3. Security Standards & Security Management Flashcards

1
Q

What should information security standards offer?

A

Coherent approach (to information security across the organisation)
Pragmatic & flexible (i.e. controls appropriate to the organisation's size and risk)
Guidance (on security)
Best practice (& a sensible approach)
Help with compliance (regulatory / customers / business / government etc.)

2
Q

What are the problems associated with security standards?

A

Lack of awareness (several business surveys show this)
Lack of acceptance?
Cost & time (it can be easier to become an assessor than to get certified, as with other standards)
Accreditation vs good practice (being accredited doesn't necessarily mean every area is secure, & not being accredited doesn't necessarily mean things aren't secure)

3
Q

What are the characteristics of formal security standards?

A

Lots of 'red tape' and bureaucracy!
Long process (6 months to 1 year to certify, then a continual process)
Not a one-off fix
Expensive, needs support mechanisms (e.g. teams, committees, focus groups, consultants, audit functions / facilities, and resources to act on their findings)
Needs top management support - or it will not work or be adopted
Probably affects all of the organisation

4
Q

What are the other security standards?

A

Technical standards / evaluation schemes for products:
TCSEC - Trusted Computer System Evaluation Criteria (US DoD 'Orange Book')
ITSEC - Information Technology Security Evaluation Criteria (European)
(both since superseded by the Common Criteria, ISO/IEC 15408)

Less formal information security standards - business certification schemes - e.g. WebTrust

5
Q

What are WebTrust's principles?

A
Security
Availability
Processing integrity
Online privacy
Confidentiality
6
Q

What is required for a security strategy to be consistent (with the business)?

A

Threat & vulnerability assessment
Comprehensive security plan
Alignment with the other strategies (general / overall business, marketing, operational)

7
Q

What threats should a security strategy identify?

A
System unavailable
Unauthorised disclosure / modification of information
Malware affecting systems
Unauthorised access (local & remote)
Fraud (by staff)
Errors & omissions
Breach of privacy & confidentiality
Repudiation & lack of accountability
Non-compliance
8
Q

What is the process required for a security strategy?

A

Implement the strategy (allocate people, resources, equipment; set policies, tasks, processes)
Monitor (what things should you monitor? how regularly?)
Evaluate (costs, effectiveness, responsiveness)
Update (policy, plans, resources) - then repeat the cycle
