Policies and Procedures Flashcards
Defines the role of security in an organization and establishes the desired
end state of the security program
Policies
Provide general direction and goals, a framework to meet the business
goals, and define the roles, responsibilities, and terms
Organizational Policies
Address the security needs of a specific technology, application, network,
or computer system
System Specific Policies
Built to address a specific security issue, such as email privacy, employee
termination procedures, or other specific issues
Issue Specific Policies
Created as reference points which are documented for use as a method
of comparison during an analysis conducted in the future
Baseline
Detailed step-by-step instructions that are created to ensure personnel
can perform a given action
Procedures
Category based on the value to the organization and the sensitivity of the
information if it were to be disclosed
Data Classification
Any information that can result in a loss of security, or loss of advantage
to a company, if accessed by unauthorized persons
Sensitive Data
Has no impact on the company if released and is often posted in
the open-source environment
Public Data
Contains data that should only be used within the organization
Private Data
Highest classification level that contains items such as trade
secrets, intellectual property data, source code, and other types
that would seriously affect the business if disclosed
Confidential Data
Items that wouldn’t hurt national security if released but could
impact those whose data is contained in it
Sensitive but Unclassified
Data that could seriously affect the government if unauthorized
disclosure were to happen
Confidential Data
Data that could seriously damage national security if disclosed
Secret Data
Data that could gravely damage national security if it were known
to those who are not authorized for this level of information
Top Secret Data
The process of identifying the person responsible for the confidentiality, integrity,
availability, and privacy of information assets
Data Ownership
A senior (executive) role with ultimate responsibility for maintaining the
confidentiality, integrity and availability of the information asset
Data Owner
A role focused on the quality of the data and associated metadata
Data Steward
A role responsible for handling the management of the system on which
the data assets are stored
Data Custodian
A role responsible for the oversight of any PII/SPI/PHI assets managed by
the company
Privacy Officer
A piece of data that can be used either by itself or in combination with
some other pieces of data to identify a single person
Personally Identifiable Information (PII)
Affects U.S. government computer systems that collect, store, use, or
disseminate personally identifiable information
Privacy Act of 1974
Affects healthcare providers, facilities, insurance companies, and medical
data clearing houses
Health Insurance Portability and Accountability Act (HIPAA)
Affects publicly-traded U.S. corporations and requires certain accounting
methods and financial reporting requirements
Sarbanes-Oxley (SOX)