IS ASSURANCE W5-6

Question 1

Compliance and Trust:

Answer 1

Regulatory compliance
Risk management:
Building trust

Question 2

Helps organizations meet data privacy regulations and industry standards,avoiding hefty fines and legal repercussions.

Answer 2

Regulatory compliance:

Question 3

Proactive identification and mitigation of security vulnerabilities,minimizing potential damage from cyberattacks.

Answer 3

Risk management:

Question 4

Demonstrates to stakeholders,customers,and partners a commitment to protecting their data,boosting overall reputation and confidence.

Answer 4

Building trust:

Question 5

Operational Efficiency and Effectiveness:

Answer 5

Improved decision-making:
Resilient infrastructure:
Cost savings:

Question 6

Ensures data accuracy and integrity,leading to sound business decisions based on reliable information.

Answer 6

Improved decision-making:

Question 7

Minimizes downtime and disruptions caused by security incidents,maintaining operational continuity.

Answer 7

Resilient infrastructure:

Question 8

Prevents financial losses from data breaches,ransomware attacks,and regulatory fines.

Answer 8

Cost savings:

Question 9

Self-replicating programs that spread through systems,damaging files and disrupting operations.Ex:WannaCry ransomware attack.

Answer 9

Viruses

Question 10

Similar to viruses but propagate without user interaction.Ex:Morris Worm,which impacted early internet infrastructure.

Answer 10

Worms

Question 11

Encrypts files,demanding a ransom payment for decryption.Ex:Ryuk ransomware attack on hospitals.

Answer 11

Ransomware

Question 12

Disguised as legitimate software,granting attackers access once downloaded.Ex:Emotet malware used for data theft.

Answer 12

Trojan horses

Question 13

Targeted emails impersonating trusted individuals or organizations,tricking users into revealing sensitive information.

Answer 13

Spear phishing

Question 14

Similar to phishing but uses SMS text messages.

Answer 14

Smishing

Question 15

Uses phone calls to impersonate legitimate entities and exploit trust.

Answer 15

Vishing

Question 16

Lures users with attractive offers or fake urgency to click malicious links or download attachments.

Answer 16

Baiting

Question 17

Data Breaches:

Answer 17

SQL injection
Cross-site scripting (XSS)
Man-in-the-middle attacks:
Zero-day attacks

Question 18

Exploiting vulnerabilities in database queries to steal data.

Answer 18

SQL injection

Question 19

Injecting malicious scripts into websites to steal user data.

Answer 19

Cross-site scripting (XSS)

Question 20

Intercepting communication between users and websites to steal data.

Answer 20

Man-in-the-middle attacks

Question 21

Exploiting unknown vulnerabilities before software vendors release patches.

Answer 21

Zero-day attacks

Question 22

Disgruntled employees stealing data or sabotaging systems.

Answer 22

Insider Threats:

Question 23

Contractors or vendors with unauthorized access exploiting vulnerabilities.

Answer 23

Insider Threats:

Question 24

Deepfakes used for social engineering attacks.

Answer 24

Artificial Intelligence (AI):

Question 25

Insecure IoT devices creating entry points for attackers. Botnets formed from compromised IoT devices launching large-scale attacks.

Answer 25

Internet of Things (IoT):

Question 26

While still in development, its potential to break current encryption methods poses a future challenge.

Answer 26

Quantum Computing:

Question 27

Here are some key principles of secure software development:

Answer 27

Static Code Analysis: Continuous Security Testing: Security Awareness and Training:

Question 28

Automated tools are used to scan code for potential security vulnerabilities before deployment. This helps catch issues early on and makes it easier to fix them.

Answer 28

Static Code Analysis:

Question 29

Security testing is not a one-time event, but rather a continuous process that integrates with the development workflow. This includes automating security testing and integrating it into the build and deployment process.

Answer 29

Continuous Security Testing:

Question 30

Developers need to be aware of security best practices and the latest threats. Regular training and awareness programs are essential for building a security-conscious development culture.

Answer 30

Security Awareness and Training:

Question 31

Laws

Answer 31

Data Privacy Act of 2012 (DPA): Cybercrime Prevention Act of 2012 (CPA): Electronic Commerce Act of 2000 (ECA): Other Relevant Laws:

Question 32

This landmark law regulates the collection, processing, and storage of personal information, empowering individuals with control over their data and requiring entities to implement reasonable security measures.

Answer 32

Data Privacy Act of 2012 (DPA):

Question 33

This law criminalizes various cybercrimes, including hacking, data breaches, and cyberbullying.

Answer 33

Cybercrime Prevention Act of 2012 (CPA):

Question 34

This law establishes the legal framework for electronic transactions, including provisions on data protection and electronic signatures.

Answer 34

Electronic Commerce Act of 2000 (ECA):

Question 35

Several other laws touch upon information security, such as the Access Devices Regulation Act, Anti-Photo and Video Voyeurism Act, and Anti-Child Pornography Act.

Answer 35

Other Relevant Laws:

Question 36

Ethical Considerations:

Answer 36

Balancing Privacy and Security Cyberbullying and Online Harassment: Digital Divide and Accessibility:

Question 37

Similar to global concerns, striking a balance between individual privacy and national security remains a challenge. The Philippine government faces pressure to access data for security purposes, sometimes raising concerns about potential privacy violations.

Answer 37

Balancing Privacy and Security

Question 38

The Philippines has a significant online harassment problem, and ethical considerations surround legal responses and platform responsibilities.

Answer 38

Cyberbullying and Online Harassment:

Question 40

Ensuring equitable access to technology and digital literacy is crucial for ethical information security practices.

Answer 40

Digital Divide and Accessibility:

Question 41

Enshrines basic ethical principles like accountability, public service, and integrity for public officials and employees.

Answer 41

1987 Philippine Constitution:

Question 42

Establishes a code of conduct and ethical standards for public officials and employees.

Answer 42

Republic Act No. 6713

Question 43

Mandates organizations to implement responsible data handling practices and safeguard personal information.

Answer 43

Data Privacy Act of 2012 (DPA):

Question 44

Depending on the industry or sector, additional laws and regulations might influence ethical codes.

Answer 44

Other Relevant Laws:

Question 45

Ethical Concerns in Information Security:

Answer 45

Privacy Surveillance Data Ownership and Control Algorithmic Bias: Vulnerability Disclosure: Cyberwarfare

Question 46

Balancing the need for security with individual privacy rights is a major challenge. Collecting, storing, and using personal data ethically requires transparency, consent, and secure handling practices.

Answer 46

Privacy

Question 47

Justifying and implementing surveillance activities ethically requires clear objectives, transparency, and respect for individual privacy.

Answer 47

Surveillance

Question 48

Determining who owns and controls data, along with responsible data sharing practices, are crucial ethical considerations.

Answer 48

Data Ownership and Control: 

Question 49

Ensuring algorithms used in information security systems are fair, unbiased, and do not discriminate against specific groups is ethically important.

Answer 49

Algorithmic Bias: 

Question 50

Disclosing security vulnerabilities responsibly, balancing the need to inform affected parties with mitigating potential harm, poses ethical dilemmas.

Answer 50

Vulnerability Disclosure: 

Question 51

 Ethical issues surround the use of cyber weapons, the targeting of civilian infrastructure, and the potential for unintended consequences.

Answer 51

Cyberwarfare

Question 52

Ethical Principles for Information Security:

Answer 52

Privacy Transparency Accountability Fairness Proportionality Legality

Question 53

Respect individual privacy rights by minimizing data collection, obtaining informed consent, and implementing robust security measures.

Answer 53

Privacy

Question 54

Be transparent about data practices, including collection, use, and retention policies.

Answer 54

Transparency

Question 55

Be accountable for data security and address breaches responsibly.

Answer 55

Accountability

Question 56

 Treat all individuals fairly and avoid algorithmic bias in information security systems.

Answer 56

Fairness

Question 57

Implement security measures proportionate to the risk and avoid overly intrusive practices.

Answer 57

Proportionality

Question 58

Comply with relevant data privacy and security laws and regulations

Answer 58

Legality

Question 59

Demonstrating a commitment to ethical information security practices builds trust with stakeholders and customers.

Answer 59

Enhanced Public Trust: 

Question 60

Adhering to ethical principles helps organizations avoid legal repercussions associated with data breaches and privacy violations.

Answer 60

Reduced Legal Risks:

Question 61

Ethical considerations can guide informed decisions about data handling, surveillance, and security measures.

Answer 61

Improved Decision-Making:

Question 62

 Fostering an ethical culture within an organization encourages responsible behavior and contributes to stronger overall security.

Answer 62

Stronger Security Culture:

Question 63

General Principles:

Answer 63

State sovereignty:  Non-intervention Proportional response:  Due diligence

Question 64

Each state has the right to govern its own cyberspace and take measures to protect its critical infrastructure and information.

Answer 64

State sovereignty: 

Question 65

No state should interfere with the legitimate activities of another state in cyberspace.

Answer 65

Non-intervention

Question 66

Any use of force in response to a cyberattack must be necessary and proportionate to the harm suffered.

Answer 66

Proportional response: 

Question 67

States have a duty to take reasonable measures to prevent their territory from being used for cyberattacks against other states.

Answer 67

Due diligence

Question 68

Treaties and Agreements:

Answer 68

Budapest Convention on Cybercrime:  Convention on Certain Conventional Weapons (CCW):  International Telecommunication Union (ITU) Constitution and Regulations:  Various regional agreements: 

Question 69

Focuses on criminalizing cyber offenses like illegal access, data interference, and computer fraud, promoting international cooperation in investigations and prosecutions.

Answer 69

Budapest Convention on Cybercrime:

Question 70

Prohibits the use of or development of blinding laser weapons, potentially applicable to some cyberattacks causing physical harm.

Answer 70

Convention on Certain Conventional Weapons (CCW): 

Question 71

Affirm the right to access and use information and communication technologies (ICTs) peacefully and responsibly.

Answer 71

International Telecommunication Union (ITU) Constitution and Regulations: 

Question 72

 Additional treaties like the African Union Convention on Cyber Security and Personal Data Protection address regional concerns and cooperation frameworks.

Answer 72

Various regional agreements: 

Question 73

Current Developments:

Answer 73

United Nations Group of Governmental Experts (GGE): Multistakeholder initiatives:

Question 74

Regularly discusses and makes recommendations on norms, state behavior, and responsible use of ICTs in cyberspace.

Answer 74

United Nations Group of Governmental Experts (GGE):

Question 75

Non-governmental organizations, businesses, and technical experts participate in developing best practices and norms for responsible cyber behavior.

Answer 75

Multistakeholder initiatives: