Information Security Operations Chapter 2

Questions and Answers

According to the Purpose Specification Principle, reasons for collecting personal data should be determined after data collection.

False

What does the Data Quality Principle aim at?

Accuracy and completeness of data

According to the Use Limitation Principle Security, release or disclosure of personal data should be limited to the purposes it was gathered for unless the data subject agrees to the release or it is __________ by law.

required

Which principle relates to restrictions on search and seizure of information and property, self-incrimination, and disclosure of information held by the government to plaintiffs or the public?

Fourth Amendment

What does DIKW stand for in the DIKW knowledge pyramid?

Data, Information, Knowledge, Wisdom

Privacy and confidentiality are the same concepts in information security.

False

GDPR is a law binding upon all persons, businesses, or organizations doing anything involving the data related to an EU person. GDPR stands for General Data Protection ________________.

Regulation

What is the term for the ethical principles that an organization follows, even if not explicitly written down?

codes of ethics

What are the main components of the CIA triad?

Confidentiality, Integrity, Availability

Confidentiality is solely about keeping secrets.

False

The _____ triad combines confidentiality, integrity, and availability.

CIA

Which of the following is considered business confidential information?

Proprietary information and customer complaints

What are the main purposes of legal protections for intellectual property?

Limited time monopoly for commercial use and to publish the idea to stimulate adoption.

Copyrights protect the ideas, processes, or procedures for accomplishing tasks.

False

How is most commercially available software protected?

By copyrights

Which principles are considered the three most important when developing, implementing, and monitoring people-focused information security risk mitigation controls?

Need to know, separation of duties, least privilege

What does the principle of 'least privilege' require in terms of access to information?

minimum level of authority and decision-making capability required for the assigned task

Separation of duties effectively isolates information workers with ____.

accountability boundaries

What is the fundamental concept related to preventing a party from denying that they took an action, sent a message, or received a message?

Nonrepudiation

Nonrepudiation ensures that the recipient understood and agreed with the message received.

False

What is the term used to describe the process of confirming metadata about the creation, transmission, and receipt of information?

Authentication

______ allows an authenticated identity to perform a specific set of tasks.

Authorization

What is the primary consideration when implementing separation of duties?

Documentation

Which compensating controls can be used in cases where it is difficult to split the performance of a task?

All of the above

What is one of the primary responsibilities of a security professional according to the text?

Overseeing incident response activities

The Systems Security Certified Practitioner (SSCP) is not required to be familiar with common tools for responding to threats and attacks.

False

What are the 'three dues' of responsibilities mentioned in the text?

due care, due diligence, due process

Every action taken by a security professional requires them to understand the needs of their employers or clients, and act within the scope of their job and responsibilities, demonstrating ____________.

professional ethics

Match the following ethical principles to their descriptions:

Adhere to the highest ethical standards of behavior = Canon or principle: Protect society, the common good, necessary public trust and confidence, and the infrastructure Behave correctly and set the example for others to follow = Canon or principle: Act honorably, honestly, justly, responsibly, and legally Provide diligent and competent service to principals = Canon or principle: Provide diligent and competent service to principals Advance and protect the profession = Canon or principle: Advance and protect the profession

What are businesses and organizations required to have in force to control the use of company-provided IT systems?

acceptable use policies

What does Copyleft provide the opportunity for?

To freely distribute ideas or practices

Corporate espionage activities can legally include attempts to break into a competitor's property or systems.

True

Integrity, in the context of information systems, refers to both the __________ and the processes that are integral to the system.

information

Study Notes

Security Operations and Administration

• Security operations and administration involve a wide range of tasks and functions, including maintaining a secure environment for business functions and physical security of a campus and data center.
• A security professional should have a working familiarity with each of these tasks and functions.

Incident Response

• Incident response activities include:
  • Conducting investigations
  • Handling material that may be used as evidence in criminal prosecution and/or civil suits
  • Performing forensic analysis

Tools for Mitigating, Detecting, and Responding to Threats

• Common tools for mitigating, detecting, and responding to threats and attacks include:
  • Event logging to enhance security efforts
  • Knowledge of the importance and use of event logging

Disaster Recovery

• Security practitioners may need to manage how the organization deals with emergencies, including disaster recovery.

Supporting Business Functions

• Supporting business functions involves:
  • Incorporating security policy and practices with normal daily activities
  • Maintaining an accurate and detailed asset inventory
  • Tracking the security posture and readiness of information technology (IT) assets through the use of configuration/change management
  • Ensuring personnel are trained and given adequate support for their own safety and security

Complying with Codes of Ethics

• As a security professional, it is essential to:
  • Work, act, and think in ways that comply with and support the codes of ethics that are fundamental parts of the workplace, profession, and society at large
  • Adhere to and support the (ISC)2 Code of Ethics
  • Understand the needs of employers or clients
  • Listen, observe, gather data, and ask questions
  • Make recommendations, offer advice, or take action within the scope of job and responsibilities

(ISC)2 Code of Ethics

• The (ISC)2 Code of Ethics:
  • Requires strict adherence to the highest ethical standards of behavior
  • Includes a preamble that emphasizes the safety and welfare of society, duty to principals, and duty to each other
  • Consists of four canons or principles to abide by:
    • Protect society, the common good, necessary public trust and confidence, and the infrastructure
    • Act honorably, honestly, justly, responsibly, and legally
    • Provide diligent and competent service to principals
    • Advance and protect the profession

Organizational Code of Ethics

• Most organizations have a code of ethics that:
  • Shapes their policies and guides their decisions, setting goals, and taking actions
  • Guides the efforts of employees, team members, and associates
  • May be extended to partners, customers, or clients
  • Can be the basis of decisions to admonish, discipline, or terminate relationships with employees

Understanding Security Concepts

• Key security concepts include:
  • Confidentiality: limits on who is allowed to view the information, including copying it to another form
  • Integrity: the information stays complete and correct when retrieved, displayed, or acted upon
  • Availability: the information is presented to the user in a timely manner when required and in a form and format that meets the user's needs
  • Authenticity: only previously approved, known, and trusted users or processes have been able to create, modify, move, or copy the information
  • Utility: the content of the information, its form and content, and its presentation or delivery to the user meet the user's needs
  • Possession or control: the information is legally owned or held by a known, authorized user, such that the user has authority to exert control over its use, access, modification, or movement
  • Safety: the system and its information, by design, do not cause harm or damage to others, their property, or their lives
  • Privacy: information that attests to or relates to the identity of a person, or links specific activities to that identity, must be protected from being accessed, viewed, copied, modified, or otherwise used by unauthorized persons or systems
  • Nonrepudiation: users who created, used, viewed, or accessed the information, or shared it with others, cannot later deny that they did so
  • Transparency: the information can be reviewed, audited, and made visible or shared with competent authorities for regulatory, legal, or other processes that serve the public good### Information Security Concepts
• CIANA (Confidentiality, Integrity, Availability, Non-repudiation, and Authentication) is a framework for information security that emphasizes both non-repudiation and authentication.
• Confidentiality refers to the protection of sensitive information from unauthorized access, use, disclosure, disruption, modification, or destruction.
• Confidentiality involves sharing secrets with others, but with the agreement that they will not share that information with anyone else without consent.
• Examples of confidential information include:
  • Proprietary information
  • Trade secrets
  • Business plans
  • Private data
  • Customer information
  • Intellectual property

Intellectual Property

• Intellectual property refers to the ideas and expressions of those ideas that are protected by law.
• Types of intellectual property protection include:
  • Patents: protect ideas, processes, and procedures
  • Copyrights: protect artistic expressions of ideas
  • Trademarks: protect logos, symbols, and brand identities
  • Trade secrets: protect unpublished ideas and confidential information
• Intellectual property protection is essential for businesses and individuals to maintain a competitive advantage.
• Failure to protect intellectual property can lead to loss of business, revenue, and reputation.

Protecting Intellectual Property

• Protection of intellectual property involves:
  • Labeling and declaring ownership of the idea
  • Classifying and marking the information
  • Instituting procedures to enforce restrictions
  • Using digital rights management (DRM) and copy protection mechanisms
• Software and digital expressions are protected by copyright and licensed for use.
• Creative Commons licenses, also known as copyleft, allow for the free use of intellectual property with attribution.

Corporate Espionage

• Corporate espionage refers to the illegal gathering of information about competitors or rivals.
• It is a violation of confidentiality and can be considered a form of industrial or corporate espionage.
• Some nations encourage corporate espionage to gather business intelligence, while others consider it a violation of sovereignty.
• The boundary between corporate espionage and national intelligence services is often blurry.### Corporate-Level Espionage
• Corporate-level espionage activities may include:
  • Establishing business relationships to gain access to e-business information
  • Gathering product service or maintenance manuals and data
  • Recruiting key personnel from the target firm
  • Engaging in competitive information-seeking arrangements with suppliers, vendors, or customers
  • Probing and penetration efforts against the target's websites and online presence
  • Social engineering efforts to gather intelligence data
  • Unauthorized entry or breaking into the target's property, facilities, or systems
• All of these techniques can be used by third parties, such as hackers, to maintain plausible deniability

Integrity

• Integrity refers to the completeness, correctness, and reliability of information and processes
• In information systems, integrity applies to both the information and the processes that provide functions
• There are two ways to measure integrity:
  • Binary: either the system has integrity or it does not
  • Threshold-based: the system has a minimum level of integrity to function reliably

Trustworthiness

• Trustworthiness is perceptual and can be compromised by attacks such as Stuxnet
• Defense against compromised trustworthiness: find a separate and distinct means for verifying what systems are telling you

DIKW (Data, Information, Knowledge, Wisdom)

• Data: individual facts, observations, or elements of a measurement
• Information: data plus conclusions or inferences
• Knowledge: broader, more general conclusions or principles derived from lots of information
• Wisdom: insightful application of knowledge

Availability

• Availability refers to having the right information at the right time and in the right form
• Availability is key to making informed decisions
• There are three aspects of availability:
  • Information is available when needed
  • Information is in a usable form
  • Information is meaningful

Accountability

• Accountability refers to the need to know that investments in information and systems are paying off
• Organizations have three functional needs for accountability:
  • Gathering information about the use of corporate information and IT systems
  • Consolidating, analyzing, and auditing usage information
  • Using review results to inform decision-making

Privacy

• Privacy is the reasonable expectation that personal information and conversations will be kept confidential
• Privacy is separate and distinct from confidentiality
• Legal and cultural definitions of privacy abound, but fundamentally it means having control over who has access to personal information
• Businesses need to have a reasonable expectation that problems or issues will stay within the set of people who need to be aware of them and involved in their resolution

Privacy in Law and Practice

• Privacy is related to three main principles:
  • Restrictions on search and seizure of information and property
  • Self-incrimination
  • Disclosure of information held by the government
• The European Union's General Data Protection Regulation (GDPR) is a law that binds all persons, businesses, or organizations doing anything involving the data related to an EU person
• GDPR provides specific functional requirements for organizations' use of information and requires informed consent from users

Other Key Legal and Ethical Frameworks for Privacy

• Universal Declaration of Human Rights (Article 12)
• OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data

Description

This quiz covers the day-to-day information security operations, where planning decisions are put into practice, including threat assessments and risk management.