Chapter 11 Implementing Policies to Mitigate Risk Flashcards

1
Q

Written security policies are administrative controls that identify an overall security plan for an organization and help to reduce overall risk. Plans and procedures identify security controls used to enforce security policies.

A

An acceptable use policy defines proper system usage for users and spells out rules of behavior when accessing systems and networks. It often provides specific examples of unacceptable usage, such as visiting certain web sites, and typically includes statements informing users that the organization monitors user activities. Users are required to read and sign an acceptable use policy when hired, and in conjunction with refresher training.

2
Q

Mandatory vacation policies require employees to take time away from their job. These policies help to reduce fraud and discover malicious activities by employees.

A

A separation of duties policy separates individual tasks of an overall function between different entities or different people, and helps deter fraud. For example, a single person shouldn’t be able to approve bills and pay them, or print checks and then sign them.

3
Q

Job rotation policies require employees to change roles on a regular basis. Employees might swap roles temporarily, such as for three to four weeks, or permanently. These policies help to prevent employees from continuing with fraudulent activities, and help detect fraud if it occurs.

A

Clean desk policies require users to organize their desks and surrounding areas to reduce the risk of possible data theft and password compromise.

4
Q

Background checks are performed before hiring an employee. Once hired, onboarding processes give employees access to resources. An exit interview is conducted before an employee departs the organization, and the account is typically disabled during the interview.

A

Improper use of social networking sites can result in inadvertent information disclosure. Attackers gather information from these sites to launch attacks against users, such as cognitive password attacks to change users’ passwords. Training reduces these risks.

5
Q

A non-disclosure agreement helps ensure that proprietary data is not shared.

A

A service level agreement (SLA) is an agreement between a company and a vendor that stipulates performance expectations, such as minimum uptime and maximum downtime levels.

6
Q

An interconnection security agreement (ISA) specifies technical and security requirements for connections and ensures data confidentiality while data is in transit.

A

A memorandum of understanding or memorandum of agreement (MOU/MOA) supports an ISA, but doesn’t include technical details.

7
Q

Information classification practices help protect sensitive data by ensuring users understand the value of data. Data labeling ensures that users know what data they are handling and processing.

A

Public data is available to anyone. Confidential data is information that an organization intends to keep secret among a certain group of people. Proprietary data is data that is related to ownership, such as patents or trade secrets. Private data includes PII and PHI.

8
Q

Destruction and sanitization methods ensure that sensitive data is removed from decommissioned systems. File shredders remove all remnants of a file. Wiping methods erase disk drives.

A

Degaussing a disk magnetically erases all the data. Physically destroying a drive is the most secure method of ensuring unauthorized personnel cannot access proprietary information.

9
Q

Retention policies identify how long data is retained. They can limit a company’s exposure to legal proceedings and reduce the amount of labor required to respond to court orders.

A

Personally Identifiable Information (PII) is used to personally identify an individual. Examples include the full name, birth date, address, and medical information of a person. Personal Health Information (PHI) is PII that includes medical or health-related information.

10
Q

PII/PHI requires special handling for data retention. Many laws mandate the protection of both, and require informing individuals when an attack results in the compromise of PII or PHI.

A

A data owner has overall responsibility for data. A steward or custodian handles routine tasks to protect data. A privacy officer is responsible for ensuring an organization complies with relevant laws to protect privacy data, such as PII or PHI.

11
Q

An incident response policy defines an incident and response procedures. Organizations review and update the policy periodically and after reviewing lessons learned from actual incidents.

A

The first step in incident response is preparation. It includes creating and maintaining an incident response policy and includes prevention steps such as implementing security controls to prevent malware infections.

12
Q

Before acting, personnel verify an event is an actual incident. Next, they attempt to contain or isolate the problem. Disconnecting a computer from a network will isolate it.

A

Eradication attempts to remove all malicious components left after an incident. Recovery restores a system to its original state. Depending on the scope of the incident, administrators might completely rebuild the system, including applying all updates and patches.

13
Q

A review of lessons learned helps an organization prevent a recurrence of an incident.

A

The order of volatility for data from most volatile to least volatile is cache memory, regular RAM, a paging file, hard drive data, logs stored on remote systems, and archived media.

14
Q

Forensic experts capture an image of the data before analysis to preserve the original and maintain its usability as evidence.

A

Hard drive imaging creates a forensic copy and prevents the forensic capture and analysis from modifying the original evidence. A forensic image is a bit-by-bit copy of the data and does not modify the data during the capture.

15
Q

Hashing provides integrity for images, including images of both memory and disk drives. Taking a hash before and after capturing a disk image verifies that the capturing process did not modify data. Hashes can reveal evidence tampering or, at the very least, that evidence has lost integrity.

A

A chain of custody provides assurances that personnel controlled and handled evidence properly after collecting it. It may start with a tag attached to the physical item, followed by a chain of custody form that documents everyone who handled it and when they handled it.

16
Q

A legal hold requires an organization to protect existing data as evidence.

A

Security awareness and training programs reinforce user compliance with security policies and help reduce risks posed by users.

17
Q

Role-based training ensures that personnel receive the training they need. For example, executives need training on whaling attacks.

A

Common roles that require role-based training are data owners, system administrators, system owners, end users, privileged users, and executive users.

18
Q

Continuing education programs ensure that personnel are kept up to date on current technologies, threats, and vulnerabilities.

A

Many video recorders use a record time offset to identify times on tape recordings rather than the actual time. For example, a recording might use a displayed counter to identify the time that has passed since the recording started.

19
Q

The order of volatility from most volatile to least volatile is:
• Data in cache memory, including the processor cache and hard drive cache
• Data in RAM, including system and network processes
• A paging file (sometimes called a swap file) on the system disk drive
• Data stored on local disk drives
• Logs stored on remote systems
• Archive media

A

Forensic experts have specialized tools they can use to capture data. For example, many experts use EnCase Forensic by Guidance Software or Forensic Toolkit (FTK) by AccessData. These tools can capture data from memory or disks.

20
Q

NIST SP 800-84, “Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities,” provides much more in-depth information about performing exercises.