of revenue and value.

However, it can also be a complex and challenging process, as it often

requires the adoption of new technologies, the overhaul of existing systems and processes,
and the development of new skills and capabilities.

Cyber Security
Information security and cybersecurity are often used interchangeably, but they do have some
distinct differences. Information security is the practice of protecting information and
information systems from unauthorized access, use, disclosure, disruption, modification, or
destruction. It involves protecting the confidentiality, integrity, and availability of data and
systems, and it is concerned with protecting against a wide range of threats such as natural
disasters, human error, and intentional attacks.

Cybersecurity, on the other hand, specifically focuses on protecting against digital threats such
as malware, ransomware, phishing attacks, and hacking. It involves the use of technologies,
processes, and policies to secure networks, devices, and data from these threats. While
cybersecurity is a subset of information security, it tends to be more focused on the digital
aspects of information protection.

In summary, information security is a broad term that covers the protection of all types of
information and systems, while cybersecurity specifically focuses on the protection of
computer systems and networks from digital threats.

Cyber Security Awareness

Cybersecurity awareness refers to the knowledge and understanding that individuals and
organizations have about potential cyber threats and the measures that can be taken to
protect against them. Cybersecurity awareness is important because it can help individuals
and organizations to recognize and respond to potential cyber threats and prevent attacks
from being successful.

Some key elements of cybersecurity awareness include:

• Understanding common cyber threats: This includes understanding the types of

attacks and tactics that cybercriminals may use, such as phishing scams, malware, and
ransomware.

10
 • Knowing how to protect against cyber threats: This includes taking steps such as using
strong passwords, keeping software and security protocols up to date, and being
cautious when opening emails or clicking on links.
• Understanding the importance of secure online behavior: This includes being aware
of the risks of sharing personal information online or using insecure networks and
taking steps to protect personal and sensitive data.

Overall, cybersecurity awareness is a critical component of protecting against cyber threats

and maintaining the security and integrity of information systems. By understanding and
following best practices for cybersecurity, individuals and organizations can significantly
reduce the risk of cyber-attacks.

Crown Jewels
The crown jewels approach is a cybersecurity strategy that involves identifying and protecting
the most valuable or critical assets within an organization's information systems. These assets,
which are often referred to as the "crown jewels," may include sensitive data, such as
customer or financial information, or critical systems, such as servers or networks.

The goal of the crown jewels approach is to prioritize the protection of these valuable assets,
as they are considered to be the most important and most at risk. To implement this approach,
organizations typically identify their crown jewels and then implement security measures
specifically designed to protect them. This may include measures such as encryption, access
controls, and monitoring.

The crown jewels approach is often used in conjunction with other cybersecurity strategies,
such as risk management and defense in depth. By identifying and prioritizing the protection
of their most valuable assets, organizations can better protect themselves against cyber
threats and minimize the potential impact of a security breach.

Data Protection
Data protection refers to the processes and measures that organizations and individuals use
to protect their data from unauthorized access, use, disclosure, disruption, modification, or

11
destruction. It involves protecting the confidentiality, integrity, and availability of data, and it
is concerned with ensuring that only authorized users can access and use the data.

There are many different types of data that need to be protected, including personal data,
financial data, and business-critical data. Data protection is important because data is often a
valuable asset that needs to be protected from various threats such as hackers, malware, and
natural disasters.

To protect data, organizations and individuals use a variety of measures such as encryption,
access controls, and backup and recovery systems. They may also implement security policies
and procedures, train employees on data protection best practices, and regularly update and
patch their systems to protect against known vulnerabilities. In addition, there are various
laws and regulations that organizations must comply with to protect personal data, such as
the General Data Protection Regulation (GDPR) in the European Union and the California
Consumer Privacy Act (CCPA) in the United States.

Private Information
PII, PPI, PHI, and PCI are all acronyms that refer to different types of sensitive information.
Here is a brief explanation of each:

• PII, or Personally Identifiable Information, refers to any information that can be used
to identify an individual, such as a name, address, or social security number.
• PPI, or Personally Protected Information, is a term used in the European Union to refer
to information that is considered sensitive and requires special protection. This
includes information such as racial or ethnic origin, political opinions, and health data.
• PHI, or Protected Health Information, refers to any information that relates to an
individual's health or medical history. HIPAA (the Health Insurance Portability and
Accountability Act) requires that this information be protected from unauthorized
disclosure.
• PCI, or Payment Card Industry, refers to a set of security standards that apply to
organizations that handle credit card or other payment card information. The PCI Data
Security Standard (PCI DSS) specifies requirements for protecting this information
from unauthorized access or disclosure.

12
Overall, these acronyms refer to different types of sensitive information that require special
protection due to the potential consequences of a breach or unauthorized disclosure.

CIA Model
The C.I.A. (Confidentiality, Integrity, and Availability) model is a framework that is used to
evaluate the security of a computer system. It consists of three main components:

• Confidentiality: This refers to the protection of sensitive information from

unauthorized access or disclosure.
• Integrity: This refers to the protection of data from unauthorized modification or
tampering.
• Availability: This refers to the ability of authorized users to access the system and its
resources as needed.

The C.I.A. model is often used by organizations to ensure that their systems and data are
secure, and to identify and address any vulnerabilities that may exist. It is also used by
cybersecurity professionals to assess the overall security of a system and to develop strategies
for improving security.

Layers-of-defense
The layers-of-defense model in cybersecurity is a framework that is used to create a multi-
layered approach to protecting computer systems and networks from cyber threats. It
involves the use of multiple defenses, or layers, to protect against different types of threats
at different points in the system.

The layers-of-defense model typically consists of three main layers:

• Prevention: This layer focuses on preventing attacks from occurring in the first place.
It includes measures such as firewalls, antivirus software, and intrusion prevention
systems (IPS).
• Detection: This layer is designed to detect attacks that have managed to bypass the
prevention layer. It includes measures such as network monitoring, intrusion
detection systems (IDS), and security information and event management (SIEM)
systems.

13
 • Response: This layer is activated when an attack is detected and is designed to contain
and mitigate the damage caused by the attack. It includes measures such as incident
response plans, backup and recovery systems, and security incident management
processes.

The layers-of-defense model is a useful framework for organizations to use when building a
robust cybersecurity strategy. By using multiple layers of defense, organizations can better
protect against a wide range of threats and improve the overall security of their systems and
data.

Defense in-depth
The defense-in-depth approach is a strategy for protecting an organization's assets against
security threats. It involves implementing multiple layers of security controls to create a multi-
faceted defense system.

The idea behind defense in depth is to create a system that is resilient and able to withstand
attacks even if one layer of security fails. Each layer of security is designed to protect against
a specific type of threat, and the layers work together to provide comprehensive protection.

Examples of security controls that might be included in a defense-in-depth approach include:

• Network security controls, such as firewalls, intrusion prevention systems (IPS), and
virtual private networks (VPNs)
• Access controls, such as user authentication and authorization systems
• Data security controls, such as encryption, data loss prevention (DLP), and data
backup and recovery systems
• Physical security controls, such as access control systems, security cameras, and alarm
systems
• Application security controls, such as input validation, secure coding practices, and
application firewalls

By implementing a defense-in-depth approach, organizations can reduce the risk of a

successful attack and protect their assets even if one layer of security is compromised.

14
Assume Breach
The assume breach model is a cybersecurity approach that assumes that an organization's
systems and data have already been compromised and focuses on detecting and responding
to the breach rather than trying to prevent it.

Under the assume breach model, organizations continuously monitor their systems and
networks for signs of a breach, and they have processes in place to quickly detect, contain,
and respond to any breach that occurs. This includes measures such as network monitoring,
intrusion detection systems (IDS), and security incident management processes.

The assume breach model is based on the idea that it is not always possible to completely
prevent a breach from occurring, so it is important to be prepared to respond to one if it does
happen. It is particularly useful for organizations that are at high risk of a breach, such as those
that handle sensitive data or those that are targeted by advanced persistent threats (APTs).

By adopting the assume breach model, organizations can improve their ability to detect and
respond to breaches, which can help to minimize the impact of a breach and prevent further
damage.

15
 CHAPTER 2

INFORMATION SECURITY
STANDARDS

16
NIST
The National Institute of Standards and Technology (NIST) is a non-regulatory agency of the
United States Department of Commerce that is responsible for promoting innovation and
industrial competitiveness by advancing measurement science, standards, and technology.

NIST conducts research and development in a wide range of areas, including information
technology, engineering, and physical sciences. It also develops standards, guidelines, and
best practices for a variety of industries and sectors, including cybersecurity.

In the cybersecurity field, NIST is best known for its NIST Cybersecurity Framework (CSF),
which is a set of guidelines and standards that organizations can use to assess and improve
their cybersecurity posture. The CSF provides a common language and framework for
understanding and managing cybersecurity risks, and it is widely used by organizations in the
public and private sectors.

NIST also plays a role in responding to cybersecurity incidents and working with other
government agencies to develop and implement cybersecurity policies and practices. Overall,
NIST is a key player in the cybersecurity field and its work helps to improve the security and
resilience of computer systems and networks.

NIST CSF
The NIST Cybersecurity Framework (CSF) is a set of guidelines and standards published by the
National Institute of Standards and Technology (NIST) to help organizations improve their
cybersecurity posture. The CSF provides a common language and framework for
understanding and managing cybersecurity risks, and it is widely used by organizations in the
public and private sectors.

The CSF is organized into five core functions:

Identify: This function involves identifying and prioritizing the assets, systems, and data that
need to be protected, as well as the threats and vulnerabilities that could potentially
compromise them.

• Protect: This function involves implementing controls and measures to prevent,

detect, and mitigate cyber threats. It includes measures such as firewalls, antivirus
software, and intrusion prevention systems.

17
 • Detect: This function involves continuously monitoring systems and networks for
signs of a breach and having processes in place to quickly detect and respond to any
breach that occurs. It includes measures such as network monitoring, intrusion
detection systems (IDS), and security information and event management (SIEM)
systems.
• Respond: This function involves having a plan in place to respond to a breach and
taking steps to contain and mitigate the damage caused by the breach. It includes
measures such as incident response plans, backup and recovery systems, and security
incident management processes.
• Recover: This function involves restoring systems and data to a secure state after a
breach has occurred and implementing measures to prevent similar breaches from
happening in the future.

The CSF is designed to be flexible and adaptable, and it can be customized to fit the needs of
different organizations. It provides a roadmap for improving cybersecurity and helps
organizations to better understand and manage their cybersecurity risks.

NIST SP800-53
NIST 800-53 is a security and privacy control standard published by the National Institute of
Standards and Technology (NIST). It provides a set of recommended security controls that
organizations can use to protect their information systems and data from cyber threats.

NIST 800-53 is organized into a set of control families, each of which addresses a specific
aspect of information security. The control families include:

1. Access Control: Controls to ensure that only authorized users can access systems and
data.
2. Awareness and Training: Controls to educate users about security risks and best
practices.
3. Auditing and Accountability: Controls to track and monitor user activity and detect
security breaches.
4. Certification, Accreditation, and Security Assessment: Controls to assess the security
of systems and ensure that they meet security standards.
5. Configuration Management: Controls to manage the configuration of systems and
ensure that they are secure.

18
 6. Contingency Planning: Controls to ensure that systems and data are protected in case
of a disaster or other emergency.
7. Identification and Authentication: Controls to verify the identity of users and ensure
that only authorized users can access systems and data.
8. Incident Response: Controls to plan for and respond to security incidents.
9. Maintenance: Controls to ensure that systems are properly maintained and secured.
10. Media Protection: Controls to protect removable media and other storage devices
from unauthorized access or tampering.
11. Physical and Environmental Protection: Controls to protect systems and data from
physical threats such as fire, flood, and theft.
12. Planning: Controls to ensure that security is integrated into the planning process for
new systems and projects.
13. Personnel Security: Controls to ensure that only suitable individuals have access to
sensitive information.
14. Risk Assessment: Controls to assess and manage security risks.
15. Security Assessment and Testing: Controls to test the security of systems and ensure
that they are secure.
16. System and Communications Protection: Controls to protect systems and
communications from cyber threats.
17. System and Information Integrity: Controls to ensure the integrity of systems and
data.

NIST 800-53 is used by many organizations in the public and private sectors to assess and
improve their cybersecurity posture. It is widely considered to be a comprehensive and
effective set of security controls for protecting information systems and data.

ISO/IEC 2700x
The ISO/IEC 2700x series is a set of international standards published by the International
Organization for Standardization (ISO) and the International Electrotechnical Commission
(IEC) that provide guidelines and best practices for information security management. The
series consists of several individual standards, each of which addresses a specific aspect of
information security.

19