Info Tech Chapter 3
An organization creates policies and a framework for the application of controls. The organization then maps existing controls to each regulation to which it must comply. Thereafter, the organization performs a __________ to identify anything that is missing.
Gap Analysis
National Do Not Call Registry
Registry provides a choice for consumers as to whether they receive telemarketing calls at home
Privacy Act of 1974
Act imposes limits on personal information collected by US federal agencies
LAN-to-WAN Domain
Bridge between the LAN and WAN. WAN is a network that covers a large area, often connecting multiple LANs.
What is a VPN?
Example of a remote access solution that creates an encrypted communications tunnel over a public network.
Comprehensive security assessment
Provides a more targeted, concise, and technical review of information systems; involves control reviews and identification of vulnerabilities
Electronic Communications Privacy Act of 2000
Regulates and protects the privacy of e-mail and other electronic communications
Workstation Domain
The end users' operating environment
Policies
General statements that address the operational goals of an organization.
Regarding privacy, what is a common characteristic of "personal information"?
It can be used to identify a person
HIPAA
Privacy rule within Title II of this act is concerned with the security and privacy of health data.
Frameworks
Provide a blueprint for implementing high-level controls within an organization (COBIT)
Control Standards
Provide specific security controls (NIST 800-53 and ISO/IEC 27002).
High-level Security Assessment
Provides an overall view of the information systems and is useful when examining across a broad scope
System/Application Domain
Systems on the network that provide the applications and software for users.
High-impact systems
Systems that process or store sensitive information
Gramm-Leach-Bliley Act (GLBA)
The Financial Privacy Rule within the act is concerned with the collection and disclosure of personal financial information.
User Domain
The end users of the systems, including how they authenticate into the systems
Privacy Management
The rights and obligations of individuals and organizations with respect to the collection, use, disclosure, and retention of personal information.
What term describes the identification, control, logging, and auditing of all changes made across the infrastructure?
Configuration and Change Management
Configuration and Change Management
Process of controlling systems throughout their life cycle to make sure they are operating as intended in accordance with security policies and standards
Remote Access Domain
The access infrastructures for users accessing remote systems.
Internal Standards
Describe mandatory processes or objectives that align with the goals of the policies.
SB1386
California Security Breach Information Act regulates the privacy of personal information.
What are examples of the WAN domain?
Channel/Data Service Unit, codecs and backbone circuits.
Gap Analysis
Comparison between desired outcome and actual outcome that helps identify what is missing.
ISO/IEC 27002
Compliance with legal and regulatory requirements; compliance with security policies and standards; and technical compliance.
WAN Domain
Equipment and activities outside of the LAN and beyond the LAN-to-WAN domain
LAN Domain
Equipment that makes up the local area network. A LAN is a computer network for communications between systems covering a small physical area.
Children's Online Privacy Protection Act (COPPA)
This act contains provisions for Web sites collecting personal information from children under 13 years of age.
Preproduction security assessment
Used for new systems prior to being placed in production; may also be used for systems after having undergone a significant change
An acceptable use policy (AUP) is part of the _____________ Domain.
User Domain
In an IT infrastructure, the end users' operating environment is called the _____________.
Workstation Domain