CISMP - Chapter 1 - Information Security Management Principles

Chapter 1

Information Security Management Principles

BCS Foundation Certificate in Information Security Management Principles
Learning objectives
• Identify definitions, meanings and use of concepts and terms across information security management.

• Explain the need for, and the benefits of, information security.
Definitions, meanings and use of concepts and terms across information security
• Confidentiality
⎻ Information not disclosed to unauthorised entities unless access is legitimate.

• Integrity
⎻ Ensuring completeness and accuracy of information.

• Availability
⎻ Accessible and usable when and where required.

• Non-repudiation
⎻ Unforgeable proof that an action took place.

• Cyber security
⎻ Ensuring networks, systems and information are protected in cyberspace.

• Assets
⎻ Things that have value.

• Asset types
⎻ Information, physical and software.

• Asset value
⎻ Financial, reputational, public image.

• Asset valuation
⎻ The process of establishing the value of assets.

• Threat
⎻ Something having the potential to do harm.

• Vulnerability
⎻ A weakness in an asset or control.

• Control
⎻ Something used to manage (treat) risk.

• Impact
⎻ The damage a threat can cause (also consequence).

• Likelihood
⎻ The chance that something will happen.

• Risk
⎻ The combination of impact and likelihood.

• Risk appetite and risk tolerance
⎻ The amount of risk an organisation is willing to bear.

• Information security policy
⎻ Document detailing how an organisation views the management of its information.

• The types, uses and purposes of controls
⎻ Strategic
• Avoid/Terminate, Share/Transfer, Reduce/Modify, Accept/Tolerate.
⎻ Tactical
• Detective, Corrective, Preventative, Directive.
⎻ Operational
• Physical, Procedural/People, Technical.

• Defence in depth
⎻ Multiple methods of protection within a system rather than a single method.

• Defence in breadth
⎻ Security at the application level.

• Identity, authentication, authorisation and accounting
⎻ Who are you? Prove it. What are you allowed to access? Show an audit trail.

• Accountability
⎻ Tracing actions to a unique entity.

• Audit
⎻ A process for objective evaluation.

• Compliance
⎻ Ensuring policy is being followed.

• Information security professionalism and ethics
⎻ The expectations, behaviours and standards expected of people working in information security.

• The Information Security Management System (ISMS) concept
⎻ A systematic approach used to establish, implement, operate, monitor, review, maintain and improve an organisation’s information security.

• Information assurance
⎻ Confidence that information systems can protect an organisation’s information security.

• Information governance
⎻ The overarching strategy for information management based on understanding risks.

The need for, and the benefits of, information security
• Information security provides for the protection of business assets and consequently relates strongly to the other areas of the organisation such as sales, marketing, production, finance, human resources, legal and regulatory functions.

• Information security must necessarily be adapted to fit different business models, such as finance, manufacturing, retail, government and entertainment.

• Rapidly changing information and business environments have a direct impact on information security, especially in the areas of legislation, technology, and societal factors such as social media.

• Organisations must balance the cost impact of implementing information security controls against the reduction in risk achieved. Not all controls will reduce the risk to zero, and some might not reduce it to the level of the organisation’s risk appetite.

• Information security must have a direct relationship with corporate governance and other areas of risk management, ensuring that information security fits into the organisation’s overall strategy.

• Information security should be seen not as a necessary evil or inhibitor to innovation, but as a business enabler, delivering value rather than cost and protecting the organisation’s information assets, whilst still allowing people to do their jobs.
