Information Security Management Introduction Flashcards

1
Q

Governance

A

‘The rules that run an organisation, including policies, standards and procedures.’

Governance is about how the business is run. It is about how the organisation is managed, the oversight and accountability required to demonstrate active involvement by management.

2
Q

Corporate Governance

A

Corporate governance is the system and rules that companies must follow to make sure they are run properly and for the right reasons. This includes the way people work together and the rules they need to follow.

3
Q

IT Governance

A

IT governance is a type of corporate governance that concentrates on making sure that the organization uses its IT resources in the most effective and efficient way possible to accomplish its objectives.

4
Q

Information Governance

A

This refers to the guidelines, methods, regulations, and steps that an organization employs to handle information in a uniform way.

5
Q

Security Governance

A

Security governance is a set of procedures that help an organization in defining, supporting, and managing its security efforts, which are linked to information, IT, and corporate governance. The aim is to ensure that the organization meets its needs concerning regulatory compliance, risk management, and operational requirements.

6
Q

Information Assurance

A

Information Assurance is the term usually used when talking about keeping information safe. It means making sure information is used, processed, stored, and sent in a secure way. It also includes taking care of the systems and processes that are used to manage this information.

7
Q

Information Security

A

Information security is all about protecting information and information systems from unauthorised access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.

8
Q

Cyber Security

A

Cyber security is frequently interpreted as being the same as information security but in reality, there is a subtle difference. Cyber security is more about the technology used to secure systems and products rather than governance.

9
Q

The Security Triangle

A

The Security Triangle consists of security, functionality and ease of use.

10
Q

The CIA Triad

A

Information security has three main parts, called Confidentiality, Integrity, and Availability. Think of them like a triangle, with each one being a corner of the triangle.

11
Q

Confidentiality

A

We should only let authorized people see information, and we need to protect it so it doesn’t get shared by accident or on purpose. To make sure information stays confidential, we can use things like encryption or access controls to limit who can see it.

12
Q

Integrity

A

This is about making sure that information is accurate and can be trusted. We don’t want it to be changed without permission, so we use something called integrity controls like hashing or checksums to check if the information has been modified. We can also use access controls to limit who can change the information. The goal is to make sure the information is consistent and reliable.

13
Q

Availability

A

Availability means that information should be easy to get to when we need it. The IT department is responsible for making sure the systems that store information are always working properly. If something goes wrong, like a power outage or a hard drive failure, we might not be able to access the information. Another problem is when hackers try to block access to a website, which is called a Denial-of-Service attack. The goal is to make sure the information is always available and ready to use.

14
Q

Non-repudiation

A

Non-repudiation means that no one can deny doing something because there is proof that it happened. This is important for things like sending emails or ordering goods online. Without non-repudiation, people could deny doing things and it would be difficult to prove otherwise.

15
Q

Authenticity

A

This is about being able to prove where something came from and that the party who sent it cannot deny it. (Proof of origin)
This is closely related to non-repudiation.

16
Q

Assets

A

An asset is something valuable to the organization; it can be physical, like a building, or intangible, like information or reputation. For example, the assets of a business include people, buildings, computer systems, information, reputation, and brand.

17
Q

Threats

A

A potential cause of an incident that may result in harm to a system or organisation.

18
Q

Threat Source

A

Where the threat comes from (the source of the threat).

19
Q

Threat Actor

A

AKA ‘Threat Agent’: the party that carries out the attack.

20
Q

Vulnerability

A

A weakness of an asset or group of assets that can be exploited by one or more threats.

21
Q

Risk

A

The potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organisation.

22
Q

Impact

A

“Impact” is a word used to describe the result of a particular event that affects the goals or objectives of a business. In simpler terms, when a risk becomes a reality, it can have a negative effect on the business and cause problems with operations, customers, or employees.

23
Q

Risk Management

A

To deal with the various risks that come with running a business, we need a plan to manage them. This plan is called a risk management framework. Its job is to help us figure out what controls and processes we need to use to manage the risks. The goal of risk management is to first identify all the risks in the business, analyse them, figure out the best way to deal with each one, apply the chosen solution, and then make sure it works.

24
Q

What are the four stages of Risk Management?

A

Identify (the risks)
Analyse (the risks)
Treat (the risks)
Monitor (for effectiveness)

25
Q

What are some options in treating a risk?

A

Avoidance – stop the activity
Reduction – apply controls to reduce risk
Transfer – typically through insurance
Acceptance – we make a business decision to accept the risk

26
Q

Risk - Avoidance

A

Risk avoidance means deciding not to participate in or withdraw from an activity to avoid a particular risk. By avoiding the activity, we eliminate the possibility of the risk occurring. For example, we might choose not to build a data centre in an earthquake-prone area or not to construct high-value infrastructure in a coastal region where there is a risk of tsunamis. While we are not directly addressing the risk itself, we are making a conscious business decision to avoid it.

27
Q

Risk - Reduction

A

AKA mitigation. Mitigation is a commonly used term in risk management, referring to the actions taken to reduce the probability or negative consequences of a risk. The definition of mitigation is “actions taken to lessen the probability, negative consequences, or both, associated with a risk.” The ultimate goal of mitigation is to reach an acceptable level of risk, which may involve implementing a single control or multiple layers of controls. For instance, using a gas-based suppression system in the server room to extinguish a fire is an example of risk reduction, and strong physical access controls that limit the likelihood of an unauthorized intruder gaining access to a business’s premises are another example of risk reduction.

28
Q

Risk - Transfer

A

This involves distributing an element of risk to another party. This can be done through various means such as insurance policies, outsourcing activities, or sharing responsibilities with suppliers and vendors. By transferring the risk, the responsibility may shift to a third party, but the liability and accountability for the risk remain with the owner. The most common example of risk transfer is insurance, which can protect against financial losses or damage caused by various risks. Cyber insurance is a specific type of insurance that covers risks related to cybersecurity. In summary, risk transfer involves shifting the responsibility for a risk to another party, but the accountability and liability for the risk remain with the owner.

29
Q

Risk - Acceptance

A

‘An informed decision to take a particular risk.’ There are two types of risk acceptance:

  1. Where a risk is identified but, based on the circumstances, the decision is made to accept the risk without taking any further action towards it. This could be because the risk is of very low likelihood but very high impact, and the cost of providing protective measures would be excessive. This would be a business decision made by senior management.
  2. Where a risk is identified, and risk reduction measures are applied through the use of controls to reduce the risk to an acceptable level. However, there is still some residual risk remaining, which is accepted.

30
Q

Identity

A

Identity is a unique characteristic that allows us to tell individuals or resources apart. It helps us keep track of what they are doing, like a username for a person or a process identity for a computer program.

31
Q

Authentication

A

Authentication is a way to confirm that someone or something is who or what they claim to be. It involves checking their identity using credentials such as a username and password or a pre-shared key. This helps to ensure that only authorized individuals or devices can access certain resources or perform certain actions.

32
Q

Authorisation

A

Authorization determines what actions can be taken after a user or device is successfully authenticated. Access controls are used to define what level of access a user or device has. For example, a user may be authorized to read a document but not authorized to modify it.

33
Q

Access Controls

A

Access controls are used to make sure that only authorized individuals or processes can access certain assets based on business and security needs. The authorization policy defines who has access, while access controls determine the level of access, such as read, write, or no access.

34
Q

Accountability

A

Accountability means being responsible for your actions and decisions. It involves keeping a record of activities that can be traced back to the responsible party. All systems have logs that record different activities, and these logs help in attributing actions to an individual or entity. Responsibility can be devolved, but accountability cannot. Even if someone else is responsible for managing an asset, the owner of the asset is still accountable for it.

35
Q

Audit

A

Audit is a review of actions, policies, and procedures to ensure compliance with requirements. It can cover user actions, system processes, policies, and effectiveness of controls. Audits can be conducted internally or externally by an independent body. The audit trail is a record of actions that may have been carried out by a user or individual. External audits can verify compliance with standards such as ISO27001, and compliance audits may go beyond contractual and regulatory requirements to consider legal compliance and privacy.

36
Q

Professionalism and Ethics

A

Businesses need to operate not just legally, but also ethically. In today’s world, ethics has become more important due to the power of social media and the potential damage to a company’s reputation and brand. Ethics is a global issue that is strongly linked to culture, and building the right culture in an organization can encourage ethical behaviour. Professional bodies that provide frameworks and certification programs for information assurance have ethics statements for their members to follow, and these statements help instil ethics into the business. The goal is for the information assurance profession to have the same respect as other professions, such as law.

37
Q

Why is information security important?

A

Information security is important because, as technology has advanced, the exchange of information has become easier and hackers have emerged. Protecting information is critical because often the information is the business. Security is not a separate issue but is integrated into the business model.

38
Q

Drivers for Security

A

Businesses today face multiple security challenges due to factors such as the increasing use of the internet, the need to protect vast amounts of sensitive information, the use of social media, online banking, and global operations. Failure to implement protective security measures could lead to threats such as malware, insider threats, data breaches, and loss of integrity. The rapidly changing world of technology and evolving business models also affect information security. Therefore, information assurance must adapt to current circumstances and change dynamically as the business evolves.

39
Q

Cost of Security

A

Security measures require investment, and it’s important to have a return on that investment. The cost of implementing controls should not exceed the value of the asset being protected. In some cases, organizations may choose to accept certain risks if the cost of risk treatment is too high. It can be difficult to calculate potential losses, particularly with intangible assets such as databases.

40
Q

Information Security - Other consideration

A

The growth of technology and internet usage has led to an increase in cybercrime. Good information security measures can reduce the risk of becoming a victim of cybercrime. Having an Information Security Management System (ISMS) in place can help standardize security policies and ensure compliance with regulations. A good security program can improve working practices, promote secure ways of working, reduce costs, and act as a market differentiator for businesses. Information security should be part of company policy and should involve everyone from senior management to the shop floor.

41
Q

Cyberspace - Cybersecurity

A

Cyberspace refers to the virtual domain of digital networks, which consists of interconnected computer systems, servers, and other electronic devices. It is a complex and dynamic environment that allows for the creation, storage, modification, and sharing of information and data through various forms of communication. This includes the internet, as well as other digital systems and platforms that support business operations, infrastructure, and services. Cyberspace is constantly evolving and has become an essential part of modern society, affecting virtually all aspects of life, from communication and commerce to national security and defence.

Cybersecurity is the practice or science of protecting cyberspace from accidental or deliberate loss or harm.