Liberty CSIS 340 Second Half - Robert Tucker

Réussis tes devoirs et examens dès maintenant avec Quizwiz!

Implementing policies and libraries entail 4 major steps

1. Building consensus on intent 2. Reviews and approvals for your documents 3. Publication of the documents 4. Awareness and training

Procedures and Guidelines

Answer Where, When, and How?

Policies and standards

Answers Who, What, and Why?

Family Educational Rights and Privacy Act (FERPA)

Applies to educational institutions such as college and universities. Information related to the educational process that can uniquely identify the student

Awareness and training

Awareness is obligated to make people understand that IT exists and need to be involved in. Train is detailed how to do that

Motivation

Combination of pride, self interest, and success

Building consensus on intent

Discussion on the intent of the policy

Integration Principle

Documents should be coordinated and integrated with each other. Should integrate with other relevant measures, practices and procedures.

(SP) 800-53

Geared to U.S. government agencies and their subcontractors

Reviews and approvals for your documents

Goal is to gain senior executive approval of the policy or standard

Data classification

Identifying value of data. Placing label on data. Level of protection based on data type.

Limited use of personal data

Key idea is that the company can use the information collected for the immediate service provided, or transaction made, such as a purchase.

Defense-in-depth principle

Overlapping layers of controls prevention, detection, and response

Least Privilege principle

People granted only enough privilege to accomplish tasks - no more

Pride

Perceived importance of work - Working on something that is important, understanding of the overall goals and objectives, creates competition and sense of self-worth

Three most common needs for classifying data

Protect, Retain, and Recover information

Publication of the documents

Publishing your policy and standards library depends on the communications tools available

Federal Information security Management Act (FISMA)

Requires government agencies to adopt a common set of information security standards - Creates mandatory requirements to ensure the integrity, confidentiality, and availability of data

Federal Information Security Management Act (FISMA)

Requires government agencies to adopt common set of information security standards. Creates mandatory requirements to ensure they integrity, confidentiaity, and availability of data.

Separation of duty principle

Responsibilities and privileges should be divided to inappropriate control of multiple key aspects

National Institute of Standards and Technology (NIST)

Responsible for developing FISMA-mandated information security standards and procedures

Self-interest

Rewards and discipline - self-preservation, those who achieve goals receive rewards

Security Posture

Risk appetite and risk tolerance

Multidisciplinary principle

States that the policy and standards library documents should be written to consider everyone - Contracts / who is the audience?

Children's Internet Protection Act (CIPA)

Tells schools and libraries that receive federal funding that they must block pornographic and explicit sexual material on their computers.

Full Disclosure

The concept that an individual should know what information about them is being collected. A company must give written notice on how it plans to use your information

Public interest

The concept that an organization has an obligation to the general public beyond its self-interest

Informed consent

The concept that someone is of legal age, has the needed facts, and is without undue pressure to make an informed judgment

Opt-in/Opt-out

The practice of asking permission on how person information can be used beyond its original purpose.

Organizational Culture

The traditions, customs, patterns of behavior, values, and beliefs shared by members of an organization.

Risk Appetite

Understanding risks and determining how much potential risk and related problems the business is willing to accept

Control Objectives for Information and Related Technology (COBIT)

Widely accepted framework that brings together business and control requirements with technical issues

Data Privacy

a company must tell an individual how personal information will be protected and limits placed on how the data will be shared

Detective or response controls

act like alarms and warnings (kick in after an incident begins)

Detective or Response Controls

act like alarms and warnings. kick in after an incident begins

Timeliness principle

all personnel, assigned agents, and third-party providers should act in a timely and coordinated manner to prevent and to respond to breaches of the security.

Family Educational Rights and Privacy Act (FERPA)

applies to educational institutions such as college and universities - any information related to the educational process that can uniquely identify the student

Commanders

are demanding and not tactful. They might come across as best as impolite, at worst rude and abrupt. They are forceful in an attempt to achieve stated goals. They can be agents for change, breaking from the past and overcoming barriers within the organization

Technical security controls

are the devices, protocols, and other technology used to protect assets - Include antivirus systems, cryptographic systems, firewalls, and more

Success

being on a winning team - individuals build confidence when frequently recognized for their successes. Measured as perception of how well you perform your work

Multidisciplinary principle

policy and standards library documents should be written to consider everyone affected, including technical, administrative, organizational, operational, commercial, educational, and legal personnel

Opt-in/opt-out

practice of asking permission on how personal information can be used beyond its original purpose

Physical security controls

prevent intentional or unintentional security threats - Include network access policies, firewall rules, and locks on wiring closets and server room doors

Preventive security controls

prevents security threats. (i.e. network access policies, firewall rules, locks on doors, Website Application Firewall (focuses on packet data rather than meta))

Risk Tolerance

relates to how much variance in the process an organization will accept

Separation of duty principle

responsibilities and privileges should be divided to prevent a person or a small group of collaborating people from inappropriately controlling multiple key aspects of a process and causing harm or loss

Defense-in-depth-principle

security increases when it is implemented as a series of overlapping layers of controls and countermeasures that provide three elements to secure assets: prevention, detection, and response

Proportionality Principle

security levels, costs, practices, and procedures should be appropriate and proportionate to the value of the data and the degree of reliance on the system

Proportionality princple

security levels, costs, practices, and procedures should be appropriate and proportionate to the value of the data and the degree of reliance on the system. They should also be proportionate to the potential severity, probability, and extent of harm to the system or loss of data

democracy principle

security should be balanced against rights of customers, users, and others. Consider your users or partners when requiring information

Reassessment principle

security systems be periodically and aperiodically reassessed

Corrective controls

takes care of situation without getting far enough for recovery / before full incident

Children's Internet Protection Act (CIPA)

tells schools and libraries that receive federal funding that they must block pornographic and explicit sexual material on their computers

Full disclosure

the concept that individuals should know what information about them is being collected

Informed consent

the concept that someone is of legal age, has the needed facts, and is without undue pressure to make an informed judgement

Risk Tolerance

the dominant view within an organization of how much risk is acceptable

Accountability principle

the personal responsibility of information systems security should be explicit

Administrative controls

the policies, standards, and procedures that guide employees when conducting the organization's business

Authentication

the process used to prove the identity of the person

Democracy principle

the security of an information system should be balanced against the rights of customers, users, and other people affected by the system versus your rights as the owners and operators of these systems.

Reassessment principle

the security of information systems should be periodically reassessed.

Organizational Culture

the traditions, customs, patterns of behavior, values, and beliefs shared by members of an organization.

Ethics principle

the way information systems are designed, and the level of access to data reflected in the security controls, should operate in accordance with the organization's ethical standards. This includes the level of disclosure and access to customer data. (moving target)

Simplicity principle

try to favor small and simple safeguards over large and complex ones. Security is improved when its made simpler

Drifters

uncomfortable with structure and deadlines. They might be great with people and communications. What they lack in discipline may be offset by their creativity and thinking out of the box

drifter

unconfortable with deadlines, but might be great with people and communication. creative

adversary principle

who are your adversaries? Anticipate attack, and adversaries that could attack

timeliness principle

who makes what happen when personnel, agents, and 3rd party providers act in timely manner

Integration principle

your documents should be coordinated and integrated with each other. They should also integrate with other relevant measures, practices, and procedures for a coherent system of security

Simplicity principle

favor small and simple safeguards over large and complex

Reviews and approvals

gain senior executive approval of policy or standard

Recovery controls

help you put a system back into operation once an incident ends. Disaster recovery and tape backups fit into this category

Recovery

help you put system back into operations once incident ends

Corrective controls

help you respond to and fix a security incident. Corrective controls are also used to limit or stop further damage.

Risk Appetite

how much risk is your organization willing to accept to achieve its goal

Continuity principle

identify needs for recovery and continuity (bring back up to acceptable level of operation)

Continuity principle

identify your organization's needs for disaster recovery and continuity of operations. Prepare the organization and its information systems accordingly

Internal control principle

information security forms the core of an organization's information internal control systems

ISO/IEC 27000 series

internationally adopted standard, can be found in the information security management program of virtually any organization

Limited use of personal data

key idea is that the company can use the information collected only for immediate service provided

personality types

key to understanding how to motivate people

Awareness principle

owners, providers, and users of information systems, as well as other parties, should be informed of policies, responsibilities, practices, procedures, and organization for security of information systems

Least privilege principle

people should be granted only enough privilege to accomplish assigned tasks and no more

internal control principle

policies must mandate that internal controls must be used

Policy-centered principle

policies, standards, and procedures established as formal basis for managing the planning, control, evaluation

Policy-centered security principle

policies, standards, and procedures should be established as the formal basis for managing the planning, control, and evaluation of all information security activities

Administrative controls

policies, standards, and procedures that guide employees

implementing policies and standards

4 steps: Building consensus reviews and approvals publication of documents awareness and training

Data privacy

A company must tell an individual how personal information will be protected and limits placed on how the data will be shared

Principles for Policy and Standards Development

Accountability Principle, Awareness Principle, Ethics Principle, Multidisciplinary Principle, Proportionality principle

Health Insurance Portability and Accountability Act (HIPAA)

Defines someone's health record as protected health information

Public interest

concept that an organization has an obligation to the general public beyond its self-interest.

Adversary princple

controls, security strategies, architectures, and [policy library documents should be developed and implemented in anticipation of attack from intelligent, rational, and irrational adversaries who may intend to harm

Security classification

data classification drives what type of security you should use to protect the information

Health Insurance Portability and Accountability Act (HIPAA

defines someone's health record as protected health information

Commanders

demanding. can come across as impolite, rude abrupt. forceful to achieve goals, agent for change

publishing policies

depends on communication tools available

Physical security controls

devices controlling physical access

Technical security controls

devices, protocols, and other technology used to protect (i.e. antivirus, cryptographic systems, firewalls, etc.)

Building consensus

discussion on the intent of policy, need for policy


Ensembles d'études connexes

Chapter 8 Checkpoint Discovering Computers 2016

View Set

Argument Technique in Martin Luther King

View Set

FA Davis Chapter 31 Hyperlipidemia and Hypertension

View Set