Managing Cyber Security- Part I- Applying COSO Flashcards
What are the Generally Accepted Privacy Principles?
1) Management- Entity defines, documents, communicates, and assigns accountability for its privacy policies and procedures
2) Notice- The entity tells people about its privacy policies and procedures and explains why information is collected, used, and retained
3) Choice and consent- The entity explains the choices available to individuals and obtains consent; in the US the default is opt-out of collection of personal information (in the EU it is opt-in)
4) Collection- Collect personal information only for identified purposes
5) Use and retention- Uses personal information only in ways consistent with its stated purposes. Retains it only as long as needed to fulfill those purposes or as required by law or regulation
6) Access- People can access, review, and update their information
7) Disclosure to third parties- Third parties receive information according to policy and individual consent
8) Security for privacy- Protect personal information against unauthorized access (both logical and physical)
9) Quality- Personal information is accurate, complete, and relevant
10) Monitoring and enforcement- Someone monitors the entity's compliance with its privacy policies and procedures, and there are procedures to address privacy-related complaints and disputes
What are the categories of criteria for assessing achievement of IT security?
1) Organization and management- Organizational structures and processes for managing and supporting people, including criteria for accountability, integrity, ethical values, and qualifications of personnel, and the operating conditions in which they function
2) Communications- Communication of policies, processes, procedures, commitments, and requirements
3) Risk management and design and implementation of controls- Identifying and assessing risks, and designing and implementing controls that address them
4) Monitoring of controls - including suitability, and design and operating effectiveness of controls, and actions to address identified deficiencies
5) Logical and physical access controls
6) System operations- Management of execution of system procedures including detecting and mitigating processing deviations
7) Change management- identification of needed changes, management of changes, and prevention of unauthorized changes.
What is the time-based model of controls?
Given enough time and resources, preventive controls will eventually be broken or circumvented.
Detection and correction must therefore be timely.
Evaluates the effectiveness of an organization's security by measuring and comparing the three categories of controls: P, the time an attacker needs to defeat the preventive controls; D, the time needed to detect the attack; and C, the time needed to respond and correct it. Security is effective when P > D + C.
Defense-in-depth- multiple, overlapping layers of controls, so that if one layer fails another still protects the asset
- e.g., a combination of firewalls, passwords, and preventive procedures