ISC Deck 1 Flashcards
HIPAA Components
Privacy Rule - Standards
Security Rule - Protect/Safeguards
Breach Notifications - Notify, no more than 60 days
Enforcement - civil/criminal punishment
Framework Tiers
Tier 1 - Partial - No integration/formal processes; ad-hoc
Tier 2 - Awareness; basic understanding company-wide but NOT formal
Tier 3 - Repeatable - Formal processes and integration
Tier 4 - Adaptable - Tier 3 plus prioritization of continuous improvement.
HIPAA Covered Entities
Must transmit protected health information (PHI) electronically.
Three Components of NIST Framework
Framework Core (ID, protect, detect, respond, recover)
Framework Tiers - Assess current risk mgmt
Framework Profile - establish a baseline of the current state and identify the desired (target) state.
NIST Privacy Framework Additions
Govern
Control
Communicate
HIPAA for Treatment
Normally PHI should only be the minimum necessary, but for TREATMENT this does not apply, and the provider can view all of it to better understand the patient.
GDPR Objectives
Give EU individuals more control over personal data
Harmonize data protection laws across EU
GDPR Rights
Right of Access
Right of Erasure
Right to Object
Right to Data Portability
GDPR Principles
Lawfulness: legal basis, transparent
Purpose Limitation: defined purpose
Data Minimization: minimum necessary data
Storage Limitation: retention
Integrity and Confidentiality
Gateway vs Router
Gateways and routers do similar things in that they transmit packets across networks. Gateways are more advanced in that they translate protocols: when packets are not in the same format, they must be translated before they can be understood and transmitted.
OSI Layers
Path of data in a network to a receiving device
Application (7): interface with data
Presentation (6): converts data into the correct form; encryption
Session (5): communication is established
Transport (4): rules on how data is transferred
Network (3): address to ensure proper destination
Data Link (2): formatted for transmission; data packets
Physical (1): converts to bits
IaaS vs PaaS
Both reduce cap exp, increase scalability of business
IaaS allows control over OS, firewalls and uptime
PaaS is normally focused on one function, which in many cases is developing an application and not having to worry about the underlying infrastructure management.
AIS Audit Trail
Invoice - Journal - Ledger - TB - F/S Reports
Cloud Computing Deployment Models
Public
Private
Hybrid
Community - purpose is to share with industry peers
Disaster Recovery Plan
Focus on IT disruptions
1. Assess Risk
2. ID
3. Develop
4. Determine Responsibilities
5. Test
Cold Site vs Hot Site
Hot site is the most available in the event of a disaster. Both software and hardware are available almost immediately.
Cold site takes a few days since not all hardware/software is readily available
Business Continuity vs DRP
Encompasses all critical business functions, not just IT.
Types of Backups
Full - all data; backup is time consuming but recovery is most simple
Differential - all data that has changed since last full backup; backup can be most time consuming; recovery is in the middle.
Incremental - only data that has been altered; recovery is most complicated but backup is least time consuming.
Change Management Conversion Methods
Direct - most risky
Parallel - Least Risky
Pilot
Phased
System Description in SOC 1 and SOC 2 report
Comprehensive overview of the service organization's system. Includes details about:
Software
Infrastructure
People
Procedures
Data
SOC 2 vs SOC 3
Both are concerned with the trusted services criteria.
SOC 3 provides less detail since it is a summary report for GENERAL use. Can be used for marketing and provides assurance at a high level.
SOC 2 provides more detail since it is for a specific audience with knowledge.
Database Management System
Set of programs that manages a database (creates, accesses, modifies) - PRIMARY Function
Management Assertion in SOC Engagement
From service org management asserting accuracy and completeness of the system description and operating effectiveness of controls (Type 2 only)
Data Mining
Distilling previously unknown relationships from an existing database. Uses pattern recognition and statistical methods.
Presentation of Test Results for SOC report
Should be very specific, showing results, number of exceptions out of total population. Describe the nature (what is being tested for) and the extent (number of exceptions) in a clear and precise way.
What is a primary key?
A field that uniquely identifies a row or record in a database table. Cannot be null, and every table must have one. Done in order to maintain file integrity.
Example: a record is a row of info. Let's say a customer table contains customer addresses, dates of sale, balances and a customer ID. The customer ID would be the primary key since it uniquely identifies the record, as there is only ONE customer ID for that customer.
Trusted Services Criteria
Security
Privacy
Confidentiality
Availability
Processing Integrity
Distributed Data Processing system
A system where there are many different users in different locations with access to the main computer. Can be risky since control is now decentralized.
Validity Checks
Ensures that only authorized data is entered into and accepted by the system. For example, if someone mistypes a sales order, the validity check will detect the transposition.
Outsourcing Data Processing
Pros: lower cap exp, predictability, superior service quality, and greater expertise supplied by specialists.
Cons: inflexibility, lack of control, and concerns about confidentiality.