Chapter 16: Policy and Compliance

Réussis tes devoirs et examens dès maintenant avec Quizwiz!

These are less formal reviews of security controls that are typically requested by the security organization itself in an effort to engage in process improvement. In these, the assessor typically gathers information by interviewing employees, rather than performing actual testing of controls.

Assessments

These require rigorous, formal testing of controls and result in a formal statement regarding the entity's compliance.

Audit

This is a formal review of an organization's security program or specific compliance issues conducted on behalf of a third party.

Audit

This document prepared by ISACA, divides information technology activities into four domains: Plan and Organize, Acquire and Implement, Deliver and Support, Monitor and Evaluate

COBIT

This is a set of best practices for IT governance, developed by ISACA

COBIT

This is policy that describes expected behavior of employees and affiliates and serves as a backstop for situations not specifically addressed in policy. ___________________ of ___________________/___________________

Code of Conduct/Ethics

These controls are designed to mitigate the risk associated with exceptions made to a security policy.

Compensating

These controls seek to prevent/discourage an attacker from attempting to violate security policies. Vicious guard dogs and barbed wire fences and warning signs are examples.

Deterrent

This is a set of procedures that describe how the organization will respond to subpoenas court orders, and other legitimate request to produce digital evidence. ______________________ ______________________ procedures

Evidence Protection

Inevitably, unforeseen circumstances will arise that require a deviation from the requirements. These are called _________________________

Exceptions

This law requires that educational institutions implement security and privacy controls for student educational records.

FERPA

This law requires that government agencies and other organizations operating on behalf of government agencies comply with a series of security standards.

FISMA

In the NIST Security Framework, this is a set of five security functions that apply across all industries and sectors: the ___________________________ ________________

Framework Core

This law covers financial institutions. It requires that they have a formal security program and designate an individual as having overall responsibility for that program.

GLBA

These provide best practices and recommendations related to a given concept, technology, or task. Compliance with these is not (usually) mandatory.

Guidelines

This law includes security and privacy rules that affect healthcare providers, health insurers and health information clearinghouses.

HIPAA

The ISO publishes this document, which provides standards for Information Security controls for 14 categories.

ISO 27001

ITSM

IT Service Management

The five core activities: Service Strategy, Service Design, Service Transition, Service Operation, Continual Service Improvement, are described in this framework:

ITIL

This is a framework that offers a comprehensive approach to IT service management within the modern enterprise.

ITIL

The Framework Core lists five security functions. They are: _____________, __________________, _____________________, ____________________, ______________________

Identify, Protect, Detect, Respond, Recover

In the NIST Cybersecurity Framework, these assess how an organization is positioned to meet cybersecurity objectives: The Framework ____________________________ _______________________

Implementation Tiers

This is a policy that provides high-level authority and guidance for the security program _______________________ ________________________ policy

Information Security

This contains a series of documents designed to describe the organization's cybersecurity program. __________________ ________________________ ______________________ ______________________

Information Security Policy Framework

ISACA

Information Systems Audit and Control Association

ITIL

Information Technology Infrastructure Library

ISO

International Organization for Standardization

These security controls are procedural mechanisms that focus on the mechanics of the risk management process. Examples: Periodic risk assessments, security planning exercises; incorporation of security into the organization's change management, service acquisition, and project management practices. _______________________________ controls

Managerial

In the NIST Cybersecurity Framework, the Implementation Tiers are arranged into four levels that describe the current and desired positioning of an organization; the levels are: Tier 1: Partial, Tier 2: Risk Informed, Tier 3: Repeatable, Tier 4: Adaptive. This is known as a __________________________ ______________________

Maturity Model

Security Controls are categorized on their _____________________ of _____________________ ; the way they achieve their objectives.

Mechanism of Action

This is a set of procedures that describe how the organization will perform security monitoring activities , including the possible use of continuous monitoring technology. _________________________ procedures

Monitoring

This organization is responsible for developing cybersecurity standards across the U.S. federal government.

NIST

This document, released in 2014, is designed to assist organizations attempting to meet one or more of the following five objectives: * Describe their current cybersecurity posture * Describe their target state for cybersecurity * Identify and prioritize opportunities for improvement * Assess progress toward the target * Communicate among internal and external stakeholders This document is known as the __________________ __________________________ ___________________________

NIST Cybersecurity Framework

NIST

National Institute for Standards and Technology

These security controls include the processes that we put into place to manage technology in a secure manner. These include user access reviews, log monitoring, and vulnerability management. ____________________________ controls

Operational

This standard provides detailed rules about the storage, processing, and transmission of credit and debit card information.

PCI DSS

This is a policy that sets forth requirements for password length, complexity, reuse, and similar issues. _____________________ policy

Password

This is a set of procedures that describe the frequency and process of applying patches to applications and systems under the organization's care. ___________________ procedures

Patching

These controls impact the physical world. Examples: Fences, perimeter lighting, locks, fire suppression systems, burglar alarms

Physical

These are high-level statements of management intent. Compliance with these is mandatory.

Policies

An organization's Information Security Policy Framework usually includes these four different types of documents: ______________________ _________________________ _________________________ ________________________

Policies, Standards, Procedures, Guidelines

This requires high-level approval, usually from the CEO

Policy

__________________ _______________________ should lay out the requirements for receiving an exception and the individual or committee with the authority to approve exceptions

Policy Frameworks

This type of security framework mandates the controls that an organization must implement, with little flexibility for interpretation. _____________________________ Framework

Prescriptive

These controls are intended to stop a security issue before it occurs. Firewalls and encryption are examples.

Preventive

These are detailed, step-by-step processes that individuals and organizations must follow in specific circumstances. They can be similar to checklists, and ensure a consistent process for achieving a security objective.

Procedures

In the NIST Cybersecurity Framework, these describe how a specific organization might approach the security functions covered by the framework core: Framework __________________________

Profiles

This type of security framework provides high-level control objectives and then allows the organization to design situation-appropriate controls based on their own assessment of the risk environment. _______________-______________________ Framework

Risk-Based

This law applies to the financial records of publicly traded companies and requires that those companies have a strong degree of assurance around the IT systems that store and process those records.

SOX

These are specific measures that fulfill the security objectives of an organization. ________________________ ____________________

Security Controls

These are used to assist with the creation of an organization's security policy; they provide a standardized approach to developing cybersecurity programs. ________________________ _________________________

Security Framework

These provide mandatory requirements describing how an organization will carry out its information security policies.

Standards

These security controls enforce CIA in the digital space. Examples are: firewall rules, access control lists. IPS, Encryption ________________________ controls

Technical

There are three different categories of security control. They are: __________________________, _________________________, ____________________

Technical, Operational, Managerial

True or False: Audits may be conducted by internal audit groups at the request of management, or by external audit firms at the request of an organization's governing body or a regulator.

True

According to the PCI DSS Exception Process, a compensating control must provide a _____________________ level of defense as the original requirement

similar

According to the PCI DSS Exception Process, a compensating control must meet the _____________________ and __________________________ of the original requirement.

intent, rigor

According to the PCI DSS Exception Process, a compensating control must be ____________________ and ___________________________ other PCI DSS requirements.

Above, Beyond

This is a policy that provides network and system users with clear direction on permissible uses of information resources ___________________________ ___________________ policy

Acceptable Use

This is a policy that describes the account life cycle from provisioning through active use and decommissioning. _____________________ ________________________ policy

Account Management

These controls identify security events that have already occurred, or are occurring at the moment. Cameras and IDS systems are examples.

Detective

This is a policy that describes the organization's approach to monitoring and informs employees that their activity is subject to monitoring in the workplace. _________________________ ______________________ policy

Continuous Monitoring

These are statements of a desired security state, that are laid out in security policy frameworks. _______________________ ___________________________

Control Objectives

COBIT

Control Objectives for Information and Related Technology

These controls remediate security issues that have already occurred. Restoring backups after a ransomware attack is an example.

Corrective

These laws describe the requirements that individual states place on organizations that suffer data breaches, regarding notification of individuals affected by the breach. ___________________ ___________________ ____________________________

Data Breach Notification

This is a policy that describes the classification structure used y the organization and the process used to properly assign classifications to data. ___________________ ___________________________ policy

Data Classification

This is a policy that clearly states the ownership of information created or used by the organization ________________________ ______________________ policy

Data Ownership

This is a policy that outlines what information the organization will maintain and the length of time different categories of work product will be retained prior to destruction. ______________________ _____________________ policy

Data Retention

Many exception processes require the use of ___________________________ __________________________ to mitigate the risk associated with exceptions to security standards.

compensating controls

Security Controls can be divided into types, based on their desired ___________________

effect


Ensembles d'études connexes

Bio 210 Chapter 17 From Gene to Protein

View Set

MGT-332-Exam #1: Modules 1-5 (Chapters 1, 3-6)

View Set

Database Management I: Section 4-6 Test

View Set

Chapter 32: Labor and Birth Complications

View Set

Accident and health insurance Basics questions

View Set

chapter 13 peripheral nervous system and reflex activity

View Set