Section 30 - Policies and Procedures Flashcards

1
Q

Policies are one part of a larger concept known as…?

A

IT governance

2
Q

What is IT governance?

A

This provides a comprehensive security management framework for the organization to build on.

3
Q

How do you apply IT governance?

A

By using:

  1. Policies
  2. Standards
  3. Baselines
  4. Guidelines
  5. Procedures
  6. Information Classification
  7. Lifecycle
4
Q

What are “policies”?

A

These define the role of security inside an organization and establish the desired end state for that security program.

*** This is usually provided by senior management and clarifies the level to which the company is going to enforce security.

5
Q

Policies tend to be very broad and they provide the basic foundation upon which what is going to be built?

A

Standards
Baselines
Guidelines
Procedures

6
Q

Security policies are built to fall into one of three levels. What are these levels called?

A

Organizational
System-specific
Issue-specific

7
Q

What are organizational security policies?

A

These provide direction and goals. They give you the framework to meet the business goals and define the roles, responsibilities and terms associated with it.

8
Q

What are system-specific policies?

A

These address the security of a specific technology, application, network or computer system.

*** These are very technical and focus on protecting a certain piece of system or technology.

9
Q

What are issue-specific policies?

A

These are built to address a specific security issue such as email privacy, employee termination procedures, etc.

10
Q

Policies can be further broken down into one of three categories inside of information security. What are these categories called?

A

Regulatory
Advisory
Informative

11
Q

What are regulatory policies?

A

These address mandatory standards and laws that are going to affect the organization

12
Q

What are advisory policies?

A

These provide guidance on what is and what is not considered an acceptable activity

*** The most common type of this policy is called an AUP (acceptable use policy), which tells employees what they can and can’t do on a network.

13
Q

What are informative policies?

A

These focus on a certain topic and are designed to be educational.

14
Q

What are “standards”?

A

These are used to implement a policy in an organization

This includes things like mandatory actions, steps or rules that are needed to achieve the desired level of security

15
Q

What are “baselines”?

A

These are created as reference points

They are used to document any kind of system so you can look back later and compare it for analysis

16
Q

What is a “guideline”?

A

These are not required actions but they are recommended ones.

For this reason, they tend to be flexible.

17
Q

What are “procedures”?

A

A detailed step-by-step instruction that is created to ensure personnel can perform a given action

*** This is where your policies turn into actionable steps

18
Q

What is an important distinction to remember for procedure vs a policy?

A

A policy is something that gives you generic guidance to the organization

A procedure is very specific

19
Q

What is data classification based on?

A

The value to the organization and the sensitivity of that information if it’s going to be disclosed

20
Q

Who decides the level of data classification?

A

The data owner

21
Q

What is considered sensitive data?

A

Any information that can result in the loss of security or loss of advantage to a company, especially if it’s accessed by unauthorized persons.

22
Q

There are two different classification schemes that are normally used by organizations. This is based on whether…?

A

you’re a commercial business or a governmental one

23
Q

If you are a commercial business, you will use one of four potential classification levels. These are…?

A

These go from lowest to highest:

Public
Sensitive
Private
Confidential

24
Q

What is commercial public data?

A

Data that would have no impact to your company if it were released

*** This is usually information that’s posted to your website and other platforms

25
Q

What is commercial sensitive data?

A

Might have a minimal impact if released

** Such as financial data

26
Q

What is commercial private data?

A

This is data that customers or those outside of a business do not need access to.

*** Such as personnel records, salary information, etc.

27
Q

What is commercial confidential data?

A

This would seriously affect the business if disclosed.

This contains items such as trade secrets, intellectual property data, source code, etc.

28
Q

What are the five different classification levels for the government?

A

Unclassified
Sensitive but unclassified
Confidential
Secret
Top Secret

29
Q

What is unclassified government data?

A

Generally can be released to the public, either in general or under the Freedom of Information Act

30
Q

What is sensitive but unclassified government data?

A

This includes things like medical records, personnel files and other things that won’t hurt national security but would impact those whose data was being used inside of it

31
Q

What is confidential government data?

A

Includes data such as trade secrets and other information that can seriously affect the government if unauthorized disclosure were to happen

32
Q

What is secret government data?

A

This includes things like military deployment data, defensive postures and other information that could seriously damage national security if disclosure were to happen.

33
Q

What is the difference between secret and confidential government data?

A

Confidential - would seriously affect us

Secret - would seriously damage us

34
Q

What is top secret government data?

A

This includes things like weapon system blueprints or other information that would gravely damage national security

35
Q

What is data ownership?

A

This is the process of identifying the person responsible for the confidentiality, integrity, availability and privacy of the information assets.

36
Q

In an enterprise environment, there are different roles that fall under this idea of data ownership. This includes…?

A

Data Owner
Data Steward
Data Custodian
Privacy Officer

37
Q

What is the data owner role?

A

A senior executive with the ultimate responsibility for maintaining the CIA of the information asset

38
Q

What is the data steward role?

A

They are focused on the quality of the data and the associated metadata

*** They make sure that the data is appropriately labeled and classified

39
Q

What is the data custodian role?

A

They are responsible for handling the management of the system on which the data assets are stored

*** These are the system administrators who enforce the access control, the encryption, the back up and recovery measures, etc.

40
Q

What is the privacy officer role?

A

They are responsible for the oversight of any kind of privacy-related data

*** Things like PII, SPI or PHI

41
Q

What does PII stand for?

A

Personally Identifiable Information

42
Q

If a piece of data can be used either by itself or in combination with some other piece of data to identify a singular person, then it’s considered…?

A

PII

*** your name, driver’s license number, social security, date of birth, etc.

43
Q

What is the Federal Privacy Act of 1974?

A

A law designed to help protect against the disclosure of data, including PII and PHI.

This affects any U.S. government computer system that affects, stores, uses or disseminates PII, which includes you if you work for the government or for a contractor.

44
Q

What is HIPAA?

A

HIPAA is the Health Insurance Portability and Accountability Act and it affects health care providers, facilities, insurance companies, and other medical data clearinghouses. If your organization is processing or storing medical data, you’re likely going to be affected by HIPAA. It’s enforced by the Department of Health and Human Services in the United States and it provides you with the standards and procedures that have to be used, at a minimum, for storing, using, and transmitting medical information and healthcare data.

45
Q

What is SOX?

A

Sarbanes-Oxley

This was originally enacted by Congress back in 2002 as the Public Company Accounting Reform and Investor Protection Act of 2002, but you’re almost always going to hear it referred to as SOX or Sarbanes-Oxley. If your organization is a publicly-traded U.S. corporation, it’s affected by this regulation and it has to follow certain accounting methods and financial reporting requirements. Now, the important thing to keep in mind with Sarbanes-Oxley is that if you fail to follow it, your senior leadership, like your CEO, can actually receive jail time for it.

So, Sarbanes-Oxley is a big deal, and all of those accounting methods and financial reporting, that’s all data that’s being stored on your IT systems, so you’re going to get involved with this as an IT professional.

46
Q

What is GLBA?

A

Gramm-Leach-Bliley Act of 1999

Now, this affects banks, mortgage companies, loan offices, insurance companies, investment companies, and credit card providers. Basically, if you work for a financial institution, this is going to affect you. GLBA directly affects the security of personally identifiable information; it prohibits sharing of financial information with any third parties and it also provides guidelines for securing that financial information.

47
Q

What is FISMA?

A

Federal Information System Security Management Act

Requires each agency in the government to develop, document and implement an agency-wide information systems security program to help protect their data.

48
Q

What is PCI DSS?

A

Payment Card Industry Data Security Standard

This is an agreement that any organization who collects, stores, or processes credit card information for a customer has to follow.

*** This is not a law or regulation but a contractual obligation. An annual external audit must be performed to maintain compliance.

49
Q

What is HAVA?

A

Help America Vote Act of 2002

Designed to help replace the old punch-card voting machines that we used, and it provides regulations that govern the security, confidentiality and integrity of personal information that’s collected, stored or processed during the election process.

50
Q

What is SB 1386?

A

Created in 2003, it requires any California business that stores computerized personal information to immediately disclose any breach of security that it becomes aware of.

51
Q

When thinking about the CIA triad, what do each of these align to?

A

Confidentiality = encryption

Integrity = hashing

Availability = Redundancy

52
Q

When we talk about security controls, we are focusing on what attributes of the processing system?

A

CIA

*** So if you say data is encrypted, this is a security protocol. This is confidentiality. If something is hashed, then you have integrity of it which is also security.

53
Q

When we talk about privacy, we’re talking about a ___ ___ ___ that arises when you’re collecting and processing personal data to ensure the rights of the subject’s data.

A

data governance requirement

*** If I collect information from you, like your name, email or credit card info I have an obligation to keep that private.

54
Q

What is GDPR?

A

General Data Protection Regulation

This says that personal data cannot be collected, processed, or retained without the individual’s informed consent.

*** This is a law inside of Europe

55
Q

What does “informed consent” mean?

A

This means that the data must be collected and processed only for the stated purpose and that purpose must be clearly described to the user in plain language, not legalese.

This also gives users the right to withdraw consent at any time, in addition to inspecting, amending and erasing data that’s held about them (AKA the “right to be forgotten”).

56
Q

What are some technologies we can use to help ensure the privacy of our customers?

A

De-identification

57
Q

What is “de-identification”?

A

These are the methods and technologies that remove identifying information from data before we distribute that data.

*** This is useful because once data is de-identified you can use it again for other purposes.

58
Q

What are some concepts that fall under the idea of “de-identification”?

A

Data Masking

Tokenization

Aggregation and Banding

Re-identification

59
Q

What is data masking?

A

A de-identification method used where a generic or placeholder label is substituted in for real data while preserving the structure or format of the original data

*** An example of this is when you give your credit card information to someone and they mask those numbers with XXX’s to provide privacy (think of banking info.) This is simply covering up data.

60
Q

What is “tokenization”?

A

This is using another number to represent the information

*** If someone were to go into a database and look up your social, it would just be a made-up number.

61
Q

What is “aggregation and banding”?

A

This is where you de-identify people by gathering the data and generalizing it to protect the individuals involved.

*** For example, if you were a subject in a medical trial, instead of identifying you individually they would say “out of 100 people who participated, 90% didn’t have side effects.”

62
Q

What is “re-identification”?

A

This is an attack that combines de-identified data sets with other data resources, things that you know, to discover how secure the de-identification method is.

** For example, taking a survey that asks how old you are, what your marital status is, what your gender is. This information can help narrow down who that person is later on.

63
Q

What is an “organization’s privacy policy”?

A

This privacy policy governs the labeling of data to ensure that all employees understand what data they’re looking at and handling.

64
Q

What is AUP?

A

Acceptable Use Policy

This policy is used to define the rules for, and restrictions on, how computers, networks, or other systems can be used.

** For example, your company might have a policy that states you can’t use the internet to browse porn sites while at work. Then based on this policy, the security team can monitor your website requests at the proxy.

65
Q

What is “change management”?

A

This is a policy that defines a structured way of changing the state of a computer system, network or IT procedure.

*** So once you have created a good baseline, you can control the configuration changes to be made to that through change management.

66
Q

What is “separation of duties”?

A

This is a preventative type of administrative control that is designed to prevent fraud and abuse by distributing various tasks and approval authorities across a number of different users.

*** For example, you may have access to request a check be sent to an employee but you couldn’t also approve that same request. It would have to go to someone else to approve.

67
Q

There is a specific type of separation of duties called ___ ___, where both people have to be present at the same time to do it.

A

dual control

68
Q

Another type of separation of duties is known as ___ ___. This occurs when two people each have half the knowledge of how to do something.

A

Split knowledge

69
Q

This policy is a detective type of administrative control. Different users are trained to perform the tasks of the same position in order to prevent and identify fraud that could occur if one employee held the job the entire time by themselves.

A

job rotation

*** Because multiple users can do the same job, they are able to rotate different people through it.

70
Q

What is “due diligence”?

A

Ensuring the IT infrastructure risks are known and managed properly.

71
Q

How is due diligence achieved?

A

By conducting proper risk assessment and risk management activities

72
Q

What is “due care”?

A

The mitigation actions that an organization takes to defend itself against risks that have been identified during due diligence.

73
Q

What is “due process”?

A

A legal term that refers to how an organization must respect and safeguard personnel’s rights.

** For the exam, think about this as something used to protect a person from the government, but it can also protect your organization from frivolous lawsuits.

74
Q

When it comes to user training, what are the three different terms you should know?

A

Security Awareness Training

Security Training

Security Education

75
Q

What is security awareness training?

A

This is used to reinforce the importance of having users help you secure the organization’s valuable resources.

*** This includes educating your end users on the current threats facing the organization, phishing campaigns, how to protect passwords and what to do in an event. All employees should do this at least annually.

76
Q

What is security training?

A

This is used to teach the organization’s personnel the skills they need to perform their job in a more secure manner.

*** This is focused on IT staff and administrators and other technical employees.

77
Q

What is security education?

A

This is more general in nature. It is designed for IT professionals to gain more expertise to better manage the security programs at their organizations but it’s less procedural and more generalized.

78
Q

Whenever you’re dealing with vendors, you’re going to need to have some agreements in place. List some examples of these.

A

NDAs
MOUs
SLAs
ISAs
BPAs

79
Q

What is an NDA?

A

Non-disclosure agreement

An agreement between two parties that defines what data is considered confidential and can’t be shared outside of that relationship.

This is an administrative control that is legally binding.

80
Q

What is an MOU?

A

Memorandum of Understanding

Non-binding agreement between two or more organizations to detail what common line of action they’re intending to take.

*** Often referred to as a letter of intent. It is a kind of formality to the agreement that was made. This means it is not legally binding.

81
Q

What is an SLA?

A

Service Level Agreement

This agreement is concerned with the ability to support and respond to problems within a given time frame while providing the agreed-upon level of service to the user.

*** This outlines the responsibilities, guarantees and warranties for a given service and its components. You will often see these with your ISP when providing you a modem. Their SLA outlines their agreements to you.

82
Q

What is an ISA?

A

Interconnection Service Agreement

This is an agreement that allows the owners and operators of the two IT systems to document what technical requirements each organization has to meet

*** This is an agreement that focuses on connecting two systems from two different organizations

83
Q

What is a BPA?

A

Business Partner Agreement

This is conducted between two business partners that establishes the conditions of their relationship

*** things like each person’s responsibility, their revenue, system and data sharing details.

84
Q

What is a “degaussing process”

A

Exposes a hard drive to a powerful magnetic field; this causes the previously written data to be wiped from the drive and the drive becomes blank again.

85
Q

How does “purging” work?

A

Also known as sanitizing, this is the act of removing data in such a way that it cannot be reconstructed using any known forensic techniques.

86
Q

What is a “clearing” technique?

A

The removal of data with a certain amount of assurance that it can’t be reconstructed.

*** this can be recovered with forensics

87
Q

What are five enterprise security architecture frameworks?

A

SABSA

COBIT

NIST Special Publication 800-54

ISO 27000 Series

ITIL

88
Q

What is SABSA?

A

An enterprise security architecture framework

Sherwood Applied Business Security Architecture

A risk-driven architecture that seeks to consider the security problem by thinking about the what, where, when, why, who and how of a problem.

They think about it as it intersects with six different layers: operational, component, physical, logical, conceptual and contextual.

89
Q

What is COBIT?

A

An enterprise security architecture framework

Control Objectives for Information and Related Technology

A security control development framework that divides IT into four domains:

Plan and Organize
Acquire and Implement
Deliver and Support
Monitor and Evaluate

90
Q

What is the NIST Special Publication 800-54?

A

A security protocol framework developed by the US Department of Commerce. Each control is placed into one of three categories:

Technical
Operational
Management

91
Q

What is the ISO 27000 series?

A

An international framework for information security standards

92
Q

What is ITIL?

A

A framework that used to be known as the IT Infrastructure Library because it was focused on service operations and security of our networks.

It is now ITIL 4

** It now does things like running servers for organizations

93
Q

What is the de facto standard for IT service management?

A

ITIL 4

94
Q

What should you know on the exam in regards to frameworks?

A

That they are a basis for our policies, our procedures and our standards.

95
Q

What is CIS?

A

Center for Internet Security

Creates a framework that’s based on consensus-developed secure configuration guidelines for hardening, known as benchmarks, as well as prescriptive, prioritized and simplified sets of cybersecurity best practices, known as configuration guides.

*** This will be on the CompTIA test

96
Q

What is a CIS benchmark?

A

Step by step instruction for hardening your devices

97
Q

What is RMF?

A

Risk Management Framework

Integrates security and risk management activities into the system development lifecycle early on. It is an approach to security control selection and specification that considers effectiveness, efficiency and the constraints imposed by the different laws, directives, executive orders, policies, standards and regulations.

*** Developed for the federal government’s use.

98
Q

What should you know for the exam when it comes to the Risk Management Framework?

A

It is made by NIST and it’s used in federal government systems

99
Q

What are the frameworks made by NIST?

A

RMF - Risk Management Framework

CSF - Cybersecurity Framework

100
Q

What is CSF?

A

Cybersecurity Framework

This is a set of industry standards and best practices created by NIST to help organizations manage their cybersecurity risks.

101
Q

Often times, CSF and RMF work together inside of an organization. True or False?

A

True

102
Q

What are the five category functions of CSF?

A

Identify
Protect
Detect
Respond
Recover

103
Q

What is ISO 27001?

A

An international organization for standardization

It details the requirements for establishing, implementing, maintaining, and continually improving an information security management system, or ISMS.

*** For the test, it is important to know that it is a basic procedure for cybersecurity and is an international standard.

104
Q

What is ISO 27002?

A

Again, an international standard and it provides best practice recommendations on information security controls for use for those responsible for initiating, implementing, or maintaining ISMSs.

105
Q

Usually, ISO 27001 and 27002 work together. True or False?

A

True

27001 - we’re talking about the requirements for establishing and maintaining these systems

27002 - we’re specifically talking about the controls that we’re going to choose to protect those systems

106
Q

What is ISO 27701?

A

Another international standard that acts as a privacy extension to the ISO 27001.

Enhances the existing ISMS with additional requirements in order to establish, implement, maintain and continually improve privacy information management systems.

*** this basically adds controls to protect those systems

107
Q

What is ISO 31000?

A

An international standard for enterprise risk management; it provides a universally recognized paradigm for practitioners and companies to employ risk management processes, replacing the myriad of existing standards, methodologies and paradigms that differed between industries.

*** This takes how RMF is used in the US and tries to do it globally. They want everyone to use the same risk management framework.

108
Q

What is SOC?

A

System and Organization Controls

A suite of reports that are going to be produced during an audit.

Used by service organizations to issue validated reports of internal controls over those information systems to the users of those services

109
Q

What is SOC 2?

A

It is a trusted services criteria. (When you go and look at the manual for SOC, it’ll tell you what those requirements are as part of that audit.)

110
Q

What is SOC Type II?

A

This is going to address the operational effectiveness of the specified control over a given period of time. Usually, 9 to 12 months.

111
Q

What is the Cloud Control Matrix?

A

This is a framework that’s designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a given cloud provider

112
Q

What is the Cloud Security Alliance?

A

A not-for-profit organization with the mission to “promote the use of best practices for providing security assurance within cloud computing, and to provide education on the uses of cloud computing to help secure all other forms of computing.”

113
Q

What is the Reference Architecture?

A

This is a methodology and a set of tools that enable security architects, enterprise architects, and risk management professionals to leverage a common set of solutions that fulfill their common needs, to be able to assess where their internal IT and their cloud providers are in terms of security capabilities, and to plan a roadmap to meet the security needs of their business.

*** Essentially, we’re saying… this is the thing we’re building towards, and this is how we want to build it to make sure it’s secure. Gives us the outline of what we want and how we want everything to match up.
