study set 2 Flashcards
What is it called when the data owner (management) formally accepts the certification results and the residual risk?
Accreditation
IAAA
A framework: Identification, Authentication, Authorization, Accountability (auditing)
EF
Exposure Factor
The percentage of an asset's value expected to be lost in a single risk event (used in SLE = AV x EF)
Privacy Act of 1974 applies to whom?
Only to US federal agencies (records they hold about individuals)
What are the 9 stages of the EDRM?
The Electronic Discovery Reference Model
- Information Governance
- Identification
- Preservation
- Collection
- Processing
- Review
- Analysis
- Production
- Presentation
OEP
Occupant Emergency Plan
A privacy policy needs to cover what 4 items?
- Collection
- Use
- Disclosure
- Protection
Vertical control?
Hierarchical classification levels, e.g. Top Secret, Secret, Confidential; access depends on clearance level
Proactive controls are?
Safeguards (reactive controls are countermeasures)
IT logs and documents are what type of evidence?
Secondary evidence
What is the Committee of Sponsoring Organizations of the Treadway Commission called?
COSO
Typosquatting
URL Hijacking
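Typosquatters register one-keystroke variants of a brand's domain to catch mistyped traffic, so defenders generate the same variants and watch registration feeds for them. The following is an added example, not part of the original flashcard set; the brand domain, the "newly observed domains" list, the keyboard-adjacency map and the homoglyph map are all constructed for illustration.

```python
"""Generate typosquat candidates for a brand domain and match them against a
feed of newly observed domains. Added example; the brand domain, the observed
list, the keyboard-adjacency map and the homoglyph map are all constructed."""

# Assumption: a partial US-QWERTY adjacency map for 'fat finger' substitutions.
ADJACENT = {
    "a": "qwsz", "e": "wrsd", "i": "uojk", "l": "kop", "m": "njk",
    "o": "ipkl", "p": "ol", "x": "zsdc",
}
# Assumption: a small set of look-alike substitutions common in ASCII squats.
HOMOGLYPHS = {"l": "1", "o": "0", "i": "1", "e": "3", "m": "rn"}


def typo_variants(domain):
    """Return the set of one-edit variants of the registrable label, keeping
    the TLD: omission, repetition, transposition, adjacent key, homoglyph."""
    label, _, tld = domain.lower().partition(".")
    out = set()
    for i, ch in enumerate(label):
        out.add(label[:i] + label[i + 1:])                 # omission
        out.add(label[:i] + ch + ch + label[i + 1:])       # repeated character
        if i + 1 < len(label):                             # swap with neighbour
            out.add(label[:i] + label[i + 1] + ch + label[i + 2:])
        for key in ADJACENT.get(ch, ""):                   # adjacent key hit
            out.add(label[:i] + key + label[i + 1:])
        if ch in HOMOGLYPHS:                               # look-alike glyph
            out.add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:])
    out.discard(label)                                     # the real domain is not a squat
    return {v + "." + tld for v in out if v}


def find_squats(domain, observed):
    """Intersect the candidates with a list of new registrations (constructed here)."""
    candidates = typo_variants(domain)
    return sorted(d for d in set(observed) if d.lower() in candidates)


# Constructed 'newly registered domains' feed for the demo.
OBSERVED = ["exarnple.com", "examp1e.com", "example.com",
            "unrelated.org", "exmaple.com", "exanple.com"]

if __name__ == "__main__":
    for squat in find_squats("example.com", OBSERVED):
        print("possible typosquat:", squat)
```

In practice the observed list comes from certificate-transparency logs or a newly-observed-domains feed, and the highest-risk variants (the ones users actually mistype) are registered defensively by the brand owner.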
ISO 27799 standard is focused on?
Protecting PHI (information security management in health informatics)
A keylogger is a threat to which part of the CIA triad?
Confidentiality
GDPR
General Data Protection Regulation: the EU data protection law in force since May 2018, replacing the 1995 Data Protection Directive
"Need to know" is what type of control?
Horizontal control (compartmentalization within a classification level)
Tangible and physical objects are what type of evidence?
Real evidence
Hard drives, USB sticks, etc., but not the data on them
What are 3 corrective controls?
- Anti-virus
- Patches
- IPS
What act addresses identity theft?
ITADA (Identity Theft and Assumption Deterrence Act, 1998)
What is the first step of BCP development?
BOA (Business Organization Analysis)
What is the correct way to dispose of an SSD?
Incinerate (physical destruction): degaussing has no effect on flash memory, and overwriting is unreliable because wear leveling leaves copies in blocks the OS cannot address
SOX
Sarbanes-Oxley Act of 2002
Regulates the financial reporting of publicly traded companies
The 3 rules of HIPAA
- Privacy Rule
- Security Rule
- Breach Notification Rule
Developed guidelines so that international data flows are properly protected in a globalized economy
OECD (Organisation for Economic Co-operation and Development)
MOA / MOU
Memorandum of Agreement / Memorandum of Understanding: written agreements between organizations, e.g. for mutual aid and essential personnel during a disruption
The Military or DoD data classifications
- Top Secret
- Secret
- Confidential
- Unclassified
IPS / IDS support which part of the CIA triad?
Availability
STRIDE
A threat categorization scheme from Microsoft
Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege
Supporting facts and elements are what type of evidence?
Corroborative evidence
Not a fact on its own; it supports other evidence
When you personally saw something (an eyewitness account), what type of evidence is it?
Direct evidence
Who Defines the acceptable level of risk?
Security Steering Committee
What policy would address on how to deal with Data no longer Needed?
Data Destruction Policy
4 threats to confidentiality (CIA)
- Attacks on encryption
- Social engineering
- Keyloggers
- IoT (Internet of Things) devices
"The majority of the proof" (preponderance of the evidence, more likely than not) relates to what type of law?
Civil law
Cybersquatting
domain squatting
Counterfeiting is?
An attack on trademarks
“Beyond a Reasonable Doubt”
Criminal Law
What are the business data classifications?
- Highly sensitive
- Sensitive
- Internal
- Public
The Security Steering Committee is responsible for?
Making decisions on tactical and strategic security issues
Members are invited to join
Software code defects (application failures) are a threat to which part of the CIA triad?
Availability
Exigent circumstances are?
An immediate threat to human life or of evidence destruction, allowing a search or seizure without a warrant
Only applies to law enforcement or those acting "under color of law"
ISO 27002 is focused on?
Information security controls (a code of practice supporting ISO 27001)
Password hashing with salting supports which part of the CIA triad?
Integrity (the salt also defeats precomputed rainbow tables)
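Why the salt matters is easiest to see with both forms side by side: an unsalted digest is identical for every user who picked the same password, while a per-user random salt makes each stored hash unique and forces an attacker to crack accounts one at a time. The following is an added example, not from the flashcard set; the PBKDF2 iteration count, the storage string format and the sample passwords are assumptions.

```python
"""Salted password hashing with PBKDF2-HMAC-SHA256 beside the unsalted form.
Added example; the iteration count, storage format and passwords are assumptions."""
import base64
import hashlib
import hmac
import os

# Assumption: work factor for the demo. OWASP currently suggests 600,000
# iterations for PBKDF2-HMAC-SHA256; raise it for production use.
ITERATIONS = 200_000


def unsalted_hash(password):
    """The weak form: no salt, so equal passwords give equal digests and one
    precomputed table breaks every account that shares a password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$iterations$salt$digest' (salt and digest base64)
    using a fresh random 16-byte salt unless one is supplied."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count and compare in
    constant time, so a wrong guess does not leak how many bytes matched."""
    algo, iterations, salt_b64, digest_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def demo():
    """Two users choose the same (constructed) password."""
    pw = "correct horse battery staple"
    alice = hash_password(pw)
    bob = hash_password(pw)
    return {
        "unsalted_equal": unsalted_hash(pw) == unsalted_hash(pw),  # same digest for both users
        "salted_equal": alice == bob,                               # different salt, different hash
        "alice_ok": verify_password(pw, alice),
        "bob_wrong": verify_password("Correct horse battery staple", bob),
    }


if __name__ == "__main__":
    print(demo())
```

The stored string carries the algorithm, iteration count and salt so the work factor can be raised later without a flag day: on a successful login, rehash with the new parameters and overwrite the record.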
The (ISC)2 Code of Ethics canons
- Protect society, the common good, necessary public trust and confidence, and the infrastructure
- Act honorably, honestly, justly, responsibly, and legally
- Provide diligent and competent service to principals
- Advance and protect the profession
A retention policy deals with?
- How long to keep data and backups
- Where to keep the backups
- What we keep
What is the self-directed risk evaluation methodology?
OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation)
Which attack are you seeing if a SYN packet has the same source and destination address?
LAND attack (Local Area Network Denial attack)
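A detector for this only needs the IPv4 and TCP headers: pull out the two addresses and the flag bits, and alert on a SYN (without ACK) whose source equals its destination. The following is an added example, not from the flashcard set; the packet builder produces a constructed sample with zeroed checksums rather than a real capture, and the addresses and ports are made up.

```python
"""Detect LAND packets: a TCP SYN whose source and destination address (and,
in the classic form, port) are the same. Added example; the packet builder
is a constructed sample with zeroed checksums, not a capture."""
import struct
from ipaddress import IPv4Address


def build_syn(src, dst, sport, dport, flags=0x02):
    """Constructed IPv4+TCP packet: 20-byte headers, no options, checksums 0."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 40, 0, 0, 64, 6, 0,          # v4/IHL=5, len 40, TTL 64, proto TCP
                         IPv4Address(src).packed, IPv4Address(dst).packed)
    tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, 0, 0,
                          (5 << 12) | flags, 8192, 0, 0)      # data offset 5 words + flags
    return ip_hdr + tcp_hdr


def parse_ipv4_tcp(packet):
    """Return addresses, ports and SYN/ACK bits, or None if not IPv4 over TCP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4                 # header length honours IP options
    if packet[9] != 6 or len(packet) < ihl + 14:
        return None
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", packet[ihl:ihl + 14])
    return {
        "src": str(IPv4Address(packet[12:16])),
        "dst": str(IPv4Address(packet[16:20])),
        "sport": sport,
        "dport": dport,
        "syn": bool(off_flags & 0x02),
        "ack": bool(off_flags & 0x10),
    }


def is_land(packet):
    """A SYN from an address to itself should never arrive on an external
    interface; the classic LAND also uses the same source and destination port."""
    p = parse_ipv4_tcp(packet)
    return bool(p and p["syn"] and not p["ack"] and p["src"] == p["dst"])


if __name__ == "__main__":
    print(is_land(build_syn("10.0.0.5", "10.0.0.5", 139, 139)))   # True
    print(is_land(build_syn("10.0.0.9", "10.0.0.5", 40000, 139))) # False
```

Modern stacks drop these packets by default, so the check is mainly useful as a sensor rule: a hit means something on the segment is spoofing your own address, which is worth an alert even when the host is not vulnerable.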
The three authentication responses a RADIUS server returns
- Access-Accept
- Access-Reject
- Access-Challenge
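On the wire these are RADIUS codes 2, 3 and 11, and a NAS must not act on the code until it has checked the Response Authenticator (RFC 2865: MD5 over Code, Identifier, Length, the Request Authenticator, the attributes and the shared secret), otherwise anyone who can inject UDP can turn a Reject into an Accept. The following is an added example, not from the flashcard set; the shared secret, identifier and Request Authenticator are constructed values.

```python
"""Build and verify the three RADIUS authentication responses. Added example;
the shared secret, identifier and Request Authenticator are constructed."""
import hashlib
import hmac
import struct

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)

SECRET = b"testing123"           # constructed shared secret between NAS and server
REQUEST_AUTH = bytes(range(16))  # constructed; a real one is 16 random bytes per request


def radius_attr(attr_type, value):
    """Encode one RFC 2865 attribute as Type(1) Length(1) Value."""
    return bytes([attr_type, 2 + len(value)]) + value


def build_response(code, identifier, request_auth, attributes, secret):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    head = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attributes))
    resp_auth = hashlib.md5(head + request_auth + attributes + secret).digest()
    return head + resp_auth + attributes


def parse_response(packet, request_auth, secret):
    """NAS side: verify the authenticator before trusting the code."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < HEADER_LEN:
        raise ValueError("bad length")
    attributes = packet[HEADER_LEN:length]
    expected = hashlib.md5(packet[:4] + request_auth + attributes + secret).digest()
    if not hmac.compare_digest(expected, packet[4:HEADER_LEN]):
        raise ValueError("Response Authenticator mismatch")
    return CODES.get(code, "unknown code %d" % code)


def demo():
    """Round-trip the three responses, then try to flip a Reject into an Accept."""
    results = {}
    for code in (2, 3, 11):
        pkt = build_response(code, 7, REQUEST_AUTH, radius_attr(18, b"hello"), SECRET)  # 18 = Reply-Message
        results[code] = parse_response(pkt, REQUEST_AUTH, SECRET)
    reject = build_response(3, 7, REQUEST_AUTH, b"", SECRET)
    forged = bytes([2]) + reject[1:]  # change only the code byte on the wire
    try:
        parse_response(forged, REQUEST_AUTH, SECRET)
        results["forged"] = "accepted"
    except ValueError:
        results["forged"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

Access-Challenge normally carries a State attribute (type 24) that the NAS echoes in its next Access-Request; the Reply-Message used above is just the simplest attribute to show. The authenticator is MD5-based, so in practice RADIUS is carried over IPsec or RadSec (TLS) and the Message-Authenticator attribute is required rather than relying on this check alone.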