Chapter 11: Implementing Policies to Mitigate Risks Flashcards
What is Change Management?
A structured process for making and documenting changes to systems or data to reduce disruption and maintain security and compliance.
When it comes to Change Management, the following should be considered:
A formal approval process, defined ownership and responsibility, stakeholder analysis, impact analysis, testing, a backup plan, and maintenance windows.
What is Documentation?
Records that detail system configurations, processes, policies, and changes to ensure transparency and aid in troubleshooting or audits.
What is Version Control?
A system that tracks changes to files and code, allowing you to revert to previous versions and collaborate safely.
What is Regulated Data?
Data protected by laws or standards due to its sensitive nature, requiring specific security and privacy controls.
What is Financial Information?
Sensitive data related to banking, transactions, taxes, or payroll that must be protected from fraud and unauthorized access.
What is Intellectual Property (IP)?
Creations of the mind that need protection from theft or unauthorized use.
What are Trade Secrets?
Proprietary business knowledge or processes that provide a competitive edge and must be kept confidential.
What is Legal Information?
Data related to legal matters that must be securely stored and accessed by authorized users only.
What is a Data Classification System?
A method to categorize data by sensitivity (e.g. public, internal, confidential, secret) to apply appropriate protections.
What is Sensitive Data?
Any data that must be protected due to potential harm if exposed, such as personal info, health records, or login credentials.
What are Permission Restrictions?
Limits placed on data access based on user roles or need-to-know principles to prevent unauthorized usage.
What are Geographic Restrictions?
Rules that limit access or storage of data to specific regions or countries, often for legal or compliance reasons.
What are Data Retention Policies?
Guidelines for how long data must be stored before being archived or securely deleted, often based on legal or business needs.
What is Data Sanitization?
The secure removal of data from devices or systems to prevent recovery, using methods like wiping, degaussing, or physical destruction.
What is Erasing and Overwriting?
Removing data by writing new data over it multiple times to prevent recovery, commonly used for hard drives.
What is File Shredding?
A software method that deletes files and then overwrites their storage locations to make them unrecoverable.
What is Wiping?
The process of securely erasing an entire storage device by overwriting all sectors with random data.
What is Paper Shredding?
Physically cutting paper documents into fine strips or confetti to prevent data theft from discarded documents.
What is Burning?
Destroying paper documents by incineration to ensure the information cannot be reconstructed.
What is Pulping?
Mixing shredded paper with water and chemicals to turn it into a slurry, making it impossible to reconstruct.
What is Pulverizing?
Physically smashing a storage device into pieces so it can no longer function or have data recovered.
What is Degaussing?
Using a strong magnetic field to erase data from magnetic storage devices by disrupting their magnetic domains.
What are Third-Party Solutions (to data sanitization)?
Professional services that specialize in secure data destruction through physical or digital means.
What is a Certificate of Destruction (COD)?
A formal document provided by a vendor confirming that data or devices were destroyed securely and in compliance with standards.
What is Incident Response?
A structured approach to identifying, managing, and recovering from cybersecurity events or breaches.
What is a Data Breach?
An incident where sensitive, protected, or confidential data is accessed, stolen, or disclosed without authorization.
What is a Security Incident?
Any event that compromises the confidentiality, integrity, or availability (CIA) of information or systems.
What is an Incident Response Plan?
A predefined set of instructions and roles to follow when a security incident occurs, to contain damage and recover quickly.
What are some common elements of an incident response plan?
Definition of incident types, incident response team, and roles and responsibilities.
What does the Incident Response Process look like?
Preparation, Detection, Analysis, Containment, Eradication, Recovery, and Lessons Learned.
What is a Communication Plan?
The part of an IRP that outlines how information about the incident will be shared with stakeholders, staff, and possibly the public.
What are common elements included in a Communication Plan?
First Responders, Internal Communication, Reporting Requirements, External Communication, Law Enforcement, and Customer Communication.
What are Tabletop Exercises?
Simulated security incidents used to test response procedures, typically conducted in a meeting environment with key stakeholders.
What are Simulations?
Realistic, scenario-driven activities designed to practice and evaluate response to security incidents in a controlled environment.
What is Threat Hunting?
Proactively searching for hidden threats or malicious activity within an organization’s network or systems before they cause harm.
What is Digital Forensics?
The practice of collecting, analyzing, and preserving electronic data for investigative purposes, typically in legal cases.
What is the Order of Volatility?
The principle of collecting data in order of its volatility–more volatile data (like RAM) should be preserved first, as it may disappear quickly.
What is the most volatile to least volatile?
Cache, RAM, Swap file or pagefile, Disk, Attached devices, and Network.
What are Forensics Artifacts?
Digital traces (such as logs, timestamps, and file metadata) that can be analyzed to uncover evidence of malicious activity or incidents.
Why are Snapshots important in Data Acquisition?
Security experts use snapshots to capture memory (including cache and RAM).
What is a Legal Hold?
A directive to preserve relevant data for legal or investigative purposes, preventing data from being altered or deleted.
What is eDiscovery?
The process of identifying, collecting, and reviewing electronic data for use in legal investigations or proceedings.
What is Chain of Custody?
A documented record showing the chronological handling of evidence, ensuring its integrity in court.
What is Security, Orchestration, Automation, and Response (SOAR)?
A platform that integrates security tools and automates incident response processes to improve efficiency and consistency in handling security threats.
What is a Playbook?
A set of predefined procedures or best practices for responding to common cybersecurity incidents, often automated in SOAR systems.
What is a Runbook?
A detailed, step-by-step guide for resolving specific incidents or performing routine tasks, often used by IT or security operations teams.
What is Security Governance?
The framework of policies, processes, and controls that guide and ensure the effective management of security within an organization.
What are Governance Structures?
The organizational hierarchy, roles, and responsibilities defined to oversee and enforce security policies, procedures, and regulations.
What are Boards?
Groups of individuals, often at the executive level, responsible for overseeing the organization’s strategic direction, including cybersecurity initiatives and governance.
What are Committees?
Groups of individuals within an organization designed to focus on specific issues, such as cybersecurity, risk management, or compliance.
What are Government Entities?
Regulatory bodies and agencies at the local, state, or national levels that set standards and enforce laws related to cybersecurity, privacy, and data protection.
What is a Centralized Governance Structure?
A management framework where decision-making and responsibility for security policies and procedures are concentrated in a central body or team.
What are Decentralized Structures?
A management approach where decision-making and responsibility for security policies and practices are distributed across multiple teams or departments within the organization.
What are some External Considerations organizations need to account for?
Regulatory requirements, Legal obligations, Industry standards, and the security environment at the local, regional, national, and global levels.
What are Security Policies?
Formalized documents that define an organization’s security objectives, strategies, and rules, guiding how sensitive data and resources are protected.
What is an Acceptable Use Policy (AUP)?
A document outlining acceptable and prohibited activities regarding the use of an organization’s IT resources and network, ensuring compliance with security protocols.
What is Information Security Policy?
A policy that specifies how an organization protects its information assets, including requirements for confidentiality, integrity, and availability.
What are Business Continuity and Disaster Recovery Policies?
Guidelines and strategies for ensuring critical business functions can continue during and after a disruptive event, and for recovering from disasters.
What are Incident Response Policies?
Protocols and procedures to follow when responding to cybersecurity incidents, ensuring a swift, coordinated, and effective response to minimize impact.
What are Software Development Lifecycle (SDLC) policies?
Guidelines that dictate the secure development, testing, deployment, and maintenance of software, integrating security practices throughout the software development lifecycle.
What are Change Management policies?
Rules and procedures that govern how changes to IT systems, configurations, or processes are requested, evaluated, approved and implemented to reduce risk and maintain stability.
What are Security Standards?
Formal, mandatory rules derived from policies that define consistent security requirements across systems and environments.
What are some common security standards?
Password standards, Access control standards, Physical security standards, and Encryption standards.
What are Security Procedures?
Step-by-step instructions detailing how to implement specific security controls or tasks consistently and safely.
What are some examples of Security Procedures?
Change Management procedures, Onboarding procedures, and Offboarding procedures.
What are Security Guidelines?
Recommended (but not mandatory) best practices designed to help staff make informed decisions about security in situations not covered by formal policies.
What is Data Governance?
A framework of policies, roles, standards, and processes that ensure high data quality, security, availability, and proper management throughout the data lifecycle.
What is Critical Data?
Information vital to business operations or compliance that, if lost or compromised, could significantly impact the organization.
What is a Data Owner?
The person or role responsible for data’s classification, use, and access rules–often accountable for ensuring data is handled according to policy.
What is a Data Steward?
Responsible for maintaining data quality and consistency, ensuring data is accurate, complete, and used properly across systems.
What is a Data Custodian?
Handles the day-to-day management of data infrastructure and storage, including backups and access controls–but does not define data usage.
What is a Data Controller?
Entity or person that determines the purpose and means of processing personal data.
What is a Data Processor?
Entity or individual that processes data on behalf of the data controller.
What is Monitoring?
The continuous checking of the effectiveness of the organization’s security measures.
What is Revision?
Adjusting policies, standards, and procedures as needed based on the results of monitoring.
What is Third-Party Risk Management?
The process of identifying, assessing, and mitigating security and compliance risks posed by vendors, partners, or contractors with access to systems or data.
What is the Supply Chain?
The interconnected system of organizations, people, activities, and resources involved in producing and delivering a product or service.
What is a Supply Chain analysis?
The examination and mapping of the supply chain to identify potential vulnerabilities, single points of failure, or risks from third parties.
What is Vendor Diversity?
Using a variety of vendors from different backgrounds or regions to reduce risk, promote competition, avoid vendor lock-in, and improve supply chain resilience.
What is End of Life (EOL)?
The point when a vendor no longer sells or supports a product. No new features or updates are released.
What is End of Service Life (EOSL)?
The final stage when the vendor stops providing any technical support, security updates, or patches–posing security risks if still in use.
What is a Right-to-Audit clause?
A contract clause allowing one party to audit the other’s compliance with security, privacy, or contractual obligations, especially in third-party relationships.
What is Penetration Testing?
A simulated cyberattack authorized by an organization to identify and exploit vulnerabilities in systems, networks, or apps.
What is Due Diligence?
The investigation or evaluation of a third party or process before entering a business agreement–often involves reviewing security, legal, and financial risks.
What are Conflicts of interest?
A situation where a person or organization has competing interests or loyalties that could interfere with objective decision-making.
What is a Service Level Agreement (SLA)?
A formal agreement that defines the expected service standards (like uptime or response times) and consequences for failure to meet them.
What is a Memorandum of Understanding (MOU), also known as a Memorandum of Agreement (MOA)?
A non-binding agreement between parties that outlines terms and intentions of a partnership or cooperation, often a precursor to formal contracts.
What is a Business Partner Agreement?
A legally binding contract outlining the roles, responsibilities, and expectations between business partners in a collaboration.
What is a Non-disclosure Agreement?
A contract that legally binds parties to keep specified information confidential and not share it without permission.
What is a Master Services Agreement?
A broad contract that sets the general terms of a business relationship; individual projects are defined under separate agreements like SOWs or work orders.
What are Work Orders (WO)?
Short documents specifying work to be done under an MSA or other agreement, typically including timeline, cost, and deliverables.
What is a Statement of Work (SOW)?
A detailed document outlining the specific tasks, deliverables, and timeline for a project within the scope of a larger contract like an MSA.
What are Rules of Engagement?
Guidelines that define how penetration testing is to be carried out, including scope, timing, and communication protocols.
What are Data Subjects?
Individuals whose personal data is being collected, processed or stored by a data controller or processor.
What is the Health Insurance Portability and Accountability Act (HIPAA)?
A U.S. law that protects sensitive patient health information by setting data privacy and security standards for healthcare providers and insurers.
What is the Gramm-Leach-Bliley Act (GLBA)?
A U.S. law that requires financial institutions to explain their data-sharing practices, protect personal data, and provide privacy notices to customers.
What is the General Data Protection Regulation (GDPR)?
A comprehensive EU privacy law that gives individuals control over their personal data and requires organizations to follow strict data protection practices.
What is the Payment Card Industry Data Security Standard (PCI DSS)?
A set of security standards for organizations that handle credit card information, designed to ensure secure processing, storage, and transmission of cardholder data.
In regards to monitoring and reporting, what is Due Diligence?
The ongoing effort to research and evaluate risks before taking actions–such as assessing third parties, systems, or procedures–to make informed decisions.
In regards to monitoring and reporting, what is Due Care?
The actions taken after identifying risks–like implementing appropriate safeguards–to demonstrate responsible behavior and adherence to security best practices.
In regards to monitoring and reporting, what is Attestation?
A formal declaration (often written or digital) that confirms a system, control, or process meets required standards or policies.
In regards to monitoring and reporting, what is Acknowledgement?
A user’s or employee’s formal confirmation that they’ve read, understood, and agreed to follow specific policies, training, or procedures.
What is the Right to be Forgotten?
A legal right (especially under the GDPR) allowing individuals to request deletion of their personal data from an organization’s systems when it’s no longer needed.
What is Data Inventory?
A complete and organized record of all data assets within an organization, including where data is stored, how it’s used, and who has access to it.
What is Data Retention?
Policies and procedures that dictate how long data is kept, stored, or archived based on legal, regulatory, or business requirements.
What is Security Awareness?
Programs that educate employees about the risks and tactics associated with social engineering.
What is Computer-based Training (CBT)?
Interactive digital training delivered through a computer system–commonly used for employee security awareness, compliance, and skills development.
What are Phishing Campaigns?
Simulated phishing attacks sent to employees to test and improve their awareness and response to social engineering threats.