18 Compliance

Much has been said in the previous chapters about how and why information security is carried out. We have taken a close look at the risk analysis and determined a threat and risk profile. On the basis of this, we have taken physical, technical and organizational measures. Some measures are optional, whereas others are required by law. Legislation covers areas such as privacy, tax and finance, and regulations for banks and for companies listed on a stock exchange. A company’s own policy must also be observed.

In an earlier chapter, the PDCA cycle was discussed. Components of that cycle include both self-monitoring and monitoring that is carried out by an external auditor. These components involve reviewing the observance of internal and external legislation and regulations.

This chapter deals with compliance with legislation and regulations, and the manner in which this monitoring is carried out. In addition, there is an overview of some of the standards that are commonly used within the field of IT security.

18.1 WHAT IS COMPLIANCE?

Compliance can also be described as tractability, obligingness, pliability, tolerance and dutifulness. What it boils down to is that an organization must observe its own internal regulations as well as the laws of the country and the requirements of local legislation and regulations. Sometimes this can cause conflicts. Multinational organizations in particular have to adhere, on the one hand, to their own internal policies, whilst also ensuring that they operate consistently, and are seen to do so, in relation to international and local legislation and regulations.

Copyright protected. Use is for Single Users only via a VHP Approved License. For information and printed versions please see www.vanharen.net

138 Foundations of Information Security

18.1.1 Compliance measures

As a result of the above, it has become clear that producing an internal policy within an organization is the way to become compliant. The first step for an organization is to produce a policy in which it declares that it must comply with the national and local legislation and regulations. In addition, procedures, guidelines and tools must be developed that clarify these regulations and help employees apply them in practice. Risk analyses must be conducted to ensure that the relevant risks are identified, the correct security levels are set, and the appropriate measures for those security levels are determined and implemented.

Compliance is related to the field of security but is a specialized field of expertise. In order to achieve compliance it is important to work closely with legal experts.

18.1.2 Observance of statutory regulations

The primary goal of every company is to achieve its own business objectives. This means producing a certain product or providing certain services. For example, the police and special investigation bodies ensure that specific legislation and regulations are observed. Every company, however, must observe local legislation, regulations and contractual obligations. The security requirements that a company must meet are strongly related to these.

Although local legislation and regulations adhere to international agreements, this does not mean that they are designed to support companies that operate internationally. These companies require a top-level policy that is somewhat more general, and whose underlying policy documents have to be adapted to the legislation in force in the country in which they are based, in order to do business locally. Legislative requirements may differ quite a bit, particularly in the area of privacy, and therefore the manner in which one deals with information that may be privacy-related should also differ.
In order to ensure that legislative and regulatory requirements are observed, it is always important to seek legal advice from the organization’s local legal advisers or from qualified attorneys. There is no one-size-fits-all when it comes to regulations. There are, for instance, regulations that apply only to financial institutions, and there are security regulations for the government. Government-specific regulations are usually country-specific and can include security regulations for special (sensitive or classified) information. Special information is a term for information that needs extra protection because of its sensitive nature, which stems from its potential impact on, or risk to, national security. For example, the European Commission has five levels for classifying special information. These levels are EU Top Secret, EU Secret, EU Confidential, EU Restricted, and EU Council / Commission. NATO also has five levels but uses slightly different terms. The five levels are Cosmic Top Secret, Focal Top Secret, NATO Secret, NATO Confidential and NATO Restricted.

18.1.3 Intellectual property rights (IPR)

When a company uses software, the use of material which could be subject to intellectual property rights (IPR) must be addressed. The following guidelines need to be considered in order to protect material that may be deemed intellectual property. It is important to understand that copyright material also needs to be addressed in order to ensure compliance with copyright legislation. You should:

■ Publish a policy regarding compliance with intellectual property rights, or copyright material, in which the legal use of computer programs and information products is defined;
■ Maintain awareness of the policy for the protection of intellectual property rights, and include in the IPR policy the disciplinary measures the organization will take against any employees who violate this policy;
■ Recognize that intellectual property rights include copyright to computer programs, documents, design rights, trademarks, patents and source code licenses;
■ Only purchase computer programs from well-known and recognized suppliers to ensure no copyright is infringed;
■ Ensure that if open source software is used, the associated license is respected and observed;
■ Maintain a register of assets and identify all of the associated requirements for these assets in relation to the protection of intellectual property rights;
■ Understand that computer programs which are subject to property rights are usually supplied on the basis of a license agreement which states the license conditions.

18.1.4 Privacy and protection of personally identifiable information

The right to privacy is a highly developed area of law in Europe. All the member states of the European Union (EU) are also signatories to the European Convention on Human Rights (ECHR).
Article 8 of the ECHR provides a right to respect for one’s “private and family life, his home and his correspondence,” subject to certain restrictions. The European Court of Human Rights has given this article a very broad interpretation in its jurisprudence. In 1981 the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data was negotiated within the Council of Europe. This convention obliges the signatories to enact legislation concerning the automatic processing of personal data, which many duly did.

In order to understand the EU Directive, it is necessary to understand how and why EU and U.S. perspectives on data protection and privacy differ. The United States prefers what is called a ‘sectoral’ approach to data protection legislation, relying on a combination of legislation, regulation and self-regulation, rather than overarching governmental regulations. Former U.S. President Bill Clinton and former Vice President Al Gore explicitly recommended in their ‘Framework for Global Electronic Commerce’ that the private sector should lead, and that companies should implement self-regulation in reaction to issues brought on by Internet technology. To date, the U.S. has no single, overarching privacy law comparable to the EU Directive. Privacy legislation in the United States tends to be adopted on an ‘as needed’ basis, with legislation arising when certain sectors and circumstances require it (e.g., the Video Protection Act of 1988, the Cable Television Consumer Protection and Competition Act of 1992, and the Fair Credit Reporting Act). Therefore, while certain sectors may already satisfy the EU Directive, at least in part, most do not.

Case Springbooks

The bookstore handles a variety of information that should comply with privacy legislation. Examples of such information are customer-related information and employee-related information. In order to process this data the bookstore is aware that it must comply with certain regulations, though it is unsure which. It is important to know what laws and regulations apply to the data being processed within the information systems. In order to do this it is not only important to look at the information itself, but also at the information systems that are used to process the data and the infrastructure that is used to transport the data. For the bookstore this analysis resulted in maintaining regional databases where customer data is processed: one for the US, and one for the countries in which the EU privacy directive is applicable. Since the local implementation of this directive can vary slightly between EU countries, local lawyers are consulted in order to ensure compliance in this area.

Compliance not only involves observing the legislation and regulations prescribed by governments; the translation of these into internal rules also plays an important role. In recent years, a worldwide standard for information security has been developed in the form of the Code for Information Security that was mentioned earlier. This is the ISO 27002 standard that is part of the ISO 27000 series. Various standardization bodies in the European Union and internationally have adopted this ISO standard. Thus, a far-reaching standard for security measures has been created for government and business.

18.1.5 Protecting data and the confidentiality of personal data

The protection of data and privacy falls under personal data protection legislation and guidelines. In addition, contractual stipulations with a customer may play a part. Every organization should have a policy for the protection of personal data, and this policy should be known to everybody who processes personal data.
Observing this policy and all the relevant legislation and regulations for data protection can often best be achieved by appointing a person who is specifically responsible for the protection of data and who supports managers, users and service providers in the execution of their duties in this area. Of course, there also have to be technical and organizational measures in place to protect personal data. It is an important point that the citizen has the right to inspect his or her registered data, so organizations should have a policy and procedures in place for this.

18.1.6 Protection of records

The tools used for system audits, for example computer programs or databases, must be kept separate from development systems and production systems and should not be stored in tape libraries or users’ rooms, unless additional protective measures of a suitable level have been taken. If third parties are involved in an audit, there is the risk that the audit tools and the information to which this third party has access may be misused. Measures such as limiting access to only those systems that the auditor needs for his investigation, a non-disclosure agreement and limiting physical access may be considered to help mitigate this risk. Once an audit is complete, the organization should immediately change any passwords that were given to the auditors.

Finally, after everything that has been discussed, one unchangeable rule will always apply: no matter how well an organization has planned its security, security is only as strong as the weakest link.

18.2 INFORMATION SECURITY REVIEWS

Reviews are useful as a means of periodically evaluating security measures, processes and procedures. Depending on the scope of a review, it can be used for different purposes. Reviews can be applied to test whether security measures conform to defined requirements such as company standards, legislation and regulations. They are applied to evaluate whether the security measures are in line with the specific security requirements identified for an information system, and whether these measures are implemented and maintained effectively. Finally, reviews also help to verify that these measures are working as specified and expected.

In order to make sure that the importance of reviews is sufficiently addressed, they should be part of a review program. Elements of a review program include, amongst other things, the scope of the reviews, review criteria, frequency and review methodologies. The plan should state what areas need to be reviewed, along with the outcomes of previous reviews.
It is important to pay special attention to the selection of the auditors, since they need to be objective to ensure the impartiality of the review process. One golden rule is that an auditor should never review his own work. A documented procedure is needed that describes the responsibilities within a scope for defining the planning of, and conducting of, reviews. The responsible manager should ensure that any identified non-conformities are addressed and that their causes are investigated. Furthermore, he should ensure that any required actions are taken and verify the results of these actions.

Finally, the internal and/or external auditor should check whether the organization complies with the regulations. The auditor does this by looking at whether a specific measure is in place. Is it included in the policy? Is it observed in practice? Does the measure function as it should?

18.2.1 Compliance with security policies and standards

There are many organizations and standards concerned with information security. Important standards are developed by ISO, NIST and ANSI. In Europe ISO is the most commonly used. In the USA the NIST and ANSI standards are more common. Most of the standards cover the same security objectives. Each standard gives extra attention to a particular element within the discipline, which differentiates it from the other standards.

ISO

ISO, founded in 1947, is a worldwide federation of national standards bodies from some 100 countries, with one standards body representing each member country. The American National Standards Institute (ANSI), for example, represents the United States. Member organizations collaborate in the development and promotion of international standards. Among the standards the ISO fosters is Open Systems Interconnection (OSI), a universal reference model for communication protocols.

NIST

NIST (National Institute of Standards and Technology) is a unit of the US Commerce Department. The NIST 800 Series is a set of documents that describes United States federal government computer security policies, procedures and guidelines. The documents are available free of charge, and can be useful to businesses and educational institutions, as well as to government agencies. NIST 800 Series publications evolved as a result of exhaustive research into workable and cost-effective methods for optimizing the security of information technology (IT) systems and networks in a proactive manner. The publications cover all NIST-recommended procedures and criteria for assessing and documenting threats and vulnerabilities and for implementing security measures to minimize the risk of adverse events. The publications can be useful as guidelines for the enforcement of security rules and as legal references in case of litigation involving security issues.
In February 2014 NIST published a brand new cyber security framework for critical infrastructures. This framework is very interesting for any industry dealing with critical infrastructures. It provides a useful viewpoint on the implementation of such a security framework, and it uses not only NIST standards but also ISO (27xxx) standards.

ANSI

ANSI (American National Standards Institute) is the primary organization for fostering the development of technology standards in the United States. ANSI works with industry groups and is the U.S. member of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Long-established computer standards from ANSI include the American Standard Code for Information Interchange (ASCII) and the Small Computer System Interface (SCSI).

Other important standards are developed by ITU and IEEE.

ITU-T

The ITU-T (Telecommunication Standardization Sector of the International Telecommunications Union) is the primary international body for fostering cooperative standards for telecommunications equipment and systems. It was formerly known as the CCITT and is located in Geneva, Switzerland.

IEEE

The IEEE (Institute of Electrical and Electronics Engineers) describes itself as “the world’s largest technical professional society - promoting the development and application of electrotechnology and allied sciences for the benefit of humanity, the advancement of the profession, and the wellbeing of our members.” The IEEE fosters the development of standards that often become national and international standards. The organization publishes a number of journals, has many local chapters, and several large societies in special areas, such as the IEEE Computer Society. Wireless networking protocols used worldwide are based on IEEE technology, such as IEEE 802.11a, 802.11b, 802.11g, 802.11n and the newer 802.11ac, which provide wireless connectivity, and the encryption standards WEP and WPA.

OWASP

The Open Web Application Security Project (OWASP) is an open-source application security project. The OWASP community includes corporations, educational organizations and individuals from around the world. This community works to create freely-available articles, methodologies, documentation, tools, and technologies. The OWASP Foundation is a charitable organization that supports and manages OWASP projects and infrastructure. OWASP is not affiliated with any technology company, although it supports the informed use of security technology. OWASP has avoided affiliation as it believes freedom from organizational pressures may make it easier for it to provide unbiased, practical, cost-effective information about application security. OWASP advocates approaching application security by considering the people, process, and technology dimensions.

OWASP is also an emerging standards body, with the publication of its first standard in December 2008, the OWASP Application Security Verification Standard (ASVS). The primary aim of the OWASP ASVS project is to normalize the range of coverage and level of rigor available in the market when it comes to performing application-level security verification. The goal is to create a set of commercially-workable open standards that are tailored to specific web-based technologies. A Web Application Edition has been published and a Web Service Edition is under development.

The Payment Card Industry (PCI)

It is a fact that commerce using the Internet relies solely on trust; users will not use systems that they believe are insecure. Payment Card Industry (PCI) compliance is mandatory for merchants, third-party processors and service bureaus; it is not optional. PCI has adopted OWASP as the de facto standard for securing payment cards.
Appendix A Glossary

Availability: Ensures the reliable and timely access to data or computing resources by the appropriate personnel. In other words, availability guarantees that the systems are up and running when needed. In addition, this concept guarantees that the security services required by the security practitioner are in working order.

Due care: Shows that a company has taken responsibility for the activities that take place within the corporation and has taken the necessary steps to help protect the company, its resources, and employees from possible threats.

Due diligence: The act of investigating and understanding the risks the company (or governmental organization) faces. A company practices due care by developing and implementing security policies, procedures, and standards.

Evaluation: Process of comparing the estimated risk against given risk criteria to determine the significance of the risk.

Exposure: An exposure is an instance of being exposed to losses from a threat agent. A vulnerability exposes an organization to possible damages.

Hoax: A hoax is a message that tries to convince the reader of its veracity and then persuades the reader to carry out a particular action. The spread of a hoax depends on readers deliberately sending the message to other potential victims, who may then also do the same.

Information architecture: The definition of an architecture as used in ISO/IEC/IEEE Standard 42010:2011 is: “The fundamental organization of a system, embodied in its components, their relationships to each other and the environment, and the principles governing its design and evolution.”

Logic bomb: A piece of code that is built into a software system. This code will then carry out a function when specific conditions are met. This is not always used for malicious purposes. A computer programmer, for example, may build in code which destroys (sensitive) files once they leave the company network. Viruses and worms often contain logic bombs, which usually have a built-in delay for the execution of the virus or the spread of the worm.

Risk: The likelihood of a threat agent taking advantage of a vulnerability and the corresponding business impact.

Risk analysis: Systematic use of information to identify sources and to estimate the risk.

Risk assessment: Overall process of risk analysis and risk evaluation.

Risk avoidance: The measures taken so that a threat is neutralized to such an extent that the threat no longer leads to an incident. Consider, for example, the software patches for an operating system. By patching the OS immediately after the patches are available, you are protecting your system against known technical problems or security issues. Many of the countermeasures within this strategy have a preventive character.

Risk bearing: Recognition of the fact that certain risks are accepted. This could be because the costs of the security measures exceed the possible damage. But it could also be that the management decides to do nothing even if the costs are not higher than the possible damage. The measures that a risk-bearing organization takes in the area of information security are usually of a repressive nature.

Risk management: The process of planning, organizing, leading, and controlling the activities of an organization in order to minimize the effects of risk on an organization’s capital and earnings.

Risk neutral: The security measures taken are such that the threats either no longer manifest themselves or, if they do, the resulting damage is minimized. The majority of measures taken in the area of information security by a risk-neutral organization are a combination of preventive, detective and repressive measures.

Risk treatment: The process of selection and implementation of measures to modify risk.

Rootkit: A set of software tools that are often used by a third party (usually a hacker) after having gained access to a (computer) system. The rootkit hides itself deep in the operating system, possibly resulting in the operating system becoming unstable. A rootkit is almost impossible to remove without damaging the operating system.

Security controls: Security controls are measures taken to safeguard an information system from attacks against the confidentiality, integrity and availability (CIA) of the information system. Note that the terms safeguard and countermeasure are sometimes used as synonyms for security control.

Spyware: A computer program that collects information on the computer user and sends this information to another party. The purpose of this is to make money. Spyware does not purposely try to damage the PC and/or the installed software, but rather to violate privacy.

Storm Worm: Since January 2007 the Internet has been plagued by the Storm Worm, a so-called botnet, which, according to various estimations, has infected millions of computers.

Threat: A potential cause of an unwanted incident, which may result in harm to a system or organization.

Threat agent: The entity that takes advantage of a vulnerability is referred to as a threat agent.

Trojan: A trojan is a program which, in addition to the function that it appears to perform, purposely conducts secondary activities, unnoticed by the computer user, which can harm the integrity of the infected system.

Virus: A small computer program that purposely replicates itself, sometimes in an altered form. The replicated versions of the original virus are, by virtue of this definition, also viruses. In order for the virus to spread it is dependent upon carriers that contain executable code.

Vulnerability: A weakness of an asset or group of assets that can be exploited by one or more threats.

Worm: A small computer program that purposely replicates itself. The results of the replication are copies of the original spreading to other systems by making use of the network facilities of its host.
Appendix B Overview of family of ISO 27000 standards

Nearly forty ‘ISO 27000’ standards are planned, more than half of which have been published and are on sale at the international[10] or local[11] IEC/ISO organization. These are:

■ ISO/IEC 27000:2014 provides an overview/introduction to the ISO27000 standards plus a glossary for the specialist vocabulary.
■ ISO/IEC 27001:2022 is the Information Security Management System (ISMS) requirements standard, a formal specification for an ISMS.
■ ISO/IEC 27002:2013 is the code of practice for information security controls, describing good practice information security control objectives and controls.
■ ISO/IEC 27003:2010 provides guidance on implementing ISO/IEC 27001.
■ ISO/IEC 27004:2009 covers information security management measurement.
■ ISO/IEC 27005:2011 covers information security risk management.
■ ISO/IEC 27006:2011 is a guide to the certification or registration process for accredited ISMS certification or registration bodies.
■ ISO/IEC 27007:2011 is a guide to auditing Information Security Management Systems.
■ ISO/IEC TR 27008:2011 concerns the auditing of ‘technical’ security controls.
■ ISO/IEC 27009 will advise those producing standards for sector-specific applications of ISO27000.
■ ISO/IEC 27010:2012 provides guidance on information security management for inter-sector and inter-organizational communications.
■ ISO/IEC 27011:2008 is the information security management guideline for telecommunications organizations (published as ITU X.1051 too).
■ ISO/IEC 27013:2012 provides guidance on the integrated implementation of both ISO/IEC 27001 (ISMS) and ISO/IEC 20000-1 (IT service management).
■ ISO/IEC 27014:2022 offers guidance on the governance of information security.
■ ISO/IEC TR 27015:2012 provides information security management guidelines for financial services.
■ ISO/IEC TR 27016:2014 covers the economics of information security management.
■ ISO/IEC 27017 will cover information security controls for cloud computing. Status update Dec 22.
■ ISO/IEC 27018 covers PII (Personally Identifiable Information) in public clouds.
■ ISO/IEC TR 27019:2022 covers information security for process control in the energy industry.
■ ISO/IEC 27021 is proposed to explain the competencies and knowledge required by information security management professionals.
■ ISO/IEC TR 27023 will map between the 2005 and 2022 versions of 27001 and 27002.
■ ISO/IEC 27031:2011 is an ICT-focused standard on business continuity.
■ ISO/IEC 27032:2012 covers cybersecurity.
■ ISO/IEC 27033:2009+ is replacing the multi-part ISO/IEC 18028 standard on IT network security (parts 1, 2, 3, 4 & 5 are published, part 6 is in preparation).
■ ISO/IEC 27034:2014 provides guidelines for application security.
■ ISO/IEC 27035:2011 covers information security incident management.
■ ISO/IEC 27036:2022+ is a multi-part security guideline for supplier relationships, including the relationship management aspects of cloud computing (parts 1, 2 and 3 have been published).
■ ISO/IEC 27037:2012 covers identifying, gathering and preserving digital evidence.
■ ISO/IEC 27038:2014 is a specification for digital redaction.
■ ISO/IEC 27039 will concern intrusion detection and prevention systems.
■ ISO/IEC 27040 will offer guidance on storage security.
■ ISO/IEC 27041 will offer guidance on assurance for digital evidence investigation methods.
■ ISO/IEC 27042 will offer guidance on analysis and interpretation of digital evidence.
■ ISO/IEC 27043 will offer guidance on digital evidence investigation principles and processes.
■ ISO/IEC 27044 will offer guidance on SIEM (Security Incident and Event Management).
■ ISO/IEC 27050 will offer guidance on electronic discovery.
■ ISO 27799:2008 provides health sector specific ISMS implementation guidance based on ISO/IEC 27002:2005.

[10] http://www.iso.org/iso/home.html
[11] The local ISO organization or ISO/IEC representing organization often offers the original (English) version and a local translation.
Appendix C.1 Example exam INTRODUCTION This is the sample exam for the EXIN Information Security Foundation based on ISO/ IEC 27002. This sample exam consists of 40 multiple choice questions. Each multiple-choice question has a number of possible answers, of which only one is the correct answer. The maximum number of points that can be obtained for this exam is 40. Each correct answer is worth one point. If you obtain 26 points or more you will pass. The time allowed for these sample questions is 60 minutes. No rights may be derived from this information. Good luck! Copyright protected. Use is for Single Users only via a VHP Approved License. For information and printed versions please see www.vanharen.net
Sample exam

1 of 40
What is the relationship between data and information?
A. Data is structured information.
B. Information is the meaning and value assigned to a collection of data.

2 of 40
In order to take out a fire insurance policy, an administration office must determine the value of the data that it manages.
Which factor is not important for determining the value of data for an organization?
A. The content of data.
B. The degree to which missing, incomplete or incorrect data can be recovered.
C. The indispensability of data for the business processes.
D. The importance of the business processes that make use of the data.

3 of 40
A hacker gains access to a webserver and can view a file on the server containing credit card numbers.
Which of the Confidentiality, Integrity, Availability (CIA) principles of the credit card file are violated?
A. Availability
B. Confidentiality
C. Integrity

4 of 40
There is a network printer in the hallway of the company where you work. Many employees don’t pick up their printouts immediately and leave them on the printer.
What are the consequences of this to the reliability of the information?
A. The integrity of the information is no longer guaranteed.
B. The availability of the information is no longer guaranteed.
C. The confidentiality of the information is no longer guaranteed.
5 of 40
A well-executed risk analysis provides a great deal of useful information. A risk analysis has four main objectives.
What is not one of the four main objectives of a risk analysis?
A. Identifying assets and their value
B. Implementing counter measures
C. Establishing a balance between the costs of an incident and the costs of a security measure
D. Determining relevant vulnerabilities and threats

6 of 40
An administration office is going to determine the dangers to which it is exposed.
What do we call a possible event that can have a disruptive effect on the reliability of information?
A. dependency
B. threat
C. vulnerability
D. risk

7 of 40
What is the purpose of risk management?
A. To determine the probability that a certain risk will occur.
B. To determine the damage caused by possible security incidents.
C. To outline the threats to which IT resources are exposed.
D. To implement measures to reduce risks to an acceptable level.

8 of 40
A couple of years ago you started your company which has now grown from 1 to 20 employees. Your company’s information is worth more and more and gone are the days when you could keep control yourself. You are aware that you have to take measures, but what should they be? You hire a consultant who advises you to start with a qualitative risk analysis.
What is a qualitative risk analysis?
A. This analysis follows a precise statistical probability calculation in order to calculate exact loss caused by damage.
B. This analysis is based on scenarios and situations and produces a subjective view of the possible threats.
9 of 40
There was a fire in a branch of the company Midwest Insurance. The fire department quickly arrived at the scene and could extinguish the fire before it spread and burned down the entire premises. The server, however, was destroyed in the fire. The back-up tapes kept in another room had melted and many other documents were lost for good.
What is an example of the indirect damage caused by this fire?
A. Melted back-up tapes
B. Burned computer systems
C. Burned documents
D. Water damage due to the fire extinguishers

10 of 40
You are the owner of the courier company SpeeDelivery. You have carried out a risk analysis and now want to determine your risk strategy. You decide to take measures for the large risks but not for the small risks.
What is this risk strategy called?
A. Risk bearing
B. Risk avoidance
C. Risk neutral

11 of 40
What is an example of a human threat?
A. A USB-stick passes on a virus to the network.
B. Too much dust in the server room.
C. A leak causes a failure of electricity supply.

12 of 40
What is an example of a human threat?
A. a lightning strike
B. fire
C. phishing
13 of 40
You work in the office of a large company. You receive a call from a person claiming to be from the Helpdesk. He asks you for your password.
What kind of threat is this?
A. Natural threat
B. Organizational threat
C. Social Engineering

14 of 40
A fire breaks out in a branch office of a health insurance company. The personnel are transferred to neighboring branches to continue their work.
Where in the incident cycle is moving to a stand-by arrangement found?
A. between threat and incident
B. between recovery and threat
C. between damage and recovery
D. between incident and damage

15 of 40
Information has a number of reliability aspects. Reliability is constantly being threatened. Examples of threats are: a cable becomes loose, someone alters information by accident, data is used privately or is falsified.
Which of these examples is a threat to integrity?
A. a loose cable
B. accidental alteration of data
C. private use of data

16 of 40
A member of staff denies sending a particular message.
Which reliability aspect of information is in danger here?
A. availability
B. correctness
C. integrity
D. confidentiality
17 of 40
How is the purpose of information security policy best described?
A. An information security policy documents the analysis of risks and the search for countermeasures.
B. An information security policy provides direction and support to the management regarding information security.
C. An information security policy makes the security plan concrete by providing it with the necessary details.
D. An information security policy provides insight into threats and the possible consequences.

18 of 40
A security incident regarding a webserver is reported to a helpdesk employee. His colleague has more experience on webservers, so he transfers the case to her.
Which term describes this transfer?
A. Functional escalation
B. Hierarchical escalation

19 of 40
A worker from an insurance company discovers that the expiration date of a policy has been changed without her knowledge. She is the only person authorized to do this. She reports this security incident to the Helpdesk. The Helpdesk worker records the following information regarding this incident:
■ date and time
■ description of the incident
■ possible consequences of the incident
What most important information about the incident is missing here?
A. the name of the person reporting the incident
B. the name of the software package
C. the PC number
D. a list of people who were informed about the incident
20 of 40
In the incident cycle there are four successive steps.
Which step follows after the step Incident?
A. Threat
B. Damage
C. Recovery

21 of 40
Which measure is a preventive measure?
A. Installing a logging system that enables changes in a system to be recognized
B. Shutting down all internet traffic after a hacker has gained access to the company systems
C. Putting sensitive information in a safe

22 of 40
What is a repressive measure in case of a fire?
A. Taking out a fire insurance
B. Putting out a fire after it has been detected by a fire detector
C. Repairing damage caused by the fire

23 of 40
What is the goal of classification of information?
A. To create a manual about how to handle mobile devices
B. Applying labels making the information easier to recognize
C. Structuring information according to its sensitivity

24 of 40
Who is authorized to change the classification of a document?
A. The author of the document
B. The administrator of the document
C. The owner of the document
D. The manager of the owner of the document
25 of 40
The computer room is protected by a pass reader. Only the System Management department has a pass.
What type of security measure is this?
A. a corrective security measure
B. a physical security measure
C. a logical security measure
D. a repressive security measure

26 of 40
Strong authentication is needed to access highly protected areas. In case of strong authentication the identity of a person is verified by using three factors.
Which factor is verified when we must show our access pass?
A. something you are
B. something you have
C. something you know

27 of 40
In physical security multiple expanding zones (protection rings) can be applied in which different measures can be taken.
What is not a protection ring?
A. Building
B. Middle ring
C. Object
D. Outer ring

28 of 40
Which threat can occur as a result of the absence of a physical measure?
A. A user can view the files belonging to another user.
B. A server shuts down because of overheating.
C. A confidential document is left in the printer.
D. Hackers can freely enter the computer network.
29 of 40
Which security measure is a technical measure?
A. Allocating information to an owner
B. Encryption of files
C. Creating a policy defining what is and is not allowed in e-mail
D. Storing system management passwords in a safe

30 of 40
The back-ups of the central server are kept in the same locked room as the server.
What risk does the organization face?
A. If the server crashes, it will take a long time before the server is again operational.
B. In the event of fire it is impossible to get the system back to its former state.
C. No one is responsible for the back-ups.
D. Unauthorized persons have easy access to the back-ups.

31 of 40
Which type of malware builds a network of contaminated computers?
A. Logic Bomb
B. Storm Worm or Botnet
C. Trojan
D. Spyware

32 of 40
Within an organization the security officer detects that a workstation of an employee is infected with malicious software. The malicious software was installed due to a targeted Phishing attack.
Which action is the most beneficial to prevent such incidents in the future?
A. Implementing MAC technology
B. Start a security awareness program
C. Update the firewall rules
D. Update the signatures of the spamfilter
33 of 40
You work in the IT department of a medium-sized company. Confidential information has come into the wrong hands several times. This has hurt the image of the company. You have been asked to propose organizational security measures for laptops at your company.
What is the first step that you should take?
A. Formulate a policy regarding mobile media (PDAs, laptops, smartphones, USB sticks)
B. Appoint security personnel
C. Encrypt the hard disks of laptops and USB sticks
D. Set up an access control policy

34 of 40
What is the name of the system that guarantees the coherence of information security in the organization?
A. Information Security Management System (ISMS)
B. Rootkit
C. Security regulations for special information for the government

35 of 40
What is ‘establishing whether someone’s identity is correct’ called?
A. Authentication
B. Authorization
C. Identification

36 of 40
Why is it necessary to keep a disaster recovery plan up to date and to test it regularly?
A. In order to always have access to recent back-ups that are located outside the office.
B. In order to be able to cope with daily occurring faults.
C. Because otherwise, in the event of a far-reaching disruption, the measures taken and the incident procedures planned may not be adequate or may be outdated.
D. Because this is required by Personal Data Protection legislation.
37 of 40
On the basis of which legislation can someone request to inspect the data that has been registered about him or her?
A. Public records legislation
B. Personal data protection legislation
C. Computer criminality legislation
D. Government information (public access) legislation

38 of 40
Which is a legislative or regulatory act related to information security that can be imposed upon all organizations?
A. Intellectual Property Rights
B. ISO/IEC 27001:2013
C. ISO/IEC 27002:2013
D. Personal data protection legislation

39 of 40
You are the owner of the courier company SpeeDelivery. You employ a few people who, while waiting to make a delivery, can carry out other tasks. You notice, however, that they use this time to send and read their private mail and surf the Internet.
In legal terms, in which way can the use of the Internet and e-mail facilities be best regulated?
A. Installing an application that makes certain websites no longer accessible and that filters attachments in e-mails
B. Drafting a code of conduct for the use of the Internet and e-mail in which the rights and obligations of both the employer and staff are set down
C. Implementing privacy regulations
D. Installing a virus scanner

40 of 40
Under which condition is an employer permitted to check if Internet and e-mail services in the workplace are being used for private purposes?
A. The employer is permitted to check this if the employee is informed after each instance of checking.
B. The employer is permitted to check this if the employees are aware that this could happen.
C. The employer is permitted to check this if a firewall is also installed.
Appendix C.2 Answer Key

1 of 40
What is the relationship between data and information?
A. Data is structured information.
B. Information is the meaning and value assigned to a collection of data.

A. Incorrect. Information is structured data.
B. Correct. Information is data that has a meaning in some context for its receiver. (§3.1)

2 of 40
In order to take out a fire insurance policy, an administration office must determine the value of the data that it manages.
Which factor is not important for determining the value of data for an organization?
A. The content of data.
B. The degree to which missing, incomplete or incorrect data can be recovered.
C. The indispensability of data for the business processes.
D. The importance of the business processes that make use of the data.

A. Correct. The content of data does not determine its value. (§3.12.4)
B. Incorrect. Missing, incomplete or incorrect data that can be easily recovered is less valuable than data that is difficult or impossible to recover.
C. Incorrect. The indispensability of data for business processes in part determines the value.
D. Incorrect. Data critical to important business processes is therefore valuable.

3 of 40
A hacker gains access to a webserver and can view a file on the server containing credit card numbers.
Which of the Confidentiality, Integrity, Availability (CIA) principles of the credit card file are violated?
A. Availability
B. Confidentiality
C. Integrity

A. Incorrect. The hacker did not delete the file or deny access to authorized entities in any way; therefore the availability was not harmed.
B. Correct. The hacker was able to read the file (confidentiality). (§3.3)
C. Incorrect. No information in the credit card file was altered; therefore the integrity of the file was not violated.

4 of 40
There is a network printer in the hallway of the company where you work. Many employees don’t pick up their printouts immediately and leave them on the printer.
What are the consequences of this to the reliability of the information?
A. The integrity of the information is no longer guaranteed.
B. The availability of the information is no longer guaranteed.
C. The confidentiality of the information is no longer guaranteed.

A. Incorrect. The integrity of the information on the prints is still guaranteed, for it is on paper.
B. Incorrect. The information is still available in the system that was used to create and print it.
C. Correct. The information can end up with, or be read by, persons who should not have access to it. (§3.3)

5 of 40
A well-executed risk analysis provides a great deal of useful information. A risk analysis has four main objectives.
What is not one of the four main objectives of a risk analysis?
A. Identifying assets and their value
B. Implementing counter measures
C. Establishing a balance between the costs of an incident and the costs of a security measure
D. Determining relevant vulnerabilities and threats

A. Incorrect. This is one of the main objectives of a risk analysis.
B. Correct. This is not an objective of a risk analysis. Measures can be selected once the risk analysis has determined which risks require a security measure. (§3.12.3)
C. Incorrect. This is one of the main objectives of a risk analysis.
D. Incorrect. This is one of the main objectives of a risk analysis.

6 of 40
An administration office is going to determine the dangers to which it is exposed.
What do we call a possible event that can have a disruptive effect on the reliability of information?
A. dependency
B. threat
C. vulnerability
D. risk

A. Incorrect. A dependency is not an event.
B. Correct. A threat is a possible event that can have a disruptive effect on the reliability of information. (§3.8)
C. Incorrect. Vulnerability is the degree to which an object is susceptible to a threat.
D. Incorrect. A risk is the average expected damage over a period of time as a result of one or more threats leading to disruption(s).

7 of 40
What is the purpose of risk management?
A. To determine the probability that a certain risk will occur.
B. To determine the damage caused by possible security incidents.
C. To outline the threats to which IT resources are exposed.
D. To implement measures to reduce risks to an acceptable level.

A. Incorrect. This is part of risk analysis.
B. Incorrect. This is part of risk analysis.
C. Incorrect. This is part of risk analysis.
D. Correct. The purpose of risk management is to reduce risks to an acceptable level. (§3.12.1)

8 of 40
A couple of years ago you started your company which has now grown from 1 to 20 employees. Your company’s information is worth more and more and gone are the days when you could keep control yourself. You are aware that you have to take measures, but what should they be? You hire a consultant who advises you to start with a qualitative risk analysis.
What is a qualitative risk analysis?
A. This analysis follows a precise statistical probability calculation in order to calculate exact loss caused by damage.
B. This analysis is based on scenarios and situations and produces a subjective view of the possible threats.

A. Incorrect. In a quantitative risk analysis, an attempt is made to numerically determine the probabilities of various events and the likely extent of the losses if a particular event takes place.
B. Correct. A qualitative risk analysis involves defining the various threats, determining the extent of the vulnerabilities, and devising countermeasures, should an attack occur. (§3.12.5)

9 of 40
There was a fire in a branch of the company Midwest Insurance. The fire department quickly arrived at the scene and could extinguish the fire before it spread and burned down the entire premises. The server, however, was destroyed in the fire. The back-up tapes kept in another room had melted and many other documents were lost for good.
What is an example of the indirect damage caused by this fire?
A. Melted back-up tapes
B. Burned computer systems
C. Burned documents
D. Water damage due to the fire extinguishers

A. Incorrect. Melted back-up tapes are direct damage caused by the fire.
B. Incorrect. Burned computer systems are direct damage caused by the fire.
C. Incorrect. Burned documents are direct damage caused by the fire.
D. Correct. Water damage due to the fire extinguishers is indirect damage caused by the fire. This is a side effect of putting out the fire, which is aimed at minimizing the damage caused by the fire. (§3.16)

10 of 40
You are the owner of the courier company SpeeDelivery. You have carried out a risk analysis and now want to determine your risk strategy. You decide to take measures for the large risks but not for the small risks.
What is this risk strategy called?
A. Risk bearing
B. Risk avoidance
C. Risk neutral
Appendix C.2 Answer Key 167 A. Correct. This means certain risks are accepted. (§3.17) B. Incorrect. This means that measures are taken so that the threat is neutralized to such an extent that it no longer leads to an incident. C. Incorrect. This means that the security measures are taken such that the threats either no longer manifest themselves, or if they do, the resulting damage is minimized. 11 of 40 What is an example of a human threat? A. A USB-stick passes on a virus to the network. B. Too much dust in the server room. C. A leak causes a failure of electricity supply. A. Correct. A USB-stick is always inserted by a person. Thus, if by doing so a virus enters the network, then it is a human threat. (§3.15.1) B. Incorrect. Dust is not a human threat, but a non-human threat. C. Incorrect. A leak is not a human threat, but a non-human threat. 12 of 40 What is an example of a human threat? A. a lightning strike B. fire C. phishing A. Incorrect. A lightning strike is an example of a non-human threat. B. Incorrect. Fire is an example of a non-human threat. C. Correct. Phishing (luring users to false websites) is one form of a human threat. (§12.4.2) 13 of 40 You work in the office of a large company. You receive a call from a person claiming to be from the Helpdesk. He asks you for your password. What kind of threat is this? A. Natural threat B. Organizational threat C. Social Engineering A. Incorrect. A phone call is a human action so not a natural threat. B. Incorrect. The term ‘organizational threat’ is not a common term for a kind of threat. Copyright protected. Use is for Single Users only via a VHP Approved License. For information and printed versions please see www.vanharen.net
168 Foundations of Information Security C. Correct. Using the right expressions or names of known people and their departments gives the impression of being a colleague trying to obtain company and trade secrets. You should check whether you are actually talking to the helpdesk. A helpdesk employee will never ask for your password. (§7.2.1) 14 of 40 A fire breaks out in a branch office of a health insurance company. The personnel are transferred to neighboring branches to continue their work. Where in the incident cycle is moving to a stand-by arrangement found? A. between threat and incident B. between recovery and threat C. between damage and recovery D. between incident and damage A. Incorrect. Carrying out a stand-by arrangement without an incident is very expensive. B. Incorrect. Recovery takes place after putting a stand-by arrangement into operation. C. Incorrect. Damage and recovery are actually limited by the stand-by arrangement. D. Correct. A stand-by arrangement is a corrective measure that is initiated in order to limit the damage. (§16.1 and 16.5) 15 of 40 Information has a number of reliability aspects. Reliability is constantly being threatened. Examples of threats are: a cable becomes loose, someone alters information by accident, data is used privately or is falsified. Which of these examples is a threat to integrity? A. a loose cable B. accidental alteration of data C. private use of data A. Incorrect. A loose cable is a threat to the availability of information. B. Correct. The unintended alteration of data is a threat to its integrity. (§3.2 and 3.4) C. Incorrect. The use of data for private ends is a form of misuse and is a threat to confidentiality. 16 of 40 A member of staff denies sending a particular message. Copyright protected. Use is for Single Users only via a VHP Approved License. For information and printed versions please see www.vanharen.net
Appendix C.2 Answer Key 169 Which reliability aspect of information is in danger here? A. availability B. correctness C. integrity D. confidentiality A. Incorrect. Overloading the infrastructure is an example of a threat to availability. B. Incorrect. Correctness is not a reliability aspect. It is a characteristic of integrity. C. Correct. The denial of sending a message has to do with nonrepudiation, a threat to integrity. (§3.2 and 3.4). D. Incorrect. Misuse and/or disclosure of data are threats to confidentiality. 17 of 40 How is the purpose of information security policy best described? A. An information security policy documents the analysis of risks and the search for countermeasures. B. An information security policy provides direction and support to the management regarding information security. C. An information security policy makes the security plan concrete by providing it with the necessary details. D. An information security policy provides insight into threats and the possible consequences. A. Incorrect. The analysis of risks and the search for countermeasures is the purpose of risk analysis and risk management. B. Correct. The security policy provides direction and support to the management regarding information security. (§5.1.1) C. Incorrect. The security plan makes the information security policy concrete. The plan includes which measures have been chosen, who is responsible for what, the guidelines for the implementation of measures, etc. D. Incorrect. The purpose of a threat analysis is to provide insight into threats and the possible consequences. 18 of 40 A security incident regarding a webserver is reported to a helpdesk employee. His colleague has more experience on webservers, so he transfers the case to her. Which term describes this transfer? A. Functional escalation B. Hierarchical escalation Copyright protected. Use is for Single Users only via a VHP Approved License. For information and printed versions please see www.vanharen.net
170 Foundations of Information Security A. Correct. If the helpdesk employee is not able to deal with the incident personally, the incident can be reported to someone with more expertise who may be able to resolve the problem. This is called a functional (horizontal) escalation. (§16.1) B. Incorrect. This is called a functional (horizontal) escalation. Hierarchical escalation is when a task is transferred to someone with more authority. 19 of 40 A worker from an insurance company discovers that the expiration date of a policy has been changed without her knowledge. She is the only person authorized to do this. She reports this security incident to the Helpdesk. The Helpdesk worker records the following information regarding this incident: ■ date and time ■ description of the incident ■ possible consequences of the incident What most important information about the incident is missing here? A. the name of the person reporting the incident B. the name of the software package C. the PC number D. a list of people who were informed about the incident A. Correct. When reporting an incident, the name of the reporter must be recorded at a minimum. (§16.2) B. Incorrect. This is additional information that may be added later. C. Incorrect. This is additional information that may be added later. D. Incorrect. This is additional information that may be added later. 20 of 40 In the incident cycle there are four successive steps. Which step follows after the step Incident? A. Threat B. Damage C. Recovery A. Incorrect. The damage follows after the incident. The correct order of steps is Threat, Incident, Damage, Recovery. B. Correct. The order of steps in the incident cycle are: Threat, Incident, Damage, Recovery. (§16.5) C. Incorrect. The damage follows the incident. The correct order of steps is Threat, Incident, Damage, Recovery. Copyright protected. Use is for Single Users only via a VHP Approved License. For information and printed versions please see www.vanharen.net
Appendix C.2 Answer Key

21 of 40
Which measure is a preventive measure?
A. Installing a logging system that enables changes in a system to be recognized
B. Shutting down all internet traffic after a hacker has gained access to the company systems
C. Putting sensitive information in a safe

A. Incorrect. With a logging system, what happened can only be investigated after the incident has occurred. This is a detective measure aimed at detecting incidents.
B. Incorrect. Shutting down all internet traffic is a repressive measure aimed at limiting an incident.
C. Correct. A safe is a preventive measure, which prevents damage being done to the sensitive information stored in it. (§16.5)

22 of 40
What is a repressive measure in case of a fire?
A. Taking out fire insurance
B. Putting out a fire after it has been detected by a fire detector
C. Repairing damage caused by the fire

A. Incorrect. Taking out insurance protects against the financial consequences of a fire.
B. Correct. This repressive measure minimizes the damage caused by the fire. (§16.5)
C. Incorrect. This is not a repressive measure; it does not minimize the damage caused by the fire.

23 of 40
What is the goal of classification of information?
A. To create a manual about how to handle mobile devices
B. Applying labels making the information easier to recognize
C. Structuring information according to its sensitivity

A. Incorrect. Creating a manual has to do with user guidelines and is not classification of information.
B. Incorrect. Applying labels to information is designation, a special form of categorizing information which follows classification.
C. Correct. Classification of information is used to define the different levels of sensitivity into which information can be structured. (§8.5)

24 of 40
Who is authorized to change the classification of a document?
A. The author of the document
B. The administrator of the document
C. The owner of the document
D. The manager of the owner of the document

A. Incorrect. The author may change the content but not the classification of a document.
B. Incorrect. The administrator may not change the classification of a document.
C. Correct. The owner must ensure the asset is classified, or reclassified if necessary, and is therefore authorized to change the classification of a document. (§8.5)
D. Incorrect. The manager of the owner has no authority in this.

25 of 40
The computer room is protected by a pass reader. Only the System Management department has a pass. What type of security measure is this?
A. A corrective security measure
B. A physical security measure
C. A logical security measure
D. A repressive security measure

A. Incorrect. A corrective security measure is a recovery measure.
B. Correct. This is a physical security measure. (§11.1)
C. Incorrect. A logical security measure controls access to software and information, not physical access to rooms.
D. Incorrect. A repressive security measure is intended to minimize the consequences of a disruption.

26 of 40
Strong authentication is needed to access highly protected areas. In the case of strong authentication, the identity of a person is verified by using three factors. Which factor is verified when we must show our access pass?
A. Something you are
B. Something you have
C. Something you know

A. Incorrect. An access pass is not an example of something that you are.
B. Correct. An access pass is an example of something that you have. (§11.1.2)
C. Incorrect. An access pass is not something that you know.

27 of 40
In physical security, multiple expanding zones (protection rings) can be applied, in which different measures can be taken. What is not a protection ring?
A. Building
B. Middle ring
C. Object
D. Outer ring

A. Incorrect. A building is a valid zone and deals with access to the premises.
B. Correct. The protection rings are: outer ring (the area around the premises), building (access to the premises), working space (the rooms in the premises, also known as the ‘inner ring’) and object (the asset that is to be protected). There is no such thing as a middle ring. (§11.1.1)
C. Incorrect. An object is a valid zone and deals with the asset that is to be protected.
D. Incorrect. The outer ring is a valid zone and deals with the area around the premises.

28 of 40
Which threat can occur as a result of the absence of a physical measure?
A. A user can view the files belonging to another user.
B. A server shuts down because of overheating.
C. A confidential document is left in the printer.
D. Hackers can freely enter the computer network.

A. Incorrect. Logical access control is a technical measure which prevents unauthorized access to the documents of another user.
B. Correct. Physical security includes the protection of equipment through climate control (air conditioning, air humidity). (§11.2.1)
C. Incorrect. A security policy should cover the rules on how to handle confidential documents. All employees should be aware of this policy and practise the rules. It is an organizational measure.
D. Incorrect. Preventing hackers from entering the computer or network is a technical measure.
29 of 40
Which security measure is a technical measure?
A. Allocating information to an owner
B. Encryption of files
C. Creating a policy defining what is and is not allowed in e-mail
D. Storing system management passwords in a safe

A. Incorrect. Allocating information to an owner is classification, which is an organizational measure.
B. Correct. This is a technical measure which prevents unauthorized persons from reading the information. (§10.1)
C. Incorrect. This is an organizational measure, a code of conduct that is written into the employment contract.
D. Incorrect. This is an organizational measure.

30 of 40
The back-ups of the central server are kept in the same locked room as the server. What risk does the organization face?
A. If the server crashes, it will take a long time before the server is operational again.
B. In the event of fire it is impossible to get the system back to its former state.
C. No one is responsible for the back-ups.
D. Unauthorized persons have easy access to the back-ups.

A. Incorrect. On the contrary, this would help to make the system operational more quickly.
B. Correct. The chance that the back-ups will also be destroyed in a fire is very great. (§11.2.1)
C. Incorrect. Responsibility has nothing to do with the storage location.
D. Incorrect. The computer room is locked.

31 of 40
Which type of malware builds a network of contaminated computers?
A. Logic Bomb
B. Storm Worm or Botnet
C. Trojan
D. Spyware

A. Incorrect. A logic bomb is not always malware. It is a piece of code that is built into a software system.
B. Correct. A worm is a small computer program that purposely replicates itself; copies of the original are spread by making use of the network facilities of its host. (§12.5.2 and §12.5.7)
C. Incorrect. A Trojan is a program which, in addition to the function that it appears to perform, purposely conducts secondary activities, unnoticed by the user.
D. Incorrect. Spyware is a computer program that collects information on the computer user and sends this information to another party.

32 of 40
Within an organization the security officer detects that the workstation of an employee is infected with malicious software. The malicious software was installed due to a targeted phishing attack. Which action is the most beneficial to prevent such incidents in the future?
A. Implementing MAC technology
B. Start a security awareness program
C. Update the firewall rules
D. Update the signatures of the spam filter

A. Incorrect. MAC is about access control; this does not prevent a user from being persuaded to execute some action as a result of the targeted attack.
B. Correct. The underlying vulnerability of this threat is the unawareness of the user. In these kinds of attacks users are persuaded to execute some code that violates the policy (e.g. install suspicious software). Addressing these kinds of attacks in a security awareness program will reduce the chance of recurrence in the future. (§12.4 and §12.5)
C. Incorrect. Although the firewall could, for example, block traffic that resulted from the installation of the malicious software, it will not help to prevent the threat from recurring.
D. Incorrect. The targeted attack does not necessarily have to make use of e-mail. The attacker may, for instance, also use social media or even the phone to make contact with the victim.

33 of 40
You work in the IT department of a medium-sized company. Confidential information has come into the wrong hands several times. This has hurt the image of the company. You have been asked to propose organizational security measures for laptops at your company. What is the first step that you should take?
A. Formulate a policy regarding mobile media (PDAs, laptops, smartphones, USB sticks)
B. Appoint security personnel
C. Encrypt the hard disks of laptops and USB sticks
D. Set up an access control policy

A. Correct. The policy on how to use mobile media is an organizational measure, and security measures for laptops can be an obligation. (§6.2.1)
B. Incorrect. Appointing security personnel is a technical measure. When someone takes a laptop out of the office, the risk of leakage of information remains.
C. Incorrect. Encrypting the hard disks of laptops and USB sticks is a technical measure. This can be carried out on the basis of an organizational measure.
D. Incorrect. An access control policy is an organizational measure, which only covers access to buildings or IT systems.

34 of 40
What is the name of the system that guarantees the coherence of information security in the organization?
A. Information Security Management System (ISMS)
B. Rootkit
C. Security regulations for special information for the government

A. Correct. The ISMS is described in ISO/IEC 27001. (§5.1.1)
B. Incorrect. A rootkit is a malicious set of software tools often used by a third party (usually a hacker).
C. Incorrect. This is a governmental set of rules on how to handle special information.

35 of 40
What is ‘establishing whether someone’s identity is correct’ called?
A. Authentication
B. Authorization
C. Identification

A. Correct. Establishing whether someone’s identity is correct is called authentication. (§9.2)
B. Incorrect. Granting someone the access rights for a computer or network is called authorization.
C. Incorrect. Identification is the process of making an identity known.
36 of 40
Why is it necessary to keep a disaster recovery plan up to date and to test it regularly?
A. In order to always have access to recent back-ups that are located outside the office.
B. In order to be able to cope with daily occurring faults.
C. Because otherwise, in the event of a far-reaching disruption, the measures taken and the incident procedures planned may not be adequate or may be outdated.
D. Because this is required by Personal Data Protection legislation.

A. Incorrect. This is one of the technical measures taken to recover a system.
B. Incorrect. For normal disruptions the measures usually taken and the incident procedures are sufficient.
C. Correct. A far-reaching disruption requires an up-to-date and tested plan. (§17.1.1 and §17.2)
D. Incorrect. Personal Data Protection legislation concerns the privacy of personal data.

37 of 40
On the basis of which legislation can someone request to inspect the data that has been registered about him or her?
A. Public records legislation
B. Personal data protection legislation
C. Computer criminality legislation
D. Government information (public access) legislation

A. Incorrect. Public records legislation regulates the storage and destruction of archive documents.
B. Correct. The right to inspection is regulated in personal data protection legislation. (§18.1.4)
C. Incorrect. Computer criminality legislation makes it easier to deal with offences perpetrated through advanced information technology. An example of a new offence is computer hacking.
D. Incorrect. Government information (public access) legislation regulates the inspection of written governmental documents. Personal data is not a governmental document.

38 of 40
Which is a legislative or regulatory act related to information security that can be imposed upon all organizations?
A. Intellectual Property Rights
B. ISO/IEC 27001:2013
C. ISO/IEC 27002:2013
D. Personal data protection legislation

A. Incorrect. This regulation is not related to information security for organizations.
B. Incorrect. This is a standard with guidelines for organizations on how to deal with the set-up of an information security process.
C. Incorrect. This standard, also known as the ‘Code of practice for Information Security’, contains guidelines for information security policy and measures.
D. Correct. All organizations should have a policy and procedures for personal data protection, which should be known to everybody who processes personal data. (§18.1.5)

39 of 40
You are the owner of the courier company SpeeDelivery. You employ a few people who, while waiting to make a delivery, can carry out other tasks. You notice, however, that they use this time to send and read their private mail and surf the Internet. In legal terms, in which way can the use of the Internet and e-mail facilities best be regulated?
A. Installing an application that makes certain websites no longer accessible and that filters attachments in e-mails
B. Drafting a code of conduct for the use of the Internet and e-mail in which the rights and obligations of both the employer and staff are set down
C. Implementing privacy regulations
D. Installing a virus scanner

A. Incorrect. Installing this kind of software regulates the use of the internet and e-mail only partly. It cannot regulate time spent on private use. This is a technical measure.
B. Correct. In a code of conduct on the use of the internet and e-mail it can be documented which websites may or may not be visited and to what extent private use is permitted. These are internal regulations. (Chapter 7 introduction text)
C. Incorrect. Privacy regulations only regulate the use of personal data of personnel and customers, not the use of the internet and e-mail.
D. Incorrect. A virus scanner checks incoming e-mail and internet connections for malicious software. It does not regulate the use of the internet and e-mail. It is a technical measure.

40 of 40
Under which condition is an employer permitted to check whether Internet and e-mail services in the workplace are being used for private purposes?
A. The employer is permitted to check this if the employee is informed after each instance of checking.
B. The employer is permitted to check this if the employees are aware that this could happen.
C. The employer is permitted to check this if a firewall is also installed.

A. Incorrect. The employee does not have to be informed after each check.
B. Correct. The employees must know that the employer has the right to monitor the use of IT services. (Chapter 7 introduction text)
C. Incorrect. A firewall protects against external intruders. This does not influence the right of the employer to monitor the use of IT services.
Appendix C.3 Evaluation

The table below shows the correct answers to the questions in this sample examination.

number  answer  points    number  answer  points
1       B       1         21      C       1
2       A       1         22      B       1
3       B       1         23      C       1
4       C       1         24      C       1
5       B       1         25      B       1
6       B       1         26      B       1
7       D       1         27      B       1
8       B       1         28      B       1
9       D       1         29      B       1
10      A       1         30      B       1
11      A       1         31      B       1
12      C       1         32      B       1
13      C       1         33      A       1
14      D       1         34      A       1
15      B       1         35      A       1
16      C       1         36      C       1
17      B       1         37      B       1
18      A       1         38      D       1
19      A       1         39      B       1
20      B       1         40      B       1
Appendix D About the authors

The authors are all members of the Dutch Platform for Information Security and aim to make the field of information security more accessible for both information security specialists and departmental staff who are just starting out.

Hans Baars, CISSP, CISM, worked as information security officer and internal EDP auditor at the Dutch National Police Force from 1999 to 2006. In this position he was involved in formulating the information security policy of the Dutch police force. From 2006 he worked as a security consultant, during which time he advised government and commercial businesses on how to design their physical and information security. From 2009 he was Chief Information Security Officer at Enexis BV, a gas and power grid company in the Netherlands. Nowadays he is working as Cyber Security Manager at the OMNETRIC Group, a highly specialized company working in the smart energy sector. Since 2006 Hans has been a certified information security manager, CISSP (ISC2) and CISM (ISACA).

Kees Hintzbergen, CISA, is a freelance senior information security consultant. Kees has more than 30 years’ experience in IT and information provisioning and has worked in the field of information security since 1999. In his everyday life Kees is a consultant, coach and ‘mirror’, in which roles he employs the ‘common sense method’. Thanks to his experience and integrity, he has been successful with several jobs. Since 2012 he has been involved in the development of an Information Security Baseline based on ISO/IEC 27001 and ISO/IEC 27002 (2005 and 2013 versions) for Dutch municipalities and has provided support around implementing that Baseline, developing additional products to support the implementation of the Baseline and manning a helpdesk that gives security answers to Dutch municipalities. He was also actively involved in the creation of a CERT for Dutch municipalities.

Jule Hintzbergen, CISSP, CISM, CEH. After working initially for 21 years for the Ministry of Defense, Jule has worked since 1999 at Capgemini as a cybersecurity consultant. He has more than 30 years’ experience in IT and spends much of his time dealing with information security. He has worked in various capacities in the areas of project management, information management, physical and information security, and biometrics and border management. Since 2012 he has been involved in the development of an Information Security Baseline based on ISO/IEC 27001 and ISO/IEC 27002 (2005 and 2013 versions) for Dutch municipalities and has provided support around implementing that Baseline, developing additional products to support the implementation of the Baseline and manning a helpdesk that gives security answers to Dutch municipalities.

André Smulders (CISSP) is business consultant Information Security and Risk Management at TNO. After completing his studies in Technology Management at the University of Eindhoven, André started working on innovative ICT projects. In 2000 he started specialising in the field of Information Security and Risk Management. In his current role he supports organisations in both the public and private sector in managing risks in complex networked ecosystems. On this topic he co-wrote the book “Networked Risk Management, how to successfully manage risks in hyperconnected value networks”.
Index

A
access control .... 57
- policy .... 69
- system .... 71
accountability .... 10
ALE (Annualized Loss Expectancy) .... 28
Annex SL, proposals for management system standards (ISO) .... 9
ANSI (American National Standards Institute) .... 142
architecture, definition .... 49
ARO (Annualized Rate of Occurrence) .... 29
asset .... 10, 63
asset management .... 63
ASVS (Application Security Verification Standard) .... 144
asymmetric cryptographic system .... 79
authentication .... 70
authenticity .... 10, 40, 111
authorization .... 69, 111
availability .... 10
- measures .... 21

B
backdoor .... 19
back-up .... 21, 76, 106
- procedures .... 21
biometrics .... 87
BCC (Blind Carbon Copy) .... 99
BCM (Business Continuity Management) .... 132
BCMN (Business Process Modeling Notation) .... 48
BCP (Business Continuity Planning) .... 132, 134
botnet .... 104, 147
Bring Your Own Device (BYOD) .... 67
business assets .... 65
business continuity .... 1
Business Continuity Management (BCM) .... 132
Business Continuity Planning (BCP) .... 132, 134
Business Impact Analysis (BIA) .... 132
Business Process Modeling Notation (BCMN) .... 48
BYOD (Bring Your Own Device) .... 67

C
capacity management .... 97
categories of countermeasures .... 31
CBAC (Claims-Based Access Control) .... 74
certificates .... 75
certification .... 123
change management .... 96
Chief Information Security Officer (CISO) .... 24, 56
Claims-Based Access Control (CBAC) .... 74
classification .... 65
classifying special information: five levels for (European Commission) .... 138
clear desk policy .... 17, 53
COBIT® .... 64
code of conduct .... 59
compliance .... 137
compliance measures .... 138
confidentiality .... 10, 17
continuity .... 132
control .... 10
cryptanalysis .... 75
cryptographic keys .... 76
cryptography .... 75

D
DAC (Discretionary Access Control) .... 72
data .... 42
data confidentiality .... 76
Data Protection Officer .... 56
DCE (Distributed Computing Environment) .... 45
denial-of-service (DoS) attacks .... 20
designation .... 65
detection .... 32
digital signatures .... 75
direct damage .... 35
disaster .... 1, 133, 136
Disaster Recovery Planning (DRP) .... 132, 134
Discretionary Access Control (DAC) .... 72
distributed computing .... 45
Distributed Computing Environment (DCE) .... 45
due care .... 41
due diligence .... 41

E
electronic messaging .... 112
encryption .... 57
- techniques .... 20
escalation .... 125
EU Directive 99/93/EG .... 80
European Commission: five levels for classifying special information .... 138
event logging .... 106
exposure factor .... 28
extranet .... 111

F
fire extinguishing agents .... 90
fire protection .... 89
fire-resistant cabinet .... 89

G
grading .... 65
guarding of access .... 74

H
hash function .... 82
hashing .... 19
hierarchical .... 125
hoax .... 102, 145

I
identification .... 70
IEEE (Institute of Electrical and Electronics Engineers) .... 143
incident cycle .... 128
indirect damage .... 35
informatics .... 42
information .... 11, 42
- leaks .... 129
information analysis .... 11, 42
information architecture .... 49, 50, 145
information integrity .... 19
information management .... 11, 44
information security .... 1, 11
- requirements .... 24
information security management .... 117
Information Security Management System (ISMS) .... 12, 37
Information Security Manager (ISM) .... 56
Information Security Officer (ISO) .... 24, 56, 96
information security policy .... 37, 53
Information Security Policy Officer .... 56
information system .... 12, 44
information transfer .... 112
input/output system (BIOS) passwords .... 23
Institute for Security and Open Methodologies (ISECOM) .... 26
insurance .... 33
integrity .... 12, 101, 111
- measures .... 20
intellectual property rights (IPR) .... 139
intentional human threat .... 34
interference .... 92
intranet .... 111
intrusion detection .... 19
intrusion detection systems (IDS) .... 21
IPsec .... 111