Cyber Security | The Ismaili Canada

Cyber Security

The information on this page and its contents are intended for general informational purposes only and are not intended to be professional advice nor the advice of the Shia Imami Ismaili Council for Canada or its boards, portfolios, or local councils, including the Aga Khan Economic Planning Board for Canada. Please seek the advice of a relevant professional advisor in relation to your specific situation.

What is Cybersecurity for Businesses?
  • Cyber security - The practice and ability to protect or defend the use of virtual infrastructures and assets from cyber threats. 
  • Information security - The protection of information, in both physical and digital formats, against unauthorized access to, or modification, whether in storage, being processed, or in transit, and against the denial of service to authorized users, including those measures necessary to detect, document, and counter such threats.

Cybersecurity Principles

  • Confidentiality - The property that data is not disclosed to unauthorized entities. This principle is concerned with privacy and information security: not just the Personally Identifiable Information of customers or employees, but also the protection of the corporate information on which the business relies, such as financial information, Intellectual Property, and/or operational data.
  • Integrity - The notion that data has not been altered in an unauthorized manner since it was created, transmitted, or stored. Recognizing the importance of data for organizations, a level of trust is required that the information upon which the organization relies is accurate. Data informs decisions made by the organization, as well as by its customers. For example, if management doesn’t know how the business is performing due to inaccurate data, it cannot determine whether the strategy is effective. Likewise, if customers have a bad experience because their data is incorrect, or they are being charged more for a good than expected, they might take their business elsewhere.
  • Availability - The property that data can be accessed, or a requested service can be provided, within an acceptable period. Even if data is accurate, if it is unavailable to the organization or its customers then it is of no use. Cyber security should protect information systems so that data is available on demand, in a manner that is user friendly. This relates to the speed of retrieval, as well as to its structure and appearance for the end user.
Why is Cybersecurity Important?

Cybersecurity as a business enabler

Cybersecurity is a business enabler, seeking to maintain the confidentiality, integrity, and availability of the data and information systems which are the bedrock of an organization's operations. As organizations increase their reliance on technology, their cyber risk exposure also increases. Managing this risk permits technology to be utilized by an organization for operational efficiency.

Cybersecurity and your clients

In addition to the operational value to your organization, the value and importance to your clients should be equally important. Clients now expect privacy, and an incident which leads to that privacy being lost could lead to a loss of trust in the organization, resulting in reputational damage, lost business, and ultimately financial loss.

The Threat of Cybercrime

The threat of cybercrime is growing. Sophisticated, well-funded criminal enterprises are carrying out attacks against organizations to steal data and demand ransoms. There is a trickle-down effect, where the technologies developed and used by the larger criminal organizations are sold on the dark web. They are not very expensive. The return on investment for anyone using these tools is significant, placing a target on businesses of any size. With a single mail campaign, essentially the click of a few buttons, the criminal may be opening the door to a series of ransom payments of anywhere between $5,000 and $500,000 or more. These criminals are motivated, and so cyber security is the best defense against them.

Regulatory scrutiny on cybersecurity practice

Regulations are in place which require organizations to ensure that cyber and information security is applied effectively, and to follow processes so that the collection and use of personal data is both legitimate and secure.

What You Should Be Thinking About

An Individual

Your Expectation of Privacy

Your expectations of privacy should correlate to the regulations under which corporations are permitted to collect and process your personal sensitive data. This includes an expectation:
  • that personal information will not be collected without the individual's consent, and that your consent can be withdrawn at any time;
  • that information collected is accurate and kept up to date;
  • that information is collected and used for a legitimate business purpose, and that the information collected is limited to only that required for the business need;
  • that information will only be stored for as long as it is necessary for the organization to fulfil its business need;
  • that while information is collected and used it is protected against loss, theft, or unauthorized access, disclosure, copying, use, or modification;
  • and that an individual may have access to all information collected on them, as well as receive explanations regarding the reasons for collection and use of that information, so that the individual can make an informed decision regarding their status of consent.

See the section “How to Avoid Falling Victim to Common Social Engineering Threats” below.

A Startup or Mom & Pop Shop

Vendor selection and contractual protections 

For less tech-savvy entrepreneurs, consider seeking out a third party to manage your information security. Budgets can be tight, but a significant cyber incident can put a small business out of business. It is worth getting support from a third party you can trust. Vendors are an affordable way to gain expertise in cybersecurity and outsource a skilled function. However, you cannot outsource liability, and so it is vital you understand how to select the right vendor for your needs and protect your organization in the event of vendor issues.

Vendor selection

  • Seek a credentialed vendor with experience providing managed security services. Look for credentials and certifications such as CISSP or CISM, a SOC 2 Type 1 or Type 2 compliance report, or an ISO or NIST third-party audit report.
  • If using an individual consultant for services, seek out references to confirm the individual’s experience is as presented in their CV.

Contractual Protections

  • Never go into business with a third party without a formal contract in place. Issues arise and no matter the sense of goodwill between both parties at the outset of the relationship, it is vital to ensure a formal contract exists that sets the parameters for disputes when they arise. This preserves a sense of order as both parties agreed to the terms prior to the engagement. 
  • Seek appropriate legal advice from a legally trained individual on contracts.

See the section “How to Avoid Falling Victim to Common Social Engineering Threats” below.

Cyber Hygiene 

Depending on which of your information technology assets you manage yourself, versus those outsourced to a third party subject to a contract, there are some basic cyber hygiene good practices which should be regularly monitored and executed to help protect your business. These cyber basics can be used to hold a vendor to account, or to manage your own network internally.

  1. Account Security
  • Do not use generic accounts; ensure that each user has their own set of credentials and that accounts are not shared.
  • Ensure that each account has a secure password or passphrase that is not reused for other personal accounts or subscriptions, is longer than 8 characters, and combines letters, numbers, and symbols.
  • Ensure that access controls for endpoints, software, and network devices follow a “deny-all” policy, granting access permissions only to those who are authorized.
  • Ensure that any remote access to the organization's IT assets is done via a Virtual Private Network (VPN) that is also subject to Multi-Factor Authentication (MFA).

  2. Information Protection

  • If possible, ensure that all devices used for storing the organization's information have encryption enabled. Prioritize mobile devices such as laptops and mobile phones, managed through an MDM solution.
  • Take training to understand information protection good practices.
  • Be diligent when sending sensitive information via email so that it does not go to unauthorized recipients.
  • Only store sensitive data in secure parts of the network. Avoid desktops or other unrestricted file locations.

  3. Information Systems Security

  • Ensure that all endpoints have antivirus installed that is kept up to date.
  • Ideally, also have an EDR tool installed and kept up to date.
  • Ensure that your data is subject to regular back-ups, which are kept in a secure environment, ideally one that is not directly accessible by regular business accounts.
  • Ensure that your email solution provides strong filtering. Look out for solutions that perform SPF/DKIM/DMARC checks. If possible, choose a solution that provides sandbox quarantine and detonation capabilities for incoming emails.
  • Run policy compliance scans on configurations of security and network devices, and software, to ensure that your systems are running as intended following changes to those systems.

A Small/Mid-Sized Organization

Business Impact Analysis (BIA) and Risk Assessment 

Conduct a BIA to identify and prioritize the information systems and components critical to supporting the organization's business processes. How critical is each process? What systems/IT assets support those processes? What would the impact be of an outage to a system that supports the process? How long would it take to recover that system and restore the process? What resources do you require to recover systems, and which systems do you recover first?

  • NIST SP 800-34 Rev. 1, “Contingency Planning Guide for Federal Information Systems”, Section 3.2 ‘Conduct the Business Impact Analysis’.

Use the findings from the BIA to conduct a formal risk assessment, focused on those critical systems, to identify any potential risks, threats, or vulnerabilities which require addressing. Ensure that the organization is utilizing threat intelligence to make an informed decision on the severity rating of each threat or vulnerability. 

  • NIST SP 800-30 Rev. 1, “Guide for Conducting Risk Assessments”.

Cyber Security Strategy and Program Initiation 

  • It is time to formalize your cyber security strategy to align with security frameworks, and establish a program to mature the cyber security posture and culture as the business grows. Start by developing cyber security related policies. Some initial policies to consider are as follows: 
  1. Cyber security Policy 
  2. Acceptable Use Policy 
  3. Identity and Access Management Policy 
  4. Vulnerability Management Policy 
  5. Third Party Cyber Security Policy 
  • If these policies already exist, review and update them to ensure they align with current good practice cyber security frameworks. 
  • Once finalized, conduct an internal assessment to determine how the organization currently complies with its own policies. For any areas of non-compliance, take a risk-based approach to developing a list of remediation action items, and order them by priority to determine the cyber security program for the next 1-2 years. 

Vendor selection and contractual protections 

  • Seek a credentialed vendor with experience providing managed security services. Look for credentials and certifications such as CISSP or CISM, a SOC 2 Type 1 or Type 2 compliance report, or an ISO or NIST third-party audit report.
  • If using an individual consultant for services, seek out references to confirm the individual’s experience is as presented in their CV.

Contractual Protections

  • Never go into business with a third party without a formal contract in place. Issues arise and no matter the sense of goodwill between both parties at the outset of the relationship, it is vital to ensure a formal contract exists that sets the parameters for disputes when they arise. This preserves a sense of order as both parties agreed to the terms prior to the engagement. 
  • Seek appropriate legal advice from a legally trained individual on contracts.
  • Ensure that critical vendors are required to demonstrate that they are maintaining their credentials/certifications at least on an annual basis.
  • Conduct monitoring to ensure that vendors are satisfying their SLAs.

See the section “How to Avoid Falling Victim to Common Social Engineering Threats” below.

Ensure your organization conducts annual training that is supported by phishing campaigns to simulate real social engineering campaigns to test employee knowledge and skills.

A Large Organization

Business Impact Analysis and Risk Assessment 

Conduct a BIA to identify and prioritize the information systems and components critical to supporting the organization's business processes. How critical is each process? What systems/IT assets support those processes? What would the impact be of an outage to a system that supports the process? How long would it take to recover that system and restore the process? What resources do you require to recover systems, and which systems do you recover first?

  • NIST SP 800-34 Rev. 1, “Contingency Planning Guide for Federal Information Systems”, Section 3.2 ‘Conduct the Business Impact Analysis’.

Use the findings from the BIA to conduct a formal risk assessment, focused on those critical systems, to identify any potential risks, threats, or vulnerabilities which require addressing. 

Ensure that the organization is utilizing threat intelligence to make an informed decision on the severity rating of each threat or vulnerability. 

  • NIST SP 800-30 Rev. 1, “Guide for Conducting Risk Assessments”.

Cyber Security Strategy and Program Maturity 

  • Determine which cyber security framework(s) the organization is going to align to. Ensure that the cyber security policies and standards which govern the organization's cyber security align with those frameworks, are subject to annual review and update, and inform cyber training and awareness program activities.
  • Conduct internal assessments, regular vulnerability scans, policy compliance scans on configurations, annual penetration testing, and independent third-party audits to determine compliance with company policies and standards. Gather the remediation action items needed to ensure compliance, and prioritize them using a risk-based approach, to develop a cyber security program for the next year.

Vendor Risk Management 

  • Conduct annual assessments of critical third-party vendors against the policies and standards set by the organization. Establish a standard for what is considered acceptable, unacceptable, and tolerable to determine a score for each vendor, depending on their variance from the organization's policies and standards.
  • Monitor critical vendors for performance against the SLAs defined and agreed upon in the respective contracts.

How to Avoid Falling Victim to Common Social Engineering Threats

In the quest to boost profits, cyber threat actors are increasing their sophistication in order to provoke errors from the human element, as individuals become more experienced in identifying a phishing attempt. Emails no longer promise riches from distant relatives, or contain lots of spelling mistakes. Threat actors are replicating legitimate vendors, often having purchased common software and platforms to gain insights that inform their template development. The human element continues to feature in 82% of breaches, with social engineering still a dominant part of that, alongside misconfigurations.

Phishing is a form of social engineering, typically through the deployment of computer-based means, to trick personnel into disclosing sensitive information. Ask yourself:

  1. Is the email coming from a legitimate sender? Look closely for any minor variations to a legitimate email address which at first glance looks correct. Take time to verify by searching for a previous email from that sender which you are confident is legitimate. 
  2. Does the email play on any of your emotions to entice a response? Often a phishing email will play on emotions such as fear, sadness, happiness, or anger. 
  3. Does the sender instill a sense of urgency? Commonly the sender will try to cause the recipient to panic into rushing their thought process through fear of an unwanted repercussion. 
  4. Is the email asking you to submit any sensitive information, such as card details or a password? If the email appears to be legitimate having followed the previous steps, as a final precaution call the sender through a number previously verified. NOT the number on the email containing the instruction. Ask the organization to confirm this is legitimate and why they need these details. 
  5. Does the email contain a link for you to click on? Hover your mouse over the link to show the full URL. Review to confirm that the URL looks legitimate. If on a mobile device, click and hold the link until the URL appears. 
  6. If the email contains an attachment, be cautious of any “macros”. A yellow bar will appear at the top which says “enable content”. Do not enable the content unless you are confident of its legitimacy. This rule applies to Word documents and Excel files.

Vishing is a form of social engineering, typically using voice calling, to trick personnel into disclosing sensitive information.

  1. If receiving a call from an unknown number, do not say anything or give away your name. Often these calls are automated, and the robot will wait for interaction before starting their dialogue. Wait for the caller to introduce themselves and determine if you are expecting the call. If not, just hang up. Your voice could be recorded and used in the future as a form of voice recognition identity theft. 
  2. If the call appears to be coming from a legitimate source but the caller is asking for sensitive information, hang up and call the organization back on a number that was previously verified to confirm the request is legitimate. Do not call the number back. 

Smishing is a form of social engineering, typically using SMS, to trick personnel into disclosing sensitive information.

  1. Similar to phishing, do not click on links or reply with any sensitive information. Call the sender on a number previously verified to confirm the request is legitimate.

How to Inform your Decisions Regarding Cybersecurity

Regulatory Requirements

Regulations exist to establish boundaries within which organizations must operate with regards to the collection, processing, and use of personal information. 

Federal - PIPEDA, the Personal Information Protection and Electronic Documents Act. PIPEDA covers the responsibilities private sector organizations in Canada have regarding the confidentiality, integrity, and availability of the personal information that the organization collects and/or processes, stipulated by several 'Fair Information Principles'. The collection and processing of data is also covered, with requirements for consent of the data subject and for transfer of information.

The new Bill C-26, An Act Respecting Cyber Security (ARCS), focuses on protecting Canadians through increased security across critical infrastructure, including Finance, Telecommunications, Energy, and Transportation. It amends the Telecommunications Act to add security as a policy objective, and it introduces the Critical Cyber Systems Protection Act (CCSPA) for securing critical infrastructure.

Sanctions have changed the way organizations approach a ransomware incident. While insurance does pay for ransoms, should the organization fall victim to a ransomware group that is tied to a nation state under sanctions, the ransom cannot be paid. This could be catastrophic for an organization that has no backups available and is faced with the prospect of rebuilding its data and systems from scratch. Organizations must prioritize prevention and cyber resilience, even if insurance is available, since sanctions may prevent the payment of a ransom to recover.

  • Alberta - PIPA, the Personal Information Protection Act, applies to provincially regulated private sector organizations and some non-profit organizations, covering the confidentiality and availability of PII, as well as requirements regarding the collection and use of that data.
  • BC - The Personal Information Protection Act is similar to PIPEDA in that it covers confidentiality, integrity, and availability, as well as the collection and use of that data.
  • Quebec - PIPA Bill 64 received royal assent on Sept 22nd. Administrative Monetary Penalties of $10M or 2% of global revenues. Penal offences can result in a fine of up to $25M or 4% of global revenues.
  • Ontario is in the process of implementing changes at the provincial level also, so stay tuned!

Business Impact Analysis and Risk Assessment

Conduct a BIA to identify and prioritize the information systems and components critical to supporting the organization's business processes. How critical is each process? What would the impact be of an outage? How long would the outage last? What resources do you require to recover systems, and which systems do you recover first?

Use the findings from the BIA to conduct a formal risk assessment, focused on those critical systems, to identify any potential risks, threats, or vulnerabilities which require addressing. Utilize strong threat intelligence feeds when assessing findings to inform the prioritization of remediation action items using a risk-based approach. 

Cyber Security Frameworks

Frameworks offer guidance to organizations by consolidating good-practice standards which can be applied to manage cyber risk and exposure. They offer a common set of controls, procedures, and practices that allow organizations to benchmark their posture against the framework itself, and against their industry peers who also align to the same framework.

Multiple frameworks exist, each with its own merits and focus. Mature organizations will often seek to utilize practices from a range of frameworks, while those still in the earlier stages of their journey will pick one and seek to achieve a level of maturity that works for their risk management strategy. 

  • NIST CSF – National Institute of Standards and Technology Cyber Security Framework. Designed for government organizations, this standard has become a leading choice for organizations across both public and private sectors. Its content is free and broken down into 5 pillars to structure practices to Identify, Protect, Detect, Respond, and Recover.
  • ISO – International Organization for Standardization. While there are other standards which cater to specific practices such as cloud security, ISO 27001/27002 offer a foundation for organizations and are widely used by organizations who use ISO standards across other risk management areas beyond IT Security. ISO 27001 focuses on the processes for organizations to protect information assets, while ISO 27002 provides detailed control recommendations to achieve ISO 27001. Each control is supported by an objective, as well as guidance for implementation.
  • CIS – Center for Internet Security. The CIS provides a list of “Critical Security Controls” which are prioritized to mitigate the most prevalent cyber-attacks against systems and networks. Safeguards are split into three categories depending on the organization. A group is allocated for all enterprises as a minimum standard (IG1), a second group for organizations with increased complexity of risk (IG2), and a final group for organizations with internal expertise available to them (IG3).
  • COBIT – Control Objectives for Information and Related Technologies, from ISACA (Information Systems Audit and Control Association), provides organizations with a framework that contains four main domains: planning and organization; acquisition and implementation; delivery and support; and monitoring and evaluation. It aligns IT security with business objectives through the delivery and management of systems.
  • OWASP Top Ten, from the Open Web Application Security Project, provides organizations with the top ten vulnerabilities and security risks organizations face regarding their web applications.


How to Assess your Company's Current Cybersecurity Position

  • Baldrige Cybersecurity Excellence Builder and self-assessment tools, in partnership with NIST.
  • CIS Self-Assessment Tool (CSAT)
  • C2M2 – Cybersecurity Capability Maturity Model. 
  • Engage an independent third party to conduct a Cyber Maturity Assessment against your organizations chosen cyber security framework. 
  • CMMC – Cybersecurity Maturity Model Certification. While NIST permits self-assessment, the CMMC requires a third-party audit to determine compliance and maturity level, of which there are 5. The US Dept. of Defense requires this for all contractors who wish to work for them, demonstrating its status as a highly regarded certification.

Practical Steps to Improve Your Company's Cybersecurity

Preventative Measures

These safeguards are in place to prevent a cyber incident from occurring, or in some cases can prevent an incident from escalating, while some of them combine as both preventative and detective. Ultimately, these form your first line of defense against cyber threats.

  • Multi-Factor Authentication for all remote access to the network, including third parties. The lack of MFA was cited as one of the primary causes of the ransomware pandemic, as remote threat actors with stolen credentials could easily access corporate environments relatively undetected. With MFA enabled, this becomes far more challenging.
  • EDR solution across all endpoints. EDR is a new development and upgrade from traditional antivirus. It utilizes behavioural analysis to learn what is considered ‘normal’ or not on an endpoint, raising alerts of anything concerning and offering containment solutions while an investigation is carried out. 
  • Email security solution with SPF/DKIM/DMARC, and sandbox quarantine and detonation capabilities. With more sophisticated threat actors, a strong email security solution will help support your employees by filtering much of the threatening noise which comes through their inboxes. Here is what each of the mentioned features achieves:
    • SPF – Sender Policy Framework is an authentication standard that seeks to detect spoofed emails which appear to come from a legitimate domain such as @amazon.com, by publishing which mail servers are permitted to send for that domain.
    • DKIM – DomainKeys Identified Mail is another technique used to detect a spoofed sender email address, by cryptographically signing outgoing messages with what is known as a digital signature that recipients can verify.
    • DMARC – Domain-based Message Authentication, Reporting, and Conformance works to protect an organization as it sends emails: once the domain's DMARC policy has been published, recipients can authenticate the email as coming from the legitimate domain and act on the policy when a message fails SPF and DKIM checks.
    • Sandbox Quarantine and Detonation – This is a feature of some email security solutions that will intercept an incoming email that contains an attachment or a link, quarantine that email in a sandbox environment, and detonate the attachments or links to observe what happens. If it is deemed to be malicious, the email will be deleted and the user made aware that they had received a phishing email.

  • A training and awareness program that includes regular phishing simulations. No matter how much security an organization invests in, those preventative measures can be quickly made redundant should an end user make an error of judgement. A robust training and awareness program should seek to educate users on their responsibilities for protecting the business from cyber threats, enable users with the knowledge and skills to navigate those threats, and reward users for notification of actual or suspected incidents to help inform internal threat intelligence. In support of training, simulation exercises should be run to test employee awareness and knowledge, to identify areas of improvement and to offer metrics for performance analysis of the business’ cyber security culture.
  • Vulnerability Management, including regular scanning and remediation of vulnerabilities, with timely patch implementation. An organization's capability will vary here depending on its resources, yet unpatched vulnerabilities are an easy exploit for threat actors. All organizations should aim to implement patches released by trusted vendors within two weeks to one month of the release date. In addition to patching, the external-facing environment should be hardened, closing unnecessary ports to minimize the attack surface of the organization.
  • Policies and standards for cyber security will help govern the organization by establishing what the organization should be doing against which compliance can be assessed. 
  • Network segmentation of critical and sensitive assets/environments will help prevent an incident from escalating. Often threat actors will seek to gain a foothold in the organization then move laterally to more sensitive parts of the network. Through strong account management and segmentation, threat actors can be delayed allowing the organization time to respond to the incident and contain the threat.
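To make the SPF and DMARC points above concrete, here is an added example (not code from the original page) that parses a domain's SPF and DMARC TXT records and flags the weak settings beside the corrected ones. The record strings are constructed samples for a hypothetical domain; a real check would fetch them with a DNS TXT lookup.

```python
"""Assess SPF and DMARC TXT records for enforcement strength.

Added example, not part of the original page. Records below are
constructed samples for a hypothetical domain (example.com).
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample records (not real DNS data).
# Weak: '+all' lets any host send as the domain; 'p=none' only monitors.
WEAK_SPF = "v=spf1 include:_spf.example-mailer.test +all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
# Corrected: '-all' rejects unlisted senders; 'p=reject' enforces DMARC.
STRONG_SPF = "v=spf1 include:_spf.example-mailer.test -all"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"


@dataclass
class Finding:
    """ok is True when no weak settings were found."""
    ok: bool
    issues: List[str] = field(default_factory=list)


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; ...' into a lower-cased tag dictionary."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(record: str) -> Finding:
    """Check the SPF record's final 'all' mechanism, which decides the
    fate of mail from hosts the record does not list."""
    issues: List[str] = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return Finding(False, ["missing v=spf1 version tag"])
    last = terms[-1].lower()
    if last in ("+all", "all"):
        issues.append("'+all' authorizes any host to send as this domain")
    elif last == "~all":
        issues.append("'~all' softfail only marks spoofed mail, it does not reject it")
    elif last != "-all":
        issues.append("record does not end with an 'all' mechanism")
    return Finding(not issues, issues)


def assess_dmarc(record: str) -> Finding:
    """Check that the DMARC policy enforces, reports, and covers all mail."""
    tags = parse_dmarc(record)
    issues: List[str] = []
    if tags.get("v") != "DMARC1":
        return Finding(False, ["missing v=DMARC1 version tag"])
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        issues.append(f"p={policy or '<missing>'} only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        issues.append("no rua= address, so aggregate reports are never received")
    pct = tags.get("pct", "100")  # DMARC applies to 100% of mail by default
    if pct != "100":
        issues.append(f"pct={pct} applies the policy to only part of the mail stream")
    return Finding(not issues, issues)


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC),
                              ("corrected", STRONG_SPF, STRONG_DMARC)):
        print(f"{label}: SPF {assess_spf(spf)}")
        print(f"{label}: DMARC {assess_dmarc(dmarc)}")
```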

Detective Measures

A centralized SOC, including 24/7 monitoring of a SIEM solution that captures activity across the network. 24/7 monitoring may be a stretch for smaller organizations, but it is common for threat actors to target organizations outside of business hours when they can go undetected. A SIEM solution collects log data from your endpoints, offering a single source of truth for analysis of events on the network to identify any actual or suspected malicious activity. The SIEM will learn what is normal versus suspicious, and raise alerts for the organization to investigate.


Corrective Measures

Incident Response Plan, System Recovery Plan, and Business Continuity Plan. These documents will assist an organization to maintain order during an incident, with well-defined roles and responsibilities to respond to, and recover from, an incident.

Backups which are offline, protected by tight access controls, and subject to regular testing of integrity and recovery. As mentioned before, many actors will seek to move laterally through the environment to find an organization's most sensitive assets. Backups are often the difference between being able to recover from an incident, or having to pay a ransom to avoid an excruciatingly lengthy disruption to the organization as it rebuilds from scratch. Ensuring that the organization has backups of all critical data, that they are not accessible through the network, and that recovery from them is tested regularly to confirm the backups are working effectively, is vital to an organization's recovery, as well as to avoiding payment of a ransom to a criminal organization.

Conduct annual tabletop exercises, ransomware simulations, and information system recovery exercises. Building on the plans the organization has developed to provide instruction throughout an incident, these exercises seek to train employees in their roles and responsibilities so that the response is as smooth and efficient as possible. Ensure cross-training of employees, so that the absence of one individual does not create a bottleneck.

 

Risk

Risk transfer as part of a holistic cyber risk management strategy  

Risk Management 101: Avoid, Mitigate, Transfer, Accept 

  • Avoiding cyber risk is a challenge in the digital age. As a business we can choose to minimize our cyber risk by avoiding certain activities, but all modern business relies on IT to grow efficiently and maximize profits. 

  • Mitigation of risk occurs in tandem with cyber security, as it relates to the measures mentioned above: investing in controls to reach a maturity level within an established cyber security framework, or targeting preventative, detective, and corrective measures, to reduce risk to a level acceptable to the organization. Mitigation efforts should be focused through a combination of a risk-based approach and cost-benefit analysis, to ensure cyber security supports the business needs and does not become a hindrance.   

  • Given the complex nature of cyber security risk, residual risk is always something an organization will be confronted with. Organizations will have to accept a level of risk that is suitable to their risk appetite. Where mitigation may not work from a cost-benefit or availability perspective, risk transfer can be used to reduce residual risk to an acceptable level. 

  • Cyber Insurance offers risk transfer for that residual risk an organization will take on, and while insurance premiums are increasing, it still presents an affordable option for organizations considering the value of a good policy when mitigation may not be possible.  

 

Definitions

Definitions are taken from a combination of the NIST Glossary (Glossary | CSRC, nist.gov), as well as KPMG insights. 

  • CISM – Certified Information Security Manager (CISM), is solely management-focused. 

  • CISSP – Certified Information Systems Security Professional (CISSP), is both technical and managerial for security leaders who design, engineer, implement, and manage the overall security posture of an organization. 

  • Configurations – The possible conditions, parameters, and specifications with which an information system or system component can be described or arranged. 

  • Log data – A record of the events occurring within an organization's systems and networks. 

  • MDM solution – Mobile Device Management, is the administration of mobile devices such as smartphones, tablets, computers, laptops, and desktop computers. MDM is usually implemented through a third-party product that has management features for particular vendors or mobile devices. 

  • MFA – Multi-Factor Authentication using two or more different factors. Factors include something you know (e.g., password/PIN), something you have (e.g., cryptographic identification device, token), or something you are (e.g., biometrics). 

  • Phishing – A form of social engineering, typically through the deployment of computer-based means, to trick personnel into disclosing sensitive information.   

  • PII – Information which can be used to distinguish or trace the identity of an individual alone, or when combined with other personal or identifying information which is linked to a specific individual. 

  • Policy compliance scans – These scans run across network devices, software, and endpoints to assess whether the configurations of each are in compliance with their respective policy. 

  • Ports – The entry or exit point from a computer for connecting communications or peripheral devices. 

  • Risk – The level of impact on organizational operations, assets, or individuals, resulting from the potential realization of a threat, and the likelihood of that threat occurring. 

  • SLA – Represents a commitment between a service provider and one or more customers and addresses specific aspects of the service, such as responsibilities, details on the type of service, expected performance level (e.g., reliability, acceptable quality, and response times), and requirements for reporting, resolution, and termination. 

  • Smishing – A form of social engineering, typically using SMS, to trick personnel into disclosing sensitive information.   

  • SOC 2 Type 1 & 2 – System and Organization Controls is a comprehensive reporting framework which is audited by an independent third party. Type 1 reports on management’s description of what the organization has in place, while Type 2 goes a step further to test the design and effectiveness of those controls.  

  • Social Engineering – The act of deceiving an individual into revealing sensitive information by associating with the individual to gain confidence and/or trust. 

  • Threats - A human, event, or circumstance with the potential to adversely impact operations, assets, or personnel. 

  • Vishing – A form of social engineering, typically using voice calling, to trick personnel into disclosing sensitive information.   

  • VPN – A virtual network built on top of existing networks, that can provide a secure communications mechanism for data to be accessed and transmitted between networks.  

  • Vulnerability – Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.  

Additional Resources

CyberSecure Canada 
