Policies & Procedures

Question 1

Baseline

Answer 1

Created as reference points which are documented for use as a method of comparison during an analysis conducted in the future

Question 2

Government Data Classifications

Answer 2

Unclassified Data
Can be released to the public

Sensitive but Unclassified
Items that wouldn’t hurt national security if released but could impact those whose data is contained in it

Confidential Data
Data that could seriously affect the government if unauthorized disclosure were to happen

Secret Data
Data that could seriously damage national security if disclosed

Top Secret Data
Data that could gravely damage national security if it were known to those who are not authorized for this level of information

Question 3

Data Owner

Answer 3

A senior (executive) role with ultimate responsibility for maintaining the confidentiality, integrity and availability of the information asset

The data owner is responsible for labeling the asset and ensuring that it is protected with appropriate controls

Question 4

Data Steward

Answer 4

Responsible for maintaining quality of data

Responsible for data accuracy, privacy, & security

Question 5

Data Custodian

Answer 5

A role responsible for handling the management of the system on which the data assets are stored

Question 6

PCI DSS

Answer 6

Payment Card Industry Data Security Standard:

Contractual obligation to protect card information

Question 7

GDPR

Answer 7

General Data Protection Regulation:
Personal data cannot be collected processed or retained without the individual’s informed consent

GDPR also provides the right for a user to withdraw consent, to inspect, amend, or erase data held about them
GDPR requires data breach notification within 72 hours

Question 8

Deidentification

Answer 8

Methods and technologies that remove identifying information from data before it is distributed

Deidentification is often implemented as part of database design

Question 9

Data Masking

Answer 9

Deidentification Method where generic or placeholder labels are substituted for real data while preserving the structure or format of the original data

Question 10

Tokenization

Answer 10

A deidentification method where a unique token is substituted for real data

Question 11

Aggregation/Banding

Answer 11

A deidentification technique where data is generalized to protect the individuals involved

Question 12

Reidentification

Answer 12

An attack that combines a deidentification dataset with other data source to discover how secure the deidentification method used is

Question 13

Due Diligence

Answer 13

Ensuring that IT infrastructure risks are known and managed properly

Question 14

Due Care

Answer 14

Mitigation actions that an organization takes to defend against the risks that have been uncovered during due diligence

Question 15

ISA

Answer 15

Interconnection Security Agreement:
An agreement for the owners and operators of the IT systems to document what technical requirements each organization must meet

Question 16

BPA (Business Partnership Agreement)

Answer 16

Business Partnership Agreement:
Conducted between two business partners that establishes the conditions of their relationship

A BPA can also include security requirements

Question 17

Degaussing

Answer 17

Exposes the hard drive to a powerful magnetic field which in turn causes previously-written data to be wiped from the drive

Question 18

Purging (Sanitizing)

Answer 18

Act of removing data in such a way that it cannot be reconstructed using any known forensic techniques

Question 19

Clearing

Answer 19

Removal of data with a certain amount of assurance that it cannot be reconstructed

Question 20

CIS

Answer 20

Center for Internet Security: Created by NIST

Consensus-developed secure configuration guidelines for hardening (benchmarks) and prescriptive, prioritized, and simplified sets of cybersecurity best practices (configuration guides)

Improve cyber defenses (20 key actions)
Categorized for different organization sizes
Designed for implementation (written for IT pros)

Question 21

RMF

Answer 21

Risk Management Framework: Developed by NIST for the Federal Government
A process that integrates security and risk management activities into the system development life cycle through an approach to security control selection and specification

6 Steps
Categorize - define environment
Select - pick controls
Implement - define proper implementation
Asses - determine if controls are working
Authorize - Make a decision to authorize a system
Monitor - check for ongoing compliance

Question 22

CSF

Answer 22

Cybersecurity Framework: Developed by NIST
A set of industry standards and best practices created by NIST to help organizations manage cybersecurity risks

5 Category Functions: Identify, Protect, Detect, Respond, Recover

Question 23

ISO 27000 (4 Provisions)

Answer 23

International standard

27001: Basic procedure for cybersecurity (international standard) - focused on establishing/maintaining info systems
27002: International standard focused on information security controls (to protect those systems)
27701: Adding privacy to ISMS (privacy extension for ISO 27001)
31000: Attempt to create global risk management framework

Question 24

SOC

Answer 24

System & Organization Controls:
A suite of reports produced during an audit which is used by service organizations to issue validated reports of internal controls over those information systems to the users of those services

Audit & Compliance

SOC 2 = Trusted Services Criteria
Tells you what requirements are part of an audit

Type I audit:
Tests controls in place at a particular point in time

Type II audit:
Addresses the operational effectiveness of the specified controls over a period of time (usually 9-12 months)

Question 25

Cloud Security Alliance’s Cloud Control Matrix

Answer 25

Designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider

Cloud-specific security controls
Controls are mapped to standards/best practices/regulations

Question 26

Cloud Security Alliance’s Reference Architecture

Answer 26

Methodology & tools
Assess internal IT groups & cloud providers
Determine security capabilities
Build a roadmap

Question 27

User Training: Gamification & Capture the Flag

Answer 27

Gamification
Score points, compete with others, collect badges

Capture the flag
Security competition
Hack into a server to steal data (the flag)
Can involve highly technical simulations
Practical learning environment

Question 28

MSA

Answer 28

Measured Systems Analysis:
Used with quality management systems
Assess the measurement process
Don’t make decisions based on incorrect data

Question 29

EOL vs. EOSL

Answer 29

EOL (End of Life)
Manufacturer stops selling product
May continue supporting it
Important for security patches/updates

EOSL (End of Service Life)
Manufacturer stops selling & supporting a product
No ongoing security patches/updates

Question 30

Data Retention

Answer 30

Keep files that change frequently for version control

Recover from virus infection

Question 31

Data Controller

Answer 31

Manages the purposes & means by which personal data is processed

Question 32

Data Processor

Answer 32

Work on behalf of the data controller
Often a third-party or different group

Examples:
Payroll department = data controller
Defines payroll amounts & timeframes

Payroll company = data processor
Processes payroll & stores employee info

Question 33

Data Protection Officer

Answer 33

Responsible for the organization’s data privacy policies

Sets policies, implements processes & procedures