Chapter 16: Policy and Compliance
These are less formal reviews of security controls that are typically requested by the security organization itself in an effort to engage in process improvement. In these, the assessor typically gathers information by interviewing employees, rather than performing actual testing of controls.
Assessments
These require rigorous, formal testing of controls and result in a formal statement regarding the entity's compliance.
Audit
This is a formal review of an organization's security program or specific compliance issues conducted on behalf of a third party.
Audit
This document, prepared by ISACA, divides information technology activities into four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate.
COBIT
This is a set of best practices for IT governance, developed by ISACA
COBIT
This is a policy that describes the expected behavior of employees and affiliates and serves as a backstop for situations not specifically addressed elsewhere in policy. ___________________ of ___________________/___________________
Code of Conduct/Ethics
These controls are designed to mitigate the risk associated with exceptions made to a security policy.
Compensating
These controls seek to discourage an attacker from attempting to violate security policies. Guard dogs, barbed-wire fences, and warning signs are examples.
Deterrent
This is a set of procedures that describe how the organization will respond to subpoenas, court orders, and other legitimate requests to produce digital evidence. ______________________ ______________________ procedures
Evidence Production
Inevitably, unforeseen circumstances will arise that require a deviation from policy requirements. These deviations are called _________________________
Exceptions
This law requires that educational institutions implement security and privacy controls for student educational records.
FERPA
This law requires that government agencies and other organizations operating on behalf of government agencies comply with a series of security standards.
FISMA
In the NIST Cybersecurity Framework, this is the set of five security functions that apply across all industries and sectors: the ___________________________ ________________
Framework Core
This law covers financial institutions. It requires that they have a formal security program and designate an individual as having overall responsibility for that program.
GLBA
These provide best practices and recommendations related to a given concept, technology, or task. Compliance with these is not (usually) mandatory.
Guidelines
This law includes security and privacy rules that affect healthcare providers, health insurers and health information clearinghouses.
HIPAA
The ISO publishes this standard for information security management systems; its Annex A (2013 edition) groups information security controls into 14 categories.
ISO 27001
ITSM
IT Service Management
These five core activities, Service Strategy, Service Design, Service Transition, Service Operation, and Continual Service Improvement, are described in this framework:
ITIL
This is a framework that offers a comprehensive approach to IT service management within the modern enterprise.
ITIL
The Framework Core lists five security functions. They are: _____________, __________________, _____________________, ____________________, ______________________
Identify, Protect, Detect, Respond, Recover
In the NIST Cybersecurity Framework, these assess how an organization is positioned to meet cybersecurity objectives: The Framework ____________________________ _______________________
Implementation Tiers
This is a policy that provides high-level authority and guidance for the security program _______________________ ________________________ policy
Information Security
This contains a series of documents designed to describe the organization's cybersecurity program. __________________ ________________________ ______________________ ______________________
Information Security Policy Framework
ISACA
Information Systems Audit and Control Association
ITIL
Information Technology Infrastructure Library
ISO
International Organization for Standardization
These security controls are procedural mechanisms that focus on the mechanics of the risk management process. Examples: Periodic risk assessments, security planning exercises; incorporation of security into the organization's change management, service acquisition, and project management practices. _______________________________ controls
Managerial
In the NIST Cybersecurity Framework, the Implementation Tiers are arranged into four levels that describe the current and desired positioning of an organization; the levels are: Tier 1: Partial, Tier 2: Risk Informed, Tier 3: Repeatable, Tier 4: Adaptive. This is known as a __________________________ ______________________
Maturity Model
Security controls are categorized by their _____________________ of _____________________, the way they achieve their objectives.
Mechanism of Action
This is a set of procedures that describe how the organization will perform security monitoring activities, including the possible use of continuous monitoring technology. _________________________ procedures
Monitoring
This organization is responsible for developing cybersecurity standards across the U.S. federal government.
NIST
This document, released in 2014, is designed to assist organizations attempting to meet one or more of the following five objectives:
* Describe their current cybersecurity posture
* Describe their target state for cybersecurity
* Identify and prioritize opportunities for improvement
* Assess progress toward the target
* Communicate among internal and external stakeholders
This document is known as the __________________ __________________________ ___________________________
NIST Cybersecurity Framework
NIST
National Institute of Standards and Technology
These security controls include the processes that we put into place to manage technology in a secure manner. These include user access reviews, log monitoring, and vulnerability management. ____________________________ controls
Operational
This standard provides detailed rules about the storage, processing, and transmission of credit and debit card information.
PCI DSS
This is a policy that sets forth requirements for password length, complexity, reuse, and similar issues. _____________________ policy
Password
This is a set of procedures that describe the frequency and process of applying patches to applications and systems under the organization's care. ___________________ procedures
Patching
These controls impact the physical world. Examples: Fences, perimeter lighting, locks, fire suppression systems, burglar alarms
Physical
These are high-level statements of management intent. Compliance with these is mandatory.
Policies
An organization's Information Security Policy Framework usually includes these four different types of documents: ______________________ _________________________ _________________________ ________________________
Policies, Standards, Procedures, Guidelines
This requires high-level approval, usually from the CEO
Policy
__________________ _______________________ should lay out the requirements for receiving an exception and the individual or committee with the authority to approve exceptions
Policy Frameworks
This type of security framework mandates the controls that an organization must implement, with little flexibility for interpretation. _____________________________ Framework
Prescriptive
These controls are intended to stop a security issue before it occurs. Firewalls and encryption are examples.
Preventive
These are detailed, step-by-step processes that individuals and organizations must follow in specific circumstances. They can be similar to checklists, and ensure a consistent process for achieving a security objective.
Procedures
In the NIST Cybersecurity Framework, these describe how a specific organization might approach the security functions covered by the framework core: Framework __________________________
Profiles
This type of security framework provides high-level control objectives and then allows the organization to design situation-appropriate controls based on their own assessment of the risk environment. _______________-______________________ Framework
Risk-Based
This law applies to the financial records of publicly traded companies and requires that those companies have a strong degree of assurance around the IT systems that store and process those records.
SOX
These are specific measures that fulfill the security objectives of an organization. ________________________ ____________________
Security Controls
These are used to assist with the creation of an organization's security policy; they provide a standardized approach to developing cybersecurity programs. ________________________ _________________________
Security Framework
These provide mandatory requirements describing how an organization will carry out its information security policies.
Standards
These security controls enforce confidentiality, integrity, and availability (CIA) in the digital space. Examples are firewall rules, access control lists, intrusion prevention systems (IPS), and encryption. ________________________ controls
Technical
There are three different categories of security control. They are: __________________________, _________________________, ____________________
Technical, Operational, Managerial
True or False: Audits may be conducted by internal audit groups at the request of management, or by external audit firms at the request of an organization's governing body or a regulator.
True
According to the PCI DSS Exception Process, a compensating control must provide a _____________________ level of defense as the original requirement
similar
According to the PCI DSS Exception Process, a compensating control must meet the _____________________ and __________________________ of the original requirement.
intent, rigor
According to the PCI DSS Exception Process, a compensating control must be ____________________ and ___________________________ other PCI DSS requirements.
Above, Beyond
This is a policy that provides network and system users with clear direction on permissible uses of information resources ___________________________ ___________________ policy
Acceptable Use
This is a policy that describes the account life cycle from provisioning through active use and decommissioning. _____________________ ________________________ policy
Account Management
These controls identify security events that have already occurred or are occurring at the moment. Cameras and intrusion detection systems (IDS) are examples.
Detective
This is a policy that describes the organization's approach to monitoring and informs employees that their activity is subject to monitoring in the workplace. _________________________ ______________________ policy
Continuous Monitoring
These are statements of a desired security state that are laid out in security policy frameworks. _______________________ ___________________________
Control Objectives
COBIT
Control Objectives for Information and Related Technology
These controls remediate security issues that have already occurred. Restoring backups after a ransomware attack is an example.
Corrective
These laws describe the requirements that individual states place on organizations that suffer data breaches, regarding notification of individuals affected by the breach. ___________________ ___________________ ____________________________
Data Breach Notification
This is a policy that describes the classification structure used by the organization and the process used to properly assign classifications to data. ___________________ ___________________________ policy
Data Classification
This is a policy that clearly states the ownership of information created or used by the organization ________________________ ______________________ policy
Data Ownership
This is a policy that outlines what information the organization will maintain and the length of time different categories of work product will be retained prior to destruction. ______________________ _____________________ policy
Data Retention
Many exception processes require the use of ___________________________ __________________________ to mitigate the risk associated with exceptions to security standards.
compensating controls
Security Controls can be divided into types, based on their desired ___________________
effect