Chapter 11 Implementing Policies to Mitigate Risks Flashcards
________ ________ are written documents that lay out a security plan within a company.
Security policies
True or False : When created early enough, they help ensure that personnel consider and implement security throughout the life cycle of various systems in the company.
True
True or False : When the policies and procedures are enforced, they help prevent incidents, data loss, and theft.
True
After creating the _______, personnel within the organization create plans and procedures to support the policies.
Policy
Organizations often create ________ __________ _________ to support security policies.
Standard operating procedures (SOPs)
________ ________ enforce the requirements of a security policy.
Security controls
An __________ ___ _______ defines proper system usage or the rules of behavior for employees when using information technology (IT) systems.
Acceptable use policy (AUP)
True or False : The AUP may include statements informing users that systems are in place monitoring their activities.
True
True or False : The AUP often includes definitions and examples of unacceptable use.
True
Other methods, such as _____ _________ or periodic emails, help reinforce an acceptable use policy.
Logon banners
________ _______ policies help detect when employees are involved in malicious activity, such as fraud or embezzlement.
Mandatory vacation
True or False : Additional policies may include separation of duties and job rotation to provide as much protection as possible.
True
_________ __ ______ is a principle that prevents any single person or entity from being able to complete all the functions of a critical or sensitive process. It’s designed to prevent fraud, theft, and errors.
Separation of duties
___ ______ is a concept that has employees rotate through different jobs to learn the processes and procedures in each job. From a security perspective, ___ _______ helps to prevent or expose dangerous shortcuts or even fraudulent activity.
Job rotation
A _____ ____ ______ directs users to keep their areas organized and free of papers. The primary security goal is to reduce threats of security incidents by ensuring the protection of sensitive data.
Clean desk policy
True or False : Some items left on a desk that can present risks include:
- Keys
- Cell phones
- Access cards
- Sensitive papers
- Logged-on computer
- Printouts left in printer
- Passwords on Post-it notes
- File cabinets left open or unlocked
- Personal items such as mail with Personally Identifiable Information (PII)
True
A __________ ____ checks into a potential employee’s history with the intention of discovering anything about the person that might make him a less-than-ideal fit for a job.
Background check
True or False : A background check will vary depending on job responsibilities and the sensitivity of data that person can access.
True
True or False : Some background checks require the written permission from the potential employee.
True
A ___________ __________ is used between two entities to ensure that proprietary data is not disclosed to unauthorized entities.
Non-disclosure agreement (NDA)
An ____ __________ is conducted with departing employees just before they leave an organization.
Exit interview
True or False : User accounts are often disabled or deleted during the exit interview and everything issued to the employee is collected.
True
__________ is the process of granting individuals access to an organization’s computing resources after being hired. This includes providing the employee with a user account and granting access to appropriate resources.
Onboarding
True or False : One of the key considerations during the onboarding process is to follow the principle of least privilege. Grant the new employees access to what they need for their job, but no more.
True
True or False : Employees who engage in cyberbullying against fellow employees are typically fired.
True
True or False : Social media sites allow people to share personal comments with a wide group of people. However, improper use of social networking sites can result in inadvertent information disclosure. Attackers can also use information available on these sites to launch attacks against users or in a cognitive password attack to change a user’s password. Training helps users understand the risks.
True
Attackers have used two primary methods to get these malvertisements installed on legitimate web sites. One method is to ______ a web site and insert ads onto that web site. The second method is to ___ ____.
Attack, buy ads
What are three reasons organizations tend to restrict peer-to-peer (P2P) applications?
- High use of bandwidth
- Protection against data leakage
- Hosting of inappropriate data
An ___ specifies technical and security requirements for planning, establishing, maintaining, and disconnecting a secure connection between two or more entities.
Interconnection security agreement (ISA)
An ___ is an agreement between a company and a vendor that stipulates performance expectations, such as minimum uptime and maximum downtime levels.
Service level agreement (SLA)
An ___ expresses an understanding between two or more parties indicating their intention to work together toward a common goal. It is often used to support an ISA by defining the purpose of the ISA and the responsibilities of both parties.
Memorandum of understanding (MOU) or memorandum of agreement (MOA)
It is less formal than an SLA
A ___ is a written agreement that details the relationship between business partners, including their obligations toward the partnership. It typically identifies the shares of profits or losses each partner will take, their responsibilities to each other, and what to do if a partner chooses to leave the partnership.
Business partners agreement (BPA)
As a best practice, organizations take the time to identify, classify, and label data they use. ____ ______________ ensure that users understand the value of data, and the classifications help protect sensitive data. Classifications can apply to hard data (printouts) and soft data (files).
Data classifications
True or False : The U.S. government uses classifications such as Top Secret, Secret, Confidential, and Unclassified to identify the sensitivity of data. Private companies often use terms such as Proprietary, Private, Confidential, or Public.
True
_____ ____ is available to anyone.
Public data
___________ ____ is information that an organization intends to keep secret among a certain group of people.
Confidential data
A proprietor is an owner and _________ ____ is data that is related to ownership.
Proprietary data
Such as patents or trade secrets
________ ____ is information about an individual that should remain private.
Private data
List two examples of private data types
Personally Identifiable Information (PII) and Personal Health Information (PHI)
Data _______ ensures that users know what data they are handling and processing.
Labeling
True or False : It’s common for organizations to have a checklist to ensure that personnel sanitize a system prior to disposing of it. The goal is to ensure that personnel remove all usable data from the system.
True
List common methods to destroy data and sanitize media
- Purging - General term indicating all sensitive data has been removed from a device
- File shredding - Application that repeatedly overwrites space where the file is located with 1s and 0s
- Wiping - Disk wiping tool to completely remove all remnants of data on a disk
- Erasing and overwriting - SSDs need to be physically destroyed
- Burning - Incinerator
- Paper shredding
- Pulping - Reduces shredded paper to mash or puree
- Degaussing - Passing a disk through a powerful electromagnet
- Pulverizing - Process that physically destroys media for sanitization
_____ ___ _______ is a special process that removes the random data stored at the end of a file. It is useful when you want to keep a file, but remove the random data.
Cluster tip wiping
A ____ ______ ______ identifies how long data is retained, and sometimes specifies where it is stored.
Data retention policy
True or False : Retention policies also help reduce legal liabilities.
True
_______ _________ ________ is personal information that can be used to personally identify an individual.
Personally Identifiable Information (PII)
______ ______ _______ is PII that includes health information.
Personal Health Information (PHI)
List some examples of PII
- Full name
- Birthday and birth place
- Medical and health information
- Street or e-mail address information
- Personal characteristics such as biometric data
- Any type of identification number, such as Social Security number (SSN) or driver’s license number
True or False : You need two or more pieces of information to make it PII.
True
Ex. Name and address so that it can be traced back to a specific person
True or False : Whenever possible, organizations should minimize the use, collection, and retention of PII.
True
True or False : Organizations have an obligation to protect PII. There are many laws that mandate the protection of PII, including international laws, federal laws, and local regulations.
True
True or False : One of the common reasons data seems to fall into the wrong hands is that employees don’t understand the risks involved.
True
True or False : Within the context of data security and privacy, the following laws are often a key concern:
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Gramm-Leach-Bliley Act (GLBA) - Requires financial institutions to provide consumers with a privacy notice explaining what information they collect and how that information is used
- Sarbanes-Oxley Act (SOX) - Requires that executives within an organization take individual responsibility for the accuracy of financial reports. Also includes specifics related to auditing, and identifies penalties to individuals for noncompliance.
- General Data Protection Regulation (GDPR) - EU directive that mandates the protection of privacy data for individuals within the EU
True
The ____ ______ is the individual with overall responsibility for the data. It is often a high-level position such as the chief executive officer (CEO) or a department head.
Data owner
True or False : The data owner is responsible for identifying the classification of the data, ensuring the data is labeled to match the classification, and ensuring security controls are implemented to protect the data.
True
A ____ ________ or ____ _______ handles the routine tasks to protect data.
Data steward or data custodian
A ______ ______ is an executive position within an organization. This person is primarily responsible for ensuring that the organization is complying with relevant laws.
Privacy officer
True or False : Many organizations create incident response policies to help personnel identify and respond to incidents.
True
A _______ _________ is an adverse event or series of events that can negatively affect the confidentiality, integrity, or availability of data or systems within the organization, or that has the potential to do so.
Security incident
True or False : An incident response policy defines a security incident and incident response procedures. Incident response procedures start with a preparation phase, whose purpose is to prepare for and prevent incidents. Preparation helps prevent incidents such as malware infections. Personnel review the policy periodically and in response to lessons learned after incidents.
True
An _______ __________ ____ provides more detail than the incident response policy. It provides organizations with a formal, coordinated plan personnel can use when responding to an incident.
Incident response plan (IRP)
True or False : Some of the common elements in an incident response plan are:
- Definitions of incident types
- Cyber-incident response teams
- Roles and responsibilities
- Escalation
- Reporting requirements
- Exercises
True
A __________ _______ ____ is composed of employees with expertise in different areas.
Cyber-incident response team (CIRT)
True or False : Some of the common phases of an incident response process are:
- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Lessons learned
True
True or False : Computer forensics analyzes evidence from computers to determine details on computer incidents, similar to how CSI personnel analyze evidence from crime scenes.
True
True or False : Forensic experts have specialized tools they can use to capture data.
True
_____ __ _______ refers to the order in which you should collect evidence.
Order of volatility
True or False : The order of volatility from most volatile to least volatile is:
• Data in cache memory, including the processor cache and hard drive cache
• Data in RAM, including system and network processes
• A paging file (sometimes called a swap file) on the system disk drive
• Data stored on local disk drives
• Logs stored on remote systems
• Archive media
True
True or False : A distinct difference between standard system images and forensic images is that a forensic image is an exact copy and does not modify the original.
True
True or False : Experts do not analyze the original disk and often don’t even analyze the original image. They understand that by analyzing the contents of a disk directly, they can modify the contents. By creating and analyzing forensic copies, they never modify the original evidence.
True
True or False : A captured forensic image (from RAM or a disk) is just a file, and you can use hashing with forensic images to ensure image integrity.
True
One benefit of using ___ is that it doesn’t change for daylight saving time, so it stays constant.
GMT
Many video recorders use a ______ _____ ______ to identify times on tape recordings rather than the actual time.
Record time offset
A _____ __ _______ is a process that provides assurances that evidence has been controlled and handled properly after collection.
Chain of custody
The _____ __ _______ form provides a record of every person who was in possession of a physical asset collected as evidence. It shows who had custody of the evidence and where it was stored the entire time since collection.
Chain of custody
A _____ ____ refers to a court order to maintain different types of data as evidence.
Legal hold
True or False : When a user deletes a file, the operating system typically just marks it for deletion and makes the space the file is consuming available to use for other files.
True
____ _____ ________ training is targeted to personnel based on their roles. The primary goal is to minimize the risk to the organization, and by giving users the training they need, they are better prepared to avoid threats.
Role-based awareness
List roles that commonly require role-based training
- Data owner
- System administrator
- System owner
- User
- Privileged user
- Executive user
- Incident response team
A _________ user is any user with more rights and permissions than typical end users.
Privileged
True or False : The success of any security awareness and training plan is directly related to the support from senior management. If senior management supports the plan, middle management and employees will also support it. On the other hand, if senior management does not show support for the plan, it’s very likely that personnel within the organization will not support it either.
True
True or False : Organizations handling credit card information need to comply with the Payment Card Industry Data Security Standard (PCI DSS).
True
True or False : Personnel issues include insider threat, personal email, policy violation, social engineering, and social media.
True