Information Security Governance Flashcards
Is a guideline discretionary or mandatory?
A guideline is discretionary.
Is a policy discretionary or mandatory?
A policy is mandatory.
All policies should contain what basic components?
Purpose.
Scope.
Responsibilities.
Compliance.
What is the purpose of a policy?
The need for the policy, typically to protect the confidentiality, integrity, and availability of protected data.
What is the scope of a policy?
The scope describes what systems, people, facilities, and organizations are included in the policy. To avoid confusion, any related entities not in scope should be documented.
What are the responsibilities of a policy?
Responsibilities include those of the information security staff, the policy and management teams, and all members of the organization.
What is compliance in terms of being one of the basic components of a policy?
Compliance describes two related issues: how to judge the effectiveness of the policies (how well they are working), and what happens when policy is violated (the sanction). All policy must have “teeth”: a policy that forbids accessing explicit content on the Internet is not useful if there are no consequences for doing so.
Are procedures mandatory or discretionary?
Procedures are mandatory.
What is a procedure?
A procedure is a step-by-step guide for accomplishing a task.
Are standards mandatory or discretionary?
Standards are mandatory.
Why are standards important and necessary?
Standards lower the Total Cost of Ownership of a safeguard. Standards also support disaster recovery.
Are guidelines mandatory or discretionary?
Guidelines are discretionary.
What is a guideline and what is an example?
A guideline is a recommendation or advice. An example of a guideline is “to create a strong password, take the first letter of each word in a sentence, and mix in some numbers and symbols.”
What is a baseline?
Baselines are uniform ways of implementing a standard. “Harden the system by applying the Center for Internet Security Linux benchmarks” is an example of a baseline. The system must meet the baseline described by those benchmarks.
Besides technical risks, what else can pose the biggest risk to an organization?
People can pose the biggest risk to an organization.
What are ways to mitigate the risk users pose to an organization?
Background checks should be performed, contractors need to be securely managed, and users must be properly trained and made aware of security risks. Controls such as Non-Disclosure Agreements and related employment agreements are a recommended personnel security control.
What is the difference between security awareness and training?
Security awareness modifies the behavior of users while training provides a skill set.
What is an example of awareness?
Reminding users never to share accounts or write their passwords down.
What types of checks should be done against an individual before hiring them?
A criminal records check should be conducted, as well as verification of employment history, education, and certifications. Lying or exaggerating about education, certifications, and related credentials is one of the most common examples of dishonesty in the hiring process. More thorough background checks should be done for roles with heightened privileges, such as access to money or classified information. These checks can include a financial investigation, a more thorough criminal records check, and interviews with friends, neighbors, and current and former coworkers.
What should be done immediately when an employee is terminated?
Termination should result in immediate revocation of all employee access.
What does a fair termination process look like?
A progressive discipline process includes:
- Coaching
- Formal discussion
- Verbal warning meeting, with Human Resources attendance (perhaps multiple warnings)
- Written warning meeting, with Human Resources attendance (perhaps multiple warnings)
- Termination
Why is it important to consider how a vendor with access to multiple organizations’ systems manages access?
Many vendors will re-use the same credentials across multiple sites, manually synchronizing passwords. This increases the risk of stolen, guessed, or cracked credentials being reused to access the organization.