Chapter 11 Flashcards
Transitioning
Occurs either during the on-boarding or off-boarding of a business partner
SLA
Service Level Agreement
Determines response time
BPO
Blanket Purchase Order
Agreement between a government agency and a private company for ongoing purchases of goods and services
Risk Awareness
Organizations both communicating with each other to share information regarding risks
MOU
Memorandum of Understanding
Document used in many settings in the information industry. It is a brief summary of which party is responsible for what
ISA
Interconnection Security Agreement
Agreement between two organizations that have connected systems, covering the technical security requirements of the interconnection
Organization training
Importance of security; responsibilities of people in the organization; policies and procedures; usage policies; account and password selection criteria; social engineering prevention
Management training
Global issues in the organization, including enforcing security policies and procedures
Technical staff training
Needs special knowledge about the methods, implementations, and capabilities of the systems used to manage security
Safety concerns
Fencing; lighting; locks; CCTV; escape plans; drills; escape rooms; testing controls
Clean desk policy
Information left on the desk (printouts, pads of paper, sticky notes) can be seen by prying eyes
Compliance with laws, best practices and standards
Users need to realize that working with data is like driving a car: there are best practices and standards to which you must adhere
Data Handling
Only users who need to work with the data should have access to it
Policy on Personal Devices
Don’t let people bring their personal devices into secure places because they’re dumbasses
Tailgating
Following someone into a secure area after they have opened the door
Safe internet habits
Users need to be familiar enough with phishing to not give away information or download malware
Types of information that your organization keeps
Public use; internal use; restricted use
Public information
Information available to the general public, including financial statements
Limited distribution
Information that isn't intended for release to the public. This isn't secret, but it's private (e.g., a line of credit). If disclosed to competitors it would suck
Full Distribution
Marketing materials and the like that are available to the general public
Private Information
Intended only for internal use in the company. Could potentially embarrass the company. Work documents and work products
Internal Information
Includes personnel records, financial working documents, ledgers, customer lists, and virtually any other information needed to run a business
Restricted information
Can seriously damage an organization if disclosed: trade secrets, strategic information, marketing plans. Need-to-know basis
Government classifications for information
Unclassified; Sensitive but unclassified; Confidential; Secret; Top Secret
Integrity
Ensuring that data has not been altered. Hashing and message authentication codes are the most common methods to accomplish this
Availability
Simply making sure that the data and systems are available for authorized users. Data backups, redundant systems, and disaster recovery plans.
HIPAA
Health Insurance Portability and Accountability Act
Regulation that mandates national standards and procedures for the storage, use, and transmission of personal medical information
Gramm-Leach-Bliley Act
Financial Modernization Act of 1999
Requires financial institutions to develop privacy notices and to notify customers that they are entitled to privacy
CFAA
Computer Fraud and Abuse Act
Gives the federal government the ability to prosecute hackers, spammers, and others as terrorists
FERPA
Family Education Rights and Privacy Act
Educational institutions may not release information to unauthorized parties without the express permission of the student or parents
Computer Security Act
Requires federal agencies to identify and protect computer systems that contain sensitive information
CESA
Cyberspace Electronic Security Act
Gives law enforcement the right to gain access to encryption keys and cryptographic methods
Remote Wipe
Sending a signal to a mobile device to erase the information stored on it
Device Access Control
Controlling who in the organization has access to a mobile device
NDA
Non-Disclosure Agreement. Something beta testers are required to sign. (Hint: Willy Wonka)