2 - Security Policies and Procedures Flashcards

1
Q

Internal and external changes force organizations to evolve on what levels?

A

operational, tactical, and strategic

2
Q

What are security policies?

A

documents that provide the foundation for organization security goals

3
Q

Policies created by organizations are a reflection of what?

A

The external laws and regulations that apply to the organization

4
Q

What does policy life cycle management involve?

A

the creation, usage, and retirement of policies

5
Q

What does performing a risk assessment identify?

A

risks to organizational assets

6
Q

What should be used to guide policy creation?

A

policy templates

7
Q

Where should policy input be sought?

A

from executives and other stakeholders

8
Q

What should be established for policy violations?

A

penalties

9
Q

To whom should organizational policies be published?

A

all employees in the organization

10
Q

The organization should ensure staff members do what when a policy is published?

A

read, understand, and sign the policy

11
Q

What should be used to enforce policies whenever possible?

A

technology

12
Q

Who should be educated about organizational policy contents?

A

organizational staff

13
Q

How often should policy reviews be scheduled?

A

annually or semi-annually

14
Q

When should a policy be retired?

A

When it’s no longer applicable

15
Q

Organizational policies can focus on what?

A

all aspects of an organization

16
Q

System-specific policies focus on what?

A

specific computers or network systems, and the necessary security controls that protect them

17
Q

Issue-specific policies focus on what?

A

specific organizational issues such as department issues, business products, processes, and others

18
Q

Regulatory policies ensure that an organization does what?

A

follows the legal requirements of compliance law

19
Q

Advisory policies do what?

A

provide strong recommendations or reminders for employees to consider

20
Q

Informative policies do what?

A

provide gentle recommendations or reminders for employees to consider

21
Q

Standards are required elements regarding what?

A

the implementation of controls or procedures in support of a policy

22
Q

Guidelines do what?

A

specify optional and recommended security controls or processes to be followed

23
Q

What is a process?

A

a predictable series of steps needed to achieve an objective

24
Q

What are procedures?

A

operation-level, step-by-step details on how to achieve specific business processes

25
Q

What are baselines?

A

point-in-time measurements of what we agree is the acceptable level of normal performance

26
Q

Policies need to be consulted and periodically revised due to what types of changes to the business?

A

new business, technologies, environmental changes, regulatory requirements, and emerging risks

27
Q

Policies are often driven by a combination of what requirements?

A

internal and external requirements

28
Q

The security requirements of policies are often best described by whom?

A

other departments within your organization, including human resources, legal, management, etc.

29
Q

Security's relationships with other business units and utilization of their skill sets are vital to what?

A

the success of an organization's security program

30
Q

A documented process of determining the prioritization of responses to threats:

A

risk assessment

31
Q

A business impact analysis does what?

A

documents the various risks to an organization and the resulting impact from disasters should those risks be realized

32
Q

What are interoperability agreements?

A

a broad category of agreements that include data, technology, and communication sharing requirements between two or more organizations

33
Q

What are interconnection security agreements?

A

specialized agreements between organizations that have connected IT systems to document the security requirements associated with the interconnection

34
Q

What are memorandums of understanding?

A

legal documents used to describe a bilateral agreement between parties

35
Q

What is a service level agreement?

A

an agreement negotiated between parties detailing the expectations between a customer and a service provider

36
Q

What is an operating level agreement?

A

an internal document that defines the relationships between internal parties to support business activities

37
Q

What is a nondisclosure agreement?

A

an agreement between parties defining and establishing the rules for which information can be shared

38
Q

What is a business partnership agreement?

A

a type of legal agreement between partners establishing the terms, conditions, and expectations of the relationship

39
Q

What is a master service agreement?

A

an all-encompassing agreement between multiple organizations that serves as the building block for future agreements, transactions, and business documents

40
Q

When working with other businesses, formal documentation requests and security requirements should be included in what?

A

the contract with the other business

41
Q

Requests for proposal accomplish what goals?

A

- informs potential vendors of a product or service being sought
- provides specific details on what the organization wishes to purchase
- provides a basis from which to evaluate interested vendors

42
Q

What does a Request for Quote do?

A

further restricts the list of companies that will receive the full request by asking for price ranges for services or products

43
Q

A Request for Information is issued for what purpose?

A

to seek information regarding specific products or services in the marketplace

44
Q

Privacy is the desire to control the use of what?

A

personal data

45
Q

Establishing and publishing the requirements associated with PII allows an organization to ensure what?

A

that the awareness of privacy requirements is spread throughout the organization and incorporated into plans, policies, and procedures

46
Q

With regard to PII storage, organizations must clearly designate what?

A

- elements of PII that are being collected
- elements of PII that are stored
- security provisions
- storage time

47
Q

With regard to PII usage, organizations must clearly state what?

A

what the PII will be used for, including any transfer to third parties

48
Q

With regard to security policies, due care addresses what?

A

whether the organization has a minimal set of policies that provides reasonable assurance of success in maintaining security (involves taking action)

49
Q

With regard to security, due diligence requires what?

A

that management do something to ensure security, such as implement procedures for testing and review of audit records, internal security controls, and personnel behavior

50
Q

Incident response is a team-led activity that does what?

A

prevents, detects, and responds to security breaches

51
Q

What do forensic tasks involve?

A

the collection and preservation of digital evidence

52
Q

Continuous monitoring involves what?

A

tracking changes to the information system that occur during its lifetime and then determining the impact of those changes on the system security controls

53
Q

Ongoing security is a coordinated effort that can do what?

A

move protection priorities in response to the shifting threat landscape and requirements

54
Q

User training and awareness have what benefits for the company?

A

they ensure employees understand what security expectations are placed on them so they can better protect organizational assets and business objectives

55
Q

Auditing requirements and frequency function as what?

A

a set of checks and balances to measure that the desired level of security control is actually present and functioning as designed