Section 30: Policies and Procedures

Question 1

Data Owner

Answer 1

Responsible for labeling the asset and ensuring that it is protected with appropriate controls

Question 2

Data Steward

Answer 2

A role focused on the quality of the data and associated metadata. Works for the data owner.

Question 3

Data Custodian

Answer 3

A role responsible for handling the management of the system on which the data assets are stored.

Question 4

Privacy Officer

Answer 4

A role responsible for the oversight of any PII, etc. assets managed by the company

Question 5

SOX

Answer 5

Affects publicly traded US corporations and requires certain accounting methods and financial reporting requirements

Question 6

GLBA

Answer 6

Act that affects financial institutions and PII.

Question 7

FISMA Act of 2002

Answer 7

All about cybersecurity and to create more across the federal government.

Question 8

PCI DSS

Answer 8

Contractual obligation if you want to be in compliance for payments

Question 9

Deidentification

Answer 9

Methods and technologies that remove identifying information from data before it is distributed

Question 10

Data Masking

Answer 10

placing generic labels in place of the real stuff. It’s like covering it up

Question 11

Tokenization

Answer 11

A deidentification method where a unique token is substituted for real data

Question 12

Acceptable Use Policy

Answer 12

Defines the rules that restrict how a computer, network, or other systems may be used

Question 13

Change Management Policy

Answer 13

Defines the structured way of changing the state of a computer system, network, or IT procedure

Question 14

Separation of Duties

Answer 14

Sort of like a checks and balances system where you separate out different things so one person doesn’t have to much power

Question 15

Job Rotation

Answer 15

Different users are trained to perform the tasks of the same position to help prevent and identify fraud that could occur if only one employee had the job

Question 16

Due Care

Answer 16

Mitigation actions that an organization takes to defend against the risks that have been uncovered during due diligence.

Question 17

Due Process

Answer 17

A legal term that refers to how an organization must respect and safeguard personnel’s rights

Question 18

Security Awareness Training

Answer 18

Used to reinforce to users the importance of their help in securing the organization’s information

Question 19

Security Training

Answer 19

Used to teach the organization’s personnel the skills they need to perform their job in a more secure manner (more general in nature)

Question 20

Memorandum of Understanding (MOU)

Answer 20

Formal version of a gentleman’s agreement, except people sign it. Letter of intent.

Question 21

Service-Level Agreement (SLA)

Answer 21

An agreement concerned with the ability to support and respond to problems within a given timeframe and continuing to provide the agreed upon level of service to the user

Question 22

Five steps of Disposal

Answer 22

define what equipment will be disposed

pick a place for it to live

analyze equipment and what’s going to be done with it

sanitize the drives, etc.

Throw away or recycle the device

Question 23

Five steps of Disposal

Answer 23

define what equipment will be disposed

pick a place for it to live

analyze equipment and what’s going to be done with it

sanitize the drives, etc.

Throw away or recycle the device

Question 24

Center for Internet Security (CIS)

Answer 24

Tells us “What are the things we should be using in order to be up to snuff for security?”

Question 25

Risk Management Framework (RMF)

Answer 25

A process that integrates security and risk management activities into the system development life cycle through an approach to security control selection and specification.

Question 26

Cybersecurity Framework 5 steps

Answer 26

Identify

Protect

Detect

Respond

Recover

Question 27

ISO 27001

Answer 27

An international standard basic cybersecurity framework