M886 Information security management Flashcards

1
Q

In what sense can information security be seen as enabling an organisation?

A

Properly designed controls enable an organisation to develop and operate efficiently, effectively and economically in an environment featuring diverse risks. A demonstrable record of good security may be required by business partners and/or clients/customers.

2
Q

State the information security objective that is sought for confidentiality

A

restrict access to authorised users only.

3
Q

State the information security objective that is sought for integrity

A

maintain correctness/prevent corruption.

4
Q

State the information security objective that is sought for availability

A

prevent loss and ensure accessibility in time and place.

5
Q

Explain how scarcity and shareability relate to the information security requirement of confidentiality.

A

In relation to an information asset, scarcity partitions the world into two regions: one in which the asset should be available and one in which it should not. Confidentiality is maintained by preventing the asset from moving outside its scarcity region in an unprotected form. Shareability requires the asset to be available to authorised users in a timely fashion, so measures that assure confidentiality must be balanced against the need for ready access.

6
Q

What is the main objective of the Computer Misuse Act 1990?

A

To protect the confidentiality and integrity of data held on computers by individuals and/or organisations against those who seek to access the data without authorisation.

7
Q

In what sense can it be said that the Combined Code, and the Turnbull Report’s guidance thereon, imply the need for boards of listed companies to address information security?

A

Boards have a duty to protect the assets of a company and the interests of its shareholders. Information enables an organisation to continue functioning and is often an important asset in its own right. Inappropriate loss of confidentiality, integrity or availability can be injurious to the company. Hence the need for information security management.

8
Q

One of the stages in the Standard’s method for risk assessment is threat identification. What are the other three?

A

Identification of vulnerabilities, assessment of likelihood and assessment of impact.

9
Q

Suggest one advantage and one disadvantage of using a qualitative approach to risk assessment.

A

Advantage: ease of communication and understanding, as most people will share a view on concepts such as ‘high risk’. Disadvantage: the lack of quantitative estimates of risk makes it difficult to weigh the relative costs and benefits of security measures against other business investments that produce clear estimates of ‘return on investment’.

10
Q

Give one disadvantage of threat modelling as described by Alberts and Dorofee

A

In seeking to be exhaustive, it is indiscriminate in the effort given to considering relatively or very unlikely threats, many of which may not apply to a particular organisation.

11
Q

Give an example of a social engineering attack.

A

The attacker seeks to learn personal information such as family names, pets’ names, birthdays, etc. (the kind of detail commonly used in passwords and password-reset questions), e.g. by engaging the target in conversation in a social environment.

12
Q

What is the most common source of threats to the security of an organisation?

A

Personnel; 70% of all recorded incidents are caused by internal staff of which only 5% are deliberate.

13
Q

Give two reasons cited by Adams and Sasse for the failure of password policy.

A

Memorability is inhibited by a regime requiring frequent changes, so users often produce weaker passwords. The aspiration to ‘do the job on time’ leads people to share passwords with colleagues.

14
Q

An organisation has decided to issue notebook computers to its staff. Identify one or more threats to the organisation presented by such notebooks.

A

Loss through theft. Introduction of malware through unauthorised (often ‘innocent’ domestic) use. Disclosure of information visible in an insecure environment (train, plane, etc.). Local (temporary client-side) versions of shared information assets may compromise integrity.

15
Q

Both the Standard and the Set Book categorise controls into four types. One of these is deterrent controls, describe the other three.

A
  • Detective controls seek to raise an alarm if a breach or attack is suspected (e.g. monitoring for DoS activity)
  • Preventative controls seek to reduce the likelihood of a breach or attack occurring (e.g. use of TLS, formerly SSL, to protect data in transit)
  • Corrective controls seek to mitigate damage arising from a breach (e.g. restoration from backup)
16
Q

‘Separation of roles’ is a principle underpinning design of certain controls. Describe one example of its application.

A

A person raising an (electronic) order should not be able to authorise its execution; they should be required to refer it to another party, possibly their line manager. Even more secure would be referral to a separate department with which they are unlikely to have a close working relationship.
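The rule in this answer enforced in code, as an added example (Go, written for this page; it is not from the M886 course or the Standard). The users, departments and order numbers are invented for illustration; the point is that the system, not the user, refuses to execute an order whose approver is the raiser (or, in the stricter variant, anyone in the raiser's department):

```go
package main

import (
	"errors"
	"fmt"
)

// Added illustration of the 'separation of roles' principle: a purchase-order
// workflow in which the person who raises an order can never approve it, and
// (strict variant) the approver must sit in a different department.
// The users, departments and order IDs below are constructed for this example.

type User struct {
	ID         string
	Department string
}

type Order struct {
	ID         string
	Amount     int
	RaisedBy   User
	ApprovedBy *User
	Executed   bool
}

var (
	ErrSelfApproval    = errors.New("separation of roles: raiser may not approve their own order")
	ErrSameDepartment  = errors.New("separation of roles: approver must belong to a different department")
	ErrAlreadyApproved = errors.New("order already approved")
	ErrNotApproved     = errors.New("order has no approver; cannot execute")
)

// NewOrder records who raised the order; that identity is what every later
// check is compared against.
func NewOrder(id string, raiser User, amount int) *Order {
	return &Order{ID: id, Amount: amount, RaisedBy: raiser}
}

// Approve applies the two-person rule. With strict=true it also demands a
// different department, the stronger control described in the card.
func Approve(o *Order, approver User, strict bool) error {
	if o.ApprovedBy != nil {
		return ErrAlreadyApproved
	}
	if approver.ID == o.RaisedBy.ID {
		return ErrSelfApproval
	}
	if strict && approver.Department == o.RaisedBy.Department {
		return ErrSameDepartment
	}
	a := approver
	o.ApprovedBy = &a
	return nil
}

// Execute is where the control actually bites: the system refuses to act on
// an order that has not passed through a second, independent person.
func Execute(o *Order) error {
	if o.ApprovedBy == nil {
		return ErrNotApproved
	}
	o.Executed = true
	return nil
}

func main() {
	alice := User{ID: "alice", Department: "sales"}
	bob := User{ID: "bob", Department: "sales"}
	carol := User{ID: "carol", Department: "finance"}

	o := NewOrder("PO-1001", alice, 4200)
	fmt.Println("alice approves own order:", Approve(o, alice, true))
	fmt.Println("bob (same dept) approves:", Approve(o, bob, true))
	fmt.Println("execute unapproved:", Execute(o))
	fmt.Println("carol (finance) approves:", Approve(o, carol, true))
	fmt.Println("execute approved:", Execute(o), "executed =", o.Executed)
}
```

In a real system the identities would come from the authenticated session rather than being passed in by the caller, and the approval record would be written to an audit log; the check itself is the same.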

17
Q

Describe the contents of the Statement of Applicability as specified by the Standard.

A

The SoA documents the control objectives and their associated controls selected from the Standard, together with those that have been excluded, and gives the rationale for each inclusion or exclusion.

18
Q

How should hard disks storing SEC3 information be disposed of?

A

Overwrite them using an approved secure-erase utility, or have them physically destroyed by an approved company. (Overwriting is reliable only for magnetic disks; on flash-based drives wear levelling can leave copies of old blocks untouched, so physical destruction or the drive’s own secure-erase command is the safer choice.)

19
Q

From the point of view of information security, give one advantage and one disadvantage of ‘single sign-on’ technologies.

A

Advantage: having to remember multiple passwords is known to induce insecure behaviour such as writing passwords down or choosing over-simple ones; SSO reduces the number of passwords a user needs to remember. Disadvantage: ‘discovery’ of an SSO password gives the attacker access to every asset covered by that single authentication, so the one credential becomes a much higher-value target.

20
Q

In what way does encryption support confidentiality of information?

A

Encryption transforms plaintext into ciphertext in such a way that any unauthorised attempt to recover the original text, or any part of it, without the key is computationally infeasible.
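An added example (Go standard library; not from the course materials) of a modern authenticated cipher, AES-256-GCM. It goes a little beyond the card: as well as hiding the plaintext, the authentication tag lets the recipient detect any alteration of the ciphertext, a wrong key, or a mismatch in the associated data, so integrity is protected alongside confidentiality. The key is generated at run time and the message and record label are constructed for the demonstration:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Added example: AES-256-GCM, an authenticated cipher from Go's standard
// library. Encrypt returns nonce || ciphertext || tag; Decrypt reverses it
// and rejects anything altered or sealed under a different key.
// The message and associated data in main() are constructed for this example.

// NewKey draws a 256-bit key from the operating system's CSPRNG.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext under key. aad (associated data) is authenticated
// but not encrypted, which binds the ciphertext to a context such as a record
// identifier. A fresh random 96-bit nonce is used per message; a nonce must
// never repeat under the same key.
func Encrypt(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to its first argument, so the result is
	// nonce || ciphertext || tag.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Decrypt opens a blob produced by Encrypt. Any change to the nonce,
// ciphertext, tag or aad makes Open fail before any plaintext is released.
func Decrypt(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	msg := []byte("SEC3: Q3 acquisition shortlist") // constructed sample
	aad := []byte("record=finance/2024/q3")         // constructed sample

	blob, err := Encrypt(key, msg, aad)
	if err != nil {
		panic(err)
	}
	fmt.Printf("ciphertext (%d bytes): %x\n", len(blob), blob)

	pt, err := Decrypt(key, blob, aad)
	fmt.Printf("decrypted: %q err=%v\n", pt, err)

	blob[len(blob)-1] ^= 0x01 // flip one bit of the tag
	_, err = Decrypt(key, blob, aad)
	fmt.Println("tampered:", err)
}
```

The key must be stored and distributed separately from the ciphertext (which is where the trusted third party of the next card comes in); encryption moves the confidentiality problem from the data to the key, it does not remove it.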

21
Q

In the context of cryptographic systems, what is a trusted third party?

A

A TTP is an agency believed to maintain a very high level of security in its management of secret (and private) keys. That level of security means that the parties relying on it can trust the authenticity of its digital signatures, for example on the certificates it issues.

22
Q

What are the major components of a business continuity plan?

A

Criteria for plan activation, emergency procedures, relocation, resumption, personnel (names and roles), training, rehearsal/testing, review/maintenance.

23
Q

For each stage of the PDCA cycle, describe the main activity.

A

Plan: design the ISMS (define scope and policy, assess risks and select controls). Do: implement and operate the ISMS, including training and awareness. Check: monitor and review the effectiveness of the ISMS. Act: modify the ISMS appropriately in the light of the Check results and of changed circumstances affecting the organisation and its priorities.

24
Q

Principles for control application

A
  • Primary and secondary risks
  • Cost–benefit analysis
  • Compartmentalisation and defence in depth
  • Human-related principles
    • Minimum reliance on human intervention
    • Sustainability
    • Separation of roles
    • Acceptance and tolerance
    • Trustworthiness
    • Entrapment
  • Quality-related principles
    • Override and failsafe defaults
    • Universality of application
    • Isolation
    • Completeness
    • Instrumentation
    • Auditability
    • Accountability
  • Other principles
    • Absence of design secrecy
    • Need to know
    • Reaction and recovery
    • Resetting