented and regularly tested, since a restore
that has never been rehearsed is a guess. Its development takes time and a
significant budget to be effective.