GRC Concepts Flashcards

1
Q

Information Flow model

A

A model that focuses on the flow of information to ensure that security is maintained and enforced no matter how information flows.

2
Q

Noninterference model

A

A model that seeks to ensure that objects and subjects of different levels don’t interfere with objects and subjects of other levels. The noninterference model can be used to avoid covert channel attacks.

3
Q

Lattice Model

A

Subjects are assigned security clearances. Objects are assigned security labels.

4
Q

Take-Grant model

A

A model that dictates how rights can be passed from one subject to another or from a subject to an object.

5
Q

Bell–LaPadula model

A

A confidentiality-focused security model built on a state machine model, employing no-read-up and no-write-down mandatory access controls.

6
Q

Biba model

A

An integrity-focused security model employing no-read-down and no-write-up mandatory access controls.

7
Q

Simple Security Axiom

A

Subjects cannot read information at a higher classification level (no read up).

8
Q

Star Security Axiom

A

Subjects cannot write information at a lower classification level (no write down).

9
Q

Simple Integrity Axiom

A

Subjects cannot read information at a lower classification level (no read down).

10
Q

Star Integrity Axiom

A

Subjects cannot write information at a higher classification level (no write up).

11
Q

Clark-Wilson model

A

An integrity-focused security model enforced through well-formed transactions. It uses a relationship of subject, program, and object: subjects do not have direct access to objects, and objects must be accessed through programs.

12
Q

Brewer and Nash model (aka Chinese Wall)

A

A security model designed to avoid conflicts of interest. It creates a conflict class that defines which security domains are potentially in conflict and prevents any subject with access to one domain that belongs to a specific conflict class from accessing other domains that belong to the same conflict class.

13
Q

Graham–Denning model

A

A security model focused on the secure creation and deletion of both subjects and objects.

14
Q

Fourth Amendment

A

Protection from unreasonable search and seizure by the government.

15
Q

Computer Fraud and Abuse Act (CFAA)

A

A US law enacted in 1984 to exclusively cover computer crimes that cross state boundaries to avoid infringing on states’ rights.

16
Q

Federal Information Security Management Act (FISMA)

A

A US law passed in 2002 that requires federal agencies to implement an information security program. The National Institute of Standards and Technology (NIST) is responsible for developing the FISMA implementation guidelines, outlining the elements of an effective information security program.

17
Q

Digital Millennium Copyright Act

A

A law that establishes the prohibition of attempts to circumvent copyright protection mechanisms placed on a protected work by the copyright holder and limits the liability of Internet service providers when their circuits are used by criminals violating the copyright law.

18
Q

Economic Espionage Act of 1996

A

A law that states that anyone found guilty of stealing trade secrets from a US corporation with the intention of benefiting a foreign government may be fined up to $500,000 and imprisoned for up to 15 years and that anyone found guilty of stealing trade secrets under other circumstances may be fined up to $250,000 and imprisoned for up to 10 years.

19
Q

Copyrights

A

Law that guarantees the creators of “original works of authorship” protection against the unauthorized duplication of their work (70 years after creator’s death or 95 years after creator’s death for corporations).

20
Q

Trademark

A

A registered word, slogan, or logo used to identify a company and its products or services; renewed every 10 years.

21
Q

Patent

A

Allows an invention’s creator the sole right to make and sell that invention for a set period of time (20 years).

22
Q

Trade Secret

A

Intellectual property that is absolutely critical to a business and would cause significant damage if it were disclosed to competitors and/or the public. To preserve trade secret status, you must implement adequate controls within your organization to ensure that only authorized personnel with a need to know the secrets have access to them. You must also ensure that anyone with that type of access is bound by a non-disclosure agreement (NDA) that prohibits them from sharing the information with others.

23
Q

Privacy Act of 1974

A

A law that mandates that government agencies maintain only records that are necessary to conduct their business and destroy those records when they are no longer needed for a legitimate function of government. It provides a formal procedure for individuals to gain access to records the government maintains about them and to request that incorrect records be amended.

24
Q

Electronic Communications Privacy Act (ECPA)

A

The law that makes it a crime to invade an individual’s electronic privacy. It protects against the monitoring of email and voicemail communications and prevents providers of those services from making unauthorized disclosures of their content.

25
Q

Health Insurance Portability and Accountability Act (HIPAA)

A

A law passed in 1996 that made numerous changes to the laws governing health insurance and health maintenance organizations (HMOs). Among the provisions of HIPAA are privacy regulations requiring strict security measures for hospitals, physicians, insurance companies, and other organizations that process or store private medical information about individuals.

26
Q

Health Information Technology for Economic and Clinical Health Act (HITECH)

A

A law passed in 2009, updating many of HIPAA’s privacy and security requirements. One of the changes mandated by the new regulations is a change in the way the law treats business associates (BAs), organizations that handle protected health information (PHI) on behalf of a HIPAA-covered entity. Under the new regulation, business associates are directly subject to HIPAA. HITECH also introduced new data breach notification requirements.

27
Q

Identity Theft and Assumption Deterrence Act

A

An act that makes identity theft a crime against the person whose identity was stolen and provides severe criminal penalties (up to a 15-year prison term and/or a $250,000 fine) for anyone found guilty of violating it.

28
Q

General Data Protection Regulation (GDPR)

A

European Union law that provides a single, harmonized law covering data security and privacy. The directive outlines key rights of the individual about whom data is held and/or processed:

    Right to access the data
    Right to know the data’s source
    Right to correct inaccurate data
    Right to withhold consent
    Right of legal action should they be violated

29
Q

USA Patriot Act

A

An act implemented after the September 11, 2001, terrorist attacks. It greatly broadened the powers of law enforcement organizations and intelligence agencies across a number of areas, including the monitoring of electronic communications.

30
Q

Gramm–Leach–Bliley Act (GLBA)

A

A law passed in 1999 that mandates confidentiality and integrity of consumer financial information for financial institutions.

31
Q

Sarbanes-Oxley Act of 2002

A

A law passed in 2002, in response to the accounting scandals of the late 1990s, that created regulatory compliance mandates for the financial reporting of publicly traded companies.

32
Q

Payment Card Industry Data Security Standard (PCI-DSS)

A

A set of security standards designed to ensure that ALL companies that accept, process, store, or transmit credit card information maintain a secure environment.