Section 3: Security Governance and Compliance Flashcards
Due Care
Reasonable efforts made by an organization to prevent harm to individuals or assets
Encompasses the responsibility of an organization to protect its stakeholders from foreseeable risks, including implementing appropriate security measures that align with industry standards and best practices
Due Diligence
Activities used to verify that due care is actually being exercised
Researching applicable requirements and confirming that due care obligations continue to be met as the organization and its obligations change
Requires ongoing assessments and evaluations of security practices to identify gaps and make necessary improvements
FTC Act
Federal Trade Commission Act (Section 5) prohibits unfair methods of competition and unfair or deceptive acts or practices affecting commerce; the FTC uses it to act against misrepresented privacy practices and inadequate protection of PII
GLBA
Gramm-Leach-Bliley Act requires financial institutions to safeguard customer financial data and restricts sharing it with nonaffiliated third parties unless customers are given notice and the opportunity to opt out
ECPA
Electronic Communications Privacy Act
Restricts the interception of wire, oral, and electronic communications (Wiretap Act) and access to stored communications (Stored Communications Act), and defines the conditions under which the US government may obtain them
HIPAA
Health Insurance Portability and Accountability Act
Creates federal requirements for the collection, management, and protection of individually identifiable health information (protected health information, PHI)
HITECH
Health Information Technology for Economic and Clinical Health Act
Extends HIPAA privacy and security requirements directly to business associates that handle PHI on behalf of a covered entity, and adds breach notification requirements
GINA
Genetic Information Nondiscrimination Act
Prohibits discrimination in health insurance and employment based on genetic information and restricts the collection and disclosure of that information
SOX
Sarbanes-Oxley Act
Protects investors against accounting fraud by requiring publicly traded companies to report accurate financial information and to assess their internal controls (Section 404), which in practice includes the IT controls over financial systems
PCI DSS
Payment Card Industry Data Security Standard
Global payment card industry standard aimed at preventing theft and fraudulent use of cardholder data
PCI DSS Requirements
Install and maintain a firewall configuration to protect cardholder data
Do not use vendor-supplied defaults for system passwords and other security parameters
Protect stored cardholder data
Encrypt transmission of cardholder data across open, public networks
Protect all systems against malware and regularly update AV software or programs
Develop and maintain secure systems and applications
Restrict access to cardholder data by business need-to-know
Identify and authenticate access to system components
Restrict physical access to cardholder data
Track and monitor all access to network resources and cardholder data
Regularly test security systems and processes
Maintain a policy that addresses information security for all personnel
GDPR
General Data Protection Regulation (European Union)
Went into effect 25 May 2018
Replaced the 1995 Data Protection Directive and broadened its scope: applies to any organization processing the personal data of people in the EU, regardless of where the organization is based
Controller (GDPR)
Person, public authority, agency or other body which determines the purposes and means of the processing of personal data
Processor (GDPR)
Person, public authority, agency, or other body which processes personal data on behalf of the controller
GDPR Subject Rights
Access to any personal data collected about the subject
Rectification (update or correct) of inaccurate information
Erasure, or the right "to be forgotten"
Restriction of processing (limits on how the data is used)
Data portability (receive the data in a machine-readable form to reuse as the subject sees fit)
Object to further processing (including direct marketing)
Patent
Provides exclusive legal rights to an invention for a limited term (generally 20 years from filing) in exchange for public disclosure of how it works
Creator has full ownership and can control how it may be used by others
Novel processes or algorithms implemented in software, hardware components, mechanical parts, exercise equipment
Trademark
Identifies the source of goods or services offered by an individual or organization
Purpose is to uniquely distinguish a good or service from competing products
Company name, slogan, symbol, logo, etc
Copyright
Provides exclusive rights to original creative works fixed in a tangible form (source code included)
Author has full ownership and can control how the material may be used by others
Book, song lyrics, video, movie script, photograph, painting, etc
Trade Secret
Protects confidential business information (a method, formula, or technique) that gives an organization a competitive advantage
Protection lasts only as long as the information is actually kept secret, so it depends on NDAs, need-to-know access and other controls rather than registration
Recipe, process, initial design
Licensing
Provides a legal agreement that outlines the specific terms of use for a product
Permission from the license issuer to use their product in a specified manner
Perpetual License
A one-time license that authorizes use of the product indefinitely, with no renewal (updates and support are usually sold separately)
EULA
End User License Agreement
A binding agreement between the user and the license issuer
Creative Commons (CC)
A family of public licenses through which a copyright holder grants advance permission to reuse a work under stated conditions (e.g. attribution, share-alike, non-commercial, no derivatives)
Wassenaar Arrangement
Export controls for conventional arms and dual-use goods and technologies
“The aim is also to prevent the acquisition of these items by terrorists”
Wassenaar Category 5 Part 1
Telecommunications
Wassenaar Category 5 Part 2
Information Security, primarily cryptographic items; the 2013 "intrusion software" controls sit in Category 4 (computers) and IP network surveillance systems in Category 5 Part 1
CFAA
Computer Fraud and Abuse Act (1986): the primary US federal statute criminalizing unauthorized access to, and damage of, "protected computers"
NIIPA
National Information Infrastructure Protection Act of 1996, an amendment that broadened the CFAA (for example, expanding the definition of a protected computer)
FISMA
Federal Information Security Management Act (2002), updated by the Federal Information Security Modernization Act (2014)
Requires federal agencies to implement information security programs, with NIST developing the standards and controls (FIPS, SP 800-53) that implement them
Active Attacks
Attempt to exploit a vulnerability to alter, damage, or gain unauthorized access to a system; the attack changes system state and is therefore potentially detectable
Passive Attacks
Attempt to gather information (e.g. by eavesdropping or traffic analysis) to prepare an attack without affecting operations, which makes them hard to detect
Doxxing
Public release of sensitive information regarding an individual or organization
Policy
High-level statement of management intent and mandatory requirements, often driven by external compliance obligations
Unlikely to change, while all other documents are typically fluid
Standard
Mandatory, consistent set of requirements that implement the organizational policy
Procedure
Highly detailed instructions on how to implement a standard
Baseline
Minimum level of security or configuration that a system must meet in order to comply with a standard
Guideline
Recommended (non-mandatory) best practice for implementing a standard or baseline