Domain 1 Flashcards
Requires federal agencies to identify computer systems that hold sensitive information and to adopt security plans and extra safeguards to prevent unauthorized access to them.
Requires periodic security awareness training for employees who operate those systems.
Assigns responsibility for security standards for unclassified federal systems to NIST, with the NSA responsible for classified systems and cryptography.
U.S. Computer Security Act of 1987
Prevents unauthorized use or disclosure of information, ensuring that only those who are authorized to access information can do so.
Confidentiality
Includes names, addresses, Social Security numbers, contact information, and financial or medical data.
Personally Identifiable Information (PII)
Includes everything in PII but also a patient's medical records, diagnoses, treatment and healthcare payment history. Regulated in the U.S. under HIPAA.
Protected Health Information (PHI), also called personal health information
Safeguards the accuracy and completeness of information and processing methods.
Integrity
Ensures that authorized users have reliable and timely access to information, and associated systems and assets when needed.
Availability
General purpose statement that says what the org is, what it does, and why it exists
Mission Statement
Conduct that a reasonable person exercises in a given situation, which provides a standard for determining negligence.
Due Care
What an organization is guilty of when it fails to meet the standard of due care.
Culpable Negligence
Prudent management and execution of Due Care
Due Diligence
Comprised of a set of activities undertaken by an organization in its attempts to abide by applicable laws, regulations, and standards.
Compliance
- Classified national defense or foreign relations information
- Records of financial institutions or credit reporting agencies
- Government computers
U.S. Computer Fraud and Abuse Act
- Prohibits eavesdropping, interception, or unauthorized monitoring of wire, oral, or electronic communications.
- Provides legal basis for network monitoring
U.S. Electronic Communications Privacy Act (ECPA)
- Establishes written standards of conduct for organizations, provides relief in sentencing for organizations that have demonstrated due diligence, and places responsibility for due care on senior management.
- Fines up to $290 million
U.S. Federal Sentencing Guidelines
- Combats industrial espionage, particularly when such activity benefits a foreign entity.
- Makes it a criminal offense to take, download, receive, or possess trade secret information that has been obtained without the owner's authorization
U.S. Economic Espionage Act
Enacted to combat the use of computer technology to produce and distribute pornography involving children, including adults portraying children
U.S. Child Pornography Prevention Act
- Grants authority to intercept wire, oral, and electronic communications relating to computer fraud and abuse offenses
- Authorizes access to stored voicemail with a search warrant (rather than a wiretap order)
- Expands the list of predicate computer crime offenses and clarifies the scope of existing computer crime laws
- Allows ISPs to disclose customer information to law enforcement in emergency situations without exposing the provider to civil liability suits
- Clarifies law enforcement authority to trace communications on the Internet and other computer networks
U.S. Patriot Act
- Established the Public Company Accounting Oversight Board (PCAOB)
- Established new standards for entities including auditing, governance, and financial disclosures
Sarbanes-Oxley Act (SOX)
Supersedes the Computer Security Act of 1987; requires each federal agency, and organizations providing information services to the federal government, to run an agency-wide information security program and to undergo regular audits and evaluations of their information systems
U.S. Federal Information Security Management Act (FISMA) of 2002
Establishes standards for sending commercial e-mail, charges the U.S. Federal Trade Commission (FTC) with enforcement, and provides penalties that include fines and imprisonment
U.S. CAN-SPAM Act
Permitted U.S.-based organizations to self-certify that they handle personal data belonging to EU citizens in accordance with EU data protection principles. Invalidated by the EU Court of Justice in 2015 (Schrems I); its successor, Privacy Shield, was invalidated in 2020 (Schrems II).
U.S.-EU Safe Harbor
Defines three criminal offenses related to computer crime: unauthorized access, unauthorized modification, and hindering authorized access
The Computer Misuse Act (UK, 1990)
Attempts to protect intellectual property rights by using access control technologies to prevent unauthorized copying or distribution of protected digital media
Digital Rights Management (DRM)
NIST SP 800-53 presents its catalog of security controls as what type of security tool?
A baseline (the low, moderate, and high baselines from which controls are selected and tailored)
How many physical disks are required for RAID 1 (mirroring)?
2 (RAID 5 striping with parity is the level that needs at least 3)
What are communication systems that rely on start and stop flags or bits to manage data transmission?
Asynchronous
Motion detector that uses high microwave frequency signal transmissions to identify potential intruders
Wave Pattern
Analysis technique that reports an alert only once the count of a monitored event (e.g. failed logins from one source) exceeds a set threshold, so isolated occurrences are ignored. A specific form of sampling.
Clipping level
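As an added example (not part of the original flashcards), the following Python applies a clipping level to constructed sshd failure lines: a source is reported only once its failures inside a sliding window exceed the threshold, and sources below it are never surfaced, which is exactly the sampling trade-off the card describes. The log lines, host name and addresses are made up for the example; the year is an assumption because syslog timestamps do not carry one.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines (not from a real host). 203.0.113.5 fails 6 times
# within a few seconds, 198.51.100.7 fails once, and one late failure sits outside the window.
SAMPLE_LOG = """\
Mar 10 08:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2
Mar 10 08:00:03 host sshd[1202]: Failed password for root from 203.0.113.5 port 51002 ssh2
Mar 10 08:00:04 host sshd[1203]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2
Mar 10 08:00:06 host sshd[1204]: Failed password for root from 203.0.113.5 port 51004 ssh2
Mar 10 08:00:08 host sshd[1205]: Failed password for bob from 198.51.100.7 port 40002 ssh2
Mar 10 08:00:09 host sshd[1206]: Failed password for root from 203.0.113.5 port 51006 ssh2
Mar 10 08:00:11 host sshd[1207]: Failed password for root from 203.0.113.5 port 51008 ssh2
Mar 10 08:00:12 host sshd[1208]: Failed password for root from 203.0.113.5 port 51010 ssh2
Mar 10 08:20:00 host sshd[1300]: Failed password for root from 203.0.113.5 port 51012 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_failures(log_text, year=2024):
    """Return (timestamp, source_ip, user) for each failed-password line.

    The year is assumed (syslog lines omit it); pass the real one in production.
    """
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines never count toward the level
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def clipping_level_alerts(events, threshold=5, window=timedelta(minutes=10)):
    """Emit one alert per source once its failures inside the sliding window exceed threshold.

    Counts at or below the clipping level are deliberately not reported: that is what keeps
    a single mistyped password from paging anyone.
    """
    recent = defaultdict(list)  # source ip -> failure timestamps still inside the window
    alerted = set()
    alerts = []
    for ts, ip, user in sorted(events):
        bucket = recent[ip]
        bucket.append(ts)
        recent[ip] = bucket = [t for t in bucket if ts - t <= window]  # expire old failures
        if len(bucket) > threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append({"ip": ip, "count": len(bucket), "first": bucket[0], "last": ts})
    return alerts


if __name__ == "__main__":
    for alert in clipping_level_alerts(parse_failures(SAMPLE_LOG)):
        print(f"{alert['ip']}: {alert['count']} failures between {alert['first']} and {alert['last']}")
```

With a threshold of 5 only 203.0.113.5 is reported (six failures inside the window); the single failure from 198.51.100.7 and the late failure at 08:20 never produce an alert, which is the sampling the card refers to. Raising the level to 10 suppresses everything, so the value must be tuned against real login volume.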
The____layer transmits data as bits.
Physical
Fuzzing that builds test inputs from a model of the target's input format (grammar, protocol or file structure) rather than mutating captured samples, so inputs pass early parsing checks and reach deeper logic. Also known as intelligent fuzzing.
Generational (generation-based) Fuzzing
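As an added example (not from the original flashcards), the Python below contrasts the two approaches against a toy record parser constructed for this example: a generation-based fuzzer that knows the format computes the length header correctly and injects boundary values per field, while a mutation-based fuzzer that flips, inserts and deletes characters in a seed mostly trips the header and length checks and never exercises the field parser. The record format, key names and "interesting" values are all assumptions made for the demonstration.

```python
import random

# Toy target, constructed for this example: "LEN=<n>;" followed by ";"-separated KEY=VALUE
# fields whose total length must equal <n>, e.g. "LEN=14;NAME=abc;AGE=7".
def parse_record(data):
    header, _, body = data.partition(";")
    if not header.startswith("LEN=") or not header[4:].isdigit():
        raise ValueError("header")
    if int(header[4:]) != len(body):
        raise ValueError("length")
    record = {}
    for field in body.split(";"):
        key, eq, value = field.partition("=")
        if not key or not eq:
            raise ValueError("field")
        record[key] = value
    return record


def stage_reached(data):
    """Classify how deep an input gets: 'header', 'length', 'field', or 'ok'."""
    try:
        parse_record(data)
        return "ok"
    except ValueError as e:
        return str(e)


KEYS = ["NAME", "AGE", "ROLE"]
# Boundary and delimiter-confusing values a generation-based fuzzer injects per field.
INTERESTING = ["", "0", "-1", "4294967295", "a" * 300, "x=y", "a;b", "\x00", "%s%n"]


def generational_input(rng):
    """Build a record from the grammar: the LEN header is always consistent with the body."""
    fields = [f"{rng.choice(KEYS)}={rng.choice(INTERESTING)}" for _ in range(rng.randint(1, 4))]
    body = ";".join(fields)
    return f"LEN={len(body)};{body}"


def mutational_input(rng, seed="LEN=14;NAME=abc;AGE=7"):
    """Apply 1-3 blind character edits to a valid seed, with no knowledge of the format."""
    data = list(seed)
    for _ in range(rng.randint(1, 3)):
        op = rng.choice(("replace", "insert", "delete"))
        i = rng.randrange(len(data))
        ch = chr(rng.randrange(32, 127))
        if op == "replace":
            data[i] = ch
        elif op == "insert":
            data.insert(i, ch)
        elif len(data) > 1:
            del data[i]
    return "".join(data)


def fuzz_campaign(n=200, seed=1):
    """Run n inputs of each strategy and count how many get past the length check."""
    rng = random.Random(seed)
    results = {}
    for name, make in (("generational", generational_input), ("mutational", mutational_input)):
        stages = {"header": 0, "length": 0, "field": 0, "ok": 0}
        for _ in range(n):
            stages[stage_reached(make(rng))] += 1
        stages["past_length"] = stages["field"] + stages["ok"]
        results[name] = stages
    return results


if __name__ == "__main__":
    for name, stages in fuzz_campaign().items():
        print(name, stages)
```

Every generated record passes the header and length checks, so all of the campaign's budget lands on the field parser and the boundary values; most mutated records die at the length check because a blind insert or delete changes the body length. The price of the generational approach is writing the model, which is why it is called intelligent fuzzing.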
Variation in the latency (delay) experienced by different packets of the same stream; high jitter degrades voice and video even when average latency is acceptable.
Jitter
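As an added example (not part of the original flashcards), the Python below computes jitter two ways over a constructed list of packet send/receive timestamps: the plain average change in one-way latency between consecutive packets, and the RTP interarrival jitter estimator from RFC 3550, which smooths the change in transit time with a 1/16 gain. The timestamps are made up for the example.

```python
# Constructed sample: (send_ts, recv_ts) in milliseconds for five packets of one stream.
PACKETS = [(0, 20), (20, 41), (40, 58), (60, 84), (80, 99)]


def latencies(packets):
    """One-way latency of each packet."""
    return [recv - send for send, recv in packets]


def mean_jitter(packets):
    """Average absolute change in latency between consecutive packets."""
    lat = latencies(packets)
    diffs = [abs(b - a) for a, b in zip(lat, lat[1:])]
    return sum(diffs) / len(diffs)


def rfc3550_jitter(packets):
    """RFC 3550 interarrival jitter: J_i = J_{i-1} + (|D(i-1,i)| - J_{i-1}) / 16,
    where D(i,j) = (R_j - R_i) - (S_j - S_i) is the change in transit time."""
    j = 0.0
    prev = None
    for send, recv in packets:
        if prev is not None:
            prev_send, prev_recv = prev
            d = (recv - prev_recv) - (send - prev_send)
            j += (abs(d) - j) / 16
        prev = (send, recv)
    return j


if __name__ == "__main__":
    print("latencies (ms):", latencies(PACKETS))
    print("mean jitter (ms):", mean_jitter(PACKETS))
    print("RFC 3550 jitter (ms):", round(rfc3550_jitter(PACKETS), 3))
```

The RFC estimator stays small here because the 1/16 gain damps each sample; a monitoring tool reading it should compare against a baseline for the link rather than against the raw mean.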
Suite of specifications used to express and exchange vulnerability and security configuration information in a standardized, machine-readable form
Security Content Automation Protocol (SCAP)
Types of structural coverage
Statement, branch or decision, loop, path, and data flow