Untitled Quiz


Questions and Answers

What does the 2011 Data Privacy Act in the Philippines primarily aim to achieve?

  • Enhance data security and privacy rights (correct)
  • Facilitate easier access to public records
  • Encourage businesses to collect more data
  • Increase tax revenues from organizations

What could happen to organizations that fail to comply with data privacy requirements in the Philippines?

  • They are exempt from regulations
  • They may receive government grants
  • They could face serious fines and legal action (correct)
  • They will gain more customers

Which of the following is NOT a typical identification information according to the content?

  • Occupation
  • Spouse’s name
  • Bank account number (correct)
  • Citizenship

What primary purpose does the Optical Media Act serve in the Philippines?

  • (A) To protect local artists from piracy (correct)

Which form of intellectual property is NOT mentioned in the content?

  • (C) Industrial designs (correct)

Under Philippine copyright law, what types of works are specifically protected?

  • (C) Computer programs and video games (correct)

What does identity theft typically involve, based on the provided information?

  • (A) Misusing someone’s identifying information for harmful purposes (correct)

Which element is a fundamental aspect of data privacy laws mentioned?

  • (D) Legal access to personal information (correct)

What is the primary purpose of a security audit?

  • (D) To evaluate adherence to defined requirements (correct)

What is the difference between a security audit and a vulnerability evaluation?

  • (A) A vulnerability evaluation identifies potential security weaknesses. (correct)

What does penetration testing involve?

  • (B) Attempting various attacks to test system defenses (correct)

Which of the following best describes cryptology?

  • (A) The method of keeping communications inaccessible to unauthorized individuals (correct)

In the context of security monitoring, which aspect is NOT typically assessed?

  • (D) Accuracy of data entries by users (correct)

What is illustrated by the Security Controls Address Risk model?

  • (B) The cyclical nature of security management (correct)

When conducting a security assessment, which element is essential?

  • (B) A comprehensive review of the existing security policies (correct)

Which approach may enhance the effectiveness of security assessments?

  • (A) Combining multiple assessment methods such as audits and evaluations (correct)

What does MTD stand for in the context of business continuity?

  • (D) Maximum Tolerable Disruption (correct)

Which files are generally considered unnecessary for data backup?

  • (A) Installed programs (correct)
  • (B) Temporary files (correct)
  • (C) System files and directories (correct)

What type of backup process is best suited for files updated several times a day?

  • (D) Real-time backups (correct)

Which factor does NOT play a role in determining where to back up data?

  • (A) Quality of internet connection (correct)

What is the primary purpose of backing up data?

  • (C) To ensure data retrieval after loss (correct)

Which of the following describes a step in the disaster recovery process?

  • (A) Restoring damaged systems (correct)

What is essential during the activation of a disaster response program?

  • (D) Implementing all relevant methods and procedures (correct)

When evaluating backup strategies, which of these is NOT a relevant factor?

  • (C) Brand reputation of software (correct)

What is the main purpose of cryptography?

  • (B) To ensure message confidentiality. (correct)

Which term refers to the original message before it is encrypted?

  • (A) Plaintext (correct)

What does the process of enciphering involve?

  • (A) Altering plaintext to create ciphertext. (correct)

What is referred to as the secret version of plaintext?

  • (B) Ciphertext (correct)

Which of the following correctly describes a key in the context of cryptography?

  • (A) A data element needed for both encoding and decoding. (correct)

What common practice is NOT associated with mitigating risks in information security?

  • (C) Neglecting system configurations (correct)

How is plaintext typically represented in coded form?

  • (C) Without spaces and in all lowercase. (correct)

What is a potential drawback of retrofitting security onto an existing network?

  • (C) It can be expensive and difficult to implement properly. (correct)

What is the significance of having a response plan for each identified risk?

  • (A) It allows for a structured approach to handling risks if they materialize. (correct)

What does the Recovery Point Objective (RPO) indicate?

  • (C) The average amount of data loss that can occur without significant impact. (correct)

Which of the following stages comes first in the Business Continuity Plan (BCP)?

  • (C) Business as usual (correct)

What outcome is expected if the Maximum Tolerable Downtime (MTD) is exceeded?

  • (D) Severe harm to the enterprise's profitability. (correct)

What is the purpose of a Work Recovery Period (WRT)?

  • (B) To confirm program or data integrity post-recovery. (correct)

Who primarily handles the function of restoring systems after a disaster?

  • (A) Administrators of server, network, and storage. (correct)

Which stage follows 'Disaster' in the Business Continuity Plan (BCP)?

  • (C) Recovery (correct)

What does the Recovery Time Objective (RTO) measure?

  • (B) The overall time required to restore critical services. (correct)

What is the primary function of a firewall?

  • (B) Establishes a barrier between trusted and untrusted networks (correct)

What distinguishes a host-based firewall from a network-based firewall?

  • (C) It runs on individual host computers (correct)

What is one of the advantages of using a firewall?

  • (B) Hides internal system names from external hosts (correct)

Which of the following is a disadvantage of firewalls?

  • (A) Concentration of security in one location (correct)

What is meant by application gateways in the context of firewalls?

  • (D) They require users to pass through the firewall before accessing further services (correct)

Which network access types may be impacted by a firewall?

  • (D) Telnet, FTP, NFS (correct)

Why might a firewall be considered a risk in a network environment?

  • (A) A compromised firewall can endanger other less protected systems (correct)

What does protocol filtering by a firewall accomplish?

  • (A) Filters out unnecessary or insecure protocols (correct)

Flashcards

Project Risk Management

Tracking how risk responses are handled against the schedule and managing new project risks.

Risk Response Plan

A plan for dealing with identified risks, including alternative execution paths and emergency plans.

Business Continuity Plan (BCP)

A plan to keep business operations running during a disaster or disruption.

Maximum Tolerable Downtime (MTD)

The maximum acceptable time a system or process can be unavailable without causing significant harm.

Recovery Point Objective (RPO)

The maximum amount of data loss acceptable over time.

Recovery Time Objective (RTO)

The maximum time it takes to restore critical services and operations.

Work Recovery Period (WRT)

The acceptable time needed to confirm the integrity of programs and data after a recovery.

Business Continuity Management (BCM)

The overall process of planning for, and managing, continuity of business operations during disasters or other disruptions.

MTD

Minimum Time Duration; the sum of RTO and WRT, representing the shortest disruption a business process can handle without harm.

Data Backup

Creating copies of important files and data to recover in case of loss. It's like having a backup copy of files.

Data Backup Frequency

How often backups are made, depending on how frequently data changes.

Disaster Recovery Plan (DRP)

A strategy for recovering from a disaster, including data backups and system restoration.

Backup Media

The physical or digital storage for backups (e.g., external hard drives, cloud storage).

Backup Types

Different methods of creating backups (e.g., full backups, incremental backups, differential backups).

Disaster Response Program Activation

Initiating the procedures and methods of a disaster recovery plan.

Disaster Recovery Steps

The core actions taken to restore systems after a disaster, involving steps like assessing damage and restoring systems.

Data Privacy Act (Philippines)

A law passed in 2011 to safeguard personal information in the Philippines. It mandates organizations to protect data security and follow strict privacy regulations.

Data Security Requirements

Regulations that organizations must adhere to in order to protect personal data collected and processed, ensuring its safety and confidentiality.

Identity Theft

The crime of obtaining and using someone's personal information without their consent for illegal purposes, such as accessing their accounts or making fraudulent transactions.

Intellectual Property (IP)

A broad category that includes intangible assets created by human intellect, such as inventions, literary and artistic works, designs, and symbols. Examples include copyrights, trademarks, and patents.

Copyright

A legal right granted to creators of original works, such as books, music, and software, giving them exclusive rights to copy, share, or commercially exploit their work.

Trademark

A symbol, design, phrase, or other distinguishing mark used to identify and differentiate goods or services from those of competitors.

Patent

A legal right granting an inventor exclusive rights to their invention for a set period, preventing others from making, using, or selling it without permission.

Republic Act No. 8293 (Philippine Copyright Law)

Philippines' copyright law, heavily inspired by United States copyright law. This law protects various intellectual properties, including trademarks, patents, and even computer programs.

Cryptography

The practice of secure communication, ensuring confidentiality and integrity of information using codes and algorithms.

Cryptanalysis

The process of breaking or deciphering codes and algorithms used in cryptography to gain access to encrypted information.

Plaintext

The original message or information that you want to convey in a coded form. It's usually presented without spaces in lowercase letters.

Cipher

The process of altering plaintext into ciphertext or vice versa using a specific algorithm or method.

Ciphertext

The encrypted version of plaintext, created by applying a cipher to the original message.

Encipher/Decipher

Enciphering is the process of converting plaintext to ciphertext, while deciphering is the reverse process of converting ciphertext back to plaintext.

Security Audit

A thorough check of a business's information security, evaluating its compliance with specific requirements. It covers physical security, applications, data processing, and user practices.

Vulnerability Evaluation

A systematic analysis of an entire information system to identify potential security weaknesses or vulnerabilities.

Penetration Testing

A controlled attack simulation where a security specialist attempts various attacks, mimicking a real-world hacking scenario, to assess a device's resilience.

Cryptology

The study and practice of secure communication methods, making information unreadable to those without authorization.

What are the two parts Cryptology is divided into?

Cryptology is divided into cryptography, which focuses on creating secure communication methods, and cryptanalysis, which analyzes and breaks encryption techniques.

What are the security controls known as?

Security controls are commonly called the Security Cycle, representing a continuous process of assessing, implementing, and monitoring security measures.

What is the purpose of security monitoring for computer systems?

It collects data to detect potential threats and security breaches. Think of it as keeping an eye on the security of your computer network.

Why are security audits, vulnerability evaluations, and penetration testing important?

They help identify and mitigate security risks, ensuring the protection of sensitive information and assets.

Firewall

A security barrier that controls network traffic between a trusted internal network and an untrusted external network, like the internet.

Network-Based Firewall

A firewall that operates at the network level, controlling traffic between networks.

Host-Based Firewall

A firewall that runs on individual computers, controlling traffic in and out of that specific machine.

Concentration of security

A firewall centralizes security controls and logging, so all security actions are tracked in one place.

Protocol filtering

A firewall can block or allow specific network protocols and services based on security rules.

Information hiding

A firewall can conceal the names of internal systems and email addresses, making it harder for attackers to find targets.

Application gateway

A firewall acts as a middleman for connections, enforcing security rules before allowing access to a specific application or service.

Firewall disadvantages

Firewalls can sometimes block legitimate network access, and a compromised firewall can expose the entire network to attacks.

Study Notes

Risk Management and Risk Control

  • Project risk management and risk analysis track how risk responses are handled against the schedule and watch for new risks.
  • Risk management identifies events affecting project outputs, assigns qualitative and quantitative weights to their possibility and consequences, generates alternative execution paths, and implements a plan for each risk identified.
  • Monitoring and control of risks require a risk management plan, risk register/tracker, and risk response plan.

Business Continuity Management (BCM)

  • Business Continuity Plan (BCP) is a plan for business processes to continue during accidents or emergencies.
  • Organizations analyze potential risks and prepare with a BCP to ensure effective handling of issues.
  • BCP development includes identifying threats stopping regular business, evaluating critical activities for continuity, and listing executives and their contact details.
  • Disaster Recovery Plan (DRP) outlines how a company restarts its operation immediately after an unplanned event.

Disaster Recovery Plan (DRP)

  • DRP is a recorded method for restarting operations after an unplanned event.
  • The objective is to help the organization handle data loss and restore functionality.
  • DRP provides step-by-step procedures to minimize disruption and quickly resume critical functions.
  • Disruptions include extreme weather events, illegal activities, civil unrest, terrorism, and organizational/program failures.

Assessing Maximum Tolerable Downtime (MTD)

  • MTD is the length of time a process can be inaccessible before the effects become irreparable.
  • MTD can be measured in hours, days, or longer, depending on the process.
  • Stages include: Business as usual, Disaster, Recovery, and Resume Production.
  • Recovery Point Objective (RPO) specifies average data loss over time.
  • Recovery Time Objective (RTO) specifies the overall manageable time to get critical services back online.

Review and Test the Plan

  • Regularly review and update BCP (Business Continuity Plan).
  • BCP testing uses various methods (audit strategy, walk-through test, simulation test, full recovery test).
  • Vendor involvement helps in precise, reliable, and valuable feedback for improvement.
  • Document test outcomes and actionable conclusions.

Testing for Disaster Recovery Plan (DRP)

  • DRP testing uses various techniques; there's no "one-size-fits-all" approach.
  • Testing should occur at least once a year to assess recovery from disasters.
  • Active participation by various stakeholders is important and functional.
  • Logging and filing are important parts of recording test and drill results.

Backing up Data

  • Data backup is as important as disaster preparedness.
  • Backing up data enables recovery of lost data and is analogous to rewinding a computer.
  • Identify and categorize the files to be backed up (system files, directories, the operating system, installed programs, temporary files), and set the backup frequency (daily, real-time) according to how often the data changes.

Where to Back Up Your Data

  • Multiple backup media options depend on backup size, setup, complexity, portability, security, and budget.
  • Various examples of media options like external hard drives, USB flash drives, Network Attached Storage (NAS), and Cloud backups are mentioned.

Different Backup and Recovery Types

  • Backup types include full backups (copying all data), incremental backups (copying only altered data since the last backup), and differential backups (copying everything changed since last full backup).

Phases of Incident Response

  • Incident responses typically have six phases: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned.

Guidelines for Activation Based on Case Analysis

  • DRP (Disaster Recovery Plan) activation depends on the specific event type.
  • Assessment criteria and decision-making processes must be clear.
  • Effective communication of activation is crucial.

Recovery Alternatives

  • Organizations need options if their location becomes inoperable.
  • Recovery methods cover dedicated business locations (e.g. a backup data center, an alternative facility), commercially rented facilities (e.g. data centers for disaster recovery), and arrangements with internal or external facilities.
  • Categorizing facilities by cost (hot site, warm site, cold site, multiple sites) is helpful.

Cybersecurity in Our Country

  • Cybercrime Prevention Act 2012 (CPA) and the Access Devices Regulation Act of 1998 (ADRA) define cybercrime acts.
  • The Electronic Commerce Act 2000 (ECA) allows recognition of electronic records and signatures in legal proceedings.
  • The 2012 Data Privacy Act (DPA) manages and safeguards personal data.

Privacy

  • Privacy is a key concern in 21st-century information security.
  • The 2011 Data Privacy Act outlines data security and privacy rights for organizations operating in the country.

Identity Theft

  • Identity theft is a serious crime involving the unauthorized acquisition and use of someone else's identity.
  • It involves acquiring and using identifying information such as name, date of birth, citizenship, address of residence, contact number, and spouse's name.

Intellectual Property

  • Intellectual property (IP) encompasses intangible creations of the human mind, such as copyrights, trademarks, patents, and trade secrets.
  • IP rights protect creators' ownership and control over their works and expressions.
  • Philippine copyright law (Republic Act No. 8293) is based on the United States copyright law system and protects trademarks, patents, and other intellectual property types.

Ethics and Information Security

  • Ethical guidelines are important when using and managing technology.
  • The text provides guidelines for ethical conduct and avoidance of harming others through use of technology.
  • It emphasizes ethical considerations when pursuing projects and avoiding harm.

Pre-Test/Post-Test

  • The pre- and post-tests cover topics like different types of access controls, biometric recognition, logical access control solutions, and authentication types.
  • Different types of authentication like knowledge, ownership, characteristics, location, and action are also covered.

Cryptography

  • Cryptology deals with secure communications by making messages inaccessible to unauthorized individuals.
  • Cryptography creates confidentiality; cryptanalysis breaks those systems.
  • Cryptography has military roots; one basic technique in cryptology is converting letters to numbers, as in military codes.
  • Plaintext is the original message; ciphertext is the encrypted message.
  • Cryptography uses various methods, such as monoalphabetic and polyalphabetic systems.

Network Security

  • Network security is concerned with protecting all aspects, systems, and operations for a network.
  • Network design strategies involve considering budgets, availability requirements, risk tolerance, scope and future growth for the system.
  • Firewalls are important for protecting network systems, controlling who can access services, and maintaining secure communications.
  • Firewalls can be host-based or network-based for separate applications.
  • Authentication is important for a secure network.

Auditing, Testing and Monitoring

  • Security audits assess a business's information system security by comparing it to a set of standards.
  • Security audits also evaluate the protection of physical configurations, processing, and user practices.
  • Security audit evaluations help determine the effectiveness of security controls.
  • Auditing may also involve vulnerability evaluation via secret tests/attacks, to determine whether a system can handle malicious attacks.
