Week 12: Security Criteria - Selecting an External Cloud Provider Flashcards
Simply stating that a CSP is compliant only amounts to ___
self-certification
___ are organizational programs whose scope covers everything from high-level policy down to specific security controls and procedures
Information Security Management Systems (ISMS)
ISO 27001 identifies several categories of security control objectives (these eleven are the Annex A control areas of the 2005 edition; later revisions regroup them)
Security Policy; Organization of Information Security; Asset Management; Human Resources; Physical and Environmental Security; Communications and Operations Management; Access Control; Systems Development and Maintenance; Information Security Incident Management; Business Continuity Management; Compliance
Information Security Management Systems (ISMS) - Security Policy
The policy should be consistent with business objectives and meet business requirements, and it should comply with laws and regulations
Information Security Management Systems (ISMS) - Organization of Information Security
A management framework to implement security, assign security roles, and coordinate implementations across the organization
Information Security Management Systems (ISMS) - Asset Management
Establishes responsibility for, and appropriate protection of, an organization's assets
Information Security Management Systems (ISMS) - Human Resources
Covers all personnel, including contractors and third-party users, across all phases of employment (prior to, during, and on termination or change of employment)
Information Security Management Systems (ISMS) - Physical and Environmental Security
Ensures a controlled and protected physical environment for information processing facilities and equipment
Information Security Management Systems (ISMS) - Communications and Operations Management
Defines responsibilities for information processing facilities and establishes procedures for their operation and control
Information Security Management Systems (ISMS) - Access Control
Controls access to information and ensures that access rights meet business and security requirements
Information Security Management Systems (ISMS) - Systems Development and Maintenance
Identifies security requirements before development, implementation, or acquisition begins
Verifies that applications and their controls operate correctly and are appropriate
Information Security Management Systems (ISMS) - Information Security Incident Management
Reports security events, incidents, and weaknesses
Establishes formal processes and procedures for managing incidents
Information Security Management Systems (ISMS) - Business Continuity Management
Establishes and uses a business continuity management process to counteract interruptions and protect critical business processes
Information Security Management Systems (ISMS) - Compliance
Ensures compliance with legal, regulatory, and contractual requirements, and with the organization's own security policies and standards
Obtaining accreditation is both time ___ and ___
consuming
expensive