BCS Certification in Information Security Management Principles: Difference between revisions
Edit summaries: →2. Information Risk: Added detail; m →2. Information Risk: formatting
Revision as of 22:02, 13 February 2022
BCS Certification in Information Security Management Principles
About
BCS CISMP. The BCS (British Computer Society) Certification in Information Security Management Principles.
A five day course.
A 248 page text book.
Concepts
CIA. Confidentiality, Integrity, Availability.
Course Text Book
Title
The text book is Information Security Management Principles Third Edition.
Book Chapters
1. Information Security Principles
Confidentiality, integrity and availability.
Confidentiality = no unauthorised disclosure of information.
Integrity = information is accurate and complete.
Availability = information is accessible and usable.
Assets are anything with value. There are three types always to be considered: information; physical assets (e.g. buildings); software. Other types may also be considered (e.g. reputation, loyalty, recovery cost).
Threat = a potential cause of an unwanted incident.
Vulnerability = a weakness that can be exploited by a threat.
Risk = the effect of an uncertainty. Requires a threat and a vulnerability.
Impact = the level of severity of the consequence of the risk happening.
Controls. Responses to risks. There are four: eliminate; reduce; transfer; accept.
Eliminate = avoid the risk entirely; do something different.
Reduce = lessen the likelihood or the impact.
Transfer = pass the risk to someone else, e.g. insurance.
Accept = tolerate the risk. (This is not 'do nothing'.)
Identity, authentication and authorisation.
Identity = that which uniquely identifies an entity, be that an individual or item.
Authentication = assurance of a claimed identity.
Authorisation = permission granted to access (a system's resources).
Accountability, audit and compliance.
Accountability = able to link an action to an entity.
Audit = record checking; validating the accountability.
Compliance = meeting the requirements.
ISMS = Information Security Management System. A one stop shop for the organisation's information assurance.
Information Security = preserving the CIA of information.
Information Assurance = the confidence the information will be confidential, have integrity and be available.
2. Information Risk
We want assurance about our information, so we want information assurance. Information assurance is about the management of information risk. This chapter covers the component parts of risk: threats, vulnerabilities and impact. Combining threat with likelihood or probability gives risk.
Threat = an event causing undesirable consequences.
Information-related Threat categories
Physical threats. Theft, vandalism and accidents.
Outages and failures. Loss of power or people. Hard drive and other hardware failure. Human error.
Hacking and abuse. Social engineering, espionage, identity theft, viruses, ransomware, denial of service attacks (DoS), distributed denial of service attacks (DDoS), eavesdropping. Cyber terrorism and sabotage.
Legal and contractual threats. Failure to meet obligations. Breaches of the Data Protection Act (DPA) or General Data Protection Regulation (GDPR).
Accidents and disasters. Flood, landslide, earthquake, tsunami. Chemical leaks, explosions.
Vulnerabilities and vulnerability classification
Vulnerability = a weakness. E.g. a password on a Post-It or poor software design. A 'threat' is said to 'take advantage of a vulnerability' or 'exploit a vulnerability'.
General vulnerabilities. Weaknesses in software design, hardware, buildings, people, processes and procedures.
Information-specific vulnerabilities. Unsecured computers and devices. Un-patched software and operating systems. Unsecured network boundary devices. Unsecured web servers and email servers.
- Unlocked filing cabinets.
- Mobile 'phone leakage.
- Cloud service information leakage.
- Internet of Things (IoT) interception and attack.
- Bring Your Own Devices (BYOD) vulnerabilities.
Assets
An asset can be tangible or intangible. Impacts usually apply to assets.
Likelihood or probability
Can be assessed quantitatively or qualitatively.
Risk
Risk = the impact or consequence of a vulnerability being exploited by a threat.
Threat evaluation = the impact or consequence times the likelihood or probability.
Calculating overall risk
A Business Impact Analysis (BIA) = determining the impact on one or more assets for each threat.
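A worked risk register applying the definitions above (risk as impact times likelihood, assessed quantitatively or qualitatively, and a BIA of each threat's impact per asset), added here as an example; it is not code from these notes or from the text book. It assumes a 3-point low/medium/high qualitative scale and constructed sample assets and threats, and ranks only entries assessed on the same scale, since a cost-times-probability figure is not comparable with an ordinal score.

```python
# Added example (not from the BCS CISMP notes or text book); the register data is constructed.
from dataclasses import dataclass
from collections import defaultdict
LEVELS = {"low": 1, "medium": 2, "high": 3}   # assumed 3-point qualitative scale

@dataclass(frozen=True)
class RiskEntry:
    asset: str          # tangible or intangible asset the impact applies to
    threat: str         # event causing undesirable consequences
    vulnerability: str  # weakness the threat exploits
    impact: object      # cost in currency units, or a level name
    likelihood: object  # probability in [0, 1], or a level name

def method(entry):
    """'qualitative' if both factors are level names, 'quantitative' if both are numbers."""
    kinds = {isinstance(entry.impact, str), isinstance(entry.likelihood, str)}
    if len(kinds) != 1:
        raise ValueError(f"{entry.asset}/{entry.threat}: impact and likelihood on different scales")
    return "qualitative" if kinds.pop() else "quantitative"

def risk_score(entry):
    """Threat evaluation: impact (consequence) times likelihood (probability)."""
    if method(entry) == "qualitative":
        return LEVELS[entry.impact.lower()] * LEVELS[entry.likelihood.lower()]
    if not 0 <= entry.likelihood <= 1:
        raise ValueError("quantitative likelihood must be a probability in [0, 1]")
    return entry.impact * entry.likelihood

def rank_risks(register):
    """Rank entries within each method; scores on different scales are not comparable."""
    groups = defaultdict(list)
    for e in register:
        groups[method(e)].append((e.asset, e.threat, risk_score(e)))
    return {m: sorted(rows, key=lambda r: r[2], reverse=True) for m, rows in groups.items()}

def business_impact_analysis(register):
    """BIA: the impact of each threat on each asset it affects, as threat -> {asset: impact}."""
    bia = defaultdict(dict)
    for e in register:
        bia[e.threat][e.asset] = e.impact
    return dict(bia)

REGISTER = [  # constructed sample register mixing the two assessment methods
    RiskEntry("customer database", "ransomware", "un-patched operating system", 50_000, 0.2),
    RiskEntry("customer database", "flood", "server room in basement", 50_000, 0.01),
    RiskEntry("paper records", "theft", "unlocked filing cabinet", "medium", "high"),
    RiskEntry("web server", "DDoS", "unsecured network boundary device", "high", "high"),
]
if __name__ == "__main__":
    print(rank_risks(REGISTER), business_impact_analysis(REGISTER))
```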
Risk Management
3. Information Security Framework
xcxx
4. Security Life Cycles
xcxx
5. Procedural and People Security Controls
xcxx
6. Technical Security Controls
xcxx
7. Physical and Environmental Security
xcxx
8. Disaster Recovery and Business Continuity Management
xcxx
9. Other Technical Aspects
xcxx
Course Outline
- The need for Information Security
- Information Security Management System (ISMS) concepts & definitions
- Information risk management
- Corporate governance
- Organisational responsibilities
- Policies, standards & procedures
- ISO/IEC 27002, 27001 & 13335
- Information security controls
- Incident management
- Legal framework - personal data, DPA, CMA, IPR & copyright, HR & employment issues
- Cryptographic models
- Data Communications & networks
- Physical security
- Auditing & gap analysis
- Training & raising awareness
- Business continuity
- Security investigations & forensics