Practical Align Overview of the Main Frameworks Used by the Companies to Prevent Cyber Incidents

Rogério Yukio Iwashita (University of São Paulo, Brazil) and Luiz Camolesi Junior (University of Campinas, Brazil)
Copyright: © 2021 |Pages: 25
DOI: 10.4018/978-1-7998-5728-0.ch024

Abstract

Among the biggest cybercrime and information security challenges, information security professionals must stay up to date with new risks, cases, and attack methods. Staying up to date in this complex and aggressive scenario is a huge challenge and a necessity for the security professional who must fight cybercriminals. Additionally, given this set of requisites for starting an information security program, an inexperienced professional may be confused by the different frameworks used by industry, mainly the ISO/IEC 27000 family, NIST 800-53, the NIST Cybersecurity Framework, COBIT, etc. This chapter will help the information security professional decide where it is important to focus efforts, what is feasible, and which controls do not demand any additional investment. Additionally, this grading helps InfoSec professionals compare the information security maturity level within a company and between companies, against benchmarks.

Chapter Preview

Background

The ISO/IEC 27000 family is the best-known and most widely used framework among Information Security and Cybersecurity Managers, and it serves as the most comprehensive and in-depth framework in many different companies.

As this family comprises more than 40 different standards, this chapter focuses only on ISO/IEC 27001, which covers the requirements and security techniques of information security management systems for information technologies. It is also the only standard in the family eligible for accredited certification, which is a very good way to assess, and to demonstrate to prospective customers, that the information security controls and safeguards are properly in place.

Key Terms in this Chapter

Phishing: A specific attack in which the attacker sends a malicious e-mail containing an embedded malicious program or a link to a site hosting the malicious program. Usually this e-mail has very curious content, intended to entice the reader to click the link or open the file.

Cyber-Attack: Any attack that uses a computer, the internet, or any digital device.

Advanced Persistent Threat (APT): A specific type of cyber-attack in which the attacker uses different types and methodologies of attack; usually these attacks are directed at, and aim for, a specific target.

Framework: A set of tools and/or procedures organized and catalogued so as to be ready to produce or build something; for instance, a cybersecurity framework is a set of tools or procedures organized and catalogued to build a cybersecurity program.

Risk: A relationship between the probability and the impact or consequence of a threat or situation. It may be positive or negative.

Risk Management: A methodology to identify, measure, classify, and compare risks.

CISSP (Certified Information Systems Security Professional): One of the best-known information security certifications, issued and maintained by (ISC)².
