Udemy-Domain 1 Flashcards

1
Q

the opposite of CIA is ___

A

Disclosure, Alteration and Destruction (the DAD triad)

2
Q
Type 1 authentication is ___,
type 2 is ___,
type 3 is ___,
type 4 is ___,
type 5 is ___
A
  • something you know
  • something you have
  • something you are (inherent)
  • somewhere you are
  • something you do
3
Q

a cookie on your PC could be a type ___ authentication

A

2 (something you have)

4
Q

the IP/MAC address of your computer could serve as a type ___ authentication

A

4 (somewhere you are)

5
Q

a pattern unlock on a cellphone could serve as a type ___ authentication

A

5 (something you do)

6
Q

the risk appetite of an organization could be ___, ___ or ___

A

aggressive; neutral; averse (risk-averse)

7
Q

OCTAVE

A

Self Directed risk management (Operationally Critical Threat, Asset and Vulnerability Evaluation)

8
Q

COBIT

A

Goals for IT - stakeholder needs are mapped down to IT related goals (Control Objectives for Information and related Technologies)

9
Q

COSO

A

Goals for an entire organization (Committee Of Sponsoring Organizations)

10
Q

ITIL

A

IT service management (Information Technology Infrastructure Library)

11
Q

FRAP

A

Analyzes one business unit, application or system at a time in a roundtable with internal employees. Impact is analyzed, and threats and risks are prioritized (Facilitated Risk Analysis Process)

12
Q

PCI-DSS

A

Payment Card Industry Data Security Standard

13
Q

ISO 27001

A

framework of requirements for establishing, implementing, maintaining and improving an information security management system (ISMS), following the Plan, Do, Check, Act cycle

14
Q

ISO 27002

A

framework of practical advice on implementing security controls, grouped into 10 domains (the domain count changes between editions of the standard)

15
Q

ISO 27004

A

framework of metrics of success for an information security management system

16
Q

ISO 27005

A

framework for a Standards based approach to risk management

17
Q

ISO 27799

A

framework of directives on how to protect PHI

18
Q

Criminal standard of proof is ___,
the victim is ___
and possible punishments include ___
for the purpose of ___

A
  • “beyond a reasonable doubt”
  • society
  • incarceration, death or fines
  • deterrence
19
Q

Civil/tort standard of proof is ___,
possible punishments include ___
for the purpose of ___

A
  • majority of the evidence (“preponderance of the evidence”)
  • financial fines
  • compensating the victims
20
Q

Administrative/regulatory standard of proof is ___

A

“more likely than not”

21
Q

Due Diligence is satisfied by ___, but Due Care is satisfied by ___

A

research; action (what would a prudent person do?)

22
Q

negligence is the opposite of ___

A

Due Care

23
Q

___ determines your liability for an event

A

Due Care

24
Q

Real evidence is ___,

Direct evidence is ___,

A
  • physical objects
  • first-hand witness testimony

25
Q

the Basic Evidence rule says that evidence should be ___ (5)

A
  1. accurate
  2. relevant
  3. convincing
  4. complete
  5. authentic
26
Q

logs and documents from systems are considered ___ evidence

A

secondary

27
Q

the ___ protects against unreasonable search and seizure

A

fourth amendment

28
Q

___ circumstances may allow certain searches and seizures if there is immediate threat to human life or destruction of evidence

A

exigent

29
Q

(illegal) entrapment is ___ but (legal) enticement is ___

A

persuading someone to commit a crime (creating intent/motive); making a crime easier (presenting means/opportunity)

30
Q

copyrights are granted ___ for ___ years,

trademarks are granted ___ for ___ years

A
  • automatically; life of the author + 70 (95 from publication for corporate works made for hire)
  • after registration; 10 (renewable)

31
Q

trade secrets are protected by ___

A

the company's own secrecy measures only (no registration; protection lasts only as long as the secret is kept)

32
Q

using a cryptographic algorithm without permission could be a ___ infringement

A

patent

33
Q

using software without a license could be a ___ infringement

A

copyright

34
Q

HIPAA laws apply to ___, ___ and ___

A

health care providers; insurers; clearinghouses (claims handlers)

35
Q

HIPAA has 3 rules:

A

Privacy rule, Security rule and Breach Notification rule

36
Q

HIPAA requires security controls in the following layers:

A

administrative, technical and physical

37
Q

general Breach Notification laws belong to the ___ jurisdiction, and often contain exclusions if the data is ___

A

state (since 2018 every state has one; Alabama and South Dakota were the last two to enact theirs); encrypted

38
Q

the ___ (act) protects electronic communications against warrantless wiretapping in the US, but was weakened by the Patriot act

A

ECPA (Electronic Communications Privacy Act)

39
Q

most computer crimes are prosecuted under the ___ (act)

A

CFAA (Computer Fraud and Abuse Act)

40
Q

consumer financial information is protected by the ___ (act)

A

GLBA (Gramm-Leach-Bliley Act)

41
Q

the GLBA, which protects consumer financial data, is driven by the ___ (council)

A

FFIEC (Federal Financial Institutions Examination Council)

42
Q

the ___ (act) regulates the financial reporting (and the IT controls behind it) of all publicly traded companies in the US

A

SOX (Sarbanes-Oxley act)

43
Q

the ___ provides international guidelines for data privacy

A

OECD (Organization for Economic Cooperation and Development)

44
Q

the OECD guidelines for data protection have 8 driving principles:

  1. ___
  2. ___
  3. purpose specification
  4. use limitation
  5. security safeguards
  6. openness
  7. ___
  8. ___
A
  1. collection limitation
  2. data quality
  3. individual participation
  4. accountability
45
Q

the ___ agreement has import/export control for arms and dual-use (commercial and wartime application) technologies including cryptography, for its 41 (now 42) participating states

A

Wassenaar

46
Q

the OECD guidelines for data protection have 8 driving principles:

  1. collection limitation
  2. data quality
  3. ___
  4. ___
  5. ___
  6. ___
  7. individual participation
  8. accountability
A
  1. purpose specification
  2. use limitation
  3. security safeguards
  4. openness
47
Q

an SLA with a vendor often includes your right to ___ and ___ their IT systems

A

audit; penetration test

48
Q

processing the personal data of people in the EU (offering them goods or services, or monitoring them) makes you subject to the ___, even with no EU presence

A

GDPR (General Data Protection Regulation)

49
Q

violation of a GDPR regulation could mean a fine of ___

A

20 million euros or up to 4% of annual worldwide turnover, whichever is greater

50
Q

GDPR provisions:

  1. Restrictions (police/military can still unmask)
  2. Right to access
  3. Right to erasure (“to be forgotten”)
  4. ___
  5. ___
  6. ___
  7. ___
A
  1. Data portability (electronic format)
  2. Breach notification (72 hrs)
  3. Privacy by design (and “need to know” for completion of duties retained only)
  4. Data protection officers appointed
51
Q

GDPR provisions:

  1. ___
  2. ___
  3. ___
  4. Data portability (electronic format)
  5. Breach notification (72 hrs)
  6. Privacy by design (and “need to know” for completion of duties retained only)
  7. Data protection officers appointed
A
  1. Restrictions (police/military can still unmask)
  2. Right to access
  3. Right to erasure (“to be forgotten”)
52
Q

(ISC)² Code of Ethics Preamble:

A
  1. Safety and welfare of society and the common good
  2. Duty to our principals, and to each other
  3. Requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior
53
Q

(ISC)² Code of Ethics Canons:

A
  1. Protect society, the common good, necessary public trust and confidence, and the infrastructure
  2. Act honorably, honestly, justly, responsibly and legally
  3. Provide diligent and competent service to principals
  4. Advance and protect the profession
54
Q

Ten Commandments of the Computer Ethics Institute:

  1. ___
  2. ___
  3. ___
  4. ___
  5. Thou shalt not use a computer to bear false witness
  6. Thou shalt not copy or use proprietary software for which you have not paid
  7. Thou shalt not use other people’s computer resources without authorization or proper compensation
  8. Thou shalt not appropriate other people’s intellectual output
  9. Thou shalt think about the social consequences of the program you are writing or the system you are designing
  10. Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans
A
  1. Thou shalt not use a computer to harm other people
  2. Thou shalt not interfere with other people’s computer work
  3. Thou shalt not snoop around in other people’s computer files
  4. Thou shalt not use a computer to steal
55
Q

Ten Commandments of the Computer Ethics Institute:

  1. Thou shalt not use a computer to harm other people
  2. Thou shalt not interfere with other people’s computer work
  3. Thou shalt not snoop around in other people’s computer files
  4. Thou shalt not use a computer to steal
  5. ___
  6. ___
  7. ___
  8. Thou shalt not appropriate other people’s intellectual output
  9. Thou shalt think about the social consequences of the program you are writing or the system you are designing
  10. Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans
A
  1. Thou shalt not use a computer to bear false witness
  2. Thou shalt not copy or use proprietary software for which you have not paid
  3. Thou shalt not use other people’s computer resources without authorization or proper compensation
56
Q

Ten Commandments of the Computer Ethics Institute:

  1. Thou shalt not use a computer to harm other people
  2. Thou shalt not interfere with other people’s computer work
  3. Thou shalt not snoop around in other people’s computer files
  4. Thou shalt not use a computer to steal
  5. Thou shalt not use a computer to bear false witness
  6. Thou shalt not copy or use proprietary software for which you have not paid
  7. Thou shalt not use other people’s computer resources without authorization or proper compensation
  8. ___
  9. ___
  10. ___
A
  1. Thou shalt not appropriate other people’s intellectual output
  2. Thou shalt think about the social consequences of the program you are writing or the system you are designing
  3. Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans
57
Q

IAB’s Unethical Behavior:

  1. Seeks to gain unauthorized access to the resources of the Internet
  2. Disrupts the intended use of the internet
  3. ___ by:
    a) ___
    b) ___
A
  1. Wastes resources (people, capacity, computer) by:
    a) destroying the integrity of computer-based information
    b) compromising the privacy of users
58
Q

The 5 levels of (internal) Information Security Governance are:

  1. Policies (Mandatory, high level, non-specific)
  2. Standards (Mandatory, specific use of technology)
  3. Guidelines (non-Mandatory recommendations)
  4. ___
  5. ___
A
  1. Procedures (Mandatory step-by-step guides)
  2. Baseline/Benchmarks (Mandatory minimum level of security every system must meet)

59
Q

Personnel Security Principles:

  1. ___
  2. ___
  3. ___
  4. Employee Termination Practices (warnings, and deprovisioning)
  5. Vendors, Consultants and Contractor Security (ensure they have training and meet our standards)
  6. Outsourcing and Offshoring
A
  1. Awareness (necessary to change behavior)
  2. Training (create a skillset)
  3. Hiring Practices (Background check, NDA)
60
Q

Personnel Security Principles:

  1. Awareness (necessary to change behavior)
  2. Training (create a skillset)
  3. Hiring Practices (Background check, NDA)
  4. ___
  5. ___
  6. ___
A
  1. Employee Termination Practices (warnings, and deprovisioning)
  2. Vendors, Consultants and Contractor Security (ensure they have training and meet our standards)
  3. Outsourcing and Offshoring
61
Q

6 Types of Access Control:

A
  1. Preventative
  2. Detective
  3. Corrective
  4. Recovery (backups, alternate sites..)
  5. Deterrent
  6. Compensating
62
Q

AV

A

Asset Value

63
Q

EF

A

Exposure Factor (% of Asset Value)

64
Q

SLE

A

Single Loss Expectancy (AV x EF = cost of one incident)

65
Q

ARO

A

Annual Rate of Occurrence

66
Q

ALE

A

Annualized Loss Expectancy (SLE x ARO = expected cost per year)

67
Q

TCO

A

Total Cost of Ownership (upfront cost of the mitigation + its ongoing operational cost)
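The AV/EF/SLE/ARO/ALE/TCO cards above are the pieces of a quantitative risk analysis; the following is an added worked example, not material from the course, that chains them together and adds the standard safeguard-value test (ALE before the control, minus ALE after it, minus the control's annual cost) to decide whether a control is worth buying. The asset values, exposure factors, rates and control costs are constructed for the illustration; the `Risk`, `Control`, `control_value` and `recommend` names are this example's own.

```python
"""Quantitative risk analysis: SLE = AV x EF, ALE = SLE x ARO,
annual TCO = upfront / lifetime + yearly operating cost,
safeguard value = ALE_before - ALE_after - annual TCO.
Added example with constructed figures; not the course's own code."""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Risk:
    name: str
    av: float   # Asset Value, in currency units
    ef: float   # Exposure Factor: fraction of AV lost in one incident (0..1)
    aro: float  # Annual Rate of Occurrence: incidents per year

    @property
    def sle(self) -> float:
        """Single Loss Expectancy: cost of one incident."""
        return self.av * self.ef

    @property
    def ale(self) -> float:
        """Annualized Loss Expectancy: expected cost per year."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    upfront: float        # one-time purchase and deployment cost
    yearly: float         # recurring operational cost
    new_ef: float         # EF once the control is in place
    new_aro: float        # ARO once the control is in place
    lifetime_years: int = 3

    def annual_tco(self) -> float:
        """TCO spread over the control's service life, per year."""
        return self.upfront / self.lifetime_years + self.yearly


def control_value(risk: Risk, control: Control) -> float:
    """Annual value of a safeguard. Positive: it removes more expected loss
    than it costs. Negative: it costs more than the risk it mitigates, so
    accept or transfer the risk instead, or look for a cheaper control."""
    after = Risk(risk.name, risk.av, control.new_ef, control.new_aro)
    return risk.ale - after.ale - control.annual_tco()


def recommend(risk: Risk, controls: Iterable[Control]) -> Optional[Control]:
    """Return the control with the best annual value, or None if no control
    pays for itself (in which case spending on it would be hard to justify)."""
    ranked = sorted(controls, key=lambda c: control_value(risk, c), reverse=True)
    if not ranked or control_value(risk, ranked[0]) <= 0:
        return None
    return ranked[0]


if __name__ == "__main__":
    # Constructed scenario: a customer database worth 1,000,000; a ransomware
    # incident destroys a quarter of its value and is expected once a decade.
    db = Risk("customer database", av=1_000_000, ef=0.25, aro=0.1)
    print(f"SLE = {db.sle:,.0f}  ALE = {db.ale:,.0f}")

    candidates = [
        # Offsite backups shrink the loss per incident but not its frequency.
        Control("offsite backups", upfront=30_000, yearly=5_000,
                new_ef=0.05, new_aro=0.1),
        # A full hot DR site nearly eliminates the loss, but costs far more
        # per year than the 25,000 ALE it is protecting against.
        Control("hot DR site", upfront=150_000, yearly=20_000,
                new_ef=0.01, new_aro=0.02),
    ]
    for c in candidates:
        print(f"{c.name:16s} annual TCO = {c.annual_tco():>9,.0f}  "
              f"value = {control_value(db, c):>+10,.0f}")
    best = recommend(db, candidates)
    print("recommend:", best.name if best else "accept or transfer the risk")
```

With these figures the backups are worth about 5,000 a year (25,000 ALE before, 5,000 after, 15,000 annual TCO) while the DR site is 45,000 a year in the red; spending more than the ALE on a control is the classic failure the TCO card is warning about.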

68
Q

US framework publication for risk analysis

A

NIST 800-30 (National Institute of Standards and Technology)

69
Q

NIST 800-30 Risk Management 9 step process

  1. ___
  2. ___
  3. ___
  4. Control Analysis
  5. Likelihood Determination
  6. Impact Analysis (loss of CIA)
  7. Risk Determination (from 5 and 6)
  8. Control Recommendations (consider all types and categories of controls)
  9. Results Documentation
A
  1. System Characteristics (scope, boundaries, sensitivity)
  2. Threat Identification
  3. Vulnerability Identification
70
Q

NIST 800-30 Risk Management 9 step process

  1. System Characteristics (scope, boundaries, sensitivity)
  2. Threat Identification
  3. Vulnerability Identification
  4. ___
  5. ___
  6. ___
  7. Risk Determination (from 5 and 6)
  8. Control Recommendations (consider all types and categories of controls)
  9. Results Documentation
A
  1. Control Analysis
  2. Likelihood Determination
  3. Impact Analysis (loss of CIA)
71
Q

NIST 800-30 Risk Management 9 step process

  1. System Characteristics (scope, boundaries, sensitivity)
  2. Threat Identification
  3. Vulnerability Identification
  4. Control Analysis
  5. Likelihood Determination
  6. Impact Analysis (loss of CIA)
  7. ___
  8. ___
  9. ___
A
  1. Risk Determination (from 5 and 6)
  2. Control Recommendations (consider all types and categories of controls)
  3. Results Documentation
72
Q

Circumstantial evidence is ___,
Corroborative evidence is ___
and hearsay is ___

A
  • facts supporting an assertion or other evidence
  • support for facts or elements of a case
  • testimony by one without first-hand knowledge (generally not admissible; exceptions such as business records exist)
73
Q

Patents are granted ___ for ___ years, and must be ___, ___ and ___

A
  • after application; 20; novel, useful, non-obvious
74
Q

IAB’s Unethical Behavior:

  1. ___
  2. ___
  3. Wastes resources (people, capacity, computer) by:
    a) destroying the integrity of computer-based information
    b) compromising the privacy of users
A
  1. Seeks to gain unauthorized access to the resources of the Internet
  2. Disrupts the intended use of the internet
75
Q

The 5 levels of (internal) Information Security Governance are:

  1. ___
  2. ___
  3. ___
  4. Procedures (Mandatory step-by-step guides)
  5. Baseline/Benchmarks (Mandatory minimum level of security every system must meet)
A
  1. Policies (Mandatory, high level, non-specific)
  2. Standards (Mandatory, specific use of technology)
  3. Guidelines (non-Mandatory recommendations)