5.3 Explain the importance of policies to organizational security.

Question 1

What is an acceptable use policy?

Answer 1

Detailed documentation on the rules and behavior for company assets.
Covers internet use, telephones, computers, mobile devices, etc.
Used to limit legal liability

Question 2

What is least privilege?

Answer 2

Rights and permissions should be set to
the bare minimum
– You only get exactly what’s needed to complete
your objective
* All user accounts must be limited
– Applications should run with minimal privileges
* Don’t allow users to run with administrative privileges
– Limits the scope of malicious behavior

Question 3

What are some ways to train users?

Answer 3

Gamification
– Score points, compete with others, collect badges
* Capture the flag (CTF)
– Security competition
– Hack into a server to steal data (the flag)
– Can involve highly technical simulations
– A practical learning environment
* Phishing simulation
– Send simulated phishing emails
– Make vishing calls
– See which users are susceptible to phishing attacks
without being a victim of phishing
* Computer-based training (CBT)
– Automated pre-built training
– May include video, audio, and Q&A
– Users all receive the same training experience

Question 4

What is an SLA

Answer 4

Service Level Agreement (SLA)
– Minimum terms for services provided
– Uptime, response time agreement, etc.
– Commonly used between customers and
service providers

Question 5

MOU

Answer 5

Memorandum of Understanding (MOU)
– Both sides agree on the contents
of the memorandum
– Usually includes statements of confidentiality
– Informal letter of intent; not a signed contract

Question 6

MSA

Answer 6

Measurement system analysis (MSA)
– Don’t make decisions based on incorrect data!
– Used with quality management systems,
i.e., Six Sigma
– Assess the measurement process
– Calculate measurement uncertainty

Question 7

BPA

Answer 7

Business Partnership Agreement (BPA)
– Going into business together
– Owner stake
– Financial contract
– Decision-making agreements
– Prepare for contingencies

Question 8

NDA

Answer 8

Non-disclosure agreement (NDA)
* Confidentiality agreement between parties
– Information in the agreement should not
be disclosed
* Protects confidential information
– Trade secrets
– Business activities
– Anything else listed in the NDA
* Unilateral or bilateral (or multilateral)
– On-way NDA or mutual NDA
* Formal contract
– Signatures are usually required

Question 9

What are some secure business policies?

Answer 9

1. Job rotation
   – Keep people moving between responsibilities
   – No one person maintains control for long periods
   of time
2. Mandatory vacations
   – Rotate others through the job
   – The longer the vacation, the better chance
   to identify fraud
   – Especially important in high-security environments
3. Separation of duties
   – Split knowledge:
   No one person has all of the details
   Half of a safe combination
   – Dual control:
   Two people must be present to perform
   the business function
   Two keys open a safe (or launch a missile)
4. Clean desk policy
   – When you leave, nothing is on your desk
   – Limit the exposure of sensitive data to third-parties

Question 10

Supply chain assessement

Answer 10

Supply chain assessment
– Get a product or service from supplier to customer
– Evaluate coordination between groups
– Identify areas of improvement
– Assess the IT systems supporting the operation
– Document the business process changes

Question 11

Data steward

Answer 11

– Manages the governance processes
– Responsible for data accuracy, privacy, and security
– Associates sensitivity labels to the data
– Ensures compliance with any applicable laws and
standards

Question 12

What are the primary data classifications?

Answer 12

Public
Private
internal data
confidential
restricted

Question 13

Public data

Answer 13

Public data can be important but is accessible to the public. Since this data is openly shared, it is the lowest level of data classification and its public nature makes it unnecessary to protect its use by unauthorized actors
Examples of public data include:

The names of companies and members of their executive team
Physical and email addresses
Press releases and promotional material
Company organizational charts and job descriptions

Question 14

Private data

Answer 14

Private data requires a greater level of security than public data. This data should not be available for public access and is often protected through traditional security measures such as passwords. Compromised private data can pose a risk to an individual or an organization

Private data can include:

Email addresses and other personal contact information
Employee identification numbers
Smartphone content
Personal email content

Question 15

Restricted data

Answer 15

Restricted data is the classification used for an organization’s most sensitive information. Access to this data is strictly controlled to prevent its unauthorized use. It needs to be encrypted for additional protection. The loss of restricted data can severely impact an organization or the individuals whose information is compromised. Examples of restricted data are:

Protected health information (PHI) as defined by regulatory agencies
Financial and tax data
Information that is secured by confidentiality agreements
Intellectual property

Question 16

Confidential

Answer 16

The next level of data classification is confidential data. This information should only be accessed by a limited audience that has obtained proper authorization. Methods like identity and access management (IAM) tools are used to control access to confidential data. The loss of confidential data is harmful to individuals and organizations. Confidential data includes:

Social Security, driver’s license, and other personally identifying numbers
Credit card and banking information
Medical and health information
Employee records
Biometric identifiers

Question 17

Internal Data

Answer 17

Internal Data
The use of an organization’s internal data is usually limited to its employees. Internal data can have different security requirements that affect who can access it and how it can be used. Examples include:

Business plans and marketing strategies
System IP addresses
Internal company websites
Financial data and revenue forecasts

Question 18

change management

Answer 18

How to make a change
– Upgrade software, change firewall configuration,
modify switch ports
* One of the most common risks in the enterprise
– Occurs very frequently
* Often overlooked or ignored
– Did you feel that bite?
* Have clear policies
– Frequency, duration, installation process,
fallback procedures
* Sometimes extremely difficult to implement
– It’s hard to change corporate culture

Question 19

change control

Answer 19

• A formal process for managing change
  – Avoid downtime, confusion, and mistakes
• Nothing changes without the process
  – Determine the scope of the change
  – Analyze the risk associated with the change
  – Create a plan
  – Get end-user approval
  – Present the proposal to the change control board
  – Have a backout plan if the change doesn’t work
  – Document the changes

Question 20

asset management

Answer 20

Identify and track computing assets
– Usually an automated process
* Respond faster to security problem
– You know who, what, and where
* Keep an eye on the most valuable assets
– Both hardware and data
* Track licenses
– You know exactly how many you’ll need
* Verify that all devices are up to date
– Security patches, anti-malware signature updates, etc

Question 21

What is the difference in change control and change management?

Answer 21

Change control is the decision to make a change, whereas change management refers to the aftermath of that decision.

Question 22

workflow

Answer 22

A workflow is an onboarding process that involves identifying the roles and permissions users need. A workflow is often a visual representation of an organization, organized by permissions and account types.

Question 23

Privilege bracket

Answer 23

Privilege bracketing is an account management practice that involves giving users permission to a resource for the duration of a specific project or a need-to-know situation.

Question 24

Training Diversity

Answer 24

Training diversity is a mix of training techniques in the form of workshops, seminars, gamification, etc. to foster user engagement and retention.

Question 25

MTTR

Answer 25

Mean Time to Repair (MTTR) is a measure of the time taken to correct a fault so that the system restores to full operation.

Question 26

User Training

Answer 26

User training teaches users new functionality, as well as proper policies and procedures for both the company and the software. Users should complete training before using the system to prevent incidents, and understand what to do in the event of one.

Question 27

General Purpose guides

Answer 27

General purpose guides help increase security in hardware and software by providing instructions to configuring a system based on roles and appliances.

Question 28

Vendor specific guides

Answer 28

Vendor-specific guides provide instructions on how to install and securely configure hardware and software, specifically for a certain vendor.

Question 29

EOSL

Answer 29

The end of service life (EOSL) describes when a vendor will no longer support a product. As well, updates and patches will no longer be produced.

Question 30

EOL

Answer 30

The end of life (EOL) for a software product occurs when a product will no longer be produced or sold. These products are most likely to be replaced by a newer version or model.