SSCP Domain 1

The purpose of security policies in an organization is to define expectations, rules, and responsibilities for securing assets and data.
There are 3 main types of security controls: administrative, technical (logical), and physical controls.
"Least privilege" in security operations means giving users only the access needed to perform their job duties — no more, no less.
Separation of Duties (SoD) means no one person should control all critical aspects of a function to reduce fraud and error risk.
The principle of Need to Know means access should be granted only if information is required to perform a specific task.
Mandatory vacation in security controls involves forcing employees to take time off so that fraudulent activity which depends on their continued presence can be detected.
Policy: High-level direction.
Standard: Mandatory rules.
Guideline: Optional recommendations.
Procedure: Step-by-step instructions.
Configuration management is a structured approach to controlling changes to IT systems to maintain integrity and security.
Patch management is the process of identifying, acquiring, installing, and verifying software updates to address vulnerabilities.
Security awareness programs are important because they educate users about security risks and their role in preventing breaches.
Personnel security involves hiring practices, background checks, onboarding/offboarding, and role-based training.
Administrative controls are policies, procedures, and guidelines put in place by management to manage personnel and data.
Auditing and accountability in operations involves tracking user activity and ensuring actions can be linked to individuals.
Due Care: Acting responsibly to protect assets. Due Diligence: Ongoing activities to assess and mitigate risks.
Job rotation is regularly changing job roles to prevent collusion and identify suspicious activity.
Clean desk: No sensitive papers visible when unattended. Clear screen: Lock or log off when leaving the computer.
Privilege creep is the accumulation of unnecessary access rights over time.
Change management is a formal process to request, review, approve, and implement system modifications.
Onboarding: granting access when someone joins. Offboarding: revoking access when someone leaves.
Background screening is verifying a person's history and suitability for a position of trust.