ISO27001 and ISO27002, standards and risk management

Lakukan tugas rumah & ujian kamu dengan baik sekarang menggunakan Quizwiz!

What security principle refers to the reliable and timeless access to data and resources to authorized individuals?

Availability

Some examples of Integrity measures are?

Changes in data and systems are authorized Auditing Segregation of Duties Hashing (data integrity) Configuration management (system integrity) Change control (process integrity) Access control (physical and logical) Transmission CRC functions

Some examples of Confidentiality measures are?

Clear desk policy Need to know basis Strict access controls (physical and logical) Separation of duties Strict separations between environments Logical access management Encryption for data at rest (whole disk, database encryption) Encryption for data in transit (IPsec, SSL, PPTP, SSH)

ISO/IEC 27002

Code of practice for information security management

Additional steps in risk analysis - iso27005

Communication and Consultation Monitor and Review

What security principle ensures that a necessary level of secrecy is enforced at each element of data processing and prevents unauthorized disclosure?

Confidentiality

ISO/IEC 27000

Overview and vocabulary

To achieve information security, a suitable set of controls needs to be implemented, what are they?

Policies, procedures, organizational structures and software and hardware functions.

What is traffic padding?

Produces a continuous random data stream of cipher text making it harder for an attacker to distinguish between true data flow and padding.

Some examples of Availability measures are?

RAID Clustering Load Balancing Redundancy Software and Data backups dish shadowing Co-location and off-site facilities Roll back functions fail-over configurations

The likelihood of a threat agent taking advantage of a vulnerability and the corresponding business impact is referred to as?

Risk

6 step in risk analysis - iso27005

Risk Acceptance

2 step in risk analysis - iso27005

Risk Assessment - Risk Identification

NIST 800-30

Risk Management Guide for Information Technology

5 step in risk analysis - iso27005

Risk Treatment (Modify, Avoid, Retain, Share)

Something that is put into place to mitigate the potential risk of a vulnerability being exploited?

Safeguard, counter measure or control

Risk Sharing

The risk is shared with another party that can most effectively manage the particular risk. Sharing can be done by insurance that will support the consequences, or by sub-contracting a partner whose role will be to monitor the information system and take immediate actions to stop an attack.

A weakness that can be exploited by one or more threats and that exposes an organization to possible damages is called?

Vulnerability (running service, unpatched application or operating system software, open port on a FW, lax physical security, etc)

Risk Retention

The decision to retaining the risk without further action. Will rely on risk evaluation.

top-down approach

The initiation, support, and direction come from top management; work their way through middle management; and then reach staff members.

Risk modification

The level of risk is managed by introducing, removing or altering controls so that the residual risk can be reassessed as being acceptable.

residual risk

risk remaining after risk treatment

Six Sigma

...is a process improvement methodology. It is the "new and improved" Total Quality Management (TQM) that hit the business sector in the 1980s. Was was developed by Motorola with the goal of identifying and removing defects in its manufacturing processes.

ITIL

...is the de facto standard of best practices for IT service management. It was created because of the increased dependence on information technology to meet business needs.

bottom-up approach

...refers to a situation in which staff members (usually IT) try to develop a security program without getting proper management support and direction.

Before we are able to start defining a security strategy, we must first know what we are protecting and what we are protecting it from.

Risk Analysis Risk Assessment

3 step in risk analysis - iso27005

Risk Assessment - Risk Analysis

4 step in risk analysis - iso27005

Risk Assessment - Risk Evaluation

The potential of an unwanted incident occurring that may result in harm to a system or organization.

A threat

An entity that takes advantage or exploits a threat is called?

A threat agent

Risk Avoidance

An activity or condition that gives rise to a particular risk being avoided. For example, for risks caused by nature (e.g. earthquakes) it may be most cost effective to physically move the information processing facilities to another location.

All security controls and mechanisms are implemented to protect one or more of these security principles?

Confidentiality (exclusivity), Integrity and Availability

1 step in risk analysis - iso27005

Context

Confidentiality can be achieved by?

Encrypting data while at rest and during transit Using network traffic padding Implementing strict access controls and data classifications Training and awareness of proper procedures

The presence of a vulnerability that exposes an organization to a threat is called?

Exposure

ISO/IEC 27003

Guideline for ISMS implementation

ISO/IEC 27004

Guideline for information security management measurement and metrics framework

ISO/IEC 27005

Guideline for information security risk management

ISO/IEC 27033-1

Guideline for network security

ISO/IEC 27006

Guidelines for bodies providing audit and certification of information security management systems

ISO/IEC 27001

ISMS requirements

Process Management

ITIL Six Sigma

What security principle refers to being correct or consistent with the intended state of information?

Integrity

Likelihood

chance of something happening

risk communications and consultation

continual and iterative processes that an organization conducts to provide, share or obtain information, and to engage in dialogue with stakeholders regarding the management of risk

risk management

coordinated activities to direct and control an organization with regard to risk

risk

effect of uncertainty on objectives

Plan - Do - Check - Act (PDCA)

establishing objectives and making plans implementation of the plans measuring results to understand if objectives are met direction on how to correct and improve plans to better achieve success

external context

external environment in which the organization seeks to achieve its objectives

ISO-IEC27005 provides guidance for?

information security risk management

Internal context

internal environment in which the organization seeks to achieve its objectives

level of risk

magnitude of risk, expressed in terms of consequences and their likelihood

Control

measure that is modifying risk

Event

occurrence or change of a particular set of circumstances

Consequence

outcome of an event

risk assessment

overall process of risk identification, risk analysis and risk evaluation

stakeholder

person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or activity.

risk evaluation

process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable

risk identification

process of finding, recognizing and describing risks

risk analysis

process to comprehend the nature of risk and to determine levels of risk

risk treatment

process to modify risk


Set pelajaran terkait

Chapter 14 PrepUWhich group of terms best defines assessing in the nursing process?

View Set

OLIGOPOLIO Y COMPETENCIA MONOPOLISTICA

View Set

Global & Strategic Management Exam 2 Ch 5,6,7,8

View Set

Ch 12-Brooker Biology-Gene Expression at the Molecular Level

View Set

UNIT 1 - Challenge 2: Age of Exploration: 1400s - 1600s

View Set

Bio SAT ii Practice test problems

View Set

PHYS 137 Midterm take two because I actually am very worried

View Set

Neurobiology Chapter 9: Somatic Sensory System

View Set