SECTION 5: SECURITY POLICIES, AWARENESS & GOVERNANCE (Chapters 13 & 14)

Last updated 3:48 PM on 4/22/26
25 Terms

1. WHEN TO IMPLEMENT SECURITY POLICIES

Time your rollout so it doesn't clash with other big organizational events (e.g., don't roll out a major policy during a product launch). When you have flexibility, use it. When regulations require specific timelines, you don't have that flexibility.

2. Best practice

Use an "early adopter" — a pilot team that implements the policy first, proving its value before it rolls out to everyone.

3. SECURITY AWARENESS PROGRAM

An ongoing campaign (not a one-time event) to educate employees about security and change their behavior. It is often the first impression users have of the security program. Success is measured by whether employees actually apply what they've learned on the job.

4. TOOLS TO GET LEADERSHIP BUY-IN

Town hall meetings, online training tools, CBT (Computer-Based Training) / classroom training, early adopter strategy, front-line managers, executive visibility.

5. Town hall meetings

Announce and discuss new policies with large groups.

6. Online training tools

Assign, track, and prove completion of awareness training.

7. CBT (Computer-Based Training) / Classroom training

Deliver formal security education.

8. Early adopter strategy

Pilot the policy with one team; use their success story to win over others.

9. Front-line managers

They know their teams and can translate the security message in a way that resonates.

10. Executive visibility

Leaders who visibly follow and enforce policies send a powerful message to the whole organization.

11. FEEDBACK IN CYBERSECURITY POLICIES

Policies must have a feedback loop from employees back to the security team. Policies can have unintended consequences. Front-line managers surface those problems so the security team can fix them. Without feedback, policies become outdated and disconnected from real operations — leading to non-compliance.

12. CONTROLS — FOUR OR FIVE TYPES

GOVERNANCE, CONTROLS (general), AUTOMATED CONTROLS, MANUAL CONTROLS, PERVASIVE CONTROLS.

13. GOVERNANCE

Sets strategic direction; monitors results after the fact.

14. CONTROLS (general)

Any mechanism that reduces risk or enforces policy. Can be manual or automated.

15. AUTOMATED CONTROLS

Technology does the work — never sleeps, always consistent. Limitation: Can only handle what it was programmed for; can't deal with the unexpected.

16. MANUAL CONTROLS

A human does the work. Best for low-volume tasks that require judgment (e.g., background checks, log reviews, access reviews, attestations). Steps and judgment criteria must be clearly defined.

17. PERVASIVE CONTROLS

A control used across a large number of systems or applications (e.g., a single password system used everywhere). A weakness in a pervasive control is a weakness everywhere. Regulators pay close attention to these.

18. FRONT-LINE MANAGEMENT

The managers and supervisors directly responsible for making sure their teams follow security policies. They train their staff, answer questions, apply policies consistently, catch problems, and report issues back up the chain. They are directly accountable for how well policies are implemented on the ground.

19. GLBA

Gramm-Leach-Bliley Act: a U.S. law requiring financial institutions to protect customers' personal financial information. Key points:

1. The board (or its committee) must oversee the security program.

2. Organizations must promptly notify regulators of any unauthorized access to customer financial records.

3. The bank remains accountable even if a vendor is handling the data.

20. SECURITY THRESHOLD

A minimum cutoff used to decide when a breach is big enough to require regulatory reporting. For example, regulators may set a threshold at 1,000 records before notification is required. Even a small breach can still matter, though — especially if it reveals a weakness in a pervasive control.

21. Also used in IDS/anomaly detection

A threshold defines how far network activity can deviate from normal before an alert is triggered.

22. LAW

Set by government. Establishes the legal threshold.

23. REGULATION

Issued by a regulatory agency under the authority of a law. Defines what an organization must DO to meet that law.

24. SECURITY POLICY

Written by the organization. Defines HOW it will meet the regulatory requirements.

25. Key point

Law always beats policy in court. A policy violation isn't automatically a law violation. Laws and regulations don't cover every risk.