Security Policy and Controls Flashcards

1
Q

What are the four major categories controls are divided into?

A

Four parts: the control statement itself and its purpose, the attributes of the control, the implementation guidance, and ‘other information’

2
Q

What should a top level policy contain?

A

A top-level policy should contain a definition of information security and its objectives and principles; a commitment to meeting the applicable security requirements; the assignment of general and specific responsibilities; and the processes for handling deviations and exceptions

3
Q

Give 3 examples of policy topics

A

Choose from: access control, physical and environmental safety, asset management, information transfer, secure configuration, networking security, information security incident management, backup, cryptography, information classification, management of technical vulnerabilities, secure development

4
Q

What is the difference between a policy and a procedure?

A

A policy states the principles, rules and responsibilities (what must be achieved and by whom); a procedure describes the specific steps taken to achieve it (how)

5
Q

Where are internal policies the most useful?

A

Inside larger and more complex organisations, where the people who define the controls are separate from the people who implement them

6
Q

When should policies be reviewed?

A

Policies should be reviewed at planned intervals and whenever significant changes occur (to the organisation, its systems, its threats or its legal and contractual obligations), to ensure they remain suitable, adequate and effective

7
Q

What is the difference between preventive versus reactive security controls?

A

Preventive controls are intended to stop a security breach from happening in the first place; reactive controls detect a breach and respond to or rectify it after it has occurred

8
Q

What is the Classification of Information control?

A

Information should be classified according to the organisation’s needs, based on its confidentiality, integrity and availability requirements and the requirements of interested parties, so that it can be handled and protected appropriately

9
Q

What is the Privacy and Protection of PII control?

A

The organisation should identify and meet its requirements for preserving the privacy and protecting the Personally Identifiable Information (PII) it handles, in line with applicable laws, regulations and contractual obligations

10
Q

What is the Collection of Evidence control?

A

Procedures should be established and implemented for identifying, collecting, acquiring and preserving evidence related to information security events, so that it remains usable (for example in disciplinary or legal proceedings)

11
Q

What is the Screening control?

A

Background verification checks should be carried out on all candidates before they join the organisation (and on an ongoing basis where warranted), taking into account applicable laws and ethics and proportionate to the business requirements, the classification of the information to be accessed and the perceived risks

12
Q

What is the Responsibilities after Termination control?

A

Information security responsibilities and duties that remain valid after termination or a change of employment should be defined, enforced and communicated to the personnel concerned

13
Q

What is the Terms and Conditions of Employment control?

A

The employment contract (or other agreement) should state the information security responsibilities of both the member of staff and the organisation

14
Q

What should be covered in the Terms and Conditions of Employment?

A

Confidentiality agreements, legal responsibilities and rights, information classification responsibilities, and actions to be taken if staff breach policies

15
Q

What is the Disciplinary Process control?

A

A formalised and communicated process that sets out the consequences for personnel (and other interested parties) who commit an information security policy violation

16
Q

What is the Confidentiality control?

A

Confidentiality or non-disclosure agreements reflecting the organisation’s needs for protecting information should be identified, documented, regularly reviewed and signed by personnel and other relevant parties

17
Q

What is the Security Awareness control?

A

Personnel and relevant interested parties should receive information security awareness, education and training, with regular updates on the policies and procedures relevant to their role

18
Q

What is the Remote Working control?

A

Security measures should be implemented when personnel work remotely, to protect the information that is accessed, processed or stored outside the organisation’s premises

19
Q

What is the Information Security Event Reporting control?

A

The organisation should provide a mechanism for personnel to report observed or suspected information security events through appropriate channels in a timely manner

20
Q

What is the Physical Entry control?

A

Secure areas should be protected by appropriate entry controls and access points, so that only authorised persons can gain physical access and that access is recorded

21
Q

What is the Clear Desk and Clear Screen control?

A

Clear desk rules for papers and removable storage media, and clear screen rules for information processing facilities, should be defined and enforced so that information is not left exposed when unattended

22
Q

What is the Storage Media control?

A

Storage media should be managed through their whole lifecycle (acquisition, use, transportation and disposal) in accordance with the organisation’s classification scheme and handling requirements

23
Q

What is the Cabling Security control?

A

Cables carrying power, data or supporting information services should be protected from interception, interference or damage

24
Q

What is the Secure Disposal control?

A

Items of equipment containing storage media should be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten before disposal or re-use

25
Q

What is the Physical Threat Protection control?

A

Protection against physical and environmental threats, such as natural disasters and other intentional or unintentional physical threats to infrastructure, should be designed and implemented

26
Q

What is the Security of Assets Off-Premise control?

A

Assets used off the organisation’s premises should still be protected, taking into account the different risks of working outside the organisation’s premises

27
Q

What is the Privileged Access Rights control?

A

The allocation and use of privileged access rights should be restricted and managed (granted on a need-to-use basis, to the minimum necessary, and reviewed regularly)

28
Q

What is the Protection against Malware control?

A

Protection against malware should be implemented and supported by appropriate user awareness

29
Q

What is the Management of Technical Vulnerabilities control?

A

Information about technical vulnerabilities in the information systems in use should be obtained, the organisation’s exposure to those vulnerabilities evaluated, and appropriate measures taken

30
Q

What is the Web Filtering control?

A

Access to external websites should be managed to reduce exposure to malicious content