network and security foundations ch 14. codes and standards

Examples of HA technologies are

load balancing, Virtual Router Redundancy Protocol (VRRP), active-active firewall appliances, and VMware vSphere HA.

Backing up company data is

one of the most important functions in IT operations; it is a key for data loss prevention and disaster recovery.

FERPA (Family Educational Rights and Privacy Act)

A federal law that requires all educational institutions to protect the privacy of student education records. protects them in any format. can't disclose without written permission.

Hot site:

A hot site is a full-blown operational facility with power, cooling, and equipment racked and powered up and connected to the network. It is a duplicate of the current data center.

international export controls

generally refers to the federal laws and regulations governing the export of materials, data, technical information, services, technologies, software, and hardware to foreign countries based on national security, foreign policy, and trade sanctions.

A non-disclosure agreement (NDA)

is a legal agreement to bind a party or parties to not disclose or not share specific information.

Portable Fire Extinguishers (29 CFR 1910.157)

. Employers may exempt themselves from most of the portable fire extinguisher requirements if they develop a written emergency action plan that is complete and in compliance with 29 CFR 1910.38: Employers must mount, locate, and identify portable fire extinguishers for easy employee access. Portable fire extinguishers cannot have carbon tetrachloride or chlorobromo-methane extinguishing agents. Employers must remove from service portable fire extinguishers that use soldered or riveted shell self-generating soda acid, self-generating foam, and gas cartridge water. Employers must provide, select, and distribute portable extinguishers based on the class of anticipated workplace fires; fire extinguishers are classified by their ability to handle specific classes and sizes of fires. Employers are responsible for the inspection, maintenance, and testing of all portable fire extinguishers in the workplace. Employers must ensure that portable fire extinguishers are fully charged, operable, and kept in their designated place at all times. Employers must provide equivalent protection when extinguishers are removed for maintenance or recharging. Portable fire extinguishers must be subjected to annual maintenance checks. The maintenance date must be recorded, and the record must be retained for one year after the last entry or for the extinguisher's shell life. Employers must have trained persons with suitable testing equipment, and facilities must conduct hydrostatic testing on portable fire extinguishers. Employers must remove portable fire extinguishers that fail hydrostatic pressure testing. In addition to these requirements, employers must provide training upon initial assignment and at least annually for employees who use fire extinguishers. The training program must familiarize employees with the general principles of fire extinguisher use, fire hazards, and the use of appropriate equipment.

business continuity plan

identifies the key products and services of the organization and devises strategies to enable those key assets to stay operational.

A statement of work (SOW)

is a document often used in conjunction with an MSA. Whereas an MSA defines general terms of service, an SOW has all the specifics of the service. SOWs define in detail the deliverables, schedules, and time lines, roles and responsibilities, and price agreed by all parties. Under one MSA, there may be multiple SOWs. SOWs are common in the information technology field when organizations engage third-party companies to implement or deploy new IT services. SOWs are used to define what the service provider is committing to deliver as well as to outline the steps and procedures of work to be done.

HIPAA (Health Insurance Portability and Accountability Act)

is a federal law that requires all health-related agencies to protect the personally identifiable information (PII) of patients

Master Service Agreement (MSA)

is an agreement wherein the supplier(s) provides predetermined services over a specified period of time with total costs not to exceed an amount previously agreed upon. The purpose of an MSA is to speed up and simplify the process for future subsequent agreements.

PCI DSS

payment card industry data security standard - credit card, prevent identity theft. not a federal law. holds banks and merchants accountable for any credit card breach.

redundent circuits

power systems use HA to supply electrical power to two or more dffernent sources or separate feeds from the electrical company

The three major export control regulations are

the International Traffic in Arms Regulations (ITAR), the Export Administration Regulations (EAR), and the Office of Foreign Assets Control (OFAC).

National Fire Protection Association (NFPA)

works closely with OSHA, not mandatory but ensures OSHA compliance

Maintenance, Safeguards, and Operational Features for Exit Routes (29 CFR 1910.37)

29 CFR 1910.37 specifies requirements for employers to properly maintain exit routes in order to prepare the workplace for a successful emergency evacuation and minimize further danger to employees: Each exit route must be free of explosive or highly flammable furnishings and other decorations. Exit routes must be arranged so employees will not have to travel toward a high-hazard area. Each exit route must not be obstructed by any materials or equipment. It must not go through locked doors or dead-end corridors. Safeguards designed to protect employees, such as sprinkler systems, alarm systems, exit lighting, and fire doors, must be working properly. There must be adequate lighting for each exit route. Each exit must be clearly visible and marked by a sign reading "Exit." Each exit door must be free of decorations or signs that obscure the visibility of the exit door. If the direction to the exit is not apparent, signs must be posted to show the direction to the exit. Each exit sign must be illuminated, and the word "Exit" must be in plainly legible letters. Fire-retardant paints or solutions must be maintained often enough to renew their properties. During construction, repairs, or alterations, exit routes must be maintained and available at all times. Employers must install and maintain an operable alarm system to alert employees of fire and other emergencies.

Emergency Action Plans (29 CFR 1910.38)

An employer must have an emergency action plan (EAP). An emergency action plan facilitates and organizes employer and employee actions during workplace emergencies. If there are more than 10 employees, the plan must be in writing, and it must be kept in the workplace and available for employee review. An emergency action plan must include the following, at a minimum: Procedures for reporting fires and other emergencies Procedures for emergency evacuation, including the type of evacuation and exit route assignments Procedures for employees who stay behind to continue critical plant operations Procedures to account for all employees after evacuation Procedures for employees performing rescue or medical duties Names or job titles of persons who can be contacted for further information or explanation of duties under the plan In addition, employers should have an alarm system to alert employees. Employers must designate and train enough people to assist in the safe and orderly emergency evacuation of employees. Employers must review the emergency action plan with each employee when the plan is initially developed, when an employee is initially hired to the job, when actions or responsibilities under the plan change, or when the plan changes.

Design and Construction Requirements for Exit Routes (29 CFR 1910.36)

An exit route is a continuous and unobstructed path of travel from any location within a workplace to a place of safety. 29 CFR 1910.36 specifies the basic location requirements for the proper design and construction of exit routes: Each exit route must be a permanent part of the workplace. Each exit must be separated from other parts of the workplace, and the separation materials must be fire resistant. An opening into an exit must be protected by a self-closing fire door that remains closed and must be limited to only allow exit access. The number of exit routes must be adequate for all employees to be able to evacuate safely during an emergency. Each exit discharge must lead directly outside or to a street, a walkway, a refuge area, a public way, or an open space, which must be large enough to accommodate the building occupants. Each exit door must be unlocked from the inside so employees can open the exit door at all times. A side-hinged exit door must be used so that the door can swing out in the direction of exit travel. An exit route must be at least 7 feet, 6 inches high and at least 28 inches wide at all points. An outdoor exit route is permitted, with the same height and width requirement as the indoor exit route.

Fire Prevention Plans (29 CFR 1910.39)

As with having an emergency action plan, an employer is required to have a fire prevention plan (FPP). As a matter of fact, the emergency action plan and fire prevention plan typically go hand in hand. Many organizations combine the two plans into one document. The written fire prevention plan must be available to the employees and kept at the workplace. For employers with 10 or fewer employees, the plan may be communicated orally. The purpose of the fire prevention plan is to prevent a fire from occurring or spreading in a workplace. A fire prevention plan must include the following, at a minimum: A list of all major fire hazards, proper handling and storage procedures for hazardous materials, potential ignition sources and their control, and the type of fire protection equipment necessary to control each major hazard Procedures to control accumulations of flammable and combustible waste materials Procedures for regular maintenance of safeguards installed and heat-producing equipment to prevent the accidental ignition of combustible materials The names or job titles of employees responsible for maintaining equipment to prevent or control sources of ignition or fires The names or job titles of employees responsible for the control of fuel source hazards In addition, employers must inform employees of any fire hazards they may be exposed to and must review with each employee the fire prevention plan necessary for self-protection.

Fire Detection Systems (29 CFR 1910.164)

Automatic fire detection systems, when combined with other elements of an emergency response and evacuation plan, can significantly reduce property damage, personal injuries, and loss of life due to fire in the workplace. Automatic fire detection systems do this by using electronic sensors to detect the smoke, heat, or flames from a fire and providing early warning. Their main function is to quickly identify a developing fire and alert building occupants and emergency response personnel before extensive damage occurs. 29 CFR 1910.164 includes the following requirements: Employers must restore all fire detection systems and components to normal operating condition as promptly as possible after each test or alarm. Employers must maintain all systems in an operable condition. Employers are responsible for servicing, testing, and adjusting fire detectors and fire detection systems as often as needed to maintain proper reliability and operating condition. The work must be performed by a trained person. Fire detectors must be cleaned at regular periodic intervals. Employers must ensure that fire detection equipment is from mechanical or physical impact, weather, and corrosion. Employers must ensure that fire detectors are supported independently of their attachment to wires or tubing. Fire detection systems installed for the purpose of actuating fire extinguishment or suppression systems must operate in time to control or extinguish a fire. Fire detection systems installed for the purpose of employee alarm or evacuation systems must provide a warning in time for emergency action and safe escape of employees. Employers cannot delay alarms or devices initiated by fire detector actuation for more than 30 seconds unless it is necessary for the immediate safety of employees, which then must be addressed in the emergency action plan. Employers must ensure that the number, spacing, and location of fire detectors is based upon design data obtained from field experience or tests, engineering surveys, the manufacturer's recommendations, or a recognized testing laboratory listing.

An IT organization can use the guidance of NIST's Framework for Improving Critical Infrastructure Cybersecurity to help facilitate compliance. The following are components of this framework:

The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization's risk strategy. The organization's mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions. The policies, procedures, and processes to manage and monitor the organization's regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk. The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals. The organization's priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions. Access to assets and associated facilities is limited to authorized users, processes, or devices and to authorized activities and transactions. The organization's personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements. Information and records (data) are managed consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information. Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage the protection of information systems and assets. Maintenance and repairs of industrial control and information system components are performed consistent with policies and procedures. Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements. Anomalous activity is detected in a timely manner, and the potential impact of events is understood. The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures. Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events. Response processes and procedures are executed and maintained to ensure timely response to detected cybersecurity events. Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies. Analysis is conducted to ensure adequate response and support recovery activities. Activities are performed to prevent expansion of an event, mitigate its effects, and eradicate the incident. Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities. Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity events. Recovery planning and processes are improved by incorporating lessons learned into future activities. Restoration activities are coordinated with internal and external parties, such as coordinating centers, Internet service providers, owners of attacking systems, victims, other CSIRTs (computer security incidence response teams), and vendors.

Hazard Communication (29 CFR 1910.1200)

The purpose of 29 CFR 1910.1200 is to ensure that the hazards of all chemicals are classified and the information concerning the classified hazards is communicated to employers and employees. It requires that the chemical manufacturer, distributor, or importer provide safety data sheets (SDS), formerly known as material safety data sheets (MSDS), for each hazardous chemical it produces or imports. An employer must have an SDS in the workplace for each hazardous chemical it uses. The SDS includes information such as product identifier or manufacturer, physical and chemical properties, chemical hazards, chemical ingredients and composition, first-aid measures, fire-fighting measures, accidental release measures, handling and storage, personal protection, chemical stability and hazardous reactions, and toxicological information. A network technician needs to be aware of this particularly because network closets are sometimes used incorrectly to temporarily store chemicals. The safety data sheets provide workers and emergency personnel with procedures for handling chemicals in a safe manner.

Employee Alarm Systems (29 CFR 1910.165)

The purpose of the employee alarm systems standard is to reduce the severity of workplace accidents and injuries by ensuring that alarm systems operate properly and procedures are in place to alert employees to workplace emergencies. This standard includes the following requirements: An employee alarm must be perceived above ambient noise or light levels by all employees. It must be distinctive and recognizable as a signal to evacuate the work area. Employers must explain to each employee the preferred means of reporting emergencies. If telephones serve as a means of reporting emergencies, emergency telephone numbers must be posted near telephones or employee notice boards and in other conspicuous locations. Employers must establish procedures for sounding emergency alarms in the workplace. For employers with 10 or fewer employees, direct voice communication is an acceptable procedure. All devices, components, combinations of devices, or systems constructed and installed must be approved by OSHA. All employee alarm systems must be restored to normal operating condition as promptly as possible after each test or alarm. Employers must ensure that all employee alarm systems are maintained in operating condition. Employers must test the reliability and adequacy of both supervised and un-supervised employee alarm systems. Supervised alarm systems can monitor the condition of their detectors and circuitry, whereas unsupervised alarm systems cannot. Unsupervised employee alarm systems must be tested every two months. Supervised employee alarm systems installed after January 1, 1981, must be tested at least annually and working properly in supervised mode. Employers must maintain or replace power supplies to the systems as often as is necessary to ensure fully operational condition. Employers must ensure that employee alarms are serviced, maintained, and tested by properly trained persons. Employers must ensure that manually operated actuation devices for use in conjunction with employee alarms are unobstructed and readily accessible.

Fixed Extinguishing Systems (29 CFR 1910.160)

This standard includes the following requirements: If the system becomes inoperable, employers must notify employees and take any necessary temporary precautions to ensure their safety until the system is restored to operating order. Any defects or impairments must be properly corrected by trained personnel. A distinctive alarm or signaling system must be capable of being perceived above ambient noise or light levels when the extinguishing system is discharging. Effective safeguards must be provided to warn employees against entering discharge areas where the atmosphere remains hazardous to employee safety or health. Hazard warning or caution signs must be posted at the entrance to and inside areas protected by fixed extinguishing systems that use agents in concentrations known to be hazardous to employee safety and health. Fixed extinguishing systems must be inspected annually by a knowledgeable person to ensure that the systems are maintained in good operating condition. The weight and pressure of refillable containers must be checked at least semi-annually. Factory-charged nonrefillable containers that have no means of pressure indication must be weighed at least semi-annually. If a container shows a loss in net weight of more than 5%, it must be replaced. Inspection and maintenance dates must be recorded, and the record of the last semi-annual check must be maintained until the container is checked again or for the life of the container, whichever is less. Employers must ensure that the designated employees who inspect, maintain, operate, or repair fixed extinguishing systems are regularly trained, and their training must be reviewed annually. Chlorobromomethane or carbon tetrachloride may not be used as an extinguishing agent where employees may be exposed. Fixed extinguishing systems installed in the presence of corrosive atmospheres must be constructed of noncorrosive material or otherwise protected against corrosion. Automatic detection equipment must be approved, installed, and maintained in accordance with the fire detection system. All systems designed for and installed in areas with climatic extremes must operate effectively at the expected extreme temperatures. At least one manual station must be provided for discharge activation of each fixed extinguishing system. Manual operating devices must be identified as to the hazard against which they will provide protection. Employers must provide and ensure the use of the personal protective equipment needed for immediate rescue of employees trapped in hazardous atmospheres created by an agent discharge.

Memorandum of Understanding (MOU)

An agreement between two or more parties to enable them to work together that is not legally enforceable but is more formal than an unwritten agreement.

High availability (HA)

It refers to information technology systems being in continuous operation for a long time, with minimal downtime. - hospitals and data centers, which are intended to be in operation 100% of the time.

Acceptable Use Policy

Requires a user to agree to follow it to be provided access to corporate email, information systems, and the Internet

role separation

Spreading out the work, reduces conflict/competition

HA eliminates single points of failure by

adding high redundancy. It also provides fault tolerance, which allows the ability to failover to a redundant system when a service fails. When there is a failure—whether it is a hardware failure, network failure, or software failure—HA systems must be able to detect failures and to fail over to the redundant system. An HA reliable/redundant system might make it so that failures are not seen, but failures must be noted in the maintenance log.

According to ISO 22301 2012, which is a standard for business continuity management systems,

business continuity is a corporate capability

master license agreement (MLA)

defines the owner rights, terms, and conditions related to intellectual property. common in software to define how it can be used and distributed.

OSH Act - Occupational Safety and Health Act OSHA- Occupational Safety and Health Administration

every employer must comply with all applicable OSHA standards

incident response policy

what it sounds like. 6 steps Preparation Identification Containment Eradication Recovery Follow-up

UPS

Uninterruptible Power Supply

cold site

A cold site is an empty facility with only power and cooling, but no equipment or racks.

Warm site:

A warm site is a not-yet-operational facility with power, cooling, and rack space; the equipment is onsite but not racked or powered up.

OHSA regulations are in

Code of Federal Regulations (CFR) title 29 part 1910 (29 CFR 1910)

GLBA (Gramm-Leach-Bliley Act)

Federal law enacted in 1999 to control the ways that financial institutions deal with the private information of individuals

service agreements

Legal docs (which are negotiated) that describe the expectations of both the purchaser and provider.

Service Level Agreement (SLA)

Part of a service contract where the service expectations are formally defined.

Incremental backup:

These backups only include data that has changed since the previous backup copy. The first incremental backup copy is a full backup, and subsequent backups are the differences from the previous copies. This type of backup generally takes the least time and the least storage space.

Full backup:

This is the most complete type of backup, where all data is copied to a designed backup location or medium. A full backup can take a long time, depending on the size of the source. It also can take up a large amount of storage space if archives need to be kept.

MTTR (Mean Time to Recover or Repair):

This metric measures the average time it takes to bring a system back from failure.

MTBF (Mean Time Between Failure):

This metric measures the system's reliability by identifying the average time between failures.

Differential backup:

This type of backup includes all data that has changed since the last full backup. The first differential backup copy is a full backup, and the subsequent backups are the differences from the previous full backup copy. Differential backups take less time and less storage space than do full backups.

FISMA (Federal Information Security Management Act)

a federal law that was developed to protect government information, operations, and assets against security threats.

password policy

A collection of settings to control password characteristics such as length and complexity.

disaster recovery plan

A disaster recovery plan outlines the process or procedures to recover the services quickly and effectively from both expected and unexpected disruptions in times of crisis.

MTTF (Mean Time to Failure):

This metric predicts the equipment runtime before a failure requires the equipment to be replaced.