CH30 Policies and Procedures Flashcards
What are policies?
Policies define the role of security in an organization and establish the desired end state of the security program
For the exam : Policies are generic. Procedures are specific
What are Organizational Policies?
provide general direction and goals, a framework to meet the business goals, and define the roles, responsibilities, and terms
What are System-specific policies?
address the security needs of a specific technology, application, network, or computer system
What are Issue-specific policies?
built to address a specific security issue, such as email privacy, employee termination procedures, or other specific issues
What are 3 Information Security policy categories?
- Regulatory – mandatory standards and laws that are going to affect the organization.
- Advisory – guidance on what is and what is not considered acceptable activity. (Ex: Acceptable Use Policy – AUP)
- Informative – focuses on a certain topic and it’s designed to be educational in nature.
What are Procedures in regards to Policies and Procedures ?
detailed step-by-step instructions that are created to ensure personnel can perform a given action
For the exam : Policies are generic. Procedures are specific
What is Data Classification?
Category based on the value to the organization and the sensitivity of the information if it were to be disclosed.
What is Sensitive Data?
Any information that can result in a loss of security, or loss of advantage to a company, if accessed by unauthorized persons
What are the 4 classification levels for a commercial business?
a. Public – has no impact to the company if released and is often posted in the open-source environment.
b. Sensitive – might have a minimal impact if released.
c. Private – contains data that should only be used within the organization
d. Confidential – highest classification level that contains items such as trade secrets, intellectual property data, source code, and other types that would seriously affect the business if disclosed.
What are the 5 classification levels for a government organization?
a. Unclassified – can be released to the public
b. Sensitive but Unclassified – items that wouldn’t hurt national security if released but could impact those whose data is contained in it.
c. Confidential – Data that could seriously affect the government if unauthorized disclosure were to happen.
d. Secret – data that could seriously damage national security if disclosed.
e. Top Secret – data that could gravely damage national security if it were known to those who are not authorized for this level of information
Who is the Data Owner?
a senior (executive) role with ultimate responsibility for maintaining the confidentiality, integrity, and availability of the information asset. He is responsible for labeling the asset and ensuring that it is protected with appropriate controls
Who is the Data Steward?
a role focused on the quality of the data and associated metadata
Who is the Data Custodian?
a role responsible for handling the management of the system on which the data assets are stored.
Who is the Privacy Officer?
a role responsible for the oversight of any PII/SPI/PHI assets managed by the company
What is PII?
PII = Personally Identifiable Information
a piece of data that can be used either by itself or in combination with some other pieces of data to identify a single person. (Ex: full name, driver's license number, social security number, date of birth, place of birth, biometric data, financial account number, address, email address, social media usernames)
What is the Privacy Act of 1972?
Affects U.S. government computer systems that collect, store, use, or disseminate personally identifiable information.
What is Health Insurance Portability and Accountability Act (HIPAA) ?
Affects healthcare providers, facilities, insurance companies, and medical data clearing houses
What is Sarbanes-Oxley (SOX) ?
affects publicly-traded U.S. corporations and imposes certain accounting methods and financial reporting requirements
What is Gramm-Leach-Bliley Act (GLBA) ?
affects banks, mortgage companies, loan offices, insurance companies, investment companies, and credit card providers. Prohibits sharing of financial information of an individual with any third parties
What is the Federal Information Security Management Act (FISMA) of 2002?
Requires each agency to develop, document, and implement an agency-wide information systems security program to protect their data
What is Payment Card Industry Data Security Standard (PCI DSS)?
a contractual obligation: an agreement that any organization that collects, stores, or processes credit card information for a customer must follow
What is the Help America Vote Act (HAVA) of 2002?
provides regulations that govern the security, confidentiality, and integrity of the personal information collected, stored, or processed during the election and voting process
What is SB 1386?
requires any business that stores personal data to disclose a breach. If their PII got hacked, they must notify the affected people about the data breach
Privacy vs Security
Security controls focus on the CIA attributes of the processing system.
Ex: if I say this data is encrypted, then that is a security control. That’s confidentiality.
If I say this data has been hashed so I have a digital fingerprint of it, that tells me we have integrity of it.
Privacy – a data governance requirement that arises when collecting and processing personal data to ensure the rights of the subject’s data.
What is General Data Protection Regulation (GDPR)?
Personal data cannot be collected, processed, or retained without the individual’s informed consent. GDPR also provides the right for a user to withdraw consent, to inspect, amend, or erase data held about them. GDPR requires data breach notification within 72 hours
What is Deidentification?
methods and technologies that remove identifying information from data before it is distributed. It is often implemented as part of database design
What is the deidentification method called Data Masking?
a deidentification method where generic or placeholder labels are substituted for real data while preserving the structure or format of the original data
What is the deidentification method called Tokenization?
a deidentification method where a unique token is substituted for real data
What is the deidentification method called Aggregation/Banding?
deidentifies the people by gathering the data and generalizing it to protect the individuals involved. (Ex: out of 100 people, 90 people were not affected)
What is Reidentification, in relation to deidentification methods?
an attack that combines a deidentified dataset with other data sources to discover how secure the deidentification method is. Anonymization doesn't work if you can look through the clues and find who the person was.
What are Privacy policies?
govern the labeling and handling of data
What is AUP?
AUP = Acceptable Use Policy
Defines the rules that restrict how a computer, network, or other systems may be used. (Ex : No gaming while at work)
What is Change Management Policy?
Defines the structured way of changing the state of a computer system, network, or IT procedure. It makes sure that you’re going to get the changes that you want in a secure and methodical manner.
What is Separation of Duties?
a preventative type of administrative control
What is Job Rotation ?
different users are trained to perform the tasks of the same position to help prevent and identify fraud that could occur if only one employee had the job
What is Onboarding and Offboarding policy?
Dictates what type of things need to be done when an employee is hired, fired, or quits
What is Due Diligence ?
Ensuring that IT infrastructure risks are known and managed properly
What is Due Care?
Mitigation actions that an organization takes to defend against the risks that have been uncovered during due diligence
What is Due Process?
a legal term that refers to how an organization must respect and safeguard personnel’s rights.
For the exam : Due process is used to protect a person from the government, but it can also protect your organization from frivolous lawsuits
What is NDA?
NDA = Non-Disclosure Agreement
agreement between 2 parties that defines what data is considered confidential and cannot be shared outside of the relationship. It is often used by organizations to protect their intellectual property.
An NDA is a legally binding contract
What is MOU?
MOU = Memorandum of Understanding
a non-binding agreement between two or more organizations to detail an intended common line of action. It is often referred to as a letter of intent. MOUs can be between multiple organizations; however, they are not legally binding
What is SLA?
SLA = Service-Level Agreement
an agreement concerned with the ability to support and respond to problems within a given timeframe and continuing to provide the agreed upon level of service to the user
What is ISA?
ISA = Interconnection Security Agreement
an agreement for the owners and operators of the IT systems to document what technical requirements each organization must meet
What is BPA?
BPA = Business Partnership Agreement
an agreement between two business partners that establishes the conditions of their relationship. It can also include security requirements
What is the Degaussing process in regards to disposal policies?
exposes the hard drive to a powerful magnetic field, which in turn causes previously-written data to be wiped from the device
What is Purging (Sanitizing) in regards to disposal policies?
act of removing data in such a way that it cannot be reconstructed using any known forensic techniques
What is Clearing in regards to disposal policies?
removal of data with a certain amount of assurance that it cannot be reconstructed
What are 4 IT Security Frameworks?
- Sherwood Applied Business Security Architecture (SABSA) – a risk-driven architecture. It seeks to consider the security problem by thinking about the what, where, when, why, who and how of a problem, as it intersects with six different layers: the operational, component, physical, logical, conceptual, and contextual layers.
- Control Objectives for Information and Related Technology (COBIT) – A security framework that divides IT into four domains : Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate.
- NIST SP 800-53 – a security control framework developed by the Dept. of Commerce. Each control is placed into one of three categories : technical, operational, or management.
- Information Technology Infrastructure Library (ITIL) – focuses on service operations and security of your network. It is the de facto standard for IT service management. It also includes all sorts of other service based connections that we have with our organizations to provide value to our end users.
For the exam : you’re not going to be asked a lot of questions about frameworks. But you should know that there are frameworks that exist such as SABSA, COBIT, the NIST special publications, ISO 27000, and ITIL. Know that we use frameworks as a basis for our policies, our procedures, and our standards
What is Center for Internet Security (CIS) ?
Consensus-developed secure configuration guidelines for hardening (benchmarks) and prescriptive, prioritized, and simplified sets of cybersecurity best practices (configuration guides)
What is the Risk Management Framework (RMF)?
a process that integrates security and risk management activities into the system development life cycle early on, driving security control selection and specification that considers effectiveness, efficiency, and constraints due to applicable laws, directives, Executive Orders, policies, standards, or regulations.
RMF was developed for the federal government's use.
For the exam : Just know that Risk management framework is made by NIST and it’s used in federal government systems
What is the Cybersecurity Framework (CSF)?
Cybersecurity Framework (CSF) – a set of industry standards and best practices created by NIST to help organizations manage cybersecurity risks.
CSF has 5 basic functional areas:
1. Identify
2. Protect
3. Detect
4. Respond
5. Recover
For the exam : Just know that CSF, the Cybersecurity Framework, is made by NIST. Know the 5 functional areas
What is ISO 27001?
International standard that details requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS).
For the exam : Just know that this is a basic procedure for cybersecurity, and it is an international standard.
What is SOC?
SOC = System and Organization Controls
a suite of reports produced during an audit which is used by service organizations to issue validated reports of internal controls over those information systems to the users of those services.