Skip to main content

Raise Security Awareness and Respond to Incidents

Learning Objectives

After completing this unit, you’ll be able to:

  • Define how security awareness and skills training influence behavior among the workforce.
  • Describe procedures and tools for managing service providers.
  • Explain Safeguards to manage service providers.
  • Identify how managing incident response helps your organization prepare, detect, and quickly respond to an attack.

Establish a Security Awareness Program

Now you have a better idea of how to protect email, defend against malware, recover data, and manage networks. Next let’s take a look at how to raise security awareness, manage service providers, and respond to incidents.

Meet Assem, a cybersecurity advisor at a bank. He knows that the action or inaction taken by employees and other personnel to report on security-related events is a huge organizational risk. He works with the security awareness team to create an effective training program that is more than just a once-a-year training video coupled with regular phishing training. Assem knows that while annual training is needed, there should also be more frequent, topical messages and notifications about security.

Assem understands that training should consider the regulations the bank must comply with, and threats targeting his organization and industry. He also advises the team that social engineering training, such as phishing tests, should include awareness of tactics that target different roles. He suggests the team make use of the National Institute of Standards and Technology (NIST)’s Special Publication (SP) 800-50 Information Security Awareness Training to help build an effective security awareness program.

Additionally, Assem advises the security awareness team on putting in place these Safeguards.

  • Establish and Maintain a Security Awareness Program: Assem works with the security awareness team to establish a security awareness program to educate the bank’s workforce on how to interact with assets and data in a secure manner. The team decides to conduct training at hire and, at a minimum, annually. They review and update content annually, or when significant changes occur that could impact this Safeguard.
  • Train Workforce Members to Recognize Social Engineering Attacks: The team trains workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.
  • Train Workforce Members on Authentication Best Practices: The team trains workforce members on authentication best practices such as building strong passwords through composition, implementing multi-factor authentication (MFA), and credential management.
  • Train Workforce on Data Handling Best Practices: The team trains workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data.
  • Train Workforce Members ons Causes of Unintentional Data Exposure: The team trains workforce members to be aware of causes for unintentional data exposure, such as misdelivery of sensitive data, losing a portable end-user device, or publishing data to unintended audiences.
  • Train Workforce Members on Recognizing and Reporting Security Incidents: The team trains workforce members on how to recognize potential incidents and report them to the appropriate security personnel, which reduces risk across the organization.
  • Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates: The team trains the workforce to understand how to verify and report out-of-date software patches or any failures in automated processes and tools.
  • Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks: The team trains the workforce on the dangers of connecting to, and transmitting data over, insecure networks for bank activities.

Assem implements these Safeguards to help his organization influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks.

Manage Service Providers

Now that Assem has helped the security awareness team implement robust security training, he next turns to advising the third-party management team on securely managing service providers. He works with the team to develop a process to evaluate service providers who hold sensitive data or are responsible for the bank’s critical information technology (IT) platforms or processes, to verify these providers are protecting those platforms and data appropriately.

The bank relies on vendors and partners to help manage their data, and on third-party infrastructure for some of its core applications and functions. Assem knows that there have been numerous examples where third-party breaches have significantly impacted organizations—for example, in as early as the late 2000s, payment cards were compromised after attacks infiltrated smaller third-party vendors in the retail industry. 

Assem also knows that the following standards all require their protection to extend to third-party service providers: the Payment Card Industry Data Security Standard (PCI DSS) and most data security and privacy regulations, the Federal Financial Institutions Examination Council (FFIEC) financial industry requirements, and the United Kingdom (UK) Cyber Essentials standard. 

One challenge the team faces is that, even though reviewing the security of third parties has been a task performed for decades, there isn’t a universal standard for assessing security, and many service providers are audited by their customers multiple times a month, causing impacts to their own productivity. 

To enhance the bank’s management of service providers, Assem recommends for the third-party management team to use standard checklists, such as ones from the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27001 Information Security Management Standard or the Center for Internet Security, Inc. (CIS®) Critical Security Controls® (CIS Controls®)

He advises the team that there should be a policy in place about reviewing service providers, an inventory of these vendors, and a risk rating associated with their potential impact to the business in case of an incident. He also advises the team, when performing reviews, to focus on the provider's services or departments that are supporting the bank. 

Assem reminds the third-party management team to securely decommission service providers when contracts are completed or terminated, which includes offboarding procedures, turning over all organizational data and hardware, and reminders or introductions of non-disclosure agreements (NDAs). He points them to NIST’s SP 800-88r1: Guidelines for Media Sanitization as a resource to ensure devices are sanitized when the bank discontinues service with a given provider.

Safeguards for Managing Service Providers

Additionally, Assem works with the third-party management team to implement this Safeguard. 

  • Establish and Maintain an Inventory of Service Providers: He advises the team on establishing and maintaining an inventory of service providers. The inventory should list all known service providers, their classification(s), and designated enterprise contact for each service provider. He advises the team to review and update the inventory annually, or when significant changes occur that could impact this Safeguard.

Assem knows this Safeguard will help establish a standard for assessing security and predictability for the process of auditing service providers.

Manage Incident Response

Finally, Assem turns to work with the incident response team to help them maintain policies, plans, procedures, defined roles, training, and communications to prepare, detect, and quickly respond to an attack. He knows that a comprehensive cybersecurity program includes protections, detections, responses, and recovery capabilities. 

He also knows that he can’t expect protections to be effective 100% of the time, so it’s important to have a documented plan for when an incident occurs. This enables the incident response team to know the right investigative procedures, reporting, data collection, management responsibility, legal protocols, and communications strategy to follow to understand, manage, and recover from the incident. 

Procedures and Tools for Incident Response

Assem works with the incident response team to develop an incident response plan. He knows that after defining incident response procedures, the incident response team, or a third party, should engage in periodic scenario-based training, working through a series of attack scenarios fine-tuned to the threats and potential impacts the bank faces. 

A person standing in front of a whiteboard showing an attack scenario where an attacker delivers malware to a user who downloads it

To improve the bank’s incident response process, Assem also works with the threat intelligence team to include threat intelligence and threat hunting information. This will help the incident response team become more proactive, by identifying key or primary attackers to the bank and finance industry in order to monitor or search for their tactics, techniques, and procedures (TTPs). 

In addition, Assem works with the incident response team to advise them on putting in place these Safeguards. 

  • Designate Personnel to Manage Incident Handling: The team designates one key person, and at least one backup, who will manage the bank’s incident handling process.
  • Establish and Maintain Contact Information for Reporting Security Incidents: The team establishes and maintains contact information for parties that need to be informed of security incidents.
  • Establish and Maintain an Enterprise Process for Reporting Incidents: The team establishes and maintains a process for the workforce to report security incidents.

Assem has seen from experience that these Safeguards, along with communication to stakeholders, are key to managing incidents successfully. 

Sum It Up

In this module, you’ve been introduced to the CIS Controls. You've learned about how to inventory, control, and configure assets, and protect data. In addition, you’ve been introduced to the importance of managing accounts, access control, vulnerabilities, and audit logs. You’ve learned procedures and tools to protect email, defend against malware, recover data, and manage networks. You’ve also discovered Safeguards to improve security awareness, service provider management, and incident response.

You now have a better understanding of what it takes to implement the CIS Controls at your organization. Interested in learning more about cybersecurity topics? Head on over to the Cybersecurity Learning Hub to explore more and hear from real security practitioners.

Resources

Comparta sus comentarios sobre Trailhead en la Ayuda de Salesforce.

Nos encantaría conocer su experiencia con Trailhead. Ahora puede acceder al nuevo formulario de comentarios cuando quiera desde el sitio de la Ayuda de Salesforce.

Más información Continuar para compartir comentarios