Security Management - Standards

Question 1

What is Risk Managament about?

Answer 1

• Risk identification(easy)
• Risk assessment (easy)
• Risk treatment (hard)
• Risk mitigationplan
• Implementation
• Review and evaluation

Question 2

What is ISMS?

Answer 2

Information Security Management System

Question 3

What is ISMS about?

Answer 3

• systematic approach to managing sensitive company information so that it remains secure
• Includes people, processes, documents, and IT systems by applying a risk management process

Question 4

what is ISO 27002:2013?

Answer 4

Guidelines for organisational information security standards and management practices

Question 5

Name a few groups of ISO 27002:2013

Answer 5

Information security policies

• Organisation of information security
• Human resource security
• Asset management
• Access control
• Cryptography
• Physical and environmental security
• Operations security
• Communications security
• Systems acquisition, development and maintenance
• Supplier relationships
• Information security incident management
• Information security aspects of business continuity management
• Compliance

Question 6

Name some of the elementary threats listed in the BSI base protection

Answer 6

• Fire, water, local events/catastrophes
• Loss of service by supplier (e.g. power, connectivity)
• Electromagnetic emanation, wiretapping, espionage
• Theft, destruction, loss of devices

Question 7

what should be considered if a employee joins/leaves the organisation

Answer 7

• Background checks (prediction of future behaviour based on past)
• Access management (configuration of access rights matching to current tasks/position)

Question 8

How can you prevent that adversaries access facilities, resources or information stored on physical media?

Answer 8

• restrict access to buildings, rooms, equipment(guards, locks, escorts, surveillance)
• Restriction of movement of equipment, storage media(locks, trackers)

Question 9

What is CVE?

Answer 9

CVE Common Vulnerabilities and Exposures

list of identifiers and descriptions for discovered vulnerabilities

Question 10

decribe the process of a CVE entry assignment

Answer 10

1. Discovery of potential vulnerability or exposure
2. Assignmentof CVE ID by numberingauthority
   - Description
   - References
3. Posting of CVE entryto list by primary numbering authority