CSCS Training Flashcards
IoT
Internet of Things
IoMT
Internet of Medical Things
Mirai
Japanese word for the “future”
CCPA
California Consumer Privacy Act
When did the CCPA go into effect?
January 1, 2020
What does CCPA grant people?
It grants California residents new privacy rights and provides them with more control over their personal information.
DBIR
Data Breach Investigations Report
Ransomware
When the hacker takes the owner's information and makes them pay money to get their own files back.
GLB
Gramm-Leach-Bliley
GLB applies to which financial institutions in the USA?
Banks, securities firms, insurance companies, and other companies selling financial products
What is 21 CFR Part 11 designed for?
To prevent fraud while permitting the widest possible use of electronic technology.
What is the 21 CFR Part 11 effective date?
1997
NERC
North American Electric Reliability Council
CIP
Critical Infrastructure Protection
CIP Standards
- CIP-002 Critical Cyber Assets
- CIP-003 Security Management Controls
- CIP-004 Personnel and Training
- CIP-005 Electronic Security
- CIP-006 Physical Security
- CIP-007 Systems Security Management
- CIP-008 Incident Reporting and Response Planning
- CIP-009 Recovery Planning
SOX
Sarbanes-Oxley Act
Who is responsible for misrepresentation of financial data?
SOX
What is Title I of the SOX legislation?
Public Company Accounting Oversight Board
PCAOB
Public Company Accounting Oversight Board
What is Title II of the SOX legislation?
Auditor Independence
What is Title III of the SOX legislation?
Corporate Responsibility
What is Title IV of the SOX legislation?
Enhanced Financial Disclosures
SEC
Securities and Exchange Commission
COSO
Committee of Sponsoring Organizations
Define COSO
An acceptable framework to define internal controls for financial reporting systems.
How many titles are in the SOX?
11
What is Title V of SOX?
Analyst Conflicts and Interests
What is Title VI of the SOX?
Commission Resources and Authority
What is Title VII of the SOX?
Studies and Reports
What is Title VIII of the SOX?
Corporate and Criminal Fraud Accountability
What is section 802?
Criminal Penalties for Altering Documents
What is Title IX of SOX?
White-Collar Crime Penalty Enhancements
What is Title X of SOX?
Corporate Tax Returns
What is Title XI of SOX?
Corporate Fraud and Accountability
FTC
Federal Trade Commission
What are the FTC's strategic goals?
Protect Consumers, Maintain Competition, and Advance Organizational Performance
AICPA
American Institute of Certified Public Accountants
SOC
Service Organization Controls
SOC 2
Controls at a service organization that are relevant to security, availability, and processing integrity
5 Trust Service Principles
Security, Availability, Processing integrity, Confidentiality, and Privacy
Which country has PIP?
Japan
PIP
Personal Information Protection
When did PIP become effective?
May 2003
Which country has PIPEDA?
Canada
PIPEDA
Personal Information Protection and Electronic Document Act
When did PIPEDA become effective?
April 2000
Benefits of ISO
A reduction in security incidents, confidence to interested parties, reduction in financial losses, reduction in costs for correction, protection of brand and reputation, tender advantage, and consistency across sites
ISO 27799
Defines guidelines to support the interpretation and implementation in health informatics of ISO
ISO
Information Security Organization
What does ISO 27799 apply to?
Health information in all aspects
Structure of ISO standards
- Scope
- Normative References
- Terms and Definitions
- Context of Organizations
- Leadership
- Planning
- Support
- Operation
- Performance Evaluation
- Improvements
ISO 27001 specifies the requirements
Establishing, implementing, maintaining, and continually improving an ISMS
ISMS
Information Security Management System
What does the ISMS preserve?
CIA: Confidentiality, Integrity, and Availability.
What is scope?
Provide an overview of ISMS and terms and definitions commonly used in the ISMS family of standards
How many Terms and Definitions are there?
89
Examples of Terms and Definitions?
Confidentiality, Control Objective, Level of Risk, Process, Risk Analysis, and Vulnerability
ISMS benefits
Reduction in security incidents, confidence to interested parties, reduction in financial losses, protection of brand and reputation, competitive advantage, and consistency across sites.
Context of the Organization
- 1 Understanding the organization and its context
- 2 Understanding the needs and expectations of the interested parties
- 3 Determining the scope
- 4 Information Security Management System
HIPAA
Healthcare
Leadership
- 1 Leadership and Commitment
- 2 Policy
- 3 Organizational roles
Planning addresses what?
Risk and Opportunities
Planning shall
Define and apply an information security risk treatment process
Support
Shall determine and provide the resources needed for the establishment, implementation, maintenance, and continual improvement of the ISMS
Operation
Shall plan, implement, and control the processes needed to meet information security requirements, and implement the actions determined in 6.1
7.1
Resources
7.2
Competence
7.3
Awareness
7.4
Communications
7.5
Documented Information
6.1
Actions to Address risk and opportunities
6.2
Information security objective and planning to achieve them
5.1
Leadership and Commitment
5.2
Policy
5.3
Organizational roles, responsibilities, and authorities
4.1
Understanding the organization and its context
4.2
Understanding the needs and expectations of the interested parties
4.3
Determining the scope
4.4
Information Security Management System
Performance Evaluation
Shall evaluate the information security performance and the effectiveness of the information security management system
9.1
Monitoring, measurement, analysis, and evaluation
9.2
Internal audit
9.3
Management Review
Improvement
Corrective actions shall be appropriate to the effects of the nonconformities encountered
10.1
Nonconformity and corrective action
10.2
Continual Improvement
Documentation Requirements
- Scope of ISMS
- Information security policy
- Information security risk assessment process
- Information security risk treatment process
- Statement of applicability
- Information security objectives
- Evidence of competence
- Documented evidence
- Operation planning and control
- Risk assessment results
- Risk treatment results
- Evidence of monitoring and measurement
- Evidence of audit programs and results
- Evidence of management reviews/results
- Evidence of nonconformities and subsequent actions
- Evidence or results of corrective actions
What is ISO 27002 designed for?
A reference for selecting controls within the process of implementing an ISMS based on ISO 27001, or a guide for organizations developing their own information security guidelines
What does ISO 27002 discuss?
- Information security requirements
- Selection of Controls
- Developing guidelines
- Lifecycle considerations
- Related Standards
Security Control Clauses
Information Security Policies, Organization of Information Security, Human Resources Security, Asset Management, Access Control, Cryptography, Physical and Environmental Security, Operation Security, System Acquisition, Supplier Relationships, Information Security Incident Management, Information Security Aspects of Business Continuity Management
Information security policies should take into account
Business strategy
Regulations, legislation, and contracts
Current and Projected Information Security Threat Environment
Information Security Policies
To provide management direction and support for information security in accordance with business requirements
Who approves the Information Security Policy?
The highest level of management and sets out the organization’s approach to managing its information security objectives
What controls fall under Information Security Policies?
Policies for information security and the review of the policies for information security
Who publishes the DBIR?
Verizon
Which agency introduced 21 CFR Part 11?
FDA
Categories for Identify
Asset Management, Business Environment, Governance, Risk Assessment, Risk Management Strategy, Supply Chain Risk Management
Categories for Protect
Identity Management and Access Control, Awareness Control, Data Security, Information Protection Processes and Procedures, Maintenance, Protective Technology
Detect categories
Anomalies and Events, Security Continuous Monitoring, and Detection Processes
Respond categories
Response planning, communications, analysis, mitigation, and improvements
Recover categories
Recovery planning, improvements, and communications