ISO/IEC 27018 is the ISO standard that provides guidance to ensure that cloud service providers offer appropriate information security controls to protect the privacy of their customer’s clients by securing personally identifiable information entrusted to them. ISO/IEC 27018 is a code of practice for protecting personal information in cloud storage. The term for the personal data it covers is Personally Identifiable Information or PII. ISO/IEC 27018 is an addendum to ISO/IEC 27001, the first international code of practice for cloud privacy. It helps cloud service providers who process PII to assess risk and implement controls for protecting PII. ISO/IEC 27018 was created in 2014 and updated in 2019. It has the following objectives:

Help the public cloud service provider to comply with applicable obligations when acting as a PII processor, whether such obligations fall on the PII processor directly or through contract.

Enable the public cloud PII processor to be transparent in relevant matters so that cloud service customers can select well-governed cloud-based PII processing services.

Assist the cloud service customer and the public cloud PII processor in entering into a contractual agreement.

Provide cloud service customers with a mechanism for exercising audit and compliance rights and responsibilities in cases where individual cloud service customer audits of data hosted in a multiparty, virtualized server (cloud) environment can be impractical technically and can increase risks to those physical and logical network security controls in place 1 2 3 .

References :

ISO/IEC 27018: Protecting PII in Public Clouds - ISMS.online , ISMS.online, 2019

ISO/IEC 27018 - Wikipedia , Wikipedia, 2021

ISO/IEC 27018:2019 - Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors , ISO, 2019

Geofencing is a technique that uses the user’s location data to create a virtual boundary around a specific geographic area. Mobile applications can use geofencing to trigger certain actions or notifications when the user enters or exits the defined area. For example, a mobile application can send a push notification to the user when they are near a store or a restaurant. However, geofencing can also be used by marketers to gather sensitive data and know about users’ offline activities from the location data. For instance, a mobile application can track the user’s movements and preferences based on the places they visit and the time they spend there. This can help marketers to target the user with personalized ads and offers, but it can also pose a threat to the user’s privacy and security 1 2 . References : Network Defense Essentials - EC-Council Learning , Geofencing: What Is It and How Does It Work?

Centralized authentication is a method that uses a central server to authenticate users and devices on a network. The central server stores the credentials and access rights of the users and devices, and verifies them when they request to access the network resources. The central server can also provide encryption keys to the users and devices for secure communication. In the scenario, Jessica’s laptop and the access point use a RADIUS server as the central server for authentication. The RADIUS server transmits authentication keys to both the access point and Jessica’s laptop, which helps the access point identify the wireless client 1 2 . References : Network Defense Essentials - EC-Council Learning , Centralized Authentication: What It Is and How It Works

The correct sequence of steps involved in the creation of a data retention policy is 3 - > 1 - > 4 - > 5 - > 2. This is based on the following description of the data retention policy creation process from the web search results:

Build a team: To design a data retention policy, you need a team of industry experts, such as legal, IT, compliance, and business representatives, who can contribute their knowledge and perspectives to the policy. The team should have a clear leader who can coordinate the tasks and communicate the goals and expectations 1 .

Determine legal requirements: The team should research and understand the applicable legal and regulatory requirements for data retention that affect the organization, such as GDPR, HIPAA, PCI DSS, etc. The team should also consider any contractual obligations or industry standards that may influence the data retention policy 2 1 3 4 .

Identify and classify the data: The team should inventory and categorize all the data that the organization collects, stores, and processes, based on their function, subject, or type. The team should also assess the value, risk, and sensitivity of each data category, and determine the appropriate retention period, format, and location for each data category 2 1 3 4 .

Develop the data retention policy: The team should draft the data retention policy document that outlines the purpose, scope, roles, responsibilities, procedures, and exceptions of the data retention policy. The policy should be clear, concise, and consistent, and should reflect the legal and business requirements of the organization. The policy should also include a data retention schedule that specifies the retention period and disposition method for each data category 2 1 3 4 .

Ensure that all employees understand the organization’s data retention policy: The team should communicate and distribute the data retention policy to all the relevant employees and stakeholders, and provide training and guidance on how to comply with the policy. The team should also monitor and enforce the policy, and review and update the policy regularly to reflect any changes in the legal or business environment 2 1 3 4 .

References :

How to Create a Data Retention Policy | Smartsheet , Smartsheet, July 17, 2019

What Is a Data Retention Policy? Best Practices + Template , Drata, November 29, 2023

Data Retention Policy: What It Is and How to Create One - SpinOne , SpinOne, 2020

How to Develop and Implement a Retention Policy - SecureScan , SecureScan, 2020

Two-factor authentication (2FA) is a type of authentication that requires users to provide two or more forms of verification to access an online account. 2FA is a multi-layered security measure designed to prevent hackers from accessing user accounts using stolen or shared credentials. 2FA typically combines something the user knows (such as a password or PIN), something the user has (such as a phone or a token), and/or something the user is (such as a fingerprint or a face scan). In the above scenario, the banking application employs 2FA by asking Kevin to enter his registered credentials (something he knows) and an OTP sent to his mobile (something he has) before transferring the amount to Flora’s account. References :

Improve Your Cybersecurity with Password MFA - Defense.com™

What Is Two-Factor Authentication (2FA)? | Microsoft Security

Selecting Secure Multi-factor Authentication Solutions

Wireless security

A close-up of a wireless router Description automatically generated

Explore

The correct order of wireless encryption modes in terms of security from high to low is 2 - > 1 - > 4 - > 3. This is based on the following comparison of the wireless encryption modes:

WPA3: WPA3 is the latest and most secure wireless encryption mode, introduced in 2018 as a successor to WPA2. WPA3 uses the AES encryption protocol and provides several security enhancements, such as stronger password protection, individualized encryption, forward secrecy, and protection against brute-force and dictionary attacks. WPA3 also supports two modes: WPA3-Personal and WPA3- Enterprise, which offer different levels of security for home and business networks. WPA3-Personal uses Simultaneous Authentication of Equals (SAE) to replace the Pre-Shared Key (PSK) method and provide more robust password-based authentication. WPA3-Enterprise uses 192-bit cryptographic strength to provide additional protection for sensitive data and networks 1 2 3 .

WPA2 Enterprise with RADIUS: WPA2 Enterprise with RADIUS is a wireless encryption mode that combines the security features of WPA2 Enterprise and the authentication features of RADIUS. WPA2 Enterprise is a mode of WPA2 that uses the AES encryption protocol and provides stronger security than WPA2 Personal, which uses the PSK method. WPA2 Enterprise uses the 802.1X standard to implement Extensible Authentication Protocol (EAP) methods, such as EAP-TLS, EAP-TTLS, or PEAP, to authenticate users and devices before granting access to the network. RADIUS is a protocol that allows a central server to manage authentication, authorization, and accounting for network access. RADIUS can integrate with WPA2 Enterprise to provide centralized and scalable authentication for large and complex networks, such as corporate or campus networks .

WPA2 Enterprise: WPA2 Enterprise is a wireless encryption mode that uses the AES encryption protocol and provides stronger security than WPA2 Personal, which uses the PSK method. WPA2 Enterprise uses the 802.1X standard to implement Extensible Authentication Protocol (EAP) methods, such as EAP-TLS, EAP-TTLS, or PEAP, to authenticate users and devices before granting access to the network. WPA2 Enterprise is suitable for business or public networks that require individual and secure authentication for each user or device .

WPA2 PSK: WPA2 PSK is a wireless encryption mode that uses the AES encryption protocol and provides better security than WEP or WPA, which use the TKIP encryption protocol. WPA2 PSK uses the Pre-Shared Key (PSK) method, which means that all users and devices share the same password or passphrase to join the network. WPA2 PSK is easy to set up and use, but it has some security drawbacks, such as being vulnerable to brute-force and dictionary attacks, or having the password compromised by a rogue user or device. WPA2 PSK is suitable for home or small networks that do not require individual authentication or advanced security features .

References :

Wi-Fi Security: Should You Use WPA2-AES, WPA2-TKIP, or Both? - How-To Geek , How-To Geek, March 12, 2023

WiFi Security: WEP, WPA, WPA2, WPA3 And Their Differences - NetSpot , NetSpot, February 8, 2024

What is WPA3? And some gotchas to watch out for in this Wi-Fi security upgrade - CSO Online , CSO Online, November 18, 2020

[Types of Wireless Security Encryption - GeeksforGeeks], GeeksforGeeks, 2020

[Wireless Security Protocols: WEP, WPA, and WPA2 - Lifewire], Lifewire, February 17, 2021

[WPA vs. WPA2 vs. WPA3: Wi-Fi Security Explained - MakeUseOf], MakeUseOf, January 13, 2021

Containerization is a practice that helps security professionals protect mobile applications from various attacks. Containerization is a technique that isolates critical corporate data from the rest of the device data and applications. Containerization creates a secure and encrypted environment on the device where the corporate data and applications can be accessed and managed. This way, containerization prevents unauthorized access, data leakage, malware infection, or device theft from compromising the corporate data and applications 1 2 . References : Network Defense Essentials - EC-Council Learning , Mobile Application Security: Containerization vs. App Wrapping vs. SDK

Atomic-signature-based analysis is a type of attack signature analysis technique that uses a single characteristic or attribute of a packet header to identify malicious traffic. Atomic signatures are simple and fast to match, but they can also generate false positives or miss some attacks. Some examples of atomic signatures are source and destination IP addresses, port numbers, protocol types, and TCP flags. Atomic-signature-based analysis is the technique performed by Joseph in the above scenario, as he analyzed packet headers to check whether any indications of source and destination IP addresses and port numbers are being changed during transmission. References :

[Understanding the Network Traffic Signatures] - Module 12: Network Traffic Monitoring

Network Defense Essentials (NDE) | Coursera - Week 12: Network Traffic Monitoring

[Network Defense Essentials Module 12 (Network Traffic Monitoring) - Quizlet] - Flashcards: What are Network Traffic Signatures?

Finch has implemented the COBO (Corporate-Owned, Business-Only) mobile usage policy in the above scenario. COBO is a policy where the organization provides mobile devices to the employees and restricts them to use the devices only for work-related purposes. The organization has full control over the devices and can enforce security measures, such as encryption, password protection, remote wipe, and application whitelisting or blacklisting. The employees are not allowed to use the devices for personal use, such as browsing the internet, making personal calls, or installing personal apps. COBO is a policy that aims to maximize security and minimize distractions and risks for the organization and the employees. References :

Mobile usage policy in office - sample, cell phone policy in companies and organization , HR Help Board, 2020

Employee Cell Phone Policy Template , Workable, 2020

How Employers Enforce Cell Phone Policies in the Workplace , Indeed, 2022