IT Security Management System Questions with Solutions
1. Why is IT Security so hard?: - Complex risk landscape: a combination of technical, organizational, and infrastructural security measures is required.
- Security measures should be appropriate (neither too weak nor disproportionately expensive).
- Constant monitoring and maintenance are needed.
- Risks are increasing.
- Increased demand for external security audits and certification.
2. What is IT Grundschutz?: A BSI methodology and a compendium of building blocks (modules) that help organizations implement an ISMS with appropriate safeguards, compatible with ISO/IEC 27001.
3. Which BSI documents define the IT Grundschutz framework?: - BSI-Standard 200-1, Information Security Management Systems (ISMS)
- BSI-Standard 200-2, IT-Grundschutz Methodology
- BSI-Standard 200-3, Risk Analysis based on IT-Grundschutz
- The IT-Grundschutz Compendium (the catalogue of modules)
4. What is the goal of IT Grundschutz?: Provide an appropriate and affordable level of information security by combining organizational, technical, and infrastructural safeguards.
5. How is IT Grundschutz positioned relative to ISO 27001?: It is compatible with ISO/IEC 27001, and an ISO 27001 certification on the basis of IT-Grundschutz is possible.
6. Name the process oriented module groups in the IT Grundschutz Compendium: ORP (Organization and Personnel), CON (Concepts), OPS (Operations), DER (Detection and Reaction)
7. Name the system oriented module groups in the IT Grundschutz Compendium: APP (Applications), SYS (IT Systems), IND (Industrial IT), NET (Networks), INF (Infrastructure)
8. What are the components of an information security management system (ISMS) according to BSI 200-1?: Security Process, Employees, Management Principles, Resources
9. What are the phases of the security process according to BSI 200-2?: 1) Initiation of the security process: Management is responsible for defining the goals and strategy of the security process and for providing the required resources. It also has to decide on the type of protection (Basic, Core, or Standard Protection).
2) Creation of the policy for information security: This is the general guideline defining the security objectives of the institution.
3) Establishment of the organizational structures required for implementing an ISMS.
4) Creation of security concepts according to IT-Grundschutz: This is a concrete instantiation of the security policy.
5) Implementation of the defined security concepts and elimination of identified weak spots.
6) Maintenance and improvement by checking and updating the security measures. If the institution implemented Basic or Core Protection, an upgrade to Standard Protection should be considered.
10. What are management's responsibilities?: Management has overall responsibility for information security and must visibly live it (lead by example).
Create an appropriate structure within the company that is sufficiently independent of other departments. Define the information security policy.
Provide personnel, financial, and technical resources for IT security management. Decide on the protection level (Basic, Core, or Standard Protection).