Chapter 11: Implementing Policies to Mitigate Risks Flashcards
An ____ ____ ____ defines proper system usage for users and spells out rules of behavior when accessing systems and networks. It often provides specific examples of unacceptable usage, such as visiting certain web sites, and typically includes statements informing users that the organization monitors user activities. Users are required to read and sign it when hired, and in conjunction with refresher training.
acceptable use policy
____ ____ policies require employees to take time away from their job. These policies help to reduce fraud and discover malicious activities by employees.
Mandatory vacation
A ____ ___ _____ policy separates individual tasks of an overall function between different entities or different people, and helps deter fraud. For example, a single person shouldn’t be able to approve bills and pay them, or print checks and then sign them.
separation of duties
____ ______ policies require employees to change roles on a regular basis. Employees might swap roles temporarily, such as for three to four weeks, or permanently. These policies help to prevent employees from continuing with fraudulent activities, and help detect fraud if it occurs.
Job rotation
____ _____ policies require users to organize their desks and surrounding areas to reduce the risk of possible data theft and password compromise.
Clean desk
____ _____ are performed before hiring an employee. Once hired, onboarding processes give employees access to resources.
Background checks
An ____ ____ is conducted before an employee departs the organization, and the account is typically disabled during the interview.
exit interview
Improper use of ___ ____ sites can result in inadvertent information disclosure. Attackers gather information from these sites to launch attacks against users, such as cognitive password attacks to change users’ passwords. Training reduces these risks.
social networking
A __-_____ _____ helps ensure that proprietary data is not shared.
non-disclosure agreement (NDA)
A ____ ____ ____ is an agreement between a company and a vendor that stipulates performance expectations, such as minimum uptime and maximum downtime levels.
service level agreement (SLA)
An ____ ____ ____ specifies technical and security requirements for connections and ensures data confidentiality while data is in transit.
interconnection security agreement (ISA)
A _____ or _____ supports an ISA, but doesn’t include technical details.
memorandum of understanding or memorandum of agreement (MOU/MOA)
Information ______ practices help protect sensitive data by ensuring users understand the value of data. Data _____ ensures that users know what data they are handling and processing.
classification
labeling
_____ data is available to anyone. _____ data is information that an organization intends to keep secret among a certain group of people. ______ data is data that is related to ownership, such as patents or trade secrets. _____ data includes PII and PHI.
Public
Confidential
Proprietary
Private
_____ and _____ methods ensure that sensitive data is removed from decommissioned systems. File shredders remove all remnants of a file. Wiping methods erase disk drives.
Destruction and sanitization
______ a disk magnetically erases all the data. Physically destroying a drive is the most secure method of ensuring unauthorized personnel cannot access proprietary information.
Degaussing
_____ policies identify how long data is retained. They can limit a company’s exposure to legal proceedings and reduce the amount of labor required to respond to court orders.
Retention
___ ___ ___ is used to personally identify an individual. Examples include the full name, birth date, address, and medical information of a person.
Personally Identifiable Information (PII)
____ ____ ____ is PII that includes medical or health-related information.
Personal Health Information (PHI)
____/_____ requires special handling for data retention. Many laws mandate the protection of both, and require informing individuals when an attack results in the compromise of them.
PII/PHI
A ____ _____ has overall responsibility for data. A ____ or custodian handles routine tasks to protect data. A ____ officer is responsible for ensuring an organization complies with relevant laws to protect privacy data, such as PII or PHI.
data owner
steward
privacy
An ____ ____ policy defines an incident and response procedures. Organizations review and update the policy periodically and after reviewing lessons learned from actual incidents.
incident response
The _____ step in incident response is preparation. It includes creating and maintaining an incident response policy and includes prevention steps such as implementing security controls to prevent malware infections.
first
Before acting, personnel verify an event is an actual incident. Next, they attempt to _____ or isolate the problem. Disconnecting a computer from a network will isolate it.
contain