Information Security Governance Flashcards


Flashcards in Information Security Governance Deck (34):
1

Is a guideline discretionary or mandatory?

A guideline is discretionary.

2

Is a policy discretionary or mandatory?

A policy is mandatory.

3

All policies should contain what basic components?

Purpose.
Scope.
Responsibilities.
Compliance.

4

What is the purpose of a policy?

The need for the policy, typically to protect the confidentiality, integrity, and availability of protected data.

5

What is the scope of a policy?

The scope describes what systems, people, facilities, and organizations are included in the policy. To avoid confusion, any related entities not in scope should be documented.

6

What are the responsibilities of a policy?

Responsibilities include those of the information security staff, policy, and management teams, as well as those of all members of the organization.

7

What is compliance in terms of being one of the basic components of a policy?

Compliance describes two related issues: how to judge the effectiveness of the policies (how well they are working), and what happens when policy is violated (the sanction). All policy must have "teeth": a policy that forbids accessing explicit content on the Internet is not useful if there are no consequences for doing so.

8

Are procedures mandatory or discretionary?

Procedures are mandatory.

9

What is a procedure?

A procedure is a step-by-step guide for accomplishing a task.

10

Are standards mandatory or discretionary?

Standards are mandatory.

11

Why are standards important and necessary?

Standards lower the Total Cost of Ownership of a safeguard. Standards also support disaster recovery.

12

Are guidelines mandatory or discretionary?

Guidelines are discretionary.

13

What is a guideline and what is an example?

A guideline is a recommendation or advice. An example of a guideline is "to create a strong password, take the first letter of each word in a sentence, and mix in some numbers and symbols."

14

What is a baseline?

Baselines are uniform ways of implementing a standard. "Harden the system by applying the Center for Internet Security Linux benchmarks" is an example of a baseline. The system must meet the baseline described by those benchmarks.

15

Besides technical risks, what else can pose the biggest risk to an organization?

People can pose the biggest risk to an organization.

16

Besides technical risks, what else can be considered the biggest risk to an organization?

People can be considered the biggest risk.

17

What are ways to mitigate the risk users pose to an organization?

Background checks should be performed, contractors need to be securely managed, and users must be properly trained and made aware of security risks. Controls such as Non-Disclosure Agreements and related employment agreements are recommended personnel security controls.

18

What is the difference between security awareness and training?

Security awareness modifies the behavior of users while training provides a skill set.

19

What is an example of awareness?

Reminding users never to share accounts or write their passwords down.

20

What types of checks should be done against an individual before hiring them?

A criminal records check should be conducted, as well as verification of employment history, education, and certifications. Lying or exaggerating about education, certifications, and related credentials is one of the most common examples of dishonesty in the hiring process. More thorough background checks should be done for roles with heightened privileges, such as access to money or classified information. These checks can include a financial investigation, a more thorough criminal records check, and interviews with friends, neighbors, and current and former coworkers.

22

What should be done immediately when an employee is terminated?

Termination should result in immediate revocation of all employee access.

23

What does a fair termination process look like?

A progressive discipline process includes:
- Coaching
- Formal discussion
- Verbal warning meeting, with Human Resources attendance (perhaps multiple warnings)
- Written warning meeting, with Human Resources attendance (perhaps multiple warnings)
- Termination

24

Why is it important to consider how a vendor with access to multiple organizations' systems manages access?

Many vendors will re-use the same credentials across multiple sites, manually synchronizing passwords. This increases the risk of stolen, guessed, or cracked credentials being reused to access the organization.

26

Is training third party personnel for security awareness necessary? What about background checks?

Yes, third party personnel with access to sensitive data must be trained and made aware of risks, just as employees are. Background checks may also be required depending on the level of access. Information security policies, procedures, and other guidance should apply as well. Additional policies regarding ownership of data and intellectual property should be developed. Clear rules dictating where and when a third party may access or store data must be developed.

28

What are ways of mitigating the risk of vendor systems at an organization's site?

The same process of hardening systems within the organization should be applied to the vendor's systems. However, it should be discussed with the vendor who is responsible for this task: who is responsible for patching and securing vendor systems that exist onsite at the client?

29

What is outsourcing?

Outsourcing is the use of a third party to provide Information Technology support services that were previously performed in-house.

31

What is offshoring?

Offshoring is outsourcing to another country.

32

What is the advantage of outsourcing?

Outsourcing can lower the Total Cost of Ownership by providing IT services at a lower cost. It may also enhance the information technology resources and skill set available to a company (especially a small company), which can improve the confidentiality, integrity, and availability of data.

33

What is the risk of outsourcing?

Outsourcing to offshore resources can raise privacy and regulatory issues. For example, a U.S. company might offshore data to Australia, where HIPAA, SOX, and GLBA do not apply.

34

What can be done to mitigate the risks of outsourcing?

A thorough and accurate Risk Analysis must be performed before outsourcing or offshoring sensitive data. If the data will reside in another country, you must ensure that laws and regulations governing the data are followed, even beyond the laws of the offshored jurisdiction. This can be done contractually: the Australian company can agree to follow HIPAA via contract, for example.