M2 - Privacy and Data Security Standards Flashcards

1
Q

What are the “covered entities” under the Health Insurance Portability and Accountability Act (HIPAA)?

A

- health care providers that transmit health information electronically
- health plans
- health care clearinghouses (institutions that electronically transmit different types of medical claims data to insurance carriers)
- service providers (business associates) who need access to PHI to perform services for covered entities

2
Q

The Privacy Rule permits a covered entity to use and disclose PHI with no further authorization required:

A

- to the individual
- for treatment, payment and health care operations
- incident to an otherwise permitted use and disclosure
- with valid authorization
- after giving the individual the opportunity to agree or object
- as a limited (redacted) dataset for research, public health or health care operations
- for public interest and benefit activities provided by the law

3
Q

Under the Security Rule, all covered entities must comply with the following:

A

- ensure the confidentiality, integrity and availability of all electronic PHI
- protect against reasonably anticipated threats to the security of the information
- protect against reasonably anticipated impermissible uses or disclosures; and
- ensure compliance by the covered entity’s workforce

4
Q

What is the territorial scope of the General Data Protection Regulation (GDPR)?

A

For data processors located within the EU—even those who actually process the data outside of the EU—the scope of GDPR fully applies, regardless of the locations of individual clients.

5
Q

What are the two general categories of data breaches?

A

Unintentional Data Breach: A breach resulting from negligence or error.

Intentional Data Breach: A breach resulting from bad actors illegally gaining access to data.

6
Q

What are three examples of safeguards for covered entities or business associates?

A

Administrative safeguards, physical safeguards, and technical safeguards.

7
Q

What are the six principles that must be followed when processing data in compliance with GDPR?

A

Lawfulness, Fairness, Transparency
Purpose Limitation
Data Minimization
Accuracy
Storage Limitation
Integrity and Confidentiality

8
Q

What are the six goals of the PCI DSS?

A

Build and maintain a secure network and systems
Protect account data
Maintain a vulnerability management program
Implement strong access control measures
Regularly monitor and test networks
Maintain an information security policy

9
Q

Explain the principles by which the CIS Controls were designed.

A

Align: Controls should map to top cybersecurity standards.
Measurable: Controls should be simple and measurable.
Offense Informs Defense: Controls are drafted based on data from actual cyberattacks and defense against them.
Focus: Controls should help prioritize the most critical problems.
Feasible: All recommendations should be practical.

10
Q

Describe the intent of Control 01: Inventory and Control of Enterprise Assets.

A

Actively manage all enterprise assets connected to the infrastructure (physically, virtually, remotely, and those within cloud environments) in order to accurately know the totality of assets that need to be monitored and protected within the enterprise.

11
Q

Describe the intent of Control 02: Inventory and Control of Software Assets.

A

Actively manage all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.

12
Q

Describe the intent of Control 03: Data Protection.

A

Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.

13
Q

Describe the intent of Control 04: Secure Configuration of Enterprise Assets and Software.

A

Establish and maintain the secure configuration of enterprise assets and software.

14
Q

Describe the intent of Control 05: Account Management.

A

Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts as well as service accounts, to enterprise assets and software.

15
Q

Describe the intent of Control 06: Access Control Management.

A

Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software.

16
Q

Describe the intent of Control 07: Continuous Vulnerability Management.

A

Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise’s infrastructure, in order to remediate and minimize the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information.

17
Q

Describe the intent of Control 08: Audit Log Management.

A

Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.

18
Q

Describe the intent of Control 09: Email and Web Browser Protections.

A

Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement.

19
Q

Describe the intent of Control 10: Malware Defenses.

A

Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets.

20
Q

Describe the intent of Control 11: Data Recovery.

A

Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state.

21
Q

Describe the intent of Control 12: Network Infrastructure Management.

A

Establish, implement, and actively manage network devices in order to prevent attackers from exploiting vulnerable network services and access points.

22
Q

Describe the intent of Control 13: Network Monitoring and Defense.

A

Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise’s network infrastructure and user base.

23
Q

Describe the intent of Control 14: Security Awareness and Skills Training.

A

Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise.

24
Q

Describe the intent of Control 15: Service Provider Management.

A

Develop a process to evaluate service providers who hold sensitive data or are responsible for an enterprise’s critical IT platforms or processes to ensure these providers are protecting those platforms and data appropriately.

25
Q

Describe the intent of Control 16: Application Software Security.

A

Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they can impact the enterprise.

26
Q

Describe the intent of Control 17: Incident Response Management.

A

Establish a program to develop and maintain an incident response capability to prepare, detect, and quickly respond to an attack.

27
Q

Describe the intent of Control 18: Penetration Testing.

A

Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls (people, processes, and technology), and simulating the objectives and actions of an attacker.