Week 4

Cards (29)

  • Family Educational Rights and Privacy Act (FERPA)—Passed in 1974, this federal law was an early measure to protect the privacy of student education records. It applies to all schools that receive funds under an applicable program of the U.S. Department of Education. Under FERPA, schools must receive written permission from a parent or an eligible student before releasing any information contained in a student’s education record.
  • Federal Financial Institutions Examination Council (FFIEC)—The FFIEC was initiated in 1979 to establish a standard for security controls and maturity assessments, which include an inherent risk profile assessment and a cybersecurity maturity assessment. Using these two benchmarks, financial organizations can assess their current risk profile and their current cybersecurity maturity level based on performing these self-assessments internal to their organization.
  • Children’s Online Privacy Protection Act of 1998 (COPPA)—COPPA restricts how online information is collected from children under 13 years of age. COPPA was made effective in 2000 and gained additional consent requirements in 2013. It dictates what a website operator must include in a privacy policy, when and how to seek verifiable consent from a parent, and what responsibilities an operator has to protect children’s privacy and safety online.
  • Gramm-Leach-Bliley Act (GLBA):
    • Passed in 1999
    • Addresses information security concerns in the financial industry
    • Requires financial institutions to provide clients with a privacy notice explaining what information is gathered, where it is shared, and how it is protected
    • Companies must provide clients with this notice before entering into a business agreement
  • Government Information Security Reform Act (Security Reform Act) of 2000:
    • Focuses on management and evaluation of the security of unclassified and national security systems
    • Formalized existing Office of Management and Budget security policies
    • Restated security responsibilities contained in the Computer Security Act of 1987
  • USA PATRIOT Act of 2001:
    • Passed 45 days after the September 11, 2001 attacks
    • Expanded U.S. law enforcement agencies' authority to fight terrorism in the U.S. and abroad
    • Enhanced law enforcement agencies' access to information related to ongoing investigations
  • Federal Information Security Management Act (FISMA):
    • Enacted in 2002
    • Recognizes the importance of information security to the national security and economic health of the U.S.
    • Requires every federal agency to develop and maintain formal information security programs, including security awareness efforts, secure access to computer resources, strict acceptable use policies (AUPs), and formal incident response and contingency planning
  • EU General Data Protection Regulation (GDPR) of 2016:
    • The world’s most comprehensive law on personal data and privacy protection
    • Covers how data on EU citizens is collected, stored, and used
    • Governs data that flows into or out of the EU
    • Focuses on giving control of private data back to the individual
    • Organizations handling private data must inform data owners how their data will be handled and request specific authorization to collect and use it
    • Individuals can demand that their personal data be deleted
  • Payment Card Industry Data Security Standard (PCI DSS v3.2.1):
    • Released in 2018 as the latest update to the 2004 industry standard
    • Affects any organization processing or storing credit card information
    • Developed by the founding payment brands of the PCI Security Standards Council
    • Includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures
  • California Consumer Privacy Act (CCPA) of 2018:
    • Similar to the GDPR and also called “GDPR lite”
    • Focuses on individual privacy and rights of data owners
    • Covers all California consumers and impacts any organizations that interact with them
  • California Security Breach Information Act (SB 1386) of 2003:
    • Requires companies storing customer data electronically to notify customers of any security breach
    • Mandates immediate notification to affected customers if unencrypted information is stolen from the company's computer system
    • Other similar bills restrict financial institutions from sharing nonpublic personal client information with affiliates and third parties
  • Health Insurance Portability and Accountability Act (HIPAA) effective from April 14, 2006:
    • Governs how doctors, hospitals, and health care providers handle personal medical information
    • Requires medical records, billing, and patient information to be handled in a way that maintains patient privacy
    • Guarantees patients access to their medical records, ability to correct errors, and information on personal information usage
    • Patients must receive notifications of privacy procedures each time they submit medical information to ensure awareness of HIPAA requirements
  • Sarbanes-Oxley Act (SOX)—Sarbanes-Oxley, which became law in July 2002, introduced sweeping changes to the way corporate governance and financial practices are regulated. As a direct result of several public financial scandals, SOX established the Public Company Accounting Oversight Board (PCAOB), which is responsible for overseeing, regulating, inspecting, and disciplining accounting firms in their roles as auditors of public companies. SOX also dictates policies that address auditor independence, corporate governance, internal control assessment, and enhanced financial disclosure.
  • Types of DRP tests:
    • Checklist test: participants follow steps on the DRP checklist and provide feedback; used for training and awareness
    • Structured walk-through: also known as a tabletop exercise or a conference room test; uses role-playing to simulate a disaster and evaluate the DRP’s effectiveness
    • Simulation test: more realistic than a structured walk-through; uses role-playing to simulate a disaster's effects without affecting live operations
    • Parallel test: evaluates DRP effectiveness by enabling full processing capability at an alternate data center without interrupting the primary data center
    • Full-interruption test: interrupts the primary data center and transfers processing capability to an alternate site; the most complete test
  • Preventive components of a DRP:
    • Local mirroring of disk systems and use of data protection technology, such as a redundant array of independent disks (RAID) or storage area network (SAN) system
    • Surge protectors to minimize the effect of power surges on delicate electronic equipment
    • Uninterruptible power supply (UPS) and/or a backup generator to keep systems going in the event of a power failure
    • Fire prevention systems
    • Antivirus software and other security controls
  • Endpoint device security controls for mobility and BYOD environments:
    • Mobile device management (MDM): software agent for monitoring, controlling, and wiping business data on personally owned devices
    • Device access control: ensures personally owned devices conform to the BYOD policy with proper access controls
    • Removable storage: follows BYOD policy and AUP for data backups
    • Disabling unused features: disallows specific applications and features according to the BYOD policy and AUP
  • Endpoint device security controls for mobility and BYOD environments:
    • Full device encryption: requires laptops, tablets, and smartphones to be equipped with data encryption to mitigate the risk of a lost or stolen device
    • Remote wiping: enables organizations to initiate remote wiping of data or email in case of loss or theft
    • Lockout: requires device screen savers with lockout timers following the organization’s security policies
    • Screen locks: require a password-protected screen-lock function for device access
    • Global positioning system (GPS): uses satellite and/or cellular communications to pinpoint the physical location of the device
    • Application control: allows for application or device control
    • Storage segmentation: separates personal data from business data on shared devices
    • Asset tracking: tracks all IT assets connected to the infrastructure
    • Inventory control: IT asset inventories for proper change management and incident response
  • The OCTAVE approach defines a risk-based strategic assessment and planning technique for security and is a self-directed approach
  • There are two versions of OCTAVE: OCTAVE FORTE (for large organizations) and OCTAVE Allegro (for organizations with fewer than 100 people)
  • ISO/IEC 27005:2018 is an ISO standard describing information security risk management in a generic manner
  • ISO/IEC 27005:2018 documents include examples of approaches to information security risk assessment and lists of possible threats, vulnerabilities, and security controls
  • Recovery Point Objective (RPO) describes the target state of recovered data that allows an organization to continue normal processing
  • RPO is the maximum amount of data loss that is acceptable
  • RPO provides direction on how to back up data, what policies are needed regarding recovery, and whether loss prevention or loss correction is a better option
  • Recovery Time Objective (RTO) expresses the maximum allowable time in which to recover the function
  • RTO helps determine the best recovery options and specifies the requirements for recovery time
  • Business recovery requirements identify other business functions that must already be in place for the specified recovery function to occur and help in determining the recovery sequence
  • Technical recovery requirements define the technical prerequisites needed to support each critical business function
  • Technical recovery requirements dictate which IT infrastructure components must be in place