3.3.1 Laws and Regulations Flashcards

1
Q

What provides a framework for ensuring the effectiveness of information security controls in government? This legislation is intended to protect government information, operations, and assets from any natural or man-made threat.

A

The Federal Information Security Modernization Act (FISMA)

2
Q

What does HIPAA provide?

A

Sets limits on the use and disclosure of patient information without authorization and grants individuals rights over their own health records.

2
Q

What does FERPA stand for, and what does it do?

A

Family Educational Rights and Privacy Act - Requires all schools that receive funds from programs administered by the U.S. Department of Education to comply with standards regarding the disclosure and maintenance of educational records, including educational information, personally identifiable information, and directory information.

3
Q

What regulates the financial practice and governance of corporations? ________ is designed to protect investors and the general public by establishing requirements regarding reporting and disclosure practices.

A

Sarbanes-Oxley Act (SOX)

3
Q

The Gramm-Leach-Bliley Act (GLBA) does what?

A

Protects the customers of financial institutions, essentially any company offering financial products or services, financial or investment advice, or insurance. The GLBA Privacy Rule requires financial institutions to safeguard a consumer’s “nonpublic personal information,” or NPI.

4
Q

Why might a compliance audit be a positive occurrence?

A

Preparing for the audits can help educate participants and provide opportunities to find and fix problems.

5
Q

What type of data is COPPA concerned with?

A

Children’s Online Privacy Protection Act. Protects the privacy and PII of children under 13 years old; operators must make a reasonable attempt to obtain parental consent and must post a privacy policy online.

6
Q

How do compliance and security relate to each other?

A

Compliance fills a business need rather than a technical security need.

7
Q

What issues might make conducting an international information security program difficult?

A

Laws are

8
Q

Which NIST Special Publication forms the basis for FISMA and FedRAMP?

A

NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations

9
Q

Why are industry regulations, such as PCI DSS, important?

A

Protects data and provides security for transactions and the necessary security controls. A vendor could lose its ability to process credit card payments.

10
Q

What are the potential impacts of being out of compliance?

A

Industry - could lose support of that company, hefty fines.
Regulatory - jail time.

11
Q

What set of ISO standards might be useful for an information security program?

A

ISO 27000 - information security standards

12
Q

What two items indicate which sets of compliance standards your company might fall under?

A

Industry and location

13
Q

What’s the difference between regulatory compliance and industry compliance? And what is compliance?

A

Compliance refers to adhering to established guidelines, standards, or laws set by regulatory bodies or industries.
Regulatory compliance is mandated by government legislation, whereas industry compliance is often set by industry organizations.

14
Q

Organizations implement _________, _______ , __________ controls to comply with standards and regulations. Each type of control addresses different aspects of security.

A

Organizations implement administrative, technical, and physical controls to comply with standards and regulations. Each type of control addresses different aspects of security:

  1. Administrative Controls: These are policies, procedures, and guidelines that govern the organization’s security practices. They include risk management policies, security awareness training, incident response plans, and access control policies. Administrative controls help ensure that employees understand their roles and responsibilities regarding security.
  2. Technical Controls: These involve the use of technology to protect information and systems. Examples include firewalls, intrusion detection systems, encryption, antivirus software, and access control mechanisms. Technical controls are critical for protecting data from unauthorized access and ensuring the integrity and confidentiality of information.
  3. Physical Controls: These are measures taken to protect physical assets and facilities from unauthorized access or damage. Examples include security guards, surveillance cameras, access control systems (like key cards), and secure areas for sensitive equipment. Physical controls help safeguard the organization’s infrastructure and prevent physical threats.

Together, these controls create a comprehensive security framework that addresses various vulnerabilities and helps organizations comply with relevant standards and regulations.

15
Q

What four activities are involved in maintaining compliance?

A

Monitoring
Review
Document
Report

16
Q

What Act protects children from accessing obscene materials at schools and libraries?

A

The Act that protects children from accessing obscene materials at schools and libraries is the Children’s Internet Protection Act (CIPA). Enacted in 2000, CIPA aims to ensure that schools and libraries take appropriate measures to protect minors from exposure to harmful content on the internet.

Key provisions of CIPA include:

  1. Internet Safety Policies: Schools and libraries that receive federal funding for internet access must develop and implement internet safety policies that include measures to block or filter access to visual depictions that are obscene, child pornography, or harmful to minors.
  2. Filtering Requirements: CIPA requires that schools and libraries use technology protection measures (filters) to prevent minors from accessing inappropriate content online. This includes blocking access to websites that contain obscene materials or that are otherwise harmful to minors.
  3. Parental Involvement: CIPA encourages schools and libraries to involve parents in discussions about internet safety and to provide parents with the option to request that their children be allowed access to specific sites that may be blocked by the filtering measures.
  4. Compliance Monitoring: Schools and libraries must monitor the effectiveness of their internet safety policies and filtering measures to ensure they are adequately protecting minors from harmful content.

CIPA is part of a broader effort to create a safe online environment for children and to address concerns about the potential dangers of the internet in educational and public settings.

17
Q

An Authority to Operate (ATO) is granted under which government compliance standard?

A

FISMA

18
Q

What does FedRAMP stand for, and what does it govern?

A

Federal Risk and Authorization Management Program. It covers cloud-based technologies.

19
Q

What data collection regulation protects European Union residents from collection of their data without their consent?

A

GDPR - General Data Protection Regulation

20
Q

What is the name of the body that created a standard across nations?

A

ISO - International Standard Organization

21
Q

What part of the CIA triad does blockchain provide?

A

Integrity; you can say this wasn’t altered, with a high degree of certainty.

22
Q

What are the 6 risk management framework steps forming the basis of many security programs?

A

The six risk management framework steps that form the basis of many security programs are:

  1. Categorize: Identify and categorize information systems and the data they process based on the impact that a security breach could have on the organization. This step involves assessing the types of information processed and determining the appropriate security controls needed based on the categorization (low, moderate, or high impact).
  2. Select: After categorization, the next step is to select the appropriate security controls to protect the information systems. This involves referencing frameworks and guidelines (such as NIST SP 800-53) to choose controls that align with the identified risks and organizational requirements.
  3. Implement: This step involves the actual implementation of the selected security controls. Organizations deploy technical, administrative, and physical controls as outlined in their security plans to mitigate identified risks and protect their information systems.
  4. Assess: Once controls are implemented, organizations must assess their effectiveness. This assessment includes evaluating how well the controls are functioning and determining whether they are adequately mitigating the identified risks. This may involve testing, evaluating, and reviewing the controls.
  5. Authorize: After assessing the controls, the next step is to authorize the system for operation. This involves a formal decision by management to accept the risk associated with the information system, based on the assessment results. This step often includes the approval of a security authorization package.
  6. Monitor: The final step involves continuous monitoring of the information systems and their security controls. Organizations must regularly review and update their risk management practices, assess changes in the risk environment, and ensure that controls remain effective over time.

These steps provide a structured approach to managing risks within an organization and are essential for developing and maintaining effective security programs.

23
Q

What are the three cloud offerings?

A

Infrastructure as a Service (IaaS)
Platform as a Service (PaaS)
Software as a Service (SaaS)

24
Q

To send an email, which cloud model would you use?

A

SaaS - need to keep things simplified. Why build a server and configure mail software yourself (IaaS)?

25
Q

In a cloud model, who takes responsibility for the portions of the environment the user can’t control?

A

The cloud provider.

26
Q

Why do cloud services pose technological challenges related to compliance?

A

Because they are shared resources. If you are using cloud resources on the same host server as another company, that company’s lack of security could impact your system as well.

27
Q

Privacy issues can also be referred to as?

A

PII

27
Q

The dictionary definition of ____________ is “the state or condition of being free from being observed or disturbed by other people”.

A

privacy

27
Q

What four procedural rights does the Federal Privacy Act of 1974 provide to Americans?

A

“First, it requires government agencies to show an individual any records kept on him or her. Second, it requires agencies to follow certain principles, called ‘fair information practices,’ when gathering and handling personal data. Third, it places restrictions on how agencies can share an individual’s data with other people and agencies. Fourth and finally, it lets individuals sue the government for violating its provisions” [6].

28
Q

SOX regulates the ____________ _________ and _____________ of publicly traded companies.

A

records retention; accuracy

29
Q

Which type of algorithm is an asymmetric key?

ECC

MD5

SHA

DES

A

ECC; it’s an example of public key cryptography based on elliptic curves over finite fields.
