Information Security Managment

The ISMS focuses on 5 areas:

  • Threats as well as applied threats
  • Attack Vectors
  • Measures (Controls)
  • Assets
  • Vulnerabilities

The measures can be divided into different categories. The categories used are mostly the organizational measures such as password rules or other guidelines as well as the technical measures such as the formation of separate networks.

An information security incident is an undesired event that leads to the loss of one or more assets. The frequency depends on the applied threat situation, on the (protective) measures and on the vulnerabilities.

There is a distinction between threat and applied thread. A threat is the circumstance that can lead to damage. An applied threat in turn affects a value via a vulnerability. A threat thus becomes an applied threat due to a vulnerability. For example Encryption Trojans are a potential threat to computer systems. However, not always an applied threat, because the Trojan may not run on Linux or macOS.

Vulnerabilities can also be defined as representing an Inadequacy in (security) measures.

Reactive tools

The most widely used approach in the information security field is to learn from mistakes and problems encountered. Therefore, here is a short list of databases:

  • NVD - National Vulnerability Database - https://cve.mitre.org - provides a unified list of closed vulnerabilities. Thereby also a standardized vulnerability scoring system was developed.
  • ExploitDb https://www.exploit-db.com - offers a database of closed vulnerabilities. closed vulnerabilities. This is a very good way to can be traced.
  • OWASP - Open Web Application Security Project - https://www.owasp.org - The project provides the users with security guidelines, tools and materials around the software development lifecycle (SDLC).

Other terms

  • Data security and data protection - Data security refers very generally to the organizational and technical measures that prevent loss, alteration or copying by unauthorized persons, changes or copying by unauthorized persons. The data protection refers only to the personal data, i.e., that the personal rights of the individual are not impaired, for example, by unauthorized changes or copying.

  • CIA - Confidentiality, Integrity, Availability - When it comes to the confidentiality or the secrecy of the information, so that only the defined circle of defined group of people has access to the data, we speak of Confidentiality. With integrity** is concerned with the authenticity or integrity of the information. Authentication can be used to ensure that the sender or the sender or receiver is talking to the correct remote station and that a spoofer has not changed the data in between. Availability** refers to the availability of a system. Often CIA is supplemented by binding which implies **non-repudiation**.

  • Risk - Risk is the product of the probability of an incident with the extent of damage. The probability of an incident can be divided the product of threat and vulnerability (the more, the higher the probability).

In order to reduce risks, the following activity categories can be used. can be used:

  1. organize,
  2. control access,
  3. combine measures,
  4. control implementation,
  5. correct errors.

Furthermore, the BSI offers additional information in the Catalogs of Measures.

Next