Where can you find videos on the ISO 27001 framework?
risk3sixty's YouTube channel, the ISO 27001 playlist.
Where can you find answers to questions and videos about how to use Phalanx?
Phalanx knowledge base
What is management committed to based on ISO 27001? What clause requires this?
Top management must demonstrate leadership and commitment to the ISMS, which includes promoting continual improvement of the information security program. (Clause 5.1, Leadership and commitment; ISO uses the term "continual", not "continuous".)
What are two authoritative guides on risk management?
ISO 27005, NIST 800-30
What is a VPN? When would a company use a VPN?
A virtual private network extends a private network across a public network and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. A company would use one for remote access (employees reaching internal systems from outside the office) or for site-to-site connectivity (linking two offices or an office and a cloud environment over the internet without exposing internal traffic).
What is the risk3sixty status reporting routine?
Send a weekly status report to the client
Update Asana status reporting for the internal team
What modules are included with Phalanx for every client?
Assessments (not templates)
Risk Register
Compliance Calendar
How would you test the competence of security resources per clause 7.2?
- Review the organization's hiring process, role description, and definition of requirements
- Inspect the individual's resume, training history, certifications
According to ISO 27005, what is the formula to arrive at a risk score?
Impact x Likelihood = Risk. (ISO 27005 itself defines the level of risk as the combination of likelihood and consequence; multiplying the two scores is the common convention used to rank risks in a register.)
How would you test the effectiveness of a firewall ruleset?
- Review a network diagram to understand the network segments and the ingress/egress points the firewall sits between
- Inspect the firewall ruleset with the network administrator to understand the logic
- Check for any allow-all rulesets
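The "allow-all" check above is easy to do by eye on a ten-line ruleset and easy to miss on a thousand-line one. The following is an added example, not code from risk3sixty or from Phalanx, that audits a ruleset under first-match semantics: it flags rules that allow any source to any destination on any protocol and port, and also flags rules that can never match because an earlier, broader rule already covers them (a default-deny shadowed by a temporary allow-all is the classic finding). The rule format and the sample ruleset are constructed for the example; a real export (iptables-save, a vendor CSV) needs its own parser in front of this.

```python
"""Audit a firewall ruleset for allow-all rules and shadowed rules.

Added example (not risk3sixty's or Phalanx's code). The Rule format and the
SAMPLE_RULES below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    action: str   # "allow" or "deny"
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    proto: str    # "tcp", "udp", "icmp" or "any"
    dport: str    # "443", "1024-65535" or "any"


def _net(cidr):
    """Return an ip_network, or None for the wildcard 'any'."""
    return None if cidr.lower() == "any" else ip_network(cidr, strict=False)


def _ports(spec):
    """Return (low, high) for a port spec; 'any' is the full range."""
    if spec.lower() == "any":
        return (1, 65535)
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return (int(lo), int(hi))
    return (int(spec), int(spec))


def net_covers(a, b):
    """True if address spec a matches every address that spec b matches."""
    an, bn = _net(a), _net(b)
    if an is None or an.prefixlen == 0:   # "any" or 0.0.0.0/0 or ::/0
        return True
    if bn is None:                         # b is wildcard, a is not
        return False
    return bn.version == an.version and bn.subnet_of(an)


def proto_covers(a, b):
    return a.lower() == "any" or a.lower() == b.lower()


def ports_cover(a, b):
    alo, ahi = _ports(a)
    blo, bhi = _ports(b)
    return alo <= blo and bhi <= ahi


def covers(a, b):
    """True if rule a matches every packet that rule b matches."""
    return (net_covers(a.src, b.src) and net_covers(a.dst, b.dst)
            and proto_covers(a.proto, b.proto) and ports_cover(a.dport, b.dport))


# A synthetic "match everything" rule used as the yardstick for allow-all.
_ANY = Rule("_any_", "allow", "any", "any", "any", "any")


def is_allow_all(rule):
    """An allow rule is allow-all if it covers every possible packet."""
    return rule.action.lower() == "allow" and covers(rule, _ANY)


def audit_ruleset(rules):
    """First-match semantics: a rule is shadowed (dead) if an earlier rule covers it."""
    allow_all = [r.name for r in rules if is_allow_all(r)]
    shadowed = [r.name for i, r in enumerate(rules)
                if any(covers(earlier, r) for earlier in rules[:i])]
    return {"allow_all": allow_all, "shadowed": shadowed}


# Constructed sample ruleset: the "temp-troubleshoot" rule was left in place
# and now makes the default-deny at the bottom unreachable.
SAMPLE_RULES = [
    Rule("web-in", "allow", "0.0.0.0/0", "10.1.2.10/32", "tcp", "443"),
    Rule("mgmt-ssh", "allow", "10.0.0.0/8", "10.1.2.0/24", "tcp", "22"),
    Rule("temp-troubleshoot", "allow", "any", "any", "any", "any"),
    Rule("default-deny", "deny", "any", "any", "any", "any"),
]

if __name__ == "__main__":
    for finding, names in audit_ruleset(SAMPLE_RULES).items():
        print(f"{finding}: {', '.join(names) or 'none'}")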
Once you complete an assessment, how do you complete a formal report for the client?
Generate a formal report in Phalanx.
What is the most efficient way to write-up an assessment finding in Phalanx?
Using the formal findings database.
When auditing clause 7.5 (documented information) what activities or habits would you expect?
- How they create and update documentation: identification, format, review and approval (clause 7.5.2; page 6 of ISO 27001)
- How they control documented information: availability, protection, distribution, storage, version control, and retention (clause 7.5.3; pages 6-7 of ISO 27001)
When performing a risk analysis, what are 3 sources of data/inputs you might consider?
Identification of Assets
Identification of vendors
Identification of threats
Identification of existing controls
Identification of potential vulnerabilities
Identification of potential consequences
What is a WAF?
A web application firewall is a specific form of application firewall that filters, monitors, and blocks HTTP traffic to and from a web service.
It is deployed in front of web applications and analyzes bi-directional web-based (HTTP) traffic - detecting and blocking anything malicious.
Describe risk3sixty's Ideal Client Profile.
High Growth Tech
How much do we charge for Phalanx?
- starting at $750/mo for existing clients
- starting at $1,500/mo for phalanx only clients
- Talk to sales for enterprise clients
When auditing clause 10.1 what audit artifacts would you expect to determine if Nonconformity and corrective action is in place?
- Logging of non-conformities (e.g., in risk register)
- Assignment and tracking of progress toward improvement (e.g., project management documents, actions taken, meeting minutes, evidence of remediation, etc.)
What are the 5 risk treatment options? What is an example of each?
Accept - Do nothing
Transfer - Insurance
Mitigate - New Control
Share - 3rd Party
Avoid - Halt Project
What are three ways you could secure wireless networks?
Maintain an Inventory of Authorized Wireless Access Points
Detect Wireless Access Points Connected to the Wired Network
Use a Wireless Intrusion Detection System
Disable Wireless Access on Devices if Not Required
Limit Wireless Access on Client Devices
Disable Peer-to-Peer Wireless Network Capabilities on Wireless Clients
Leverage the Advanced Encryption Standard (AES) to Encrypt Wireless Data
Use Wireless Authentication Protocols That Require Mutual, Multi-Factor Authentication
Disable Wireless Peripheral Access of Devices
Create Separate Wireless Network for Personal and Untrusted Devices
Name risk3sixty's core values. Provide an example of each core value in action.
Grit, Team, Steadfast, Craftsmanship, Freedom
Name 5 templates we have built into the assessments module.
What are examples of information security aligning to defined business objectives?
See pages 11-12 of our IMS as an example.
What are examples of risk acceptance criteria?
Examples of when management may choose to accept a risk:
• The cost of mitigation exceeds the value of mitigating the risk (i.e., it costs more to mitigate the risk than the loss it would prevent)
• With limited resources, management has chosen to prioritize the mitigation of other risks over the risk in question (in this case the risk should be continually monitored until it is resolved)
• The effort to mitigate the risk exceeds the resources available to the organization, and dedicating resources to this project presents more risk than temporarily accepting the risk
What are ways you could secure network devices such as firewalls, routers, and switches?
Maintain Standard Security Configurations for Network Devices
Document Traffic Configuration Rules
Use Automated Tools to Verify Standard Device Configurations and Detect Changes
Install the Latest Stable Version of Any Security-Related Updates on All Network Devices
Manage Network Devices Using Multi-Factor Authentication and Encrypted Sessions
Use Dedicated Machines For All Network Administrative Tasks
Manage Network Infrastructure Through a Dedicated Network