Chapter 9 Policy and Compliance Flashcards
Contains a series of documents designed to describe the organization’s security program
Information security policy framework
Information security policy frameworks generally include four different types of documents, what are they?
Policies
Standards
Procedures
Guidelines
- High-level statements of management intent
- A statement of the importance of cybersecurity to an organization
- Requirement that all staff and contractors take measures to protect the confidentiality, integrity, and availability of information and information systems
- Statement of ownership of information created and/or possessed by the organization
- Designation of the chief information security officer (CISO) or other individual as the executive responsible for cybersecurity issues
- Delegation of authority granting the CISO the ability to create standards, procedures, and guidelines that implement the policy
Policies
- A common document that is often part of an organization’s information security policy library
- Provides the highest level of authority and guidance for the security program
Information security policy
- A common document that is often part of an organization’s information security policy library
- Provides network and system users with clear direction on permissible uses of information resources
Acceptable use policy
- A common document that is often part of an organization’s information security policy library
- Clearly states the ownership of information created or used by the organization
Data ownership policy
- A common document that is often part of an organization’s information security policy library
- Describes the classification structure used by the organization and the process used to properly assign classifications to data
Data classification policy
- A common document that is often part of an organization’s information security policy library
- Outlines what information the organization will maintain and the length of time different categories of information will be retained prior to destruction
Data retention policy
- A common document that is often part of an organization’s information security policy library
- Describes the account life cycle from provisioning through active use and decommissioning
Account management policy
- A common document that is often part of an organization’s information security policy library
- Sets forth requirements for password length, complexity, reuse, and similar issues
Password policy
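The three requirements a password policy usually sets (length, complexity, no reuse) translate directly into an enforcement check. The following is an added example written for this card, not code from any organization's policy or product: the policy values, the user and every password in the sample history are constructed for illustration, and the reuse check is done against salted PBKDF2 hashes so the history never holds plaintext.

```python
"""Password policy check covering minimum length, character-class complexity,
and no reuse of the most recent passwords.

Added example for the "Password policy" card. The policy values, the sample
user history and the PBKDF2 parameters are constructed for illustration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Sequence, Tuple

PBKDF2_ITERATIONS = 100_000  # kept modest so the example runs quickly


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 14      # assumed values; a real policy sets its own
    min_classes: int = 3      # of: lower, upper, digit, symbol
    history_depth: int = 5    # the most recent N passwords may not be reused


HistoryEntry = Tuple[bytes, bytes]  # (salt, PBKDF2 digest) stored per user


def character_classes(password: str) -> int:
    """Count how many of the four character classes appear in the password."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(check(c) for c in password) for check in checks)


def hash_for_history(password: str, salt: bytes = None) -> HistoryEntry:
    """Salted PBKDF2 so history entries hold no plaintext and cannot be
    compared with each other to spot users who cycle between two passwords."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def reused_recently(password: str, history: Sequence[HistoryEntry], depth: int) -> bool:
    """Only the last `depth` entries count; older passwords fall out of scope."""
    recent = history[-depth:] if depth > 0 else []
    for salt, digest in recent:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def evaluate(password: str, policy: PasswordPolicy,
             history: Sequence[HistoryEntry] = ()) -> List[str]:
    """Return the list of policy violations; an empty list means accepted."""
    violations = []
    if len(password) < policy.min_length:
        violations.append(f"length {len(password)} is below minimum {policy.min_length}")
    if character_classes(password) < policy.min_classes:
        violations.append(f"fewer than {policy.min_classes} character classes")
    if reused_recently(password, history, policy.history_depth):
        violations.append(f"matches one of the last {policy.history_depth} passwords")
    return violations


# Constructed sample: six previous passwords for one user, oldest first.
SAMPLE_PREVIOUS = [
    "Winter2019!Rotation", "Spring2020!Rotation", "Summer2020!Rotation",
    "Autumn2020!Rotation", "Winter2020!Rotation", "Spring2021!Rotation",
]
SAMPLE_HISTORY = [hash_for_history(p) for p in SAMPLE_PREVIOUS]
POLICY = PasswordPolicy()

if __name__ == "__main__":
    for candidate in ("Summer2021!Rotation", "Spring2021!Rotation",
                      "Winter2019!Rotation", "abc", "alllowercasepassword"):
        print(f"{candidate!r}: {evaluate(candidate, POLICY, SAMPLE_HISTORY) or 'accepted'}")
```

Note the edge case the sample history exposes: with a history depth of 5, the user's sixth-oldest password ("Winter2019!Rotation") is accepted again, and the sample passwords themselves pass the complexity rule while following an obvious seasonal pattern. Length and class counts say nothing about predictability, which is why a policy that only sets those three parameters is a floor, not a guarantee.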
- Provides mandatory requirements describing how an organization will carry out its information security policies
- e.g. the specific configuration settings used for operating systems, the controls put in place for highly sensitive information, etc.
Standards
Provide examples of standards
- Devices must have a secure configuration in place prior to deployment
- Any deviations from defined security configurations must be approved through a change management process and documented. A process must exist to annually review deviations for continued relevance.
- A process must exist to regularly check the configurations of devices and alert the resource custodian of any changes
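The three example standards above describe one control loop: a baseline, documented deviations that went through change management and are reviewed annually, and a recurring check that alerts the custodian on anything else. The following is an added example of that loop written for this card, not code from any organization's tooling; the device name, setting keys, values, dates and change-ticket identifiers (the "CHG-" format) are all constructed.

```python
"""Configuration drift check: compare a device's current settings against the
approved baseline, honour deviations that went through change management, flag
approved deviations whose annual review is overdue, and return the findings the
resource custodian is alerted on.

Added example for the standards listed above, not from any real system. Device
names, setting keys, values and change-ticket IDs ("CHG-...") are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Sequence


@dataclass(frozen=True)
class ApprovedDeviation:
    setting: str
    approved_value: str
    change_ticket: str                                  # hypothetical change-management record
    approved_on: date
    review_interval: timedelta = timedelta(days=365)    # "reviewed annually"

    def review_overdue(self, today: date) -> bool:
        return today >= self.approved_on + self.review_interval


@dataclass(frozen=True)
class Finding:
    device: str
    setting: str
    expected: Optional[str]   # None: the setting is not part of the baseline
    actual: Optional[str]     # None: the setting is missing from the device
    status: str               # "drift" | "approved_deviation" | "review_overdue"


def check_device(device: str, baseline: Dict[str, str], current: Dict[str, str],
                 deviations: Sequence[ApprovedDeviation], today: date) -> List[Finding]:
    """Compare every setting present in either the baseline or the device.
    Settings the baseline does not know about count as drift too: an added
    service is a change, whether or not the baseline anticipated it."""
    approved = {d.setting: d for d in deviations}
    findings: List[Finding] = []
    for key in sorted(set(baseline) | set(current)):
        expected, actual = baseline.get(key), current.get(key)
        if expected == actual:
            continue
        deviation = approved.get(key)
        if deviation is not None and deviation.approved_value == actual:
            status = "review_overdue" if deviation.review_overdue(today) else "approved_deviation"
        else:
            status = "drift"   # unapproved change, or approved for a different value
        findings.append(Finding(device, key, expected, actual, status))
    return findings


def alerts(findings: Sequence[Finding]) -> List[Finding]:
    """What the custodian is alerted on: unapproved drift and lapsed approvals."""
    return [f for f in findings if f.status in ("drift", "review_overdue")]


# Constructed sample data for one device.
BASELINE = {
    "ssh.PermitRootLogin": "no",
    "ssh.PasswordAuthentication": "no",
    "ntp.server": "ntp.example.internal",
    "syslog.remote": "logs.example.internal",
}
CURRENT_FW01 = {
    "ssh.PermitRootLogin": "yes",          # changed, no approval on file
    "ssh.PasswordAuthentication": "yes",   # changed, approved three months ago
    "ntp.server": "ntp.example.internal",  # compliant
    "syslog.remote": "192.0.2.10",         # approved, but the approval is over a year old
    "telnet.enabled": "yes",               # not in the baseline at all
}
DEVIATIONS = [
    ApprovedDeviation("ssh.PasswordAuthentication", "yes", "CHG-0042", date(2024, 3, 1)),
    ApprovedDeviation("syslog.remote", "192.0.2.10", "CHG-0017", date(2023, 1, 15)),
]
TODAY = date(2024, 6, 1)


def run_sample() -> List[Finding]:
    return check_device("fw01", BASELINE, CURRENT_FW01, DEVIATIONS, TODAY)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.device} {f.setting}: expected={f.expected!r} actual={f.actual!r} -> {f.status}")
```

Two design points worth noticing: an approval is tied to a specific value, so a setting that was approved at one value and later changed to another is reported as drift rather than silently inheriting the approval; and an approval that has passed its review date is alerted on exactly like drift, which is what makes the "review annually" clause in the standard enforceable instead of aspirational.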
- Detailed step-by-step processes that individuals and organizations must follow in specific circumstances
- e.g. building new systems, releasing code to the production environment, responding to security incidents, etc.
Procedures
- A common procedure document
- Describes how the organization will perform security monitoring activities, including the possible use of continuous monitoring technology
Monitoring procedures
- A common procedure document
- Describes how the organization will respond to subpoenas, court orders, and other legitimate requests to produce digital evidence
Evidence production procedures
- A common procedure document
- Describes the frequency and process of applying patches to applications and systems under the organization’s care
Patching procedures
- Provides best practices and recommendations related to a given concept, technology, or task
- Not mandatory and offered as helpful advice
Guidelines
What happens when an organization must deviate from a policy?
The policy framework should lay out the specific requirements for receiving an exception and the individual or committee with authority to approve exceptions
Security and privacy rules that affect healthcare providers, health insurers, and health information clearinghouses
The Health Insurance Portability and Accountability Act (HIPAA)
- Provides detailed rules about the storage, processing, and transmission of credit and debit card information
- Not a law but a contractual obligation; it applies to credit card merchants and service providers
The Payment Card Industry Data Security Standard (PCI DSS)
- Covers financial institutions, broadly defined. It requires that those institutions have a formal security program and designate an individual as having overall responsibility for that program.
The Gramm Leach Bliley Act (GLBA)
Applies to the financial records of publicly traded companies and requires that those companies have a strong degree of assurance around the IT systems that store and process those records
The Sarbanes-Oxley (SOX) Act
Requires that educational institutions implement security and privacy controls for student educational records
The Family Educational Rights and Privacy Act (FERPA)
Describes the requirements that individual states place on organizations that suffer data breaches regarding notification of the individuals affected by the breach
Various data breach notification laws
Responsible for developing cyber security standards across the US federal government
The National Institute of Standards and Technology (NIST)
The NIST Cybersecurity Framework (CSF) includes what three components?
- The Framework Core
- The Framework Implementation Tiers
- The Framework Profiles
- NIST Cybersecurity Framework
- A set of five security functions that apply across all industries and sectors: Identify, Protect, Detect, Respond, and Recover (CSF 2.0 adds a sixth, Govern)
- The framework then divides the functions into categories, subcategories, and informative references
The Framework Core
- NIST Cybersecurity Framework
- Assess how an organization is positioned to meet its cybersecurity objectives
- Resemble a maturity model, describing the current and desired positioning of an organization along a continuum of progress (though NIST states that the tiers are not maturity levels)
The Framework Implementation Tiers
- NIST Cybersecurity Framework
- Describes how a specific organization might approach the security functions covered by the framework core
The Framework Profiles
- Once the most commonly used information security standard, but now declining in popularity outside of highly regulated industries that require compliance
- Its Annex A control objectives cover 14 categories (in the 2013 edition; the 2022 revision regroups them into four themes)
ISO/IEC 27001 (International Organization for Standardization)
Is a set of best practices for IT governance developed by the Information Systems Audit and Control Association (ISACA)
The Control Objectives for Information and Related Technologies (COBIT)
COBIT divides Information Technology activities into what four domains?
- Plan and Organize
- Acquire and Implement
- Deliver and Support
- Monitor and Evaluate
COBIT addresses each of the four domains by providing what five framework components?
- COBIT framework
- Process descriptions
- Control objectives
- Management guidelines
- Maturity models
Offers an alternative model for approaching security architecture from a variety of different perspectives that map to architectural layers
The Sherwood Applied Business Security Architecture (SABSA) framework
- SABSA architectural layers
- Contextual security architecture
Business View
- SABSA architectural layers
- Conceptual security architecture
Architect’s View
- SABSA architectural layers
- Logical security architecture
Designer’s View
- SABSA architectural layers
- Physical security architecture
Builder’s View
- SABSA architectural layers
- Component security architecture
Tradesman’s View
- SABSA architectural layers
- Security Service management architecture
Service Manager’s View
Widely adopted approach to enterprise architecture
The Open Group Architecture Framework (TOGAF)
The Open Group Architecture Framework (TOGAF) divides architecture into four domains: what are they?
- Business architecture
- Applications architecture
- Data architecture
- Technical architecture
- One of The Open Group Architecture Framework (TOGAF) domains
- Defines governance and organization, and explains the interaction between enterprise architecture and business strategy
Business architecture
- One of The Open Group Architecture Framework (TOGAF) domains
- Includes the applications and systems that an organization deploys, the interactions between those systems and their relation to business processes
Applications architecture
- One of The Open Group Architecture Framework (TOGAF) domains
- Provides the organization’s approach to storing and managing information assets
Data architecture
- One of The Open Group Architecture Framework (TOGAF) domains
- Describes the infrastructure needed to support the other architectural domains
Technical architecture
Framework that offers a comprehensive approach to IT service management (ITSM) within the modern enterprise
The Information Technology Infrastructure Library (ITIL)
The Information Technology Infrastructure Library (ITIL) covers what five core activities?
- Service strategy
- Service design
- Service transition
- Service operation
- Continual service improvement
Specific measures that fulfill the security objectives of an organization
Security controls
Are security controls that impact the physical world
Physical controls
- Technical controls that enforce confidentiality, integrity, and availability in the digital space
- e.g. firewall rules, access control lists, intrusion prevention systems, and encryption
Logical controls
- Procedural mechanisms that an organization follows to implement sound security management practices
- e.g. user account reviews, employee background investigations, log reviews, and separation of duties policies
Administrative controls
Formal reviews of an organization’s security program or of specific compliance issues, conducted on behalf of a third party
Audits
Less formal reviews of security controls, typically requested by the security organization itself in an effort to engage in process improvement
Assessments