Chapter 1: The Information Security Environment Flashcards

1
Q

Code of ethics?

A

A code of ethics provides guidance to staff on ethical standards and how to achieve them, as well as details on the organization’s values and vision and how it plans to implement them.

2
Q

Code of ethics - examples?

A

The Ten Commandments, the Declaration of Geneva, the Hippocratic Oath, …

3
Q

Professional Ethics.

A

A code of ethics serves as a guide to the principles that are designed to help professionals conduct business with honesty and integrity.

In many cases, professional ethics will be based on local and international legislation, standards, religious code, and heritage.

4
Q

Enron & SOX

A

Arthur Andersen was providing Enron with both business consulting and audit services. This is usually perceived as an inherent conflict of interest.

In the middle of an investigation by regulators, Arthur Andersen executives ordered Arthur Andersen employees to shred thousands of pages of documents and delete volumes of electronic data detailing its audit services to Enron.

Arthur Andersen’s viability as a business was lost, and it ceased auditing operations.

SOX was created in response to this affair.

5
Q

Sarbanes–Oxley Act (SOX)

A

Congress created the Sarbanes–Oxley Act (SOX) and amended the Federal Rules of Evidence.

SOX requires a greater level of transparency in financial reporting by publicly traded corporations.

A data owner cannot delete or destroy any information (physical or electronic) once the data owner receives notice of a pending legal action or investigation.

6
Q

CIA Triad

A

Maintaining the confidentiality, integrity, and availability of assets is the basic goal of information security.

7
Q

Confidentiality

A

Confidentiality is generally interpreted to mean that unauthorized disclosure of information (to someone who does not have a valid need to know) can potentially cause harm to the owner and holder of the information.

8
Q

Integrity

A

Data is kept free from unauthorized modifications throughout the life of that data.

9
Q

Availability

A

Data is available when it is needed, where it is needed, and in the form that is needed.

10
Q

Authenticity

A

Authentic information is genuine: it comes from a trusted authority, in a trustworthy, reliable, and verifiable fashion.

11
Q

Non-repudiation

A

Non-repudiation is the ability of a system to prevent, deny, and detect attempts to deny the authorship, integrity, transmission, or modification of information within or leaving that system.

12
Q

Privacy

A

An individual’s right to privacy means that what they do in a private place, what they say to someone else, or what they write down and keep from public view cannot be forcibly taken from them by others without the due process of law.

The right to privacy is a basic human right; it is mentioned in over 150 national constitutions.

In 1948, the United Nations adopted the Universal Declaration of Human Rights.

In 1980, the OECD published its Privacy Guidelines. Protecting the data that could be used to identify that person, their personally identifiable information (PII), is the basis of maintaining the individual’s right to privacy.

The 2018 EU General Data Protection Regulation (GDPR) is considered by many to be a turning point in the approach to privacy on both a legislative and an organizational level.

13
Q

Due care

A

Due care requires a person to take all reasonable and prudent actions to plan and carry out any task or responsibility assigned to them.

14
Q

Due diligence

A

Due diligence requires a person to take all reasonable and prudent actions to monitor, control, manage, and, as necessary, redirect or alter the plans and actions they are responsible for.

15
Q

Prudent actions

A

Prudent actions are generally considered as those that other people with similar backgrounds of experience, education, and authority would take in the same circumstances.

16
Q

Reasonable actions

A

Reasonable actions are those where the decision to take that action, and the use of available information in making that decision, have a clear, logical, and thoughtful justification.

17
Q

System Organizational Controls (SOC) reports

A

In response to SOX compliance requirements, the AICPA developed its series of attestation reporting requirements.

They focus on internal control over financial reporting, as well as on audits.

18
Q

Governance

A

Governance is the process of running an organization. It defines how decisions are made, by whom, and how they are implemented throughout the organization.

19
Q

Alignment

A

Alignment is the process of fitting plans and resources together to achieve goals and objectives.

20
Q

Security governance - Alignment

A

The security practitioner must first understand how the organization functions and what its goals are, and only then determine how security is incorporated to best enhance those functions and goals.

21
Q

Governance committee

A

Some companies make use of a governance committee to determine how decisions are made within the organization. Governance committees are required for most nonprofit organizations; the governance committee recruits and selects board members and determines whether the board as a whole (and its individual members) is performing optimally.

22
Q

Acquisition, Merger, Divestiture

A

Organizational decisions can affect security.

Example: Marriott, 2018.

23
Q

Organizational Roles and Responsibilities

A

Senior management
Security manager/security officer/security director
Security personnel
Administrators/technicians
Users

24
Q

Legal Environment

A

An organization’s legal environment is influenced by local legislation and regulation in every location the organization operates in, as well as local standards and contractual requirements.

25
Q

Compliance

A

Compliance is adherence to a mandate, regardless of its source.

Organizations are often reviewed to determine compliance with applicable mandates. Often, the tools, processes, and activities used to perform compliance reviews are referred to as audits (or auditing).

26
Q

Privacy Protection

A

Privacy is the basic human right of a person to control the manner and extent to which information about him or her is distributed.

27
Q

Is Privacy Shield Dead?

A

As the GDPR was being published, the U.S. developed concepts known as Safe Harbor and the Privacy Shield, which were voluntary for U.S. organizations wishing to do business with EU persons or organizations.

The Privacy Shield was struck down by the CJEU in 2020.

28
Q

The Right to Be Forgotten

A

EU citizens have the right to request that information that pertains to them is deleted when it no longer serves its intended purpose or has become obsolete or inaccurate.

29
Q

Data Portability

A

The 1996 HIPAA, the 2018 GDPR, and other comparable frameworks define the circumstances in which a data subject has the right to request that data about them held by one data controller be made available in a form that lets the subject transfer that data to another controller for use.

30
Q

Data Localization

A

National legal frameworks place specific requirements on the protection, tracking, and audit of information that either crosses a national border or pertains to a data subject located within their jurisdiction.

Russia: data about any Russian citizen must be physically located within the territory of the Russian Federation.

EU: GDPR specifies conditions that must be met before privacy-related information can be transferred out of the EU to a system in a country that does not comply with GDPR’s requirements. This is a particular problem for U.S. companies.

31
Q

Cybercrimes and Data Breaches

A

Cybercrime is an act that involves the use of information, information systems, or information technologies in ways that violate the laws that pertain to the system and the information in question.