Domain 1 - Security and Risk Management Flashcards
ITIL - Four Foundations
- Service
- Change
- Release
- Configuration
ISO 27005
Risk management framework - The standard doesn’t specify, recommend or even name any specific risk management method. It does however imply a continual process consisting of a structured sequence of activities, some of which are iterative:
- Establish the risk management context (e.g. the scope, compliance obligations, approaches/methods to be used and relevant policies and criteria such as the organization’s risk tolerance or appetite);
- Quantitatively or qualitatively assess (i.e. identify, analyze and evaluate) relevant information risks, taking into account the information assets, threats, existing controls and vulnerabilities to determine the likelihood of incidents or incident scenarios, and the predicted business consequences if they were to occur, to determine a ‘level of risk’;
- Treat (i.e. modify [use information security controls], retain [accept], avoid and/or share [with third parties]) the risks appropriately, using those ‘levels of risk’ to prioritize them;
- Keep stakeholders informed throughout the process; and
- Monitor and review risks, risk treatments, obligations and criteria on an ongoing basis, identifying and responding appropriately to significant changes.
Copyright
Protects the expression of ideas but not necessarily the idea itself (e.g. a poem or a song); lasts until 70 years after the author dies
Trademarks
Words, names, product shape, symbol, color or a combination used to identify products and distinguish them from competitor products (McDonald’s M); lasts 10 years
SOX Section 302
CEOs and CFOs can be sent to jail when information they sign is incorrect
SOX Section 404
Issuers are required to publish information in their annual reports concerning the scope and adequacy of the internal control structure and procedures for financial reporting. This statement shall also assess the effectiveness of such internal controls and procedures.
The registered accounting firm shall, in the same report, attest to and report on the assessment on the effectiveness of the internal control structure and procedures for financial reporting.
COSO Initiative
Framework to work with Sarbanes-Oxley Section 404. COSO is a voluntary private sector initiative dedicated to improving organizational performance and governance through effective internal control, enterprise risk management, fraud deterrence and compliance
COBIT
Examines the effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability of high-level control objectives. Having controls, GRC-heavy auditing, metrics, regulated industry.
Incident
An event that has potential to do harm
Breach
Incident that results in disclosure or potential disclosure of data
Data Disclosure
Unauthorized acquisition of personal information
Threat Event
Threat events are accidental or intentional exploitations of vulnerabilities
GLBA
It is a United States federal law that requires financial institutions to explain how they share and protect their customers’ private information.
1974 US Privacy Act
Protection of PII on federal databases
1980 Organization for Economic Cooperation and Development (OECD)
Provides guidelines for data collection, specifications, safeguards
1986 (amended in 1996) US Computer Fraud and Abuse Act
Trafficking in computer passwords or information that causes a loss of $1,000 or more or could impair medical treatment.
1986 Electronic Communications Privacy Act
Prohibits eavesdropping or interception without distinguishing private/public data. Enacted by the United States Congress to extend restrictions on government wiretaps of telephone calls to include transmissions of electronic data by computer; added new provisions prohibiting access to stored electronic communications.
1991 US Federal Sentencing Guidelines
Places responsibility on senior management, with fines up to $290 million. Invokes the prudent man rule. Addresses both individuals and organizations.
1996 US Economic and Protection of Proprietary Information Act
Industrial and corporate espionage
HITECH
Congress amended HIPAA by passing this Act. This law updated many of HIPAA’s privacy and security requirements. One of the changes is a change in the way the law treats business associates (BAs), organizations who handle PHI on behalf of a HIPAA covered entity. Any relationship between a covered entity and a BA must be governed by a written contract known as a business associate agreement (BAA). Under the new regulation, BAs are directly subject to HIPAA and HIPAA enforcement actions in the same manner as a covered entity. HITECH also introduced new data breach notification requirements.
Separation of duties
Assigns parts of tasks to different individuals so that no single person has total control of the system’s security mechanisms; prevents collusion
Least privilege
A system’s users should have the lowest level of rights and privileges necessary to perform their work, and should only have them for the shortest time necessary. Three types: Read only, Read/write and Access/change
Two-man control
Two people review and approve each other’s work; used for very sensitive operations