3 INFORMATION SECURITY FRAMEWORKS Flashcards

(244 cards)

1
Q

Zero trust architecture

A

Zero trust architecture assumes that threats can originate both outside and inside the network. It emphasises continuous verification of user identity and device integrity, minimising access to only what is necessary.

2
Q

AI and machine learning ML

A

AI and machine learning are increasingly used for threat detection and response. These technologies can analyse large volumes of data to identify patterns and predict potential security breaches.

3
Q

Ransomware evolution

A

Ransomware attacks are becoming more sophisticated, with attackers often using double extortion tactics, where they not only encrypt data but also threaten to publish it if the ransom is not paid.

4
Q

Cloud security

A

Cloud security is about ensuring the security of cloud environments, as cloud adoption has grown almost exponentially. This includes securing data, applications and workloads across public, private and hybrid clouds.

5
Q

Supply chain attacks

A

Supply chain attacks are on the rise, with attackers targeting the software supply chain by compromising legitimate software updates or vendor systems to distribute malware.

6
Q

IoT

A

Internet of Things (IoT) security has become a requirement with the proliferation of IoT devices introducing new vulnerabilities. Securing these devices against potential threats is a growing area of concern.

7
Q

Extended detection and response (XDR)

A

Extended detection and response (XDR) solutions provide a holistic approach to threat detection and response by integrating multiple security products together, improving visibility and response times.

8
Q

Regulatory compliance and data privacy

A

Regulatory compliance and data privacy have come more into focus; due to stricter regulations such as GDPR and the Digital Operational Resilience Act (DORA), organisations are focusing more on compliance and protecting personal data to avoid hefty fines and reputational damage.

9
Q

Quantum computing

A

Quantum computing poses a potential threat to current encryption standards. Organisations are beginning to explore quantum-resistant algorithms to prepare for future security challenges.

10
Q

chief information security officer (CISO)

A

The CISO is a senior executive who defines the security posture and oversees all IT infrastructures. They establish the vision for the organisation’s security programme and direct the implementation of cybersecurity operations. CISOs do not normally sit on the board, but are part of the senior management team and support organisation strategy with secure, responsible growth.

11
Q

CIO

A

The chief information officer (CIO) is the highest position within an organisation that focuses on information. The CIO provides guidance and leadership to specialists and managers within their department by creating regulations for security procedures. The CIO also considers how data is used and processed, making sure it aligns the company’s technical strategy with its overall go

12
Q

information security manager

A

The information security manager is a leader who oversees information security measures within the organisation. They focus on ensuring the security strategy is implemented and supports the organisation. They will make recommendations to senior management and support the writing of policy and procedure. They also assure the organisation is compliant, from an information security aspect, with any regulation.

13
Q

information security analyst

A

An information security analyst gathers and assesses data to learn more about the organisation’s security profile. They can also work with other security and IT technology professionals to implement security measures and assess their performance. They can help support the selection and implementation of controls, including monitoring.

14
Q

cyber engineer

A

A cyber engineer is a technical employee with an in-depth understanding of computer networking and operating systems including security. They focus on implementing important security measures across the organisation, and may test and implement new security measures. They will work with incident response during and after events to help avoid further incidents.

15
Q

security architect

A

A security architect is an experienced cybersecurity individual who has knowledge across security domains. They maintain the security of an organisation’s IT and information security, working across cyber engineering, information security and IT. They can check designs provided by a solution architect to ensure they meet security requirements, and study existing implementations to identify vulnerabilities and create procedures to manage threats.

16
Q

Pentester

A

Pentesters undertake security checks on systems by exploiting any vulnerabilities they find. They essentially hack with permission from the organisation they have been contracted to undertake the pentest (penetration testing) for. They can test physical, system and web security. In addition to technical skills, pentesters need good written and verbal communication skills.

17
Q

SOC analyst

A

SOC analysts review incidents, from phishing through to system breaches, within a security operations centre (SOC). They analyse data from security systems and then undertake further investigation as required. They can be tiered depending on their skill level, such as levels 1, 2 and 3. They can work directly for the organisation or be part of a third-party SOC that supports several organisations. A SOC analyst is part of cyber defence, often known as the blue team.

18
Q

Several recognised standards

A

There are several recognised standards that provide guidance on how to manage assurance arrangements and responsibilities within an enterprise, such as the ISO/IEC 27000 series and the Information Security Forum (ISF) Standard of Good Practice for Information Security (securityforum.org/solutions-and-insights/standard-of-good-practice-for-information-security/). These standards can be adapted to fit individual enterprise requirements.

19
Q

There SHOULD BE someone with responsibility for the day-to-day management of IA issues.

A

This is to ensure that good IA practice is applied properly and effectively across the enterprise and for co-ordinating all assurance activities. This function should be a full-time role in larger organisations.

MANAGER of this function = the head of information assurance, the information security manager or the CISO.

20
Q

The information security manager needs to understand….

A

The information security risks that the enterprise may face, what controls are in place and where the enterprise may be vulnerable. This information must be communicated effectively to senior management (who have ultimate responsibility for IA).

21
Q

The main activities of the information security manager are:

A

* co-ordinating IA activities across the enterprise, including those delegated outside the team;
* co-ordinating the production of the security policy;
* communicating with users so they understand their IA responsibilities and are aware of potential threats to the enterprise;
* understanding the enterprise’s risk appetite and profile and how it may be evolving;
* monitoring the effectiveness of the enterprise’s assurance arrangements;
* reporting on the effectiveness of the assurance arrangements to senior management and suggesting improvements;
* providing expert advice on IA matters to the enterprise;
* creating a culture of good information exchange and assurance practices.

22
Q

Managing assurance responsibilities: which standards give guidance?

A

There are a number of recognised standards that provide guidance on how to manage assurance arrangements and responsibilities within an enterprise, such as the ISO/IEC 27000 series and the ISF Standard of Good Practice for Information Security. These standards can be adapted to fit individual enterprise requirements.

23
Q

Where should IA function be placed in the enterprise structure?

A

It depends on the enterprise’s culture and structure. IA might be in:
* the corporate compliance area;
* the IT group;
* a central facilities group.

24
Q

IA function in corporate compliance area

A

in some enterprises, the IA function is located within the corporate compliance area. This is common in enterprises or industries that have a strong compliance culture, such as banking or manufacturing.

25
Q

In effective IA assurance, reporting structures and roles should include...

A

To work effectively, reporting structures should include **dotted line responsibilities** to roles including, but not limited to, the chief risk officer (CRO), the senior responsible owner (SRO), the CIO, the senior information risk owner and the chief finance officer (CFO).

26
Q

IA function in IT group

A

In other enterprises the function is based in the IT group because many (but rarely all) of the controls to protect the enterprise are reliant on computer technology.

27
Q

IA function in central facilities group

A

Sometimes, the function can be placed within a central facilities group, since assurance responsibilities often span a number of management areas within an enterprise.

28
Q

Scope of IA function can vary:

A

* The assurance function may include responsibility for setting policy and direction but not for the actual implementation of the security control mechanisms, which then may be carried out by a separate area such as the IT department or local teams.
* Alternatively, the assurance or audit function can also have responsibility for the implementation of technical security controls and solutions and for conducting investigations and monitoring compliance.

29
Q

As a regulatory role, the IA function should be...

A

Positioned as part of a formal structure so that it can facilitate the full management and co-ordination of assurance matters across the enterprise.

30
Q

IA: Board/director responsibility

A

* One senior person should have overall responsibility for protecting the assurance of the enterprise’s information assets and be formally held accountable (a board member or the CEO as the SINGLE POINT OF ACCOUNTABILITY for IA).
* They need the ABILITY TO INFLUENCE: experience has shown that if senior support is not in place, assurance initiatives will probably fail.
* Some organisations have a CISO too.

31
Q

Some organisations have a CISO. The CISO is usually...

A

The CISO is usually the primary person responsible for the overall security strategy, policy and implementation within an organisation. The main responsibility of this individual is to ensure that appropriate assurance controls are implemented across the enterprise.

32
Q

Accountability for PLCs: which legislation?

A

There is an increasing quantity of UK and worldwide legislation and regulation that demands this level of accountability and responsibility, for example ‘Sarbanes–Oxley’ (USA) and the Companies Act (UK). The Turnbull Report in the UK states that a board member for a public limited company has to be responsible for ensuring adequate service continuity requirements are in place to prevent the enterprise going out of operation after experiencing a major problem.

33
Q

Other legislation on IA accountability within the UK and Europe?

A

The more recent legislative addition has been the European Union’s GDPR, incorporated into UK law alongside the DPA of 2018, which tailors how the GDPR applies in the UK. Another piece of European legislation, the Network and Information Systems (NIS2) Regulations 2018, has a wide-ranging effect on organisations that are classed as ‘operators of essential services’ (OESs) and ‘relevant digital service providers’ (RDSPs).

34
Q

If these measures are not appropriately implemented (e.g. under GDPR)...

A

That responsible person could perhaps face a custodial sentence or, in the case of GDPR, huge financial penalties that could be disastrous for an organisation.

35
Q

High-level working group

A

The director should establish and chair an ongoing high-level working group to co-ordinate assurance activities across the organisation, to ensure adequate assurance measures are in place to protect the organisation to an acceptable and agreed level of risk, often referred to as the organisation’s risk appetite.

36
Q

Working group: The group should meet regularly in order to ensure that the protection of information is being managed effectively and that controls are in place to reduce risk to an acceptable level. This includes:

A

* ensuring that assurance is included in the enterprise’s overall planning activities;
* approving and prioritising assurance improvement activities;
* reviewing assurance performance and changes in threats to assess whether the risk profile of the enterprise has altered;
* assessing the effectiveness of policies, procedures and controls to engender an environment of continual improvement in them;
* ensuring that all legislation and regulatory requirements are being met in an appropriate and effective way;
* approving policies, standards and procedures that relate to IA;
* acting as evangelists for assurance within the organisation by emphasising its importance to colleagues.

37
Q

Is the working group responsible for the level of risk?

A

The director will normally delegate authority for the development of IA initiatives and responsibilities either to individuals within the working group or to other members of the organisation. **However, the director will be ultimately accountable for achievements or failures.**

38
Q

The working group SHOULD BE made up of...

A

A steering committee or security forum should be made up of a cross-section of individuals from the enterprise, either stakeholders in assurance or those with responsibilities for it. It should include:
* LOB managers, to ensure assurance arrangements meet their organisational needs;
* the information security manager;
* representatives from vested parties (internal audit, HR, physical security, head of IT, outsourcing partners).
It should meet regularly.

39
Q

LOB

A

Line of organisation (LOB) managers or departmental heads, to ensure that assurance arrangements meet their organisational demands.

40
Q

Responsibilities in IA

A

* Must be clearly defined for roles, and teams must understand their role in delivering the overall IA function.
* Should reflect the enterprise IA policy and current legislation.
* Reviewed regularly to remain current; supplemented with additional guidance.

41
Q

What should be clearly defined so that roles and teams understand their role in delivering the overall IA function?

A

* the scope of their responsibilities and level of authority;
* the processes they should be following to carry out their responsibilities;
* the procedure they should carry out to report and deal with any security breaches;
* understanding confidentiality/non-disclosure constraints;
* requirements for regular reporting;
* what happens if they leave the organisation;
* what happens if they breach the agreed terms and conditions.

42
Q

Where the IA function does not constitute a full-time role, it is important that those engaged in carrying out assurance activities are given...

A

A clear mandate by senior management to do so, and that the work is included as a formal part of their objectives. These individuals **must have sufficient skills and tools** to be able to carry out these tasks and **may need training and support** to acquire the necessary knowledge and **fully appreciate the critical nature of protecting information assets**.

43
Q

Local security co-ordinators

A

* ‘Eyes and ears’ at a local level, to ensure that security policies are followed and to identify any security vulnerabilities or breaches.
* Feedback to security managers on existing assurance processes and controls, identify risks and help propose new controls.
* Larger organisations: regional or office locations.
* GDPR states requirements: an organisation must have a designated office or point of contact within the EU if it comes under the jurisdiction of the legislation.

44
Q

User responsibilities

A

Anyone with access to information assets within the organisation will have a level of personal responsibility for assurance. USER RESPONSIBILITIES **need to be clearly set out** in an **acceptable** information **use policy** and bolstered by **education** so that they can help to protect against risk.

45
Q

Individuals may have specific responsibilities for a particular application or system, and in this case their responsibilities are best expressed in the _______

A

system operating procedures.

46
Q

Outsourcing: third-party assurance responsibilities

A

Should be included in contractual terms and conditions, and should include appropriate auditing and monitoring arrangements.

47
Q

Any information assets within an organisation should be associated with ____

A

**An owner of that information** (i.e. head of department, organisation manager or process owner) who understands its importance to the enterprise and the resulting negative impact if its confidentiality, integrity or availability is compromised. This will help to ensure that adequate controls and procedures are put into place.

48
Q

Statutory, regulatory and advisory requirements

A

Requirements can arise from a variety of bodies such as the police, utility companies, government, trade regulatory bodies or telecommunications suppliers. They may be statutory, regulatory or advisory.

49
Q

Statutory requirements

A

**Legal requirements that must be fulfilled.** For example, law enforcement agencies must be contacted should certain laws be broken or where they are suspected of being broken – the download of indecent images of children would be such a case in many countries. Compliance with these requirements may influence how an enterprise’s incident reporting procedures are organised; for example, how, when and by whom the authorities should be contacted. Privacy legislation such as the GDPR will influence how information is stored and managed within the enterprise and how resources are deployed to ensure that the enterprise complies with this legislation.

50
Q

Regulatory requirements

A

**Often imposed by trade bodies, and these specify how an enterprise should operate to conform to certain standards.** Although they are **not legal obligations**, regulatory bodies have extensive powers and failure to comply could lead to possible fines or, in extreme cases, exclusion from trading in a particular environment. The finance sector is a good example of this as it maintains strict controls to prevent financial malpractices such as fraud or money laundering – official bodies, such as the FCA within the UK, have far-reaching powers. Another example of a regulatory authority in the UK with significant powers is the government agency on health and safety in the workplace. In terms of information, the ICO in the UK is the lead body for setting standards and then enforcing them across all sectors, and also acts in an advisory role to other regulatory bodies – some termed ‘competent authorities’ under the Network and Information Systems (NIS) regulations – who have to concern themselves with IA. Some of these regulatory requirements support or supplement statutory requirements in certain organisation operations.

51
Q

Advisory requirements

A

**Advisory requirements** may arise from government agencies or utility companies and **provide advice** as to what arrangements should be put into place to help cope with instances such as fires, natural disasters and acts of terrorism. These requirements are not legally binding and are generally issued to help encourage best practice.

52
Q

By understanding the requirements of the emergency services, utility companies and government agencies, enterprises can ______

A

By understanding the requirements of the emergency services, utility companies and government agencies, enterprises can design their contingency plans and incident management processes and procedures more effectively.

53
Q

Who provides specialist security information advice and expertise to the enterprise?

A

Those involved in the security function should provide this, and should have current knowledge.

54
Q

Should security function workers know everything?

A

They need awareness of industry trends, changes to threats, new control measures, analysis of risk, legislation and compliance requirements and the latest technological developments. It is an ongoing process. It is not necessary to have all the answers, but it is essential to be in a position to know where to find this information or to have access to someone with this specialist knowledge as and when needed, e.g. networking, security forums, IA peers, websites/groups, collaboration, early warnings of possible attacks and vulnerabilities, training courses.

55
Q

When do we need external security services?

A

Larger IA functions support larger teams, but it can be cost-effective to buy in specific expertise that is too expensive to maintain in-house, e.g. forensic analysis or security penetration.

56
Q

Pentesting: who?

A

If external, look for accreditation. UK: the Council of Registered Ethical Security Testers (CREST) provides assessments of companies providing security testing services and of individual testers. The NCSC established the Certified Cyber Security Consultancy scheme, which certifies competent independent consultancy companies that offer information or cybersecurity advice and guidance.

57
Q

Who might give advice in the UK?

A

The NCSC established scheme, Certified Cyber Security Consultancy, which certifies competent independent consultancy companies that offer information or cybersecurity advice and guidance.

58
Q

A key factor for success is ensuring that everyone that accesses the enterprise’s information knows what is expected of them. How is this achieved?

A

Having in place clearly defined assurance roles and responsibilities, and up-to-date security policies, standards and procedures, will eliminate any ambiguities. They do need to be clearly communicated and be readily accessible. For example, assurance responsibilities should be included in employee job descriptions and form part of third parties’ contractual conditions. All users need to understand clearly what will happen if they do not follow IA policies and that senior management will be involved should the rules be breached. Regular awareness campaigns reinforce this.

59
Q

Which employees need to know what the organisation does to secure information assets?

A

An organisation requires their employees and third parties to use, manipulate and interpret information and requires their co-operation to ensure that the information assets are accessed in a secure and responsible manner. **All users need to know what the enterprise expects of them with regard to this.** Policies, standards, procedures and guidelines provide this guidance.

60
Q

Who has the overall responsibility for protecting the assurance of the organisation’s information assets and is formally held accountable to ensure that appropriate security controls are implemented across the organisation?

A

One senior person/director. They are supported by a working group.

61
Q

Why should you involve senior management in the IA assurance process?

A

Involving senior management will help to endorse the governance process, ensure that adequate resources are made available, ensure that controls are implemented effectively and that any identified security gaps are addressed.

62
Q

POLICY

A

A policy is a **high-level statement of the organisation’s values, goals and objectives in a specific area, and the general approach to achieving them**. Although they should be **regularly reviewed**, policies should hold good for some time as they are **not intended to provide either detailed or specific guidance** on **how** to achieve these goals. For example, a policy might say that each user is responsible for creating and maintaining their system passwords – although it does not say exactly how to do this. **Policies are mandatory.**

63
Q

STANDARD

A

More prescriptive than a policy. It **quantifies what needs to be done and provides consistency in controls that can be measured**. For instance, passwords must contain a minimum of eight characters, be a mix of numbers, letters and special characters and be changed if compromised or for other similar reasons. **Compliance with standards is also mandatory.** They should support policy and state what ‘must’ be done and how it should be achieved. Standards can be either general (e.g. handling sensitive information) or technical (e.g. encryption of data), but they should always relate to a specific subject.

64
Q

PROCEDURE

A

A procedure is a set of detailed working instructions and will describe what, when, how and by whom something should be done. Again, they are obligatory and should support enterprise policies and standards.

65
Q

GUIDELINES

A

Guidelines are not mandatory, but can provide advice, direction and best practice in instances where it is often difficult to regulate how something should be done (e.g. working practices when out of the office).

66
Q

Whether producing policies, standards, procedures or guidelines, these documents should always be...

A

* clearly written, concise and unambiguous;
* free of complex jargon and acronyms;
* positive rather than negative ‘do not’ rules (which get less response);
* documenting a clear and well-defined subject area within their scope for the target audience (e.g. ‘this policy applies to all employees in the UK’);
* endorsed by senior management, with clear ownership for **follow-through**;
* realistic and enforceable (are exceptions allowed?);
* consistent and compliant with the law;
* regularly reviewed.

67
Q

TRUE OR FALSE: every organisation should have a (high-level) assurance policy that states the organisation’s commitment to IA and what it expects to be done to protect its information assets.

A

TRUE

68
Q

A security policy is a strategic statement of the organisation’s approach to assurance and sets out the formal organisational stance on assurance matters for everyone to see. This security policy should contain statements on:

A

* how the organisation will manage IA;
* the protection of information assets in accordance with their criticality;
* compliance with legal and regulatory obligations;
* the means by which users will be made aware of IA issues and the process to deal with breaches to policy and suspected assurance weaknesses;
* that the policy has the support of the board and chief executive.

More detailed guidance on what to include is in the ISO/IEC 27000 series and the ISF Standard of Good Practice for Information Security. The high-level security policy should be signed off by the director responsible for IA. It should be available to all individuals with access to the organisation’s information and systems, both internal and external, in a format that is readily understandable and accessible by the user.

69
Q

Do third parties need to see the security policy?

A

Third parties often require access to an enterprise’s information assets in terms of processing information, offering support, providing services or processing facilities. It is important to ensure that there is no misunderstanding between the enterprise and the third party over what controls are to be put in place to protect the enterprise’s information assets. **Policies, standards and procedures should be extended to third parties where relevant, and specific policies may need to be written to cover third-party arrangements.** These should be included within the terms of a contract. **Access should not be given** to an external entity **until** the enterprise can be **assured** that the appropriate controls have been put in place and that the third party has formally confirmed that they understand their obligations and accept their responsibility to comply.

70
Q

Agreements with third parties should include the enterprise’s assurance policy. Again, the ISO/IEC 27000 series and the ISF Standard of Good Practice for Information Security contain guidance on the type of controls that should be considered for inclusion in third-party agreements, but typically they should include the following arrangements:

A

* management of changes to the application/facility/service/resource;
* the right to audit and monitor assurance arrangements within the third party;
* notification and investigation of assurance incidents and security breaches;
* the timely sharing of relevant cybersecurity information and knowledge;
* recruitment of employees.

Care should be taken that sensitive information is not disclosed to or by third parties, and policies should reflect demands on the third party for confidentiality and non-disclosure of information. The third party may, in the process of delivering the service, use further subcontractors or service providers. It is important, therefore, to ensure that any policies, standards, procedures and guidelines are applied to them too, and this can be controlled in the contract.

71
Q

Should third-party subcontractors have/follow the security policy?

A

The third party may, in the process of delivering the service, use further subcontractors or service providers. It is important, therefore, to ensure that any policies, standards, procedures and guidelines are applied to them too, and this can be controlled in the contract.

72
Are operational controls flexible?
There will, however, always be exceptions, and these need to be handled in a consistent manner by having a policy and process in place. This might simply involve informing a senior colleague of the issue and the proposed course of action to deal with the issue in the short term.
73
policy rules may be circumvented or ignored?
Occasionally, due to time pressures, or perhaps because of expediency, policy rules may be circumvented or ignored. Ignorance or a failure to properly understand the policy will prevent compliance, and in these instances users will not understand the risks to their information assets and are very unlikely to be fully aware of the threats to them. Policies and procedures rely on individuals knowing that the policy exists and understanding what the policy expects of them as well as their agreement to comply with it. So, policy controls have limitations.
74
End-user code of practice
high-level security policy should be bolstered by an end-user code of practice or acceptable use policy that provides a readily accessible way of communicating requirements to end users.
75
Acceptable use policy
An acceptable use policy demonstrates the organisation’s commitment to IA and must be approved by the director responsible for IA. It should be published for all users that need to access the organisation’s information management systems and include all employees (permanent and temporary, full- and part-time), contractors and third parties.
76
The acceptable use policy should detail what is expected from users to protect the organisation’s information assets. Elements that may be included in this policy are:
*ensuring that user passwords and PINs are protected appropriately and are not compromised; *ensuring that users only access information, facilities or equipment for which they have the designated organisational need and requisite authorisation; *logging-off from systems when leaving a workstation unattended; locking away sensitive documentation and media when not in use (as part of a clear desk policy, for example); *use of personal devices such as mobile phones and tablets; *ensuring that all security incidents are reported. *An acceptable use policy can also include general statements regarding **behaviour in the workplace**, such as making it unacceptable to make any sexual, racist, obscene, discriminatory, harassing or other offensive statements regardless of the method used to transmit such statements (email, instant messaging, telephone, text, paper or spoken word). *All conditions of employment for permanent or contract employees should contain a statement that compliance with the enterprise IA policies is mandatory. *To avoid vicarious liability, the policy should also include statements that specify that users must comply with all appropriate legal and regulatory requirements placed on the organisation.
77
Consequences of policy violation
Anyone accessing the organisation’s information assets needs to know what the consequences of a policy violation are, and this should be clearly stated in the policy, standard or procedure. Appropriate processes should be established for reporting and dealing with violations so that they are dealt with in a consistent manner. These processes should be documented and agreed with the relevant stakeholders when the documents are produced. Extreme cases: employee disciplinary process, termination of a supplier contract or report to a law enforcement agency.
78
Is policy violation always serious?
However, it is a waste of time having a policy in place unless the organisation is prepared to enforce it. Senior management, and those that have to enforce the rules, need to support the processes to deal with any violations. If violations have not been dealt with appropriately, or have been ignored by line management, then this should also be considered as a violation of policy and treated seriously.
79
Why Review, evaluation and revision of security policy?
To remain current, relevant and effective, policies should be reviewed regularly.
80
When Review, evaluation and revision of security policy?
Reviews should take place after any significant changes to either systems or resources or as part of a regular review schedule (e.g. annually).
81
How Review, evaluation and revision of security policy?
A management review process should be established to ensure that policy reviews take place in an organised and timely manner. The review schedule should identify all the people to be involved and a formal record kept of any revisions made – with an explanation as to why content has been incorporated, altered or removed. Senior management should then approve the final version of any amended documentation.
82
Who Review, evaluation and revision of security policy?
The review should involve all the main stakeholders, including external parties and, where applicable, regulatory authorities.
83
Review, evaluation and revision of security policy: The review should focus on factors that might influence or trigger possible amendments, such as:
* changes to technology, processes, organisation, resource availability or working practices;
* changes to contractual, regulatory or legal requirements;
* changes in threats and vulnerabilities;
* results, actions and recommendations from any assurance reviews or audits;
* findings and recommendations from either incidents or previous assurance breaches, or where there is evidence of non-compliance with the policy.
84
After completing Review, evaluation and revision of security policy
Once the review has been completed, the revised policy should be communicated effectively to the relevant users, both internal and external to the organisation. This process should also be used for the maintenance of all other assurance documents, such as security standards, procedures and guidelines.
85
independent assurance audits and reviews
Regular independent assurance audits and reviews should be carried out across the organisation to ensure that its information systems are compliant with existing security policies, standards and controls. Possible vulnerabilities to these systems can be checked and the effectiveness of existing controls can be tested.
86
Benefits of Audits?
Audits and reviews provide a good opportunity to understand how well things are working within the enterprise and provide senior management with valuable information on the assurance of their environment.
87
How often Audit?
Audits and reviews should be carried out periodically or when a significant change (e.g. a system upgrade, new threat or vulnerability, a change of risk appetite, etc.) has occurred.
88
Who does Audits/reviews?
To introduce a measure of impartiality into the review, it should be carried out by an **independent party**, which will also bring a fresh set of eyes to it. Ideally, a member of an **audit team** or a manager that has no conflict of interest in its outcome could do this. Alternatively, reviews can be carried out by a third party such as an external auditor or a consulting company.
89
Who can perform a technical review?
* specialist knowledge in areas such as penetration testing, with experience of similar
* sufficient expertise
* verify their abilities before commencement
* technical testing should only be carried out by recognised and approved technicians and engineers
* CV and background checks
90
A programme of IA audits and reviews should be introduced by senior management. Scope?
* Senior management should introduce a programme of IA audits and reviews
* Scope and deliverables agreed by senior management and the area owner
* Scoping exercise must be completed before starting
* A checklist should be developed to measure assurance control effectiveness
* Outputs must show whether controls (e.g. policy, standard, procedural or technical) are correctly implemented and effective in reducing risk to an acceptable level
91
Third-party auditors: must-dos
* Access rights for auditors/reviewers should be restricted to need-to-know
* Access should be monitored/logged to create a reference trail
* Read-only access to isolated system copies
* Restrict audit tools to prevent misuse or data compromise
* Consider legal implications of third-party access to sensitive data
* Dispose of audit outputs (e.g. reports, scripts) securely
* NDAs for sensitive information
* Plan in advance to avoid operational disruption
* Penetration tests may cause unexpected system activity
* Follow change management to inform affected parties
92
Audit/review report
* Audit/review results should be recorded in a formal report
* Report presented to senior management and the area manager
* Agree a corrective action plan with timescales
* Monitor the plan regularly to track progress
* Add identified risks to the central information risk register
* File all documentation securely for future reference
93
Checks for compliance with security policy: why?
* Carry out regular checks for compliance with policies, standards and procedures
* Checks confirm control adequacy and relevance
* Gauge user understanding and awareness of responsibilities
* Lack of checks leads to reduced user regard for controls
* Assurance weakens if users know monitoring is absent
94
If an instance of non-compliance has been identified, then....
* Investigate the cause of non-compliance (e.g. training, misunderstanding, disregard)
* May result from unrecognised process changes
* Decide appropriate action to prevent recurrence
* Action should match the severity of the non-conformance
* Minor issues may be handled informally
* Major issues (such as widespread password sharing) need a formal response
* Corrective actions should be reviewed for implementation
95
After a compliance check...
* Record results of compliance checks in a formal report
* Report serious non-compliance to senior management
* Use findings to inform future policy reviews
* Check licence use complies with purchase terms
* Aim is continual improvement of IA posture
* Reduce risk of breaches and incidents
96
The Sarbanes–Oxley Act
was introduced in 2002 following a number of high-profile financial accounting scandals in the USA. The EU’s governance legislation was revised in 2004 via the Companies (Audit, Investigations and Community Enterprise) Act, which has been implemented across the member states and has replaced most of their local company legislation.
97
Senior management and any regulatory or compliance bodies need to have access to sufficient information to be able to demonstrate compliance. To do this, the following types of information need to be made available:
* high-level risk assessments for the enterprise and critical systems
* risk register showing identified risks and their management
* up-to-date security policies with a review process
* register of any dispensations from policies
* results from assurance, security and compliance reviews
* reports of breaches/incidents and actions taken
* plan to address compliance weaknesses
* present information in a regulator-acceptable format
* use a repeatable process to save time and reuse controls
* may form part of the enterprise IA policy
98
COMPLIANCE: there are various models (comprising a methodology, structure and processes) that can be adopted by an enterprise to provide this level of information. All the models tend to be based upon the principles of implementing a formal control process for:
* understanding risk and identifying the control requirements to reduce it to an acceptable level
* implementing and monitoring security controls
* periodically re-evaluating risk and control effectiveness
* supporting continual improvement
* models include ISO/IEC 27001, SOMA and COSO
* ISO/IEC 27001 uses the PDCA (Plan, Do, Check, Act) cycle
* other standards include NIST and PCI DSS
* develop a repeatable process for reporting compliance
* reuse controls across regulatory groups
* may form part of the enterprise IA policy
99
SOMA
SOMA, produced by the Institute for Security and Open Methodologies, provides a framework for measuring the operational security and management process and is structured in maturity levels that can be adapted to work at different levels of assurance maturity within the enterprise as well as being used with other standards.
100
COSO
COSO, produced by the Treadway Commission, provides a framework for evaluating effectiveness of assurance by establishing a set of objectives for assurance control and measuring against them. This is often used for testing the effectiveness of accounting controls.
101
PCI DSS
NIST standards are generic; others are targeted at specific industries or activities, such as the Payment Card Industry Data Security Standard (PCI DSS) requirements that govern the acceptance of payment cards.
102
ACTIVITY 3.1 After the recent loss of information, Chris Brown is concerned that he needs to demonstrate to the regulators and external auditors that good assurance controls are in place within Quantum View. How would you provide him with evidence to demonstrate that assurance is being managed effectively?
103
Protection of data
Classification systems are an effective security countermeasure.
104
Data might be in what formats?
INFORMATION ASSETS
* magnetic, such as external disks, USB sticks, magnetic tape, tablets, mobile phones, digital cameras;
* optical media, such as CD, DVD and even still microfiche;
* paper, such as handwritten notes, printed files, punched tape, blueprints and plans;
* data on Wi-Fi and radio frequency networks;
* physical – some devices may have a protective marking because of their design or content;
* email, texts and the myriad social media platforms such as Facebook, TikTok, LinkedIn, Instagram and X.
105
information assets "value"
Value to the organisation derives from the IMPACT on the organisation or people if the contents became known to a competitor, a foreign country or the public. Impact ranges from negligible to ‘grave impact on national security’ (for a government) or ‘major loss of goodwill’.
106
Government and commercial organisations tend to use different classification terms. The UK government at the time of writing has three levels of classification:
top secret; secret; official.
107
agreed impact system
All such assets need to be identified and valued against an agreed impact system; it is another form of risk assessment.
108
Asset classification OFFICIAL
Official is the lowest level and covers the majority of information that is created or processed by the public sector and organisation operations and services, some of which could have damaging consequences if lost, stolen or published in the media, but not to heightened levels.
109
Other governments, such as the USA, may include classifications such as:
Confidential; restricted; protected; unclassified. Details of what these levels mean and how information should be handled can be found on the various government websites.
110
Commercial organisations may have an asset classification system such as:
highly confidential; confidential; internal only; public or open.
111
Once assets are classified, then...
Once values have been assigned, a set of **rules for handling and distribution of each classification of information must be drawn up to define their use**. The most fundamental guideline is universally referred to as the **need-to-know principle** – information should not be made available to people who do not need to know it. The fewer people that are aware of the knowledge, the easier it is to protect, yet that also presents a challenge in that enough people need to know to make best use of the information.
112
Chinese or ethical wall
For example, in finance the concept of the ‘Chinese’ or ethical wall is used to guard against conflicts of commercial interest and insider dealing of shares. The trick is understanding where the ideal balance point lies for each piece or type of data.
113
How would data of the internal only variety be protected?
Probably sufficiently well protected by the normal identification and authentication (ID&A) mechanism for the system, the standard organisation rules and the locks on the doors of the building.
114
How would data of TOP SECRET variety be protected?
Data that is ‘top secret’ is often required to be kept in strong safes inside heavily guarded buildings, must be handled in strictly defined ways and can only be accessed by people who have been through an extensive security screening process.
115
DATA CAVEATs In addition to these protective markings, data can also be given ‘caveats’. These are additional markings that define a finer layer of protection and discretion. Some examples are:
* ‘Human resources only’ – employee files with sensitive personal data
* ‘Board member eyes only’ – restricted to board members
* ‘Commercial in confidence’ – not for competitors
* ‘Confidential until …’ – protect information until a launch/campaign date
* ‘Intellectual property’ – subject to NDAs, may relate to patents
116
Once information given security classification..
it automatically imposes certain constraints on the methods that can be used to process, store, transmit, dispose of or otherwise deal with it. These conditions are imposed on anyone who may come into contact with that information.
117
INFORMATION ASSURANCE PROGRAMME IMPLEMENTATION
PLAN: make clear to senior management how the assurance programme helps reduce risk and supports initiatives; it must be realistic, value for money and fulfil agreed objectives, based on a prior risk assessment. Tactical and strategic; identify where the quick wins are, the cost and the risk appetite. HOW: benefits, controls/effort needed. WHO: who is accountable, tracking, cost/timescales; there should always be an SRO (sponsor) and a steering committee. REVISIONS: cuts, progress; deliverables kept manageable, reviewed and tracked with meetings and alterations.
118
steering committee
A steering committee should be set up to track the success of the programme and deal with any issues that arise. Resources and budget will need to be secured before the programme starts.
119
How to present information assurance programmes as a positive benefit
Present the benefit to the enterprise as a whole and to the particular interests of management; show how it adds value to the organisation; include stakeholders early on; establish shared goals; show the benefits from their investment and how they can support the programme; explain the causes and potential impacts of risks so that an informed decision on ROI can be made.
120
ROI
Return on investment (ROI)
* ROI is used to justify assurance spend and gain budget approval
* Balance the cost of controls against potential incident costs
* A positive ROI supports the case for implementation
* Demonstrates the financial value of assurance controls
* Assurance can offer competitive advantage
* Helps present assurance as a positive investment
121
information security strategy
A plan to transform the assurance function to an improved state: a road map or vision. The strategy’s time period should be long enough to make it possible to implement significant change, yet bounded by the pace of changes in technology (3–5 years).
122
An information security strategy has the elements of an implementation programme but covers a longer period of time and is pitched at a much higher, less detailed level. It should demonstrate how it will enable the enterprise to achieve its objectives and how it will protect it against current and future threats. It should consider:
* Assess the current assurance state, its strengths and weaknesses
* Consider the changing risk profile from evolving objectives/practices
* Include threat/vulnerability trends and incident types
* Account for software/hardware developments
* Include legal, compliance and audit requirements
* Identify cost-saving opportunities
* Use concise, non-technical language
* The strategy should be reviewed and updated regularly
* Shows IA maturity and commitment to governance
* External pressure (e.g. regulation) may require a strategy
123
information security architecture
The architecture translates organisation requirements for assurance into a set of controls that can be used to protect the enterprise’s information assets. It provides a COMMON and CONSISTENT framework across the enterprise and across systems, with layers of detail of controls. It works on PRINCIPLES, e.g. ‘auditing and monitoring controls will ensure that the organisation complies with security policies and legal obligations’. A framework of assurance controls is easily adaptable and repeatable, reducing time and lowering costs. It supports defence in depth and defence in breadth (the latter through CoCo).
124
defence in depth
Layers of security can be implemented such that only the most valuable or sensitive information is afforded the highest protection, a pattern for security sometimes called the onion model.
125
Defence in breadth
Defence in breadth can also be covered by information security architecture if the bounds of the organisation are extended, in terms of the information security aspects at least, to include key partners and suppliers. This would mean an organisation setting out their terms and conditions for the security of connections of systems and other logical interactions. These are sometimes referred to as code of connection or CoCo.
126
domains
Components within the enterprise with similar security requirements can be grouped together into ‘domains’ so that common sets of security controls can be developed to protect them. For example, all enterprise systems with web-enabled interfaces can use the same domain controls. The term ‘services’ is used to describe the type of controls that will be used to protect these components.
127
Services
The term ‘services’ is used to describe the type of controls that will be used to protect these components known as domains.
128
Assurance governance processes will identify where existing controls are inadequate and where improvements need to be made. This may be through
the reporting of assurance breaches or via auditing or testing of security controls. Governance processes will also determine changes in regulatory or legal requirements that may require additional controls to be put in place.
129
FEDERAL GOV
Countries that have some form of federal government will have multiple levels of law – such as in the USA, Australia, Canada or Switzerland, where there are local state laws that are subject to national or federal laws.
130
EU laws
Within the EU, there are European directives (agreements between the member states) that have been produced to harmonise pieces of legislation across member states. Each country has to incorporate the legislation into their own legal system, and this can result in subtle yet significant differences as each country interprets the directives in their own way.
131
The ISO/IEC 27000 series provides organisations with guidance regarding compliance with legal requirements and covers the following areas:
intellectual property rights; protection of records; data protection and privacy of personal information; prevention of misuse of information processing facilities; regulation of cryptographic controls.
132
Personal data laws EU vs USA
The EU has a legal framework via the GDPR to protect all types of personal information, whereas the USA protects personal information via a number of federal statutes. In the EU, any protection ceases at the time of death. The US statutes cover specific areas: protection of customer information by financial institutions (via the Gramm–Leach–Bliley Act, GLBA) or preserving the privacy of medical information (Health Insurance Portability and Accountability Act – HIPAA).
133
In the UK, the individual has a right to a level of privacy, protected by legislation, which restricts how their personal information can be monitored or intercepted.
UK’s Public Records Acts of 1957 and 1967. Within the UK, the RIPA 2000 was enacted to restrict covert monitoring of an individual’s information. It was introduced to take account of new developments in communications technology, the Human Rights Act and the Telecommunications Directive.
134
Legal accountability
Legal accountability in an organisation refers to the obligation of the organisation and its members to comply with laws, regulations and ethical standards, and to be answerable for their actions.
135
Corporate governance
is overseen by the board of directors, which is responsible for ensuring the organisation adheres to legal standards and ethical norms. This includes establishing internal policies and procedures that align with legal requirements and promote ethical behaviour.
136
Compliance with laws and regulations involves
Compliance with laws and regulations involves adhering to local, national and international laws relevant to the organisation’s operations, including employment laws, environmental regulations, data protection laws and industry-specific regulations. Organisations develop and implement comprehensive programmes to ensure ongoing compliance with applicable laws and regulations.
137
UBER CASE STUDY
Driver classification: Uber labels drivers as contractors, avoiding employee benefits
Legal challenges: Lawsuits argue drivers should be employees due to Uber’s control
California AB5: Aimed to reclassify gig workers as employees
Proposition 22: Uber-backed law allowing contractor status with limited benefits
Regulatory issues: Faced fines and bans over licensing and safety compliance
Labour rights: Ongoing demands for better pay, security and conditions
Data breach (2016): Mishandled user data led to legal and regulatory action
Impact: Sparked debate on gig economy laws and corporate accountability
Ongoing influence: Uber’s case shapes future regulation and worker protections
138
Computer misuse USA UK EU
The USA introduced the Computer Fraud and Abuse Act in 1984, and this legislation has since undergone several amendments. The UK was the first European country to enact a law that specifically addressed computer crime, the Computer Misuse Act (CMA) 1990, and this legislation formed the basis of the EU Directive on Computer Misuse.
139
The Computer Misuse Act (CMA) 1990
Introduced three new offences: unauthorised access to a computer; unauthorised access with the intent to commit or facilitate further offences; and the unauthorised modification of computer material.
140
The misuse of computers can include:
* illegal access (hacking) to computer systems;
* illegal interception of information;
* interference with information and systems;
* computer-related fraud and forgery;
* commercial infringement of copyrights;
* download of illegal material such as indecent images of children;
* trafficking in passwords, digital signatures and encryption keys.
141
Computer fraud
The term used to describe stealing money or goods by using or involving a computer, e.g. by entering incorrect information or altering information, or by creating or altering computer code.
142
Organisation fraud
Now one of the most common ways of criminals making money from organisations. In a sponsored report researched and written by Dr Mike McGuire in April 2018, titled Web of Profit, Dr McGuire estimated that the theft of intellectual property (IP) and trade secrets alone generates US$500 billion each year for the criminals.
143
phishing
Criminals entice individuals to disclose their financial details, e.g. via an email purporting to come from their bank or from senior staff: **obtaining information by deception.**
144
Hacking
Accessing a computer system without the express or implied permission of the owner of that system, e.g. modifying software programs, web defacement, modifying data, or exploiting unpatched software.
145
web defacement
Website defacement is an example of where a hacker changes the information displayed on a web page.
146
Malware
Malicious code (or malware) is the term used to describe programs that have been written to cause security breaches or damage to computer systems by installing unwanted and unauthorised code onto them. Effects include deletion or corruption of data and the hijacking of resources to launch DDoS attacks.
147
Malicious code types
Viruses, Trojan horses, backdoors and ransomware.
148
Ransomware
Ransomware is an example of malware that infects the target computer by encrypting the owner’s personal files. The victim is then contacted and offered the key to decrypt the files in exchange for cash or information. Dr McGuire estimates that ransomware adds a further US$1 billion annually to the criminals’ gains.
149
TRUE OR FALSE? The download of illegal material onto a computer is another form of computer misuse.
true
150
Misuse includes indecent images?
Many countries have in place legislation that prohibits the download of indecent images of children and of the ‘sexual grooming’ of children using the internet. In many countries there is a legal obligation for enterprises (and individuals) to report the discovery of this type of activity to the law enforcement agencies. It is very likely that legislation such as the Obscene Publications Act in the UK would be used to prosecute cases involving indecent images of children, as the penalties are more severe than in computer misuse legislation.
151
Cyber stalking
Computers can be misused by a person to harass and stalk another individual (cyber stalking), for instance by sending threatening emails that cause distress. It is essential to ensure that policies are in place to provide clear guidance to all computer users as to what constitutes computer misuse. Cyber stalking of this nature is now recognised in the UK under the Public Order Act, the Malicious Communications Act and the Protection from Harassment Act.
152
Piracy
A form of computer misuse. The illegal or unauthorised use of software such as programs, computer games or electronically stored music is known as piracy. Only legitimate software and material used in line with licence agreements should be installed on an organisation’s systems, and computer users should be given guidance that the use of unlicensed material is not allowed.
153
Requirements for records retention
Records such as board minutes and financial reports must be kept for a minimum length of time, whereas other legislation states when records must be destroyed (personal privacy legislation, such as the GDPR (EU) or the Fair and Accurate Credit Transaction Act 2003 (USA)). PROOF OF DESTRUCTION may be required. A record retention policy and schedule is needed, and documents retained need to be stored in a protective format.
154
proof of record destruction
An organisation may be asked to produce these records (or proof of destruction) either by a government agency or by an opposing party in a legal dispute. Failure to comply with this could result in a legal judgment against the organisation, heavy fines and closure of the organisation or adverse publicity.
155
record retention policy and schedule.
This should be communicated to staff so that they are aware of their responsibilities. In the case of international organisations, more than one schedule will need to be kept dealing with variances in requirements.
156
documents retained need to be stored in protective format
A document that needs to be retained should be stored in a format that can ensure its protection (for example on a secure central repository rather than in a personal file, so that it is not deleted or lost inadvertently). For larger enterprises there are document management solutions on the market to do this.
157
Externally produced standards available for legal requirements, for RECORD RETENTION
ISO 15489-1:2016 – Records Management standards produced by the International Organization for Standardization, or standards produced by the American National Standards Institute (ANSI).
158
Intellectual property rights IPR
is the term given to the legal rights that protect creative works, and most countries have legislation in place to protect such intellectual property.
159
Copyright law
Initially designed to protect original artistic works such as pieces of music, but it can also be applied to software programs, computer games, documents, books, photographs, video files or other types of work made using a computer or generated by a computer. Copyright is AUTOMATIC for ORIGINAL work and lasts for a FIXED DURATION.
160
infringement
E.g. copyright law controls the rights over copying, issuing, performing or adapting a work. Abuse of these rights by someone else is called infringement.
161
Piracy
Piracy is the term commonly used to describe the unauthorised use of computer software and is a breach of copyright law. Where software has been developed by an enterprise, the copyright is normally owned by the enterprise rather than the individual(s) involved, unless a special provision has been agreed beforehand.
162
Copyright is taken less seriously where?
In some regions, such as Asia and East Asia.
163
Harmonising copyright laws
There have been a number of initiatives to harmonise copyright protection internationally, such as the General Agreement on Tariffs and Trade, Trade Related Aspects of Intellectual Property Rights 1993 (GATT TRIPS). Within the EU there is a directive to harmonise certain aspects of copyright and associated rights in relation to information systems.
164
The Common Law of Breach of Confidence
aims to protect secrets – personal, commercial or governmental. This can only be applied as long as the data are not in the public domain and covers breaches of confidence made between two or more parties.
165
Trademarks
Trademarks, such as Microsoft® or Apple®, are there to protect brand strength by demonstrating their uniqueness in terms of quality, reputation, reliability, ubiquity, originality, value for money or whatever the brand strives to promote.
166
‘Passing off’
is the term used when an object is trying to seem the same as something else in order to cash in on the originator’s reputation or ideas.
167
infringement on information assurance
An example of infringement that could apply to information assurance is when someone has set up an internet domain name that uses a very similar name to another, better-known site. The ‘impostor’ site is branded in much the same way as the original so that people who have mistyped the address believe they have gone to the intended site. This is a typical method of perpetrating banking fraud. Dr McGuire estimates that the trade in illicit and illegal online markets generates US$860 billion each year for the criminals.
168
Patents
are used to protect the intellectual property invested in the development of new products or in the creation of inventions, and, like copyright, they are in place to prevent other people from copying or manufacturing the product or invention so that the creator is able to realise their investment (in both time and money) in creating their original work. Patents have been applied to software processes and such things as ‘gestures’, for example, on tablet computers. Within information technology, patents tend to be used to protect physical devices such as a new type of computing device. Patents have a FIXED DURATION and NEED RENEWAL. Patents are COUNTRY SPECIFIC (protecting a patent in many countries is expensive; take expert advice). There is provision within the EU to protect a patent in 30 countries in a single application, using the European Patent Convention (EPC).
169
Contractual safeguards Contract conditions should include clauses to ensure that proper assurance controls are in place. Security conditions are often handled via a security schedule within the contract. The type of clauses needed to provide adequate protection might include clauses to:
* carry out regular assurance reviews and health checks;
* apply security patches in a timely manner;
* protect information against malicious code;
* provide organisation continuity arrangements that meet agreed service levels;
* vet new staff to an appropriate level;
* enforce discipline against any security breaches;
* manage security incidents (including reporting to the parent organisation);
* protect against disclosure of sensitive information;
* allow the enterprise the right to audit and monitor the services being provided;
* prevent further subcontracting without written authorisation.
* e.g. cloud computing
170
Securing digital signatures
Digital signatures are a form of electronic signature that addresses the fraud issue. A digital signature binds the signer to the signed content and provides non-repudiation, ensuring that neither party can deny the transmission. Apps are available on mobiles/tablets.
171
digital signatures UK AND EU REGULATION
Within the UK and EU, the legal regulation Electronic Identification, Authentication and Trust Services (eIDAS) came into force on 17 September 2014.
172
eIDAS
* states that electronic signatures will not be denied legal effect or admissibility simply on the grounds that they are in electronic form;
* electronic signatures are treated as handwritten signatures if they are backed by qualified certificates, by a certification service provider, and created by a secure signature creation device;
* electronic signatures are admissible as evidence in legal proceedings, both in relation to the authenticity of the transmission and as to the integrity of the contents of the communication.
173
CA verify signatures
A certification authority (CA) must be deemed trustworthy. CAs have their signatures verified by other CAs to build a greater degree of trust. CAs may be liable for any compromise to the integrity of digitally signed documents authorised by them, so, to limit their liability, many certification authorities stipulate a financial cap on transactions. There have been malicious attacks on digital certification companies, though, and this has led to some significant improvements in recent years.
174
Restrictions on purchase, use and movement of cryptography technology
Cryptography can protect privacy and confidential information. Cryptography legislation varies from country to country (in some countries the penalties extend to treason and death).
175
Chinese, Pakistani and EU cryptography laws
In China, foreign organisations and individuals have to gain permission to use cryptography under the China State Council directive 273 of the Regulation of Commercial Encryption Code. In Pakistan, all encryption hardware and software have to be inspected and approved by the Pakistan Telecom Authority. Even within the EU, there is variance on acceptable use of cryptography. France, for example, has a number of very specific requirements as to how cryptography can be used that are in addition to the EU directives.
176
Wassenaar Arrangement (WA) 1996
Controls the export of cryptographic technology. The agreement was to ensure that transfers of conventional firearms and dual-use goods and technologies between countries were carried out responsibly and did not further the development of hostile regimes. There are 42 participating countries and, although export controls are implemented by each individual WA participating state, the scope of export controls is determined by Wassenaar directives.
177
The ISO/IEC 27000 series advises that the following factors should be considered in cryptographic methods
* restrictions on import/export of cryptographic hardware/software;
* restrictions on tools designed to add cryptographic functions;
* restrictions on encryption use;
* authorities may require access to encrypted data;
* regulators may impose additional cryptography constraints;
* industry-specific standards may apply (e.g. finance sector);
* all factors must be considered when applying cryptographic controls.
178
Baseline controls
standards used to define how systems should be configured and managed. The intention is that any new system in any location should be built using the settings and guidelines contained in this document. In this case, the concern is about configurations for information security.
179
Baseline control contents:
* which OS versions to use;
* which parts of the OS to install;
* patches required;
* additional applications such as anti-virus software, intrusion detection agents and so on;
* settings for password length, ACLs and so on;
* network configuration.
180
Baseline, take care
* no one size fits all;
* an email server's configuration differs from a web server's;
* a baseline is not necessarily secure: new vulnerabilities keep appearing, so it must be patched continuously.
181
default passwords
Once an attacker identifies the infrastructure in use, they can try the default passwords, which will often give them administrative privileges and provide an excellent basis for an attack. It is very important that all default passwords are changed as soon as the installation is complete. Since they are for administrative use and provide significant administrative rights to the user, that password needs to be longer and stronger than ordinary user passwords, making it much harder to break.
182
Configuration management and operational change control
process of monitoring and controlling the configuration of devices and documentation within the infrastructure
183
configuration documentation
The configuration documentation should describe the baseline that is in place, and it can then be used to identify any changes made. It can be used to help assess changes and their impacts before approval, should be kept up to date, and might be used in auditing for quality assurance.
184
MSPs
An organisation may have links to third parties or external suppliers, such as managed service providers (MSPs).
185
should third parties work to same IA standards?
they are required to work to the same IA standards and adopt the same working practices, or at least to those that are clearly compatible. If they do not, they may become the weakest link in the chain and can invalidate much of the good work done in-house.
186
How can we ensure third parties work to same IA standards?
The use of working protocol documents and contractual clauses can require them to do so and should allow auditing to ensure compliance. It is becoming more common to see third parties required to have an accreditation such as ISO/IEC 27001 before they can work for an organisation. This provides a degree of confidence in their assurance, including the quality and content of their documentation.
187
security documents should be protected?
Yes. They must be protected against unauthorised access and loss, whether physical or electronic. Knowledge of the countermeasures and procedures would allow an attacker to find vulnerabilities in the infrastructure and gain access, so strictly control access to the documents, monitor that access and use a protective marking system.
188
protective marking system
A protective marking system allows such documents to receive extra protection and safe handling.
189
Failure to comply with accepted standards?
Standards are not mandatory, but failure to comply can dissuade potential customers, as the organisation cannot demonstrate competency.
190
ISO
Each standard is reviewed every 5 years; current standards can be purchased through BSI. ISO collaborates with the IEC and the ITU as the WORLD STANDARDS COOPERATION.
191
IEC ITU
The International Electrotechnical Commission (IEC) and the International Telecommunication Union (ITU) work with ISO.
192
IA management standards
Specifically ISO/IEC 27000 series, which is the current set of standards for information security management. (others cover explicit technologies, techniques or architectures used within IT)
193
ISO/IEC 27000
Specific IA management: mainly 27001 and 27002. Risk management: 27005. Network security: 27033. Information security in the health sector: 27799. Cloud resources: 27017.
194
ISO/IEC 27001
Specifies the ISMS requirements standard
195
ISO/IEC 27002
ISO/IEC 27002 provides a code of practice for information security management. It is probably the most influential standard for IA management. It describes a high-level set of controls to protect the confidentiality, integrity and availability of an organisation’s information assets, and looks at the various aspects of assurance such as security policy, IA employees, asset management, human resources assurance and compliance.
196
ISO/IEC 27001 VS 27002
ISO/IEC 27002 is a generic advisory document rather than a formal specification like ISO/IEC 27001.
197
ISO/IEC 27007:2017 provides
ISO/IEC 27007:2017 provides guidelines for auditing ISMSs, helping auditors to assess the compliance with ISO/IEC 27001.
198
in order to use ISO/IEC 27002...
In order to use the standard, the organisation will need to assess the risks of their enterprise and apply the recommended control measures from the standard that are applicable to mitigate these risks.
199
ISF’s Standard of Good Practice for Information Security for IA,
reviewed by them every year. This standard focuses on how IA can support organisation processes and provides guidance on implementing appropriate protection. It focuses on security governance, security requirements, control framework, and security monitoring and improvement. The ISF membership (in the main, corporate organisations) funds the forum via an annual subscription and then collaborates with it on developing best practices in IT security and information risk management. However, the Standard of Good Practice for Information Security is available to other organisations or individuals.
200
notes on other standards
Many other standards not produced exclusively for IA do affect IA management. They cover other related organisation functions or processes such as retention of records (ISO/IEC 15489), the implementation of organisation continuity (ISO/IEC 22301:2019 and PAS 77), project development (COBIT), the management of information technology services (ISO/IEC 20000 and ITIL) and quality assurance (ISO/IEC 9001). If these standards have been implemented within an organisation, it is necessary to ensure that IA management controls are compatible with them and support their requirements. For example, ISO/IEC 20000–1:2018 Information technology – Service management includes requirements for operational security. It is necessary to be familiar with the standards that apply to the country and industry sector in which the organisation operates. There is a wide range of standards to which the financial and manufacturing industries need to adhere, and an inability to meet these requirements could, for instance, prevent an organisation from actively trading in the financial services market.
201
Internet Engineering Task Force (IETF)
A large, open, international community that develops and promotes standards for the internet.
* The governing body meets two or three times a year.
* Standards are developed by working groups (network designers, operators, vendors and researchers), each focusing on a particular topic.
* Standards are known as RFCs.
* They are issued to the IETF community as draft RFCs.
202
RFC
IETF STANDARDS: The standards generated are known as Request for Comments (RFCs), and upon production are subsequently issued to the IETF community as draft RFCs for comment and review. Once an RFC has been issued it is not withdrawn, although it may in time be superseded by further RFCs. This, in many ways, can show the development of standards. The published RFC documents have a status of either a proposed standard or an informational statement.
203
Federal Information Processing Standards Publications (FIPS PUBS)
are standards and guidelines developed and issued by the NIST for federal government computer systems within the USA. Where possible, the US federal government uses existing (internationally recognised) published industry standards, but should none be suitable it will ask NIST to help develop them. NIST collaborates with national and international standards committees such as IETF and other interested parties (such as vendors and industry bodies) to produce FIPS PUBS.
204
the European Telecommunications Standards Institute (ETSI)
Based in France.
* ETSI standardises ICT across Europe
* Recognised by the European Commission and EFTA
* Provides technical specs for directives and regulations
* The CE mark shows product compliance
* Members include manufacturers, operators, providers, researchers and users
* Members set the work programme and approve deliverables
* Documents are available via the ETSI Documentation Service (EDS)
205
ENISA
The European Union Agency for Network and Information Security (ENISA)
* ENISA provides guidance based on research
* Focus on the human aspects of InfoSec
* Includes psychology, sociology, anthropology, biology and behavioural economics
* Explores human behaviour in a security context
206
The Digital Operational Resilience Act DORA
EU regulation, January 2022, on recovery from ICT disruptions. Key provisions include **implementing robust ICT risk management frameworks**, promptly **reporting** major ICT-related incidents, conducting regular **resilience testing**, managing risks from third-party ICT service providers, and promoting information sharing on cyber threats among financial entities.
207
INFORMATION SECURITY FRAMEWORKS what are they?
Structured sets of guidelines and best practices that help organisations manage and protect their information assets. Frameworks are designed to give a comprehensive approach to information security, ensuring sensitive data is protected from unauthorised access and breaches through the use of controls.
208
development of an infosec programme..
Information security frameworks support the development of an information security programme, starting with risk assessment and the identification of control objectives and key controls. These are defined by standards such as NIST CSF 2.0, ISO27001:2022, CIS 18 and Cyber Essentials.
209
ACTIVITY 3.2 Chris Brown is very pleased with the work that you have done so far on information assurance and has given you a budget to implement some additional access controls within Quantum View. How would you approach this?
210
1. Which of the following activities should NOT be handled by the information assurance function? a. Monitoring the effectiveness of the enterprise’s assurance arrangements. b. Providing advice on information assurance. c. Effectively delivering a secure environment across the enterprise. d. Reporting on the effectiveness of the enterprise’s assurance arrangements to senior management.
c
211
2. Where should the information assurance function be placed within the enterprise so that it can facilitate full management co-ordination of assurance across the enterprise? a. Within the compliance function. b. At board level. c. It will depend on the structure of the enterprise. d. Within the IT group.
c
212
3. What is the key role of the board director with responsibility for information assurance? a. To ensure that appropriate security controls are implemented across the enterprise. b. To have a detailed understanding of the threats facing the enterprise. c. To implement information assurance solutions across the enterprise. d. To provide day-to-day management of the information assurance function.
a
213
4. Clearly defined responsibilities for information assurance should include which of the following? a. Operating procedures and reporting requirements. b. The scope of the responsibilities and level of authority granted. c. Disciplinary procedure. d. None of these three.
b
214
NIST CSF 2.0 fun fact
established in response to an executive order by former President Obama in 2013. This called for greater collaboration between the public and the private sector for identifying, assessing and managing cyber risk.
215
NIST CSF 2.0 versions
Version 1.0: 2014; version 1.1: 2018; version 2.0: 2024. Developed through workshops, comments, analysis and drafts to reflect current security challenges.
216
NIST CSF 2.0 FUNCTIONS
GOVERN (which underpins the others), Identify, Protect, Detect, Respond and Recover (performed concurrently and continuously)
217
NIST CSF 2.0 FUNCTIONS GOVERN
Govern is used to ensure all the other functions align with the organisation requirements and are measured and managed. Leadership is an essential element of this.
218
NIST CSF 2.0 FUNCTIONS IDENTIFY
Identify is used to develop an overall risk management approach to cybersecurity. It helps understand critical assets, organisation environment, governance model and supply chain
219
NIST CSF 2.0 FUNCTIONS PROTECT
Protect is used to put defensive controls in place based on critical assets, to ensure they are protected within risk tolerance. Protect highlights the importance of managing identities, securing access, protecting data and training users.
220
NIST CSF 2.0 FUNCTIONS DETECT
Detect is used to ensure that detection systems are in place and that an attack is detected in the shortest time possible, by spotting anomalies, investigating events, continuous monitoring and other detection processes.
221
NIST CSF 2.0 FUNCTIONS RESPOND
Respond is used when under attack, and the quicker an organisation can respond the quicker it can reduce harm. Respond helps to ensure an organisation takes action as quickly as possible through incident response planning, analysis, mitigation, communication and ongoing improvement.
222
NIST CSF 2.0 FUNCTIONS RECOVER
Recover is used to return to normal operations, in other words the same state, after the attack. The Recover function helps the organisation restore operations through recovery planning, continuous improvement and communications.
223
NIST CSF version changes
* Governance included
* CSF 2.0 has expanded best practices
* Organisational Profiles
* Community Profiles
* Revision 5: outcome-based approach
* Removed the limiting term ‘information system’
224
NIST 800-53 PURPOSE PROBLEMS
NIST 800-53 is the catalogue of security controls for information systems and organisations, serving as a comprehensive guide for safeguarding sensitive data. Adherence to NIST 800-53 assures compliance with the Federal Information Systems Management Act, which is required for federal government agencies and government contractors. NIST 800-53 has more than 900 security controls, organised into 18 control families. The current revision, Revision 5, released in 2020, dropped the word ‘federal’ to broaden the scope of the guidance, making NIST 800-53 applicable to all organisations. The main problem of the NIST framework is the number of controls and granularity. One method to remedy this is to go through the controls and remove all the ones that do not apply to your organisation.
225
Organisational Profiles NIST CSF
Organisational Profiles, which are used to describe current and future security postures, making it easier to set goals and define the practice required to meet these goals.
226
NIST CSF Community profiles
Community Profiles, which are created to address shared security interests and goals common to many organisations that occupy the same sector or subsector, use similar technologies, or face similar threat types.
227
NIST recommends following their seven-step process when establishing a cybersecurity programme, as well as when reviewing previously existing cybersecurity programmes to determine how they measure up.
* **Prioritise & scope** – define objectives, identify key assets
* **Orient** – continue implementing the cybersecurity programme
* **Current profile** – assess which CSF controls are in place
* **Risk assessment** – analyse environment & likelihood of threats
* **Target profile** – define desired control outcomes & risk appetite
* **Gap analysis** – identify & prioritise gaps using risk/cost/benefit, allocate resources
* **Implement action plan** – implement steps to close gaps in chosen order
228
ISO/IEC 27001
International standard for ISMSs, part of the ISO 27000 series. The most important is 27001: HOW to manage all aspects of security. It provides a systematic approach to managing information so that it remains secure, and includes people, processes and IT systems by applying a risk management process.
229
Figure 3.2 “ISO 27001 process” illustrates a simplified flow of achieving ISO 27001 certification. Here's a summary of the process:
* 1 **Business** – Organisation initiates the process
* 2 **ISO 27001 Standards** – Refer to the framework for information security
* 3 **Gap Analysis** – Identify gaps between current practices and standards
* 4 **Implement Controls** – Apply necessary security measures
* 5 **Certification** – Undergo external audit for compliance
* 6 **Verified** – Achieve certification and confirm adherence
230
ISO 27001 requires you to:
* systematically examine information security risks, taking account of the threats, vulnerabilities and impacts;
* design and implement a comprehensive set of information security controls, with other forms of risk treatment, to address those risks that cannot be accepted;
* adopt an overarching management process to ensure that the information security controls continue to meet the organisation's information security needs on an ongoing basis.
231
ISO 27001:2022 new controls. The 11 new controls in the 2022 revision are:
* A.5.7 Threat intelligence
* A.5.23 Information security for use of cloud services
* A.5.30 ICT readiness for organisation continuity
* A.7.4 Physical security monitoring
* A.8.9 Configuration management
* A.8.10 Information deletion
* A.8.11 Data masking
* A.8.12 Data leakage prevention
* A.8.16 Monitoring activities
* A.8.23 Web filtering
* A.8.28 Secure coding
231
Process of ISO 27001 CERTIFICATION:
A three-stage process. **Stage 1** is an initial review of the ISMS. This includes checking for the existence and completeness of key documentation. **Stage 2** is a more detailed and formal compliance audit. **Ongoing**: follow-up reviews or audits to confirm that the organisation remains in compliance.
232
ISO 27001:2022 controls
Reduced from 114 to 93 controls (new and merged), found in Annex A, which also provides the list of control objectives, grouped into four themes. The 2022 revision has 11 new controls.
233
ISO 27001:2022 controls sit within these 4 themes
* **Organisational controls**: covering information security policies, roles and responsibilities, as well as human resource security, among others.
* **People controls**: focusing on areas such as access control, user responsibilities, and security awareness and training.
* **Physical controls**: encompassing physical and environmental security to protect information and systems from physical threats.
* **Technological controls**: addressing controls related to secure configuration, network security and information security in supplier relationships.
234
5. Which would be the best way to hear about and plan for any regulatory changes to your industry that may affect information assurance? a. Permanently employing consultants. b. Scanning bulletin boards and websites for snippets of information. c. Waiting until the changes are announced in the press. d. Maintaining a relationship with regulatory bodies for the industry.
d
235
ISO 27001 CLAUSES
The ISO 27001 clauses are the core pillars of the ISMS. Think of clauses as sections. Clauses 4–10 list every requirement the ISMS must meet before it can be ISO 27001 certified. Clauses 0–3: introduction; scope; normative references; terms and definitions. Clauses 4–10 (which provide the ISO 27001 requirements): context of the organisation; leadership; planning; support; operation; performance evaluation; improvement.
236
CIS 18
* Centre for Internet Security
* Version 8: April 2021
* V8: CIS enhanced the controls to address threats to systems and software, the increased use of cloud computing, virtualisation, mobility, outsourcing, working from home, and changes in attack tactics.
* The controls prioritise actions/best practice for defence in depth.
* Developed from wide sector/first-hand experience.
* Controls and goals with guidelines form a best-practice checklist; the more guidelines followed, the stronger the security posture.
237
CIS 18 CONTROLS
CIS Control 1: Inventory and Control of Enterprise Assets
CIS Control 2: Inventory and Control of Software Assets
CIS Control 3: Data Protection
CIS Control 4: Secure Configuration of Enterprise Assets and Software
CIS Control 5: Account Management
CIS Control 6: Access Control Management
CIS Control 7: Continuous Vulnerability Management
CIS Control 8: Audit Log Management
CIS Control 9: Email and Web Browser Protections
CIS Control 10: Malware Defences
CIS Control 11: Data Recovery
CIS Control 12: Network Infrastructure Management
CIS Control 13: Network Monitoring and Defence
CIS Control 14: Security Awareness and Skills Training
CIS Control 15: Service Provider Management
CIS Control 16: Application Software Security
CIS Control 17: Incident Response Management
CIS Control 18: Penetration Testing
238
Benefits of CIS 18
* **Enhanced security** – Provides a comprehensive set of best practices to defend against a wide range of cyber threats
* **Simplified framework** – Offers a prioritised and simplified set of controls that are easier to implement and manage
* **Improved compliance** – Helps an organisation align with various regulatory and compliance requirements by providing a clear security roadmap
* **Scalability** – Suitable for organisations of all sizes, from small organisations to large enterprises
* **Resource efficiency** – Helps in the efficient allocation of resources by focusing on the most critical security measures
* **Continuous improvement** – Encourages regular updates and continuous monitoring to adapt to the evolving threat landscape
239
CYBER ESSENTIALS
A UK government-backed certification scheme designed to help organisations protect themselves against common online threats.
* Offers a clear set of basic security controls to implement to mitigate the risk of cyber-attacks.
* A REQUIREMENT for organisations with government contracts.
* The controls are aimed at protecting against the most common internet-based threats, and cover five key areas.
240
Cyber Essentials key areas The controls are aimed at protecting against the most common internet-based threats, and cover five key areas.
* **Secure configuration** – Ensure systems are securely configured; remove unnecessary functionality and accounts; replace default settings with secure ones
* **Patch management** – Keep systems and software up to date; regularly apply security patches to fix known vulnerabilities
* **Malware protection** – Use anti-virus and anti-malware solutions to defend against malicious software
* **Firewalls and internet gateways** – Protect internet connections with firewalls; block untrusted networks and provide a first line of defence
* **Access control** – Restrict access to data and services; manage admin accounts securely; ensure only necessary access is granted
241
CYBER ESSENTIALS PLUS
* **Advanced level of Cyber Essentials** – Requires hands-on technical verification by an independent certification body
* **Not self-assessed** – Unlike basic Cyber Essentials, this involves external testing
* **Assessment includes**: security of internet-connected devices, firewalls, anti-malware configurations, secure configurations, user access controls and the application of security patches
242
Steps to obtain Cyber Essentials Plus certification
* **Initial Cyber Essentials certification** – Complete the self-assessment covering the five key controls
* **Pre-assessment preparation** – Internally review and remediate cybersecurity measures
* **Engage a certification body** – Select an accredited body to conduct the technical verification
* **Technical verification** – Includes external/internal scans and configuration, malware and access control reviews
* **Remediation (if required)** – Fix any issues found during assessment
* **Certification** – Issued if all requirements are met; valid for one year
243
cyber essentials plus certification: Technical verification: The certification body conducts a thorough examination of the organisation’s IT systems. This typically includes:
* **External vulnerability scan** – Assesses exposure of internet-facing systems to common threats
* **Internal vulnerability scan** – Checks internal systems for vulnerabilities post-breach
* **Configuration review** – Examines device and software configurations for security
* **Malware protection review** – Tests effectiveness of anti-malware measures
* **Access control review** – Verifies enforcement of access controls and authorised access only