Module-3
Information Security Management
      A Road Map to Become Security Analyst
Module-3                                      Shiva Kumar
    1. Information Security Management
    Information Security Management (ISM) is a systematic approach to managing sensitive information
    to ensure its confidentiality, integrity, and availability. It involves a combination of policies,
    processes, and technologies to protect an organization’s data from unauthorized access, misuse,
    disruption, destruction, or theft.
    Key Components of ISM:
    •Confidentiality: Ensuring that information is accessible only to those authorized to access it.
     •Integrity: Ensuring that data is accurate, consistent, and protected from unauthorized modifications.
     •Availability: Ensuring that information and systems are accessible when needed by authorized users.
    1. Information Security Management (contd.)
Goals of Information Security Management:
 •Risk Management: Identify and mitigate risks to information assets.
 •Compliance: Ensure adherence to laws, regulations, and industry standards (e.g., GDPR, ISO/IEC 27001).
 •Incident Management: Prepare for, respond to, and recover from security breaches or disruptions.
 Common Practices in ISM:
 •Implementing an Information Security Management System (ISMS) (e.g., based on ISO/IEC 27001 standards).
 •Conducting regular risk assessments to identify vulnerabilities.
 •Deploying firewalls, encryption, and antivirus software to protect systems.
 •Creating and enforcing access control policies to limit data access.
 •Providing security training for employees to recognize and respond to threats like phishing.
 •Maintaining business continuity and disaster recovery plans.
    2. Why companies need security policies
    Companies need security policies to establish clear guidelines and rules for protecting
    their information, systems, and resources. These policies ensure consistency in
    handling sensitive data, reduce risks, and help companies comply with legal and
    regulatory requirements. Without such policies, organizations are vulnerable to data
    breaches, unauthorized access, and financial losses.
    2. Why companies need security policies (contd.)
     Why Security Policies are Essential
    ❖Protect Sensitive Data
    Security policies ensure that confidential information like customer data, financial records, and trade secrets are safeguarded from
    unauthorized access or breaches.
    • Example: A healthcare provider implements a policy for encrypting patient records to comply with regulations like HIPAA (Health
      Insurance Portability and Accountability Act) and to prevent data leaks.
    ❖Prevent Unauthorized Access
     Policies define who can access specific data or systems and how authentication is managed.
    • Example: A company requires multi-factor authentication (MFA) for accessing internal systems, reducing the risk of
      unauthorized logins.
    ❖Reduce Risks of Cyber Attacks
     Security policies address common vulnerabilities, such as phishing, ransomware, or insider threats, through preventive measures.
    • Example: A policy mandates regular employee training to recognize phishing emails, reducing the risk of falling victim to cyber scams.
    2. Why companies need security policies (contd.)
     ❖Enable Business Continuity
     A robust policy includes backup and recovery plans to ensure that business operations can resume quickly after disruptions.
    • Example: A company has a disaster recovery policy that requires daily backups of critical data to an offsite location.
     ❖Define Employee Responsibilities
     Security policies provide employees with clear guidelines on how to handle data, use company devices, and report security
     incidents.
    • Example: A policy prohibits using personal USB drives on company computers to prevent malware infections.
    3. What is an Information Security Policy?
     An Information Security Policy is a formal document that outlines an organization's approach to protecting its information and
     information systems. It defines rules, responsibilities, and best practices for employees, partners, and other stakeholders to
     ensure the confidentiality, integrity, and availability of data.
     Purpose of an Information Security Policy:
    1.To safeguard sensitive information from unauthorized access or misuse.
    2.To set clear expectations for employees regarding security practices.
    3.To ensure compliance with legal, regulatory, and industry standards.
    4.To minimize risks such as data breaches, cyberattacks, or insider threats.
    4. What should an Information Security Policy consist of?
     Key Components of an Information Security Policy (with examples):
     1. Purpose and Objectives
    • What it is: States why the policy exists and what it aims to achieve.
    • Example:
      "The purpose of this policy is to protect the confidentiality, integrity, and availability of Company XYZ’s information assets. This
      policy applies to all employees, contractors, and third parties who interact with company data."
     2. Scope
    • What it is: Defines what the policy covers (e.g., data types, systems, users, locations).
    • Example:
      "This policy applies to all company-owned systems, cloud-based platforms, physical devices, and any data accessed, stored, or
      transmitted by employees, contractors, or third parties."
     3. Roles and Responsibilities
    •What it is: Details the roles of employees, IT teams, management, and external parties in implementing the policy.
    •Example:
        • IT Department: Ensure security measures (e.g., firewalls, backups) are in place.
        • Employees: Follow access control procedures and report security incidents.
        • Third-Party Vendors: Adhere to the company’s security requirements for data handling.
     4. Data Classification and Protection
    •What it is: Explains how data is categorized (e.g., Public, Internal, Confidential) and the measures to protect each
     type.
    •Example:
        • Public: Marketing materials – no restrictions.
        • Internal: Employee directories – accessible only within the organization.
        • Confidential: Financial records – encrypted and shared on a need-to-know basis only.
     5. Access Control
    •What it is: Defines rules for granting, managing, and revoking access to systems and data.
    •Example:
        • Access to HR systems is limited to HR employees.
        • Multi-factor authentication (MFA) is mandatory for remote logins.
        • User accounts are disabled within 24 hours of an employee’s termination.
     6. Acceptable Use Policy (AUP)
    •What it is: Outlines how employees should use company systems and devices.
    •Example:
        • Company resources must not be used for personal activities (e.g., social media, gaming).
        • Employees are prohibited from installing unauthorized software or plugins.
     7. Incident Management
    •What it is: Describes the process for detecting, reporting, and resolving security incidents.
    •Example:
        • Employees must report suspicious emails or activities immediately to the IT team.
        • In case of a breach, the IT department will follow the incident response plan, including isolating affected
           systems and notifying stakeholders.
     8. Physical Security
    •What it is: Specifies measures to protect physical infrastructure and devices.
    •Example:
        • Server rooms must remain locked and accessible only to authorized personnel.
        • Employees must not leave laptops unattended in public spaces.
     9. Data Backup and Recovery
    •What it is: Details backup schedules and recovery procedures in case of data loss or system failure.
    •Example:
        • Critical data will be backed up daily and stored securely in an offsite location.
        • Disaster recovery tests will be conducted biannually to ensure preparedness.
     10. Compliance Requirements
    •What it is: Lists the legal, regulatory, and industry standards the organization adheres to.
    •Example:
        • GDPR for European customer data.
        • PCI-DSS for handling credit card transactions.
        • ISO 27001 for overall information security.
     11. Training and Awareness
    •What it is: Ensures employees understand their responsibilities through regular training.
    •Example:
        • Mandatory annual training on identifying phishing attempts and secure password practices.
        • New employees must complete security training within their first week.
     12. Policy Review and Updates
    •What it is: Establishes how often the policy will be reviewed and updated.
    •Example:
        • "This policy will be reviewed annually or in response to significant changes in the organization’s security
           posture or regulatory environment."
     13. Consequences of Violations
    •What it is: Explains disciplinary actions for non-compliance with the policy.
    •Example:
        • Unauthorized sharing of confidential data may result in termination.
        • Legal action may be pursued in cases of gross negligence or intentional harm.
    5. Email Policy
    An Email Policy is a set of rules and guidelines that governs the proper use of email systems in an organization. It
    ensures that employees use email in a secure, professional, and legally compliant manner while protecting the
    organization from security threats like phishing, malware, and data breaches.
    Purpose of an Email Policy
    1.To ensure that email communication remains professional and secure.
    2.To prevent the misuse of company email systems.
    3.To minimize security risks such as phishing and malware attacks.
    4.To comply with legal and regulatory requirements.
    6. End-User Encryption Key Protection Policy
     An End-User Encryption Key Protection Policy outlines the rules and guidelines for securely managing, storing, and
     using encryption keys by end users to protect sensitive data. Encryption keys are critical for maintaining data
      confidentiality, and their compromise can lead to unauthorized data access or breaches.
     Purpose
     The purpose of this policy is to:
    1.Ensure encryption keys are managed securely to protect sensitive data.
    2.Prevent unauthorized access to encryption keys.
    3.Establish a framework for key generation, storage, usage, and disposal.
    4.Comply with industry standards and regulatory requirements for data security.
    7. Security Awareness and Training Policy
     A Security Awareness and Training Policy outlines how an organization educates its employees, contractors, and other stakeholders on security
     practices to protect organizational assets, data, and systems. This policy ensures that individuals are aware of security risks and are equipped to
     handle them responsibly.
     Purpose
     The purpose of this policy is to:
    1.Create a culture of security awareness.
    2.Educate employees about their roles in protecting the organization against cyber threats.
    3.Comply with industry regulations and standards (e.g., ISO 27001, GDPR, NIST).
     Key Components of the Policy
     1. Goals of the Training Program
    •Policy Statement: Define the objectives of the security training program.
     Example:
         • Educate employees on recognizing phishing attempts.
         • Teach secure handling of sensitive data (e.g., customer PII).
         • Reduce the risk of security breaches due to human error.
     2. Frequency of Training
    •Policy Statement: Specify how often training should occur.
     Example:
         • Security awareness training must be conducted:
               • During onboarding for new employees.
               • Annually for all staff.
               • After major security incidents or updates to the organization’s policies.
    3. Training Topics
    •Policy Statement: Define key topics to be covered.
     Example:
         • Identifying and reporting phishing emails.
         • Importance of strong passwords and multi-factor authentication (MFA).
         • Safe use of company devices and networks.
         • Handling sensitive data in compliance with laws and regulations.
         • Recognizing and responding to potential security incidents.
    4. Delivery Methods
    •Policy Statement: Specify how training will be delivered.
     Example:
         • Training will be delivered through:
               • Interactive e-learning modules.
               • In-person workshops.
               • Periodic email reminders and newsletters.
               • Simulated phishing campaigns to test awareness.
    5. Roles and Responsibilities
    •Policy Statement: Define responsibilities for implementing the policy.
     Example:
         • The IT Security Team will design and update training content.
         • Managers are responsible for ensuring their teams complete required training.
         • Employees are responsible for applying the knowledge learned in training.
    6. Monitoring and Compliance
    •Policy Statement: Outline how training completion and effectiveness will be tracked.
     Example:
         • Training attendance will be tracked through the Learning Management System (LMS).
         • Employees must pass an assessment with a score of 80% or higher.
         • Non-compliance with training requirements may result in disciplinary actions.
     7. Reporting Security Incidents
    •Policy Statement: Emphasize the importance of reporting security issues.
     Example:
         • Employees must report security incidents, such as phishing attempts, lost devices, or unauthorized access,
             immediately to the IT security team.
     8. Policy Review and Updates
    •Policy Statement: Define how and when the policy will be reviewed.
     Example:
         • This policy will be reviewed annually or after significant security events.
    8. Access Authorization, Modification, and Identity Access Management
    This policy defines the rules and guidelines for managing user identities, access authorization, and modifications to ensure secure access to an
    organization’s systems, applications, and data.
    Purpose
    The purpose of this policy is to:
   1.Ensure that only authorized individuals have access to the organization’s systems and sensitive data.
   2.Define procedures for granting, modifying, and revoking access rights.
   3.Minimize security risks by implementing best practices for Identity Access Management (IAM).
    Key Components of the Policy
    1. Access Authorization
   •Policy Statement: Access to systems and data must be granted based on the principle of "least privilege."
   •Example:
       • Employees will be granted access only to the systems and data necessary to perform their job
          responsibilities.
       • All access requests must be approved by the employee’s manager and reviewed by the IT Security Team.
    2. User Identity Management
   •Policy Statement: Each user must have a unique identity for accessing organizational systems.
   •Example:
       • Every employee will be assigned a unique username and password.
       • Shared accounts are strictly prohibited.
       • Multi-factor authentication (MFA) must be enabled for critical systems and sensitive data.
    3. Role-Based Access Control (RBAC)
   •Policy Statement: Access will be granted based on predefined roles that align with job responsibilities.
   •Example:
       • A "Finance Analyst" role will have access to financial systems but will be restricted from engineering or HR
          systems.
       • Role assignments must be documented and reviewed quarterly.
    4. Access Request Process
   •Policy Statement: All access requests must follow a formal approval process.
   •Example:
       • Employees must submit an access request form specifying the required system and justification.
       • Managers must approve the request, and the IT team will provision access.
       • Unauthorized access requests will be denied and logged.
    5. Access Modification
   •Policy Statement: Changes to user access must follow a structured modification process.
   •Example:
       • If an employee changes roles, access permissions will be updated to match the new job responsibilities.
       • Managers must notify the IT team of any role changes or updates to access requirements.
       • Access modification requests must be logged and reviewed.
    6. Access Revocation
   •Policy Statement: Access must be revoked immediately when no longer required.
   •Example:
       • Upon employee termination, the IT team must disable all accounts within 24 hours.
       • Access to specific systems will be removed immediately after project completion for contractors.
       • Revocation logs must be maintained for audit purposes.
    7. Identity and Access Management (IAM) Tools
   •Policy Statement: IAM tools must be used to manage access securely.
   •Example:
       • The organization will use tools like Okta, Microsoft Azure AD, or AWS IAM for identity and access control.
       • Automated workflows must enforce approval processes and access reviews.
    8. Periodic Access Reviews
   •Policy Statement: User access rights must be reviewed periodically to ensure compliance.
   •Example:
       • Managers must review employee access permissions quarterly to ensure they align with job roles.
       • IT Security will conduct an annual audit of privileged accounts.
    9. Privileged Access Management (PAM)
   •Policy Statement: Privileged accounts must be managed and monitored separately.
   •Example:
       • Administrative accounts must have stricter access controls, including MFA and logging of all actions.
       • Privileged users must sign an acknowledgment of their responsibilities before access is granted.
    10. Compliance and Reporting
   •Policy Statement: Non-compliance with this policy will result in disciplinary actions.
   •Example:
       • Violations, such as sharing credentials, will lead to immediate review and potential suspension of access.
       • Security incidents involving unauthorized access must be reported to the IT team within 24 hours.
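The access rules of this section (least-privilege RBAC, unique identities with MFA on critical systems, re-provisioning on a role change, revocation within 24 hours of termination, and quarterly reviews) as a small Python model. This is an added illustration, not code from the course; the role catalogue, system names, users and dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Constructed role catalogue: each role maps to only the systems its job needs
# (item 1, least privilege; item 3, RBAC).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "finance_analyst": {"finance_db", "expense_portal"},
    "hr_specialist": {"hr_system"},
    "engineer": {"source_repo", "ci_server"},
}
CRITICAL_SYSTEMS = {"finance_db", "hr_system"}   # MFA mandatory here (item 2)
REVOCATION_DEADLINE = timedelta(hours=24)         # item 6
REVIEW_INTERVAL = timedelta(days=91)              # "quarterly" (items 3, 8)


@dataclass
class User:
    username: str
    role: str
    mfa_enrolled: bool
    last_review: datetime
    terminated_at: Optional[datetime] = None
    disabled: bool = False
    shared: bool = False   # a shared login, which item 2 prohibits


def check_access(user: User, system: str) -> Tuple[bool, str]:
    """Decide a single access request; returns (allowed, reason)."""
    if user.shared:
        return False, "shared accounts are prohibited"
    if user.disabled or user.terminated_at is not None:
        return False, "account disabled or user terminated"
    if system not in ROLE_PERMISSIONS.get(user.role, set()):
        return False, f"role {user.role} is not authorised for {system}"
    if system in CRITICAL_SYSTEMS and not user.mfa_enrolled:
        return False, "MFA required for critical systems"
    return True, "granted"


def change_role(user: User, new_role: str, now: datetime) -> Set[str]:
    """Item 5: on a role change, entitlements are re-derived from the new role
    rather than accumulated. Returns the systems the user loses."""
    old = ROLE_PERMISSIONS.get(user.role, set())
    new = ROLE_PERMISSIONS.get(new_role, set())
    user.role = new_role
    user.last_review = now   # the change itself counts as a review
    return old - new


def overdue_revocations(users: List[User], now: datetime) -> List[str]:
    """Item 6: accounts still enabled more than 24 hours after termination."""
    return [u.username for u in users
            if u.terminated_at is not None and not u.disabled
            and now - u.terminated_at > REVOCATION_DEADLINE]


def review_due(users: List[User], now: datetime) -> List[str]:
    """Item 8: accounts whose quarterly access review has lapsed."""
    return [u.username for u in users if now - u.last_review > REVIEW_INTERVAL]


def run_scenario() -> Dict[str, object]:
    """Walk the rules through constructed users; returns the named outcomes."""
    now = datetime(2025, 1, 15, 9, 0)
    alice = User("alice", "finance_analyst", True, now - timedelta(days=10))
    bob = User("bob", "engineer", False, now - timedelta(days=120))
    svc = User("svc-shared", "engineer", True, now, shared=True)
    out: Dict[str, object] = {
        "alice_finance": check_access(alice, "finance_db"),
        "alice_hr": check_access(alice, "hr_system"),
        "shared_login": check_access(svc, "ci_server"),
        "review_due": review_due([alice, bob], now),
    }
    # Bob moves from engineering to HR: repository access must drop, and HR
    # data stays closed to him until he enrols in MFA.
    out["bob_revoked"] = change_role(bob, "hr_specialist", now)
    out["bob_hr"] = check_access(bob, "hr_system")
    # Alice left 30 hours ago but nobody disabled the account yet.
    alice.terminated_at = now - timedelta(hours=30)
    out["alice_after_exit"] = check_access(alice, "finance_db")
    out["overdue_revocations"] = overdue_revocations([alice, bob], now)
    return out


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The revocation and review checks are the kind of query an IAM tool (item 7) runs on a schedule; here they are plain functions so the policy's deadlines can be read directly.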
   9. Components of a security policy
    A security policy is a formal document that outlines the rules, procedures, and best practices for protecting an
    organization’s assets, data, and systems. It ensures compliance with legal regulations, reduces risks, and
    establishes accountability.
   •Introduction. States the fundamental reasons for having a security policy.
   •Purpose and scope. Provides details on the security policy's purpose and scope.
   •Statement of policy. States the security policy in clear terms.
   •Statement of compliance. Specifies security laws, regulations, standards, and other guidance with which the policy
    aims to comply.
   •Policy leadership. States who are responsible for approving and implementing the policy, as well as levying
    penalties for noncompliance.
   •Verification of policy compliance. It states what is needed, such as assessments, exercises, and penetration tests,
    to verify that security activities comply with policies.
   10. Security Policy Template
        Reputable firms provide information security policy templates. The SANS Institute cooperated with information security specialists
        to build security policy templates, which SANS makes available online.
       A security/compliance advice company may be able to give security policy templates and detailed advice on how to build sensible
       rules (and ensure you stay compliant with your legal obligations). Templates are a starting point for establishing policies; they must
       be adjusted to match your organization's requirements.
    Example Security Policy
    NIST's Cybersecurity Framework is a helpful template for establishing cyber security policy.
     The Five Functions
    The "Five Functions" method encompasses five pillars for an effective and comprehensive cyber security program. These
    capabilities are:
    1. Identify
    The company must comprehend the cybersecurity threats it confronts to prioritize its actions.
    2. Defend
    This refers to implementing the necessary protections to protect data assets and restrict or contain the effects of a
    possible cybersecurity incident. This includes educating and empowering staff members to be aware of risks, establishing
    procedures that protect network security and assets, and potentially utilizing cyber liability insurance to protect a
    company financially if a cybercriminal can circumvent security measures.
    3. Detect
    Outline the actions that aid in detecting the onset of a cyber assault and allow a prompt reaction. Companies should
    create data categorization, asset management, and risk management systems that warn them when data seems
    compromised to rapidly and accurately diagnose a cyber assault.
    4. Respond
    Document the activities that should be performed in response to the discovery of cybersecurity risks. A company's
    reaction should involve detailed and appropriate communication with its employees, shareholders, partners, and
    consumers, as well as with law enforcement and legal counsel, as necessary.
    5. Retrieve
    Determine how a company may recover and restore any compromised capabilities or services caused by a cyber
    attack.
   11. Integrate Security Awareness Instruction
    Each employee's training should begin on their first day, and you should offer them an ongoing opportunity to review the
    rules and refresh their memories. Establishing strategies to guarantee that staff retain the training and are not just skimming
    a policy and signing a paper is also crucial. It is more probable that workers will pay attention and remember knowledge
    about your company's rules if they participate in interactive training or are tested upon completion of training.
    Additionally, it would be best to search for opportunities to remind your staff of your rules and provide them with
    information on new or changing policies. Monthly all-staff and team meetings are excellent occasions to review policies
    with workers and demonstrate the significance management places on these rules. Making information security a part of
    your company's culture will increase the likelihood that your staff will adhere to data security standards.
   12. Technology makes it simple to implement security policies and procedures.
    1. Automation of Security Processes
    Technology can automate various security procedures, reducing the manual effort required to enforce policies and
    ensuring consistent enforcement across the organization.
   •Examples:
       • Automated access controls: Tools like Identity and Access Management (IAM) systems can enforce role-
          based access controls automatically, ensuring that employees only access the data they are authorized to
          see.
       • Automated patch management: Security tools can automatically apply patches and updates to systems to
          address vulnerabilities, ensuring compliance with the organization's security policies.
    2. Centralized Security Management Platforms
    Security Information and Event Management (SIEM) systems help to centralize the monitoring and management
    of security incidents, logs, and compliance reports.
   •Examples:
       • SIEM tools (e.g., Splunk, SolarWinds): They can collect, analyze, and store logs from various systems,
          ensuring the policy of continuous monitoring is followed. They also provide alerts for any security incidents
          or violations, helping you respond quickly.
    3. Enforcing Password and Authentication Policies
    Technology can enforce security policies related to passwords, authentication, and access to critical systems.
    •Examples:
        • Multi-Factor Authentication (MFA): Tools like Duo Security or Microsoft Azure Active Directory can enforce
           MFA policies across the organization, ensuring that users provide an additional layer of authentication
           beyond just a password.
        • Password Management Systems: Software such as LastPass, 1Password, or Bitwarden ensures that
           employees follow password complexity requirements and securely manage their credentials.
    4. Cloud Security Solutions
    Cloud services provide tools and platforms to implement security policies that protect sensitive data stored in the
    cloud.
    •Examples:
        • Cloud Access Security Brokers (CASBs): CASBs help enforce policies for users accessing cloud applications,
           ensuring that only authorized users have access to cloud-based systems and data.
        • Data Encryption: Cloud providers like AWS, Google Cloud, and Microsoft Azure offer built-in encryption
           tools that can automatically encrypt sensitive data, ensuring it meets the organization's data protection
           policies.
    5. Real-Time Monitoring and Incident Response
    Technology enables continuous monitoring for compliance with security policies and enables quick responses to
    incidents.
   •Examples:
       • Intrusion Detection Systems (IDS): Tools like Snort and Suricata monitor network traffic for suspicious
          activity, alerting security teams when potential policy violations or threats are detected.
       • Security Orchestration, Automation, and Response (SOAR): Platforms like Palo Alto Networks Cortex XSOAR
          automate incident response workflows, allowing teams to quickly respond to security breaches according
          to predefined procedures.
    6. Data Loss Prevention (DLP) Tools
    DLP technologies can automatically monitor and control the movement of sensitive information across the
    network, enforcing data protection policies.
   •Examples:
       • DLP Systems (e.g., Symantec, McAfee): These systems can detect and prevent sensitive data from being
          shared inappropriately (e.g., via email or file sharing), ensuring compliance with organizational policies on
          data confidentiality.
    7. Security Awareness Training Platforms
    Technology makes it easy to deliver and track security awareness training programs.
    •Examples:
        • Learning Management Systems (LMS): Platforms like KnowBe4, SANS Security Awareness, and Cybersecurity
           & Infrastructure Security Agency (CISA) offer automated training modules, phishing simulations, and
           reporting features to ensure employees are aware of security policies and practices.
        • Phishing Simulators: Tools like PhishMe simulate real-world phishing attacks to train employees on how to
           recognize and report suspicious emails, ensuring compliance with security awareness policies.
   13. Guidelines for Data Security and Backup
    Guidelines for Data Security and Backup are essential to protect sensitive information, ensure business continuity,
    and mitigate risks associated with data loss or breach. Here’s a comprehensive set of guidelines to implement
    effective data security and backup practices:
    1. Data Classification and Sensitivity Levels
   •Classify Data: Data should be categorized into different levels of sensitivity, such as public, confidential, and
    sensitive data.
   •Example:
       • Public Data: Information that can be freely shared (e.g., marketing materials).
       • Confidential Data: Information that is restricted to specific users (e.g., employee details).
       • Sensitive Data: High-risk data requiring encryption and strict access control (e.g., financial records, personal
          data).
    2. Access Control and Authentication
   • Use Role-Based Access Control (RBAC): Limit access to data based on the roles and responsibilities of employees.
   • Implement Multi-Factor Authentication (MFA): Require users to present multiple forms of authentication before they can access sensitive data.
   • Least Privilege Principle: Grant the minimum level of access required for employees to perform their duties.
   • Example: Employees handling financial data should have restricted access to customer data.
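The three points above (RBAC, MFA, least privilege) combine naturally into one access decision. The block below is an added example, not code from the slides or from any identity product: roles carry explicit (resource, action) permissions, access is denied by default, sensitive resources additionally require a completed MFA step, and a helper lists permissions a user holds but never used, which is the input a least-privilege review needs. Role names, resources and the usage log are assumptions.

```python
"""Added example: deny-by-default RBAC with an MFA gate and a least-privilege
review helper. All roles, resources and users are constructed."""
from dataclasses import dataclass, field

# Assumed role -> permission mapping. Note the finance role has no customer_data entry
# at all, which is how "restricted access to customer data" is expressed.
ROLE_PERMISSIONS = {
    "finance_analyst": {("financial_records", "read"), ("financial_records", "write")},
    "support_agent":   {("customer_data", "read")},
    "auditor":         {("financial_records", "read"), ("customer_data", "read"),
                        ("audit_logs", "read")},
}
SENSITIVE_RESOURCES = {"financial_records", "customer_data"}  # MFA required


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    mfa_verified: bool = False


def effective_permissions(user: User) -> set:
    """Union of the permissions of every role the user holds (unknown roles add nothing)."""
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def check_access(user: User, resource: str, action: str) -> dict:
    """Return the decision together with a reason suitable for an audit log."""
    if resource in SENSITIVE_RESOURCES and not user.mfa_verified:
        return {"allowed": False, "reason": "mfa_required"}
    if (resource, action) in effective_permissions(user):
        return {"allowed": True, "reason": "granted_by_role"}
    return {"allowed": False, "reason": "no_matching_permission"}  # default deny


def unused_permissions(user: User, used: set) -> set:
    """Least-privilege review: permissions held but not seen in the usage log
    are candidates for removal."""
    return effective_permissions(user) - used


if __name__ == "__main__":
    fin = User("dana", {"finance_analyst"}, mfa_verified=True)
    print(check_access(fin, "financial_records", "read"))   # granted
    print(check_access(fin, "customer_data", "read"))       # denied, no permission
    aud = User("omar", {"auditor"}, mfa_verified=True)
    print(unused_permissions(aud, {("audit_logs", "read")}))
```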
    3. Data Encryption
   • Encrypt Sensitive Data: Ensure that data is encrypted both at rest (e.g., stored on servers) and in transit (e.g., transmitted over networks).
   • Use Strong Encryption Standards: Utilize strong encryption methods such as AES-256 to protect data.
   • Example: Encrypt databases containing customer credit card information or health records to ensure their confidentiality.
    4. Data Backup Procedures
   • Regular Backup Schedule: Set up automated backups for critical data on a daily, weekly, or monthly basis, depending on the nature of the data.
   • Backup Redundancy: Maintain backups in multiple locations (e.g., local and cloud-based) to ensure availability in case of hardware failure or
     disaster.
   • Ensure Backup Integrity: Regularly test backup files for integrity and usability to verify that data can be restored when needed.
   • Example: Daily backups for critical databases and weekly full system backups to cloud storage.
    5. Data Retention and Disposal Policies
   • Set Retention Periods: Define how long different types of data should be stored, based on business needs and regulatory
     requirements.
   • Secure Data Deletion: Use secure methods (e.g., wiping or shredding) to delete data when it’s no longer required, ensuring it
     cannot be recovered.
   • Example: Retain customer data for 7 years for legal compliance and securely dispose of documents after that period.
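The retention example above can be applied mechanically. The block below is an added illustration, not code from the slides: a constructed retention schedule (in years, per data class), a function that selects the records whose retention period has elapsed, and an overwrite-then-unlink disposal routine. The schedule values and the record set are assumptions, and the comment on `secure_delete` records the practitioner's caveat that overwriting is not a reliable erasure method on SSDs or copy-on-write filesystems, where destroying the encryption key (crypto-shredding) is the dependable option.

```python
"""Added example: apply a retention schedule to constructed records and dispose of
expired data. Schedule values are assumptions, not a legal requirement."""
import os
import tempfile
from datetime import date
from pathlib import Path

RETENTION_YEARS = {           # constructed schedule
    "customer_data": 7,
    "financial_records": 10,
    "marketing": 1,
}


def expiry_date(created: date, years: int) -> date:
    """Same month/day `years` later; 29 Feb rolls to 28 Feb in non-leap years."""
    try:
        return created.replace(year=created.year + years)
    except ValueError:
        return created.replace(year=created.year + years, day=28)


def expired_records(records, today: date):
    """Records whose retention period (by class) has fully elapsed as of `today`."""
    return [r for r in records
            if today >= expiry_date(r["created"], RETENTION_YEARS[r["class"]])]


def secure_delete(path: Path, passes: int = 1) -> bool:
    """Overwrite the file with random bytes, flush to disk, then unlink.
    Caveat: on SSDs (wear levelling) and journaling or copy-on-write filesystems
    the old blocks may survive an overwrite; encrypt at rest and destroy the key
    instead. Returns True when the file is gone."""
    size = path.stat().st_size
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            f.write(os.urandom(size))
            f.flush()
            os.fsync(f.fileno())
    path.unlink()
    return not path.exists()


# Constructed records: id, data class and creation date.
SAMPLE_RECORDS = [
    {"id": "cust-1", "class": "customer_data", "created": date(2018, 5, 31)},
    {"id": "cust-2", "class": "customer_data", "created": date(2018, 6, 2)},
    {"id": "mkt-1",  "class": "marketing",     "created": date(2024, 1, 1)},
    {"id": "fin-1",  "class": "financial_records", "created": date(2016, 6, 1)},
]


def dispose_demo() -> bool:
    """Create a scratch file, wipe it, and report whether it is gone."""
    with tempfile.TemporaryDirectory() as tmp:
        p = Path(tmp) / "old-export.csv"
        p.write_text("id,name\n1,constructed\n")
        return secure_delete(p)


if __name__ == "__main__":
    print([r["id"] for r in expired_records(SAMPLE_RECORDS, date(2025, 6, 1))])
    print("wiped:", dispose_demo())
```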
    6. Backup Encryption
   • Encrypt Backups: Encrypt all backup copies to prevent unauthorized access in case the backup data is lost or stolen.
   • Example: Use encryption software like Veritas or Veeam to encrypt backup files before storing them.
    7. Offsite and Cloud Backups
   • Use Offsite Backups: Maintain offsite backups to protect against data loss due to disasters like fire, flooding, or theft.
   • Cloud Backup Solutions: Use cloud-based backup services like AWS S3, Microsoft Azure, or Google Cloud to ensure scalability and
     accessibility.
   • Example: Store backups in a geographically distant location or cloud service to reduce the risk of simultaneous data loss during a
     disaster.
    8. Backup Testing
   •Perform Regular Backup Testing: Test your backup systems regularly to ensure they work properly, and data can be
    restored in case of an emergency.
   •Test Frequency: Test the full system recovery process at least once every quarter.
   •Example: Conduct a disaster recovery drill where backups are restored on a test environment to ensure they are
    functional.
    9. Disaster Recovery and Business Continuity Plan
   •Develop a Disaster Recovery (DR) Plan: Establish clear protocols for restoring data and systems in case of a disaster,
    including RTO (Recovery Time Objective) and RPO (Recovery Point Objective).
   •Business Continuity: Ensure that critical operations can continue even if data is temporarily unavailable, with
    backup systems and procedures in place.
   •Example: Ensure that key business processes, like processing payroll or fulfilling orders, can still continue even
    when certain systems are down.
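Sections 4 (backup procedures and integrity), 8 (backup testing) and 9 (RTO/RPO) describe one procedure end to end, so here is a single added example covering all three; it is illustrative code written for this page, not from the slides or any backup product. It backs up a constructed directory with a SHA-256 manifest, verifies the copy, restores it into a scratch "test environment" rather than over production, detects a deliberately corrupted backup file, and scores the drill against assumed RTO/RPO targets while writing an audit trail of every backup and restore action (the monitoring point in section 11). All paths, file contents and objective values are assumptions.

```python
"""Added example: backup with integrity manifest, verification, restore drill and
RTO/RPO scoring on a temporary directory. Every value here is constructed."""
import hashlib
import json
import shutil
import tempfile
import time
from datetime import datetime, timedelta
from pathlib import Path

AUDIT_LOG = []  # in production this goes to a SIEM; kept as a list for the drill


def _audit(action, **details):
    AUDIT_LOG.append({"at": datetime.now().isoformat(timespec="seconds"), "action": action, **details})


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _mismatches(root: Path, files: dict) -> list:
    """Entries of the manifest that are missing under root or whose hash differs."""
    return [rel for rel, digest in files.items()
            if not (root / rel).is_file() or sha256_file(root / rel) != digest]


def create_backup(source: Path, dest: Path) -> dict:
    """Copy every file under source into dest and record a SHA-256 per file."""
    dest.mkdir(parents=True, exist_ok=True)
    manifest = {"created": datetime.now().isoformat(timespec="seconds"), "files": {}}
    for p in sorted(source.rglob("*")):
        if p.is_file():
            rel = p.relative_to(source).as_posix()
            (dest / rel).parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, dest / rel)
            manifest["files"][rel] = sha256_file(dest / rel)
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2))
    _audit("backup_created", dest=str(dest), files=len(manifest["files"]))
    return manifest


def verify_backup(dest: Path) -> list:
    """Empty list means every file still matches the manifest."""
    manifest = json.loads((dest / "manifest.json").read_text())
    return _mismatches(dest, manifest["files"])


def restore_backup(dest: Path, target: Path) -> list:
    """Refuse to restore from a backup that fails verification; afterwards
    re-check the restored tree against the manifest and return any mismatches."""
    manifest = json.loads((dest / "manifest.json").read_text())
    bad = _mismatches(dest, manifest["files"])
    if bad:
        _audit("restore_refused", dest=str(dest), corrupted=bad)
        raise RuntimeError(f"refusing to restore from a corrupted backup: {bad}")
    for rel in manifest["files"]:
        (target / rel).parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(dest / rel, target / rel)
    _audit("restore_completed", target=str(target))
    return _mismatches(target, manifest["files"])


def drill_report(last_backup_at, incident_at, restore_seconds, rto, rpo) -> dict:
    """RPO: data lost is the gap since the last good backup. RTO: time to restore."""
    data_loss = incident_at - last_backup_at
    return {"data_loss_hours": data_loss.total_seconds() / 3600,
            "rpo_met": data_loss <= rpo,
            "rto_met": timedelta(seconds=restore_seconds) <= rto}


def run_drill() -> dict:
    """Whole drill on a temp directory; returns the facts a DR report would contain."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        prod, bak, test_env = root / "prod", root / "backup", root / "restore_test"
        (prod / "config").mkdir(parents=True)
        (prod / "db.sql").write_text("INSERT INTO orders VALUES (1, 'constructed row');\n")
        (prod / "config" / "app.ini").write_text("[app]\nmode=prod\n")
        create_backup(prod, bak)
        intact_before = verify_backup(bak)
        started = time.monotonic()
        restore_problems = restore_backup(bak, test_env)
        restore_seconds = time.monotonic() - started
        # Simulate silent corruption of one backup copy; verification must catch it.
        (bak / "db.sql").write_text("INSERT INTO orders VALUES (1, 'silently corrupted');\n")
        corrupted = verify_backup(bak)
        report = drill_report(last_backup_at=datetime(2025, 1, 10, 2, 0),   # assumed nightly backup
                              incident_at=datetime(2025, 1, 10, 9, 30),     # assumed incident time
                              restore_seconds=restore_seconds,
                              rto=timedelta(hours=4), rpo=timedelta(hours=24))
        report.update(backup_intact_before_tamper=(intact_before == []),
                      restored_ok=(restore_problems == []),
                      corruption_detected=corrupted,
                      audit_actions=[e["action"] for e in AUDIT_LOG])
        return report


if __name__ == "__main__":
    print(json.dumps(run_drill(), indent=2))
```

The manifest is what turns "we have a backup" into "we have a backup we can prove is intact"; restoring into a scratch directory is the quarterly test the slide asks for, and the timing around the restore is the measured RTO that gets compared with the objective.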
    10. Security for Backup Media
   •Physically Secure Backup Media: Store backup tapes, hard drives, and other media in secure locations, such as
    locked cabinets or vaults.
   •Use Secure Transport: If backup media needs to be transported (e.g., to an offsite location), ensure it is encrypted
    and securely transported.
   •Example: Keep physical backups in a fireproof, climate-controlled environment, and use secure courier services for
    offsite transfers.
    11. Monitoring and Auditing
   •Continuous Monitoring: Use monitoring tools to track the status of backups and data restoration processes.
   •Audit Trails: Maintain logs of all backup and recovery operations to help identify potential issues or unauthorized
    access.
   •Example: Use tools like SolarWinds or Datadog to monitor backup performance and alert IT personnel of failures
    or unusual activities.
    12. Employee Training and Awareness
   •Regular Training: Educate employees on the importance of data security, backup procedures, and how to handle
    data securely.
   •Security Awareness: Teach employees about potential data loss risks, such as phishing attacks, that may
    compromise backup systems.
   •Example: Hold quarterly security training sessions focused on data security, encryption, and backup best practices.
    13. Compliance with Regulations
   •Adhere to Regulatory Requirements: Ensure that backup and data security procedures comply with industry
    regulations such as GDPR, HIPAA, PCI-DSS, etc.
   •Document Compliance: Keep documentation of backup processes and policies for auditing and compliance
    purposes.
   •Example: If your company handles healthcare data, ensure that your backup and data security measures comply
    with HIPAA regula
   14. Cybersecurity Metrics & KPIs
    Cybersecurity Metrics & KPIs (Key Performance Indicators) are essential for measuring the effectiveness of an
    organization's cybersecurity efforts. They provide insights into the security posture, help identify areas of
    weakness, and ensure that security objectives align with business goals. Below are some critical cybersecurity
    metrics and KPIs that organizations can track to assess their cybersecurity programs.
    1. Incident Response Metrics
   •Mean Time to Detect (MTTD): Measures the average time it takes to identify a security incident after it occurs.
       • Why It Matters: Faster detection can prevent further damage and reduce the impact of a breach
   •Formula: MTTD = Total Detection Time / Number of Incidents Detected
   •Mean Time to Respond (MTTR): Measures the average time it takes to resolve a security incident once it's
    detected.
       • Why It Matters: Shorter response times reduce the risk of data loss and the overall damage from an
          attack.
   •Formula: MTTR = Total Time to Resolve Incidents / Number of Incidents Resolved
   •Incident Severity Levels: Classifying incidents based on their severity (e.g., critical, high, medium, low).
   •Percentage of Incidents Contained Within SLA: Measures the percentage of incidents resolved within the agreed
    Service Level Agreement (SLA).
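The two formulas and the SLA percentage are easy to get subtly wrong (which timestamps to subtract, what to do with incidents that are still open), so here is an added example that computes them from a constructed incident table. It is illustrative code written for this page, not from the slides; the incident records and the per-severity SLA targets are assumptions. MTTR is measured from detection to resolution, matching the definition above, and open incidents are excluded from MTTR but counted as SLA breaches once they have outlived their target.

```python
"""Added example: MTTD, MTTR, SLA attainment and severity mix from constructed
incident records. Times are ISO-8601 strings; "resolved": None means still open."""
from collections import Counter
from datetime import datetime, timedelta

INCIDENTS = [  # constructed data
    {"id": "INC-001", "severity": "critical", "occurred": "2025-01-10T09:00",
     "detected": "2025-01-10T09:30", "resolved": "2025-01-10T13:30"},
    {"id": "INC-002", "severity": "high", "occurred": "2025-01-11T08:00",
     "detected": "2025-01-11T10:00", "resolved": "2025-01-11T20:00"},
    {"id": "INC-003", "severity": "medium", "occurred": "2025-01-12T12:00",
     "detected": "2025-01-12T12:30", "resolved": "2025-01-13T04:30"},
    {"id": "INC-004", "severity": "low", "occurred": "2025-01-14T00:00",
     "detected": "2025-01-14T03:00", "resolved": None},
]

SLA = {  # assumed resolution targets per severity level
    "critical": timedelta(hours=4),
    "high": timedelta(hours=8),
    "medium": timedelta(hours=24),
    "low": timedelta(hours=72),
}


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


def mttd_hours(incidents) -> float:
    """MTTD = total detection time / number of incidents detected."""
    total = sum((_t(i["detected"]) - _t(i["occurred"]) for i in incidents), timedelta())
    return total.total_seconds() / 3600 / len(incidents)


def mttr_hours(incidents) -> float:
    """MTTR = total time from detection to resolution / number of incidents resolved.
    Open incidents have no resolution time and are left out."""
    resolved = [i for i in incidents if i["resolved"]]
    if not resolved:
        return 0.0
    total = sum((_t(i["resolved"]) - _t(i["detected"]) for i in resolved), timedelta())
    return total.total_seconds() / 3600 / len(resolved)


def pct_within_sla(incidents) -> float:
    """Share of resolved incidents whose detection-to-resolution time met the SLA."""
    resolved = [i for i in incidents if i["resolved"]]
    if not resolved:
        return 0.0
    within = sum(1 for i in resolved
                 if _t(i["resolved"]) - _t(i["detected"]) <= SLA[i["severity"]])
    return round(100 * within / len(resolved), 1)


def sla_breaches(incidents, now: datetime) -> list:
    """IDs of incidents that exceeded their SLA, including open ones measured up to `now`."""
    breaches = []
    for i in incidents:
        end = _t(i["resolved"]) if i["resolved"] else now
        if end - _t(i["detected"]) > SLA[i["severity"]]:
            breaches.append(i["id"])
    return breaches


def severity_counts(incidents) -> dict:
    return dict(Counter(i["severity"] for i in incidents))


if __name__ == "__main__":
    print("MTTD (h):", mttd_hours(INCIDENTS))
    print("MTTR (h):", mttr_hours(INCIDENTS))
    print("Within SLA (%):", pct_within_sla(INCIDENTS))
    print("Breaches:", sla_breaches(INCIDENTS, datetime(2025, 1, 20)))
    print("Severity mix:", severity_counts(INCIDENTS))
```

Reporting MTTR only over resolved incidents would hide a long-running open case, which is why the breach list evaluates open incidents against the clock as well.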
   15. Why are cyber security metrics important?
    Cybersecurity metrics are essential for several reasons, as they help organizations assess the effectiveness of their
    security programs, improve decision-making, and align their security strategies with business goals. Here’s why
    cybersecurity metrics are important:
    1. Measure the Effectiveness of Security Measures
    2. Identify Vulnerabilities and Weaknesses
    3. Improve Incident Response
    4. Prevent Future Attacks
    5. Track Progress Over Time
THANK YOU
Palakurla Shiva Kumar