Anki - Organizational Security

Question 1

What is a policy?

Answer 1

Policy is an overall statement of intent.

Question 2

What are the main goals of a corporate security policy?

Answer 2

• To gain security awareness in the organization.
• To outline the risks, guidelines, and responsibilities.
• To demonstrate that due care and diligence has been applied.

Question 3

What are the three “mechanisms” of a security policy?

Answer 3

• Standard
• Procedure or SOP (Standard Operating Procedure)
• Guidance

Question 4

Why are an organization’s security policies important?

Answer 4

• Set the tone for employee attitudes towards security
• Set standards for completing work
• Policies may also be shared with partners/customers

Question 5

What is a “standard” when referring to security policies?

Answer 5

A standard is a measure by which to evaluate compliance with the policy.

Question 6

What is a “procedure” or “SOP” when referring to security policies?

Answer 6

A Standard Operating Procedure (SOP), is an inflexible, step-by-step listing of the actions that must be completed for any given task. Most critical tasks should be governed by SOPs.

Question 7

What is a “guidance” when referring to security policies?

Answer 7

Guidelines exist for procedures that do not have a policy or describe circumstances where it is appropriate to deviate from a specified procedure.

Question 8

What is an Interoperability Agreement?

Answer 8

An agreement between a company and any third party vendors.

Question 9

Why are Interoperability Agreements important?

Answer 9

A company is responsible for the services/actions a third party vendors might make. A security breach in their org, (e.g. data leak) is a breach of your own.

An agreement outlines the shared duties and contractual responsibilities.

Question 10

What are the 6 common types of Interoperability Agreements?

Answer 10

1. Memorandum of understanding (MOU)
2. Memorandum of agreement (MOA)
3. Service level agreement (SLA)
4. Business partners agreement (BPA)
5. Interconnection security agreement (ISA)
6. Non-disclosure agreement (NDA)

Question 11

What is an MOU?

Answer 11

Memorandum of understanding (MOU)

• A preliminary or exploratory agreement to express an intent to work together.
• Usually informal and not binding contracts.
• MOUs usually have clauses requesting mutual confidentiality.

Question 12

What is an MOA?

Answer 12

Memorandum of agreement (MOA)

• A formal agreement (or contract)
• Outlines specific obligations.
• If one party fails to fulfill its obligations, the other party will be able to seek legal redress.

Question 13

What is an SLA?

Answer 13

Service level agreement (SLA)

- A contractual agreement setting out the detailed terms under which a service is provided.

Question 14

What is a BPA?

Answer 14

Business partners agreement (BPA)

Most common with large IT companies and their resellers and solution providers. e.g. Microsoft and Cisco.

Question 15

What is an ISA?

Answer 15

Interconnection security agreement (ISA)

• Federal agencies connecting their system with a third party must create an ISA to govern the relationship.
• An ISA sets out a security risk awareness process and commits the agency and supplier to implementing security controls.

Question 16

How does NIST define an ISA?

Answer 16

ISAs are defined by NIST’s SP800-47 as “Security Guide for Interconnecting Information Technology Systems”

Question 17

What is an NDA?

Answer 17

Non-disclosure agreement (NDA)

• Legal basis for protecting information assets
• Used between companies and employees, companies and contractors, and two companies.

Question 18

Why is data security more important in today’s world?

Answer 18

Greater volumes of data are now stored and accessed in many locations, so organizations must consider not only the physical access to data storage systems, but also the devices that access them.