M886 Information security management Flashcards
In what sense can information security be seen as enabling an organisation?
Properly designed controls enable an organisation to develop and operate efficiently, effectively and economically in an environment featuring diverse risks. A demonstrable record of good security may be required by business partners and/or clients/customers.
State the information security objective that is sought for confidentiality
restrict access to authorised users only.
State the information security objective that is sought for integrity
maintain correctness/prevent corruption.
State the information security objective that is sought for availability
prevent loss and ensure accessibility in time and place.
Explain how scarcity and shareability relate to the information security requirement of confidentiality.
In relation to an information asset, scarcity partitions the world into two regions: one in which the asset should be available and one in which it should not. Confidentiality is maintained by preventing an asset moving outside its scarcity region in a form that is insecure. Shareability requires an asset to be available in a timely fashion, so measures to assure confidentiality should be balanced against the need for ready access.
What is the main objective of the Computer Misuse Act 1990?
To criminalise unauthorised access to, and unauthorised modification of, programs and data held on computers, thereby protecting the confidentiality and integrity of data held by individuals and/or organisations against those who seek to access or alter it without authorisation.
In what sense can it be said that the Combined Code, and the Turnbull Report’s guidance thereon, imply the need for boards of listed companies to address information security?
Boards have a duty to protect the assets of a company and the interests of its shareholders. Information enables an organisation to continue functioning and is often an important asset in its own right. Inappropriate loss of confidentiality, integrity or availability can be injurious to the company. Hence the need for information security management.
One of the stages in the Standard’s method for risk assessment is threat identification. What are the other three?
Identification of vulnerabilities, assessment of likelihood and assessment of impact.
Suggest one advantage and one disadvantage of using a qualitative approach to risk assessment.
Advantage: ease of communication and understanding, as most people will share a view on concepts such as ‘high risk’. Disadvantage: the lack of quantitative estimates of risk makes it difficult to weigh the relative costs and benefits of security measures against other forms of business investment, which produce clear estimates of ‘return on investment’.
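As an added illustration of the qualitative/quantitative trade-off above (this is not from the course materials; the band thresholds, risk figures and control costs are constructed), the following scores the same small risk register both ways, covering the four stages of threat, vulnerability, likelihood and impact. The quantitative ranking is a total order in pounds per year and feeds directly into a return-on-investment figure; the qualitative ranking leaves two ‘medium’ risks that cannot be compared.

```python
"""Risk register scored both quantitatively (ALE) and qualitatively (bands).

Added example, not from the course materials. The band thresholds, risk
figures and control costs are constructed for illustration.
"""
from dataclasses import dataclass

# Assumed qualitative bands: (upper bound, label). Likelihood is expected
# occurrences per year; impact is loss per occurrence in GBP.
LIKELIHOOD_BANDS = [(0.1, "low"), (1.0, "medium"), (float("inf"), "high")]
IMPACT_BANDS = [(10_000, "low"), (100_000, "medium"), (float("inf"), "high")]

# Assumed likelihood x impact matrix giving the overall qualitative rating.
RATING_MATRIX = {
    ("low", "low"): "low", ("low", "medium"): "low", ("low", "high"): "medium",
    ("medium", "low"): "low", ("medium", "medium"): "medium", ("medium", "high"): "high",
    ("high", "low"): "medium", ("high", "medium"): "high", ("high", "high"): "high",
}


@dataclass
class Risk:
    threat: str
    vulnerability: str
    likelihood: float  # annualised rate of occurrence (ARO)
    impact: float      # single loss expectancy (SLE), GBP

    @property
    def ale(self) -> float:
        """Annualised loss expectancy: expected loss per year from this risk."""
        return self.likelihood * self.impact


def band(value: float, bands) -> str:
    """Map a number onto the first band whose upper bound it does not exceed."""
    for upper, label in bands:
        if value <= upper:
            return label
    return bands[-1][1]


def qualitative_rating(risk: Risk) -> str:
    return RATING_MATRIX[(band(risk.likelihood, LIKELIHOOD_BANDS),
                          band(risk.impact, IMPACT_BANDS))]


def rank_quantitative(risks):
    """Threats ordered by ALE, highest first: a total order in GBP per year."""
    return [r.threat for r in sorted(risks, key=lambda r: r.ale, reverse=True)]


def rank_qualitative(risks):
    """Threats grouped by rating; ties within a band cannot be broken."""
    order = {"high": 0, "medium": 1, "low": 2}
    return [(r.threat, qualitative_rating(r))
            for r in sorted(risks, key=lambda r: order[qualitative_rating(r)])]


def rosi(risk: Risk, annual_control_cost: float, ale_reduction: float) -> float:
    """Return on security investment for a control that cuts this risk's ALE
    by the given fraction: (ALE saved - control cost) / control cost."""
    saved = risk.ale * ale_reduction
    return (saved - annual_control_cost) / annual_control_cost


def sample_register():
    # Constructed figures, loosely based on the notebook scenario on this page.
    return [
        Risk("notebook theft", "devices carried off-site", 2.0, 15_000),
        Risk("malware from unauthorised use", "no restriction on home use", 0.5, 40_000),
        Risk("fire in server room", "single site, no off-site copy", 0.02, 2_000_000),
    ]


if __name__ == "__main__":
    register = sample_register()
    print("quantitative:", rank_quantitative(register))
    print("qualitative: ", rank_qualitative(register))
    # Assumed control: full-disk encryption at 5,000 GBP/yr removing 80% of the theft ALE
    print("ROSI of disk encryption:", rosi(register[0], 5_000, 0.8))
```

Note how the fire risk ranks first by ALE but only ‘medium’ qualitatively, while the theft risk is ‘high’ on the matrix yet costs the business less per year; only the quantitative figures let the encryption control be compared with any other use of the same £5,000.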
Give one disadvantage of threat modelling as described by Alberts and Dorofee
In seeking to be exhaustive, it is indiscriminate in the effort given to considering relatively or very unlikely threats, many of which may not apply to a particular organisation.
Give an example of a social engineering attack.
Attacker seeks to learn personal information such as family names, pets’ names, birthdays, etc., e.g. by engaging in conversation in a social environment, and then uses it to guess passwords or answer security questions.
What is the most common source of threats to the security of an organisation?
Personnel: 70% of all recorded incidents are caused by internal staff, of which only 5% are deliberate.
Give two reasons cited by Adams and Sasse for the failure of password policy.
Memorability is inhibited by a regime requiring frequent changes, so users often produce more insecure passwords. Aspiration to ‘do the job on time’ leads people to share passwords with colleagues.
An organisation has decided to issue notebook computers to its staff. Identify one or more threats to the organisation presented by such notebooks.
Loss through theft. Introduction of malware through unauthorised (often ‘innocent’ domestic) use. Disclosure of information visible in an insecure environment (train, plane, etc.). Local (temporary client-side) versions of shared information assets may compromise integrity.
Both the Standard and the Set Book categorise controls into four types. One of these is deterrent controls, describe the other three.
- Detective controls seek to raise an alarm if a breach or attack is suspected (e.g. monitoring for DoS activity)
- Preventative controls seek to reduce the likelihood of a breach or attack occurring (e.g. use of TLS, formerly SSL, to protect traffic)
- Corrective controls seek to mitigate damage arising from a breach (e.g. restoration from backup)
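As an added worked example of the detective control cited above (monitoring for DoS activity), the following is a small flood monitor over web-server access logs. It is not from the course materials: the Common Log Format lines it reads are constructed, and the 10-second window and 50-request threshold are assumed values that a real deployment would tune to its own traffic.

```python
"""Detective control: flag request floods from a single source in web logs.

Added example, not from the course materials. The log format is Common Log
Format; the sample lines are constructed, and the window/threshold are assumed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    """Return a dict for a well-formed CLF line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "req": m["req"],
        "status": int(m["status"]),
    }


def detect_floods(lines, window=timedelta(seconds=10), threshold=50):
    """Sliding-window request counter per source IP. Emits one alert per
    source the first time it exceeds `threshold` requests within `window`.
    Lines are expected in time order, as a server writes them."""
    recent = defaultdict(deque)   # ip -> timestamps inside the current window
    alerted = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip it rather than crash the monitor
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()  # drop requests that have aged out of the window
        if len(q) > threshold and rec["ip"] not in alerted:
            alerted.add(rec["ip"])
            alerts.append((rec["ip"], rec["ts"], len(q)))
    return alerts


def format_line(ts, ip, request, status, size=512):
    """Render one CLF line (used only to build the constructed sample)."""
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "{request}" {status} {size}'


def make_sample_log():
    """Constructed log: a normal client plus one source sending 120 requests
    in 6 seconds (20 per second). Timestamps have 1 s resolution, as in CLF."""
    base = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
    events = []
    for i in range(10):  # normal client: one request every 3 s
        events.append((base + timedelta(seconds=3 * i), "198.51.100.4", "GET /index.html HTTP/1.1"))
    for i in range(120):  # flood source
        events.append((base + timedelta(milliseconds=50 * i), "203.0.113.7", "GET /search?q=x HTTP/1.1"))
    events.sort(key=lambda e: e[0])  # the server writes lines in arrival order
    lines = [format_line(ts, ip, req, 200) for ts, ip, req in events]
    lines.append("garbage line that is not in log format")  # exercises the skip path
    return lines


if __name__ == "__main__":
    for ip, ts, n in detect_floods(make_sample_log()):
        print(f"ALERT {ts.isoformat()} {ip}: {n} requests within 10 s")
```

The monitor is purely detective: it raises the alarm (here, a returned alert tuple that a real deployment would ship to a SIEM or pager) but does nothing to stop the traffic. Pairing it with a preventive control such as rate limiting at the edge, and a corrective one such as a runbook for blocking the source, gives the layered set of control types the Standard describes.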