Flashcards covering key concepts related to information security maintenance, legal issues, and ethical considerations.
Why is there a need to maintain the Info Sec program?
Because of changes arising from sale and purchase of assets, creation of new vulnerabilities, shifting business priorities, new alliances, end of long-standing relationships, personnel changes, technology, and processes.
What are the areas of Info Sec covered by NIST SP 800-100?
Information Security Governance, SDLC, Awareness and Training, Capital Planning & Investment Control, Interconnecting systems, Performance measures, Security Planning, IT Contingency Planning, Risk Management, Certification, Accreditation, and Security Assessments, Security Services and Products Acquisition, Incident response, and Configuration (or Change) Management
What are the activities monitored under Information Security Governance according to NIST SP 800-100?
Ongoing initiatives, updated policies and procedures, and whether the aim of controls is being met.
What areas are monitored within SDLC according to NIST SP 800-100?
Configuration management (CM) and control, and continuous monitoring and assessment.
List monitoring activities for Awareness and Training based on NIST SP 800-100.
Monitor compliance and effectiveness, automated tracking system, follow-up and corrective action, and updated training and awareness materials.
What is the Select-Control-Evaluate process related to?
Capital Planning & Investment Control (CPIC)
What NIST document provides guidance for interconnecting systems?
NIST SP 800-47
What is evaluated during IT Contingency Planning according to NIST SP 800-100?
Regular review of contingency plans to ensure these are up to date and evaluation and updating of business impact analysis (BIA).
What are the Monitoring Activities in Incident Response based on NIST SP 800-100?
Incident response life cycle (Preparation -> Detection & Analysis -> Containment, Eradication & Recovery -> Post-Incident Activity), Help desk, and Problem management
What are the steps in the Security Maintenance Model?
External monitoring, Internal monitoring, Planning and risk assessment, Vulnerability assessment and remediation, and Readiness and review
What are the elements of External Monitoring?
Monitoring, Escalation, Incident Response
What actions constitute Internal Monitoring?
Inventory, IT governance process, Real-time monitoring of IT activity (IDPS, Difference analysis), and Monitoring internal state of networks and systems
What activities occur during Planning and Risk Assessment?
Formal information security program review process, Follow-up activities, Coordination with IT project teams, and Integrating a mindset of risk assessment
What are key actions during Vulnerability Assessment and Remediation?
Documented vulnerability assessment procedures, Background information and tested recommendation procedures, Tracking vulnerabilities until remediation, Communicating vulnerabilities, Reporting, and Decision to accept risk of loss
What areas are assessed during vulnerability assessments?
Internet, Intranet, Platform security validation, Wireless, and Modem
What types of Penetration testing are there?
White box, Black box, and Grey box
What elements are part of Readiness and Review?
Policy review, Program review, and Rehearsals
What are the possible causes of Unethical Behavior?
Ignorance, Accident, and Intent
List Federal Security Laws to Combat IT Crimes
Sarbanes–Oxley Act of 2002, Computer Fraud and Abuse Act, 1984, Computer Security Act, 1987, Homeland Security Act of 2002 with the Cyber Security Enhancement Act, Payment Card Industry Data Security Standards of 2004, Federal Information Security Management Act of 2002, Electronic Signature Laws – Uniform Electronic Transactions Act of 1999 and Electronic Signatures in Global and National Commerce Act of 2000
List Federal Privacy Laws to Combat IT Crimes
Privacy Act of 1974, Electronic Communications Privacy Act, 1986, Communications Decency Act, 1996, Children's Online Privacy Protection Act, 1998, Health Insurance Portability & Accountability Act, 1996, Health Information Technology for Economic and Clinical Health Act, 2009, Gramm-Leach-Bliley Act, 1999, USA PATRIOT Act, 2001