DETAILED ANSWERSLATEST

1

DETAILED ANSWERS|LATEST

PASS information security - ANSWER "protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction." - US law

protection of digital assets.

secure - ANSWER it's difficult to define when you're truly secure. when you can spot insecurities, you can take steps to mitigate these issues. although you'll never get to a truly secure state, you can take steps in the right direction.

m; as you increase the level of security, you decrease the level of productivity. the cost of security should never outstrip the value of what it's protecting.

data at rest and in motion (and in use) - ANSWER data at rest is stored data not in the process of being moved; usually protected with encryption at the level of the file or the entire storage device.

data in motion is data that is in the process of being moved; usually protected with encryption, but in this case the encryption protects the network protocol or the path of the data.

data in use is the data that is actively being accessed at the moment. protection includes permissions and authentication of users. could be conflated with data in motion.

defense by layer - ANSWER the layers of your defense-in-depth strategy will vary depending on situation and environment.

• / 4

2

logical (nonphysical) layers: external network, network perimeter, internal network, host, application, and data layers as areas to place your defenses.

m; defenses for layers can appear in more than one area. penetration testing, for example, can and should be used in all layers.

payment card industry data security standard (PCI DSS) - ANSWER a widely accepted set of policies and procedures intended to optimize the security of credit, debit and cash card transactions and protect cardholders against misuse of their personal information.

health insurance portability and accountability act of 1996 (HIPAA) - ANSWER a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge.

federal information security management act (FISMA) - ANSWER requires each federal agency to develop, document, and implement an information security program to protect its information and information systems.

m; applies to US federal government agencies, all state agencies that administer federal programs, and private companies that support, sell to, or receive grant money from the federal government.

federal risk and authorization management program (FedRAMP) - ANSWER defines rules for government agencies contracting with cloud providers; applies to both cloud platform providers and companies providing software as a service (SaaS) tools that are based in the cloud.

sarbanes-oxley act (SOX) - ANSWER regulates the financial practice and governance for publicly held companies.

m; designed to protect investors and the general public by establishing requirements regarding reporting and disclosure practices. 2 / 4

3

places specific requirements on an organization's electronic recordkeeping, including the integrity of records, retention periods for certain kinds of information, and methods of storing electronic communications.

gramm-leach-bliley act (GLBA) - ANSWER requires financial institutions to safeguard their customers financial data and identifiable information.

m; mandates the disclosure of an institution's information collection and information sharing practices and establishes requirements for providing privacy notices and opt-outs to consumers.

children's internet protection act (CIPA) - ANSWER requires schools and libraries to prevent children from accessing obscene or harmful content over the internet.

children's online privacy protection act (COPPA) - ANSWER protects the privacy of minors younger than 13 by restricting organizations from collecting their PII (personally identifiable information), requiring the organizations to post a privacy policy online, make reasonable efforts to obtain parental consent, and notify parents that information is being collected.

family educational rights and privacy act (FERPA) - ANSWER defines how institutions must handle student records to protect their privacy and how people can view or share them.

international organization for standardization (ISO) - ANSWER a body first created in 1926 to set standards between nations.

the 27000/27k series of THIS covers information security; 27000, 27001, 27002. these documents lay out best practices for managing risk, controls, privacy, technical issues, and a wide array of other specifics.

• / 4

4

national institute of standards and technology (NIST) - ANSWER provides guidelines for many topics in computing and technology, including risk management.

m; two commonly referenced publications on risk management are SP 800-37 and SP 800- 53.

SP 800-37 lays out the risk management framework in six steps: categorize, select, implement, assess, authorize, and monitor.

confidentiality (CIA triad) - ANSWER refers to our ability to protect data from those who are not authorized to view it.

m; can be compromised in a number of ways; losing laptop with data, someone looking over your shoulder while entering password, email attachments sent to wrong people, attackers could penetrate your system.

integrity (CIA triad) - ANSWER the ability to prevent people from changing your data in an unauthorized or undesirable manner.

m; must have the means to prevent unauthorized changes to data and the ability to reverse unauthorized changes.

is particularly important when it concerns data that provides the foundation for other decisions; an attacker could alter data from medical tests which can harm the patient.

availability (CIA triad) - ANSWER the ability to access our data when we need it.

m; THIS can be be lost due to power outages, operating system or application problems, network attacks, or compromising of a system.

• / 4