1.1 Planning & Scoping Flashcards

Compare and contrast governance, risk, and compliance concepts.

1
Q

What is the Payment Card Industry Data Security Standard (PCI DSS)?

A

This standard specifies the controls that must be in place to securely handle credit card data. Controls include methods to minimize vulnerabilities, strong access control, and consistent testing and monitoring of the infrastructure.

2
Q

What is the General Data Protection Regulation (GDPR)?

A

This is a law outlining specific requirements on how consumer data is protected. Main components include:
- Companies require permission to gather data
- Permission can be rescinded at any time
- Affects anyone doing business with residents of the EU or Britain
- Restricts data collection
- Violation reporting

3
Q

What is a Non-Disclosure Agreement (NDA)?

A

An NDA is a legal document that stipulates the parties will not share confidential information, knowledge, or materials with unauthorized third parties.

4
Q

What information is usually included in a legal waiver?

A

- Names of the entity or individuals that are authorized to perform the PenTest
- What specific networks, hosts, and applications are to be included in the PenTest
- The validity period of the authorization
- Proper data handling techniques
- Reporting guidelines and chain of command
- Guidelines that outline when testing is to be terminated

5
Q

What is a Master Service Agreement (MSA)?

A

An MSA is a contract that establishes precedence and guidelines for any business documents that are executed between the two parties. This includes details on project scope, compensation specifics, required permits, safety guidelines, and insurance.

6
Q

What is a Statement of Work (SOW)?

A

An SOW is a document that defines the expectations for a specific business arrangement. It typically includes a list of deliverables, the responsibilities of both parties, payment milestones, schedules, and other terms.

7
Q

What is a Service-Level Agreement (SLA)?

A

An SLA is a contract that outlines the detailed terms under which a service is provided, including reasons the contract may be terminated. It defines the level of services expected by a customer from a supplier.
