IT Examiner School eBook May 2025
Principles of Information Security: Additional Concepts

Least Privilege Principle: Users and systems should only have the minimum access necessary to perform their tasks. Reduces the risk of exploitation if credentials are compromised.

Separation of Duties: Critical tasks are divided among multiple individuals to prevent fraud and errors.

Defense in Depth: Multiple layers of security controls (physical, technical, administrative) to protect data and systems.

Zero Trust Architecture: "Never trust, always verify." Continuous verification of user identities and device trustworthiness. No implicit trust, even for users inside the network perimeter.

Monitoring and Auditing: Continuous monitoring of networks and systems for suspicious activity. Regular audits to ensure compliance with security policies and standards. Real-time alerts for unauthorized access attempts.
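The least-privilege and separation-of-duties principles above are typically tested during an access review: compare what each user has been granted against what the role actually needs, and check that no one person holds two permissions that must stay apart. The following is an added example of such a review check; it is not part of the eBook, and the roles, permission names, conflict pairs and users are constructed sample data rather than identifiers from any real system.

```python
"""Access-review helpers illustrating least privilege and separation of duties.

Added example, not part of the IT Examiner School eBook. Roles, permissions
and users below are constructed sample data, not real system identifiers.
"""

# Constructed: the permissions each job function actually needs.
REQUIRED_BY_ROLE = {
    "teller": {"account:read", "transaction:create"},
    "loan_officer": {"account:read", "loan:create"},
    "auditor": {"account:read", "transaction:read", "loan:read"},
}

# Constructed: permission pairs that must never be held by one person.
SOD_CONFLICTS = [
    ("transaction:create", "transaction:approve"),
    ("loan:create", "loan:approve"),
]


def excess_privileges(role, granted):
    """Return permissions granted beyond what the role requires.

    Any non-empty result is a least-privilege finding: the user can do more
    than the job calls for, which is what an attacker with stolen credentials
    would inherit.
    """
    return set(granted) - REQUIRED_BY_ROLE.get(role, set())


def sod_violations(granted):
    """Return the conflict pairs fully held by one user (separation-of-duties findings)."""
    held = set(granted)
    return [pair for pair in SOD_CONFLICTS if held.issuperset(pair)]


def review_access(users):
    """Run both checks over a mapping of user -> (role, granted permissions).

    Returns a dict of findings keyed by user; users with no findings are omitted.
    """
    findings = {}
    for user, (role, granted) in users.items():
        excess = excess_privileges(role, granted)
        sod = sod_violations(granted)
        if excess or sod:
            findings[user] = {"excess": sorted(excess), "sod": sod}
    return findings


# Constructed sample entitlement export: user -> (assigned role, granted permissions).
SAMPLE_USERS = {
    "alice": ("teller", {"account:read", "transaction:create"}),
    "bob": ("teller", {"account:read", "transaction:create", "transaction:approve"}),
    "carol": ("loan_officer", {"account:read", "loan:create", "loan:approve", "admin:*"}),
}

if __name__ == "__main__":
    for user, finding in review_access(SAMPLE_USERS).items():
        print(user, finding)
```

In the sample data, alice is clean, bob holds both halves of the transaction conflict pair (a separation-of-duties finding that is also excess for a teller), and carol carries an administrative wildcard and an approval right her role does not require.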
Information Security Program Framework

Definition: Structured guidelines that organizations use to manage and protect information assets effectively.

Purpose: To establish best practices, meet regulatory requirements, and standardize security measures across the organization.

• Roadmap for achieving strategy
• Policies/Standards/Procedures/Guidelines
• Controls & Control Objectives
• Roles and Responsibilities
• Governance & Oversight
• 3rd Party Governance
• Monitoring/Auditing/Assurance