Domain 1 Flashcards
1
Q
The rise of privacy and regulation
A
- 1948: the United Nations adopted the Universal Declaration of Human Rights
  - Article 12
  - "No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks."
- Organisation for Economic Co-operation and Development (OECD) privacy principles
  - collection limitation
  - data quality
  - purpose specification
  - use limitation
  - security safeguards
  - openness principle
  - individual participation
  - accountability
- CALPS AIR (mnemonic)
2
Q
Organizational governance processes
A
- governance committees are required for most nonprofit organizations
- The following decisions can affect organizational security:
  - acquisition
  - merger
  - divestiture
- An example is the Marriott hotel breaches in 2018 and 2020
  - The breach happened through the Starwood network, which had been compromised in 2014, before the acquisition in 2016
  - Also an example of Marriott not practicing due diligence with respect to the information security functions of the companies it acquired
3
Q
Organizational roles and responsibilities
A
- Senior management
  - C-suite
- Security manager / security officer / security director
  - senior person within an organization responsible for advising senior management on security matters
  - represents the organization's security needs in groups and meetings such as configuration management boards and similar committees
  - security managers should not report to the same role or department that oversees information technology, due to conflicts of interest
- Configuration management board
  - typically 2 steps: deciding what to do, then taking the steps to implement it
- Administrators / technicians
  - typically have security duties such as secure configuration, secure networking, and reporting of potential incidents
  - positions in this category include but are not limited to:
    - tech support
    - help desk personnel
- Security personnel
  - administrators
  - analysts
  - incident responders
  - may include personnel from disciplines other than IT security
- Users
4
Q
ISO/IEC 27000 Series
A
- 27000 & 27001 define terminology
- 27002 provides a catalog of security controls
- 27003 provides ISMS implementation guidance
- 27005 is concerned with risk management
5
Q
National Institute of Standards and Technology (NIST) and Federal Information Processing Standards (FIPS)
A
- a Special Publication (SP) is a guideline that can assist in meeting the requirements outlined in a FIPS document
- FIPS 199: Standards for Security Categorization of Federal Information and Information Systems
- FIPS 200: Minimum Security Requirements for Federal Information and Information Systems
- NIST SP 800-53: Security and Privacy Controls for Federal Information Systems and Organizations
- NIST SP 800-59: Guideline for Identifying an Information System as a National Security System
- NIST SP 800-60: Guide for Mapping Types of Information and Information Systems to Security Categories
- NIST SP 800-37: Guide for Applying the Risk Management Framework to Federal Information Systems
- NIST SP 800-39: Managing Information Security Risk
- NIST SP 800-30: Guide for Conducting Risk Assessments
- NIST SP 800-64: Security Considerations in the System Development Life Cycle
6
Q
Federal Risk and Authorization Management Program (FedRAMP)
A
- risk framework designed specifically for assessing cloud provider risks
- standardized approach to security assessment, authorization, and continuous monitoring
- result of close collaboration with agencies such as the General Services Administration, NIST, the Office of Management and Budget, the Department of Defense, the Department of Homeland Security, the National Security Agency, the Federal Chief Information Officers Council, and other working groups
7
Q
General Data Protection Regulation (GDPR)
A
- codifies 6 broad principles regarding the use of personal data
  - lawfulness
  - purpose limitation
  - data minimization
  - accuracy
  - storage limitation
  - integrity and confidentiality
- LFACSI: an easy way to remember them
  - Is it Lawful?
  - Does the purpose Fit?
  - Is it Adequate and minimal?
  - Is it Correct?
  - Are we Storing it for the right time?
  - Is it Secure?
- specifies an accountability principle, which states:
  - right to be forgotten
  - right to access
  - right of restriction
  - notice of completion
  - right to data portability
  - right to object
8
Q
FedRAMP
A
- standardized approach to security assessment and continuous monitoring for cloud products and services
- result of close collaboration between agencies
- central to this strategy is the Joint Authorization Board
  - tasked with reviewing security assessment packages based on a prioritized approach
9
Q
Due diligence and due care
A
- Due diligence is to investigate
  - examples include:
    - risk assessment
    - background check
    - regulatory research
    - any action that supports due care
- Due care is to act
  - examples:
    - employee training
    - implementing role-based access control
    - installing security mechanisms
10
Q
Privacy Shield and Safe harbor
A
- implemented and developed as an EU-US agreement
- struck down in July 2020 because a plaintiff claimed that Privacy Shield did not protect EU persons from being exposed to US national security surveillance activities
- the court did not strike down standard contractual clauses, which many major U.S. companies such as Microsoft have been using in their contracts
11
Q
Investigations
A
- five types of investigation
- administrative
- civil
- regulatory
- criminal
- industry standards
12
Q
Administrative investigation
A
- the entire process is contained within the organization and exists solely as an internal function
- usually carried out when the incident is the result of some inside activity
13
Q
Civil Investigation
A
- involves a court but not a prosecutor
- applies when a victim sues the offending party
- a matter can have both a civil and a criminal investigation
- typically based on the preponderance of evidence, which means a 51/49 split in the evidence presented would be decided in favor of the party with 51
14
Q
Regulatory investigation
A
- regulators can conduct their own investigations, with or without law enforcement, and require the target to acquire and present information to the regulator or agency
- can have their own officials who act as special prosecutors and may hold administrative hearings
15
Q
Non-disclosure agreements
A
- different types of NDAs
- unilateral NDA: only one party discloses information to another party
- bilateral NDA: two parties share information with one another
- multilateral NDA: three or more parties want to share information with no fear