Policies and Procedures Flashcards
Policies
Defines the role of security in an organisation and establishes the desired end state of the security program
They may be regulatory, advisory or informative.
Organisational Policies
Provide general direction and goals, a framework to meet business goals, and define the roles, responsibilities and terms.
System-Specific Policies
Address the security of a specific technology, application, network or computer system
Issue-Specific Policies
Built to address a specific security issue, such as email privacy, employee termination, procedures, or other specific issues.
Standards
Standards are used to implement a policy in an organisation.
E.g.: Mandatory actions, steps or rules to achieve a level of security.
Baselines
Baselines are created as reference points which are documented for use as a method of comparison during an analysis conducted in the future.
E.g.: A server baseline configuration.
Guidelines
Guidelines are used to recommend actions. They guide actions but can be deviated from as the situation necessitates.
E.g.: All employees get 1TB of storage for personal files on the local network.
Procedures
Detailed step-by-step instructions that are created to ensure personnel can perform a given action.
E.g.: Creating a new user.
Sensitive Data
Any information that can result in a loss of security, or a loss of advantage to a company if used by an unauthorized individual.
What are the four common “Commercial Data Classifications”?
- Public (No impact to a company if released)
- Sensitive (Might have a minimal impact if released)
- Private (Data that should only be used in the organisation)
- Confidential (Trade secrets, IP, source code and other types of data that would affect the business if disclosed).
What are the five common “Government Data Classifications”?
Unclassified
Sensitive but Unclassified
Confidential
Secret
Top Secret
What are the five common “Government Data Classifications”?
Unclassified (Can be released to the public)
Sensitive but Unclassified (Items that wouldn’t hurt national security, but could impact those whose data is contained in it)
Confidential (Disclosure would seriously affect the government)
Secret (Serious damage to national security)
Top Secret (Gravely damage national security if known to those who are not authorized to see the data)
Data Owner
A senior or executive role that has ultimate responsibility for the CIA of the asset.
The data owner is responsible for labelling the asset and ensuring that it is protected with appropriate controls.
Data Steward
A role focused on the quality of the data and its associated metadata.
Data Custodian
A role responsible for handling the management of the system on which the data assets are stored. (E.g.: a system administrator)
Privacy Officer
A role responsible for the oversight of any PII/SPI/PHI assets managed by the company
What is PII?
Personally Identifiable Information
A piece of data that can be used either by itself or in combination with some other data to identify a single person.
For example: your full name, date of birth, or social media user names.
Federal Privacy Act of 1974
Affects U.S. government computer systems that collect, store, use or disseminate personally identifiable information.
What does HIPAA stand for and who does this standard affect?
Health Insurance Portability and Accountability Act
US standard that affects healthcare providers, facilities, insurance companies, and medical data clearinghouses.
Who does the Sarbanes-Oxley standard affect?
Publicly traded U.S. corporations. Sarbanes-Oxley (SOX) requires certain accounting methods and financial reporting requirements.
What does GLBA stand for and who does this standard affect?
Gramm-Leach-Bliley Act
Affects banks, mortgage companies, loan offices, insurance companies, investment companies and credit card providers.
What is FISMA?
FISMA is the Federal Information Security Management Act of 2002.
It is a requirement that American federal agencies must comply with.
This act requires each agency to develop, document, and implement an agency-wide information systems security program to protect its data.
What is PCI DSS?
PCI DSS is the Payment Card Industry Data Security Standard.
PCI DSS is a contractual obligation that any organisation that takes credit card transactions must meet.
What is SB1386?
SB1386 is a Californian regulation that states organisations must inform users of a data breach.
What is the difference between “privacy” and “security”?
Security focuses on the CIA attributes of the data processing system.
Privacy is a data governance requirement that arises when collecting and processing personal data, to ensure the rights of the data subject.
What is GDPR?
GDPR is the General Data Protection Regulation.
It’s an EU standard that states data cannot be collected, processed, or retained without the individual’s informed consent.
What is deidentification (data privacy)?
The removal of identifying information from data before it is distributed.
What is data masking (data privacy)?
A deidentification method where generic or placeholder labels are substituted for real data while preserving the structure of original data.
E.g.:
Card Number: ** ** ** ** ** 5412
What is Tokenization (data privacy)?
A deidentification method where a unique token is substituted for real data.
E.g.: A patient ID in place of a patient's name.
What is Aggregation/Banding (data privacy)?
A deidentification technique where data is generalised to protect the individuals involved.
E.g.: 90% of clinical trial participants tested positive
What is reidentification?
An attack that combines a deidentified dataset with other data sources to discover how secure the deidentification method used is.
What is “separation of duties”?
Separation of duties is a preventative type of administrative control that prevents fraud and abuse by distributing approval tasks among users.
What is job rotation?
Job rotation is where different users are trained to perform the tasks of the same position to help prevent fraud that could occur if only one employee had that job.
What is security awareness training?
Used to reinforce to users the importance of their help in securing the organisation’s valuable resources.
All employees should attend security awareness training at least once a year. The training should be aimed at a particular group within an organisation and include a discussion of company policies.
Studies have shown this is by far the best investment a company can make in terms of security.
What is security training?
Used to teach the organisation's personnel the skills they need to perform their job in a more secure manner.
What is security education?
Security education is generalised training, like Security+.