A triangle presents the three principles of information security, confidentiality, integrity, and availability, one stated on each side of the triangle. Confidentiality, representing the security goal of protecting information from unauthorized access at all stages of its life cycle, is indicated by three boxes of DVD-R discs; integrity, representing the security goal of data correctness and accuracy, is indicated by a main server; availability, representing the security goal of making sure information systems operate reliably, is indicated by two desktop units accompanied by a monitor and a keyboard, and a server.

Back to Figure

The window is represented by a scale with, Day 0: Vulnerability is discovered, listed at the left end, and Day n: Vulnerability eliminated or mitigated, listed at the right end. Spanning the scale is the label, Day 0 to Day n: period when the vulnerability is susceptible to threat and exploit.

Back to Figure

A set of doors leads from an unsecured area into a mantrap, a controlled-access room. Two persons enter the mantrap through this first set of doors. After the first set of doors closes, the second set of doors opens into a secured area, such as a research laboratory or data center.

Back to Figure

The U.S. Supreme Court, also termed the court of last resort, is at the highest level and controls the 13 U.S. circuit courts of appeals, or courts of appellate jurisdiction; the courts of appeals in turn control the 94 U.S. district courts, or courts of original jurisdiction, marked with an asterisk. The text for the asterisk reads, This figure does not include the structure for special courts of limited jurisdiction.

Back to Figure

The State Supreme Court, also termed the state court of last resort, functions as the court of appellate jurisdiction and the final arbiter of issues of state law; state supreme court decisions on issues of U.S. constitutional or federal law are appealed to the U.S. Supreme Court. The State Supreme Court is shown at the highest level and controls the state court of appeals, or state intermediate appellate court, which is a court of appellate jurisdiction; the state courts of appeals in turn control the state trial courts, which are the courts of original jurisdiction.

Back to Figure

The three primary standards of proof are proof beyond a reasonable doubt, the highest burden of proof, as in criminal cases; clear and convincing evidence and preponderance of the evidence, a moderate burden of proof, as in civil cases; and not arbitrary or capricious, the lowest burden of proof, as in administrative cases.

Back to Figure

The Federal Reserve Board of Governors controls the 12 regional Federal Reserve banks, located in Atlanta, Boston, Chicago, Cleveland, Dallas, Kansas City, Minneapolis, New York, Philadelphia, Richmond, San Francisco, and St. Louis. The regional Federal Reserve banks control the 24 Federal Reserve branches, located throughout the U.S.

Back to Figure

The heading of the form is as follows. Facts: What does [Name of Financial Institution] do with your personal information? The form is divided into three tables and a mail-in form. The first table consists of three rows and two columns, with the first column containing a one-word question and the second column the explanation. The row entries are as follows. Row 1: Why? Financial companies choose how they share your personal information. Federal law gives consumers the right to limit some but not all sharing. Federal law also requires us to tell you how we collect, share, and protect your personal information. Please read this notice carefully to understand what we do. Row 2: What? The types of personal information we collect and share depend on the product or service you have with us. This information can include: Social Security number and [income]; [account balances] and [payment history]; [credit history] and [credit scores]. Row 3: How? All financial companies need to share customers’ personal information to run their everyday business. In the section below, we list the reasons financial companies can share their customers’ personal information; the reasons [name of financial institution] chooses to share; and whether you can limit this sharing. The column headings in the second table are as follows: Reasons we can share your personal information; Does [name of financial institution] share? and, Can you limit this sharing? The last two columns are empty, to be filled in. The entries in the first column are as follows. Row 1: For our everyday business purposes— such as to process your transactions, maintain your account(s), respond to court orders and legal investigations, or report to credit bureaus. Row 2: For our marketing purposes— to offer our products and services to you. Row 3: For joint marketing with other financial companies. Row 4: For our affiliates’ everyday business purposes— information about your transactions and experiences.
Row 5: For our affiliates’ everyday business purposes— information about your creditworthiness. Row 6: For our affiliates to market to you. Row 7: For nonaffiliates to market to you. The row entries in the third table are as follows. Row 1: To limit our sharing. Call [phone number]—our menu will prompt you through your choice(s); Visit us online: [website]; Mail the form below. Please note: If you are a new customer, we can begin sharing your information [30] days from the date we sent this notice. When you are no longer our customer, we continue to share your information as described in this notice. However, you can contact us at any time to limit our sharing. Row 2: Questions? Call [phone number] or go to [website]. The mail-in form has two columns. The text in the first column reads, Leave blank or [If you have a joint account, your choice(s) will apply to everyone on your account unless you mark below. A checkbox, followed by the text, Apply my choices only to me]. The text in the second column reads, Mark any/all you want to limit: A checkbox, followed by the text, Do not share information about my creditworthiness with your affiliates for their everyday business purposes. A checkbox, followed by the text, Do not allow your affiliates to use my personal information to market to me. A checkbox, followed by the text, Do not share my personal information with nonaffiliates to market their products and services to me. The text at the bottom of the form reads as follows: Name, an entry field; Address, an entry field; City, State, Zip, an entry field; Account Number, an entry field; Mail to: [Name of Financial Institution] [Address1] [Address2] [City], [State] [ZIP].

Back to Figure

The figure consists of four tables. The heading of the first table reads, Who we are. The row entry is as follows. Who is providing this notice? [insert]. The heading of the second table reads, What we do. There are two columns, with the question raised in the first column and the explanation in the second column. The row entries are as follows. Row 1: How does [name of financial institution] protect my personal information? To protect your personal information from unauthorized access and use, we use security measures that comply with federal law. These measures include computer safeguards and secured files and buildings. [insert]. Row 2: How does [name of financial institution] collect my personal information? We collect your personal information, for example, when you [open an account] or [deposit money]; [pay your bills] or [apply for a loan]; [use your credit or debit card]. [We also collect your personal information from other companies.] or [We also collect your personal information from others, such as credit bureaus, affiliates, or other companies.] Row 3: Why can’t I limit all sharing? Federal law gives you the right to limit only: sharing for affiliates’ everyday business purposes—information about your creditworthiness; affiliates from using your information to market to you; sharing for nonaffiliates to market to you. State laws and individual companies may give you additional rights to limit sharing. [See below for more on your rights under state law.] Row 4: What happens when I limit sharing for an account I hold jointly with someone else? [Your choices will apply to everyone on your account.] or [Your choices will apply to everyone on your account—unless you tell us otherwise.] The third table lists the definitions in one column and the explanation in the next column. The row entries are as follows. Row 1. Affiliates: Companies related by common ownership or control. They can be financial and nonfinancial companies. [affiliate information].
Row 2. Nonaffiliates: Companies not related by common ownership or control. They can be financial and nonfinancial companies. [nonaffiliate information]. Row 3. Joint marketing: A formal agreement between nonaffiliated financial companies that together market financial products or services to you. [joint marketing information]. The fourth table shows the heading, Other important information, and the text below it reads, [insert other important information].

Back to Figure

Content from the World Wide Web, categorized as acceptable content, which is allowed, and unacceptable content, which is blocked, is accessed through the Internet and first passes through a network security system, the firewall; the firewall connects to a proxy server whose content filter blocks all content marked as unacceptable. Only the acceptable content is made available to the users of a facility.

Back to Figure

The six steps to protect federal IT systems are as follows: Categorize information systems; Select security controls; Implement security controls; Assess security controls; Authorize information systems for processing; and Continuously monitor security controls.

Back to Figure

There are four blocks from left to right. The text in the first block reads, Notification required in 30 days following the discovery of a security breach. A vertical line separates the first and second blocks and is labeled Day 30. The text in the second block reads, Entity fined $1,000 per day for failure to notify within this time period, which lasts for 30 days. A vertical line separates the second and third blocks and is labeled Day 60. The text in the third block reads, Entity fined $50,000 for each 30-day period for failure to notify within this time period, which lasts for 180 days after the notification date. A vertical line separates the third and fourth blocks and is labeled Day 180. The text in the fourth block reads, Entity may be fined $500,000 for failure to notify after this period.

Back to Figure

The decision tree begins with the question, Has there been a breach of a computer system, or does the entity reasonably believe that a breach has occurred? If the reply is No, no notification is required. If the reply is Yes, the next question is, Did the computer system contain personal information? If the reply is Yes, a check is made whether the personal information was encrypted. If it was encrypted, no notification is required. If it was not encrypted, notification is likely required, and the next question is, Does the breach notification law allow substitute notification in some situations? If Yes, a check is made whether the substitute notification requirements have been met. If the reply is No, affected individuals must receive written notice of the security breach; if Yes, an alternate notice is provided according to the law.
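The decision tree above, implemented as an added Python example (not code from the book). It answers the figure's questions in order and keeps the path taken, so a responder can show why a given outcome was reached. The figure does not describe the branch for a system that contained no personal information; that branch is assumed here to require no notification. The sample breach scenarios at the bottom are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Outcome(Enum):
    NO_NOTICE = "no notification required"
    WRITTEN_NOTICE = "written notice of security breach to affected individuals"
    SUBSTITUTE_NOTICE = "alternate notice provided according to the law"


@dataclass(frozen=True)
class BreachFacts:
    """Answers to the questions asked by the decision tree."""
    breach_occurred_or_reasonably_believed: bool
    contained_personal_information: bool
    personal_information_encrypted: bool
    substitute_notification_allowed: bool
    substitute_requirements_met: bool


def decide(facts: BreachFacts) -> tuple[Outcome, list[str]]:
    """Walk the decision tree and return the outcome plus the questions and
    answers that led to it (the audit trail a responder would record)."""
    trail: list[str] = []

    def ask(question: str, answer: bool) -> bool:
        trail.append(f"{question} -> {'Yes' if answer else 'No'}")
        return answer

    if not ask("Breach occurred or reasonably believed?",
               facts.breach_occurred_or_reasonably_believed):
        return Outcome.NO_NOTICE, trail

    if not ask("System contained personal information?",
               facts.contained_personal_information):
        # Assumption: the figure does not draw this branch; no personal
        # information means there is nothing the statute requires notice for.
        return Outcome.NO_NOTICE, trail

    if ask("Personal information encrypted?",
           facts.personal_information_encrypted):
        return Outcome.NO_NOTICE, trail

    # Unencrypted personal information: notification is likely required.
    if ask("Law allows substitute notification?",
           facts.substitute_notification_allowed):
        if ask("Substitute notification requirements met?",
               facts.substitute_requirements_met):
            return Outcome.SUBSTITUTE_NOTICE, trail
        return Outcome.WRITTEN_NOTICE, trail

    return Outcome.WRITTEN_NOTICE, trail


# Constructed scenarios (not from the book) exercising each leaf of the tree.
SCENARIOS = {
    "stolen laptop, disk encrypted": BreachFacts(True, True, True, False, False),
    "database dump, plaintext, small population": BreachFacts(True, True, False, True, False),
    "database dump, plaintext, large population": BreachFacts(True, True, False, True, True),
    "web server defaced, no personal data": BreachFacts(True, False, False, False, False),
}

if __name__ == "__main__":
    for name, facts in SCENARIOS.items():
        outcome, trail = decide(facts)
        print(f"{name}: {outcome.value}")
        for step in trail:
            print("   ", step)
```

Encoding the tree this way makes the missing branch visible as an explicit assumption in the code rather than an unstated default, which is where a real notification analysis should go back to the applicable statute.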

Back to Figure

The layer at the bottom of a pyramid is labeled strategic, which involves setting broad, long-range goals; in the middle is tactical planning, which involves identifying specific, short-range objectives; and at the top is operational, where work standards and schedules are set. An arrow points from bottom to top, with long-term planning, broad scope, indicated at the bottom, and day-to-day planning, specific scope, indicated at the top.

Back to Figure

The layer at the bottom of a pyramid is labeled policies, which are the highest-level governance documents; in the middle is standards; and the top is labeled procedures, which are step-by-step instructions. An arrow points from bottom to top, with broad scope, rarely change, indicated at the bottom, and specific scope, change frequently, indicated at the top.

Back to Figure

The seven steps in a policy development process are as follows: Policy development, stakeholder review, management approval, communication to employees, document compliance and exceptions, continued awareness, and maintenance and review.

Back to Figure

The four steps in the cyclical process are as follows: Implement policies and controls in response to risk analysis; train employees to respond to risk; continuously monitor policies and controls for effectiveness; and risk analysis, which begins the cycle again.

Back to Figure

The processes from top to bottom are as follows: Develop the DR and BC policy; conduct a business impact analysis; identify threats and potential controls; determine recovery strategy; and design and maintain the plan.

Back to Figure

The table shows four columns: safeguard type, preventive, detective, and corrective. Row entries are as follows. Row 1. Administrative: Organization hiring policy; Organization periodic background checks policy; Discipline policy. Row 2. Technical (logical): Least privilege principle; Antivirus software; Updating firewall rules to block an attack. Row 3. Physical: Locks on doors to critical areas; Burglar alarms; Locking a door that was inadvertently left unlocked.

Back to Table

The table shows four columns: name, position, appointing president, and date term began. Row entries are as follows. Row 1. John G. Roberts, Chief Justice, George W. Bush, September 2005. Row 2. Clarence Thomas, Associate Justice, George H. W. Bush, October 1991. Row 3. Ruth Bader Ginsburg, Associate Justice, Bill Clinton, August 1993. Row 4. Stephen Breyer, Associate Justice, Bill Clinton, August 1994. Row 5. Samuel Alito, Associate Justice, George W. Bush, January 2006. Row 6. Sonia Sotomayor, Associate Justice, Barack Obama, August 2009. Row 7. Elena Kagan, Associate Justice, Barack Obama, August 2010. Row 8. Neil Gorsuch, Associate Justice, Donald Trump, April 2017. Row 9. Brett Kavanaugh, Associate Justice, Donald Trump, October 2018.

Back to Table

The table shows four columns: security control area (FIPS 200), low-impact system controls (SP 800-53), moderate-impact system controls (SP 800-53), and high-impact system controls (SP 800-53). Row entries are as follows. Row 1. Security control area (FIPS 200): Access control (wireless access controls). Low-impact system controls (SP 800-53): Federal agencies must establish use restrictions, configuration requirements, and implementation guidance for wireless access, and must authorize wireless access to an information system before allowing access. Moderate-impact system controls (SP 800-53): In addition to implementing low-impact controls, the agency must also protect wireless access to the system using authentication and encryption. High-impact system controls (SP 800-53): In addition to implementing low- and moderate-impact controls, the agency must also identify users allowed to configure wireless networking capabilities and limit wireless communications to organization-controlled boundaries.

Back to Table

The matrix shows the rating level for each combination of likelihood and impact. Data from the matrix, presented in the format, Impact, Likelihood: Rating, are as follows. Low, Low: Low. Low, Medium: Low–Medium. Low, High: Medium–High. Medium, Low: Low–Medium. Medium, Medium: Medium. Medium, High: Medium–High. High, Low: Medium–High. High, Medium: Medium–High. High, High: High.

Back to Table

The table shows six columns: vulnerability, threat source, threat, threat likelihood, threat impact, and risk level. Row entries are as follows. Row 1. Data center has few physical security controls to prevent unauthorized access to data center hardware; Unauthorized users; Theft of data center hardware; Medium; High; Medium–high. Row 2. Failure to remove user accounts in a timely manner when an employee leaves the organization; Disgruntled terminated employees; Theft of sensitive company data; High; High; High. Row 3. No access controls for sensitive files stored on IT resources; Curious employees; Review of data without need to know; Medium; Low; Low–medium.

Back to Table
