Sec+ Chapter 16: Security Policies, Standards, and Compliance Flashcards
(35 cards)
NIST
National Institute of Standards and Technology
ISO
International Organization for Standardization
Information security policy framework
Series of documents that describe an org's cybersecurity program and contain:
1) Policies
2) Standards
3) Procedures
4) Guidelines
Policies
High-level statements of management intent
EX: InfoSec policy, AUP, Data governance policy, Data classification policy, Data retention policy, Credential management policy, Password policy, Continuous monitoring policy, Code of conduct, Asset management
Standards
Requirements that describe how an org will carry out its InfoSec policies
EX: Configuration settings for common OS, controls for highly sensitive info, etc
Procedures
Detailed step-by-step processes that individuals or orgs must follow in specific circumstances
A consistent process for achieving a security objective
EX: Monitoring procedures, Evidence production procedures, Patching procedures
Guidelines
Best practices and recommendations related to a given concept, tech, or task
Least privilege
People should only get the minimum set of permissions they need to carry out their job
Separation of duties
Takes two sensitive tasks and creates a rule that no single person may hold the privileges required to perform both
EX: The person who can add a vendor to the payment system may not also approve payments to that vendor
Two person control
Requires the participation of two people to perform a single action; neither can complete it alone
EX: One person has half the safe combination, another person has the other half
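One way to turn separation of duties and two-person control into a check a practitioner can actually run against an access export, as an added example that is not part of the flashcards: the role names, conflict pairs, user assignments and approval lists below are all constructed sample data standing in for an IAM export and an approval log.

```python
"""Separation-of-duties audit and two-person control check.

Added example, not code from the flashcards or from any vendor product.
Role names, conflict pairs, users and approvals are constructed sample data."""

# Toxic-combination matrix (constructed): no single person may hold both roles of a pair.
SOD_CONFLICTS = {
    frozenset({"vendor_create", "payment_approve"}),  # create a payee and pay it
    frozenset({"code_commit", "prod_deploy"}),        # write code and ship it unreviewed
    frozenset({"user_create", "user_approve"}),       # request and approve an account
}

# Current user -> roles assignments (constructed, as an IAM export might look).
ASSIGNMENTS = {
    "alice": {"vendor_create", "reporting"},
    "bob":   {"payment_approve", "reporting"},
    "carol": {"code_commit", "prod_deploy"},                # SoD violation
    "dave":  {"user_create", "user_approve", "reporting"},  # SoD violation
}


def sod_violations(assignments, conflicts):
    """Detective control: map each user to the sorted conflicting role pairs they hold."""
    found = {}
    for user, roles in assignments.items():
        hits = sorted(tuple(sorted(pair)) for pair in conflicts if pair <= roles)
        if hits:
            found[user] = hits
    return found


def would_violate(assignments, conflicts, user, new_role):
    """Preventive control: True if granting new_role to user would complete a conflict pair."""
    roles = set(assignments.get(user, ())) | {new_role}
    return any(pair <= roles for pair in conflicts)


def two_person_approved(requester, approvals, required=2):
    """Two-person control: the action may proceed only once `required` distinct
    people have taken part. The requester counts as one participant, so a
    self-approval adds nothing, and repeated approvals by one person count once."""
    participants = {requester} | set(approvals)
    return len(participants) >= required


if __name__ == "__main__":
    for user, pairs in sod_violations(ASSIGNMENTS, SOD_CONFLICTS).items():
        print(f"SoD violation: {user} holds {pairs}")
    grant = would_violate(ASSIGNMENTS, SOD_CONFLICTS, "alice", "payment_approve")
    print("grant payment_approve to alice?", "denied" if grant else "ok")
    print("release approved by [alice]:", two_person_approved("alice", ["alice"]))
    print("release approved by [alice, bob]:", two_person_approved("alice", ["alice", "bob"]))
```

The detective check is what an access review runs over a full export; the preventive check is what a provisioning workflow should call before a grant is made, so a conflict is refused rather than found months later.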
Job rotation
Takes employees with sensitive roles and periodically moves them to other positions in the organization
Mandatory vacations
Forces employees to take an annual vacation of a week or more of consecutive time off, with their access privileges revoked during that time
A way to detect fraud, since someone else must cover the role and any scheme that depends on the employee's daily involvement surfaces; used especially in high-security environments
Clean desk policy
Limits the amount of paper left exposed on unattended desks
Any time you get up from your desk, you have to clean your desk and lock everything away
MSA
Master service agreement
Umbrella contract for the work a vendor does with an org over extended period of time
SLA
Service level agreement
Specifies the conditions of service the vendor will provide and the remedies available to the customer if the vendor fails to meet them
EX: Uptime or response time agreements
MOU
Memorandum of understanding
An informal letter between two parties documenting their shared understanding of the requirements for a business process
Doesn’t have the binding qualities of a contract, but informs both sides of expectations
BPA
Business partnership agreement
When two orgs agree to do business with each other in a partnership
Details ownership stake, financial contributions, decision-making arrangements, contingencies, etc.
EOL /EOSL
End of life
Manufacturer stops selling a product, but may continue supporting the product
End of service life
When a manufacturer stops selling and stops supporting a product
Both dates should be addressed in vendor agreements so there is an orderly transition when a product or vendor relationship ends
HIPAA
Health insurance portability and accountability act
Security and privacy rules affecting healthcare providers, insurers, and clearinghouses
PCI DSS
Payment card industry data security standard
Rules about the storage, processing, and transmission of credit and debit card info
GLBA
Gramm-Leach-Bliley Act
Requires US financial institutions to have a formal security program and to designate an individual with overall responsibility for that program
SOX
Sarbanes Oxley Act
Requires publicly traded US companies to have a strong degree of assurance for the IT systems that store and process financial records
GDPR
General data protection regulation
Security and privacy requirements protecting the personal information of EU residents; applies to organizations worldwide that process that information
FERPA
Family educational rights and privacy act
Requires US educational institutions to implement security and privacy controls for student educational records