Requirements

Question 1

Data Classification - Impact Analysis NIST FIPS 199

Answer 1

Provides a framework for classifying data based on impacts across the three standard dimensions: confidentiality, integrity, and availability.

Question 2

Data Classification - Impact Analysis NIST SP 800 - 18

Answer 2

Provides a framework for classifying data based on impacts across the three standard dimensions: confidentiality, integrity, and availability.

Question 3

Data Classification - Impact Analysis - First Step

Answer 3

Identify High, Medium, Low impact data. Maybe based on impacts to people, customers or financial loss.

Question 4

ISO 2700X Series

Answer 4

This series defines the relevant vocabulary, a code of practice, management system implementation guidance, metrics, and risk management principles.
- More than 20 standards in place.
- Is what ISO 900X is for Quality.
- Broad in scope, it is designed to be applicable to all shapes and sizes of organizations.

Question 5

ISO/ IEC 15408 Common Criteria

Answer 5

A framework where security functional and assurance requirements can be specified in precise terms, allowing vendors to implement and/ or make claims about the security attributes of their products.
- Target of Evaluation
- Protection Profiles: set of security requirements for OS, firewalls etc.
- Evaluation Assurance Level : 7 levels

Question 6

ISO/ IEC 9126: Software Engineering – Product Quality

Answer 6

This four-part standard addresses some of the critical issues that adversely affect the outcome of a software development project.

• defines six quality characteristics that can be used to measure the quality of software: Functionality, Reliability, Usability, Efficiency Maintainability and Portability.

Question 7

ISO/ IEC/ IEEE 12207: Systems and Software Engineering – Software Life Cycle Processes

Answer 7

Establishes a set of processes covering the lifecycle of the software. Each process has a defined set of activities, tasks, and outcomes associated with it. It acts to provide a common structure so all parties associated with the software development effort can communicate through a common vocabulary.

Question 8

ISO/ IEC 33001: 2015 Information Technology – Process Assessment

Answer 8

Process assessment is also known as SPICE. Updated to Software Process Improvement and Capability Determination.
- used for process capability determination and process improvement efforts related to software development.
- Six levels 0 to 5

Question 9

Federal Information Security Management Act (FISMA)

Answer 9

Federal Information Security Management Act of 2002 (FISMA) is a federal law that requires each federal agency to implement an agency-wide information security program.
NIST developed Risk Management Framework detailed in NIST SP 800-39

Question 10

Federal Information Processing Standards (FIPS)

Answer 10

Are mandatory sets of requirements on federal agencies and specific contractors.
Developed by NIST.

Question 11

FIPS 140 Series

Answer 11

Security Requirements for cryptographic modules

Question 12

FIPS 186-3

Answer 12

Digital Signature Standard (DSS)

Question 13

FIPS 190-4

Answer 13

Secure Hash Standard (SHS)

Question 14

FIPS 197

Answer 14

Advanced Encryption Standard (AES)

Question 15

FIPS 200

Answer 15

Minimum security requirements for Federal Information and Information Systems

Question 16

SAFECode

Answer 16

SAFECode is dedicated to communicating best practices that have been used successfully by member firms.
- industry backed org.

Question 17

NIST SP 800-39

Answer 17

Risk Management Framework as six steps guidelines.
1. Categorize Security systems
2. Select Security Controls
3. Implement Security Controls
4. Assess Security Controls
5. Authorize Information Systems
6. Monitor Security Controls

Question 18

NIST SP 800 152

Answer 18

A profile for US Federal cryptographic key management system

Question 19

NIST SP 800 107

Answer 19

Recommendations for Applications using approved hash algorithms

Question 20

NIST SP 800 100

Answer 20

Information Security Handbook, a guide for managers

Question 21

NIST SP 800 63

Answer 21

Digital Identity Guidelines

Question 22

NIST SP 800 53

Answer 22

Security and privacy controls for Information systems and organizations.

Question 23

NIST SP 800 30

Answer 23

Guide for conducting risk assessments

Question 24

Sarbanes-Oxley Act of 2002

Answer 24

The information systems used for financial accounting must have some form of security control over integrity so that all may have confidence in the numbers being reported by the system.
- Was a reaction to several major accounting and corporate scandals, costing investors billions and shaking public confidence in the stock markets.

Question 25

The Financial Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act

Answer 25

contains elements designed to protect consumers’ personal financial information (PFI).
The three primary rules worth noting are
1. The Financial Privacy Rule, which governs the collection and disclosure of PFI, including companies that are nonfinancial in nature 2. The Safeguards Rule, which applies to financial institutions and covers the design, implementation, and maintenance of safeguards deployed to protect PFI
3. The Pretexting Protections, which addresses the use of pretexting (falsely pretending) to obtain PFI

Question 26

HIPAA and HITECH

Answer 26

Healthcare Insurance Portability and Accountability Act (HIPAA) deals with personal health information (PHI).
The Health Information Technology for Economic and Clinical Health Act (HITECH Act) is part of the American Recovery and Reinvestment Act of 2009 (ARRA) and is designed to enhance privacy provisions of electronic personal health information records.

Question 27

Payment Card Industry Data Security Standard (PCI DSS)

Answer 27

Details the contractual requirements for members that accept and process bank cards. Includes requirements for security management, policies and procedures, network architecture, software design, and other critical protective measures for all systems associated with the processing and storing of cardholder data.

Payment Application (PA) DSS standard is a set of requirements used by software vendors to validate that a payment application is compliant with the requirements associated with PCI DSS. when creating applications designed to handle cardholder data, compliance with PA DSS signals that the software is properly designed.

PIN Transaction Security (PTS): security aspects associated with the Card PIN are governed by the PTS standard.

Question 28

Privacy-Enhancing Technologies

Answer 28

Include small application programs called cookie cutters that are designed to prevent the transfer of cookies between browsers and web servers.

Question 29

Requirements Traceability Matrix (RTM)

Answer 29

a grid that assists the development team in tracking and managing requirements and implementation details.
Consists of: Requirement ID, Requirement Description, Requirement Source, Test objectives, Validation Methods, Use cases.

Question 30

Misuse cases can help in

Answer 30

• Can be used to help document the types of nonfunctional or quality requirements, such as reliability, resiliency, maintainability, testability, and so on.
• Usability is one of the hallmarks of use cases and has a role in misuse cases as well.
• can examine a system from an attacker’s point of view, whether the attacker is an inside threat or an outside one.

Question 31

NIST SP 800 60

Answer 31

Data classification: Guide for Mapping Types of Information and Information Systems to Security Categories

Question 32

ISO 27001

Answer 32

implementing an information classification system