Domain 1: (Security and Risk Management) Flashcards
When evaluating a third party for your security integration, what should you consider?
On-site assessment
Document exchange and review
Process/policy review
Third-party audit
What are the six phases of the RMF?
Categorize
Select
Implement
Assess
Authorize
Monitor
What was designed for critical infrastructure and commercial orgs?
Cybersecurity framework
What are the five functions of the cybersecurity framework?
Identify
Protect
Detect
Respond
Recover
What was crafted by the British government, is a set of recommended best practices for the optimization of IT services, and is used as a starting point for a customized IT security solution?
ITIL
Describe due diligence.
Establishing a plan, policy, and process to protect the interests of an org.
Knowing what should be done and planning for it
Developing a formalized security structure
Describe due care.
Practicing the individual activities that maintain the policies, plans, and processes implemented
The continued application of the security structure onto the IT infrastructure of an org
Doing the right action at the right time
What contains prohibitions against acts such as murder, assault, robbery, and arson?
Criminal law
What type of laws create the framework of government, set budgets for governmental activities, and lay out the authority granted to the executive branch to create administrative laws?
Civil law
What type of laws are in the form of executive orders, policies, procedures, and regulations that govern the daily operations of an agency and are published in the Code of Federal Regulations (CFR)?
Administrative law
What act protects computers used by the government or in interstate commerce from a variety of abuses?
Computer Fraud and Abuse Act (CFAA)
What act makes it a crime to invade the electronic privacy of an individual?
Electronic Communications Privacy Act (ECPA)
What requires senior executives to take personal responsibility for ensuring the due care that ordinary individuals would exercise in the same situation?
Prudent person rule
What standard is required for use in federal computing systems and is also used as an industry cybersecurity benchmark?
NIST SP 800-53
What standard is commonly used in enforcing compliance with contractual requirements for federal contractors?
NIST SP 800-171
What is a set of standards designed to serve as a risk-based framework for securing information and systems?
NIST Cybersecurity Framework
What was created to protect copy-prevention mechanisms placed on digital media?
DMCA, Digital Millennium Copyright Act
What is the best way to protect computer software?
Trade secret protection
What was enacted in support and protection of companies with trade secrets?
Economic Espionage Act of 1996
What type of licensing is commonly found for high-priced or highly specialized software?
Contractual license agreements
What license is commonly used on the outside of software packaging, with the agreement acknowledged by breaking the seal on the package?
Shrink-wrap license agreements
What type of agreement is accepted by clicking an acknowledgment button when installing software?
Click-through license agreements
What type of agreement is more extreme than a click-through agreement, and one that users are known for accidentally accepting without reading the terms?
Cloud services license agreements
What law mandates that agencies maintain only records that are necessary for conducting their business and destroy those records when no longer needed?
Privacy Act of 1974
What makes it a crime to invade the electronic privacy of an individual?
Broadens the Federal Wiretap Act
Makes it illegal to monitor mobile telephone conversations
ECPA, Electronic Communications Privacy Act of 1986
What amended the ECPA of 1986?
Requires all communications carriers to make wiretaps possible for law enforcement with an appropriate court order
CALEA, Communications Assistance for Law Enforcement Act of 1994
What requires strict security measures for organizations that process and store medical information?
HIPAA, Health Insurance Portability and Accountability Act of 1996