Finals Lesson 2 Part 2 Flashcards
A mature security program will require the following policies and procedures:
- Acceptable Use Policy (AUP)
- Access Control Policy (ACP)
- Change Management Policy
- Information Security Policy
- Incident Response (IR) Policy
- Remote Access Policy
- Email/Communication Policy
- Disaster Recovery Policy
- Business Continuity Plan (BCP)
An ____ stipulates the constraints and practices that an employee using organizational IT assets must agree to in order to access to the corporate network or the internet.
Acceptable Use Policy (AUP)
It is standard on boarding policy for new employees. They are given this to read and sign before being granted a network ID. It is recommended that and organizations IT, security, legal and HR departments discuss what is included in this policy. An example that is available for fair use can be found at SANS.
Acceptable Use Policy (AUP)
The _____ outlines the access available to employees in regards to an organization’s data and information systems. Some topics that are typically included in the policy are access control standards such as NIST’s Access Control and Implementation Guides.
Access Control Policy (ACP)
Other items covered in this policy are standards for user access, network access controls, operating system software controls and the complexity of corporate passwords. Additional supplementary items often outlined include methods for monitoring how corporate systems are accessed and used; how unattended workstations should be secured; and how access is removed when an employee leaves the organization. An excellent example of this policy is available at IAPP.
Access Control Policy (ACP)
It refers to a formal process for making changes to IT, software development and security services/operations.
Change Management Policy
The goal of a _______ is to increase the awareness and understanding of proposed changes across an organization, and to ensure that all changes are conducted methodically to minimize any adverse impact on services and customers. A good example of an IT change management policy available for fair use is at SANS.
Change Management Policy; change management program
An organization’s ________ are typically high-level policies that can cover a large number of security controls. The primary information security policy is issued by the company to ensure that all employees who use information technology assets within the breadth of the organization, or its networks, comply with its stated rules and guidelines.
Information Security Policy
This policy is designed for employees to recognize that there are rules that they will be held accountable to with regard to the sensitivity of the corporate information and IT assets.
Information Security Policy
The_______ is an organized approach to how the company will manage an incident and remediate the impact to operations. It’s the one policy CISOs hope to never have to use.
Incident Response (IR) Policy
The goal of this policy is to describe the process of handling an incident with respect to limiting the damage to business operations, customers and reducing recovery time and costs.
Incident Response (IR) Policy
The _____ is a document which outlines and defines acceptable methods of remotely connecting to an organization’s internal networks. I have also seen this policy include addendums with rules for the use of BYOD assets.
Remote Access Policy
This policy is a requirement for organizations that have dispersed networks with the ability to extend into insecure network locations, such as the local coffee house or unmanaged home networks. An example of this is available at SANS.
Remote Access Policy
A company’s ______ is a document that is used to formally outline how employees can use the business’ chosen electronic communication medium. I have seen this policy cover email, blogs, social media and chat technologies.
Email/Communication Policy;
email policy
The primary goal of this policy is to provide guidelines to employees on what is considered the acceptable and unacceptable use of any corporate communication technology. An example of this is available at SANS.
Email/Communication Policy
An organization’s _______ will generally include both cybersecurity and IT teams’ input and will be developed as part of the larger business continuity plan. The CISO and teams will manage an incident through the incident response policy. If the event has a significant business impact, the Business Continuity Plan will be activated. An example of a disaster recovery policy is available at SANS.
Disaster Recovery Policy;
disaster recovery plan
The _______ will coordinate efforts across the organization and will use the disaster recovery plan to restore hardware, applications and data deemed essential for business continuity. They are unique to each business because they describe how the organization will operate in an emergency.
Business Continuity Plan (BCP)
Only individuals with authorization can should access data and information assets
Confidentiality
Data should be intact, accurate and complete, and IT systems must be kept operational
Integrity
Users should be able to access information or systems when needed
Availability
A senior manager may have the authority to decide what data can be shared and with whom. The security policy may have different terms for a senior manager vs. a junior employee. The policy should outline the level of authority over data and IT systems for each organizational role.
Hierarchical pattern
Users are only able to access company networks and servers via unique logins that demand authentication, including passwords, biometrics, ID cards, or tokens. You should monitor all systems and record all login attempts.
Network security policy
Data classification
The policy should classify data into categories, which may include:
top secret
secret
confidential
public
Systems that store personal data, or other sensitive data, must be protected according to organizational standards, best practices, industry compliance standards and relevant regulations. Most security standards require, at a minimum, encryption, a firewall, and anti- malware protection.
Data protection regulations
True or False:
Your objective in classifying data is:
* To ensure that sensitive data cannot be accessed by individuals with
lower clearance levels.
* To protect highly important data, and avoid needless security measures for unimportant data.
True
Encrypt data backup according to industry best practices. Securely store backup media, or move backup to secure cloud storage.
Data backup
Only transfer data via secure protocols. Encrypt any information copied to portable devices or transmitted across a public network.
Movement of data
Place a special emphasis on the dangers of social engineering attacks (such as phishing emails). Make employees responsible for noticing, preventing and reporting such attacks.
Social engineering
Secure laptops with a cable lock. Shred documents that are no longer needed. Keep printer areas clean so documents do not fall into the wrong hands.
Clean desk policy
Define how the Internet should be restricted. Do you allow YouTube, social media websites, etc.? Block unwanted websites using a proxy.
Acceptable Internet usage policy
Practices for Drafting Information Security Policies:
- can make or break your security program. Poor information and data classification may leave your systems open to attacks. Additionally, lack of inefficient management of resources might incur overhead expenses. A clear classification policy helps organizations take control of the distribution of their security assets.
Information and data classification
Practices for Drafting Information Security Policies:
- should work together to meet compliance and security requirements. Lack of cooperation between departments may lead to configuration errors. Teams that work together can coordinate risk assessment and identification through all departments to reduce risks.
IT operations and administration
Practices for Drafting Information Security Policies:
- helps initiate appropriate remediation actions during security incidents. A security incident strategy provides a guideline, which includes initial threat response, priorities identification, and appropriate fixes.
Security incident response plan
Practices for Drafting Information Security Policies:
- provides the organization with clear cloud and SaaS adoption guidelines, which can provide the foundation for a unified cloud ecosystem. This policy can help mitigate ineffective complications and poor use of cloud resources.
SaaS and cloud policy
Practices for Drafting Information Security Policies:
- helps prevent data breaches that occur through misuse of company resources. Transparent AUPs help keep all personnel in line with the proper use of company technology resources.
Acceptable use policies (AUPs)
Practices for Drafting Information Security Policies:
- let IT administrators authorize systems and applications to the right individuals and let employees know how to use and create passwords in a secure way. A simple password policy can reduce identity and access risks.
Identity and access management (IAM) regulations
Practices for Drafting Information Security Policies:
- outlines the technical operations of the organization and acceptable use standards in accordance with the Payment Card Industry Data Security Standard (PCI DSS) compliance.
Data security policy
Practices for Drafting Information Security Policies:
- government enforced regulations such as the General Data Protection Regulation (GDPR) protect the privacy of end users. Organizations that don’t protect the privacy of their users risk losing their authority and may be fined.
Privacy regulations
Practices for Drafting Information Security Policies:
- nowadays most organizations have moved to the cloud. Companies that encourage employees to access company software assets from any location, risk introducing vulnerabilities through personal devices such as laptops and smartphones. Creating a policy for proper security of personal devices can help prevent exposure to threats via employee-owned assets.
Personal and mobile devices
