Information Security Foundation based on ISO/IEC 27002

Similar documents
EXIN Information Security Management Advanced

EXIN Foundation in IT Service Management based on ISO/IEC 20000

EXIN Information Security Foundation based on ISO/IEC Sample Exam

Preparation Guide. EXIN IT Service Management Associate based on ISO/IEC 20000

Preparation Guide. EXIN IT Service Management Associate Bridge based on ISO/IEC 20000

Preparation Guide. EXIN Cloud Computing Foundation

Preparation Guide. IT Service Management Foundation Bridge based on ISO/IEC 20000

^H 3RD EDITION ITGOVERNANCE A MANAGER'S GUIOE TO OATA SECURITY ANO DS 7799/IS ALAN CALDER STEVE WATKINS. KOGAN PAGE London and Sterling, VA

Security aspects of e-tailing. Chapter 7

Preparation Guide. Side entry to the EXIN Expert in IT Service Management based on ISO/IEC 20000

Preparation Guide Content. EXIN Cloud. 1. Overview 4 2. Exam Requirements 6 3. List of Basic Concepts 9 4. Exam Literature 13. Computing Foundation

ISO 27002:2013 Version Change Summary

Information Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus

IT Service Management Practitioner: Support & Restore (based on ITIL ) (IPSR.EN)

Information Security Management Expert based on ISO/IEC 27002

Preparation Guide. Microsoft Operations Framework Foundation

RYERSON UNIVERSITY Ted Rogers School of Information Technology Management And G. Raymond Chang School of Continuing Education

FBLA Cyber Security aligned with Common Core FBLA: Cyber Security RST RST RST RST WHST WHST

Certified Cyber Security Analyst VS-1160

CSCI 454/554 Computer and Network Security. Instructor: Dr. Kun Sun

10- Assume you open your credit card bill and see several large unauthorized charges unfortunately you may have been the victim of (identity theft)

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

Preparation Guide. EXIN Agile Scrum Foundation

(Instructor-led; 3 Days)

EUCIP - IT Administrator. Module 5 IT Security. Version 2.0

Department of Computer & Information Sciences. INFO-450: Information Systems Security Syllabus

Introduction to Cyber Security / Information Security

EX0-105 Information Security Foundation based on ISOIEC 27002

Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np

Preparation Guide. EXIN IT Service Management Executive Consultant/Manager based on ISO/IEC 20000

ISO/IEC 27002:2013 WHITEPAPER. When Recognition Matters

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

CIS 253. Network Security

Bellevue University Cybersecurity Programs & Courses

Foundation Bridge in IT Service Management (ITSM) according to ISO/IEC Specification Sheet. ISO/IEC Foundation Bridge TÜV SÜD Akademie

Cyber Essentials Scheme

CompTIA Security+ (Exam SY0-410)

List of courses offered by Marc Taillefer

Know the Risks. Protect Yourself. Protect Your Business.

The Information Security Problem

Networked Systems Security

Security Controls What Works. Southside Virginia Community College: Security Awareness

Information Security Awareness Training

CIS 6930/4930 Computer and Network Security. Dr. Yao Liu

OCR LEVEL 3 CAMBRIDGE TECHNICAL

BCS Certificate in Information Security Management Principles Syllabus

Eleventh Hour Security+

EXIN Cloud Computing Foundation

WHITE PAPER. Mitigate BPO Security Issues

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.

SNAP WEBHOST SECURITY POLICY

Computer Security. Principles and Practice. Second Edition. Amp Kumar Bhattacharjee. Lawrie Brown. Mick Bauer. William Stailings

Newcastle University Information Security Procedures Version 3

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.

Cyber- Attacks: The New Frontier for Fraudsters. Daniel Wanjohi, Technology Security Specialist

INFORMATION TECHNOLOGY SECURITY STANDARDS

HIPAA Compliance Evaluation Report

INFORMATION SYSTEMS. Revised: August 2013

Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session Two Information Security in Universities

Vendor Risk Assessment Questionnaire

Brainloop Cloud Security

CESG Certification of Cyber Security Training Courses

Information security controls. Briefing for clients on Experian information security controls

FORBIDDEN - Ethical Hacking Workshop Duration

Qualification Specification. Level 4 Certificate in Cyber Security and Intrusion For Business

ISO Controls and Objectives

Security Overview. BlackBerry Corporate Infrastructure

Cyber Security solutions

The Next Generation of Security Leaders

CISA TIMETABLE (4 DAYS)

SECURITY ORGANISATION Security Awareness and the Five Aspects of Security

INFORMATION SECURITY SPECIFIC VENDOR COMPLIANCE PROGRAM (VCP) ACME Consulting Services, Inc.

BCS IT User Syllabus IT Security for Users Level 2. Version 1.0

Italy. EY s Global Information Security Survey 2013

Cyber Security a Global Challenge; What and how Thailand is doing

Securing the Service Desk in the Cloud

Information Security: Business Assurance Guidelines

Loophole+ with Ethical Hacking and Penetration Testing

TCOM 562 Network Security Fundamentals

Course Outline Computing Science Department Faculty of Science. COMP Credits Computer Network Security (3,1,0) Fall 2015

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Data Management Policies. Sage ERP Online

CPSC 467: Cryptography and Computer Security

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

ISO27001 Controls and Objectives

Weighted Total Mark. Weighted Exam Mark

TELEFÓNICA UK LTD. Introduction to Security Policy

Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi

Best Practices For Department Server and Enterprise System Checklist

InfoSec Academy Application & Secure Code Track

Certification for Information System Security Professional (CISSP)

ISMS Implementation Guide

Transcription:

Preparation Guide Information Security Foundation based on ISO/IEC 27002 Edition March 2015

Copyright 2015 EXIN All rights reserved. No part of this publication may be published, reproduced, copied or stored in a data processing system or circulated in any form by print, photo print, microfilm or any other means without written permission by EXIN. Preparation Guide Information Security Foundation based on ISO/IEC 27002 (ISFS.EN) 2

Content 1. Overview 4 2. Exam requirements 7 3. List of basic concepts 11 4. Literature 14 33

1. Overview EXIN Information Security Foundation Summary Information security is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities. (ISO/IEC 27002 definition) Information security is gaining importance in the Information Technology (IT) world. Globalization of the economy is leading to an ever-increasing exchange of information between organizations (their employees, customers and suppliers) and an explosion in the use of networked computers and computing devices. The international standard, the Code of Practice for Information Security ISO/IEC 27002:2013 is a widely respected and referenced standard and provides a framework for the organization and management of an information security program. Implementing a program based on this standard will serve an organization well in its goal of meeting many of the requirements faced in today s complex operating environment. A strong understanding of this standard is important to the personal development of every information security professional. In EXIN s Information Security modules the following definition is used: Information Security deals with the definition, implementation, maintenance, compliance and evaluation of a coherent set of controls (measures) which safeguard the availability, integrity and confidentiality of the (manual and automated) information supply. In the module EXIN Information Security Foundation based on ISO/IEC 27002, the basic concepts of information security and their relationships are tested. One of the objectives of this module is to raise the awareness that information is valuable and vulnerable, and to learn which measures are necessary to protect information. The subjects of this module are: Information and security: the concept, the value, the importance and the reliability of information; Threats and risks: the concepts of threat and risk and the relationship with the reliability of information; Approach and organization: the security policy and security organization including the components of the security organization and management of (security) incidents; Measures: the importance of security measures including physical, technical and organizational measures and Legislation and regulations: the importance and impact of legislation and regulations 44

Context Qualification program The Certificate EXIN Information Security Foundation based on ISO/IEC 27002 is part of the qualification program Information Security. The module is followed up by the Certificates EXIN Information Security Management Advanced based on ISO/IEC 27002 and EXIN Information Security Management Expert based on ISO/IEC 27002. 55

Target group The examination for EXIN Information Security Foundation based on ISO/IEC 27002 is intended for everyone in the organization who is processing information. The module is also suitable for entrepreneurs of small independent businesses for whom some basic knowledge of information security is necessary. This module can be a good start for new information security professionals. Prerequisites none Examination type Computer based multiple-choice questions Indication study load 60 hours In-course assessment Not applicable Time allotted for examination 60 minutes Examination details Number of questions: 40 Pass mark: 65% (26 of 40) Open book/notes: no Electronic equipment permitted: no The Rules and Regulations for EXIN s examinations apply to this exam. Sample questions To prepare for your examination you can download a sample exam at http://www.exin.com. Training Group size The maximum number of course participants is 25. (This does not count for online- or computer based training.) Contact hours The minimum number of contact hours for the course is 7. This number includes group assignments, exam preparation and short coffee breaks. Not included are: homework, the logistics related to the exam session, the exam session and lunch breaks. Training provider A list of accredited training providers may be found on EXIN s website http://www.exin.com. 66

2. Exam requirements The exam requirements are specified in the exam specifications. The following table lists the topics of the module (exam requirements). The weight of the different topics in the exam is expressed as a percentage of the total. Exam requirement Exam specification Weight (%) 1 Information and security 10 1.1 The concept of information 2.5 1.2 Value of information 2.5 1.3 Reliability aspects 5 2 Threats and risks 30 2.1 Threats and risks 15 2.2 Relationships between threats, risks and the reliability of information 15 3 Approach and organization 10 3.1 Security policy and security organization 2.5 3.2 Components 2.5 3.3 Incident management 5 4 Measures 40 4.1 Importance of measures 10 4.2 Physical security measures 10 4.3 Technical measures 10 4.4 Organizational measures 10 5 Legislation and regulation 10 5.1 Legislation and regulations 10 Total 100 77

Exam specifications 1. Information and security (10%) 1.1 The concept of information (2.5%) The candidate understands the concept information. 1.1.1 Explain the difference between data and information; 1.1.2 Describe the storage medium that forms part of the basic infrastructure. 1.2 Value of information (2.5%) The candidate understands the value of information for organizations. 1.2.1 Describe the value of data/information for organizations; 1.2.2 Describe how the value of data/information can influence organizations; 1.2.3 Explain how applied information security concepts protect the value of data/information. 1.3 Reliability aspects (5%) The candidate knows the reliability aspects (confidentiality, integrity, availability) of information. 1.3.1 Name the reliability aspects of information; 1.3.2 Describe the reliability aspects of information. 2. Threats and risks (30%) 2.1 Threat and risk (15%) The candidate understands the concepts of threat and risk. 2.1.1 Explain the concepts threat, risk and risk analysis; 2.1.2 Explain the relationship between a threat and a risk; 2.1.3 Describe various types of threats; 2.1.4 Describe various types of damage; 2.1.5 Describe various risk strategies. 2.2 Relationships between threats, risks and the reliability of information. (15%) The candidate understands the relationship between threats, risks and the reliability of information. 2.2.1 Recognize examples of the various types of threats; 2.2.2 Describe the effects that the various types of threats have on information and the processing of information. 88

3. Approach and organization (10%) 3.1 Security policy and security organization (2.5%) The candidate has knowledge of the concepts security policy and security organization. 3.1.1 Outline the objectives and the content of a security policy; 3.1.2 Outline the objectives and the content of a security organization. 3.2 Components (2.5%) The candidate knows the various components of the security organization. 3.2.1 Explain the importance of a code of conduct; 3.2.2 Explain the importance of ownership; 3.2.3 Name the most important roles in the information security organization. 3.3 Incident Management (5%) The candidate understands the importance of incident management and escalation. 3.3.1 Summarize how security incidents are reported and what information is required; 3.3.2 Give examples of security incidents; 3.3.3 Explain the consequences of not reporting security incidents; 3.3.4 Explain what an escalation entails (functionally and hierarchically); 3.3.5 Describe the effects of escalation within the organization; 3.3.6 Explain the incident cycle. 4. Measures (40%) 4.1 Importance of measures (10%) The candidate understands the importance of security measures. 4.1.1 Describe various ways in which security measures may be structured or arranged; 4.1.2 Give examples for each type of security measure; 4.1.3 Explain the relationship between risks and security measures; 4.1.4 Explain the objective of the classification of information; 4.1.5 Describe the effect of classification. 4.2 Physical security measures (10%) The candidate has knowledge of both the set-up and execution of physical security measures. 4.2.1 Give examples of physical security measures; 4.2.2 Describe the risks involved with insufficient physical security measures. 99

4.3 Technical measures (10%) The candidate has knowledge of both the set-up and execution of technical security measures. 4.3.1 Give examples of technical security measures; 4.3.2 Describe the risks involved with insufficient technical security measures; 4.3.3 Understand the concepts cryptography, digital signature and certificate; 4.3.4 Name the three steps for online banking (PC, web site, payment); 4.3.5 Name various types of malicious software; 4.3.6 Describe the measures that can be used against malicious software. 4.4 Organizational measures (10%) The candidate has knowledge of both the set-up and execution of organizational security measures. 4.4.1 Give examples of organizational security measures; 4.4.2 Describe the dangers and risks involved with insufficient organizational security measures; 4.4.3 Describe access security measures such as the segregation of duties and the use of passwords; 4.4.4 Describe the principles of access management; 4.4.5 Describe the concepts identification, authentication and authorization; 4.4.6 Explain the importance to an organization of a well set-up Business Continuity Management; 4.4.7 Make clear the importance of conducting exercises. 5. Legislation and regulations (10%) 5.1 Legislation and regulations (10%) The candidate understands the importance and effect of legislation and regulations. 5.1.1 Explain why legislation and regulations are important for the reliability of information; 5.1.2 Give examples of legislation related to information security; 5.1.3 Give examples of regulations related to information security; 5.1.4 Indicate possible measures that may be taken to fulfill the requirements of legislation and regulations. Comment The security measures are for most staff members the first aspects of information security they encounter. Therefore the measures are central to the module and have the highest weight. The threats and risks follow in terms of weight. Finally, insight in the policy, organization and legislation and regulation in the area of information security is necessary in order to understand the importance of the information security measures. 10

3. List of basic concepts This list contains the terms with which candidates should be familiar. Terms are listed in alphabetical order. Access control Asset Audit Authentication Authenticity Authorization Availability Backup Biometrics Botnet Business Continuity Management (BCM) Business Continuity Plan (BCP) Business Assets Category Certificate Change Management Classification (grading) Clear desk policy Code of conduct Code of practice for information security (ISO/IEC 27002:2013) Completeness Compliance Computer criminality legislation Confidentiality Continuity Controls Copyright legislation Corrective Correctness Cryptography Cyber crime Damage Data Detective Digital signature Direct damage Disaster Disaster Recovery Plan (DRP) Encryption Escalation o Functional escalation 11

o Hierarchical escalation Exclusivity Hacking Hoax Identification Impact Incident cycle Indirect damage Information Information analysis Information architecture Information management Information security review Information system Infrastructure Integrity Interference ISO/IEC 27001:2013 ISO/IEC 27002:2013 Key Logical access management Managing business assets Maintenance door Malware Non-disclosure agreement Non-repudiation Patch Personal data protection legislation Personal firewall Phishing Precision Preventive Priority Privacy Production factor Public Key Infrastructure (PKI) Public records legislation Qualitative risk analysis Quantitative risk analysis Reductive Redundancy Reliability of information Repressive Risk Risk analysis Risk assessment (Dependency & Vulnerability analysis) o Risk avoiding o Risk bearing Risk management o Risk neutral Risk strategy Robustness Rootkit 12

Secret authentication information Security in development Security event Security incident Security measure Security Organization Security Policy Security regulations for the government Segregation of duties Social engineering Spam Spyware Stand-by arrangement Storage medium System acceptance testing Threat Timeliness Trojan Uninterruptible Power Supply (UPS) Urgency User access provisioning Validation Verification Virtual Private Network (VPN) Virus Vulnerability Worm 13

4. Literature Exam literature A Hintzbergen, J., Hintzbergen, K., Smulders, A. and Baars, H. Foundations of Information Security Based on ISO 27001 and ISO 27002 Van Haren Publishing, 3 rd edition, 2015 ISBN 978 94 018 0012 9 ebook 978 94 018 0541 4 Overview of the literature Exam specification Literature 1.1 A: Chapter 3 1.2 A: Chapter 3 and 4 1.3 A: Chapter 3 and 4 2.1 A: Chapter 3 2.2 A: Chapter 3 and 11 3.1 A: Chapter 3, 5 and 6 3.2 A: Chapter 6, 7, 8 and 13 3.3 A: Chapter 3, 15 and 16 4.1 A: Chapter 3, 8 and 16 4.2 A: Chapter 3 and 11 4.3 A: Chapter 6, 11 and 12 4.4 A: Chapter 3, 6, 9, 17 and 18 5.1 A: Chapter 18 14

15

Contact EXIN www.exin.com

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information