5.1 Flashcards

Security policies, security standards, security procedures, security considerations, data roles and responsibilities

1
Q

Security policies answer the ____ and ____ of security implementation.

Technical security controls answer the ____.

A

What, why

How

2
Q

A master list of all policies that should be followed to maintain the uptime, availability, and security of the network.

They might be mandated by governmental regulations.

It details what happens in different threat situations, and a list of roles and responsibilities.

A

Information security policies

3
Q

AUP stands for

A

Acceptable Use Policy

4
Q

A policy that details how an organization’s assets (normally technology) may or may not be used.

Protects the organization from both cyber threats and legal liability.

A

AUP

5
Q

A plan that keeps the organization’s critical functions going when disaster happens.

This could mean using manual transactions, paper receipts, and calling up credit card companies to manually approve credit card transactions.

A

BCP

6
Q

A plan that details actions that can help keep the organization going after disaster as well as steps for how to get the organization back to full functionality.

Like a BCP, but with more steps.

A

DRP

7
Q

This group of personnel is useful in incident response because of their specialized training in handling any type of disaster.

A

CIRT/CSIRT/CERT

8
Q

This group of personnel is useful in incident response for their corporate support. This can help obtain the proper resources and people to address incidents.

A

IT security management team

9
Q

This group of personnel is useful in incident response for ensuring that the network is compliant with mandated regulations.

A

Compliance officers

10
Q

This group of personnel is useful in incident response for actively solving technical problems during disaster.

A

Technical staff

11
Q

This group of personnel is useful in incident response because they are able to see everything that occurs in a network (even if they only see symptoms).

A

Users

12
Q

A framework that helps to organize and maintain the creation of software.

A

SDLC

13
Q

Two of the most common SDLC models

A

Agile

Waterfall

14
Q

A linear SDLC model

A

Waterfall

15
Q

A faster SDLC that goes through multiple cycles before being finished

A

Agile

16
Q

The process associated with making changes: upgrading software, changing firewall configuration, modifying switch ports, etc.

A

Change management

17
Q

True/False

Security standards may be written in-house or be picked from many nationally-recognized standards.

A

True

18
Q

True/False

One common account policy is that there are to be no local accounts; only accounts through LDAP or the AD database.

A

True

19
Q

True/False

Access control also includes how and when a user’s privileges get revoked, for reasons such as security issues, account expiration, contract renewals, or dismissal from the organization.

A

True

20
Q

True/False

Encryption requirements list the type of encryption, type of implementation, and password storage techniques, and also specify how to encrypt data in transit, at rest, and in use.

A

True

21
Q

The process of bringing a new person into the organization

A

Onboarding

22
Q

The process of dismissing a person from the organization.

This includes what will happen to the user’s hardware (and its associated data).

A

Offboarding

23
Q

True/False

When offboarding a user, you always want to delete their account.

A

False

Keeping the account around is important to retain encryption keys, files, and messages that may be important to use during company operations or during legal proceedings that require that information.

24
Q

Documents that define a set of steps to follow in any kind of situation. There should be at least one document for every kind of situation.

A

Playbook

25
Q

A governance structure that is a panel of specialists who are responsible for gathering information for a committee.

This structure may also set the tasks or series of requirements (usually very broad) for a committee to follow.

A

Board

26
Q

A governance structure that acts as the primary decision maker. It considers input from a board in order to determine next steps for a topic at hand. It takes direction from the board on what steps need to be accomplished next.

Once the task is completed, this structure presents it to the board for approval or feedback.

A

Committee

27
Q

The 2 methods of governance used by both public (governmental) and private (proprietary) governance structures.

A

Centralized
Decentralized

28
Q

The method of governance that involves one group/person making decisions for the entire organization.

A

Centralized

29
Q

The method of governance that gives decision-making power to many/all members of the organization, including the people who actually carry out the changes.

A

Decentralized

30
Q

The individual who is broadly and ultimately responsible for the data being stored.

Ex. The vice president of sales is the data owner for all customer relationship data; the treasurer owns the financial information.

A

Owner

31
Q

The individual who manages the purposes and means by which personal data is processed. They manage “how” the data will be used.

They provide instructions to the data processor on how the data should be used.

A

Data controller

32
Q

The individual who processes data on behalf of the data controller, and is often a third party or a different group.

A

Data processor

33
Q

An example of a data controller/data processor relationship

A

A data controller would be a company’s payroll department.

A data processor would be a third-party payroll company.

The payroll department gives instructions to the payroll company on how employee data is used, and how the payroll process occurs.

The payroll company has access to the data and implements the process.

34
Q

The individual responsible for data accuracy, privacy, and security. They make sure that the organization is in compliance with laws/regulations associated with the data. They also assign sensitivity labels to the data, manage access rights to the data, and implement security controls.

A

Data custodian/steward