Module 2
National Information Infrastructure Protection Act of 1996 modified which Act?
Computer Fraud and Abuse Act
The CPMT conducts the BIA in three stages but does not
Determine mission/business processes and recovery criticality, identify recovery priorities for system resources, identify resource requirements.
The ______ is based on and directly supports the mission, vision, and direction of the organization and sets the strategic direction, scope, and tone for all security efforts.
EISP
The ____ attempts to prevent trade secrets from being illegally shared.
Economic Espionage Act
This act is a collection of statutes that regulate the interception of wire, electronic, and oral communications.
Electronic Communications Privacy Act
_______ is the legal obligation of an entity that extends beyond criminal or contract law.
liability
The stated purpose of ISO/IEC 27002 is to "offer guidelines and voluntary directions for information security ________."
management
The Privacy of Customer Information Section of the common carrier regulation states that any proprietary information shall be used explicitly for providing services, and not for any _______ purpose.
marketing
The _____ of an organization are the intermediate states obtained to achieve progress toward a goal or goals.
objectives
_____ controls address personnel security, physical security, and the protection of production inputs and outputs.
operational
The spheres of security are the foundation of the security framework and illustrate how information is under attack from a variety of sources, with far fewer protection layers between the information and potential attackers on the __________ side of the organization.
people
Managerial directives that specify acceptable and unacceptable employee behavior in the workplace are known as __________.
policies
___________ law regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments.
public
A ______ plan is a plan for the organization's intended strategic efforts over the next several years.
strategic
Some policies may need a(n) ____________________ indicating their expiration date.
sunset clause
The ______ of 1999 provides guidance on the use of encryption and provides protection from government intervention.
Security and Freedom through Encryption Act
Which country reported the least tolerant attitudes toward personal use of organizational computing resources?
Singapore
_____ often function as standards or procedures to be used when configuring or maintaining systems.
SysSPs
When BS 7799 first came out, several countries, including the United States, Germany, and Japan, refused to adopt it, claiming that it had fundamental problems. Which of the following is NOT one of those problems?
The global information security community had already defined a justification for a code of practice, such as the one identified in ISO/IEC 17799
The SETA program is a control measure designed to reduce the instances of ______ security breaches by employees.
accidental
It is good practice, however, for policy _____ to solicit input both from technically adept information security experts and from business-focused managers in each community of interest when making revisions to security policies.
administrators
A ________ is a document containing contact information for the people to be notified in the event of an incident.
alert roster
A fundamental difference between a BIA and risk management is that risk management focuses on identifying the threats, vulnerabilities, and attacks to determine which controls can protect the information, while the BIA assumes _____
controls have been bypassed, are ineffective, or have failed
______ are the fixed moral attitudes or customs of a particular group.
cultural mores
The difference between a policy and a law is that ignorance of a law is an acceptable defense. (T/F)
False
A security ________ is an outline of the overall information security strategy for the organization and a roadmap for planned changes to the information security environment of the organization.
framework
The Computer _________ and Abuse Act of 1986 is the cornerstone of many computer-related federal laws and enforcement efforts.
fraud
In early 2014, in response to Executive Order 13636, NIST published the Cybersecurity Framework, which is intended to allow organizations to _____.
identify and prioritize opportunities for improvement within the context of a continuous and repeatable process
A ______ is a plan or course of action that conveys instructions from an organization's senior management to those who make decisions, take actions, and perform other duties.
policy
_______ is a strategy of using multiple types of technology that prevent the failure of one system from compromising the security of information.
redundancy
RAID is an acronym for a _____ array of independent disk drives that stores information across multiple units to spread out data and minimize the impact of a single drive failure.
redundant
According to NIST SP 800-14's security principles, security should ________.
support the mission of the organization, require a comprehensive and integrated approach, and be cost-effective
___________-specific security policies often function as standards or procedures to be used when configuring or maintaining systems.
systems
According to the National Information Infrastructure Protection Act of 1996, the severity of the penalty for computer crimes depends on the value of the information obtained and whether the offense is judged to have been committed for each of the following except ______.
to harass
Good security programs begin and end with policy. (T/F)
true
You can create a single comprehensive ISSP document covering all information security issues. (T/F)
true
Criminal law addresses activities and conduct harmful to society and is categorized as private or public. (T/F)
True
Due care and due diligence require that an organization make a valid effort to protect others and continually maintain this level of effort, ensuring these actions are effective. (T/F)
True
Each policy should contain procedures and a timetable for periodic review. (T/F)
True
A standard is a plan or course of action that conveys instructions from an organization's senior management to those who make decisions, take actions, and perform other duties. (T/F)
False
For policy to become enforceable it only needs to be distributed, read, understood, and agreed to. (T/F)
False
The ISSP sets out the requirements that must be met by the information security blueprint or framework. (T/F)
False
The key difference between laws and ethics is that ethics carry the authority of a governing body and laws do not. (T/F)
False
Laws and policies and their associated penalties only deter if the following conditions are present: ______.
Fear of penalty, probability of being caught, and probability of the penalty being administered.
Laws, policies, and their associated penalties only provide deterrence if three conditions are present. List and describe them.
Fear of penalty: potential offenders must fear the penalty. Probability of being apprehended: potential offenders must believe there is a strong possibility of being caught. Probability of penalty being applied: potential offenders must believe that the penalty will be administered.
What is the subject of the Computer Security Act?
Federal Agency Information Security
What is the subject of the Sarbanes-Oxley Act?
Financial Reporting
Which act is also known as the Gramm-Leach-Bliley Act?
Financial Services Modernization Act
Redundancy can be implemented at a number of points throughout the security architecture, such as in _______.
Firewalls, proxy servers and access controls
What is the purpose of security education, training, and awareness (SETA)?
Improve awareness of the need to protect system resources, and develop skills and knowledge so computer users can perform their jobs more securely.
The Health Insurance Portability and Accountability Act of 1996, also known as the _____ Act, protects the confidentiality and security of health care data by establishing and enforcing standards and by standardizing electronic data interchange.
Kennedy-Kassebaum
_______ controls cover security processes that are designed by strategic planners and implemented by the security administration of the organization.
Managerial
The goals of information security governance include all but ______.
Regulatory compliance by using information security knowledge and infrastructure to support minimum standards of due care
The _____ defines stiffer penalties for prosecution of terrorist crimes.
USA Patriot Act
What three purposes does the ISSP serve?
1. Addresses specific areas of technology, such as authorized and prohibited usage of equipment, policies, liability, and systems management. 2. Requires frequent updates. 3. Contains a statement on the organization's position on specific issues.
List the five fundamental principles of HIPAA.
1. Consumer control of medical information 2. Boundaries on the use of medical information 3. Accountability for the privacy of private information 4. Balance of public responsibility for the use of medical information for the greater good measured against impact to the individual 5. Security of health information
This act defines and formalizes laws to counter threats from computer-related acts and offenses.
Computer Fraud and Abuse Act of 1986
What are the requirements for a policy to become enforceable?
Dissemination (distribution): the organization must be able to demonstrate that the relevant policy has been made readily available for review by the employee. Review (reading): the organization must be able to demonstrate that it disseminated the document in an intelligible form, including versions for illiterate, non-English-reading, and reading-impaired employees. Comprehension (understanding): the organization must be able to demonstrate that the employee understood the requirements and content of the policy. Compliance (agreement): the organization must be able to demonstrate that the employee agrees to comply with the policy, through act or affirmation. Uniform enforcement: the organization must be able to demonstrate that the policy has been uniformly enforced, regardless of employee status or assignment.
The transfer of large batches of data to an off-site facility is called ____.
electronic vaulting
SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, provides best practices and security principles that can direct the security team in the development of a security ____.
blueprint
Individuals with authorization and privileges to manage information within the organization are most likely to cause harm or damage _______.
by accident
____ law comprises a wide variety of laws that govern a nation or state.
civil
A _____ site provides only rudimentary services and facilities.
cold
Incident _________ is the rapid determination of the scope of the breach of the confidentiality, integrity, and availability of information and information assets during or just following an incident.
damage assessment
Standards may be published, scrutinized, and ratified by a group, as in formal or ____ standards.
de jure
____ is a strategy for the protection of information assets that uses multiple layers and different types of controls (managerial, operational, and technical) to provide optimal protection.
defense in depth
Security _____ are the areas of trust within which users can freely communicate.
domains
Criminal or unethical ____ goes to the state of mind of the individual performing the act.
intent
The Council of Europe adopted the Convention on Cybercrime in 2001 to oversee a range of security functions associated with ____ activities.
internet
"Long arm _____" refers to the long arm of the law reaching across the country or around the world to draw an accused individual into its court systems whenever it can establish jurisdiction.
jurisdiction
__________ are rules that mandate or prohibit certain behavior and are enforced by the state.
laws