Chapter 1 - Organizational Security and Compliance


3 main phases of Risk Analysis & Assessment

(1) Asset identification (2) Risk analysis (3) Risk likelihood and impact

SLA policy

(a) policies and procedures that a company performs to support the SLA, including the services performed

Exam Tip

Agreements should consider the business context of the organizations

Communicates network changes and outages

Change management policies

To ensure security policies are being followed requires?

Continued monitoring and auditing

Use ______ to protect integrity and privacy of data, and adhere to government-regulated compliance policies for data protection.

Data loss prevention (DLP)

cost of the risk management solution exceeds the value of the asset if it's lost

Example: file server & data = $35,000; proposed security solution = $150,000

Security Policies

general organizational security including physical access, access control to data, and security through structures and data security principles

Least privilege

grants users only the access rights they need

Cost of solutions

identify a cost-effective solution to protect assets

3 types of Business Partners Agreements

(1) General Partnerships (2) Limited (3) Joint Ventures

Risk Management Options (options based on nature and probability of risk and total cost of the solution)

(1) avoidance (2) transference (3) acceptance (4) mitigation (5) deterrence

3 Risk Control Types (each is a separate but cooperative layer in the overall risk management strategy)

(1) management (2) operational (3) technical

2 generally accepted ways to perform Risk Analysis

(1) qualitative (2) quantitative

Risk Management Options

(a) Avoidance (b) Transference (c) Acceptance (d) Mitigation (e) Deterrence

Risk mitigation strategies and policies include:

(a) Change management (b) Incident response (c) Auditing (d) User permission reviews (e) Data loss prevention

Most common data protection regulations include:

(a) HIPAA (b) SOX (c) PCI (d) EUDPD (EU Data Protection Directive)

Access Control Policies

(a) Least privilege (b) Separation of duties (c) Job rotation (d) Mandatory vacations

Acceptable Use Policies include:

(a) Legality (b) Uniqueness to your environment (c) Completeness (d) Adaptability (e) Protection for employees

Organizational Policies to Reduce Risk

(a) Security (b) Network Access (c) Human Resources

Joint Ventures

(a) begins the same way as a general partnership (b) but with a shorter time frame (c) often a single project

Incident Management & Response Policy

(a) a clearly defined policy can help contain a problem and provide quick recovery to normal ops (b) should cover each type of compromised-security scenario and list the procedures to follow when it happens

MOA/MOU - Memorandums of agreement and understanding

(a) common in the government sector (b) relate the terms of cooperation between two organizations seeking a common goal (c) detail the distinct roles and responsibilities of both parties (d) often high-level, accompanied by more technical docs (e) like an interconnection security agreement

Best Practices: operational [risk]

(a) company-wide policies that must be created, distributed, and used to educate employees on how to conduct their day-to-day activities (b) improvement initiatives to make organizational processes more efficient and effective

Operational [risk]

(a) concerned with how you conduct your daily organizational business (b) minimize the security risk to your organization and its business activities

Best Practices: [risk] management

(a) controls encompassing managerial, technical, and operational aspects of the organization (b) includes: implementation of an overall risk management framework, efforts to improve documentation

Risk Analysis

(a) deals with identifying, assessing, and reducing the risk of security breaches against company assets

SOX - Sarbanes-Oxley Act

(a) defines standards for publicly held companies and accounting firms (b) storage, access, communications, auditing of financial data

BPA - Business Partners Agreements

(a) describes how a new business will be conducted among partners (b) 3 types

Technical [risk]

(a) describes the actual technical measures used to prevent security risks

NIST 800-47 "Security Guide for Interconnection Information Technology Systems"

(a) details the lifecycle of interconnected information systems, which includes planning, establishing, maintaining, and disconnecting the interconnection

ISA - Interconnection security agreement

(a) details the technical framework in which two info systems (even those owned by a single organization) will directly connect and share data securely (b) NIST guide 800-47 "Security Guide for Interconnection Information Technology Systems" (c) will have an accompanying diagram depicting the connection

General Partnerships

(a) devised under the assumption that all profits and liabilities will be divided equally among the business partners

Data Loss Prevention and Regulatory Compliance (DLP)

(a) focused on preventing loss of data and protecting its confidentiality and privacy (b) the company's own data, or any customer data stored & communicated (c) protect data in storage & in transit (d) DLP mitigation techniques require both inbound protection via network security and outbound protection via content filters & encryption

User Rights and Permissions Reviews

(a) helps guard against existing security lapses in user rights policies caused by employee movement within the company (b) needs close cooperation with human resources and department heads so that security is proactively notified when employees' positions and responsibilities change

Management risk controls?

(a) high-level risk management (b) assessment (c) mitigation plans that define your overall organization security

Asset Identification

(a) identify and quantify the company's assets and their worth (b) worth is established beyond mere capital costs: acquisition costs, maintenance, value of the asset to the company/competitor, what clients would pay for the asset or server, cost of replacement, cost of compromise

Risk assessment and mitigation deals with:

(a) identifying (b) assessing (c) reducing the risk of security breaches against company assets

EUDPD - EU Data Protection Directive

(a) multinational (b) provide privacy protection for stored and transmitted user data

Change Management Policy

(a) official company procedures used to identify and communicate current or forthcoming changes to some aspect of the company's networks and communication services

[risk] Management

(a) ongoing high-level function within your organization (b) begins with risk assessment and analysis to identify the risk of security breaches against company assets (c) assessing the probability of a risk and estimating its impact, and defining the steps to reduce the level of that risk (d) solutions need proper analysis and budgeting for cost-effective solutions

Best Practices: technical [risk]

(a) physical access controls (fencing, security passes, surveillance) (b) environmental controls (fire suppression, temp controls) (c) deep-level network and system security (firewalls, a/v, content filters, other net security devices) (d) better coding practices

Most compliance regulations & standards include these key factors for data security:

(a) proper protection of data through network security principles and tech (firewalls & antimalware devices) (b) strong user account & password management for access control (c) use of encryption (d) extensive logging and auditing to monitor and analyze reports, and to keep audit trails for evidence

Audits

(a) routine audits of security procedures & policies are an integral part of continuous security awareness (b) review and analyze data logs to compare against current policies and the level of incidents that occur (c) access to logs should be preserved and the logs analyzed (d) audits are performed at all levels

Employee termination process includes

(a) securing the work area (b) returning ID and company equipment (c) suspending computer accounts

Operational risk controls?

(a) security for day-to-day organizational business activities

HIPAA - Health Insurance Portability and Accountability Act

(a) set of compliance regulations (b) protects confidential patient data

Acceptable Use Policy

(a) set of established guidelines for the appropriate use of computer networks within an organization

Limited Partnerships

(a) similar to General, but more complex (b) allows partners to have limited liability & corresponding input based on their investment percentage

PCI - Payment Card Industry

(a) standards defined for companies that process credit card transactions (b) protect against fraud and identity theft (c) guide for storing and communicating financial data

To best protect organizational assets, it is important to consider best practices encompassing:

(a) technical (b) managerial (c) operational

Technical risk controls?

(a) technical measures deployed to mitigate security risks

Due Care, Diligence, Process

(a) terms that apply to the implementation and enforcement of company-wide security policies

Avoidance

(a) typically used when the cost to mitigate a threat that is unlikely or has little impact means it is not worth implementing (b) take certain steps to avoid the risk altogether, when the benefits are not worth the great security risk

SLA - Service Level Agreement

(a) understanding between a supplier of services and the users of those services that the service in question will be available for a certain % of time

What is used so that procedures are in place to deal with security incidents?

Incident response policy

Which Organizational Policy also includes user education and vigilant monitoring/testing to make sure plans are adhered to & activities are constantly analyzed to protect against new threats?

Operational risk control

Policy that describes distribution, protection, and confidentiality of customer data?

Privacy

Unplanned changes in your network could indicate

Security breaches

Templates and procedures for risk mitigation are called?

Security policies

Which controls perform the bulk of the risk mitigation and deterrence that have been defined in your organizational risk analysis?

Technical risk control

Annual Loss Expectancy (ALE)

calculated by multiplying ARO x SLE

Annual Rate of Occurrence (ARO)

chance of a risk occurring

Separation of duties

ensures that one single individual isn't tasked with high-security and high-risk responsibilities

Due diligence

ensures these security policies are properly implemented

Company practices due diligence by

implementing and maintaining these security procedures at all times to protect the company's facilities, assets, employees

False positive

legitimate action that is perceived as a risk or threat

Privacy policies

must be easy to find and provide information on how to opt out of any use of personal information

Job rotation

no employee retains the same amount of access control for a particular responsibility for an extended period of time; prevents internal corruption

Specific separation of duties ensures

one individual isn't tasked with high-security and high-risk responsibilities

Users should have

only the access rights they need to perform their job functions

Using Organizational Policies to Reduce Risk

organizational security is critical to a company's risk management plan and needs proper detail, communication, and adherence by employees in their activities through the use of policies

Single Loss Expectancy (SLE)

potential loss of revenue based on a specific period of downtime

Due process

process ensures an impartial and fair inquiry into violations of company policies

Qualitative

risk analysis includes intangible factors in determining costs

Quantitative

risk analysis is a strict dollar-amount calculation of the exact cost of the loss of a specific company asset because of a disaster

False negative

security issue that has passed your security controls as a legitimate action; this one is worse

Acceptable use policy

set of established guidelines for the appropriate use of computer networks

Mitigation

specific risks must be mitigated using countermeasures

Due care

taking the necessary responsibility and steps to protect the company and the employees

Risk Assessment

used to understand current risks, their probability and impact, and the solutions to prevent them

Mandatory vacations

employees must use vacation at specific times of the year or use all of their allotted vacation days for a single year; helps detect fraud or other anomalies
