Organizational Security Policies Flashcards
What is an AUP? (acceptable use policy)
What is acceptable use of company assets?
This is a wide reaching document that covers many topics, used by an organization to limit legal liability. If someone is dismissed these are well documented reasons why.
What is a job rotation?
This is where you would have people rotate through jobs and never stay in a job for too long of a time. No one person maintains control for long periods of time.
Less of a chance for someone to take advantage of a particular security issue.
What are mandatory vacations?
This is that requires people to leave their job and go on vacation for a certain amount of time.
This is an opportunity for the person who takes over to make sure everything is running as expected and to limit the capability for any type of fraud.
What is separation of duties?
Split-knowledge is one type of separation of duties. This is when no one person has all of the details. Like two people having half of a safe combination.
Another very similar one is dual control. This is when two people have to be there in person to open a safe. This one is more focused on being There physically rather than knowledge.
What is a clean desk policy?
This is a policy that requires that, when you get up and leave your desk, nothing is on your desk.
This is to limit the exposure of sensitive data.
What is an SLA? (service level agreement)
These set up minimum terms for services provided.
Uptime, response time agreement, etc.
Commonly used between customers and service providers.
What is a MOU? (memorandum of understanding)
A memo sent between two parties so they understand what the requirements might be for a particular business process.
This is for agreements that don’t need a full blown contract.
Both sides agree on the contents of the memorandum.
Usually includes statements of confidentiality.
Informal letter of intent, not a contract.
What is an MSA? (measurement system analysis)
This allows a company to evaluate the quality of their measurement systems.
You don’t want to make decisions based on incorrect data.
This is used with quality management systems to make sure all of your business data is being correctly.
What is a BPA? (business partnership agreement)
This is used when two parties want to go into business together.
This provides details about what the owner stake might be, contractual agreements about the finances, who gets to make decisions, and how to prepare for contingencies.
What is data governance?
This is the rules processes and accountability associated with an organization’s data and making sure it is used in the right ways.
Who is a data steward?
Person in charge of data governance.
This is the person who is responsible for data privacy, for making sure the data is accurate, and ensuring that all of the data is kept secure.
This is also the person who decides what type of sensitivity label is going to be associated with this data. They need to categorize data into categories such as “personal” “public” “restricted” etc.
Then they need to apply the proper rules and procedures for that type of data.
This falls in line with compliance, if the data is private or something that could be considered personal to an individual than you may need to take special precautions with it.
What is data retention and the reasons for it?
Data retention can be useful for a number of things.
Keeping backups for 30 days for example in case of a virus infection.
Keeping files that change frequently for version control.
Often there are legal requirements for retention. Email storage may be required over years. Some industries must legally store certain data types such as corporate tax information, customer PII, tape backups, etc.
What is a change management policy?
This is a policy the defines how and when changes will be made in a network infrastructure from updates, changes to firewall configurations, modifying switch ports, etc.
Such as frequency, duration, installation process, fallback procedures, etc.
What is change control?
This is a formal process for managing changes in your infrastructure.
This is useful for avoiding downtime, confusing, and mistakes.
Most important part here is to have a blackout plan if the change doesn’t work.
Once we make these changes we need to document the changes.
What is asset management?
This is a way of identifying and tracking computing assets.
Where are they, who do they belong to, what are they, etc.
Usually an automated process.
It allows you to respond faster to a security problem because you have a much better understanding of everything, and keep an eye on the most valuable assets, as well as keep everything updated.
