Question

Through this real-world project you will first select a particular industry (verticals may include financial, retail,...

Through this real-world project you will first select a particular industry (verticals may include financial, retail, education, manufacturing, e-commerce, entertainment, government, etc.) that is of interest to you. Your chief security officer (CSO) has given you the assignment of investigating serious risks to your organization's data assets. To educate senior managers and board of directors, you are tasked to research, document, and explain at least two administrative, two physical, and three technical vulnerabilities to the enterprise data assets. You are also required to recommend security controls that would enhance the overall security posture of your organization.

Answer #1

Answer:-

two physical problems:-

1. Attaining enterprise asset transparency

In many organisations, the asset infrastructure is highly complex, as assets are spread throughout locations, departments and databases, which makes it difficult to achieve a complete view. This causes a lack of visibility, which prevents organisations from being able to readily answer questions like: “What is the current condition of our assets that are supporting this business process? Who is using them? Where are they located?”

However, without that asset transparency, critical information such as asset delivery, storage, forecasting and stock levels can all be easily missed, resulting in delayed workflows, higher costs, unsatisfied customers and missing or misplaced goods.

2. Relating assets across business applications

Increasingly, assets need to be related to each other in sometimes complex ways. These complex relationships require modelling which is difficult to deliver using a traditional asset management system or asset registry approach.

For example, managers of safety and environmental procedures may have roles that cross existing asset management system boundaries. In this scenario, managing assets would require the ability to identify all the use cases and purposes applicable. This can be difficult as today’s asset management tools tend to be siloed to particular applications.

three technical vulnerabilities to the enterprise data assets:-

  • Data loss. Theft of trade secrets could cause you to lose business to your competitors. Theft of customer information could result in loss of trust and customer attrition.
  • System or application downtime. If a system fails to perform its primary function, customers may be unable to place orders, employees may be unable to do their jobs or communicate, and so on.
  • Legal consequences. If somebody steals data from one of your databases, even if that data is not particularly valuable, you can incur fines and other legal costs because you failed to comply with the data protection security requirements of HIPAA, PCI DSS or other compliance

security controls that would enhance the overall security posture of your organization.

  1. Figure out what’s critical to your business

Businesses are as different as people, and all have different things to protect. Take a close look at what really matters for your business and how it aligns with your overall business objectives and functions.

  • intellectual property
  • financial data
  • patient information
  • critical business functions etc.

Bottom line: If you don’t know what you are dealing with, you won’t be able to protect it.

  2. Prioritize what you need to protect

Not all assets are created equal. Make sure that your most critical assets are identified and protected adequately.

You should prioritize securing important assets, but may not need to implement complex cybersecurity measures for less important assets. It will all depend on what you identify as important to continuing to run your business successfully and with minimal disruption.

  3. Determine your risk appetite

Depending on their strategic objectives, businesses are willing to take different amounts of risk.

Figure out how much risk you’re willing to take to reach your goals, and where you should be rather conservative. Remember to review your risk appetite as your strategy changes and adjust it if needed.

  4. Implement a cybersecurity framework

Now that you’ve defined your critical assets and risk appetite, it’s time to put in place a cybersecurity framework to:

  • align your cybersecurity initiatives across the organization,
  • improve your security and infrastructure resilience, and
  • make sure that your cybersecurity risk management processes deliver measurable value.

A cybersecurity framework includes policies, processes, standards and guidelines. Have a close look at your business context and security requirements before deciding which cybersecurity framework makes most sense to follow.

  5. Assess if your cybersecurity controls are mature enough

Do you have cybersecurity safeguards and controls in place, e.g. the CIS 20 Critical Security Controls or ISO27001?

  • Yes: you need to find out how mature these controls are, if there are gaps in your controls and what you need to do to address these gaps.
  • No: you need to find out which controls are useful to implement for your business, and how you can do so.

Assessing the maturity of your cybersecurity controls is not only critical to protect your business, but also to maximize your ROI and legitimize your security spending for upcoming years.

  6. Find out if you’re exposed to threats & vulnerabilities

You can only have a good cybersecurity posture if you manage your threats and vulnerabilities proactively and effectively. Some of today’s most common cyberthreats include:

  • Ransomware
  • DoS/DDoS attacks
  • Social engineering
  • Malware
  • SPAM
  • Data leakage/insider theft

You’ll need to find out if and to what extent your critical data and functions are exposed on the internet and exposed to attacks, then implement suitable security measures to protect your business from becoming a victim.
