
LEXCODE


Information security sphere


Contingency Planning
End Point Security
Network Security
Cyber Security Training
Application Security
Cyber Security Testing
Cyber Incident Response
Data Protection
Regulatory Compliance

(c) 2013 LEXCODE Regulatory Compliance Technologies Pvt. Ltd.


This document may be reproduced and distributed freely. Attribution to the copyright holder is mandatory.
www.lexcode.in

Segments of the Lexcode Information Security Sphere

1. End-point Security

End point security requires that each computing device on the network comply with certain standards before network access is granted.

Endpoints include laptops, desktop computers, smart phones and other communication devices, tablets, specialized equipment such as bar code readers, point of sale (POS) terminals etc.

End-point security encompasses -
1. Host-based firewalls, intrusion detection systems and intrusion prevention systems,
2. Host-based anti-virus systems, anti-malware systems, anti-spyware systems, anti-rootkit systems, anti-phishing systems, pop-up blockers, spam detection systems, unified threat management systems,
3. SSL Virtual Private Networks,
4. Host Patch and Vulnerability Management,
5. Memory protection programs,
6. Control over memory devices, Bluetooth Security,
7. Password Management,
8. Security for Full Virtualization Technologies,
9. Media Sanitization,
10. Securing Radio Frequency Identification (RFID) Systems.

2. Network Security

Network security relates to the cyber security aspects of computer networks and network-accessible resources.

Network Security encompasses -
1. Secure authentication and identification of network users, hosts, applications, services and resources,
2. Network based firewalls, intrusion detection systems and intrusion prevention systems,
3. Network based anti-virus systems, anti-malware systems, anti-spyware systems, anti-rootkit systems, unified threat management systems,
4. Network Patch and Vulnerability Management,
5. Virtual Private Networks,
6. Securing Wireless Networks,
7. Computer Security Log Management,
8. Enterprise Telework and Remote Access Security,
9. Securing WiMAX Wireless Communications,
10. Network Monitoring,
11. Network Policy Management.

3. Application Security

Application security relates to the cyber security aspects of applications and the underlying systems.

Application attacks include -
1. Input Validation attacks such as buffer overflow, cross-site scripting, SQL injection, canonicalization,
2. Authentication attacks such as network eavesdropping, brute force attacks, dictionary attacks, cookie replay, credential theft,
3. Authorization attacks such as elevation of privilege, disclosure of confidential data, data tampering, luring attacks,
4. Configuration management attacks such as unauthorized access to administration interfaces / configuration stores, retrieval of clear text configuration data, lack of individual accountability, over-privileged process & service accounts,
5. Sensitive information attacks such as access to sensitive data in storage, network eavesdropping,
6. Session management attacks such as session hijacking, session replay, man in the middle,
7. Cryptography attacks due to poor key generation or key management and weak or custom encryption,
8. Parameter manipulation attacks e.g. query string manipulation, form field / cookie / HTTP header manipulation,
9. Exception management attacks such as denial of service,
10. Auditing and logging attacks.

4. Cyber Incident Response

Incident Response relates to the plans, policies, and procedures for handling cyber security incidents.

Broadly speaking, Cyber Incident Response covers -
1. Organizing an Incident Response Capability,
2. Preparing for and preventing Incidents,
3. Detection and analysis of Incidents,
4. Containment, Eradication and Recovery,
5. Post Incident Activity.

Specifically, Cyber Incident Response encompasses -
1. Forensic Imaging & Cloning,
2. Recovering Digital Evidence in Computer Devices,
3. Mathematical Authentication of Digital Evidence,
4. Using Data from Data Files, Operating Systems, Network Traffic, Applications and Multiple Sources,
5. Analyzing Active Data, Latent Data and Archival Data,
6. Wireless, Network, Database, Password, Facebook, Google, Malware, Memory, Browser, and Cell Phone Forensics, Web Investigation, Investigating Emails, Investigating Server Logs, Cyber Investigation & Forensics Documentation, Windows Forensics, Linux Forensics and Mac Forensics.

5. Regulatory Compliance

Regulatory Compliance relates to measures undertaken to ensure compliance with applicable laws and mandatory cyber security standards.

Failure to meet regulatory compliance requirements can result in civil and criminal action and even imprisonment for organization heads.

Usage of consolidated and harmonized compliance controls ensures regulatory compliance without unnecessary duplication of effort and activity.

One such control system is the "Effective Compliance and Ethics Program" contained in Chapter 8B2.1 of the Federal Sentencing Guidelines Manual issued by the United States Sentencing Commission.

Another control is the "AS 3806-2006" issued by Standards Australia. This provides guidance on -
1. the principles of effective management of an organization's compliance with its legal obligations, as well as any other relevant obligations such as industry and organizational standards,
2. principles of good governance and accepted community and ethical norms.

The principles cover -
1. commitment to achieving compliance,
2. implementation of a compliance program,
3. monitoring and measuring of compliance, and
4. continual improvement.

6. Data Protection

Data Protection relates to the cyber security aspects of protecting the confidentiality, integrity and availability of data.

From a Data Protection perspective, data can be classified into 3 types - data at rest, data in motion and data under use.

Critical and confidential data includes source code, product design documents, process documentation, internal price lists, financial documents, strategic planning documents, due diligence research for mergers and acquisitions, employee information, customer data such as credit card numbers, medical records, financial statements etc.

Data Loss Prevention solutions -
1. identify confidential data,
2. track that data as it moves through and out of the enterprise, and
3. prevent unauthorized disclosure of data by creating and enforcing disclosure policies.

Various encryption technologies such as symmetric encryption, public key encryption and full disk encryption can be used for data protection.

A data protection policy involves -
1. Instituting good security and privacy policies for collecting, using and storing sensitive information,
2. Using strong encryption for data storage,
3. Limiting access to sensitive data,
4. Safely purging old or outdated sensitive information.

7. Cyber Security Training

Cyber Security Training is a formal process for educating personnel about cyber security and building relevant skills and competencies.

Cyber Security Training ensures that relevant personnel understand their cyber security responsibilities. This enables them to properly use and protect the information and resources entrusted to them.

Effective cyber security training must include -
1. Real-world training on systems that emulate the live environment,
2. Continual training capability for routine training,
3. Timely exposure to new threat scenarios,
4. Exposure to updated scenarios reflecting the current threat environment,
5. Coverage of basic day-to-day practices required by the users.

8. Cyber Security Testing

Cyber Security Testing is the process of ascertaining how effectively the entity meets specific cyber security objectives.

Cyber Security Testing encompasses -
1. Review Techniques, which include Documentation Review, Log Review, Ruleset Review, System Configuration Review, Network Sniffing and File Integrity Checking,
2. Target Identification and Analysis Techniques, which include Network Discovery, Network Port and Service Identification, Vulnerability Scanning, Active & Passive Wireless Scanning, Wireless Device Location Tracking and Bluetooth Scanning,
3. Target Vulnerability Validation Techniques, which include Password Cracking, Penetration Testing and Social Engineering,
4. Security Assessment Planning, which includes Developing a Security Assessment Policy, Prioritizing and Scheduling Assessments, Selecting and Customizing Techniques, Assessment Logistics, Assessor Selection and Skills, Location Selection, Technical Tools and Resources Selection, Assessment Plan Development and Legal Considerations,
5. Security Assessment Execution, which includes Coordination, Assessing, Analysis, Data Handling, Data Collection, Data Storage, Data Transmission and Data Destruction,
6. Post Testing Activities, which include Mitigation Recommendations, Reporting and Remediation/Mitigation.

9. Contingency Planning

Contingency planning revolves around preparing for unexpected and potentially unfavourable events that are likely to have an adverse impact.

Types of Contingency Plans are -
1. Business Continuity Plan,
2. Continuity of Operations Plan,
3. Crisis Communications Plan,
4. Critical Infrastructure Protection Plan,
5. Cyber Incident Response Plan,
6. Disaster Recovery Plan,
7. Information System Contingency Plan,
8. Occupant Emergency Plan.

Stages in the Information System Contingency Planning Process are -
1. Developing the Contingency Planning Policy Statement,
2. Conducting the Business Impact Analysis,
3. Identifying Preventive Controls,
4. Creating Contingency Strategies,
5. Plan Testing, Training, and Exercises,
6. Plan Maintenance.

LEXCODE
Regulatory Compliance Technologies Pvt. Ltd.
Incubated by Science & Technology Park
promoted by Department of Science and Technology
Government of India

Contact us at:
Science and Technology Park, University of Pune, Pune 411007
www.lexcode.in
