Regulations and Standards Flashcards

1
Q

Computer Security Act of 1987

A

The Computer Security Act of 1987 was enacted to improve the security and privacy of sensitive information in federal computer systems. It requires federal agencies to identify their systems that contain sensitive information, establish security plans for those systems, and give security awareness training to the personnel who use them. The act also assigned the National Bureau of Standards (renamed the National Institute of Standards and Technology, NIST, in 1988) responsibility for developing standards and guidelines for securing federal computer systems. It was superseded by FISMA in 2002.

2
Q

GDPR General Data Protection Regulation

A

The GDPR (Regulation (EU) 2016/679) is a European Union regulation that has applied since 25 May 2018 and protects the personal data and privacy of individuals in the EU. It applies to organizations established in the EU and to organizations outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU, regardless of where the processing takes place. GDPR gives individuals rights over their personal data (access, rectification, erasure, portability, objection) and imposes strict requirements on data handling, including notification of personal data breaches to the supervisory authority within 72 hours. Administrative fines can reach EUR 20 million or 4% of worldwide annual turnover, whichever is higher.

3
Q

California Consumer Privacy Act (CCPA)

A

The CCPA is a California state law, effective 1 January 2020 and amended and expanded by the California Privacy Rights Act (CPRA) of 2020, that enhances privacy rights and consumer protection for California residents. It gives consumers the right to know what personal information is being collected about them, the right to request deletion of that information, and the right to opt out of the sale (and, under CPRA, the sharing) of their personal information. The law also obliges businesses to implement reasonable security for personal information and to be transparent about their data practices.

4
Q

Family Educational Rights and Privacy Act (FERPA)

A

FERPA is a U.S. federal law that protects the privacy of student education records. It gives parents certain rights with respect to their children’s education records, which transfer to the students themselves when they reach 18 years of age or attend a school beyond the high school level. Schools must have written permission from the parent or eligible student to release any information from a student’s education record.

5
Q

Payment Card Industry Data Security Standard (PCI DSS)

A

PCI DSS is a set of security requirements designed to ensure that every organization that accepts, processes, stores, or transmits payment card data maintains a secure environment. It is developed and maintained by the PCI Security Standards Council (founded in 2006 by American Express, Discover, JCB, Mastercard and Visa) and aims to protect cardholder data and reduce card fraud through prescriptive controls across every system in the cardholder data environment. Unlike the laws on this list, PCI DSS is enforced contractually by the card brands and acquiring banks rather than by statute.

6
Q

Gramm-Leach-Bliley Act (GLBA)

A

The GLBA, also known as the Financial Services Modernization Act of 1999, requires financial institutions in the United States to explain their information-sharing practices to customers and to safeguard sensitive customer data. Its Privacy Rule governs how non-public personal information may be disclosed and requires privacy notices; its Safeguards Rule (enforced by the FTC) requires a written information security program with administrative, technical and physical controls to protect customer financial information against unauthorized access or use.

7
Q

Sarbanes-Oxley Act (SOX)

A

SOX is a U.S. federal law enacted in 2002 to protect investors from fraudulent accounting by publicly traded companies. It mandates reforms to improve financial disclosures and prevent accounting fraud: Section 302 requires CEOs and CFOs to personally certify the accuracy of financial statements, and Section 404 requires management to establish and assess internal controls over financial reporting. Because those controls depend on the systems that produce financial data, SOX compliance drives IT controls such as access management, change management and audit logging for financial systems.

8
Q

Federal Information Security Management Act (FISMA)

A

FISMA (2002, Title III of the E-Government Act; amended by the Federal Information Security Modernization Act of 2014) is a U.S. federal law that requires federal agencies and their contractors to develop, document, and implement agency-wide programs to secure their information systems. It is built on risk management: systems are categorized, controls selected and assessed, and security continuously monitored, using the standards and guidelines NIST publishes under the act (notably FIPS 199, FIPS 200 and SP 800-53).

9
Q

Federal Information Processing Standards (FIPS)

A

FIPS are publicly available standards issued by NIST for use in the computer systems of non-military U.S. federal agencies and their contractors (national security systems are governed separately). They cover various aspects of information security, including cryptography, to ensure secure processing, storage, and transmission of sensitive data. Examples are FIPS 197 (AES), FIPS 140-3 (security requirements for cryptographic modules), FIPS 199 (security categorization of federal information and systems) and FIPS 200 (minimum security requirements).

10
Q

ISO/IEC 27001

A

ISO/IEC 27001 is an international standard that specifies the requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). Its primary purpose is to help organizations protect their information systematically by managing risks to confidentiality, integrity, and availability. It is the certifiable standard of the 27000 family: organizations are audited against its clauses and against the controls they select from Annex A (93 controls in the 2022 edition).

11
Q

ISO/IEC 27002

A

ISO/IEC 27002 provides implementation guidance and best practices for the information security controls listed in Annex A of ISO/IEC 27001. It serves as a reference for selecting controls within the ISMS, explaining in detail the purpose of each control and how to implement it to mitigate risk. It is guidance only: organizations certify against ISO/IEC 27001, not 27002.

11
Q

ISO/IEC 27017

A

ISO/IEC 27017 is a standard that provides guidelines for information security controls specifically for cloud services. It extends the ISO/IEC 27002 standard to include cloud-specific information security controls, addressing the unique risks and challenges associated with cloud computing environments, including both cloud service providers and customers.

11
Q

ISO/IEC 27018

A

ISO/IEC 27018 focuses on the protection of personally identifiable information (PII) in public cloud computing environments. It provides guidance for cloud service providers acting as PII processors on implementing controls that safeguard PII, so that personal data is handled in line with applicable privacy regulations and with transparency toward the customer about processing activities, sub-processors and data location.

11
Q

ISO 27701

A

ISO/IEC 27701 is an extension of ISO/IEC 27001 and ISO/IEC 27002 that specifies requirements and guidance for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS). It helps organizations manage privacy risk and demonstrate compliance with data protection regulations such as GDPR by integrating privacy into the existing ISMS; certification is obtained as an extension of an ISO/IEC 27001 certification.

12
Q

ISO 31000

A

ISO 31000 is an international standard for risk management that provides principles, a framework, and a process for managing risk. It is applicable to any organization, regardless of size, industry, or sector, and helps organizations identify, assess, and manage risks effectively to improve decision-making, governance, and resilience.

12
Q

NIST SP 800-53

A

NIST Special Publication 800-53 provides a comprehensive catalog of security and privacy controls for information systems and organizations, grouped into families such as Access Control (AC), Audit and Accountability (AU) and System and Communications Protection (SC). It outlines controls that organizations implement to protect against threats and manage risk; the companion SP 800-53B defines the low, moderate and high baselines that federal systems select from according to their FIPS 199 categorization. SP 800-53 supports compliance with FISMA and promotes a robust and consistent approach to securing federal information systems, and since Revision 5 is written to be usable by any organization.

13
Q

NIST Special Publication 800-63

A

NIST SP 800-63 (Digital Identity Guidelines) provides guidelines for digital identity management, covering identity proofing and enrollment, authentication and authenticator lifecycle management, and federation. It is divided into volumes: SP 800-63A (enrollment and identity proofing), SP 800-63B (authentication and lifecycle management) and SP 800-63C (federation and assertions), each defining assurance levels (IAL, AAL and FAL respectively). The purpose of SP 800-63 is to ensure that organizations implement strong, well-specified methods for verifying the identities of users accessing their systems.
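
The authentication volume, SP 800-63B (Revision 3), is concrete enough about passwords ("memorized secrets") to encode directly: at least 8 characters when chosen by the user, at least 64 accepted, Unicode allowed and normalized (NFKC), comparison against a blocklist of breached, dictionary and context-specific values, no composition rules, a salted one-way key derivation function for storage, and a limit of 100 consecutive failed attempts per account. The following verifier is an added example written for this page, not code from NIST or from the flashcard author; the blocklist, the 256-character cap, the PBKDF2 iteration count and the sample inputs are this example's own choices.

```python
"""Memorized-secret verifier modelled on NIST SP 800-63B Rev. 3, sections 5.1.1.2 and 5.2.2.

Added example, not from the flashcard page. BLOCKLIST is a constructed stand-in for a
real breach corpus; the iteration count and length cap are this example's assumptions.
"""
import hashlib
import hmac
import secrets
import unicodedata

MIN_LEN = 8                 # 800-63B: at least 8 characters when chosen by the subscriber
MAX_LEN_ALLOWED = 256       # verifiers SHOULD accept at least 64; the 256 cap is an assumption
PBKDF2_ITERATIONS = 210_000 # 800-63B names PBKDF2 but sets no count; this value is an assumption
MAX_FAILED_ATTEMPTS = 100   # 800-63B 5.2.2: no more than 100 consecutive failures per account

# Constructed stand-in for the blocklist 800-63B asks for: breached values, dictionary
# words, repetitive or sequential strings. A real deployment loads a breach corpus.
BLOCKLIST = {"password", "123456789", "qwertyuiop", "letmein1", "aaaaaaaa"}


def normalize(secret: str) -> str:
    # Unicode is allowed; NFKC (recommended by 800-63B) keeps the same visual string
    # from hashing to different values across keyboards and input methods.
    return unicodedata.normalize("NFKC", secret)


def check_new_secret(secret: str, context: tuple[str, ...] = ()) -> tuple[bool, str]:
    """Return (accepted, reason) for a subscriber-chosen memorized secret.

    No composition rules (uppercase/digit/symbol) are enforced: 800-63B says verifiers
    SHOULD NOT impose them. Length and blocklist membership are what count.
    """
    s = normalize(secret)
    if len(s) < MIN_LEN:          # len() counts code points, so non-ASCII is not penalized
        return False, "too short"
    if len(s) > MAX_LEN_ALLOWED:
        return False, "too long"
    low = s.lower()
    if low in BLOCKLIST:
        return False, "commonly used or breached"
    for word in context:          # username, service name and similar context-specific words
        if word and word.lower() in low:
            return False, "contains context-specific word"
    return True, "ok"


def make_verifier(secret: str) -> dict:
    # 800-63B: store a salted hash from a suitable key derivation function (PBKDF2 is
    # named), with a per-secret random salt of at least 32 bits. 128 bits used here.
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(secret).encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "digest": digest, "iterations": PBKDF2_ITERATIONS, "failed": 0}


def verify(record: dict, attempt: str) -> bool:
    """Check an authentication attempt against a stored verifier, with rate limiting."""
    if record["failed"] >= MAX_FAILED_ATTEMPTS:
        return False              # account locked after too many consecutive failures
    digest = hashlib.pbkdf2_hmac("sha256", normalize(attempt).encode("utf-8"),
                                 record["salt"], record["iterations"])
    if hmac.compare_digest(digest, record["digest"]):   # constant-time comparison
        record["failed"] = 0      # a success resets the consecutive-failure counter
        return True
    record["failed"] += 1
    return False


if __name__ == "__main__":
    for candidate in ("short1", "Password", "correct horse battery staple", "sin paréntesis"):
        print(repr(candidate), check_new_secret(candidate))
    rec = make_verifier("correct horse battery staple")
    print(verify(rec, "wrong"), verify(rec, "correct horse battery staple"))
```

The checks that are absent are as telling as the ones present: no mandatory uppercase or digit, no periodic expiry, and no truncation of the secret before hashing, all of which 800-63B Rev. 3 advises against. Revision 4 of 800-63B changes some of these thresholds, so check the edition your assessor expects.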

14
Q

NIST Special Publication 800-88

A

NIST SP 800-88 offers guidelines for media sanitization, ensuring that data is securely erased from storage devices when they are no longer needed or are being disposed of. The publication outlines different methods for sanitization, such as clearing, purging, and destroying, to prevent unauthorized access to sensitive information. The purpose of SP 800-88 is to protect data confidentiality by securely erasing data from devices before they are reused or discarded.

15
Q

NIST SP 800-37

A

NIST SP 800-37 provides guidelines for applying the Risk Management Framework (RMF) to information systems and organizations. Revision 2 defines seven steps: Prepare, Categorize (the system, per FIPS 199), Select (controls, from SP 800-53), Implement, Assess (control effectiveness), Authorize (a senior official accepts the residual risk and grants an authorization to operate) and Monitor (continuously). The purpose of SP 800-37 is to help organizations manage the security and privacy risks of their information systems and to satisfy federal requirements under FISMA.

16
Q

NIST Cybersecurity Framework

A

The NIST Cybersecurity Framework (CSF) is a voluntary framework of cybersecurity guidance, originally written for U.S. critical infrastructure and private-sector organizations, for assessing and improving the ability to prevent, detect, and respond to cyber attacks. CSF 1.1 organizes outcomes into five core functions: Identify, Protect, Detect, Respond, and Recover; CSF 2.0 (2024) adds a sixth, Govern, and is written for organizations of any size or sector. The purpose of the CSF is to help organizations manage cybersecurity risk in a structured way and communicate it in common terms, improving resilience against cyber threats.

17
Q

NIST Four-Phase Incident Response Process

A

The incident response life cycle defined in NIST SP 800-61 Rev. 2 (Computer Security Incident Handling Guide):
Preparation: Establishing and maintaining an incident response capability (policy, team, tooling, communications) and hardening systems to prevent incidents.
Detection and Analysis: Identifying potential incidents from precursors and indicators, analyzing and prioritizing them, and documenting and notifying as required.
Containment, Eradication, and Recovery: Containing the incident to limit further damage, preserving evidence, eliminating the threat (for example removing malware and disabling compromised accounts), and restoring systems to normal operation.
Post-Incident Activity: Holding a lessons-learned review, retaining evidence, and using the findings to improve future response.

18
Q

NIST post-quantum cryptography standards

A

CRYSTALS-Kyber: key encapsulation; standardized in August 2024 as ML-KEM (FIPS 203).
CRYSTALS-Dilithium: digital signatures; standardized as ML-DSA (FIPS 204).
SPHINCS+: stateless hash-based digital signatures; standardized as SLH-DSA (FIPS 205).
FALCON: lattice-based digital signatures; to be standardized as FN-DSA (FIPS 206, in draft).

19
Q

COPPA

A

The Children’s Online Privacy Protection Act (COPPA) is a U.S. federal law enacted in 1998, enforced by the Federal Trade Commission through the COPPA Rule (16 CFR Part 312), that protects the privacy of children under the age of 13 online. COPPA applies to websites and online services that are directed at children or that have actual knowledge they are collecting personal information from children. Such services must obtain verifiable parental consent before collecting, using, or disclosing personal information from children, and must post a clear privacy policy describing what data is collected, how it is used, and how parents can review or delete their child’s information. The primary purpose of COPPA is to give parents control over the information collected from their children online.