5.3 Explain the importance of policies to organizational security. Flashcards

1
Q

What is an acceptable use policy?

A

Detailed documentation on the rules and behavior for company assets.
Covers internet use, telephones, computers, mobile devices, etc.
Used to limit legal liability

2
Q

What is least privilege?

A

Rights and permissions should be set to the bare minimum
– You only get exactly what’s needed to complete your objective
* All user accounts must be limited
– Applications should run with minimal privileges
* Don’t allow users to run with administrative privileges
– Limits the scope of malicious behavior

3
Q

What are some ways to train users?

A

Gamification
– Score points, compete with others, collect badges
* Capture the flag (CTF)
– Security competition
– Hack into a server to steal data (the flag)
– Can involve highly technical simulations
– A practical learning environment
* Phishing simulation
– Send simulated phishing emails
– Make vishing calls
– See which users are susceptible to phishing attacks without being a victim of phishing
* Computer-based training (CBT)
– Automated pre-built training
– May include video, audio, and Q&A
– Users all receive the same training experience

4
Q

What is an SLA?

A

Service Level Agreement (SLA)
– Minimum terms for services provided
– Uptime, response time agreement, etc.
– Commonly used between customers and service providers

5
Q

MOU

A

Memorandum of Understanding (MOU)
– Both sides agree on the contents of the memorandum
– Usually includes statements of confidentiality
– Informal letter of intent; not a signed contract

6
Q

MSA

A

Measurement system analysis (MSA)
– Don’t make decisions based on incorrect data!
– Used with quality management systems, i.e., Six Sigma
– Assess the measurement process
– Calculate measurement uncertainty

7
Q

BPA

A

Business Partnership Agreement (BPA)
– Going into business together
– Owner stake
– Financial contract
– Decision-making agreements
– Prepare for contingencies

8
Q

NDA

A

Non-disclosure agreement (NDA)
* Confidentiality agreement between parties
– Information in the agreement should not be disclosed
* Protects confidential information
– Trade secrets
– Business activities
– Anything else listed in the NDA
* Unilateral or bilateral (or multilateral)
– One-way NDA or mutual NDA
* Formal contract
– Signatures are usually required

9
Q

What are some secure business policies?

A
  1. Job rotation
    – Keep people moving between responsibilities
    – No one person maintains control for long periods of time
  2. Mandatory vacations
    – Rotate others through the job
    – The longer the vacation, the better chance to identify fraud
    – Especially important in high-security environments
  3. Separation of duties
    – Split knowledge: no one person has all of the details (e.g., half of a safe combination)
    – Dual control: two people must be present to perform the business function (e.g., two keys open a safe, or launch a missile)
  4. Clean desk policy
    – When you leave, nothing is on your desk
    – Limit the exposure of sensitive data to third parties
10
Q

Supply chain assessment

A

Supply chain assessment
– Get a product or service from supplier to customer
– Evaluate coordination between groups
– Identify areas of improvement
– Assess the IT systems supporting the operation
– Document the business process changes

11
Q

Data steward

A

– Manages the governance processes
– Responsible for data accuracy, privacy, and security
– Associates sensitivity labels to the data
– Ensures compliance with any applicable laws and standards

12
Q

What are the primary data classifications?

A

Public
Private
Internal data
Confidential
Restricted

13
Q

Public data

A

Public data can be important but is accessible to the public. Since this data is openly shared, it is the lowest level of data classification, and its public nature makes it unnecessary to protect its use by unauthorized actors.
Examples of public data include:

The names of companies and members of their executive team
Physical and email addresses
Press releases and promotional material
Company organizational charts and job descriptions

14
Q

Private data

A

Private data requires a greater level of security than public data. This data should not be available for public access and is often protected through traditional security measures such as passwords. Compromised private data can pose a risk to an individual or an organization.

Private data can include:

Email addresses and other personal contact information
Employee identification numbers
Smartphone content
Personal email content

15
Q

Restricted data

A

Restricted data is the classification used for an organization’s most sensitive information. Access to this data is strictly controlled to prevent its unauthorized use. It needs to be encrypted for additional protection. The loss of restricted data can severely impact an organization or the individuals whose information is compromised. Examples of restricted data are:

Protected health information (PHI) as defined by regulatory agencies
Financial and tax data
Information that is secured by confidentiality agreements
Intellectual property

16
Q

Confidential

A

The next level of data classification is confidential data. This information should only be accessed by a limited audience that has obtained proper authorization. Methods like identity and access management (IAM) tools are used to control access to confidential data. The loss of confidential data is harmful to individuals and organizations. Confidential data includes:

Social Security, driver’s license, and other personally identifying numbers
Credit card and banking information
Medical and health information
Employee records
Biometric identifiers

17
Q

Internal Data

A

The use of an organization’s internal data is usually limited to its employees. Internal data can have different security requirements that affect who can access it and how it can be used. Examples include:

Business plans and marketing strategies
System IP addresses
Internal company websites
Financial data and revenue forecasts

18
Q

change management

A

How to make a change
– Upgrade software, change firewall configuration, modify switch ports
* One of the most common risks in the enterprise
– Occurs very frequently
* Often overlooked or ignored
– Did you feel that bite?
* Have clear policies
– Frequency, duration, installation process, fallback procedures
* Sometimes extremely difficult to implement
– It’s hard to change corporate culture

19
Q

change control

A
  • A formal process for managing change
    – Avoid downtime, confusion, and mistakes
  • Nothing changes without the process
    – Determine the scope of the change
    – Analyze the risk associated with the change
    – Create a plan
    – Get end-user approval
    – Present the proposal to the change control board
    – Have a backout plan if the change doesn’t work
    – Document the changes
20
Q

asset management

A

Identify and track computing assets
– Usually an automated process
* Respond faster to security problems
– You know who, what, and where
* Keep an eye on the most valuable assets
– Both hardware and data
* Track licenses
– You know exactly how many you’ll need
* Verify that all devices are up to date
– Security patches, anti-malware signature updates, etc.

21
Q

What is the difference between change control and change management?

A

Change control is the decision to make a change, whereas change management refers to the aftermath of that decision.

22
Q

workflow

A

A workflow is an onboarding process that involves identifying the roles and permissions users need. A workflow is often a visual representation of an organization, organized by permissions and account types.

23
Q

Privilege bracket

A

Privilege bracketing is an account management practice that involves giving users permission to a resource for the duration of a specific project or a need-to-know situation.

24
Q

Training Diversity

A

Training diversity is a mix of training techniques in the form of workshops, seminars, gamification, etc. to foster user engagement and retention.

25
Q

MTTR

A

Mean Time to Repair (MTTR) is a measure of the time taken to correct a fault so that the system is restored to full operation.

26
Q

User Training

A

User training teaches users new functionality, as well as proper policies and procedures for both the company and the software. Users should complete training before using the system to prevent incidents, and understand what to do in the event of one.

27
Q

General Purpose guides

A

General purpose guides help increase security in hardware and software by providing instructions for configuring a system based on roles and appliances.

28
Q

Vendor specific guides

A

Vendor-specific guides provide instructions on how to install and securely configure hardware and software, specifically for a certain vendor.

29
Q

EOSL

A

The end of service life (EOSL) describes when a vendor will no longer support a product; updates and patches will no longer be produced.

30
Q

EOL

A

The end of life (EOL) for a software product occurs when a product will no longer be produced or sold. These products are most likely to be replaced by a newer version or model.