IS4550 CHAPTER 3 Flashcards
Established rules on how consumers and their information should be handled during an e-commerce transaction are called ___.
CONSUMER RIGHTS
The laws that set expectations on how your personal information should be protected and the limits placed on how that data may be shared are called ___.
DATA PRIVACY
___ is defined as (1) information that supports a conclusion, or (2) material presented to a regulator to show compliance.
EVIDENCE
A formal process to identify threats, potential attacks, and impacts to an organization is called ___.
INFORMATION SECURITY RISK ASSESSMENT
A framework that contains a comprehensive list of concepts, practices, and processes for managing IT services is called ___.
INFORMATION TECHNOLOGY INFRASTRUCTURE LIBRARY (ITIL)
Software that blocks access to specific sites on the Internet is called ___.
INTERNET FILTERS
The practice of explicitly agreeing to the use of personal information beyond its original purpose is called ___.
OPT-IN
The practice of declining permission to use personal information beyond its original purpose is called ___.
OPT-OUT
A worldwide information security standard that describes how to protect credit card information is called ___.
PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)
In e-commerce, the concept that broadly deals with how personal information is handled and what it is used for is called ___.
PERSONAL PRIVACY
A formal process to identify threats, potential attacks, and impacts to an organization is called ___.
RISK ASSESSMENT
In a compliance context, the mapping of regulatory requirements to policies and controls is called ___.
SECURITY CONTROL MAPPING
A person who buys stock in a company (investor) is called ___.
SHAREHOLDER
A widely accepted auditing standard created by the American Institute of Certified Public Accountants (AICPA) that examines a service organization's control environment is called ___.
STATEMENT ON AUDITING STANDARDS NO. 70 (SAS 70)
- When creating laws and regulations, the government’s sole concern is the privacy of the individual.
TRUE OR FALSE
FALSE
- Which of the following are pressures on creating security policies?
- Shareholder value
- Regulations
- Technology vulnerabilities and limitations
- 2 and 3 only
- All the above
All the above
- Which of the following laws require proper security controls for handling private data?
- HIPAA
- GLBA
- FERPA
- 2 & 3 only
- All the above
All the above
- Which of the following are control objectives for PCI DSS?
- Maintain an information security policy
- Protect cardholder data
- Alert when credit cards are illegally used
- 1 & 2 only
- None of the above
1 & 2 only
- A SAS 70 audit is popular because it allows a service auditor to review an organization’s ___ and issue an independent opinion.
Control environment
- Health care providers are those that process and facilitate billing.
TRUE OR FALSE
FALSE
- The law that attempts to limit children's exposure to sexually explicit material on the Internet is ___.
CIPA (Children's Internet Protection Act)
- It is easier to quantify leading practices than best practices.
TRUE OR FALSE
TRUE
- You should always write new security policies each time a new regulation is issued.
TRUE OR FALSE
FALSE
- What should you ask for to gain confidence that a vendor’s security controls are adequate?
- A SAS 70 Type I audit
- A SAS 70 Type II audit
- A list of all internal audits
- All the above
A SAS 70 Type II audit (a Type I report only covers the design of controls at a point in time; a Type II report also tests their operating effectiveness over a period, which is what gives confidence the controls actually work)
- Why is it important to map regulatory requirements to policies and controls?
- To demonstrate compliance to regulators
- To ensure regulatory requirements are covered
- To demonstrate the importance of a security control
- All the above
All the above