Sec+ Chapter 16: Security Policies, Standards, and Compliance Flashcards

1
Q

NIST

A

National Institute of Standards and Technology

2
Q

ISO

A

International Organization for Standardization

3
Q

Information security policy framework

A

Series of documents that describe an org's cybersecurity program and contain:

1) Policies

2) Standards

3) Procedures

4) Guidelines

4
Q

Policies

A

High-level statements of management intent

EX: InfoSec policy, AUP, Data governance policy, Data classification policy, Data retention policy, Credential management policy, Password policy, Continuous monitoring policy, Code of conduct, Asset management

5
Q

Standards

A

Requirements that describe how an org will carry out its InfoSec policies

EX: Configuration settings for common OS, controls for highly sensitive info, etc

6
Q

Procedures

A

Detailed step-by-step processes that individuals or orgs must follow in specific circumstances

A consistent process for achieving a security objective

EX: Monitoring procedures, Evidence production procedures, Patching procedures

7
Q

Guidelines

A

Best practices and recommendations related to a given concept, tech, or task

8
Q

Least privilege

A

People should only get the minimum set of permissions they need to carry out their job

9
Q

Separation of duties

A

Takes two different and sensitive tasks and creates a rule that no single person may have the privileges required to perform both tasks

EX: One person has half the safe combo, another person has the other half

10
Q

Two person control

A

Requires the participation of two people to perform a single action

11
Q

Job rotation

A

Takes employees with sensitive roles and periodically moves them to other positions in the organization

12
Q

Mandatory vacations

A

Forces employees to take annual vacations of a week or more of consecutive time, revoking their access privileges during that time

A way to identify fraud, especially in high-security environments

13
Q

Clean desk policy

A

Limits the amount of paper left exposed on unattended desks

Any time you get up from your desk, you have to clean your desk and lock everything away

14
Q

MSA

A

Master service agreement

Umbrella contract for the work a vendor does with an org over an extended period of time

15
Q

SLA

A

Service level agreement

Specifies the conditions of service provided by the vendor and the remedies to the customer if the vendor fails to meet the SLA

EX: Uptime or response time agreements

16
Q

MOU

A

Memorandum of understanding

An informal letter sent between two parties so that they understand the requirements for a business process

Doesn’t have the binding qualities of a contract, but informs both sides of expectations

17
Q

BPA

A

Business partnership agreement

When two orgs agree to do business with each other in a partnership

Details ownership stake, financial contract, decision-making agreements, contingencies, etc

18
Q

EOL / EOSL

A

End of life

Manufacturer stops selling a product, but may continue supporting the product

End of service life

When a manufacturer stops selling and stops supporting a product

Both of these are also used to ensure there’s an orderly transition when a vendor relationship ends

19
Q

HIPAA

A

Health insurance portability and accountability act

Security and rules affecting healthcare providers, insurers, and clearinghouses

20
Q

PCI DSS

A

Payment card industry data security standard

Rules about the storage, processing, and transmission of credit and debit card info

21
Q

GLBA

A

Gramm-Leach-Bliley Act

Requires US financial institutions to have a formal security program and designate an individual as having overall responsibility for that program

22
Q

SOX

A

Sarbanes-Oxley Act

Requires publicly traded US companies to have a strong degree of assurance for the IT systems that store and process financial records

23
Q

GDPR

A

General data protection regulation

Security and privacy requirements to protect the privacy of personal info for EU residents worldwide

24
Q

FERPA

A

Family educational rights and privacy act

Requires US educational institutions to implement security and privacy controls for student educational records

25
Q

Data breach notification laws

A

The requirements that individual states place on orgs that suffer data breaches regarding notification of affected individuals

26
Q

NIST CSF

A

NIST cybersecurity framework

Voluntary commercial framework designed to assist orgs attempting to meet one or more of the following five objectives:

1) Describe current cybersecurity posture

2) Describe target state for cybersecurity

3) Identify and prioritize opportunities for improvement

4) Assess progress towards target state

5) Communicate among stakeholders about cybersecurity risk

Composed of three major areas:

1) Framework core: Identify, protect, detect, respond, and recover

2) Framework implementation tiers: Where an org understands what its approach to cybersecurity will be and what tools and processes are needed to manage risks

3) Framework profile: Policies, guidelines, and standards are compared to implementations based on framework core

27
Q

NIST RMF

A

NIST risk management framework

Mandatory framework for US federal agencies or anyone handling federal data; ensures security and privacy

Six step process:

1) Categorize: Define the environment

2) Select: Pick appropriate controls for security and privacy

3) Implement: Define proper implementation of policies

4) Assess: Determine if policies are working properly

5) Authorize: Make a decision to authorize a system

6) Monitor: Constantly monitor to ensure you’re in compliance

28
Q

ISO 27001

A

Standard focused on information security

Information security, cybersecurity and privacy protection — Information security management systems — Requirements

29
Q

ISO 27002

A

Goes beyond control objectives and describes the actual controls an org may implement to meet cybersecurity objectives

30
Q

ISO 27701

A

Contains standard guidance for managing privacy controls

Extension to 27001 and 27002

31
Q

ISO 31000

A

Guidelines for general risk management programs

Not specific to cybersecurity or privacy

32
Q

Audit

A

Formal review of an org’s security program or specific compliance issues conducted on behalf of a third party

33
Q

Assessments

A

Less formal reviews of security controls requested by the security org itself in an effort to improve processes

34
Q

CIS CSC

A

Center for Internet Security critical security controls for effective cyber defense

Designed to help improve the security posture of an organization, focused on controls across 20 areas

Segmented by organization size (small and large need different controls), and written by technologists for technologists

35
Q

CSA

A