CompTIA Security+ (SY0-601): Policies & Procedures

Created as reference points which are documented for use as a method of comparison during an analysis conducted in the future

Unclassified Data
Can be released to the public

Sensitive but Unclassified
Items that wouldn’t hurt national security if released but could impact those whose data is contained in it

Confidential Data
Data that could seriously affect the government if unauthorized disclosure were to happen

Secret Data
Data that could seriously damage national security if disclosed

Top Secret Data
Data that could gravely damage national security if it were known to those who are not authorized for this level of information

A senior (executive) role with ultimate responsibility for maintaining the confidentiality, integrity and availability of the information asset

The data owner is responsible for labeling the asset and ensuring that it is protected with appropriate controls

Responsible for maintaining quality of data

Responsible for data accuracy, privacy, & security

A role responsible for handling the management of the system on which the data assets are stored

Payment Card Industry Data Security Standard:

Contractual obligation to protect card information

General Data Protection Regulation:
Personal data cannot be collected processed or retained without the individual’s informed consent

GDPR also provides the right for a user to withdraw consent, to inspect, amend, or erase data held about them
GDPR requires data breach notification within 72 hours

Methods and technologies that remove identifying information from data before it is distributed

Deidentification is often implemented as part of database design

Deidentification Method where generic or placeholder labels are substituted for real data while preserving the structure or format of the original data

A deidentification method where a unique token is substituted for real data

A deidentification technique where data is generalized to protect the individuals involved

An attack that combines a deidentification dataset with other data source to discover how secure the deidentification method used is

Ensuring that IT infrastructure risks are known and managed properly

Mitigation actions that an organization takes to defend against the risks that have been uncovered during due diligence

Interconnection Security Agreement:
An agreement for the owners and operators of the IT systems to document what technical requirements each organization must meet

Business Partnership Agreement:
Conducted between two business partners that establishes the conditions of their relationship

A BPA can also include security requirements

Exposes the hard drive to a powerful magnetic field which in turn causes previously-written data to be wiped from the drive

Act of removing data in such a way that it cannot be reconstructed using any known forensic techniques

Removal of data with a certain amount of assurance that it cannot be reconstructed

Center for Internet Security: Created by NIST

Consensus-developed secure configuration guidelines for hardening (benchmarks) and prescriptive, prioritized, and simplified sets of cybersecurity best practices (configuration guides)

Improve cyber defenses (20 key actions)
Categorized for different organization sizes
Designed for implementation (written for IT pros)

Risk Management Framework: Developed by NIST for the Federal Government
A process that integrates security and risk management activities into the system development life cycle through an approach to security control selection and specification

6 Steps
Categorize - define environment
Select - pick controls
Implement - define proper implementation
Asses - determine if controls are working
Authorize - Make a decision to authorize a system
Monitor - check for ongoing compliance

Cybersecurity Framework: Developed by NIST
A set of industry standards and best practices created by NIST to help organizations manage cybersecurity risks

5 Category Functions: Identify, Protect, Detect, Respond, Recover

International standard

27001: Basic procedure for cybersecurity (international standard) - focused on establishing/maintaining info systems
27002: International standard focused on information security controls (to protect those systems)
27701: Adding privacy to ISMS (privacy extension for ISO 27001)
31000: Attempt to create global risk management framework

System & Organization Controls:
A suite of reports produced during an audit which is used by service organizations to issue validated reports of internal controls over those information systems to the users of those services

Audit & Compliance

SOC 2 = Trusted Services Criteria
Tells you what requirements are part of an audit

Type I audit:
Tests controls in place at a particular point in time

Type II audit:
Addresses the operational effectiveness of the specified controls over a period of time (usually 9-12 months)

Designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider

Cloud-specific security controls
Controls are mapped to standards/best practices/regulations

Methodology & tools
Assess internal IT groups & cloud providers
Determine security capabilities
Build a roadmap

Gamification

Score points, compete with others, collect badges

Capture the flag

Security competition

Hack into a server to steal data (the flag)

Can involve highly technical simulations

Practical learning environment

Measured Systems Analysis:
Used with quality management systems
Assess the measurement process
Don’t make decisions based on incorrect data

EOL (End of Life)
Manufacturer stops selling product
May continue supporting it
Important for security patches/updates

EOSL (End of Service Life)
Manufacturer stops selling & supporting a product
No ongoing security patches/updates

Keep files that change frequently for version control

| Recover from virus infection

Manages the purposes & means by which personal data is processed

Work on behalf of the data controller
Often a third-party or different group

Examples:
Payroll department = data controller
Defines payroll amounts & timeframes

Payroll company = data processor
Processes payroll & stores employee info

Responsible for the organization’s data privacy policies

| Sets policies, implements processes & procedures