Chapter 11: Security Administration Flashcards
Transitioning
This is when you begin or terminate a close business relationship with a partner.
What do you need to think about when transitioning?
Whether your policies work together, what your interoperability policies look like, and whether your security requirements mesh
-Who owns the data? How will it be backed up and managed?
Service Level Agreement (SLA)
Defines the level of service that’s going to be provided. How long will response time be for an on site tech?
SLA will typically have a technical definition in terms of mean time between failures (MTBF), mean time to repair or mean time to recovery (MTTR)
Blanket Purchase Order (BPO)
An ongoing agreement between the government and a private company in which the government agrees to keep purchasing materials, equipment, or services from a company.
The Memorandum of Understanding (MOU)
Summarizes which party is responsible for what part of the work
Interconnection Security Agreement (ISA)
Documents the technical requirements for interconnected infrastructure
Clean Desk Policy
Training Topics
Make sure employees won’t leave important information out in the open
Compliance with laws, best practices, and standards
Training Topics
Keep your users educated on which rules they must follow
Data Handling
Training Topics
Only let those who need data access it. Least Privilege.
Personally Owned Devices
Training Topics
Don’t let employees use flash drives, DVDs, cell phones, laptops, whatever. Just don’t.
Prevent tailgating
Training Topics
Tell people to be aware of what’s going on around them
Safe Internet Habits
Training Topics
Training users to avoid malicious sites and only visit trusted web servers
Public Information
Information available to the public or certain external entities.
Limited Distribution
-Private information, but it is shared with outside entities like a bank or something
Full Distribution
-Available to everyone!
Private Information
Could embarrass the company, disclose trade secrets, or worse
Internal Information
-Personnel records, customer lists, medical records, etc.
Restricted Information
-Could destroy the company. Proprietary protocols, trade secrets, strategic info, marketing plans, etc.
CIA
Confidentiality, Integrity, Availability
DAD
Disclosure, Alteration, Destruction
Health Insurance Portability and Accountability Act (HIPAA)
Standards for storage, use, and transmission of medical information. Passed in 1996.
- Covers confidentiality, privacy, and security
- Fines for HIPAA violations are as high as $250,000
Gramm-Leach-Bliley Act (Financial Modernization Act of 1999)
Banks can’t release certain information. Customers can opt out of information sharing. Account info can’t be shared for marketing purposes. I hope it contained some hilarious clause about y2k.
Computer Fraud and Abuse Act (CFAA)
Hackers and spammers can be classified and tried as terrorists. Anyone who had any knowledge can be tried as an accessory. Not really relevant now that most anyone may be classified as a terrorist threat under the PATRIOT Act.
Family Educational Rights and Privacy Act (FERPA)
School can’t share information without the student’s or parent’s knowledge and permission
-School must give student access to their own record if requested
Computer Security Act of 1987
Federal agencies must secure sensitive data
Cyberspace Electronic Security Act (CESA) 1999
Law enforcement has the right to gain access to cipher keys
Cyber Security Enhancement Act of 2002
Feds have easy access to ISPs and other data transmissions to monitor your communications
PATRIOT Act of 2001
Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT).
-Absolutely disgusting show of governmental overreach and betrayal of citizen privacy and humanity.