module 7
Risk management
the process of identifying, prioritizing, and addressing risks.
ISO/IEC 27002
An update to the ISO 17799 standard
Nonpublic personal information (NPI)
Any personally identifiable financial information that a consumer provides to a financial institution. This term is defined by the Gramm-Leach-Bliley Act.
Publicly traded companies
Companies owned by a number of different investors, who own shares of their stock
Recommendations
Formal term for ITU-T international standards
Electronic protected health information (EPHI)
Patient health information that is computer based. It is PHI stored electronically.
Technology protection measure (TPM)
Technology used to filter content from which children are to be protected
True
The Federal Information Security Management Act (FISMA) of 2014 defines the roles, responsibilities, accountabilities, requirements, and practices that are needed to fully implement FISMA security controls and requirements. True/False
True
The International Electrotechnical Commission (IEC) was instrumental in the development of standards for electrical measurements, including gauss, hertz, and weber. True/False?
True
The Internet Architecture Board (IAB) is a subcommittee of the IETF. True/False?
False
The main goal of the Gramm-Leach-Bliley Act (GLBA) is to protect investors from financial fraud. True/False?
True
Visa, MasterCard, and other payment card vendors helped to create the Payment Card Industry Data Security Standard (PCI DSS). True/False?
Qualified security assessor (QSA)
a certified individual qualified and authorized to perform PCI compliance assessment
Protected health information (PHI)
any individually identifiable information that relates to the physical or mental condition or the provision of healthcare to an individual
Privately held companies
A company held by a small group of private investors
Covered entity
Health plans, health care clearinghouses, and health care providers who transmit health information by electronic means.
International Telecommunication Union (ITU)
The main United Nations agency responsible for managing and promoting information and technology issues
Report of compliance (ROC)
Defined by the PCI Data Security Standard, this is a summary of the assessment activities performed during an audit. It is included as part of the Attestation of Compliance.
Directory information
information that is publicly available about users of a computer system, such as students at a school
American National Standards Institute (ANSI)
A U.S. standards organization whose goal is to empower its members and constituents to strengthen the U.S. marketplace position in the global economy, while helping to ensure the safety and health of consumers and the protection of the environment.
Internet Engineering Task Force (IETF)
A standards organization that develops and promotes Internet standards.
ISO 17799
An international security standard that documents a comprehensive set of controls that represent information system best practices
Request for comments (RFC)
Documents through which standards and protocols are defined and published for all to see on the IETF website.
World Wide Web Consortium (W3C)
An organization formed in 1994 to develop and publish standards for the World Wide Web
Chief information security officer (CISO)
Federal agencies are required to name a senior official in charge of information security. What title is normally given to these individuals?
Authorize the IT system for processing.
Howard is leading a project to commission a new information system that will be used by a federal government agency. He is working with senior officials to document and accept the risk of operation prior to allowing use. What step of the risk management framework is Howard completing?
International Electrotechnical Commission (IEC)
The predominant organization for developing and publishing international standards for technologies related to electrical and electronic devices and processes
Miller test
The three-prong approach defined by the U.S. Supreme Court to decide whether to label something as obscene.
National Institute of Standards and Technology (NIST)
A federal agency within the U.S. Department of Commerce whose mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.
Standards
a mandated requirement for a hardware or software solution that is used to deal with a security risk throughout the organization
Approved scanning vendor (ASV)
A qualified and approved company able to perform Payment Card Industry (PCI) vulnerability assessment scans
Electrotechnology
the collective body of knowledge addressed by the International Electrotechnical Commission (IEC)
Control objectives
the goal or final outcome of what a control or requirement must achieve when implemented correctly
Sarbanes-Oxley Act of 2002
A US federal law requiring officers of publicly traded companies to have accurate and audited financial statements.
Minimum necessary rule
A rule that covered entities may disclose only the amount of protected health information absolutely necessary to carry out a particular function
False
All request for comments (RFC) originate from the Internet Engineering Task Force (IETF). True/False?
Personally identifiable information
Data that can be used to individually identify a person
Attestation of compliance (AOC)
Defined by the PCI Data Security Standard, this is an annual written statement of an organization's compliance signed by the Chief Executive Officer, with any gaps or compensating security controls identified and documented.
Self-assessment questionnaire (SAQ)
Defined by the PCI Data Security Standard, this is a series of yes-or-no questions used to guide the organization toward determining their own compliance with the standard's requirements
Business associates
Under HIPAA, organizations that perform a health care activity on behalf of a covered entity
True
Under the Federal Information Security Management Act (FISMA), all federal agencies must report security incidents to the U.S. Computer Emergency Readiness Team (US-CERT). True/False
Network
Which term accurately describes Layer 3 of the Open Systems Interconnection (OSI) model?
International Organization for Standardization (ISO)
an international nongovernmental organization with the goal of developing and publishing international standards
Compliance
the act of following laws, rules, and regulations that apply to your organization and its use of IT systems, applications, and data.
ITU Telecommunication Sector (ITU-T)
The committee of the ITU responsible for ensuring the efficient and effective production of standards covering all fields of telecommunications for all nations.