Leg, Inv and Comp Flashcards
What are the three major categories of law in the US
Civil, criminal and administrative (regulatory)
Under criminal law, what does burden of proof mean?
The prosecution must prove guilt beyond a reasonable doubt; the judge or jury must have no reasonable doubt that the defendant is guilty.
Classifications in criminal law are split into two categories. What are they?
Felony and misdemeanour
Civil Penalties do not provide a jail term, and instead provide financial restitution to the victim. True or False?
True
What three types of civil penalties are there?
- Compensatory (actual damages, legal fees, lost profits)
- Punitive (punish the offender, over and above actual losses)
- Statutory (amounts set by statute for violating the law, awarded without having to prove actual loss)
Under civil law, what does burden of proof mean?
Preponderance of the evidence: the judge or jury finds it more likely than not that the defendant is liable. The standard is lower than the criminal "beyond a reasonable doubt" standard, and the outcome is liability, not guilt.
Liability and due care relate to civil law and which other type?
Administrative
If the cost of implementing a safeguard is less than the cost of the estimated loss, and the organisation chooses not to implement it, could the organisation be held liable?
Yes. Failing to implement a safeguard that costs less than the loss it would prevent is a failure of due care and can be used to establish negligence.
What does proximate causation mean?
An action taken (or not taken) was part of a sequence of events that led to the negative consequences, and those consequences were a reasonably foreseeable result of it.
Which rule requires an individual to perform the following duties?
- In good faith
- In the best interests of the enterprise
- With the care and diligence that ordinary, prudent people in a similar position would exercise under similar circumstances
The Prudent Man Rule
In information security, the steps that an individual or organisation takes to perform their duties and implement information security best practices are otherwise known as what?
Due care (doing what a reasonable person would do; the "do" side)
In the context of information security, research into risk identification and risk management can otherwise be known as what?
Due diligence (investigating and understanding the risks before acting; the "know" side)
What term is used to describe an organisation that fails to follow a standard of due care in the protection of its assets?
Culpable Negligence
Which type of law defines standards of performance and conduct for major industries, organisations and officials?
Administrative (Regulatory)
What is a mixed legal system otherwise known as (e.g. one combining religious and civil law)?
Pluralistic
A novice or less experienced hacker can otherwise be known as what?
Script Kiddie
An ideological attack is commonly known by which term?
Hacktivism
Intellectual Property is protected under US law under which 4 classifications?
Trade Secrets
Copyright
Patents
Trademarks
International protection for patents is otherwise known as?
The Patent Cooperation Treaty (PCT). It provides a single international filing procedure recognised by member states; the actual grant is still made by each national or regional patent office.
A newly granted patent is valid for how many years?
20 years from the filing date
The grant of a property right to an inventor is otherwise known as what?
Patent
A word, name, symbol or device used to identify and distinguish goods or services is commonly protected by what?
Trademark
In the US which Act is used to protect trademarks?
The Trademark Law Treaty Implementation Act
What term is used to protect authors of “original works of authorship” whether published or not?
Copyright
Object code, source code or documentation would commonly be protected by what?
Copyright (it protects the expression of the program, not the underlying idea or algorithm)
Traditionally, how long does a copyright on a work last?
The author's lifetime plus 70 years (for works made for hire in the US, 95 years from publication or 120 years from creation, whichever is shorter)
In the US which Act is used to protect copyright?
The Copyright Act of 1976
Proprietary or business-related information that a company or individual uses and has exclusive rights to is commonly known as what?
Trade Secret
The following are requirements of which type of intellectual property?
- must be genuine and not obvious
- must provide the owner a competitive or economic advantage
- must be reasonably protected from disclosure (if the owner does not take reasonable steps, such as NDAs and access controls, the protection is lost)
Trade Secret
The EU Privacy Rules (Data Protection Directive) define what requirements? 7 in total
- collected lawfully and fairly
- used only for the original purpose for which it was collected, and kept for a reasonable period only
- must be accurate and up to date
- must be accessible to the individuals the data concerns
- individuals have the right to correct their data
- cannot be disclosed to third parties unless required by law or the individual has consented
- transfer of personal data to locations that do not have equivalent privacy laws is prohibited
The US Federal Privacy Act of 1974 is used to protect what?
Records and information maintained by US government agencies about US citizens and lawful permanent residents
The US Federal Privacy Act of 1974 has which requirements? 3
- no agency may disclose a record about an individual without a written request from, or prior written consent of, that individual (subject to statutory exceptions)
- provisions for individual access to their information
- provisions for amendment of that information by the individual concerned
The US Health Insurance Portability and Accountability Act of 1996 (HIPAA) is used to protect what?
individually identifiable health information
Which 3 types of organisation (covered entities) must comply with HIPAA?
- Health plans / insurers (payers)
- Healthcare providers (e.g. hospitals)
- Healthcare clearinghouses (a public or private entity that processes non-standard health information into standard data elements, or vice versa), e.g. a billing service or data warehouse
The following are provisions of which law?
- broadens the scope of HIPAA compliance to business associates such as pharmacies, claims processing/billing companies, and persons performing legal/accounting/administrative work for a covered entity
- promotes the adoption of electronic health records
- requires notification when the security or privacy of unsecured protected health information has been breached
- requires issuance of technical guidance on the technologies and methodologies that render protected health information unusable, unreadable or indecipherable to unauthorised individuals (information protected that way is not "unsecured" and does not trigger notification)
HITECH - US Health Information Technology for Economic and Clinical Health Act of 2009
Regarding HITECH, what are the two notification requirements, depending on the number of individuals affected by a breach?
- if 500 or more individuals are affected, the breach must be reported to HHS and to prominent media outlets without unreasonable delay (no later than 60 days after discovery), and the affected individuals must be notified
- if fewer than 500 individuals are affected, the affected individuals must be notified and the breach logged and reported to the HHS Secretary annually
Which Act requires financial institutions to protect their customers' personally identifiable information?
US Gramm-Leach-Bliley Financial Services Modernization Act PL 106-102 (GLBA)
What are the 3 rules of GLBA?
- Financial Privacy Rule
- Safeguards Rule
- Pretexting Protection
What is the Financial Privacy Rule in relation to GLBA?
Requires each financial institution to give each customer a privacy notice explaining what personal information is collected, with whom it is shared, how it is protected, and the customer's right to opt out of sharing with non-affiliated third parties
What is the Safeguards Rule in relation to GLBA?
Requires each financial institution to develop, implement and maintain a formal written information security plan to protect customer information
What is Pretexting Protection in relation to GLBA?
Requires each financial institution to take precautions to prevent social engineers from obtaining private customer information under false pretences (e.g. by impersonating the customer)
What are the 8 principles of the UK Data Protection Act 1998?
- Information shall be processed fairly and lawfully
- Shall be obtained for one or more specified and lawful purposes and not processed in any manner incompatible with those purposes
- Personal data shall be adequate, relevant and not excessive in relation to the purpose for which it is processed
- Shall be accurate and, where necessary, kept up to date
- Shall not be kept longer than necessary for the purpose for which it was originally obtained
- Shall be processed in accordance with the rights of the data subject
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing and against accidental loss, destruction or damage
- Shall not be transferred to a country or territory outside the European Economic Area unless that country ensures an adequate level of protection for data subjects' rights
What are the 6 principles of PCI-DSS
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
What are the two requirements of PCI-DSS Principle 1: Build and maintain a secure network?
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords or other security parameters
What are the two requirements of PCI-DSS Principle 2: Protect Cardholder data?
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open or public networks
What are the two requirements of PCI-DSS Principle 3: Maintain a vulnerability management program?
- Use and regularly update anti-virus software
- Develop and maintain secure systems and applications
What are the three requirements of PCI-DSS Principle 4: Implement strong access control measures?
- Restrict access to cardholder data by business need to know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data