Section 3: Security Governance and Compliance Flashcards

1
Q

Due Care

A

Reasonable efforts made by an organization to prevent harm to individuals or assets
Encompasses the responsibility of an organization to protect its stakeholders from foreseeable risks, including implementing appropriate security measures that align with industry standards and best practices

2
Q

Due Diligence

A

Activities used to demonstrate that due care is being exercised
Researching applicable requirements and verifying that due care obligations continue to be met
Requires ongoing assessment and evaluation of security practices to identify gaps and make the necessary improvements

3
Q

FTC Act

A

Federal Trade Commission Act prohibits unfair methods of competition and unfair or deceptive acts or practices affecting commerce; the FTC uses this authority to enforce privacy and data security promises, including the protection of PII

4
Q

GLBA

A

Gramm-Leach-Bliley Act requires financial institutions to safeguard customer financial data and restricts sharing it with non-affiliated third parties unless the customer has been notified and given the chance to opt out

5
Q

ECPA

A

Electronic Communications Privacy Act
Restricts the interception of electronic communications in transit and access to stored electronic communications, and defines the conditions under which the US government can obtain them

6
Q

HIPAA

A

Health Insurance Portability and Accountability Act
Creates federal requirements for the collection, management, and protection of certain health related information

7
Q

HITECH

A

Health Information Technology for Economic and Clinical Health Act
Extends HIPAA privacy and security requirements directly to business associates that handle PHI on behalf of a HIPAA covered entity, and adds breach notification requirements

8
Q

GINA

A

Genetic Information Nondiscrimination Act
Prohibits health insurers and employers from discriminating on the basis of genetic information and restricts their collection and disclosure of it

9
Q

SOX

A

Sarbanes-Oxley Act
Protects investors against accounting fraud by requiring accurate financial reporting by public companies and management assessment of internal controls over financial reporting, which pulls in the IT systems that feed those reports

10
Q

PCI DSS

A

Payment Card Industry Data Security Standard
Global payment card industry standard aimed at protecting cardholder data and reducing card theft and fraud; it is a contractual requirement of the card brands, not a law

11
Q

PCI DSS Requirements

A

The twelve requirements (wording follows PCI DSS v3.2.1; v4.0 restates them):
Install and maintain a firewall configuration to protect cardholder data
Do not use vendor-supplied defaults for system passwords and other security parameters
Protect stored cardholder data
Encrypt transmission of cardholder data across open, public networks
Protect all systems against malware and regularly update anti-virus software or programs
Develop and maintain secure systems and applications
Restrict access to cardholder data by business need-to-know
Identify and authenticate access to system components
Restrict physical access to cardholder data
Track and monitor all access to network resources and cardholder data
Regularly test security systems and processes
Maintain a policy that addresses information security for all personnel

12
Q

GDPR

A

General Data Protection Regulation (European Union)
Enforceable from 25 May 2018
Replaced the 1995 Data Protection Directive and widened its scope: applies to any organization processing the personal data of people in the EU, regardless of where the organization is established

13
Q

Controller (GDPR)

A

Person, public authority, agency or other body which determines the purposes and means of the processing of personal data

14
Q

Processor (GDPR)

A

Person, public authority, agency, or other body which processes personal data on behalf of the controller

15
Q

GDPR Subject Rights

A

Access to the personal data held about them
Rectification (update or correct) of inaccurate information
Erasure, or the right "to be forgotten"
Restriction of processing and of how the data is used
Data portability, so the subject can reuse the data elsewhere as they see fit
Objection to any further processing

16
Q

Patent

A

Provides exclusive legal rights to an invention for a limited term (generally 20 years from filing)
Holder controls how the invention may be used by others during that term
Inventions implemented in software, hardware components, mechanical parts, exercise equipment

17
Q

Trademark

A

Identifies the goods or services of a particular individual or organization
Purpose is to uniquely distinguish a good or service from competing products
Company name, slogan, symbol, logo, etc

18
Q

Copyright

A

Provides exclusive rights to original works of authorship, including software source code
Author has ownership and can control how the material may be used by others
Book, song lyrics, video, movie script, photograph, painting, source code, etc.

19
Q

Trade Secret

A

Protects a confidential method or technique that gives an organization an advantage; no registration is required, and protection lasts only as long as the information is kept secret
Something that gives an organization its edge in business over a competitor
Recipe, manufacturing process, initial design

20
Q

Licensing

A

Provides a legal agreement that outlines the specific terms of use for a product
Permission from the license issuer to use their product in a specified manner

21
Q

Perpetual License

A

Authorized use of the purchased version for an indefinite period, rather than for a subscription term

22
Q

EULA

A

End User License Agreement
A binding agreement between the user and the license issuer

23
Q

Creative Commons (CC)

A

A family of public licenses under which a copyright holder grants everyone permission to share and reuse the work, subject to stated conditions such as attribution

24
Q

Wassenaar Arrangement

A

Export controls for conventional arms and dual-use goods and technologies
“The aim is also to prevent the acquisition of these items by terrorists”

25
Q

Wassenaar Category 5 Part 1

A

Telecommunications

26
Q

Wassenaar Category 5 Part 2

A

Information Security: primarily cryptographic items (encryption hardware and software) and cryptanalysis tools; the 2013 controls on "intrusion software" sit in Category 4 (Computers), not here

27
Q

CFAA

A

Computer Fraud and Abuse Act
Primary US federal anti-hacking statute (1986); criminalizes accessing a computer without authorization or exceeding authorized access

28
Q

NIIPA

A

National Information Infrastructure Protection Act of 1996
Amended the CFAA, broadening the computers and conduct it covers

29
Q

FISMA

A

Federal Information Security Management Act (2002), updated by the Federal Information Security Modernization Act (2014)
Requires federal agencies to implement information security programs and controls; NIST publishes the supporting standards (FIPS and the SP 800 series)

30
Q

Active Attacks

A

Attempt to exploit a vulnerability to cause damage, alter data, or gain unauthorized access; the attack changes the state of the target

31
Q

Passive Attacks

A

Attempt to gather information about the system (for example by eavesdropping or traffic analysis) without affecting operations, typically as preparation for an active attack

32
Q

Doxxing

A

Public release of private or identifying information about an individual or organization, usually with malicious intent

33
Q

Policy

A

High-level statement of management intent that mandates what must be done, including compliance with external legal and regulatory requirements
Unlikely to change often, while the standards, procedures, baselines and guidelines beneath it are typically revised more frequently

34
Q

Standard

A

Mandatory, consistent set of requirements that must be met to comply with the organizational policy

35
Q

Procedure

A

Highly detailed instructions on how to implement a standard

36
Q

Baseline

A

Defines the minimum level of security configuration required to comply with a standard, for example a hardened build for a given platform

37
Q

Guideline

A

Non-mandatory best-practice recommendation on how to implement a standard or baseline