CHP 14 Flashcards
Policies
Rules. The framework for operations, decision-making, and behaviors, setting the rules for a compliant and ethical corporate culture.
SDLC
SDLC policies govern software development within an organization.
ISO/IEC 27001
An international standard that provides an information security management system (ISMS) framework to ensure adequate and proportionate security controls are in place.
CDE
The Cardholder Data Environment (CDE) refers to the network of people, processes, and technologies that store, process, or transmit cardholder data.
ISO/IEC 27002
This is a companion standard to ISO 27001 and provides detailed guidance on specific controls to include in an ISMS.
ISO/IEC 27017
An extension of ISO 27001 that is specific to cloud services.
ISO/IEC 27018
Another extension of ISO 27001, specific to protecting personally identifiable information (PII) in public clouds.
FIPS
Federal Information Processing Standards (FIPS) are standards and guidelines developed by NIST for federal computer systems in the United States; they specify requirements for cryptography.
SOX
The Sarbanes-Oxley Act (SOX) mandates the implementation of risk assessments, internal controls, and audit procedures.
FISMA
FISMA, the Federal Information Security Management Act, is a United States law enacted in 2002 to protect government information and operations against threats.
GLBA
The Gramm-Leach-Bliley Act (GLBA) is a United States federal law that requires financial institutions to protect the privacy of consumers' personal financial information.
PIPEDA
The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian federal law that governs how private sector organizations collect, use, and disclose personal information in the course of commercial activities.
Healthcare
Health Insurance Portability and Accountability Act (HIPAA) (United States)
The General Data Protection Regulation (GDPR) (European Union)
Financial Services
Gramm-Leach-Bliley Act (GLBA) (United States)
Payment Card Industry Data Security Standard (PCI DSS) (Contractual obligation)
Telecommunications
Communications Assistance for Law Enforcement Act (CALEA) (United States)
"Allows law enforcement (LE) to tap phones"
Energy
North American Electric Reliability Corporation (NERC) (United States and Canada)
Education & Children
Family Educational Rights and Privacy Act (FERPA) (United States)
Children’s Internet Protection Act (CIPA) (United States)
Children's Online Privacy Protection Act (COPPA) (United States)
Government
Federal Information Security Modernization Act (FISMA) (United States)
Criminal Justice Information Services (CJIS) Security Policy (United States)
The Government Security Classifications (GSC) (United Kingdom)
Several mission-essential applications stopped working the morning after a mandatory security update was implemented; the update introduced several instabilities in existing software. What could have prevented this from occurring?
A. Stakeholders
B. Change management
C. Dependencies
D. Request for change
B
A properly implemented change plan helps keep business operations moving forward. Restarts, dependencies, and downtime go hand-in-hand with change management. When is the BEST time to implement changes? (Select the two best options.)
A. After the workday
B. Off-peak times
C. Peak times
D. Maintenance windows
B, D
A healthcare provider’s IT manager wants to automate routine tasks within its network security management. This automation will free up IT staff time and enhance system defenses. Potential risks are a concern, and the manager wants to implement automation securely. What strategies should the IT manager prioritize to achieve secure automation, considering both efficiency and potential risks?
A. Implementing a manual approval process for all automated tasks
B. Utilizing automation tools with built-in security features and compliance monitoring
C. Introducing a proprietary system for automation without collaboration with security experts
D. Outsourcing the development of automation scripts to a specialized cybersecurity firm
B
A manager reprimands an IT employee because the employee did not follow instructions on the server build. Each server’s configuration was different, including different software and settings. What should the employee have followed to build the server correctly?
A. Standards
B. Access control models
C. Policy
D. Guidelines
A
An IT manager prepares a proposal to implement change management. Before being able to start the program, the manager needs support from key personnel within every department. What key personnel does the manager need support from?
A. Controller
B. Owner
C. Stakeholders
D. Processor
C