Policies & Procedures Flashcards
Baseline
A documented reference point used as the basis of comparison in a future analysis
Government Data Classifications
Unclassified Data
Can be released to the public
Sensitive but Unclassified
Items that wouldn’t hurt national security if released but could impact those whose data is contained in it
Confidential Data
Data that could seriously affect the government if unauthorized disclosure were to happen
Secret Data
Data that could seriously damage national security if disclosed
Top Secret Data
Data that could gravely damage national security if it were known to those who are not authorized for this level of information
Data Owner
A senior (executive) role with ultimate responsibility for maintaining the confidentiality, integrity and availability of the information asset
The data owner is responsible for labeling the asset and ensuring that it is protected with appropriate controls
Data Steward
Responsible for maintaining quality of data
Responsible for data accuracy, privacy, & security
Data Custodian
A role responsible for handling the management of the system on which the data assets are stored
PCI DSS
Payment Card Industry Data Security Standard:
Contractual obligation to protect card information
GDPR
General Data Protection Regulation:
Personal data cannot be collected, processed, or retained without the individual’s informed consent
GDPR also provides the right for a user to withdraw consent, to inspect, amend, or erase data held about them
GDPR requires data breach notification within 72 hours
Deidentification
Methods and technologies that remove identifying information from data before it is distributed
Deidentification is often implemented as part of database design
Data Masking
A deidentification method where generic or placeholder labels are substituted for real data while preserving the structure or format of the original data
Tokenization
A deidentification method where a unique token is substituted for real data
Aggregation/Banding
A deidentification technique where data is generalized to protect the individuals involved
Reidentification
An attack that combines a deidentified dataset with other data sources to discover how secure the deidentification method used is
Due Diligence
Ensuring that IT infrastructure risks are known and managed properly
Due Care
Mitigation actions that an organization takes to defend against the risks that have been uncovered during due diligence
ISA
Interconnection Security Agreement:
An agreement for the owners and operators of the IT systems to document what technical requirements each organization must meet
BPA
Business Partnership Agreement:
Conducted between two business partners that establishes the conditions of their relationship
A BPA can also include security requirements
Degaussing
Exposes the hard drive to a powerful magnetic field which in turn causes previously-written data to be wiped from the drive
Purging (Sanitizing)
Act of removing data in such a way that it cannot be reconstructed using any known forensic techniques
Clearing
Removal of data with a certain amount of assurance that it cannot be reconstructed
CIS
Center for Internet Security: Created by NIST
Consensus-developed secure configuration guidelines for hardening (benchmarks) and prescriptive, prioritized, and simplified sets of cybersecurity best practices (configuration guides)
Improve cyber defenses (20 key actions)
Categorized for different organization sizes
Designed for implementation (written for IT pros)
RMF
Risk Management Framework: Developed by NIST for the Federal Government
A process that integrates security and risk management activities into the system development life cycle through an approach to security control selection and specification
6 Steps
Categorize - define environment
Select - pick controls
Implement - define proper implementation
Assess - determine if controls are working
Authorize - Make a decision to authorize a system
Monitor - check for ongoing compliance
CSF
Cybersecurity Framework: Developed by NIST
A set of industry standards and best practices created by NIST to help organizations manage cybersecurity risks
5 Category Functions: Identify, Protect, Detect, Respond, Recover
ISO 27000 (4 Provisions)
International standard
27001: Basic procedure for cybersecurity (international standard) - focused on establishing/maintaining info systems
27002: International standard focused on information security controls (to protect those systems)
27701: Adding privacy to ISMS (privacy extension for ISO 27001)
31000: An attempt to create a global risk management framework
SOC
System & Organization Controls:
A suite of reports produced during an audit, used by service organizations to provide validated reports on the internal controls over their information systems to the users of those services
Audit & Compliance
SOC 2 = Trusted Services Criteria
Tells you what requirements are part of an audit
Type I audit:
Tests controls in place at a particular point in time
Type II audit:
Addresses the operational effectiveness of the specified controls over a period of time (usually 9-12 months)
Cloud Security Alliance’s Cloud Control Matrix
Designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider
Cloud-specific security controls
Controls are mapped to standards/best practices/regulations
Cloud Security Alliance’s Reference Architecture
Methodology & tools
Assess internal IT groups & cloud providers
Determine security capabilities
Build a roadmap
User Training: Gamification & Capture the Flag
Gamification
Score points, compete with others, collect badges
Capture the flag
Security competition
Hack into a server to steal data (the flag)
Can involve highly technical simulations
Practical learning environment
MSA
Measured Systems Analysis:
Used with quality management systems
Assess the measurement process
Don’t make decisions based on incorrect data
EOL vs. EOSL
EOL (End of Life)
Manufacturer stops selling product
May continue supporting it
Important for security patches/updates
EOSL (End of Service Life)
Manufacturer stops selling & supporting a product
No ongoing security patches/updates
Data Retention
Keep files that change frequently for version control
Recover from virus infection
Data Controller
Manages the purposes & means by which personal data is processed
Data Processor
Works on behalf of the data controller
Often a third-party or different group
Examples:
Payroll department = data controller
Defines payroll amounts & timeframes
Payroll company = data processor
Processes payroll & stores employee info
Data Protection Officer
Responsible for the organization’s data privacy policies
Sets policies, implements processes & procedures