Cyber Security and Information Assurance

Questions and Answers

What is the primary goal of risk reduction?

To accept the risk and take no further action

To lessen the probability, negative consequences, or both, associated with risk (correct)

To completely eliminate the risk

To transfer the risk to another party

What is meant by 'treat' or 'mitigate' in the context of risk management?

To monitor the risk without taking any further action

To transfer the risk to another party

To accept the risk and take no further action

To take one or more actions to reduce the impact or likelihood of a risk (correct)

What is risk transfer an example of?

Risk acceptance

Risk reduction

Risk monitoring

Risk treatment involving the agreed distribution of risk with other parties (correct)

What is the primary consideration when deciding to accept a risk?

The practicality and sensibility of taking further action

What is the main advantage of having contingency measures in place?

It mitigates the effect if the risk does occur

What is an effective way to ensure that procedures are followed?

Creating desk cards or prompts for users

What is an example of a risk transfer mechanism?

Taking out an insurance policy

What is a potential limitation of risk transfer?

It may not mitigate reputational damage

Why is it important to manage information held in staff members' heads?

To prevent the loss of critical information in case of staff unavailability

What has led to increased focus on risk management in companies?

High-profile commercial criminal investigations

What is the role of senior management in risk acceptance?

To accept that it is not practical or sensible to take any further action

Who is responsible for risk management in an organization?

The board of directors

What is the primary goal of implementing effective IA?

To support the organization's continued operation

Why is it essential to detail procedures for managing physical assets?

To prevent the inadvertent inclusion of confidential files

What is the relationship between IA and corporate governance?

IA supports the principles of corporate governance

Why is it important to manage information held in staff members' heads?

To ensure business continuity in case of staff unavailability

What is the primary reason for the increased complexity of the information assurance manager's role?

The significant increase in threats and vulnerabilities arising from the internet and the World Wide Web

What is the term used to describe the risks and vulnerabilities arising primarily from the use of the internet?

Cyber security

What is the primary goal of criminals and others in the context of cyber-attacks?

To steal information and sell it on or use it for other purposes

What is the term used to describe the use of gained information to extract financial gain from innocent victims?

Fraud

Why is the term 'information assurance' still used in this book?

To refer to general principles of information security

What is the primary focus of the legislation introduced by governments to address information assurance?

Addressing the increasing problems of information assurance

What is the result of the seemingly meteoric rise in cyber-attacks?

Cyber warfare and the need for cyber security

What is the underlying theme of the book's discussion on information assurance?

The rise of cyber-attacks and the need for information security

What is the impact of increased information availability on the service industry?

It has liberated the industry, similar to the introduction of the steam engine or electricity

What is a major concern for global organisations when sending sensitive information across borders?

Proving the authorised person sent the correct document at the appropriate time

What is a risk associated with conducting trade over the internet?

Denial-of-service attacks

What is a challenge for organisations operating in multiple countries?

Understanding differing local legislation restrictions

What is a consequence of a virus infection or ransomware attack on an organisation's reputation?

Negative impact on reputation and financial status

What is a challenge for organisations when dealing with people they know little about?

Establishing an appropriate level of trust

What is the role of the information assurance manager in a global organisation?

To ensure the satisfaction of management and litigants

What is a key concern for global organisations when sending sensitive information electronically?

Ensuring the information is sent with proof of receipt, integrity, and authority

What is the primary focus of information assurance?

Managing risk

What is a key characteristic of a valid threat?

It has already happened to someone else

What is the relationship between threats and opportunities?

What is a threat to one person may be an opportunity to another

What is the primary benefit of understanding threats and vulnerabilities?

Reducing the likelihood of a threat being carried out

What is the term for the potential consequences of a threat being carried out?

Impact

What is the primary goal of information risk management?

Managing risk to ensure the confidentiality, integrity, and availability of information systems

What is a threat to information systems?

An unauthorised person discovering your username and password

What is the term for the areas of risk that must be addressed in an information system's environment?

Confidentiality, integrity, and availability

Study Notes

Information Assurance and Cyber Security

• The complexity of threats to companies, public bodies, and organizations has increased, making information assurance management a crucial field.
• The term "cyber security" has emerged due to the significant increase in threats arising from the internet and the World Wide Web.

Cyber Warfare and Cyber Security

• Cyber-attacks involve misappropriating information, encrypting it, and demanding money to release it, or using it for fraudulent purposes.
• Criminals and others seek to steal information and sell it or use it for illicit gain.

Risk Reduction and Management

• Risk reduction involves taking actions to lessen the probability, negative consequences, or both, associated with a risk.
• Risk transfer involves distributing risk to other parties, such as taking out insurance or writing contracts to mitigate financial impact.
• Risk acceptance involves accepting a risk and monitoring it, rather than taking further action.

Information Security Principles

• Information security is crucial in today's digital age, where organizations operate across multiple countries and have sensitive information to protect.
• Ensuring the secure transfer of information between countries and managing differing legislations is a significant challenge.

Relationship with Corporate Governance

• The advent of high-profile commercial criminal investigations has led to more stringent legislation regarding risk taking in companies.
• Risk management has become a top priority in many boardrooms, and it is no longer acceptable to delegate responsibility to the IT manager.

Information Risk Management

• Information assurance is primarily about managing risk, which involves understanding threats, vulnerabilities, and impact.
• Threats are realistic possibilities that may cause undesirable consequences, and vulnerabilities are weaknesses that can be exploited.
• Combining threats with likelihood or probability creates risk.

Threats and Threat Landscape

• Threats can be realistic or opportunistic, and may have already occurred to someone else.
• Threats must be valid and may have records of incidents to support their validity.
• Threats can be perceived differently by different individuals, and what may be a threat to one person may be an opportunity to another.

Description

Explore the role of information assurance managers and the growth of cyber security, including the increasing complexity of threats and the need for expertise in this field.