Chapter 11 Implementing Policies to Mitigate Risks Flashcards
________ ________ are written documents that lay out a security plan within a company.
Security policies
True or False : When created early enough, they help ensure that personnel consider and implement security throughout the life cycle of various systems in the company.
True
True or False : When the policies and procedures are enforced, they help prevent incidents, data loss, and theft.
True
After creating the _______, personnel within the organization create plans and procedures to support the policies.
Policy
Organizations often create ________ __________ _________ to support security policies.
Standard operating procedures (SOPs)
________ ________ enforce the requirements of a security policy.
Security controls
An __________ ___ _______ defines proper system usage or the rules of behavior for employees when using information technology (IT) systems.
Acceptable use policy (AUP)
True or False : The AUP may include statements informing users that systems are in place monitoring their activities.
True
True or False : The AUP often includes definitions and examples of unacceptable use.
True
Other methods, such as _____ _________ or periodic emails, help reinforce an acceptable use policy.
Logon banners
________ _______ policies help detect when employees are involved in malicious activity, such as fraud or embezzlement.
Mandatory vacation
True or False : Additional policies may include separation of duties and job rotation to provide as much protection as possible.
True
_________ __ ______ is a principle that prevents any single person or entity from being able to complete all the functions of a critical or sensitive process. It’s designed to prevent fraud, theft, and errors.
Separation of duties
___ ______ is a concept that has employees rotate through different jobs to learn the processes and procedures in each job. From a security perspective, ___ _______ helps to prevent or expose dangerous shortcuts or even fraudulent activity.
Job rotation
A _____ ____ ______ directs users to keep their areas organized and free of papers. The primary security goal is to reduce threats of security incidents by ensuring the protection of sensitive data.
Clean desk policy
True or False : Some items left on a desk that can present risks include:
- Keys
- Cell phones
- Access cards
- Sensitive papers
- Logged-on computer
- Printouts left in printer
- Passwords on Post-it notes
- File cabinets left open or unlocked
- Personal items such as mail with Personally Identifiable Information (PII)
True
A __________ ____ checks into a potential employee’s history with the intention of discovering anything about the person that might make him a less-than-ideal fit for a job.
Background check
True or False : A background check will vary depending on job responsibilities and the sensitivity of data that person can access.
True
True or False : Some background checks require the written permission from the potential employee.
True
A ___________ __________ is used between two entities to ensure that proprietary data is not disclosed to unauthorized entities.
Non-disclosure agreement (NDA)
An ____ __________ is conducted with departing employees just before they leave an organization.
Exit interview
True or False : User accounts are often disabled or deleted during the exit interview and everything issued to the employee is collected.
True
__________ is the process of granting individuals access to an organization’s computing resources after being hired. This includes providing the employee with a user account and granting access to appropriate resources.
Onboarding
True or False : One of the key considerations during the onboarding process is to follow the principle of least privilege. Grant the new employees access to what they need for their job, but no more.
True
True or False : Employees who engage in cyberbullying against fellow employees are typically fired.
True
True or False : Social media sites allow people to share personal comments with a wide group of people. However, improper use of social networking sites can result in inadvertent information disclosure. Attackers can also use information available on these sites to launch attacks against users or in a cognitive password attack to change a user’s password. Training helps users understand the risks.
True
Attackers have used two primary methods to get these malvertisements installed on legitimate web sites. One method is to ______ a web site and insert ads onto that web site. The second method is to ___ ____.
Attack, buy ads
What are three reasons organizations tend to restrict peer-to-peer (P2P) applications?
- High use of bandwidth
- Protection against data leakage
- Hosting of inappropriate data
An ___ specifies technical and security requirements for planning, establishing, maintaining, and disconnecting a secure connection between two or more entities.
Interconnection security agreement (ISA)
An ___ is an agreement between a company and a vendor that stipulates performance expectations, such as minimum uptime and maximum downtime levels.
Service level agreement (SLA)
An ___ expresses an understanding between two or more parties indicating their intention to work together toward a common goal. It is often used to support an ISA by defining the purpose of the ISA and the responsibilities of both parties.
Memorandum of understanding (MOU) or memorandum of agreement (MOA)
It is less formal than an SLA.
A ___ is a written agreement that details the relationship between business partners, including their obligations toward the partnership. It typically identifies the shares of profits or losses each partner will take, their responsibilities to each other, and what to do if a partner chooses to leave the partnership.
Business partners agreement (BPA)
As a best practice, organizations take the time to identify, classify, and label data they use. ____ ______________ ensure that users understand the value of data, and the classifications help protect sensitive data. Classifications can apply to hard data (printouts) and soft data (files).
Data classifications