Questions & Answers about Information Security

What is accreditation?
What are business continuity plans?
What is certification?
What does data traceability mean?
What is encryption?
What is an information security management system?
What is an information system?
What are ISO 27001, ISO 27002 and ISO 9001?
What is risk assessment?
What is a Statement of Applicability (SOA)?
What is an Information Security Management System (ISMS)?

What is accreditation?
Accreditation is certification by a duly recognised body of a party's competence to perform particular tasks and projects. Further details: http://www.ukas.com/

What are business continuity plans?
Business continuity management is a component of information security management in accordance with the international standards in this field. Its goal is to protect critical business processes from the effects of major failures or disasters. Through integrated preventive and recovery measures, the effects of disruptions and crises are reduced to an acceptable level.

Business continuity plans are an integral part of business continuity management. Such plans include categorising operations by importance as well as specifying parties with well-defined roles during emergencies, actions to be performed in order to recover operations in a timely fashion, and regular testing. Business continuity plans need to be reviewed regularly to remain valid.

Business continuity plans are also called disaster or contingency plans.

What is certification?
Certification is confirmation by a third party that operating procedures comply with stated criteria. An organisation can be certified in part or in whole. The scope of the operations to be certified must be known, and the certification is limited to those activities. Certification is accredited if the certifying party has been validated by a government-recognised accreditation body. One example of such a government-recognised accreditation body is the United Kingdom Accreditation Service (UKAS). The British Standards Institution in London, which has a branch in Iceland, is an accredited certification body. Certification is not accredited if the certification body itself has not been validated by a government-authorised accreditation body. For example, Vottun hf. in Iceland is not an accredited certification body.

What does data traceability mean?
In all software, it is important that changes to data, and how the data developed over time, can be examined afterwards. This applies particularly to software used in risk and quality management. In software offering traceability, the following needs to be recorded as a minimum upon each change to data:

  • Who made the change
  • The status of the data before the change
  • The status of the data after the change
  • When the change took place
  • The effects of the change on individual parts of the system or the system as a whole

Data traceability is a key component in Stiki's software.
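The following is an added example of the minimum record the list above calls for, written for this page and not taken from Stiki's or RM Studio's software. Each change is stored with who made it, the value before and after, when it happened and which parts of the system it affects. Two things go beyond the text and are assumptions of the example: a Field name identifying the piece of data that changed, and a hash chain linking each entry to the previous one so that later alterations of the trail itself can be detected.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// ChangeRecord carries the five items the text requires for every change to
// data. Field, PrevHash and Hash are additions beyond the text: Field names
// the data item, and the hashes chain each entry to the one before it so
// that later edits to the trail are detectable.
type ChangeRecord struct {
	Who      string    `json:"who"`      // who made the change
	Field    string    `json:"field"`    // which piece of data changed (hypothetical identifier)
	Before   string    `json:"before"`   // status of the data before the change
	After    string    `json:"after"`    // status of the data after the change
	When     time.Time `json:"when"`     // when the change took place
	Affected []string  `json:"affected"` // parts of the system the change affects
	PrevHash string    `json:"prev_hash"`
	Hash     string    `json:"hash"`
}

// AuditLog is an append-only trail of ChangeRecords.
type AuditLog struct {
	Records []ChangeRecord
}

// hashRecord hashes every field of r except Hash itself.
func hashRecord(r ChangeRecord) string {
	r.Hash = ""
	b, err := json.Marshal(r)
	if err != nil {
		panic(err) // only reachable with unmarshalable fields; this struct has none
	}
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Record appends a change and links it to the previous entry.
func (l *AuditLog) Record(who, field, before, after string, when time.Time, affected []string) ChangeRecord {
	prev := ""
	if n := len(l.Records); n > 0 {
		prev = l.Records[n-1].Hash
	}
	r := ChangeRecord{Who: who, Field: field, Before: before, After: after,
		When: when, Affected: affected, PrevHash: prev}
	r.Hash = hashRecord(r)
	l.Records = append(l.Records, r)
	return r
}

// Verify recomputes each hash and checks the chain. It returns the index of
// the first record that has been altered or unlinked, or -1 if the trail is intact.
func (l *AuditLog) Verify() int {
	prev := ""
	for i, r := range l.Records {
		if r.PrevHash != prev || hashRecord(r) != r.Hash {
			return i
		}
		prev = r.Hash
	}
	return -1
}

// History lists the successive values of one field, oldest first, so an
// auditor can follow how the data developed.
func (l *AuditLog) History(field string) []string {
	var out []string
	for _, r := range l.Records {
		if r.Field == field {
			out = append(out, r.After)
		}
	}
	return out
}

func main() {
	// Constructed sample: two edits to a risk register entry.
	var trail AuditLog
	t0 := time.Date(2024, 1, 15, 9, 30, 0, 0, time.UTC)
	trail.Record("alice", "risk-42.owner", "", "bob", t0, []string{"risk register"})
	trail.Record("bob", "risk-42.status", "open", "treated", t0.Add(time.Hour), []string{"risk register", "SOA"})
	for _, r := range trail.Records {
		fmt.Printf("%s changed %s: %q -> %q at %s (affects %v)\n",
			r.Who, r.Field, r.Before, r.After, r.When.Format(time.RFC3339), r.Affected)
	}
	fmt.Println("trail intact:", trail.Verify() == -1)
}
```

Verify walks the trail from the start, so the index it returns is the earliest entry whose content or link no longer matches; everything after that point is suspect too, since later entries were chained to the original value.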

What is encryption?

  • Encryption:
    The process of scrambling information so that only the intended recipient can unscramble and read the information. When words or number sequences are encrypted, they are converted through the use of an algorithm into a secret code. To make the data understandable again, they need to be decrypted, i.e. converted back to their original form. Encryption uses a secret sequence of characters called an encryption key.
  • One-way encryption:
    Encryption without an encryption key. Input, such as a word or a number sequence (e.g. an ID number), is converted into a sequence of characters from which the input cannot be recovered, since no decryption key exists. This is often done using a mathematical function called a one-way hash function.
  • Symmetric encryption:
    A single key is used for both encryption and decryption. Input, as a word or a number sequence, is converted using a certain algorithm and key. The person performing the encryption chooses the key and needs to keep it secret from outsiders. The same key is used to reconvert the encrypted data to its original form.
  • Asymmetric encryption:
    Two different keys are used in asymmetric encryption, one for encryption and one for decryption. Initially, a pair of mathematically related keys is created. Despite the relationship between them, the decryption key (or private key) cannot be derived from the encryption key (or public key). When this type of encryption is used, it is vital to keep the decryption key secret. This encryption method is commonly used in e-mail communications. The sender encrypts the e-mail text and attachments using the recipient's public key. After delivery, the recipient decrypts the e-mail using his private key.

What is an information security management system?
An information security management system (ISMS) is part of an organisation's overall management system. It is intended to maintain information security. The ISMS extends to the organisation's activities and customer relations. It covers a company's organisation chart, its policies, internal structure, division of responsibilities, work routines, procedures, processes and resources.

The scope of an ISMS can include an organisation's total operations or specific parts of its activities. The ISMS needs to cover the information systems, including assets, services and software, used in the operations specified under the defined scope.

What is an information system?
An information system comprises a collection of data and a data-processing system that together form an integrated system for the storage and use of information. Information systems also include the personnel, equipment, software, services, funds and other factors involved in providing or distributing information.

What are ISO 27001, ISO 27002 and ISO 9001?
ISO/IEC 27001:2005 Information technology - Security techniques - Information security management systems - Requirements. This standard contains specifications for information security management.

ISO/IEC 27002:2005 Information technology - Security techniques - Code of practice for information security management.

ISO 9001 Quality management systems - Requirements. This is a standard for quality management systems.

Further details: https://bsi-global.com, http://www.iso.org/iso/en/ISOOnline.frontpage

What is risk assessment for data processing?
Risk assessment is the overall process of risk analysis and risk weighting in accordance with ISO/IEC 27001:2005: the evaluation of the risks to data and data processing, their effects, the sensitivity of the data to such risks, and the probability that the risk events occur. This includes assessing the risk of an outside party accessing information, altering it or otherwise compromising its security. Risk assessment also covers the scope and consequences of each risk with reference to the nature of the data being used. The goal of risk assessment is to provide a basis for selecting security measures. Risk assessments are reviewed annually.

What is a Statement of Applicability?
A statement of applicability (also known as an SOA) is a document which identifies the controls chosen for your environment, and explains how and why they are appropriate. The SOA draws upon the results of the risk assessment and, if ISO/IEC 27001 compliance is to be achieved, must directly relate the selected controls back to the original risks they are intended to mitigate. The controls are normally selected from ISO/IEC 27002, but it is also possible to include proprietary controls. A number of sector-specific schemes are being introduced which stipulate additional mandatory controls.
The SOA should make reference to the workflows, processes, policies or other documentation/systems through which the selected control will actually be implemented.

It is also good practice to document the rationale explaining why non-selected controls were excluded.
Auditors ask for the SOA in the certification process. The SOA is also a good marketing document for stakeholders such as customers, employees, shareholders, and also for surveillance authorities.

An implementation program is the next step after issuing the Statement of Applicability.
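The following added example, written for this page and not taken from RM Studio or any Stiki software, ties the two preceding sections together: a small risk register is weighted by probability and effect, and a Statement of Applicability is then built from it so that every selected control traces back to the risks it mitigates, every excluded control carries a rationale, and each entry names the document through which the control is implemented. The 1-5 scales, the selection threshold, the control IDs (CTRL-01 and so on) and the register contents are all constructed for the example; the text prescribes none of them.

```go
package main

import (
	"fmt"
	"sort"
)

// Risk is one entry in a risk register: a threat to an asset, weighted by the
// probability of the event and its effect if it occurs. The 1-5 scales are an
// assumption of this example.
type Risk struct {
	ID          string
	Asset       string
	Threat      string
	Probability int      // 1 = rare .. 5 = almost certain
	Impact      int      // 1 = negligible .. 5 = severe
	Controls    []string // catalogue controls that would mitigate this risk
}

// Score multiplies probability by impact; higher means more urgent.
func (r Risk) Score() int { return r.Probability * r.Impact }

// Control is a catalogue entry (in practice drawn from ISO/IEC 27002 or a
// proprietary set); the IDs used here are constructed placeholders.
type Control struct {
	ID             string
	Name           string
	ImplementedVia string // the policy, process or system through which it is applied
}

// SOAEntry is one line of the Statement of Applicability: whether the control
// is selected, which risks it traces back to, and the rationale either way.
type SOAEntry struct {
	ControlID      string
	Selected       bool
	Risks          []string
	Justification  string
	ImplementedVia string
}

// RankRisks returns a copy of the register sorted by score, highest first.
func RankRisks(risks []Risk) []Risk {
	out := append([]Risk(nil), risks...)
	sort.SliceStable(out, func(i, j int) bool { return out[i].Score() > out[j].Score() })
	return out
}

// BuildSOA selects every control that mitigates at least one risk scoring at
// or above threshold, and records an exclusion rationale for the rest.
func BuildSOA(catalogue []Control, risks []Risk, threshold int) []SOAEntry {
	byControl := map[string][]string{}
	for _, r := range risks {
		if r.Score() < threshold {
			continue
		}
		for _, c := range r.Controls {
			byControl[c] = append(byControl[c], r.ID)
		}
	}
	entries := make([]SOAEntry, 0, len(catalogue))
	for _, c := range catalogue {
		e := SOAEntry{ControlID: c.ID, ImplementedVia: c.ImplementedVia}
		if ids := byControl[c.ID]; len(ids) > 0 {
			e.Selected = true
			e.Risks = ids
			e.Justification = fmt.Sprintf("mitigates %d risk(s) scoring >= %d", len(ids), threshold)
		} else {
			e.Justification = fmt.Sprintf("no assessed risk scoring >= %d requires it", threshold)
		}
		entries = append(entries, e)
	}
	return entries
}

// SampleRegister and SampleCatalogue are constructed data for illustration.
func SampleRegister() []Risk {
	return []Risk{
		{ID: "R1", Asset: "customer database", Threat: "unauthorised external access", Probability: 3, Impact: 5, Controls: []string{"CTRL-01", "CTRL-02"}},
		{ID: "R2", Asset: "public website", Threat: "defacement", Probability: 2, Impact: 2, Controls: []string{"CTRL-03"}},
		{ID: "R3", Asset: "backup media", Threat: "loss in transit", Probability: 2, Impact: 5, Controls: []string{"CTRL-02"}},
	}
}

func SampleCatalogue() []Control {
	return []Control{
		{ID: "CTRL-01", Name: "access control policy", ImplementedVia: "Access Control Policy v3"},
		{ID: "CTRL-02", Name: "encryption of stored data", ImplementedVia: "Backup and Storage Procedure"},
		{ID: "CTRL-03", Name: "change management", ImplementedVia: "Change Management Process"},
		{ID: "CTRL-04", Name: "clear desk policy", ImplementedVia: "Office Security Guidelines"},
	}
}

func main() {
	for _, r := range RankRisks(SampleRegister()) {
		fmt.Printf("%s %-18s score %2d\n", r.ID, r.Asset, r.Score())
	}
	for _, e := range BuildSOA(SampleCatalogue(), SampleRegister(), 10) {
		fmt.Printf("%s selected=%-5v risks=%v via %q: %s\n", e.ControlID, e.Selected, e.Risks, e.ImplementedVia, e.Justification)
	}
}
```

With a threshold of 10, the sample selects CTRL-01 (traced to R1) and CTRL-02 (traced to R1 and R3) and excludes CTRL-03 and CTRL-04 with a stated reason, which is the shape an auditor looks for: each selected control points back at the risks that justify it, and the exclusions are documented rather than silent.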

What is an Information Security Management System (ISMS)?
A risk assessment is prepared for a specific information security management system (ISMS). According to the ISO/IEC 27001 standard, an information security management system is: “That part of the overall management system that is designed to establish, implement, operate, monitor, review, maintain and improve information security based on a business risk approach.” There is often a single information security management system for a whole business entity or the whole company, enabling the preparation of a risk assessment for that body.
