Chapter 18: Information Security Risks Flashcards
What are the three main components of information security risks?
- Confidentiality
- Integrity
- Availability of data
Why is safeguarding information crucial?
What does this prevent? 3 types of impact
To prevent:
- Financial losses
- Reputational damage
- Regulatory penalties.
What is the objective of implementing robust security measures?
To protect what from what?
To protect sensitive information from various threats.
What are examples of cyber risks?
3 most obvious
- Hacking
- Virus infections
- Phishing attacks.
What are examples of physical risks in information security?
Theft of devices and social engineering attacks.
What are internal threats to information security?
Employee misconduct and mishandled exits with sensitive information.
What are external threats to information security?
Third-party failures and system disruptions.
What was the outcome for Cambridge Analytica following the data breach?
Filed for bankruptcy.
What is ISO/IEC 27001:2013?
Governance.
A widely recognized information security standard offering general guidance on security governance, policies, risk assessment, and risk treatment.
What is the scope of ISO/IEC 27001:2013?
High-level … external.
Provides limited, high-level guidance, with detailed implementation often found in external resources.
What role do audits and management reviews play in ISO/IEC 27001:2013?
What do they emphasize?
They are emphasized for maintaining information security.
What is the purpose of an information asset inventory?
Severity?
To identify and categorize information assets for better risk management.
What are the typical categories in an information asset inventory?
4.
- Highly confidential
- Confidential
- Internal
- Public.
What is a risk assessment process in information security?
What techniques and processes are often employed?
Involves surveys, RCSAs, scenario analysis, and Monte Carlo simulations.
What are behavioral controls in information security?
Examples.
- Awareness campaigns
- Rules of conduct
- Monitoring
- Sanctions.
What are technical controls in information security?
Examples.
Preventive measures like firewalls and encryption, and detective measures like DLPD.
What are Key Risk Indicators (KRIs) for information security?
Metrics for exposure, control failures, stress, and causal factors.
What was the cause of the Equifax data breach?
External intrusion due to an unpatched vulnerability.
What is a risk taxonomy in information security?
A classification system for different types of information security incidents.
What percentage of data leaks are insider-related, according to McAfee?
43%.
What is the focus of risk-based protection in information security?
Why are some risks ignored?
Protecting critical assets since fully protecting all data is too costly.
What is a cyber scenario assessment?
Modeling rare events like data breaches using scenario analysis.
What are future trends in information security?
Advanced threat detection, enhanced data privacy regulations, and integrated security solutions.
What is the role of Monte Carlo simulations in cyber scenario assessments?
To estimate loss distributions by considering detection time, data volume affected, and data value.