Module 4 ISO/IEC 27k series Flashcards

1
Q

What is ISO 27799?

A
  • Health informatics — Information security management in health using ISO/IEC 27002
  • By implementing the ISO 27799, healthcare organizations and other
    custodians of health information will be able to ensure a minimum
    requisite level of security that is appropriate to their organization’s
    circumstances and that will maintain the confidentiality, integrity and
    availability of personal health information.
2
Q

What sector does ISO 27799 apply to?

A
  • ISO 27799 applies to health information in all its aspects.
  • The purpose is to provide guidance to healthcare organizations and other
    holders of personal health information on how to protect such information
    via implementation of ISO/IEC 27002.
3
Q

What is ISO 27001?

A
  • International standard that provides the specification for an Information Security Management System (ISMS)
4
Q

There are 7 objectives/phases in ISO 27001; list them.

A
  1. Context of the organization
  2. Leadership
  3. Planning
  4. Support
  5. Operation
  6. Performance Evaluation
  7. Improvement
5
Q

What are the primary objectives of ISO 27001?

A
  1. The establishment and implementation of an organization’s information security management system is influenced by the organization’s needs
    and objectives, security requirements, the organizational processes used and the size and structure of the organization.
  2. It is important that the information security management system is part of and integrated with the organization’s processes and overall management structure and that information security is considered in the design of processes, information systems, and controls.
6
Q

What does a properly implemented ISMS accomplish?

A
  • An Information Security Management System (ISMS) preserves the confidentiality, integrity, and availability of information by applying a risk
    management process and gives confidence to interested parties that risks
    are adequately managed.
7
Q

ISO 27001: what is in the Support phase/objective?

A
  1. Resources
  2. Competence
  3. Awareness
  4. Communications
  5. Documented information
8
Q

What was ISO 27002 created for?

A
  • Reference for determining and implementing controls for information security risk treatment in an ISMS based on ISO/IEC 27001.
  • Guidance document for organizations determining and implementing commonly accepted information security controls
9
Q

What are the ISO 27002 control categories?

A
  1. People
  2. Organization
  3. Technology
  4. Physical
10
Q

Give some examples of ISO 27002 People controls.

A
  • Screening
  • Terms and conditions of employment
  • Information security awareness, education and training
  • Disciplinary process
11
Q

Give some examples of ISO 27002 Physical controls.

A
  • Physical security perimeters
  • Physical entry
  • Securing offices, rooms and facilities
  • Physical security monitoring
  • Protecting against physical and environmental threats
12
Q

Give some examples of ISO 27002 Technology controls.

A
  • Data leakage prevention
  • Information backup
  • Redundancy of information processing facilities
  • User endpoint devices
  • Privileged access rights
  • Information access restriction
  • Access to source code
  • Secure authentication
  • Capacity management
  • Protection against malware
  • Management of technical vulnerabilities
  • Configuration management
  • Segregation of networks
  • Web filtering
  • Use of cryptography
  • Secure development life cycle