Mgmt InfoSec Notes ch 3

1. What is an information security framework?

A framework is an outline of security controls that is part of creating or implementing a security model. The blueprint is based on the framework and contains more detail on the controls in place and the controls that are still needed.

3. What is a security model?

A security model is a generic blueprint that assists in creating a working security plan.

5. What is access control?

Access control enables an organization to define and regulate access to data, and is based on identification, authentication, authorization and accountability.

10. What is a data classification model? How is data classification different from clearance level?

Data classification attempts to categorize information based on the level of damage that would be done if the information were exposed. The more important the data, the higher the classification level. Clearance level is a rating scheme that attempts to categorize a user's role in an organization; access to information is granted to the group of users at each level.

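The following is an added worked example, not part of the original notes, that ties the two answers above together: it models the four elements of access control (identification, authentication, authorization, accountability) and decides authorization by comparing a user's clearance level against a document's classification level. The level names, user names, passwords and document ids are constructed for the illustration; the ordering rule (clearance must be at least the classification) is the usual reading of a level-based scheme and is an assumption of this example rather than something the notes specify.

```python
"""Toy access-control model based on classification and clearance levels.

Added illustrative example; level names, users and documents are constructed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

# Ordered classification levels, least to most sensitive (constructed names).
LEVELS = ["public", "internal", "confidential", "secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 hash so the controller never stores plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    name: str        # identity claimed at identification time
    clearance: str   # one of LEVELS
    salt: bytes
    pw_hash: bytes


@dataclass
class Document:
    doc_id: str
    classification: str  # one of LEVELS


@dataclass
class AccessController:
    users: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def add_user(self, name: str, clearance: str, password: str) -> None:
        if clearance not in RANK:
            raise ValueError(f"unknown clearance level: {clearance}")
        salt = os.urandom(16)
        self.users[name] = User(name, clearance, salt, hash_password(password, salt))

    def authenticate(self, name: str, password: str) -> Optional[User]:
        """Identification (look up the claimed name) then authentication (verify the secret)."""
        user = self.users.get(name)
        if user is None:
            self._record(name, "-", "AUTH_FAIL", "unknown user")
            return None
        if not hmac.compare_digest(user.pw_hash, hash_password(password, user.salt)):
            self._record(name, "-", "AUTH_FAIL", "bad password")
            return None
        self._record(name, "-", "AUTH_OK", "")
        return user

    def authorize(self, user: User, doc: Document) -> bool:
        """Authorization: the user's clearance must be at least the document's classification."""
        allowed = RANK[user.clearance] >= RANK[doc.classification]
        self._record(user.name, doc.doc_id, "ALLOW" if allowed else "DENY",
                     f"clearance={user.clearance} classification={doc.classification}")
        return allowed

    def request(self, name: str, password: str, doc: Document) -> bool:
        """Full decision path for one access request; every step is logged."""
        user = self.authenticate(name, password)
        if user is None:
            return False
        return self.authorize(user, doc)

    def _record(self, who: str, what: str, outcome: str, detail: str) -> None:
        """Accountability: append an audit entry for every decision, allowed or denied."""
        self.audit_log.append({"user": who, "object": what, "outcome": outcome, "detail": detail})


def demo() -> list:
    """Run a few constructed requests and return the resulting audit log."""
    ac = AccessController()
    ac.add_user("alice", "secret", "alice-pass")     # constructed
    ac.add_user("bob", "internal", "bob-pass")       # constructed
    report = Document("doc-1", "confidential")       # constructed
    ac.request("alice", "alice-pass", report)   # allowed: secret >= confidential
    ac.request("bob", "bob-pass", report)       # denied: internal < confidential
    ac.request("bob", "wrong-pass", report)     # denied at authentication
    ac.request("carol", "anything", report)     # denied: unknown identity
    return ac.audit_log


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

Note that the denied requests leave an audit record just like the allowed one; accountability only works if every decision, including failures, is recorded.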
11. Which international information security standards have evolved from the BS 7799 model? What do they include?

BS 7799 was published by the British Standards Institute. From this document, ISO/IEC 17799 was released, which was later renamed ISO/IEC 27002. BS 7799's second part became ISO/IEC 27001. These purchasable standards include recommendations for information security management for use by those who initiate, implement or maintain organizational security. The 2005 version includes the Plan-Do-Check-Act cycle, also known as the Deming quality assurance model.

13. What are the documents in the ISO/IEC 27000 series?

  • Risk Assessment and treatment
  • Security Policy
  • Organization of Information Security
  • Asset Management
  • Human Resource Security
  • Physical and Environmental security
  • Communications and Operations
  • Access Control
  • Information Systems Acquisition, Development and Management
  • Information Systems Incident Management
  • Business Continuity Management
  • Compliance

14. What is COBIT? Who is its sponsor? What does it accomplish?

COBIT stands for Control Objectives for Information and Related Technologies. It provides advice for the implementation of sound controls and control objectives for information security. COBIT provides a framework to support information security requirements and assessment needs, and breaks this into four domains: plan and organize, acquire and implement, deliver and support, and monitor and evaluate.

15. What are the two primary advantages of NIST security models?

  • NIST documents are publicly available at no charge
  • They have been around for some time and are broadly reviewed, and are therefore close to proven.