IS ASSURANCE W5-6 Flashcards
Compliance and Trust:
Regulatory compliance
Risk management:
Building trust
Helps organizations meet data privacy regulations and industry standards, avoiding hefty fines and legal repercussions.
Regulatory compliance:
Proactive identification and mitigation of security vulnerabilities, minimizing potential damage from cyberattacks.
Risk management:
Demonstrates to stakeholders, customers, and partners a commitment to protecting their data, boosting overall reputation and confidence.
Building trust:
Operational Efficiency and Effectiveness:
Improved decision-making:
Resilient infrastructure:
Cost savings:
Ensures data accuracy and integrity, leading to sound business decisions based on reliable information.
Improved decision-making:
Minimizes downtime and disruptions caused by security incidents, maintaining operational continuity.
Resilient infrastructure:
Prevents financial losses from data breaches, ransomware attacks, and regulatory fines.
Cost savings:
Self-replicating code that attaches itself to other programs or files and spreads when the infected host is run, damaging files and disrupting operations. Ex: the CIH (Chernobyl) virus, which overwrote disk data and BIOS firmware. (WannaCry, often listed as a virus, spread on its own over the network and is better classified as a ransomware worm.)
Viruses
Self-replicating programs that spread across networks on their own, exploiting vulnerable services rather than relying on a user to run an infected file. Ex: Morris Worm (1988), which exploited flaws in Unix services such as sendmail and fingerd and disrupted much of the early internet.
Worms
Encrypts the victim's files and demands payment, usually in cryptocurrency, for the decryption key; many current variants also steal data first and threaten to leak it. Ex: Ryuk ransomware attacks on hospitals.
Ransomware
Disguised as legitimate software and run willingly by the user; once executed it gives attackers a foothold, often by downloading further malware. Ex: Emotet, which began as a banking trojan and became a loader used for credential theft and ransomware delivery.
Trojan horses
Targeted emails impersonating trusted individuals or organizations,tricking users into revealing sensitive information.
Spear phishing
Similar to phishing but uses SMS text messages.
Smishing
Uses phone calls to impersonate legitimate entities and exploit trust.
Vishing
Lures users with something they want (a free download, a media file, a "lost" USB drive left where it will be picked up) that actually installs malware or harvests credentials.
Baiting
Data Breaches:
SQL injection
Cross-site scripting (XSS)
Man-in-the-middle attacks:
Zero-day attacks
Inserting attacker-controlled input into a database query that is built by string concatenation, so the input is parsed as SQL and can read, alter, or delete data.
SQL injection
Injecting scripts into web pages that other users view, so the script runs in the victim's browser with their session and can steal cookies, tokens, or data.
Cross-site scripting (XSS)
Intercepting and possibly altering communication between users and websites (for example on a hostile Wi-Fi network or through a forged certificate) to steal data; TLS with proper certificate validation is the main defence.
Man-in-the-middle attacks
Exploiting vulnerabilities unknown to the vendor, for which no patch exists yet; "zero" refers to the number of days the vendor has had to fix the flaw.
Zero-day attacks
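The SQL injection and XSS cards above each describe one vulnerable pattern. The Python script below, added here as an example and not taken from the flashcards, shows each pattern beside its hardened form, using an in-memory SQLite database. The users table, the names in it, and the attack payloads are all constructed for the demo.

```python
# Added example: SQL injection and reflected XSS, vulnerable form beside the
# hardened form. Sample data and payloads are constructed for the demo.
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # VULNERABLE: user-controlled text is concatenated into the SQL, so a quote
    # in the input ends the string literal and the rest is parsed as SQL.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    # HARDENED: a parameterized query keeps the SQL text constant; the value is
    # bound separately and is never parsed as SQL, whatever it contains.
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def render_greeting_vulnerable(display_name: str) -> str:
    # VULNERABLE (reflected XSS): untrusted text is placed into HTML unescaped,
    # so a <script> tag in the input becomes executable markup in the browser.
    return "<p>Welcome, " + display_name + "</p>"


def render_greeting_safe(display_name: str) -> str:
    # HARDENED: escape <, >, &, and quotes before inserting untrusted text into HTML.
    return "<p>Welcome, " + html.escape(display_name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"  # constructed tautology payload
    print(find_user_vulnerable(db, payload))  # every row comes back
    print(find_user_safe(db, payload))        # [] : no user has that literal name
    script = "<script>alert(document.cookie)</script>"
    print(render_greeting_vulnerable(script))
    print(render_greeting_safe(script))
```

The tautology payload turns the vulnerable query into WHERE name = 'x' OR '1'='1', which matches every row; the parameterized version searches for a user literally named x' OR '1'='1 and finds none. Escaping is the minimum defence against XSS; a Content Security Policy adds a second layer.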
Employees (including disgruntled or departing ones) misusing legitimate access to steal data or sabotage systems.
Insider Threats:
Contractors or vendors who abuse the access they were granted, or whose accounts are compromised and used by outsiders.
Insider Threats:
Deepfakes used for social engineering attacks.
Artificial Intelligence (AI):
Insecure IoT devices creating entry points for attackers.
Botnets formed from compromised IoT devices launching large-scale attacks. Ex: the Mirai botnet's DDoS attacks in 2016.
Internet of Things (IoT):
While still in development, a sufficiently large quantum computer could break today's public-key cryptography (RSA, Diffie-Hellman, elliptic curves) using Shor's algorithm, so data encrypted now may be collected and decrypted later; symmetric ciphers are affected less, and post-quantum algorithms are being standardized to replace the vulnerable ones.
Quantum Computing:
Here are some key principles of secure software development:
Static Code Analysis:
Continuous Security Testing:
Security Awareness and Training:
Automated tools scan source code without running it, looking for patterns that indicate vulnerabilities (such as SQL built by string concatenation, hard-coded secrets, or unsafe functions) before deployment. This catches issues early, when they are cheapest to fix.
Static Code Analysis:
Security testing is not a one-time event but a continuous process integrated with the development workflow. This includes automating security tests (static analysis, dependency scanning, dynamic tests) and running them in the build and deployment pipeline so every change is checked before release.
Continuous Security Testing:
Developers need to be aware of security best practices and the latest threats. Regular training and awareness programs are essential for building a security-conscious development culture.
Security Awareness and Training:
Laws
Data Privacy Act of 2012 (DPA):
Cybercrime Prevention Act of 2012 (CPA):
Electronic Commerce Act of 2000 (ECA):
Other Relevant Laws:
Republic Act No. 10173. This landmark law regulates the collection, processing, and storage of personal information, gives individuals control over their data, requires entities to implement reasonable security measures, and is enforced by the National Privacy Commission (NPC).
Data Privacy Act of 2012 (DPA):
Republic Act No. 10175. This law criminalizes offences including illegal access (hacking), illegal interception, data and system interference, computer-related fraud and identity theft, and online libel, and sets out procedures for investigating them.
Cybercrime Prevention Act of 2012 (CPA):
Republic Act No. 8792. This law establishes the legal framework for electronic transactions, giving legal recognition to electronic documents and signatures, and includes provisions on data protection and penalties for hacking and piracy.
Electronic Commerce Act of 2000 (ECA):
Several other laws touch on information security, such as the Access Devices Regulation Act (RA 8484), Anti-Photo and Video Voyeurism Act (RA 9995), and Anti-Child Pornography Act (RA 9775).
Other Relevant Laws:
Ethical Considerations:
Balancing Privacy and Security
Cyberbullying and Online Harassment:
Digital Divide and Accessibility:
Similar to global concerns, striking a balance between individual privacy and national security remains a challenge. The Philippine government faces pressure to access data for security purposes, sometimes raising concerns about potential privacy violations.
Balancing Privacy and Security
The Philippines has a significant online harassment problem, and ethical considerations surround legal responses and platform responsibilities.
Cyberbullying and Online Harassment:
Ensuring equitable access to technology and digital literacy is crucial for ethical information security practices.
Digital Divide and Accessibility:
Enshrines basic ethical principles like accountability, public service, and integrity for public officials and employees.
1987 Philippine Constitution:
Establishes a code of conduct and ethical standards for public officials and employees.
Republic Act No. 6713
Mandates organizations to implement responsible data handling practices and safeguard personal information.
Data Privacy Act of 2012 (DPA):
Depending on the industry or sector, additional laws and regulations might influence ethical codes.
Other Relevant Laws:
Ethical Concerns in Information Security:
Privacy
Surveillance
Data Ownership and Control
Algorithmic Bias:
Vulnerability Disclosure:
Cyberwarfare
Balancing the need for security with individual privacy rights is a major challenge. Collecting, storing, and using personal data ethically requires transparency, consent, and secure handling practices.
Privacy
Justifying and implementing surveillance activities ethically requires clear objectives, transparency, and respect for individual privacy.
Surveillance
Determining who owns and controls data, along with responsible data sharing practices, are crucial ethical considerations.
Data Ownership and Control:
Ensuring algorithms used in information security systems are fair, unbiased, and do not discriminate against specific groups is ethically important.
Algorithmic Bias:
Disclosing security vulnerabilities responsibly poses ethical dilemmas: affected parties need to be informed, but publishing details before a fix exists can hand attackers a weapon. Coordinated disclosure (notifying the vendor privately and agreeing on a deadline for public release) is the usual compromise.
Vulnerability Disclosure:
Ethical issues surround the use of cyber weapons, the targeting of civilian infrastructure, and the potential for unintended consequences.
Cyberwarfare
Ethical Principles for Information Security:
Privacy
Transparency
Accountability
Fairness
Proportionality
Legality
Respect individual privacy rights by minimizing data collection, obtaining informed consent, and implementing robust security measures.
Privacy
Be transparent about data practices, including collection, use, and retention policies.
Transparency
Be accountable for data security and address breaches responsibly.
Accountability
Treat all individuals fairly and avoid algorithmic bias in information security systems.
Fairness
Implement security measures proportionate to the risk and avoid overly intrusive practices.
Proportionality
Comply with relevant data privacy and security laws and regulations.
Legality
Demonstrating a commitment to ethical information security practices builds trust with stakeholders and customers.
Enhanced Public Trust:
Adhering to ethical principles helps organizations avoid legal repercussions associated with data breaches and privacy violations.
Reduced Legal Risks:
Ethical considerations can guide informed decisions about data handling, surveillance, and security measures.
Improved Decision-Making:
Fostering an ethical culture within an organization encourages responsible behavior and contributes to stronger overall security.
Stronger Security Culture:
General Principles:
State sovereignty:
Non-intervention
Proportional response:
Due diligence
Each state has the right to govern its own cyberspace and take measures to protect its critical infrastructure and information.
State sovereignty:
No state should interfere with the legitimate activities of another state in cyberspace.
Non-intervention
Any use of force in response to a cyberattack must be necessary and proportionate to the harm suffered.
Proportional response:
States have a duty to take reasonable measures to prevent their territory from being used for cyberattacks against other states.
Due diligence
Treaties and Agreements:
Budapest Convention on Cybercrime:
Convention on Certain Conventional Weapons (CCW):
International Telecommunication Union (ITU) Constitution and Regulations:
Various regional agreements:
Council of Europe treaty (2001) that criminalizes offences such as illegal access, data interference, and computer fraud and promotes international cooperation in investigations and prosecutions; the Philippines acceded to it in 2018.
Budapest Convention on Cybercrime:
Its Protocol IV prohibits blinding laser weapons; the convention's relevance to cyberspace is indirect, through its general principle that weapons causing unnecessary suffering or indiscriminate harm are restricted and through its Group of Governmental Experts on lethal autonomous weapons systems.
Convention on Certain Conventional Weapons (CCW):
Affirms the right of the public to use international telecommunication services and sets rules for their operation, a basis for the peaceful and responsible use of information and communication technologies (ICTs).
International Telecommunication Union (ITU) Constitution and Regulations:
Additional treaties, such as the African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention, 2014), address regional concerns and cooperation frameworks.
Various regional agreements:
Current Developments:
United Nations Group of Governmental Experts (GGE):
Multistakeholder initiatives:
Successive GGEs (2004 to 2021) produced consensus reports on norms, state behavior, and the responsible use of ICTs, including the position that existing international law applies in cyberspace; since 2019 the Open-Ended Working Group (OEWG), open to all UN member states, has continued this work.
United Nations Group of Governmental Experts (GGE):
Non-governmental organizations,businesses,and technical experts participate in developing best practices and norms for responsible cyber behavior.
Multistakeholder initiatives: