Chapter 16 - Security Governance and Compliance Flashcards
Governance
Governance programs are the sets of procedures and controls put in place to allow an organization to effectively direct its work.
Board of Directors
A Board of Directors has ultimate authority over a corporation as the owner’s representatives. Shareholders elect the members of this board to direct the actions of the corporation on their behalf.
Independent Directors
Independent Directors have no significant relationship with the company other than their board membership.
Chief Executive Officer (CEO)
The Chief Executive Officer is hired by the board of directors to manage the day-to-day operations of the corporation. The CEO is hired by the board, may be dismissed by the board, and has their performance reviews and compensation determined by the board.
Centralized Governance Model
Centralized Governance Models use a top-down approach where a central authority creates policies and standards, which are then enforced throughout the organization.
Decentralized Governance Model
Decentralized Governance Models use a bottom-up approach, where individual business units are delegated the authority to achieve cybersecurity objectives and then may do so in the manner they see fit.
Policy
Policies are high-level statements of management intent. Compliance with policies is mandatory. An information security policy will generally contain broad statements about cybersecurity objectives.
Standards
Standards provide mandatory requirements describing how an organization will carry out its information security policies. These may include the specific configuration settings used for a common operating system, the controls that must be put in place for highly sensitive information, or any other security objective.
Procedures
Procedures are detailed, step-by-step processes that individuals and organizations must follow in specific circumstances. Similar to checklists, procedures ensure a consistent process for achieving a security objective.
Guidelines
Guidelines provide best practices and recommendations related to a given concept, technology, or task. Compliance with guidelines is not mandatory, and guidelines are offered in the spirit of providing helpful advice.
Compensating Control
Compensating Controls are designed to mitigate the risk associated with exceptions to security standards.
Change Management
Change Management processes ensure that appropriate personnel review and approve changes before implementation and ensure that personnel test and document the changes.
Impact Analysis
Impact Analysis is the process of evaluating changes to identify any security impacts before personnel deploy the changes in a production environment.
Backout Plan
A Backout Plan allows personnel to undo the change and return the system to its previous state if necessary.
What are the common tasks within a change management process?
- Request the change
- Review the change
- Approve/reject the change
- Test the change
- Schedule and implement the change
- Document the change
Version Control
Version Control ensures that developers and users have access to the latest versions of software and that changes are carefully managed throughout the release process. A labeling or numbering system differentiates between different software sets and configurations across multiple machines or at different points in time on a single machine.
Two-Person Control
Two-Person Control requires the participation of two people to perform a single sensitive action.
Job Rotation
Job Rotation practices take employees with sensitive roles and move them periodically to other positions in the organization. The motivating force behind these efforts is that many types of fraud require ongoing concealment activities. If an individual commits fraud and is then rotated out of their existing assignment, they may not be able to continue those concealment activities due to changes in privileges and their replacement may discover the fraud themselves.
Mandatory Vacations
Mandatory Vacations force employees to take annual vacations of a week or more and revoke their access privileges during that vacation period.
Clean Desk Policy
Clean Desk Policies are designed to protect the confidentiality of sensitive information by limiting the amount of paper left exposed on unattended employee desks.
Due Diligence
Due Diligence involves thoroughly vetting potential vendors to ensure that they meet the organization’s standards and requirements. This process should include an evaluation of the vendor’s financial stability, business reputation, quality of products or services, and compliance with relevant regulations.
Conflicts of Interest
Conflicts of Interest arise when a vendor has a competing interest that could influence their behavior in a way that is not aligned with the best interests of the organization.
Right-to-Audit Clause
The Right-to-Audit Clause allows the customer to conduct or commission audits on the vendor’s operations and practices to ensure compliance with terms and conditions.
Supply Chain Analysis
Supply Chain Analysis is vital in understanding the risks associated with the vendor’s supply chain. This includes assessing the vendor’s suppliers and understanding the interdependencies and risks that could impact the vendor’s ability to deliver products or services.
Questionnaires
Questionnaires are used to collect information regarding the vendor's practices and performance on a regular basis.
Service Level Agreements (SLAs)
Service Level Agreements are written contracts that specify the conditions of service that will be provided by the vendor and the remedies available to the customer if the vendor fails to meet the SLA.
Memorandum of Understanding (MOU)
A Memorandum of Understanding is a letter written to document aspects of the relationship between a vendor and a customer. MOUs are an informal mechanism that allows the parties to document their relationship to avoid future misunderstandings.
Memorandum of Agreement (MOA)
A Memorandum of Agreement is a formal document that outlines the terms and details of an agreement between parties, establishing a mutual understanding of the roles and responsibilities in fulfilling specific objectives. MOAs are generally more detailed than MOUs and may include clauses regarding resource allocation, risk management, and performance metrics.
Business Partner Agreement (BPA)
Business Partner Agreements exist when two organizations agree to do business with each other in a partnership.
Rules of Engagement
Rules of Engagement define the boundaries within which the vendor should operate. They normally include setting clear communication protocols, defining responsibilities, and establishing processes for issue resolution.
Compliance Reporting
Compliance Reporting ensures that organizations meet the regulatory requirements and maintain transparency within the organization and with external stakeholders.
Due Care
Due Care refers to the ongoing efforts to ensure that the implemented policies and controls are effective and continuously maintained. This means regularly reviewing and updating policies and taking proactive steps to ensure compliance.
Maturity Model
A Maturity Model describes the current and desired positioning of an organization along a continuum of progress.
What are the five security functions of the NIST Framework Core?
- Identify
- Protect
- Detect
- Respond
- Recover
What are the four NIST Framework Implementation Tiers?
- Partial
- Informed
- Repeatable
- Adaptive
NIST Risk Management Framework for Information Systems and Organizations (RMF)
Also known as NIST SP 800-37, the NIST RMF is a formal process for implementing security controls and authorizing system use. The RMF is a mandatory standard for federal agencies.
ISO 27001
ISO 27001, titled Information Security Management Systems, is a standard that includes the following control objectives:
- Information security policies
- Organization of information security
- Human resource security
- Asset management
- Access control
- Cryptography
- Physical and environmental security
- Operations security
- Communications security
- System acquisition, development, and maintenance
- Supplier relationships
- Information security incident management
- Information security aspects of business continuity management
- Compliance with internal requirements, such as policies, and with external requirements, such as laws
ISO 27002
The ISO 27002 standard goes beyond control objectives and describes the actual controls that an organization may implement to meet cybersecurity objectives. ISO designed this supplementary document for organizations that wish to:
- Select information security controls
- Implement information security controls
- Develop information security management guidelines
ISO 27701
ISO 27701 contains standard guidance for managing privacy controls. It is important to remember that ISO 27001 covers cybersecurity while ISO 27701 covers privacy.
ISO 31000
ISO 31000 provides guidelines for risk management programs. This document is not specific to cybersecurity or privacy but covers risk management in a general way so that it may be applied to any risk.
Center for Internet Security (CIS)
The Center for Internet Security is an industry organization that publishes hundreds of security benchmarks for commonly used platforms.
Role-Based Training
Role-Based Training makes sure that individuals receive the appropriate level of training based on their job responsibilities.
Security Awareness
Security Awareness efforts are less formal efforts that are designed to remind employees about the security lessons they’ve already learned. Unlike security training, Security Awareness efforts don’t require a commitment of time to sit down and learn new material.