5.1 Flashcards
Security policies, security standards, security procedures, security considerations, data roles and responsibilities
Security policies answer the ____ and ____ of security implementation.
Technical security controls answer the ____.
What, why
How
A master list of all policies that should be followed to maintain the uptime, availability, and security of the network.
They might be mandated by governmental regulations.
It details what happens in different threat situations and lists roles and responsibilities.
Information security policies
AUP stands for
Acceptable Use Policy
A policy that details how an organization’s assets (normally technology) may or may not be used.
Protects the organization from both cyber threats and legal liability.
AUP
A plan that keeps the organization’s critical functions going when disaster happens.
This could mean using manual transactions, paper receipts, and calling up credit card companies to manually approve credit card transactions.
BCP
A plan that details the actions needed to recover the organization’s IT systems and data after a disaster, along with the steps for getting the organization back to full functionality.
Usually a component of the BCP, but focused on restoring technology rather than on keeping business functions running in the meantime.
DRP
This group of personnel is useful in incident response for their specialized training in handling security incidents.
CIRT/CSIRT/CERT
This group of personnel is useful in incident response for their corporate support. This can help obtain the proper resources and people to address incidents.
IT security management team
This group of personnel is useful in incident response for ensuring that the network is compliant with mandated regulations.
Compliance officers
This group of personnel is useful in incident response for actively solving technical problems during disaster.
Technical staff
This group of personnel is useful in incident response because they see everything that occurs on the network, even if they only recognize the symptoms rather than the cause.
Users
A framework that helps to organize and maintain the creation of software.
SDLC
2 of the most common SDLCs
Agile
Waterfall
A linear SDLC cycle
Waterfall
An iterative SDLC that delivers working software in short, repeated cycles (sprints), refining the product each time rather than finishing it in a single pass.
Agile
The formal process associated with making changes (upgrading software, changing firewall configuration, modifying switch ports, etc.), including requesting, approving, testing, and documenting each change and having a rollback plan.
Change management
True/False
Security standards may be written in-house or be picked from many nationally-recognized standards.
True
True/False
One common account policy is that there are to be no local accounts; all accounts are managed centrally through LDAP or the Active Directory (AD) database.
True
True/False
Access control also includes how and when a user’s privileges get revoked - such as security issues, account expiration, contract renewals, or dismissal from the organization.
True
True/False
Encryption requirements list the type of encryption (algorithms and key lengths), how it is implemented, and password storage techniques (e.g., salted hashing), and also cover how to encrypt data in transit, at rest, and in use.
True
The process of bringing a new person into the organization
Onboarding
The process of dismissing a person from the organization.
This includes what will happen to the user’s hardware (and its associated data).
Offboarding
True/False
When offboarding a user, you always want to delete their account.
False
Disable the account (and revoke its credentials, active sessions, and tokens) rather than deleting it. Keeping the account around is important to retain encryption keys, files, and messages that may be needed for company operations or for legal proceedings that require that information.
Documents that define a set of steps to follow in any kind of situation. There should be at least one document for every kind of situation.
Playbook
A governance structure made up of a panel of specialists.
This structure sets the tasks or series of requirements (usually very broad) for a committee to follow and reviews what the committee presents back to it.
Board
A governance structure that acts as the primary decision maker. It considers input from a board in order to determine next steps for a topic at hand. It takes direction from the board on what steps need to be accomplished next.
Once the task is completed, this structure presents it to the board for approval or feedback.
Committee
The 2 methods of governance used by both public (governmental) and private (proprietary) governance structures.
Centralized
Decentralized
The method of governance that involves one group/person making decisions for the entire organization.
Centralized
The method of governance that gives decision-making power to many/all members of the organization, including those people who are actually doing said changes.
Decentralized
The individual that is broadly and ultimately responsible for data being stored.
Ex. Vice president of sales is the data owner for all customer relationship data
Treasurer owns the financial information
Owner
The entity (person or organization) that determines the purposes and means by which personal data is processed. They decide “how” the data will be used.
They provide instructions to the data processor on how the data should be used.
Data controller
The entity that processes data on behalf of the data controller; often a third party or a different group.
Data processor
An example of a data controller/data processor relationship
A data controller would be a company’s payroll department.
A data processor would be a third-party payroll company.
The payroll dept gives instructions to the payroll company on how employee data is used, and how the payroll process occurs.
The payroll company has access to the data and implements the process.
The individual responsible for data accuracy, privacy, and security. They make sure that the organization is in compliance with laws/regulations associated with the data. They also assign sensitivity labels to the data, manage access rights to the data, and implement security controls.
Data custodian/steward