HEROLD ARTICLE
1. While the technologies are new, the information security
concepts that should be applied are not new; data security
concepts that have been used for five to six decades or more
can be applied within these gadgets, as can the comparably
newer privacy control concepts.
2. Privacy should be viewed as not just a differentiator or
something to be done if legally required, but a standard
requirement for any new technology or service involving
personal data.
3. Location-based controls, which seem to have fallen out of
favor as a viable security control in the past couple of decades,
could also be used in a limited way to provide security to
smart devices.
4. Make sure change controls, access controls and other longtime
information security practices are implemented not only
within the IoT devices, but also in the rules for using IoT
devices for business and within business environments.
5. Encrypt only the wireless data transmissions, but not the data
in storage.
ROTMAN ARTICLE
6. IoT raises multiple data privacy and security concerns when
new data sources combine with legacy sources to reveal new
insights about individuals through predictive analytics that
may be inconsistent with the original purposes for collection
and use.
7. Although IoT represents a state of change and advancement,
a common set of principles can serve as the foundation for
companies seeking to understand and manage privacy and
security in the development and implementation phases of new
connected devices.
8. Combining large data sets can offer powerful knowledge and
analysis, but data usage may be inconsistent with the primary
purposes of collection.
9. The appropriate or desired state is determined by the
organization, with acknowledgement that the highest level
of maturity (optimized) may not be suitable for all or even
many situations.
IVANOVS AND DERUMA ARTICLE
10. Cybersecurity is a long-term trend in which information
assurance, risk approach by design and privacy by default
indicate the evolution of information security and give broader
understanding of cyberspace.
11. In this case, soft skills for risk managers; auditors; process,
information and system owners, including information security
managers, are needed to resolve problems more creatively
to assure the confidentiality, integrity, availability and
accountability of an organization’s information assets.
12. A better understanding of cyberecosystem elements, their
relationships and main performance drivers makes it possible
to plan and develop effective cybersecurity readiness, only with
the adequate resources and capabilities of big enterprises.
13. Organizations need to go further; they need to reengineer the
behavior, attitudes and knowledge of all stakeholders, including
those outside the organization (e.g., customers, suppliers).
MUKHUNDHAN ARTICLE
14. A Ponemon Institute study revealed that only 14 percent of
companies surveyed said that their executive management
does not take part in the incident response process, and “as
a consequence of this involvement and awareness, incident
managers may not find it difficult to prioritize incident
handling and to obtain the resources from business leadership
to invest in the skills and technologies necessary to deal
with future security incidents,” which are expected to
increase significantly.
15. The incident manager should be prepared up front with
the communication grid, i.e., what information should be
communicated to which business stakeholders and during
which life cycle stage of the incident.
16. An inappropriate financial gain is not considered a financial
impact that requires investigation, analysis and eventually
corrective action.
17. The IT manager, depending upon the evolving state of the
incident and its containment or eradication success rate,
would, in turn, be expected to constantly reassess the impact
and respond accordingly.
18. On the other hand, if the network damage is spreading fast
and is outpacing the incident response team, the business
managers may have to consider other options, such as
activating a disaster recovery site, transferring work to a
different location or shifting to a manual option.
QUIZ #165
Based on Volume 6, 2015—The Internet of Things
Value—1 Hour of CISA/CISM/CGEIT/CRISC Continuing Professional Education (CPE) Credit
TRUE OR FALSE
Prepared by Smita Totade, Ph.D.,
CISA, CISM, CGEIT, CRISC
Take the quiz online: