What is compliance in the context of information security?
Compliance is adherence to the rules and regulations that govern the information handled and the industry within which an organization operates.
What are the two types of compliance?
Regulatory Compliance and Industry Compliance.
What is Regulatory Compliance?
Adherence to laws specific to the industry, with legally mandated requirements.
What can happen if an organization fails to comply with regulatory requirements?
Non-compliance can result in fines, legal action, or business shutdown.
Give examples of regulatory compliance laws.
FISMA, HIPAA, SOX, CIPA, COPPA (US); Data Privacy Act (Philippines).
What is Industry Compliance?
Adherence to standards set by an industry body rather than by law; non-compliance is not illegal in itself but can severely impact business operations (for example, losing the ability to process card payments).
What is an example of Industry Compliance?
PCI DSS (Payment Card Industry Data Security Standard).
What types of controls do organizations use to achieve compliance?
Physical Controls, Administrative Controls, and Technical Controls.
What is an information security policy?
A formalized statement that defines how security will be implemented within an organization.
What is the purpose of an information security policy?
To protect the confidentiality, integrity, and availability (CIA) of sensitive data and resources.
What is an Acceptable Use Policy?
A policy stating what users may and may not do with an organization's network, systems, and Internet access, which users must agree to before they are granted access.
What does a Backup Policy define?
Backup schedules, retention, and recovery procedures.
What is the purpose of an Incident Response Policy?
To help IT staff detect, respond to, and recover from security incidents.
What is the purpose of a Data Classification Policy?
To categorize a company's stored information based on its sensitivity level.
What are the four data classification levels?
Public, Internal, Confidential, Restricted.
What is the lowest sensitivity level in data classification?
Public.
What is an example of Confidential data?
Employee records, student grades, financial data.
What does PCI DSS stand for?
Payment Card Industry Data Security Standard.
What is the scope of FISMA?
All US federal government agencies, state agencies, and private companies handling federal data.
What is the purpose of HIPAA?
To protect the rights and data of patients in the US healthcare system.
What does SOX regulate?
Financial data, operations, and assets of publicly-held companies.
What is the requirement of CIPA?
To prevent children from accessing obscene or harmful content over the Internet; it requires schools and libraries that receive federal E-Rate funding to filter Internet access.
What does COPPA regulate?
Websites and online services that collect personal information from children younger than 13, which must obtain verifiable parental consent.
What is Personally Identifiable Information (PII)?
Information that can identify an individual, such as name, address, SSN, phone number.
What is the highest level of data sensitivity?
Restricted.
What are the consequences of exposing Restricted data?
It could cause serious legal, financial, or reputational damage.
What are examples of Restricted data?
Source code, medical records, encryption keys, intellectual property.
What is the purpose of a Password Policy?
To establish rules for creating, storing, and utilizing secure passwords.
What is a Network Access Policy?
Defines who can access what network resources.
What is the purpose of RA 8792 (E-Commerce Act)?
Legalizes electronic/online transactions, documents, and signatures.
How does the E-Commerce Act promote e-commerce?
By providing a secure and predictable legal environment.
What is considered a criminal offense under the E-Commerce Act?
Hacking or unauthorized access to computer systems.
What does RA 10173 (Data Privacy Act) safeguard?
Individuals' personal data, especially in electronic transactions.
What is a key requirement of the Data Privacy Act?
Process personal data only on a lawful basis, typically the data subject's freely given, specific, and informed consent, and only for a declared, legitimate purpose.
What must organizations do in case of data breaches according to the Data Privacy Act?
Notify the National Privacy Commission (NPC) and the affected individuals, within 72 hours of learning of the breach.
What is the main requirement of RA 11934 (SIM Registration Act)?
All SIM cards must be registered before activation.
What illegal activities does the SIM Registration Act aim to combat?
Scam texts, cybercrime, and terrorism.
What is the purpose of RA 10175 (Cybercrime Prevention Act)?
Addresses and penalizes crimes committed through computer systems and the Internet.
What are some defined offenses under the Cybercrime Prevention Act?
Hacking, identity theft, cybersex, child pornography, and online libel.
What is the penalty for cyber-libel under the Cybercrime Prevention Act?
1-6 months imprisonment and/or a fine of ₱50,000-₱250,000.
What distinguishes laws from ethics in information security?
Laws tell you what you must NOT do, while ethics guide you on what you SHOULD do.
What is the principle of confidentiality in information security ethics?
Protect data from unauthorized access and respect privacy.
What does the integrity principle in information security entail?
Ensuring data accuracy and authenticity, avoiding tampering.
What is the availability principle in information security ethics?
Keeping systems accessible and functioning, prioritizing safety.
What is an example of a common ethical violation in information security?
Peeking at customer or employee records without authorization.
What is the ethical dilemma regarding access control?
Having admin access does not mean you are authorized to view data you do not need for your job; looking up a friend's or relative's records is unethical even though you technically can.
What is gray hat hacking?
Probing or exploiting systems without the owner's permission, usually without malicious intent (often to report the flaw), but still unauthorized and generally illegal.
What should professionals do regarding sensitive information after employment ends?
Continue to protect it: confidentiality obligations and non-disclosure agreements survive the end of employment.
What is a critical concept to master regarding laws?
Understand the difference between regulatory compliance and industry compliance.
What is the main purpose of the Data Privacy Act?
To protect personal data in digital transactions.
What is the penalty for hacking under the Cybercrime Prevention Act?
6-12 years imprisonment and/or at least ₱200,000 fine.
What does the term 'ethical dilemma' refer to in information security?
Situations where a decision may conflict with ethical standards.
What is the importance of continuous learning in the professional code of ethics?
To maintain professional competence.
What is a common exam question type related to ethics?
Scenario-based ethics questions asking 'What would you do?'.
What should you consider when faced with an ethical scenario?
Do I have proper authorization? Is this action necessary for my job?