R10 some topics - Coggle Diagram
R10.1 Types of Confidential Information Stored by Organisations
Commercially sensitive information
Includes
Client/customer details
It may include anyone who interacts with the organization, and this information should not be accessible to employees in general
Many organizations will have a client relationship team that looks after clients, so that team will need to access this information
Client details may include individuals, or named representatives from different organizations or business
Customer details relate to those who buy goods or services
Information held about customers will include personal details like names, contact details and order history
If the privacy and confidentiality of client and customer details is not maintained, the organization may lose clients and customers, as they expect their data to be stored safely and securely
Profit margins
The profit margin that is set on any goods supplied should be kept confidential
It is the difference between the price paid for goods and the selling price, so when the price of goods is reduced, the profit margin reduces
Contracts
A contract will be in place where goods are bought from a third party
The contract will usually include delivery time, quantity required and the price to be paid. These details can be negotiated and should be kept confidential between the two parties
Any breach of this confidentiality could give other companies stronger negotiating power
Trade secrets and intellectual property (IPA)
When an organization sells specific goods, details of those goods can be classed as a trade secret. Trade secrets often relate to a patent
IPA covers software processes in addition to patents for tangible items
If the function of the organization is to provide cloud-based services, then the software processes used by the organization could be covered by the IPA
Sales revenue and stakeholder details
Some organizations may have a policy of keeping stakeholders informed about sales numbers, as these may have a financial impact
Sales numbers can be used to determine which goods are bought and sold by the organization; for example, goods with low sales may be reduced in price and not stocked again
Access Information
Includes
Multi-factor authentication
Email accounts
Passwords
Phone numbers
Access codes
It is important that any access information provided to staff at all levels is kept confidential to maintain the security of the workplace
Human Resources
Information held includes
Employee salaries and employee perks
Salaries should only be known by the employee and the HR department
It is illegal to pay different salaries on the basis of gender
Data held by HR about salaries will also include national insurance numbers and tax codes
Employment data and medical information
May include warnings about breaches of policy and disciplinary actions
Medical data will be stored because an employer has a duty of care to provide, where required, adapted equipment and reasonable adaptations
Employment data includes start date, qualifications, contact details and emergency contact details
Staff may also require time off to attend medical appointments related to any medical conditions
Information held by HR is confidential and personal, and should be stored following legislation guidelines
R10.2 The Principles of CIA/IAAA within Digital Systems
CIA
A model designed to guide policies for information security within an organization.
Integrity
Involves maintaining the consistency, accuracy and trustworthiness of data over its entire lifecycle.
Data must not be changed in transit, and steps must be taken to ensure data cannot be altered by unauthorized people.
Availability
Means information should be consistently and readily accessible for authorized parties.
This involves properly maintaining the hardware, technical infrastructure and systems that hold and display the information.
Confidentiality
Confidentiality measures are designed to protect sensitive information from unauthorized access attempts.
It is common for data to be categorized according to the amount and type of damage that could be done if it fell into the wrong hands.
R10.3 Threats that May Cause Damage to an Organisation
Threats
Hacking
Malware
Distributed denial-of-service (DDoS)
Malicious spam
Denial-of-service (DoS)
Non-technical threats
Botnets
Cyber security incidents
DDoS
The AWS DDoS Attack in 2020
Ransomware
COVID-19 testing delayed after Irish hospitals hit by ransomware
Phishing
Nordea Bank Incident
Human Error
LinkedIn data breach
Hacking
Quora Data Breach
Trojans
ILOVEYOU virus
SQL injection
7-Eleven breach
Keyloggers
DarkHotel
Malicious employees
Yahoo departing employee stole trade secrets
Facts and Figures
One small business in the UK is successfully hacked every 19 seconds, according to Hiscox.
Around 65,000 attempts are made to hack small- to medium-sized businesses, 4,500 of which are successful, meaning around 1.6 million of the 5.7 million SMBs in the UK are hacked per year.
Data breaches cost UK enterprises an average of $3.88 million per breach, according to IBM's Cost of a Data Breach study.
33% of UK organisations say they lost customers after a data breach. 38% had lost business because of security issues.
Up to 88% of UK companies have suffered breaches in the last 12 months.
One in every 3,722 emails in the UK is a phishing attempt, according to Symantec.
48% of UK organisations hit by ransomware in the last year, according to Sophos.
R10.6 Risk Mitigation Controls to Prevent Threats
Risk Mitigation Controls
National Cyber Security Centre (NCSC) Cyber Essentials:
Control access to data and services
Choose the most secure settings for devices and software
Protection from viruses and malware
Up-to-date software and devices
Firewall to secure internet connections
Anti-virus and anti-malware software
Firewalls
Software
Hardware
Intrusion detection and prevention systems
Encryption
Process
Protocols
Purpose
User access, policies and procedures
Permissions
IT user policies
Air gaps
Staff training and CPD (Continuous professional development)
Human firewall
Honeypot
Back-ups
Incremental
Differential
Full
Virtual private networks (VPNs)
Software and system maintenance
Importance of latest software updates
Scheduled maintenance
Interruption to service
R10.4 Vulnerabilities within an Organisation
Technical Vulnerabilities
Compatibility of legacy systems
Fail-open electronic locks
Software no longer supported by supplier
Weak passwords (default passwords)
Out of date software/hardware/firmware
Missing authentication and authorization
Inadequate encryption (weak or outdated)
Exploitable bugs/zero-day bugs
Non-technical Vulnerabilities
Employees
Competency levels of staff
Lack of recruitment screening
Not following policies and procedures
Poor data/cyber hygiene (not archiving documents, accounts and access)
Physical access controls
Using simple access codes and reusing access codes (1234)
No monitoring of access to secure areas
Door access codes not changed regularly
Unnecessary staff access to secure areas