Chapter 16: Security Policies, Standards, and Compliance

Lakukan tugas rumah & ujian kamu dengan baik sekarang menggunakan Quizwiz!

Memorandum of Understanding (MOU)

A letter written to document aspects of the relationship They are an informal mechanism that allows the parties to document their relationship to avoid future misunderstandings Commonly used between different business units within the same organization

NIST Risk Management Framework (RMF)

A mandatory standard for federal agencies that provides a formalized process that federal agencies must follow to select, implement, and assess risk-based security and privacy controls

Industry Standards

An organization may choose to follow commonly accepted standards as a best practice. Failure to follow them may be seen as negligent in the legal realm

Sarbanes-Oxley Act

Applies to the financial records of US publicly traded companies and requires that those companies have a strong degree of assurance for the IT systems that store and process those records

SOC 2 Engagements

Assess the organization's controls that affect the security (confidentiality, integrity, and availability) and privacy of information stored in a system. Audit results are confidential and are normally only shared outside the organization under an NDA

SOC 3 Engagements

Assess the organization's controls that affect the security (confidentiality, integrity, and availability) and privacy of information stored in a system. Audit results are intended for public discourse

SOC 1 Engagements

Assess the organization's controls that might impact the accuracy of financial reporting

The Framework Implementation

Assesses how an organization is positioned to meet cybersecurity objectives. A maturity model may be used, which describes the current and desired positioning of an organization along a continuum of progress. In the case of the NIST maturity model, organizations are assigned to one of four maturity model tiers

Data governance policy

Clearly states the ownership of information created or used by the organization

Service Organization Controls (SOC) Audit

Conducted by the American Institute for Certified Public Accountants (AICPA) Statement on Standards for Attestation Engagements 18 (SSAE 18)

Information Security Policy Framework

Contains a series of documents designed to describe the organization's cybersecurity program: 1) Policies 2) Standards 3) Procedures 4) Guidelines

Gramm-Leach-Bliley Act (GLBA)

Covers US financial institutions, broadly defined. It requires that those institutions have a formal security program and designate an individual as having overall responsibility for the program

Credential Management Policy

Describes the account lifecycle from provisioning through active use and decommissioning. This policy should include specific requirements for personnel who are employees of the organization as well as third-party contractors. It should also include requirements for credentials used by devices, service accounts, and administrator/root accounts

Data classification policy

Describes the classification structure used by the organization and the process used to properly assign classifications to data

Continuous Monitoring Policy

Describes the organization's approach to monitoring and informs employees that their activity is subject to monitoring in the workplace

Asset Management

Describes the process that the organization will follow for accepting new assets (such as computers and mobile devices) into inventory, tracking those assets over their lifetime, and properly disposing of them at the end of their useful life

NIST Cybersecurity Framework (CSF)

Designed to assist organizations attempting to meet one or more of the following five objectives: 1) Describe their current cybersecurity posture 2) Describe their target state for cybersecurity 3) Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process 4) Assess progress toward the target state 5) Communicate among internal and external stakeholders about cybersecurity risk

Benchmarks

Detailed configuration guides published by government agencies, vendors, and industry groups. They provide instruction on operating systems, web servers, application servers, and network infrastructure devices An example of one publisher is the Center for Internet Security (CIS)

Business Partnership agreements (BPAs)

Exist when two organizations agree to do business with each other in a partnership For example, if two companies jointly develop and market a product, the BPA might specify each partner's responsibilities and the division of profits

Mandatory Vacactions

Forcing employees to take an annual vacation that is at least one week long

Audits

Formal reviews of an organization's security program or specific compliance issues conducted on behalf of a third party. Require rigorous, formal testing of controls and result in a formal statement from the auditor regarding the entity's compliance. May be conducted by an internal team or an external company

Social Media

Organizations may choose to adopt social media policies that constrain the behavior of employees on social media, both on personal and professional accounts

Data Retention Policy

Outlines what information the organization will maintain and the length of time different categories or work product will be retained prior to destruction

Capture the Flag (CFT)

Programs that pit technologists against one another in an attempt to attack a system and achieve a specific goal, such as stealing a sensitive file. Participants gain an appreciation for attacker techniques and learn how to better defend their own systems against similar attacks

Master Service Level Agreements (MSA)

Provide an umbrella contract for the work that a vendor does with an organization over an extended period of time Typically includes detailed security and privacy requirements

Guidelines

Provide best practices and recommendations related to a given concept, technology, or task. Compliance with guidelines is not mandatory, and guidelines are offered in the spirit of providing helpful advice

Standards

Provide mandatory requirements describing how an organization will carry out its information security policies These may include the specific configuration settings used for a common operating system, the controls that must be put in place for highly sensitive information, or any other security objective. Typically approved at a lower level and change more regularly

Payment Card Industry Data Security Standard (PCI DSS)

Provides detailed rules about the storage, processing, and transmission of credit and debit card information. PCI DSS is not a law but rather a contractual obligation that applies to credit card merchants and service providers worldwide

ISO 31000

Provides guidelines for risk management programs. This document is not specific to cybersecurity or privacy but covers risk management in a general way so that it may be applied to any risk

Acceptable Use Policy (AUP)

Provides network and system users with clear direction on permissible uses of information resources

The International Organization for Standardization (ISO)

Publishes a series of standards that offer best practices for cybersecurity and privacy

Job rotation

Takes employees with sensitive roles and moves them periodically. The idea is that fraudulent activity often requires ongoing concealment, and workers would not be able to conceal their fraud if they get moved to a new duty

Offboarding

The process involved when employees leave an organization. Ensures that the organization retains control of its assets and handles the revocation of credentials and privileges in an orderly manner

User Security Training

Users at an organization should receive regular security awareness training to ensure that they understand the risks associated with your computing environment Should be role-based and may come in the form of computer-based training (CBT)

Quality Control Procedures

Verify that an organization has sufficient security controls in place and they are functioning properly Regular informal tests, as well as regular formal evaluations should be conducted. The formal evaluations should be either audits or assessments

Privilege Creep

When users move around within the organization and retain privileges even when they no longer need them

ISO 27701

Whereas ISO 27001 and ISO 27002 focus on cybersecurity controls, ISO 27701 contains standard guidance for managing privacy controls. ISO views this document as an extension to their ISO 27001 and ISO 27002 security standards

Service level agreement (SLA)

Written contracts that specify the conditions of service that will be provided by the vendor and the remedies available to the customer if the vendor fails to meet the SLA. SLAs commonly cover issues such as system availability, data durability, and response time

Information Security Policy

provides high-level authority and guidance for the security program

Onboarding

The process for hiring new employees

Type 2 Reports

A SOC report that goes further and also provides the auditor's opinion on the operating effectiveness of the controls. That is, the auditor actually confirms that the controls are functioning properly

Type 1 Reports

A SOC report that provides the auditor's opinion on the description provided by management and the suitability of the design of the controls

Procedures

A detailed, step-by-step process that individuals and organizations must follow in specific circumstances. Similar to checklists, they ensure a consistent process for achieving a security objective. Compliance with them is mandatory Examples of what they are used for: building new systems, releasing code to prod, responding to security incidents

Framework Core

A set of five security functions that apply across all industries and sectors: identify, protect, detect, respond, and recover

ISO 27002

A standard that goes beyond control objectives and describes the actual controls that an organization may implement to meet cybersecurity objectives, such as: 1) Select information security controls 2) Implement information security controls 3) Develop information security management guidelines

Various data breach notification laws

Describe the requirements that individual states place on organizations that suffer data breaches regarding notification of individuals affected by the breach

Code of Conduct/Ethics

Describes expected behavior of employees and affiliates and covers situations not specifically addressed in policy

Framework Profiles

Describe how a specific organization might approach the security functions covered by Framework Core. An organization might use a framework profile to describe its current state and then a separate profile to describe its desired future state

Monitoring Procedures

Describe how the organization will perform security monitoring activities, including the possible use of continuous monitoring technology

Evidence Production Procedures

Describe how the organization will respond to subpoenas, court orders, and other legitimate requests to produce digital evidence.

Change Management and Change Control Policies

Describe how the organization will review, approve, and implement proposed changes to information systems in a manner that manages both cybersecurity and operational risk

Patching Procedures

Describe the frequency and process of applying patches to applications and systems under the organization's care

Separation of duties

Dividing responsibilities between two or more people to limit fraud. For example, two specific duties may yield a great amount of power when combined, so separation of duties ensures that one person cannot perform both

Statement of Work (SOW)

Each time the organization enters into a new project with the vendor, they may then create a statement of work (SOW) that contains project-specific details and references the MSA

Policies

High-level statements of management intent. Compliance with them is mandatory. May contain broad statements, such as: 1) A statement on the importance of cybersecurity to the organization 2) Requirements that all staff and contracts take measures to protect the confidentiality, integrity, and availability of information and information systems 3) Statement on the ownership of information created and/or possessed by the organization 4) Designation of the chief information security officer (CISO) or another individual as the executive responsible for cybersecurity issues 5) Delegation of authority granting the CISO the ability to create standards, procedures, and guidelines that implement the policy

NIST Cybersecurity Framework (CSF) Five Key Security Functions

Identify, protect, detect, respond, recover

General Data Protection Regulation (GDPR)

Implements security and privacy requirements for the personal information of European Union residents worldwide

Health Insurance Portability and Accountability Act (HIPAA)

Includes security and privacy rules that affect health-care providers, health insurers, and health information clearinghouses in the United States

Assessments

Less formal reviews of security controls that are typically requested by the security organization itself in an effort to engage in process improvement. Employees are often interviewed and taken at their word, rather than conducting rigorous independent testing

Gamification

Making security training more fun by making it game-like

Nondisclosure agreements (NDAs)

Require that employees protect any confidential information that they gain access to in the course of their employment. Typically signed when hired. The employee typically receives reminders throughout employment and during exit interviews

Family Educational Rights and Privacy Act (FERPA)

Requires that US educational institutions implement security and privacy controls for student educational records

Clean Desk Policy

Requires that employees secure all information that is on paper when they leave their desk

National Institute for Standards and Technology (NIST)

Responsible for developing cybersecurity standards across the US federal government. The guidance and standard documents they produce have wide applicability and are often used by nongovernmental security analysts

Password policy

Sets forth requirements for password length, complexity, reuse, and similar issues

ISO 27001

The ISO (International Organization for Standardization) 27001 standard is a code of practice for implementing an information security management system, against which organizations can be certified. Covers 14 categories, such as information security policies, access control, etc.

Difference between NIST CSF and RMF

The RMF is a formal process for implementing security controls and authorizing system use CSF provides a broad structure for cybersecurity controls Both are mandatory for government agencies, but only the CSF is commonly used in private industry

Two person control

The organization of a task or process so that at least two individuals must work together to complete it. Also known as dual control.


Set pelajaran terkait

English with Smiling Sam 3. Unit 6. Hello, spring! Summer holidays

View Set

macroeconomics chapters 8&10 review problems

View Set

CompTIA 220-1001 Core 1 A+ Course Notes

View Set

Chapter 3 - Small Business Environment - Managing External Relations

View Set

Analysis of Social Problems CH 2

View Set

Chapter 26 Respiratory Function - PrepU questions

View Set