1.4 Security Policy Flashcards

1
Q

Terminology - security policy v security procedure

A
  • Security Policy: Broad, general statement of management intent. You do not want a policy to be highly detailed because that would require frequent changes and updating.
    o All critical data will be backed up on a regular basis and stored in a way that it is highly secure but readily accessible when needed
    o Good policy is around 20-50 pages long and requires senior management approval, which can be time consuming in larger companies where you have to go through each level of management
    o It is also a legal document: in court, must, shall and will mean something very different from should, might or can
  • Security procedure: Detailed steps to make the policy happen
    o What is the critical data, where is it stored, what is a regular basis, how do you insert the tape in the drive?
    o A department head can sign off on a procedure – it does not have to be the security manager
2
Q

Culture, policy, posture

A
  • We have an end goal of a specific security posture, in other words, how secure do we want to be and how much risk do we want to accept (risk appetite)?
  • To achieve that security posture, most go straight to changing policy – but what’s equally, or more, important is the culture, in other words the shared beliefs and values of an organization.
  • Remember that policy is just ink on paper; it will not cause change unless you also have the prerequisite culture
  • Thus, to get to a desired security posture, you need a culture that supports your policies rather than opposing them.
3
Q

Security policy: proprietary information

A
  • Security policy also needs to ensure that we have proper controls around proprietary or trade secret information. The Economic Espionage Act of 1996 gives the most complete definition in those terms: for information to be proprietary or a trade secret it must:
    o Have value that would be degraded or diminished by public release
    o Be protected as proprietary or a trade secret
  • This means that if someone releases this information into the public domain, even by accident, then that information is no longer proprietary or a trade secret
4
Q

Expectation of privacy

A
  • Your employees have an expectation of privacy regarding their activity on your network – this means that you cannot monitor their activity in any way
  • The expectation ends only when there is a formal and documented way to tell them there is no longer an expectation
  • The Electronic Communications Privacy Act states that before an employer can monitor you, all of the following must be set out in a written statement:
    o That monitoring will be done
    o Who can do it and under what conditions
    o What will happen if something inappropriate is found
  • Most privacy laws and compliance regulations also require companies to protect and safeguard personally identifiable information – for example, payroll information and social security numbers require protection, but so does customer credit card information
    o Each sector is regulated differently – healthcare organizations, financial institutions, and financial companies all have to abide by different laws on protecting data
  • Effective May 25, 2018, companies that collect data on EU citizens located in the EU region at the time of collection must abide by the General Data Protection Regulation
5
Q

Acceptable use policy

A
  • Dictates what is and is not proper use of company resources
    o Formalizes corporate culture
    o Agrees with all other policies
  • Must be a part of awareness training if you want to be able to terminate or apply disciplinary action
  • This is not one-size-fits-all – it formalizes the culture of your company, and depending on what your company does, certain behaviour may or may not be permissible
6
Q

Personnel security

A
  • We must not forget that the majority of security is done by the users themselves: they do this when they decide to choose a strong password over a weak one, when they lock their computers before lunch, or when they clear their desk of important information before the end of the day
  • When you have certain business functions that are carried out by users, and you want to lower the risk, then make abuse require collusion (so no single person can do it alone) by:
    o Separation of duties – no one person should have control of a critical process from beginning to end – if someone generates invoices they shouldn’t be able to pay them
    o Dual control: two-person integrity is an example of this, whereby two passwords are required to access sensitive information but each person only knows one, so it takes two of them to get access
    o Job rotation: Rotate people in charge of critical functions so that newcomers can detect and report previous fraud
    o Mandatory vacations: Force employees to take vacation then audit their activities while they’re away since they can’t cover their tracks
    o Reference checks: Verifying that information in their hiring application is true
    o Credential checks
    o Background checks