Testout Security Pro Chapter 3 - Policies, Procedures & Awareness
California Database Security Breach Act of 2003
A California state law that specifies that any agency, person, government entity, or company that does business in the state of California must inform California residents within 48 hours if a database breach or other security breach occurs in which personal information has been stolen or is believed to have been stolen.
Gramm-Leach-Bliley Act of 1999
A US federal law designed to protect private information held at financial institutions.
Patriot Act of 2001
A US federal law that gives law enforcement the authority to request information from organizations to detect and suppress terrorism.
Children's Online Privacy Protection Act of 1998 (COPPA)
A US federal law that requires organizations that provide online services designed for children below the age of 13 to obtain parental consent prior to collecting a child's personal information.
Sarbanes-Oxley Act of 2002
A US federal law that requires publicly traded companies to adhere to very stringent reporting requirements and implement strong controls on electronic financial reporting systems.
Health Insurance Portability and Accountability Act of 1996 (HIPPA)
A US federal law that specifies that all organizations must protect the health information that they maintain.
Waterfall Planning
A development model sequential in its layout, with phases that contain a series of instructions that must be executed and documented before the next phase can begin.
Agile
A development model that breaks development into smaller time frames called sprints.
Extreme Programming
A development model that values simplicity, feedback, courage, and communication and brings the entire team of developers, managers, and customers together so that adequate feedback and evaluations can be provided.
Clean Room
A development model used for high-quality software where all levels of development are tested for bugs and defects with the goal of finding problems before they can mature.
Ad Hoc
A development model where qualified developers are given a project without a consistent team, funding, or schedule.
Code Escrow Agreement
A document that specifies the storage and conditions of release of source code.
Organizational Security Policy
A high-level overview of the corporate security program.
Non-Disclosure Agreement
A legal contract between an organization and an employee that specifies that the employee is not to disclose the organization's confidential or proprietary information to anyone outside the organization.
Non-Compete Agreement
A legal contract between the organization and the employee that specifies that the employee is not to work for a competing organization for a specified time after the employee leaves the organization.
Social Engineering
A malicious attempt to fraudulently acquire sensitive information that is usually accomplished using impersonations.
Countermeasure
A means of mitigating the potential risk.
Computer-Aided Software Engineering (CASE)
A method of using computers to help with the systematic analysis, development, design, and implementation of software.
Structured Programming
A method used by programmers that uses layering, modularity, and segmenting to allow for optimal control over coherence, security, accuracy, and comprehensibility.
Spiral
A mix of the waterfall model and the prototype model in which a prototype is developed and tested using the waterfall method.
Threat Vector
A path or means that an attacker can use to compromise the security of a system.
Business Continuity Plan
A plan for recovering and restoring critical functions after a catastrophic disaster or extended disruption.
Disaster Recovery Plan (DRP)
A plan for resumption of applications, data access, hardware, communications, and other IT infrastructure in case of disaster.
Acceptable Use Policy (AUP)
A policy that defines how users should use the information and network resources in an organization.
Password Policy
A policy that detail the requirements for passwords used in an organization.
User Management Policy
A policy that identify actions to follow when employee status changes to ensure the security of the system, including hiring new employees, promoting and transferring employees, and terminating employees.
Privacy Policy
A policy that outlines how the organization will secure private information for employees, clients, and customers.
Change Management and Configuration Management Policy
A policy that regulate changes to policies, practices, and equipment that could impact the security of your IT infrastructure.
Authorized Access Policy (AAP)
A policy that specifies access controls that are employed on a network.
Human Resources (HR) Policy
A policy used by HR that defines hiring and termination processes, job rotation requirements, and personal time off procedures.
User Education and Awareness Policy
A policy with provisions for user education and awareness training.
Remote Wipe
A procedure to remotely clear specific, sensitive data on a mobile device.
Manageable Network Plan
A process created by the National Security Agency (NSA) to assist in making a network manageable, defensible, and secure.
Succession Planning
A process for identifying and developing internal people with the potential to fill key positions within the organization at some point in the future.
Guideline
A recommendation that is used when a specific standard or procedure does not exist.
Regulation
A requirement published by a government or other licensing body that must be followed.
Asset
A resource that has value to an organization.
Code of Ethics
A set of rules or standards that help individuals to act ethically in various situations.
Collusion
A situation in which multiple employees conspire to commit fraud or theft.
Vishing
A social engineering attack that exploits voice-over-IP telephone services to gain access to an individual's personal and financial information, including their government ID number, bank account numbers, or credit card numbers.
Email Hoax
A social engineering attack that preys on email recipients who are fearful and will believe most information if it is presented in a professional manner.
Spear Phishing
A social engineering attack that targets specific individuals within a company to gain access to information that will allow the attacker to gain commercial advantage or commit fraud.
Phishing
A social engineering attack that usually involves sending emails that are purported to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.
Watering Hole
A social engineering attack where the victim is a group like an organization, an industry, or a region and where the attacker guesses or observes which websites the group uses and infects one or more of them with malware.
Whaling
A spear phishing attack targeted that targets senior executives and high-profile victims.
Baseline
A standard that dictates the settings and security mechanisms that must be imposed on a system in order to comply with required security standards.
Procedure
A step-by-step process that outlines how to implement a specific action.
Cost-Benefit Analysis
A systematic approach to calculating and comparing the benefits and costs of a course of action in a given situation.
Software Development Life Cycle (SDLC)
A systematic, seven-phase method for design, development, and change management used for software development and the implementation of system and security projects.
Prototype
A type of iterative development that was made to combat the weaknesses of waterfall-based models.
Critical Business Functions (CBF)
Activities that are vital to your organization's survival and to the resumption of business operations.
Milestone
An action or event marking a significant change when implementing a manageable network plan.
Scarcity
An active social engineering technique that attempts to make people believe that if they don't act quickly, they will miss out on an item, opportunity, or experience.
Urgency
An active social engineering technique that attempts to make people believe they must act quickly to avoid imminent damage or suffering.
Authority
An active social engineering technique that involves the impersonation of legal, organizational, and social authorities.
Consensus
An active social engineering technique that leverages peoples' willingness to perform an act if others have already performed the act.
Familiarity
An active social engineering technique that leverages peoples' willingness to perform an act requested by someone they are familiar with.
Intimidation
An active social engineering technique that usually involves an attacker impersonating a manager or director to frighten lower-level employees to gain information.
Service Level Agreement (SLA)
An agreement between a customer and provider that guarantees the quality of a network service provider's care to a subscriber.
Asset Classification
An asset prioritization method that identifies the appropriate value and protection levels by grouping similar assets and comparing the valuation of different classifications.
Sensitivity vs. Risk
An asset prioritization method that uses a chart to qualify the value of an asset based on sensitivity and risk.
Comparative
An asset prioritization method that uses a ranking based on an arbitrary scale that is compatible with the organization's industry.
Delphi
An asset prioritization method that uses an anonymous survey to determine the value of an asset.
Term
Definition
Tailgating or Piggybacking
Entering a secure building by following an authorized employee through a secure door without providing identification.
Virus Hoax
False reports about non-existent viruses that often claim to do impossible things that cause recipients to take drastic action, like shutting down their network.
Passive Social Engineering
Gathering information or gaining access to secure areas by taking advantage of peoples' unintentional actions.
Active Social Engineering
Gathering information or gaining access to secure areas through direct interaction with users.
Eavesdropping
Listening to a conversation between employees discussing sensitive topics.
Shoulder Surfing
Looking over the shoulder of someone working on a computer to view usernames, passwords, or account numbers.
Object-Oriented Programming (OOP)
Programming based on the organization of objects rather than actions that uses pre-assembled programming code in a self-contained module that encapsulates a segment of data and its processing instructions.
Mobile Device Management (MDM)
Software that allows IT administrators to control, secure, and enforce policies on smartphones, tablets, and other endpoints.
Business Impact Analysis (BIA)
The Identification and prioritization of BCFs, a calculation of a timeframe for recovering them, and estimation of the tangible and intangible impact on the organization.
Onboarding
The activities involved in setting up the work environment for new employees.
Offboarding
The activities involved when an employee resigns, retires, or is terminated.
Provisioning
The configuration, deployment, and management of IT system resources, including mobile devices.
Risk Management
The forecasting and evaluation of risks together with the identification of procedures to avoid or minimize their impact.
Risk
The likelihood of a vulnerability being exploited.
Threat Probability
The likelihood that a particular threat will occur that exploits a specific vulnerability.
Interoperability Agreement
The means through which organizations (public administrations or businesses) formalize cooperation with one another.
Onboarding
The period when a third-party relationship is initiated.
Off-Boarding
The period when a third-party relationship is terminated.
Residual risk
The portion of risk that remains after the implementation of a countermeasure.
Risk Assessment
The practice of determining which threats identified are relevant and pressing to the organization and then attaching a potential cost that can be expected if the identified threat occurs.
Principle of Least Privilege
The practice of granting each user or group of users only the necessary access to do their job or perform their official duties.
Dumpster Diving
The process of looking in the trash for sensitive information that was not properly disposed of.
Loss
The real damage to an asset that reduces its confidentiality, integrity, or availability.
Fraud
The use of deception to divert company assets or profits to an employee.
Exposure
The vulnerability to losses from a threat agent.