Giddeon Njamngang Angafor, Iryna Yevseyeva and Leandros Maglaras
This paper aims to discuss the experiences designing and conducting an experiential learning virtual incident response tabletop exercise (VIRTTX) to review a business's security…
Abstract
Purpose
This paper aims to discuss the experiences designing and conducting an experiential learning virtual incident response tabletop exercise (VIRTTX) to review a business's security posture as it adapts to remote working because of the Coronavirus 2019 (COVID-19). The pandemic forced businesses to move operations from offices to remote working. Given that this happened quickly for many, some firms had little time to factor in appropriate cyber-hygiene and incident prevention measures, thereby exposing themselves to vulnerabilities such as phishing and other scams.
Design/methodology/approach
The exercise was designed and facilitated through Microsoft Teams. The approach used included a literature review and an experiential learning method that used scenario-based, active pedagogical strategies such as case studies, simulations, role-playing and discussion-focused techniques to develop and evaluate processes and procedures used in preventing, detecting, mitigating, responding and recovering from cyber incidents.
Findings
The exercise highlighted the value of using scenario-based exercises in cyber security training. It elaborated that scenario-based incident response (IR) exercises are beneficial because well-crafted and well-executed exercises raise cyber security awareness among managers and IT professionals. Such activities with integrated operational and decision-making components enable businesses to evaluate IR and disaster recovery (DR) procedures, including communication flows, to improve decision-making at strategic levels and enhance the technical skills of cyber security personnel.
Practical implications
It maintained that the primary implication for practice is that they enhance security awareness through practical experiential, hands-on exercises such as this VIRTTX. These exercises bring together staff from across a business to evaluate existing IR/DR processes to determine if they are fit for purpose, establish existing gaps and identify strategies to prevent future threats, including during challenging circumstances such as the COVID-19 outbreak. Furthermore, the use of TTXs or TTEs for scenario-based incident response exercises was extremely useful for cyber security practice because well-crafted and well-executed exercises have been found to serve as valuable and effective tools for raising cyber security awareness among senior leadership, managers and IT professionals (Ulmanová, 2020).
Originality/value
This paper underlines the importance of practical, scenario-based cyber-IR training and reports on the experience of conducting a virtual IR/DR tabletop exercise within a large organisation.
Details
Keywords
Jacqueline Cope, Francois Siewe, Feng Chen, Leandros Maglaras and Helge Janicke
This study is an exploration of areas pertaining to the use of production data in non-production environments. During the software development life cycle, non-production…
Abstract
Purpose
This study is an exploration of areas pertaining to the use of production data in non-production environments. During the software development life cycle, non-production environments are used to serve various purposes to include unit, component, integration, system, user acceptance, performance and configuration testing. Organisations and third parties have been and are continuing to use copies of production data in non-production environments. This can lead to personal and sensitive data being accidentally leaked if appropriate and rigorous security guidelines are not implemented. This paper aims to propose a comprehensive framework for minimising data leakage from non-production environments. The framework was evaluated using guided interviews and was proven effective in helping organisation manage sensitive data in non-production environments.
Design/methodology/approach
Authors conducted a thorough literature review on areas related to data leakage from non-production systems. By doing an analysis of advice, guidelines and frameworks that aims at finding a practical solution for selecting and implementing a de-identification solution of sensitive data, the authors managed to highlight the importance of all areas related to sensitive data protection. Based on these areas, a framework was proposed which was evaluated by conducting set of guided interviews.
Findings
This paper has researched the background information and produced a framework for an organisation to manage sensitive data in its non-production environments. This paper presents a proposed framework that describes a process flow from the legal and regulatory requirements to data treatment and protection, gained through understanding the organisation’s business, the production system, the purpose and the requirements of the non-production environment. The paper shows that there is some conflict between security and perceived usability, which may be addressed by challenging the perceptions of usability or identifying the compromise required. Non-production environments need not be the sole responsibility of the IT section, they should be of interest to the business area that is responsible for the data held.
Originality/value
This paper proposes a simplified business model and framework. The proposed model diagrammatically describes the interactions of elements affecting the organisation. It highlights how non-production environments may be perceived as separate from the business systems, but despite the perceptions, these are still subject to the same legal requirements and constraints. It shows the interdependency of data, software, technical infrastructure and human interaction and how the change of one element may affect the others. The proposed framework describes the process flow and forms a practical solution in assisting the decision-making process and providing documentary evidence for assurance and audit purposes. It looks at the requirements of the non-production system in relation to the legal and regulatory constraints, as well as the organisational requirements and business systems. The impact of human factors on the data is also considered to bring a holistic approach to the protection of non-production environments.