Leg, Inv and Comp Flashcards Preview

Flashcards in Leg, Inv and Comp Deck (119)
1
Q

What are the three major categories of law in the US

A

Civil, criminal and administrative

2
Q

Under criminal law, what does burden of proof mean?

A

Judge or jury must believe beyond a reasonable doubt that the defendant is guilty.

3
Q

Classifications in criminal law are split into two categories. What are they?

A

Felony and misdemeanour

4
Q

Civil Penalties do not provide a jail term, and instead provide financial restitution to the victim. True or False?

A

True

5
Q

What three types of civil penalties are there?

A

Compensatory (damages, legal fees, lost profits)
Punitive (punish the offender)
Statutory (violating the law)

6
Q

Under civil law, what does burden of proof mean?

A

Judge or Jury believes they are guilty based on evidence

7
Q

Liability and due care relate to civil law and which other type?

A

Administrative

8
Q

If the cost of implementing a safeguard is less than the cost of the estimated loss, could an organisation be held liable?

A

Yes

9
Q

What does proximate causation mean?

A

An action taken or not taken was part of a sequence of events that resulted in negative consequences.

10
Q

Which rule requires an individual to perform their duties in the following way?

  • In good faith
  • In the best interests of the enterprise
  • With the care and diligence that ordinary, prudent people in a similar position would exercise under similar circumstances

A

The Prudent Man Rule

11
Q

In information security, the steps that an individual or organisation takes to perform their duties and implement information security best practices are otherwise known as what?

A

Due care

12
Q

In the context of information security, research into risk identification and risk management can otherwise be known as what?

A

Due diligence

13
Q

What term is used to describe an organisation that fails to follow a standard of due care in the protection of its assets?

A

Culpable Negligence

14
Q

Which type of law defines standards of performance and conduct for major industries, organisations and officials?

A

Administrative (Regulatory)

15
Q

What is a mixed law system (e.g. religious and civil law combined) otherwise known as?

A

Pluralistic

16
Q

A novice or less experienced hacker can otherwise be known as what?

A

Script Kiddie

17
Q

An ideological attack is commonly known by which term?

A

Hacktivism

18
Q

Intellectual Property is protected under US law under which 4 classifications?

A

Trade Secrets
Copyright
Patents
Trademarks

19
Q

International protection for patents is otherwise known as?

A

The Patent Cooperation Treaty

20
Q

A newly granted patent is valid for how many years?

A

20

21
Q

The grant of a property right to an inventor is otherwise known as what?

A

Patent

22
Q

A word, name, symbol or device is commonly protected by what?

A

Trademark

23
Q

In the US which Act is used to protect trademarks?

A

The Trademark Law Treaty Implementation Act

24
Q

What term is used to protect authors of “original works of authorship” whether published or not?

A

Copyright

25
Q

Object code or documentation would commonly be protected by what?

A

Copyright

26
Q

Traditionally how long does a copyright of works last for?

A

An author's lifetime plus 70 years

27
Q

In the US which Act is used to protect copyright?

A

The Copyright Act 1976

28
Q

Proprietary or business related information that a company or individual uses and has exclusive rights to is commonly known as what?

A

Trade Secret

29
Q

The following are requirements of which type of intellectual property?

  • must be genuine and not obvious
  • must provide the owner a competitive or economic advantage
  • must be reasonably protected from disclosure

A

Trade Secret

30
Q

The EU Privacy Rules define which 7 requirements?

A

  • collected lawfully and fairly
  • used only for the original purpose for which it was collected, and only for a reasonable period
  • must be accurate and up to date
  • must be accessible to the individuals whose data it is
  • individuals have the right to correct their data
  • cannot be disclosed to third parties unless required by law or consent is granted by the individual
  • transmission of personal data to locations that do not have equivalent privacy laws is prohibited

31
Q

The US Federal Privacy Act 1974 is used to protect what?

A

Records and information maintained by US government agencies about US citizens and lawful permanent residents

32
Q

The US Federal Privacy Act 1974 has which 3 requirements?

A

  • no agency may disclose information about an individual unless a written request has been received from the individual
  • provisions for individual access to their information
  • provisions for amendment of that information by the individual concerned

33
Q

The US Health Insurance Portability and Accountability Act 1996 (HIPAA) is used to protect what?

A

Individually identifiable health information

34
Q

Which 3 organisations must comply with HIPAA?

A

  • Health Insurers (Payers)
  • Health Providers (Hospitals)
  • Healthcare clearinghouses (a public or private entity that facilitates or processes non-standard data elements of health information into standard data elements), e.g. a data warehouse.

35
Q

The following are provisions of which law?

  • broadens the scope of HIPAA compliance to include additional third parties such as pharmacies, claims processing/billing companies, persons performing legal/accounting/admin work.
  • promotes the adoption of electronic health records
  • notification when the security/privacy of unsecured electronic healthcare information has been breached.
  • issuance of technical guidance on the technologies/methodologies used to render electronic information unusable in the event that it’s breached.
A

HITECH - US Health Information Technology for Economic and Clinical Health Act 2009

36
Q

Regarding HITECH, what are the two notification requirements, depending on the amount of data breached?

A

  • if over 500, the breach must be reported to HHS, media outlets and the individuals affected.
  • if less than 500, the breach must be reported to the HHS secretary annually and to the individuals affected.

37
Q

Which Act requires financial institutions to protect their customers' personally identifiable information?

A

US Gramm-Leach-Bliley Financial Services Modernization Act PL 106-102 (GLBA)

38
Q

What are the 3 rules of GLBA?

A

  • Financial Privacy Rule
  • Safeguard Rule
  • Pretexting Protection

39
Q

What is the financial privacy rule in relation to GLBA?

A

Requires each financial institution to provide information to each customer regarding the protection of that customer's personal information

40
Q

What is the safeguard rule in relation to GLBA?

A

Requires each financial institution to develop a formal written security plan

41
Q

What is Pretexting Protection in relation to GLBA?

A

Requires each financial institution to take precautions to prevent attempts by social engineers to acquire private customer information

42
Q

What are the 8 principles of the data protection act?

A

  • Information processed fairly and lawfully
  • obtained for one or more specified and lawful purposes and not processed other than for the original reason for which it was obtained
  • personal data shall be adequate, relevant and not excessive in relation to the purpose for which it is processed
  • shall be accurate and, where necessary, kept up to date
  • shall not be kept longer than necessary for the purpose for which it was originally obtained
  • shall be processed in accordance with the rights of the data subject
  • appropriate technical/organisational measures taken to protect the information
  • shall not be transferred to a country/territory outside the European Economic Area unless it has equivalent privacy rights in place

43
Q

What are the 6 principles of PCI-DSS?

A

  1. Build and maintain a secure network
  2. Protect cardholder data
  3. Maintain a vulnerability management program
  4. Implement strong access control measures
  5. Regularly monitor and test networks
  6. Maintain an information security policy

44
Q

What are the two requirements of PCI-DSS Principle 1: Build and maintain a secure network?

A

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Don't use vendor-supplied defaults for system passwords or other security parameters.

45
Q

What are the two requirements of PCI-DSS Principle 2: Protect Cardholder data?

A

  1. Protect stored cardholder data
  2. Encrypt transmission of cardholder data across open/public networks.

46
Q

What are the two requirements of PCI-DSS Principle 3: Maintain a vulnerability management program?

A

  1. Use and regularly update anti-virus software
  2. Develop and maintain secure systems and applications

47
Q

What are the three requirements of PCI-DSS Principle 4: Implement strong access control measures?

A

  1. restrict access to cardholder data by business need to know
  2. assign a unique ID to each person that has computer access
  3. restrict physical access to cardholder data

48
Q

What are the two requirements of PCI-DSS Principle 5: Regularly monitor and test networks?

A

  1. Track and monitor all access to network resources and cardholder data
  2. regularly test security systems and processes

49
Q

What is the one requirement of PCI-DSS Principle 6: Maintain an information security policy?

A

  1. maintain a policy that addresses information security

50
Q

What is the main disclosure Act called in the US? (not currently law)

A

Data Accountability and Trust Act (DATA)

51
Q

Which Act covers the following 3 areas?

  • classified national defence or foreign relations information
  • records of financial institutions or credit reporting agencies
  • government computers

A

The US Computer Fraud and Abuse Act 1986

52
Q

What are the three offences established by the US Computer Fraud and Abuse Act 1986?

A

  • Unauthorised access to a federal computer for purposes of fraud (felony)
  • Altering, damaging or destroying information on a federal interest computer (felony)
  • trafficking in computer passwords or similar information (misdemeanour)

53
Q

A “protected” computer is otherwise known as what in the Computer Fraud and Abuse Act 1986?

A

Federal

54
Q

Amendments to the Computer Fraud and Abuse Act 1986 include what 5 provisions in relation to computer crime?

A

  • Unauthorised access to a computer that results in disclosure of US defence information.
  • unauthorised access to a "protected computer"
  • unauthorised access to a "protected" computer that affects use of that computer
  • unauthorised access to a "protected" computer causing damage, or intentionally transmitting malicious code that causes damage to a "protected" computer
  • transmission of an interstate or foreign commerce communication threatening to cause damage to a "protected" computer.

55
Q

What is the main computer crime act in the US?

A

The Computer Fraud and Abuse Act 1986

56
Q

In the US which Act provides the legal basis for network monitoring?

A

The US Electronic Communications Privacy Act 1986 (ECPA)

57
Q

Which Act provides the following:

  • requires federal agencies to take extra measures to prevent unauthorised access to computers containing sensitive information
  • identify and develop security plans for sensitive systems
  • security-related awareness training for employees
  • assigns formal government responsibility to NIST (National Institute of Standards and Technology) for computer security standards.
  • assigns cryptography to the National Security Agency (NSA) for classified government/military systems

A

US Computer Security Act 1987

58
Q

The US Federal Sentencing Guidelines 1991 provides which 3 things?

A

  • written standards of conduct for organisations
  • relief in sentencing for organisations that have demonstrated due diligence
  • responsibility for due care on senior management

59
Q

The US Economic Espionage Act 1996 provides what main thing?

A

Covers industrial espionage, i.e. trade secrets taken from other organisations

60
Q

Which act in the US targets Child pornography?

A

US Child Pornography Prevention Act 1996

61
Q

What does USA PATRIOT in the USA PATRIOT Act 2001 stand for?

A

Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act 2001

62
Q

What are the sections of relevance in the USA PATRIOT Act 2001?

A

  • Authority to intercept wire, oral and electronic communications relating to computer fraud and abuse offences
  • Seizure of voicemail messages pursuant to warrants
  • Scope of subpoenas for records of electronic communication
  • Clarification of scope
  • Emergency disclosure of electronic communication to protect life or limb
  • Pen Register and Trap and Trace Authority under FISA (Foreign Intelligence Surveillance Act)
  • Interception of Computer Trespasser Communications
  • Nationwide service of search warrants for electronic evidence
  • Deterrence and prevention of cyber-terrorism
  • Additional defence to civil actions relating to preserving records in response to government requests
  • Development and support of cyber-security forensic capabilities

63
Q

What is a pen/trap device?

A

A pen register shows the outgoing numbers called from a phone; a trap and trace device shows the incoming numbers to that phone.

64
Q

Which act was introduced to create and strengthen existing standards for public corporations and public accounting firms including auditing, governance and financial disclosures?

A

The US Sarbanes-Oxley Act of 2002

65
Q

What does the US CAN-SPAM Act 2003 (Controlling the Assault of Non-solicited Pornography and Marketing) provide?

A

Establishes standards for sending commercial email messages

66
Q

Directive 95/46/EC on the protection of personal data (1995 EU) states what?

A

that personal data should not be processed at all unless certain conditions have been met. (relates to European citizens)

67
Q

Which Act permits US based organisations to certify themselves as properly handling private data belonging to European citizens?

A

Safe Harbour Act 1998

68
Q

What is the purpose of the Council of Europe’s Convention on Cybercrime (2001)?

A

Requires criminal laws to be established in signatory nations for computer hacking activities, child pornography and intellectual property violations. It also attempts to improve international cooperation with respect to monitoring, investigations and prosecutions.

69
Q

What are the three offences relating to computer crime in the UK Computer Misuse Act 1990 (known as the Cybercrime Act 2001 in Australia)?

A

  • unauthorised access, whether successful or unsuccessful
  • unauthorised modification
  • hindering authorised access (Denial of Service)

70
Q

Most evidence gathered in a computer crime case is generally categorised as what?

  • Direct evidence
  • Real evidence
  • Documentary evidence
  • Demonstrative evidence

A

Documentary evidence

71
Q

What is original, unaltered evidence defined as?

  • Best
  • Secondary
  • Corroborative
  • Conclusive
  • Circumstantial

A

Best

72
Q

What would a duplicate or copy of evidence, such as a tape backup, screen capture or photograph, be defined as?

  • Best
  • Secondary
  • Corroborative
  • Conclusive
  • Circumstantial

A

Secondary

73
Q

What type of evidence supports or substantiates other evidence presented in a case?

  • Best
  • Secondary
  • Corroborative
  • Conclusive
  • Circumstantial

A

Corroborative

74
Q

What type of evidence would be defined as irrefutable?

  • Best
  • Secondary
  • Corroborative
  • Conclusive
  • Circumstantial

A

Conclusive

75
Q

What type of evidence covers relevant facts that you can't directly or conclusively connect to other events?

  • Best
  • Secondary
  • Corroborative
  • Conclusive
  • Circumstantial

A

Circumstantial

76
Q

Can data that’s extracted from a computer be considered best evidence?

A

Yes, if it is a fair and accurate representation of the original data.

77
Q

What type of rule defines evidence that is not based on personal, first-hand knowledge of a witness, but rather comes from other sources?

A

Hearsay rule

78
Q

Do some courts consider a computer-stored record containing a human statement as hearsay evidence?

A

Yes

79
Q

Do some courts consider computer-generated records untouched by humans as hearsay evidence?

A

No

80
Q

What is the commonly applied test of admissibility for computer records called?

A

Business records exception

81
Q

What are the 5 criteria for business records exception?

A

  • made at or near the time the event occurred
  • made by or transmitted by a person who has knowledge of the business process
  • made and relied on during regular conduct of the business
  • kept for motives that tend to assure their accuracy
  • in the custody of the witness on a regular basis

82
Q

What is the difference between entrapment and enticement?

A

Entrapment encourages someone to commit a crime, whereas enticement lures someone towards some evidence after the crime has already occurred (honeypot).

83
Q

What are the 5 stages of the evidence life-cycle?

A

  1. Collection and identification
  2. Analysis
  3. Storage, preservation and transportation
  4. Presentation in court
  5. Return to victim (owner)

84
Q

What are the 4 circumstances in which law enforcement agencies can seize computers or electronic evidence?

A

  1. Voluntary or consensual
  2. Subpoena
  3. Search Warrant or Writ of possession
  4. Exigent circumstances

85
Q

What is the difference between a subpoena and a search warrant?

A

A subpoena is issued to an individual, whereas a search warrant is issued to a law enforcement agency

86
Q

What are exigent circumstances?

A

If probable cause exists and the destruction of evidence is imminent, that evidence may be searched or seized without a warrant

87
Q

When recording information in an evidence log, what 3 things must be captured?

A

Description of the evidence
Name of the person who collected the evidence
Date, time, location and circumstances

88
Q

What 4 areas are mentioned in the guidelines for how information should be marked?

A

  • Mark the evidence
  • or use an evidence tag
  • seal the evidence
  • protect the evidence

89
Q

What is a MOM test in relation to conducting investigations?

A

Did the suspect have the Motive, Opportunity and Means.

90
Q

What are the 6 steps of incident response?

A

  1. Determine whether a security incident has occurred
  2. Notify the appropriate people about the incident
  3. Contain the incident (or damage)
  4. Assess the damage
  5. Recover normal operations
  6. Evaluate incident response effectiveness

91
Q

What is the difference between an investigation and incident response?

A

Investigation involves the gathering of evidence for possible prosecution. Incident response focuses on containing the damage and resuming normal operations.

92
Q

What is the computer game fallacy?

A

Any computer, system or network that is not properly protected is fair game.

93
Q

What is the law-abiding citizen fallacy?

A

If no physical theft is involved, an activity isn't really stealing.

94
Q

What is the Shatterproof Fallacy?

A

Any damage done will have a limited effect

95
Q

What is the candy from a baby fallacy?

A

It’s so easy, it can’t be wrong

96
Q

What is the hacker's fallacy?

A

Computers provide a valuable means of learning that will in turn benefit society.

97
Q

What is the difference between a hacker and a cracker?

A

A cracker always does it at the expense of others

98
Q

What is the free information fallacy?

A

Any and all information should be free, so it may be obtained through any means.

99
Q

What are the four canons in the (ISC)² code of ethics?

A

  1. Protect society, the commonwealth and the infrastructure
  2. Act honourably, honestly, justly, responsibly and legally
  3. Provide diligent and competent service to principals
  4. Advance and protect the profession

100
Q

What is the Internet Architecture Board? ("Ethics and the Internet", RFC 1087)

A

Defines unethical and unacceptable behaviour on the internet

101
Q

What is the Computer Ethics Institute?

A

The ten commandments of computer ethics.

102
Q

What is Tort Law?

A

Deals with civil wrongs against an individual or business entity. Compensation normally involves monetary values.

103
Q

What is customary law?

A

Regionalised systems that reflect the society's norms and values, based on programmatic wisdom and traditions.

104
Q

Computer crimes can often be categorised into which 3 categories?

A

Computers as a tool
Computers as the target of the crime
Computers incidental to the crime

105
Q

What is the Council of Europe (COE) Convention on Cybercrime?

A

International response to criminal behaviours

106
Q

What organisation oversees international patent and trademark efforts?

A

WIPO (World Intellectual Property Organisation)

107
Q

What is an EULA?

A

End User Licensing Agreement

108
Q

What is the difference between a master agreement and EULA?

A

A master agreement sets out general overall conditions, whereas an EULA is more granular.

109
Q

What is PII?

A

Personally Identifiable Information

110
Q

What is the OECD (Organisation for Economic Cooperation and Development)?

A

Defines principles for securing personal information. Broadly classifies principles based on differing internal laws and regulations.

111
Q

What legal principles can be used as a checklist to determine whether employee monitoring is justified?

A

EU Directive (7 principles)

112
Q

In the US, which Act outlines minimum ethics requirements for computer use?

A

The 1991 US Federal Sentencing Guidelines for Organisations (FSGO)

113
Q

What is CEI?

A

Computer Ethics Institute (the ten commandments of computer ethics)

114
Q

What is the Internet Activities/Architecture Board?

A

Ethical behaviour on the internet

115
Q

What is the National Computer Ethics and Responsibilities Campaign? (NCERC)

A

Its goal is to foster computer ethics awareness and education.

116
Q

What is the Golden Rule with regard to ethics?

A

Treat others as you wish to be treated

117
Q

What is Kant's categorical imperative with regard to ethics?

A

If an action is not right for everyone, it is not right for anyone.

118
Q

What is Descartes' rule of change with regard to ethics?

A

If an action is not repeatable at all times, it is not right at any time.

119
Q

What is the utilitarian principle with regard to ethics?

A

Achieves the most good