Policies and Procedures

Question 1

Policies

Answer 1

Defines the role of security in an organisation and establishes the desired end state of the security program

They may be regulatory, advisory or informative.

Question 2

Organisational Policies

Answer 2

Provide general direction and goals, a framework to meet business goals, and define the roles, responsibilities and terms.

Question 3

System-Specific Policies

Answer 3

Address the security of a specific technology, application, network or computer system

Question 4

Issue-Specific Policies

Answer 4

Built to address a specific security issue, such as email privacy, employee termination, procedures, or other specific issues.

Question 5

Standards

Answer 5

Standards are used to implement a policy in an organisation.

E.g.: Mandatory actions, steps or rules to achieve a level of security.

Question 6

Baselines

Answer 6

Baselines are created as reference points which are documented for use a method of comparison during an analysis conducted in the future.

E.g.: A server baseline configuration.

Question 7

Guidelines

Answer 7

Guidelines are used to recommend actions. Guiding actions that can be broken as the situation necessitates.

E.g.: All employees get 1TB of storage for personal files on the local network.

Question 8

Procedures

Answer 8

Detailed step-by-step instructions that are created to ensure personnel can perform a given action.

E.g.: Creating a new user.

Question 9

Sensitive Data

Answer 9

Any information that can result in a loss of security, or a loss of advantage to a company if used by an unauthorized individual.

Question 10

What are the four common “Commercial Data Classifications”?

Answer 10

• Public (No impact to a company if released)
• Sensitive (Might have a minimal impact if released)
• Private (Data that should only be used in the organisation)
• Confidential (Trade secrets, IP, source code and other types of data that would affect the business if disclosed).

Question 11

What are the five common “Government Data Classifications”?

Answer 11

Unclassified

Sensitive but Unclassified

Confidential

Secret

Top Secret

Question 12

What are the five common “Government Data Classifications”?

Answer 12

Unclassified (Can be released to the public)

Sensitive but Unclassified (Items that wouldn’t hurt national security, but could impact those whose data is contained in it)

Confidential (Seriously affect the government on disclosure,

Secret (Serious damage to national security)

Top Secret (Gravely damage national security if known to those who are not authorized to see the data)

Question 13

Data Owner

Answer 13

A senior or executive role that has ultimate responsibility for the CIA of the asset.

The data owner is responsible for labelling the asset and ensuring that is it protected with appropriate controls.

Question 14

Data Steward

Answer 14

A role focused on the quality of the data and associated meta data

Question 15

Data Custodian

Answer 15

A role responsible for handling the management of the system on which the data assets are stored. (E.g.: a system administrator)

Question 16

Privacy Officer

Answer 16

A role responsible for the oversight of any PII/SPI/PHI assets managed by the company

Question 17

What is PII?

Answer 17

Personally Identifiable Information

A piece of data that can be used either by itself or in combination with some other data to identify a single person.

For example. Your full name, date of birth, social media user names.

Question 18

Federal Privacy Act of 1974

Answer 18

Affects U.S. government computer systems that collects, stores, uses or disseminates personally identifiable information

Question 19

What does HIPPA stand for and who does this standard affect?

Answer 19

Health Insurance Portability and Accountability Act

US standard that affects healthcare providers, facilities, insurance companies, and medical data clearing houses.

Question 20

Who does the Sarbanes-Oxley standard affect?

Answer 20

Publicly traded U.S. corporations. Sarbanes-Oxley (SOX) requires certain accounting methods and financial reporting requirements.

Question 21

What does GLBA stand for and for and who does this standard affect?

Answer 21

Gramm-Leach-Bliley Act

Affects banks, mortgage companies, loan offices, insurance companies, investment companies and credit card providers.

Question 22

What is FISMA?

Answer 22

FISMA is the Federal Information Security Management Act of 2002.

It is a requirement that American federal agencies must comply with.

This act requires each agency to develop, document, and implement an agency-wide information systems security program to protect their data

Question 23

What is PCI DSS?

Answer 23

PCI DSS is the Payment Card Industry Data Security Standard.

PCI-DSS is a contractual obligation that any organisations take credit card transactions must meet.

Question 24

What is SB1386?

Answer 24

SB1386 is a Californian regulation that states organisations must inform users of a data breach.

Question 25

What is the difference between “privacy” and “security”?

Answer 25

Security focuses on the CIA attributes of the data processing system.

Privacy is a data governance requirement that arises when collecting and processing personal data to ensure the rights of the subject’s data.

Question 26

What is GDPR?

Answer 26

GDPR is the General Data Protection Regulation.

It’s an EU standard that states data cannot be collected, processed, or retained without the individual’s informed consent.

Question 27

What is deidentification (data privacy)?

Answer 27

The removal of identifying information from data before it is distributed.

Question 28

What is data masking (data privacy)?

Answer 28

A deidentification method where generic or placeholder labels are substituted for real data while preserving the structure of original data.

E.g.:
Card Number: ** ** ** ** ** 5412

Question 29

What is Tokenization (data privacy)?

Answer 29

A deidentification method where a unique token is substituted for real data.

E.g. A patient I.D. in place of a patients name.

Question 30

What is Aggregation/Banding (data privacy)?

Answer 30

A deidentification technique where data is generalised to protect the individuals involved.

E.g.: 90% of clinical trial participants tested positive

Question 31

What is reidentification?

Answer 31

An attack that combines a deidentified dataset with other data sources to discover how secure the deidentification method used is.

Question 32

What is “separation of duties”?

Answer 32

Separation of duties is a preventative type of administrative control that prevents fraud and abuse by distributing approval task among users.

Question 33

What is job rotation?

Answer 33

Job rotation is where different users are trained to perform the tasks of the same position to help prevent fraud that could occur if only one employee had that job.

Question 34

What is security awareness training?

Answer 34

Used to reinforce to users the importance of their help in securing the organisation’s valuable resources.

All employees should attend security awareness training at least once a year. The training should be aimed at a particular group within an organisation and include a discussion of company policies.

Studies have shown this is by far the best investment a company can make in terms of security.

Question 35

what is security training?

Answer 35

Used to teach the organisations personnel the skills they need to perform their job in a more secure manner.

Question 36

what is security education?

Answer 36

Security education is generalised training like Security+