Regulations and Standards

Question 1

Computer Security Act of 1987

Answer 1

The Computer Security Act was enacted to improve the security and privacy of sensitive information in federal computer systems It requires federal agencies to identify their systems that contain sensitive information, establish security plans, and train personnel in security measures. The act also empowered the National Institute of Standards and Technology (NIST) to develop standards and guidelines to ensure the security of federal computer systems.

Question 2

GDPR General Data Protection Regulation

Answer 2

The GDPR is a European Union regulation that came into effect in 2018, aimed at protecting the personal data and privacy of individuals within the EU It applies to all organizations processing the personal data of EU residents, regardless of where the organization is located. GDPR gives individuals control over their personal data and imposes strict requirements on data handling, with hefty penalties for non-compliance.

Question 3

California Consumer Privacy Act (CCPA)

Answer 3

The CCPA is a state law in California that enhances privacy rights and consumer protection for residents of California. It gives consumers the right to know what personal data is being collected about them, the right to request deletion of their data, and the right to opt out of the sale of their data. The law also imposes obligations on businesses to safeguard personal data and to be transparent about data practices.

Question 4

Family Educational Rights and Privacy Act (FERPA)

Answer 4

FERPA is a U.S. federal law that protects the privacy of student education records. It gives parents certain rights with respect to their children’s education records, which transfer to the students themselves when they reach 18 years of age or attend a school beyond the high school level. Schools must have written permission from the parent or eligible student to release any information from a student’s education record.

Question 5

Payment Card Industry Data Security Standard (PCI DSS)

Answer 5

PCI DSS is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. Developed by major credit card companies, PCI DSS** aims to protect cardholder data and reduce credit card fraud** through stringent security controls across all systems that handle payment information.

Question 6

Gramm-Leach-Bliley Act (GLBA)

Answer 6

The GLBA, also known as the Financial Services Modernization Act of 1999, requires financial institutions in the United States to explain their information-sharing practices to customers and safeguard sensitive data. The act includes provisions for protecting personal financial information and preventing unauthorized access to or use of such data.

Question 7

Sarbanes-Oxley Act (SOX)

Answer 7

SOX is a U.S. federal law enacted in 2002 to protect investors from fraudulent accounting activities by corporations. It mandates strict reforms to improve financial disclosures and prevent accounting fraud, including requirements for internal controls and procedures for financial reporting, as well as certifications of financial statements by CEOs and CFOs.

Question 8

Federal Information Security Management Act (FISMA)

Answer 8

FISMA is a U.S. federal law that requires federal agencies and their contractors to develop, document, and implement programs to secure their information systems. It emphasizes the importance of risk management and aims to protect federal data from threats by setting security standards and guidelines for information systems.

Question 9

Federal Information Processing Standards (FIPS)

Answer 9

FIPS are publicly available standards developed by the U.S. federal government for use in computer systems by non-military government agencies and contractors. They cover various aspects of information security, including cryptographic standards, to ensure secure processing, storage, and transmission of sensitive data.

Question 10

ISO/IEC 27001

Answer 10

ISO/IEC 27001 is an international standard that outlines the requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). Its primary purpose is to help organizations protect their information systematically by managing risks related to data security, confidentiality, integrity, and availability.

Question 11

ISO/IEC 27002

Answer 11

ISO/IEC 27002 provides a set of best practices and guidelines for implementing the information security controls outlined in ISO/IEC 27001. It serves as a reference for selecting controls within the ISMS, offering a detailed explanation of how to implement security controls to mitigate risks and enhance overall security posture.

Question 11

ISO/IEC 27017

Answer 11

ISO/IEC 27017 is a standard that provides guidelines for information security controls specifically for cloud services. It extends the ISO/IEC 27002 standard to include cloud-specific information security controls, addressing the unique risks and challenges associated with cloud computing environments, including both cloud service providers and customers.

Question 11

ISO/IEC 27018

Answer 11

ISO/IEC 27018 focuses on the protection of personally identifiable information (PII) in public cloud computing environments. It provides guidelines to cloud service providers for implementing security controls that safeguard PII, ensuring that personal data is handled in compliance with applicable privacy regulations and with transparency regarding data processing activities.

Question 11

ISO 27701

Answer 11

ISO 27701 is an** extension of ISO/IEC 27001** and ISO/IEC 27002 that provides guidelines for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS). It is designed to help organizations manage privacy risks and comply with data protection regulations such as GDPR by integrating privacy into their ISMS.

Question 12

ISO 31000

Answer 12

ISO 31000 is an international standard for risk management that provides principles, a framework, and a process for managing risk. It is applicable to any organization, regardless of size, industry, or sector, and helps organizations identify, assess, and manage risks effectively to improve decision-making, governance, and resilience.

Question 12

NIST SP 800-53

Answer 12

NIST Special Publication 800-53 provides a comprehensive catalog of security and privacy controls for federal information systems and organizations. It outlines controls that organizations can implement to protect against threats and manage risks. The purpose of SP 800-53 is to support compliance with the Federal Information Security Management Act (FISMA) and to promote a robust and consistent approach to securing federal information systems.

Question 13

NIST Special Publication 800-63

Answer 13

NIST SP 800-63 provides guidelines for digital identity management, including identity proofing, registration, and authentication. It is divided into several volumes that cover the different levels of assurance for identity verification and authentication mechanisms. The purpose of SP 800-63 is to** ensure that organizations implement strong and secure methods for verifying the identities of users accessing their systems.**

Question 14

NIST Special Publication 800-88

Answer 14

NIST SP 800-88 offers guidelines for media sanitization, ensuring that data is securely erased from storage devices when they are no longer needed or are being disposed of. The publication outlines different methods for sanitization, such as clearing, purging, and destroying, to prevent unauthorized access to sensitive information. The purpose of SP 800-88 is to protect data confidentiality by securely erasing data from devices before they are reused or discarded.

Question 15

NIST SP 800-37

Answer 15

NIST SP 800-37 provides guidelines for applying the Risk Management Framework (RMF) to federal information systems. It details a structured process for managing security and privacy risks through categorizing systems, selecting and implementing controls, assessing effectiveness, and continuous monitoring. The purpose of** SP 800-37 is to help organizations manage risks associated with information systems** and ensure compliance with federal security requirements.

Question 16

NIST Cybersecurity Framework

Answer 16

The NIST Cybersecurity Framework is a voluntary framework that provides a policy framework of computer security guidance for how private sector organizations in the U.S. can assess and improve their ability to prevent, detect, and respond to cyber-attacks. The framework consists of five core functions: Identify, Protect, Detect, Respond, and Recover. The purpose of the NIST Cybersecurity Framework is to help organizations manage cybersecurity risk in a structured and effective way, improving resilience against cyber threats.

Question 17

NIST Four-Phase Incident Response Process

Answer 17

Preparation: Establishing and maintaining an incident response capability.
Detection and Analysis: Identifying and analyzing potential incidents.
Containment, Eradication, and Recovery: Containing the incident to prevent further damage, eliminating the threat, and recovering systems.
Post-Incident Activity: Conducting a post-mortem analysis to learn from the incident and improve future response efforts.

Question 18

NIST post-quantum cryptography standards

Answer 18

CRYSTALS-Kyber
CRYSTALS-Dilithium
FLACON
SPHINCS+

Question 19

COPPA

Answer 19

The Children’s Online Privacy Protection Act (COPPA) is a U.S. federal law enacted in 1998 designed to protect the privacy of children under the age of 13 when they are online. COPPA imposes specific requirements on websites and online services that are directed at children or knowingly collect personal information from children. The law requires these services to obtain verifiable parental consent before collecting, using, or disclosing personal information from children. It also mandates that privacy policies be clearly posted, detailing what data is being collected, how it is used, and how parents can review or delete their child’s information. The primary purpose of COPPA is to give parents control over the information collected from their children online, ensuring their privacy and safety.