Clause 6 and Clause 8
Name 5 systems we would care about testing when it comes to access control.
Examples: Active Directory (Network), AWS (Infrastructure), O365 or G-Suite (Network), Source Code Repo
What SDLC methodology do most of our clients follow?
DevOps or Agile
Why should dev, test, and production environments be separated?
Development, testing, and operational environments should be separated to reduce the risks of unauthorized access or changes to the operational environment.
When considering the security of electronic messaging (13.2.3), what are 2 things to consider?
Page 52 of ISO 27002:
- Authentication and Access
- Protecting messages from modification
- Correct addressing and transportation
What clause requires that you identify interested parties and what are examples?
Clause 4. Examples include internal stakeholders such as executives and external stakeholders such as clients.
In control 9.4.5 what are examples of tools that can "control program source code"?
When inspecting SDLC documentation, what are aspects of the SDLC you would look for in a change ticket?
Evidence of: Development, Testing, QA, Approval before promotion to production
What are 3 considerations for the "management of technical vulnerabilities" in clause 12.6.1?
- How to scan/identify vulnerabilities
- Roles (who will scan, who will fix)
- Identifying assets that need management
- How to patch
To whom are confidentiality or non-disclosure agreements applicable?
Who are the governing bodies for ISO 27001 certification in the US and the United Kingdom?
US: ANAB
UK: UKAS
In control 9.4.4 what are examples of "privileged utility programs"?
Programs that might be capable of overriding system and application controls.
Control 14.2.6 requires a "secure development environment". What are examples of a secure development environment?
See ISO 27002 implementation guidance items a-j on page 60.
What are examples of things one would expect to see in capacity management monitoring (12.1.3)?
System usage, current and future capacity needs, deletion of obsolete data, optimization of batch processes (see 12.1.3 on page 40 of ISO 27002)
What is network segmentation and why is it important?
Segmentation divides a computer network into smaller parts. The purpose is to improve network performance and security.
During the external audit, when is the ISMS typically tested by the auditor?
During Stage 1
Where strong authentication and identity verification is required, authentication methods alternative to passwords, such as cryptographic means, smart cards, tokens or biometric means, should be used.
What resource does risk3sixty have available to learn more about DevSecOps/Security in the SDLC?
In AWS, what are examples of event logging toolsets?
AWS Cloudwatch, Datadog, many others
When considering "Network Security" what are three systems we often consider?
- Active Directory
- G-Suite
- MS365
Which clause requires that security teams create a "strategic roadmap" for information security?
Clause 6.2
What are example administrative accounts and/or groups in Active Directory?
Administrator, Admin, Enterprise Admins, Schema Admins
In control 14.1.3 what are examples of how one can "protect application services transactions"?
Encryption in transit leveraging a trusted authority (such as digital certificates)
What are 3 best practices to secure endpoint devices?
- Standard secure hardening configurations
- Use of an MDM
- Antivirus/anti-malware
What are effective techniques to secure data in transit?