CH30 Policies and Procedures Flashcards

1
Q

What are policies?

A

Policies define the role of security in an organization and establish the desired end state of the security program.

For the exam: policies are generic; procedures are specific.

2
Q

What are Organizational Policies?

A

Provide general direction and goals, a framework for meeting the business goals, and a definition of roles, responsibilities, and terms.

3
Q

What are System-specific policies?

A

address the security needs of a specific technology, application, network, or computer system

4
Q

What are Issue-specific policies?

A

built to address a specific security issue, such as email privacy, employee termination procedures, or other specific issues

5
Q

What are 3 Information Security policy categories?

A
  1. Regulatory – mandatory standards and laws that affect the organization.
  2. Advisory – guidance on what is and is not considered acceptable activity (Ex: Acceptable Use Policy, AUP).
  3. Informative – focuses on a certain topic and is designed to be educational in nature.

6
Q

What are Procedures in regards to Policies and Procedures ?

A

detailed step-by-step instructions that are created to ensure personnel can perform a given action

For the exam: policies are generic; procedures are specific.

7
Q

What is Data Classifications?

A

A category assigned to information based on its value to the organization and on the harm that would result if it were disclosed.

8
Q

What is Sensitive Data?

A

Any information that can result in a loss of security, or loss of advantage to a company, if accessed by unauthorized persons

9
Q

What are the 4 classification levels of Commercial business ?

A

a. Public – has no impact on the company if released and is often published openly.

b. Sensitive – might have a minimal impact if released.

c. Private – contains data that should only be used within the organization

d. Confidential – highest classification level that contains items such as trade secrets, intellectual property data, source code, and other types that would seriously affect the business if disclosed.

10
Q

What are the 5 classification levels of Government Organization?

A

a. Unclassified – can be released to the public

b. Sensitive but Unclassified – items that wouldn’t hurt national security if released but could impact those whose data is contained in it.

c. Confidential – data whose unauthorized disclosure could cause damage to national security.

d. Secret – data whose unauthorized disclosure could cause serious damage to national security.

e. Top Secret – data whose unauthorized disclosure could cause exceptionally grave damage to national security if it became known to those not authorized for this level of information.

11
Q

Who is Data Owner?

A

A senior (executive) role with ultimate responsibility for maintaining the confidentiality, integrity, and availability of an information asset. The owner classifies and labels the asset and ensures that it is protected with appropriate controls.

12
Q

Who is Data Steward?

A

a role focused on the quality of the data and associated metadata

13
Q

Who is Data Custodian?

A

a role responsible for handling the management of the system on which the data assets are stored.

14
Q

Who is Privacy Officer?

A

a role responsible for the oversight of any PII/SPI/PHI assets managed by the company

15
Q

What is PII

A

PII = Personally Identifiable Information

A piece of data that can be used, either by itself or in combination with other data, to identify a single person (Ex: full name, driver's license number, Social Security number, date of birth, place of birth, biometric data, financial account number, address, email address, social media usernames).

16
Q

What is the Privacy Act of 1974?

A

Affects U.S. government computer systems that collect, store, use, or disseminate personally identifiable information.

17
Q

What is Health Insurance Portability and Accountability Act (HIPAA) ?

A

Affects healthcare providers, facilities, insurance companies, and medical data clearinghouses that handle protected health information (PHI).

18
Q

What is Sarbanes-Oxley (SOX) ?

A

Affects publicly traded U.S. corporations; imposes accounting and financial reporting requirements, including internal controls over financial reporting.

19
Q

What is Gramm-Leach-Bliley Act (GLBA) ?

A

Affects banks, mortgage companies, loan offices, insurance companies, investment companies, and credit card providers. Restricts sharing an individual's nonpublic financial information with nonaffiliated third parties and requires institutions to give customers a privacy notice and the chance to opt out.

20
Q

What is the Federal Information Security Management Act (FISMA) of 2002?

A

Requires each federal agency to develop, document, and implement an agency-wide information security program to protect its information and systems, including those operated by contractors on its behalf.

21
Q

What is Payment Card Industry Data Security Standard (PCI DSS)?

A

A contractual obligation, not a law: any organization that collects, stores, processes, or transmits payment card data agrees to follow it as a condition of accepting cards. It is enforced by the card brands and acquiring banks through fines and loss of processing privileges rather than by a regulator.

22
Q

What is Help America Vote Act (HAVA) of 2002

A

provides regulations that govern the security, confidentiality, and integrity of the personal information collected, stored, or processed during the election and voting process

23
Q

What is SB 1386?

A

California's data breach notification law (2002). Requires any business that stores personal data of California residents to disclose a breach of that data and notify the affected individuals.

24
Q

Privacy vs Security

A

Security controls focus on the CIA attributes of the processing system.
Ex: encrypting the data is a security control; it provides confidentiality.

Ex: hashing the data gives a digital fingerprint that can be compared later to detect modification, which supports integrity. The caveat is that the stored hash must itself be protected (signed, or computed as an HMAC with a secret key), because an attacker who can change the data can usually recompute a plain hash as well.

Privacy – a data governance requirement that arises when collecting and processing personal data, to protect the rights of the data subject.

25
Q

What is General Data Protection Regulation (GDPR)?

A

Personal data cannot be collected, processed, or retained without a lawful basis, of which the individual's informed consent is the most commonly cited. GDPR also gives the data subject the right to withdraw consent and to inspect, amend, or erase data held about them, and requires notification of a personal data breach to the supervisory authority within 72 hours of becoming aware of it.

26
Q

What is Deidentification?

A

methods and technologies that remove identifying information from data before it is distributed. It is often implemented as part of database design

27
Q

What is deidentification method called Data Masking ?

A

a deidentification method where generic or placeholder labels are substituted for real data while preserving the structure or format of the original data

28
Q

What is deidentification method called Tokenization?

A

A deidentification method where a unique, randomly generated token is substituted for real data. The token carries no information about the value; the mapping back to the original is kept only in a separately protected token vault, so tokenization is reversible for authorized systems, whereas masking is not.

29
Q

What is deidentification method called Aggregation/Banding?

A

Deidentifies people by gathering the data and generalizing it so that individuals cannot be singled out: reporting summary statistics instead of rows (ex: "of 100 people, 90 reported no effect") or replacing exact values with bands (an age range such as 30-39 instead of a birth date, a ZIP prefix instead of a full ZIP code).

30
Q

What is deidentification method called Reidentification?

A

An attack that combines a deidentified dataset with other data sources (voter rolls, public records, social media) to recover the identities behind the records. Defenders run the same linkage to test how strong the deidentification method is: anonymization has not worked if the quasi-identifiers left in the data (ZIP code, date of birth, sex) can be matched back to a named person.
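
The four deidentification methods from cards 27 to 30, masking, tokenization, banding/aggregation, and the linkage-style reidentification attack, shown side by side in an added worked example (Python; this is editor-supplied code, not material from the original flashcards or any course). The patient table, the "voter roll", the field names, the token format and the reference year for age banding are all constructed assumptions for the demo.

```python
"""Added example: deidentification methods on a constructed table, then a
linkage (reidentification) attack against a constructed public dataset."""
import secrets
from collections import Counter, defaultdict

# Constructed sample data: fictional people, fictional values.
PATIENTS = [
    {"name": "Alice Example", "sex": "F", "dob": "1985-03-14", "zip": "02139", "ssn": "123-45-6789", "dx": "flu"},
    {"name": "Bob Sample",    "sex": "M", "dob": "1979-11-02", "zip": "02139", "ssn": "987-65-4321", "dx": "asthma"},
    {"name": "Carol Test",    "sex": "F", "dob": "1985-07-30", "zip": "02140", "ssn": "555-12-3456", "dx": "flu"},
]
# Constructed "public" dataset (think voter roll) that an attacker can obtain.
VOTER_ROLL = [
    {"name": "Alice Example", "sex": "F", "dob": "1985-03-14", "zip": "02139"},
    {"name": "Bob Sample",    "sex": "M", "dob": "1979-11-02", "zip": "02139"},
    {"name": "Carol Test",    "sex": "F", "dob": "1985-07-30", "zip": "02140"},
    {"name": "Dana Other",    "sex": "F", "dob": "1985-09-09", "zip": "02140"},
]
REFERENCE_YEAR = 2024  # assumed "current" year for age banding


def mask_ssn(ssn: str) -> str:
    """Data masking: keep the NNN-NN-NNNN format, replace real digits with placeholders.
    Irreversible: nothing is stored that would let you recover the original."""
    return "XXX-XX-" + ssn[-4:]


class TokenVault:
    """Tokenization: a random token stands in for the real value. The token carries no
    information about the value; the mapping exists only inside the (protected) vault,
    so authorised systems can reverse it and everyone else cannot."""

    def __init__(self):
        self._to_token: dict[str, str] = {}
        self._to_value: dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        if value not in self._to_token:
            token = "tok_" + secrets.token_hex(8)
            self._to_token[value] = token
            self._to_value[token] = value
        return self._to_token[value]

    def detokenize(self, token: str) -> str:
        return self._to_value[token]


def age_band(dob: str, year: int = REFERENCE_YEAR) -> str:
    """Banding: replace an exact birth date with a 10-year age band such as '30-39'."""
    age = year - int(dob[:4])
    low = age // 10 * 10
    return f"{low}-{low + 9}"


def generalize(row: dict) -> dict:
    """Banding applied to a whole record: age band instead of DOB, 3-digit ZIP prefix."""
    g = dict(row)
    g["age_band"] = age_band(g.pop("dob"))
    g["zip"] = g["zip"][:3] + "**"
    return g


def deidentify(records: list[dict], vault: TokenVault, band: bool = False) -> list[dict]:
    """Release view: direct identifiers tokenized/masked, quasi-identifiers kept raw or banded."""
    out = []
    for r in records:
        base = generalize(r) if band else r
        row = {"patient_id": vault.tokenize(r["name"]), "ssn": mask_ssn(r["ssn"]),
               "sex": base["sex"], "zip": base["zip"], "dx": r["dx"]}
        row["age_band" if band else "dob"] = base["age_band" if band else "dob"]
        out.append(row)
    return out


def aggregate(records: list[dict], field: str) -> dict:
    """Aggregation: publish counts per value instead of individual rows."""
    return dict(Counter(r[field] for r in records))


def reidentify(release: list[dict], public: list[dict], band: bool = False) -> dict:
    """Linkage attack: join the release to a public dataset on the quasi-identifiers that
    survived deidentification. Returns {patient_id: sorted candidate names}; exactly one
    candidate means the record has been reidentified."""
    keys = ("sex", "age_band", "zip") if band else ("sex", "dob", "zip")
    index = defaultdict(list)
    for p in (generalize(p) if band else p for p in public):
        index[tuple(p[k] for k in keys)].append(p["name"])
    return {r["patient_id"]: sorted(index[tuple(r[k] for k in keys)]) for r in release}


if __name__ == "__main__":
    vault = TokenVault()
    print("aggregate:", aggregate(PATIENTS, "dx"))
    for band in (False, True):
        hits = reidentify(deidentify(PATIENTS, vault, band), VOTER_ROLL, band)
        print("banded" if band else "raw quasi-identifiers", hits)
```

Run it and the unbanded release links every token to exactly one name even though names and SSNs were removed: sex, birth date and ZIP code are enough. Banding widens Alice's record to three candidates, but Bob is still unique because he is the only male in his age band and ZIP prefix; generalization only works when every combination of quasi-identifiers is shared by several people, which is what k-anonymity measures.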

31
Q

What is Privacy policies?

A

govern the labeling and handling of data

32
Q

What is AUP?

A

AUP = Acceptable Use Policy

Defines the rules that restrict how a computer, network, or other systems may be used. (Ex : No gaming while at work)

33
Q

What is Change Management Policy?

A

Defines the structured way of changing the state of a computer system, network, or IT procedure. It makes sure that you’re going to get the changes that you want in a secure and methodical manner.

34
Q

What is Separation of Duties?

A

A preventive administrative control that splits a sensitive task between two or more people so that no single person can complete it alone (Ex: one employee requests a payment and a different employee approves it). It limits both fraud and honest error.

35
Q

What is Job Rotation ?

A

different users are trained to perform the tasks of the same position to help prevent and identify fraud that could occur if only one employee had the job

36
Q

What is Onboarding and Offboarding policy?

A

Dictates what type of things need to be done when an employee is hired, fired, or quits

37
Q

What is Due Diligence ?

A

Ensuring that IT infrastructure risks are known and managed properly

38
Q

What is Due Care?

A

Mitigation actions that an organization takes to defend against the risks that have been uncovered during due diligence

39
Q

What is Due Process?

A

a legal term that refers to how an organization must respect and safeguard personnel’s rights.

For the exam : Due process is used to protect a person from the government, but it can also protect your organization from frivolous lawsuits

40
Q

What is NDA?

A

NDA = Non-disclosure Agreement

An agreement between two parties that defines what data is considered confidential and cannot be shared outside of the relationship. It is often used by organizations to protect their intellectual property.

An NDA is a legally binding contract.

41
Q

What is MOU?

A

MOU = Memorandum of Understanding

A non-binding agreement between two or more organizations that details an intended common line of action. It is often referred to as a letter of intent. An MOU is not legally binding.

42
Q

What is SLA?

A

SLA = Service-Level Agreement

An agreement that defines the level of service a provider commits to, typically as measurable targets (availability, response and resolution times for problems), and the support the user can expect within those timeframes.

43
Q

What is ISA?

A

ISA = Interconnection Security Agreement

an agreement for the owners and operators of the IT systems to document what technical requirements each organization must meet

44
Q

What is BPA?

A

BPA = Business Partnership Agreement

Conducted between two business partners that establishes the conditions of their relationship. It can also include security requirements

45
Q

What is Degaussing process in regards to disposal policies?

A

Exposes the drive to a powerful magnetic field, which destroys previously written data on magnetic media (hard disks, tape). It does nothing to flash-based storage such as SSDs or USB drives, which need cryptographic erase or physical destruction instead, and it normally leaves the degaussed drive unusable.

46
Q

What is Purging (Sanitizing) in regards to disposal policies?

A

act of removing data in such a way that it cannot be reconstructed using any known forensic techniques

47
Q

What is Clearing in regards to disposal policies?

A

Removal of data with a certain level of assurance that it cannot be reconstructed using normal system functions or file-recovery tools (Ex: overwriting). It is weaker than purging, which must also defeat laboratory forensic techniques.

48
Q

What are 4 IT Security Frameworks?

A
  1. Sherwood Applied Business Security Architecture (SABSA) – a risk-driven architecture. It considers the security problem by asking what, where, when, why, who, and how, and examines each question across six layers: contextual, conceptual, logical, physical, component, and operational.
  2. Control Objectives for Information and Related Technology (COBIT) – a governance framework that divides IT into four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate.
  3. NIST SP 800-53 – a security control catalog developed by NIST (part of the U.S. Dept. of Commerce). Each control is placed into one of three classes: technical, operational, or management.
  4. Information Technology Infrastructure Library (ITIL) – the de facto standard for IT service management. It covers service strategy, design, transition, and operation, with information security management as one of its processes, and describes the service-based relationships an IT organization maintains to deliver value to its end users.

For the exam : you’re not going to be asked a lot of questions about frameworks. But you should know that there are frameworks that exist such as SABSA, COBIT, the NIST special publications, ISO 27000, and ITIL. Know that we use frameworks as a basis for our policies, our procedures, and our standards

49
Q

What is Center for Internet Security (CIS) ?

A

A nonprofit that publishes two consensus-developed resources: the CIS Benchmarks, secure configuration guidelines for hardening specific products (operating systems, cloud platforms, applications), and the CIS Controls, a prescriptive, prioritized, and simplified set of cybersecurity best practices.

50
Q

Risk Management Framework (RMF) ?

A

A NIST process (SP 800-37) that integrates security and risk management activities into the system development life cycle from the start, covering security control selection and specification while considering effectiveness, efficiency, and constraints due to applicable laws, directives, Executive Orders, policies, standards, or regulations.

RMF was developed for the federal government's use.

For the exam : Just know that Risk management framework is made by NIST and it’s used in federal government systems

51
Q

What is Cybersecurity Framework (CSF)?

A

Cybersecurity Framework (CSF). – a set of industry standards and best practices created by NIST to help organizations manage cybersecurity risks.

CSF 1.1 has 5 basic functional areas:
1. Identify
2. Protect
3. Detect
4. Respond
5. Recover

CSF 2.0 (2024) adds a sixth function, Govern, which cuts across the other five.

For the exam: just know that the CSF, the Cybersecurity Framework, is made by NIST, and know the 5 category functional areas.

52
Q

What is ISO 27001?

A

International standard that details requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS).

For the exam: just know that ISO 27001 is the international standard for managing information security and that organizations can be certified against it.

53
Q

What is SOC?

A

SOC = System and Organization Controls

A suite of audit reports (SOC 1 for controls over financial reporting; SOC 2 for security, availability, processing integrity, confidentiality, and privacy; SOC 3 a public summary of a SOC 2) used by service organizations to give the users of their services validated reports on internal controls over the relevant information systems. A Type I report covers control design at a point in time; a Type II report covers operating effectiveness over a period.