IT Examiner School - Oct 2025

Internal Use Only


Information Security Principles: Additional Concepts

Least Privilege Principle: Users and systems should only have the minimum access necessary to perform their tasks.

Monitoring and Auditing: Continuous monitoring, compliance checks, and real-time alerts; access decisions and privileged actions are logged so that they can be reviewed after the fact.

Separation of Duties: Critical tasks are divided among multiple individuals to prevent fraud and errors.

Zero Trust Architecture: Continuous verification of user identities and device trustworthiness. No implicit trust, even for users inside the network perimeter.

Defense in Depth: Multiple, overlapping layers of security controls (physical, technical, administrative) so that the failure of any single control does not expose the asset.
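The following is an added example, not part of the original slides, showing how the least privilege, separation of duties, and monitoring/auditing principles above look when enforced in code. The roles, permission names, users and payment records are hypothetical; the point is that permissions are deny-by-default and minimal per role, that an initiator can never approve their own transaction even when their role holds both rights, and that every allow and deny is written to an audit log.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Least privilege: each role carries only the permissions its job needs;
# any permission not listed for a role is denied by default.
# (Hypothetical roles and permission names, constructed for this example.)
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "teller": {"payment:create", "account:read"},
    "supervisor": {"payment:approve", "account:read"},
    "auditor": {"account:read", "audit_log:read"},
    # Combined role, used below to show that separation of duties is
    # enforced even when one person holds both permissions.
    "branch_manager": {"payment:create", "payment:approve", "account:read"},
}


class AuthorizationError(Exception):
    """Raised when a request is denied; callers must not swallow it."""


@dataclass
class Payment:
    payment_id: str
    amount: float
    created_by: str
    approved_by: Optional[str] = None


@dataclass
class AuthzService:
    user_roles: Dict[str, str]                 # user -> single role
    audit_log: List[str] = field(default_factory=list)

    def permissions_for(self, user: str) -> Set[str]:
        # Unknown users and unknown roles get the empty set (deny by default).
        return ROLE_PERMISSIONS.get(self.user_roles.get(user, ""), set())

    def is_allowed(self, user: str, permission: str) -> bool:
        allowed = permission in self.permissions_for(user)
        # Monitoring and auditing: every decision, allow or deny, is recorded.
        self.audit_log.append(f"{'ALLOW' if allowed else 'DENY'} {user} {permission}")
        return allowed

    def require(self, user: str, permission: str) -> None:
        if not self.is_allowed(user, permission):
            raise AuthorizationError(f"{user} lacks {permission}")

    def create_payment(self, user: str, payment_id: str, amount: float) -> Payment:
        self.require(user, "payment:create")
        return Payment(payment_id, amount, created_by=user)

    def approve_payment(self, user: str, payment: Payment) -> Payment:
        self.require(user, "payment:approve")
        # Separation of duties: the person who created the payment can never
        # approve it, regardless of what their role allows.
        if payment.created_by == user:
            self.audit_log.append(f"DENY {user} sod-violation {payment.payment_id}")
            raise AuthorizationError("initiator may not approve own payment")
        payment.approved_by = user
        return payment


def run_demo() -> Dict[str, object]:
    """Exercise the checks with constructed users; returns outcomes for inspection."""
    svc = AuthzService({"alice": "teller", "bob": "supervisor",
                        "carol": "auditor", "dave": "branch_manager"})
    results: Dict[str, object] = {}

    p1 = svc.create_payment("alice", "P-1", 250.0)        # teller may create
    results["p1_approved_by"] = svc.approve_payment("bob", p1).approved_by

    try:                                                   # auditor may not create
        svc.create_payment("carol", "P-2", 10.0)
        results["auditor_create"] = "allowed"
    except AuthorizationError:
        results["auditor_create"] = "denied"

    p3 = svc.create_payment("dave", "P-3", 5000.0)         # manager holds both rights...
    try:                                                   # ...but cannot self-approve
        svc.approve_payment("dave", p3)
        results["self_approve"] = "allowed"
    except AuthorizationError:
        results["self_approve"] = "denied"

    results["denials_logged"] = sum(1 for e in svc.audit_log if e.startswith("DENY"))
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

An examiner reviewing a real system would look for the same three properties: a permission model that is deny-by-default and scoped per role, a separation-of-duties check that is independent of the role model (so a privilege grant cannot bypass it), and an audit trail that records denials as well as approvals.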


Examples of Information Security Frameworks

• NIST Cybersecurity Framework (CSF): A voluntary, risk-based framework for managing cybersecurity risk, usable by any organization. Its core functions are Identify, Protect, Detect, Respond and Recover (the "IPDR2" mnemonic); CSF 2.0 adds Govern.

• ISO/IEC 27001: Standard for an Information Security Management System (ISMS), certifiable by audit. Related standards: ISO/IEC 27002 (implementation guidance for the controls), ISO/IEC 27701 (Privacy Information Management System) and ISO 31000 (Risk Management). Very detailed and broad.

• Center for Internet Security (CIS) Controls: A prioritized set of 18 Controls, each broken into safeguards, for defending against common cyber threats.

• COBIT (Control Objectives for Information and Related Technologies): Framework for governing and managing enterprise IT.

• PCI DSS (Payment Card Industry Data Security Standard): Requirements for protecting cardholder data wherever it is stored, processed or transmitted.

• AICPA SSAE 18 / SOC 2: Attestation reports on a service organization's controls against the AICPA Trust Services Criteria (security, availability, processing integrity, confidentiality, privacy).
  • Type 1 report: Tests the design of controls at a particular point in time.
  • Type 2 report: Tests the design and operating effectiveness of controls over a review period, typically at least six consecutive months.
