Policies & Procedures Flashcards

1
Q

Baseline

A

Documented reference points that are used as a basis of comparison during a future analysis

2
Q

Government Data Classifications

A

Unclassified Data
Can be released to the public

Sensitive but Unclassified
Items that wouldn’t hurt national security if released but could impact those whose data is contained in it

Confidential Data
Data that could seriously affect the government if unauthorized disclosure were to happen

Secret Data
Data that could seriously damage national security if disclosed

Top Secret Data
Data that could gravely damage national security if it were known to those who are not authorized for this level of information

3
Q

Data Owner

A

A senior (executive) role with ultimate responsibility for maintaining the confidentiality, integrity and availability of the information asset

The data owner is responsible for labeling the asset and ensuring that it is protected with appropriate controls

4
Q

Data Steward

A

Responsible for maintaining quality of data
Responsible for data accuracy, privacy, & security

5
Q

Data Custodian

A

A role responsible for handling the management of the system on which the data assets are stored

6
Q

PCI DSS

A

Payment Card Industry Data Security Standard:
Contractual obligation to protect card information

7
Q

GDPR

A

General Data Protection Regulation:
Personal data cannot be collected, processed, or retained without the individual’s informed consent

GDPR also provides the right for a user to withdraw consent, to inspect, amend, or erase data held about them
GDPR requires data breach notification within 72 hours

8
Q

Deidentification

A

Methods and technologies that remove identifying information from data before it is distributed

Deidentification is often implemented as part of database design

9
Q

Data Masking

A

A deidentification method where generic or placeholder labels are substituted for real data while preserving the structure or format of the original data

10
Q

Tokenization

A

A deidentification method where a unique token is substituted for real data

11
Q

Aggregation/Banding

A

A deidentification technique where data is generalized to protect the individuals involved

12
Q

Reidentification

A

An attack that combines a deidentified dataset with other data sources to discover how secure the deidentification method used is

13
Q

Due Diligence

A

Ensuring that IT infrastructure risks are known and managed properly

14
Q

Due Care

A

Mitigation actions that an organization takes to defend against the risks that have been uncovered during due diligence

15
Q

ISA

A

Interconnection Security Agreement:
An agreement between the owners and operators of interconnected IT systems that documents the technical requirements each organization must meet

16
Q

BPA (Business Partnership Agreement)

A

Business Partnership Agreement:
Conducted between two business partners that establishes the conditions of their relationship

A BPA can also include security requirements

17
Q

Degaussing

A

Exposes the hard drive to a powerful magnetic field which in turn causes previously-written data to be wiped from the drive

18
Q

Purging (Sanitizing)

A

Act of removing data in such a way that it cannot be reconstructed using any known forensic techniques

19
Q

Clearing

A

Removal of data with a certain amount of assurance that it cannot be reconstructed

20
Q

CIS

A

Center for Internet Security: Created by NIST

Consensus-developed secure configuration guidelines for hardening (benchmarks) and prescriptive, prioritized, and simplified sets of cybersecurity best practices (configuration guides)

Improve cyber defenses (20 key actions)
Categorized for different organization sizes
Designed for implementation (written for IT pros)

21
Q

RMF

A

Risk Management Framework: Developed by NIST for the Federal Government
A process that integrates security and risk management activities into the system development life cycle through an approach to security control selection and specification

6 Steps
Categorize - define environment
Select - pick controls
Implement - define proper implementation
Assess - determine if controls are working
Authorize - Make a decision to authorize a system
Monitor - check for ongoing compliance

22
Q

CSF

A

Cybersecurity Framework: Developed by NIST
A set of industry standards and best practices created by NIST to help organizations manage cybersecurity risks

5 Category Functions: Identify, Protect, Detect, Respond, Recover

23
Q

ISO 27000 (4 Provisions)

A

International standard

27001: Basic procedure for cybersecurity (international standard) - focused on establishing/maintaining info systems

27002: International standard focused on information security controls (to protect those systems)

27701: Adding privacy to ISMS (privacy extension for ISO 27001)

31000: Attempt to create global risk management framework

24
Q

SOC

A

System & Organization Controls:
A suite of reports produced during an audit, used by service organizations to issue validated reports on the internal controls over their information systems to the users of those services

Audit & Compliance

SOC 2 = Trust Services Criteria
Tells you what requirements are part of an audit

Type I audit:
Tests controls in place at a particular point in time

Type II audit:
Addresses the operational effectiveness of the specified controls over a period of time (usually 9-12 months)

25
Q

Cloud Security Alliance’s Cloud Control Matrix

A

Designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider

Cloud-specific security controls
Controls are mapped to standards/best practices/regulations

26
Q

Cloud Security Alliance’s Reference Architecture

A

Methodology & tools
Assess internal IT groups & cloud providers
Determine security capabilities
Build a roadmap

27
Q

User Training: Gamification & Capture the Flag

A

Gamification
Score points, compete with others, collect badges

Capture the flag
Security competition
Hack into a server to steal data (the flag)
Can involve highly technical simulations
Practical learning environment

28
Q

MSA

A

Measured Systems Analysis:
Used with quality management systems
Assess the measurement process
Don’t make decisions based on incorrect data

29
Q

EOL vs. EOSL

A

EOL (End of Life)
Manufacturer stops selling product
May continue supporting it
Important for security patches/updates

EOSL (End of Service Life)
Manufacturer stops selling & supporting a product
No ongoing security patches/updates

30
Q

Data Retention

A

Keep files that change frequently for version control
Recover from virus infection

31
Q

Data Controller

A

Manages the purposes & means by which personal data is processed

32
Q

Data Processor

A

Works on behalf of the data controller
Often a third-party or different group

Examples:
Payroll department = data controller
Defines payroll amounts & timeframes

Payroll company = data processor
Processes payroll & stores employee info

33
Q

Data Protection Officer

A

Responsible for the organization’s data privacy policies
Sets policies, implements processes & procedures