Information Technology /Security+ (SY0-701): Lesson 14: Summarize Security Governance Part 2
Security+ (SY0-701): Lesson 14: Summarize Security Governance Part 2
This deck covers key concepts and standards related to security governance, including regulatory standards, internal policies, and roles in data governance.
Define the 'ISO/IEC 27017' standard
Extension to ISO 27001 and specific to cloud services.
Tap or swipe ↕ to flip
Swipe ←→Navigate
SSpeak
FFocus
1/30
Key Terms
Term
Definition
Define the 'ISO/IEC 27017' standard
Extension to ISO 27001 and specific to cloud services.
Define the 'NIST (National Institute of Standards and Technology) Special Publication 800-63' standard
A US government standard for digital identity guidelines, including password and access control requirements.
Define the 'PCI DSS (Payment Card Industry Data Security Standard)' standard
For organizations that handle credit cards from major card providers, including requirements for protecting cardholder data.
Define the 'FIPS (Federal Information Processing Standards)' standard
Developed by NIST for federal computer systems in the United States that specify requirements for cryptography.
How do regulatory standards facilitate auditing?
By providing a benchmark for evaluating organizational compliance and security practices.
What is the difference between standards and policies?
Standards focus on implementation, whereas policies focus on business practices.
Related Flashcard Decks
Study Tips
- Press F to enter focus mode for distraction-free studying
- Review cards regularly to improve retention
- Try to recall the answer before flipping the card
- Share this deck with friends to study together
| Term | Definition |
|---|---|
Define the 'ISO/IEC 27017' standard | Extension to ISO 27001 and specific to cloud services. |
Define the 'NIST (National Institute of Standards and Technology) Special Publication 800-63' standard | A US government standard for digital identity guidelines, including password and access control requirements. |
Define the 'PCI DSS (Payment Card Industry Data Security Standard)' standard | For organizations that handle credit cards from major card providers, including requirements for protecting cardholder data. |
Define the 'FIPS (Federal Information Processing Standards)' standard | Developed by NIST for federal computer systems in the United States that specify requirements for cryptography. |
How do regulatory standards facilitate auditing? | By providing a benchmark for evaluating organizational compliance and security practices. |
What is the difference between standards and policies? | Standards focus on implementation, whereas policies focus on business practices. |
What is the purpose of an internal password standard set by an organization? | Describes the specific technical requirements required to design and implement authentication systems as well as how passwords are managed within those systems. |
What should be outlined in a password standard? | Hashing algorithms; Salting mechanisms; Secure password transmission; Password resets; Use of Password managers. |
What is the purpose of an internal access control standard set by an organization? | To ensure that only authorized individuals can access the systems and data they need to do their jobs; Protects sensitive data and prevents accidental change/damage. |
What should be outlined in an access control standard? | Access control models; Acceptable methods to verify identities; Privilege Management; Authentication Protocols; Session management; Auditing of access. |
What is the purpose of internal physical security standards? | To define the protection of the infrastructure comprising the IT environment. |
What should be outlined in a physical security standard? | Building security/physical access controls; Workstation security; Datacenter/server room security; Equipment disposal; Visitor management. |
What is the purpose of internal encryption standards? | To identify the acceptable cipher suites and expected procedures needed to provide assurance that data remains protected. |
What should be outlined in an encryption standard? | Encryption Algorithms; Key Length; Key Management. |
Define 'Due diligence' | A legal term meaning that responsible persons have not been negligent in discharging their duties. |
Define the 'Sarbanes-Oxley Act (SOX)' law | Dictates requirements for the storage and retention of documents relating to an organization's financial and business operations. |
Define 'Federal Information Security Management Act (FISMA)' | Governs the security of data processed by federal government agencies. |
Define 'General Data Protection Regulation (GDPR)' | Provisions and requirements protecting the personal data of European Union (EU) citizens. |
What is the purpose of General Data Protection Regulation (GDPR)? | EU citizens personal data cannot be collected, processed, or retained without the individual's informed consent, unless there are other overriding considerations. |
Define 'informed consent' in regards to General Data Protection Regulation (GDPR) | Data must be collected and processed only for the stated purpose, and that purpose must be clearly described to the user in plain language, not legal jargon. |
How does General Data Protection Regulation (GDPR) protect subjects? | By giving data subjects (users) rights to withdraw consent, and to inspect, amend, or erase data held about them. |
Define the 'California Consumer Privacy Act (CCPA)' and its purpose | Provides California residents the right to know what personal information businesses collect about them, the purpose of collecting this data, and with whom they share it. |
Define 'centralized security governance' | Decision-making authority primarily rests with a single core group or department that establishes policies, procedures, and guidelines. |
Define 'decentralized security governance' | Distributes decision-making authority to different groups or departments to facilitate security-focused decisions based on localized needs and priorities. |
Define a 'hybrid security governance' | Specific security processes and decisions are centralized, while others are delegated to business units or departments. |
What is the role of a governance committee? | SMEs and operational leaders that focus on specific issues, such as security, risk management, audit, or compliance providing in-depth analysis, recommendations, and operational support to the governance board to help drive decisions. |
What is the role of a governance board? | Executives with the ultimate decision-making authority and is responsible for setting the strategic direction and policies of the organization. |
What are the 4 roles of security/data governance? |
|
Define the role of an 'owner' in security/data governance | An executive role that identifies what level of classification and sensitivity the data has, decides who should have access to it, and what level of security should be applied. |
Define the role of a 'controller' in security/data governance | The entity ensures data processing activities adhere to all legal requirements; Helps maintain legal and regulatory compliance. |