(ISC)² Common Body of Knowledge Quiz - Week 2


Questions and Answers

Which of the following standards is primarily focused on Information Security Management Systems (ISMS)?

  • NIST
  • ISO/IEC 27002
  • Common Criteria
  • ISO/IEC 27000 (correct)

ISO 27001 emphasizes the importance of risk management.

True (A)

What does the acronym ISMS stand for?

Information Security Management Systems

ISO 27000 follows a __________ cycle which includes planning, doing, checking, and acting.

plan, do, check, act

Match the following information security frameworks with their key focus:

  • ISO 27000 = Risk assessment and control implementation
  • NIST = Identify, protect, detect, respond, recover
  • Common Criteria = Consumer confidence in hardware and software
  • Common Body of Knowledge = Risk management, identity, access control

What is the primary focus of Access Control Systems and Methodology?

Protecting resources from unauthorized access (D)

Physical Security includes mechanisms like locked doors and access logging.

True (A)

What does the ISO 27000 series primarily relate to?

Information security standards

___________ involves planning for system failures, natural disasters, and service interruptions.

Business Continuity Planning and Disaster Recovery

Match the following security domains with their focus areas:

  • Telecommunications and Network Security = Secure communications and protocols
  • Law, Investigation, and Ethics = Legal aspects and forensic practices
  • Cryptography = Encryption and key management
  • Computer Operations Security = Securing ongoing computer operations

Which of the following is NOT a part of Security Management Practices?

Planning backup tests (B)

User authentication methods include biometric verification.

True (A)

What are the main types of authentication methods mentioned in the content?

Passwords, two-factor authentication, biometrics, single sign-on (SSO)

Flashcards

Access Control Systems

Protecting resources from unauthorized access while granting access to authorized personnel.

Authentication Methods

Processes used to verify the identity of a user or system.

Telecommunications and Network Security

Protecting communication networks and services from vulnerabilities and attacks.

Business Continuity Planning

Creating a plan to maintain operations during system failures or disasters.

Security Management Practices

Ensuring security awareness and training for IT staff and users.

Security Architecture

Planning and designing security policies and procedures for various systems.

Law, Investigation, and Ethics

Understanding legal aspects of security, investigation, and ethical considerations.

Application Security

Implementing security measures in software development.

Cryptography

Using encryption to secure data.

Computer Operations Security

Protecting computer operations from threats.

Physical Security

Protecting physical access to computer systems.

ISO 27000 Series

A series of international standards that define how to implement an Information Security Management System (ISMS).

ISO 27001

A core standard in the ISO 27000 series; mandates the requirements for an ISMS.

ISO 27002

A core standard in the ISO 27000 series; provides practical guidance on implementing security controls.

Information Security Management System (ISMS)

A system of policies, procedures, and controls designed to manage information security risks.

PDCA Model

A cyclical model (Plan, Do, Check, Act) used in process improvement, including ISMS.

Risk Management

Identifying, assessing, and mitigating potential security risks.

Security Controls

Policies, procedures and mechanisms implemented to mitigate identified security risks.

NIST Framework

A U.S. framework that outlines security processes, including risk management, with five core phases.

Study Notes

(ISC)² Common Body of Knowledge

  • Access Control Systems and Methodology: Protects resources from unauthorized access, using authentication methods like passwords, two-factor authentication, biometrics, and single sign-on (SSO).
  • Telecommunications and Network Security: Focuses on communication security, protocols, and network services, addressing vulnerabilities like perimeter security, extranet access, and Internet-based attacks.
  • Business Continuity Planning and Disaster Recovery: Plans for system failures, natural disasters, and service disruptions, including backup testing, off-site storage, and ensuring critical services remain available after a disaster.
  • Security Management Practices: Emphasizes security awareness, risk assessment, educating IT staff and users, and organized security teams for efficient crisis response.
  • Security Architecture and Models: Involves policy planning for security issues like desktop security, data backups, and antivirus solutions.
  • Law, Investigation, and Ethics: Covers aspects of security's legal framework, including legal proceedings, evidence handling, employee surveillance, and privacy laws.
  • Application and Systems Development Security: Focuses on security in software development, considering permission handling, integrity checks, and preventing insider threats like spyware.
  • Cryptography: Covers encryption types to secure data, and key management in Public Key Infrastructure (PKI).
  • Computer Operations Security: Seeks to protect ongoing computer operations against threats like malicious code and denial-of-service attacks.
  • Physical Security: Ensures physical access to crucial resources like servers and workstations is secured, using mechanisms like locked doors and access logging.

ISO 27000 Series

  • Security Standards and Digital Curation: Digital information's flexibility requires strong protection against unauthorized access or changes. Information Security Management Systems (ISMS) ensure confidentiality, integrity, and availability.
  • ISO/IEC 27000 Series: Defines ISMS implementation, with core documents like ISO/IEC 27001 and 27002 outlining requirements and implementation guidance based on the PDCA model.
  • Functionality: ISO 27001 mandates risk management and includes more than 130 security controls; ISO 27002 offers practical guidance.
  • Benefits: Certification enhances security, compliance, data protection, and business continuity.

Information Security Frameworks and Standards

  • ISO 27000: Uses a "plan, do, check, act" cycle for risk assessment and control implementation.
  • NIST: Similar to ISO 27000, including phases like identify, protect, detect, respond, recover.
  • Common Criteria: Focuses on hardware and software security, assessing consumer confidence without specifying controls. Applicable only to security products.
  • Common Body of Knowledge: Covers risk management, identity, and access control in information security.
