Untitled Quiz
48 Questions

Questions and Answers

What does the 2012 Data Privacy Act in the Philippines primarily aim to achieve?

  • Enhance data security and privacy rights (correct)
  • Facilitate easier access to public records
  • Encourage businesses to collect more data
  • Increase tax revenues from organizations

What could happen to organizations that fail to comply with data privacy requirements in the Philippines?

  • They are exempt from regulations
  • They may receive government grants
  • They could face serious fines and legal action (correct)
  • They will gain more customers

Which of the following is NOT a typical piece of identifying information according to the content?

  • Occupation
  • Spouse’s name
  • Bank account number (correct)
  • Citizenship
    What primary purpose does the Optical Media Act serve in the Philippines?

    Answer: To protect local artists from piracy

    Which form of intellectual property is NOT mentioned in the content?

    Answer: Industrial designs

    Under Philippine copyright law, what types of works are specifically protected?

    Answer: Computer programs and video games

    What does identity theft typically involve, based on the provided information?

    Answer: Misusing someone’s identifying information for harmful purposes

    Which element is a fundamental aspect of data privacy laws mentioned?

    Answer: Legal access to personal information

    What is the primary purpose of a security audit?

    Answer: To evaluate adherence to defined requirements

    What is the difference between a security audit and a vulnerability evaluation?

    Answer: A vulnerability evaluation identifies potential security weaknesses.

    What does penetration testing involve?

    Answer: Attempting various attacks to test system defenses

    Which of the following best describes cryptology?

    Answer: The method of keeping communications inaccessible to unauthorized individuals

    In the context of security monitoring, which aspect is NOT typically assessed?

    Answer: Accuracy of data entries by users

    What is illustrated by the Security Controls Address Risk model?

    Answer: The cyclical nature of security management

    When conducting a security assessment, which element is essential?

    Answer: A comprehensive review of the existing security policies

    Which approach may enhance the effectiveness of security assessments?

    Answer: Combining multiple assessment methods such as audits and evaluations

    What does MTD stand for in the context of business continuity?

    Answer: Maximum Tolerable Downtime

    Which files are generally considered unnecessary for data backup?

    Answer: Installed programs

    What type of backup process is best suited for files updated several times a day?

    Answer: Real-time backups

    Which factor does NOT play a role in determining where to back up data?

    Answer: Quality of internet connection

    What is the primary purpose of backing up data?

    Answer: To ensure data retrieval after loss

    Which of the following describes a step in the disaster recovery process?

    Answer: Restoring damaged systems

    What is essential during the activation of a disaster response program?

    Answer: Implementing all relevant methods and procedures

    When evaluating backup strategies, which of these is NOT a relevant factor?

    Answer: Brand reputation of software

    What is the main purpose of cryptography?

    Answer: To ensure message confidentiality.

    Which term refers to the original message before it is encrypted?

    Answer: Plaintext

    What does the process of enciphering involve?

    Answer: Altering plaintext to create ciphertext.

    What is referred to as the secret version of plaintext?

    Answer: Ciphertext

    Which of the following correctly describes a key in the context of cryptography?

    Answer: A data element needed for both encoding and decoding.

    What common practice is NOT associated with mitigating risks in information security?

    Answer: Neglecting system configurations

    How is plaintext typically represented in coded form?

    Answer: Without spaces and in all lowercase.

    What is a potential drawback of retrofitting security onto an existing network?

    Answer: It can be expensive and difficult to implement properly.

    What is the significance of having a response plan for each identified risk?

    Answer: It allows for a structured approach to handling risks if they materialize.

    What does the Recovery Point Objective (RPO) indicate?

    Answer: The maximum amount of data loss, measured as time since the last usable backup, that can be tolerated without significant impact.

    Which of the following stages comes first in the Business Continuity Plan (BCP)?

    Answer: Business as usual

    What outcome is expected if the Maximum Tolerable Downtime (MTD) is exceeded?

    Answer: Severe harm to the enterprise's profitability.

    What is the purpose of the Work Recovery Time (WRT)?

    Answer: To confirm program or data integrity after systems have been recovered.

    Who primarily handles the function of restoring systems after a disaster?

    Answer: Administrators of server, network, and storage.

    Which stage follows 'Disaster' in the Business Continuity Plan (BCP)?

    Answer: Recovery

    What does the Recovery Time Objective (RTO) measure?

    Answer: The overall time required to restore critical services.

    What is the primary function of a firewall?

    Answer: Establishes a barrier between trusted and untrusted networks

    What distinguishes a host-based firewall from a network-based firewall?

    Answer: It runs on individual host computers

    What is one of the advantages of using a firewall?

    Answer: Hides internal system names from external hosts

    Which of the following is a disadvantage of firewalls?

    Answer: Concentration of security in one location

    What is meant by application gateways in the context of firewalls?

    Answer: They require users to pass through the firewall before accessing further services

    Which network access types may be impacted by a firewall?

    Answer: Telnet, FTP, NFS

    Why might a firewall be considered a risk in a network environment?

    Answer: A compromised firewall can endanger other less protected systems

    What does protocol filtering by a firewall accomplish?

    Answer: Filters out unnecessary or insecure protocols

    Study Notes

    Risk Management and Risk Control

    • Project risk management and risk analysis track how each identified risk is being handled against the schedule, and watch for new risks as they appear.
    • Risk management identifies events affecting project outputs, assigns qualitative and quantitative weights to their possibility and consequences, generates alternative execution paths, and implements a plan for each risk identified.
    • Monitoring and control of risks require a risk management plan, risk register/tracker, and risk response plan.

    Business Continuity Management (BCM)

    • Business Continuity Plan (BCP) is a plan for business processes to continue during accidents or emergencies.
    • Organizations analyze potential risks and prepare with a BCP to ensure effective handling of issues.
    • BCP development includes identifying threats stopping regular business, evaluating critical activities for continuity, and listing executives and their contact details.
    • Disaster Recovery Plan (DRP) outlines how a company restarts its operation immediately after an unplanned event.

    Disaster Recovery Plan (DRP)

    • DRP is a recorded method for restarting operations after an unplanned event.
    • The objective is to help the organization handle data loss and restore functionality.
    • DRP provides step-by-step procedures to minimize disruption and quickly resume critical functions.
    • Disruptions include extreme weather events, illegal activities, civil unrest, terrorism, and organizational/program failures.

    Assessing Maximum Tolerable Downtime (MTD)

    • MTD is the longest time a process can be unavailable before the effects on the organization become irreparable.
    • MTD can be measured in hours, days, or longer, depending on the process.
    • Stages include: Business as usual, Disaster, Recovery, and Resume Production.
    • Recovery Point Objective (RPO) specifies the maximum tolerable data loss, measured as the time between the last usable backup and the disruption (a maximum, not an average).
    • Recovery Time Objective (RTO) specifies the overall manageable time to get critical services back online; the RTO plus the Work Recovery Time (WRT, verifying systems and data after restoration) must fit within the MTD.

    Review and Test the Plan

    • Regularly review and update BCP (Business Continuity Plan).
    • BCP testing uses various methods (audit strategy, walk-through test, simulation test, full recovery test).
    • Vendor involvement helps in precise, reliable, and valuable feedback for improvement.
    • Document test outcomes and actionable conclusions.

    Testing for Disaster Recovery Plan (DRP)

    • DRP testing uses various techniques; there's no "one-size-fits-all" approach.
    • Testing should occur at least once a year to assess recovery from disasters.
    • Active participation by the relevant stakeholders is essential.
    • Logging and filing are important parts of recording test and drill results.

    Backing up Data

    • Data backup is as important as disaster preparedness.
    • Backing up data enables recovery of lost data and is analogous to rewinding a computer.
    • Identify and categorize the files that need backing up (system files, directories, the operating system, installed programs, temporary files), and set the backup frequency (daily, real-time) according to how often each set of files changes.

    Where to Back Up Your Data

    • Multiple backup media options depend on backup size, setup, complexity, portability, security, and budget.
    • Various examples of media options like external hard drives, USB flash drives, Network Attached Storage (NAS), and Cloud backups are mentioned.

    Different Backup and Recovery Types

    • Backup types include full backups (copying all data), incremental backups (copying only altered data since the last backup), and differential backups (copying everything changed since last full backup).
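A worked illustration of the restore-chain and data-loss arithmetic behind the backup types just listed and the MTD/RPO/RTO definitions earlier in the notes. This is an added example written for this page, not code from the original lesson: the weekly schedule, the Sunday 00:00 start and the Wednesday 15:00 failure are constructed, and the dependency rules (a differential holds everything since the last full, an incremental only what changed since the previous backup of any kind) are the ones the notes state.

```python
"""Restore chains and achieved RPO for full, differential and incremental backups.
Added example with a constructed weekly schedule; not a real environment."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class Backup:
    taken_at: datetime
    kind: str  # "full", "differential" or "incremental"


def restore_chain(backups: List[Backup], failure_at: datetime) -> List[Backup]:
    """Ordered backups an administrator must apply, oldest first, to reach the
    most recent restorable point before `failure_at`."""
    usable = sorted((b for b in backups if b.taken_at <= failure_at), key=lambda b: b.taken_at)
    fulls = [b for b in usable if b.kind == "full"]
    if not fulls:
        raise ValueError("no full backup before the failure: nothing to restore from")
    base = fulls[-1]
    chain = [base]
    for b in usable:
        if b.taken_at <= base.taken_at:
            continue
        if b.kind == "differential":
            chain = [base, b]          # supersedes every backup taken since the full
        elif b.kind == "incremental":
            chain.append(b)            # depends on everything already in the chain
        else:
            raise ValueError(f"unknown backup kind: {b.kind}")
    return chain


def achieved_rpo(chain: List[Backup], failure_at: datetime) -> timedelta:
    """Everything written after the last backup in the chain is lost. The RPO target
    is the largest value of this that the business can tolerate."""
    return failure_at - chain[-1].taken_at


def weekly_schedule(start: datetime, kind: str) -> List[Backup]:
    """Constructed sample: one full at `start`, then one `kind` backup at the same time daily."""
    return [Backup(start, "full")] + [Backup(start + timedelta(days=d), kind) for d in range(1, 7)]


def compare_strategies(rpo_hours: float, failure_after_hours: float = 87.0) -> Dict[str, object]:
    """Run both daily schedules against the same failure time (default 87 h after the
    Sunday 00:00 full, i.e. Wednesday 15:00) and report restore effort versus data loss."""
    start = datetime(2024, 1, 7)  # a Sunday, 00:00 (constructed)
    failure_at = start + timedelta(hours=failure_after_hours)
    inc = restore_chain(weekly_schedule(start, "incremental"), failure_at)
    diff = restore_chain(weekly_schedule(start, "differential"), failure_at)
    loss = achieved_rpo(inc, failure_at)  # both schedules share the same last backup time
    return {
        "incremental_restore_steps": len(inc),        # more steps: longer restore, affects RTO
        "differential_restore_steps": len(diff),      # fewer steps, larger daily backups
        "data_loss_hours": loss.total_seconds() / 3600,
        "rpo_met": loss <= timedelta(hours=rpo_hours),
    }


if __name__ == "__main__":
    print(compare_strategies(rpo_hours=24))
```

The trade-off the notes describe shows up directly: with daily incrementals a Wednesday-afternoon failure needs four restore steps, with daily differentials only two, while the data loss (15 hours here) is the same for both and is governed by backup frequency, not backup type. A 24-hour RPO is met; a 12-hour RPO would force the schedule toward the real-time backups mentioned in the quiz.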

    Phases of Incident Response

    • Incident responses typically have six phases: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned.

    Guidelines for Activation Based on Case Analysis

    • DRP (Disaster Recovery Plan) activation depends on the specific type of event.
    • Assessment criteria and decision-making processes must be clear.
    • Effective communication of activation is crucial.

    Recovery Alternatives

    • Organizations need options if their location becomes inoperable.
    • Recovery methods cover dedicated business locations (e.g. a backup data center, an alternative facility), commercially rented facilities (e.g. data centers for disaster recovery), and arrangements with internal or external facilities.
    • Categorizing facilities by cost is helpful: a hot site is fully equipped and can take over within hours, a warm site has infrastructure but needs data and some systems loaded, a cold site provides only space and power, and multiple sites spread the risk across locations.

    Cybersecurity in Our Country

    • The Cybercrime Prevention Act of 2012 (CPA, Republic Act No. 10175) and the Access Devices Regulation Act of 1998 (ADRA, Republic Act No. 8484) define cybercrime acts.
    • The Electronic Commerce Act of 2000 (ECA, Republic Act No. 8792) allows recognition of electronic records and signatures in legal proceedings.
    • The Data Privacy Act of 2012 (DPA, Republic Act No. 10173) governs the processing and safeguarding of personal data.

    Privacy

    • Privacy is a key concern in 21st-century information security.
    • The Data Privacy Act of 2012 sets out data-security obligations for organizations operating in the country and the privacy rights of the individuals whose data they process.

    Identity Theft

    • Identity theft is a serious crime involving the unauthorized acquisition and use of someone else's identity.
    • It involves acquiring and misusing identifying information such as name, date of birth, citizenship, address of residence, contact number, and spouse's name.

    Intellectual Property

    • Intellectual property (IP) encompasses intangible creations of the human mind, such as copyrights, trademarks, patents, and trade secrets.
    • IP rights protect creators' ownership and control over their works and expressions.
    • Philippine copyright law is contained in the Intellectual Property Code (Republic Act No. 8293), which is partly based on the United States copyright system and also covers trademarks, patents, and other intellectual property types.

    Ethics and Information Security

    • Ethical guidelines are important when using and managing technology.
    • The text gives guidelines for ethical conduct, with emphasis on not harming others through the use of technology, including when pursuing projects.

    Pre-Test/Post-Test

    • The pre- and post-tests cover topics like different types of access controls, biometric recognition, logical access control solutions, and authentication types.
    • Different types of authentication like knowledge, ownership, characteristics, location, and action are also covered.

    Cryptography

    • Cryptology deals with secure communications by making messages inaccessible to unauthorized individuals.
    • Cryptography designs systems that provide confidentiality; cryptanalysis attempts to break them.
    • Cryptography has strong military roots; classical ciphers commonly start by mapping letters to numbers (a=0 ... z=25) so that shifts and substitutions can be computed, as in military codes.
    • Plaintext is the original message and ciphertext is the encrypted message.
    • Cryptography uses various methods, such as monoalphabetic systems (one fixed substitution alphabet for the whole message) and polyalphabetic systems (the substitution changes with position, for example by cycling through a repeating key).
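The monoalphabetic and polyalphabetic systems above, and the plaintext/ciphertext conventions the quiz asks about, worked through in code. This is an added example written for this page, not material from the original lesson: the message and key are constructed, and the letter-frequency table is the usual approximate English distribution. It follows the quiz convention (lowercase plaintext without spaces, uppercase ciphertext) and ends with a frequency-analysis attack that shows why one fixed substitution gives weak confidentiality, while a repeating key defeats that particular attack.

```python
"""Caesar (monoalphabetic) and Vigenere (polyalphabetic) substitution with a
frequency-analysis attack on the former. Added example; sample text is constructed."""
import string
from collections import Counter

ALPHABET = string.ascii_lowercase

# Approximate relative frequency (%) of each letter in English text, a..z.
ENGLISH_FREQ = [8.167, 1.492, 2.782, 4.253, 12.702, 2.228, 2.015, 6.094, 6.966, 0.153,
                0.772, 4.025, 2.406, 6.749, 7.507, 1.929, 0.095, 5.987, 6.327, 9.056,
                2.758, 0.978, 2.360, 0.150, 1.974, 0.074]


def normalize(text: str) -> str:
    """Letters only, lowercase, no spaces: the 'coded form' of plaintext."""
    return "".join(ch for ch in text.lower() if ch in ALPHABET)


def letter_to_number(ch: str) -> int:
    """a=0 ... z=25, the letters-to-numbers step classical ciphers compute on."""
    return ALPHABET.index(ch.lower())


def number_to_letter(n: int) -> str:
    return ALPHABET[n % 26]


def caesar_encipher(plaintext: str, shift: int) -> str:
    """Monoalphabetic: one fixed substitution, every letter moved by the same amount."""
    return "".join(number_to_letter(letter_to_number(c) + shift) for c in normalize(plaintext)).upper()


def caesar_decipher(ciphertext: str, shift: int) -> str:
    return "".join(number_to_letter(letter_to_number(c) - shift) for c in ciphertext)


def vigenere_encipher(plaintext: str, key: str) -> str:
    """Polyalphabetic: the shift depends on position, cycling through the key letters."""
    k = [letter_to_number(c) for c in normalize(key)]
    pt = normalize(plaintext)
    return "".join(number_to_letter(letter_to_number(c) + k[i % len(k)])
                   for i, c in enumerate(pt)).upper()


def vigenere_decipher(ciphertext: str, key: str) -> str:
    k = [letter_to_number(c) for c in normalize(key)]
    return "".join(number_to_letter(letter_to_number(c) - k[i % len(k)])
                   for i, c in enumerate(ciphertext))


def chi_squared(text: str) -> float:
    """Distance between the letter counts of `text` and English; lower is more English-like."""
    counts = Counter(text)
    n = len(text)
    return sum((counts[ch] - n * f / 100) ** 2 / (n * f / 100)
               for ch, f in zip(ALPHABET, ENGLISH_FREQ))


def break_caesar(ciphertext: str) -> int:
    """Cryptanalysis without the key: try all 26 shifts and keep the one whose output
    looks most like English. Works because a monoalphabetic cipher only relabels letters,
    so the frequency profile of the language survives encipherment."""
    return min(range(26), key=lambda s: chi_squared(caesar_decipher(ciphertext, s)))


if __name__ == "__main__":
    # Constructed sample message, long enough for letter statistics to be meaningful.
    msg = ("the security audit compares the information system against a set of standards "
           "while a vulnerability evaluation looks for weaknesses an attacker could exploit")
    ct = caesar_encipher(msg, 7)
    print("recovered shift:", break_caesar(ct))                       # 7
    vct = vigenere_encipher(msg, "lemon")
    print("single-shift attack on Vigenere recovers plaintext:",
          caesar_decipher(vct, break_caesar(vct)) == normalize(msg))  # False
```

The same 26-way search that recovers a Caesar shift fails against the Vigenère output because each position uses a different alphabet; breaking a polyalphabetic cipher needs the extra step of first finding the key length and then attacking each column as its own monoalphabetic cipher.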

    Network Security

    • Network security is concerned with protecting all aspects, systems, and operations for a network.
    • Network design strategies involve considering budgets, availability requirements, risk tolerance, scope and future growth for the system.
    • Firewalls are important for protecting network systems, controlling who can access which services, and maintaining secure communications.
    • Firewalls can be host-based (running on an individual machine and protecting only it) or network-based (placed at the boundary between a trusted and an untrusted network).
    • Authentication is important for a secure network.
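A minimal model of the packet filtering the firewall questions and these notes describe: an ordered rule list, first match wins, and a default of deny for anything no rule allows. It also flags rules that an earlier, broader rule makes unreachable, which is how a policy that looks like it filters Telnet or FTP can quietly stop doing so. This is an added example written for this page, not code from the original lesson or from any firewall product; the LAN range, the DMZ web server address and both policies are constructed for illustration.

```python
"""Stateless packet filter: ordered rules, first match wins, default deny.
Added example; addresses and policies are constructed, not from a real network."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"       # CIDR; the default matches any source
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport))

    def covers(self, other: "Rule") -> bool:
        """True if every packet `other` could match, this rule matches as well."""
        return (ip_network(self.src).supernet_of(ip_network(other.src))
                and ip_network(self.dst).supernet_of(ip_network(other.dst))
                and self.proto in (None, other.proto)
                and self.dport in (None, other.dport))


def decide(rules: List[Rule], p: Packet, default: str = "deny") -> str:
    """The first matching rule decides; with no match the default (deny) applies."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


def shadowed(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule covers them."""
    return [i for i, r in enumerate(rules) if any(e.covers(r) for e in rules[:i])]


# Constructed sample: internal LAN 10.0.0.0/8, one DMZ web server at 10.1.1.10.
POLICY = [
    Rule("allow", dst="10.1.1.10/32", proto="tcp", dport=443),  # public HTTPS to the web server
    Rule("deny", proto="tcp", dport=23),                         # protocol filtering: Telnet
    Rule("deny", proto="tcp", dport=21),                         # FTP
    Rule("deny", dport=2049),                                    # NFS, any transport
    Rule("allow", src="10.0.0.0/8"),                             # LAN may initiate anything else
]

# Same intent with the broad LAN allow placed first: the Telnet deny is now unreachable.
WEAK_POLICY = [
    Rule("allow", src="10.0.0.0/8"),
    Rule("deny", src="10.0.0.0/8", proto="tcp", dport=23),
    Rule("allow", dst="10.1.1.10/32", proto="tcp", dport=443),
]

if __name__ == "__main__":
    telnet = Packet("10.2.3.4", "192.0.2.1", "tcp", 23)
    print("telnet from LAN, POLICY:", decide(POLICY, telnet),
          "WEAK_POLICY:", decide(WEAK_POLICY, telnet))
    print("unreachable rules in WEAK_POLICY:", shadowed(WEAK_POLICY))
```

Two points the quiz answers rely on are visible here: the default-deny fallthrough is what makes the firewall a barrier rather than a filter with gaps, and rule order is part of the policy, so a shadowing check belongs in any review of a firewall configuration.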

    Auditing, Testing and Monitoring

    • Security audits assess a business's information system security by comparing it against a defined set of standards.
    • Security audits also evaluate the protection of physical configurations, processing, and user practices.
    • Security audit evaluations help determine the effectiveness of security controls.
    • Auditing may also include vulnerability evaluation, which identifies potential weaknesses, and penetration testing, in which authorised testers attempt attacks to determine whether the system withstands them.
