CISSP - Chapter 4
The GDPR's specific suggestions for what kinds of security actions might be considered "appropriate to the risk" include?
1. The pseudonymisation and/or encryption of personal data. 2. The ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services processing personal data. 3. The ability to restore the availability of and access to data in a timely manner in the event of a physical or technical incident. 4. A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
The document that releases the hacker from any disruptions caused by the penetration test is:
A Liability release
What law prevents government agencies from disclosing personal information that an individual supplies to the government under protected circumstances? A. Privacy Act B. Electronic Communications Privacy Act C. Health Insurance Portability and Accountability Act D. Gramm-Leach-Bliley Act
A. Privacy Act The Privacy Act of 1974 limits the ways government agencies may use information that private citizens disclose to them under certain circumstances.
Which one of the following is not a requirement that Internet service providers must satisfy in order to gain protection under the "transitory activities" clause of the Digital Millennium Copyright Act? A. The service provider and the originator of the message must be located in different states. B. The transmission, routing, provision of connections, or copying must be carried out by an automated technical process without selection of material by the service provider. C. Any intermediate copies must not ordinarily be accessible to anyone other than anticipated recipients and must not be retained for longer than reasonably necessary. D. The transmission must be originated by a person other than the provider.
A. The service provider and the originator of the message must be located in different states. The Digital Millennium Copyright Act does not include any geographical location requirements for protection under the "transitory activities" exemption. The other options are three of the five mandatory requirements. The other two requirements are that the service provider must not determine the recipients of the material and the material must be transmitted with no modification to its content.
Organization for Economic Cooperation and Development (OECD) Principles
Around privacy. Eight core principles: 1. Collection Limitation - limit collection of information to a minimum 2. Data Quality - maintain quality at the highest level 3. Purpose Specification - only use data for that purpose 4. Use Limitation - limit data only to its use 5. Security Safeguards - CIA 6. Openness - be very open about what you are doing and why you are doing it; transparency 7. Individual Participation - opt in, seek consent 8. Data Controller Accountability - keeping accountability.
What industry is most directly impacted by the provisions of the Gramm-Leach-Bliley Act? A. Healthcare B. Banking C. Law enforcement D. Defense contractors
B. Banking The Gramm-Leach-Bliley Act provides, among other things, regulations regarding the way financial institutions can handle private information belonging to their customers.
What law protects the right of citizens to privacy by placing restrictions on the authority granted to government agencies to search private residences and facilities? A. Privacy Act B. Fourth Amendment C. Second Amendment D. Gramm-Leach-Bliley Act
B. Fourth Amendment The Fourth Amendment to the U.S. Constitution sets the "probable cause" standard that law enforcement officers must follow when conducting searches and/or seizures of private property. It also states that those officers must obtain a warrant before gaining involuntary access to such property.
What framework allows U.S. companies to certify compliance with EU privacy laws? A. COBiT B. Privacy Shield C. Privacy Lock D. EuroLock
B. Privacy Shield The Privacy Shield framework, governed by the U.S. Department of Commerce and Federal Trade Commission, allows U.S. companies to certify compliance with EU data protection law.
Which one of the following types of licensing agreements does not require that the user acknowledge that they have read the agreement prior to executing it? A. Standard license agreement B. Shrink-wrap agreement C. Click-wrap agreement D. Verbal agreement
B. Shrink-wrap agreement Shrink-wrap license agreements become effective when the user opens a software package. Click-wrap agreements require the user to click a button during the installation process to accept the terms of the license agreement. Standard license agreements require that the user sign a written agreement prior to using the software. Verbal agreements are not normally used for software licensing but also require some active degree of participation by the software user.
What are the major international intellectual property protection treaties?
Berne Convention, Universal Copyright Convention, WIPO Copyright Treaty
What is the standard duration of patent protection in the United States? A. 14 years from the application date B. 14 years from the date the patent is granted C. 20 years from the application date D. 20 years from the date the patent is granted
C. 20 years from the application date U.S. patent law provides for an exclusivity period of 20 years beginning at the time the patent application is submitted to the Patent and Trademark Office.
Which criminal law was the first to implement penalties for the creators of viruses, worms, and other types of malicious code that cause harm to computer systems? A. Computer Security Act B. National Infrastructure Protection Act C. Computer Fraud and Abuse Act D. Electronic Communications Privacy Act
C. Computer Fraud and Abuse Act The Computer Fraud and Abuse Act, as amended, provides criminal and civil penalties for those individuals convicted of using viruses, worms, Trojan horses, and other types of malicious code to cause damage to computer systems.
Which one of the following is the comprehensive EU law that governs data privacy that was passed in 2016 and goes into effect in 2018? A. DPD B. GLBA C. GDPR D. SOX
C. GDPR The General Data Protection Regulation (GDPR) is a comprehensive data privacy law that protects personal information of EU residents worldwide. The law is scheduled to go into effect in 2018.
Which federal government agency has responsibility for ensuring the security of government computer systems that are not used to process sensitive and/or classified information? A. National Security Agency B. Federal Bureau of Investigation C. National Institute of Standards and Technology D. Secret Service
C. National Institute of Standards and Technology The National Institute of Standards and Technology (NIST) is charged with the security management of all federal government computer systems that are not used to process sensitive national security information. The National Security Agency (part of the Department of Defense) is responsible for managing those systems that do process classified and/or sensitive information.
What compliance obligation relates to the processing of credit card information? A. SOX B. HIPAA C. PCI DSS D. FERPA
C. PCI DSS The Payment Card Industry Data Security Standard (PCI DSS) applies to organizations involved in storing, transmitting, and processing credit card information.
Explain the various types of software license agreements
Contractual license agreements are written agreements between a software vendor and user. Shrink wrap agreements are written on software packaging and take effect when a user opens the package. Click through agreements are included in a package but require the user to accept the terms before the software installation process.
What type of law does not require an act of Congress to implement at the federal level but rather is enacted by the executive branch in the form of regulations, policies, and procedures? A. Criminal law B. Common law C. Civil law D. Administrative law
D. Administrative law Administrative laws do not require an act of the legislative branch to implement at the federal level. Administrative laws consist of the policies, procedures, and regulations promulgated by agencies of the executive branch of government. Although they do not require an act of Congress, these laws are subject to judicial review and must comply with criminal and civil laws enacted by the legislative branch.
Mary is the cofounder of Acme Widgets, a manufacturing firm. Together with her partner, Joe, she has developed a special oil that will dramatically improve the widget manufacturing process. To keep the formula secret, Mary and Joe plan to make large quantities of the oil by themselves in the plant after the other workers have left. They want to protect this formula for as long as possible. What type of intellectual property protection best suits their needs? A. Copyright B. Trademark C. Patent D. Trade secret
D. Trade secret Mary and Joe should treat their oil formula as a trade secret. As long as they do not publicly disclose the formula, they can keep it a company secret indefinitely.
________________ must be designed into products and services from the earliest stage of development (aka privacy by design) when speaking about GDPR.
Data Protection Safeguards
Explain the Data Protection Officer's role around GDPR
Data protection officers must be appointed for all public authorities, and where the core activities of the controller or the processor involve "regular and systematic monitoring of data subjects on a large scale" or where the entity conducts large-scale processing of "special categories of personal data" (such as that revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, and the like). The Regulation requires that they have "expert knowledge of the data protection law and practices," the level of which should be determined in particular according to the data processing operations carried out and the protection required for the personal data processed by the controller or processor.
What is the Electronic Communications Privacy Act of 1986
ECPA makes it illegal to monitor, eavesdrop on, or intercept oral communications, wire communications or electronic communications without the permission of the parties involved. You must give notice that you will be monitoring.
What is standardization?
Formalized guidance that allows us to align with the organization
Explain the E-privacy regulation and why GDPR needs it
Global reach and penalty. It is designed to regulate the use of personal information across all electronic communications including telephony.
What is Health Insurance Portability and Accountability Act?
HIPAA requires those in the healthcare industry to maintain the security of consumers' data and protect health information.
What are the key components of the GDPR
Harmonized across and beyond the EU - organizations outside the EU are subject to the jurisdiction of the EU regulators just by collecting data concerning an EU resident.
Explain the import / export control
Import - accessing it and bringing it in. Export - taking it to other countries. International Traffic in Arms Regulations (ITAR) - what is considered exportable; US centric. Export Administration Regulations (EAR) - under what conditions we can export. The Wassenaar Arrangement - dual-use goods.
Explain Data Subject Access Requests around GDPR
Individuals will have more information on how their data is processed, and this information should be available in a clear, understandable way. DSARs must be executed "without undue delay and at the latest within one month of receipt of the request".
Fines and Enforcement within GDPR
Regulators will now have authority to issue penalties equal to the greater of 10 million euros or 2% of the entity's global gross revenue for violations of record-keeping, security, breach notification, and privacy impact assessment obligations.
Explain the differences in criminal, civil and administrative law
Criminal law protects society against acts that violate the basic principles we believe in. Civil law provides the framework for the transaction of business between people and organizations. Violations of civil law are brought to the court and argued between both parties. Administrative law is used by government agencies to effectively carry out their day-to-day business.
Biggest control of confidentiality
encryption
Explain cyber crime
Engaging in a criminal enterprise or act to cause harm through digital means.
What is a financial audit
Examines the financial statements of an organization and provides an opinion on their accuracy.
biggest control of integrity
hashing/message digest
What is a trademark
The least of the three in the protection it provides. A recognizable sign, design or unique expression related to products or services. Examples: McDonald's arches, Nike swoosh or "Just Do It", UPS brown color.
What is disclosure
making "secret" information public
Security policies are _________ and must be followed?
mandatory
What is the computer fraud and abuse act
prevents individuals from accessing federal government computers without authorization
What is GLB
prohibitions against failing to safeguard consumers' personal information in the banking industry
What is the Economic Espionage Act of 1996
prohibits individuals from stealing or misusing trade secrets
Explain the basic provision of the digital millennium copyright act 1998
Prohibits the circumvention of copy protection mechanisms placed in digital media and limits the liability of internet service providers for the activities of their users.
What is a Data Disclosure
proof of individual stealing data
What are white hat hackers
Security professionals, pentesters, or security researchers breaking into computer systems with the permission of the system owner
What are gray hat hackers
Skilled hackers conducting security research without permission from the system owners but with no malicious intent
What is a black hat hacker
Skilled hackers that exploit systems without authorization
What is an incident
Some sort of occurrence or event. It may or may not have a negative impact. **** An incident that has a negative impact is a BREACH
what are script kiddies
An unskilled attacker using hacking tools (scripts) created by other people
What is the Federal Information Resources Management Regulation
Governs using, managing and acquiring computer resources in the federal government
Violations of GDPR obligations
Violations of obligations related to legal justifications for processing (including consent), data subject rights, and cross-border data transfers may result in penalties of the greater of 20 million euros or 4% of the entity's global gross revenue per instance. Think of cloud providers that may exist in, or fail over to, the EU.
What is a breach
When an individual gains access to your system and "may" have had access to private or confidential information.
What is personal data around GDPR
"Personal Data" is defined in both the Directive and the GDPR as any information relating to a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data or online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. There is no distinction between personal data about individuals in their private, public or work roles - the person is the person.
What's a vulnerability?
A vulnerability is an openness to an attack or loss
The Children's Online Privacy Protection Act was designed to protect the privacy of children using the internet. What is the minimum age a child must be before companies can collect personal identifying information from them without parental consent? A. 13 B. 14 C. 15 D. 16
A. 13 The Children's Online Privacy Protection Act (COPPA) provides severe penalties for companies that collect information from young children without parental consent. COPPA states that this consent must be obtained from the parents of children younger than the age of 13 before any information is collected (other than basic information required to obtain that consent).
Matthew recently authored an innovative algorithm for solving a mathematical problem, and he wants to share it with the world. However, prior to publishing the software code in a technical journal, he wants to obtain some sort of intellectual property protection. Which type of protection is best suited to his needs? A. Copyright B. Trademark C. Patent D. Trade secret
A. Copyright Copyright law is the only type of intellectual property protection available to Matthew. It covers only the specific software code that Matthew used. It does not cover the process or ideas behind the software. Trademark protection is not appropriate for this type of situation. Patent protection does not apply to mathematical algorithms. Matthew can't seek trade secret protection because he plans to publish the algorithm in a public technical journal.
Which of these terms is related to the expected rate of a threat happening? AV, ARO, EF, RTO
ARO
What is a guideline
Best practice recommendation
What is SOX?
Sarbanes-Oxley Act requires accurate financial record keeping for publicly traded companies
What is an audit
Confirms that organizations are compliant with governing regulations
What is the Federal Privacy Act of 1974
requires written permission by government agencies before disclosing any private information. First time any action was taken with technology and privacy.
ISC2 Code of Ethics Canons:
1) protect society, the common good, necessary public trust and confidence, and the infrastructure **** (Do no harm and protect the individual at all cost) 2) act honorably, honestly, justly, responsibly, legally 3) provide diligent and competent service to principals 4) advance and protect the profession
ISC2 Code of Ethics Preamble:
1) the safety and welfare of society and the common good, duty to our principals, and to each other require that we adhere, and be seen to adhere, to the highest ethical standards of behavior 2) therefore, strict adherence to this Code is a condition of certification
The Data Protection Officer's tasks around GDPR are to include?
1. Informing and advising the controller or processor and its employees of their obligations to comply with the GDPR and other data protection laws. 2. Monitoring compliance, including managing internal data protection activities, training data processing staff, and conducting internal audits. 3. Advising with regard to data protection impact assessments when required under Article 33. 4. Working and cooperating with the controller's or processor's designated supervisory authority and serving as the contact point for the supervisory authority on issues relating to the processing of personal data. 5. Being available for inquiries from data subjects on issues relating to data protection practices, withdrawal of consent, the right to be forgotten and related rights.
When assessing the effect of cybercrime, you need to evaluate areas such as:
1. Loss of intellectual property and/or sensitive data (PIA) 2. Damage to brand image/reputation 3. Penalties and compensatory payments 4. Cost of countermeasures
What five rights are associated with a copyright?
1. Reproduce the work in any form, language, or medium 2. Adapt or derive more works from it 3. Make and distribute its copies 4. Perform it in public 5. Display or exhibit it in public
Individual rights of GDPR*****
1. Right to be informed - we treat your data this way, we don't do this and we do do that. 2. The right of access - the right to obtain information about them and what is being done with it. 3. The right to rectification - "I'm not John B. Smith, I'm John E. Smith, and I need that corrected." 4. The right to erasure - the right to be forgotten. 5. The right to restrict processing - if I have exercised my right to erasure, then the company has the right to keep the data for a certain amount of time but must stop processing my data. 6. Right to data portability - data must be movable and not locked to a vendor. 7. The right to object - the right to object to restricted processing if it isn't performed in a reasonable amount of time. 8. Rights in relation to automated decision making and profiling - preventing automated profiling.
Governance, Risk Management and Compliance (GRC)
A business term used to group the three closely related disciplines responsible for the protection of assets and operations. This is looped into the conversation around contractual, legal, industry standard and regulatory requirements. AUDITABILITY
What is a "security policy" or policy
A document created by senior management that identifies the role of security in the organization. Strategic. Direction, focus and boundaries.
Which law governs information security operations at federal agencies? A. FISMA B. FERPA C. CFAA D. ECPA
A. FISMA The Federal Information Security Management Act (FISMA) includes provisions regulating information security at federal agencies. It places authority for classified systems in the hands of the National Security Agency (NSA) and authority for all other systems with the National Institute for Standards and Technology (NIST).
What act updated the privacy and security requirements of the Health Insurance Portability and Accountability Act (HIPAA)? A. HITECH B. CALEA C. CFAA D. CCCA
A. HITECH The Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009 amended the privacy and security requirements of HIPAA.
What are Advanced Persistent Threats
APTs are adversaries that possess sophisticated levels of expertise and significant resources, which allow them to create opportunities to achieve their objectives by using multiple attack vectors. They often work for, or are sponsored by, governments.
Explain Breach and Notification within GDPR
According to the regulation, a "personal data breach" is "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed"
What is the broadest category of computer systems protected by the Computer Fraud and Abuse Act, as amended? A. Government-owned systems B. Federal interest systems C. Systems used in interstate commerce D. Systems located in the United States
C. Systems used in interstate commerce The original Computer Fraud and Abuse Act of 1984 covered only systems used by the government and financial institutions. The act was broadened in 1986 to include all federal interest systems. The Computer Abuse Amendments Act of 1994 further amended the CFAA to cover all systems that are used in interstate commerce, including a large portion (but not all) of the computer systems in the United States.
Which one of the following laws is not designed to protect the privacy rights of consumers and internet users? A. Health Insurance Portability and Accountability Act B. Identity Theft Assumption and Deterrence Act C. USA PATRIOT Act D. Gramm-Leach-Bliley Act
C. USA PATRIOT Act The USA PATRIOT Act was adopted in the wake of the September 11, 2001, terrorist attacks. It broadens the powers of the government to monitor communications between private citizens and therefore actually weakens the privacy rights of consumers and internet users. The other laws mentioned all contain provisions designed to enhance individual privacy rights.
Richard recently developed a great name for a new product that he plans to begin using immediately. He spoke with his attorney and filed the appropriate application to protect his product name but has not yet received a response from the government regarding his application. He wants to begin using the name immediately. What symbol should he use next to the name to indicate its protected status? A. © B. ® C. ™ D. †
C. ™ Richard's product name should be protected under trademark law. Until his registration is granted, he can use the ™ symbol next to it to inform others that it is protected under trademark law. Once his application is approved, the name becomes a registered trademark, and Richard can begin using the ® symbol.
Explain the notification requirements placed on organizations that experience a data breach
California implemented the first statewide requirement to notify individuals of a data breach of their personal information. All but three states eventually followed suit with similar laws. Currently, federal law only requires the notification of individuals when a HIPAA covered entity breaches their protected health information.
What is the name of the process that involves the transport of evidence before a trial?
Chain of custody
When an IT auditor reviews application access controls by assessing whether the last 15 accounts that were granted access were granted it appropriately, what activity is the IT auditor performing?
Compliance Testing
Explain the differences among copyrights, trademarks, patents and trade secrets
Copyrights protect original works of authorship, such as books, articles, poems, and songs. Trademarks are names, slogans, and logos that identify a company, product, or service. Patents provide protection to the creators of new inventions. Trade secret law protects the operating secrets of a firm.
What is the General Data Protection Regulation (GDPR)?
An EU regulation designed to enable individuals to better control their personal data. The Data Protection Directive is designed to enable the police and criminal justice sectors to ensure that the data of victims, witnesses and suspects of crimes are duly protected in the context of a criminal investigation or a law enforcement action.
Which of the following is not used to oversee and/or improve the security performance of employees? Mandatory Vacations, Exit Interviews, Awareness, Annual supervisor reviews
Exit Interviews
A CISSP is calculating asset values for a financial query. The percentage of asset value that is likely to be lost due to an incident is referred to as?
Exposure factor
What is KPI
Key Performance Indicator: these are metrics used to help an organization define and evaluate how successful it is, typically in terms of making progress towards its long-term organizational goals
Explain the importance of a well rounded compliance program?
Most organizations are subject to a wide variety of legal and regulatory requirements related to information security. Building a compliance program ensures that you become and remain compliant with these overlapping requirements.
What is PCI
Payment Card Industry (PCI) Data Security Standard (PCI DSS). Not a US law; it is an international standard that requires organizations that handle payment cards to take safeguards to ensure the safe handling of this critical information. A framework.
List the four types of security documents
Policies - security policies are the most high-level document. Standards - how to implement policies. Guidelines or baselines - recommendations. Procedures - mandatory, and describe how policies, standards, baselines and guidelines will be implemented in a given situation, e.g. a new user account procedure.
What is a copyright
Protects published or unpublished original work (never seen before), usually for its author's life plus 50 years. Software can also be copyrighted.
Which of the following is NOT one of the three things needed to commit a computer crime? Opportunity, Motive, Means, Skill
Skill
What is a procedure
Step by step method of accomplishing something (tactical)
Explain the basic provisions of the major laws designed to protect society against computer crime
The Computer Fraud and Abuse Act protects computers used by the government or in interstate commerce from a variety of abuses. The Electronic Communications Privacy Act (ECPA) makes it a crime to invade the electronic privacy of an individual.
Explain how to incorporate security into the procurement and vendor governance process
The expanded use of cloud services by many organizations requires added attention to conducting reviews of information security controls during the vendor selection process and as part of ongoing vendor governance.
Privacy management around GDPR
The regulation mandates a "Risk Based Approach," where the appropriate organizational controls must be developed according to the degree of risk associated with the processing activities.
Explain controllers and processors within GDPR
The regulation separates the responsibilities and duties of data controllers and processors, obligating controllers to engage only those processors that provide "sufficient guarantees to implement appropriate technical and organizational measures" to meet the Regulation's requirements and protect data subjects' rights. A data controller is the entity (person, organization, etc.) that determines the why and the how for processing personal data. A data processor, on the other hand, is the entity that actually performs the data processing on the controller's behalf.
Explain Legitimate Interests and Direct Marketing within GDPR
The regulation specifically recognizes that the processing of data for "direct marketing purposes" can be considered as a legitimate interest.
Explain the major laws that govern privacy of personal information in both the United States and the European Union
The United States has a number of privacy laws that affect the government's use of information as well as the use of information by specific industries, such as financial services companies and healthcare organizations that handle sensitive information. The EU has a more comprehensive General Data Protection Regulation that governs the use and exchange of personal information.
What is the first step in the risk assessment process
To plan for and prepare for the risk assessment
Which form of intellectual property contains an "intent to use" clause, which provides protection for a registration you intend to use but may not necessarily be using at the current time?
Trademark
What is a patent
You apply to a government to receive a patent; you are an inventor or assignee, and it typically lasts for 20 years.
What is a breach
An occurrence or event that has a negative outcome
Explain profiling around GDPR
Any automated processing of personal data to determine certain criteria about a person. Individuals have the right not to be subject to the results of automated decision making, including profiling. So individuals can opt out of profiling.
what are hacktivists
Black hat hackers motivated by political reasons
Organization code of ethics
A code of ethics within the organization. One size fits one.
_______________ are also known as safeguards or countermeasures
controls
Only put controls in place that are ______________ effective
cost
What is an event / exploit in regards to a vulnerability or threat exposure?
An instance in which a loss is experienced
Explain the basic provisions of the economic espionage act of 1996
Provides penalties for individuals found guilty of the theft of trade secrets. Harsher penalties apply when the individual knows that the information will benefit a foreign government.
What are the 1991 US Federal Sentencing Guidelines
Provide sentencing guidelines for white collar crimes and enhancements for using technology in those crimes.
What is a loss in regards to a vulnerability or threat exposure?
A real or perceived devaluation of an asset
What is the Computer Security Act of 1987
Requires government agencies to locate sensitive systems, provide security training and develop computer security plans for any systems that contain sensitive information.
What is the Office of Management and Budget Circular A-130
Requires that federal agencies have security programs in place.