Security Policies (3.1)


California Database Security Breach Act of 2003

A California state law that specifies that any agency, person, government entity, or company that does business in the state of California must inform California residents within 48 hours if a database breach or other security breach occurs in which personal information has been stolen or is believed to have been stolen.

Gramm-Leach-Bliley Act

A US federal law designed to protect private information held at financial institutions.

Patriot Act of 2001

A US federal law that gives law enforcement the authority to request information from organizations to detect and suppress terrorism.

Children's Online Privacy Protection Act of 1998 (COPPA)

A US federal law that requires organizations that provide online services designed for children below the age of 13 to obtain parental consent prior to collecting a child's personal information.

Sarbanes-Oxley Act of 2002

A US federal law that requires publicly traded companies to adhere to very stringent reporting requirements and implement strong controls on electronic financial reporting systems.

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

A US federal law that specifies that all organizations must protect the health information that they maintain.

Baseline

A baseline dictates the settings and security mechanisms that must be imposed on a system in order to comply with required security standards. Baselines are mandatory standards with which all systems must comply.

Code of Ethics

A code of ethics is a set of rules or standards that help you to act ethically in various situations. Because issues involved in various situations can be complex, the code of ethics does not prescribe actions to take for every situation. Rather, it identifies general principles of ethical behavior that can be applied to various situations. The code of ethics requires that everyone associated with the security policy:
- Conduct themselves in accordance with the highest standards of moral, ethical, and legal behavior.
- Not commit or be a party to any unlawful or unethical act that may negatively affect their professional reputation or the reputation of their profession.
- Appropriately report activity related to the profession that they believe to be unlawful and cooperate with resulting investigations.

Change Management and Configuration Management Policy

A configuration management policy provides a structured approach to securing company assets and making changes. Configuration management:
- Establishes hardware, software, and infrastructure configurations that are to be deployed universally throughout the corporation.
- Tracks and documents significant changes to the infrastructure.
- Assesses the risk of implementing new processes, hardware, or software.
- Ensures that proper testing and approval processes are followed before changes are allowed.

Code Escrow Agreement

A document that specifies the storage and conditions of release of source code.

Guideline

A guideline is a recommendation for use when a specific standard or procedure does not exist. Guidelines are considered non-compulsory and flexible.

Acceptable Use Policy (AUP)

A policy that defines how users should use the information and network resources in an organization. The acceptable use agreement might set expectations for user privacy when using company resources. Privacy is the right of individuals to keep personal information from unauthorized exposure or disclosure. In a business environment, businesses might need to be able to monitor and record actions taken by employees. Such monitoring might be viewed as a violation of individual privacy. To protect against legal issues:
- Define the types of actions and communications that will be monitored. For instance, it is typical for a business to reserve the right to monitor all activities performed on company computers, even if those activities might be of a personal nature.
- Clearly communicate all monitoring activities. Users should know that monitoring is being performed.
- Apply monitoring to all employees. Targeting specific employees could be grounds for discrimination.
- Comply with all legal requirements for privacy. For example, personal medical information is protected and cannot be shared without prior authorization.

Privacy Policy

A policy that outlines how the organization will secure private information for employees, clients, and customers.

Authorized Access Policy (AAP)

A policy that specifies access controls that are employed on a network.

Human Resources (HR) Policy

A policy used by HR that defines hiring and termination processes, job rotation requirements, and personal time off procedures.

Privacy

A privacy policy outlines how the organization will secure private information for employees, clients, and customers. The privacy policy outlines how personally identifiable information (PII) can be used and how it is protected from disclosure. PII items could include:
- Full name
- Address
- Telephone number
- Driver's license
- National identification number
- Credit card numbers
- Email address
Various laws govern privacy and the organization's responsibility to protect private information. A few of the high profile laws are identified below. It is the responsibility of security professionals to become aware of and adhere to all of the laws that apply to their respective organizations.
- The Health Insurance Portability and Accountability Act (HIPAA) defines security guidelines that enforce the protection of privacy. Specifically, HIPAA protects the privacy of medical records, including the transmission of these records.
- The Sarbanes-Oxley Act (SARBOX) requires publicly traded companies to adhere to stringent reporting requirements and internal controls on electronic financial reporting systems. A key aspect of the law is the requirement for retaining copies of business records, including email, for a specified period of time.
- The Gramm-Leach-Bliley Act (GLBA) requires all banks and financial institutions to implement the following:
  - Financial Privacy Rule - requires banks and financial institutions to alert customers to their policies and practices in disclosing customer information.
  - Safeguards Rule - requires banks and financial institutions to develop a written information security plan detailing how they plan to protect electronic and paper files containing personally identifiable financial information.
  - Pretexting Protection - requires banks and financial institutions to train their staff how to recognize social engineering exploits.
- The USA Patriot Act mandates organizations to provide information, including records and documents, to law enforcement agencies under the authority of a valid court order, subpoena, or other authorized agency.
- Many states mandate that when a security incident involving privacy occurs, organizations are obligated to inform users that their information could have been compromised. An example is the California Database Security Breach Act.
- The Children's Online Privacy Protection Act (COPPA) requires online services or websites designed for children under the age of 13 to:
  - Obtain parental consent prior to the collection, use, disclosure, or display of a child's personal information.
  - Allow children's participation without the need to disclose more personal information than is reasonably necessary to participate.
A Privacy Threshold Assessment (PTA) is a required document that serves as the official determination by the Department of Homeland Security (DHS) as to whether a department program or system has privacy implications and whether additional privacy compliance documentation is required, such as a Privacy Impact Assessment (PIA) and System of Records Notice (SORN). The PTA is built into departmental processes for technology investments and security. PTAs expire and must be reviewed and re-certified every three years. The purpose of a PTA is to:
- Identify programs and systems that are privacy-sensitive
- Demonstrate the inclusion of privacy considerations during the review of a program or system
- Provide a record of the program or system and its privacy requirements at the DHS's Privacy Office
- Demonstrate compliance with privacy laws and regulations
A Privacy Impact Assessment (PIA) is a process that assists organizations in identifying and minimizing the privacy risks of new projects or policies.

Procedure

A procedure is a step-by-step process that outlines how to implement a specific action. The design of a procedure is guided by goals defined in a policy, but goes beyond the policy by identifying specific steps that are to be implemented. The use of consistent procedures ensures that the goals defined in a policy are met and that the actions of multiple administrators are consistent.

Regulation

A regulation (or law) is a requirement published by a government or other licensing body that must be followed. While you are not responsible for writing regulations, you are responsible for knowing which regulations apply to your organization and making sure that those regulations are understood and adhered to. Policies are often written in response to regulations.

Resource Allocation

A resource allocation policy outlines how resources are allocated. Resources could include:
- Staffing
- Technology
- Budgets

Change Control (Four Components of Operational Security)

Change control regulates changes to policies and practices that could impact security. The primary purpose of change control is to prevent unchecked change that could introduce reductions in security. Change control must be a formal, fully documented process. The following are the change control process steps:
- Identify the need for a change and submit it for approval.
- Conduct a feasibility analysis, including technical and budgetary considerations.
- Design the method for implementing the change.
- Implement the change.
- Test the implementation to make sure it conforms to the plan and that the change does not adversely affect confidentiality, integrity, and accessibility.
- Document the change.
- Analyze feedback.
In the event that a change unintentionally diminishes security, an effective change control process includes rollback. A rollback makes it possible to revert the system back to the state it was in before the change was put into effect.

Due Care and Due Diligence (Prudent man rule)

Demonstrates that management has taken reasonable actions to ensure safety standards according to accepted best practices. The ability to demonstrate due care and due diligence protects the organization and its staff from accusations of negligence or incompetence in security-related issues.

Employee Management (Four Components of Operational Security)

Employee management reduces asset vulnerability from employees by implementing processes that include the following:
- Pre-employment processing
- Employee agreement documents
- Employee monitoring
- Termination procedures

Human Resources

Human resource policies related to security might include the following:
- Hiring policies identify processes to follow before hiring. For example, the policy might specify that pre-employment screening include:
  - Employment, reference, and education history checks
  - Drug screening
  - A background investigation or credit rating check
- Termination policies and procedures identify processes to be implemented when terminating employees. For example, the termination policy might specify that:
  - Network access and user accounts are disabled immediately
  - Exit interviews are conducted
  - Employees are escorted at all times following termination
  - All company property is returned
  - Appropriate documents are signed
- A requirement for job rotation cross-trains individuals and rotates users between positions on a regular basis. Job rotation helps to catch irregularities that could arise when one person is unsupervised over an area of responsibility.
- A requirement for mandatory vacations requires employees to take vacations of specified length. These vacations can be used to audit actions taken by the employee and provide a passage of time where problems caused by misconduct could become evident.

Password Policy

Password policies detail the requirements for passwords for the organization. This can include the following:
- The same password should never be used for different systems.
- Accounts should be disabled or locked out after a specified amount of failed login attempts.
- Passwords should never contain words, slang, or acronyms.
- Users should be required to change their passwords within a certain time frame and use a rotation policy.
- A strong password policy should be enforced. Strong passwords:
  - Contain multiple character types (uppercase, lowercase, numbers, and symbols).
  - Are a minimum length of eight characters or more.
  - Use no part of a user name or email address.

Physical Security (Four Components of Operational Security)

Physical security is the protection of assets from physical threats. Physical security procedures include the following:
- Choosing a secure site and securing the facility
- Protecting both data and equipment from theft, destruction, or compromise
- Implementing environmental and safety measures to protect personnel and the facility
- Disposing of sensitive material that is no longer needed

User Education and Awareness Policy

Security awareness and training is designed to:
- Familiarize employees with the security policy.
- Communicate standards, procedures, and baselines that apply to the employee's job.
- Facilitate employee ownership and recognition of security responsibilities.
- Establish reporting procedures for suspected security violations.
Role-based security awareness training should be tailored for the role of the employee:
- Data owner
- System administrator
- System owner
- User
- Privileged user
- Executive user
When an updated version of a security plan is produced, the most critical activity to prevent is public release of older versions of the document. Even an out-of-date plan can provide sufficient information to attackers to perform serious security intrusions. When the security plan is updated, users should be made aware of the changes, the document should be distributed internally to appropriate parties, and all old versions should be destroyed.

Security Awareness (Four Components of Operational Security)

Security awareness is designed to:
- Familiarize employees with the security policy
- Communicate standards, procedures, and baselines that apply to an employee's job
- Facilitate employee ownership and recognition of security responsibilities
- Establish reporting procedures for suspected security violations
- Follow up and gather training metrics to validate:
  - Employee compliance
  - The organization's security posture

Service Level Agreement (SLA)

Service Level Agreements (SLAs), sometimes called maintenance contracts, guarantee the quality of a network service provider's care to a subscriber. SLAs often include descriptions for the following:
- The mean time between failures (MTBF) identifies the average lifetime of a system or component. Components should be replaced about the time that the MTBF is reached.
- The mean time to repair (MTTR) identifies the average amount of time necessary to repair a failed component or to restore operations.
SLAs can include guarantees for:
- Turn-around times
- Average response times
- Number of online users
- System utilization rates
- System uptimes
- Volume of transactions
- Production problems
Keep in mind the following recommendations for SLAs:
- SLAs should define, in sufficient detail, any penalties incurred if the level of service is not maintained.
- In the information security realm, it is also vital that the provider's role in disaster recovery operations and continuity planning is clearly defined.
- Industry standard templates are frequently used as a starting point for SLA design, but must be tailored to the specific project or relationship to be effective.
If you depend on an SLA for mission-critical code, you should consider a code escrow arrangement. Code escrow is a storage facility hosted by a trusted third party which will ensure access to the mission-critical code even if the development company, the company with whom you have the SLA, goes out of business.

Organizational Security Policy

The organizational security policy is a high-level overview of the corporate security program. The organizational security policy:
- Is usually written by the security professionals, but must be wholly supported and endorsed by senior management
- Identifies roles and responsibilities to support and maintain the elements of the security program
- Identifies what is acceptable and unacceptable regarding security management
- Identifies the rules and responsibilities of the enforcement of the policy

Security Management

The overall security vision for an organization as well as the ongoing implementation and maintenance of security. The goal is to preserve the confidentiality, integrity, and availability of all critical and valuable assets. Senior management is responsible for security management. Senior management defines the corporate security posture or tone (the organization's outlook and approach to security) and provides funding for the security program.

User Management Policy

User management policies identify actions that must take place when employee status changes. The administrator of a network for an organization needs to be aware of new employees, employee advancements and transfers, and terminated employees to ensure the security of the system. All of these activities could result in changes to:
- Network access
- Equipment configuration
- Software configuration

