CIPP Foundations II - A Survey of Global Privacy Laws and Industry Practices Flashcards
• Global perspectives and data protection models
• The U.S. approach to information privacy
• The EU Data Protection Directive
• Data protection in Asia, Africa and the Middle East
• Sectors of privacy law, including healthcare, financial, telecommunications, marketing, human resources
What are the infrastructure elements that require protection?
computer hardware, network hardware, network systems, computer platforms
What does network hardware refer to?
equipment such as routers, switches, gateways and access points that facilitate the use and management of a computer network.
What are network servers?
centralized computers that may contain business information accessible to many users, often simultaneously.
What are the two broad categories of network systems?
Local area networks (LANs) and wide area networks (WANs)
What is a LAN?
Local area network - exists within an operational facility, is considered within local operational control and is relatively easy to manage.
What is a WAN?
Wide area network - may involve coordination between several groups, is considered outside of local operational control and is relatively difficult to manage.
What is the most common type of LAN connection?
Ethernet
What types of connections are becoming increasingly common with WANs?
Optical connections - they use complex light wave patterns to transmit information rather than electrical impulses.
What network systems must be managed in order to ensure effective information security?
Internet, the cloud, intranet, extranet, private branch exchange (PBX), remote access connectivity, mobile and wireless network connectivity, VoIP, email
When is an extranet formed?
When two or more corporate intranets are connected.
What do PBX systems control?
Telephone interactions; they also store voicemail (VM) and perform many other functions related to telephony.
What should be used to manage mobile connectivity?
Virtual Private Networks (VPNs)
What is a VPN?
A system that incorporates authentication and encryption schemes in order to create a secure connection to an organizational LAN that is made available to authorized users over the Internet.
What are two common threats to mobile and wireless network connectivity?
Data interception and data emulation
What is VoIP?
Voice over Internet protocol - allows telephone calls to be made over a private WAN or the Internet itself.
What are the three general categories of computer platforms?
mainframes, servers, and desktops/smaller computers
Should business-critical information be exclusively stored on desktops or other personal computers?
No. Business-critical info should be managed in a centralized manner where it can be secured, backed up and included in a disaster recovery plan.
What are security controls?
The processes used to ensure the security of an information system. It is important that a control monitoring process be set up to provide prompt notification in the event that any of the controls fail.
What are the three main types of security controls?
Preventative, Detective & Corrective
What are the two types of data encryption - generally?
Encryption in communication AND encryption at rest (encryption on data stored locally)
What is decryption?
The function used to reverse the encryption of information and reveal it in plain text.
Is Encryption a good way to ensure authentication?
No, encryption is a good means of ensuring confidentiality, but it is not good for authentication as it does not verify that the person who claims to have sent the message is the true sender.
What is Encryption?
The process of obscuring information, often through the use of a cryptographic scheme, to make the data unreadable without special knowledge.
What is the dual purpose of information security systems?
Providing access to the end user while protecting the data from other end users.
What are some important things that retention schedules should address?
Record types (levels of sensitivity) and retention periods (duration of storage); both should be based on demonstrated business needs and on any applicable regulatory requirements.
EXTRA CREDIT - How does a traditional computer hard drive work?
It uses a magnet to change the polarity of charged particles on the surface of the magnetic disc. (Remember the eBay example on pg. 91).
What is the measure by which information should be protected?
Information should be protected in accordance with the value of the asset - the higher the value, the greater the security
What are criteria on which asset value should be based for information security purposes?
(1) Sensitivity and confidentiality (2) potential liability (3) intelligence value (4) criticality to the business
What does effective risk management balance?
The potential for loss with the cost of security protection and management.
What are three of the most common information classification levels?
(1) confidential (2) sensitive (3) public
Define “Confidential” information
Information that, if disclosed, would cause the business to be seriously compromised or outright fail. - HIGHLY SECURE & PRIVATE
Define “Sensitive” Information
Important business information that is intended for internal use only. SHOULD REMAIN SECURE
Define “Public” information
information that may be safely shared with the public at large.
What are 9 terms that a contract for outsourcing IT functions should address?
(1) Security roles/responsibilities (2) Requirements for data protection that ensure the third party matches the standards of the organization (3) information ownership and appropriate use (4) physical and logical access controls (5) security control testing of the third party (6) service continuity (7) an incident coordination process (8) the right to conduct audits (9) a clear statement of respective liabilities
Should an employee ever have greater information access than is necessary to capably perform her or his job function?
No - access should be tied to the role the employee plays - and access may require further management approval.
What are three basic security principles upon which “role-based access controls” are based?
(1) Segregation of duties (2) least privilege (3) need to know or access
What is nonrepudiation?
The ability to ensure that neither the originator nor the receiver can dispute the validity of a transaction or access request.
What are the ways in which authentication identifies an individual account user?
What you know, what you have, and who you are.
What is the concept of “out of wallet”?
That your passwords or “what you know” (i.e. answers to verification questions) should not be knowable even if an outsider gains access to the information inside a user’s wallet.
What is multifactor authentication?
The use of two or more types of credentials for account authentication. Ex. a password combined with a passcard, a biometric identifier, or an out-of-band check (e.g. when a bank sends a passcode to your phone to verify a new device being used to access account information). Two-factor schemes typically consist of what you know and what you have, and check each before authenticating the access request.
What is an example of “one-factor” authentication?
A password
What are some industry-standard password conventions in use today?
System passwords should be independently assigned and used; blank-field passwords should never be used/allowed; at least 8 characters (or as long as the system supports); upper/lowercase letters, numbers and at least one special character; active cycling at least every 30 days; existing passwords should be retired and replaced with new passwords; inactive accounts or accounts of departed/terminated employees should be disabled completely; passwords should not be broadly familiar to individuals; avoid common dictionary words or well-known numbers or birthdays.
What is the intent of a complex password scheme?
To prevent “brute force” attacks.
What is PKI?
Public Key Infrastructure - a system of digital certificates, certificate authorities and other registration entities that verifies the validity of each party involved in an electronic transaction through the use of cryptographic (coded or encrypted) signatures.
What does PKI enable?
PKI enables users of insecure public networks (such as the Internet) to privately and securely authenticate with each other and to exchange electronic data and/or digital currency.
What are the two unique tokens (identifiers) PKI schemes permit a sender to create?
Public Key - allows anyone to encrypt data and send it securely to the recipient. Private Key - allows the recipient to unlock the data signature and view the contents of the message in a readable format such as plain text.
What are 4 assurances PKI can offer?
(1) Data has not been altered or corrupted in transit. (2) The source of the data is who or what it claims to be. (3) The transmitted data has remained private and secure while in transit. (4) The transmitted data may be introduced as evidence in a court of law.
What is a digital signature?
A means for ensuring the authenticity of an electronic document.
How does a digital signature work?
If the document is altered after the signature is attached, then the value associated with the document is altered and the signature is rendered invalid.
What is the certificate protocol most commonly used in connection with electronic docs?
DSS - Digital Signature Standard
What is the public-key cryptography on which DSS is based?
DSA - Digital Signature Algorithm.
How does the role of public and private keys differ between encryption and digital signatures?
Encryption - the sender uses the recipient’s public key when sending the message, and the recipient uses their private key to decode it. Digital Signature - the sender first uses their own private key, and the recipient then uses the sender’s public key to decode the message and determine its authenticity and that it hasn't been modified in transit.
What is Authorization?
The process of determining if the end user, once authenticated, is permitted to have access to the desired resource.
What is an important concept to consider with authorization?
Segregation of powers (limited power) - no one person should have complete access to all business systems and, for business continuity purposes, no one person should be the only person who can perform any single, essential function.
What changes as an employee’s role changes?
System access levels.
Describe some important concepts involved with HR information security.
Defining roles and responsibilities prior to employment, following policies and procedures, changes or termination of employment, outsourcing (formal vendor security qualification protocols and audits), disciplinary processes, HR roles in IS differing by stages of employment, background checks.
What is another element of IS besides technical and administrative controls?
Physical and environmental controls.
What are some of the simplest, yet dangerous, system vulnerabilities?
A logged-on, empty workstation and improper internet/email use.
Access to passwords should be treated like what?
Like access to the systems themselves.
What are straightforward, relatively easy to implement, protections against system intrusions of the software variety?
Antivirus solutions
What are some types of virus programs?
Backdoors, Trojans, keyloggers, etc.
What are two ways to deploy antivirus protection?
(1) maintaining a centralized mail server with antivirus capabilities that scans incoming and outgoing messages (2) scanning all incoming data for virus signatures in data streams.
What is a firewall?
A software program that resides at the network router or server level and is configured with a policy that allows only certain types of traffic to access the network.
Should technical measures be used to block access to potentially dangerous sites?
Yes
What does it mean to “control the perimeter”?
Managing technologies and processes that are designed to secure an entire network environment by preventing penetration from the outside.
What are some different perimeter control methods?
Network- and host-based firewalls, malware detection and antivirus application suites, access control lists (with antispoofing) on networks, host- and network-based IDSs, host- and network-based IPSs, connection encryption schemes such as VPNs, SSL and IPsec protocols, and strong user, email and device encryption.
How can IS professionals monitor the success of IDS, IPS, and other perimeter controls?
use and analysis of log files.
What are log files?
“Event reports” that are generated automatically based on the originating system, computer, software application or software tool.
What are the three log types?
Application log, system log, security log
What is recorded in the log files?
Natural and suspect events (anomalies) - many computer systems record such entries including UNIX, Linux and Windows.
What are some external threats?
Exploit tools, malicious code, layered attacks.
What is a network-layered attack?
These exploit the basic network protocol in order to gain any available advantage. They generally involve spoofing (falsifying a network address) or DoS attacks.
What is a DoS attack?
Denial of Service - a brute force method that overloads the capacity of a website’s domain to respond to incoming requests such that it renders the server inoperable.
What is a good preventative strategy to avoid vulnerabilities caused by applications that “listen” to Internet server ports, and to track suspicious activity?
deactivate unnecessary network services and block unused or idle network ports.
What is a good method for preventing network-layer attacks?
Firewalls on both network perimeters and hosts.
What is an application-layer attack?
These exploit flaws in the network applications that are installed on the network servers. These are the most common type of exploit because they give a hacker options.
What is a good way to prevent application-layer attacks?
Regularly apply all relevant and current patches and updates to applications. Disable all unnecessary services that listen for network traffic in case they contain a vulnerability that can be exploited.
What are some important concepts for disaster recovery?
Off-site storage of mission-critical systems, replication, data fail-over capacity, data/hardware AND application recovery.
What are two challenges to co-location?
Keeping the data synchronized and maintaining system security at multiple locations.
What are some important components of a Business Continuance Plan?
Regular data backups. NOTE: Backups are only as good as their recoverability. Proper database management (this is central to ensuring effective privacy).
Describe the Life Cycle of Incident Management.
(1) Discovery of an incident (2) containment and analysis (3) notification (4) eradication and prevention.
Name some situations that might lead to discovering an incident.
Numerous failed login attempts; sudden use of an idle or long-dormant access account; use during off-hours; presence of an unauthorized access account; unfamiliar programs or files; weak user passwords; changes in file permissions; social engineering; unknown devices; gaps in system logs (a common way of discovering an incident); alerts or red flags from data loss prevention software; device inventories that do not match up with devices currently in circulation or storage.
What are two common, yet oft-overlooked, sources of data breaches?
third-party mistakes and employee negligence.
Is it important to establish a highly secure log host?
Yes
What is the next step after an incident is discovered?
Containment and analysis
What does the containment step of the incident management lifecycle entail?
Stopping the unauthorized practice, recovering the records, shutting down the breached system, revoking access or correcting any weakness in physical security. It may also involve notifying the police if criminal activity was involved.
Why is an initial analysis necessary once an incident has been contained?
To determine which systems and networks were impacted.
What should be done if a system has been compromised?
It should be immediately disconnected from the network and powered down (taking into account whether shutdown would cause valuable data to be lost), the hard drive removed, and the data restored from backup onto a new drive. A full system audit must be performed to make sure that the vulnerability that was exploited is not inadvertently restored or reactivated.
What is required after initial containment?
(1) An in-depth, complete analysis. (2) Documentation of the incident.
What are computer forensics?
The discipline of assessing and examining an information system for relevant clues after it has been compromised by an exploit.
What pieces of information should be gathered during the analysis of an incident?
(1) What type of information was affected (2) the number of people who were impacted (3) the groups that were impacted. This analysis will inform the organization’s notification obligations.
What marked the beginning of notification following a data breach becoming a legal requirement?
Senate Bill 1386 in California in 2003.
Know the states and countries that have a data breach notification requirement.
46+ States, Germany, Austria, South Korea, Mexico, many jurisdictions are considering federal and/or state or provincial laws. An EU-wide notification requirement is being considered. Many organizations and regulators consider notification mandatory even if not legally required.
Define Data Breach
An incident where PII has been lost or subject to unauthorized acquisition, access, disclosure or destruction in a manner that compromises its security, confidentiality or integrity.
What are some of the various provisions of breach notification laws?
The trigger for notification, whom to notify, the timing of notification, the contents of notices, and the methods of providing notifications.
Are organizations always legally obligated to notify individuals affected by data breach?
No, in some jurisdictions organizations are legally required to notify affected individuals only if there is some degree of harm to the individual, while in other jurisdictions all data breaches must be notified.
Who are some possible recipients of a breach report?
Regulators, law enforcement, affected individuals, insurers, relevant service providers, the media, any other stakeholders.
When does a party have to notify affected individuals of a breach?
It depends - it may range from 24 hours to “in the most expedient time possible” to “within a reasonable amount of time.” Notification may be delayed when law enforcement is involved, or when delay is necessary to restore the reasonable integrity of the information systems.
What is included in a breach notification?
nature of the incident, type of PI breached, assistance the org is offering to the individual, steps an individual can take to protect themselves, point of contact.
How can parties affected by a breach be notified?
direct mail, telephone, email, fax, publication in a newspaper or on a company website.
Who generally is required to notify affected individuals of a data breach?
The organization in the direct relationship with the individual.
What is the final step of incident management?
Eradication and Prevention
What is the goal of investigating the root cause of a breach?
To ultimately take steps to remediate any gaps discovered in security, process or training.
Should internal reports of all data breaches be maintained?
Yes, such reports allow the organization to monitor for patterns that would underlie systemic issues.
What are some ways to prevent future breaches?
Implementing a comprehensive IS program, implementing administrative, technical and physical (ATP) safeguards that are proportionate to the needs of the org, encryption, updating privacy notices and retention schedules, etc.
What might be included when documenting a breach?
Who was notified and when, details on the cause and scope of the incident, the date the incident was discovered, how the incident was discovered, and the steps the org has taken to mitigate the harm.
When should employees be notified about an incident response protocol being changed?
Any time the protocol is changed.
What types of systems are important to build into your security program along with administrative, technical and physical (ATP) controls?
Systems for monitoring and compliance.
For what should information privacy and security procedures be assessed?
Compliance with published policy as well as with applicable laws and regulations.
Are self-assessments or third-party audits more valuable to an organization trying to audit their security programs?
Both admin controls are important - self-assessments should be performed regularly as a best-practice and third-party audits can be very beneficial for numerous reasons, including the ability of an org to leverage the additional experience and expertise of the third-party.
Why is IS a central business function?
Because IT enables virtually every other type of business activity within the organization. Security must be considered a formal business function for an org to be successful.
What serves as the bedrock of consumer and stakeholder trust established by the org?
Privacy and information security measures together.
What was the precursor to the Internet?
ARPAnet - a military computer network developed in the 1960s by ARPA.
What is the World Wide Web?
An information-sharing model that is built on top of the Internet.
What were the two key technologies on which the web functioned historically?
(1) Hypertext transfer protocol (HTTP) - an application protocol that manages data communication over the Internet. It defines how messages are formatted and transmitted over a TCP/IP network for websites, and what actions web servers and browsers take in response to various commands. (2) HTML (hypertext markup language) - a content-authoring language used to create web pages.
Who developed HTML in the early 1990s?
Sir Tim Berners-Lee
What was the first web browser application?
Mozilla - developed by the US-based National Center for Supercomputing Applications (NCSA)
Who developed Netscape?
Marc Andreessen - a young NCSA student and author of Mozilla.
What is the most recent version of the HTML standard?
HTML5
What is XML?
Extensible markup language - another language that facilitates the transport, creation, retrieval and storage of documents. XML can potentially create automatic data processing scenarios so privacy issues are an important consideration.