K1.1 The role and types of preventative business control techniques in protecting the digital security

of an organisation:

• role – proactive control that stops something happening

• preventative control techniques:

o physical:

▪ specialist locks (for example anti-picking)

▪ barriers (for example fencing, bollards)

▪ gates

▪ cages

▪ flood defence systems

▪ temperature controls (for example air conditioning)

o combined – managed access:

▪ card readers

▪ biometric

▪ video/closed-circuit television (CCTV)

▪ pin/passcodes

o administrative, policies and procedures:

▪ separation of duties and relevance of role-based access

o technical – domains and security policies:

▪ allow/approved listing

▪ block/deny listing

▪ access control lists

▪ sandboxing

▪ device hardening

▪ certificate authority

K1.2 The role and types of detective business control techniques in protecting the digital security of an organisation:

• role – to identify an incident in progress or retrospectively

• detective control techniques:

o physical:

▪ CCTV

▪ motion sensors

o administrative, policies and procedures:

▪ logs (for example logs of temperature in server room, error logs)

▪ review/audit (for example people entering and leaving the facilities)

K1.3 The role and types of corrective business control techniques in protecting the digital security of

an organisation:

• role – reactive measures to limit the extent of damage and reoccurrence

• corrective control techniques:

o physical:

▪ fire suppression (for example sprinklers, extinguishers)

▪ gas suppression (for example inert and chemical gas systems)

o administrative, policies and procedures:

▪ standard operating procedure (for example actions taken when a fire is identified)

K1.4 The role and types of deterrent business control techniques in protecting the digital security of

an organisation:

• role – pre-emptive measures to dissuade a course of action

• deterrent control techniques:

o physical:

▪ security guards

▪ alarm systems

▪ visible surveillance systems

o administrative, policies and procedures:

▪ standard operating procedure (for example setting alarm system, fire drill)

▪ employment contracts stipulating codes of conduct

▪ acceptable usage policies

K1.5 The role and types of directive business control techniques in protecting the digital security of an

organisation:

• role – promotes a security-focused business culture

• directive control techniques:

o physical:

▪ signage

▪ mandatory ID badge display (for example employees and visitors)

o administrative, policies and procedures:

▪ agreement types

▪ general security policies and procedures

▪ regular and compulsory staff training (for example human firewall training)

K1.6 The role and types of compensating business control techniques in protecting the digital security

of an organisation:

• role – provides a safeguard against primary control failure

• compensating control techniques:

o physical:

▪ temperature controls (for example air conditioning)

o administrative, policies and procedures:

▪ role-based awareness training

▪ standard operating procedures (for example environmental control monitoring)

K1.7 The role and implementation of a disaster recovery plan in protecting the digital security of an

organisation:

• role – to recover and maintain service

• disaster recovery plan:

o physical:

▪ back-ups

▪ off-site alternative storage of servers

o administrative, policies and procedures of a disaster recovery plan (DRP) supported by an

organisational business continuity plan (BCP):

▪ ensuring all systems maintain functionality (for example arranging hardware)

▪ ensuring users can access systems away from the main building site

▪ deploying back-ups to maintain data integrity

▪ ensuring digital changes continue to meet business needs

▪ managing assets across the network and logging changes (for example tagging and logging

laptops)

▪ reporting infrastructure changes to management

K1.8 How a disaster recovery plan (DRP) works:

• define the scope of the plan:

o data centre premises

o organisational

o departmental

o individual

• gathering relevant information:

o historic outage details

o inventories of hardware, software, networks and data

o contact information for any involved parties

• risk-assessing:

o assets

o threats

o vulnerabilities

o probability of occurrence

o impact on business/data

• creating the plan:

o identify the resources required for the DRP:

▪ systems

▪ equipment

• plan approval:

o sign off by appropriate party

• testing the plan:

o identify scope

o identify resources

o determining frequency

o implement test

o review and document outcome

o amend the plan based on review as required

• continuous improvement:

o internal and external auditing of plan

K1.9 The types of impacts that can occur within an organisation as a result of threats and

vulnerabilities:

• danger to life – breaches in health and safety policies (for example injury and death)

• privacy – breaches of data (for example compromised confidential business data, identity theft)

• property and resources – damage to property and systems

• economic – financial loss or impairment

• reputation – damage to brand and business value

• legal – fines or prosecution

K1.10 The potential vulnerabilities in critical systems:

• unauthorised access to network infrastructure

• unauthorised physical access to network ports

• single point of failure

• system failure

• open port access:

o USB (universal serial bus)

o optical media:

▪ compact disc (CD)

▪digital versatile disc (DVD)

▪wireless networks

K1.11 The impact of measures and procedures that are put in place to mitigate threats and

vulnerabilities:

• measures:

o recovery time objective (RTO)

o recovery point objective (RPO)

o mean time between failure (MTBF)

o mean time to repair (MTTR)

• procedures:

o standard operating procedure (SOP):

▪ installation procedure

▪ back-up procedure

▪ set-up procedure

o service level agreement (SLA):

▪ system availability and uptime

▪ response time and resolution timescales

K1.12 The process of risk management:

• process:

o identification – identifying potential risks, threats or vulnerabilities

o probability – likelihood of occurrence (for example high, medium, low)

o impact – assess damage that can occur (for example asset value)

o prioritisation – rank risks based on the analysis of probability and impact, ownership of risk

o mitigation – reducing probability or impact of risk

K1.13 Approaches and tools for the analysis of threats and vulnerabilities:

• approaches:

o qualitative – non-numeric:

▪ determine severity using RAG rating:

• red – high risk requiring immediate action

• amber – moderate risk that needs to be observed closely

• green – low risk with no immediate action required

o quantitative – numeric:

▪ analyse effects of risk (for example cost overrun, resource consumption)

• tools:

o fault tree analysis

o impact analysis

o failure mode effect critical analysis

o annualised loss expectancy (ALE)

o Central Computer and Telecommunications Agency (CCTA) Risk Analysis and Management

Method (CRAMM)

o strength, weakness, opportunity, threat (SWOT) analysis

o risk register – risk is identified and recorded using a RAG rating

o risk matrix – used to calculate the RAG rating for a risk

K1.14 Factors involved in threat assessment for the mitigation of threats and vulnerabilities:

• environmental:

o extreme weather

o natural disaster

o humidity

o air quality

• manmade:

o internal:

▪ malicious or inadvertent activity from employees and contractors

o external:

▪ malware

▪ hacking

▪ social engineering

▪ third-party organisations

▪ terrorism

• technological:

o technology failures and faults:

▪ misconfigured devices

▪ disk failure/corruption

▪ component failure

▪ power issues

▪ network dropouts

▪ inaccessible systems

▪ virtual private network (VPN) not connecting

▪ unresponsive systems

o device failures and faults (for example laptops, desktops, servers):

▪ hard disk failure

▪ random access memory (RAM) failure

▪ damaged peripherals

▪ device incorrectly configured

▪ additional card implementation (for example network interface card (NIC), graphics)

▪ server back-up set-up

o system failures and faults:

▪ firewall settings

▪ software breakages/corruption

▪ redundant array of independent disks (RAID) failure

o impact of technical change:

▪ potential downtime

▪ requirement for system or software upgrades

▪ misconfigured systems

• political:

o changes or amendments in legislation

K1.15 The purpose of risk assessment in a digital infrastructure context:

• purpose:

o to identify and reduce risk by:

▪ implementing Health and Safety Executive (HSE) guidelines to projects (for example installing

a new uninterruptible power supply (UPS) system into a server room and identifying risks to

the installers)

▪ investigating risks within the project environment (for example undertaking a PESTLE

analysis)

▪ internal and external risk identification (for example implementing a supply chain assessment)

▪ quantification of impact on asset value (for example financial loss as a result of downtime)

K1.16 Types of risk response within a digital infrastructure context:

• types of response:

o accept – the impact of the risk is deemed acceptable

o avoid – change scope to avoid identified risk

o mitigate – reduce the impact or probability of the identified risk

o transfer – contractually outsource the risk to another party

K1.17 The process of penetration testing within digital infrastructure:

• the phases of penetration testing:

o planning and reconnaissance (for example, scope, goals, gather intelligence)

o scanning (for example, static and dynamic analysis)

o gaining access (for example, back door, SQL injection)

o maintaining access (for example, vulnerability used to gain in-depth access)

o analysis and WAF configuration (for example, results collated into report, analysed and used to

configure WAF settings)

K1.18 The considerations in the design of a risk mitigation strategy:

• risk response (for example accept, avoid, mitigate or transfer the risk)

• user profile (for example requirements, ability level)

• cost and benefit

• assign an owner of the risk

• escalation to appropriate authority within organisation

• planning contingencies

• monitoring and reviewing process

K1.19 The purpose of technical security controls as risk mitigation techniques and their applications to

business risks within a digital infrastructure context:

• purpose – to improve network security for users and systems

• technical security controls and their applications:

o 5 cyber essentials controls:

▪ boundary firewalls and internet gateways – restricting the flow of traffic in systems

▪ secure configuration – ensuring user only has required functionality (for example removing

unnecessary software, configuration to limit web access)

▪ malware protection – maintaining up-to-date anti-malware software and regular scanning

▪ patch management – maintaining system and software updates to current levels

▪ access control – restricting access to a minimum based on user attributes (for example

principle of least privilege, username and password management)

o device hardening – removing unneeded programs, accounts functions, applications, ports,

permissions and access

o segmentation – network, systems, data, devices and services are split up to mitigate the potential

impact of risks

o hardware protection – using server and software solutions to protect hardware and data

o multi-factor authentication – allowing 2 devices to authenticate against one system to confirm

who and where the user is trying to access from

o remote monitoring and management (RMM) (for example end user devices)

o vulnerability scanning (for example port scanning, device scanning)

K1.20 The purpose and types of encryption as a risk mitigation technique and their applications:

• purpose – to store and transfer data securely using cryptography

• types of encryption and their applications:

o asymmetric encryption – applied to send private data from one user to another (for example

encrypted email systems)

o symmetric encryption – applied to encrypt and decrypt a message using the same key (for

example card payment systems)

o data at rest encryption:

▪ full disk encryption – applied to encrypt the contents of an entire hard drive using industry

standard tool (for example Windows, macOS)

▪ hardware security module (HSM) – safeguards digital keys to protect a device and its data

from hacking

▪ trusted platform module (TPM) – applied to store encryption keys specific to the host device

o data in transit encryption:

▪ secure sockets layer (SSL) – applied to create an encrypted link between a website and a

browser using security keys for businesses to protect the data on their websites

▪ transport layer security (TLS) – applied to encrypt end-to-end communication between

networks (for example in email, websites and instant messaging)

K1.21 The purpose, criteria and types of back-up involved in risk mitigation:

• purpose:

o maintaining an up-to-date copy of data to enable future recovery and restoration (for example full

disaster recovery or partial data loss)

• back-up criteria:

o frequency (for example periodic back-ups)

o source (for example files or data)

o destination (for example internal, external)

o storage (for example linear tape open (LTO), cloud, disk)

• types of back-up:

o full

o incremental

o differential

o mirror

K1.22 The relationship between organisational policies and procedures and risk mitigation:

• organisational digital use policy:

o standard operating procedures for:

▪ network usage and control (for example monitoring bandwidth, identifying bottlenecks)

▪ internet usage (for example restricted access to sites, social media)

▪ bring your own device (BYOD)

▪ working from home (WFH) (for example DSE assessment)

▪ periodic renewal of password

▪ software usage (for example updating applications)

• health and safety policy for:

o standard operating procedures:

▪ lone working

▪ manual handling/safe lifting (for example moving hardware)

▪ working at height

▪ fire safety (for example staff training)

▪ Reporting of Injuries, Diseases and Dangerous Occurrences Regulations (RIDDOR) 2013

• change procedure – approval and documentation of all changes

• auditing of policies and standard operating procedures – ensuring all actions are routinely examined

(for example to ensure continued compliance)

K1.23 The purpose and application of legislation, industry standards and regulatory compliance, and

industry best practice guidelines for the security of information systems within digital

infrastructure.

Legislation:

• UK General Data Protection Regulation (UK GDPR):

o purpose – standardises the way data is used, stored and transferred to protect privacy

o applications within digital infrastructure:

▪ article 1 – subject matter and objectives

▪ article 2 – material scope

▪ article 3 – territorial scope

▪ article 4 – definitions

▪ article 5 – principles relating to processing of personal data

▪ article 6 – lawfulness of processing

▪ article 7 – conditions for consent

• Data Protection Act (DPA) 2018:

o purpose – implementation of UK GDPR to protect data and privacy

o applications within digital infrastructure:

▪ used fairly, lawfully and transparently

▪ used for specified, explicit purposes

▪ used in a way that is adequate, relevant and limited to only what is necessary

▪ accurate and, where necessary, kept up to date

▪ kept for no longer than is necessary

▪ handled in a way that ensures appropriate security, including protection against unlawful or

unauthorised processing, access, loss, destruction or damage

• Computer Misuse Act 1990:

o purpose – protects an individual’s computer rights

o applications within digital infrastructure:

▪ unauthorised access to computer materials (point 1 to 3)

▪ unauthorised access with intent to commit or facilitate commission of further offences (point 1

to 5)

▪ unauthorised acts with intent to impair, or with recklessness as to impairing, operation of

computer (point 1 to 6)

Industry standards and regulatory compliance:

• ISO 27001:

o purpose – certifiable standard for information security management

o applications within digital infrastructure:

▪ UK GDPR/DPA 2018

▪ information security

▪ information management

▪ penetration testing

▪ risk assessments

• Payment Card Industry Data Security Standard (PCI DSS):

o purpose – worldwide standard for protecting business card payments to reduce fraud

o applications within digital infrastructure:

▪ build and maintain a secure network

▪ protect cardholder data

▪ maintain a vulnerability management program

▪ implement strong access control measures

▪ regularly monitor and test networks

▪ maintain an information security policy

Industry best practice guidelines:

• National Cyber Security Centre (NCSC) ‘10 Steps to Cyber Security’:

o purpose – inform organisations about key areas of security focus

o applications within digital infrastructure:

▪ user education and awareness

▪ home and mobile working

▪ secure configuration

▪ removable media controls

▪ managing user privileges

▪ incident management

▪ monitoring

▪ malware protection

▪ network security

▪ risk management regime

• Open Web Application Security Project (OWASP):

o purpose:

▪ implement and review the usage of cyber security tools and resources

▪ implement education and training into the general public and for industry experts

▪ used as a networking platform

o applications within digital infrastructure:

▪ support users with online security

▪ improve security of software solutions

K1.24 Principles of network security and their application to prevent the unauthorised access, misuse,

modification or denial of a computer, information system or data:

• the CIA triad – confidentiality, integrity and availability applied to develop security

• identification, authentication, authorisation and accountability (IAAA) – applied to prevent

unauthorised access by implementing security policies to secure a network further:

o applying directory services

o security authentication process

o using passwords and security implications

o identification and protection of data

o maintaining an up-to-date information asset register

K1.25 Methods of managing and controlling access to digital systems and their application within the

design of network security architecture:

• authentication – restricts or allows access based on system verification of user

• firewalls – restricts or allows access to a defined set of services

• intrusion detection system (IDS) – analyses and monitors network traffic for potential threats

• intrusion prevention system (IPS) – prevents access based on identified potential threats

• network access control (NAC) – restricts or allows access based on organisational policy enforcement

on devices and users of network

• mandatory access control (MAC) – restricts or allows access based on a hierarchy of security levels

• discretionary access control (DAC) – restricts or allows access based on resource owner preference

• attribute-based access control (ABAC) – restricts or allows access based on attributes or

characteristics

• role-based access control (RBAC) – restricts or allows access to resources based on the role of a

user

K1.26 Physical and virtual methods of managing and securing network traffic and their application

within the design of network security architecture:

• physical (for example server management, firewalls and cabling):

o software defined networking (SDN):

▪ transport layer security (TLS) (for example used in banking websites)

o screened subnet

o air gapping

• virtual:

o virtual LAN (VLAN):

o subnets:

o virtual private network (VPN) (for example intranet, file systems, local network systems)

o virtual routing and forwarding (VRF)

o IP security (IPSec)

o air gapping

K1.27 The principles and applications of cyber security for internet-connected devices, systems and

networks:

• the CIA (confidentiality, integrity and availability) triad – applied to assess the impact on security of

systems (for example a data breach):

o protection and prevention against a cyber attack through secure configuration of a network

o limiting the network or system exposure to potential cyber attacks

o detection of cyber attacks and effective logging/auditing to identify impacts

o appropriate segregation of devices, networks and resources to reduce the impact of a cyber

attack

K1.28 Techniques applied to ensure cyber security for internet-connected devices, systems and

networks:

• wireless security – WPA2 and use of end-to-end security implemented to monitor access to WiFi

systems

• device security – password/authentication implemented to improve device security

• encryption

• virtualisation

• penetration testing

• malware protection

• anti-virus protection

• software updates and patches

• multi-factor authentication

• single logout (SLO)

K1.29 The importance of cyber security to organisations and society:

• organisations:

o protection of:

▪ all systems and devices

▪ cloud services and their availability

▪ company data and information (for example commercially sensitive information)

▪ personnel data and data subjects (for example employee information, customer information)

o password protection policies for users and systems

o adherence to cyber security legislation to avoid financial, reputational and legal impacts

o protection against cybercrime

• society:

o protection of personal information to:

▪ maintain privacy and security

▪ protect from prejudices

▪ ensure equal opportunities

▪ prevent identity theft

o individuals’ rights protected under DPA 2018:

▪ be informed about how data is being used

▪ access personal data

▪ have incorrect data updated

▪ have data erased

▪ stop or restrict the processing of data

▪ data portability (for example allowing individuals to access and reuse their data for different

purposes)

▪ object to how data is processed in certain circumstances

o protection against cybercrime

K1.30 The fundamentals of network topologies and network referencing models and the application of

cyber security principles:

• topologies:

o bus

o star

o ring

o token ring

o mesh

o hybrid

o client-server

o peer-to-peer

• network referencing models:

o open systems interconnection (OSI) model:

▪ application layer

▪ presentation layer

▪ session layer

▪ transport layer

▪ network layer

▪ data link layer

▪ physical layer

o transmission control protocol/internet protocol (TCP/IP):

▪ application layer

▪ transport layer

▪ network layer

▪ network interface layer

• the minimum cyber security standards principles applied to network architecture:

o identify – management of risks to the security of the network, users and devices:

▪ assign cyber security lead

▪ risk assessments for systems to identify severity of different possible security risks

▪ documentation of configurations and responses to threats and vulnerabilities

o protect – development and application of appropriate control measures to minimise potential

security risks:

▪ implementation of anti-virus software and firewall

▪ reduce attack surface

▪ use trusted and supported operating systems and applications

▪ decommission of vulnerable and legacy systems where applicable

▪ performance of regular security audits and vulnerability checks

▪ data encryption at rest and during transmission

▪ assign minimum access to users

▪ provide appropriate cyber security training

o detect – implementation of procedures and resources to identify security issues:

▪ installation and application of security measures

▪ review audit and event logs

▪ network activity monitoring

o respond – reaction to security issues:

▪ contain and minimise the impacts of a security issue

o recover – restoration of affected systems and resources:

▪ back-ups and maintenance plans to recover systems and data

▪ continuous improvement review

K1.31 Common vulnerabilities to networks, systems and devices and the application of cyber security

controls:

• missing patches, firmware and security updates:

o application of cyber security controls:

▪ patch manager software

▪ tracking network traffic

▪ test groups/devices to test security

• password vulnerabilities (for example missing, weak or default passwords, no password lockout

allowing brute force or dictionary attacks):

o application of cyber security controls:

▪ minimum password requirements in line with up-to-date NCSC guidance (for example length,

special character)

▪ password reset policy

• insecure basic input-output system (BIOS)/unified extensible firmware interface (UEFI) configuration:

o application of cyber security controls:

▪ review BIOS/UEFI settings

▪ update BIOS

• misconfiguration of permissions and privileges:

o application of cyber security controls:

▪ testing permissions and access rights to systems

▪ scheduled auditing of permissions and privileges (for example remove access of terminated

staff)

• unsecure systems due to lack of protection software:

o application of cyber security controls:

▪ protecting against malware (for example virus, worm, trojan, ransomware)

▪ update security software

▪ monitoring security software

▪ buffer overflow

• insecure disposal of data and devices:

o application of cyber security controls:

▪ compliance with Waste Electrical and Electronic Equipment (WEEE) Directive 2013

▪ checking and wiping all data devices

• inadequate back-up management:

o application of cyber security controls:

▪ back-up frequency

▪ application of appropriate types of back-up

• dynamic host configuration protocol (DHCP) spoofing:

o application of cyber security controls:

▪ using DHCP snooping

• VLAN attacks and VLAN hopping:

o application of cyber security controls:

▪ implementation testing of the VLAN

▪ scheduled testing and monitoring of network

• misconfigured firewalls:

o application of cyber security controls:

▪ testing firewall

▪ scheduled monitoring and updates

• exposed services and ports – allows network attacks (for example a user connecting their device to

an ethernet port):

o application of cyber security controls:

▪ physical security controls

▪ monitoring network traffic

• misconfigured access control lists (ACLs):

o application of cyber security controls:

▪ monitor and review ACLs

• ineffective network topology design (for example inadequate placement of firewalls and screened

subnet):

o application of cyber security controls:

▪ review of network topology design prior to implementation

▪ implementation testing

• unprotected physical devices:

application of cyber security controls:

▪ install correct software