2 - Security Policies and Procedures Flashcards
Internal and external changes force organizations to evolve on what levels?
operational, tactical, and strategic
What are security policies?
documents that provide the foundation for organization security goals
Policies created by organizations are a reflection of what?
The external laws and regulations that apply to the organization
What does policy life cycle management involve?
the creation, usage, and retirement of policies
What does performing a risk assessment identify?
risks to organizational assets
What should be used to guide policy creation?
policy templates
Where should policy input be sought?
from executives and other stakeholders
What should be established for policy violations?
penalties
To whom should organizational policies be published?
all employees in the organization
The organization should ensure staff members do what when a policy is published?
read, understand, and sign the policy
What should be used to enforce policies whenever possible?
technology
Who should be educated about organizational policy contents?
organizational staff
How often should policy reviews be scheduled?
annually or semi-annually
When should a policy be retired?
When it’s no longer applicable
Organizational policies can focus on what?
all aspects of an organization
System-specific policies focus on what?
specific computers or network systems, and the necessary security controls that protect them
Issue-specific policies focus on what?
specific organizational issues such as department issues, business products, processes, and others
Regulatory policies ensure that an organization does what?
follows the legal requirements of compliance law
Advisory policies do what?
provide strong recommendations or reminders for employees to consider
Informative policies do what?
provide gentle recommendations or reminders for employees to consider
Standards are required elements regarding what?
the implementation of controls or procedures in support of a policy
Guidelines do what?
specify optional and recommended security controls or processes to be followed
What is a process?
a predictable series of steps needed to achieve an objective
What are procedures?
operation-level, step-by-step details on how to achieve specific business processes
What are baselines?
point-in-time measurements of what we agree is the acceptable level or normal performance
Policies need to be consulted and periodically revised due to what types of changes to the business?
new business, technologies, environmental changes, regulatory requirements, and emerging risks
Policies are often driven by a combination of what requirements?
internal and external requirements
The security requirements of policies are often best described by whom?
other departments within your organization, including human resources, legal, management, etc.
Security’s relationships with other business units and utilization of their skill sets are vital to what?
the success of an organization’s security program
A documented process of determining the prioritization of responses to threats:
risk assessment
A business impact analysis does what?
documents the various risks to an organization and the resulting impact from disasters should those risks be realized
What are interoperability agreements?
a broad category of agreements that include data, technology, and communication sharing requirements between two or more organizations
What are interconnection security agreements?
specialized agreements between organizations that have connected IT systems to document the security requirements associated with the interconnection
What are memorandums of understanding?
legal documents used to describe a bilateral agreement between parties
What is a service level agreement?
an agreement negotiated between parties detailing the expectations between a customer and a service provider
What is an operating level agreement?
an internal document that defines the relationships between internal parties to support business activities
What is a nondisclosure agreement?
an agreement between parties defining and establishing the rules for which information can be shared
What is a business partnership agreement?
a type of legal agreement between partners establishing the terms, conditions, and expectations of the relationship
What is a master service agreement?
an all-encompassing agreement between multiple organizations that serves as the building block for future agreements, transactions, and business documents
When working with other businesses, formal documentation requests and security requirements should be included in what?
the contract with the other business
Requests for proposal accomplish what goals?
- informs potential vendors of a product or service being sought
- provides specific details on what the organization wishes to purchase
- provides a basis from which to evaluate interested vendors
What does a Request for Quote do?
further restricts the list of companies that will receive the full request by asking for price ranges for services or products
A Request for Information is issued for what purpose?
to seek information regarding specific products or services in the marketplace
Privacy is the desire to control the use of what?
personal data
Establishing and publishing the requirements associated with PII allows an organization to ensure what?
that the awareness of privacy requirements is spread throughout the organization and incorporated into plans, policies, and procedures
With regard to PII storage, organizations must clearly designate what?
- elements of PII that are being collected
- elements of PII that are stored
- security provisions
- storage time
With regard to PII usage, organizations must clearly state what?
what the PII will be used for, including any transfer to third parties
With regard to security policies, due care addresses what?
whether the organization has a minimal set of policies that provides reasonable assurance of success in maintaining security
(involves taking action)
With regard to security, due diligence requires what?
that management do something to ensure security, such as implement procedures for testing and review of audit records, internal security controls, and personnel behavior
Incident response is a team-led activity that does what?
prevents, detects, and responds to security breaches
What do forensic tasks involve?
the collection and preservation of digital evidence
Continuous monitoring involves what?
tracking changes to the information system that occur during its lifetime and then determining the impact of those changes on the system security controls
Ongoing security is a coordinated effort that can do what?
move protection priorities in response to the shifting threat landscape and requirements
User training and awareness have what benefits for the company?
they ensure employees understand what security expectations are placed on them so they can better protect organizational assets and business objectives
Auditing requirements and frequency function as what?
a set of checks and balances to measure that the desired level of security control is actually present and functioning as designed