Data Security Flashcards

1
Q

Masking/encryption will

A

render the data unreadable without the keys

2
Q

13 guiding principles of data security

A
  1. responsible trustee of data
  2. comply with regulations
  3. use CRUD matrices to help map data access needs
  4. data security policy should be updated and approved by the data governance council (DGSC)
  5. identify application security requirements on projects
  6. classify all enterprise data for confidentiality
  7. passwords should follow complexity guidelines
  8. security role groups
  9. request, track and approve all user and group authorisations
  10. centrally manage user identity data and group membership data
  11. use views or partitions to restrict access to sensitive columns or specific views
  12. strictly limit and consider every use of shared or service user accounts
  13. monitor data access activity to understand trends
3
Q

Classifications of data

A

PII, business critical, financially critical

4
Q

Password best practice

A

3 or 4 random words

5
Q

Goldilocks Principle

A

balance must be met based on the damage/harm that could be caused

6
Q

Four sources of data security requirements

A
  • business needs
  • government regulations
  • stakeholder concerns
  • legitimate business concerns
8
Q

Security control legislation EU

A
  • EU GDPR
  • BASEL II and Solvency II
  • BCBS 239 Basel committee
  • PCI-DSS
9
Q

Security control legislation US

A
  • HIPAA
  • Sarbanes-Oxley Act
  • CCPA
  • CPRA
10
Q

Four As

A

Authentication
Authorisation
Access
Audit

11
Q

Sarbanes-Oxley Act

A

prevents unauthorised modification of financial transactions

12
Q

Solvency II

A

Protecting lineage of data feeding risk models

13
Q

Active Audit

A

Parsing instructions and data before they are returned to the user

14
Q

Passive Audit

A

Looking at what has happened

15
Q

CCPA

A

statute to enhance privacy rights and consumer protection (California)

16
Q

ISO standards

A

set out critical requirements for information security standards in an organisation

17
Q

ISO/IEC 29100

A

about the technology e.g. firewalls

18
Q

ISO/IEC 27001

A

how to manage information security

19
Q

ISO/IEC 27701

A

extension of 27001 relating to GDPR

20
Q

Standards should influence

A
  • access control
  • use of devices
  • disposal processes
21
Q

CIA

A

confidentiality, integrity, availability

22
Q

CIA Integrity

A

preventing undetectable modification of information

23
Q

3 categories of controls

A
  • Administrative controls
  • Logical controls
  • physical controls
24
Q

Administrative controls

A

procedural security e.g., training, policies

25
Logical controls
software security e.g., passwords, firewalls, encryption
26
Physical Controls
Workplace Security e.g., doors, locks, CCTV, sprinkler system
27
Risk Assessment Stages
  1. categorise the threats e.g., environmental vs manmade
  2. categorise the vulnerabilities e.g., physical, technological, human
  3. Probability - what's the likelihood that a threat exploits a vulnerability
  4. Impact - how will this affect the organisation
  5. Give a suggested mitigation
28
How does ISO 27001 suggest to treat risks
  • terminate the risk
  • treat the risk
  • transfer the risk
  • tolerate the risk (accept the risk)
29
IT Security Threats: Privilege Escalation
Exploiting bugs in software. A mechanism used to load further malicious software and to use the compromised system as a node for further attacks
30
IT Security Threat: Rootkits
Activated as the system boots up (hard to detect); allow the installation of files and accounts to intercept sensitive information
31
IT Security Threat: Ransomware
Malware that encrypts your data; payment is demanded before the data is returned
32
SMART
specific, measurable, achievable, realistic, timely
33
The planning, development and execution of security policies and procedures to provide proper authentication, authorisation, access and auditing of data and information assets
Data security management
34
HIPAA is relevant
for US healthcare providers
35
PCI-DSS is relevant for
online card payments
36
The implementation and administration of database security is the responsibility of
The DBA
37
Responsibility of the data governance council in defining an information security policy
review and approve the high-level data security policy
38
What is the benefit of using role groups to implement data security policies
reduces the effort to assign access rights to users if they inherit rights from their group
39
Different ways to encrypt
Hash, private key, public key & Obfuscation/masking
40
Two types of masking
persistent & dynamic
41
Persistent masking
Permanently alters the data
42
Persistent masking: two types
  • in flight (moving between source and destination, e.g. between production and non-production)
  • in place (when source and destination are the same)
43
Dynamic Masking
Changes the appearance without changing the data
44
Temporal variance
move dates +/- a number of days (a type of masking)
45
cookie
a small data file that is downloaded onto a computer's hard drive to identify returning visitors and profile their preferences
46
DMZ
The area at the edge/perimeter of an organisation, with a firewall between it and the organisation.
47
One of the main approaches to managing sensitive data is classifying them and enforcing a common standard. This process is also part of:
Metadata Management
48
Guiding Principles for data security
  • requires collaboration
  • enterprise-wide approach
  • proactive management
49
Authentication
verifying the user identities of those who are accessing your data
50
Classifying data (important metadata)
define confidentiality levels
51
encrypting data at rest
encrypting data when it's stored on a device
52
secure data in transit
encrypting data while it is being transmitted between locations
53
Which role is responsible for determining the right confidentiality levels
data stewards
54
Organisations are increasingly moving to cloud-based computing environments. What are some measures needed to adapt to this?
  • Tweaking or creating a new data security management policy centered on cloud computing
  • Data security policies must account for the distribution of data across different service models
  • In cloud computing, defining the chain of custody of data and defining ownership and custodianship rights should be a priority
  • Internal cloud data-center architecture needs to adhere to the same security policy as the rest of the organisation
56
While the Information security team enforces and protects the network, which role is responsible for determining the right confidentiality levels?
Data stewards