Advisory Security Policy
Provides instruction on acceptable and unacceptable activities
Informative Security Policy
Provides information from an education standpoint
Risk management involves:
identification, assessment, analyzation, and mitigation of risks
Measurement of information security issues at management levels is accomplished by what?
The risk management framework
What do risk profiles represent?
a cross-section of an organization’s comfort level of which risks it will and will not tolerate
Risk management measure the effect of security on what?
Security practitioner must consider what objectives?
business and security
What is NIST?
a U.S. government agency that develops a formal series of special publications that detail policies, procedures, and guidelines for the security of federal computer devices.
The NIST Risk Management Framework (RMF) is detailed in what publication?
NISP SP 800-39: Managing Information Security Risk
The NIST Risk Management Framework (RMF) includes what stages related to security controls?
What is ISO?
ISO is the world’s largest standards organization; it creates standard for many industries, including security and technology
What organizations are able to provide official accreditation to organization for demonstrating compliance with particular standard and guidelines?
NIST and ISO
Many partnership business models involve the exchange of information, making information security requirements what?
a cross-business issue
With regard to personnel, business models influence what?
how personnel are employed and whether to rely on in-house expertise or offshore talent
What are the two high-level types of partnerships?
formal and informal
Partners share in what?
operational responsibility, profits, and liabilities associate with a business
Policies associate with the user of information by a partner should be?
determined in advance and provided to customer(s) for approval
Customer data cannot be shared with other parties without:
notification of business purpose and (in the EU) customer consent, aka opt-in
Cloud computing helps organizations in what ways?
Reducing costs and improving productivity by utilizing applications, accessibility, storage, availability, and scalability
Prior to signing an agreement with a cloud provider, organizations must do what?
Determine the risk management and assessment processes the cloud provider implements
Reviewing service level agreements allows you to learn what?
the service offerings and promises of a cloud, outsourcing, or other provider
As businesses become global what practice with regard to personnel is becoming more common?
outsourcing of business functions, including information security activities
Merger and acquisitions can result in changes to many business processes, which requires what before completion?
Careful attention during due diligence periods, including attention to information security processes
What are managed security services?
Outsourced security and network services
Managed security services can include what?
- physical security
- vulnerability assessments
- penetration testing
- operation security monitoring
- compliance monitoring/auditing
- digital forensics
- other consulting efforts
What is the HIPAA Security Rule?
It standardizes the protection of PHI and requires administrative, physical, and technical safeguards
What is PHI
private health information
The GLBA’s provisions for financial organizations to protect the privacy of customer data is carried out by what?
the Safeguards Rule and the Privacy Rule
SOX is an abbreviation for what?
the Sarbanes-Oxley Act
SOX was created to do what?
Mandate publicly trade corporations to implement internal controls, auditing, and disclosure practices to protect businesses, investors, and customers from corporate scandals.
FISMA stands for what?
Federal Information Security Modernization Act
What is the purpose of FISMA?
To direct government agencies to enforce various security requirements on government networks and devices
PCI DSS stands for what?
Payment Card Industry Data Security Standard
What does PCI DSS require?
All organizations that process payment cards to protect both the transactions and the card holder data
EU directives 2002/58/EC & 2009/136/EC both require what?
telecoms and ISPs to offer security for their services and to notify customers of security threats
GDPR stands for what?
General Data Protection Regulation
In general, what does GDPR do?
Improves the security and privacy practices required when dealing with EU customer data
Organizations with international partnerships and locations with need to consider what with regard to export requirements?
Both local and foreign export requirements
Analysis of competitors will improve organization awareness of what with regard to security?
security standards, procedures, guidelines, and best practices
An internal audit can be used to do what?
Verify compliance with internal and external security requirements, as well as provide management with feedback on risk management efforts
The COBIT framework provides what?
a set of generally accepted measures, indicators, processes, and best practices to assist in maximizing the benefits of IT
COBIT stands for what?
Control Objectives for Information Technology
HITECH stands for what?
Health Information Technology for Economic and Clinical Health
The HITECH Act generally does what?
widens the scope of privacy and security protections available under HIPAA
Client and customer data requirements result in what?
Organizational security requirements
Top-level management evaluates security using what mindset?
a risk management mindset
Deperimeterization describes what?
The moving of organization boundaries from the edge of the network to wherever the user’s device is.
(This includes the edge network, cloud environment, Wi-Fi network, the user’s home network, or networks accessed while traveling)
How are teleworkers distinguished from telecommuters?
telecommuters work from home, whereas teleworkers travel to non-main office locations like branches or customer sites
What does COPE stand for with regard to mobile devices?
Corporate Owned/Personally Enabled
COPE describes what situation?
corporations buy devices but employees use them for personal and business needs
CYOD stands for what?
Choose your own device
A CYOD policy allows a business to do what?
Publish a limited list of devices that employees can buy, allowing the business to limit the disparity of devices to support while giving employees some level of choice
Enterprise standard operating environments provide what benefits to the organization?
reduce complexity, improve security, and reduce resource requirements for operations
What are the risk management steps, in order?
Security audit findings can be used for what?
to facilitate improvements in the security system
What is divestiture?
When an organization sells off one of its business units