Chapter 3 (Security policies and standards)
What is a Security Policy?
A large document made up of many sub-documents that defines the company's security strategy. It is a document that all personnel in the organization need to follow.
What is a policy?
A sub-document in a security policy that covers a specific area of concern.
What is the first step in creating a security policy?
Obtain approval from upper management.
What parts should exist in every security policy?
What are three types of policies?
Standard, guideline, and procedure
What is a standard?
A policy that must be followed and that typically covers a specific area of security. Failure to follow a standard will result in disciplinary action.
What is a guideline?
Recommendations on how to follow security best practices.
What is a procedure?
A document containing step-by-step procedures that show how to configure a system or device, or how to implement security solutions.
Why would an organization implement policies?
An organization may implement policies so that it is compliant with regulations in its industry or to follow specific standards.
What is the International Organization for Standardization standard ISO 17799?
A standard created by the International Organization for Standardization (ISO) that specifies best practices for information security management.
What are some of the domains in management of information security?
Physical and environmental security
Communications and operations management
What is the Health Insurance Portability and Accountability Act (HIPAA)?
A U.S. standard whose key area of concern is protecting any individually identifiable health information and controlling access to that information.
What is Personally Identifiable Information (PII)?
Any information that can uniquely identify a person.
What are some examples of PII?
National identification number (such as an SSN) and driver's license number.
What is a security control?
A term used to identify any mechanism that protects an asset within the organization, such as antivirus software and access control lists.
What are the benefits of having a security policy?
Ensures that the organization stays compliant with industry regulations and laws.
Ensures that the organization follows security best practices and adheres to standards.
What are two policies that will affect the user?
Acceptable use policy and password policy
What is the acceptable use policy?
An important policy that lets the users know what the company considers acceptable use of its assets such as the internet, email, laptops, and mobile devices.
What parts are typically covered in an acceptable use policy?
Acceptable use of internet, emails, laptops and mobile devices.
What is a password policy?
An important policy for all personnel that sets the standard for passwords.
What are the required parts in a password policy?
Minimum password length, password history, maximum password age, minimum password age, and password complexity.
What are some popular policies that guide administrators to follow best practices?
Change management policy, secure disposal of computers, and service level agreement.
What is a change management policy?
A process to follow when implementing a change to the network.
What are the benefits of having a change management policy?
It should reduce configuration mistakes, because the process can ensure that the change will be properly restored.
What is the secure disposal of computers policy?
A policy that instructs administrators on what to do when disposing of a computer.
What is a service level agreement?
A contract, or agreement, between your company and anyone providing services to the organization. The service level agreement sets the maximum amount of downtime allowed for assets such as internet and email, and it is an important element of the security policy.
Used to educate employees and customers as to how and why information is collected from its customers and how that information will be used.
What is Classification of information?
Defines the different classifications of information, such as top secret and secret, and what clearance level is needed to access the information.
Why should you assign a classification level to information?
Determines the amount of effort used to secure the information.
Should a Classification policy explain when information should be declassified?
What is the difference between classification label and security clearance?
A classification label is placed on the asset or information. A security clearance is assigned to employees.
What's the military and organization classification system?
What are some other policies that exist in an organization?
Remote Access Policy
Incident Response policy
Physical Security Policy
What policies can human resources enforce to assist with security in an organization?
Hiring policy, termination policy, mandatory vacations, job rotation, separation of duties, and least privilege.
How can Hiring Policy help?
It helps create a more secure environment for your organization by starting with the hiring of honest and good-willed individuals.
What are some parts included in a hiring policy?
Drug screening, interview process, contacting references, background check, and signing a non-compete agreement and an NDA.
How can a termination policy help secure an organization?
It provides the steps needed to terminate an employee.
What is a friendly termination?
An employee leaving on good terms and normally for noncompetitive reasons. With this termination, you will want to host an exit interview and document the reasons for the employee leaving the company.
What is an unfriendly termination?
An employee being let go from the company or leaving on bad terms. With this termination, security will need to escort the employee out of the building.
Why should an organization implement mandatory vacations?
It will help detect fraudulent or suspicious activities within the organization because another employee will need to take over the job role while someone is on vacation.
Why should an organization implement Job rotation?
Ensures employees are not committing any fraudulent activities.
Why should an organization implement Separation of duties?
Ensures multiple people are involved in the process to help avoid fraudulent activity by an employee.
Why are security policies designed?
To reduce the risk of a security incident by defining security best practices that fit your organization.
What is the first major decision when creating a security training program?
Identify what type of information to expose to the different types of employees within the organization.
What basic concepts should you educate business users on?
Password best practices, social engineering, virus protection, and the importance of physical security.
What basic concepts should you educate the technical team on?
Technical solutions that offer security, such as IDS, firewalls, and malware protection solutions.
What basic concepts should you educate management on?
Educate management on why they should support the security initiatives being proposed by giving them examples of past occurrences where businesses have lost huge amounts of money due to security incidents.
- Find laws and regulations that require the organization to make an effort to protect its assets, or find past cases where an organization has been held legally accountable for not implementing appropriate security measures to protect its assets.
- Cases where insurance companies have found violations of the insurance policy because a company did not make efforts to secure its assets.
What is an awareness policy?
A policy that informs employees of ways to reduce the likelihood of a security event occurring.
What are recommended delivery methods to deliver the awareness training?
Seminars, lunch and learns, CBTs (computer-based training), an intranet site, and videos on demand.
What are some user habits that you want to focus on?
Password behavior, data handling, clean desk policy, tailgating, personally owned devices, new threats and security trends, social networks, and P2P.
What are some tips to ensure users are using good password behavior?
- At least 8 characters
What is a clean desk policy?
A policy that requires users to ensure that any sensitive documents are stored in a secure location at all times and not left in plain view on someone's desk.
What is tailgating?
A method intruders use to bypass the physical security controls put in place by a company.
What is a phishing attack?
An employee receives an email asking them to click the link provided to visit a site.
What are zero day exploits?
Attacks on software or hardware that has just come out, where the vendor of the software or hardware is not yet aware of the exploits.
Why should a security administrator have training metrics?
To gauge the success of your security training.