1 INFORMATION SECURITY PRINCIPLES Flashcards

(139 cards)

1
Q

Information security

A

InfoSec is the practice of protecting information and information systems from unauthorised access, use, disclosure, disruption, modification or destruction.

2
Q

acts/policies for privacy

A

General Data Protection Regulation (GDPR), the Data Protection Act 2018 (DPA) and artificial intelligence (AI) privacy

3
Q

PSNI Data Breach Aug 2023

impacts

Measures

A

Police Service of Northern Ireland: personal information of 10,000+ officers and staff. In responding to a Freedom of Information request, a spreadsheet containing the names, ranks and work locations of employees was mistakenly released along with the requested figures. RISK TO LIFE.

Urgent measures: relocating officers, enhancing security protocols.

Impacts: immediate increase in personal risk and safety concerns. Loss of public trust and less confidence in PSNI’s ability to safeguard data. INTERNAL REVIEW, improved training. Influenced policies and procedures for data management/protection.

£750,000 fine from the Information Commissioner’s Office (ICO).

Highlighted: vulnerabilities in data handling, the need for robust infosec practice, data protection inadequacies, and the need for SIMPLE and PRACTICAL-TO-IMPLEMENT policies/procedures.

4
Q

Security

A

protective & defensive

enabler of business objectives & ability to function

prevents loss

should never be considered as just technical – governance, physical, policy, procedure and people also

5
Q

Information

A

Information can be defined as ‘data endowed with meaning and purpose’.

6
Q

UK cyber attack stats

A

In the past 12 months in the UK, 50 per cent of businesses and around 32 per cent of charities reported having experienced some form of cybersecurity breach or attack.

Over 91 per cent of these related to phishing attacks, with employees receiving fraudulent emails or landing on fraudulent websites.

7
Q

CIA triad

A

basic framework for developing security policies and controls

balanced/effective security posture ALONGSIDE people, processes and technology

Confidentiality, Integrity, Availability

Each principle supports the others/overlaps:
integrity supports confidentiality and availability (data that has been tampered with may leak or become unusable),
availability ensures integrity and confidentiality measures can actually be applied and checked

8
Q

CIA: Confidentiality

Maintained

loss of confidentiality

A

*trying to make sure data is kept private and secret
*access to information must be controlled
*people not authorised cannot access/see data
*enforced by strict access policies and by logging/monitoring of who accesses what

EXAMPLE: only HR can access employee files/info (unless access is granted specifically, such as for an audit or to senior management)

LOSS OF CONFIDENTIALITY, e.g.:
  • weak passwords (human error or inadequate security)
  • passwords written down and left nearby
MAINTAIN: labelled & classified data, access control policies, encryption at rest/in transit, MFA, training in data handling

9
Q

Confidentiality: Maintaining

A

Data should be labelled and classified.
Have access control policies.
Encrypt data both at rest and in transit.
Make use of multi-factor authentication (MFA) and
ensure employees have adequate training in data handling.

10
Q

CIA: Integrity

Examples
compromised

A
  • making sure data can be trusted and cannot be tampered with
    *integrity of data is maintained if data is authentic, accurate and reliable

EXAMPLE: errors in, or tampering with, third-party order/payment notifications can cause reputational damage

EXAMPLE: police website defaced through an unpatched vulnerability damages public perception

COMPROMISED:
*intentional: attacker bypasses detection systems, changes configuration, access controls and logs to allow or conceal unauthorised access
*unintentional: careless mistakes, inputting incorrect personal data

11
Q

Integrity: Maintaining

A

*use hashing, encryption, digital certificates or digital signatures.

  • file integrity monitoring tools (e.g. Tripwire) keep a baseline of file hashes and alert staff to any changes to files.

*Anti-tampering: the hash value published for the original file is compared with the hash value of the downloaded file; a mismatch means the download was altered or corrupted.
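Added example (not from the flashcards, and not Tripwire’s own code): a Go program showing the two techniques on this card together, a baseline-and-compare file integrity check and a hash check on a downloaded file. The paths, file contents and the "published" digest are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"sort"
)

// fileSet stands in for a directory tree: path -> contents. It is constructed
// sample data for this example; a real monitor would read files from disk.
type fileSet map[string][]byte

// hashBytes returns the lowercase hex SHA-256 digest of data.
func hashBytes(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// baseline records a digest for every file, the way a Tripwire-style file
// integrity monitor builds its initial database. Store the baseline where an
// attacker on the monitored host cannot rewrite it, or it proves nothing.
func baseline(fs fileSet) map[string]string {
	db := make(map[string]string, len(fs))
	for path, data := range fs {
		db[path] = hashBytes(data)
	}
	return db
}

// changes compares the current state with the baseline and reports which
// paths were modified, added or deleted. Results are sorted so that reports
// are deterministic.
func changes(db map[string]string, current fileSet) (modified, added, deleted []string) {
	for path, data := range current {
		want, known := db[path]
		switch {
		case !known:
			added = append(added, path)
		case want != hashBytes(data):
			modified = append(modified, path)
		}
	}
	for path := range db {
		if _, stillThere := current[path]; !stillThere {
			deleted = append(deleted, path)
		}
	}
	sort.Strings(modified)
	sort.Strings(added)
	sort.Strings(deleted)
	return modified, added, deleted
}

// verifyDownload is the anti-tampering check on the card: hash what you
// received and compare it with the digest the publisher advertised. The
// published digest must come from a channel you trust (the vendor's own
// site over TLS, or a signed file); a digest sitting next to the download on
// the same compromised mirror proves nothing.
func verifyDownload(downloaded []byte, publishedHex string) bool {
	got := hashBytes(downloaded)
	return subtle.ConstantTimeCompare([]byte(got), []byte(publishedHex)) == 1
}

func main() {
	// Constructed sample: a small web root as captured at install time.
	installed := fileSet{
		"/var/www/index.html":     []byte("<h1>Force portal</h1>"),
		"/etc/app/config.yaml":    []byte("log_level: info\n"),
		"/var/log/app/access.log": []byte("2024-01-01 GET /\n"),
	}
	db := baseline(installed)

	// A later scan: the front page has been defaced, an unexpected script has
	// appeared under uploads, and the access log has been deleted to hide it.
	later := fileSet{
		"/var/www/index.html":      []byte("<h1>defaced</h1>"),
		"/etc/app/config.yaml":     []byte("log_level: info\n"),
		"/var/www/uploads/cmd.php": []byte("<?php /* unexpected file */ ?>"),
	}
	mod, add, del := changes(db, later)
	fmt.Println("modified:", mod)
	fmt.Println("added:   ", add)
	fmt.Println("deleted: ", del)

	// Download check against a digest the vendor published (here the
	// well-known SHA-256 of the string "hello", used as a stand-in).
	published := "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"
	fmt.Println("good copy verifies:    ", verifyDownload([]byte("hello"), published))
	fmt.Println("tampered copy verifies:", verifyDownload([]byte("hellp"), published))
}
```

The deleted access log is the detail worth noticing: an attacker who alters content will often remove the evidence too, so a monitor that only reports modified files misses half the story.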

12
Q

Integrity: verifying

A

Non-repudiation is the property that an action or message cannot later be repudiated or denied by the party that performed or sent it.

It is closely linked to integrity: a digital signature over a message proves both that the content is unchanged and which key holder produced it, so the sender cannot deny sending it. A plain hash or shared-secret check proves only that the content is unchanged.

EXAMPLE: employee uses a digital signature when sending emails
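Added example (not from the flashcards): a Go program using Ed25519 from the standard library to show why a digital signature gives non-repudiation while an HMAC over the same message does not. The employee names, the message text and the shared key are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// signer is one employee's signing identity. The private key stays with the
// employee (ideally in a smartcard or HSM); the public key is published, e.g.
// in a certificate that binds it to their name.
type signer struct {
	name string
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

func newSigner(name string) (signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return signer{}, err
	}
	return signer{name: name, priv: priv, pub: pub}, nil
}

// sign produces a signature over msg. Only the holder of priv can do this.
func (s signer) sign(msg []byte) []byte {
	return ed25519.Sign(s.priv, msg)
}

// verifySignature checks sig against the claimed sender's public key. Anyone
// (the recipient, an auditor, a tribunal) can run it with no secret material,
// which is what makes the result non-repudiable: only the private-key holder
// could have produced a signature that verifies.
func verifySignature(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

// hmacTag is the contrast case: a keyed hash under a secret both parties
// share. It proves the message was not altered since it was tagged, but
// either party could have produced the tag, so the sender can still deny
// having sent it. Integrity: yes. Non-repudiation: no.
func hmacTag(sharedKey, msg []byte) []byte {
	m := hmac.New(sha256.New, sharedKey)
	m.Write(msg)
	return m.Sum(nil)
}

func main() {
	alice, err := newSigner("alice")
	if err != nil {
		panic(err)
	}
	mallory, err := newSigner("mallory")
	if err != nil {
		panic(err)
	}

	msg := []byte("Approve payment of 12,000 to supplier 4471") // constructed sample
	sig := alice.sign(msg)

	fmt.Println("genuine message, alice's key:  ", verifySignature(alice.pub, msg, sig))
	fmt.Println("altered message, alice's key:  ", verifySignature(alice.pub, []byte("Approve payment of 92,000 to supplier 4471"), sig))
	fmt.Println("genuine message, mallory's key:", verifySignature(mallory.pub, msg, sig))

	// With HMAC the recipient can check integrity, but cannot prove to a third
	// party which of the two key holders created the tag.
	key := []byte("shared-secret-constructed-for-example")
	fmt.Println("hmac tags match:", hmac.Equal(hmacTag(key, msg), hmacTag(key, msg)))
}
```

In practice the binding between the public key and the person is the weak point: a signature proves which key signed, and only the certificate or directory entry proves whose key it is, so key issuance and revocation procedures matter as much as the algorithm.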

13
Q

CIA: Availability

EXAMPLES

Compromised

A

Data can be confidential and intact yet still unavailable: if it cannot be accessed when it is required it is of no use.

Data must be available for access by those who need it, when they need it.

Systems, networks and applications must function as and when they are required.

EXAMPLE: power outage + no disaster recovery plan = financial loss
EXAMPLE: customers expect 24/7 access to online banking, otherwise they switch banks

Compromised by:
DoS attack, ransomware that encrypts data so it is inaccessible,
or
a non-malicious availability issue

14
Q

non-malicious availability issue

A

A non-malicious availability issue is, for example, a patch that has not been properly tested and causes a system to fail, so access to data is lost.

15
Q

Availability: Maintaining

A

ENSURED BY: redundant networks, servers and applications

failover to cloud capacity when the primary system is disrupted/broken

ENHANCE: replacing systems before end-of-life/failure and testing patches before deployment

REGAIN: backups & disaster recovery plans after an incident

16
Q

Asset

A

An item of value to stakeholders

Tangible or intangible

Value is determined by stakeholders from loss concerns across the entire system lifecycle. Such concerns include but are not limited to organisation or mission concerns. (NIST SP 800-160)

Important: have a process to identify, classify and maintain assets

17
Q

Tangible Asset

A

e.g. a physical item such as hardware, firmware, computing platform, network device or other technology component

18
Q

Intangible asset

A

e.g. humans, data, information, software, capability, function, service, trademark, copyright, patent, intellectual property, image or reputation

19
Q

Issues with asset identification/classification/maintenance

A
  • diverse set of software/hardware from different vendors

*Lack of control: diverse subsidiaries/branches/third parties are hard to regulate as a group, and it is difficult to mandate a single software/hardware baseline

20
Q

asset hardware

A

Hardware can include servers, workstations and network devices

21
Q

asset software

A

Software can include operating systems, applications, firmware and files.

22
Q

All assets once located should be…

A

valued; valuations are best based on loss scenarios.

You can classify information and use a matrix to help visualise each loss scenario.

Scenarios can also consider the potential impact of a loss of confidentiality, integrity or availability.

23
Q

Threat, vulnerability, risk and impact

A

critical to Information Assurance IA

24
Q

Threat

A

Threat: A potential cause of an unwanted incident, which may result in harm to a system or organisation. ISO/IEC 27000

Aim: prevent the threat, or reduce the harm it can do

e.g. car crash: harm is linked to speed; the higher the speed, the higher the likelihood of severe injury, so reducing speed reduces harm

A threat causes harm only if it exploits a vulnerability

25
Vulnerability
A weakness of an asset or control that can be exploited by one or more threats. ISO/IEC 27000
A weakness which, IF exploited, COULD cause unwanted effects.
E.g. car: driving fast on icy roads, the car might hit a patch of ice and skid. Driving too fast = threat; the patch of ice = vulnerability. The vulnerability is deliberately exploited if someone purposely pours water on the road so that it freezes.
26
Example matrix of loss scenarios
Rows (scenario – asset affected; consequence):
Ransomware attack – organisation data; regulatory loss and fines
Data theft by employee – customer data; competitor gains advantage
Data leaked to media – financial data; public/media exposure
Column headings: Size of loss | Reputation loss | Legal and compensation loss | Fines | Market loss | Expected loss
27
Risk
The effect of uncertainty on objectives. ISO/IEC 27000
RISK = combination of a threat and a vulnerability, applied to an asset.
E.g. threat: driving too fast; vulnerability: ice; risk: the car might skid = likelihood of injury, risk of being late for work, risk that other cars hit you.
REMOVING either the threat or the vulnerability REDUCES RISK.
28
RISK REDUCTION
REMOVING either threat or vulnerability REDUCES RISK.
Slower car = still a risk of skidding, but the impact is likely lessened.
Ice melts = risk of skidding reduced, not eliminated, as the car can still skid on a dry road (worn tyres).
Aim is to bring the risk down to an acceptable level.
29
Risk diagram showing the link between threat, asset and vulnerabilities (Venn diagram): what goes in each intersection?
Risk Venn diagram: Threats, Assets, Vulnerabilities. Threats ∩ Assets = inherent weakness; Threats ∩ Vulnerabilities = likelihood & frequency; Assets ∩ Vulnerabilities = exploitation potential; all three overlap = Risk.
30
Impact
Impact: The result of an information security incident, caused by a threat, which affects assets. ISO/IEC 13335
The potential impact of a risk occurring must be considered and managed in IA, as impact creates harm that can result in loss.
Small and insignificant impact = accept, no further action other than monitoring; otherwise a risk of higher impact on the organisation = further action required.
31
Information security policy concept
Any organisation should have a policy for its management of IA: a short, punchy statement from the chief executive stating that they acknowledge the risks to the organisation resulting from poor information assurance and will take appropriate measures to deal with them.
SHOULD include statements that make it clear that the organisation regards risk as a serious issue, with it being discussed at all appropriate meetings, and with those with the correct authority and responsibility taking an active interest in it.
COMMON for an organisation to form an IA/security working group to lead the activities necessary to ensure appropriate levels of assurance within the organisation.
32
The purpose of controls
Controls in the IA sense are those activities that are taken to manage the risks identified. There are four main types of strategic control, although the actual implementation of each of these types can be very varied
33
Risk avoidance
IA control. An informed decision not to be involved in, or to withdraw from, an activity in order not to be exposed to a particular risk. ISO Guide 73
Action/s that remove the threat of a certain risk occurring at all, e.g. removing old and insecure software.
Also known as: PREVENT, AVOID, TERMINATE
34
Risk reduction
Risk reduction: Action taken to lessen the probability, negative consequences, or both associated with risk. ISO 22300:2018
Action/s that reduce the impact or the likelihood of a risk occurring (rarely both). Often necessary to use several measures in combination, e.g. contingency measures that mitigate the effects if the risk does occur (PLAN B).
Also known as: TREAT, MITIGATE
35
Risk transfer
Risk transfer: A form of risk treatment involving the agreed distribution of risk with other parties. ISO Guide 73
Moves accountability for future risk management to another organisation, although the original organisation still owns the risk.
Also known as: SHARE, INDEMNITY, INSURANCE
Contracts stating that the financial impact of the risk occurring is borne by a third party (liquidated damages). An insurance policy covers the cost of rectifying the results of a risk but does not take away the impact, e.g. REPUTATION damage remains.
36
Risk acceptance:
Risk acceptance: The decision to accept a risk. ISO Guide 73
Senior management accepts that it is not practical/sensible to take any further action other than MONITORING.
Reasons: the likely impact of the risk is too small; the likelihood of the risk occurring is too small; the cost of appropriate measures >> financial impact of the risk occurring; the risk is outside the organisation’s direct control.
Must be within RISK APPETITE. Also known as: TOLERATE. Not the same as doing nothing.
37
Risk appetite
The organisation’s risk appetite determines the level of risk the organisation is prepared to accept. Risk acceptance must be consistent with the risk appetite.
38
Identity
Identity: Information that unambiguously distinguishes one entity from another one in a given domain. ISO/IEC 24760-1
Knowing who accesses what enables audit trails, tracks specific changes, assigns confidence to changes, and identifies assets uniquely.
39
Authentication
Authentication: The provision of assurance of the claimed identity of an entity. ISO/IEC 15944-6
Confirms that the individual is who they say they are, to a level of confidence appropriate for the task: e.g. date of birth or tokens, biometrics, detailed data checks.
40
Authorisation
Authorisation: The right or permission that is granted to a system entity to access a system resource. ISO/TR 22100-4
Any system of information retrieval needs a method of authorisation that makes clear which assets may be accessed and the type of access. Authorisation varies depending on organisational requirements, the individual, the asset type, etc., and someone must have the authority to approve it.
41
Accountability
Accountability: The property that ensures that the actions of an entity can be traced uniquely to the entity. ISO/IEC 21827
Any action on an information system or assurance management system holds the individual ACCOUNTABLE for that action. Work may be delegated to others, but accountability is retained.
42
Audit
Audit: The review of a party’s capacity to meet, or continue to meet, the initial and ongoing approval agreements as a service provider. ISO 15638-15
Formal or informal checking of records to ensure the anticipated activities took place:
*identify gaps in functionality
*note trends for problem resolution/identification
*identify misuse of information
*identify inappropriate use of authorisation and thus identify unauthorised activity
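Added example (not from the flashcards) tying the identity, authentication, authorisation, accountability and audit cards together: a Go program in which every request is authenticated, authorised against roles plus explicit grants (HR files readable only by HR unless an auditor has been specifically granted access, as on the confidentiality card), written to an audit trail against a unique identity, and then audited for denied attempts. The identities, tokens, asset names and policy are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"time"
)

// principal is an identity: one unambiguous identifier per person plus the
// roles they hold. Shared identifiers destroy accountability, so there are none.
type principal struct {
	id    string
	roles []string
}

// auditRecord is one line of the audit trail: every decision, allowed or
// denied, is recorded against the identity that requested it.
type auditRecord struct {
	when    time.Time
	who     string
	action  string
	asset   string
	allowed bool
	reason  string
}

// policy maps asset -> action -> roles permitted by default (constructed).
// HR employee files are readable only by HR, matching the card's example.
var policy = map[string]map[string][]string{
	"hr/employee-files": {"read": {"hr"}, "write": {"hr"}},
	"eng/source-code":   {"read": {"engineering"}, "write": {"engineering"}},
}

type system struct {
	users     map[string]principal
	tokenHash map[string][32]byte // identity -> SHA-256 of their bearer token
	grants    map[string]bool     // "id|action|asset" approved by someone with authority
	trail     []auditRecord
}

// newSystem builds constructed sample users, credentials and one grant.
func newSystem() *system {
	s := &system{users: map[string]principal{}, tokenHash: map[string][32]byte{}, grants: map[string]bool{}}
	s.addUser("E1001", []string{"hr"}, "hr-token-constructed")
	s.addUser("E2002", []string{"engineering"}, "eng-token-constructed")
	s.addUser("A3003", []string{"auditor"}, "audit-token-constructed")
	// Specific grant for an audit: the auditor may read (not write) HR files.
	s.grants["A3003|read|hr/employee-files"] = true
	return s
}

func (s *system) addUser(id string, roles []string, token string) {
	s.users[id] = principal{id: id, roles: roles}
	s.tokenHash[id] = sha256.Sum256([]byte(token))
}

// authenticate gives assurance that the caller holds the credential bound to
// the claimed identity. Tokens are stored hashed and compared in constant
// time. (User-chosen passwords need a deliberately slow hash such as bcrypt,
// scrypt or Argon2 rather than plain SHA-256; random tokens do not.)
func (s *system) authenticate(id, token string) bool {
	want, ok := s.tokenHash[id]
	if !ok {
		return false
	}
	got := sha256.Sum256([]byte(token))
	return subtle.ConstantTimeCompare(want[:], got[:]) == 1
}

// authorise decides whether an already-authenticated identity may perform
// action on asset, either through an explicit grant or a role in the policy.
func (s *system) authorise(id, action, asset string) (bool, string) {
	if s.grants[id+"|"+action+"|"+asset] {
		return true, "explicit grant"
	}
	for _, role := range s.users[id].roles {
		for _, permitted := range policy[asset][action] {
			if role == permitted {
				return true, "role " + role
			}
		}
	}
	return false, "no role or grant"
}

// access is the single entry point: authenticate, then authorise, and write
// an audit record for every outcome so each action traces to one entity.
func (s *system) access(id, token, action, asset string) bool {
	if !s.authenticate(id, token) {
		s.trail = append(s.trail, auditRecord{time.Now(), id, action, asset, false, "authentication failed"})
		return false
	}
	ok, why := s.authorise(id, action, asset)
	s.trail = append(s.trail, auditRecord{time.Now(), id, action, asset, ok, why})
	return ok
}

// deniedPerIdentity is a simple audit over the trail: count refused attempts
// per identity to surface misuse, probing or credential problems.
func (s *system) deniedPerIdentity() map[string]int {
	counts := map[string]int{}
	for _, r := range s.trail {
		if !r.allowed {
			counts[r.who]++
		}
	}
	return counts
}

func main() {
	s := newSystem()
	s.access("E1001", "hr-token-constructed", "read", "hr/employee-files")    // HR: allowed
	s.access("E2002", "eng-token-constructed", "read", "hr/employee-files")   // engineer: denied
	s.access("E2002", "wrong-token", "read", "eng/source-code")               // bad credential
	s.access("A3003", "audit-token-constructed", "read", "hr/employee-files") // auditor: grant
	for _, r := range s.trail {
		fmt.Printf("%s %-6s %-5s %-18s allowed=%-5t %s\n",
			r.when.Format(time.RFC3339), r.who, r.action, r.asset, r.allowed, r.reason)
	}
	fmt.Println("denied attempts:", s.deniedPerIdentity())
}
```

Two design points carry over to real systems: denied requests are logged as carefully as allowed ones, because the pattern of refusals is what reveals misuse, and the grant is recorded separately from the role so the audit can later show who approved what and for which asset.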
43
Compliance
Compliance: Meeting or exceeding all applicable requirements of a standard or other published set of requirements. ISO/TR 19591
A system/process complies with a defined/expected operating procedure. SHOULD be independently audited to achieve certification against a standard or a legal or regulatory framework. Can apply to the whole organisation being compliant with a recognised IA standard, or to individual users being compliant.
44
getting rid of risk
An organisation will always have to tolerate some level of risk; the only thing that we can achieve is the reduction through mitigation or avoidance to an acceptable level. Phil Larner, principal information assurance manager, Leidos (personal communication)
45
Professional bodies CISMP
Professional bodies, such as the Chartered Institute of Information Security (CIISec) (previously the Institute of Information Security Professionals (IISP), set up in 2006 in the UK), have helped to raise the profile of the profession very significantly.
Typical progression: CISMP, then the Information Systems Audit and Control Association (ISACA) Certified in Risk and Information Systems Control® (CRISC®), and for those wanting to move into management with five years’ experience, the ISACA Certified Information Security Manager® (CISM®) or ISC2 Certified Information Systems Security Professional (CISSP), which is a blend of technical and information security aimed more at those in senior technical or management roles.
Certifications like these are expensive but are often cited as requirements in the job description for cybersecurity management type roles.
46
INFORMATION SECURITY PROFESSIONALISM AND ETHICS
General awareness of the work done by information assurance professionals (as distinct from IT security professionals) is gradually growing as organisations become increasingly complex, with more and more information being managed and processed.
It used to be said that staff were the most important asset; now it is the information the organisation holds and uses effectively that has become its most important asset.
47
career triad
EKE: enthusiasm, knowledge and experience. One alone is not enough.
A certification should never be undertaken just for the ‘badge’. It should be taken to gain knowledge and support personal development and career aspirations.
48
Critical duties of a security professional
In the UK it may be that to view certain materials you need to gain security clearance, or Developed Vetting in the case of military or government positions.
49
disciplinary proceedings
Unauthorised Disclosure; Sharing info without owner’s consent; May lead to dismissal; NDAs now common across all sectors.
50
bottom line of all assurance is ____
TRUST. Without it, it is impossible to operate.
Trust in assurance; trust enables operations; the level of trust shapes the controls; assurance professionals must be fully trustworthy; no compromise allowed.
51
ISMS
Information security management system (ISMS): Part of the overall management system, based on an organisation risk approach, used to establish, implement, operate, monitor, review, maintain and improve information security. ISO 12812-2
The one-stop shop for all IA information within the organisation. If staff need to go looking for documents/policies/practices on assurance they will LIKELY not BOTHER; NO ONE-STOP SHOP = REDUCTION in the level of assurance!
Contents: policies, standards, procedures, roles and responsibilities, technology and controls, PDCA (plan-do-check-act) cycle.
52
Policy should be in one place and secure
Organisations should make information as freely and easily available as is possible, practical and necessary, so what security rules should control it? Some policy is more sensitive and need-to-know, but in general everyone should be able to access policy easily and quickly.
53
QUANTUM VIEW SCENARIO
new start-up supporting quantum computing & quantum-resistant cryptography. Reputation around security so can bid for work with gov agencies. Effective IA system needed.
54
OUTLINE WHY WE NEED IA; 3 THREATS to the business; 3 VULNERABILITIES; 3 RISKS the IA system manages (QUANTUM VIEW SCENARIO above)
IA NEEDED FOR:
1) PROTECTION OF SENSITIVE INFO
*Confidentiality (sensitive business data, customer info and intellectual property protected from unauthorised access)
*Integrity (safeguards accuracy/consistency of data; unauthorised individuals do not alter info)
*Availability (ensures info/systems are accessible when needed, avoiding disruption to business operations)
2) COMPLIANCE WITH LEGAL/REGULATORY REQUIREMENTS: laws/regulations/standards require stringent information security measures, such as GDPR and the Data Protection Act
3) Manage risks proactively
4) Build trust with clients and partners
5) Respond effectively to incidents
6) Support business continuity
7) Gain competitive advantage
THREATS (three, from Chapter 1 themes):
Malicious insider – employees with privileged access may misuse information.
Advanced Persistent Threats (APTs) – sophisticated, targeted cyber attacks from nation-states or competitors.
Supply chain compromise – third-party vendors may introduce vulnerabilities or leak sensitive data.
VULNERABILITIES (three):
Lack of formal IA policy – without clear governance, controls may be inconsistent or weak.
Inadequate staff awareness – employees may mishandle sensitive data or fall for phishing.
Unsecured development environments – R&D systems may lack proper access controls or encryption.
RESULTING RISKS (three):
Loss of government trust – a breach or mishandling of data could disqualify the business from public sector contracts.
Intellectual property theft – competitors or attackers could steal quantum cryptography innovations.
Reputational damage – any incident could undermine the company’s credibility in a security-critical market.
55
SECURITY IS
AN ENABLER OF BUSINESS
56
Information security:
Preservation of confidentiality, integrity and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved. ISO 19092
57
Senior manager concerned about IA
IA is not only for the IT manager or the security officer but for the whole organisation. All staff members of any organisation, regardless of its nature, its organisation, its location or any other factor, should be concerned about IA, whether from a personal view or the wider view of the effective, continued operation of the organisation.
58
IA
Information assurance (IA): The confidence that information systems will protect the information they carry and will function as they need to, when they need to, under the control of legitimate users. UK Cabinet Office
Accomplished by physical, technical and administrative controls.
59
What is encompassed by IA?
IA encompasses not only digital but also analogue or physical form These protections apply to data in transit, both physical and electronic forms, as well as data at rest in various types of physical and electronic storage facilities.
60
Information systems
Information systems include any means of storing, processing or disseminating information, including IT systems, media and paper-based systems.
61
adding in Assurance
Assurance should not be viewed as an ‘add-on’ to be included only if there is the time and the money to do it. It has to be built in to organisation processes at all stages if it is to be truly effective. While it might be possible in some areas to add in security measures at the last moment (an extra lock on a door or an additional staff security check, for example), they will usually cost more and be less effective than if they had been added at the appropriate time earlier in the design process.
62
Different organisation models and their impact on security REMOTE TRANSACTIONS
Increased use of technology has enabled business to be transacted remotely rather than in person; enables direct access to suppliers (e.g. flights, cars, investments); reduces the need for intermediaries; increases individual and organisational security risks.
63
Different organisation models and their impact on security UK SHIFT FROM MANUFACTURING
The UK has shifted from manufacturing to service and financial industries; service industries rely heavily on technology and information; security risks have increased due to higher data volumes and exposure; remaining factories face issues with the security of industrial control systems (ICSs).
64
Different organisation models and their impact on security SERVICE INDUSTRY
In the service industry, the availability of information has increased dramatically; This transformation is compared to the impact of the steam engine or electricity; It has liberated the industry but made securing information more difficult and more important
65
Different organisation models and their impact on security GLOBALISATION
Organisations now operate across multiple countries and move sensitive data globally; IA must ensure integrity, authorised access, and proof of delivery; Local legislation affects how data must be handled in each region.
66
Different organisation models and their impact on security INTERNET BASED THREATS
Online trading exposes organisations to ransomware, DoS attacks and website tampering; these threats can damage reputation, finances and public trust; security controls must address both external and internal risks; trading online means trusting strangers.
67
Different organisation models and their impact on security Insider Threats
Disillusioned employees or activists may steal, delete, or alter critical data; Such incidents are often kept quiet to avoid reputational damage; Client databases and financial records are common targets.
68
Different organisation models and their impact on security lost/stolen
Sensitive data has been lost from laptops stolen from parked cars; mobile devices like phones and tablets are easy targets for attackers; BYOD introduces risks when personal devices access organisational data.
69
Different organisation models and their impact on security CLOUD STORAGE & DEFENCE
Cloud-based storage means data may reside anywhere globally; Defence in breadth considers all connected systems as potential attack vectors; Defence in depth uses layered security based on data sensitivity
70
Different organisation models and their impact on security DIRECT TRADE
Direct consumer-to-manufacturer trade increases exposure to unreliable services; Just-in-time operations depend on accurate and timely data flow; System outages can cause serious financial losses.
71
Defence in breadth
Defence in breadth means considering all connected systems when assessing security; Attackers may exploit weaker links like suppliers or advisors to access core systems; Security must extend beyond the organisation to include trusted third parties
72
Defence in Depth
Defence in depth uses multiple layers of security to protect sensitive systems; Security measures increase in complexity and strength as data becomes more critical; Attackers must overcome several barriers to reach high-value assets.
73
COSTS OF CYBER BREACHES
Cost of Cyber Breaches DCMS Cyber Security Breaches Survey 2024: Average direct cost of a cyber-attack on large organisations = £15,330; Indirect costs like reputational damage and productivity loss are not included.
74
Impact of Organisational Change
Organisations must adapt rapidly to survive in a climate of constant change; Practices acceptable last week may no longer be suitable today; Assurance systems must be flexible but not weakened; Greater flexibility should lead to stronger security and better risk management.
75
Balancing cost and impact of security with the reduction in risk
Never risk free; effective management reduces risk to an acceptable level but can be excessively expensive. BALANCE the cost/impact of the risk if it occurs against the cost of measures to reduce its likelihood or impact; no extravagant measures if the risk is limited, e.g. insurance policy costs may offset the gain or be too expensive. Insurance transfers the financial impact but not the impact on reputation & public opinion.
76
Maintaining currency
Risk countermeasures that are defined and planned but then shelved waiting for the risk to occur may no longer be valid when needed: the risk changes and the countermeasure’s effectiveness changes over time. RISK MANAGEMENT + MAINTENANCE of actions is a continual and iterative process.
77
risk management and maintenance
risk management, and the maintenance of the consequential actions taken, is a continual and iterative process that must not be allowed to wither through lack of action or misplaced belief that the situation will not change.
78
Information security as part of company policy
Assurance or security is not an add-on; include it from the start. Inclusion of assurance as part of the operational policy of the organisation is the only cost-effective way of covering the issues adequately.
79
similarities between IA and health and safety issues
IA is not just the info security manager’s job; Like health & safety, it must involve everyone; Top-down commitment is essential; Without senior management support, IA will fail.
80
Policy, standards, guidelines and procedures documentation
A policy alone is meaningless without supporting standards, guidelines, and procedures; Documentation must be clear, concise, and readable — not thousands of pages; Procedures should be accessible (e.g. desk cards, checklists for operators); Covers both digital and physical assets, including staff-held knowledge. e.g. filing cabinets cleared before disposal
81
Security as an enabler delivering value rather than cost
Effective IA reduces the probability of risks like data loss, corruption or unauthorised access occurring; helps justify investment through reduced impact and improved efficiency; countermeasures and standards promote best practice and orderly operations; security adds value, not just cost.
82
Security culture within an organisation
IA is worthless without security-conscious people who are aware of threats and dangers, how relevant they are to them and their data, and how to use the systems to make sure that the information assets are protected. IMPORTANT to PROACTIVELY LEAD from the TOP, by example, to set strategic direction. Assurance incidents are mostly accidents rather than malicious acts.
83
information security policy document
Signed by the chief executive or equivalent, saying words to the effect of: security is a high priority and everyone is responsible; staff must follow policy when dealing with colleagues, suppliers and customers; uncertainty or suspicion must be reported to the information security manager.
84
Security Awareness
SHOULD BE an interesting and relatable programme of training for all employees, included as part of their induction training programme too. Security culture needs ongoing awareness programmes; training must be relatable, engaging and part of induction; explain specific risks and legal consequences; cover confidentiality, integrity, availability and non-repudiation; track training for refreshers and as legal proof of due diligence.
85
Codes of conduct example
obligations placed upon employees regarding IA: confidentiality, integrity and availability
86
CODES OF CONDUCT e.g. CIA
A means of expressing the ethics and standards of the organisation: examples of the kind of behaviour expected of employees in their dealings with each other and other people, be they customers, suppliers or anyone else. Guidance on accepting and declaring the receipt of gifts (and on not offering them), no alcohol, e.g. ‘Gifts should be accepted when it would cause offence to refuse, but they must be declared to the organisation at the first opportunity’; declared gifts become prizes in an annual raffle or prize-giving.
87
recording training
record of assurance awareness training – who, when and what – as it has several uses. First, it allows the identification of when refresher training is required, for example, due to the passage of time or changes to risks or the law. Second, it could prove very useful in the event of legal action by helping to prove due diligence.
88
gifts in code of conduct
Links to SOCIAL ENGINEERING: attackers gain access to information/assets or damage the organisation by exploiting the social behaviour of staff, e.g. ‘meme’ emails can contain malicious code. Banning or controlling gifts reduces the threat.
89
Acceptable use policies
End-user code of practice: a document that defines the standard for the use of the organisation’s information and communications systems by employees. It is an adjunct to the contract of employment, protecting both the organisation and the individual from the actions of others (vicarious liability). The document can also help to protect staff from harassment or malpractice by employers and other employees.
90
vicarious liability
In law an organisation can be held accountable for the actions of its employees. Defence: show due diligence in informing and educating employees not to break the law or relevant regulations.
91
Acceptable use policy (document defining the standard for use of information and communications systems by employees): REQUIREMENTS
ACCEPTABLE USE POLICIES: management must make clear the level of infringement (e.g. misconduct, gross misconduct) for each offence; disciplinary steps must be clear and documented; staff should be consulted on the document to ensure fairness and understanding; include a policy briefing in induction training for full awareness.
92
Employment issues and employee rights
Right to privacy and right to know what information is held about them by the enterprise (GDPR allows individuals to make Subject Access Requests). EU employees have the right to know the type and scale of monitoring carried out by the enterprise and why; the extent of monitoring should be communicated in IA policies/the employment privacy notice. May need to gain individual consent. AN ASSESSMENT OF THE MONITORING STRATEGY SHOULD BE CARRIED OUT. Take CARE with PERSONAL information.
93
ASSESSMENT OF MONITORING STRATEGY SHOULD BE CARRIED OUT
To demonstrate that the monitoring techniques being used are justified, are not excessive and meet legal requirements, respecting employee rights.
94
If monitoring tools detect information that is clearly personal
Then care must be taken not to violate the individual's right to privacy. Employers must not access personal emails or accounts without consent; operational needs (e.g. accessing information while someone is on leave) must still respect privacy; staff should remove personal data from IT systems before leaving; balancing access and privacy is essential.
95
COVERT MONITORING
Against privacy rules, covert monitoring is rarely justified, except where there are clear grounds to suspect criminal activity or malpractice. Internal investigations may lead to an employment tribunal or court case, so the information collected must meet legal requirements (e.g. the UK's Freedom of Information Act).
96
PRIVACY
Barriers and boundaries that protect individuals from unwanted interference or monitoring. A FUNDAMENTAL RIGHT: it is essential that personal details are processed and used in an appropriate manner, following the legal requirements of the country concerned.
97
Do you need individual permission for personal data?
Laws and regulations allow individuals to give permission to, or withdraw permission from, those who require their personal data, with some exceptions for law enforcement and intelligence services, such as under the Regulation of Investigatory Powers Act (RIPA) 2000.
98
Transferring information between countries
Privacy laws restrict transfers between countries. The EU and UK GDPR state that personal information must not be transferred to countries that do not have similarly strict rules. Certain countries, such as Argentina, Canada, New Zealand and Switzerland, have already shown (at the time of writing) that they operate a data protection model comparable to the GDPR model (an "adequacy" finding), and there are no restrictions with these countries. More countries may follow suit over time. For other countries, safeguards need to be considered to enable trans-border data flows to take place legally. This includes any data sovereignty laws, which are common in Africa.
99
GDPR, MAY 2018
EU information privacy regulation (in force from 25 May 2018) that applied in the UK as part of EU privacy and human rights law and is now retained as UK GDPR. Large fines: up to 4% of annual global turnover or €20 million (£17.5 million under UK GDPR), whichever is higher, against violators of privacy and security standards. Google: £42 million fine for failing to make its consumer data processing statements easily accessible to users. BA: £20 million fine after hackers harvested the personal data of about 400,000 people.
100
GDPR seven data processing principles
**Lawfulness, fairness & transparency** – Data must be processed legally and openly. **Purpose limitation** – Data collected for specific, legitimate purposes only. **Data minimisation** – Only data necessary for the purpose should be collected. **Accuracy** – Data must be kept accurate and up to date. **Storage limitation** – Data kept no longer than necessary. **Integrity and confidentiality (security)** – Data must be secure against unauthorised access or loss. **Accountability** – The controller is responsible for, and must demonstrate, compliance.
101
GDPR seven data processing principles Lawfulness, fairness and transparency
LAWFULNESS: personal data must be processed lawfully, i.e. there must be a legitimate reason (lawful basis) for collecting and processing it, such as consent from the data subject. FAIRNESS: data processing must be fair to the individuals concerned; data subjects should not be misled about how their data is used. TRANSPARENCY: data subjects must be informed about how their data is collected, used, stored and shared, with clear, accessible information provided about data processing activities.
102
GDPR seven data processing principles Purpose limitation
Personal data should be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Organisations must clearly define why they are collecting data and ensure it is used only for that purpose.
103
GDPR seven data processing principles Data minimisation
The data collected should be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. Organisations should not collect more data than they need for their specific purpose.
104
GDPR seven data processing principles ACCURACY
Personal data must be accurate and, where necessary, kept up to date. Inaccurate data should be erased or rectified without delay. Organisations must take reasonable steps to ensure the accuracy of the data they hold and process.
105
GDPR seven data processing principles Storage limitations
Personal data should be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data is processed. Organisations should establish retention periods and securely delete or anonymise data once it is no longer needed.
106
GDPR seven data processing principles INTEGRITY & CONFIDENTIALITY (SECURITY)
Personal data must be processed in a manner that ensures appropriate security of the data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage. This requires implementing suitable technical and organisational measures to safeguard the data.
107
GDPR seven data processing principles ACCOUNTABILITY
The data controller is responsible for, and must be able to demonstrate compliance with, the other GDPR principles. This means organisations need to take responsibility for the data they process and be able to show how they comply with data protection regulations. This involves maintaining records of processing activities, conducting data protection impact assessments and having data protection policies in place.
108
GDPR.eu outlines the most important elements as
PERSONAL DATA; DATA PROCESSING; DATA SUBJECT; DATA CONTROLLER; DATA PROCESSOR
109
DATA CONTROLLER
The person who decides why and how personal data will be processed. If you are an owner or employee in your organisation who handles data, this is you.
110
DATA PROCESSOR
A third party that processes personal data on behalf of a data controller. The GDPR has special rules for these individuals and organisations.
111
DATA SUBJECT
The person whose data is processed. These are your customers or site visitors.
112
DATA PROCESSING
Any action performed on data, whether automated or manual. The examples cited in the text include collecting, recording, organising, structuring, storing, using, erasing … so basically anything.
113
PERSONAL DATA
Personal data is any information that relates to an individual who can be directly or indirectly identified. Names and email addresses are obviously personal data. Location information, ethnicity, gender, biometric data, religious beliefs, web cookies and political opinions can also be personal data. Pseudonymous data can also fall under the definition if it is relatively easy to identify someone from it.
114
GDPR and Brexit
Following Brexit (when the UK left the European Union), GDPR is now split into the EU GDPR and the UK GDPR, the latter sitting alongside an amended version of the Data Protection Act 2018.
115
DPA 2018
The Data Protection Act 2018 came into force on 25 May 2018 and updates UK data protection law to align with the GDPR. It gives comprehensive coverage to protect personal data and creates a specific data protection regime for the intelligence services, which is based on the standards in the modernised Convention 108 (the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data).
116
Scope of DPA 2018
The Act applies to all organisations processing personal data in the UK, including both automated and manual processing. The Act introduces four regimes: processing within GDPR scope, outside GDPR scope, by law enforcement, and by intelligence services
117
Purpose of DPA 2018
The Act aims to protect individuals’ personal data and give them rights over how their data is used. The previous Data Protection Act was outdated and did not account for modern technologies like social media and big data.
118
DPA
PRIMARY OBJECTIVE: ENSURE PROTECTION OF PERSONAL DATA OF INDIVIDUALS (DATA SUBJECTS) to provide them with certain rights concerning data. Applies to any entity that processes personal data within the UK, including both automated and manual data processing.
119
What does the DPA introduce into data protection?
Four distinct data protection regimes, each regulating personal data for a specific type or category of data processing: (1) within the scope of the GDPR; (2) outside the scope of the GDPR; (3) by competent authorities for law enforcement purposes; and (4) by the intelligence services.
120
DPA OVERVIEW
Certain organisations are required to appoint a DATA PROTECTION OFFICER; DPA 2018 places restrictions on transfers of personal data outside the EEA; personal data must be processed lawfully, fairly and transparently; the lawful bases for processing are consent, contract performance, legal obligation, vital interests, public tasks and legitimate interests.
121
DPA MANDATES
Data protection principles mandate that data must be processed lawfully, fairly and transparently; collected for specified, explicit and legitimate purposes; adequate, relevant and limited to what is necessary; accurate and kept up to date; retained only for as long as necessary; and processed securely. An organisation must demonstrate compliance with these principles, implement appropriate technical and organisational measures, and adopt data protection by design and by default. The Act includes additional provisions for special categories of personal data, such as data on racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetics, biometrics, health, sex life or sexual orientation, which require higher protection. It also includes provisions on the handling of criminal convictions and offence data.
122
Who enforces DPA 2018 compliance
The Information Commissioner’s Office (ICO) is the supervisory authority responsible for enforcing the DPA 2018. The ICO has the power to issue fines for non-compliance, which can be significant (up to £17.5 million or 4 per cent of the annual global turnover, whichever is higher).
123
AI ACT
In May 2024 the EU Council gave final approval to the EU Artificial Intelligence Act, which aims to establish a comprehensive legal framework for AI: it categorises AI systems by risk level, imposes stricter requirements on high-risk AI applications, and emphasises TRANSPARENCY, ACCOUNTABILITY and robust data governance practices to protect individuals' privacy and rights.
124
AI PRIVACY
The considerations and practices involved in ensuring that AI systems respect and protect the privacy of individuals. This encompasses a range of issues, including data collection, data usage, data sharing and data protection: HOW data is COLLECTED and HOW it is USED; ANONYMISATION and DE-IDENTIFICATION (removing PII from datasets); transparency and explainability in AI; security measures such as encryption, access controls and regular audits; mandatory compliance with GDPR and the AI ACT; ensuring AI systems do not perpetuate biases or discriminate (regular audits for bias and mitigation strategies); and giving users control over their own data, which is an ethical consideration that goes beyond legal compliance.
125
PII
Personally identifiable information. Anonymisation and de-identification techniques can protect privacy by removing PII from datasets, but they must be carefully applied to prevent re-identification: the attributes left behind (e.g. postcode, year of birth, gender) can still single out an individual when combined or linked with other datasets.
126
AI discrimination
ensure AI systems don't perpetuate biases/discriminate - regular audits for bias and mitigation strategies
127
Develop a business case for the implementation of an ISMS (justification). QUANTUM VIEW SCENARIO: a new start-up supporting quantum computing and quantum-resistant cryptography. Its reputation rests on security, so that it can bid for work with government agencies; an effective IA system is needed.
1. Risk Management Assess current risks: Help the board identify internal risks (e.g. staff mishandling data) and external threats (e.g. cyber-attacks, data breaches). Analyse impact: Explain the potential consequences of these risks, including financial loss, operational disruption, and reputational damage. Mitigation through ISMS: Show how an ISMS provides a structured framework to reduce these risks by improving controls, monitoring, and response capabilities. 2. Cost–Benefit Analysis Implementation costs: Present the financial and resource costs of setting up and maintaining the ISMS, including training, technology, and staff time. Cost of inaction: Highlight the risks of not implementing an ISMS, such as fines, legal costs, and reputational harm from data breaches. Return on investment (ROI): Demonstrate how the ISMS can lead to long-term savings, improved efficiency, and increased trust from customers and partners. 3. Regulatory Compliance and Reputation Legal obligations: Clarify how an ISMS supports compliance with laws and standards like GDPR and ISO 27001, helping avoid penalties. Reputation management: Emphasise how proactive security measures build stakeholder confidence and protect the organisation’s public image. Certification benefits: Explain the strategic value of formal ISMS certification, which can enhance credibility and open access to regulated markets.
128
1. If the accuracy of information is a major concern, which of the following would reflect that this is covered effectively? a. Confidentiality. b. Integrity. c. Availability. d. None of these.
B
129
2. When a user logs onto a computer system and is asked for their mother’s maiden name, which of the following aspects is the system ensuring? a. Accountability. b. Authorisation. c. Authentication. d. Applicability.
C
130
3. ISO/IEC 27001 is an international standard for information security. Which organisation is responsible for its maintenance? a. The British Standards Institute. b. The government of the country in which it has been implemented. c. The European Union Standards Committee. d. The International Organization for Standardization.
D
131
4. How should the implementation of an information assurance system be seen within an organisation? a. As a problem for the IS department only to sort out. b. As a problem on which the senior managers should make a decision but then leave it to others to deal with. c. As a whole organisation issue. d. As an issue where outside expertise is the best solution.
C
132
5. How should the use of an international standard for information security be viewed by senior managers within an organisation? a. As a good idea if there was the right organisation environment in which to implement it. b. As implementing best practice. c. As overkill unless there are very serious problems with assurance. d. As the pet idea of the IT director who thinks it will look good to shareholders in the next annual report of the organisation.
B
133
THREAT, VULNERABILITY, RISK, IMPACT examples
A threat is something that may happen and might cause an unwanted consequence. Large dark clouds mean a threat of rain, but rain may not be a threat to every individual; for some it may be an opportunity. Being without an umbrella is a vulnerability. Risk is the combination of the threat of rain and the vulnerability of not carrying an umbrella, e.g. a ruined hairstyle; combinations of circumstances lead to more serious risks. The impact could be a wet coat.
134
GANT SCENARIO (ENDANGERED NATTERJACK TOAD): THREE THREATS
Three threats These are areas where there is a potential for some adverse consequences if this threat should arise. In this scenario three threats might be as follows. 1. Information about members might be accessed by unauthorised people. 2. Information about the habitats of the Natterjack toad might be used by those who are not inclined to support its ongoing existence. 3. The website might be compromised with unofficial messages added to it
135
GANT SCENARIO (ENDANGERED NATTERJACK TOAD): THREE VULNERABILITIES
These are weaknesses in the system that might allow a threat to materialise. In this scenario and building on the threats given above, the vulnerabilities might be as follows. 1. The records of the members are maintained in a variety of ways including paper and unreliable computer systems. 2. The information about the toads’ habitats is maintained on an old internet-based server with very limited assurance in place. 3. There is no firewall between the website server and the internet
136
GANT SCENARIO (ENDANGERED NATTERJACK TOAD): THREE RISKS
Three risks. There is a large number of risks resulting from the threats and vulnerabilities listed above. Three of them might be as follows. 1. There is a risk that unscrupulous property developers might gain access to the personal details of members of GANT and take action against them or their property. 2. There is a risk that a habitat of the Natterjack toad might be destroyed by someone who is not interested in the existence of the animal. 3. There is a risk that someone might gain access to the code of the GANT website and change the messages to information that is offensive to those interested in nature conservancy.
137
GANT SCENARIO: the cost-effectiveness or cost–benefit analysis for such an implementation would include many areas. Three of the most significant, following on from the risks given above
1. Members of GANT could be injured, or their families and property adversely affected in some way. The cost of protecting the members and their families would be excessive and could not be found through the membership of GANT alone. 2. The cost of reintroducing Natterjack toads into the wild after their habitat has been destroyed would be very considerable. This could be the consequence (impact) of allowing unauthorised access to the details of the toads’ habitats. 3. GANT relies very heavily on the goodwill of other nature conservancy groups and donations from interested commercial companies. If they were embarrassed by the content of the website, they might reduce or withdraw their support for an organisation they saw as unprofessional and poorly organised. This could be devastating for the existence of GANT
138
threat vs vulnerability
A threat is something bad that could happen. It’s the potential danger—like a hacker, malware, or phishing email. A vulnerability is a weakness that makes it easier for a threat to succeed.
139
threat exploits a vulnerability??
threat exploits a vulnerability — not the other way around. 🔹 Simple Explanation: Threat = the danger (e.g. hacker, malware, phishing email) Vulnerability = the weakness (e.g. untrained staff, outdated software) The threat takes advantage of the vulnerability to cause harm.