Udemy-Domain 1 Flashcards
the opposite of CIA is ___
Disclosure, Alteration and Destruction (DAD; one opposite per letter of CIA)
Type 1 authentication is ___, type 2 is ___, type 3 is ___, type 4 is ___, type 5 is ___
- something you know
- something you have
- something you are (inherence, e.g. biometrics)
- somewhere you are
- something you do
a cookie on your PC could be a type ___ authentication
2 (something you have)
the IP/Mac address of your computer could serve as a type ___ authentication
4 (somewhere you are)
a pattern unlock on a cellphone could serve as a type ___ authentication
5 (something you do)
the risk appetite of an organization could be ___, ___ or ___
aggressive; neutral; averse (risk-averse)
OCTAVE
Self-directed risk management, run by the organization's own staff (Operationally Critical Threat, Asset and Vulnerability Evaluation)
COBIT
Goals for IT: stakeholder needs are mapped down to IT-related goals (Control Objectives for Information and Related Technologies)
COSO
Goals and internal control for an entire organization (Committee of Sponsoring Organizations of the Treadway Commission)
ITIL
IT service management (Information Technology Infrastructure Library)
FRAP
Analyzes one business unit, application or system at a time in a roundtable of internal employees; impact is analyzed and threats and risks are prioritized (Facilitated Risk Analysis Process)
PCI-DSS
Payment Card Industry Data Security Standard
ISO 27001
requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS); the 2005 edition structured this as Plan, Do, Check, Act
ISO 27002
practical advice on implementing security controls, organized by control domain (10 domains in the original ISO 17799 text; 14 control clauses in ISO 27002:2013)
ISO 27004
metrics for measuring the effectiveness of an information security management system
ISO 27005
a standards-based approach to information security risk management
ISO 27799
guidance on protecting personal health information (PHI) in healthcare organizations (ISO 27002 applied to health informatics)
Criminal standard of proof is ___,
the victim is ___
and possible punishments include ___
for the purpose of ___
- “beyond a reasonable doubt”
- society
- incarceration, death or fines
- deterrence
Civil/tort standard of proof is ___,
possible punishments include ___
for the purpose of ___
- preponderance of the evidence (the greater weight of the evidence)
- financial damages
- compensating the victims
Administrative/regulatory standard of proof is ___
“more likely than not” (in practice the same threshold as the civil preponderance standard)
Due Diligence is satisfied by ___, but Due Care is satisfied by ___
research; action (what would a prudent person do?)
negligence is the opposite of ___
Due Care
___ determines your liability for an event
Due Care
Real evidence is ___,
Direct evidence is ___,
- physical objects
- first-hand witness testimony
the basic rules of evidence say that evidence should be ___ (5)
- accurate
- relevant
- convincing
- complete
- authentic
logs and documents from systems are considered ___ evidence
secondary (records and copies rather than the original object; logs are also hearsay unless admitted under the business-records exception)
the ___ protects against unreasonable search and seizure
fourth amendment
___ circumstances may allow certain searches and seizures if there is immediate threat to human life or destruction of evidence
exigent
(illegal) entrapment is ___ but (legal) enticement is ___
persuading someone to commit a crime they did not intend to commit (creating intent/motive); making an intended crime easier to commit (presenting means/opportunity, e.g. a honeypot)
copyrights are granted ___ for ___ years,
trademarks are granted ___ for ___ years
- automatically on creation; 70 (the author's life plus 70 years) / 95 (works made for hire)
- after registration; 10 (renewable indefinitely while the mark stays in use)
trade secrets are protected by ___
the owner's own secrecy measures (no registration and no expiry; only misappropriation is actionable)
using a cryptographic algorithm without permission could be a ___ infringement
patent
using software without a license could be a ___ infringement
copyright
HIPAA laws apply to ___, ___ and ___
health care providers; health plans (insurers); clearinghouses (claims handlers) (plus their business associates, since HITECH)
HIPAA has 3 rules:
Privacy rule, Security rule and Breach Notification rule
HIPAA's Security Rule requires safeguards in the following categories:
administrative, technical and physical
general Breach Notification laws belong to the ___ jurisdiction, and often contain exclusions if the data is ___
state (every US state has had one since Alabama and South Dakota enacted theirs in 2018); encrypted
the ___ (act) protects electronic communications against warrantless wiretapping in the US, but was weakened by the Patriot act
ECPA (Electronic Communications Privacy Act)
most computer crimes are prosecuted under the ___ (act)
CFAA (Computer Fraud and Abuse Act)
consumer financial information is protected by the ___ (act)
GLBA (Gramm-Leach-Bliley Act)
the GLBA, which protects consumer financial data, is driven by the ___ (council)
FFIEC (Federal Financial Institutions Examination Council)
the ___ (act) regulates the financial reporting and internal controls of publicly traded companies (in every industry, not only financial services)
SOX (Sarbanes-Oxley Act)
the ___ provides international guidelines for data privacy
OECD (Organisation for Economic Co-operation and Development)
the OECD guidelines for data protection have 8 driving principles:
- ___
- ___
- purpose specification
- use limitation
- security safeguards
- openness
- ___
- ___
- collection limitation
- data quality
- individual participation
- accountability
the ___ Arrangement sets export controls for conventional arms and dual-use (commercial and wartime application) technologies, including cryptography, for its participating states (41 when the course was written; 42 since India joined in 2017)
Wassenaar
the OECD guidelines for data protection have 8 driving principles:
- collection limitation
- data quality
- ___
- ___
- ___
- ___
- individual participation
- accountability
- purpose specification
- use limitation
- security safeguards
- openness
an SLA with a vendor often includes your right to ___ and ___ their IT systems
audit; penetration test
processing the personal data of people in the EU (for example, offering goods or services to them from outside the EU) makes you subject to the ___
GDPR (General Data Protection Regulation)
violation of a GDPR regulation could mean a fine of ___
up to €20 million or 4% of annual worldwide turnover, whichever is greater
GDPR provisions:
- Restrictions (exemptions for law enforcement, national security and similar public interests)
- Right to access
- Right to erasure (“to be forgotten”)
- ___
- ___
- ___
- ___
- Data portability (electronic format)
- Breach notification (to the supervisory authority within 72 hrs)
- Privacy by design and by default (data minimisation: keep only what is needed to perform the task)
- Data protection officers appointed (where required)
GDPR provisions:
- ___
- ___
- ___
- Data portability (electronic format)
- Breach notification (to the supervisory authority within 72 hrs)
- Privacy by design and by default (data minimisation: keep only what is needed to perform the task)
- Data protection officers appointed (where required)
- Restrictions (exemptions for law enforcement, national security and similar public interests)
- Right to access
- Right to erasure (“to be forgotten”)
(ISC)² Code of Ethics Preamble:
- The safety and welfare of society and the common good
- Duty to our principals, and to each other
- Requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior
(ISC)² Code of Ethics Canons:
- Protect society, the common good, necessary public trust and confidence, and the infrastructure
- Act honorably, honestly, justly, responsibly and legally
- Provide diligent and competent service to principals
- Advance and protect the profession
Ten Commandments of the Computer Ethics Institute:
- ___
- ___
- ___
- ___
- Thou shalt not use a computer to bear false witness
- Thou shalt not copy or use proprietary software for which you have not paid
- Thou shalt not use other people’s computer resources without authorization or proper compensation
- Thou shalt not appropriate other people’s intellectual output
- Thou shalt think about the social consequences of the program you are writing or the system you are designing
- Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans
- Thou shalt not use a computer to harm other people
- Thou shalt not interfere with other people’s computer work
- Thou shalt not snoop around in other people’s computer files
- Thou shalt not use a computer to steal
Ten Commandments of the Computer Ethics Institute:
- Thou shalt not use a computer to harm other people
- Thou shalt not interfere with other people’s computer work
- Thou shalt not snoop around in other people’s computer files
- Thou shalt not use a computer to steal
- ___
- ___
- ___
- Thou shalt not appropriate other people’s intellectual output
- Thou shalt think about the social consequences of the program you are writing or the system you are designing
- Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans
- Thou shalt not use a computer to bear false witness
- Thou shalt not copy or use proprietary software for which you have not paid
- Thou shalt not use other people’s computer resources without authorization or proper compensation
Ten Commandments of the Computer Ethics Institute:
- Thou shalt not use a computer to harm other people
- Thou shalt not interfere with other people’s computer work
- Thou shalt not snoop around in other people’s computer files
- Thou shalt not use a computer to steal
- Thou shalt not use a computer to bear false witness
- Thou shalt not copy or use proprietary software for which you have not paid
- Thou shalt not use other people’s computer resources without authorization or proper compensation
- ___
- ___
- ___
- Thou shalt not appropriate other people’s intellectual output
- Thou shalt think about the social consequences of the program you are writing or the system you are designing
- Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans
IAB’s Unethical Behavior (RFC 1087), five items:
- Seeks to gain unauthorized access to the resources of the Internet
- Disrupts the intended use of the Internet
- ___
- ___
- ___
- Wastes resources (people, capacity, computer) through such actions
- Destroys the integrity of computer-based information
- Compromises the privacy of users
The 5 levels of (internal) Information Security Governance are:
- Policies (mandatory, high level, non-specific)
- Standards (mandatory, specific use of technology)
- Guidelines (non-mandatory recommendations)
- ___
- ___
- Procedures (mandatory step-by-step instructions)
- Baselines/benchmarks (mandatory minimum security configuration, e.g. a hardening benchmark)
Personnel Security Principles:
- ___
- ___
- ___
- Employee Termination Practices (warnings, and deprovisioning)
- Vendors, Consultants and Contractor Security (ensure they have training and meet our standards)
- Outsourcing and Offshoring
- Awareness (necessary to change behavior)
- Training (create a skillset)
- Hiring Practices (Background check, NDA)
Personnel Security Principles:
- Awareness (necessary to change behavior)
- Training (create a skillset)
- Hiring Practices (Background check, NDA)
- ___
- ___
- ___
- Employee Termination Practices (warnings, and deprovisioning)
- Vendors, Consultants and Contractor Security (ensure they have training and meet our standards)
- Outsourcing and Offshoring
6 Types of Access Control:
- Preventative
- Detective
- Corrective
- Recovery (backups, alternate sites)
- Deterrent
- Compensating
AV
Asset Value (what the asset is worth, in currency)
EF
Exposure Factor (% of the Asset Value lost in one incident)
SLE
Single Loss Expectancy (AV x EF = cost of one incident)
ARO
Annualized Rate of Occurrence (expected incidents per year; 0.1 means once every ten years)
ALE
Annualized Loss Expectancy (SLE x ARO = expected cost per year)
TCO
Total Cost of Ownership (upfront cost of a mitigation + its ongoing operational cost; compare it against the ALE it removes)
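Worked example for the AV/EF/SLE/ARO/ALE/TCO cards above. This is an added example, not part of the original deck: it computes SLE and ALE as the cards define them and then applies the standard CISSP cost/benefit check for a control (ALE before minus ALE after minus the annual cost of the control), which the cards imply through TCO but do not spell out. The asset values, exposure factors, rates and costs are constructed for illustration, and the class and function names (Risk, Safeguard, safeguard_value, best_safeguard) are this example's own.

```python
"""Quantitative risk analysis with the deck's terms: AV, EF, SLE, ARO, ALE, TCO.

Added worked example; not part of the original flashcard deck. The numbers are
constructed, and the names below are this example's own, not a standard API.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Risk:
    """One asset/threat pair, either before or after a control is applied."""
    asset_value: float      # AV, in currency units
    exposure_factor: float  # EF, fraction (0..1) of AV lost in one incident
    aro: float              # ARO, expected incidents per year (0.1 = once a decade)

    def __post_init__(self) -> None:
        # EF is a percentage of AV: it can never be negative or exceed 100%.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("AV and ARO must be non-negative")

    @property
    def sle(self) -> float:
        """Single Loss Expectancy: cost of one incident (AV x EF)."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized Loss Expectancy: expected cost per year (SLE x ARO)."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Safeguard:
    """A candidate control: what it costs and what residual risk it leaves."""
    name: str
    upfront_cost: float           # one-time purchase/implementation cost
    annual_operating_cost: float  # staff, licences, maintenance per year
    useful_life_years: float      # years over which the upfront cost is spread
    residual: Risk                # the Risk that remains with the control in place

    @property
    def annual_cost(self) -> float:
        """TCO per year: upfront cost amortized over its life plus operating cost."""
        if self.useful_life_years <= 0:
            raise ValueError("useful life must be positive")
        return self.upfront_cost / self.useful_life_years + self.annual_operating_cost


def safeguard_value(before: Risk, control: Safeguard) -> float:
    """Annual value of a control = ALE(before) - ALE(after) - annual cost of the control.

    Positive: the control saves more than it costs. Negative: the organization
    would pay more for the control than the risk it removes, so accepting or
    transferring the risk (insurance), or a cheaper control, is the better choice.
    """
    return before.ale - control.residual.ale - control.annual_cost


def best_safeguard(before: Risk, candidates: list) -> Optional[Safeguard]:
    """Pick the candidate with the highest positive value, or None if none pays off."""
    worthwhile = [c for c in candidates if safeguard_value(before, c) > 0]
    if not worthwhile:
        return None
    return max(worthwhile, key=lambda c: safeguard_value(before, c))


# Constructed scenario: a customer-facing web server worth 250,000 facing ransomware,
# losing 40% of its value per incident and hit about once every two years.
SERVER_BEFORE = Risk(asset_value=250_000, exposure_factor=0.40, aro=0.5)

CANDIDATES = [
    # EDR plus tested offline backups: cuts both the impact and the frequency.
    Safeguard("EDR + offline backups", upfront_cost=30_000, annual_operating_cost=12_000,
              useful_life_years=3, residual=Risk(250_000, 0.10, 0.2)),
    # A managed SOC with the same residual risk but a much higher yearly cost.
    Safeguard("24x7 managed SOC", upfront_cost=0, annual_operating_cost=60_000,
              useful_life_years=1, residual=Risk(250_000, 0.10, 0.2)),
]

if __name__ == "__main__":
    print(f"SLE before: {SERVER_BEFORE.sle:,.0f}  ALE before: {SERVER_BEFORE.ale:,.0f}")
    for c in CANDIDATES:
        print(f"{c.name}: annual cost {c.annual_cost:,.0f}, "
              f"value {safeguard_value(SERVER_BEFORE, c):,.0f}")
    chosen = best_safeguard(SERVER_BEFORE, CANDIDATES)
    print("Recommend:", chosen.name if chosen else "accept or transfer the risk")
```

The point of carrying the calculation through is the last step: a control whose annual cost exceeds the ALE it removes has negative value even though it reduces risk, which is exactly the TCO-versus-ALE comparison the TCO card hints at.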
US framework publication for risk analysis
NIST SP 800-30 (National Institute of Standards and Technology); the 9-step process below is from the original 2002 edition, which Rev. 1 (2012) replaced with a four-step prepare, conduct, communicate, maintain cycle
NIST 800-30 Risk Management 9 step process
- ___
- ___
- ___
- Control Analysis
- Likelihood Determination
- Impact Analysis (loss of CIA)
- Risk Determination (from 5 and 6)
- Control Recommendations (consider all types and categories of controls)
- Results Documentation
- System Characteristics (scope, boundaries, sensitivity)
- Threat Identification
- Vulnerability Identification
NIST 800-30 Risk Management 9 step process
- System Characteristics (scope, boundaries, sensitivity)
- Threat Identification
- Vulnerability Identification
- ___
- ___
- ___
- Risk Determination (from 5 and 6)
- Control Recommendations (consider all types and categories of controls)
- Results Documentation
- Control Analysis
- Likelihood Determination
- Impact Analysis (loss of CIA)
NIST 800-30 Risk Management 9 step process
- System Characteristics (scope, boundaries, sensitivity)
- Threat Identification
- Vulnerability Identification
- Control Analysis
- Likelihood Determination
- Impact Analysis (loss of CIA)
- ___
- ___
- ___
- Risk Determination (from 5 and 6)
- Control Recommendations (consider all types and categories of controls)
- Results Documentation
Circumstantial evidence is ___,
Corroborative evidence is ___
and hearsay is ___
- indirect evidence from which a fact is inferred rather than directly proven
- evidence that supports other evidence or elements of a case
- testimony by one without first-hand knowledge (generally not admissible, except under exceptions such as the business-records rule)
Patents are granted ___ for ___ years, and must be ___, ___ and ___
- after application and examination; 20 (from the filing date); novel, useful, non-obvious
IAB’s Unethical Behavior (RFC 1087), five items:
- ___
- ___
- Wastes resources (people, capacity, computer) through such actions
- Destroys the integrity of computer-based information
- Compromises the privacy of users
- Seeks to gain unauthorized access to the resources of the Internet
- Disrupts the intended use of the Internet
The 5 levels of (internal) Information Security Governance are:
- ___
- ___
- ___
- Procedures (mandatory step-by-step instructions)
- Baselines/benchmarks (mandatory minimum security configuration, e.g. a hardening benchmark)
- Policies (mandatory, high level, non-specific)
- Standards (mandatory, specific use of technology)
- Guidelines (non-mandatory recommendations)