Information Security Framework Flashcards

Question 1

Q

Information Security Framework

Answer

A

Purpose: Ensure appropriate security controls for information assurance across the enterprise.

Components of an Information Security Framework:
- Roles: Define the responsibilities and accountability of individuals involved in information security.

- Documentation requirements: Specify the documentation needed to support information security practices.

- Processes: Establish the procedures and workflows to implement and maintain security controls.

In summary, an information security framework is designed to provide the necessary elements for ensuring the presence of effective security controls and information assurance throughout an organization. It encompasses various components, such as defining roles, documenting requirements, and establishing processes to support robust information security practices.

Question 2

Q

Organisational Structures

Answer

A

Purpose: Establish a structure for effective information assurance by allocating roles and responsibilities across the enterprise.
- Understanding Assurance Requirements: Clear understanding of the assurance requirements to support business goals and objectives.
- Accountability and Coordination: Define accountability and ensure coordination of assurance activities for effective management.
- Pyramid-shaped Organisational Structure:
- CEO (Chief Executive Officer): Head of the organization, responsible for running the company.
- Executive Leadership Team: Assists the CEO in various business functions.
- Board of Directors:
- Strategic and Financial Oversight: Oversees the business operation from a strategic and financial viewpoint, reporting to shareholders and investors.
- CEO Reporting: CEO reports to the board of directors.
- Senior Leadership Team:
- CFO (Chief Financial Officer): Manages finances, financial reporting, and compliance.
- CIO (Chief Information Officer): Responsible for IT strategy and day-to-day IT operations.
- COO (Chief Operating Officer): Oversees day-to-day operations of the company.
- CISO (Chief Information Security Officer): Develops and implements information security program, accountable for information assurance.
- Reporting Line: Could report to the CEO, COO, or other senior management positions.
- CSO (Chief Security Officer): Responsible for corporate and physical security (may exist but not shown in the provided structure).
- Other Senior Management Roles:
- CRO (Chief Risk Officer): Manages risk-related activities.
- CCO (Chief Compliance Officer): Oversees compliance with regulations and standards.

In summary, an effective organisational structure for information assurance is crucial in allocating roles and responsibilities. The pyramid-shaped structure typically includes the CEO, executive leadership team, and board of directors. The senior leadership team, including roles such as CFO, CIO, COO, and CISO, play vital roles in financial management, IT strategy, operations, and information security. Other roles like CSO, CRO, and CCO may also exist to address corporate security, risk management, and compliance.

Question 3

Q

Which role in the organisational structure is responsible for developing and implementing an information security program and providing guidance on cyber strategy at a strategic level?

A) CFO (Chief Financial Officer)
B) CIO (Chief Information Officer)
C) COO (Chief Operating Officer)
D) CISO (Chief Information Security Officer)

Answer

A

D) CISO (Chief Information Security Officer).

The CISO is responsible for developing and implementing an information security program and providing guidance on cyber strategy at a strategic level. This role ensures that information assurance is prioritized and accounted for within the organization’s structure.

Question 4

Q

Which senior leadership role is responsible for managing the finances and records of the company, ensuring financial reporting, and making business decisions based on sound financial criteria?

A) CEO (Chief Executive Officer)
B) CFO (Chief Financial Officer)
C) CIO (Chief Information Officer)
D) COO (Chief Operating Officer)

Answer

A

B) CFO (Chief Financial Officer)

The senior leadership role responsible for managing the finances and records of the company, ensuring financial reporting, and making business decisions based on sound financial criteria is the CFO (Chief Financial Officer).

Question 5

Q

In an organizational structure, which senior leadership role is responsible for managing the day-to-day operations of the company?

a) CEO (Chief Executive Officer)
b) CFO (Chief Financial Officer)
c) COO (Chief Operating Officer)
d) CISO (Chief Information Security Officer)

Answer

A

C) COO (Chief Operating Officer)

The senior leadership role responsible for managing the day-to-day operations of the company is the COO (Chief Operating Officer).

Question 6

Q

Which roles in the organizational structure are typically responsible for information security at a strategic level? Select two.

A) CEO (Chief Executive Officer)
B) CIO (Chief Information Officer)
C) CISO (Chief Information Security Officer)
D) CFO (Chief Financial Officer)

Please select two options from the provided choices.

Answer

A

The correct answers are B and C

The roles of CIO (Chief Information Officer) and CISO (Chief Information Security Officer) are typically responsible for information security at a strategic level. Well done!

Question 7

Q

Which roles are responsible for managing the financial aspects of a company? Select two options.

A) CEO (Chief Executive Officer)
B) CFO (Chief Financial Officer)
C) CIO (Chief Information Officer)
D) CISO (Chief Information Security Officer)

Answer

A

A) CEO (Chief Executive Officer)
B) CFO (Chief Financial Officer)

CEO (Chief Executive Officer): The CEO is the head of the company or organization and is responsible for overall management and decision-making. While the CEO may not directly handle financial matters on a day-to-day basis, they have the ultimate responsibility for financial performance and strategic financial decision-making.
CFO (Chief Financial Officer): The CFO is specifically responsible for managing the financial aspects of the company. This includes overseeing financial planning, budgeting, financial reporting, and ensuring compliance with financial regulations. The CFO plays a key role in making financial decisions that impact the organization’s operations and long-term financial health.

Both the CEO and CFO have important roles in managing the financial aspects of a company, with the CFO specifically focusing on financial management and reporting while the CEO holds the overall responsibility for the organization’s financial performance.

Question 8

Q

Information Security Manager (ISM)

Answer

A

The ISM role is responsible for implementing information security measures within an organization.
- The ISM works closely with the CISO (Chief Information Security Officer) and may report directly to the CISO.
- Responsibilities of the ISM include:
- Serving as a single point of responsibility for Information Assurance within the organization.
- Ensuring that Information Assurance aligns with the business’s goals and objectives.
- Collaborating with the CISO in developing and implementing security policies.
- Securing necessary resources for Information Assurance initiatives.
- Communicating information security matters to senior management, other managers, and users within the organization.
- Coordinating with external authorities such as law enforcement and regulators.
- Providing guidance and support to security practitioners within the organization.
- The ISM should have a good understanding of the business, its objectives, and its risk profile.
- While the CISO focuses on strategic aspects and senior-level reporting, the ISM is more involved in implementing security measures, monitoring threats, and promoting a security culture within the organization.

Note: In some organizations, the CISO and the ISM roles may be combined into one position.

Question 9

Q

Information Security Manager (ISM)

Answer

A

The ISM role is responsible for implementing information security measures within an organization.
- The ISM works closely with the CISO (Chief Information Security Officer) and may report directly to the CISO.
- Responsibilities of the ISM include:
- Serving as a single point of responsibility for Information Assurance within the organization.
- Ensuring that Information Assurance aligns with the business’s goals and objectives.
- Collaborating with the CISO in developing and implementing security policies.
- Securing necessary resources for Information Assurance initiatives.
- Communicating information security matters to senior management, other managers, and users within the organization.
- Coordinating with external authorities such as law enforcement and regulators.
- Providing guidance and support to security practitioners within the organization.
- The ISM should have a good understanding of the business, its objectives, and its risk profile.
- While the CISO focuses on strategic aspects and senior-level reporting, the ISM is more involved in implementing security measures, monitoring threats, and promoting a security culture within the organization.

Note: In some organizations, the CISO and the ISM roles may be combined into one position.

Question 10

Q

Which of the following responsibilities is typically assigned to an Information Security Manager (ISM)?

A) Developing business strategies and financial planning

B) Conducting vulnerability assessments and penetration testing

C) Managing the organization’s human resources and personnel

D) Establishing and maintaining physical security controls

Remember, we are looking for the responsibility typically assigned to an Information Security Manager.

Answer

A

The correct answer is B) Conducting vulnerability assessments and penetration testing.

The responsibility of an Information Security Manager typically involves overseeing the implementation of security controls and practices, including conducting assessments to identify vulnerabilities and performing penetration testing to assess the effectiveness of security measures. This helps ensure the organization’s systems and data are adequately protected against potential threats.

Establishing and maintaining physical security controls (option D) may fall under the responsibility of a different role, such as a Facilities Manager or a Physical Security Manager.

Question 11

Q

Which of the following responsibilities is typically associated with an Information Security Manager?

A) Designing network architectures and infrastructure

B) Developing and implementing security policies and procedures

C) Managing software development projects

D) Conducting forensic investigations

Answer

A

B) Developing and implementing security policies and procedures.

An Information Security Manager is primarily responsible for overseeing the development and implementation of security policies and procedures within an organization. This includes creating and enforcing security standards, guidelines, and best practices to protect the organization’s information assets. While network architecture and infrastructure (option A) may fall under the purview of an IT or network specialist, managing software development projects (option C) typically belongs to a software development or project management role. Conducting forensic investigations (option D) is often handled by a dedicated forensic analyst or incident response team.

Question 12

Q

Security Steering Committee

Answer

A

A high-level forum chaired by the ISM and comprised of business unit managers.
- Purpose: Support the security function and promote good security practices.
- Functions:
- Regular meetings with all interested parties.
- Approval of documentation (policies, standards, procedures) - approval from the committee, sign-off from the CISO.
- Managing the risk register - centralized oversight of risk across departments.
- Utilizing external subject matter experts (SMEs) when needed.

Business unit managers or heads of departments:
- Manage assets within their departments.
- Allocate resources.
- Understand critical aspects within their
department.

Security Practitioners (Part of the IT department or dedicated security departments):

Responsibilities:
- Network management.
- Firewall management.
- Security Operations Centre (SOC).
- Security consultants.

Roles include implementing and managing security controls, monitoring controls, and addressing daily operational issues.
- Involved in change management related to new systems, infrastructure changes, etc.

Question 13

Q

Who typically chairs the Security Steering Committee within an organization?

A) Chief Executive Officer (CEO)

B) Chief Information Security Officer (CISO)

C) Chief Financial Officer (CFO)

D) Chief Operating Officer (COO)

Answer

A

Answer: B

The Security Steering Committee is usually chaired by the Chief Information Security Officer (CISO). This committee serves as a high-level forum to discuss security matters and support the security function within the organization. While other roles such as CEO, CFO, and COO may have involvement or participation in security-related decisions, the CISO is typically responsible for leading the Security Steering Committee.

Question 14

Q

What is one of the main functions of a Security Steering Committee within an organization?

A) Managing day-to-day security operations

B) Developing information security policies

C) Conducting security awareness training for employees

D) Implementing technical security controls

Answer

A

Answer: B

One of the main functions of a Security Steering Committee is to develop information security policies. This committee serves as a forum to discuss and approve documentation such as policies, standards, and procedures related to information security. While the committee may have oversight and involvement in various security-related activities, its primary role is to ensure the development and approval of effective policies that guide security practices within the organization.

Question 15

Q

Which of the following statements best describes the role of a Security Steering Committee in the context of information security governance?

A) The committee is responsible for performing daily security operations and incident response.

B) The committee serves as a centralized authority for approving and overseeing security projects and initiatives.

C) The committee is tasked with conducting vulnerability assessments and penetration testing.

D) The committee focuses on providing technical support for implementing security controls.

Answer

A

Answer: B

The role of a Security Steering Committee in information security governance is primarily focused on serving as a centralized authority for approving and overseeing security projects and initiatives. This committee ensures that security efforts align with the organization’s objectives, reviews and approves security-related documentation, and provides guidance and direction for security initiatives. While the committee may have oversight and involvement in other security-related activities, its primary responsibility lies in strategic decision-making and governance rather than daily operational tasks or technical support.

Question 16

Q

Users

Answer

A

Employees within the organization who use the systems and manipulate the data.

Responsibilities:
- Use information assets in compliance with policies,
procedures, standards, and guidelines.
- Follow job roles and responsibilities.
- Adhere to processes and procedures.
- Maintain a degree of security awareness through training.
- Exhibit appropriate personal behaviour when using
company resources.
- Engage in responsible external communication to
safeguard security and company reputation.

Personal responsibility:
- All staff members have a level of personal responsibility for
security and assurance.
- Awareness of responsibilities is crucial, including security
awareness training.

Job descriptions:
- Should clearly outline responsibilities, authority levels, non-
disclosure obligations, breach handling procedures, and
the process for leaving the business.
- Subject to review to ensure currency, relevance, and
compliance.

Security awareness program:
- Companywide program applicable to all staff.

Features:
- Organization-wide coverage.
- Up-to-date and relevant content.
- Tailored to the audience.
- Promotes behaviour change and a security culture.
- Achieves compliance where required.

Training effectiveness:
- Scenarios and testing to make the subject relevant and
measure effectiveness.
- Record of program completion.

Culture:
- Outcome of a security awareness program.
- Security mindset and behaviour modification.
- Applies across the organization, from senior management
to shop floor staff.
- Encourages questioning and reporting of suspicious
activities.
- Collective responsibility for fostering a secure culture
aligned with organizational goals and objectives.

Question 17

Q

Which of the following is an essential element of a security awareness training program?

A) Limited to specific job roles within the organization

B) Outdated and irrelevant content

C) Tailored to senior management only

D) Promotes a security culture and behaviour change

Answer

A

D) Promotes a security culture and behaviour change.

Explanation: A security awareness training program should aim to create a security culture within the organization. It should not be limited to specific job roles but should be organization-wide. The content should be up to date, relevant, and tailored to the audience, including all staff members. The main objective of the program is to promote a change in behaviour, encouraging individuals to think before they act and to be more vigilant about security risks. By promoting a security culture, organizations can create a collective responsibility for security and improve their overall security posture.

Question 18

Q

What is an important aspect of a security awareness training program?

A) It should only be mandatory for employees in high-risk roles.

B) It should be a one-time event without any follow-up sessions.

C) It should be tailored to the specific needs and roles of individuals.

D) It should focus solely on compliance requirements.

Answer

A

C) It should be tailored to the specific needs and roles of individuals.

Explanation: Security awareness training programs should be designed to address the unique needs and roles of individuals within an organization. Different employees have varying levels of access to information assets and face different security risks based on their job responsibilities. Tailoring the training ensures that employees receive relevant and applicable knowledge to their specific roles, increasing the effectiveness of the program. It helps employees understand their personal responsibilities, recognize security threats relevant to their work, and adopt appropriate security behaviours.

Question 19

Q

Which of the following are important considerations when implementing a security awareness training program? (Select two.)

A) Making the training mandatory for all employees

B) Customizing the training content for different departments

C) Conducting periodic assessments to measure training effectiveness

D) Providing rewards and incentives for completing the training

E) Including technical jargon and complex concepts in the training materials

Answer

A

A) Making the training mandatory for all employees
C) Conducting periodic assessments to measure training effectiveness

When implementing a security awareness training program, it is important to make the training mandatory for all employees to ensure widespread participation and consistent knowledge. Additionally, conducting periodic assessments helps measure the effectiveness of the training program and identifies areas that may require further attention or improvement. Customizing the training content for different departments can also be beneficial, but it is not one of the required considerations mentioned in the question. Providing rewards and incentives can be helpful in motivating employees to complete the training, but it is not a universal requirement. Including technical jargon and complex concepts in the training materials may hinder understanding and should be avoided to ensure clear communication.

Question 20

Q

Framework Requirements

Answer

A

Information Security Framework: Ensures governance requirements are met.

Three distinct groups of requirements:
Statutory, Regulatory, and Advisory.

Question 21

Q

Statutory Requirements:

Answer

A

Statutory requirements are mandatory information security requirements imposed on organizations.
- They are typically jurisdictional and stem from governments or the legal system.

Examples of statutory requirements include:
- Legal requirements from government and law.
- Privacy requirements, such as the General Data Protection
Regulation (GDPR) and Data Protection Act.
- Jurisdictional requirements specific to a geographic region.
- Incident response requirements, including obligations to
inform law enforcement in cases of criminal activity.

Compliance with statutory requirements is crucial to remain legal and avoid legal consequences.
Privacy legislation mandates how data should be stored and managed within the organization.
Incident response requirements ensure appropriate actions are taken during security incidents.
Organizations with a global presence need to be aware of legal requirements across multiple geographic regions.
Understanding and complying with statutory requirements influence how the business functions.
Non-compliance with statutory requirements can lead to legal penalties and damage to the organization’s reputation.
Regular monitoring and updates are necessary to ensure ongoing compliance with statutory requirements.
Working closely with legal counsel and staying informed about relevant laws and regulations is essential.

Question 22

Q

Which of the following best describes statutory requirements in information security?

A) Voluntary guidelines recommended for good security practices.

B) Best practices issued by industry associations.

C) Mandatory requirements imposed by governments or the legal system.

D) Standards developed by international organizations.

Answer

A

C) Mandatory requirements imposed by governments or the legal system.

Statutory requirements in information security refer to legal obligations that organizations must adhere to as prescribed by laws or regulations set by governments or the legal system. These requirements are not voluntary or optional, but rather mandatory for compliance. Well done!

Question 23

Q

Which of the following is an example of a statutory requirement in information security?

A) Best practice guidelines suggested by industry associations.

B) Recommendations from cybersecurity experts.

C) Data protection laws imposed by the government.

D) Internal policies and procedures developed by the organization.

Answer

A

C) Data protection laws imposed by the government.

Statutory requirements in information security refer to legal obligations imposed by government entities or the legal system. Data protection laws, such as the General Data Protection Regulation (GDPR), mandate how organizations should handle and protect personal data. Compliance with these laws is necessary to ensure the organization operates within the legal framework and protects individuals’ privacy rights. Well done!

Question 24

Q

Which of the following is an example of a jurisdictional statutory requirement in information security?

A) ISO 27001 certification

B) Payment Card Industry Data Security Standard (PCI DSS)

C) Health Insurance Portability and Accountability Act (HIPAA)

D) International Organization for Standardization (ISO) guidelines

Answer

A

C) Health Insurance Portability and Accountability Act (HIPAA).

HIPAA is a statutory requirement in the United States that sets standards for the protection of sensitive patient health information. It specifically applies to the healthcare industry and mandates the secure handling and storage of protected health information (PHI). Compliance with HIPAA is legally required for healthcare organizations and their business associates to ensure the privacy and security of patient data.

The other options listed in the question are not jurisdictional statutory requirements. Therefore, the correct answer is C) Health Insurance Portability and Accountability Act (HIPAA) as it represents a jurisdictional statutory requirement in information security.

(In the context of information security, jurisdictional statutory requirements may include laws, regulations, or acts that organizations must comply with to ensure the security and protection of data within a specific region. These requirements are legally enforceable and may cover various aspects such as data privacy, data protection, incident reporting, or specific industry regulations.)

Question 25

Q

Regulatory Requirements

Answer

A

Regulatory requirements are external obligations imposed on businesses by various organizations and bodies. These requirements are not legal requirements but are mandated by regulatory bodies such as the FCA (Financial Conduct Authority) and others. Understanding and complying with regulatory requirements is crucial for organizations to operate within specific industries or sectors.

Question 26

Q

Financial Sector Controls

Answer

A

In the financial sector, there are specific controls and standards that businesses need to adhere to. An example is the PCI-DSS (Payment Card Industry Data Security Standard), which outlines the security measures for handling payment card transactions. Compliance with PCI-DSS is necessary for businesses to process card payments. Non-compliance can result in the inability to process card transactions, leading to significant business impacts.

Question 27

Q

Industry-Specific Regulations

Answer

A

Different industries have their own regulatory requirements. For instance, the healthcare industry in the US is governed by HIPAA (Health Insurance Portability and Accountability Act), which focuses on the protection of healthcare records and patient privacy. Other industry sectors, such as power generation and communications, also have regulatory bodies that enforce specific compliance standards.

Question 28

Q

Regulatory Power and Consequences

Answer

A

Regulatory bodies possess extensive powers to enforce compliance and impose penalties. Non-compliance with regulatory requirements can result in severe consequences, including financial penalties, reputational damage, legal actions, and even the potential shutdown of business operations. It is essential for organizations to understand and meet regulatory obligations to avoid these negative consequences.

Question 29

Q

Which of the following regulatory standards is specifically designed to govern the handling of payment card transactions?

A) HIPAA

B) FCA

C) GDPR

D) PCI-DSS

Answer

A

D)PCI-DSS

PCI-DSS specifically focuses on the security measures for handling payment card transactions.

Question 30

Q

Which regulatory standard is primarily concerned with safeguarding the privacy and security of individuals’ healthcare information in the United States?

A) FCA

B) PCI-DSS

C) GDPR

D) HIPAA

Answer

A

D) HIPAA,

HIPAA is the regulatory standard that governs the protection of healthcare records and ensures the privacy and security of individuals’ health information in the United States.

Question 31

Q

Advisory Requirements

Answer

A

Advisory requirements provide advice and suggested practices to businesses.
- They are not legally binding or enforced but exist to guide companies in dealing with specific events.

Sources of advice for can come from:
- Government agencies
- Industry trade bodies
- Vendors
- Service providers
These bodies issue advice to help businesses implement measures that support their operations.

National Cyber Security Centre (NCSC):
- The NCSC is a government body that acts as a Computer Security Incident Response Team (CSIRT).
- It monitors incidents worldwide, provides early warnings of threats, and disseminates information.
- The NCSC conducts threat assessments and offers technical support to various entities.
- It serves as a single point of contact for businesses and the public.
- The NCSC provides support for critical national infrastructure, including the Internet and communications.

Note: Advisory requirements offer guidance and recommendations without legal enforcement. The NCSC is an important government agency providing cybersecurity support and incident response services.

Question 32

Q

Which of the following is true about Advisory Requirements?

A) They are legally binding and enforceable by regulatory bodies.

B) They offer advice and suggested practices but are not legally binding.

C) They are issued by the government to penalize non-compliant companies.

D) They provide mandatory guidelines that businesses must adhere to.

Answer

A

B) They offer advice and suggested practices but are not legally binding.

Advisory Requirements provide recommendations and guidance to businesses but do not carry legal obligations or enforceability. They serve as valuable sources of information and best practices for organizations to enhance their security measures.

Question 33

Q

Which organization is known for providing advisory requirements and guidance on cybersecurity best practices in the United Kingdom?

A) National Cyber Security Centre (NCSC)

B) International Organization for Standardization (ISO)

C) Federal Trade Commission (FTC)

D) Health Insurance Portability and Accountability Act (HIPAA)

Answer

A

A) National Cyber Security Centre (NCSC).

The NCSC is known for providing advisory requirements and guidance on cybersecurity best practices in the United Kingdom. They act as a computer security incident response team (CSIRT) and provide support to businesses, disseminate information, conduct threat assessments, and offer general technical support in the field of cybersecurity.

Question 34

Q

Which of the following bodies serves as a computer security incident response team (CSIRT) and provides early warnings of threats, threat assessments, and technical support to various entities?

A) National Cyber Security Centre (NCSC)

B) Payment Card Industry Security Standards Council (PCI SSC)

C) Financial Conduct Authority (FCA)

D) International Organization for Standardization (ISO)

Answer

A

A) National Cyber Security Centre (NCSC)

The National Cyber Security Centre (NCSC) serves as a CSIRT and provides early warnings of threats, threat assessments, and technical support, making it the most suitable answer.

Question 35

Q

Which source provides guidance on best practices for implementing security measures and supports businesses in dealing with certain events?

A) Government agencies

B) Industry trade bodies

C) Vendors

D) All of the above

Answer

A

D) All of the above

Government agencies, industry trade bodies, and vendors frequently issue guidance and advice on implementing security measures and dealing with specific events, making all the options correct.

Question 36

Q

Professional Bodies

Answer

A

Professional bodies provide training and support to ensure information security personnel have the necessary skills and competencies. They offer certificated qualifications, training paths, and maintain registers of members.

Examples of professional bodies include:
- ISSA (International Systems Security Association): A not-for-profit organization of information security professionals.
- ISACA (Information Systems Audit and Control Association): An international professional association focused on IT governance, offering certifications in areas like audit, risk management, privacy, and information security.
- ISC2 (International Information Systems Security Certification Consortium): A non-profit organization specializing in training and certification for cybersecurity professionals, known for the CISSP certification.
- IISP (Institute of Information Security Professionals): A chartered institute dedicated to raising the standard of professionalism in information security.
- BCS (British Computer Society): A broader organization in information technology and computer science, with the ISSG (Information Security Specialist Group) as its specialist sub-group. They offer the CISMP certification.
- Other bodies, such as EC-Council, provide certifications in specific areas like the Certified Ethical Hacker qualification.

Maintaining memberships and certifications, staying updated on changes in laws and regulations, conducting audits and compliance checks, and monitoring advisory changes are important for businesses and staff.

Relevant industry certifications and academic qualifications (e.g., degree-level programs in information and cybersecurity) contribute to skilled and motivated staff.

Question 37

Q

Which professional body is known for its focus on IT governance and offers certifications in audit, risk management, privacy, and information security?

A) ISSA

B) ISACA

C) ISC2

D) IISP

Answer

A

B) ISACA.

ISACA stands for Information Systems Audit and Control Association

ISACA is an international professional association focused on IT governance and offers certifications in various areas including audit, risk management, privacy, and information security.

Question 38

Q

Which professional organization specializes in training and certification for cybersecurity professionals, and is best known for the CISSP certification?

A) ISSA - International Systems Security Association

B) ISACA - Information Systems Audit and Control Association

C) ISC2 - International Information Systems Security Certification Consortium

D) IISP - Institute of Information Security Professionals

Answer

A

C) ISC2 - International Information Systems Security Certification Consortium.

ISC2 specializes in training and certification for cybersecurity professionals, and they are well-known for offering the CISSP (Certified Information Systems Security Professional) certification.

Question 39

Q

Documentation

Answer

A

Documentation is a key responsibility of the information security manager.
The documentation set includes: policies, standards, procedures, and guidelines.

Policies provide high-level guidance and establish the organization’s approach to information security.
Standards define specific requirements and specifications that must be followed.
Procedures outline step-by-step instructions for performing specific tasks related to information security.
Guidelines offer recommendations and best practices for implementing security measures.

The documentation set ensures adherence to policies and procedures and helps employees understand their information security obligations.

Question 40

Q

Which document provides step-by-step instructions for performing specific tasks related to information security?

A) Policies

B) Standards

C) Procedures

D) Guidelines

Answer

A

C) Procedures

Procedures are the documents that outline detailed instructions or steps to be followed when carrying out specific tasks related to information security. They provide specific guidance on how to perform actions in a consistent and secure manner.

Question 41

Q

Which document sets the overarching principles and expectations for information security within an organization?

A) Policies

B) Standards

C) Procedures

D) Guidelines

Answer

A

A) Policies

Policies are high-level documents that establish the overall principles, rules, and expectations for information security within an organization. They outline the goals, objectives, and acceptable behaviours related to information security and serve as a foundation for developing more detailed standards, procedures, and guidelines.

Question 42

Q

Policies

Answer

A

Policies are at the top of the information hierarchy in an information security framework.

The most important policy is the Information Security Policy, which sets the business approach to information assurance.

Characteristics of an Information Security Policy:
- Brief high-level guidance
- States the business objectives towards security
- Demonstrates senior management commitment to security
- Written in plain language and clear to understand
- Provides the mandate for the security function
- Serves as the umbrella for other policies
- Should be read and understood by all employees

Other specific policies may include:
- Acceptable use policy (AUP)
- Email policy
- Remote workers policy
- Password policy
- Privacy policy

Each policy covers a specific mandate, and there should be a limited number of policies, typically not more than a couple of dozen.
All other documents should be linked back to a policy.
Policies are mandatory documents that must be followed and serve as the “law” in terms of information security.

Question 43

Q

Which of the following characteristics should an Information Security Policy possess?

A) Detailed instructions on implementing security controls

B) A statement of intent and high-level guidance

C) Technical specifications for network infrastructure

D) Guidelines for incident response procedures

Answer

A

B) A statement of intent and high-level guidance.

The Information Security Policy is designed to provide a broad overview and direction for information security within an organization, outlining the business objectives and demonstrating senior management commitment to security. It provides high-level guidance rather than detailed instructions or technical specifications.

Question 44

Q

Which type of policy specifically outlines the rules and guidelines for the appropriate use of organization’s computer systems and networks?

A) Information Security Policy

B) Acceptable Use Policy

C) Password Policy

D) Privacy Policy

Answer

A

B) Acceptable Use Policy.

It specifically focuses on defining the acceptable and unacceptable use of an organization’s computer systems and networks by its employees and other authorized users. Well done!

Question 45

Q

Standards

Answer

A

Standards compliments policies and provide more prescriptive controls.
- Internal standards are derived from industry best practices and guide specific control implementation.
- External standards come from outside organizations and the business may choose to comply with them.
- ISO 27001 is an example of an external standard for Information Security Management System (ISMS).
- Internal standards can be verified through internal audits, while external standards require third-party audits.
- Compliance with external standards promotes information security commitment to customers and investors.

Question 46

Q

Which of the following statements about standards is true?

A) Internal standards are derived from external organizations.

B) External standards require internal audits for verification.

C) ISO 27001 is an example of an internal standard.

D) Compliance with external standards promotes information security commitment.

Answer

A

D) Compliance with external standards promotes information security commitment.

External standards, such as ISO 27001, provide a recognized framework for information security management and demonstrate a commitment to maintaining a robust security posture.

Question 47

Q

Procedures

Answer

A

Procedures are Step-by-step instructions for carrying out processes within the business.

Procedures ensure the correct implementation of policies and standards.
Non-compliance with procedures can have adverse implications for the business.
Procedures, like policies and standards, are mandatory.

Question 48

Q

Which of the following statements is true regarding procedures in an organization’s information security framework?

A) Procedures are optional and can be bypassed if needed.

B) Procedures provide high-level guidance and are not mandatory.

C) Procedures outline step-by-step instructions for carrying out processes.

D) Procedures are only applicable to technical aspects of information security.

Answer

A

C) Procedures outline step-by-step instructions for carrying out processes.

Procedures provide detailed instructions on how to perform specific tasks or processes within an organization, ensuring that they are carried out consistently and in the correct manner.

Question 49

Q

Guidelines / Documentations

Answer

A

Guidelines: Discretionary information on how something could be achieved based on industry best practice.

Characteristics of Documentation:
- Clearly written and concise.
- Endorsed by senior management.
- Clearly defined ownership.
- Realistic and gain support from employees.
- Consistent and unambiguous.
- Compliant with legal and regulatory requirements.
- Enforceable with mechanisms for enforcement and due
process.
- Subject to periodic review to ensure relevance and legality.

Documentation with Third Parties:
- Ensure third parties conform to information security measures.
- Contracts should contain strong language regarding security requirements.
- Establish compatibility of third-party processes and procedures.
- Consider relevant certifications and accreditations.
- Ability to audit and monitor third parties.
- Notification of internal incidents by third parties.
- Evaluation of checks and recruitment processes used by third parties.

Note: Documentation plays a crucial role in establishing and maintaining information security practices within an organization, and proper management of documentation is essential to ensure compliance and effectiveness. Regular review and collaboration with third parties are necessary to mitigate risks associated with the supply chain.

Question 50

Q

Which of the following characteristics best describes guidelines in the context of information security documentation?

A) Mandatory and must be followed strictly.

B) Prescriptive controls derived from industry best practice.

C) Step-by-step instructions for carrying out processes.

D) Discretionary information on how something could be achieved.

Answer

A

D) Discretionary information on how something could be achieved.

Guidelines in the context of information security documentation provide recommendations or suggestions on how to achieve certain goals or objectives, but they are not mandatory like policies, standards, and procedures.

Question 51

Q

Which of the following statements accurately describes the role of guidelines in information security documentation?

A) Guidelines are mandatory documents that must be followed by all employees.

B) Guidelines provide step-by-step instructions on how to carry out specific processes.

C) Guidelines are prescriptive controls that must be implemented to ensure compliance.

D) Guidelines offer discretionary information on how something could be achieved.

Answer

A

D) Guidelines offer discretionary information on how something could be achieved.

Guidelines provide suggestions, recommendations, or best practices on how to accomplish a task or objective, but they are not mandatory and allow for flexibility in implementation. Well done!

Question 52

Q

End User Code of Practice and Acceptable Use Policy

Answer

A

The Acceptable Use Policy is a document that outlines what is considered acceptable when using company assets and resources, including guidelines for Internet and email usage.

The policy applies to employees, third-party contractors, and visitors who utilize company resources.
The Acceptable Use Policy is part of a broader code of practice that defines the expectations of the business regarding end-user conduct, both within the workplace and remotely.
The code of practice may also include an ethics statement, demonstrating senior management’s commitment to ethical behaviour and the company’s ethical business practices.
Awareness training programs can be used to reinforce the principles and guidelines outlined in the code of practice and the acceptable use policy.
These documents play a crucial role in promoting responsible and ethical behaviour among end-users and ensuring the proper use of company resources.

Remember to review and understand the specific requirements and guidelines set forth in the Acceptable Use Policy and the code of practice to align your actions with the expectations of the organization and promote a secure and ethical work environment.

Question 53

Q

Which of the following best describes the purpose of an end user code of practice and acceptable use policy?

A) To establish guidelines for senior management’s ethical behaviour
.
B) To outline the responsibilities of employees in managing company resources.

C) To define the requirements for network infrastructure and security measures.

D) To provide training programs for end users on IT best practices.

Answer

A

B) To outline the responsibilities of employees in managing company resources.

The end user code of practice and acceptable use policy define the expected behaviour and guidelines for employees, contractors, and visitors when using company assets and resources. It helps ensure responsible and secure use of these resources. Well done!

Question 54

Q

Which of the following is a key purpose of an Acceptable Use Policy (AUP)?

A) Providing guidelines for senior management’s ethical behaviour

B) Defining the acceptable standards of conduct for end users

C) Outlining the technical specifications for company resources

D) Establishing the network infrastructure for remote access

Answer

A

B) Defining the acceptable standards of conduct for end users

An Acceptable Use Policy (AUP) is a document that defines the acceptable standards of conduct for end users when using company assets and resources. It outlines the rules and guidelines for appropriate and responsible use of technology within the organization. Well done!

Question 55

Q

Policy Violations

Answer

A

Employees may occasionally break policy, and it is essential for the organization to be prepared to enforce it.

There should be documented processes in place for reporting and handling policy violations consistently.
These processes should be agreed upon with all relevant parties, including business units.

Documentation should also cover:
- Processes for involving law enforcement when necessary.
- Involvement of legal and HR departments to ensure compliance with employee legislation.
- Disciplinary procedures, including the process for termination of employment if required.
- Policies apply to all staff members, regardless of their position within the organization.
- The process for dealing with policy violations should be applied equally from C-level executives to regular users.

Question 56

Q

What is an essential aspect of handling policy violations in an organization?

A) Granting exceptions to employees based on their position within the organization.

B) Consistently enforcing policies regardless of an employee’s position.

C) Ignoring policy violations if they occur at the C-level executive level.

D) Dealing with policy violations informally without involving legal and HR departments.

Answer

A

B) Consistently enforcing policies regardless of an employee’s position.

Policies should apply to all members of staff, regardless of their position within the organization, and the process for dealing with policy violations should be applied equally across the board.

Question 57

Q

What are some important considerations when dealing with policy violations within an organization?

A) Granting exceptions based on employee seniority

B) Applying consistent enforcement regardless of employee position

C) Ignoring minor policy violations to maintain employee morale

D) Allowing policy violations for employees with high performance

Answer

A

B) Applying consistent enforcement regardless of employee position.

It is essential to ensure that policy violations are dealt with consistently and fairly across all levels of the organization, from C-level executives to regular employees. This helps maintain a strong culture of compliance and reinforces the importance of adhering to organizational policies.

Question 58

Q

Policy Review

Answer

A

Policies should undergo regular review and evaluation to ensure their currency, relevance, and effectiveness.

Policy review should occur:
- After a defined time through periodic reviews.
- When there are changes to systems, technologies, working processes, assets (hardware, software, and data), contracts, or legal requirements.
- In response to notifications of new threats and vulnerabilities.
- Following audits or incidents/breaches.
- When there is a lack of compliance with policies, prompting the need for a review.

Reviewing policies helps ensure they align with the evolving business environment, technological advancements, and emerging threats, allowing organizations to maintain robust information security practices.

Question 59

Q

When should policies be reviewed?

A) Only when there are changes to systems and technologies.

B) After a defined time through periodic reviews.

C) Only in response to audits or incidents/breaches.

D) When there is a lack of compliance with policies.

Answer

A

B) After a defined time through periodic reviews.

Policies should be reviewed after a defined time through periodic reviews to ensure they remain current, relevant, and effective. Well done!

Question 60

Q

When should policies be reviewed in response to changes in working processes, systems, or legal requirements?

A) Only after a defined time through periodic reviews.

B) Only when there is a notification of new threats and vulnerabilities.

C) Only as a result of an incident or breach.

D) When there are changes to working processes, systems, or legal requirements.

Answer

A

D) When there are changes to working processes, systems, or legal requirements.

Policies should be reviewed and updated to reflect any changes that may impact their effectiveness or compliance. Well done!

Question 61

Q

Information Security Governance

Answer

A

Governance refers to the oversight of the organization and its security efforts.
- Security governance ensures that policies and standards are reviewed and followed.
- Compliance with current legislation, government regulations, and industry-specific requirements is important.
- Monitoring and oversight of security may be validated and verified by external accreditation bodies.
- Internal and external oversight ensures the accuracy and maintenance of information security claims.
- External reviews can be conducted by organizations such as the British Standards Institution (BSI).

The main activities of governance include review and audit, regular management reviews, and feedback processes.
- Reviews trigger amendments or changes to existing policies when necessary.
- Typical activities in ongoing security review include regular meetings, feedback on incidents, policy amendments, addressing process failures, and agreeing on changes.
- All affected parties are involved or notified during the review process.

Question 62

Q

What is the main purpose of security governance in an organization?

A) Enforcing compliance with internal policies
B) Reviewing and updating security documentation
C) Monitoring and responding to security incidents
D) Ensuring alignment with government regulations

Answer

A

D) Ensuring alignment with government regulations.

Security governance involves ensuring that the organization follows all relevant government regulations, in addition to compliance with internal policies and standards. It includes monitoring and oversight to validate compliance and may involve external accreditation bodies to verify the organization’s adherence to security measures.

Question 63

Q

Which of the following is a key aspect of security governance that ensures compliance with legal and regulatory requirements?

A) Incident response planning
B) Security awareness training
C) Risk assessment and management
D) Monitoring and oversight

Answer

A

D) Monitoring and oversight.

Monitoring and oversight are essential components of security governance to ensure compliance with legal and regulatory requirements. Well done!

Question 64

Q

Audit & Review of Governance

Answer

A

An audit is a comprehensive evaluation conducted by independent experts to assess and verify the compliance, effectiveness, and efficiency of an organization’s processes, systems, and controls.

Reviews may lead to audits of security activities.

Audit process:
- Regular security audits should be conducted.
- Audit should be independent and impartial.
- Audit should cover all aspects, including technology, processes, and people.
- The audit team, whether internal or external, should have the appropriate credentials.

These notes cover the importance of conducting regular security audits, ensuring independence and impartiality in the audit process, and involving the right expertise in the audit team. They highlight the comprehensive nature of audits, covering technology, processes, and people.

Answer 65

A

D) Audits assess the compliance, effectiveness, and efficiency of security activities and processes.

Answer 66

A

D) Independent and impartial evaluation of all aspects including technology, processes, and people.

An effective audit process should be conducted by an independent entity and cover all relevant aspects of security, including technology, processes, and people, without bias or favouritism.

Answer 67

A

Compliance is verified through audits, which assess the organization’s adherence to policies, standards, and procedures.
- Audits have a defined scope and are conducted by internal or external auditors, who may sign non-disclosure agreements.
- Audit findings are documented in a report, which includes non-compliance issues and recommendations for improvement.
- Senior management uses audit reports to assess the effectiveness and cost-efficiency of security investments.
- Contractors and third parties should also meet the same level of compliance as the organization.

Various industry sectors have specific compliance requirements, such as ISO 27000 series, GDPR, PCI-DSS, SOX, and Data Protection Act.

Regular compliance checks and audits ensure that controls are adequate, relevant, and functioning as intended.
- Compliance checks also gauge user understanding and awareness of their responsibilities.

Non-compliance can be attributed to factors like lack of training, understanding, documentation, changes in business processes, or disregard for procedures.
Compliance reporting is important for senior management and regulatory bodies to demonstrate regulatory compliance.
Information to be included in compliance reporting may consist of risk assessment results, risk register, policy reviews, incident and breach reports, and audit reports.

Answer 68

A

B) GDPR.

GDPR stands for General Data Protection Regulation and it specifically addresses privacy and the transfer of personal data to third parties or other jurisdictions. Well done!

Answer 69

A

D) SOX.

Sarbanes Oxley (SOX) is an industry standard that deals with the financial oversight of publicly listed corporations. It focuses on ensuring the accuracy and reliability of financial reporting and includes provisions for internal controls and audit requirements.

Answer 70

A

PDCA stands for Plan, Do, Check, Act, which is a model based on continuous improvement.

PDCA is also known as the Deming Cycle and is frequently mentioned in relation to information security management.

The PDCA cycle consists of four steps:

-Plan: Establish objectives and processes required to achieve desired results or goals.
-Do: Implement the plan and execute the processes.
-Check: Study the results and compare them with the expected outcomes.
-Act: Analyse any differences between the actual and expected results, determine the root causes, and propose corrective actions.

PDCA is a repetitive cycle that supports continuous improvement in managing tasks such as network management, risk management, and control implementation.

Remember that PDCA is a structured approach that helps organizations achieve their objectives and continuously improve their processes and outcomes.

Answer 71

A

C) Check.

In the PDCA cycle, the Check step involves studying the results and comparing them with the expected outcomes to assess whether the objectives and processes are being achieved as planned. Well done!

Answer 72

A

A) Plan.

In the PDCA cycle, the “Plan” step involves establishing the objectives and processes necessary to deliver the expected results. Well done!

Answer 73

A

Information security framework is part of the long-term strategy of a business. The framework is based on implementing formal control processes for understanding and managing risk.

The key steps in implementing the framework include:
- Understanding risk and establishing risk acceptance levels.
- Identifying controls to reduce risk to acceptable levels.
- Implementing security controls.
- Monitoring the effectiveness of controls.
- Periodically re-evaluating risk.
- Continually improving the process.

Businesses typically work with three timelines: strategic, tactical, and operational.
- An information security framework is a long-term endeavour and is not achieved quickly.
- Pursuing ISO 27001 accreditation, for example, takes time and effort.

Key concepts:
- Long-term strategy
- Risk management
- Control processes
- Monitoring and evaluation
- Continual improvement
- ISO 27001 accreditation

Remember to understand the importance of a long-term approach, risk management, and the various steps involved in implementing an information security framework.

Answer 74

A

D) Periodically re-evaluating risk and continually improving the process

Periodically re-evaluating risk and continually improving the process is a key step in implementing an information security framework. It ensures that the framework remains effective and aligned with the changing risk landscape and business requirements.

Answer 75

A

D) Identifying controls for reducing risk to acceptable levels.

Implementing an information security framework involves identifying and implementing appropriate controls to mitigate risks and ensure the security of the organization’s information assets.

Answer 76

A

Stages of the implementation process:
- Look at the current state: Assess the existing baseline and determine the current situation.
- Define the desired state: Identify the goals and objectives of the information security framework.
- Gap analysis: Analyse the gaps between the current state and the desired state to identify necessary actions.
- Timeline: Determine the estimated time required for implementation.
- Budget: Assess the financial resources needed for the implementation.
- Stages of implementation: Break down the implementation process into milestones and staging points.
- Post-implementation review: Evaluate the effectiveness of the implemented framework.
Implementation project requirements:
- Comprehensive planning: Develop a detailed plan that outlines the steps and activities required for implementation.
- Budget: Allocate sufficient financial resources to support the implementation project.
- Resources: Identify the necessary personnel and technologies needed for successful implementation.
- Priorities: Determine the order of tasks based on their importance and dependencies.
- Realism: Ensure that the goals, budget, and timelines set for the project are achievable.
Risk reduction as the primary goal:
- Information security frameworks aim to reduce risks associated with the organization’s assets.
- Effective risk management, including identification, analysis, and treatment, is crucial for the success of the framework.
Stakeholder involvement and communication:
- Projects require input and communication from all stakeholders.
- Identification of interested parties is essential to ensure their involvement and engagement.
- The project manager should manage stakeholder expectations and clarify deliverables to avoid misconceptions.

Remember to review these concepts thoroughly, understanding the stages of implementation, project requirements, risk reduction, and stakeholder involvement.

Answer 77

A

A) To analyse the gaps between the current state and the desired state.

During the gap analysis stage of implementation, the focus is on identifying the gaps or discrepancies between the current state of the organization’s security practices and the desired state as defined by the information security framework. This analysis helps in understanding what needs to be done to bridge those gaps and align the organization with the desired security objectives.

Answer 78

A

Characteristics of a successful plan for information assurance:
- Realistic and achievable
- Addresses the needs of the business
- Reaches its objectives within agreed timescales
- Provides a return on investment (value for money)
Selling the benefits of security and a framework:
- Tailor benefits for individual stakeholders
- Dispel the myth that security hinders the business
- Use language that relates to business interests (e.g., growth, resilience, return on investment, total cost of ownership)
- Present both the positives and negatives of the security framework
Integration of security with the business:
- Security is not a stand-alone entity but an integral part of the business
- Security supports the business in achieving its goals and objectives
Technology and security architecture:
- Choose technologies that satisfy control requirements without being unmanageable or ineffective
- Translate policy into technology through a security architecture
- Use security domains to group objects under a single area of responsibility
- Ensure controls and devices work in harmony with each other
Other types of risk in the business:
- Financial risk
- Technical risk
- Operational risk
- Health and safety risk
Managing implementation:
- Establish a steering committee to track the success of the program and address any issues
- Regularly review the project plan to assess progress and address scope creep
- Report project progress to the program sponsor, stakeholders, and senior management

Make sure to review these points and understand the concepts related to planning, selling the benefits, integration, technology, risk management, and project management in the context of implementing an information security framework.

Answer 79

A

D) Realistic and achievable, addresses business needs, reaches objectives within agreed timescales, and provides a return on investment.

A successful plan for information assurance is realistic and achievable, addresses the needs of the business, reaches its objectives within agreed timescales, and provides a return on investment. Well done!

Answer 80

A

B) Tailoring benefits to individual stakeholder requirements.

When selling the benefits of a security program, it is important to understand the needs and expectations of different stakeholders and communicate the advantages of the program in a way that resonates with them individually. This approach increases the chances of gaining their support and buy-in.

Answer 81

A

Incident management is an integral part of an information security framework.
- Incidents are inevitable and can have adverse impacts on business operations.
- Incident refers to an event that disrupts the normal functioning of the business.
- Incidents can take various forms, such as physical security breaches, malicious software, data breaches, denial of service attacks, and criminal activities.
- Planning for incidents and having appropriate response plans is crucial.
- Incident response plans should address both accidental and deliberate incidents.
- Forensic investigation may be required as part of incident response to gather evidence.
- An incident response plan should be established proactively, before any incidents occur.

Answer 82

A

C) An event that disrupts the normal functioning of the business.

In the context of information security, an incident refers to an event that has an adverse impact on the operation of the business, such as a security breach, data breach, physical security breach, or denial of service attack. These incidents disrupt the normal functioning of the business and require appropriate management and response.

Answer 83

A

C) Planning and preparing for incidents in advance.

Incident management involves having predefined procedures, protocols, and plans in place to effectively respond to and manage incidents when they occur. By planning and preparing in advance, organizations can minimize the impact of incidents and mitigate risks effectively.

Answer 84

A

Incident Management Process:
- The incident management process consists of several steps, which may vary in the number and title of the steps.
- The BCS (British Computer Society) highlights the following steps: Reporting, Investigation, Assessment, Corrective Action, and Review.
Reporting:
- The first stage is recognizing and reporting an incident.
- Incidents can be reported by users, system alarms, or through a centralized reporting system like SIEM.
- Basic information should be collected, including the reporter’s details, timing, description, impact on business operations, and any actions taken.
Investigation:
- Containment is an essential step to prevent the incident from spreading or worsening.
- Containment measures mitigate the severity and impact of the incident.
- Typical containment activities include isolating affected workstations or removing infected servers from the network.
- Investigation involves gathering information about the incident’s cause and, in some cases, conducting forensic investigations for legal purposes.
Corrective Action:
- Corrective action focuses on removing the problem and addressing the root cause to prevent reoccurrence.
- It may involve replacing failed components, reloading software, applying patches, and restoring systems to working status.
- Recovery includes restoring backup data and conducting thorough testing before returning systems to operational service.
Review:
- The post-incident review aims to learn from the incident and the response process.
- It evaluates the appropriateness of the response, adequacy of responder training and equipment, identification of root causes, and necessary changes for future improvement.
- Actions are assigned based on the review, and follow-up ensures their completion.
Incident Response Capability:
- Effective incident response requires preparation, including the formation of an incident response team.
- The team should have defined roles, preparedness, and contact availability when needed.
- Permanent team members or co-opted members may be involved.
Involvement of Law Enforcement:
- In some cases, involving law enforcement may be necessary, especially if criminal activity is suspected.
- Close cooperation is crucial, as priorities between law enforcement and business recovery may conflict.

Admissibility of evidence is important, and evidence should be collected, stored, and maintained within legal frameworks to ensure integrity and avoid misuse offenses.

Answer 85

A

C) Containment

The BCS (British Computer Society) highlights the following steps: Reporting, Investigation, Assessment, Corrective Action, and Review.

Answer 86

A

D) To evaluate the effectiveness of the incident response and identify areas for improvement

The purpose of the “Review” stage in the incident management process is to evaluate the effectiveness of the incident response and identify areas for improvement. It involves analysing the incident, assessing the response actions taken, and determining if any changes or enhancements are needed to prevent similar incidents in the future.

Answer 87

A

Corporate Governance: A business must operate within legal and regulatory frameworks based on the jurisdiction it operates in.
Compliance with Laws: Maintaining information security also requires adherence to legal compliance. It is essential to understand and comply with the laws of the countries where the business operates.
Global Nature of Information Technology: Information technology operates globally, but different countries have different rules and regulations regarding areas such as cryptography, privacy, and intellectual property.
Privacy Issues: Privacy regulations vary across jurisdictions, and businesses must ensure compliance with laws related to the protection of personal data.
Intellectual Property: Intellectual property rules can differ, and businesses need to understand and respect the laws governing copyrights, trademarks, patents, and trade secrets.
Cryptography and Digital Signatures: The use of cryptography and digital signatures may be subject to specific regulations or restrictions, and businesses should be aware of the legal requirements.
Forensic Evidence Collection: Collecting and handling forensic evidence must be done in accordance with legal procedures to ensure its admissibility in court.
Data Retention: Laws and regulations govern the retention of data, specifying the duration and requirements for storing certain types of information.
Computer Misuse: Laws related to computer misuse address unauthorized access, hacking, malware distribution, and other illegal activities involving computer systems.
Employee Rights: Legal frameworks also cover employee rights in the context of information security, ensuring fair treatment, privacy, and protection against discrimination.

Issues that may change according to jurisdiction may include:
 privacy issues with personal data
 intellectual property rules
 use of cryptography, digital signatures
 collection of forensic evidence
 retention of data
 computer misuse
 employee rights

Answer 88

A

C) Privacy issues with personal data.

Privacy regulations and requirements can vary from one jurisdiction to another, so organizations need to ensure they comply with the specific privacy laws and regulations applicable in the regions where they operate. Well done!

Answer 89

A

D) Trademarks and patents.

Intellectual property refers to creations of the mind, such as inventions, artistic works, designs, symbols, and names used in commerce. Trademarks and patents are specific types of intellectual property that are protected by legal frameworks to prevent unauthorized use or copying.

Answer 90

A

Legal systems vary from country to country. The UK and US base their legal system on common law, while many other countries use a codified legal system.

The law is split into several areas, including criminal law, civil law, and regulatory law.

*Criminal law involves breaking the law and can lead to punishments such as fines or imprisonment.

*Civil law covers cases like libel, breach of contract, and the punishment is often financial.

*Regulatory law involves bodies that have the power to penalize organizations for failures and breaches.

The European Union (EU) has its own laws, and member countries align their laws within that framework.
The US legal system has federal law, which is integrated into state laws, and different states can have their own laws.
A UK company operating globally needs awareness of European law, US law, and other relevant jurisdictions.
Privacy laws have become crucial, with the implementation of GDPR in the EU.
GDPR enshrines data protection regulations and applies to EU member states, including the UK.
The US has individual privacy regulations based on specific requirements, such as HIPAA in the healthcare industry.
Transferring personal data of EU citizens to the US requires mechanisms like Standard Contractual Clauses.
Some countries have data protection laws compatible with GDPR, but the US is not currently on the list of equivalent countries.

Answer 91

A

C) Common law

In the context of UK and international law, common law refers to a legal system based on the law of precedence. It is predominantly a jury-based system, where decisions and interpretations of the law are influenced by previous court rulings. Under common law, judges have the authority to make legal decisions and set legal precedents that other courts can follow in similar cases.

Answer 92

A

C) GDPR (General Data Protection Regulation).

GDPR is a regulation that was implemented by the European Union to protect the personal data and privacy of individuals within the EU. It establishes guidelines for the collection, processing, and storage of personal data by organizations. GDPR imposes strict requirements on organizations, including the need to obtain explicit consent for data processing, the right to access and delete personal data, and the obligation to implement appropriate security measures. It applies to all EU member states and has extraterritorial reach, meaning that it also applies to organizations outside the EU that handle the personal data of EU citizens.

Answer 93

A

B) HIPAA (Health Insurance Portability and Accountability Act).

HIPAA is a regulation in the United States that sets standards for protecting sensitive patient health information, ensuring its privacy and security. It applies to entities such as healthcare providers, health plans, and healthcare clearinghouses, as well as their business associates. The primary goal of HIPAA is to safeguard the confidentiality, integrity, and availability of protected health information (PHI) while allowing for the necessary exchange of healthcare data.

Answer 94

A

Lawfulness, fairness, and transparency:
- Personal data must be processed lawfully, fairly, and transparently.
- Organizations must specify the purpose of collecting personal data and how they intend to use it.
Purpose limitation:
- Personal data should be collected for a specific and legitimate purpose.
- It should not be further processed in a way that is incompatible with the original purpose.
Data minimization:
- Only collect data that is relevant and necessary for the intended purpose.
Accuracy:
- Personal data should be accurate and kept up to date.
- Organizations should maintain data accuracy and correct any inaccuracies when necessary.
Storage limitation:
- Personal data should be retained for no longer than necessary for the stated purpose.
- Data should not be kept beyond its intended use.
Security:
- Personal data must be processed in a manner that ensures its integrity and confidentiality.
- Appropriate security measures should be in place to prevent unauthorized access.
Accountability:
- The data controller is responsible for the data while it is in their possession.
- Organizations should demonstrate their compliance with privacy principles.

Additional Tenets:

Data security:
- Companies must handle data securely and implement appropriate technical measures.
Data processing:
- GDPR sets specific instances when it is legal to process user data.
Consent:
- Strict rules exist for notifying users when their data is being collected.
Personal privacy:
- GDPR provides privacy rights for data subjects, including the right to be informed, access, rectify, and obtain data.
- The right to be forgotten allows for the removal of personal data.

Employee Rights:

Employees have a reasonable expectation of privacy in the workplace, unless they have waived those rights.
Companies should have a published privacy policy accessible to all staff.
Monitoring activities should be communicated and employees must consent to such monitoring.
Regulation of Investigatory Powers Act (RIPA) allows lawful interception by authorized parties such as security services and law enforcement.

Note: GDPR and other privacy regulations cover both electronic and paper records.

Answer 95

A

A) Security.

The principle of security states that personal data should be processed in a manner that ensures appropriate security, integrity, and confidentiality of the data. This means implementing measures to protect the data from unauthorized access, disclosure, alteration, or destruction. Security measures may include encryption, access controls, secure storage, and regular security assessments.

Answer 96

A

B) Purpose limitation.

The principle of purpose limitation states that personal data should be collected for a specific and legitimate purpose and should not be further processed in a manner that is incompatible with those purposes. Data minimization (option C) refers to collecting only the necessary and relevant data, while purpose limitation specifically focuses on the purposes of data processing.

Answer 97

A

C) Security

The principle that emphasizes the importance of handling personal data securely and implementing appropriate technical measures is the principle of “Security.” Well done!

Answer 98

A

Computer Misuse Act 1990 (UK):
- Unauthorized access to a computer: Breaking into computers, hacking, and misuse without authority.
- Unauthorised access with intent to facilitate a further offence: Breaking in and using the computer as a platform for other illegal activities.
- Unauthorised modification of computer material: Tampering with data.
- Possession of access tokens: Possessing lists of usernames and passwords.
Computer-based crimes examples:
- Hacking: Unauthorized access to computer systems.
- Fraud: Deceptive practices involving computer systems.
- Theft of intellectual property: Unauthorized acquisition or use of protected information.
- Copyright infringement: Violation of copyright laws.
- Illegal downloads: Unauthorized downloading or sharing of copyrighted material.
- Interference of communications as denial of service: Disrupting or blocking communication services.
Computer misuse legislation in other countries:
- Germany: Penal Code 202 & 303.
- Netherlands: Dutch Criminal Code section 138a, 139.
- Belgium: Cyber Security Act 2019.
- United States: Penal Code 18 covers unauthorized access, wiretapping, fraud, etc.

Answer 99

A

C) Gaining unauthorized access to a computer system with the intention to steal sensitive data.

Gaining unauthorized access to a computer system with the intention to steal sensitive data is considered a violation of the Computer Misuse Act 1990 in the UK. This act prohibits unauthorized access, hacking, and misuse of computer systems without authority

Answer 100

A

A) Identity theft

Answer 101

A

A) Unauthorized access to a computer system.

This is considered an offense under computer misuse legislation, as it involves accessing a computer system without proper authorization or permission.

Answer 102

A

Data retention is governed by local regulations and varies based on industry and business requirements.
Companies should have a data retention policy that addresses both legal requirements and business needs.
The data retention policy should specify:
a. What data is to be retained.
b. How the data should be stored and secured.
c. The designated retention period for each type of data.
d. Access controls and permissions for data handling.
e. Review and update procedures for policy compliance.
f. Proper data destruction methods and timelines.
Data retention may be required for compliance with industry-specific regulations such as financial record-keeping or customer information retention.
Businesses should ensure that their data retention decisions align with legal obligations and other relevant requirements.
Regular reviews of the data retention policy should be conducted to incorporate any changes in regulations or business needs.
Secure data disposal methods should be employed when it is time to destroy the retained data.
Data retention policies contribute to regulatory compliance, risk management, and protection of sensitive information.

Answer 103

A

C) Legal requirements and industry regulations.

When defining a data retention policy, it is crucial to consider the legal requirements and regulations specific to the industry in which the company operates. Compliance with applicable laws ensures that the company retains data for the required duration and avoids any legal consequences.

Answer 104

A

D) The sensitivity and classification of the data.

When implementing a data retention policy, it is important to consider the sensitivity and classification of the data. Different types of data may have different retention requirements based on their sensitivity and the legal or regulatory obligations associated with them. By considering the sensitivity and classification of the data, organizations can ensure that appropriate retention periods and security measures are applied to protect the data effectively.

Answer 105

A

Intellectual Property:
- Intellectual property refers to valuable assets held by businesses, and it needs to be protected.
- Mechanisms for legal protection of data within businesses include copyright, trademark, trade secrets, and patents.

Copyright:
- Copyright provides protection for various works such as literary works, software, music, and pictures.
- It grants the creator/owner exclusive rights to the work and allows them to take legal action against unauthorized copying or usage.
- In the UK, copyright protection lasts for the life of the owner plus seventy years after their death.

Trademark:
- Trademarks protect brands and distinctive signs that identify products or organizations.
- Examples include logos like the golden arches of McDonald’s or the Nike tick.
- Trademarks help prevent others from using similar signs that may cause confusion or dilute the brand’s distinctiveness.

Trade Secrets:
- Trade secrets refer to confidential information that gives a competitive advantage to a business.
- Examples include secret recipes or unique manufacturing processes.
- Protecting trade secrets involves keeping the information confidential and taking legal action against unauthorized disclosure or use.

Patents:
- Patents are granted for inventions, products, or processes that are registered with the local patent office.
- They provide exclusive rights to the inventor for a specific period, typically ten to twenty years.
- Patents prevent others from making, using, or selling the patented invention without permission.

Note: Each form of intellectual property has its own legal requirements and duration of protection. Understanding and safeguarding intellectual property is crucial for businesses to maintain their competitive advantage and protect their assets.

Answer 106

A

C) Trade secrets.

Trade secrets protect confidential information that gives a business a competitive edge, such as formulas, processes, customer lists, or other valuable proprietary information. Well done!

Answer 107

A

B) Trademark.

Trademarks are specifically designed to protect the visual identification of a product or organization, such as logos, symbols, or specific designs that help distinguish a brand from others in the market.

Answer 108

A

Definition: A contract is a legal agreement between two or more parties, covering various aspects of business relationships and obligations.
Types of Contracts: Contracts can include employment contracts, agreements with third-party suppliers, outsourcing contracts, and more.
Employment Contracts: An employment contract establishes the terms and conditions of employment, including job description, roles, responsibilities, and potential consequences for breaching the contract.
Outsourcing Contracts: Many businesses outsource certain functions to third-party suppliers. These contracts should include a Service Level Agreement (SLA) that outlines the expected level of service from the supplier.
Information Security Considerations: When dealing with third-party suppliers, it is crucial to ensure they have appropriate assurance measures in place to protect information and maintain secure processes.
Contract Specifics: Contracts may include provisions such as the need for non-disclosure agreements (NDAs) for third-party staff, background checks or vetting of personnel, the ability to audit suppliers, regular contract and performance reviews, clear contractual language, robust SLAs, and penalty clauses for breaches.
Liability: Contracts define the responsibilities and liabilities of each party involved, clarifying who is liable for what actions or failures.

Remember to review and understand contract terms, ensure compliance, and consider the implications of contractual agreements with third-party suppliers.

Answer 109

A

B) Duration of the contract and payment terms.

Answer 110

A

C) To ensure that sensitive information shared between the parties remains confidential.

Including a confidentiality clause in a contract helps protect the sensitive information exchanged between the parties involved. It establishes the obligation for both parties to maintain the confidentiality of any proprietary or confidential information disclosed during the course of their business relationship. This clause helps safeguard trade secrets, customer data, intellectual property, and other confidential information from unauthorized disclosure or misuse.

Answer 111

A

National and international standards are produced by professional industry bodies and are voluntarily adopted by businesses.

ISO (International Organisation for Standardisation) is the largest and most well-known organization that develops standards.
ISO has published over 20,000 standards covering various aspects of business, and collaboration takes place with over 160 countries.
ISO standards are usually reviewed every five years, and the year of revision is indicated (e.g., ISO 27001:2013).
ISO 27001 is the best-known standard in information security and specifies the requirements for an Information Security Management System (ISMS).
ISO 27002 provides implementation guidance for ISO 27001.
ISO 27001 is mandatory, while ISO 27002 is advisory.
ISO 27000 is the umbrella for a family of standards related to information security, including ISO 27007 on the audit process for ISO 27001.
To achieve ISO 27001 accreditation, a business needs to be audited by a qualified and independent third party.
The Information Security Forum (ISF) is another international body that provides the ISF Standard on Good Practice for information security and risk management.
The ISF Standard on Good Practice focuses on establishing security governance and understanding security requirements.
Other relevant standards include ITIL for service delivery and management, ISO 22301 for business continuity, and COBIT for information technology control objectives.

Answer 112

A

C) ISO (International Organisation for Standardisation).

ISO is responsible for developing a wide range of standards, including ISO 27001 for Information Security Management System.

Answer 113

A

A) ISF (Information Security Forum)

The international organization that provides a standard on good practice for information security and risk management is the Information Security Forum (ISF). Well done!

Answer 114

A

Product certification ensures that hardware and software conform to safety requirements, security requirements, technical specifications, and compliance regulations.

The Common Criteria is a multi-country collaboration that defines standards of functionality and security for product certification.
The Common Criteria is embodied in the standard ISO 15408 and has replaced many different national systems.
The evaluation process in the Common Criteria is based on Evaluation Assurance Levels (EAL), which range from EAL 1 to EAL 7.
EAL 1 covers pure functionality, while EAL 7 involves formal design review and thorough testing.
Most modern operating systems and firewalls are accredited at EAL 4 or 5.

Answer 115

A

A) EAL 7.

EAL 7 represents the highest level of evaluation in the Common Criteria for product certification. It involves formal design review and testing, indicating a more thorough evaluation process. EAL 1 represents the lowest level, focusing on pure functionality, while EAL 4 is a commonly accredited level for modern operating systems and firewalls. ISO 15408 is the standard that embodies the Common Criteria.

Answer 116

A

EAL Levels:
- EAL 1: Functionally tested.
- EAL 2: Structurally tested.
- EAL 3: Methodically tested and checked.
- EAL 4: Methodically designed, tested, and reviewed.
- EAL 5: Semi-formally designed and tested.
- EAL 6: Semi-formally verified design and tested.
- EAL 7: Formally verified design and tested.
Evaluation Process:
- The product is submitted by the manufacturer for evaluation to a third-party organization.
- Evaluation is conducted over a considerable period of time.
- Third-party organizations, such as Microsoft and others, perform the evaluation.
Common Criteria Terminology:
- EAL: Evaluation Assurance Level represents the level of assurance or security provided by the product.

PP: Protection Profile defines the security requirements for a specific type of device, such as a router, firewall, or operating system.
ToE: Target of Evaluation refers to the specific type of device or system being evaluated, such as a packet filter or multi-layer firewall.
ST: Security Target describes the specific features of the product that need to be evaluated.

Note: The Common Criteria is a multi-country collaboration that establishes standards of functionality and security for products. ISO 15408 is the standard that embodies the Common Criteria.

Answer 117

A

D) EAL 7.

EAL 7 involves formally verified design and testing.

Answer 118

A

D) EAL 4

EAL 4 involves methodical design, testing, and review of the product. EAL 1 is functionally tested, EAL 3 is methodically tested and checked, and EAL 5 is semi-formally designed and tested. EAL 4 is a higher level that includes comprehensive design, testing, and review processes.

Answer 119

A

B) EAL 3

EAL 3: Methodically tested and checked.

Answer 120

A

IETF (Internet Engineering Task Force): Develops and promotes standards for the Internet. The standards are documented in RFCs (Request for Comment), which cover various aspects of Internet protocols and technologies.
ITU (International Telecommunications Union): Responsible for technical specifications in information and communications technologies. ITU-T deals with telecommunications and defines standards using numerical titles, such as X.500 for Directory Services and X.509 for Digital Certificates.
NIST (National Institute of Standards and Technology): American non-regulatory body that provides guidance and best practices for information security. NIST SP-800 series includes a range of documents covering different aspects of information security, such as SP800-37 for Risk Management and SP-800-53 for security controls.
ENISA (European Union Agency for Network and Information Security): Dedicated to promoting cybersecurity across Europe. Works with member states and EU institutions to develop network and information security practices and address security issues.

These bodies and their standards play a crucial role in defining technical specifications, protocols, and security practices for various aspects of information and communication technologies.

Answer 121

A

A) IETF (Internet Engineering Task Force)

-IETF (Internet Engineering Task Force): Develops and promotes standards for the Internet. The standards are documented in RFCs (Request for Comment), which cover various aspects of Internet protocols and technologies.

Answer 122

A

A) ITU (International Telecommunications Union)

ITU (International Telecommunications Union): Responsible for technical specifications in information and communications technologies. ITU-T deals with telecommunications and defines standards using numerical titles, such as X.500 for Directory Services and X.509 for Digital Certificates.

Answer 123

A

C) NIST.

The National Institute of Standards and Technology (NIST) is an American non-regulatory body that provides guidance and best practices for American commercial organizations. Well done!

Brainscape's Knowledge GenomeTM

Information Security Framework Flashcards

Brainscape's Knowledge Genome^TM