A formal definition for using security technologies and processes –Complete documentation reduces security risk –Everyone understands the expectations These may be written in-house –Your requirements may be unique Many standards are already available –ISO (International Organization for Standardization) –NIST (National Institute of Standards and Technology)

What makes a good password? –Every organization has their own requirements –Create a formal password complexity policy Define acceptable authentication methods –No local accounts, only LDAP to the AD database, etc. Create policies for secure password resets –Avoid unauthorized resets and access Other password policies –Password change frequency, secure password storage requirements, password manager options, etc.

How does an organization control access to data? –Determine which information, at what time –And under which circumstances Define which access control types can be used –No discretionary, mandatory only, etc. Determine how a user gets access –Require privilege documentation Document how access may be removed –Security issue, expiration, contract renewals, etc.

Rules and policies regarding physical security controls –Doors, building access, property security Granting physical access –Different for employees vs. visitors Define specific physical security systems –Electronic door locks, ongoing monitoring, motion detection, etc. Additional security concerns –Mandatory escorts, off-boarding, etc

Define specific standards for encrypting and securing data –All things cryptographic –Can include implementation standards Password storage –Methods and techniques Data encryption minimums –Algorithms for data in use, data in transit, data at rest –Will probably be different for each state

5.1 Security Standards Flashcards by Dylan Myers

Security standards

A formal definition for using security technologies
and processes
–Complete documentation reduces security risk
–Everyone understands the expectations
These may be written in-house
–Your requirements may be unique
Many standards are already available
–ISO (International Organization for Standardization)
–NIST (National Institute of Standards and Technology)

How well did you know this?

Not at all

Perfectly

Password

What makes a good password?
–Every organization has their own requirements
–Create a formal password complexity policy
Define acceptable authentication methods
–No local accounts, only LDAP to the AD database, etc.
Create policies for secure password resets
–Avoid unauthorized resets and access
Other password policies
–Password change frequency, secure password storage
requirements, password manager options, etc.

How well did you know this?

Not at all

Perfectly

Access control

How does an organization control access to data?
–Determine which information, at what time
–And under which circumstances
Define which access control types can be used
–No discretionary, mandatory only, etc.
Determine how a user gets access
–Require privilege documentation
Document how access may be removed
–Security issue, expiration, contract renewals, etc.

How well did you know this?

Not at all

Perfectly

Physical security

Rules and policies regarding physical security controls
–Doors, building access, property security
Granting physical access
–Different for employees vs. visitors
Define specific physical security systems
–Electronic door locks, ongoing monitoring,
motion detection, etc.
Additional security concerns
–Mandatory escorts, off-boarding, etc

How well did you know this?

Not at all

Perfectly

Encryption

Define specific standards for encrypting and
securing data
–All things cryptographic
–Can include implementation standards
Password storage
–Methods and techniques
Data encryption minimums
–Algorithms for data in use, data in transit,
data at rest
–Will probably be different for each state

How well did you know this?

Not at all

Perfectly

5.1 Security Standards Flashcards

(5 cards)