Module 1: Introduction to Asset Security

by
Contents hide
1 Introduction to Asset Security
2 TEST YOUR KNOWLEDGE: INTRODUCTION TO ASSETS
3 TEST YOUR KNOWLEDGE: DIGITAL AND PHYSICAL ASSETS
4 TEST YOUR KNOWLEDGE: RISK AND ASSET SECURITY
5 Module 1 Challenge
6 CONCLUSION – Asset Security
Spread the love

Introduction to Asset Security

With this module, the participant can delve deep into the asset management aspects of cybersecurity as a whole. The session begins with a discussion on how assets are identified and prioritized for protection within an organization, casting light on the important relationship between risk management and asset classification. It discusses how to safeguard assets against physical threat and digital attack, emphasizing the multidimensional aspect of asset protection in the contemporary cybersecurity landscape.

In addition, it familiarizes them with the NIST framework, which is a national asset that provides industries with standards, guidelines, and best practices for managing cybersecurity risks. NIST is therefore poised as that provider of systematic approach to risk management in cybersecurity, a unique model which will help participants put together what is necessary to predict and protect indeed organizational assets in a constant revolving cyber world. This module greatly contributes to the participant’s journey along the lines of cybersecurity risk management, hooking them along with the best practices necessary to secure organizational assets.

Learning Objectives

  • Define important cybersecurity terminology: Comprehend the concepts of threat, vulnerability, asset, and risk.
  • Explain security in risk mitigation: Understand how security can be used to reduce the organizations’ risk.
  • Categorize assets based on worth: Understand the importance of assets to the organization in determining their categorization.
  • Identify data states: Know data in use, being transmitted, or resting and the security implications that each state has.
  • Understand the NIST Cybersecurity Framework: Investigate the benefits and application of the NIST Cybersecurity Framework

TEST YOUR KNOWLEDGE: INTRODUCTION TO ASSETS

1. What is a risk?

  • A weakness that can be exploited by a threat
  • The practice of labeling assets based on sensitivity and importance to an organization
  • Any circumstance or event that can negatively impact assets
  • Anything that can impact the confidentiality, integrity, or availability of an asset (CORRECT)

Risk is any source or event that can potentially affect the confidentiality, integrity, or availability (CIA) of an asset and compromise its security or functionality.

2. A security professional discovers a rogue access point on their company WiFi that is not managed by the networking team. The rogue device is altering and deleting sensitive records without authorization. What is the rogue device in this scenario?

  • Threat (CORRECT)
  • Vulnerability
  • Asset
  • Risk

A rogue device poses a threat because it might compromise the entire security and integrity of the company’s assets by introducing several routes for unauthorized access, malware, or other weaknesses that would otherwise not affect systems and data in organizations.

3. A product team is storing customer survey data for a new project in a cloud drive. The data is only accessible to product team members while the project is in development. What is this data’s asset type?

  • Internal demo
  • Confidential (CORRECT)
  • Customer data
  • Public

This data is strictly confidential and should be disclosed only to people working on a particular project. Confidential assets like this survey data of the customers should be kept secure from thieves and should have a restriction over its access by omission of unauthorized access towards disclosure or usage.

4. What is the practice of labeling assets based on sensitivity and importance to an organization?

  • Asset management
  • Asset restriction
  • Asset inventory
  • Asset classification (CORRECT)

Asset classification means the classification of assets according to their sensibility and significance regarding the organization. This practice has prioritized the protection and management of assets concerning their value and their potential impact on the organization’s operations and security.

5. What are the elements of security risk planning? Select three answers.

  • Assets (CORRECT)
  • Systems
  • Threats (CORRECT)
  • Vulnerabilities (CORRECT)

In Security Risk Planning, three vital aspects play a role, which are, assets, threats, and vulnerabilities. Asset means anything that is valuable to an organization e.g. a cash register with the money it contains. Valuing these assets thus gives an idea of the potential threats and vulnerabilities, which enables better planning and protection strategies.

One of the most important parts of security risk planning is considering three things that make up all risks: assets, threats, and vulnerabilities. A “threat” is any condition or event that results in negative impact on assets. For example, stealing money from a cash register.

A “vulnerability”, on the other hand, is a weakness in the system that can be taken advantage of by a threat, like an unlocked door to a restricted area that allows someone to access valuable features of the organization without being noticed.

6. Fill in the blank: _____ assets are often highly sensitive and considered need-to-know.

  • Internal-only
  • Public
  • Restricted (CORRECT)
  • Confidential

Restricted assets are those that often have a really high sensitivity and, therefore, considered “need-to-know”; that is, those who may access such assets are basically those who have clearance or authorization to handle said information. This is so that these assets can be controlled strictly in terms of confidentiality and integrity.

TEST YOUR KNOWLEDGE: DIGITAL AND PHYSICAL ASSETS

1. What is the practice of keeping data in all states away from unauthorized users?

  • Information security (CORRECT)
  • Asset
  • Cybersecurity
  • Network

Information security (InfoSec), as the term denotes, is the safeguarding of data in all its forms-whether used, in transit, or stored-from illegitimate access, disclosure, alteration, or destruction. Protection of the confidentiality, integrity, and availability of information is one of the measures against any probable breach of security.

2. An employee is promoted to a new role, so their workstation is transferred to a different office. As the employee’s workstation is being relocated, what data state are its files in?

  • At rest (CORRECT)
  • In transit
  • In use
  • In storage

As I said, the data are at rest. Now, data is said to be “at rest” when it is stored on a device or storage medium and is not actively accessed, processed, or transmitted. Here, when the workstation moves, this does not change the data’s state, as the data are still stored and not affected by moving the device.

3. What is an example of data in transit?

  • A sent email is traveling over the network to reach its destination. (CORRECT)
  • A spreadsheet file is saved on an employee’s hard drive.
  • A manager is editing a report on their computer.
  • A user logs in to their online account to review their messages.

An email journeying over a network to its destination can also be considered an instance of data in transit. Data in transit are data actively moving through a network, such as the Internet or between two devices, and are currently vulnerable to interception or tampering.

4. Fill in the blank: Data is in use when it is being _____ by one or more users.

  • accessed (CORRECT)
  • ignored
  • transported
  • classified
  • accessed (CORRECT)
  • ignored
  • transported
  • classified

When data is accessed, processed, or modified by at least one user or by one system, it is in use. Similarly, the act of working on data occurs when a file is open or queried from a database, as from that moment data become susceptible to various security threats, e.g., unauthorized access or data breach, during such time use or manipulation.

5. The only type of data that security teams must protect is data in use.

  • True
  • False (CORRECT)

Security teams need to protect data from being used, moved, or even just stored.

TEST YOUR KNOWLEDGE: RISK AND ASSET SECURITY

1. What type of risk do security plans address? Select three answers.

  • Loss of information (CORRECT)
  • Shift of market conditions
  • Damage to assets (CORRECT)
  • Disclosure of data (CORRECT)

A security plan addresses risks resulting from asset damage, information loss, and unauthorized disclosures of data. It includes strategies and measures to protect an organization’s assets from any potential threats, guarantee the integrity and confidentiality of information, and avoid data breaches or other security incidents.

2. What are the basic elements of a security plan? Select three answers.

  • Standards (CORRECT)
  • Policies (CORRECT)
  • Procedures (CORRECT)
  • Regulations

Three basic components of a security plan are policies, standards, and procedures. Policies are rules meant to avoid and protect all kinds of risks and safeguard the information. Standards give guidelines for developing such policies. Lastly, procedures provide step-by-step detailed instructions for carrying out specific security tasks.

3. Fill in the blank: The NIST CSF is a _____ framework that consists of standards, guidelines, and best practices to manage cybersecurity risk.

  • voluntary (CORRECT)
  • mandatory
  • limited
  • rigid

The NIST CSF is a voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk. It is a comprehensive framework with a flexible design that can be used in any industry.

4. What are some benefits of the NIST Cybersecurity Framework (CSF)? Select three answers.

  • It is required to do business online.
  • It’s adaptable to fit the needs of any business. (CORRECT)
  • It helps organizations achieve regulatory standards. (CORRECT)
  • It can be used to identify and assess risk. (CORRECT)

So many advantages do include the CSF such as their adaptability to personal business circumstances, their effectiveness in compliance with regulations, and usefulness in risk identification and assessment.

5. What primary elements do security plans include? Select three answers.

  • Assets
  • Policies (CORRECT)
  • Procedures (CORRECT)
  • Standards (CORRECT)

There are three consubstantial components of a security plan which are the policy, standards, and procedures. Policies are essentially a set of rules aimed at mitigating risks and safeguarding information from malicious events. Standards are utilized as a guide for developing such policies while procedures contain the directives that describe step-by-step instructions for any specific tasks associated with security.

6. “Identify” and “Detect” are two of the five NIST Cybersecurity Framework (CSF) core functions. What are the other three? Select all that apply.

  • Protect (CORRECT)
  • Respond (CORRECT)
  • Recover (CORRECT)
  • Plan

There are basically five core functions of the NIST Cybersecurity Framework (CSF): identify, protect, detect, respond, and recover. These functions are the streamlined version of the main responsibilities an organization needs to address in a security plan. They can be understood as a checklist for managing cybersecurity risks appropriately and effectively reducing them.

Module 1 Challenge

1. An attacker spreads malicious software within an organization, which executes unauthorized actions on the organization’s systems. What does this scenario describe?

  • Threat (CORRECT)
  • Regulation
  • Procedure
  • Vulnerability

2. Which of the following are examples of security vulnerabilities? Select three answers.

  • Unlocked doors at a business (CORRECT)
  • Weak password (CORRECT)
  • Suspended access card
  • Unattended laptop (CORRECT)

3. Which of the following statements correctly describe security asset management? Select two answers.

  • It uncovers gaps in security. (CORRECT)
  • It decreases vulnerabilities.
  • It helps identify risks. (CORRECT)
  • It is a one-time process.

4. An employee is asked to email customers and request that they complete a satisfaction survey. The employee must be given access to confidential information in the company database to conduct the survey. What types of confidential customer information should the employee be able to access from the company’s database to do their job? Select two answers.

  • Credit card data
  • Home addresses
  • E-mail addresses (CORRECT)
  • Customer names (CORRECT)

5. What are the characteristics of restricted information? Select two answers.

  • It is considered need-to-know. (CORRECT)
  • It is available to anyone in an organization.
  • It is highly sensitive. (CORRECT)
  • It is protected with less defenses.

6. Which of the following can be prevented with effective information security? Select three answers.

  • Reputational damage (CORRECT)
  • Compliance with regulations
  • Identity theft (CORRECT)
  • Financial loss (CORRECT)

7. What is an example of data in use? Select three answers.

  • Downloading a file attachment.
  • Playing music on your phone. (CORRECT)
  • Reading emails in your inbox. (CORRECT)
  • Watching a movie on a laptop. (CORRECT)

8. What are some key benefits of a security plan? Select three answers.

  • Enhance business advantage by collaborating with key partners.
  • Establish a shared set of standards for protecting assets. (CORRECT)
  • Outline clear procedures that describe how to protect assets and react to threats. (CORRECT)
  • Define consistent policies that address what’s being protected and why. (CORRECT)

9. An employee who has access to company assets abuses their privileges by stealing information and selling it for personal gain. What does this scenario describe?

  • Procedure
  • Regulation
  • Threat (CORRECT)
  • Vulnerability

10. Which of the following are examples of a vulnerability? Select two answers.

  • A malfunctioning door lock (CORRECT)
  • Malicious hackers stealing access credentials
  • Attackers causing a power outage
  • An employee misconfiguring a firewall (CORRECT)

11. Fill in the blank: Information security (InfoSec) is the practice of keeping ____ in all states away from unauthorized users.

  • documents
  • files
  • data (CORRECT)
  • processes

12. What is an example of digital data at rest? Select two answers.

  • Contracts in a file cabinet
  • Email messages in an inbox (CORRECT)
  • Letters on a table
  • Files on a hard drive (CORRECT)

13. Who should an effective security plan focus on protecting? Select three answers.

  • Employees (CORRECT)
  • Competitors
  • Business partners (CORRECT)
  • Customers (CORRECT)

14. Which of the following are functions of the NIST Cybersecurity Framework core? Select three answers.

  • Protect (CORRECT)
  • Detect (CORRECT)
  • Implement
  • Respond (CORRECT)

15. Fill in the blank: The NIST Cybersecurity Framework (CSF) is commonly used to meet regulatory _____.

  • procedures
  • compliance (CORRECT)
  • fines
  • restrictions

16. A malicious hacker gains access to a company system in order to access sensitive information. What does this scenario describe?

  • Threat (CORRECT)
  • Procedure
  • Vulnerability
  • Regulation

17. Which of the following are examples of internal-only information? Select two answers.

  • Intellectual property
  • Employee records (CORRECT)
  • Business plans (CORRECT)
  • Credit card numbers

18. Which of the following are components of the NIST Cybersecurity Framework? Select three answers.

  • Tiers (CORRECT)
  • Core (CORRECT)
  • Controls
  • Profiles (CORRECT)

19. What is the first step of asset management?

  • To classify assets based on value
  • To assign a risk score to assets
  • To make an asset inventory (CORRECT)
  • To address an asset’s vulnerabilities
 

20. What is an example of confidential information? Select two answers.

  • Marketing strategy (CORRECT)
  • Press release
  • Project documents (CORRECT)
  • Employee contacts

21. Fill in the blank: Most security plans address risks by breaking them down into these categories: damage, disclosure, and _____.

  • removal
  • deletion
  • loss of information (CORRECT)
  • leakage

22. What NIST Cybersecurity Framework (CSF) tier is an indication that compliance is being performed at an exemplary standard?

  • Level-1
  • Level-3
  • Level-4 (CORRECT)
  • Level-2

23. Which component of the NIST Cybersecurity Framework (CSF) is used to measure the performance of a security plan?

  • Tiers (CORRECT)
  • Framework
  • Respond
  • Core

24. Which of the following refers to the process of tracking assets and the risks that affect them?

  • Asset administration
  • Asset inventory
  • Asset classification
  • Asset management (CORRECT)

25. What is an example of restricted information? Select three answers.

  • Cardholder data (CORRECT)
  • Employee email addresses
  • Intellectual property (CORRECT)
  • Health information (CORRECT)

26. Why is it so challenging to secure digital information? Select two answers.

  • There are so many resources to dedicate to security.
  • There are no regulations that protect information.
  • Technologies are interconnected. (CORRECT)
  • Most information is in the form of data. (CORRECT)

27. Which component of the NIST Cybersecurity Framework (CSF) is used to  compare the current state of a security plan to others?

  • Core
  • Compliance
  • Profiles (CORRECT)
  • Detect

28. What is an example of data in transit? Select two answers.

  • A file being downloaded from a website (CORRECT)
  • An email being sent to a colleague (CORRECT)
  • A website with multiple files available for download
  • A slideshow presentation on a thumb drive

CONCLUSION – Asset Security

This in-depth experience captured by all participants ensures an even and broad understanding of asset management in the field of cybersecurity. From how to strategically identify and prioritize assets to overcoming particular hurdles associated with securing both physical and digital resources, these participants are well within the right track for finding precious insights regarding critical factors concerning asset protection. Furthermore, an introduction to the National Institute of Standards and Technology (NIST) framework has properly set industry-standard guidelines and best practices to ensure a structured approach to managing cybersecurity risks into the hands of the participants.

This module also therefore forms part of a great foundation for the learners in their advancing programs in cybersecurity so that they may act with confidence in the protection of assets navigating a very complex terrain. Practical application of theory allows such an overview to exhibit preparedness in contributing to effective risk management strategies while also taking on key roles in the actual securing of organizational assets.

Leave a Comment