Implementing Compliance 7 Flashcards

0
Q

Name some of the physical security control types.

A

Locks to prevent unauthorized access
Logging of visitor access at all entrances open to the general public
Identification systems such as security cards and proximity readers
Video surveillance from CCTV cameras
Security guards
Signs such as "No Trespassing"
Bonded personnel, such as cleaning services, to protect the organization from financial exposure
Mantrap (deadman) doors: a system with a door at each end of a secure chamber; the outer door must be closed before the inner door is opened
Physical barriers such as fencing and barricades; secure resources should not have windows or be visible from the outside
Alarms
Motion detection placed at checkpoints
Protected distribution: hardening cables by running them through metallic tubing and adding alarms to detect tampering

1
Q

What are physical security controls?

A

Security measures that restrict, detect, and monitor access to specific areas or assets.
They can control access to buildings, equipment, server rooms, data centers, etc.

2
Q

Name some environmental exposures that must be considered when evaluating the security of a building.

A

Power fluctuations and failures
Water damage and flooding
Fires
Structural damage leading to unauthorized access

3
Q

Name some environmental controls that can be implemented to help control a facility's physical environment.

A

Heating, ventilation, and air conditioning (HVAC) system. Monitor it for proper operation
Hot and cold aisles. Control the temperature and humidity within data centers and computer rooms
EMI shielding. Prevents electromagnetic transfer from cables and devices by creating a protective barrier of conductive material
Alarm control panel. Should be protected and secured from exposure
Fire prevention. Annual inspections, installing fireproof walls, using fireproof office materials
Fire detection. The fire detection system should be connected to a central reporting station
Fire suppression. Extinguishers and special gases

4
Q

Why is environmental monitoring done?

A

Regular monitoring is important to properly secure and prevent damage to resources.
Conditions that can threaten security should be monitored regularly

5
Q

Why is safety important?

A

It affects both personnel and property
Deter intruders with fencing and CCTV
Protect employees with locks and proper lighting at night
Formulate an escape plan or route and perform drills
Test your controls to verify they are up to standard

6
Q

Describe compliance.

A

The practice of ensuring that the requirements of legislation, regulations, industry codes and standards, and organizational standards are met.
Review pertinent law and regulatory documentation
Review policies and other legal documents

7
Q

Explain legal requirements.

A

Organizations must consider their overall legal obligations
Work with civil authorities when an incident occurs
Comply with other departmental policies
Observe legal limitations and civil rights
Consider legal issues for different groups

8
Q

Which generally accepted forensic practices must be observed when investigating security incidents?

A

Evidence collection. Follow correct procedures for collecting evidence

Evidence preservation. The company must properly preserve all gathered evidence for a lengthy period of time

Chain of custody. Maintain a complete inventory that shows who handled specific items and where they have been stored

Jurisdiction. Who has the right to investigate and prosecute an information technology criminal case

9
Q

What is security policy awareness?

A

Ensures all users comply with the guidelines.
The security policy should be accessible.
Users are trained through regular training sessions and security policy documentation.

10
Q

What is role-based training?

A

Training based on job roles and organizational responsibilities.

11
Q

Describe personally identifiable information.

A

Information used to identify, contact, or locate an individual. It can include full name, fingerprints, license plate number, phone numbers, street address, driver's license number, etc.

12
Q

Describe classification of information.

A

Depends on the type of business and how data is stored.
Classified as hard or soft.
Hard is concrete information. Soft is ideas, thoughts, and views.
The level indicates sensitivity, for example:
High/medium/low
Restricted/private/public
Confidential/restricted/public

Classification levels
Corporate confidential. Not provided to individuals outside of the enterprise
Personal and confidential. Personal info that needs to be protected
Private. Correspondence should be protected
Trade secret. Corporate intellectual property such as patents and processes
Client confidential. Client personal info protected.

13
Q

List the three important components that ensure proper employee security education.

A

Awareness. Of potential threats to security and of an employee's role in protecting assets and resources

Communication. Remains open between employees and security professionals

Education. Train employees in security procedures, practices, and expectations

14
Q

Describe user security responsibilities.

A

Physical security. No ID, no entrance to the building. No tailgating. Access the building for job purposes only. Follow clean desk policies to secure documents

System security. Use IDs and passwords properly and comply with requirements. Confidential files are backed up and secured

Device security. Use correct procedures to log off all systems. Wireless communications must be approved. Portable devices are secured and stored when not in use

Social networking security. Users are aware of threats that target social networking. Follow security guidelines for social websites

15
Q

Describe validation of effective training.

A

Ensure compliance
Increase overall security of the organization
Identify which components have the greatest impact
Establish metrics: measure the impact or behavioral changes due to training, compliance tracking, and risk assessments

16
Q

What is a business partner?

A

A commercial entity that has a relationship with another separate entity
Can be a supplier, customer, agent, reseller, or vendor of similar products or services
Partnerships may be formal or informal
Goes through on-boarding and off-boarding
On-boarding acclimates business partners to the security practices they are expected to follow
At the end of the partnership, establish an off-boarding process in which both parties agree to terminate any integration

17
Q

Describe the security risks of social media networks and applications.

A

They present risks to an organization's security
Sensitive information that is posted spreads quickly
Social engineering is a concern
Adequately train administrators
Privacy considerations apply as you try to keep sensitive information from being leaked

18
Q

Describe interoperability agreements.

A

SLA. Service level agreement. Defines what services are to be provided to the client and what support will be provided

BPA. Business partner agreement. Defines how a partnership between business entities will be conducted and what is expected of each entity

MOU. Memorandum of understanding. Not legally binding; no exchange of money. Concerns achieving the same goal in the agreed-upon manner. Not the most secure agreement

ISA. Interconnection security agreement. Ensures that the use of inter-organizational technology meets a certain security standard. Legally binding. Supports an MOU

19
Q

What is risk awareness?

A

Involves being consistently informed about the details of day-to-day interoperability. Keeps employees on the lookout for risks in their own departments
Establishes preparation for risk management

20
Q

Describe data sharing and backups with business partners.

A

Partners are not given total access to independently owned data
Define who owns the data
Implement access control
Define what constitutes unauthorized sharing
Consider legal ramifications
Control how shared data is backed up