BCS Certification in Information Security Management Principles

From Useful Data
BCS CISMP. The BCS (British Computer Society) Certification in Information Security Management Principles.
A five-day course.
A 248-page text book.


CIA. Confidentiality, Integrity, Availability.

Course Text Book


The text book is Information Security Management Principles Third Edition.

Book Chapters

1. Information Security Principles

Confidentiality, integrity and availability.
Confidentiality = no unauthorised disclosure of information.
Integrity = information is accurate and complete.
Availability = information is accessible and usable.

Assets are anything with value. There are three types always to be considered: information; physical assets (e.g. buildings); software. Other types may also be considered (e.g. reputation, loyalty, recovery cost).

Threat = a potential cause of an unwanted incident.
Vulnerability = a weakness that can be exploited by a threat.
Risk = the effect of uncertainty on objectives; in information security terms, the potential for a threat to exploit a vulnerability and cause harm. A risk requires both a threat and a vulnerability.
Impact = the level of severity of the consequence of the risk happening.

Risk treatment. Responses to risks. There are four options: eliminate; reduce; transfer; accept.
Eliminate = avoid the risk entirely; do something different.
Reduce = lessen the likelihood or the impact, usually by applying controls.
Transfer = pass the risk to someone else, e.g. insurance.
Accept = tolerate the risk. (This is not 'do nothing': it is a recorded decision that is reviewed.)

Identity, authentication and authorisation.
Identity = that which uniquely identifies an entity, be that an individual or item.
Authentication = assurance of a claimed identity.
Authorisation = permission granted to access (a system's resources).

Accountability, audit and compliance.
Accountability = able to link an action to an entity.
Audit = record checking; validating the accountability.
Compliance = meeting the requirements.

ISMS = Information Security Management System. A one stop shop for the organisation's information assurance.
Information Security = preserving the CIA of information.
Information Assurance = the confidence the information will be confidential, have integrity and be available.

2. Information Risk

We want assurance about our information, so we want information assurance. Information assurance is about the management of information risk. This chapter covers the component parts of risk: threats, vulnerabilities and impact. Combining the impact of a threat exploiting a vulnerability with the likelihood or probability of that happening gives the risk.

Threat = a potential event or action that would cause undesirable consequences.

Information-related Threat categories

Physical threats. Theft, vandalism and accidents.

Outages and failures. Loss of power or people. Hard drive and other hardware failure. Human error.

Hacking and abuse. Social engineering, espionage, identity theft, viruses, ransomware, denial of service attacks (DoS), distributed denial of service attacks (DDoS), eavesdropping. Cyber terrorism and sabotage.

Legal and contractual threats. Failure to meet obligations. Breaches of the Data Protection Act (DPA) or the General Data Protection Regulation (GDPR).

Accidents and disasters. Flood, landslide, earthquake, tsunami. Chemical leaks, explosions.

Vulnerabilities and vulnerability classification

Vulnerability = a weakness. E.g. a password on a Post-It or poor software design. A 'threat' is said to 'take advantage of a vulnerability' or 'exploit a vulnerability'.

General vulnerabilities. Weaknesses in software design, hardware, buildings, people, processes and procedures.

Information-specific vulnerabilities. Unsecured computers and devices. Unpatched software and operating systems. Unsecured network boundary devices. Unsecured web servers and email servers. Also:

  • unlocked filing cabinets;
  • mobile 'phone leakage;
  • cloud service information leakage;
  • Internet of Things (IoT) interception and attack;
  • Bring Your Own Device (BYOD) vulnerabilities.


An asset can be tangible or intangible. Impacts usually apply to assets.

Likelihood or probability

Can be assessed quantitatively or qualitatively.


Risk = the potential impact or consequence of a vulnerability being exploited by a threat, combined with the likelihood of that happening.
Risk evaluation (the level of risk) = the impact or consequence times the likelihood or probability.

Calculating overall risk

A Business Impact Analysis (BIA) = determining the impact on one or more assets for each threat.

Risk Management

Terms: risk identification; risk evaluation; risk analysis; risk treatment.

Risk Management Process
  • context establishment = what are the organisation's information assets? How do they fit into the business model?
  • risk identification = identify the threats. Identify the vulnerabilities. Determine the impact of each.
  • risk analysis = assess the likelihood of each risk. Plot them on a grid of likelihood x impact; a risk matrix.
  • risk treatment = avoid / terminate; reduce the threat, likelihood or impact; transfer or share (e.g. insurance); accept or tolerate.
  • communication & consultation = with asset owners and those who know the vulnerabilities.
  • monitoring and review = monitor each risk as appropriate; review the whole risk register at regular intervals.
Risk Treatment options
  • avoid / terminate = do not do the thing.
  • reduce the likelihood or impact = reduce the threat; reduce the vulnerability; reduce the impact. These are called controls.
  • transfer or share (e.g. insurance) = outsource to specialists.
  • accept or tolerate = live with low risks; decide treatment costs more than the risk.
Risk Controls

The three controls above - reduce the threat; reduce the vulnerability; reduce the impact - are not the only ones.

There are also tactical risk management controls:

  • detective controls = identify security incidents (e.g. intrusion detection systems)
  • preventative controls = stop an incident from taking place (e.g. firewall rules preventing access to banned sites)
  • corrective controls = limit the impact of an incident that has already happened (e.g. anti-virus software which disables a malicious executable)
  • directive controls / personnel controls = informing users what is / is not permitted (e.g. fair use clauses in employment contracts)

There are also operational controls:

  • physical controls = separates assets from intrusion (e.g. door security)
  • procedural controls = guidance (e.g. process and procedure documents, standards, guidelines, regulations)
  • technical controls = hardware or software solutions that reduce risks (e.g. firewalls, activity logging)

Once a risk has been controlled, there is usually some residual risk remaining. Generally this falls within the organisation's risk appetite and so can be accepted. Alternatively, it may be too costly to apply any further controls and the residual risk is accepted anyway, in which case that should be a conscious, recorded decision.

Risk Assessment approaches

  • Qualitative Risk Assessment = a subjective assessment of risk for when facts are hard to come by. Define and agree a scale, e.g. High, Medium and Low, and apply that to the risks.
  • Quantitative Risk Assessment = a factual approach using statistical evidence.
  • Semi-quantitative Risk Assessment = when facts are hard to come by, use a subjective financial scale, e.g. £10k = Low, £100k = Medium and £1m = High.
  • Software tools exist to help. However, keep it simple; a spreadsheet is probably good enough.
  • Questionnaires help ensure a level of consistency when interviewing business specialists. Start with open questions, then drill down to inputs, process and what people do when things go wrong.

Accurate risk assessment means it is easier to produce a convincing business case for funding.

Information asset valuation

Information assets - which can include people with specialist knowledge - can have a value attached to them, determined by their function and by the cost to the business of losing access to that information for an extended period.

Information classification policies

Information can be classified according to its confidentiality, from 'unmarked' or 'unrestricted' through, say, 'confidential' to 'secret'. These classifications are up to the business to decide. Each classification would have a policy on how information at that level should be handled, stored or disposed of.

Assess the risk in business terms

Use terminology the business will understand, not risk management jargon.

Balancing information security cost against the losses

This is often financial: the relative cost of the damage caused versus the lesser cost of preventing or reducing it. However, the decision can also have legal or regulatory requirements meaning it has to be done regardless.

Accepting risk: the role of management

Accepting risk ≠ ignoring risk.
It is too easy to accept a risk. Have managers sign off on acceptance. But when the risk is medium or higher, have more than one manager sign off on it, where the second manager is from a different business area. *** This is A Good Idea ***
Accepted risks should be revisited more frequently than treated ones, to confirm that the threat, impact and likelihood have not changed and that the decision to accept is still within the risk appetite.

Risk Registers

Risk registers are best practice and for some businesses are mandated.

  • a risk register permits risks to be recorded in a formal manner
  • a risk register allows auditing of impact, likelihood and risk responses
  • a risk register eases ongoing monitoring of risks
  • a risk register can be used as a management report on risk mitigation

A risk register should contain as a minimum:

  • the details of the threat
  • the assessed impact
  • the assessed likelihood
  • the calculated risk evaluation
  • the recommended treatment(s)
  • the actual actions taken
  • the expected completion date
  • the person responsible for the actions

The risk register should be reviewed regularly, for example, monthly or quarterly.
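As an added worked example (not code from the course or the textbook), the following Python sketches a small risk register that applies the chapter's process end to end: it scores each risk as likelihood x impact on an agreed five-point scale, bands the score onto the High / Medium / Low cells of the risk matrix, compares the residual risk after treatment against the risk appetite, enforces the acceptance rule above (two managers from different business areas for a Medium or higher residual risk) and puts accepted risks on a monthly rather than quarterly review cycle. The scales, appetite threshold, review intervals, field names and the sample risks are all constructed assumptions.

```python
"""Toy risk register: likelihood x impact scoring, treatment, residual risk,
acceptance sign-off and review scheduling. Added illustration; all scales,
thresholds and sample rows are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Agreed five-point ordinal scales for likelihood and impact (assumed).
SCALE = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}
# Risk appetite (assumed): a residual score of 5 or less (the Low band)
# can be tolerated without further treatment.
RISK_APPETITE = 5


def risk_score(likelihood: str, impact: str) -> int:
    """Risk evaluation = likelihood x impact on the agreed scales (1-25)."""
    return SCALE[likelihood] * SCALE[impact]


def risk_level(score: int) -> str:
    """Band a score onto the High / Medium / Low cells of the risk matrix."""
    if score >= 15:
        return "High"
    if score >= 6:
        return "Medium"
    return "Low"


@dataclass
class Risk:
    """One register row carrying the minimum fields listed above."""
    ref: str
    threat: str                 # details of the threat and the asset it affects
    likelihood: str             # assessed likelihood before treatment
    impact: str                 # assessed impact before treatment
    treatment: str              # avoid / reduce / transfer / accept
    action: str                 # the actual action taken
    owner: str                  # person responsible for the action
    due: date                   # expected completion date
    residual_likelihood: str    # likelihood once the controls are in place
    residual_impact: str        # impact once the controls are in place
    signoffs: list = field(default_factory=list)   # (manager, business area)

    def inherent_score(self) -> int:
        return risk_score(self.likelihood, self.impact)

    def residual_score(self) -> int:
        return risk_score(self.residual_likelihood, self.residual_impact)

    def acceptance_ok(self) -> bool:
        """Sign-off rule: a Low residual risk needs one manager; Medium or
        High needs two managers from different business areas."""
        if self.treatment != "accept":
            return True
        if risk_level(self.residual_score()) == "Low":
            return len(self.signoffs) >= 1
        areas = {area for _, area in self.signoffs}
        return len(self.signoffs) >= 2 and len(areas) >= 2

    def next_review(self, last_review: date) -> date:
        """Accepted risks are revisited monthly, treated risks quarterly."""
        return last_review + timedelta(days=30 if self.treatment == "accept" else 90)


def review(register: list, today: date) -> dict:
    """Periodic register review: returns {ref: reason} for rows needing action."""
    findings = {}
    for r in register:
        if r.treatment == "accept":
            if not r.acceptance_ok():
                findings[r.ref] = "acceptance lacks the required sign-off"
        elif r.residual_score() > RISK_APPETITE:
            findings[r.ref] = "residual risk above appetite: treat further or formally accept"
        elif r.due < today:
            findings[r.ref] = "treatment action overdue"
    return findings


# Constructed sample register, reviewed on 1 June 2024.
TODAY = date(2024, 6, 1)
SAMPLE_REGISTER = [
    Risk("R1", "Ransomware via the unpatched file server", "high", "very high",
         "reduce", "Monthly patching; offline backups", "J. Smith",
         date(2024, 5, 15), "low", "low"),
    Risk("R2", "Theft of laptops from the open-plan office", "medium", "medium",
         "transfer", "Insurance plus full-disk encryption", "A. Jones",
         date(2024, 7, 1), "medium", "very low"),
    Risk("R3", "Password on a Post-It in reception", "medium", "low",
         "accept", "Reminder at induction", "P. Patel", date(2024, 6, 30),
         "medium", "low", signoffs=[("P. Patel", "Facilities")]),
    Risk("R4", "Cloud provider outage", "low", "high",
         "accept", "Rely on SLA credits", "L. Chen", date(2024, 6, 30),
         "low", "high", signoffs=[("L. Chen", "IT"), ("M. Ross", "Finance")]),
]

if __name__ == "__main__":
    for r in SAMPLE_REGISTER:
        print(f"{r.ref}: inherent {r.inherent_score()} ({risk_level(r.inherent_score())})"
              f" -> residual {r.residual_score()} ({risk_level(r.residual_score())}) [{r.treatment}]")
    for ref, reason in review(SAMPLE_REGISTER, TODAY).items():
        print(f"ACTION {ref}: {reason}")
```

Running it flags R1 (the patching action is past its due date) and R3 (a Medium residual risk accepted on one manager's signature from one business area), while R4 passes because its acceptance carries two signatures from different areas even though the residual risk sits above appetite: that is the conscious, recorded acceptance the section describes, not a risk that has been ignored.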

3. Information Security Framework

An information security framework describes the control mechanisms an organisation requires, how they are implemented and how they are governed.

Organisation and responsibilities

Organise the information assurance. Someone has to be in charge. Someone has to be responsible. People need to know what to do. You need an Information Security Manager; they may have a team. It may be in Corporate Compliance or IT or central Facilities. Common roles are:

  • Chief Information Security Officer (CISO)
  • Chief Risk Officer (CRO)
  • Senior Responsible Owner (SRO)
  • Chief Information Officer (CIO)
  • Senior Information Risk Owner (SIRO)
  • Chief Financial Officer (CFO)

The Information Assurance role may include implementation, or not. It may be an audit function.

Good practice:

  • There should be board level representation of information asset assurance.
  • People who have delegated authority for managing information security need to have defined responsibilities and to be managed.
  • Information assets need to have an owner responsible for their confidentiality, integrity and availability.
  • Legislation or regulations may determine how information must be stored.
  • Information security staff will require ongoing CPD.
  • The organisation should develop a culture of good information security practice. (Easy to say...)

Organisational policy, standards and procedures

Policies, standards and procedures are to tell people what to do.

  • Policy = a high level statement of an organisation's values, goals and objectives and the approach to achieving them. Does not say how to achieve it.
  • Standard = a description of what needs to be done in a measurable way. Compliance is mandatory. Supports the policy. Says how to do it.
  • Procedure = a set of detailed working instructions describing what, when, how and who. Obligatory. Supports the policy and standard.
  • Guidelines = provide advice, direction and best practice. Not mandatory.

Information security governance

Policies, standards and procedures should be reviewed at regular intervals, and whenever the business or the threat landscape changes significantly.

Information assurance programme implementation

Plan to put in a realistic framework. Present it as a positive benefit. Ensure it has a sound business case. Show good information assurance gives commercial advantage. Use an information security strategy and an information assurance architecture.

Security incident management

Security incidents will happen. It's not if, it's how often. The incidents may relate to the confidentiality, the integrity or the availability of the information. Have plans in place to deal with them before it happens. Over half of incident response plans fail when first tested. So plan, then test the plan.

  • security incident response plan = a set of instructions to respond to and recover from an information security incident.
    • Incident Response Team (IRT) = people identified and trained in advance to follow the plan. Empowered and senior.

There are five steps in incident management:

  1. reporting;
  2. investigation;
  3. assessment;
  4. corrective action;
  5. review.

Make an effort not to destroy evidence so that it can be used in court.

Legal framework

Laws vary by country. Laws that might matter:

  • intellectual property rights;
  • protection of organisational records;
  • data protection;
  • privacy of personal information;
  • computer misuse prevention;
  • regulation of cryptography.

Security standards and procedures

Standards provide interoperability.

4. Security Life Cycles


5. Procedural and People Security Controls


6. Technical Security Controls


7. Physical and Environmental Security


8. Disaster Recovery and Business Continuity Management


9. Other Technical Aspects


Course Outline

   The need for Information Security
   Information Security Management System (ISMS) concepts & definitions
   Information risk management
   Corporate governance
   Organisational responsibilities
   Policies, standards & procedures
   ISO/IEC 27002, 27001 & 13335
   Information security controls
   Incident management
   Legal framework - personal data, DPA, CMA, IPR & copyright, HR & employment issues
   Cryptographic models
   Data Communications & networks
   Physical security
   Auditing & gap analysis
   Training & raising awareness
   Business continuity
   Security investigations & forensics