BCS CISMP-V9 - BCS Foundation Certificate in Information Security Management Principles V9.0

 ITIL (Information Technology Infrastructure Library) is a widely recognized framework that offers a comprehensive set of best practices for IT Service Management (ITSM). It assists organizations in aligning IT services with business goals, including security objectives. ITIL provides guidance on the entire service lifecycle, from service strategy and design to service transition, operation, and continual service improvement. By following ITIL’s structured approach, organizations can enhance the quality of IT services, manage risk effectively, improve customer satisfaction, and ensure that IT and business strategies are in sync.

References: = The BCS Foundation Certificate in Information Security Management Principles acknowledges ITIL as a key framework for ITSM best practices. It is aligned with other standards like ISO/IEC 20000, which reflects ITIL’s best practices within its requirements1234.

The Acceptable Usage Policy (AUP) is the document most likely to contain directives on the security and utilization of an organization’s information and IT equipment, including email, internet, and telephony. An AUP outlines the acceptable and unacceptable behaviors for users of the organization’s IT systems and services. It typically includes rules and guidelines on the proper use of IT resources, security practices, and the consequences of non-compliance. The AUP is designed to protect both the organization and its users by mitigating risks associated with the misuse of IT resources and ensuring that the use of these resources aligns with the organization’s security policies and objectives123.

References := The BCS Foundation Certificate in Information Security Management Principles discusses the importance of having clear policies and procedures in place to manage information security risks, including the development and enforcement of an Acceptable Usage Policy1. This is further supported by industry best practices andguidelines on information security management, such as those provided by IT governance experts and ISO standards23.

 Ensuring the correctness of data inputted to a system is a fundamental aspect of data integrity within information security. Integrity refers to the trustworthiness and accuracy of data throughout its lifecycle. This means that the data has not been altered in an unauthorized manner and remains consistent, accurate, and trustworthy. It is crucial for the proper functioning of any system that relies on data to make decisions or perform operations. Measures to ensure data integrity include input validation, error checking, and data verification processes that prevent incorrect data entry, unauthorized data alteration, and ensure that the data reflects its intended state.

References: This concept is covered under the BCS Foundation Certificate in Information Security Management Principles, which outlines integrity as one of the key facets of information security, ensuring that data remains authentic and unaltered from its original state123.

 A penetration test, unlike a vulnerability scan, is an in-depth process where security professionals actively attempt to exploit vulnerabilities in a system. The goal is to simulate a real-world attack to understand how an attacker could exploit vulnerabilities and to determine the potential impact. This involves not just identifying vulnerabilities, as a scan does, but also attempting to exploit them to understand the full extent of the risk. Penetration tests are typically manual or semi-automated and involve a variety of tools and techniques to uncover and exploit security weaknesses, which can include common tools like Nmap, Nessus, and Metasploit.

References: The distinction between penetration testing and vulnerability scanning is well-documented in cybersecurity literature and aligns with industry best practices. Penetration testing is a critical component of an organization’s security strategy, providing a realistic assessment of security defenses12

Defence in depth is a security concept that involves implementing multiple layers of security controls throughout an information system. The idea is that if one control fails or a vulnerability is exploited, other controls will provide redundancy and continue to protect the system. This approach is analogous to a physical fortress with multiple walls; if an attacker breaches one wall, additional barriers exist to stop them from progressing further. In the context of information security, this could include a combination of firewalls, intrusion detection systems, antivirus software, and strict access controls, among others. Defence in depth is designed to address security vulnerabilities not only in technology but also in processes and people, acknowledging that human error or negligence can often lead to security breaches.

References: The concept of defence in depth aligns with the Information Security Management Principles as outlined by BCS, particularly under the domains of Technical Security Controls and Disaster Recovery and Business Continuity Management. It is alsosupported by various industry sources that describe defence in depth as a strategy that leverages multiple security measures to protect an organization’s assets12345.

 Online retailers are the most at risk for the theft of electronic-based credit card data due to the nature of their business, which involves processing a large volume of transactions over the internet. This exposes them to various cyber threats, including hacking, phishing, and other forms of cyber-attacks that can compromise credit card information. Traditional market traders, mail delivery businesses, and agricultural producers typically do not handle credit card transactions to the same extent or in the same electronic manner as online retailers, making them less likely targets for this specific type of data theft.

The principles of Information Security Management emphasize the importance of protecting sensitive data, such as credit card information, through technical security controls and risk management practices. Online retailers must implement robust security measures, including encryption, secure payment gateways, and regular security audits, to mitigate the risks associated with electronic transactions12.

References :=

BCS Information Security Management Principles, particularly the sections on Technical Security Controls and Information Risk, provide guidance on protecting electronic data and managing the associated risks1.

Additional insights can be found in the Information Security Management Principles, 3rd Edition by Andy Taylor, David Alexander, Amanda Finch, David Sutton2.

which appears to be a typographical error for ISO 15489. ISO 15489 is the international standard that deals with the management of records, including their retention. It provides a framework for creating, capturing, and managing records of any format or structure, in all types of business and technological environments, over time. This standard emphasizes the importance of records management for organizational efficiency and accountability, and it outlines the principles and practices to ensure that records are properly maintained and retained according to legal, regulatory, and operational requirements12.

References :=

ISO 15489-1:2016 Information and documentation — Records management — Part 1: Concepts and principles1.

ISO committee website for ISO 15489 Records management2.

The ISO/IEC 27000 series, particularly ISO/IEC 27001, provides a framework for information security management systems (ISMS) that helps organizations secure their information assets. This series covers various aspects of information security, including the protection of organizational records and data protection & privacy, which are legal compliance requirements in many jurisdictions. Intellectual Property Rights (IPR) are also considered within the scope of information security as they pertain to the protection of proprietary information and assets. Forensic recovery of data and data deduplication are technical and operational considerations but are not directly addressed as compliance legal requirements within the ISO/IEC 27000 series.

References: The ISO/IEC 27001:2022 standard outlines the requirements for an ISMS, including the need to address legal, physical, and technical controls to protect information assets12. The Advisera guide on ISO 27001 further explains the standard’s requirements for documented information, which would include organizational records and policies related to data protection and privacy3.

Misuse case diagrams are a type of diagram used in application threat modeling that includes malicious users (also known as threat actors) and describes how their potential actions could threaten the system, as well as how the system mitigates those threats. These diagrams are an adaptation of use case diagrams, which are commonly used in software engineering to specify the required usages of a system. Misuse case diagrams, on the other hand, focus on the negative scenarios, illustrating how a system can be used improperly and what measures are in place to prevent or mitigate these actions12.

References: The explanation utilizes the knowledge of misuse case diagrams as a tool in threat modeling to understand and communicate about potential security threats12.

The AAA service, which stands for Authentication, Authorization, and Accounting, is essential for managing user access to network resources. When it comes to providing AAA services for both wireless and remote access network services in a non-proprietarymanner, RADIUS (Remote Authentication Dial-In User Service) is the most suitable technology.

RADIUS is an open standard protocol widely used for network access authentication and accounting. It is supported by a variety of network vendors and devices, making it a non-proprietary solution that can be easily integrated into different network environments. RADIUS provides a centralized way to authenticate users, authorize their access levels, and keep track of their activity on the network1.

TACACS+ is a Cisco proprietary protocol and therefore does not meet the requirement of avoiding proprietary solutions.

OAuth is a framework for authorization and is not typically used for network access control in the same way that RADIUS is.

MS Access Database is not a network authentication protocol and would not provide the necessary AAA services for network security.

References: The information provided here is based on the principles of AAA services as outlined in the BCS Foundation Certificate in Information Security Management Principles and supported by industry-standard practices for non-proprietary network security solutions.