18. Exercise: Identifying Systems and Associated Risks
Review the list of organizational systems and controls below, then complete the matching exercise, in which you pair each system or control with a cybersecurity risk that could be associated with it.
Data Warehouse/Data Lake - System used for storing organizational data which can be used to develop operational insights. It may contain sensitive data.
Firewall - Blocks or allows inbound and outbound traffic from one network segment to another or from a network segment(s) to external resources.
Cloud-based file sharing - Software-as-a-Service (SaaS) based system used to share files throughout an organization.
Multifactor authentication (MFA) - System requiring users to provide 2 or more authentication factors prior to gaining access to organizational resources.
Information security policy - Policy stating how information security is executed broadly throughout the organization.
Acceptable use policy - Policy stating how an organization's end-users can and cannot interact with an organization's information technology resources and data.
Email - System for exchanging electronic mail.
HR System - System for storing employee information and tracking the employee's journey during their time at an organization.
Full Disk Encryption - System for encrypting IT resources' hard disks - usually deployed on end-user assets such as laptops.
Customer Relationship Management (CRM) - System designed to assist organizations in maintaining accurate customer details and enable communication.
Risk Matching Exercise

QUIZ QUESTION:
Reference the list above and match the following risk statements to the appropriate organizational system or control.

ANSWER CHOICES:

| Risk Statements | Systems and Controls |
|---|---|
| Stored data, including sensitive information, is encrypted using a weak cipher, which may allow unpermitted access to the data. | |
| There is no policy section that specifically sets service level agreements (SLAs) for remediation of vulnerabilities (e.g. 30 days for high risk), which may allow vulnerabilities to remain unremediated. | |
| No standard method exists for preventing sensitive data from being emailed, which may allow data leakage. | |
| Egress traffic rules are not continuously monitored, which may allow unplanned changes to occur and permit unauthorized network access. | |
| Files and folders in the SaaS file sharing platform are not encrypted, which may cause data leakage or unauthorized access. | |
SOLUTION:

| Risk Statements | Systems and Controls |
|---|---|
| Files and folders in the SaaS file sharing platform are not encrypted, which may cause data leakage or unauthorized access. | |
| Egress traffic rules are not continuously monitored, which may allow unplanned changes to occur and permit unauthorized network access. | |
| There is no policy section that specifically sets service level agreements (SLAs) for remediation of vulnerabilities (e.g. 30 days for high risk), which may allow vulnerabilities to remain unremediated. | |
| Stored data, including sensitive information, is encrypted using a weak cipher, which may allow unpermitted access to the data. | |
| No standard method exists for preventing sensitive data from being emailed, which may allow data leakage. | |
Risk Matching Exercise Part II

QUIZ QUESTION:
Reference the list above and match the following risk statements to the appropriate organizational system or control.

ANSWER CHOICES:

| Risk Statements | Systems and Controls |
|---|---|
| No policy exists that prohibits users from emailing sensitive data in an unencrypted format, which may allow data leakage. | |
| Users are able to log in to the organization's virtual private network (VPN) using only a username and password, which may allow unauthorized network access. | |
| Access to employee data is not logged, which may allow unauthorized access to user data to go unnoticed. | |
| The status of disk encryption is not monitored on a regular schedule, which may allow laptops to go unencrypted without notice and potentially cause data leakage. | |
SOLUTION:

| Risk Statements | Systems and Controls |
|---|---|
| Access to employee data is not logged, which may allow unauthorized access to user data to go unnoticed. | |
| Users are able to log in to the organization's virtual private network (VPN) using only a username and password, which may allow unauthorized network access. | |
| No policy exists that prohibits users from emailing sensitive data in an unencrypted format, which may allow data leakage. | |
| The status of disk encryption is not monitored on a regular schedule, which may allow laptops to go unencrypted without notice and potentially cause data leakage. | |