Legal hold or litigation hold
A notice that informs an organization that it must preserve data and records that might otherwise be destroyed or modified in the course of its normal operations.
Backups, paper documents, and electronic files of all sorts must be preserved.
E-discovery
Discovery is the process that allows each side of a legal case to obtain evidence from each other and from other parties involved in the case; e-discovery is simply the electronic discovery process.
Electronic Discovery Reference Model (EDRM)
A foundational framework for managing digital information throughout its lifecycle, crucial in cybersecurity for handling data from creation to potential litigation, outlining stages such as information governance, identification, preservation, collection, processing, review, analysis, production, and presentation.
The EDRM uses nine stages to describe the discovery process:
information governance
identification of electronically stored information
preservation of the information to ensure that it hasn't changed
collection of the information
processing of the data to remove unneeded or irrelevant information
review of the data to ensure it only contains what it's supposed to
analysis of the information to identify key elements
production of the data to provide the information to third parties
presentation of the data
Cloud vendors
provide services to many customers and will not permit you to place an intrusive legal hold or discovery agent in their cloud service.
Order of volatility
documents which data is most likely to be lost due to system operations or normal procedures.
Chain of custody
forms are simple sign-off and documentation forms.
Admissibility
of original forensic evidence requires that the data be intact and unaltered, or that it has provably remained unaltered before and during the forensic process.
checksum
is a small, fixed-size value (a "digital fingerprint") calculated from data, used to verify data integrity by detecting accidental changes or malicious tampering during storage or transmission
Write blockers
allow a drive image to be read and accessed without allowing any writes to it.
Forensic suites
are complete forensic solutions designed to support forensic data acquisition, analysis, and reporting.
Forensic acquisition
is the process of identifying, collecting, and preserving digital evidence from electronic devices
Prevention
in forensics focuses on stopping security incidents before they happen and minimizing the risk of evidence loss. It’s part of the broader security lifecycle that includes prevention, detection, response, and recovery
Reporting in forensics
For a solid forensic case report:
Start with a title page.
Create a detailed table of contents.
Write a concise case summary.
List and explain all evidence.
State clear objectives.
Outline investigation steps.
Mention analysis tools.
Present key findings.
Governance programs
are sets of procedures and controls put in place to allow an organization to effectively direct its work
Corporate governance programs
ensure that the organization sets an appropriate strategic direction, develops a plan to implement that strategy, and then executes its strategic plan.
Board of directors
a group of individuals elected by the owners to direct the actions of the corporation on their behalf; the board has ultimate authority over the organization as the owners' representatives.
Independent directors
meaning they have no significant relationship with the company other than their board membership
CEO
manages the company
Governance, risk, and compliance (GRC)
programs carry out the work of governance through the creation and implementation of the governance program's procedures and controls.
GRC integrates three related tasks:
governance of the organization
risk management
compliance
There are two major categories of governance structure:
centralized governance models
decentralized governance models
Centralized governance models
use a top-down approach where a central authority creates policies and standards, which are then enforced throughout the organization.
Decentralized governance models
use a bottom-up approach where individual business units are delegated the authority to achieve cybersecurity objectives and may do so in the manner they see fit.
Information security policy framework
contains a series of documents designed to describe the organization's cybersecurity program, beginning with an information security policy that provides high-level authority and guidance for the security program.
Policies
are high-level statements of management intent; compliance with policies is mandatory.
Organizations
commonly include the following documents in their information security policy library:
information security policy
incident response policy
acceptable use policy (AUP)
business continuity and disaster recovery policies
software development life cycle (SDLC) policy
change management and change control policies
Incident response plan
describes how the organization will respond to security incidents.
Acceptable use policy
provides network and system users with clear direction on permissible uses of information resources.
Business continuity and disaster recovery policy
outlines the procedures and strategies to ensure that essential business functions continue to operate during and after a disaster.
Software development life cycle (SDLC) policy
establishes the processes and standards for developing software.
Change management and change control policy
describes how the organization will review, approve, and implement proposed changes to information systems.
Standards
provide mandatory requirements describing how an organization will carry out its information security policies.
There are four types of standards:
password standards
Access Control standards
physical security standards
encryption standards
Password standards
set forth requirements for password length, complexity, reuse, and similar issues.
Access control standards
describe the account life cycle from provisioning through active use and decommissioning.
Physical security standards
establish the guidelines for securing the physical premises and assets of the organization.
Encryption standards
specify the requirements for encrypting data both in transit and at rest.
Procedures
are detailed, step-by-step processes that individuals and organizations must follow in specific circumstances; they ensure a consistent process for achieving a security objective.
Organizations
commonly include the following procedures in their policy frameworks:
change management procedures
onboarding and offboarding procedures
playbooks
Change management procedures
describe how the organization will perform change management activities that comply with the organization's change management policy, including the possible use of version control and other tools.
Onboarding and offboarding procedures
describe how the organization will add new user accounts as employees join the organization and how those accounts will be removed when no longer needed.
Playbooks
describe the actions that the organization's incident response team will take when specific types of incidents occur.
Guidelines
provide best practices and recommendations related to a given concept, technology, or task.
The document begins with a purpose section that outlines three goals of the guideline:
help agencies determine if, and to what extent, their agency will implement and rely on electronic records and electronic signatures
provide agencies with information they can use to establish policy or rules governing their use and acceptance of digital signatures
provide direction to agencies for sharing their policies with the Office of the Chief Information Officer
Enterprise risk management (ERM)
Under an ERM program, organizations take a formal approach to risk analysis that begins with identifying risks, continues with determining the severity of each risk, and results in adopting one or more risk management strategies to address each risk.
Risk management
is the process of systematically addressing the risks facing an organization.
Threats
are any possible events that might have an adverse impact on the confidentiality, integrity, or availability of our information or information systems.
Vulnerabilities
are weaknesses in our systems or controls that could be exploited by a threat.
Risks occur
at the intersection of a vulnerability and a threat that might exploit that vulnerability.
Risk identification
is the process of identifying the threats and vulnerabilities that exist in your operating environment.
External risks
are those risks that originate from a source outside the organization; this is an extremely broad category of risk, including adversaries, malicious code, and natural disasters.
Internal risks
are those risks that originate from within the organization; they include malicious insiders, mistakes made by unauthorized users, equipment failure, and similar risks.
Multi-party risks
are those that impact more than one organization.
Legacy systems
pose a unique type of risk to organizations; these outdated systems often do not receive security updates, and cybersecurity officials must take extraordinary measures to protect them.
Intellectual property (IP) theft risk
occurs when a company possesses trade secrets or other proprietary information that, if disclosed, could compromise the organization's business advantage.
Software compliance/licensing risks
occur when an organization licenses software from a vendor and intentionally or accidentally runs afoul of usage limitations that expose the customer to financial and legal risk.
Risk assessment
a systematic process to identify potential hazards, analyze their likelihood and potential impact, and then prioritize actions to mitigate or control them
High risk assessments
are conducted in response to a specific event or situation, such as a new project, a technology implementation, or a significant change in the business environment.
Recurring assessments
are performed at regular intervals, such as annually or quarterly; these assessments are meant to track the evolution of risk over time, monitor changes in the risk profile, and ensure that risk management practices are adapting to new threats and vulnerabilities.
Continuous risk assessments
involve ongoing monitoring and analysis of risk; these can include automated systems that constantly scan for new threats or changes in the risk environment.
Risk analysis
is a formalized approach to risk prioritization that allows organizations to conduct their reviews in a structured manner.
Quantitative risk analysis
uses numeric data in the analysis, resulting in assessments that allow the very straightforward prioritization of risks.
Qualitative risk analysis
substitutes subjective judgments and categories for strict numerical analysis, allowing the assessment of risks that are difficult to quantify.
Annualized rate of occurrence (ARO)
the number of times the risk is expected to occur each year.
Asset value (AV)
is expressed in dollars or other currency and may be determined using the cost to acquire the asset.
Exposure factor (EF)
is expressed as the percentage of the asset expected to be damaged.
Single loss expectancy (SLE)
is the amount of financial damage expected each time a risk materializes.
Annual loss expectancy (ALE)
is the amount of damage expected from a risk each year.
Risk mitigation
is the process of applying security controls to reduce the probability and/or magnitude of a risk; it is the most common risk management strategy.
Risk avoidance
is a risk management strategy where we change our business practices to completely eliminate the potential that a risk will materialize.
Risk transference
shifts some of the impact of a risk from the organization experiencing the risk to another entity; the most common example is purchasing an insurance policy that covers the risk.
Risk acceptance
is the final risk management strategy, and it boils down to deliberately choosing to take no other risk management strategy and simply continuing operations as normal in the face of the risk.
Exemptions are similar to exceptions
but are generally more formal.
Inherent risk facing an organization is the original level of risk that exists before implementing any controls.
Residual risk
is the risk that remains after the organization implements controls designed to mitigate, avoid, and/or transfer the inherent risk.
Risk appetite
is the level of risk that an organization is willing to accept as a cost of doing business.
Risk threshold
is a specific level at which a risk becomes unacceptable.
Risk tolerance
is the ability to withstand risk and continue operations without any significant impact.
Key risk indicators (KRI)
are metrics used to measure and provide early warning signals for increasing levels of risk.
Risk owner
is an individual who is responsible for managing and monitoring a risk.
Expansionary risk appetite
organizations with an expansionary risk appetite are willing to take on higher levels of risk in the pursuit of potentially higher rewards.
Neutral risk appetite
organizations with a neutral risk appetite take a balanced approach; they are willing to take on moderate levels of risk to achieve steady growth and returns.
Conservative risk appetite
organizations with a conservative risk appetite tend to avoid high risk and focus on maintaining stability and protecting existing assets.
Risk matrix or heat map
a visual tool that plots the likelihood (probability) of a threat occurring against its potential impact (severity) on an organization.
Risk reporting
is an essential component of the risk management process that involves communicating the status and evolution of risks to stakeholders within the organization.
Regular updates (routine reports)
provide stakeholders with the status of risks, the effectiveness of controls, and any recent changes or developments.
Dashboard reporting
uses visual aids like graphics and charts to summarize risk data, usually in real time.
Ad hoc
creating security measures "as needed" for temporary, direct device-to-device (peer-to-peer) wireless connections,
Trend analysis
this reporting form involves analyzing historical data to identify patterns or trends in the risks faced by the organization.
Risk event reports
focus on documenting specific risk events, such as security breaches or incidents, their impacts, and the response taken.
Disaster recovery planning (DRP)
is the discipline of developing plans to recover operations as quickly as possible in the face of a disaster.
Business impact analysis (BIA)
is the formal process designed to identify the mission-essential functions within an organization and facilitate the identification of the critical systems that support those functions.
Mean time between failures (MTBF)
is a measure of the reliability of a system; it is the expected amount of time that will elapse between system failures.
Mean time to repair (MTTR)
is the average amount of time needed to restore a system to its normal operating state after a failure.
Recovery time objective (RTO)
is the amount of time that the organization can tolerate a system being down before it is repaired.
Recovery point objective (RPO)
is the amount of data that the organization can tolerate losing during an outage.
Single point of failure (SPOF)
is any component in a system (physical, software, or process) whose failure causes the entire system to stop working, usually because there is no backup or redundant part to take over.
Personally identifiable information (PII)
includes any information that uniquely identifies an individual person, including customers, employees, or third parties.
Protected health information (PHI)
includes medical records maintained by healthcare providers.
Financial information
includes any personal financial records maintained by the organization.