IS 414 CH. 9

Question 1

What is the chapter about?

Answer 1

Preserving the confidentiality or an organization’s intellectual property AND Protecting the privacy of personal information it collects from customers, employees, suppliers, and business partners.
Encryption

Question 2

4 Actions taken to preserve confidentiality of sensitive info

Answer 2

1. Identify and classify info to be protected
2. Encrypt the information
3. Control access to the info
4. train employees to properly handle the info

Question 3

Identify and classify info to be protected

Answer 3

1. Find where info resides and who has access to it
2. Classify value in terms of its value to the organization
   * **classification is the responsibility of info owners, not info security professionals because only the former understand how the info is used.
3. Once classified, set of controls are deployed

Question 4

Encrypt the information

Answer 4

-Only way to protect info in transit over the internet
Sensitive info is exposed in plain view whenever it is being processed by a program, displayed on a monitor, or included in printed reports. Protecting confidentiality requires application of the principles of defense-in-depth, supplementing encryption with the two of the other components

Question 5

Control access to the info

Answer 5

Basic authentication and authorization controls need to be supplemented with additional digital and physical access controls
Importance of proper disposal of sensitive info

Question 6

Info Rights Management (IRM)

Answer 6

Software that offers the capacity not only to limit access to specific files or documents, but also to specify the actions (read. copy. print, download, etc) that individuals who are granted access to that resource can perform. Some IRM software even has the capability to limit access privileges to a specific period of time and to remotely erase protected files

Question 7

Data loss prevention (DLP) (preventative tool)

Answer 7

Software which works like antivirus programs in reverse, blocking outgoing messages (emails, instant messaging, etc) that contain key words or phrases associated with intellectual property or other sensitive data the organization wants to protect

Question 8

Digital Watermark

Answer 8

DLP should be supplemented by embedding code called a digital watermark in documents. The digital watermark is a detective control that enables an organization to identify confidential info that has been enclosed

Question 9

train employees to properly handle the info

Answer 9

Need to know what info that can share with outsiders and what info needs to be protected.
Need to be taught how to protect confidential data

Question 10

Privacy

Answer 10

focuses on protecting personal info about customers, employees, suppliers or business partners rather than organizational data
control used protect privacy are the same for protecting confidentiality
(i.e. 1. Identify and classify info to be protected
2. Encrypt the information
3. Control access to the info
4. train employees to properly handle the info)

Question 11

privacy controls

Answer 11

1. Find out what info the organization possess and where info resides and who has access to it
2. Put controls in

Question 12

data masking (tokenization)

Answer 12

program that protects privacy by replacing personal info with fake values

Question 13

privacy concerns

Answer 13

spam and identity theft

Question 14

spam

Answer 14

unsolicited email that contains either advertising or offensive content

Question 15

Controlling the Assault of Non-solicited Porn and Marketing (CAN-SPAM) key provisions

Answer 15

• sender’s identity must be clearly displayed in the header of the message
• subject field must clearly identify the messages as an ad or solicitation
• body must have opt-out option, 10 days to implement the request
• body must include the sender’s valid postal address
• should not sent commercial emails to randomly generated emails, have an opt-in button on website

Question 16

identity theft

Answer 16

assuming someone’s identity, usually for economic gain

Question 17

Privacy Regulations & Generally Accepted Privacy Principles (GAPP)

Answer 17

Management 
Notice 
Choice & Consent
Collection
Use and retention 
Access
Disclosure to third parties
Security 
Quality
Monitoring and enforcement

Question 18

Management

Answer 18

Organizations need to establish a set of procedures and policies for protecting the privacy of personal info they collect. Assign responsibility and accountability for implementing those policies and procedures to a specific person or group of employees

Question 19

Notice

Answer 19

Organization should provide notice about its privacy policies and practices at or before it collects personal info or as soon as reasonable after
Explain what info is collected, why its collected, how it will be used

Question 20

Choice & Consent

Answer 20

Organization must explain choices available to individuals and obtain their consent prior to collection and use of their personal info
US - opt out policy: organizations collect until customer objects
Europe: opt in policy: organizatoins cannot collect until customers approve

Question 21

Collection

Answer 21

Organization only collect the info needed to fulfill the purposes stated in its privacy policies. Concern is the use of the cookie - browsers can not accept cookies, and organizations have to abide by that

Question 22

Use and retention

Answer 22

Organization should use customers’ personal info only in the manner described in their stated privacy policies and retain that info only as long as it is needed to fulfill a legit business purpose.

Question 23

Access

Answer 23

Organization should provide individuals with the ability to access, review, correct, and delete the personal info stored about them

Question 24

Disclosure to third parties

Answer 24

Organization should disclose their customers’ info to third parties only in the situation and manners described in the privacy policies and only to parties who provide the same level of protection

Question 25

Security

Answer 25

Organization must take reasonable steps to protect customers’ personal info from loss or unauthorized disclosure

Question 26

Quality

Answer 26

Organization should maintain the integrity of their customers’ personal info and employ procedures to ensure that is reasonably accurate

Question 27

Monitoring and enforcement

Answer 27

Organization should assign one or more employee to be responsible for ensuring compliance with its stated policy and make sure employees are in compliance

Question 28

Cookie

Answer 28

a text file created by a website and stored on a visitor’s hard drive. cookies store info about who the user is and what the user has done on the site

Question 29

Encryption

Answer 29

the process of transforming normal text, called plaintext, into unreadable gibberish, called ciphertext

encryption and decryption involve a key an algorithm

Question 30

decryption

Answer 30

transforming ciphertext back into plaintext

Question 31

Factors that influence encryption strength

Answer 31

1. key length
2. encryption algorithm
3. policies for managing the crytographic keys

Question 32

key length

Answer 32

longer keys provide stronger encryption by reducing the number of repeating blocks in the ciphertex, makes it harder to spot patterns in the text

Question 33

encryption algorithm

Answer 33

strong algorithm is difficult to break just by guessing, should not make their own, but purchase

Question 34

Managing cryptographic keys

Answer 34

if the keys have been stolen, then it is easily broken
keys must be stored securely and protected with strong access controls: (1) not storing in browser or any other file that other users of t hat system can readily access and (2) using a strong (And long) passphrase to protect the keys

Question 35

Symmetric encryption systems

Answer 35

encryption that use the same key to both encrypt and decrypt
advantages: speed
disadvantages: requires separate keys for everyone who wishes to communicate, must find secure way to share secret key with other party
risk issues: protecting shared secret key from loss or theft
primary use: encryption of large amounts of info

Question 36

Asymmetric encryption systems

Answer 36

encryption that uses two keys (one public, one private)
either key can encrypt, but only the other matching key can decrypt
advantages: everyone can use your public key to communicate with you, no need to store keys for each party with whom you communicate with, can be used to create legally binding digital signatures
disadvantages: slower, requires PKI to validate ownership of public keys
risk issues: protecting shared secret key from loss or theft
primary use: creation of digital signatures, secure exchange of symmetric keys via email

Question 37

public key

Answer 37

one of the keys used in Asymmetric encryption systems, widely distributed and available to everyone

Question 38

private key

Answer 38

one of the keys used in Asymmetric encryption systems, kept secret and known only to the owner of that pair of public and private keys

Question 39

key escrow

Answer 39

the process of storing a copy of an encryption key in a secure location

Question 40

hashing

Answer 40

transforming plaintext of any length into a short code called a hash

Question 41

hash

Answer 41

plaintext that has been transformed into short code

Question 42

hashing vs. encryption

Answer 42

HASHING: one way function (cannot “unhash” or reverse), any size input yields same fixed-size output

ENCRYPTION: reversible (able to decrypt), output size approximately same as input

Question 43

non repudiation

Answer 43

creating legally binding agreements that cannot be unilaterally repudiated by either party

Question 44

digital signature

Answer 44

a hash encrypted with the hash creator’s private key

1. document creator uses a hashing algorithm to generate a hashing of the original document
2. document creator uses his/her private key to encrypt the hash created in step 1
   result: the encrypted hash is a legally-binding digital signature

Question 45

digital certificate

Answer 45

an electronic document that certifies the identity of the owner of a particular public key and contains that party’s public key

Question 46

certificate authority

Answer 46

an organization that issues public and private keys and records the public key in a digital certificate

Question 47

public key infrastructure

Answer 47

the system for issuing pairs of public and private keys and corresponding digital certificates

Question 48

virtual private networks

Answer 48

using encryption and authentication to securely transfer information over the internet, thereby creating a “virtual” private network