M886 Information security management

Question 1

In what sense can information security be seen as enabling an organisation?

Answer 1

Properly designed controls enable an organisation to develop and operate efficiently, effectively and economically in an environment featuring diverse risks. A demonstrable record of good security may be required by business partners and/or clients/customers.

Question 2

State the information security objective that is sought for confidentiality

Answer 2

restrict access to authorised users only.

Question 3

State the information security objective that is sought for integrity

Answer 3

maintain correctness/prevent corruption.

Question 4

State the information security objective that is sought for availability

Answer 4

prevent loss and ensure accessibility in time and place.

Question 5

Explain how scarcity and shareability relate to the information security requirement of confidentiality.

Answer 5

In relation to an information asset, scarcity partitions the world into two regions: one in which the asset should be available and one in which it should not. Confidentiality is maintained by preventing an asset moving outside its scarcity region in a form that is insecure. Shareability requires an asset to be available in a timely fashion, so measures to assure confidentiality should be balanced against the need for ready access.

Question 6

What is the main objective of the Computer Misuse Act 1990?

Answer 6

To protect the confidentiality and integrity of data held on computers by individuals and/or organisations against those who seek to access the data without authorisation.

Question 7

In what sense can it be said that the Combined Code, and the Turnbull Report’s guidance thereon, imply the need for boards of listed companies to address information security?

Answer 7

Boards have a duty to protect the assets of a company and the interests of its shareholders. Information enables an organisation to continue functioning and is often an important asset in it s own right. Inappropriate loss of confidentiality, integrity or availability can be injurious to the company. Hence the need for information security management.

Question 8

One of the stages in the Standard’s method for risk assessment is threat identification. What are the other three?

Answer 8

Identification of vulnerabilities, assessment of likelihood and assessment of impact.

Question 9

Suggest one advantage and one disadvantage of using a qualitative approach to risk assessment.

Answer 9

Advantage: Ease of communication and understanding as most people will share a view on concepts such as ‘high risk’. Disadvantage: Lack of quantitative estimates of risk make it difficult to weigh the relative costs and benefits of security measures when compared to other forms of business which produce clear estimates of ‘return on investment’.

Question 10

Give one disadvantage of threat modelling as described by Alberts and Dorofee

Answer 10

In seeking to be exhaustive, it is indiscriminate in the effort given to considering relatively or very unlikely threats, many of which may not apply to a particular organisation.

Question 11

Give an example of a social engineering attack.

Answer 11

Attacker seeks to learn personal information such as family names, pets names, birthdays, etc., e.g. by engaging in conversation in social environment.

Question 12

What is the most common source of threats to the security of an organisation?

Answer 12

Personnel; 70% of all recorded incidents are caused by internal staff of which only 5% are deliberate.

Question 13

Give two reasons cited by Adams and Sasse for the failure of password policy.

Answer 13

Memorability is inhibited by a regime requiring frequent changes, so users often produce more insecure passwords. Aspiration to ‘do the job on time’ leads people to share passwords with colleagues.

Question 14

An organisation has decided to issue notebook computers to its staff. Identify one or more threats to the organisation presented by such notebooks.

Answer 14

Loss through theft. Introduction of malware through unauthorised (often ‘innocent’ domestic) use. Disclosure of information visible in an insecure environment (train, plane, etc.). Local (temporary client-side) versions of shared information assets may compromise integrity.

Question 15

Both the Standard and the Set Book categorise controls into four types. One of these is deterrent controls, describe the other three.

Answer 15

• Detective controls seek to raise an alarm if an breach or attack is suspected (e.g. monitoring for DoS activity)
• Preventative controls seek to reduce the likelihood of a breach or attack occurring (e.g. use of SSL protocol)
• Corrective controls seek to mitigate damage arising from a breach (e.g. restoration from backup)

Question 16

‘Separation of roles’ is a principle underpinning design of certain controls. Describe one example of its application.

Answer 16

A person raising an (electronic) order should not be able to authorise its execution; they should be required to refer to another party, possibly their line manager, but even more secure would be reference to a separate department with which they were unlikely to have a close working relationship.

Question 17

Describe the contents of the Statement of Applicability as specified by the Standard.

Answer 17

SoA documents both the included and excluded control objectives their associated controls as selected from the Standard) along with a rationale for selection/exclusion.

Question 18

How should hard disks storing SEC3 information be disposed of?

Answer 18

Overwriting with approved secure utility or physically destroyed by an approved company.

Question 19

From the point of view of information security, give one advantage and one disadvantage of ‘single sign-on’ technologies.

Answer 19

Advantage: having to remember multiple passwords is known to induce insecure behaviour such as writing passwords down or using over-simple passwords. ss-o reduces the number of passwords that a user needs to remember. Disadvantage: ‘discovery’ of an ss-o password gives extensive access to all assets covered by the ‘enhanced’ authorisation.

Question 20

In what way does encryption support confidentiality of information?

Answer 20

Encryption transforms plain text into cipher text in such a way as to render any unauthorised attempt to recover the original text, or any part of it, highly infeasible.

Question 21

In the context of cryptographic systems, what is a trusted third party?

Answer 21

A TTP is an agency of whom it is believed that there is a very high level of security in relation to management of secret keys. The level of security means it is possible to trust the authenticity of their digital signature.

Question 22

What are the major components of a business continuity plan?

Answer 22

Criteria for plan activation, emergency procedures, relocation, resumption, personnel (names and roles), training, rehearsal/testing, review/maintenance.

Question 23

For each stage of the PDCA cycle, describe the main activity.

Answer 23

Planning involves designing and implementing the ISMS. Doing involves the implementation of the ISMS, including training and awareness. Checking seeks to monitor and review the effectiveness of the ISMS. Action involves appropriate modification of the ISMS in the light of the Checking and changed circumstances affecting the organisation and its priorities.

Question 24

Principles for control application

Answer 24

• Primary and secondary risks
• Cost–benefit analysis
• Compartmentalisation and defence in depth
• Human-related principles
  
  • Minimum reliance on human intervention
  • Sustainability
  • Separation of roles
  • Acceptance and tolerance
  • Trustworthiness
  • Entrapment
• Quality-related principles
  
  • Override and failsafe defaults
  • Universality of application
  • Isolation
  • Completeness
  • Instrumentation
  • Auditability
  • Accountability
• Other principles
  
  • Absence of design secrecy
  • Need to know
  • Reaction and recovery
  • Resetting