Network Policies (3.2) Flashcards
IT Governance
o Used to provide a comprehensive security management framework for the organization
▪ Policies
▪ Standards
▪ Baselines
▪ Guidelines
▪ Procedures
Policy
o Defines the role of security inside of an organization and establishes the desired end state for that security program
▪ Organizational
▪ System-specific
▪ Issue-specific
Organizational
o Provides a framework to meet the business goals and defines the roles, responsibilities, and terms associated with it
System-specific
o Addresses the security of a specific technology, application, network, or computer system
Issue-specific
o Addresses a specific security issue such as email privacy, employee termination procedures, or other specific issues
Standard
o Implements a policy in an organization
Baseline
o Creates a reference point in network architecture and design
Guideline
o Recommended action that allows for exceptions and allowances in unique situations
Procedure
o Detailed step-by-step instructions created to ensure personnel can perform a given task or series of actions
Change Management
▪ Structured way of changing the state of a computer system, network, or IT procedure
▪ Make sure the risks are considered prior to implementing a system or network change
● Planned
● Approved
● Documented
Incident Response Plan
▪ Contains instructions to help network and system administrators detect, respond to, and recover from network security incidents
● Preparation
● Identification
● Containment
● Eradication
● Recovery
● Lessons learned
Disaster Recovery Plan
▪ Documents how an organization can quickly resume work after an unplanned incident
Business Continuity Plan
o Outlines how a business will continue operating during an unplanned disruption in service
o A disaster recovery plan will be referenced from a business continuity plan
System Life Cycle Plan
o Describes the approach to maintaining an asset from creation to disposal
Planning
o Involves the planning and requirement analysis for a given system, including architecture outlining and risk identification
Design
o Outlines the new system, including possible interconnections, technologies to use, and how it should be implemented
Transition
o Actual implementation, which could involve coding new software, installing the systems, and network cabling and configuration
Operations
o Includes the daily running of the assets, as well as updating, patching, and fixing any issues that may occur
Retirement
o End of the life cycle; occurs when the system or network no longer has any useful life remaining in it
Standard Operating Procedure
▪ A set of step-by-step instructions compiled by an organization to help its employees carry out routine operations
Password Policy
▪ A set of rules created to improve computer security by motivating users to create and properly store secure passwords
Acceptable Use Policy (AUP)
▪ A set of rules that restricts the ways in which a network resource may be used and sets guidelines on how it should be used
Bring Your Own Device (BYOD) Policy
▪ Allows employees to access enterprise networks and systems using their personal mobile devices
▪ Create a segmented network for BYOD devices to connect to
Remote Access Policy
▪ A document that outlines and defines acceptable methods of remotely connecting to the internal network
Onboarding Policy
▪ A documented policy that describes all the requirements for integrating a new hire into the company and its culture
Offboarding Policy
▪ A documented policy that covers all the steps to successfully part ways with an employee who is leaving the company
Security Policy
▪ A document that outlines how to protect the organization’s systems, networks, and data from threats
Data Loss Prevention Policy
▪ A document defining how organizations can share and protect data
▪ A data loss prevention policy minimizes accidental or malicious data loss
▪ Set proper thresholds for your DLP policy
Non-Disclosure Agreement (NDA)
▪ Defines what data is confidential and cannot be shared outside of that relationship
▪ A non-disclosure agreement is an administrative control; the penalties for breaking it can include
● Fines
● Forfeiture of rights
● Jail time
Memorandum of Understanding (MOU)
▪ Non-binding agreement between two or more organizations to detail what common actions they intend to take
▪ Often referred to as a letter of intent
▪ Usually used internally between two business units
Service-Level Agreement (SLA)
▪ Documents the quality, availability, and responsibilities agreed upon by a service provider and a client