5.3 Organizational Security Policies Flashcards
NDA
Non-Disclosure Agreement: a legal contract outlining the confidential material or information that will be shared between the pen-tester and the organization during an assessment. There may be two NDAs in use: one from the organization to the pen-tester and another from the pen-tester to the organization
SOW
Scope of Work is a formal document stating what will and will not be performed during a penetration test. It should also contain the assessment’s size and scope and a list of the assessment’s objectives
MSA
Master Service Agreement is a contract reached between parties, in which the parties agree to most of the terms that will govern future transactions or future agreements. The MSA is used when a pen-tester will be on retainer for a multi-year contract
Corporate Policy
documented set of broad guidelines, formulated after analyzing all internal and external factors that can affect an organization’s objectives, operations, and plans
Separation of Duties
concept of having more than one person required to complete a particular task to prevent fraud and error
Dual Control
requires both people to act together. For example, a nuclear missile system uses dual control and requires two people to each turn a different key simultaneously to allow for a missile launch to occur
Mandatory Vacation Policy
policy requiring that all users take time away from work for a break from the day-to-day routine of their jobs. It also has a major side benefit for your company’s security posture: another employee must fill in for the vacationing employee’s normal roles and responsibilities, and the employee who is filling in might come across fraud, abuse, or theft that the vacationing employee is a part of
Privacy Policy
how information should be properly stored and secured