Legal, Regulations, Standards

Question 1

Patent

Answer 1

Grants ownership of an invention and provides enforcement for owner to exclude others from practicing the invention. After 20 years the idea is open source of application. 20 years from time of application. Invention must be:
Novel (no one has this idea before)
Useful (possible to use or useful to someone)
Nonobvious (inventive work)

Question 2

Copyright

Answer 2

Granted 70 years after creators death or 95 years after creation (corporations). Automatic - no need registration

Question 3

Trade Secret

Answer 3

Tell no one, but if discovered, not protected

Question 4

Trademark (TM or (R).

Answer 4

Brands, logo, slogans - must be registered and renewable every 10 yrs

Question 5

PCI-DSS

Answer 5

Payment Card Industry - Data Security Standard
requires merchants and others to meet minimum set of requirements - security policies, devices, control techniques and monitoring

Question 6

SOX

Answer 6

Sarbanes Oxley Act of 2002. Financial Reporting of public traded companies

after ENRON and World Online debacle Independent review by external accountants.
Section 302: CEO’s CFO’s can be sent to jail when information they sign is incorrect. CEO SIGN
Section 404 is the about internal controls assessment: describing logical controls over accounting files; good auditing and information security.

Question 7

GLBA

Answer 7

Gramm-Leach-Bliley Act - For Financial institutions

Question 8

EU GDPR

Answer 8

The General Data Protection Regulation 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area. It also addresses the export of personal data outside the EU and EEA areas

Question 9

HIPAA

Answer 9

Health Insurance Portability and Accountability Act
For Private Health Information by health insurers, providers
- 3 rules - Privacy rule, Security Rule and Breach notification rule
- mandates physical, admin and technical safeguards
- Risk Analysis is required

Question 10

Security Breach Notification

Answer 10

Each US state has different laws.

Question 11

ECPA

Answer 11

Electronic Communications Privacy Act

protect against warrantless wiretaping

Question 12

PATRIOT ACT

Answer 12

Expands law enforcement electronic monitoring capabilities

Question 13

CFAA

Answer 13

Computer Fraud and Abuse Act

- most commonly used law to prosecute computer crimes

Question 14

OECD Privacy Guidelines

Answer 14

30 member guidelines for protecting privacy (including US)

Question 15

Wassenaar Arrangement

Answer 15

Export/Import of arms and dual-use goods and technologies

• cryptology is dual use
• Iran, Iraq, China, Russia has strict import on too strong encryption

Question 16

ISC2 Preamble

Answer 16

The safety and welfare of society and common good, duty to our principles and to each other requires that we adhere, and be seen to adhere to the highest ethical standard of behavior

Question 17

Canons

Answer 17

1. Protect society, common good, necessary public trust and confidence, and the infrastructure
2. Act honorably, justly, honestly, responsibly, legally
3. Provide diligent and competent service to our principles
4. advance and protect the profession

Question 18

OCTAVE

Answer 18

Operationally Critical Threat, Asset, Vulnerability Evaluation - Self Directed Risk Mgt
is a security framework for determining risk level and planning defenses against cyber assaults. The framework defines a methodology to help organizations minimize exposure to likely threats, determine the likely consequences of an attack and deal with attacks that succeed.

Question 19

ITIL

Answer 19

Info Technology Infra Library - set of practices for IT Service Mgt

Question 20

COBIT

Answer 20

Control Objectives for IT
- Goals for IT - stakeholder needs mapped to IT related goals
COBIT provides an implementable “set of controls over information technology and organizes them around a logical framework of IT-related processes and enablers

Question 21

COSO

Answer 21

Committee of Sponsoring Organisations
- Goals for entire organisation

Dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control, and fraud deterrence.

Question 22

FRAP

Answer 22

Facilitated Risk Analysis Process
FRAP analyzes one system, application or segment of business processes at a time. FRAP assumes that additional efforts to develop precisely quantified risks are not cost effective because: such estimates are time consuming.

Question 23

ISO/IEC 27000

Answer 23

Information security management systems — Overview and vocabulary[

Question 24

ISO/IEC 27001

Answer 24

ISMS Requirements

Question 25

ISO/IEC 27002

Answer 25

Code of practice for ISMS

Question 26

ISO/IEC 27003

Answer 26

Implementable guidelines for ISMS

Question 27

ISO/IEC 27004

Answer 27

Monitor, measurement, analysis, evaluation for ISMS

Question 28

ISO/IEC 27005

Answer 28

Standards based approach to risk mgt

Question 29

ISO/IEC 27799

Answer 29

Directives on protecting PHI

Question 30

ISO/IEC 15408

Answer 30

Common Criteria
framework in which computer system users can specify their security functional and assurance requirements

Defines a protection profile that specifies the security requirements and protections of a product that is to be evaluated.

Products can be certified

• EAL0 –Inadequate assurance
• EAL1 –Functionally tested
• EAL2 –Structurally tested
• EAL3 –Methodically tested and checked
• EAL4 –Methodically designed, tested and reviewed
• EAL5 –Semi formally designed and tested
• EAL6 –Semi formally verified design and tested
• EAL7 –Formally verified design and tested

Question 31

ISO/IEC 21827

Answer 31

SSE-CMM (Maturity Model)