Chapter 11 Implementing Policies to Mitigate Risks Flashcards

1
Q

________ ________ are written documents that lay out a security plan within a company.

A

Security policies

2
Q

True or False : When created early enough, they help ensure that personnel consider and implement security throughout the life cycle of various systems in the company.

A

True

3
Q

True or False : When the policies and procedures are enforced, they help prevent incidents, data loss, and theft.

A

True

4
Q

After creating the _______, personnel within the organization create plans and procedures to support the policies.

A

Policy

5
Q

Organizations often create ________ __________ _________ to support security policies.

A

Standard operating procedures (SOPs)

6
Q

________ ________ enforce the requirements of a security policy.

A

Security controls

7
Q

An __________ ___ _______ defines proper system usage or the rules of behavior for employees when using information technology (IT) systems.

A

Acceptable use policy (AUP)

8
Q

True or False : The AUP may include statements informing users that systems are in place monitoring their activities.

A

True

9
Q

True or False : The AUP often includes definitions and examples of unacceptable use.

A

True

10
Q

Other methods, such as _____ _________ or periodic emails, help reinforce an acceptable use policy.

A

Logon banners

11
Q

________ _______ policies help detect when employees are involved in malicious activity, such as fraud or embezzlement.

A

Mandatory vacation

12
Q

True or False : Additional policies may include separation of duties and job rotation to provide as much protection as possible.

A

True

13
Q

_________ __ ______ is a principle that prevents any single person or entity from being able to complete all the functions of a critical or sensitive process. It’s designed to prevent fraud, theft, and errors.

A

Separation of duties

14
Q

___ ______ is a concept that has employees rotate through different jobs to learn the processes and procedures in each job. From a security perspective, ___ _______ helps to prevent or expose dangerous shortcuts or even fraudulent activity.

A

Job rotation

15
Q

A _____ ____ ______ directs users to keep their areas organized and free of papers. The primary security goal is to reduce threats of security incidents by ensuring the protection of sensitive data.

A

Clean desk policy

16
Q
True or False : Some items left on a desk that can present risks include:
• Keys
• Cell phones
• Access cards
• Sensitive papers
• Logged-on computer
• Printouts left in printer
• Passwords on Post-it notes
• File cabinets left open or unlocked
• Personal items such as mail with Personally Identifiable Information (PII)

A

True

17
Q

A __________ ____ checks into a potential employee’s history with the intention of discovering anything about the person that might make him a less-than-ideal fit for a job.

A

Background check

18
Q

True or False : A background check will vary depending on job responsibilities and the sensitivity of data that person can access.

A

True

19
Q

True or False : Some background checks require the written permission from the potential employee.

A

True

20
Q

A ___________ __________ is used between two entities to ensure that proprietary data is not disclosed to unauthorized entities.

(Page 751).

A

Non-disclosure agreement (NDA)

21
Q

An ____ __________ is conducted with departing employees just before they leave an organization.

A

Exit interview

22
Q

True or False : User accounts are often disabled or deleted during the exit interview and everything issued to the employee is collected.

A

True

23
Q

__________ is the process of granting individuals access to an organization’s computing resources after being hired. This includes providing the employee with a user account and granting access to appropriate resources.

A

Onboarding

24
Q

True or False : One of the key considerations during the onboarding process is to follow the principle of least privilege. Grant the new employees access to what they need for their job, but no more.

A

True

25
Q

True or False : Employees who engage in cyberbullying against fellow employees are typically fired.

A

True

26
Q

True or False : Social media sites allow people to share personal comments with a wide group of people. However, improper use of social networking sites can result in inadvertent information disclosure. Attackers can also use information available on these sites to launch attacks against users or in a cognitive password attack to change a user’s password. Training helps users understand the risks.

A

True

27
Q

Attackers have used two primary methods to get these malvertisements installed on legitimate web sites. One method is to ______ a web site and insert ads onto that web site. The second method is to ___ ____.

A

Attack, buy ads

28
Q

What are three reasons organizations tend to restrict peer-to-peer (P2P) applications?

A
  1. High use of bandwidth
  2. Protection against data leakage
  3. Hosting of inappropriate data
29
Q

An ___ specifies technical and security requirements for planning, establishing, maintaining, and disconnecting a secure connection between two or more entities.

A

Interconnection security agreement (ISA)

30
Q

An ___ is an agreement between a company and a vendor that stipulates performance expectations, such as minimum uptime and maximum downtime levels.

A

Service level agreement (SLA)

31
Q

An ___ expresses an understanding between two or more parties indicating their intention to work together toward a common goal. It is often used to support an ISA by defining the purpose of the ISA and the responsibilities of both parties.

A

Memorandum of understanding (MOU) or memorandum of agreement (MOA)

It is less formal than an SLA.

32
Q

A ___ is a written agreement that details the relationship between business partners, including their obligations toward the partnership. It typically identifies the shares of profits or losses each partner will take, their responsibilities to each other, and what to do if a partner chooses to leave the partnership.

A

Business partners agreement (BPA)

33
Q

As a best practice, organizations take the time to identify, classify, and label data they use. ____ ______________ ensure that users understand the value of data, and the classifications help protect sensitive data. Classifications can apply to hard data (printouts) and soft data (files).

A

Data classifications

34
Q

True or False : The U.S. government uses classifications such as Top Secret, Secret, Confidential, and Unclassified to identify the sensitivity of data. Private companies often use terms such as Proprietary, Private, Confidential, or Public.

A

True

35
Q

_____ ____ is available to anyone.

A

Public data

36
Q

___________ ____ is information that an organization intends to keep secret among a certain group of people.

A

Confidential data

37
Q

A proprietor is an owner and _________ ____ is data that is related to ownership.

A

Proprietary data

Examples include patents and trade secrets.

38
Q

________ ____ is information about an individual that should remain private.

A

Private data

39
Q

List two examples of private data types

A

Personally Identifiable Information (PII) and Personal Health Information (PHI)

40
Q

Data _______ ensures that users know what data they are handling and processing.

A

Labeling

41
Q

True or False : It’s common for organizations to have a checklist to ensure that personnel sanitize a system prior to disposing of it. The goal is to ensure that personnel remove all usable data from the system.

A

True

42
Q

List common methods to destroy data and sanitize media

A
  1. Purging - General term indicating all sensitive data has been removed from a device
  2. File shredding - Application that repeatedly overwrites the space where the file is located with 1s and 0s
  3. Wiping - Disk wiping tool to completely remove all remnants of data on a disk
  4. Erasing and overwriting - SSDs need to be physically destroyed
  5. Burning - Incinerator
  6. Paper shredding
  7. Pulping - Reduces shredded paper to mash or puree
  8. Degaussing - Passing a disk through a powerful electronic magnet
  9. Pulverizing - Process to physically destroy media for sanitization
43
Q

_____ ___ _______ is a special process that removes the random data stored at the end of a file. It is useful when you want to keep a file, but remove the random data.

A

Cluster tip wiping

44
Q

A ____ ______ ______ identifies how long data is retained, and sometimes specifies where it is stored.

A

Data retention policy

45
Q

True or False : Retention policies also help reduce legal liabilities.

A

True

46
Q

_______ _________ ________ is personal information that can be used to personally identify an individual.

A

Personally Identifiable Information (PII)

47
Q

______ ______ _______ is PII that includes health information.

A

Personal Health Information (PHI)

48
Q

List some examples of PII

A
  1. Full name
  2. Birthday and birth place
  3. Medical and health information
  4. Street or e-mail address information
  5. Personal characteristics such as biometric data
  6. Any type of identification number, such as Social Security number (SSN) or driver’s license number
49
Q

True or False: You need two or more pieces of information to make it PII.

A

True

Example: a name and an address together, so that the information can be traced back to a specific person.

50
Q

True or False : Whenever possible, organizations should minimize the use, collection, and retention of PII.

A

True

51
Q

True or False : Organizations have an obligation to protect PII. There are many laws that mandate the protection of PII, including international laws, federal laws, and local regulations.

A

True

52
Q

True or False : One of the common reasons data seems to fall into the wrong hands is that employees don’t understand the risks involved.

A

True

53
Q

True or False : Within the context of data security and privacy, the following laws are often a key concern:

  1. Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  2. Gramm-Leach-Bliley Act (GLBA) - Requires financial institutions to provide consumers with a privacy notice explaining what information they collect and how that information is used
  3. Sarbanes-Oxley Act (SOX) - Requires that executives within an organization take individual responsibility for the accuracy of financial reports. Also includes specifics related to auditing, and identifies penalties for individuals for noncompliance.
  4. General Data Protection Regulation (GDPR) - EU directive that mandates the protection of privacy data for individuals within the EU
A

True

54
Q

The ____ ______ is the individual with overall responsibility for the data. It is often a high-level position such as the chief executive officer (CEO) or a department head.

A

Data owner

55
Q

True or False : The data owner is responsible for identifying the classification of the data, ensuring the data is labeled to match the classification, and ensuring security controls are implemented to protect the data.

A

True

56
Q

A ____ ________ or ____ _______ handles the routine tasks to protect data.

A

Data steward or data custodian

57
Q

A ______ ______ is an executive position within an organization. This person is primarily responsible for ensuring that the organization is complying with relevant laws.

A

Privacy officer

58
Q

True or False : Many organizations create incident response policies to help personnel identify and respond to incidents.

A

True

59
Q

A _______ _________ is an adverse event or series of events that can negatively affect the confidentiality, integrity, or availability of data or systems within the organization, or that has the potential to do so.

A

Security incident

60
Q

True or False : An incident response policy defines a security incident and incident response procedures. Incident response procedures start with preparation to prepare for and prevent incidents. Preparation helps prevent incidents such as malware infections. Personnel review the policy periodically and in response to lessons learned after incidents.

A

True

61
Q

An _______ __________ ____ provides more detail than the incident response policy. It provides organizations with a formal, coordinated plan personnel can use when responding to an incident.

A

Incident response plan (IRP)

62
Q

True or False: Some of the common elements in an incident response plan are:

  1. Definitions of incident types
  2. Cyber-incident response teams
  3. Roles and responsibilities
  4. Escalation
  5. Reporting requirements
  6. Exercises
A

True

63
Q

A __________ _______ ____ is composed of employees with expertise in different areas.

A

Cyber-incident response team (CIRT)

64
Q

True or False : Some of the common phases of an incident response process are:

  1. Preparation
  2. Identification
  3. Containment
  4. Eradication
  5. Recovery
  6. Lessons learned
A

True

65
Q

True or False : Computer forensics analyzes evidence from computers to determine details on computer incidents, similar to how CSI personnel analyze evidence from crime scenes.

A

True

66
Q

True or False : Forensic experts have specialized tools they can use to capture data.

A

True

67
Q

_____ __ _______ refers to the order in which you should collect evidence.

A

Order of volatility

68
Q

True or False : The order of volatility from most volatile to least volatile is:
• Data in cache memory, including the processor cache and hard drive cache
• Data in RAM, including system and network processes
• A paging file (sometimes called a swap file) on the system disk drive
• Data stored on local disk drives
• Logs stored on remote systems
• Archive media

A

True

69
Q

True or False : A distinct difference between standard system images and forensic images is that a forensic image is an exact copy and does not modify the original.

A

True

70
Q

True or False : Experts do not analyze the original disk and often don’t even analyze the original image. They understand that by analyzing the contents of a disk directly, they can modify the contents. By creating and analyzing forensic copies, they never modify the original evidence.

A

True

71
Q

True or False : A captured forensic image (from RAM or a disk) is just a file, and you can use hashing with forensic images to ensure image integrity.

A

True

72
Q

One benefit of using ___ is that it doesn’t change for daylight saving time, so it stays constant.

A

GMT

73
Q

Many video recorders use a ______ _____ ______ to identify times on tape recordings rather than the actual time.

A

Record time offset

74
Q

A _____ __ _______ is a process that provides assurances that evidence has been controlled and handled properly after collection.

A

Chain of custody

75
Q

The _____ __ _______ form provides a record of every person who was in possession of a physical asset collected as evidence. It shows who had custody of the evidence and where it was stored the entire time since collection.

A

Chain of custody

76
Q

A _____ ____ refers to a court order to maintain different types of data as evidence.

A

Legal hold

77
Q

True or False : When a user deletes a file, the operating system typically just marks it for deletion and makes the space the file is consuming available to use for other files.

A

True

78
Q

____ _____ ________ training is targeted to personnel based on their roles. The primary goal is to minimize the risk to the organization, and by giving users the training they need, they are better prepared to avoid threats.

A

Role-based awareness

79
Q

List roles that commonly require role-based training

A
  1. Data owner
  2. System administrator
  3. System owner
  4. User
  5. Privileged user
  6. Executive user
  7. Incident response team
80
Q

A _________ user is any user with more rights and permissions than typical end users.

A

Privileged

81
Q

True or False : The success of any security awareness and training plan is directly related to the support from senior management. If senior management supports the plan, middle management and employees will also support it. On the other hand, if senior management does not show support for the plan, it’s very likely that personnel within the organization will not support it either.

A

True

82
Q

True or False : Organizations handling credit card information need to comply with the Payment Card Industry Data Security Standard (PCI DSS).

A

True

83
Q

True or False : Personnel issues include insider threat, personal email, policy violation, social engineering, and social media.

A

True