Policies and Procedures Flashcards
Defines the role of security in an organization and establishes the desired
end state of the security program
Policies
Provide general direction and goals, a framework to meet the business
goals, and define the roles, responsibilities, and terms
Organizational Policies
Address the security needs of a specific technology, application, network,
or computer system
System Specific Policies
Built to address a specific security issue, such as email privacy, employee
termination procedures, or other specific issues
Issue Specific Policies
Created as reference points which are documented for use as a method
of comparison during an analysis conducted in the future
Baseline
Detailed step-by-step instructions that are created to ensure personnel
can perform a given action
Procedures
Category based on the value to the organization and the sensitivity of the
information if it were to be disclosed
Data Classification
Any information that can result in a loss of security, or loss of advantage
to a company, if accessed by unauthorized persons
Sensitive Data
Has no impact on the company if released and is often posted in
the open-source environment
Public Data
Contains data that should only be used within the organization
Private Data
Highest classification level that contains items such as trade
secrets, intellectual property data, source code, and other types
that would seriously affect the business if disclosed
Confidential Data
Items that wouldn’t hurt national security if released but could
impact those whose data is contained in it
Sensitive but Unclassified
Data that could seriously affect the government if unauthorized
disclosure were to happen
Confidential Data
Data that could seriously damage national security if disclosed
Secret Data
Data that could gravely damage national security if it were known
to those who are not authorized for this level of information
Top Secret Data
The process of identifying the person responsible for the confidentiality, integrity,
availability, and privacy of information assets
Data Ownership
A senior (executive) role with ultimate responsibility for maintaining the
confidentiality, integrity and availability of the information asset
Data Owner
A role focused on the quality of the data and associated metadata
Data Steward
A role responsible for handling the management of the system on which
the data assets are stored
Data Custodian
A role responsible for the oversight of any PII/SPI/PHI assets managed by
the company
Privacy Officer
A piece of data that can be used either by itself or in combination with
other pieces of data to identify a single person
Personally Identifiable Information (PII)
Affects U.S. government computer systems that collect, store, use, or
disseminate personally identifiable information
Privacy Act of 1974
Affects healthcare providers, facilities, insurance companies, and medical
data clearinghouses
Health Insurance Portability and Accountability Act (HIPAA)
Affects publicly-traded U.S. corporations and requires certain accounting
methods and financial reporting requirements
Sarbanes-Oxley (SOX)
Affects banks, mortgage companies, loan offices, insurance companies,
investment companies, and credit card providers
Gramm-Leach-Bliley Act (GLBA)
Requires each federal agency to develop, document, and implement an
agency-wide information systems security program to protect its data
Federal Information Security Management Act (FISMA) of 2002
Provides regulations that govern the security, confidentiality, and
integrity of the personal information collected, stored, or processed
during the election and voting process
Help America Vote Act (HAVA) of 2002
For any type of information or asset, consider how a compromise of that
information could threaten the three core security attributes of the CIA Triad
(confidentiality, integrity, and availability)
Legal Requirements
A data governance requirement that arises when collecting and
processing personal data, to ensure the rights of the data subject
Privacy
Personal data cannot be collected, processed, or retained without a lawful
basis, most commonly the individual's informed consent
General Data Protection Regulation (GDPR)
Methods and technologies that remove identifying information from data
before it is distributed
Deidentification
A deidentification method where generic or placeholder labels are
substituted for real data while preserving the structure or format of the
original data
Data Masking
A deidentification method where a unique token is substituted for real
data
Tokenization
A deidentification technique where data is generalized to protect the
individuals involved
Aggregation/Banding
An attack that combines a deidentified dataset with other data sources
(linking on attributes such as ZIP code or date of birth) to recover the
identities the deidentification was meant to remove, and thereby tests
how secure the deidentification method used really is
Reidentification
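As an added worked example (not part of the flashcard set), the Python below applies the three deidentification methods just defined (masking, tokenization, and aggregation/banding) to a small constructed dataset, then runs a linkage-style reidentification attack against the released data using a constructed external list. The records, the external "voter roll", the token format, and every function name are assumptions of this example.

```python
"""Deidentification methods and a reidentification linkage attack.

Added example for the flashcards above; all data is constructed and fictitious.
"""
import secrets

# Constructed sample records (fictitious people; assumption of this example).
RECORDS = [
    {"name": "Alice Ng",   "ssn": "123-45-6789", "zip": "02139", "dob": "1984-03-12", "diagnosis": "asthma"},
    {"name": "Bob Ortiz",  "ssn": "987-65-4321", "zip": "02139", "dob": "1979-11-02", "diagnosis": "diabetes"},
    {"name": "Cara Smith", "ssn": "555-11-2222", "zip": "94110", "dob": "1991-07-30", "diagnosis": "migraine"},
]

# Constructed external dataset an attacker might hold (public voter roll, etc.).
VOTER_ROLL = [
    {"name": "Alice Ng",   "zip": "02139", "dob": "1984-03-12"},
    {"name": "Bob Ortiz",  "zip": "02139", "dob": "1979-11-02"},
    {"name": "Cara Smith", "zip": "94110", "dob": "1991-07-30"},
    {"name": "Dan Wu",     "zip": "02142", "dob": "1980-05-05"},
]


def mask(value: str, keep_last: int = 4, fill: str = "X") -> str:
    """Data masking: replace all but the last `keep_last` alphanumerics with a
    placeholder, keeping separators so the format is preserved
    (123-45-6789 -> XXX-XX-6789)."""
    positions = [i for i, c in enumerate(value) if c.isalnum()]
    to_mask = set(positions[:max(0, len(positions) - keep_last)])
    return "".join(fill if i in to_mask else c for i, c in enumerate(value))


class TokenVault:
    """Tokenization: substitute a random token for the real value. The mapping
    lives only in the vault, so a dataset holding tokens alone cannot be
    reversed; the token format 'tok_<hex>' is an assumption of this example."""

    def __init__(self) -> None:
        self._forward: dict[str, str] = {}   # real value -> token
        self._reverse: dict[str, str] = {}   # token -> real value

    def tokenize(self, value: str) -> str:
        if value not in self._forward:
            token = "tok_" + secrets.token_hex(8)
            self._forward[value] = token
            self._reverse[token] = value
        return self._forward[value]

    def detokenize(self, token: str) -> str:
        return self._reverse[token]


def band_age(dob: str, as_of_year: int = 2024, width: int = 10) -> str:
    """Aggregation/banding: generalize an exact date of birth to an age band
    such as '40-49' (age computed from the birth year only)."""
    age = as_of_year - int(dob[:4])
    lo = age - age % width
    return f"{lo}-{lo + width - 1}"


def generalize_zip(zip_code: str) -> str:
    """Banding applied to location: keep only the 3-digit ZIP prefix."""
    return zip_code[:3] + "**"


def deidentify(records: list[dict], vault: TokenVault) -> list[dict]:
    """Produce the dataset that would be released: name dropped, SSN masked and
    tokenized, ZIP and DOB generalized, diagnosis left intact."""
    return [
        {
            "patient_token": vault.tokenize(r["ssn"]),
            "ssn_masked": mask(r["ssn"]),
            "zip3": generalize_zip(r["zip"]),
            "age_band": band_age(r["dob"]),
            "diagnosis": r["diagnosis"],
        }
        for r in records
    ]


def reidentify(released: list[dict], external: list[dict]) -> dict[str, list[str]]:
    """Linkage attack: for each released row, list the people in the external
    dataset whose generalized quasi-identifiers match. Exactly one candidate
    means the row (and its diagnosis) has been reidentified."""
    return {
        row["patient_token"]: [
            p["name"] for p in external
            if generalize_zip(p["zip"]) == row["zip3"]
            and band_age(p["dob"]) == row["age_band"]
        ]
        for row in released
    }


def min_group_size(released: list[dict]) -> int:
    """Smallest number of released rows sharing the same (zip3, age_band).
    A value of 1 means some row is unique on its quasi-identifiers."""
    counts: dict[tuple[str, str], int] = {}
    for row in released:
        key = (row["zip3"], row["age_band"])
        counts[key] = counts.get(key, 0) + 1
    return min(counts.values())


if __name__ == "__main__":
    vault = TokenVault()
    released = deidentify(RECORDS, vault)
    for row in released:
        print(row)
    print("smallest quasi-identifier group:", min_group_size(released))
    for token, names in reidentify(released, VOTER_ROLL).items():
        status = "REIDENTIFIED" if len(names) == 1 else f"{len(names)} candidates"
        print(token, "->", status, names)
```

Running it shows why banding alone is not enough: the two Boston-area records share a ZIP prefix and age band with a third person on the external list, so the attacker is left with three candidates, but the San Francisco record is unique on its quasi-identifiers and links straight back to one name. `min_group_size` returning 1 is the check a practitioner would run before release.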
Defines the rules that restrict how a computer, network, or other systems
may be used
Acceptable Use Policy
Defines the structured way of changing the state of a computer system,
network, or IT procedure
Change Management Policy
Different users are trained to perform the tasks of the same position to
help prevent and identify fraud that could occur if only one employee
had the job
Job Rotation
Dictates what type of things need to be done when an employee is hired,
fired, or quits
Onboarding and Offboarding Policy
Ensuring that IT infrastructure risks are known and managed properly
Due Diligence
Mitigation actions that an organization takes to defend against the risks
that have been uncovered during due diligence
Due Care
A legal term that refers to how an organization must respect and
safeguard personnel’s rights
Due Process
Agreement between two parties that defines what data is considered
confidential and cannot be shared outside of the relationship
Non-Disclosure Agreement (NDA)
A non-binding agreement between two or more organizations to detail
an intended common line of action
Memorandum of Understanding (MOU)
An agreement concerned with the ability to support and respond to
problems within a given timeframe and to continue providing the agreed-upon
level of service to the user
Service Level Agreement (SLA)
An agreement for the owners and operators of the IT systems to
document what technical requirements each organization must meet
Interconnection Security Agreement (ISA)
An agreement between two business partners that establishes the
conditions of their relationship
Business Partnership Agreement (BPA)
Exposes a magnetic hard drive or tape to a powerful magnetic field, which in
turn causes previously-written data to be wiped from the media; ineffective
against SSDs and other flash storage, which do not store data magnetically
Degaussing
Act of removing data in such a way that it cannot be reconstructed using
any known forensic techniques
Purging (Sanitizing)
Removal of data with a certain amount of assurance that it cannot be
reconstructed, typically by overwriting with standard system commands;
offers less assurance than purging
Clearing
A security framework that divides IT into four domains: Plan and
Organize, Acquire and Implement, Deliver and Support, and Monitor and
Evaluate
Control Objectives for Information and Related Technology (COBIT)
Consensus-developed secure configuration guidelines for hardening
(benchmarks) and prescriptive, prioritized, and simplified sets of
cybersecurity best practices (configuration guides)
Center for Internet Security (CIS)
A process that integrates security and risk management activities into the
system development life cycle through an approach to security control
selection and specification that considers effectiveness, efficiency, and
constraints due to applicable laws, directives, Executive Orders, policies,
standards, or regulations
Risk Management Framework (RMF)
A set of industry standards and best practices created by NIST to help
organizations manage cybersecurity risks
Cybersecurity Framework (CSF)
An international standard that details requirements for establishing,
implementing, maintaining and continually improving an information
security management system (ISMS)
ISO 27001
An international standard that provides best practice recommendations
on information security controls for use by those responsible for
initiating, implementing, or maintaining information security
management systems (ISMS)
ISO 27002
An international standard that acts as a privacy extension to the ISO
27001 to enhance the existing Information Security Management System
(ISMS) with additional requirements in order to establish, implement,
maintain, and continually improve a Privacy Information Management
System (PIMS)
ISO 27701
An international standard for enterprise risk management that provides a
universally recognized paradigm for practitioners and companies
employing risk management processes, intended to replace the myriad of
existing standards, methodologies, and paradigms that differed between
industries, subject matters, and regions
ISO 31000
A suite of audit reports that service organizations use to provide the users
of their services with independently validated reports on the internal
controls over the information systems they operate
System and Organization Controls (SOC)
Designed to provide fundamental security principles to guide cloud
vendors and to assist prospective cloud customers in assessing the overall
security risk of a cloud provider
Cloud Security Alliance’s Cloud Control Matrix
A methodology and a set of tools that enable security architects,
enterprise architects, and risk management professionals to leverage a
common set of solutions that fulfill their common needs to be able to
assess where their internal IT and their cloud providers are in terms of
security capabilities and to plan a roadmap to meet the security needs of
their business
Cloud Security Alliance’s Reference Architecture