Section 30 Policies and Procedures

Question 1

Defines the role of security in an organization and establishes the desired end state of the security program.

Answer 1

Policies

Question 2

Provide a general direction and goals, a framework to meet the business goals, and define the roles, responsibilities, and terms.

Answer 2

Organizational Policies

Question 3

Address the security needs of a specific technology, application, network, or computer system.

Answer 3

System Specific Policies

Question 4

Category based on the value to the organization and the sensitivity of the information if it were to be disclosed.

Answer 4

Data Classification

Question 5

Any information that can result in a loss of security, or loss of advantage to a company, if accessed by unauthorized persons.

Answer 5

Sensitive Data

Question 6

Has no impacts to the company if released and is often posted in the open source environment.

Answer 6

Public Data

Question 7

Contains data that should only be used within the organization.

Answer 7

Private Data

Question 8

Highest classification level that contains items that contain trade secrets, intellectual prperty data, source code, and other types that would seriously affect that business if disclosed.

Answer 8

Confidential Data

Question 9

Items that wouldn’t hurt national security if released but could impact those whose data is contained in it.

Answer 9

Sensitive But Unclassified

Question 10

The process of identifying the person responsible for the confidentiality, integrity, availability,

Answer 10

Data Ownership

Question 11

A senior (executive) role with ultimate responsibility for maintaining the confidentiality, integrity, and availability of the information assets.

Answer 11

Data Owner

Question 12

A role focused on the quality of the data and associated metadata.

Answer 12

Data Steward

Question 13

A role responsible for handling the management of the system on which the data assets are stored.

Answer 13

Data Custodian

Question 14

A role responsible for the oversight of any PII/SPI/PHI assets managed by the company.

Answer 14

Privacy Officer

Question 15

A piece of data that can be used either by itself or in combination with some other pieces of data to identify a single person.

Answer 15

Personal Identifiable Information (PII)

Question 16

Affects US government computer systems that collects, stores, uses, or disseminates personally identifiable information.

Answer 16

Privacy Act of 1974

Question 17

Affects healthcare providers, facilities, insurance companies, and medical data clearing houses.

Answer 17

Health Insurance Portability and Accountability Act (HIPPA)

Question 18

Affects publicly traded US corporations and requires certain accounting methods and financial reporting requirements.

Answer 18

Sarbanes Oxley (SOX)

Question 19

Affects banks, mortgage companies, loan offices, insurance companies, investment companies, and credit card providers.

Answer 19

Gramm Leach Bliley Act (GLBA)

Question 20

Requires each agency to develop, document, and implement an agency wide information system security program to protect their data.

Answer 20

Federal Information Security Management Act (FISMA) 2002

Question 21

Provides regulations that govern the security, confidentiality, and integrity of the personal information collected, stored, or processed during the election and voting process.

Answer 21

Help America Vote Act (HAVA) of 2002

Question 22

A data governance requirement that arises when collecting and processing personal data to ensure the rights of the subject’s data.

Answer 22

Privacy

Question 23

Personal data cannot be collected, processed, or retained without the individual’s informed consent.

Answer 23

General Data Protection Regulation (GDPR)

Question 24

Methods and technologies that remove identifying information from data before it is distributed.

Answer 24

Deidentification

Question 25

A deidentification method where generic or or placeholder labels are substituted for real data while preserving the structure or format of the original data.

Answer 25

Data Masking

Question 26

A deidentificaiton method where a unique token is substituted for real data.

Answer 26

Tokenization

Question 27

A deidentification technique where data is generalized to protect the individuals involved.

Answer 27

Aggregation/Bonding

Question 28

An attack that combines a deidentified dataset with other data sources to discover how secure the deidentification method used is.

Answer 28

Reidentification

Question 29

Defines the rules that restrict how a computer, network, or other systems may be used.

Answer 29

Acceptable use Policy

Question 30

Defines the structured way of changing the state of a computer system, network, or IT procedure.

Answer 30

Change Management Policy

Question 31

Different users are trained to perform the tasks of the same position to help prevent and identify fraud that could occur if only one employee had the job.

Answer 31

Job Rotation

Question 32

Dictates what type of things need to be done when a employee is hired, fired, or quits.

Answer 32

Onboarding the offboarding Policy

Question 33

Mitigation actions that an organization takes to defend against the risks that have been uncovered during due diligence

Answer 33

Due Care

Question 34

A legal term that refers to how an organization must respect and safeguard personnel’s rights.

Answer 34

Due Process

Question 35

A process that integrates security and risk management activities into the system development life cycle through an approach to security control selection and specification that considers effectiveness, efficiency, and constraints due to applicable laws, directives, executive orders, policies, standards, or regulations.

Answer 35

Risk Management Framework (RMF)

Question 36

A set of industry standards and best practices created by NIST to help organizations manage cybersecurity risks.

Answer 36

Cybersecurity Framework (CSF)

Question 37

An international standard that details requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS).

Answer 37

ISO 27001

Question 38

An international standard that provides best practice recommendations on information security controls for use by those responsible for initiating, implementing or maintaining information security management systems (ISMS).

Answer 38

ISO 27002

Question 39

An international standard that acts as a privacy extension to the ISO 27001 to enhance the existing Information Security Management System (ISMS) with additional requirements in order to establish, implement, maintain, and continually improve a Privacy Information Management System (PIMS).

Answer 39

ISO 27701

Question 40

An international standard for enterprise risk management that provides a universally recognized paradigm for practitioners and companies employing risk management processes to replace existing standards, methodologies and paradigms that different between industries, subject, matters, and regions.

Answer 40

ISO 31000

Question 41

A suite of reports produced during on audit which is used by service organizations to issue validation reports of internal controls over those information systems to the users of those services.

Answer 41

System and Organization Controls (SOC)

Question 42

Designed to provide fundamentals security principles to guide cloud customers in assessing the overall security risk of a cloud provider.

Answer 42

Cloud Control Mix (CMM)

Question 43

A methodology and a set of tools that enable security architects, enterprise architectures and risk management professionals to leverage a common set of solutions that fulfill their common needs to be able to assess where their internal IT and their cloud providers are in terms of security capabilities and to plan a roadmap to meet the security needs of their business.

Answer 43

Cloud Security Alliance’s Reference Architecture (CSARA)