Information Security 6 Flashcards

1
Q

What are the three threat categories in information asset protection?

A
  1. Intentional
  2. Natural
  3. Inadvertent
2
Q

To assess these types of threats, one must identify potential adversaries and evaluate their capability and intention to target key information assets.

A

Intentional Threats

3
Q

These types of threats can be attributed to inadequate employee training, misunderstandings, lack of attention to detail, lax security enforcement, pressure to produce deliverables, and insufficient staffing.

A

Inadvertent threats

4
Q

How does layered protection apply to information protection?

A
  1. Apply multiple levels of protection to information assets
  2. Ensure that layers of protection complement each other
  3. Build a coordinated strategy that integrates families of protective measures (e.g. technical, physical, access control)
5
Q

Access to internal information should be restricted to which groups?

A

Company personnel and those who have signed a nondisclosure agreement

6
Q

How should obsolete prototypes, models, and test items be disposed of?

A

They should be destroyed so that they can’t be reverse engineered

7
Q

What is a patent?

A

Information that has the government grant of a right, privilege, or authority to exclude others from making, using, marketing, selling, offering for sale, or importing an invention for a specified period, granted to the inventor if the device or process is novel, useful, and non-obvious.

8
Q

What is a trademark?

A

Legal protection for words, names, symbols, devices, or images applied to products or used in connection with goods or services to identify their source

9
Q

What is a copyright?

A

A property right in an original work of authorship fixed in any tangible medium of expression, giving the holder the exclusive right to reproduce, adapt, distribute, perform, and display the work.

10
Q

What is the best way to start addressing infringements of patents, copyrights, and trademarks?

A

By registering those rights.

11
Q

What are four response options when a copyright has been violated?

A
  1. Hiring legal counsel
  2. Informing the proper authorities
  3. Conducting investigations, raids and seizures
  4. Initiating civil litigation, administrative proceedings, and criminal prosecutions
12
Q

What qualifies something as a trade secret?

A
  1. The information added value or benefit to the owner
  2. The trade secret was specifically identified
  3. The owner provided a reasonable level of protection for the information.
13
Q

What is a non-disclosure agreement?

A

A legal contract that establishes a relationship between two or more parties outlining confidentiality and the responsibility of protecting information.

14
Q

What is proprietary information?

A

Information of value, owned by an entity or entrusted to it, which has not been disclosed publicly.

15
Q

What are the two primary aspects of recovery after an information loss?

A
  1. Return to normal business operations as soon as possible
  2. Implement measures to prevent a recurrence.
16
Q

What is confidentiality?

A

The ability to control the authorization to observe, access, share, or disseminate information.

17
Q

When is it appropriate to recycle papers that contain proprietary information?

A

When the papers have been properly destroyed.

18
Q

What is data mining?

A

Software-driven collection of open-source data and public information.

19
Q

What are three ways to solidify confidentiality expectations in employees and business partners?

A
  1. Confidentiality
  2. Intellectual property
  3. Nondisclosure agreements.
20
Q

What is counterfeiting?

A

The manufacturing or distribution of goods under someone else’s name and without their permission.

21
Q

What is piracy?

A

The act of copying, stealing, reproducing, transmitting, or selling the intellectual property of another without consent.

22
Q

What three aspects of information must be protected?

A
  1. Confidentiality
  2. Integrity
  3. Availability.
23
Q

What should be included in regularly performed information asset protection risk assessments?

A

Risk monitoring to address changes in security requirements as well as changes in the nature of the information assets, threats, frequency of threat occurrence, vulnerabilities, and impacts.

24
Q

What are five business impacts of an information asset loss event?

A
  1. Loss of company reputation/image/goodwill
  2. Loss of competitive advantage in one product/service
  3. Reduced projected/anticipated returns or profitability
  4. Loss of core business technology or process
  5. Loss of competitive advantage in multiple products/services.
25
Q

To what extent should information asset protection programs be tailored?

A

The organization’s size, type, strategy, mission, and operating environment.

26
Q

What is the purpose of marking information that warrants protection?

A

The marking distinguishes the sensitivity of the information and the degree of protection warranted.

27
Q

What personnel matters play a role in information asset protection programs?

A
  1. Due diligence investigations of potential partners
  2. Standard pre-employment screening
  3. Vetting of subcontractors, vendors, and consultants
28
Q

What are some data protection measures that should be incorporated in the information asset protection program?

A
  1. Establishing specific privacy policies that comply with legal, regulatory, and contractual obligations
  2. Ensuring systems and procedures are in place to safeguard personal information and the privacy of customers and third parties
  3. Providing a mechanism to investigate potential or actual PII-related incidents
  4. Establishing procedures for destruction or disposition when information is no longer needed.
29
Q

Informational assets can take what physical forms?

A
  1. Prototypes and models
  2. Manufacturing processes and equipment
30
Q

What business activity raises specific risks to a company’s information?

A

The establishment of relationships, such as partnerships or outsourcing agreements

31
Q

What is the purpose of operations security (OPSEC) or information risk management?

A
  1. To view the big picture and identify any protection gaps that remain despite current security measures
  2. Small bits of information taken from several different sources can be combined to reveal sensitive information.
32
Q

What is the primary risk of attending a trade show?

A

Elicitation

33
Q

What is offshoring?

A

The practice of placing information assets in other jurisdictions.

34
Q

What should be included in an offshoring business agreement to protect information assets?

A

Commitments from the external partner organization to agree to protect the information assets and acknowledgment that they will comply with the policies and procedures established by the client organization.

35
Q

The strategies used to safeguard information assets typically include what three components?

A
  1. Security measures
  2. Legal protections
  3. Management practices.
36
Q

What must accompany legal protections in order for them to have effect?

A

The organization must be prepared to enforce them.

37
Q

What is an advantage of designating something a trade secret?

A

Trade secrets do not have to be registered or shared with any outside agency.

38
Q

What details are included in a non-disclosure agreement?

A
  1. The definition of ‘confidential information’
  2. Obligations of the receiving party
  3. Time period for which the agreement is valid
  4. Any exclusions
39
Q

On what does the effectiveness of an information security program ultimately depend?

A

People’s behavior

40
Q

What is the purpose of destroying information assets that are no longer needed?

A

Proper destruction reduces the risk of sensitive information being compromised and helps ensure compliance with relevant guidelines.

41
Q

What are technical surveillance countermeasures (TSCM)?

A

Services, equipment, and techniques designed to locate, identify, and neutralize technical surveillance activities.

42
Q

What should be regularly inspected as part of the TSCM (technical surveillance countermeasures) effort?

A

Telecommunications equipment, cables, and terminals

43
Q

What are three key steps to take after an information loss?

A
  1. Investigation
  2. Damage assessment
  3. Recovery and follow-up.
44
Q

What should occur during an information loss investigation?

A
  1. Thoroughly investigate known and suspected compromises of information
  2. Establish an investigative plan and coordinate with counsel
  3. Identify investigative resources
  4. Establish and maintain liaison.
45
Q

What should occur during damage assessment after an information loss?

A
  1. Determine the information that was compromised
  2. Determine the implications of the compromise
  3. Report the impacts.
46
Q

How should the information asset protection program operate at all levels?

A

An enterprise-wide program with commitment and support of top management should guide the overall planning and implementation of the program.
The ability to assess risk and implement coordinated risk management and protective programs should also exist at the regional, business unit, departmental, project, and individual transaction level.

47
Q

What is the purpose of measuring an information asset protection program?

A

Measuring provides the basis to determine if the program objectives are being met and to ensure the program’s continuing suitability, adequacy, and effectiveness.

48
Q

Information asset protection program policies, and procedures should be established to direct and guide what behaviors?

A

Organizational and individual behaviors related to the proper creation, identification, labeling, storage, handling, transmission, and disposal of information assets.

49
Q

What must be considered when identifying information assets?

A

The various forms in which the assets exist.

50
Q

What are four levels of information classification?

A
  1. Highly restricted
  2. Restricted
  3. Internal use
  4. Unrestricted
51
Q

This classification level is used for information that could allow a competitor to take action that could seriously damage an organization’s competitive position in the marketplace or the disclosure of which could cause significant damage to their organization’s financial or competitive position, brand, or reputation.

A

Highly restricted

52
Q

This classification level is used for information that is organizationally or competitively sensitive or could introduce legal or employee privacy risks.

A

Restricted

53
Q

This classification level is used for information generated within the organization that is not intended for public distribution.

A

Internal use

54
Q

This classification is used for information that can be shared within the organization and outside of the organization.

A

Unrestricted

55
Q

What are examples of physical security components included in an organization’s information asset protection program?

A
  1. Preventing on-premise physical access to information technology systems and components
  2. Ensuring that digital information processed, stored, or transmitted off-premise is secured in a manner consistent with on-premise
  3. Preventing the introduction of equipment that may be used to compromise information, systems, or people
  4. Controlling access and/or isolating information based on level of trust
  5. Implementing role-based access to facilities
56
Q

What are examples of physical forms of information assets?

A
  1. Documents
  2. Hardcopy records
  3. Data storage devices
  4. Models
  5. Prototypes
  6. Test products
57
Q

What three tasks should be performed during employee separation or offboarding to protect information assets?

A
  1. Manage termination processes such that separated individuals’ access to information assets is removed according to agreed-upon timelines
  2. Manage physical asset return in a controlled manner based on the policy
  3. Physically erase information from personal devices based on company policy.
58
Q

When should additional screening be conducted during employment?

A

In cases where an individual changes positions, roles, or responsibilities and requires a higher level of trust or may pose a higher risk to physical or digital security.

59
Q

What are two examples of frameworks and/or standards organizations can adopt to safeguard their electronic/digital information?

A
  1. International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) series 27000
  2. US National Institute of Standards and Technology (NIST) series 800.
60
Q

What should be covered in the information security policy to reduce risks to information assets during travel?

A
  1. Zero footprint
  2. Secure network access
  3. Encryption
  4. Multi-factor authentication
  5. Physical protection of information and devices
  6. Incident reporting procedures
  7. Procedures for examining and/or clearing devices
61
Q

What differentiates information security and cybersecurity?

A

Information security refers to the protection of all information or data, irrespective of form.
Cybersecurity refers to the protection of information and data in systems, networks, and programs.

62
Q

What are intellectual property rights?

A

Intangible rights protecting the realization of ideas and concepts resulting in commercially valuable products.

63
Q

What is the Internet of things (IoT)?

A

A system of interrelated computing devices, mechanical and digital machines provided with unique identifiers (UIDs) and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.

64
Q

What is a root cause analysis?

A

A technique used to identify the conditions that initiate the occurrence of an undesired activity or state.