ISO27001 and ISO27002, standards and risk management
What security principle refers to the reliable and timely access to data and resources by authorized individuals?
Availability
Some examples of Integrity measures are?
Changes in data and systems are authorized; Auditing; Segregation of Duties; Hashing (data integrity); Configuration management (system integrity); Change control (process integrity); Access control (physical and logical); Transmission CRC functions
Some examples of Confidentiality measures are?
Clear desk policy; Need-to-know basis; Strict access controls (physical and logical); Separation of duties; Strict separation between environments; Logical access management; Encryption for data at rest (whole disk, database encryption); Encryption for data in transit (IPsec, SSL, PPTP, SSH)
ISO/IEC 27002
Code of practice for information security management
Additional steps in risk analysis - ISO27005
Communication and Consultation; Monitoring and Review
What security principle ensures that a necessary level of secrecy is enforced at each element of data processing and prevents unauthorized disclosure?
Confidentiality
ISO/IEC 27000
Overview and vocabulary
To achieve information security, a suitable set of controls needs to be implemented, what are they?
Policies, procedures, organizational structures and software and hardware functions.
What is traffic padding?
Produces a continuous random stream of cipher text, making it harder for an attacker to distinguish between true data flow and padding.
Some examples of Availability measures are?
RAID; Clustering; Load balancing; Redundancy; Software and data backups; Disk shadowing; Co-location and off-site facilities; Roll-back functions; Fail-over configurations
The likelihood of a threat agent taking advantage of a vulnerability and the corresponding business impact is referred to as?
Risk
Step 6 in risk analysis - ISO27005
Risk Acceptance
Step 2 in risk analysis - ISO27005
Risk Assessment - Risk Identification
NIST 800-30
Risk Management Guide for Information Technology
Step 5 in risk analysis - ISO27005
Risk Treatment (Modify, Avoid, Retain, Share)
Something that is put into place to mitigate the potential risk of a vulnerability being exploited?
Safeguard, countermeasure or control
Risk Sharing
The risk is shared with another party that can most effectively manage the particular risk. Sharing can be done by insurance that will support the consequences, or by sub-contracting a partner whose role will be to monitor the information system and take immediate actions to stop an attack.
A weakness that can be exploited by one or more threats and that exposes an organization to possible damages is called?
Vulnerability (running service, unpatched application or operating system software, open port on a FW, lax physical security, etc)
Risk Retention
The decision to retain the risk without further action. This relies on the risk evaluation.
top-down approach
The initiation, support, and direction come from top management; work their way through middle management; and then reach staff members.
Risk modification
The level of risk is managed by introducing, removing or altering controls so that the residual risk can be reassessed as being acceptable.
residual risk
risk remaining after risk treatment
Six Sigma
...is a process improvement methodology. It is the "new and improved" Total Quality Management (TQM) that hit the business sector in the 1980s. It was developed by Motorola with the goal of identifying and removing defects in its manufacturing processes.
ITIL
...is the de facto standard of best practices for IT service management. It was created because of the increased dependence on information technology to meet business needs.
bottom-up approach
...refers to a situation in which staff members (usually IT) try to develop a security program without getting proper management support and direction.
Before we are able to start defining a security strategy, we must first know what we are protecting and what we are protecting it from.
Risk Analysis / Risk Assessment
Step 3 in risk analysis - ISO27005
Risk Assessment - Risk Analysis
Step 4 in risk analysis - ISO27005
Risk Assessment - Risk Evaluation
The potential of an unwanted incident occurring that may result in harm to a system or organization.
A threat
An entity that takes advantage of or exploits a threat is called?
A threat agent
Risk Avoidance
An activity or condition that gives rise to a particular risk being avoided. For example, for risks caused by nature (e.g. earthquakes) it may be most cost effective to physically move the information processing facilities to another location.
All security controls and mechanisms are implemented to protect one or more of these security principles?
Confidentiality (exclusivity), Integrity and Availability
Step 1 in risk analysis - ISO27005
Context
Confidentiality can be achieved by?
Encrypting data while at rest and during transit; Using network traffic padding; Implementing strict access controls and data classifications; Training and awareness of proper procedures
The presence of a vulnerability that exposes an organization to a threat is called?
Exposure
ISO/IEC 27003
Guideline for ISMS implementation
ISO/IEC 27004
Guideline for information security management measurement and metrics framework
ISO/IEC 27005
Guideline for information security risk management
ISO/IEC 27033-1
Guideline for network security
ISO/IEC 27006
Guidelines for bodies providing audit and certification of information security management systems
ISO/IEC 27001
ISMS requirements
Process Management
ITIL; Six Sigma
What security principle refers to being correct or consistent with the intended state of information?
Integrity
Likelihood
chance of something happening
risk communications and consultation
continual and iterative processes that an organization conducts to provide, share or obtain information, and to engage in dialogue with stakeholders regarding the management of risk
risk management
coordinated activities to direct and control an organization with regard to risk
risk
effect of uncertainty on objectives
Plan - Do - Check - Act (PDCA)
Plan: establishing objectives and making plans; Do: implementation of the plans; Check: measuring results to understand if objectives are met; Act: direction on how to correct and improve plans to better achieve success
external context
external environment in which the organization seeks to achieve its objectives
ISO/IEC 27005 provides guidance for?
information security risk management
Internal context
internal environment in which the organization seeks to achieve its objectives
level of risk
magnitude of risk, expressed in terms of consequences and their likelihood
Control
measure that is modifying risk
Event
occurrence or change of a particular set of circumstances
Consequence
outcome of an event
risk assessment
overall process of risk identification, risk analysis and risk evaluation
stakeholder
person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or activity
risk evaluation
process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable
risk identification
process of finding, recognizing and describing risks
risk analysis
process to comprehend the nature of risk and to determine levels of risk
risk treatment
process to modify risk