Day-5-27th march@Legal

Question 1

In US three types of common LAW

Answer 1

> Criminal
Civil (Tort)
Administrative

Question 2

criminal law

Answer 2

> crimes committed against society
beyond reasonable doubt
felony serious crime , normally in jail for more than 1 year
misdemeanor less serious crime , jail inprisonment for less than 1 year

Question 3

civil law

Answer 3

> Against individual or company that can create injury, loss ,damage, death > based upon the preponderance of evidence

Question 4

Criminal vs Civil

Answer 4

> both have punishment
civil has compensatory
criminal has deterrence
civil has statutory damages

Question 5

According to federal sentencing guideline

Answer 5

Sr corp officer are responsible personally if their org fails to comply with applicable laws .

Question 6

Administrative laws are regulatory laws

Answer 6

enforced by Govt agencies , penalty financial or imprisonment

Question 7

risk appetite vs risk tolerance

Answer 7

Risk appetite: amount and type of risk that an organization is willing to pursue or retain
Risk tolerance: organization’s or stakeholder’s readiness to bear the risk after risk treatment in order to achieve its objectives

Question 8

Intellectual Property organizations

Answer 8

USPTO ,WIPO, WCO,WTO,TRIP

Question 9

PRIVACY AND DATA PROTECTION LAWS PRINCIPALS

Answer 9

> must be collected fairly and lawfully
must only be used for the purposes for which it was collected
must be accurate and kept upto date
must be accessible to individuals who request a report on personal informations about themselves
individuals have the right to correct if there is any error
personal data cant be disclosed to other org
trnamission of personal data to locations is prohibited where equivalent security is not ensured

Question 10

us federal privacy act 1974

Answer 10

Personal informations stored by federal agencies cant disclose to any others

Question 11

HIPAA

Answer 11

privacy standards for PI health informations

Question 12

Hitech vs HIPAA

Answer 12

However, there is a difference between HIPAA and HITECH with regards to patients´ rights.

Prior to HITECH, patients were unable to find out who their ePHI had been disclosed to (both authorized and unauthorized where known). In 2011, the Department of Health & Human Services published a HITECH-required Rule that allows patients to request access reports. These reports explain to patients who accessed and viewed their ePHI and under what authority.

Question 13

HITRUST and HIPAA

Answer 13

hipaa is a framework or compliance law, hitrust is a company which help companies to achieve this law.

Question 14

GLBP

Answer 14

PII stored in Financial origanization

Question 15

PCI DSS Principles

Answer 15

Credit CARD industry
>build and maintain a secure network
>protect cardholder data
>maintain vulnerability management program
>implement strong access control
>regularly monitor and test network
>maintain an information security policy

Question 16

Computer Fraud and abuse act -crime

Answer 16

f federal -govt cmputers, f financial informations f foriegn relationship informations

Question 17

electronic communications and privacy act

Answer 17

unauthorized monitring or evesdropping wiretapping

>can access email but not voice email

Question 18

us computer security act

Answer 18

special security for compuers holding sensitive informations

Question 19

us federal sentencing guideline

Answer 19

due care violations for organizations

Question 20

us economic espionage act

Answer 20

patent trade secret protection

Question 21

us child pornography act

Answer 21

distribution of child pornography

Question 22

us patriot act

Answer 22

> wiretap is allowed > voice email access is allowed > mobile tap is allowed

Question 23

pen device

Answer 23

to collect outgoing number list from a phone number

Question 24

trap device

Answer 24

to collect incoming numbers

Question 25

SOX

Answer 25

financial audit of public companies

Question 26

safe harbor

Answer 26

agreement between us department of commerce and EU, t handle private data of EU citizens moving from EU to US

Question 27

evidence

Answer 27

> real evidence : from witness five sense
direct evidence : tangible objects from actual crime
documentary evidence : computer generated, computer stored , log files etc
demonstrative evidence from expert opinion hearsay rule

Question 28

hearsay documents

Answer 28

business records not directly related to crime

Question 29

entrapment or enticement

Answer 29

entrapment : someone commits a crime without having any intention, entricement : someone provoked to commit a crime . its legal

Question 30

chain of custody

Answer 30

provides accountability and protection for evidence throughout its entire life cycle

Question 31

evidence life cycle

Answer 31

>collection and identification
> analysis
> storage preservation transportation
>presentation in court
>return to victim

Question 32

subopena

Answer 32

order to an individual to submit evidence t court

Question 33

search warrant criminal case / writ of possession civil case

Answer 33

by court to police to search and seize specific evidence ,

Question 34

US federal sentencing guideline -due care failure

Answer 34

The 1991 U.S. Federal Sentencing Guidelines apply to the following white collar crimes that take place within an
organization:
Antitrust
Federal securities
Mail and wire fraud
Bribery
Contracts
Money laundering

Question 35

Wassenaar Arrangement

Answer 35

Established to contribute to regional and international security and stability by promoting transparency and greater responsibility in transfers of conventional arms and dual-use goods and technologies, thus preventing destabilizing accumulations.

Question 36

CSO role

Answer 36

The role of the chief security officer (CSO) should be self-governing and independent of all the other departments in the
organization. The CSO should report to the chief information officer (CIO), chief technology officer (CTO), or chief
executive officer (CEO) only to gain management approval for security implementation and to provide feedback on the
security process compliance. In an organization, an Information Technology security function should be led by a Chief
Security Officer.
The information technology function is responsible for carrying out infrastructure implementation based on directives
issued by the CSO. The security responsibilities of a CSO include not only the information technology function, but
extend to all the departments of the organization. The CSO might conduct a periodic meeting with managers from
different departments of the organization and make them aware of the security initiatives flowing in a top-down approach
from the senior managemen

Question 37

NCSC

Answer 37

The National Computer Security Center (NCSC) is a centralized agency that evaluates computer security products and
provides technical support to government offices and private firms.

Question 38

hipaa

Answer 38

HIPAA is enforced by Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS).

Question 39

Operate and Maintain

Answer 39

Ensure that all baselines are met.
Complete internal and external audits.
Complete tasks outlined in the blueprints.
Manage service level agreements as outlined in the blueprints

Question 40

exigent circumstances

Answer 40

when evidence might be destroyed

Question 41

IAB considered unethical behaviors

Answer 41

Seeking to gain unauthorized access to the resources of the Internet
Destroying the integrity of computer-based information
Disrupting the intended use of the Internet
Wasting resources, including people, capacity, and computers, through such actions
Compromising the privacy of users
Being negligent in the conduct of Internet experiments

Question 42

data haven

Answer 42

A data haven either has no laws or poorly enforced laws for information protection.

Question 43

Admin LAw vs Regulatory Law

Answer 43

Administrative law is
often called regulatory law. This type of law includes considered standards of performance or conduct expected by
government agencies from companies, industries, and certain officials

Question 44

Which things are covered under trade secret

Answer 44

Trade secrets consist of information and can include a formula, pattern, compilation, program, device, method, technique or process. To meet the most common definition of a trade secret, it must be used in business, and give an opportunity to obtain an economic advantage over competitors who do not know or use it.

Question 45

3 types of security controls

Answer 45

b. physical controls
c. technical controls
d. administrative controls

Question 46

incident response steps

Answer 46

1. Detection
2. Response
3. Reporting
4. Recovery
5. Remediation and review rca works here

Question 47

process guide

Answer 47

SDLCP-(Info Assurance Is Out Dated)

1. Initiate
2. Aquire
3. Implemet
4. Operations
5. Disposal

S-SDLCP (Re Do Damn Test Right)

1. Req Gather
2. Design
3. Develop
4. Test
5. Release

CMMI (I Really Defend My Opinion)

1. Initial
2. Repeatable
3. Defined
4. Managed
5. Optimized

BCP (IIPRCTM)….Sorry not so fun ;)

1. Initiation
2. BIA (Impact)
3. Preventative
4. Recovery
5. Continuity
6. Test
7. Manage/Maintain

Question 48

Which phase of the security management life cycle are you engaged if you are completing audits to ensure that your security settings meet baselines? Other activities might include completing tasks in blueprints, managed slas outlined in blueprints, doing audits to ensure baselines.

Answer 48

Operate and Maintain

Question 49

Which phase of the security management life cycle are you engaged if you are reviewing the audit results to assess if your organization’s security baselines are maintained? other activities in this phase include review logs, audit results, metrics, and slas. assess accomplishments, complete steering committees, Develop improvement steps for integration into the plan and organize phase.

Answer 49

Monitor and Evaluate

Question 50

data aggregator

Answer 50

a company that compiles, stores, and sells personal information

Question 51

You are implementing asset identification and change control blueprints. In which phase of the security management life
cycle are you engaged?

Answer 51

implement

Question 52

The Basel II Accord

Answer 52

The Basel II Accord is built on three main pillars: minimum capital requirements, supervision, and market discipline.
These pillars apply to financial institutions.

Question 53

BCP steps

police bia koreche
preventive recovery hisebe akta contigency plan
dar koriyeche , test ar maintain korte hobe

Answer 53

1. Develop the continuity planning policy statement.
2. Conduct the BIA.
3. Identify preventative controls.
4. Develop recovery strategies.
5. Develop the contingency plan.
6. Test the plan, and conduct training and exercises.
7. Maintain the plan.

Question 54

HIPAA gap analysis

Answer 54

HIPAA gap analysis applies to transactions, security, and privacy and does not address either accountability or
availability.

Question 55

Reverse engineering

Answer 55

Reverse engineering, in computer programming, is a technique used to analyze software in order to identify and understand the parts it is composed of

Question 56

bcp should be maintained

Answer 56

Infrastructure changes
Environment changes
Organizational changes
Hardware, software, and application changes
Personnel changes

Question 57

Which organization developed P3P

Answer 57

World Wide Web Consortium (W3C)

Question 58

privacy notice how to send

Answer 58

A privacy notice should be provided via a posted copy, a printed copy at the first service delivery, and a printed copy
available upon request by a covered entity to the patient.

Question 59

covered entities

Answer 59

Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information

Question 60

delayed loss risk

Answer 60

that happens after a tangible resource is taken out