Security Policies and Procedures Flashcards
What should an Information Security Policy cover?
- Cover end-to-end security processes across the organization
- It should be enforceable, practical, regularly updated in response to business needs and evolving threats, and focused on business goals.
What are the three levels of security documentation?
- Policies, Standards, Procedures.
- Policies (high-level business rules: the WHAT and the purpose)
- Standards (the HOW: who will implement, who is responsible, who will be affected)
- Procedures / technical controls (step-by-step instructions that people will follow)
What does the 3-2-1 rule for backup entail?
3 copies of the data, on 2 different media, with 1 copy kept off site
This rule ensures data redundancy and security.
What are the characteristics of Information Security Policies?
They should not be optional, should not refer to specific technical platforms, and act as a contract between the organization and its stakeholders.
Characteristics of Security Standards
They provide the necessary level of detail to make a security policy practical across the entire organization.
What are the four types of Information Security?
- Application Security
- Network Security
- Cloud Security
- Cryptography
These types address various dimensions of security needs.
Why do companies need to meet information security standards?
- Prevent Cyber Attacks
- Increased awareness of risk
- Enhanced reputation
- Avoidance of legal trouble and fines
Compliance with standards helps mitigate risks.
What are the two primary Information Security Standards?
- ISO 27001
- ISO 27002
These standards provide frameworks for managing information security.
What are the three principles of Information Security?
- Confidentiality - the information is only available to the intended parties
- Integrity - the information is complete when accessed and/or transferred
- Availability - the information is immediately available when requested
These principles ensure proper handling of information.
Characteristics of Security Procedures
A procedure outlines the set of steps to be followed.
What are key elements of an Information Security Policy?
- Purpose
- Audience
- Information Security Objectives
- Authority and Access Control Policy
- Data Classification
- Security Awareness Training
- Responsibilities and Duties of Employees
- Encryption policy
- Data backup policy
- References to regulations and compliance standards
These elements guide the implementation of the policy.
What are best practices for Information Security Management?
- Acceptable use policy (AUP)
- Access control policy (ACP)
- Change management policy
- Incident response (IR) policy
- Remote access policy
- Email/communication policy
- Disaster recovery policy
- Business continuity plan (BCP)
- Data classification policy
- IT operations and administration policy
- SaaS and cloud policy
- Identity and access management (IAM) policy
- Data security policy
- Privacy Regulations
- Personal and mobile devices policy
These practices help organizations manage security effectively.
What situations demonstrate the payoff of strong policies, standards, and procedures?
- You experience a breach
- You have to discipline/dismiss an employee for inappropriate use of technology
- Vendors demand evidence of your security program
- A user accidentally gives their credentials to a hacker
- An entry-level employee makes a bad choice on a firewall setting
These situations highlight the importance of having robust security measures in place.
What defines Security Culture?
Ideas, customs, and social behaviors of a group that influence its security
A strong security culture enhances employee engagement and responsibility.
What are the benefits of a strong Security Culture?
- Increased compliance with protective measures
- Reduced risk of security incidents
- Employees identify and report concerns
- Greater sense of security among employees
- Enhanced security without large expenditure
A positive culture leads to proactive security behavior.
What are the seven dimensions of Security Culture?
- Attitudes
- Behaviors
- Cognition
- Communication
- Compliance
- Norms
- Responsibilities
These dimensions encompass the various aspects that shape an organization’s security culture.
What is the general purpose of an information security policy?
Establish a general approach to information security
An information security policy serves as a foundational document that guides an organization’s security efforts.
What should an information security policy document?
Security measures and user access control policies
This documentation is essential for ensuring that all users understand their responsibilities regarding information security.
What is a key aim of an information security policy in relation to compromised information assets?
Detect and minimize the impact of compromised information assets
Compromised assets include misuse of data, networks, mobile devices, computers, and applications.
How does an information security policy protect an organization?
Protect the reputation of the organization
A strong security policy helps maintain trust with stakeholders and customers.
What legal and regulatory requirements should an information security policy comply with?
Legal and regulatory requirements like NIST
Compliance with standards such as NIST ensures that the organization meets industry benchmarks for security.
What type of consumer data should an information security policy aim to protect?
Consumer’s data, such as credit card numbers
Protecting sensitive consumer information is crucial for maintaining customer trust and legal compliance.
What mechanisms should an information security policy provide?
Effective mechanisms to respond to complaints and queries related to cyber security risks
This includes addressing concerns about phishing, malware, and ransomware.
Fill in the blank: An information security policy should limit access to key information technology assets to those who have an _______.
acceptable use
This principle ensures that only authorized users can access sensitive information.