Week 3 - Tutorial

The document discusses two tasks related to applying a three-level control model of cybersecurity governance. Task 1 involves explaining the differences and relationships between cybersecurity policy and strategy. Task 2 involves applying the model to data privacy requirements and analyzing how the requirements impact the governance blocks of the model.

Uploaded by Yao Xia Li

RMIT Classification: Trusted

INTE2585: Introduction to Cybersecurity Governance


Week 3 – Tutorial Activity
Task 1: Differences and similarities
The building blocks of policy and strategy are going to be explored in detail in Weeks 4 and 5, but for now, let's do some early thinking about the relationship between the two.

Imagine you're approached by a colleague who is completely baffled by what these building blocks of policy and strategy mean. How would you explain what they are and their relationships to one another?

Using what you have learned so far, along with some basic Google searches, come up with a quick visual, such as a sketch, table or diagram, that explains what policy and strategy are, how they relate, and how they're different.

Task 2: Proactive approaches using the three-level control model


The three-level control model can have a proactive impact on security governance. The proactive approach analyses a specific domain (e.g., cybersecurity) from the viewpoint of all the model building blocks. Let's apply the model to data privacy using the European General Data Protection Regulation (GDPR) requirements impacting information security. The GDPR recommendations on the protection of personal data that may impact IS or an ISMS are listed as follows:

1. Personal data identification, categorization, and classification
2. Inventory of personal data
3. Measures to protect personal data
4. Data protection by design
5. Organization and responsibilities in data protection
6. Risk management related to personal data
7. Liability of third parties
8. Incident management

Based on these requirements, mandatory cybersecurity controls can be set up in all of the levels of the governance control blocks. This makes it easier
to plan the involvement of different profiles in the compliance project. How do these GDPR requirements affect each governance and management
block? The first row has been done as an example for you.
Block | Task | Responsibility
Cybersecurity strategy | Review the security strategy to include privacy requirements: suppliers, outsourcing, data transmission | Board of Directors, Senior Management
Cybersecurity strategy | Define the risk appetite for data privacy | Board of Directors, Senior Management
Policies | Develop a personal data privacy policy or adapt existing data protection or security policies |
Policies | Include the definition of personal data, classification, categorisation, and special categories of personal data (e.g. sensitive data) |
Policies | Specify what personally identifiable information (PII) is being processed |
Policies | Have written standards specifying minimum protection according to data classification, categorisation, and context (data at rest, in transit, end-user access, transfer, mobility, etc.) |
Policies | Review and update the HR policy regarding personal employee data |
Policies | Make sure there are policies and standards concerning personal data protection in the system life-cycle management process |
Policies | Include the "data protection by design" concept in development processes |
Policies | Update the externalisation procedures, data sharing with third parties, and data transfers |
Security organisation | Define the security organisation and establish responsibilities in data privacy protection (data processors, data controllers, data owners, governing bodies, management of the DP program, and DPO) |
Security organisation | Review or establish reporting lines to the board |


Task 2: Reactive approaches using the three-level control model


Every time operational controls are changed, it is important to verify their interdependence with controls at the strategic and tactical levels. In other words, we have to ensure that governance activities and tools are adapted to the new operational controls. Requests for changes resulting from incidents, audit findings, or visible threats are often sent to operational managers, who sometimes minimise the scope of the change, ignore the imperatives of governance, or simply do not have the means to require that strategic- or tactical-level controls be adapted accordingly. Change managers could then use the three-level control model template to present the impact of the change on strategic and tactical controls.

Suppose a company wants to evaluate its protection capacity against cyber threats. Management has delegated this project to the IT department and expects to receive a report specifying the current level of maturity, the required level of maturity, and what actions should be taken to close the gaps. Let us suppose that a maturity evaluation of the controls in place, compared with the standard's requirements, results in the following six findings:

1. Not all systems are inventoried or classified
2. Risk appetite is not clearly defined or expressed in terms of factual indicators
3. Encryption is not used. Data flows are not classified
4. There is no automated data leak protection
5. There are no clear guidelines or service-level agreements on the time to recover critical processes. Tests are based solely on the restoration of all functionalities
6. There are no planned tests of large-scale cyber attacks

For each of the findings, working in groups, make recommendations and note their impact on the blocks of the three-level control model by filling in the reactive approaches worksheet provided below.

Function | Category | Subcategory | Findings | Recommendations | Building block impact
Identify | Asset management | ID.AM-5: Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value | 1. Not all systems are inventoried or classified | e.g., define a classification and asset inventory; include data flows | Asset Management
Identify | Risk management strategy | ID.RM-2: Organizational risk tolerance is determined and clearly expressed | 2. Risk appetite is not clearly defined or expressed in terms of factual indicators | e.g., define clear risk management policies | Policies
Protect | Data Security | PR.DS-2: Data-in-transit is protected | 3. Encryption is not used. Data flows are not classified | e.g., define a classification |
Protect | Data Security | PR.DS-5: Protections against data leaks are implemented | 4. There is no automated data leak protection | |
Protect | Information Protection Processes and Procedures | PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed | | |
Recover | Recovery Planning | RC.RP-1: Recovery plan is executed during or after a cybersecurity incident | | |
