L9 - Security policies and Management

Question 1

What is social engineering?

Answer 1

It’s the study of a target in order to get close enough to it, so that the attacker may either directly get access to the targets system or indirectly by leaving for example a rubber ducky.

Question 2

What are IT security management concepts?

Answer 2

• Information security governance
• Information security management
• IT Security Operations.

Question 3

What is information security governance?

Answer 3

It provides a strategic directions, ensures objectives are achieved, manages risks appropriately, use of organisational resources responsibly and monitors the success of failure.

Question 4

What information security governance is effecive and not?

Answer 4

It’s when all of IT security management is actively working to achieve IT security governance. Ineffective when not.

Question 5

What are some security policys?

Answer 5

An organizational security policy may include any of these:
* Acceptable use policy
* Risk management policy
* Vulnerability management policy
* Data protection policy
* Access control policy
* Business continuity policy
* Personnel security policy
* Physical security policy
* Secure application development policy

Question 6

What are the prinicipal problems associated with employee behaviour?

Answer 6

• Errors and omissions
• Fraud
• Actions by disgruntled employees

Question 7

What is awareness?

Answer 7

Seeks to inform and focus on an employees attention on security issues within their organisation.

Question 8

How do you address awareness?

Answer 8

• Make employees aware of their responsibilities
• Make employees understand the importance for the well-being of the company.
• Promote enthusiasm and management buy-in.
• Tailor the program to the needs of the organisation

Question 9

What is ISO?

Answer 9

It’s a general code of practice standars for organisations.

Question 10

How does ISO 27002 work?

Answer 10

It provides a checklist of general security controls to be considered implemented/used by organisations. It contains 14 categories, each of these categories contains a set of security controls.

Question 11

Name a few categories in ISO 27002

Answer 11

• Introduction
• Scope
• Information security policies
• Human resources security
• Access control
• Operations security
• Compliance
• etc.

Question 12

What is ISO 27001?

Answer 12

It specifies specific requirements for establishing, implementing and continually improving a securit management system.

Question 13

What is the difference between ISO 27002 and 27001

Answer 13

• 27002: defines the security goals and controls.
• 27001: defines how to manage the implementation of security controls.