62 Cards in this Set

Information Security Policy Framework

Contains a series of documents designed to describe the organization’s cybersecurity program. It includes:

- Policies
- Standards
- Procedures
- Guidelines

Policies

High-level statements of management intent. Compliance with policies is mandatory. A policy typically includes:

- Statement of importance
- Requirement that all staff and contractors protect the CIA of information and systems
- Statement of information ownership
- Designation of the CISO or executive responsible for cybersecurity issues
- Delegation of authority so the CISO can create standards, procedures, and guidelines that implement the policy

Information Security Policy

Provides high level authority and guidance for security program

Acceptable Use Policy

Provides network and system users with clear direction on permissible uses of information

Data Governance Policy

States the ownership of information created or used by the organization

Data Classification Policy

Describes the classification structure used by the organization and the process used to properly assign classifications to data

Data Retention Policy

Outlines what information the organization will maintain and the length of time different categories of work product will be retained prior to destruction

Credential Management Policy

Describes the account lifecycle from provisioning through active use and decommissioning.

Password Policy

Sets forth requirements for password length, complexity, reuse, and similar issues

Continuous Monitoring Policy

Describes the organization’s approach to monitoring and informs employees that their activity is subject to monitoring in the workplace.

Code of Conduct/Ethics

Describes expected behavior of employees and affiliates and covers situations not specifically addressed in policy.

Change Management and Change Control Policy

Describes how the organization will review, approve, and implement proposed changes to information systems in a manner that manages both cybersecurity and operational risk

Asset Management Policy

Describes the process that the organization will follow for accepting new assets into inventory, tracking those assets over their lifetime, and properly disposing of them at the end of their useful life.

Standards

Mandatory requirements describing how an organization will carry out its information security policies. These may include configuration settings for operating systems and controls for highly sensitive information. Standards are approved at a lower organizational level than policies and may change more regularly.

Procedures

Detailed, step by step processes that individuals and organizations must follow in specific circumstances. These ensure a consistent process for achieving a security objective. Compliance with procedures is mandatory.

Monitoring Procedures

Describe how the organization will perform security monitoring activities.

Evidence Production Procedure

Describes how the organization will respond to subpoenas, court orders, and other legitimate requests to produce digital evidence

Patching Procedure

Describes the frequency and process of applying patches to applications and systems under the organization’s care

Guidelines

Best practices and recommendations related to a given concept, technology, or task. Compliance with guidelines is not mandatory.

Compensating Controls

Mitigate the risk associated with exceptions to security standards. They balance the fact that it simply isn’t possible to implement every required security control in every circumstance with the desire to manage risk to the greatest feasible degree.

Least Privilege

Individuals should be granted only the minimum set of permissions necessary to carry out their job functions.

Privilege Creep

Occurs when an employee moves from job to job within the organization, accumulating new privileges, but never has the privileges associated with past duties revoked.

Separation of Duties

For extremely sensitive job functions, splits the function into two tasks and creates a rule that no single person may hold the privileges required to perform both.

Two Person Control

Similar to separation of duties, but instead of preventing the same person from holding two different privileges that are sensitive when used together, two-person control requires the participation of two people to perform a single sensitive action.

Job Rotation

Takes employees in sensitive roles and moves them periodically to other positions in the organization. This works because fraud typically requires ongoing concealment activities, which rotation disrupts.

Mandatory Vacations

Forcing employees to take annual vacations of a week or more consecutive time and revoking their access privileges during that vacation time.

Clean Desk Space

Limiting the amount of paper left exposed on unattended employee desks.

Onboarding and Offboarding

Ensures the organization retains control of its assets and handles the granting and revocation of credentials and privileges in an orderly manner.

Background Checks

Used to uncover criminal activity or other past behavior that may indicate that a potential employee poses an undetected risk to the organization.

Non-disclosure Agreement

Requires employees to protect any confidential information that they gain access to in the course of their employment.

Role Based Training

Individuals receive the appropriate level of training based on their job responsibilities.

Phishing Simulations

Send users fake phishing messages to test their skills. Users who click on the simulated phishing message are sent to a training program designed to help them better recognize fraudulent messages

Master Service Agreement

It is an umbrella contract for the work of a vendor over an extended time.

Scope of Work

Each time a new project is created with a vendor this details the specifics of the project and is part of the Master Service Agreement

Service Level Agreement

Specifies the conditions of the service that will be provided by the vendor and the remedies available to the customer if the vendor fails to meet the Service Level Agreement. These failures mainly concern availability, data durability, and response time.

Business Partnership Agreements

Two organizations agree to do business with each other in a partnership

HIPAA

Security and privacy rules that affect health-care providers, insurers, and health information clearinghouses in the US.

PCI DSS

Provides detailed rules about the storage, processing, and transmission of credit and debit card information. It is not a law but a contractual obligation that applies to credit card merchants and service providers worldwide.

Gramm-Leach-Bliley Act (GLBA)

Covers US financial institutions and requires them to have formal security programs and designate an individual who has overall responsibility for that program.

Sarbanes-Oxley Act (SOX)

Applies to financial records of US publicly traded companies and requires that they have a strong degree of assurance for the IT systems that store and process those records.

General Data Protection Regulation (GDPR)

Security and privacy requirements for the personal information of European Union residents, applicable worldwide.

Family Educational Rights and Privacy Act (FERPA)

Educational institutions implement security and privacy controls for student educational records.

Data Breach Notification Laws

Individual states have their own requirements on notification of individuals affected by a breach.

National Institute of Standards and Technology (NIST)

Responsible for developing cybersecurity standards across the US federal government. Its work is also widely used in the private sector because its publications are in the public domain and of very high quality. It helps organizations:

- Describe their current cybersecurity posture
- Describe their target state for cybersecurity
- Identify and prioritize opportunities for improvement
- Assess progress toward the target state
- Communicate to internal and external stakeholders about cybersecurity risk

NIST Framework Core

Set of 5 security functions:

- Identify
- Protect
- Detect
- Respond
- Recover

NIST Framework Implementation

Assesses how an organization is positioned to meet its cybersecurity objectives, often through a maturity model.

NIST Framework Profiles

Describe how a specific organization might approach the security functions covered by the Framework Core. Organizations use profiles to describe their current state and desired future state.

NIST Risk Management Framework (RMF)

Provides a formalized process that federal agencies must follow to select, implement, and assess risk-based security and privacy controls. It also describes the process for authorizing system use.

Not used in the private sector.

International Organization for Standardization (ISO)

Series of standards that offer best practices for cybersecurity and privacy. The 4 most common are:

- ISO 27001
- ISO 27002
- ISO 27701
- ISO 31000

ISO 27001

Document for Information Technology, Security Techniques, Information Security Management Systems, and Requirements. It has the following categories:

- Information security policies
- Organization of information security
- Human resource security
- Asset management
- Access control
- Cryptography
- Physical and environmental security
- Operations security
- Communications security
- System acquisition, development, and maintenance
- Supplier relationships
- Information security incident management
- Information security aspects of business continuity management
- Compliance with internal requirements, such as policies, and with external requirements, such as laws

ISO 27002

Goes beyond control objectives and describes the actual controls that an organization may implement to meet cybersecurity objectives. Controls include:

- Select information security controls
- Implement information security controls
- Develop information security management guidelines

ISO 27701

Contains standard guidance for managing privacy controls.

ISO 31000

Provides guidelines for risk management programs

Center for Internet Security (CIS)

Industry organization that publishes hundreds of benchmarks for commonly used platforms

Quality Control Procedures

Verify that an organization has sufficient security controls in place and that those controls are functioning properly. They include procedures for conducting regular internal tests of security controls and formal evaluations of the organization’s security program through assessments and audits.

Audits

Formal reviews of an organization’s security program or specific compliance issues conducted on behalf of a third party. They may be conducted by internal audit groups at the request of management or by external audit firms.

Assessments

Less formal reviews of security controls requested by the organization itself as an effort to engage in process improvement. An assessor gathers information by interviewing employees and taking them at their word.

SOC 1

Assesses the organization’s controls that might impact the accuracy of financial reporting.

SOC 2

Assesses the organization’s controls that affect the security and privacy of information stored in a system. Results are confidential.

SOC 3

Assesses the organization’s controls that affect the security and privacy of information stored in a system. Results are intended for public disclosure.

SOC Type 1 Reports

Provide the auditor’s opinion on the description provided by management and the suitability of the design of the controls.

SOC Type 2 Report

Goes further than a Type 1 Report. Provides the auditor’s opinion on the operating effectiveness of the controls: the auditor confirms that the controls are functioning properly.