
Question 1

1.
The ISO/IEC 27001 family of standards, also known as the ISO 27000 series, is a series of best practices
to help organisations improve their information security. Published by the International Organization for
Standardization and the International Electrotechnical Commission, the series explains how to
implement an information security management system (ISMS). An ISMS is a systematic approach to risk
management, containing measures that address the three pillars of information security: people,
processes and technology. The series consists of 46 individual standards, including ISO 27000, which
provides an introduction to the family as well as clarifying key terms and definitions.
Why use an ISO 27000-series standard?
Information security breaches are one of the biggest risks that organisations face. Sensitive data is used
across all areas of businesses these days, increasing its value for legitimate and illegitimate use. That is
why organisations are increasingly investing heavily in their defences, using the ISO 27000 series as a
guideline for effective security. The ISO 27000 series can be applied to organisations of any size and in any
sector, and the framework’s broadness means its implementation will always be appropriate to the size
of the business.

2.
Confidentiality
Confidentiality is the goal of keeping systems and data from being accessed, seen, read, or otherwise
interacted with by anyone who is not authorized to do so. Confidentiality is met by keeping data secret
from people who aren’t allowed to have it or interact with it in any way, while making sure that only
those people who do have the right to access it can do so. Confidentiality is achieved through various
means, including permissions on data, encryption, and so on.

Integrity
Meeting the goal of integrity requires maintaining data and systems in a pristine, unaltered state when
they are stored, transmitted, processed, and received, unless the alteration is intended due to normal
processing. In other words, there should be no unauthorized modification, alteration, creation, or
deletion of data. Any changes to data must be done only as part of authorized transformations in normal
use and processing. Integrity can be maintained by the use of a variety of checks and other mechanisms,
including data checksums, comparison with known or computed data values, and cryptographic means.

Availability
Maintaining availability means ensuring that systems and data are available for authorized users to
perform authorized tasks, whenever they need them. Availability bridges security and functionality,
because it ensures that users have a secure, functional system at their immediate disposal. An extremely
secure system that is not functional is not available in practice. Availability is ensured in various ways,
including system redundancy, data backups, business continuity, and other means.

3.
Information Security
Information security focuses on protecting the business as a whole. It doesn’t just focus on technology,
networking, and security. It is founded on protecting the business’s assets, including anything that
would be considered intellectual property and data that should remain private.
IT Security
IT Security focuses on content located on the local network. The local network can also include cloud
storage and infrastructure. Any assets stored on information systems would fall under the supervision of
an IT Security professional.

Conclusion
The takeaway from Information Security versus other forms of security is that Information Security
protects all forms of data. Printed documents, physical assets stored on premises, and any form of
intellectual property are within scope for Information Security specialists to defend against unauthorized
access. Depending on your company, you might even make decisions about physical entry controls, like
mantrap entry systems, bollards, or even fence heights. It is serious business.
Preventing unauthorized access is also a part of IT Security’s job responsibilities. These professionals
protect corporate data, but they must also defend from outside attackers by building an infrastructure
that cannot be breached by attackers. No system is ever fully impenetrable, but IT Security professionals
do whatever they can to ensure that private data is secure and monitor digital assets for any suspicious
activity.

4.
When you have been affected by a data breach, here are the steps you should take right away.
• Find out what kind of data was stolen. Companies are required to notify customers if their
information was breached. If you get this type of notification, try to pinpoint which accounts
might be compromised and consider accepting whatever help the company offers. This may
include free credit monitoring.
• Contact your financial institution. Whether it is your credit card issuer or your bank, discuss
next steps such as changing your account numbers, disputing or canceling fraudulent charges,
and setting up fraud alerts.
• Change and strengthen your passwords on all accounts. Even accounts that were not breached
might be compromised later, especially if you have been using the same passwords. A password
manager can help you create strong passwords, keep them safe, and let you access them when
needed.
• Check your free credit reports. Visit AnnualCreditReports.com to request your annual free
credit report from each credit bureau. This can help you spot errors and fraud, such as new
accounts you did not authorize. Also consider freezing your credit files to stop anyone from
opening new accounts in your name. Remember, you will have to lift the freeze if you need to
open new accounts later.
• Look for suspicious activity. Monitor your accounts and look for suspicious activity. This may
include charges or withdrawals you did not make or new accounts that appear on your credit
report.

What can happen if a data breach is serious

Here is a quick look at 5 of the most important consequences of data breaches.
1. Revenue Loss: Significant revenue loss because of a security breach is common. Studies show that
29% of businesses that face a data breach end up losing revenue. Of those that lost revenue, 38%
experienced a loss of 20% or more. A non-functional website, for example, may cause potential
customers to explore other options. But any IT system downtime can lead to work disruptions.
2. Damage to Brand Reputation: A security breach can impact much more than just your short-term
revenue. The long-term reputation of your brand is at stake as well. For one, you do not necessarily
want your emails leaked. In most cases, you need these emails to remain private. However, customers
value their privacy, too — and breaches often involve customer payment information. Potential leads
will be hesitant to trust a business with a history of shoddy data security.
3. Loss of Intellectual Property: Loss of revenue and damaged reputation can be catastrophic. However,
in some cases, hackers will also target designs, strategies, and blueprints. Businesses within the
manufacturing and construction industries are more prone to this threat. Smaller businesses tend to
believe they will not get hit. But 60% of hacks target small businesses. This is because they are easier to
attack. Losing intellectual property can impact the competitiveness of your business. Some rivals would
not hesitate to take advantage of stolen information.
4. Hidden Costs: Surface-level costs are just the beginning. There are many hidden costs related to
breaches as well. For instance, legal fees may come into play. Also, you may need to spend more on PR
and investigations, not to mention insurance premium hikes. Regulatory fines are another reality that
many businesses overlook.
5. Online Vandalism: Some hackers fancy themselves as pranksters. In these cases, a security breach
might only lead to a few word changes on your website. While this seems relatively harmless, it can cause
a lot of damage. Subtle changes are harder to notice. For example, a hacker might change a few letters
or numbers on your contact page. They may also add vulgar content to some of your webpages.

5.
How to implement an ISO 27000-series ISMS in an organization
The following steps are necessary to implement an ISMS:
• Implementation
  o Get an understanding of ISO 27001:2013
  o Appoint an ISO 27001 implementer (internal or external)
  o Secure senior management support
  o Establish the context, scope, and objectives
  o Establish a management framework
  o Conduct a risk assessment
  o Implement controls to mitigate risks
  o Conduct training
  o Review and update the required documentation
  o Measure, monitor, and review
  o Conduct an internal audit: ISO/IEC 27001:2013 requires internal audits of the ISMS at planned
    intervals. A practical working knowledge of the lead audit process is also crucial for the manager
    responsible for implementing and maintaining ISO 27001 compliance.
• Registration/certification audits
  o Stage 1 audit: the auditor will assess whether your documentation meets the
    requirements of the ISO 27001 Standard and point out any areas of nonconformity and
    potential improvement of the management system.
  o Stage 2 audit: the auditor will conduct a thorough assessment to establish whether you
    are complying with the ISO 27001 standard.
• With the right preparation, most small to mid-sized organizations can expect to achieve ISO
27001 certification within 6 – 12 months, depending on the size and complexity of the scope of
the management system.

Question 2
1.
For an e-commerce platform we prefer the risk analysis guidelines of PCI DSS, as these apply to
merchants who handle payment data, including in the cloud. This standard is accepted worldwide for
handling payment data. Conducting a PCI DSS risk assessment helps an organization to identify and
understand the potential risks to its environment. By understanding these risks, an organization can
prioritize risk mitigation efforts to address the most critical risks first. Organizations can also implement
threat-reducing controls more effectively, for example, by choosing a technology or solution that best
addresses the identified risks.

2.
The following steps should be taken to document the risk assessment plan successfully. The initial
phase of the risk assessment plan should be done thoroughly, as the scope and assets need to be properly
identified for each department; this should take 2 weeks. After that, risk evaluation and risk treatment
should be done, taking 1 week each. After that, risk assessment meetings should be held monthly, as
risk assessment is a cyclic process and new risks arrive every day.
• Scope of risk assessment: The scope depends on the organization of which the risk assessment
is being done. The scope decides what kind of information we need to protect.
• Asset inventory: Enumerating the organization's critical information assets.
• Threats: Identifying threats that exist to those assets.
• Vulnerabilities: Identifying vulnerabilities that, when combined with a threat, may create a risk
to the organization.
• Risk evaluation: After identifying risks to the organization and their owners, we must analyze
these risks using an appropriate methodology. Risks should be analyzed based on impact and
likelihood as decided by the organization. They should be quantified on a numeric scale such as
1-5 rather than in vague terms. Impact could be operational, legal, regulatory, etc. Likelihood
covers occurrence frequency, knowledge of threat vectors, etc. After settling on a method to
analyze risk, we move on to evaluating the risk score against our assets.
• Risk treatment: Risk treatment plans mainly include 4 types of methods:
  o Mitigation: Risk mitigation means dealing with risks by deploying appropriate controls.
  o Transfer: If a risk cannot be mitigated, it may be transferred to another party.
  o Acceptance: If the risk has a low or no impact on business activities, it can simply be
    accepted without applying any controls.
  o Avoidance: Some risks are never mitigated, or the cost of mitigating them is more than
    their worth; such risks are avoided.
• Version history: As risk assessment is a cyclic process, a proper version history will be maintained
for each risk assessment addition or meeting, reflecting the changes decided.
• Executive summary: This will include an overview of the risks highlighted and discussed, and other
matters, during each meeting or documentation update.

3.
At a minimum, the following should be invited to the risk assessment meeting:
• Project Manager: acts as the chairperson and facilitates the meeting
• Project Team: the project manager must assign members of the project team the roles of
recorder and timekeeper
• Key Stakeholders: those identified as likely to bring value to the identification of project risks
and/or mitigation and avoidance strategies
• Subject Matter Experts: those identified as specializing in a certain project activity who are
not formally assigned to the project but may add value
• Project Sponsor: may participate depending on the size and scope of the project
• Asset Owner: those who own the asset whose risk is under consideration.
• Although meeting times may vary, 2 to 3 hours is a good estimate depending on the project size.
• At the start, meetings have to be held regularly while we are developing our risk assessment
plan, but after that we may hold them once per month.

4.
Risk assessment introduction
Risk assessment is a term used to describe the overall process or method in which you:
• Identify risks and risk factors that have the potential to cause harm (risk identification).
• Analyze and evaluate the risk associated with those risk factors (risk analysis and evaluation).
• Determine appropriate ways to eliminate the risk, or to control the risk when it cannot be
eliminated (risk treatment).
The steps are necessary in this order because we always have to identify the issue first, then analyze
it, and finally apply some method for its treatment.

5.
The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the
collection and processing of personal information from individuals who live in the European Union (EU).
Since the Regulation applies regardless of where websites are based, it must be heeded by all sites that
attract European visitors, even if they do not specifically market goods or services to EU residents.

6.
Let’s start with our organization’s business context. Being a cloud service e-commerce provider, our
focus is protecting customer communication from eavesdropping, and ensuring the confidentiality of
customer data (orders, payments etc.) is an important priority. We will also ensure that their data is only
stored in the cloud within the EU and not outside the EU.
Let us see how we define our risk criteria. Any risk which allows customer data to be leaked or hampers
customers’ access to our services is considered unacceptable and must be dealt with at top priority. We
will score all our issues from 1-5, and since these are issues that will directly impact customer trust in the
organization they are scored 5. The issue of downtime of the organization’s 3rd-party vendor services
will only impact the brand reputation, and since no customer is directly affected by this it is considered
acceptable by the organization and is given a moderate score of 3.
Let’s identify the risks to the organization. We make an asset register based on our example case.

Asset                         Asset Type              Asset Owner
Employees                     People                  Organization Management
3rd party employees           People                  Vendor Company
Customer data                 Information and data    System team
Charging and billing system   Hardware and software   Card data handling company
Public website                Hardware and software   Vendor Company

Let’s identify and analyze risks against the assets shown above. A few risks against assets are written
below:
A. Employees accessing confidential customer data.
B. Charging and billing system service down which could lead to unavailability.
C. Public website taken offline or defaced would lead to customer not trusting the brand.
Now let’s analyze these risks:
A. The likelihood of employees accessing the data is 5 and the impact is 5, as they could misuse the data.
B. The charging and billing system service going down is unlikely to occur because of the presence of
backup servers, but if it is down its impact would be high for the organization. So, likelihood 2 and
impact 5.
C. The public website being hacked has a low likelihood because the vendor has ensured a secure network
architecture, but an insider threat at the vendor could raise it, so its likelihood is moderate, 3; and since
the company can accept the risk to its reputation but not to its customers, the impact is 1.
We evaluate the risks found above. Using the risk evaluation table, we evaluate and see where risks lie:

              5   .   .   .   .   A
              4   .   .   .   .   .
Likelihood    3   C   .   .   .   .
              2   .   .   .   .   B
              1   .   .   .   .   .
                  1   2   3   4   5
                          Impact

Having evaluated our risks, we can categorize them as:

A – HIGH
B – MODERATE
C – LOW
Risk A is high, so it should be mitigated by applying appropriate controls. Risk B is moderate, so any of the
4 methods from the risk treatment plan may work. C is low and acceptable to the organization.
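The scoring and evaluation described in point 2 (risk evaluation and the 4 treatment methods) and worked through for risks A, B and C above, as an added Python example that is not part of the original assignment: it encodes the organization’s risk criteria (customer data leakage or loss of customer access is unacceptable and forces impact 5), the 1-5 scales, the three risks with the scores the text assigns, and renders the likelihood x impact grid. The numeric bands (HIGH at score 15 or more, MODERATE at 6 or more, LOW otherwise) and the treatment wording are assumptions chosen to reproduce the page’s categorization.

```python
"""Risk register, scoring and evaluation for the e-commerce case (added example).

Scales, risk criteria, assets and the scores for risks A, B and C come from the
text; the HIGH/MODERATE bands and the treatment strings are assumptions.
"""
from dataclasses import dataclass

SCALE = range(1, 6)   # likelihood and impact are scored 1-5 in the text
HIGH_MIN = 15         # assumed band thresholds on likelihood x impact
MODERATE_MIN = 6

TREATMENT = {         # what the text says each level calls for
    "HIGH": "mitigate with appropriate controls",
    "MODERATE": "any of mitigate / transfer / accept / avoid",
    "LOW": "accept",
}


@dataclass
class Risk:
    ident: str
    description: str
    asset: str
    likelihood: int
    impact: int
    leaks_customer_data: bool = False
    blocks_customer_access: bool = False

    def __post_init__(self):
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError("likelihood and impact must be scored 1-5")
        # Risk criteria from the text: anything that leaks customer data or
        # hampers customer access is unacceptable, so impact is forced to 5.
        if self.leaks_customer_data or self.blocks_customer_access:
            self.impact = 5

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def level(self) -> str:
        if self.score >= HIGH_MIN:
            return "HIGH"
        if self.score >= MODERATE_MIN:
            return "MODERATE"
        return "LOW"


def example_register():
    """The three risks the text analyses, with the scores it assigns them."""
    return [
        Risk("A", "Employees accessing confidential customer data",
             "Customer data", likelihood=5, impact=5, leaks_customer_data=True),
        Risk("B", "Charging and billing system service down",
             "Charging and billing system", likelihood=2, impact=5,
             blocks_customer_access=True),
        Risk("C", "Public website taken offline or defaced",
             "Public website", likelihood=3, impact=1),
    ]


def evaluate(risks):
    """Map each risk id to (level, treatment), highest score first."""
    ordered = sorted(risks, key=lambda r: r.score, reverse=True)
    return {r.ident: (r.level, TREATMENT[r.level]) for r in ordered}


def matrix(risks) -> str:
    """Render the likelihood (rows, 5 on top) x impact (columns) grid as text."""
    cell = {(r.likelihood, r.impact): r.ident for r in risks}
    lines = [f"{lk} | " + " ".join(cell.get((lk, im), ".") for im in SCALE)
             for lk in reversed(SCALE)]
    lines.append("  +-----------")
    lines.append("    " + " ".join(str(im) for im in SCALE) + "   impact")
    return "\n".join(lines)
```

Calling `evaluate(example_register())` returns A as HIGH, B as MODERATE and C as LOW in that order, matching the categorization above.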

7.
Risk can be managed through risk treatment

Risk treatment
After carefully evaluating asset risks, we move on to the risk treatment plan. A risk treatment plan must
be made for each asset whose risk we evaluated. Risk treatment plans mainly include 4 types of
methods:
• Mitigation: Risk mitigation means dealing with risks by deploying appropriate controls from the
control list of the ISMS, e.g. ISO 27001 Annex A provides 14 control domains and 114 controls in
total for a wide range of scenarios to mitigate risks.
• Transfer: If a risk cannot be mitigated, it may be transferred to another party, e.g. if a website is
made by a 3rd-party vendor, any bugs or risks found would be their responsibility to fix.
• Acceptance: If the risk has a low or no impact on business activities, it can simply be accepted
without applying any controls.
• Avoidance: Some risks are never mitigated, or the cost of mitigating them is more than their
worth; such risks are avoided. For example, employees are not allowed to bring their own
devices, to avoid sensitive data leaking to the outside.

Question 3
1.
An incident of cryptojacking has happened in the organization. Cryptojacking is the unauthorized use of
someone else’s computer to mine cryptocurrency. Hackers do this either by getting the victim to click on
a malicious link in an email that loads crypto mining code on the computer, or by infecting a website or
online ad with JavaScript code that auto-executes once loaded in the victim’s browser. Either way, the
crypto mining code then works in the background as unsuspecting victims use their computers normally.
The only sign they might notice is slower performance or lags in execution.
Follow these steps to minimize the risk of the organization falling prey to cryptojacking:
• Incorporate the cryptojacking threat into your security awareness training, focusing on phishing-
type attempts to load scripts onto users’ computers.
• Install an ad-blocking or anti-cryptomining extension on web browsers.
• Patch your systems.
• Monitor for abnormal GPU and CPU usage.
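The last point, monitoring for abnormal CPU usage, as an added example that is not part of the original text: a check over constructed per-process CPU samples that flags any process staying above a threshold for several consecutive samples unless it is on an allowlist of known CPU-heavy processes. The sample lines, field names, threshold, window and allowlist are all constructed assumptions, and the samples are assumed to be in time order.

```python
"""Flag sustained high CPU use per process from periodic samples (added example).

Sample format, threshold, window and allowlist are constructed assumptions.
"""
from collections import defaultdict

CPU_THRESHOLD = 80.0     # percent of one core, assumed
SUSTAINED_SAMPLES = 3    # consecutive samples above threshold, assumed
# Processes expected to run hot for long periods on these hosts (assumed allowlist).
ALLOWLIST = {"backup-agent"}

# Constructed samples: one line per process per minute, in time order.
# pid 4388 is a browser renderer pegged at ~97% while the user is idle.
SAMPLES = """\
2024-05-01T09:00 host=ws17 pid=4321 name=chrome cpu=12.0
2024-05-01T09:00 host=ws17 pid=4388 name=chrome cpu=96.5
2024-05-01T09:00 host=ws17 pid=902 name=backup-agent cpu=91.0
2024-05-01T09:01 host=ws17 pid=4321 name=chrome cpu=9.0
2024-05-01T09:01 host=ws17 pid=4388 name=chrome cpu=98.0
2024-05-01T09:01 host=ws17 pid=902 name=backup-agent cpu=89.0
2024-05-01T09:02 host=ws17 pid=4388 name=chrome cpu=97.2
2024-05-01T09:02 host=ws17 pid=902 name=backup-agent cpu=93.0
2024-05-01T09:02 host=ws17 pid=5100 name=python cpu=85.0
2024-05-01T09:03 host=ws17 pid=5100 name=python cpu=5.0
"""


def parse(line):
    """Turn 'ts key=value ...' into a dict with typed pid and cpu."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = ts
    rec["pid"] = int(rec["pid"])
    rec["cpu"] = float(rec["cpu"])
    return rec


def find_sustained(text, threshold=CPU_THRESHOLD, window=SUSTAINED_SAMPLES):
    """Return {(host, pid, name): timestamp} for processes whose CPU stayed at or
    above `threshold` for `window` consecutive samples; the timestamp is the
    sample at which the run first reached `window`."""
    streak = defaultdict(int)   # consecutive hot samples per process
    hits = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        r = parse(line)
        if r["name"] in ALLOWLIST:
            continue
        key = (r["host"], r["pid"], r["name"])
        if r["cpu"] >= threshold:
            streak[key] += 1
            if streak[key] == window and key not in hits:
                hits[key] = r["ts"]
        else:
            streak[key] = 0     # a cool sample breaks the run
    return hits
```

A short spike such as the `python` process above is not reported; only the renderer that stays hot across the whole window is.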

2.
10 security-related activities to implement
• Introduce a vulnerability management solution to check for any unpatched and vulnerable
systems and services in the organization.
• Introduce continuous penetration assessment and red team exercises on assets to find out
whether applications or the network can be compromised.
• Introduce threat hunting activities to check whether any threat may have gained access to any asset.
• Regularly push security patches to all infrastructure services so they remain protected
against threats.
• Implement a proper security operations center to monitor logs for any suspicious activity.
• Manage user privileges so that no user can perform undesired actions on the network.
• Deploy malware prevention tools on user systems and on email servers to stop any
known malware.
• Properly implement removable media controls, or better yet, disallow removable media on
corporate systems.
• Adopt a continuous risk management plan in the company to mitigate newly identified threats
against assets in a timely manner.
• User education and awareness: users should be properly trained to avoid social engineering
attacks which may compromise their systems.

3.
Instructions for employees to protect the organization’s assets
The COVID-19 pandemic has resulted in many people Working from Home (WFH) for the first time, which
brings specific cyber security risks. Attackers are actively spreading malicious documents / applications /
phishing website links via emails and social media applications as COVID 19 pamphlets to spread rumors
and to trick victims into revealing sensitive personal and official information. Keeping in view the
emerging Information Security concerns during WFH, all of you are advised to be cautious and must
ensure the following cyber security practices:
DON'Ts
• Don't download and install any applications received via SMS / WhatsApp / Facebook messages
claiming to track the Corona Virus, except for applications officially approved by the
Government Agencies.
• Don't open emails with the following or similar subjects:
  o COVID 19 Supplies (Masks, Gloves & Other Products)
  o COVID 19 Pandemic Map
  o COVID 19 Effects / Symptoms
  o COVID 19 Online Diagnosis
  o COVID 19 - World Health Organization Report Tracker
• Don't open any website by clicking on links provided in SMS / WhatsApp / email messages from
suspicious or unknown users.
• Don't download, extract or open any attachments from suspicious or unknown emails having file
extensions like .exe, .vbs, .bat, .ini, .bin, .com, .pif, .zzx etc.
• Don't close web browsers without properly logging out and deleting the browser's cache, passwords
and usage history.
• Don't enable Macros or Editing on MS Office-based documents that say "Enable Macros" or "Enable
Editing".
• Don't use random portable storage devices with official laptops / desktops, such as USB sticks,
memory cards or external hard drives.
• Don't accept / enter any security code received on WhatsApp or SMS to verify your number.
• Don't enter any type of code received from friends or numbers in your contact list.
• Don't receive any international calls (in case you accidentally entered the code) until you are fully sure.
DO's
• Be vigilant and exercise critical thinking when you receive any phone calls, SMS, or emails pertinent to
COVID 19.
• Be wary of any requests for personal details, passwords, or bank details, particularly if the message
conveys a sense of urgency.
• Exercise extra caution in opening email messages or attachments, or clicking on links, from unknown
senders.
• If you are not using the official VPN connectivity regularly, please connect the VPN client to the
organization’s network at least twice a week for 3 to 4 hours each time to keep the Operating System
and antivirus software up to date.
• Actively monitor the participants during online official meetings via Skype for Business or other online
meeting software to avoid unwanted intrusions by malicious users.
• In case of any Information Security incident or clarification, please immediately contact the IT
Information Security team through email.

4.
Additional controls
• Deploy proper access controls for each service on the network.
• Use token-based authentication for critical VPN services which connect to the organization’s
network.
• Segment the network to separate and secure access to services.
• Introduce security into the software development life cycle so that vulnerabilities are mitigated
before the product is deployed.
• Provide all security employees with technical training.
• Use PAM solutions for resources accessing critical servers so that their activity on the servers
can be monitored.
• Use phishing simulators to test employees’ security awareness training.

All of these additional points, when combined with those discussed above, will help improve the
overall security posture of the organization.
