Risk Management and Assessment in ISO Standards
52 Questions
1 Views

Choose a study mode

Play Quiz
Study Flashcards
Spaced Repetition
Chat to lesson

Podcast

Play an AI-generated podcast conversation about this lesson

Questions and Answers

APPSEC/ETH group GRC & CISO group DPI Cloud sec & compliance Operational ______.

Technology

Living-off-the-land attacks use trusted system tools to conduct attacks, making them harder to ______

detect

Mobile and IoT devices are increasingly targeted, with malvertising and malware posing ______

threats

A zero-day vulnerability is a software weakness unknown to those who should mitigate it, allowing hackers to exploit it before a fix is ______

<p>available</p> Signup and view all the answers

The economics of cybercrime is a significant issue, with estimated costs reaching $6 trillion in ______

<p>2021</p> Signup and view all the answers

CISOs/Security Officers act as strategic and tactical leaders in ______

<p>cybersecurity</p> Signup and view all the answers

Spear phishing is a targeted form of email ______

<p>scam</p> Signup and view all the answers

Ransomware attacks involve mass infection of systems and demand payment in exchange for restoring access to ______

<p>data</p> Signup and view all the answers

The cybersecurity landscape is subject to an ever-growing number of laws, regulations, and standards, such as ISO27k, NIST, CIS, GDPR, NIS, and FDA ______

<p>rulings</p> Signup and view all the answers

Technology layer includes implementation, automation, and ______

<p>reporting</p> Signup and view all the answers

Employee awareness forms the hygiene layer of ______

<p>cybersecurity</p> Signup and view all the answers

Hackers' return on investment (ROI) influences their target selection, with an average return per attack being less than $4,500

<p>[blank]</p> Signup and view all the answers

Cybercrime operates like a business, with a supply chain, middlemen, and distribution ______

<p>channels</p> Signup and view all the answers

An ISMS (Information Security Management System) is a ______ approach for managing an organization's information security, based on risk assessment and the organization's risk acceptance levels.

<p>systematic</p> Signup and view all the answers

ISO27k is a family of standards with two main standards: ______ focuses on security controls and risk assessments, while ISO27002 provides guidelines for implementing security controls.

<p>ISO27001</p> Signup and view all the answers

To define a ______ security strategy and roadmap, consider business objectives, security trends, and maturity levels.

<p>tailored</p> Signup and view all the answers

Cyber ______ is an essential barrier for trade in the context of security trends and security management.

<p>Compliance</p> Signup and view all the answers

Cybersecurity industry faces a significant lack of ______, with 1205 vacancies in Belgium and a 16% vacancy rate.

<p>resources</p> Signup and view all the answers

Risk management is a crucial aspect of ISO27001:2017, and risks must be ______ at different levels and occasions.

<p>managed</p> Signup and view all the answers

Developing a ______ strategy involves selecting a standard/framework, increasing technical security countermeasures, and prioritizing based on current maturity levels and budget constraints.

<p>cybersecurity</p> Signup and view all the answers

Challenges in cybersecurity include the '______ of More' and the need for a business-driven, optimized ROSI (Return on Security Investment).

<p>Fog</p> Signup and view all the answers

Cybersecurity presents ______, such as avoidance of direct damage, customer and investor confidence, and product differentiation.

<p>opportunities</p> Signup and view all the answers

______ of a security strategy include governance, organizational risks, technical maturity, and security requirements.

<p>Pillars</p> Signup and view all the answers

______ includes context, leadership, planning, support, operation, performance evaluation, and improvement.

<p>ISO27001:2017</p> Signup and view all the answers

A threat is a potential cause of an unwanted incident, and risk management involves comprehensive risk assessments, ______, and assessments during significant changes.

<p>updates</p> Signup and view all the answers

ISO31000, ISO27001:2017 defines ______ as the potential harm or threat to an organization, determined by the impact and probability

<p>risk</p> Signup and view all the answers

Risk management for ______ servers, such as JIRA and Confluence, involves assessing and protecting critical information assets

<p>CI/CD</p> Signup and view all the answers

Example assets include ______ Directory Servers, with different risk profiles, RTOs (Recovery Time Objectives), and RPOs (Recovery Point Objectives)

<p>Active</p> Signup and view all the answers

ISO27001:2017 outlines 114 ______ in 14 clauses and 35 control categories for effective risk management, including ______ for information security policies, human resource security, and access control

<p>controls</p> Signup and view all the answers

The ______ Cyber Security Framework (CSF) provides guidelines for developing a cyber security strategy, with easy-to-understand categories and maturity levels for risk management

<p>NIST</p> Signup and view all the answers

The NIST CSF focuses on ______ for both the Governance and Technical tracks, including the use of community support networks and prioritized controls for effective cyber defense systems

<p>options</p> Signup and view all the answers

______ diagnostics and mitigation, automation, and measurements and metrics are essential components of an effective cyber security strategy, according to the NIST CSF

<p>Continuous</p> Signup and view all the answers

ISO27002:2017 and other ______ provide additional controls and guidelines for operational security governance, procedural guidelines, and technical controls

<p>standards</p> Signup and view all the answers

NIST validates cyber security programs and offers ______ for individuals as NIST CSF Practitioners

<p>certifications</p> Signup and view all the answers

The ______ Controls (V7.1) are recommended for the Technical Track, offering a prioritized set of actions that are community-supported, implementable, scalable, and compliant with industry and government security requirements

<p>CIS</p> Signup and view all the answers

The ______ critical tenets of an effective cyber defense system, according to the NIST CSF, include offense informs defense, prioritization, measurements and metrics, and continuous diagnostics and mitigation

<p>5</p> Signup and view all the answers

IG1 organizations are small to medium-sized with limited IT and cybersecurity expertise. The principal concern is keeping business operational and protecting ______ and financial information.

<p>employee</p> Signup and view all the answers

IG2 organizations employ individuals responsible for managing and protecting IT infrastructure. They support multiple departments with varying risk profiles and may have regulatory compliance burdens. They store and process sensitive client or company information and can withstand short interruptions of service. Loss of public confidence is a major ______.

<p>concern</p> Signup and view all the answers

IG3 organizations employ security experts specializing in different cybersecurity facets. Systems and data contain sensitive information or functions subject to regulatory and compliance oversight. They address availability of services and the confidentiality and integrity of sensitive data. Successful attacks can cause significant harm to the ______.

<p>public</p> Signup and view all the answers

After a maturity assessment using the chosen governance standard (NIST CSF/ ISO27K for governance and CIS Controls for technical), organizations should summarize findings and risks. Define high-level risk mitigation actions and set maturity targets for the next 3 years based on ______ benchmarks.

<p>industry</p> Signup and view all the answers

Prioritize and detail the risk mitigation actions. Consolidate findings, risks, and mitigation actions to create a cybersecurity ______.

<p>strategy</p> Signup and view all the answers

Findings include potential risks and should be summarized with context and insight to understand what is ______.

<p>important</p> Signup and view all the answers

Describe the risks associated with each finding, but remember that these are not the equivalent of detailed ______ assessments.

<p>risk</p> Signup and view all the answers

The CIS Center for Internet Security provides free cybersecurity strategies and tools, including the CIS Controls (V7.1), which map to both ISO27002 and NIST CSF ______.

<p>standards</p> Signup and view all the answers

The CIS Controls prioritize the implementation of cybersecurity measures into three Implementation Groups (IGs): IG1, IG2, and IG3, based on the size and expertise of the ______.

<p>organization</p> Signup and view all the answers

Sub-Controls should be implementable with limited expertise, aimed to thwart general attacks and work with small or home office COTS hardware and ______.

<p>software</p> Signup and view all the answers

Sub-Controls help security teams cope with increased operational complexity and depend on ______-grade technology and specialized expertise.

<p>enterprise</p> Signup and view all the answers

Sub-Controls must abate targeted attacks and reduce the impact of ______ attacks.

<p>zero-day</p> Signup and view all the answers

High-level description of the actions to take to mitigate the risk associated with finding A. These high-level actions will be further detailed later on.

<p>missing</p> Signup and view all the answers

High-level description of the actions to take to mitigate the risk associated with finding B. These high-level actions will be further detailed later on.

<p>missing</p> Signup and view all the answers

High-level description of the actions to take to mitigate the risk associated with finding C. These high-level actions will be further detailed later on.

<p>missing</p> Signup and view all the answers

One can choose to set a target maturity over 3 years Governance 2,40 2,11 2,11 2,25 2,40 Technical 2,10 1,50 1,75 1,95 2,20 Reference Now 2021 2022 2023 Based on benchmark figures within the same sector 80 w HOW TO DEVELOP A PROPER CYBER SECURITY STRATEGY w Prioritize and detail For each high-level, risk mitigating action, you can now specify the more detailed actions to take, and to prioritize these actions over the coming (3) years. Per action, think about documenting: Part of the governance or technical track The detailed action Stakeholders Budget estimate Timing Must-do / Roadmap candidate Consider putting the high-level actions on a timeline 81 Cybersecurity – how to define a cyber strategy 82 w HOW TO DEVELOP A PROPER CYBER SECURITY STRATEGY w Example Deliverable - 2 83 w HOW TO DEVELOP A PROPER CYBER SECURITY STRATEGY w Example Deliverable - 3 84 w HOW TO DEVELOP A PROPER CYBER SECURITY STRATEGY w Example Deliverable - 4 85 w HOW TO DEVELOP A PROPER CYBER SECURITY STRATEGY w Example Deliverable - 1 86 Questions. 87 Security Operating Model GUEST CLASS – SECURITY TRENDS & SECURITY MANAGEMENT Cybersecurity is too big a task to be handled by one person. Divide and conquer. 89 90 Managed Security Office Framework Client Security Office Security Office Essential Security & Compliance Projects Ecosystem of partners Expert Services Security Office – Typical persons involved Client X Security Office Account manager Cloud security expert (if applicable) Application security expert (if applicable) CISO / SPOC (required) Security Architect (if applicable) Sidekick (preferred) … (what’s applicable) 92 Foundation Strong foundation principle for SOaaS Pentest CIS assessment In Ga telli th gen er in ce g Foundation Business Threat Model s ou n u in o nt icati o C rif Ve Security Office Portal Continuous Vulnerability Scanning e nc a rn ve ol o G n tr Co Incident Response Brainframe 93 Foundation Security Office Portal Compliance standards Custom compliance CIS Project Management M365 CIS Azure CIS Zero Trust GDPR NIST ISO 27001 MITRE ATT&CK Data sources in-depth recommendations M365 & AAD Azure Conditional Access OnPremises AWS Google Cloud 450+ customizable rules 94 Cyber Security & Start & ScaleUps GUEST CLASS – SECURITY TRENDS & SECURITY MANAGEMENT Tech Scale-Up Phases Conserve cash Invest Aggressively Search for product/Market Fit Search for Repeatable, Scalable, & Profitable Growth Model Scaling the Business 96 Phase 1: Product/Market Fit Search for product/Market Fit Business Objectives: Define MVP Find Beachhead Market for MVP Security Objectives: Define Minimal Viable Product Security Bootstrap Security 97 Phase 1: Product/Market Fit Search for product/Market Fit Business Objectives: Define MVP Find Beachhead Market for MVP Security Objectives: Define Minimal Viable Product Security Bootstrap Security How to Implement Security Objectives: Focus on Product Security Only Define Basic Non-Functional Requirements Manually Threat Modeling Validate Security of MVP Penetration Testing Use Subsidized Security Services to minimize costs. 98 Phase 2: Repeatable, Scalable & Profitable Growth Search for Repeatable, Scalable, & Profitable Growth Model Business Objectives: Exponential growth and market development. Gaining trust of corporate and enterprise customers. Security Objectives: Gain overall security maturity and make it demonstrable towards interested stakeholders. 99 Phase 2: Repeatable, Scalable & Profitable Growth Search for Repeatable, Scalable, & Profitable Growth Model Business Objectives: Exponential growth and market development. Gaining trust of corporate and enterprise customers. Security Objectives: Gain overall security maturity and make it demonstrable towards interested stakeholders. How to Implement Security Objectives: Adopt Security Standards (ISO27k, NIST, …) Appoint Security Resources (CISO, Security Officer, DPO) Can still be parttime Retain focus on Product Security Agile Pentesting Agile Threat Modeling Optimize important processes by adopting (basic) security technology. E.g. Buy Cloud Licenses that include security functionalities (E5, …) SAST/DAST tooling to improve code quality … 100 Phase 3: Aggressive Scaling Scaling the Business Business Objectives: Sustain market leadership & growth Security Objectives: Continue to.

<p>missing</p> Signup and view all the answers

Study Notes

  • The CIS Center for Internet Security provides free cybersecurity strategies and tools, including the CIS Controls (V7.1), which map to both ISO27002 and NIST CSF standards.
  • The CIS Controls prioritize the implementation of cybersecurity measures into three Implementation Groups (IGs): IG1, IG2, and IG3, based on the size and expertise of the organization.

IG1:

  • IG1 organizations are small to medium-sized with limited IT and cybersecurity expertise.
  • Principal concern is keeping business operational and protecting employee and financial information.
  • Sub-Controls should be implementable with limited expertise, aimed to thwart general attacks and work with small or home office COTS hardware and software.

IG2:

  • IG2 organizations employ individuals responsible for managing and protecting IT infrastructure.
  • Support multiple departments with varying risk profiles and may have regulatory compliance burdens.
  • Store and process sensitive client or company information and can withstand short interruptions of service.
  • Loss of public confidence is a major concern.
  • Sub-Controls help security teams cope with increased operational complexity and depend on enterprise-grade technology and specialized expertise.

IG3:

  • IG3 organizations employ security experts specializing in different cybersecurity facets.
  • Systems and data contain sensitive information or functions subject to regulatory and compliance oversight.
  • Address availability of services and the confidentiality and integrity of sensitive data.
  • Successful attacks can cause significant harm to the public.
  • Sub-Controls must abate targeted attacks and reduce the impact of zero-day attacks.
  • After a maturity assessment using the chosen governance standard (NIST CSF/ ISO27K for governance and CIS Controls for technical), organizations should summarize findings and risks.
  • Define high-level risk mitigation actions and set maturity targets for the next 3 years based on industry benchmarks.
  • Prioritize and detail the risk mitigation actions.
  • Consolidate findings, risks, and mitigation actions to create a cybersecurity strategy.
  • Findings include potential risks and should be summarized with context and insight to understand what is important.
  • Describe the risks associated with each finding, but remember that these are not the equivalent of detailed risk assessments.

Studying That Suits You

Use AI to generate personalized quizzes and flashcards to suit your learning preferences.

Quiz Team

Related Documents

Description

Test your knowledge of risk management and assessment in ISO standards with this quiz. Explore topics such as risk calculation, impact probability, ISO27001:2017, CI/CD servers, JIRA/Confluence, and recovery objectives.

More Like This

Risk Management Assessment Quiz
50 questions
Medical Device Risk Management Quiz
10 questions
Use Quizgecko on...
Browser
Browser