Security Programme management and oversight 5.1 Flashcards
Security Policy Guidelines.
The rules you follow to provide CIA (confidentiality, integrity, availability).
Security Policies answer the what and the why.
Information security policy
A big list of all security related policies.
Acceptable Use Policy
Defines what users are able to do with the technology that has been provided to them.
Business Continuity
Plan for when technology does not work.
Disaster Recovery plan
The plan should be ready to respond to a disaster.
Security Incidents
Policy for reacting to different security events.
Incident response team
Specialised team to respond to a security incident.
NIST
National institute of standards and technology.
Incident response lifecycle:
Preparation, Detection, Containment, Post-incident Activity.
SDLC
Systems development life cycle.
Agile vs Waterfall.
Change management
Policies which need to be followed in relation to making a change.
Security Standards
A formal definition for using security technologies and processes.
Many standards are already available
ISO (International Organisation for Standardisation).
NIST (National Institute of Standards and Technology)
Passwords
Ensure a specific set of password policies are being used when setting a password.
Access control
Define which access control types are used; determine access to which information, and at what time.
Physical Security - Standards
Rules and Policies regarding physical security controls.
Encryption - standards
Password storage (Encrypted).
Data encryption standards depending on the state of data.
Regulations
Security standards are often mandated by regulations, e.g. SOX, HIPAA.
Legal - Oversight.
The security team is often tasked with legal responsibilities:
disclosure, reporting illegal activities, and holding data required for legal proceedings.
Industry
The industry may require specific security consideration.
Geographical Security
May be different standards depending on where you are in the world.
Security Procedures - Change management
Scope of change
Risk of change
Create a plan
Change control board
Have a back out plan.
Onboarding
Bringing someone into the organisation.
New accounts will need to be created.
Offboarding
What should happen when users leave the organisation, and what happens to the data on any of their devices.
Playbook
Conditional steps to follow, for example to investigate a data breach or recover from ransomware.
Often Integrated into a SOAR platform.
SOAR
Security Orchestration, Automation and Response.
Monitoring and Revision
Look for opportunities to tweak security systems to enhance security.
Governance Structures
Board - Panel of specialists which set the tasks or requirements for the committees.
Centralised/Decentralised
Centralised governance is located in one location with a group of decision makers. Decentralised governance spreads the decision-making process around to other individuals or locations.
Data Responsibility
Who is responsible for which data. For example: the treasurer is responsible for all financial data.
Data controller
Manages how the data will be used.
Manages the purposes and means by which personal data is processed.
E.g. payroll controller.
Data processor
Processes the data on behalf of the data controller. Often a third-party or different group.
E.g. payroll processor.
Data Custodian/ Steward
Making sure that the data is being handled in a way which is compliant with the laws and standards set. Responsible for accuracy, privacy and security.
Responsible for determining what type of user has access to what type of data.