
A Cyber Risk Mitigation Strategy for Sony

Assignment

Paper details

This module (see attached file: HAR CYB M8 U2 Notes, HAR CYB M8 U1 Video
Transcript) focused on the importance of risk mitigation and the value companies can
derive from implementing a risk mitigation strategy to improve organizational
resilience and manage risks effectively. This assignment requires you to complete a
cyber risk mitigation strategy that Sony should have followed in light of the 2014
hack.

NOTE: I can also send any notes from the previous module if required.


Risk mitigation strategy – Please follow this exact template

Note:

The word counts for each question serve as a guide; your submission should not
exceed 4,500 words in its entirety.

1. Introduction

Write a brief paragraph in which you provide a high-level overview of Sony’s need for
a risk mitigation strategy. (150 words)

Start writing here:


2. Vision

Outline Sony’s vision of what implementing a risk mitigation strategy will ideally
achieve. (150 words)

Start writing here:

3. Strategic goals and objectives

List at least four strategic goals Sony must achieve to reduce its risks to an
acceptable level. List at least two objectives under each strategic goal that explain
what must be done to achieve the strategic goal. (450 words)

Note: A thorough risk mitigation strategy should include associated action plans and
milestones, but you are not required to detail these for the purposes of this
submission.

Start writing here:

4. Metrics

List at least three metrics Sony will use to analyze the achievement of its
goals/objectives. These metrics should be specific to the goals/objectives listed in
the previous question. (150 words)

Start writing here:

Note:

Include refined versions of your previous submissions in the sections below. Where
relevant, incorporate any feedback from your Tutor, as well as additional knowledge
gained during the course to improve on your previous submissions. – See attached file
– M2Assignment.docx

5. Threat actors and methods of attack

Integrate your submission from Module 2 (see attached file: M2-Assignment.docx), in
which you identified the threat actor Sony faced in the 2014 hack and their method of
attack, as well as at least one other threat actor Sony could face in the future and
what method of attack they might use. (550 words)

Start writing here:

6. Business critical assets

Integrate your submission from Module 3 (see attached file: M3-Assignment.docx), in
which you identified the assets that are most essential to Sony’s ability to accomplish
its mission. Describe what vulnerabilities there may be in Sony’s systems, networks,
and data that may put these assets at risk. (550 words)

Start writing here:

7. Cybersecurity governance

Integrate the three questions from your submission in Module 4 (see attached file:
M4-Assignment), in which you recommended a cybersecurity leadership plan,
improvements to management processes, and a cybersecurity awareness training
program. (1,200 words)

Start writing here:

8. Protective technologies

In Module 5, you compiled a list of questions (See attached file: M5-Assignment.docx)
you would ask to understand the technologies implemented to protect your
organization’s critical systems, networks, and data. In this section, based on the
questions you asked and by conducting any other additional research, identify
technologies your organization can employ to protect its critical systems, networks,
and data.

If you are using the Sony case, recommend protective technologies that could have
addressed Sony’s shortcomings in protecting their critical networks, systems, and
data. (650 words)

Note:

This question requires you to submit a paragraph consolidating the information you
learned, and is not a resubmission of the questions you submitted in Module 5.

Start writing here:

9. Legal considerations

In Module 6, you compiled a list of questions (See attached file: M6-Assignment.docx)
you would direct towards Sony’s senior management and general counsel in order to
gauge the organization’s legal risk mitigation strategy and the adequacy of their
preparations. In this section, based on the questions you asked, and by conducting
any other additional research, discuss the legal considerations Sony should take into
account when compiling its risk mitigation strategy – recommend steps that could
have addressed Sony’s shortcomings in protecting themselves from legal action. (550
words)

Note:

This question requires you to submit a paragraph consolidating the information you
learned and is not a resubmission of the questions you submitted in Module 6.

Start writing here:

Your ongoing project submission will be graded according to the following rubric:

Each criterion is scored on five levels: Very poor (0), Poor (5.5), Satisfactory (7),
Very good (8.5) and Exceptional (10).

Adherence to the brief
Criterion: All sections in the template are completed. Answer falls within the
prescribed word count (4,500 words).
Very poor (0): No submission, or student fails to address any element of the brief.
Poor (5.5): Some key elements are not addressed. Most information provided is
irrelevant. OR Answer does not fall within the prescribed word count (100 words over
word count).
Satisfactory (7): Student has adhered to most of the brief. Sufficient information is
provided and is mostly relevant.
Very good (8.5): Student has adhered to almost all elements of the brief. Almost all
information is provided and is relevant.
Exceptional (10): Student has fully adhered to the brief. All information provided is
comprehensive and relevant.

Introduction and vision
Criterion: Student has clearly outlined the need for their risk mitigation strategy,
and what it aims to achieve by implementing the strategy. Student has thought
critically and incorporated learnings from the content.
Very poor (0): No submission. OR Student fails to clearly outline the need for the
strategy or its long-term vision. There is no evidence that the student has used the
content covered in the course to inform their response.
Poor (5.5): Student shows an incomplete understanding of the need for their strategy,
or its long-term vision. There is some evidence that the student has engaged with the
content covered in the course but this is not always accurately applied.
Satisfactory (7): Student demonstrates satisfactory understanding of the need for
their strategy, and its long-term vision. The student has clearly engaged with the
content covered in the course, but a more nuanced answer is required.
Very good (8.5): Student demonstrates a strong understanding of the need for their
strategy, and its long-term vision. The answer shows a strong grasp of the content.
Exceptional (10): Student demonstrates a thorough and incisive understanding of the
need for their strategy, and its long-term vision. The student has been able to
critically apply their learning from the course.

Strategic goals and objectives
Criterion: Student has outlined at least four strategic goals that will reduce their
organization’s risks to an acceptable level. They have included at least two
objectives that clearly explain what must be done to achieve each goal. Student has
thought critically and incorporated learnings from the content.
Very poor (0): No submission. OR Student fails to clearly outline their strategy’s
goals and objectives. There is no evidence that the student has used the content
covered in the course to inform their response.
Poor (5.5): Student shows an incomplete understanding of their strategy’s goals and
objectives. There is some evidence that the student has engaged with the content
covered in the course but this is not always accurately applied.
Satisfactory (7): Student demonstrates satisfactory understanding of their strategy’s
goals and objectives. The student has clearly engaged with the content covered in the
course, but a more nuanced answer is required.
Very good (8.5): Student demonstrates a strong understanding of their strategy’s goals
and objectives. The answer shows a strong grasp of the content.
Exceptional (10): Student demonstrates a thorough and incisive understanding of their
strategy’s goals and objectives. The student has been able to critically apply their
learning from the course.

Metrics
Criterion: The student has listed at least three metrics their organization could use
to measure the achievement of their goals, and the metrics are specific to the
goals/objectives identified. Student has thought critically and incorporated learnings
from the content.
Very poor (0): No submission. OR Student fails to list three metrics their
organization could use to measure their cybersecurity. The metrics are not specific to
the identified goals/objectives. There is no evidence that the student has used the
content covered in the course to inform their response.
Poor (5.5): Student shows an incomplete understanding of metrics their organization
could use to measure its cybersecurity. The metrics lack relevance to the identified
goals/objectives. There is some evidence that the student has engaged with the course
content, but this is not always accurately applied.
Satisfactory (7): Student demonstrates satisfactory understanding of the metrics their
organization could use to measure its cybersecurity and they are relevant to the goals
and objectives identified. The student has clearly engaged with the course content but
a more nuanced answer is required.
Very good (8.5): Student demonstrates a strong understanding of the metrics their
organization should use, and they are specific to the goals/objectives identified. The
answer shows a strong grasp of the content.
Exceptional (10): Student demonstrates a thorough and incisive understanding of the
metrics their organization can use, and they are specific to the goals/objectives
identified. The student has been able to critically apply their learning from the
course.

Cybersecurity threat actors
Criterion: Student has identified at least two threat actors and described a scenario
of an attack. In the case of Sony, student has accurately identified the threat actor
and method of attack in the 2014 hack, as well as one other potential threat actor.
Student has thought critically and incorporated learnings from the content and has
applied this to their chosen organization.
Very poor (0): No submission. OR Student fails to list two threat actors that could
attack their organization. They have not provided a possible method of an attack.
There is no evidence that the student has used the course content to inform their
response.
Poor (5.5): Student shows an incomplete understanding of the threat actors who could
attack their organization and the possible method of attack. There is some evidence
that the student has engaged with the course content, but this is not always
accurately applied.
Satisfactory (7): Student demonstrates satisfactory understanding of the threat actors
who could attack their organization and the possible method of attack. The student has
clearly engaged with the course content but a more nuanced answer is required.
Very good (8.5): Student demonstrates a strong understanding of the threat actors who
could attack their organization and the possible method of attack. The answer shows a
strong grasp of the content.
Exceptional (10): Student demonstrates a thorough and incisive understanding of the
threat actors who could attack their organization and the possible method of attack.
The student has been able to critically apply their learning from the course.

Business critical assets
Criterion: Student has identified the assets that are most essential to their
organization, and described vulnerabilities these assets may be exposed to. Student
has thought critically and incorporated learnings from the content.
Very poor (0): No submission. OR Student fails to identify the assets that are
critical to their organization and accurately describe how these assets are
vulnerable. There is no evidence that the student has used the course content to
inform their response.
Poor (5.5): Student shows an incomplete understanding of their organization’s critical
assets, and how they are vulnerable. There is some evidence that the student has
engaged with the course content but this is not always accurately applied.
Satisfactory (7): Student demonstrates satisfactory understanding of their
organization’s critical assets, and how they are vulnerable. The student has clearly
engaged with the course content but a more nuanced answer is required.
Very good (8.5): Student demonstrates a strong understanding of their organization’s
critical assets, and how they are vulnerable. The answer shows a strong grasp of the
content.
Exceptional (10): Student demonstrates a thorough and incisive understanding of their
organization’s critical assets, and how they are vulnerable. The student has been able
to critically apply their learning from the course.

Cybersecurity governance
Criterion: Student has recommended a cybersecurity leadership plan, improvements to
management processes, and a cybersecurity awareness training program. Student has
thought critically and incorporated learnings from the content.
Very poor (0): No submission. OR Student fails to recommend a cybersecurity leadership
plan, improvements to management processes, and a cybersecurity awareness training
program. There is no evidence that the student has used the course content to inform
their response.
Poor (5.5): Student shows an incomplete understanding of cybersecurity leadership
plans, management processes, and cybersecurity awareness training programs. There is
some evidence that the student has engaged with the course content but this is not
always accurately applied.
Satisfactory (7): Student demonstrates satisfactory understanding of cybersecurity
leadership plans, management processes, and cybersecurity awareness training programs.
The student has clearly engaged with the course content but a more nuanced answer is
required.
Very good (8.5): Student demonstrates a strong understanding of cybersecurity
leadership plans, management processes, and cybersecurity awareness training programs.
The answer shows a strong grasp of the content.
Exceptional (10): Student demonstrates a thorough and incisive understanding of
cybersecurity leadership plans, management processes, and cybersecurity awareness
training programs. The student has been able to critically apply their learning from
the course.

Protective technologies
Criterion: Student has accurately identified protective technologies that are, or
should be, implemented to enhance their organization’s cybersecurity. Student has
thought critically and incorporated learnings from the content.
Very poor (0): No submission. OR Student fails to identify protective technologies
that are, or should be, implemented to enhance their organization’s cybersecurity.
There is no evidence that the student has used the course content to inform their
response.
Poor (5.5): Student shows an incomplete understanding of the necessary protective
technologies that are, or should be, implemented to enhance their cybersecurity. There
is some evidence that the student has engaged with the content covered in the course
but this is not always accurately applied.
Satisfactory (7): Student demonstrates satisfactory understanding of the technologies
that are, or should be, implemented to enhance their cybersecurity. The student has
clearly engaged with the course content but a more nuanced answer is required.
Very good (8.5): Student demonstrates a strong understanding of the technologies that
are, or should be, implemented to enhance their cybersecurity. The answer shows a
strong grasp of the content.
Exceptional (10): Student demonstrates a thorough and incisive understanding of the
technologies that are, or should be, implemented to enhance their cybersecurity. The
student has been able to critically apply their learning from the course.

Legal considerations
Criterion: Student has critically analyzed the legal considerations their organization
should take into account. Student has thought critically and incorporated learnings
from the content.
Very poor (0): No submission. OR Student fails to critically analyze the legal
considerations their organization should take into account. There is no evidence that
the student has used the course content to inform their response.
Poor (5.5): Student shows an incomplete understanding of legal considerations that
their organization should take into account. There is some evidence that the student
has engaged with the course content but this is not always accurately applied.
Satisfactory (7): Student demonstrates satisfactory understanding of legal
considerations that their organization should take into account. The student has
clearly engaged with the course content but a more nuanced answer is required.
Very good (8.5): Student demonstrates a strong understanding of the legal
considerations their organization should take into account. The answer shows a strong
grasp of the content.
Exceptional (10): Student demonstrates a thorough and incisive understanding of the
legal considerations their organization should take into account. The student has been
able to critically apply their learning from the course.

Application of course content to organizational context
Criterion: The student has accurately applied the learnings from the course content to
their own organization or Sony’s unique context.
Very poor (0): No submission OR The student has not made use of their organization’s
unique organizational context and constraints to inform their response.
Poor (5.5): Student has demonstrated a limited understanding of their organization’s
unique context and constraints.
Satisfactory (7): Student has demonstrated a satisfactory understanding of their
organization’s context and constraints, however there is room for deeper engagement
with its nuances.
Very good (8.5): There is clear evidence that the student has thought about their
organization’s unique context and constraints, and catered for this in their strategy
accordingly.
Exceptional (10): There is strong evidence that the student has understood and thought
carefully about their organization’s unique context and constraints, and has provided
considered recommendations in their strategy accordingly.

Organization of writing
Criterion: Answer should be structured clearly and logically.
Very poor (0): No submission or complete lack of logical structure.
Poor (5.5): Answer has some logical structure, but not enough to justify a passing
grade.
Satisfactory (7): Answer is structured fairly well in terms of logic and clarity.
Very good (8.5): Answer is structured very well in terms of logic and clarity.
Exceptional (10): Answer is structured exceptionally well in terms of logic and
clarity.

Total: 110 points

M2 ASSIGNMENT

1. Question

In this module, you were introduced to three notable types of threat actors that have
emerged from the cyber landscape as threats to organizations’ cybersecurity, namely
nation states, cyber criminals, and insiders. You were also introduced to the methods
of attack these threat actors most commonly employ, and the types of sectors they
target.

In this ongoing project submission, you are required to complete the first part of your
risk mitigation strategy by identifying and analyzing potential threat actors to your
organization, or Sony.
Sony:

The Sony case study provides a foundation for which to base your ongoing project on,
however you are encouraged to conduct further research to engage with the nuances
of the case and to enforce your reasoning. You can find the Sony case study in Unit 2
of the Orientation Module or in this module’s Downloads folder. Address the following
points in your analysis:

• Identify the threat Sony faced in the 2014 hack, and explain their motives. Explain
whether or not you think the aspects of Sony’s sector made it vulnerable to the threat
you have identified.

• Offer an explanation of the methods of attack the threat actor employed to breach its
cybersecurity, and justify your reasoning.

• Describe a scenario of what method of attack at least one other type of threat actor
could use in the future, and why.

Your answer should be between 400 and 500 words.

2. Answer:

In 2014 the multimedia company Sony released the movie “The Interview”, starring
Seth Rogen and James Franco in a story involving the assassination of North Korean
leader Kim Jong Un. As a result, the North Korean government expressed disapproval
regarding the announced release of the movie. It is widely reported that the North
Korean government also had direct involvement in the hack of Sony’s systems and
databases during October and November of 2014 (Harvard, 2018). The hacks were of
significant importance because they directly affected the decision to cancel the
release of the movie, in addition to imposing enormous costs on the company as a
whole.

As a multimedia company with significant stakes in many countries around the world,
Sony has always been a security target. It is also worth mentioning that Sony has had
multiple breaches in the past, which has perhaps established the company as one that
is not as diligent about its security policies and practices as it should be. Sony was
also a prime target for a foreign actor such as North Korea because it could be used as
a demonstration of the hacking capabilities that the attackers had in terms of
breaching other major US companies. Therefore, the issue was not only of concern to
the IT sectors but to international defenses as well.

The scope of the attack on Sony was wide-ranging, which was achieved through a
long-term strategy and planning. This means that the hackers essentially used
malware tools in order to implant listening devices that captured sensitive internal
data within Sony’s framework. It is also possible that the hackers had help from the
inside (Smith, 2014). The total duration of the hack is estimated to have gone over at
least two months, although this is still a matter of uncertainty.

Due to the scope of Sony’s internal infrastructure, the hackers decided to use viruses,
malware, and other types of discreet listening tools. This was the only way to avoid
detection over a longer period of time, and it ultimately proved successful. However,
what is more important to mention is that the hackers reportedly gained access to
Sony’s internal infrastructure physically. This means that the hackers entered Sony’s
facilities in person and used physical methods in order to implant malware and spying
devices. For instance, a key password was reportedly stolen from someone working in
Sony’s IT sector. The password essentially provided the hackers with full access to
Sony’s internal administration systems (Bort, 2014). Furthermore, this allowed the
hackers to easily install whatever malware tools were necessary and which would avoid
detection.

Another method of attack that could be used by another threat actor is phishing. The
attacker could potentially send well-designed phishing emails that would prompt users
to give out their credentials. There is always a likelihood that such an attack would
be employed because it has already worked in the past with high-profile politicians.

The case can be seen as an incredibly important example of why IT-oriented
companies should not underemphasize the importance of physical security, which
remains the most secure way to prevent breaches. Although Sony may have had
relatively strong cyber protections in place, it allowed its physical security to be
breached through a great deal of negligence on the matter. In the end, Sony’s more
expensive cyber security measures were essentially made worthless thanks to a much
simpler mode of attack.

BIBLIOGRAPHY

Bort, J., 2014. How The Hackers Broke Into Sony And Why It Could Happen To Any
Company [WWW Document]. Business Insider.
URL https://www.businessinsider.com/how-the-hackers-broke-into-sony-2014-12

Harvard, 2018. Cybersecurity: Managing Risk In The Information Age.

Smith, M., 2014. Sony Pictures hackers reportedly had help from insiders [WWW
Document]. CSO Online.
URL https://www.csoonline.com/article/2851927/sony-pictures-hacked-by-guardians-of-peace-with-help-from-insiders.html

M4 Assignment

Brief

In this module, you were introduced to the importance of cybersecurity governance as
a fundamental aspect of protecting an organization’s information systems. Each unit
in this module explores one of the three crucial areas of cybersecurity governance
that need to be considered when developing a risk mitigation strategy.

Question 1

Unit 1 focused on various leadership roles and their respective responsibilities in
implementing an effective cybersecurity governance plan. Consider the leadership
roles in your chosen organization (your own or Sony’s) and their responsibilities in
implementing the organization’s cybersecurity strategy:

• Drawing on your learnings from this module, explain the organization’s governing
structure, and its approach to cybersecurity (as detailed in its policies and, where
possible, observed in practice). If you are focusing on Sony, you may extrapolate the
formal roles from the data available (in the case study and from your own research) and
contrast this with what was observed.
• Based on your substantiation above, recommend changes that should be implemented
and, if applicable, propose a new cybersecurity leadership plan that addresses its
shortcomings.

(Approx. 300–400 words)

Answer:

Cybersecurity is among the primary obstacles faced by organizations, and achieving
success is usually possible when leaders are capable of setting up different strategies
that can be used in order to manage cybersecurity threats. Each organization needs to
have an instilled culture of awareness regarding vital cybersecurity needs. In this
sense, leaders play a significant role in making sure that they are not only educated
but that they also serve to inspire their organizations on issues regarding
cybersecurity threats. This is especially true for C-suite leaders, who play a leading
role in ensuring that cybersecurity is among the primary agendas in the organization’s
overall goals (Jang-Jaccard and Nepal, 2014, p. 983).

However, organizations are still facing significant obstacles in their efforts to
maintain cybersecurity, primarily due to the expense of the ever-modernizing IT
infrastructure. The shortage of qualified leaders is also a significant concern because
implementing such company-wide cybersecurity strategies requires specific relevant
skills. Educating a large workforce is also a challenge, and leaders are therefore
required to ensure that there are proper security infrastructure relationships within
the organization.

Leaders of organizations, such as CEOs, CIOs, CSOs, and CTOs, are central in
spearheading cybersecurity issues within organizations (Creery and Byres, 2005, p.
305). Leaders should also be receptive to dialogue with their workforces and need to
be well aware of the organizational culture and how it is applied among workers
within the organization, since it is the leaders who set the tone and values of the
culture in the organization. Lastly, leaders should also be well educated and aware of
the different roles technology plays, and how it can impact people in multiple
aspects.

Question 2

Unit 2 of this module described the management processes organizations should
consider when developing a cybersecurity governance plan. Identify the steps your
organization is taking to implement the management processes discussed in the Unit 2
notes, and address the following:

• Evaluate whether the management processes utilized by your organization are sufficient
to ensure good cybersecurity governance; and
• Based on your substantiation above, recommend management processes for
implementing a cybersecurity governance plan.

If you are using Sony as your chosen organization:

• Evaluate why the management processes utilized by Sony were insufficient to ensure
good cybersecurity governance; and
• Based on your substantiation above, recommend management processes that would
have addressed Sony’s shortcomings in implementing a cybersecurity governance plan
and should be adhered to going forward.

(Approx. 300–400 words)

Answer:

Sony’s failure to organize efficiently can be explained through its failure to have
proper frameworks in place in terms of governance. In the first place, the leaders of
the organization failed to create and instill an organizational culture that promoted
cybersecurity awareness. In other words, the top management positions failed to be
properly educated about cybersecurity risks and consequently failed to promote this
understanding within the organization (Ashford, 2014). Another issue was the lack of
an individual who was solely tasked with managing cybersecurity. Instead, Sony’s
organization had a structure resembling a government, where security officers would
look at all aspects of perceived risks and threats from cybersecurity attacks (Ten, Liu
and Manimaran, 2008, p. 1840).

Sony also failed to realize the importance of not only designing a cybersecurity
culture but also making sure that the workforce was in tune with it. Another failure
on Sony’s part was that it failed to prepare itself with a clear system of procedures in
the event of a cyber-attack. There were no proper channels of communication, and
there were no clear policies and processes that were prescribed for such events.
Although Sony may have focused on its overall desires in terms of security
frameworks, it ultimately failed to implement any of them successfully.

Ultimately, Sony failed to provide any successful recommendations to its workforce in
terms of security governance, which left everyone unprepared and fully open to an
attack. An organization always needs to operate under the assumption that it is
vulnerable to attacks at any moment and therefore needs to have properly
established reaction plans in place. Without these plans, Sony failed to assign
important security roles, thereby making it much more difficult to relay crucial
information when the 2014 attack took place (Tosh, Sengupta, Kamhoua, Kwiat and
Martin, 2005, p. 7343).

Question 3

Unit 3 focuses on the importance of keeping an organization’s cybersecurity
awareness updated. To do so, the notes described the types of security awareness
training that are available and the topics that should ideally be included in training
programs. In your answer, address the following:

• If relevant, identify any cybersecurity awareness programs or practices utilized by your
organization or Sony, and evaluate whether they sufficiently cover the recommended
topics mentioned in the Unit 3 notes.
• Based on your substantiation above, provide an outline of a cybersecurity awareness
program you would suggest for your chosen organization or Sony.

Your outline of the training program should cover the following three aspects:

1. The type of security awareness training (classroom or online);
2. The topics included in the training program;
3. The target audience; and
4. The roles and responsibilities of those responsible for executing the training program.

Each aspect should be accompanied by reasons for your choices based on the
organization’s context and needs.

(Approx. 300–400 words)

Note:

The word counts for each question serve as a guide; your submission should not
exceed 1,200 words in its entirety.

Answer:

Security awareness training in classrooms and online: The whole workforce is
gradually included in the training program, and groups are created based on skills and
knowledge. The program can be made cost-effective by ensuring that trainees can
interact with their trainers, thereby ensuring comprehensive learning of the subject
matter. Furthermore, the program can rely on emails in order to disseminate
important information about cybersecurity to all staff members in a timely manner.

Topics included in the training program: Physical devices can be used to ensure that
employees store their security information on gadgets that are set up by Sony's
cybersecurity team. Awareness training topics can therefore also include education
about how these gadgets are used and how essential they are to the organization. For
instance, mobile phones are always susceptible to hacking attacks, so the organization
can institute a mandatory switch of devices before coming to work, thereby ensuring
that all devices and gadgets within the organization are approved and protected by
Sony's overall cybersecurity framework. Employees would still be held accountable for
any loss of data or devices, but it would be much easier to monitor and control any
breach points.

Cybersecurity awareness training also needs to be overseen and presented by CSOs,
CISOs, and CIOs, who can play different roles in maintaining cybersecurity
awareness within their organizations. They are essentially program owners, whose
role is to explain the overall cybersecurity program to employees and develop
effective training objectives.

The program owners also need to ensure that all stakeholders of their organization
are made aware of cybersecurity awareness training programs, and are capable of
supporting the goals and cybersecurity applications. Finally, significant effort needs
to be invested in making sure that the proper training initiators are contracted,
meaning that they need to be assessed not only according to their skills but also to
their backgrounds in terms of trust and security (Ten, Liu and Govindarasu, 2007, p.
5).

References

Ashford, W., 2014. Sony hack exposes poor security practices [WWW Document].
Computer Weekly. URL https://www.computerweekly.com/news/2240236006/Sony-
hack-exposes-poor-security-practices (accessed 3.14.19).

Creery, A. and Byres, E.J., 2005, September. Industrial cybersecurity for power
system and SCADA networks. In Record of Conference Papers Industry Applications
Society 52nd Annual Petroleum and Chemical Industry Conference (pp. 303-309).
IEEE.

Jang-Jaccard, J. and Nepal, S., 2014. A survey of emerging threats in
cybersecurity. Journal of Computer and System Sciences, 80(5), pp.973-993.

Ten, C.W., Liu, C.C. and Govindarasu, M., 2007, June. Vulnerability assessment of
cybersecurity for SCADA systems using attack trees. In 2007 IEEE Power Engineering
Society General Meeting (pp. 1-8). IEEE.

Ten, C.W., Liu, C.C. and Manimaran, G., 2008. Vulnerability assessment of
cybersecurity for SCADA systems. IEEE Transactions on Power Systems, 23(4),
pp.1836-1846.

Tosh, D., Sengupta, S., Kamhoua, C., Kwiat, K. and Martin, A., 2015, June. An
evolutionary game-theoretic framework for cyber-threat information sharing. In 2015
IEEE International Conference on Communications (ICC) (pp. 7341-7346). IEEE.

Brief

In this module, you were introduced to the importance of cybersecurity governance as
a fundamental aspect of protecting an organization's information systems. Each unit
in this module explores one of the three crucial areas of cybersecurity governance
that need to be considered when developing a risk mitigation strategy.

Question 1

In Module 3, you were introduced to the critical systems, networks, and data that
organizations depend on to achieve their business goals. In this module, you explored
the various types of security technologies that are designed to protect organizations’
critical systems, networks, and data. For this online activity submission, you are
required to combine information from both Module 3 and Module 5 to answer the
following questions:

- Based on the Module 3 ongoing project, provide a brief overview of the critical systems,
networks, and data your organization (or Sony) depends on. (Approx. 150 words)

- Using your learnings from the Module 5 Unit 3 Notes, and your input from the small
group discussion forum, compile 10 questions you would direct to the chief information
officer (CIO), chief information security officer (CISO), or chief technology officer (CTO)
in your organization (or Sony) to understand the technologies that have been or should
be implemented to protect critical systems, networks, and data. (Approx. 500 words)

Your submission should not exceed 650 words in total.

Answer:

Overview of the critical systems, networks, and data that Sony depends on.

Sony Inc. is a multimedia company that deals with diversified products and services.
Its vital systems comprise mission-critical systems, business-critical systems, and
safety-critical systems. As such, the company has various critical systems, including
movie production software and connected devices, servers, client credentials and
much more. The essential network systems include the network servers and the Sony
website. These systems form the core of communication and data sharing with clients
and other businesses, as well as of making transactions. Critical data include client
credentials, stored movies and pictures, sales records and more. Staff data and
financial transactions are also important. It is essential to point out that a compromise
of the security of any of the above critical systems, networks, and data can lead to
both financial loss and a tarnished reputation for the company.

Questions for Sony’s CIO, CTO and CISO

1. What are the types of cybersecurity threat that face Sony?

Context – It is crucial for companies to be aware of the types of threats targeting
critical assets in order to devise adequate defense mechanisms. This is especially
relevant because Sony has previously been hacked.

2. What security measures do you have in place for such threats?

Context – The company is responsible for keeping its systems and client data safe; this
is also a legal requirement. In doing so, the company responds to previous threats and
controls future attacks.

3. Against which standards do you measure your cybersecurity?

Context – There are various standards against which data protection is measured, such
as the General Data Protection Regulation. This question therefore reveals the
standards Sony adheres to in ensuring cybersecurity.

4. Do you use third-party services and technologies in cybersecurity?

Context – Internal capacity is usually inadequate for maintaining cybersecurity, and
although not a requirement, large organizations like Sony require independent
third-party security services for their critical functions.

5. What type of technologies does Sony use to protect its critical functions?

Context – Various technologies are recommended by international cybersecurity
organizations and experts. These technologies should be implemented at Sony, which
has extensive investments and is vulnerable to attacks.

6. Because Sony has invested much in cybersecurity, can you say its critical
systems, networks, and data are secure?

Context – It is essential to know the CISO's opinion given the enormous investment
dedicated to cybersecurity. The company has a responsibility to assure the safety of its
clients.

7. Do you consider internal threats, and which control measures do you have in
place?

Context – Besides external threats, internal threats are also present and should be
controlled. In essence, some external threats rely on an insider connection or
vulnerability. It is standard practice in cybersecurity to have both internal and
external security measures.

8. What are the key performance indicators of your cybersecurity?

Context – Installed cybersecurity technologies need metrics against which their
performance is measured, and these need to be compared to industry standards. Key
performance indicators signal the performance or non-performance of security
systems. The response reveals the various metrics used to measure cybersecurity.

9. Should an attack or threat occur, which mechanisms are put in place to ensure
the company continues with its critical mission?

Context – The question assumes that the organization should have installed recovery
systems. Besides, the data stored in the systems are sensitive if lost. The response to a
threat is critical to minimizing the occurrence of subsequent risks.

10. How regularly do you audit your internal cybersecurity control?

Context – This question is essential for compliance with ISO 27001:2013, which
requires an independent review of an organization's information security controls. In
essence, because of the sensitivity of the data, systems, and networks, continuous
auditing is necessary to patch vulnerabilities.

M6 ASSIGNMENT
Question 1

Throughout this module, you have been introduced to the legal considerations
associated with cybersecurity. The goal of this module is not to make you a lawyer or
an expert on privacy and cybersecurity law, but to help you understand the
importance of mitigating litigation risk.

Using what you learned from the module, and from the input in the small group
discussion forum, compile a set of 10 questions that you would direct towards an
organization’s senior management and legal counsel in order to gauge the
organization’s legal risk mitigation strategy and the adequacy of their preparations.
Ensure that your questions clearly relate to the legal and compliance risks that are
relevant to the organization’s context.

Your answer should be no longer than 550 words.

Answer:

Below are the 10 questions that I would ask Sony’s Executive team as well as their
Legal Counsel team.

1. How does the organization control the relationship between the processor and the
controller?

Context: the GDPR provides the protocols that the two parties are required to follow
(M6 notes, N.D). The contractual process gives both parties the ability to go over the
terms of their relationship. However, with current trends in cybersecurity this has
become a matter of concern, and it is essential to understand the privacy policy
between the two parties and the liability in case of a breach.

2. In the case of infringement, who takes responsibility: the organization or the
vendor?

Context: most third parties have access to the organization's data, which could prove
detrimental in the case of a breach (M6 notes, N.D). The Target incident saw the
hackers target the vendor to launch malware. Hence it is vital to comprehend who the
blame falls on in the case of a breach.

3. Under which circumstances are third parties held liable?

Context: different industries have specific measures regarding third parties. For
instance, the guidelines set by HIPAA regulate the terms for health facilities
(M6 notes, N.D). Therefore, it is essential to establish whether all industries have
similar regulatory bodies.

4. What would happen if the insurance is unable to cover the risk?

Context: in the case of a breach the organization covers the cost with the insurer
(M6 notes, N.D). However, the clause does not stipulate what would happen if the
insurer finds the company to be liable.

5. When an organization goes public, is it required to disclose its data? Does the
process put the organization in harm's way?

Context: the securities exchange requires an organization to disclose some
confidential information, such as the number of risks (M6 notes, N.D). In so doing,
investors remain assured of their investment. Nonetheless, the protocol does not
specify the extent of the information to be disclosed.

6. Which policies has the organization implemented to overcome the challenges of
jurisdiction?

Context: China has set up various policies regarding its cyberspace (M6 notes, N.D).
Over the years these policies have continued to evolve, and they include terms and
conditions that attract fines. Thus, it is essential to understand the scope of the
organization's policies.

7. Do the policies set up by the United States apply to other countries?

Context: while in the United States, the organization is required to be conversant with
the laws implemented by the country (M6 video, N.D). Nonetheless, each state has
created its own policies, which do not articulate their sphere of influence. Therefore,
it is essential to grasp whether the laws of individual countries have a similar impact
on the countries they have ties with.

8. Under what circumstances can the organization consider settling a case?

Context: the Federal Trade Commission Act stipulates the types of losses (M6 video,
N.D). Some consumers may use deceptive practices to gain compensation. As a result,
some organizations would prefer to settle to avoid having their reputation tarnished.

9. How does the company specify the compensation procedure?

Context: in the case of a breach there are various categories of people that the
organization has to consider, from large organizations to the federal state (M6 video,
N.D). Furthermore, there is an extensive list of people waiting for the chance to sue
the organization. In such circumstances, it is essential to understand the procedures
undertaken.

10. Which procedures does the organization take to mitigate risks?

Context: in the case of a cybersecurity breach, the organization cannot reduce its risk
to zero (M6 video, N.D). This implies that breaches in cybersecurity are to be expected,
since systems cannot be completely effective. However, organizations have to take
specific steps to ensure that they can foresee problems.

List of References

M6 notes, N.D. Cybersecurity: managing risks in the information age. pp.1-24.

M6 video, N.D. Cybersecurity: managing risks in the information age. pp.1-10.