Information Security Operations Chapter 2
33 Questions
2 Views

Choose a study mode

Play Quiz
Study Flashcards
Spaced Repetition
Chat to lesson

Podcast

Play an AI-generated podcast conversation about this lesson

Questions and Answers

According to the Purpose Specification Principle, reasons for collecting personal data should be determined after data collection.

False

What does the Data Quality Principle aim at?

  • Length of time data is stored
  • Type of data collected
  • Quantity of data collected
  • Accuracy and completeness of data (correct)
  • According to the Use Limitation Principle Security, release or disclosure of personal data should be limited to the purposes it was gathered for unless the data subject agrees to the release or it is __________ by law.

    required

    Which principle relates to restrictions on search and seizure of information and property, self-incrimination, and disclosure of information held by the government to plaintiffs or the public?

    <p>Fourth Amendment</p> Signup and view all the answers

    What does DIKW stand for in the DIKW knowledge pyramid?

    <p>Data, Information, Knowledge, Wisdom</p> Signup and view all the answers

    Privacy and confidentiality are the same concepts in information security.

    <p>False</p> Signup and view all the answers

    GDPR is a law binding upon all persons, businesses, or organizations doing anything involving the data related to an EU person. GDPR stands for General Data Protection ________________.

    <p>Regulation</p> Signup and view all the answers

    What is the term for the ethical principles that an organization follows, even if not explicitly written down?

    <p>codes of ethics</p> Signup and view all the answers

    What are the main components of the CIA triad?

    <p>Confidentiality, Integrity, Availability</p> Signup and view all the answers

    Confidentiality is solely about keeping secrets.

    <p>False</p> Signup and view all the answers

    The _____ triad combines confidentiality, integrity, and availability.

    <p>CIA</p> Signup and view all the answers

    Which of the following is considered business confidential information?

    <p>Proprietary information and customer complaints</p> Signup and view all the answers

    What are the main purposes of legal protections for intellectual property?

    <p>Limited time monopoly for commercial use and to publish the idea to stimulate adoption.</p> Signup and view all the answers

    Copyrights protect the ideas, processes, or procedures for accomplishing tasks.

    <p>False</p> Signup and view all the answers

    How is most commercially available software protected?

    <p>By copyrights</p> Signup and view all the answers

    Which principles are considered the three most important when developing, implementing, and monitoring people-focused information security risk mitigation controls?

    <p>Need to know, separation of duties, least privilege</p> Signup and view all the answers

    What does the principle of 'least privilege' require in terms of access to information?

    <p>minimum level of authority and decision-making capability required for the assigned task</p> Signup and view all the answers

    Separation of duties effectively isolates information workers with ____.

    <p>accountability boundaries</p> Signup and view all the answers

    What is the fundamental concept related to preventing a party from denying that they took an action, sent a message, or received a message?

    <p>Nonrepudiation</p> Signup and view all the answers

    Nonrepudiation ensures that the recipient understood and agreed with the message received.

    <p>False</p> Signup and view all the answers

    What is the term used to describe the process of confirming metadata about the creation, transmission, and receipt of information?

    <p>Authentication</p> Signup and view all the answers

    ______ allows an authenticated identity to perform a specific set of tasks.

    <p>Authorization</p> Signup and view all the answers

    What is the primary consideration when implementing separation of duties?

    <p>Documentation</p> Signup and view all the answers

    Which compensating controls can be used in cases where it is difficult to split the performance of a task?

    <p>All of the above</p> Signup and view all the answers

    What is one of the primary responsibilities of a security professional according to the text?

    <p>Overseeing incident response activities</p> Signup and view all the answers

    The Systems Security Certified Practitioner (SSCP) is not required to be familiar with common tools for responding to threats and attacks.

    <p>False</p> Signup and view all the answers

    What are the 'three dues' of responsibilities mentioned in the text?

    <p>due care, due diligence, due process</p> Signup and view all the answers

    Every action taken by a security professional requires them to understand the needs of their employers or clients, and act within the scope of their job and responsibilities, demonstrating ____________.

    <p>professional ethics</p> Signup and view all the answers

    Match the following ethical principles to their descriptions:

    <p>Adhere to the highest ethical standards of behavior = Canon or principle: Protect society, the common good, necessary public trust and confidence, and the infrastructure Behave correctly and set the example for others to follow = Canon or principle: Act honorably, honestly, justly, responsibly, and legally Provide diligent and competent service to principals = Canon or principle: Provide diligent and competent service to principals Advance and protect the profession = Canon or principle: Advance and protect the profession</p> Signup and view all the answers

    What are businesses and organizations required to have in force to control the use of company-provided IT systems?

    <p>acceptable use policies</p> Signup and view all the answers

    What does Copyleft provide the opportunity for?

    <p>To freely distribute ideas or practices</p> Signup and view all the answers

    Corporate espionage activities can legally include attempts to break into a competitor's property or systems.

    <p>True</p> Signup and view all the answers

    Integrity, in the context of information systems, refers to both the __________ and the processes that are integral to the system.

    <p>information</p> Signup and view all the answers

    Study Notes

    Security Operations and Administration

    • Security operations and administration involve a wide range of tasks and functions, including maintaining a secure environment for business functions and physical security of a campus and data center.
    • A security professional should have a working familiarity with each of these tasks and functions.

    Incident Response

    • Incident response activities include:
      • Conducting investigations
      • Handling material that may be used as evidence in criminal prosecution and/or civil suits
      • Performing forensic analysis

    Tools for Mitigating, Detecting, and Responding to Threats

    • Common tools for mitigating, detecting, and responding to threats and attacks include:
      • Event logging to enhance security efforts
      • Knowledge of the importance and use of event logging

    Disaster Recovery

    • Security practitioners may need to manage how the organization deals with emergencies, including disaster recovery.

    Supporting Business Functions

    • Supporting business functions involves:
      • Incorporating security policy and practices with normal daily activities
      • Maintaining an accurate and detailed asset inventory
      • Tracking the security posture and readiness of information technology (IT) assets through the use of configuration/change management
      • Ensuring personnel are trained and given adequate support for their own safety and security

    Complying with Codes of Ethics

    • As a security professional, it is essential to:
      • Work, act, and think in ways that comply with and support the codes of ethics that are fundamental parts of the workplace, profession, and society at large
      • Adhere to and support the (ISC)2 Code of Ethics
      • Understand the needs of employers or clients
      • Listen, observe, gather data, and ask questions
      • Make recommendations, offer advice, or take action within the scope of job and responsibilities

    (ISC)2 Code of Ethics

    • The (ISC)2 Code of Ethics:
      • Requires strict adherence to the highest ethical standards of behavior
      • Includes a preamble that emphasizes the safety and welfare of society, duty to principals, and duty to each other
      • Consists of four canons or principles to abide by:
        • Protect society, the common good, necessary public trust and confidence, and the infrastructure
        • Act honorably, honestly, justly, responsibly, and legally
        • Provide diligent and competent service to principals
        • Advance and protect the profession

    Organizational Code of Ethics

    • Most organizations have a code of ethics that:
      • Shapes their policies and guides their decisions, setting goals, and taking actions
      • Guides the efforts of employees, team members, and associates
      • May be extended to partners, customers, or clients
      • Can be the basis of decisions to admonish, discipline, or terminate relationships with employees

    Understanding Security Concepts

    • Key security concepts include:
      • Confidentiality: limits on who is allowed to view the information, including copying it to another form
      • Integrity: the information stays complete and correct when retrieved, displayed, or acted upon
      • Availability: the information is presented to the user in a timely manner when required and in a form and format that meets the user's needs
      • Authenticity: only previously approved, known, and trusted users or processes have been able to create, modify, move, or copy the information
      • Utility: the content of the information, its form and content, and its presentation or delivery to the user meet the user's needs
      • Possession or control: the information is legally owned or held by a known, authorized user, such that the user has authority to exert control over its use, access, modification, or movement
      • Safety: the system and its information, by design, do not cause harm or damage to others, their property, or their lives
      • Privacy: information that attests to or relates to the identity of a person, or links specific activities to that identity, must be protected from being accessed, viewed, copied, modified, or otherwise used by unauthorized persons or systems
      • Nonrepudiation: users who created, used, viewed, or accessed the information, or shared it with others, cannot later deny that they did so
      • Transparency: the information can be reviewed, audited, and made visible or shared with competent authorities for regulatory, legal, or other processes that serve the public good### Information Security Concepts
    • CIANA (Confidentiality, Integrity, Availability, Non-repudiation, and Authentication) is a framework for information security that emphasizes both non-repudiation and authentication.
    • Confidentiality refers to the protection of sensitive information from unauthorized access, use, disclosure, disruption, modification, or destruction.
    • Confidentiality involves sharing secrets with others, but with the agreement that they will not share that information with anyone else without consent.
    • Examples of confidential information include:
      • Proprietary information
      • Trade secrets
      • Business plans
      • Private data
      • Customer information
      • Intellectual property

    Intellectual Property

    • Intellectual property refers to the ideas and expressions of those ideas that are protected by law.
    • Types of intellectual property protection include:
      • Patents: protect ideas, processes, and procedures
      • Copyrights: protect artistic expressions of ideas
      • Trademarks: protect logos, symbols, and brand identities
      • Trade secrets: protect unpublished ideas and confidential information
    • Intellectual property protection is essential for businesses and individuals to maintain a competitive advantage.
    • Failure to protect intellectual property can lead to loss of business, revenue, and reputation.

    Protecting Intellectual Property

    • Protection of intellectual property involves:
      • Labeling and declaring ownership of the idea
      • Classifying and marking the information
      • Instituting procedures to enforce restrictions
      • Using digital rights management (DRM) and copy protection mechanisms
    • Software and digital expressions are protected by copyright and licensed for use.
    • Creative Commons licenses, also known as copyleft, allow for the free use of intellectual property with attribution.

    Corporate Espionage

    • Corporate espionage refers to the illegal gathering of information about competitors or rivals.
    • It is a violation of confidentiality and can be considered a form of industrial or corporate espionage.
    • Some nations encourage corporate espionage to gather business intelligence, while others consider it a violation of sovereignty.
    • The boundary between corporate espionage and national intelligence services is often blurry.### Corporate-Level Espionage
    • Corporate-level espionage activities may include:
      • Establishing business relationships to gain access to e-business information
      • Gathering product service or maintenance manuals and data
      • Recruiting key personnel from the target firm
      • Engaging in competitive information-seeking arrangements with suppliers, vendors, or customers
      • Probing and penetration efforts against the target's websites and online presence
      • Social engineering efforts to gather intelligence data
      • Unauthorized entry or breaking into the target's property, facilities, or systems
    • All of these techniques can be used by third parties, such as hackers, to maintain plausible deniability

    Integrity

    • Integrity refers to the completeness, correctness, and reliability of information and processes
    • In information systems, integrity applies to both the information and the processes that provide functions
    • There are two ways to measure integrity:
      • Binary: either the system has integrity or it does not
      • Threshold-based: the system has a minimum level of integrity to function reliably

    Trustworthiness

    • Trustworthiness is perceptual and can be compromised by attacks such as Stuxnet
    • Defense against compromised trustworthiness: find a separate and distinct means for verifying what systems are telling you

    DIKW (Data, Information, Knowledge, Wisdom)

    • Data: individual facts, observations, or elements of a measurement
    • Information: data plus conclusions or inferences
    • Knowledge: broader, more general conclusions or principles derived from lots of information
    • Wisdom: insightful application of knowledge

    Availability

    • Availability refers to having the right information at the right time and in the right form
    • Availability is key to making informed decisions
    • There are three aspects of availability:
      • Information is available when needed
      • Information is in a usable form
      • Information is meaningful

    Accountability

    • Accountability refers to the need to know that investments in information and systems are paying off
    • Organizations have three functional needs for accountability:
      • Gathering information about the use of corporate information and IT systems
      • Consolidating, analyzing, and auditing usage information
      • Using review results to inform decision-making

    Privacy

    • Privacy is the reasonable expectation that personal information and conversations will be kept confidential
    • Privacy is separate and distinct from confidentiality
    • Legal and cultural definitions of privacy abound, but fundamentally it means having control over who has access to personal information
    • Businesses need to have a reasonable expectation that problems or issues will stay within the set of people who need to be aware of them and involved in their resolution

    Privacy in Law and Practice

    • Privacy is related to three main principles:
      • Restrictions on search and seizure of information and property
      • Self-incrimination
      • Disclosure of information held by the government
    • The European Union's General Data Protection Regulation (GDPR) is a law that binds all persons, businesses, or organizations doing anything involving the data related to an EU person
    • GDPR provides specific functional requirements for organizations' use of information and requires informed consent from users
    • Universal Declaration of Human Rights (Article 12)
    • OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data

    Studying That Suits You

    Use AI to generate personalized quizzes and flashcards to suit your learning preferences.

    Quiz Team

    Related Documents

    3-SSCP-CBK PDF

    Description

    This quiz covers the day-to-day information security operations, where planning decisions are put into practice, including threat assessments and risk management.

    More Like This

    Use Quizgecko on...
    Browser
    Browser