Study online at https://quizlet.com/_dcg8k6
1. information se- "protecting information and information systems from unauthorized access, use,
curity disclosure, disruption, modification, or destruction." - US law
protection of digital assets.
2. secure it's difficult to define when you're truly secure. when you can spot insecurities, you
can take steps to mitigate these issues. although you'll never get to a truly secure
state, you can take steps in the right direction.
m; as you increase the level of security, you decrease the level of productivity. the
cost of security should never outstrip the value of what it's protecting.
3. data at rest and data at rest is stored data not in the process of being moved; usually protected
in motion (and in with encryption at the level of the file or the entire storage device.
use)
data in motion is data that is in the process of being moved; usually protected
with encryption, but in this case the encryption protects the network protocol or
the path of the data.
data in use is the data that is actively being accessed at the moment. protection
includes permissions and authentication of users. could be conflated with data in
motion.
4. defense by layer the layers of your defense-in-depth strategy will vary depending on situation and
environment.
logical (nonphysical) layers: external network, network perimeter, internal net-
work, host, application, and data layers as areas to place your defenses.
m; defenses for layers can appear in more than one area. penetration testing, for
example, can and should be used in all layers.
5. payment card in-
dustry data secu-
, D430: Fundamentals of Information Security - PASSED
Study online at https://quizlet.com/_dcg8k6
rity standard (PCI a widely accepted set of policies and procedures intended to optimize the security
DSS) of credit, debit and cash card transactions and protect cardholders against misuse
of their personal information.
6. health insur- a federal law that required the creation of national standards to protect sensitive
ance portability patient health information from being disclosed without the patient's consent or
and accountabil- knowledge.
ity act of 1996
(HIPAA)
7. federal infor- requires each federal agency to develop, document, and implement an informa-
mation security tion security program to protect its information and information systems.
management act
(FISMA) m; applies to US federal government agencies, all state agencies that administer
federal programs, and private companies that support, sell to, or receive grant
money from the federal government.
8. federal risk defines rules for government agencies contracting with cloud providers; applies
and authoriza- to both cloud platform providers and companies providing software as a service
tion manage- (SaaS) tools that are based in the cloud.
ment program
(FedRAMP)
9. sarbanes-oxley regulates the financial practice and governance for publicly held companies.
act (SOX)
m; designed to protect investors and the general public by establishing require-
ments regarding reporting and disclosure practices.
places specific requirements on an organization's electronic recordkeeping, in-
cluding the integrity of records, retention periods for certain kinds of information,
and methods of storing electronic communications.
10.
, D430: Fundamentals of Information Security - PASSED
Study online at https://quizlet.com/_dcg8k6
gramm-leach-blileyrequires financial institutions to safeguard their customers financial data and
act (GLBA) identifiable information.
m; mandates the disclosure of an institution's information collection and informa-
tion sharing practices and establishes requirements for providing privacy notices
and opt-outs to consumers.
11. children's inter- requires schools and libraries to prevent children from accessing obscene or
net protection harmful content over the internet.
act (CIPA)
12. children's online protects the privacy of minors younger than 13 by restricting organizations from
privacy protec- collecting their PII (personally identifiable information), requiring the organiza-
tion act (COPPA) tions to post a privacy policy online, make reasonable efforts to obtain parental
consent, and notify parents that information is being collected.
13. family education- defines how institutions must handle student records to protect their privacy and
al rights and pri- how people can view or share them.
vacy act (FERPA)
14. international a body first created in 1926 to set standards between nations.
organization for
standardization the 27000/27k series of THIS covers information security; 27000, 27001, 27002.
(ISO) these documents lay out best practices for managing risk, controls, privacy, tech-
nical issues, and a wide array of other specifics.
15. national insti- provides guidelines for many topics in computing and technology, including risk
tute of standards management.
and technology
(NIST) m; two commonly referenced publications on risk management are SP 800-37
and SP 800-53.
SP 800-37 lays out the risk management framework in six steps: categorize, select,
implement, assess, authorize, and monitor.
, D430: Fundamentals of Information Security - PASSED
Study online at https://quizlet.com/_dcg8k6
16. confidentiality refers to our ability to protect data from those who are not authorized to view it.
(CIA triad)
m; can be compromised in a number of ways; losing laptop with data, someone
looking over your shoulder while entering password, email attachments sent to
wrong people, attackers could penetrate your system.
17. integrity (CIA tri- the ability to prevent people from changing your data in an unauthorized or
ad) undesirable manner.
m; must have the means to prevent unauthorized changes to data and the ability
to reverse unauthorized changes.
is particularly important when it concerns data that provides the foundation for
other decisions; an attacker could alter data from medical tests which can harm
the patient.
18. availability (CIA the ability to access our data when we need it.
triad)
m; THIS can be be lost due to power outages, operating system or application
problems, network attacks, or compromising of a system.
when the issues are caused by an attacker it is called a denial-of-service (DoS)
attack.
19. integrity (parker- THIS is the same as from the CIA triad, however this version doesn't account
ian hexad) for authorized, but incorrect, modification of data; the data must be whole and
completely unchanged.
20. possession/con- in the parkerian hexad, THIS refers to the physical disposition of the media on
trol (parkerian which the data is stored; enabling you to discuss the loss of data in the physical
hexad) sense.