Risk Management Frameworks in Information Security
12 Questions

Questions and Answers

What do Requirements 4 through 10 in ISO/IEC 27001 describe?

  • The history and development of ISO/IEC 27001
  • The implementation details of a risk management framework
  • The structure of an entire information security management system (ISMS) including risk management (correct)
  • The legal requirements for information security systems

What is the focus of ISO/IEC 27005?

  • Physical security measures
  • Information system architecture
  • Information technology risk management (correct)
  • Information technology project management

Which framework is described in NIST Special Publication 800-37?

  • Managing Information Security Risk
  • Risk Management Framework to Federal Information Systems (correct)
  • COBIT 5
  • RIMS Risk Maturity Model

What is the main focus of COBIT 5?

  • Enterprise IT governance and management (D) (correct)

What is the primary focus of Confidentiality in the context of IT Security?

  • Ensuring data remains undisclosed to unauthorized individuals (A) (correct)

Which encryption method is commonly used for data at rest to maintain Confidentiality?

  • AES256 (B) (correct)

What technique is used to protect against alterations of data and systems in the context of Integrity?

  • Checksums (e.g., CRC) (B) (correct)

Which growing trend poses a new threat to system integrity and data integrity, as mentioned in the text?

  • IoT (Internet of Things) (D) (correct)

What is the cornerstone of IT Security according to the text?

  • Confidentiality, Integrity, and Availability (CIA) Triad (A) (correct)

What is the DAD Triad in the context of IT Security?

  • Disclosure, Alteration, and Destruction (C) (correct)

What can happen if an organization prioritizes too much Integrity?

  • Availability can suffer (B) (correct)

Which measure is emphasized as crucial for maintaining Data availability in the text?

  • Redundancy in hardware power (multiple power supplies/UPS/generators) (D) (correct)

Study Notes

ISO/IEC 27001

  • Requirements 4-10 describe implementation, operation, and continuous improvement of Information Security Management System (ISMS)

ISO/IEC 27005

  • Focuses on Information Security Risk Management

NIST Framework

  • Described in NIST Special Publication 800-37, a risk management framework for information systems

COBIT 5

  • Main focus is on IT governance and management

Confidentiality

  • Primary focus is on protecting sensitive information from unauthorized access

Encryption

  • Commonly used for data at rest to maintain Confidentiality

Data Integrity

  • Technique used to protect against alterations of data and systems is Hash Function

Cloud Computing

  • Growing trend posing a new threat to system integrity and data integrity

IT Security

  • Cornerstone is the Protection of Confidentiality, Integrity, and Availability (CIA) of information assets
  • DAD Triad refers to Confidentiality, Integrity, and Availability
  • Prioritizing too much Integrity can lead to decreased Availability
  • Crucial measure for maintaining Data Availability is ensuring business continuity and disaster recovery


Description

This quiz explores the use of risk management frameworks in information security, focusing on the ISO/IEC 27001 standard and its requirements. It covers the structure of an information security management system and alternatives to building a program from scratch.
