| DATA INCIDENTS | THEFT or CORRUPTION | LOSS or INVOLUNTARY DISCLOSURE |
|---|---|---|
| EXTERNAL CAUSES or THIRD PARTIES | 1. Digital: hacking, virus infection, phishing and other cyberattacks. 2. Physical: theft, social engineering | 3. Disaster, systems disruptions, third-party failure |
| INTERNAL CAUSES | 4. Theft and transfer of digital or physical information by an infiltrated employee or contractor. 5. Departing employees take proprietary information or intellectual property from the firm (mishandled exits) | Digital: 6. Database loss, back-up loss. 7. Loss of devices by staff members. 8. Errors when sending documents (wrong e-mail recipients or attachments). Physical: 9. Loss of printed documents (e.g., accidentally disposed of in a wastebasket). 10. Errors or accidental mentions of confidential information when communicating with outsiders. 11. Loss of archives |
A Typology of Information Security Risks
[Table: High Profile, Egregious Data Hacks]

[Table: Data Leaks: Transfer of Confidential Information]
Control 1: Inventory and Control of Enterprise Assets
Control 2: Inventory and Control of Software Assets
Control 3: Data Protection
Control 4: Secure Configuration of Enterprise Assets and Software
Control 5: Account Management
Control 6: Access Control Management
Control 7: Continuous Vulnerability Management
Control 8: Audit Log Management
Control 9: E-mail and Web Browser Protections
Control 10: Malware Defenses
Control 11: Data Recovery
Control 12: Network Infrastructure Management
Control 13: Network Monitoring and Defense
Control 14: Security Awareness and Skills Training
Control 15: Service Provider Management
Control 16: Application Software Security
Control 17: Incident Response Management
Control 18: Penetration Testing
CIS Critical Security Controls – Version 8
| Behavioral Controls | Examples |
|---|---|
| Awareness and Prudence | Awareness campaign; training; fake phishing test; password cracking attempt (from IT department) |
| Conduct Rules | Rules of confidentiality; code of conduct; sanction rules |
| Data Governance | Data transfer rules |

| Technical Controls | Examples |
|---|---|
| Architecture | Network partitioning; access management; firewalls |
| Encryption | Password rules; encryption levels and rules |
| Detection | DLPD; honeypot |
| Testing | Penetration testing |
- Overdue vulnerability patching
- Overdue penetration tests / overdue resolution of penetration test recommendations
- Overdue replacement of obsolescent software
- Results of phishing tests and of password cracking attempts
- Number of computers with inadequate access and overdue revisions of access
- % change in number of IT help-desk requests / change requests / issues per IT manager
- % vacancies in IT/cybersecurity teams
- Overcapacity usage of systems
- Conduct metrics on employee compliance
- Number of reported breaches of conduct and information rules on social media
- Number of “repeat offenders” (staff failing more than one phishing test) in sensitive data areas
- Number of devices or access cards lost/stolen
as Key Risk Indicators (KRIs). This table provides examples of KRIs for information security.
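As an added example, not taken from the page, the Python script below computes four of the KRIs listed above from constructed records (vulnerability tickets, phishing-test outcomes, device loss reports and monthly help-desk counts) and flags each against an assumed tolerance threshold; the sample data, thresholds and function names are all assumptions.

```python
from collections import Counter
from datetime import date

# Constructed sample data (not from the page): vulnerability tickets with a
# remediation deadline, phishing-test outcomes, device loss reports and
# help-desk ticket counts for two consecutive months.
VULNS = [  # (ticket id, due date, closed date or None)
    ("V-1", date(2024, 3, 1), None),
    ("V-2", date(2024, 3, 20), date(2024, 3, 10)),
    ("V-3", date(2024, 2, 15), None),
    ("V-4", date(2024, 4, 30), None),
]
PHISHING = [  # (staff id, department, failed the test?)
    ("u1", "finance", True), ("u1", "finance", True), ("u2", "finance", False),
    ("u3", "marketing", True), ("u3", "marketing", True), ("u4", "hr", True),
]
SENSITIVE_AREAS = {"finance", "hr"}          # departments handling sensitive data
DEVICES = [("laptop", "lost"), ("badge", "stolen"), ("phone", "returned")]
HELPDESK = {"2024-02": 120, "2024-03": 156}  # tickets per month
REPORT_DATE = date(2024, 3, 15)
# Assumed tolerance per KRI; a value above its threshold is a breach.
THRESHOLDS = {"overdue_patching": 1, "repeat_offenders": 0,
              "devices_lost": 2, "helpdesk_change_pct": 20.0}

def overdue_patching(vulns, today):
    """Open tickets whose remediation deadline has already passed."""
    return [tid for tid, due, closed in vulns if closed is None and due < today]

def repeat_offenders(tests, sensitive):
    """Staff in sensitive data areas who failed more than one phishing test."""
    fails = Counter(uid for uid, dept, failed in tests if failed and dept in sensitive)
    return sorted(uid for uid, n in fails.items() if n > 1)

def devices_lost(reports):
    """Count of devices or access cards reported lost or stolen."""
    return sum(status in ("lost", "stolen") for _, status in reports)

def helpdesk_change_pct(counts, prev, cur):
    """Month-over-month percentage change in help-desk ticket volume."""
    return round(100.0 * (counts[cur] - counts[prev]) / counts[prev], 1)

def kri_report(today):
    """Return {kri: (value, breached?)} for the reporting date."""
    values = {
        "overdue_patching": len(overdue_patching(VULNS, today)),
        "repeat_offenders": len(repeat_offenders(PHISHING, SENSITIVE_AREAS)),
        "devices_lost": devices_lost(DEVICES),
        "helpdesk_change_pct": helpdesk_change_pct(HELPDESK, "2024-02", "2024-03"),
    }
    return {k: (v, v > THRESHOLDS[k]) for k, v in values.items()}

if __name__ == "__main__":
    for name, (value, breached) in kri_report(REPORT_DATE).items():
        print(f"{name:22} {value:>6}  {'BREACH' if breached else 'ok'}")
```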