CISSP Domain 1-2 Flashcards
(ISC)² Code of Ethics
Protect society, the common good, necessary public trust and confidence, and the infrastructure.
Act honorably, honestly, justly, responsibly, and legally.
Provide diligent and competent service to principals.
Advance and protect the profession.
Policy
High-level statements that communicate rules and provide direction. Standards, guidelines, procedures, and baselines exist to support policy. Policies must be approved by executive management.
Information security policy
High-level statements on protecting information and information assets, ensuring confidentiality, integrity, and availability (the CIA triad).
Three main types of policies exist:
Organizational (or Master) Policy.
System-specific Policy.
Issue-specific Policy.
Organizational (or Master) Policy.
The master security policy can be thought of as a blueprint for the whole organization’s security program. It is the strategic plan for implementing security in the organization.
System-specific Policy
A System-specific policy is concerned with a specific or individual computer system.
Issue-specific policy
An issue-specific policy is concerned with a certain functional aspect that may require more attention. Examples: Change Management Policy, Physical Security Policy, Email Policy, Encryption Policy, Vulnerability Management Policy, Media Disposal Policy, Data Retention Policy, Acceptable Use Policy, Access Control Policy.
Policy attributes
Endorsed
Relevant
Realistic
Attainable
Adaptable
Enforceable
Inclusive
Policy lifecycle
Develop
Publish
Adopt
Review
Advisory Policy
The job of an advisory policy is to ensure that all employees know the consequences of certain behavior and actions. Here’s an example advisory policy:
Illegal copying: Employees should never download or install any commercial software, shareware, or freeware onto any network drives or disks unless they have written permission from the network administrator. Be prepared to be held accountable for your actions, including the loss of network privileges, written reprimand, probation, or employment termination if the Rules of Appropriate Use are violated.
Informative Policy
This type of policy isn’t designed with enforcement in mind; it is developed for education. Its goal is to inform and enlighten employees. The following is an example informative policy:
In partnership with Human Resources, the employee ombudsman’s job is to serve as an advocate for all employees, providing mediation between employees and management. This job is to help investigate complaints and mediate fair settlements when a third party is requested.
Regulatory Policy
These policies are used to make certain that the organization complies with local, state, and federal laws. An example regulatory policy might state:
Because of recent changes to Texas State law, The Company will now retain records of employee inventions and patents for 10 years; all email messages and any backup of such email associated with patents and inventions will be stored for one year.
Standards
Standards are much more specific than policies. Standards are tactical documents because they lay out specific steps or processes required to meet a certain requirement. As an example, a standard might set a mandatory requirement that all email communication be encrypted. So although it does specify a certain standard, it doesn’t spell out how it is to be done. That is left for the procedure.
baseline
A baseline is a minimum level of security that a system, network, or device must adhere to. Baselines are usually mapped to industry standards. As an example, an organization might specify that all computer systems comply with a minimum Trusted Computer System Evaluation Criteria (TCSEC) C2 standard. TCSEC standards are discussed in detail in Chapter 5, “System Architecture and Models.”
guideline
Guidelines are practical instructions and recommendations targeting all levels of staff in the organization. They serve as operational guides on how to apply and enforce the standards and baselines.
Appendix A: Password Construction Guidelines
Acceptable Methods to Create a Strong Password
Use a minimum of 10 characters. Generally, the more characters you use, the harder a password is to crack or guess.
Choose a password that is easy for you to remember but would be hard for another to guess. One useful approach is to use a sentence or saying to create a “passphrase” by using the first letters, capitalization, and special characters as substitutes. For example, “One ring to rule them all, one ring to bind them” may be used to create a passphrase like “1R2rtAor2Bt” that can be used as a very strong password.
Passwords must include at least three of the four following types of characters:
English uppercase letters (A through Z).
English lower case letters (a through z).
Numbers (0 through 9).
Special characters and punctuation symbols (examples: _ - + = ! @ % * & " : . /).
Do not use the following characters: \ ~ <
Do not use a space or tab.
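As an added example (not part of the original flashcards or the guideline they quote), the following Python checker enforces the Appendix A rules exactly as written above: the 10-character minimum, at least three of the four character classes, the three forbidden characters, and no space or tab. It assumes that any ASCII punctuation counts as a "special character", since the guideline only lists examples; the sample passwords are constructed for illustration, except for the guideline's own passphrase "1R2rtAor2Bt".

```python
"""Checker for the Appendix A password construction rules (added example)."""
import string

MIN_LENGTH = 10                   # "Use a minimum of 10 characters"
FORBIDDEN = frozenset("\\~<")     # "Do not use the following characters: \ ~ <"
WHITESPACE = frozenset(" \t")     # "Do not use a space or tab"
REQUIRED_CLASSES = 3              # "at least three of the four following types"


def character_classes(password: str) -> set:
    """Return which of the four character classes appear in the password.

    Assumption (not stated on the page): any ASCII punctuation counts as a
    special character, not only the examples the guideline lists.
    """
    classes = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.digits:
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("special")
    return classes


def check_password(password: str) -> list:
    """Return a list of rule violations; an empty list means the password complies."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"too short: {len(password)} < {MIN_LENGTH} characters")
    bad = sorted(FORBIDDEN & set(password))
    if bad:
        problems.append("forbidden character(s): " + " ".join(bad))
    if WHITESPACE & set(password):
        problems.append("contains a space or tab")
    classes = character_classes(password)
    if len(classes) < REQUIRED_CLASSES:
        problems.append(
            f"only {len(classes)} of 4 character classes used "
            f"({', '.join(sorted(classes)) or 'none'}); need {REQUIRED_CLASSES}"
        )
    return problems


def is_compliant(password: str) -> bool:
    """True when check_password() reports no violations."""
    return not check_password(password)


# Constructed sample inputs: the guideline's own passphrase example plus
# one password per rule it can break.
SAMPLES = [
    "1R2rtAor2Bt",           # guideline's example: upper + lower + digit, 11 chars
    "Passw0rd!",             # 9 characters: too short (all four classes present)
    "password12345",         # only lower + digit: two classes
    "Pass word123!",         # contains a space
    "Pa55word<script>",      # contains forbidden '<'
    "correct-horse-Battery", # lower + upper + special: three classes, no digit
]

if __name__ == "__main__":
    for pw in SAMPLES:
        issues = check_password(pw)
        print(f"{pw!r:24} -> {'OK' if not issues else '; '.join(issues)}")
```

The checker reports every violated rule rather than stopping at the first, which is what a user-facing password form needs. Note that these composition rules are the policy being taught here; current NIST SP 800-63B guidance favors length and screening against lists of known-breached passwords over mandatory character-class rules, so treat the class count as the flashcard's requirement, not a general recommendation.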