What is it?

A set of rules, usually backed by a legal mandate, that control an activity or environment and provide a means for compliance to be inspected and enforced.

Why is it important?

The internet is an ever-changing environment where the rules are constantly being amended and updated as new technologies emerge. Regulations attempt to control the technological environment and the human behavior associated with it.

Why does a business professional need to know this?

The internet, being a relatively new and rapidly evolving environment, has been perceived as inherently devoid of control in its creation and, therefore, a space of perceived freedom. Freedom and control can be seen in both positive and negative lights. They present a double-edged sword; controlled environments may actually allow for more freedom, whereas free environments may encourage a lack of control and, therefore, chaos. The existence (or lack) of safety and security is a preoccupation for many, both personally and professionally.

In reality, the web environment has always been subject to control. There are many ways to regulate an environment: by law, through social norms, through market forces, or by imposing physical and logical constraints. Each of these has been applied to the internet.

In a business context, it is important to understand what is behind the setting of new rules and norms online and to know how those changes will affect us, either directly or indirectly (CSO 2012). Of course, as business professionals, we need to be prepared for new political, environmental, sociological, technological, legal, and economic factors that might have an impact on our organization. We must be prepared to adjust our business practices to react to new regulations related to cybersecurity.

About Vanessa Harrison

Vanessa Harrison, BA (Hons), CELTA, DELTA, MBA, MSc, is a management systems consultant, course writer and associate tutor for the British Standards Institution (BSI) in the EMEA region. She specializes in ISO 27001, ISO 22301, ISO 31000, and ISO 9001. Vanessa implements and audits the aforementioned standards and teaches the same at all levels, including the lead implementer and lead auditor qualifications.

Vanessa also works with the anti-bribery standard ISO 37001, manages the risk and compliance for 2CVGB Ltd, as a volunteer, and is a member of BSI committees RM/1 and CAR/1. These committees are responsible for revising and updating risk management standards, including ISO 31000, and Vanessa represents the UK at the international level.

Term: Regulation

Email: vanessa.harrison@hatseu.com

LinkedIn: linkedin.com/in/vanessa-harrison-ba-hons-celta-delta-mba-msc-a9868b14

What is it?

A common set of rules designed to ensure interoperability between different products, systems, and organizations.

Why is it important?

Standards provide stable, long-term guidelines that products can be validated against to ensure they will operate correctly and securely with other products that adhere to the same standard. Standards reflect the best practices of experienced cybersecurity professionals.

...continue reading "Term of the Week: Standards"

What is it?

A set of mandatory requirements that apply to specific areas of an organization’s operations, including cybersecurity.

Why is it important?

Policies are important because they define the strategic intent behind the rules, regulations, protocols, and procedures that the organization or industry implements.

...continue reading "Term of the Week: Policy"

What is it?

A strategy that helps reduce fraud and error by assigning two or more parts of a transaction to separate individuals. For example, the same person should not be able to enter an invoice and then approve its payment.

Why is it important?

Separation of duties (SoD) (also known as segregation of duties) prevents the same person from performing two or more parts of a transaction that would be susceptible to error or fraud if performed by one person. Fraud made possible by a lack of internal controls can lead to the loss of money, reputation, and market share, as well as risking fines from regulators and, perhaps ultimately, shutdown of the organization.

...continue reading "Term of the Week: Separation of Duties"
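The invoice example above, worked through in code as an added illustration (not code from the original post): a two-step approve-payment workflow where role checks alone are not enough, because the control must also compare the approver against the person who entered the invoice. The user names, role names, and invoice values are constructed sample data, and the `toxic_role_combinations` review is an assumed supporting check rather than anything the post describes.

```python
"""Separation-of-duties enforcement for a two-step invoice workflow.

Added example (not from the original post). Users, roles and invoices
below are constructed sample data; the SoD rule implemented is the one
the post states: the person who enters an invoice must not be the one
who approves its payment.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


class SeparationOfDutiesViolation(Exception):
    """Raised when one person would perform two conflicting steps."""


@dataclass
class Invoice:
    invoice_id: str
    amount: float
    entered_by: Optional[str] = None
    approved_by: Optional[str] = None
    # Every step is recorded with the acting user so auditors can
    # verify after the fact that the control held.
    audit_log: List[Tuple[str, str]] = field(default_factory=list)


# Constructed sample role assignments (hypothetical users and roles).
ROLES: Dict[str, Set[str]] = {
    "alice": {"ap_clerk"},
    "bob": {"ap_approver"},
    "carol": {"ap_clerk", "ap_approver"},  # holds both roles: an SoD risk
}


def enter_invoice(inv: Invoice, user: str) -> Invoice:
    """Step 1: a clerk records the invoice."""
    if "ap_clerk" not in ROLES.get(user, set()):
        raise PermissionError(f"{user} may not enter invoices")
    if inv.entered_by is not None:
        raise ValueError(f"{inv.invoice_id} already entered")
    inv.entered_by = user
    inv.audit_log.append(("entered", user))
    return inv


def approve_payment(inv: Invoice, user: str) -> Invoice:
    """Step 2: an approver releases payment, but never for their own entry."""
    if "ap_approver" not in ROLES.get(user, set()):
        raise PermissionError(f"{user} may not approve payments")
    if inv.entered_by is None:
        raise ValueError(f"{inv.invoice_id} cannot be approved before entry")
    # The SoD control proper: holding the approver role is not sufficient;
    # the approver must be a different individual from the person who
    # entered the invoice.
    if user == inv.entered_by:
        raise SeparationOfDutiesViolation(
            f"{user} entered {inv.invoice_id} and may not also approve it"
        )
    inv.approved_by = user
    inv.audit_log.append(("approved", user))
    return inv


def toxic_role_combinations(
    roles: Dict[str, Set[str]],
    conflicting: Tuple[Tuple[str, str], ...] = (("ap_clerk", "ap_approver"),),
) -> List[Tuple[str, str, str]]:
    """Static review: users whose role set alone would let them perform
    both halves of a transaction. The runtime check above still blocks
    them, but such assignments are worth flagging during access reviews."""
    flagged = []
    for user, held in roles.items():
        for a, b in conflicting:
            if a in held and b in held:
                flagged.append((user, a, b))
    return flagged


if __name__ == "__main__":
    inv = enter_invoice(Invoice("INV-0001", 1200.0), "alice")
    approve_payment(inv, "bob")
    print(inv.audit_log)
    print("role review:", toxic_role_combinations(ROLES))
    try:
        approve_payment(enter_invoice(Invoice("INV-0002", 50.0), "carol"), "carol")
    except SeparationOfDutiesViolation as exc:
        print("blocked:", exc)
```

The runtime check and the access review complement each other: the first stops a self-approval even when a user legitimately holds both roles, and the second surfaces those dual-role accounts so the role assignment itself can be corrected.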

What is it?

An assurance that information can be requested by and delivered to authorized individuals whenever required.

Why is it important?

Availability is part of the confidentiality, integrity, and availability (CIA) security triad. Even if information is kept confidential and has integrity, it still must be available so that authorized individuals can access the information in a reasonable period of time.

Why does a business professional need to know this?

A business professional needs to understand availability because it constitutes one leg of the confidentiality, integrity, availability (CIA) security triad, which is the foundation of secure information in cybersecurity.

Your efforts to secure your systems and data mean nothing if that data is not available to authorized users (individuals or other systems). Availability can be compromised by malicious individuals or by accident in many ways, including the following:

  • Distributed Denial of Service (DDoS) attacks, which attempt to slow down or crash systems by flooding a system with requests from many different systems
  • Malicious software that either crashes or slows down a system
  • System slowdowns or crashes caused by malicious insiders or human error
  • Unexpectedly high volume of legitimate requests (e.g., a popular item goes on sale)

To help ensure availability, organizations need to plan for peak usage, for example by using load balancing and fail-over strategies. They also need to follow best practices for creating a strong cybersecurity defense. These include vulnerability assessments, business continuity planning, and incident response planning.

While these practices are not inexpensive, consider the loss in sales and productivity if your systems and data were to become unavailable for an extended period of time.
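The load-balancing and failover strategies mentioned above, as an added example that is not part of the original post: a backend pool that spreads requests round-robin, ejects a backend after repeated failures, retries a failed request on another backend, and lets an ejected backend rejoin once an active health check succeeds. Backend names, the failure threshold, and the simulated call outcomes are constructed assumptions.

```python
"""Round-robin backend pool with failure ejection and failover.

Added example (not from the original post). Backend names, thresholds
and the simulated call results are constructed sample data; the logic
illustrates the load-balancing and failover strategies the post lists
as ways to keep a service available under load or partial failure.
"""
from typing import Callable, Dict, List, Optional


class BackendPool:
    def __init__(self, backends: List[str], failure_threshold: int = 3):
        self.backends = list(backends)
        # Consecutive failures per backend; reaching the threshold ejects it.
        self.failures: Dict[str, int] = {b: 0 for b in self.backends}
        self.threshold = failure_threshold
        self._rr = 0  # round-robin cursor

    def healthy(self) -> List[str]:
        return [b for b in self.backends if self.failures[b] < self.threshold]

    def record(self, backend: str, ok: bool) -> None:
        """Passive health tracking from real request outcomes."""
        if ok:
            self.failures[backend] = 0
        else:
            self.failures[backend] += 1

    def pick(self) -> Optional[str]:
        """Next healthy backend in round-robin order, or None if all are down."""
        live = self.healthy()
        if not live:
            return None
        choice = live[self._rr % len(live)]
        self._rr += 1
        return choice

    def probe_all(self, check: Callable[[str], bool]) -> List[str]:
        """Active health check of every backend, including ejected ones, so a
        recovered backend can rejoin without first receiving live traffic."""
        for b in self.backends:
            self.record(b, check(b))
        return self.healthy()


def handle(pool: BackendPool, call: Callable[[str], bool], max_tries: int = 3) -> Optional[str]:
    """Serve one request: on failure, fail over to another backend.

    Returns the backend that served the request, or None if it had to be
    dropped (no healthy backend, or max_tries exhausted)."""
    for _ in range(max_tries):
        backend = pool.pick()
        if backend is None:
            return None
        ok = call(backend)
        pool.record(backend, ok)
        if ok:
            return backend
    return None


def simulate(pool: BackendPool, n: int, call: Callable[[str], bool]) -> Dict[str, int]:
    """Dispatch n requests and count how many each backend served ('dropped'
    counts requests that no backend could serve)."""
    served: Dict[str, int] = {b: 0 for b in pool.backends}
    served["dropped"] = 0
    for _ in range(n):
        who = handle(pool, call)
        served[who if who is not None else "dropped"] += 1
    return served


if __name__ == "__main__":
    # Constructed scenario: backend "b" is broken, the others are fine.
    pool = BackendPool(["a", "b", "c"], failure_threshold=2)
    print(simulate(pool, 10, lambda b: b != "b"))
    print("healthy after traffic:", pool.healthy())
    print("healthy after recovery probe:", pool.probe_all(lambda b: True))
```

The passive tracking alone would never let an ejected backend recover, since it receives no traffic; the active probe is what closes that loop, and the bounded retry in `handle` keeps a request from spinning when every backend is failing.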

About Michael Moorman

Michael Moorman has been a full-time faculty member at Saint Leo University for 27 years, teaching computer information systems, computer science, and cybersecurity courses. He is a member of the IEEE Computer Society, a senior member of the ACM, and a Certified Information Systems Security Professional (CISSP). Prior to earning his doctorate and becoming a professor, he served in the US Air Force as a pilot and engineer.

Term: Availability

Email: Michael.Moorman@saintleo.edu

What is it?

An assurance that information remains unaltered from its intended state as it is produced, transmitted, stored, and received. Ensuring integrity may include ensuring the non-repudiation and authenticity of information as well.

Why is it important?

Integrity is considered by many to be the most important element of the confidentiality, integrity, and availability (CIA) security triad. Any system that is otherwise available and confidential can still be rendered useless if a user cannot be confident that the information it contains is trustworthy, accurate, and complete.

...continue reading "Term of the Week: Integrity"

What is it?

The safeguarding of data from unauthorized access or disclosure.

Why is it important?

Confidentiality is part of the confidentiality, integrity, and availability (CIA) security triad. In the CIA security model, the objective of confidentiality is to prevent the disclosure of information to unauthorized entities.

...continue reading "Term of the Week: Confidentiality"

What is it?

Authorized testing of a computer system or network with the intention of finding vulnerabilities. Also called pen testing.

Why is it important?

A cyberattack can harm not only your organization, but also customers, partners, employees, and vendors. Penetration testing can reveal vulnerabilities, suggest improvements to your systems, and reduce risk for your organization. In addition, penetration testing is encouraged and even required by certain industry standards.

...continue reading "Term of the Week: Penetration Testing"

What is it?

A test for security vulnerabilities that looks at the source code or binary of an application without running it.

Why is it important?

Static Application Security Testing (SAST) can be used before an application is executable, enabling early and regular tests for security vulnerabilities. SAST allows developers to fix problems during the development phase of an application and at a much lower cost than when the code is in quality assurance (QA) or production.

...continue reading "Term of the Week: Static Application Security Testing"

What is it?

A formal method to identify, characterize, and prioritize risks and threats, typically with the goal of reducing them, also known as threat analysis or risk analysis.

Why is it important?

Most software is riddled with vulnerabilities, and software is pervasive in devices such as phones, cars, voting machines, etc. Threat modeling is one of the most effective ways to avoid and find vulnerabilities.

...continue reading "Term of the Week: Threat Modeling"