4180824
| Question | Answer |
| Points of Vulnerability | Man-in-the-Middle Rogue Access Points Session Hijacking Denial of Service (DoS) |
| Wireless Challenges | Lack of user authentication Weak Encryption Poor Network Management |
| Intrusions | Known Vulnerabilities Configuration Errors Fix: Patch in a timely manner (effective cyber security strategy) |
| Japan - PIP (Personal Information Protection Act) Effective: May 2003 Compliance: May 2005 | Applies to: National & Local Gov't Private Companies Protects against: Loss of personal data Unauthorized Access Unauthorized Disclosure |
| Canada - PIPEDA (Personal Information Protection & Electronic Document Act) Effective: April 2000 Compliance: January 2004 | Rules for: Collection Use Disclosure 10 FIPs |
| 10 FIPs (Fair Information Principles) | 1. Accountability 2. Identifying Purposes 3. Consent 4. Limiting Collection 5. Limiting Use, Disclosure, Retention 6. Accuracy 7. Safeguards 8. Openness 9. Individual Access 10. Challenging Compliance |
| Australia - FPA (Federal Privacy Act) Effective: December 2001 | Protect the privacy of individuals Regulate credit providers & credit reporting agencies 11 IPPs 10 NPPs |
| 11 IPPs (Information Privacy Principles) | 1. Manner & purpose of collection 2. Collecting directly from individuals 3. Collecting information generally 4. Storage & Security 5-7. Access & Amendment 8-10: Information Use 11: Disclosure |
| 10 NPPs (National Privacy Principles) | 1. Collection 2. Use & Disclosure 3. Info Quality 4. Info Security 5. Openness 6. Access & Correction 7. Identifiers 8. Anonymity 9. Transborder Data Flow 10. Sensitive Information |
| European Union - DPD (Data Protection Directive) Effective: October 1995 | Covers processing of personal data, automatically processed, & manual data in a filing system 95/46 |
| United Kingdom The Turnbull Guidance (Internal Control: Guidance for Directors on the Combined Code) Effective: December 2000 | Companies to manage identified internal & external risk within the organization |
| United Kingdom - DPA (Data Protection Act) Effective: 1998 | Prevent: Unauthorized or unlawful processing Accidental loss or damage to data |
| United Kingdom F of IA (Freedom of Information Act) Compliance: January 2005 | Prevent: Altering or corruption of public authority information Ensure: Uptime |
| United States - GLB Act (Gramm-Leach-Bliley Act) Effective: November 1999 | Provisions for: Confidentiality, Integrity, Availability in the areas of: Admin, Physical, & Tech Safeguards Applies to: Banks, Security firms, Insurance companies, & sellers of financial products |
| United States - 21 CFR Part 11 (Title 21 of the US Code of Federal Regulations Part 11) Published: August 2003 | Ensure authenticity, integrity, confidentiality, & non-repudiation of electronic records (part of the FDA) |
| NERC's - CSS North American Electric Reliability Council Cyber Security Standards | Requires power utilities to assess and enhance their security environments (Critical Infrastructure Protection - CIP) |
| Critical Infrastructure Protection (CIP) | CIP-002: Critical Cyber Assets CIP-003: Security Management Controls CIP-004 Personnel & Training CIP-005: Electronic Security CIP-006: Physical Security CIP-007: Systems Security Management |
| Deter and Detect Attacks | Firewalls Intrusion Detection Systems (IDS) Intrusion Prevention Systems (IPS) |
| SOX Penalties (for knowingly signing a false financial report) | A corporate officer $1 million up to 10 years in prison |
| SOX Titles and Sections | 11 Titles 4 Sections |
| Title I | Public Company Accounting Oversight Board |
| Title II | Auditor Independence |
| Title III | Corporate Responsibility Section 302 Corporate Responsibility for Financial Reports |
| Title IV | Enhanced Financial Disclosures Section 404: Mgmt Assessment of internal Controls Section 409: Real Time Issuer Disclosures |
| Title V | Analyst Conflicts of Interest |
| Title VI | Commission Resources and Authority |
| Title VII | Studies and Reports |
| Title VIII | Corporate and Criminal Fraud Accountability Section 802: Criminal Penalties for Altering Documents |
| Title IX | White-Collar Crime Penalty Enhancements |
| Title X | Corporate Tax Returns |
| Title XI | Corporate Fraud and Accountability |
| Section 302 | Corporate Responsibility for Financial Reports Company's mgmt must ensure & demonstrate that financial data is accurate and complete - quarterly and annually Effective: July 2002 |
| Section 404 | Mgmt Assessment of Internal Controls Corporate mgmt, executives, and financial officers implement controls to protect and annually monitor and report of the effectiveness of the controls |
| Section 409 | Real Time Disclosure of Issues Real-time reporting of material events that could impact a company's financial performance |
| Public Company Accounting Oversight Board (PCAOB) | An audit of internal control over financial reporting performed in conjunction with an audit of financial statements |
| The Securities and Exchange Commission (SEC) | indicated that the Committee of Sponsoring Organizations Internal Control (COSO) is acceptable to define internal controls for financial reporting systems |
| COSO 5 Aspects of effective internal controls | 1. The Control Environment 2. Risk Assessment 3. Control Activities 4. Information & Communications 5. Monitoring |
| Complementary to COSO | Control Objectives for Information and Related Technology (COBIT) established by IT Governance Institute (ITGI) ISO 27000 for Information Security Mgmt Systems |
| COBIT 5 Domains | 1. Align, Plan, & Organize (APO) 2. Build, Acquire, & Implement (BAI) 3. Deliver, Service, & Support (DSS) 4. Monitor, Evaluate, & Assess (MEA) 5. Evaluate, Direct, & Monitor (EDM) |
| COBIT (1) Align, Plan, & Organize (APO) | 1. Mng IT Mgmt Framework 2. Mng Strategy 3. Mng Enterprise Architecture 4. Mng Innovation 5. Mng Portfolio 6. Mng Budget & Costs 7. Mng HR 8. Mng Relationships 9. Mng Service Agreements 10. Mng Suppliers 11. Mng Quality 12. Mng Risk 13. Mng Security |
| COBIT (2) Build, Acquire, & Implement (BAI) | 1. Mng Programs & Projects 2. Mng Requirements Definition 3. Mng Solutions Identification & Build 4. Mng Availability & Capacity 5. Mng Organizational Change Enablement 6. Mng Changes 7. Mng Change Acceptance & Transitioning 8. Mng Knowledge 9. Mng Assets 10. Mng Configurations |
| COBIT (3) Deliver, Service, & Support (DSS) | 1. Mng Operations 2. Mng Service Requests & Incidents 3. Mng Problems 4. Mng Continuity 5. Mng Security Services 6. Mng Business Process Controls |
| COBIT (4) Monitor, Evaluate, & Assess (MEA) | 1. MEA Performance and Conformance 2. MEA System of Internal Controls 3. MEA Compliance with External Req'ts |
| COBIT (5) Evaluate, Direct, & Monitor (EDM) | 1. Ensure Governance Framework Setting & Maintenance 2. Ensure Benefits Delivery 3. Ensure Risk Optimization 4. Ensure Resource Optimization 5. Ensure Stakeholder Transparency |
| COBIT Security Objectives 37 Steps | Read Chapter 2 Slides 27 to 41 |
| Payment Card Industry (PCI) Data Security Standard (DSS) | Applies to all who store, process, or transmit cardholder data |
| PCI Penalties | 2006: over $5Mil $5K/mth increasing to $25K/mth Compromised cards: $25 per card up to $500K |
| 12 PCI DSS Requirements 6 Control Objectives | 1. Build & Maintain a Secure Network 2. Protect Cardholder Data 3. Maintain a Vulnerability Mgmt Program 4. Implement Strong Access Control Measures 5. Regularly Monitor & Test Networks 6. Maintain an Information Security Policy |
| (1) Build & Maintain a Secure Network | A . Firewall Configuration B. No Vendor Defaults |
| (2) Protect Cardholder Data | A. Protect Stored Cardholder Data (mask Primary Account Number PAN) B. Encrypt Transmission (SSL/TLS and IPSEC) |
| (3) Maintain a Vulnerability Mgmt Program | A. Update Anti-Virus Software B. Maintain Secure Systems & Applications (patches, separate environments) |
| (4) Implement Strong Access Control Measures | A. Restrict Access (need to know) B. Assign Unique IDs C. Restrict Physical Access |
| (5) Regularly Monitor & test Networks | A. Track & Monitor All Access B. Regularly Test Security Processes (Pen tests; Network-Layer and Application-Layer) |
| (6) Maintain an Information Security Policy | A. Maintain Policy (awareness program) |
| PCI Next Steps | Pre-Assessment & Gap Analysis |
| HITECH Meaningful Use (Health Information Technology for Economic and Clinical Health) Effective: February 17, 2009 | Ensure adequate privacy and security protections for PHI through use of policies, procedures, & technologies over EHR |
| Meaningful Penalties | CMS will withhold payment until violations are resolved |
| HIPAA Mandate 164.308(a)(1)(ii)(A) | Organizations need to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, & availability of EPHI held by the organization |
| HIPAA Audit Evidence | 1. Entity-wide Security Plan 2. Risk Analysis & Mgmt Plan 3. Security Violation Monitoring Rpts 4. Vulnerability Scanning Plans 5. Network Pen Testing Policy and Procs 6. Access Control Lists 7. Patch Mgmt Plans 8. Encryption Measures |
| Personal Identifiable Information (PII) |
Want to create your own Flashcards for free with GoConqr? Learn more.