Security and Risk Management Flashcards
Need to know access
Confidentiality
Information processed correctly and not modified by unauthorized persons and protecting data in transit
Integrity
Ensuring systems are up and running so that persons can use them when they need them
Availability
Who gets access: who is authorized to access the system
Availability
Hashes, digital signatures, parity bits, separation of duties
Integrity
Remote sites, backups, high availability, RAID levels
Availability
Validates that appropriate policies, procedures, standards and guidelines are implemented to ensure business operations
Information Security Management
Things measured over long-term trends that illustrate the day-to-day workload
Metrics
Who is responsible for Security
Everyone
Who is ultimately responsible for Security
Executive Management/Executive Level
Who does security report to?
Chain of command
Detecting: a pre-emptive measure taken to avoid harm to other persons or their property
Due Diligence
Caring is correcting
Due Care
Legal term used to describe the care a “reasonable person” would exercise under given circumstances
Due Care
Examples: background checks of employees, credit checks of business partners, information security assessments, penetration testing, contingency testing of backup systems
Due Diligence
Dual use goods
Wassenaar Arrangement
3 types of access control
Administrative
Physical
Technical
Name 2 types of Risk
Likelihood
Impact
What is C.I.A?
Confidentiality; Availability and Integrity
An idea that is certified and made public
Patent
Expression of an idea
Copyright
What organization concisely defines intellectual property?
World Intellectual Property Organization (WIPO)
What law explains what an export is?
International Traffic in Arms Regulations Act (ITAR:1976)
What law explains what a deemed export is?
Export Administration Regulations Act Security (EAR:1979)
What is the most common dual-use good?
Cryptography
Rights and obligations of individuals and organizations with respect to the collection, use, retention and disclosure of personal information
Privacy
Limits collection of personal data
Collection Limitation Principle
Data should be relevant to the purposes for which they are to be used, and only to the extent necessary for those purposes
Data Quality Principle
The purposes for which personal data are collected are specified no later than at the time of data collection, and subsequent use is limited to the fulfillment
Purpose Specification Principle
Data should not be disclosed, made available or used for purposes other than those specified, except with the consent of the data subject
Use Limitation Principle
Personal data protected by Security Safeguards
Security Safeguard Principle
Openness of general policy about developments, practices and policies with respect to personal data
Openness Principle
An event that has the potential to do harm
Incident
A measurable or observable occurrence that involves any asset
Incident
An incident that results in the disclosure or potential exposure of data
Breach
Unauthorized acquisition of personal information maintained in computerized form by a person that compromises the security, confidentiality, or integrity of the personal information
Data Disclosure
Provides a common language for describing security incidents in a structured and repeatable manner
VERIS (The Vocabulary for Event Recording and Incident Sharing)
Regulates the handling of personal information about individuals
Privacy Act
Sets national standards for the security of electronic protected health information
Health Insurance Portability and Accountability Act (HIPAA)
Certifies the accuracy of financial information and imposes penalties for fraudulent activity, providing for outside auditors to review the accuracy of financial statements
Sarbanes-Oxley Act
Standard that requires notice of personal data breaches to the competent national authority no later than 24 hours after detection
Regulation for Electronic Communications Service
Ethical standard that protects the country
Global responsibilities
Ethical standard that protects the state
National standard
Ethical standard that protects the company
Organizational standard
What you do when no one is there to guide whether what you do is legal or illegal
Personal Standard
Code of Ethics Canons
Protect Society (people)
Act Honorably (Honor)
Provide diligent and competent service to principals (Boss)
Advance and protect the profession (profession)
Components that support the implementation of security policy
Procedures, standards, guidelines, and baselines
4 Steps in a BIA
Gather information, perform a vulnerability assessment, analyze the information, document the results
An event or situation that if occurred, would prevent the organization from operating in its normal manner, if at all
Threat
The amount of time the organization can function without that application before significant impact occurs
Recovery Time Objective (RTO) or Maximum Tolerable Downtime (MTD)
How quickly you need to have that application's information available after downtime has occurred
Recovery Time Objective (RTO)
Refers to the point in time to which data must be restored in order to successfully resume processing, i.e. between the last backup and when the event occurred
Recovery Point Objective (RPO)
Reduces the risk of collusion between individuals
Job Rotation
Not having the same capability to execute all of the steps of a particular process
Separation of Duties
Access to sensitive data only as needed to do their job
Need to know
Guidance that analyzes risks and manages mitigation in alignment with business and compliance objectives
GRC: Governance, Risk Management and Compliance
Data Protection Directive (DPD), Personal Information Protection and Electronic Documents Act (PIPEDA), Personally Identifiable Information (PII), HIPAA, Gramm-Leach-Bliley Act (GLBA) and Payment Card Industry (PCI) are all examples of what?
Privacy Requirements Compliance