PRV Flashcards

1
Q

need to know principle

A

Limiting access: employees should be granted the minimum level of privilege needed to perform the role assigned to them -> role-based access

  • e.g. a warehouse worker may need to access stock records but should not have access to financial or personnel records
  • based on the classification of information assets (confidential, internal only, public)
  • also a principle of GDPR -> information privacy
  • administrators: critical accounts need to be controlled and safeguarded very well
2
Q

Resilience and Redundancy

A

Resilience: ensuring that there are no single points of failure; no single system or service within the organization's infrastructure can bring the overall operation to a standstill

Redundancy: there is always a standby system or network connection that can take over if the active system or network connection fails

  • backups
  • grandfather-father-son approach: maintaining at least three generations of backup data

Resilience and redundancy should apply in the context of the entire IT infrastructure, including buildings, power supplies, etc.

3
Q

Security Controls

A

Physical controls: locks, secured buildings

Technical controls: fingerprint locks, password protection

Procedural controls: rules, policies, employee training -> focus on the user as the weakest link

4
Q

technical controls

A

Access control (through biometrics, passwords, or physical access cards):

  • authentication: confirming a subject's identity
  • authorization: determining whether the person is allowed physical or logical access
  • accountability: documenting the activities of authorized persons and systems (logs)

Firewalls

Cryptography (e-mails, VPNs)

5
Q

information security policies

A

Information security policy: written instructions provided by management that inform employees and others in the workplace about proper behavior regarding the use of information and information assets (e.g. no sticky notes with passwords)

An information security policy defines:

  • > its scope
  • > its relevance
  • > relevant legislation and laws
  • > responsibilities of employees
6
Q

types of policies

A
  • enterprise information security policy
  • > assigns responsibilities for various areas of information security at a high level
  • > drafted by the CISO, CIO, and other executives
  • > integrates an organization's mission and objectives concerning information security (philosophy on security)
  • > structure of the information security organization, roles and responsibilities

-issue-specific security policy: detailed guidance on a particular area of relevance, e.g. end user behavior

-system-specific security policy:
more detailed guidance on procedures in systems, e.g. configuration of a firewall

7
Q

end user code of practice

A

Policy for end users that should be published to all users

  • > should detail what is expected from users
  • password policies
  • no access to information areas or equipment for unauthorized users
  • logging off from systems when leaving the computer
  • locking away sensitive documents (clean desk policy)
  • how personal devices may be used
  • reporting of security incidents

-> noncompliance: employee disciplinary process, termination of contracts, reporting to law enforcement (involvement of the HR and legal departments is necessary when developing the policy)

8
Q

Security Education, Training and Awareness and Goals

A

An Information Security Education, Training and Awareness (SETA) program is a managerial program designed to improve the security of information assets by providing targeted knowledge, skills, and guidance for an organization's employees

Goals:

  • > reduce the likelihood of security incidents
  • > improve awareness of the importance of, and the need to protect, organizational resources
  • > acquire the necessary skills and know-how to do jobs more securely
  • > implemented after security policies have been defined

-> responsibility of the CISO

SETA programs need to be revised over time

9
Q

SETA Components Objectives

A

Education: Why? -> understanding
  • theoretical instruction: seminars, literature study
  • long term

Training: How? -> skill
  • practical instruction: workshops, lectures, hands-on practice
  • medium term

Awareness: What? -> alert to risks in the environment
  • media: videos, newsletters, posters
  • short term

9
Q

security culture

A

Best case: security has become part of employees' own value system -> the long-term goal is to create a security culture in which people are security aware, skilled, and understand why

Culture needs to begin at the top of the organization

  • > high-level policy document signed by a C-level executive
  • > leading by example

Security controls need to fit the entire organizational culture to increase the chance of compliance

10
Q

Gamification

A

Gamification is the process of enhancing a specific service by implementing game design elements in a non-game context to enhance the user's overall value creation and experience

-e.g. a weekly 30-minute game or training that employees have to complete, otherwise their score is reduced

  • progress and motivation tools
  • > rewards: scores, badges
  • > competition: feedback, leaderboards for comparison

But: a gamification approach in a conservative organization with strict hierarchies might fail
(e.g. the CEO has a lower score than a lower-management employee)

11
Q

Downsides of Security Controls

A
  • Physical, procedural and technical controls can reduce the likelihood of incidents occurring, but:
  • they can be too costly compared to the value of what should be protected
  • they can be too intrusive and prevent employees from carrying out their work efficiently -> this can encourage workarounds

Policies depend on compliance, which is undermined by factors such as time pressure, ignorance, and lack of awareness and understanding -> security still depends on employee behavior
