Cybersecurity Management Systems Quiz
8 Questions

Test your knowledge on cybersecurity management systems with this quiz! From ISO/IEC 27001 to NIST Framework and CCN-STIC guides, this quiz covers a range of topics related to implementing and auditing a cybersecurity management system. Learn about key processes, risk management practices, and necessary roles in the information system lifecycle. Test your understanding of important concepts such as access control, asset management, and incident management. Whether you're new to cybersecurity management systems or looking to refresh your knowledge, this quiz

Created by
@TrustedIndicolite

Questions and Answers

What is an SGSI?

An information security management system (ISMS; in Spanish, Sistema de Gestión de Seguridad de la Información)

What processes do ISO/IEC 27001 and ISO/IEC 27002 cover?

Information security processes, grouped into control domains such as security policy, asset management, access control, incident management and business continuity

What is the NIST Framework?

A guide for assessing how mature an organization's information security management processes are

What can internal or external audits of the SGSI identify?

Areas for improvement in the system

What does an SGSI combine?

Technical measures with processes for managing the physical security of assets and the security of people

What can video surveillance systems reinforce?

Access control programs

What is needed to protect information assets?

Policies and procedures based on risk assessments

What do process or procedure documents specify?

Formal and informal mechanisms for tasks, risk management, availability, integrity, confidentiality and accountability for information security

Study Notes

  • Implementing an information security management system (SGSI) starts with identifying the organization's compliance requirements and defining security policies in coordination with legal advisors and the governance structure.
  • ISO/IEC 27001 (the requirements standard) and ISO/IEC 27002 (the accompanying code of practice) group controls into domains such as security policy, organization of information security, asset management, human resources security, physical and environmental security, communications and operations management, access control, acquisition, development and maintenance of information systems, incident management, business continuity management, and compliance.
  • The NIST Cybersecurity Framework is a guide for assessing how mature an organization's security management processes are.
  • Audits can be internal or external and can identify areas for improvement in the system.
  • An SGSI combines technical measures with processes for managing people and the physical security of assets.
  • Video surveillance systems can reinforce access control programs, but they must comply with data protection law, and the individuals recorded must be informed of their rights.
  • Policies and procedures based on risk assessments are necessary to protect information assets.
  • Process or procedure documents specify the formal and informal mechanisms for tasks, risk management, availability, integrity, confidentiality, and accountability for information security.
  • Technology is an essential part of the infrastructure but only represents a part of the security architecture.
  • Measuring and monitoring performance of information security processes is necessary to achieve cybersecurity objectives.
  1. A security management system must be audited to ensure its effectiveness and efficiency.
  2. Clear indications of security objectives being met and absence of unexpected security incidents are key indicators of success.
  3. Knowledge of imminent threats and effective means of determining organizational vulnerabilities are important.
  4. Methods for monitoring changing risks and consistency in log reviews are necessary.
  5. Testing continuity and disaster recovery plans is crucial.
  6. An audit by a trusted third party is required for certification, but the certificate attests only that the management system conforms to the standard, not that the organization is secure.
  7. The audit must be conducted by qualified auditors and the certification entity must be accredited.
  8. The audit process includes document review, on-site verification, and issuance of an audit report.
  9. Observations, minor non-conformities, and major non-conformities are identified in the audit report.
  10. Corrective and preventive actions must be taken to address non-conformities and achieve certification.
  • The CCN-STIC-205 guide provides a model for preserving security function in the lifecycle of information systems.
  • Security requirements should be considered during the acquisition or development of an information system.
  • The decision to buy or develop software or hardware affects the level of risk.
  • Good practice for software is to acquire from reputable manufacturers and conduct additional security audits.
  • The guide's recommended practice for hardware is to favour custom designs, so that attackers cannot rely on known vulnerabilities in off-the-shelf commercial devices; the trade-off is that bespoke hardware also forgoes the public scrutiny and vendor patching that commodity devices receive.
  • The CCN-STIC-201 guide outlines necessary roles for the information system lifecycle, with the ASTIC being responsible for decisions and specifications.
  • The ASTIC is the authority for granting permission for system deployment based on compliance with SGSI standards.
  • Microsoft's Security Development Lifecycle (SDL) and the Team Software Process (TSP) can also serve as models for preserving security throughout the information system lifecycle.
