Policies and Procedures Flashcards

1
Q

Defines the role of security in an organization and establishes the desired
end state of the security program

A

Policies

2
Q

Provide general direction and goals, a framework to meet the business
goals, and define the roles, responsibilities, and terms

A

Organizational Policies

3
Q

Address the security needs of a specific technology, application, network,
or computer system

A

System Specific Policies

4
Q

Built to address a specific security issue, such as email privacy, employee
termination procedures, or other specific issues

A

Issue Specific Policies

5
Q

Created as reference points which are documented for use as a method
of comparison during an analysis conducted in the future

A

Baseline

6
Q

Detailed step-by-step instructions that are created to ensure personnel
can perform a given action

A

Procedures

7
Q

Category based on the value to the organization and the sensitivity of the
information if it were to be disclosed

A

Data Classification

8
Q

Any information that can result in a loss of security, or loss of advantage
to a company, if accessed by unauthorized persons

A

Sensitive Data

9
Q

Has no impact to the company if released and is often posted in
the open-source environment.

A

Public Data

10
Q

Contains data that should only be used within the organization

A

Private Data

11
Q

Highest classification level that contains items such as trade
secrets, intellectual property data, source code, and other types
that would seriously affect the business if disclosed

A

Confidential Data

12
Q

Items that wouldn’t hurt national security if released but could
impact those whose data is contained in it

A

Sensitive but Unclassified

13
Q

Data that could seriously affect the government if unauthorized
disclosure were to happen

A

Confidential Data

14
Q

Data that could seriously damage national security if disclosed

A

Secret Data

15
Q

Data that could gravely damage national security if it were known
to those who are not authorized for this level of information

A

Top Secret Data

16
Q

The process of identifying the person responsible for the confidentiality, integrity,
availability, and privacy of information assets

A

Data Ownership

17
Q

A senior (executive) role with ultimate responsibility for maintaining the
confidentiality, integrity and availability of the information asset

A

Data Owner

18
Q

A role focussed on the quality of the data and associated metadata

A

Data Steward

19
Q

A role responsible for handling the management of the system on which
the data assets are stored

A

Data Custodian

20
Q

A role responsible for the oversight of any PII/SPI/PHI assets managed by
the company

A

Privacy Officer

21
Q

A piece of data that can be used either by itself or in combination with
some other pieces of data to identify a single person

A

Personally Identifiable Information (PII)

22
Q

Affects U.S. government computer systems that collect, store, use, or
disseminate personally identifiable information

A

Privacy Act of 1974

23
Q

Affects healthcare providers, facilities, insurance companies, and medical
data clearing houses

A

Health Insurance Portability and Accountability Act (HIPAA)

24
Q

Affects publicly-traded U.S. corporations and requires certain accounting
methods and financial reporting requirements

A

Sarbanes-Oxley (SOX)

25
Q

Affects banks, mortgage companies, loan offices, insurance companies,
investment companies, and credit card providers

A

Gramm-Leach-Bliley Act (GLBA)

26
Q

Requires each agency to develop, document, and implement an agency-wide information systems security program to protect its data

A

Federal Information Security Management Act (FISMA) of 2002

27
Q

Provides regulations that govern the security, confidentiality, and
integrity of the personal information collected, stored, or processed
during the election and voting process

A

Help America Vote Act (HAVA) of 2002

28
Q

For any type of information or asset, consider how a compromise of that
information could threaten the three core security attributes of the CIA Triad

A

Legal Requirements

29
Q

A data governance requirement that arises when collecting and
processing personal data, to ensure the rights of the data subject

A

Privacy

30
Q

Personal data cannot be collected, processed, or retained without the
individual’s informed consent

A

General Data Protection Regulation (GDPR)

31
Q

Methods and technologies that remove identifying information from data
before it is distributed

A

Deidentification

32
Q

A deidentification method where generic or placeholder labels are
substituted for real data while preserving the structure or format of the
original data

A

Data Masking

33
Q

A deidentification method where a unique token is substituted for real
data

A

Tokenization

34
Q

A deidentification technique where data is generalized to protect the
individuals involved

A

Aggregation/Banding

35
Q

An attack that combines a deidentified dataset with other data sources
to discover how secure the deidentification method used is

A

Reidentification

36
Q

Defines the rules that restrict how a computer, network, or other systems
may be used

A

Acceptable Use Policy

37
Q

Defines the structured way of changing the state of a computer system,
network, or IT procedure

A

Change Management Policy

38
Q

Different users are trained to perform the tasks of the same position to
help prevent and identify fraud that could occur if only one employee
had the job

A

Job Rotation

39
Q

Dictates what type of things need to be done when an employee is hired,
fired, or quits

A

Onboarding and Offboarding Policy

40
Q

Ensuring that IT infrastructure risks are known and managed properly

A

Due Diligence

41
Q

Mitigation actions that an organization takes to defend against the risks
that have been uncovered during due diligence

A

Due Care

42
Q

A legal term that refers to how an organization must respect and
safeguard personnel’s rights

A

Due Process

43
Q

Agreement between two parties that defines what data is considered
confidential and cannot be shared outside of the relationship

A

Non-Disclosure Agreement (NDA)

44
Q

A non-binding agreement between two or more organizations to detail
an intended common line of action

A

Memorandum of Understanding (MOU)

45
Q

An agreement concerned with the ability to support and respond to
problems within a given timeframe and continuing to provide the agreed
upon level of service to the user

A

Service Level Agreement (SLA)

46
Q

An agreement for the owners and operators of the IT systems to
document what technical requirements each organization must meet

A

Interconnection Security Agreement (ISA)

47
Q

Conducted between two business partners that establishes the
conditions of their relationship

A

Business Partnership Agreement (BPA)

48
Q

Exposes the hard drive to a powerful magnetic field, which in turn causes
previously written data to be wiped from the drive

A

Degaussing

49
Q

Act of removing data in such a way that it cannot be reconstructed using
any known forensic techniques

A

Purging (Sanitizing)

50
Q

Removal of data with a certain amount of assurance that it cannot be
reconstructed

A

Clearing

51
Q

A security framework that divides IT into four domains: Plan and
Organize, Acquire and Implement, Deliver and Support, and Monitor and
Evaluate

A

Control Objectives for Information and Related Technology (COBIT)

52
Q

Consensus-developed secure configuration guidelines for hardening
(benchmarks) and prescriptive, prioritized, and simplified sets of
cybersecurity best practices (configuration guides)

A

Center for Internet Security

53
Q

A process that integrates security and risk management activities into the
system development life cycle through an approach to security control
selection and specification that considers effectiveness, efficiency, and
constraints due to applicable laws, directives, Executive Orders, policies,
standards, or regulations

A

Risk Management Framework (RMF)

54
Q

A set of industry standards and best practices created by NIST to help
organizations manage cybersecurity risks

A

Cybersecurity Framework (CSF)

55
Q

An international standard that details requirements for establishing,
implementing, maintaining and continually improving an information
security management system (ISMS)

A

ISO 27001

56
Q

An international standard that provides best practice recommendations
on information security controls for use by those responsible for
initiating, implementing, or maintaining information security
management systems (ISMS)

A

ISO 27002

57
Q

An international standard that acts as a privacy extension to the ISO
27001 to enhance the existing Information Security Management System
(ISMS) with additional requirements in order to establish, implement,
maintain, and continually improve a Privacy Information Management
System (PIMS)

A

ISO 27701

58
Q

An international standard for enterprise risk management that provides a
universally recognized paradigm for practitioners and companies
employing risk management processes to replace the myriad of existing
standards, methodologies, and paradigms that differed between
industries, subject matters, and regions

A

ISO 31000

59
Q

A suite of reports produced during an audit which is used by service
organizations to issue validated reports of internal controls over those
information systems to the users of those services

A

System and Organization Controls (SOC)

60
Q

Designed to provide fundamental security principles to guide cloud
vendors and to assist prospective cloud customers in assessing the overall
security risk of a cloud provider

A

Cloud Security Alliance’s Cloud Control Matrix

61
Q

A methodology and a set of tools that enable security architects,
enterprise architects, and risk management professionals to leverage a
common set of solutions that fulfill their common needs to be able to
assess where their internal IT and their cloud providers are in terms of
security capabilities and to plan a roadmap to meet the security needs of
their business

A

Cloud Security Alliance’s Reference Architecture