BCS Certification in Information Security Management Principles

From Useful Data
Jump to navigation Jump to search

BCS Certification in Information Security Management Principles

About

BCS CISMP. The BCS (British Computer Society) Certification in Information Security Management Principles.
A five day course.
A 248 page text book.

Concepts

CIA. Confidentiality, Integrity, Availability.


Course Text Book

Title

The text book is Information Security Management Principles Third Edition.

Book Chapters

1. Information Security Principles

Confidentiality, integrity and availability.
Confidentiality = no unauthorised disclosure of information.
Integrity = information is accurate and complete.
Availability = information is accessible and usable.

Assets are anything with value. There are three types always to be considered: information; physical assets (e.g. buildings); software. Other types may also be considered (e.g. reputation, loyalty, recovery cost).

Threat = a potential cause of an unwanted incident.
Vulnerability = a weakness that can be exploited by a threat.
Risk = the effect of an uncertainty. Requires a threat and a vulnerability.
Impact = the level of severity of the consequence of the risk happening.

Controls. Responses to risks. There are four: eliminate; reduce; transfer; accept.
Eliminate = avoid the risk entirely; do something different.
Reduce = lessen the likelihood or the impact,
Transfer = pass the risk to someone else, e.g. insurance.
Accept = tolerate the risk. (This is not 'do nothing'.)

Identity, authentication and authorisation.
Identity = that which uniquely identifies an entity, be that an individual or item.
Authentication = assurance of a claimed identity.
Authorisation = permission granted to access (a system's resources).

Accountability, audit and compliance.
Accountability = able to link an action to an entity.
Audit = record checking; validating the accountability.
Compliance = meeting the requirements.

ISMS = Information Security Management System. A one stop shop for the organisation's information assurance.
Information Security = preserving the CIA of information.
Information Assurance = the confidence the information will be confidential, have integrity and be available.


2. Information Risk

We want assurance about our information, so we want information assurance. Information assurance is about the management of information risk. This chapter covers the component parts of risk: threats, vulnerabilities and impact. Combining threat with likelihood or probability gives risk.

Threat = an event causing undesirable consequences.

Physical threats. Theft, vandalism and accidents.

Outages and failures. Loss of power or people. Hard drive and other hardware failure. Human error.

Hacking and abuse. Social engineering, espionage, identity theft, viruses, ransomware, denial of service attacks (DoS), distributed denial of service attacks (DDoS), eavesdropping. Cyber terrorism and sabotage.

Legal and contractual threats. Failure to meet obligations. Breaches of the Data Protection Act (DPA) or General Data Protection Regulations (GDPR).

Accidents and disasters. Flood, landslide, earthquake, tsunami. Chemical leaks, explosions.

Vulnerabilities and vulnerability classification

Vulnerability = a weakness. E.g. a password on a Post-It or poor software design. A 'threat' is said to 'take advantage of a vulnerability' or 'exploit a vulnerability'.

General vulnerabilities. Weaknesses in software design, hardware, buildings, people, processes and procedures.

Information-specific vulnerabilities. Unsecured computers and devices. Un-patched software and operating systems. Unsecured network boundary devices. Unsecured web servers and email servers.

Unlocked filing cabinets.
Mobile 'phone leakage.
Cloud service information leakage.
Internet of Things (IoT) interception and attack.
Bring Your Own Devices (BYOD) vulnerabilities.

Assets

An asset can be tangible or intangible. Impacts usually apply to assets.

Likelihood or probability

Can be assessed quantitatively or qualitatively.

Risk

Risk = the impact or consequence of a vulnerability being exploited by a threat.
Threat evaluation = the impact or consequence times the likelihood or probability.

Calculating overall risk

A Business Impact Analysis (BIA) = determining the impact on one or more assets for each threat.

Risk Management

Terms: risk identification; risk evaluation; risk analysis; risk treatment.

3. Information Security Framework

xcxx

4. Security Life Cycles

xcxx

5. Procedural and People Security Controls

xcxx

6. Technical Security Controls

xcxx=

7. Physical and Environmental Security

xcxx

8. Disaster Recovery and Business Continuity Management

xcxx

9. Other Technical Aspects

xcxx

Course Outline

   The need for Information Security
   Information Security Management System (ISMS) concepts & definitions
   Information risk management
   Corporate governance
   Organisational responsibilities
   Policies, standards & procedures
   ISO/IEC 27002, 27001 & 13335
   Information security controls
   Incident management
   Legal framework - personal data, DPA, CMA, IPR & copyright, HR & employment issues
   Cryptographic models
   Data Communications & networks
   Physical security
   Auditing & gap analysis
   Training & raising awareness
   Business continuity
   Security investigations & forensics
Retrieved from "http://s-and-j.co.uk/wiki/index.php?title=BCS_Certification_in_Information_Security_Management_Principles&oldid=264"