Section 30 Policies and Procedures Flashcards
Defines the role of security in an organization and establishes the desired end state of the security program.
Policies
Provide a general direction and goals, a framework to meet the business goals, and define the roles, responsibilities, and terms.
Organizational Policies
Address the security needs of a specific technology, application, network, or computer system.
System Specific Policies
Category based on the value to the organization and the sensitivity of the information if it were to be disclosed.
Data Classification
Any information that can result in a loss of security, or loss of advantage to a company, if accessed by unauthorized persons.
Sensitive Data
Has no impact on the company if released and is often posted in the open-source environment.
Public Data
Contains data that should only be used within the organization.
Private Data
Highest classification level, containing trade secrets, intellectual property, source code, and other items that would seriously harm the business if disclosed.
Confidential Data
Items that wouldn’t hurt national security if released but could impact those whose data is contained in it.
Sensitive But Unclassified
The process of identifying the person responsible for the confidentiality, integrity, availability,
Data Ownership
A senior (executive) role with ultimate responsibility for maintaining the confidentiality, integrity, and availability of the information assets.
Data Owner
A role focused on the quality of the data and associated metadata.
Data Steward
A role responsible for handling the management of the system on which the data assets are stored.
Data Custodian
A role responsible for the oversight of any PII/SPI/PHI assets managed by the company.
Privacy Officer
A piece of data that can be used either by itself or in combination with some other pieces of data to identify a single person.
Personally Identifiable Information (PII)
Affects US government computer systems that collect, store, use, or disseminate personally identifiable information.
Privacy Act of 1974
Affects healthcare providers, facilities, insurance companies, and medical data clearinghouses.
Health Insurance Portability and Accountability Act (HIPAA)
Affects publicly traded US corporations and mandates certain accounting methods and financial reporting requirements.
Sarbanes-Oxley (SOX)
Affects banks, mortgage companies, loan offices, insurance companies, investment companies, and credit card providers.
Gramm-Leach-Bliley Act (GLBA)
Requires each agency to develop, document, and implement an agency-wide information system security program to protect its data.
Federal Information Security Management Act (FISMA) of 2002
Provides regulations that govern the security, confidentiality, and integrity of the personal information collected, stored, or processed during the election and voting process.
Help America Vote Act (HAVA) of 2002
A data governance requirement that arises when collecting and processing personal data, to ensure the rights of the data subject.
Privacy
Personal data cannot be collected, processed, or retained without the individual’s informed consent.
General Data Protection Regulation (GDPR)
Methods and technologies that remove identifying information from data before it is distributed.
Deidentification
A deidentification method where generic or placeholder labels are substituted for real data while preserving the structure or format of the original data.
Data Masking
A deidentification method where a unique token is substituted for real data.
Tokenization
A deidentification technique where data is generalized (for example, into ranges) to protect the individuals involved.
Aggregation/Banding
An attack that combines a deidentified dataset with other data sources to recover identities, revealing how secure the deidentification method is.
Reidentification
Defines the rules that restrict how a computer, network, or other systems may be used.
Acceptable Use Policy
Defines the structured way of changing the state of a computer system, network, or IT procedure.
Change Management Policy
Different users are trained to perform the tasks of the same position to help prevent and identify fraud that could occur if only one employee had the job.
Job Rotation
Dictates what needs to be done when an employee is hired, fired, or quits.
Onboarding and Offboarding Policy
Mitigation actions that an organization takes to defend against the risks that have been uncovered during due diligence.
Due Care
A legal term that refers to how an organization must respect and safeguard personnel’s rights.
Due Process
A process that integrates security and risk management activities into the system development life cycle through an approach to security control selection and specification that considers effectiveness, efficiency, and constraints due to applicable laws, directives, executive orders, policies, standards, or regulations.
Risk Management Framework (RMF)
A set of industry standards and best practices created by NIST to help organizations manage cybersecurity risks.
Cybersecurity Framework (CSF)
An international standard that details requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS).
ISO 27001
An international standard that provides best-practice recommendations on information security controls for use by those responsible for initiating, implementing, or maintaining information security management systems (ISMS).
ISO 27002
An international standard that acts as a privacy extension to the ISO 27001 to enhance the existing Information Security Management System (ISMS) with additional requirements in order to establish, implement, maintain, and continually improve a Privacy Information Management System (PIMS).
ISO 27701
An international standard for enterprise risk management that provides a universally recognized paradigm for practitioners and companies employing risk management processes, replacing existing standards, methodologies, and paradigms that differ between industries, subject matters, and regions.
ISO 31000
A suite of reports produced during an audit, which service organizations use to issue validation reports of internal controls over their information systems to the users of those services.
System and Organization Controls (SOC)
Designed to provide fundamental security principles to guide cloud customers in assessing the overall security risk of a cloud provider.
Cloud Controls Matrix (CCM)
A methodology and a set of tools that enable security architects, enterprise architects, and risk management professionals to leverage a common set of solutions that fulfill their common needs, so they can assess where their internal IT and their cloud providers stand in terms of security capabilities and plan a roadmap to meet the security needs of their business.
Cloud Security Alliance’s Reference Architecture (CSARA)