Chapter 15 Flashcards

1
Q

U.S. Compliance Laws

A

Organizations entrusted with sensitive data should take steps to protect data

U.S. doesn’t have one comprehensive data protection law

Many federal data protection laws focus on specific types of data
Require organizations to use security controls to protect the different kinds of data that they collect

Laws are not optional

2
Q

Organizations collect sensitive data called personally identifiable information (PII), which includes:

A
First, middle, and last name
Home mailing address
Social Security number
Driver’s license number
Financial account data
Health data and biometric data
Authentication credentials
3
Q

Privacy

A

A person’s right to control the use and disclosure of his or her own personal information

4
Q

Control

A

A person can decide how his or her data can be collected, used, and shared with third parties

5
Q

Information security

A

The process used to keep data private

6
Q

____ is the process; ____ is the result

A

Security is the process; privacy is a result

7
Q

Federal Information Security

A

Federal government is the largest creator and user of information in the United States

Government IT systems hold:

Data that are critical for government operations
Data that are important for running the business of the federal government
Sensitive military data

8
Q

Federal Information Security Management Act (FISMA) of 2002

A

Applies to federal agencies and their IT systems

Federal agencies fall under the executive branch of the U.S. government

The Office of Management and Budget (OMB) oversees agency FISMA compliance and reports on it to Congress

9
Q

FISMA: Purpose and Main Requirements (9)

A
Risk assessments
Annual inventory
Policies and procedures 
Subordinate plans 
Security awareness training 
Testing and evaluation 
Remedial actions 
Incident response
Continuity of operations
10
Q

FISMA: Purpose and Main Requirements (cont.)

An agency must:

A

Protect the IT systems that support its operations

Test its IT systems at least yearly

Review the information security controls on IT systems

Implement the controls selected for each system and verify that they are effective

Monitor its security risk

11
Q

Federal Information Security Modernization Act (FISMA) of 2014

A

Amends FISMA 2002 and clearly defines the roles, responsibilities, accountabilities, requirements, and practices needed to fully implement FISMA security controls and requirements; it also codified the Department of Homeland Security’s role in administering the implementation of information security policy for civilian executive branch agencies

12
Q

Role of the National Institute of Standards and Technology (NIST)

A

Creates guidance that all federal agencies use for their information security programs

Creates standards that agencies use to classify their data and IT systems

Creates guidelines and minimum information security controls for IT systems

Creates Federal Information Processing Standards (FIPSs) and Special Publications (SPs)

13
Q

National Security Systems (NSSs)

A
Secure using a risk-based approach
Include systems used for:
         Intelligence activities
         National defense
         Foreign policy
         Military activities

Committee on National Security Systems (CNSS) issues the policy and guidance for NSS security that NIST provides for other federal systems

Use the same Risk Management Framework (RMF) process as NIST: six steps in SP 800-37 Rev. 1 (categorize, select, implement, assess, authorize, monitor); SP 800-37 Rev. 2 added a seventh, Prepare, at the front

14
Q

Health Insurance Portability and Accountability Act (HIPAA): Purpose and Scope

A

Contains data protection rules (the Privacy Rule and the Security Rule) that address the security and privacy of individually identifiable health information

Department of Health and Human Services (HHS) is responsible for the rules and for compliance

Protected health information (PHI) is individually identifiable information about a person’s health, health care, or payment for health care that a covered entity or business associate creates, receives, stores, or transmits

Covers covered entities (health plans, health care clearinghouses, and health care providers that transmit health information electronically) and their business associates

15
Q

Main Requirements of the HIPAA Privacy Rule

A

Determines how covered entities must protect the privacy of PHI

Covered entities may not use or disclose a person’s PHI without his or her written authorization

Exceptions allow a covered entity to share a person’s PHI without written authorization, most importantly for treatment, payment, and health care operations

A covered entity must inform people, through a notice of privacy practices, about how it uses and discloses PHI

16
Q

HIPAA Oversight

A

HHS oversees compliance with the HIPAA Privacy and Security Rules

HHS delegated this function to Office for Civil Rights (OCR)

OCR enforces HIPAA compliance

HITECH Act defined a tiered system for assessing the level of each HIPAA violation: Tiers A-D

17
Q

Gramm-Leach-Bliley Act (GLBA)

A

Addresses privacy and security of consumer financial information

Federal Financial Institutions Examination Council (FFIEC) is the interagency body that sets uniform examination standards for U.S. banks and other financial institutions

FFIEC developed a Cybersecurity Assessment Tool (CAT) used to identify a bank’s or financial institution’s inherent risk and cybersecurity maturity (FFIEC has announced that the CAT will be retired on August 31, 2025)

The CAT complements, rather than replaces, a banking or financial organization’s ongoing risk management program and cybersecurity implementation

18
Q

GLBA: Purpose and Scope

A

Financial institutions must follow GLBA privacy and security rules to help mitigate data breaches and identity theft

GLBA requires financial institutions to protect consumers’ nonpublic personal information (NPI)
NPI is personally identifiable financial information that a consumer provides to a financial institution, that results from a transaction with the institution, or that the institution otherwise obtains

19
Q

Main Requirements of the GLBA Safeguards Rule (the Privacy Rule, by contrast, covers privacy notices and the consumer’s right to opt out of sharing with nonaffiliated third parties)

A

Protect the security and confidentiality of customer data

Protect against threats to the security or integrity of customer data

Protect against unauthorized access to or use of customer data that could result in harm to a customer

Require a financial institution to create a written information security program

20
Q

Sarbanes-Oxley (SOX) Act: Purpose and Scope

A

Protects investors from financial fraud

Applies to publicly traded companies that must register with the Securities and Exchange Commission (SEC)

Requires companies to verify the accuracy of their financial information

Section 404 requires an organization’s executive officers to establish, maintain, review, and report on effectiveness of the company’s internal controls over financial reporting (ICFR)

21
Q

SOX Control Certification Requirements

A

A company must create, document, and test its ICFR

It must report on its ICFR every year

After a company makes its yearly report, an independent outside auditor must attest to whether the ICFR are effective

ICFR are processes that provide reasonable assurance that an organization’s financial reports are reliable

22
Q

Family Educational Rights and Privacy Act (FERPA)

A

Educational institutions can collect and store student data:

Demographic information
Address and contact information
Parental demographic information
Parental address and contact information
Grade information
Disciplinary information
23
Q

FERPA: Main Requirements

A

Students (or their parents, until the student turns 18 or enrolls in a postsecondary institution) have the following rights:

To know what data are in the student’s education record and to inspect and review that record
To request that a school correct errors in the education record
To consent before certain kinds of student data are released (directory information can be released unless the student or parent opts out)
24
Q

Children’s Internet Protection Act (CIPA): Main Requirements

A

Covered schools and libraries (those receiving E-rate discounts) must filter Internet content that is obscene, is child pornography, or is harmful to minors so children can’t get to it

Technology protection measure (TPM) is any technology that can block or filter the objectionable content

Schools and libraries must adopt and enforce an Internet safety policy to comply with CIPA

A library or school may disable the TPM for an adult who needs unfiltered access for bona fide research or another lawful purpose

25
Q

Payment Card Industry Data Security Standard (PCI DSS): Purpose and Scope

A

Assists merchants and financial institutions in understanding and implementing standards for security policies, technologies, and ongoing processes that protect their payment systems from breaches and theft of cardholder data; unlike the other items in this chapter, PCI DSS is an industry standard enforced by contract with the payment card brands, not a federal law

Helps vendors understand and implement PCI standards and requirements for ensuring secure payment solutions are properly implemented