Sec+ Chapter 16: Security Policies, Standards, and Compliance Flashcards
NIST
National Institute of Standards and Technology
ISO
International Organization for Standardization
Information security policy framework
Series of documents that describe an org's cybersecurity program and contain:
1) Policies
2) Standards
3) Procedures
4) Guidelines
Policies
High-level statements of management intent
EX: InfoSec policy, AUP, Data governance policy, Data classification policy, Data retention policy, Credential management policy, Password policy, Continuous monitoring policy, Code of conduct, Asset management
Standards
Requirements that describe how an org will carry out its InfoSec policies
EX: Configuration settings for common OS, controls for highly sensitive info, etc
Procedures
Detailed step-by-step processes that individuals or orgs must follow in specific circumstances
A consistent process for achieving a security objective
EX: Monitoring procedures, Evidence production procedures, Patching procedures
Guidelines
Best practices and recommendations related to a given concept, tech, or task
Least privilege
People should only get the minimum set of permissions they need to carry out their job
Separation of duties
Takes two different and sensitive tasks and creates a rule that no single person may have the privileges required to perform both tasks
EX: One person has half the safe combo, another person has the other half
Two person control
Requires the participation of two people to perform a single action
Job rotation
Takes employees with sensitive roles and periodically moves them to other positions in the organization
Mandatory vacations
Forces employees to take annual vacations of a week or more of consecutive time, revoking their access privileges during that time
A way we can identify fraud, especially in high security environments
Clean desk policy
Limits the amount of paper left exposed on unattended desks
Any time you get up from your desk, you have to clean your desk and lock everything away
MSA
Master service agreement
Umbrella contract for the work a vendor does with an org over extended period of time
SLA
Service level agreement
Specifies the conditions of service provided by the vendor and the remedies to the customer if the vendor fails to meet the SLA
EX: Uptime or response time agreements
MOU
Memorandum of understanding
An informal letter sent between two parties so they understand the requirements for a business process
Doesn’t have the binding qualities of a contract, but informs both sides of expectations
BPA
Business partnership agreement
When two orgs agree to do business with each other in a partnership
Details owner stake, financial contract, decision-making agreements, contingencies, etc
EOL/EOSL
End of life
Manufacturer stops selling a product, but may continue supporting the product
End of service life
When a manufacturer stops selling and stops supporting a product
Both of these are also used to ensure there’s an orderly transition when a vendor relationship ends
HIPAA
Health insurance portability and accountability act
Security and rules affecting healthcare providers, insurers, and clearinghouses
PCI DSS
Payment card industry data security standard
Rules about the storage, processing, and transmission of credit and debit card info
GLBA
Gramm-Leach-Bliley Act
Requires US financial institutions to have a formal security program and to designate an individual as having overall responsibility for that program
SOX
Sarbanes-Oxley Act
Requires publicly traded US companies to have a strong degree of assurance for the IT systems that store and process financial records
GDPR
General data protection regulation
Security and privacy requirements to protect the privacy of personal info for EU residents worldwide
FERPA
Family educational rights and privacy act
Requires US educational institutions to implement security and privacy controls for student educational records
Data breach notification laws
The requirements that individual states place on orgs that suffer data breaches regarding notification of affected individuals
NIST CSF
NIST cybersecurity framework
Voluntary commercial framework designed to assist orgs attempting to meet one or more of the following five objectives:
1) Describe current cybersecurity posture
2) Describe target state for cybersecurity
3) Identify and prioritize opportunities for improvement
4) Assess progress towards target state
5) Communicate among stakeholders about cybersecurity risk
Consists of three major areas:
1) Framework core: Identify, protect, detect, respond, and recover
2) Framework implementation tiers: Where an org understands what their approach to cybersecurity will be and what tools and processes are needed to manage risks
3) Framework profile: Policies, guidelines, and standards are compared to implementations based on framework core
NIST RMF
NIST risk management framework
Mandatory framework for US federal agencies or anyone handling federal data; ensures security and privacy
Six step process:
1) Categorize: Define the environment
2) Select: Pick appropriate controls for security and privacy
3) Implement: Define proper implementation of policies
4) Assess: Determine if policies are working properly
5) Authorize: Make a decision to authorize a system
6) Monitor: Constantly monitor to ensure you’re in compliance
ISO 27001
Standard focused on information security
Information security, cybersecurity and privacy protection — Information security management systems — Requirements
ISO 27002
Goes beyond control objectives and describes the actual controls an org may implement to meet cybersecurity objectives
ISO 27701
Contains standard guidance for managing privacy controls
Extension to 27001 and 27002
ISO 31000
Guidelines for general risk management programs
Not specific to cybersecurity or privacy
Audit
Formal review of an org’s security program or specific compliance issues conducted on behalf of a third party
Assessments
Less formal reviews of security controls requested by the security org itself in an effort to improve processes
CIS CSC
Center for internet security critical security controls for effective cyber defense
Designed to help improve the security posture of an organization, organized into controls across 20 areas
Segmented by organization size (small and large need different controls), and written by technologists for technologists
CSA