Privacy, Licensing, and Policies Flashcards

1
Q

Incident response: First response

A

• Identify the issue - Logs, in person, monitoring data
• Report to proper channels - Don’t delay
• Collect and protect information relating to an event
• Many different data sources and protection mechanisms

2
Q

Incident response: Documentation

A
• Security policy
• An ongoing challenge
• Documentation must be available
• No questions
• Documentation always changes
• Constant updating
• Have a process in place
• Use the wiki model
3
Q

Incident response: Chain of custody

A
• Control evidence
• Maintain integrity
• Everyone who contacts the evidence
• Avoid tampering
• Use hashes
• Label and catalog everything
• Seal, store, and protect
• Digital signatures
4
Q

Licensing / EULA

A
• Closed source / Commercial
  • Source code is private
  • End user gets compiled executable
• Free and Open Source (FOSS)
  • Source code is freely available
  • End user can compile their own executable
• End User Licensing Agreement
  • Determines how the software can be used
• Digital Rights Management (DRM)
  • Used to manage the use of software
5
Q

PII - Personally identifiable information

A
• Part of your privacy policy
• How will you handle PII?
• Not everyone realizes the importance of this data
• It becomes a “normal” part of the day
• It can be easy to forget its importance
6
Q

PCI DSS

A
• Payment Card Industry Data Security Standard (PCI DSS)
• A standard for protecting credit cards
• Six control objectives
  • Build and Maintain a Secure Network and Systems
  • Protect Cardholder Data
  • Maintain a Vulnerability Management Program
  • Implement Strong Access Control Measures
  • Regularly Monitor and Test Networks
  • Maintain an Information Security Policy
7
Q

GDPR - General Data Protection Regulation

A

• European Union regulation
• Data protection and privacy for individuals in the EU
  • Name, address, photo, email address, bank details, posts on social networking websites, medical information, a computer’s IP address, etc.
• Controls export of personal data
  • Users can decide where their data goes
• Gives individuals control of their personal data
  • A right to be forgotten
• Site privacy policy
  • Details all of the privacy rights for a user
8
Q

PHI - Protected Health Information

A

• Health information associated with an individual
  • Health status, health care records, payments for health care, and much more
• United States legal team
• Data between providers
  • Must maintain similar security requirements
• HIPAA regulations
  • Health Insurance Portability and Accountability Act of 1996
