Section 30 - Policies and Procedures Flashcards
Policies are one part of a larger concept known as…?
IT governance
What is IT governance?
It provides a comprehensive security management framework for the organization to build on.
How do you apply IT governance?
By using:
- Policies
- Standards
- Baselines
- Guidelines
- Procedures
- Information Classification
- Lifecycle
What are “policies”?
These define the role of security inside an organization and establish the desired end state for the security program.
*** This is usually provided by senior management and clarifies the level to which the company is going to enforce security.
Policies tend to be very broad and they provide the basic foundation upon which is going to be built?
Standards
Baselines
Guidelines
Procedures
Security policies are built to fill in one of three levels. What are these levels called?
Organizational
System-specific
Issue-specific
What are organizational security policies?
These provide direction and goals. They give you the framework to meet the business goals and define the roles, responsibilities and terms associated with it.
What are system-specific policies?
These address the security of a specific technology, application, network or computer system.
*** These are very technical and focus on protecting a certain system or piece of technology.
What are issue-specific policies?
These are built to address a specific security issue such as email privacy, employee termination procedures, etc.
Policies can be further separated down into one of three categories inside of information security. What are these categories called?
Regulatory
Advisory
Informative
What are regulatory policies?
These address mandatory standards and laws that are going to affect the organization.
What are advisory policies?
These provide guidance on what is and what is not considered an acceptable activity.
*** The most common type of this policy is an AUP (acceptable use policy), which tells employees what they can/can’t do on a network.
What are informative policies?
This focuses on a certain topic and it’s designed to be educational.
What are “standards”?
These are used to implement a policy in an organization.
This includes things like mandatory actions, steps or rules that are needed to achieve the desired level of security.
What are “baselines”?
These are created as reference points.
They are used to document any kind of system so you can look back later and compare against it for analysis.
What is a “guideline”?
These are not required actions but they are recommended ones.
For this reason, they tend to be flexible.
What are “procedures”?
Detailed step-by-step instructions created to ensure personnel can perform a given action.
*** This is where your policies turn into actionable steps.
What is an important distinction to remember between a procedure and a policy?
A policy gives generic guidance to the organization.
A procedure is very specific.
What is data classification based on?
The value to the organization and the sensitivity of that information if it’s disclosed.
Who decides the level of data classification?
The data owner
What is considered sensitive data?
Any information that can result in the loss of security or loss of advantage to a company, especially if it’s accessed by unauthorized persons.
There are two different classification schemes that are normally used by organizations. This is based on whether…?
you’re a commercial business or a governmental one
If you are a commercial business, you will use one of four potential classification levels. These are…?
These go from lowest to highest:
Public
Sensitive
Private
Confidential
What is commercial public data?
Data that would have no impact on your company if it were released.
*** This is usually information that’s posted to your website and other platforms.
What is commercial sensitive data?
Might have a minimal impact if released.
*** Such as financial data.
What is commercial private data?
This is data that customers or those outside of a business do not need access to.
*** Such as personnel records, salary information, etc.
What is commercial confidential data?
This would seriously affect the business if disclosed.
This contains items such as trade secrets, intellectual property data, source code, etc.
What are the five different classification levels for the government?
Unclassified
Sensitive but unclassified
Confidential
Secret
Top Secret
What is unclassified government data?
Generally can be released to the public, either in general or under the Freedom of Information Act.
What is sensitive but unclassified government data?
This includes things like medical records, personnel files and other things that won’t hurt national security but would impact those whose data is held inside of it.
What is confidential government data?
Includes data such as trade secrets and other information that could seriously affect the government if unauthorized disclosure were to happen.
What is secret government data?
This includes things like military deployment data, defensive postures and other information that could seriously damage national security if disclosure were to happen.
What is the difference between secret and confidential government data?
Confidential - would seriously affect us
Secret - would seriously damage us
What is top secret government data?
This includes things like weapon system blueprints or other information that would gravely damage national security
What is data ownership?
This is the process of identifying the person responsible for the confidentiality, integrity, availability and privacy of the information assets.
In an enterprise environment, there are different roles that fall under this idea of data ownership. This includes…?
Data Owner
Data Steward
Data Custodian
Privacy Officer
What is the data owner role?
A senior executive with the ultimate responsibility for maintaining the CIA of the information asset.
What is the data steward role?
They are focused on the quality of the data and the associated metadata.
*** They make sure that the data is appropriately labeled and classified
What is the data custodian role?
They are responsible for handling the management of the system on which the data assets are stored.
*** These are the system administrators who enforce the access control, the encryption, the backup and recovery measures, etc.
What is the privacy officer role?
They are responsible for the oversight of any kind of privacy-related data.
*** Things like PII, SPI or PHI.
What does PII stand for?
Personally Identifiable Information
If a piece of data can be used either by itself or in combination with some other piece of data to identify a singular person, then it’s considered…?
PII
*** For example, your name, driver’s license number, Social Security number, date of birth, etc.
What is the Federal Privacy Act of 1974?
A law designed to help protect against the disclosure of data, including PII and PHI.
This affects any U.S. government computer system that collects, stores, uses or disseminates PII, so it applies if you work for the government or a contractor.
What is HIPAA?
HIPAA is the Health Insurance Portability and Accountability Act and it affects health care providers, facilities, insurance companies, and other medical data clearinghouses. If your organization is processing or storing medical data, you’re likely going to be affected by HIPAA. It’s enforced by the Department of Health and Human Services in the United States and it provides you with the standards and procedures that have to be used, at a minimum, for storing, using, and transmitting medical information and healthcare data.
What is SOX?
Sarbanes-Oxley
This was originally enacted by Congress back in 2002 as the Public Company Accounting Reform and Investor Protection Act of 2002, but you’re almost always going to hear it referred to as SOX or Sarbanes-Oxley. If your organization is a publicly-traded U.S. corporation, it’s affected by this regulation and has to follow certain accounting methods and financial reporting requirements. The important thing to keep in mind with Sarbanes-Oxley is that if you fail to follow it, your senior leadership, like your CEO, can actually receive jail time for it.
So Sarbanes-Oxley is a big deal, and all of those accounting methods and financial reports are data stored on your IT systems, so you’re going to get involved with this as an IT professional.
What is GLBA?
Gramm-Leach-Bliley Act of 1999
This affects banks, mortgage companies, loan offices, insurance companies, investment companies, and credit card providers. Basically, if you work for a financial institution, this is going to affect you. GLBA directly affects the security of personally identifiable information: it prohibits sharing of financial information with any third parties and it also provides guidelines for securing that financial information.
What is FISMA?
Federal Information System Security Management Act
Requires each agency in the government to develop, document and implement an agency-wide information systems security program to help protect its data.
What is PCI DSS?
Payment Card Industry Data Security Standard
This is an agreement that any organization that collects, stores, or processes credit card information for a customer has to follow.
*** This is not a law or regulation but a contractual obligation. An annual external audit must be performed to maintain compliance.
What is HAVA?
Help America Vote Act of 2002
Designed to help replace the old punch card voting machines that we used, and it provides regulations that govern the security, confidentiality and integrity of personal information that’s collected, stored or processed during the election process.
What is SB 1386?
Created in 2003, it requires any California business that stores computerized personal information to immediately disclose any breach of security that it becomes aware of.
When thinking about the CIA triad, what do each of these align to?
Confidentiality = encryption
Integrity = hashing
Availability = Redundancy
When we talk about security controls, we are focusing on what attributes of the processing system?
CIA
*** So if you say data is encrypted, that is a security protocol providing confidentiality. If something is hashed, then you have integrity of it, which is also security.
When we talk about privacy, we’re talking about a ___ ___ ___ that arises when you’re collecting and processing personal data to ensure the rights of the subject’s data.
data governance requirement
*** If I collect information from you, like your name, email or credit card info, I have an obligation to keep that private.
What is GDPR?
General Data Protection Regulation
This says that personal data cannot be collected, processed, or retained without the individual’s informed consent.
*** This is a law in Europe.
What does “informed consent” mean?
This means that the data must be collected and processed only for the stated purpose and that purpose must be clearly described to the user in plain language, not legalese.
This also gives users the right to withdraw consent at any time, in addition to inspecting, amending and erasing data that’s held about them (AKA the “right to be forgotten”).
What are some technologies we can use to help ensure the privacy of our customers?
De-identification
What is “de-identification”?
These are the methods and technologies that remove identifying information from data before we distribute that data.
*** This is useful because once data is de-identified you can use it again for other purposes.
What are some concepts that fall under the idea of “de-identification”?
Data Masking
Tokenization
Aggregation and Banding
Re-identification
What is data masking?
A de-identification method where a generic or placeholder label is substituted for real data while preserving the structure or format of the original data.
*** An example of this is when you give your credit card information to someone and they mask those numbers with XXX’s to provide privacy (think of banking info.) This is simply covering up data.
What is “tokenization”?
This is using another number to represent the information.
*** If someone were to go into a database and look up your social, it would just be a made-up number.
What is “aggregation and banding”?
This is where you de-identify people by gathering the data and generalizing it to protect the individuals involved.
*** For example, if you were a subject in a medical trial, instead of identifying you individually they would say “out of 100 people who participated, 90% didn’t have side effects.”
What is “re-identification”?
This is an attack that combines de-identified data sets with other data resources, things that you know, to discover how secure the de-identification method is.
*** For example, taking a survey that asks how old you are, what your marital status is, and what your gender is. This information can help narrow down who that person is later on.
What is an “organization’s privacy policy”?
This privacy policy governs the labeling of data to ensure that all employees understand what data they’re looking at and how to handle it.
What is AUP?
Acceptable Use Policy
This policy is used to define the rules that restrict how computer, network, or other systems can be used.
*** For example, your company might have a policy that states you can’t use the internet to browse porn sites while at work. Then, based on this policy, the security team can monitor your website requests at the proxy.
What is “change management”?
This is a policy that provides a structured way of changing the state of a computer system, network or IT procedure.
*** So once you have created a good baseline, you can control the configuration changes made to it through change management.
What is “separation of duties”?
This is a preventative type of administrative control that is designed to prevent fraud and abuse by distributing various tasks and approval authorities across a number of different users.
*** For example, you may have access to request a check be sent to an employee but you couldn’t also approve that same request. It would have to go to someone else to approve.
There is a specific type of separation of duties called ___ ___, where both people have to be present at the same time to do it.
dual control
Another type of separation of duties is known as ___ ___. This occurs when two people each have half the knowledge of how to do something.
split knowledge
This policy is a detective type of administrative control. Different users are trained to perform the tasks of the same position in order to prevent and identify fraud that could occur if one employee had the job the entire time to themselves.
job rotation
*** Because multiple users can do the same job, they are able to rotate different people through it.
What is “due diligence”?
Ensuring the IT infrastructure risks are known and managed properly.
How is due diligence achieved?
By conducting proper risk assessment and risk management activities.
What is “due care”?
The mitigation actions that an organization takes to defend itself against risks that have been identified during due diligence.
What is “due process”?
A legal term that refers to how an organization must respect and safeguard personnel’s rights.
*** For the exam, think about this as something used to protect a person from the government, but it can also protect your organization from frivolous lawsuits.
When it comes to user training, what are the three different terms you should know?
Security Awareness Training
Security Training
Security Education
What is security awareness training?
This is used to reinforce the importance of having users help you secure the organization’s valuable resources.
*** This includes educating your end users on the current threats facing the organization, phishing campaigns, how to protect passwords and what to do in the event of an incident. All employees should do this at least annually.
What is security training?
This is used to teach the organization’s personnel the skills they need to perform their job in a more secure manner.
*** This is focused on IT staff and administrators and other technical employees.
What is security education?
This is more general in nature. It is designed for IT professionals to gain more expertise to better manage the security programs at their organizations but it’s less procedural and more generalized.
Whenever you’re dealing with vendors, you’re going to need to have some agreements in place. List some examples of these.
NDAs
MOUs
SLAs
ISAs
BPAs
What is an NDA?
Non-disclosure agreement
Agreement between two parties that defines what data is considered confidential and can’t be shared outside of that relationship.
This is an administrative control that is legally binding.
What is an MOU?
Memorandum of Understanding
Non-binding agreement between two or more organizations detailing the common line of action they intend to take.
*** Often referred to as a letter of intent. It is a kind of formality for the agreement that was made, which means it is not legally binding.
What is an SLA?
Service Level Agreement
This agreement is concerned with the ability to support and respond to problems within a given time frame while providing the agreed-upon level of service to the user.
*** This outlines the responsibilities, guarantees and warranties for a given service and its components. You will often see these with your ISP when providing you a modem. Their SLA outlines their agreements to you.
What is an ISA?
Interconnection Service Agreement
This is an agreement that allows the owners and operators of two IT systems to document what technical requirements each organization has to meet.
*** This is an agreement that focuses on connecting two systems from two different organizations.
What is a BPA?
Business Partner Agreement
This is conducted between two business partners and establishes the conditions of their relationship.
*** Things like each party’s responsibilities, their revenue, and system and data sharing details.
What is a “degaussing process”?
Exposes a hard drive to a powerful magnetic field, which causes the previously written data to be wiped from the drive so the drive becomes blank again.
How does “purging” work?
Also known as sanitizing, this is the act of removing data in such a way that it cannot be reconstructed using any known forensic techniques.
What is a “clearing” technique?
The removal of data with a certain amount of assurance that it can’t be reconstructed.
*** This can be recovered with forensics.
What are five enterprise security architecture frameworks?
SABSA
COBIT
NIST Special Publication 800-54
ISO 27000 Series
ITIL
What is SABSA?
An enterprise security architecture framework
Sherwood Applied Business Security Architecture
A risk-driven architecture that seeks to consider the security problem by thinking about the what, where, when, why, who and how of a problem.
They think about it as it intersects with six different layers: operational, component, physical, logical, conceptual and contextual.
What is COBIT?
An enterprise security architecture framework
Control Objectives for Information and Related Technology
A security control development framework that divides IT into four domains:
Plan and Organize
Acquire and Implement
Deliver and Support
Monitor and Evaluate
What is the NIST Special Publication 800-54?
A security protocol framework developed by the US Department of Commerce. Each control is placed into one of three categories:
Technical
Operational
Management
What is the ISO 27000 series?
An international framework for information security standards
What is ITIL?
A framework that used to be known as the IT Infrastructure Library because it was focused on service operations and security of our networks.
It is now ITIL 4.
*** It now does things like running servers for organizations.
What is the de facto standard for IT service management?
ITIL 4
What should you know on the exam in regards to frameworks?
That they are a basis for our policies, our procedures and our standards.
What is CIS?
Center for Internet Security
Creates a framework based on consensus-developed secure configuration guidelines for hardening, known as benchmarks, as well as prescriptive, prioritized and simplified sets of cybersecurity best practices, known as configuration guides.
*** This will be on the CompTIA test.
What is a CIS benchmark?
Step-by-step instructions for hardening your devices.
What is RMF?
Risk Management Framework
Integrates security and risk management activities into the system development lifecycle early on. This gives us an approach to security control selection and specification that considers effectiveness, efficiency and the constraints imposed by different laws, directives, executive orders, policies, standards and regulations.
*** Developed for the federal government’s use.
What should you know for the exam when it comes to the Risk Management Framework?
It is made by NIST and it’s used in federal government systems.
What are the frameworks made by NIST?
RMF - Risk Management Framework
CSF - Cybersecurity Framework
What is CSF?
Cybersecurity Framework
This is a set of industry standards and best practices created by NIST to help organizations manage their cybersecurity risks.
Often times, CSF and RMF work together inside of an organization. True or False?
True
What are the five category functions of CSF?
Identify
Protect
Detect
Respond
Recover
What is ISO 27001?
A standard from the International Organization for Standardization.
It details the requirements for establishing, implementing, maintaining, and continually improving an information security management system, or ISMS.
*** For the test, it is important to know that it is a basic procedure for cybersecurity and is an international standard.
What is ISO 27002?
Again, an international standard, and it provides best practice recommendations on information security controls for use by those responsible for initiating, implementing, or maintaining ISMSs.
Usually, ISO 27001 and 27002 work together. True or False?
True
27001 - the requirements for establishing and maintaining these systems.
27002 - specifically the controls that we’re going to choose to protect those systems.
What is ISO 27701?
Another international standard that acts as a privacy extension to ISO 27001.
It enhances the existing ISMS with additional requirements in order to establish, implement, maintain and continually improve privacy information management systems.
*** This basically adds controls to protect those systems.
What is ISO 31000?
An international standard for enterprise risk management. It provides a universally recognized paradigm for practitioners and companies to employ risk management processes, replacing the myriad of existing standards, methodologies and paradigms that differed between industries.
*** This takes how RMF is used in the US and tries to do it globally. They want everyone to use the same risk management framework.
What is SOC?
System and Organization Controls
A suite of reports that are produced during an audit.
Used by service organizations to issue validated reports of internal controls over those information systems to the users of those services.
What is SOC 2?
It is a trusted services criteria. (When you look at the manual for SOC, it tells you what those requirements are as part of that audit.)
What is SOC Type II?
This is going to address the operational effectiveness of the specified control over a given period of time. Usually, 9 to 12 months.
What is the Cloud Control Matrix?
This is a framework that’s designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a given cloud provider.
What is the Cloud Security Alliance?
A not-for-profit organization with the mission to “promote the use of best practices for providing security assurance within cloud computing, and to provide education on the uses of cloud computing to help secure all other forms of computing.”
What is the Reference Architecture?
This is a methodology and a set of tools that enable security architects, enterprise architects, and risk management professionals to leverage a common set of solutions that fulfill their common needs: to assess where their internal IT and their cloud providers are in terms of security capabilities, and to plan a roadmap to meet the security needs of their business.
*** Essentially, we’re saying… this is the thing we’re building towards, and this is how we want to build it to make sure it’s secure. Gives us the outline of what we want and how we want everything to match up.