Section 30 - Policies and Procedures Flashcards
Policies are one part of a larger concept known as…?
IT governance
What is IT governance?
This is used to provide us with a comprehensive security management framework for the organization to build on.
How do you apply IT governance?
By using:
- Policies
- Standards
- Baselines
- Guidelines
- Procedures
- Information Classification
- Lifecycle
What are “policies”?
These are used to define the role of security inside of an organization and establish the desired end state for that security program
*** This is usually provided by senior management and clarifies the level to which the company is going to enforce security
Policies tend to be very broad and they provide the basic foundation upon which what is going to be built?
Standards
Baselines
Guidelines
Procedures
Security policies are built to fill in one of three levels. What are these levels called?
Organizational
System-specific
Issue-specific
What are organizational security policies?
These provide direction and goals. They give you the framework to meet the business goals and define the roles, responsibilities and terms associated with it.
What are system-specific policies?
These address the security of a specific technology, application, network or computer system.
*** These are very technical and focus on protecting a certain system or piece of technology.
What are issue-specific policies?
These are built to address a specific security issue such as email privacy, employee termination procedures, etc.
Policies can be further separated into one of three categories inside of information security. What are these categories called?
Regulatory
Advisory
Informative
What are regulatory policies?
These address mandatory standards and laws that are going to affect the organization
What are advisory policies?
These provide guidance on what is and what is not considered an acceptable activity
*** The most common type of this policy is called an AUP (acceptable use policy) that tells employees what they can/can’t do on a network
What are informative policies?
This focuses on a certain topic and it’s designed to be educational.
What are “standards”?
These are used to implement a policy in an organization
This includes things like mandatory actions, steps or rules that are needed to achieve the desired level of security
What are “baselines”?
These are created as reference points
They are used to document any kind of system so you can look back later and compare it for analysis
What is a “guideline”?
These are not required actions but they are recommended ones.
For this reason, they tend to be flexible.
What are “procedures”?
A detailed step-by-step instruction that is created to ensure personnel can perform a given action
*** This is where your policies turn into actionable steps
What is an important distinction to remember between a procedure and a policy?
A policy gives generic guidance to the organization
A procedure is very specific
What is data classification based on?
The value to the organization and the sensitivity of that information if it’s going to be disclosed
Who decides the level of data classification?
The data owner
What is considered sensitive data?
Any information that can result in the loss of security or loss of advantage to a company, especially if it’s accessed by unauthorized persons.
There are two different classification schemes that are normally used by organizations. This is based on whether…?
you’re a commercial business or a governmental one
If you are a commercial business, you will use one of four potential classification levels. These are…?
These go from lowest to highest:
Public
Sensitive
Private
Confidential
What is commercial public data?
Data that would have no impact on your company if it were released
*** This is usually information that’s posted to your website and other platforms
What is commercial sensitive data?
Might have a minimal impact if released
*** Such as financial data
What is commercial private data?
This is data that customers or those outside of a business do not need access to.
*** Such as personnel records, salary information, etc.
What is commercial confidential data?
This would seriously affect the business if disclosed.
This contains items such as trade secrets, intellectual property data, source code, etc.
What are the five different classification levels for the government?
Unclassified
Sensitive but unclassified
Confidential
Secret
Top Secret
What is unclassified government data?
Generally can be released to the public, either in general or under the Freedom of Information Act
What is sensitive but unclassified government data?
This includes things like medical records, personnel files and other things that won’t hurt national security but would impact those whose data is contained in it
What is confidential government data?
Includes data such as trade secrets and other information that can seriously affect the government if unauthorized disclosure were to happen
What is secret government data?
This includes things like military deployment data, defensive postures and other information that could seriously damage national security if disclosure were to happen.
What is the difference between secret and confidential government data?
Confidential - would seriously affect us
Secret - would seriously damage us
What is top secret government data?
This includes things like weapon system blueprints or other information that would gravely damage national security
What is data ownership?
This is the process of identifying the person responsible for the confidentiality, integrity, availability and privacy of the information assets.
In an enterprise environment, there are different roles that fall under this idea of data ownership. This includes…?
Data Owner
Data Steward
Data Custodian
Privacy Officer
What is the data owner role?
A senior executive with the ultimate responsibility for maintaining the CIA of the information asset
What is the data steward role?
They are focused on the quality of the data and the associated metadata
*** They make sure that the data is appropriately labeled and classified
What is the data custodian role?
They are responsible for handling the management of the system on which the data assets are stored
*** These are the system administrators who enforce the access control, the encryption, the backup and recovery measures, etc.
What is the privacy officer role?
They are responsible for the oversight of any kind of privacy-related data
*** Things like PII, SPI or PHI
What does PII stand for?
Personally Identifiable Information
If a piece of data can be used either by itself or in combination with some other piece of data to identify a singular person, then it’s considered…?
PII
*** Your name, driver’s license number, Social Security number, date of birth, etc.
What is the Federal Privacy Act of 1974?
A law designed to help protect against the disclosure of data including PII and PHI
This affects any U.S. government computer system that collects, stores, uses or disseminates PII. If you work for the government or a contractor
What is HIPAA?
HIPAA is the Health Insurance Portability and Accountability Act and it affects health care providers, facilities, insurance companies, and other medical data clearinghouses. If your organization is processing or storing medical data, you’re likely going to be affected by HIPAA. It’s enforced by the Department of Health and Human Services in the United States and it provides you with the standards and procedures that have to be used, at a minimum, for storing, using, and transmitting medical information and healthcare data.
What is SOX?
Sarbanes-Oxley
This was originally enacted by Congress back in 2002 as the Public Company Accounting Reform and Investor Protection Act of 2002, but you’re almost always going to hear it referred to as SOX or Sarbanes-Oxley. If your organization is a publicly-traded U.S. corporation, it’s affected by this regulation and it has to follow certain accounting methods and financial reporting requirements. Now, the important thing to keep in mind with Sarbanes-Oxley is that if you fail to follow it, your senior leadership, like your CEO, can actually receive jail time for it.
So, Sarbanes-Oxley is a big deal, and all of those accounting methods and financial reporting, that’s all data that’s being stored on your IT systems, so you’re going to get involved with this as an IT professional.