Security Policy and Controls Flashcards
What are the four major parts each control is divided into?
The control itself and its purpose, the attributes of the control, the implementation guidance given, and 'other information'
What should a top level policy contain?
A top level policy should contain definitions of information security, objectives and principles; commitments to meeting specific security requirements; assignments of general and specific responsibilities; and processes for handling deviations and exceptions
Give 3 examples of policy topics
Choose from: access control, physical and environmental safety, asset management, information transfer, secure configuration, networking security, information security incident management, backup, cryptography, information classification, management of technical vulnerabilities, secure development
What is the difference between a policy and a procedure?
A policy gives the principles, rules and responsibilities, a procedure describes the specific steps to achieve the goal
Where are internal policies the most useful?
Inside larger and more complex organisations, where those defining the controls are separate from those implementing them
When should policies be reviewed?
Policies should be reviewed at planned intervals and whenever significant changes occur (for example to the organisation, its risks, or the legal and regulatory requirements that apply to it)
What is the difference between preventive versus reactive security controls?
Preventive controls are those that stop a security breach from occurring in the first place, while reactive controls detect a breach and correct or contain it after it has occurred
What is the Classification of Information control?
Information should be classified according to the organisation's information security needs (confidentiality, integrity and availability) and the requirements of relevant interested parties, so that it can be handled and protected appropriately
What is the Privacy and Protection of PII control?
The organisation should identify and meet the requirements for preserving privacy and protecting personally identifiable information (PII) according to applicable laws, regulations and contractual requirements
What is the Collection of Evidence control?
The procedures for identifying, collecting, acquiring and preserving evidence related to information security events, so that it remains reliable and admissible
What is the Screening control?
Background verification checks on all candidates should be carried out before they join and on an ongoing basis, proportionate to the business requirements, the classification of the information they will access and the perceived risks, and within the limits of applicable law
What is the Responsibilities after Termination control?
Information Security responsibilities and duties that remain after termination should be defined
What is the Terms and Conditions of Employment control?
The employment contract should state both the individual's and the organisation's information security responsibilities
What should be covered in the Terms and Conditions of Employment?
Confidentiality agreements, legal responsibilities and rights, information classification responsibilities, and actions to be taken if staff breach policies
What is the Disciplinary Process control?
A formalised process, communicated to all personnel, for taking action against anyone who commits an information security policy violation, with consequences proportionate to the nature and severity of the breach