D430: Fundamentals of Information Security - PASSED
information security - CORRECT ANSWER-"protecting information and
information systems from unauthorized access, use, disclosure, disruption,
modification, or destruction." - US law
protection of digital assets.
secure - CORRECT ANSWER-it's difficult to define when you're truly secure.
when you can spot insecurities, you can take steps to mitigate these issues.
although you'll never get to a truly secure state, you can take steps in the right
direction.
as you increase the level of security, you decrease the level of productivity.
the cost of security should never outstrip the value of what it's protecting.
data at rest and in motion (and in use) - CORRECT ANSWER-data at rest is
stored data not in the process of being moved; usually protected with encryption
at the level of the file or the entire storage device.
data in motion is data that is in the process of being moved; usually protected
with encryption, but in this case the encryption protects the network protocol or
the path of the data.
data in use is the data that is actively being accessed at the moment. protection
includes permissions and authentication of users. could be conflated with data in
motion.
defense by layer - CORRECT ANSWER-the layers of your defense-in-depth
strategy will vary depending on situation and environment.
logical (nonphysical) layers: external network, network perimeter, internal
network, host, application, and data layers as areas to place your defenses.
defenses for layers can appear in more than one area. penetration testing, for
example, can and should be used in all layers.
payment card industry data security standard (PCI DSS) - CORRECT
ANSWER-a widely accepted set of policies and procedures intended to optimize
the security of credit, debit and cash card transactions and protect cardholders
against misuse of their personal information.
health insurance portability and accountability act of 1996 (HIPAA) - CORRECT
ANSWER-a federal law that required the creation of national standards to protect
sensitive patient health information from being disclosed without the patient's
consent or knowledge.
federal information security management act (FISMA) - CORRECT
ANSWER-requires each federal agency to develop, document, and implement an
information security program to protect its information and information systems.
applies to US federal government agencies, all state agencies that administer
federal programs, and private companies that support, sell to, or receive grant
money from the federal government.
federal risk and authorization management program (FedRAMP) - CORRECT
ANSWER-defines rules for government agencies contracting with cloud
providers; applies to both cloud platform providers and companies providing
software as a service (SaaS) tools that are based in the cloud.
sarbanes-oxley act (SOX) - CORRECT ANSWER-regulates the financial practice
and governance for publicly held companies.
designed to protect investors and the general public by establishing
requirements regarding reporting and disclosure practices.
places specific requirements on an organization's electronic recordkeeping,
including the integrity of records, retention periods for certain kinds of
information, and methods of storing electronic communications.
gramm-leach-bliley act (GLBA) - CORRECT ANSWER-requires financial
institutions to safeguard their customers' financial data and identifiable
information.
mandates the disclosure of an institution's information collection and
information sharing practices and establishes requirements for providing privacy
notices and opt-outs to consumers.
children's internet protection act (CIPA) - CORRECT ANSWER-requires schools
and libraries to prevent children from accessing obscene or harmful content over
the internet.
children's online privacy protection act (COPPA) - CORRECT ANSWER-protects
the privacy of minors younger than 13 by restricting organizations from collecting
their PII (personally identifiable information), requiring the organizations to post a
privacy policy online, make reasonable efforts to obtain parental consent, and
notify parents that information is being collected.
family educational rights and privacy act (FERPA) - CORRECT ANSWER-defines
how institutions must handle student records to protect their privacy and how
people can view or share them.
international organization for standardization (ISO) - CORRECT ANSWER-a
body first created in 1926 to set standards between nations.
the 27000/27k series of THIS covers information security; 27000, 27001, 27002.
these documents lay out best practices for managing risk, controls, privacy,
technical issues, and a wide array of other specifics.
national institute of standards and technology (NIST) - CORRECT
ANSWER-provides guidelines for many topics in computing and technology,
including risk management.
two commonly referenced publications on risk management are SP 800-37
and SP 800-53.
SP 800-37 lays out the risk management framework in six steps: categorize,
select, implement, assess, authorize, and monitor.
confidentiality (CIA triad) - CORRECT ANSWER-refers to our ability to protect
data from those who are not authorized to view it.
can be compromised in a number of ways: losing a laptop with data, someone
looking over your shoulder while entering a password, email attachments sent to
the wrong people, or attackers penetrating your system.
integrity (CIA triad) - CORRECT ANSWER-the ability to prevent people from
changing your data in an unauthorized or undesirable manner.
must have the means to prevent unauthorized changes to data and the ability
to reverse unauthorized changes.
is particularly important when it concerns data that provides the foundation for
other decisions; an attacker could alter data from medical tests which can harm
the patient.
availability (CIA triad) - CORRECT ANSWER-the ability to access our data when
we need it.
THIS can be lost due to power outages, operating system or application
problems, network attacks, or compromise of a system.
when the issues are caused by an attacker it is called a denial-of-service (DoS)
attack.
integrity (parkerian hexad) - CORRECT ANSWER-THIS is the same as from the
CIA triad, however this version doesn't account for authorized, but incorrect,
modification of data; the data must be whole and completely unchanged.