Data Security Flashcards

1
Q

Masking/encryption will

A

render the data unreadable without the keys

2
Q

13 guiding principles of data security

A
  1. responsible trustee of data
  2. comply with regulations
  3. use CRUD matrices to help map data access needs
  4. data security policy should be updated and approved by the data governance council (DGSC)
  5. identify application security requirements on projects
  6. classify all enterprise data for confidentiality
  7. passwords should follow complexity guidelines
  8. security role groups
  9. request, track and approve all user and group authorisations
  10. centrally manage user identity data and group membership data
  11. use views or partitions to restrict access to sensitive columns or specific views
  12. strictly limit and consider every use of shared or service user accounts
  13. monitor data access activity to understand trends
3
Q

Classifications of data

A

PII, business critical, financially critical

4
Q

Password best practice

A

3 or 4 random words

5
Q

Goldilocks Principle

A

balance must be met based on the damage/harm that could be caused

6
Q

Four sources of data security requirements

A
  • business needs
  • government regulations
  • stakeholder concerns
  • legitimate business concerns
8
Q

Security control legislation EU

A
  • EU GDPR
  • BASEL II and Solvency II
  • BCBS 239 Basel committee
  • PCI-DSS
9
Q

Security control legislation US

A
  • HIPAA
  • Sarbanes-Oxley Act
  • CCPA
  • CPRA
10
Q

Four As

A

Authentication
Authorisation
Access
Audit

11
Q

Sarbanes-Oxley Act

A

prevents unauthorised modification of financial transactions

12
Q

Solvency II

A

Protecting lineage of data feeding risk models

13
Q

Active Audit

A

Parsing instructions and data before it's returned to the user

14
Q

Passive Audit

A

Looking at what has happened

15
Q

CCPA

A

statute to enhance privacy rights and consumer protection (California)

16
Q

ISO standards

A

set out critical requirements for an information security standard in an organisation

17
Q

ISO/IEC 29100

A

about the technology e.g. firewalls

18
Q

ISO/IEC 27001

A

how to manage information security

19
Q

ISO/IEC 27701

A

extension of 27001 relating to GDPR

20
Q

Standards should influence

A
  • access control
  • use of devices
  • disposal processes
21
Q

CIA

A

confidentiality, integrity, availability

22
Q

CIA Integrity

A

preventing undetectable modification of information

23
Q

3 categories of controls

A
  • Administrative controls
  • Logical controls
  • physical controls
24
Q

Administrative controls

A

procedural security e.g., training, policies

25
Q

Logical controls

A

software security e.g., passwords, firewalls, encryption

26
Q

Physical Controls

A

Workplace Security e.g., doors, locks, CCTV, sprinkler system

27
Q

Risk Assessment Stages

A
  1. categorise the threats e.g., environmental vs manmade
  2. categorise the vulnerabilities e.g., physical, technological, human
  3. Probability - what’s the likelihood that a threat exploits a vulnerability
  4. Impact - how will this affect the organisation
  5. Give a suggested mitigation
28
Q

How does ISO 27001 suggest to treat risks

A
  • terminate the risk
  • treat the risk
  • transfer the risk
  • tolerate the risk (accept the risk)
29
Q

IT Security Threats: Privilege Escalation

A

Exploiting bugs in software.
A mechanism attackers use to load further malicious software and to use the compromised system as a node for further attacks

30
Q

IT Security Threat: Root kits

A

Activated as system boots up (hard to detect), allow the installation of files and accounts to intercept sensitive information

31
Q

IT Security Threat: Ransomware

A

Malware that encrypts your data and payment is demanded before the data is returned

32
Q

SMART

A

specific, measurable, achievable, realistic, timely

33
Q

The planning, development and execution of security policies and procedures to provide proper authentication, authorisation, access and auditing of data and information assets

A

Data security management

34
Q

HIPAA is relevant

A

for US healthcare providers

35
Q

PCI-DSS is relevant for

A

online card payments

36
Q

The implementation and administration of database security is the responsibility of

A

The DBA

37
Q

Responsibility of the data governance council in defining an information security policy

A

review and approve the high-level data security policy

38
Q

What is the benefit of using role groups to implement data security policies

A

reduces the effort to assign access rights to users if they inherit rights from their group

39
Q

Different ways to encrypt

A

Hash, private key, public key & Obfuscation/masking

40
Q

Two types of masking

A

persistent & dynamic

41
Q

Persistent masking

A

Permanently alters the data

42
Q

Persistent masking two types

A

in flight (moving between source and destination, e.g. between production and non-production)
in place (when source and destination are the same)

43
Q

Dynamic Masking

A

Changes the appearance without changing the data

44
Q

Temporal variance

A

move dates +/- a number of days (type of masking)

45
Q

cookie

A

a small data file that is downloaded on to a computer's hard drive, to identify returning visitors and profile their preferences

46
Q

DMZ

A

The area at the edge/perimeter of an organisation, with a firewall between it and the organisation.

47
Q

One of the main approaches to managing sensitive data is classifying them and enforcing a common standard. This process is also part of:

A

Metadata Management

48
Q

Guiding Principles for data security

A
  • requires collaboration
  • enterprise wide approach
  • proactive management
49
Q

Authentication

A

verifying the user identities of those who are accessing your data

50
Q

Classifying data (important metadata)

A

define confidentiality levels

51
Q

encrypting data at rest

A

encrypting data when it’s stored on a device

52
Q

secure data in transit

A

encrypting data while it's being transmitted between locations

53
Q

Which role is responsible for determining the right confidentiality levels

A

data stewards

54
Q

Organisations are increasingly turning to cloud-based computing environments. What are some measures needed to adapt to this emerging environment?

A

Tweaking or creating a new data security management policy centered on cloud computing
Data security policies must account for distribution of data across different service models
In cloud computing, defining chain of custody of data and defining ownership and custodianship rights should be a priority
Internal cloud data-center architecture needs to adhere to the same security policy as the rest of the organisation

56
Q

While the Information security team enforces and protects the network, which role is responsible for determining the right confidentiality levels?

A

Data stewards