S1 Flashcards

Question

Communicate | Privacy Framework Core

Answer 1

How should the org drive dialogue around privacy risks related to data processing activities

Answer 2

Set of security and privacy controls applicable to all info systems and now the standard for federal info security systems. Designed for protecting, care about effectiveness not cost

Answer 3

OMB - requires the controls for federal information systems FISMA - requires the implementation of minimum controls to protect federal info and info systems

Answer 4

Implement controls at the org level, which are adopted by info systems

Answer 5

Implement controls at the information system level

Answer 6

Implement controls at the org level where appropriate and the rest at the info system level

Answer 7

Detection and escalation: Cost to detect Notification: costs to notify parties Post-breach Response: Cost to rectify effects Loss of Business and Revenue: temp lost do to down time

Answer 8

Health Insurance Portability and Accountability Act required the department of health and human services to adopt national standards promoting health care privacy and security

Answer 9

Specifically governs electronic PHI. Under the security Rule all covered entities must: ensure the confidentiality, integrity, and availability of all electronic PHI; Protect against reasonably anticipated threats; Ensure compliance

Answer 10

Amended HIPPA: Increased penalties for HIPPA violations Required that patients receive the option to obtain records in electronic form Breach rule to notify within 60 days of discovery

Answer 11

European Unions general applicability law regulating the privacy of data

Answer 12

Data must be processed lawfully, fairly, and in a transparent manner

Answer 13

Data must be processed for specified, explicate, and legitimate purposes

Answer 14

Data processing must be adequate, relevant, and limited to what is necessary

Answer 15

Data must be accurate and kept updated

Answer 16

Data must be stored only for as long as necessary. storing it for longer periods is permitted for public interest archiving, scientific or historical research, or statistical purposes.

Answer 17

Data must be processed securely and protected against unauthorized access, accidental loss, destruction, or damage

Answer 18

A framework to apply to promote data security when processing payments

Answer 19

1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor supplied defaults for system passwords

Answer 20

3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open networks

Answer 21

5. Protect all systems against malware and regularly update anti-virus software programs 6. Develop and maintain secure system applications

Answer 22

7. Restrict access to cardholder data through need to know restrictions 8. Identify and authenticate access to system components

Answer 23

10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes

Answer 24

The Center for Internet Security. Controls are a recommended set of actions, processes, and best practices that can be adopted and implemented by organizations to strengthen their cybersecurity defenses.

Answer 25

Offense Informs Defense Focus Feasible Align Measurable

Answer 26

Controls should map to other top cybersecurity standards like NIST VS, COBIT, HIPPA

Answer 27

Controls should be simple and measurable, avoiding vague language

Answer 28

Controls are drafted based on data from actual CS attacker behavior and how to defend against it

Answer 29

Controls should help prioritize the most critical problems and avoid resolving every CS issue

Answer 30

All recommendations should be practical

Answer 31

Group is for small or mid sized orgs that have limited CS defense mechanisms in place

Answer 32

Group is for companies that have IT staff who support multiple departments that have various risk profiles and typically handle sensitive client data

Answer 33

Group for companies that have security experts in all domains within CS such as penetration testing, risk management, and application security.

Answer 34

Inventory and Control of Enterprise Assets: Helps orgs actively track and manage all IT assets connected to a company's IT infrastructure physically or virtually with a cloud environment

Answer 35

Provides recommendations for orgs to track and actively manage all software applications so that only authorized software can be installed

Answer 36

Helps orgs develop ways to securely manage the entire life cycle of their data

Answer 37

this control helps orgs establish and maintain secure baseline configurations for their enterprise assets

Answer 38

Outlines best practices for companies to manage credentials and authorization for user accounts, privileged user accounts, and service accounts for company hardware and software applications

Answer 39

Control expands on 5 by specifying the type of access that user accounts should have

Answer 40

Control assists org in continuously identifying and tracking vulnerabilities within its infrastructure so that it can remediate and eliminate weak points or windows

Answer 41

Control establishes an enterprise log management process so that organizations can be alerted and recover from an attack in real time

Answer 42

assists companies in preventing the installation and propagation of malware onto company assets and its network

Answer 43

Provides recommendations on how to detect and protect against cybercrime attempted through email or the internet

Answer 44

Establishes data backup, testing, and restoration processes that allow organizations to effectively recover company assets

Answer 45

This control establishes procedures and tools for managing and securing a company's network infrastructure. Network infrastrucutre is up to date, maintain a secure network architecture

Answer 46

Establishes processes for monitoring and defending a company's network infrastructure against internal and external security threats

Answer 47

Guides organizations in establishing a security awareness and training program to reduce cybersecurity risk

Answer 48

helps organizations develop processes to evaluate third party service providers that have access to sensitive data or that are responsible for managing some or all of a company's IT functions

Answer 49

establishes safeguards that manage the entire life cycle of software that is acquired, hosted, or developed in house to detect, deter and resolve CS weaknesses before they are exploited

Answer 50

Provides the recommendations necessary to establish an incident response management program to detect, respond, and prepare for potential CS attacks

Answer 51

Control helps organizations test the sophistication of their CS defense system in place by simulating actual attacks in effort to find and exploit weakness.

Answer 52

Control Objectives for Information and Related Technologies provides a road map that organizations can use to implement best practices for IT governance and management.

Answer 53

Governance Distinct from Management (Distinct) End to end governance system (End to end) Tailored to enterprise needs (Tailored) Provide stakeholder Value (Value) Holistic approach (Holistic) Dynamic governance system (Dynamic)

Answer 54

Based on conceptual model Open and flexible Aligned to major standards

Answer 55

gov system should create value for the company's stakeholders by balancing benefits, risks, and resources

Answer 56

gov systems for IT can comprise diverse components, collectively providing a holistic model.

Answer 57

When a change in one gov system occurs, the impact on all others should be considered so that the system continues to meet the demands of the organization. continue to be relevant while adjusting as a new challenge arises

Answer 58

Management activities and governance systems should be clearly distinguished from each other because they have different functions

Answer 59

gov models should be customized to each individual company, using design factors to prioritize and tailor the system

Answer 60

All processes in the org involving info and tech should be factored into an end to end approach

Answer 61

One domain: evaluate, direct, and monitor (EDM): those charged with governance evaluate strategic objectives, direct management to achieve those objectives, and monitor whether they are being met

Answer 62

Four domains Align, plan and organize (APO) Build, acquire, and implement (BAI) Deliver, service, and support (DSS) Monitor, evaluate, and assess (MEA)

Answer 63

Those charged with governance evaluate strategic objectives, direct managment to achieve those objectives, and monitor wheather objectives are being met. 5 objectives: ensuring business delivery, governance framwork setting, risk optimization, resouce optimization, and stakeholder engagment

Answer 64

Focuses on aligning information tech overall strategy, planning how to utilize technology in business operation of the organization, and organizing the resources for their most effective and efficient usage. 14 objectives - managed data is most significant

Answer 65

Addresses the building, acquiring, and implementation of information technology solutions in the organizations business processes. 11 objectives, offering guidance on requirements definition, identifying solutions, managing capacity, availability, org change...

Answer 66

Addresses the delivery, service, and support of IT services. 6 objectives - service request is most important

Answer 67

Addresses information tech conformance to the company's performance targets and control objectives along with external requirements. Accomplished through continuous monitoring, evaluation, and assessment of info tech systems. 4 objectives - managed system of internal control is most important

Answer 68

Components are factors that either collectively or individually contribute to the successful execution of a company's governance system over information technology and systems.

Answer 69

Influence the design of a companys IT goverance system, with a total of 11 factors to consider

Answer 70

Designed so that companies could adopt its recommendations in a way that is customized to their own needs

Answer 71

Introduces the core concepts of the framework

Answer 72

Provides a outline of the 40 management and governance objectives, components and references

Answer 73

Covers design topics that influence governance as well as a guideline for designing a customized gov system

Answer 74

Provides a road map for continuous improvements when designing information tech gov systems -used in conjunction with design guide

Answer 75

activities to achieve goals

Answer 76

decision making entities

Answer 77

These serve as the guide for turning desired behavior into practice

Answer 78

info needed for gov system to work

Answer 79

These factors influence the success of all management and governance activities

Answer 80

These are needed so that sound decisions are made, corrective actions are taken when necessary, and critical objectives are complete

Answer 81

gov system tools and resources needed for info tech processing

Answer 82

IT governance strategies generally include a primary strategy and a secondary strategy. Examples include growth/acquisition, innovations/differentiation, cost leadership

Answer 83

Goals support the strategy and are structured based on the balanced scorecard dimensions, which are financial, customer, internal, and growth

Answer 84

Addresses current risk exposure for the organization and maps out which risks exceed the orgz risk appetite

Answer 85

Common issues include regular IT audit findings of poor IT quality or control, insufficient IT resources, frustration between IT and different departments, hidden IT spending, problems with data quality, and non compliance with applicable regulations.

Answer 86

the environment in which the company operates. The threat landscape may be classified as normal or high because of geopolitical threats or issues, the industry sector, or economic issues.

Answer 87

Compliance demands on the company can be classified as low, normal, or high. Classifications are intuitive, with low requirements implying minimal compliance demands, normal compliance indicating that the organization is typical of its industry

Answer 88

Categorized as: Support - system that is not critical for operating a business or maintaining continuity Factory - system that will have an immediate impact in business operations and continuity if it fails Turnaround - system that drives innovation for the business but s not required for critical business operations Strategic - system that is crucial for both innovation and business operations

Answer 89

Sourcing is the type of IT procurement model the company adopts, ranging from outsourcing, to cloud based, built in house, or a hybrid of any of these sources

Answer 90

First mover strategy - emerging technologies are adopted as soon as possible to gain an edge Follower strategy - emerging technologies are adopted after they are prove Slow-adopter strategy - very late to adopt new tech

Answer 91

Two enterprise sizes are defined - large companies with total full-time employee count of more than 250, and small/mid companies with 50 to 250 full time employees

Answer 92

governance policies, process, and procedures -risk management strategy -awareness and training -monitoring review

Answer 93

-security and awareness training -information access management -Contingency plans