581 FINAL

Which of the following was not one of the outcomes of the Enron scandal?

Public companies are required to file one comprehensive financial disclosure statement with the Securities and Exchange Commission (SEC).

The Federal Information Security Modernization Act (FISMA) requires each federal agency to create an agency-wide information security program. Even agencies with national security systems must create these programs. What must be in place to measure the harm that could result from unauthorized access to or use of agency IT systems?

Risk assessments

The Sarbanes-Oxley Act (SOX) requires companies to monitor internal controls over financial reporting (ICFR) for outsourced operations. Many companies do this by asking their outsourcing companies to provide them with a System and Organization Controls (SOC) report after an audit. Which of the following is not true of SOC audits?

SOC audits are created by the outsourcing company.

The Enron scandal and similar corporate scandals led to the creation of which of the following?

SOX (Sarbanes-Oxley Act)

Sarbanes-Oxley Act (SOX) _________ requires a company's executive management to report on the effectiveness of the company's internal controls over financial reporting (ICFR).

Section 404

Which of the following statements summarizes why breach notification is hard for entities?

States have different laws about what constitutes a breach.

Which of the following is not true of national security systems (NSSs)?

The Department of Defense (DoD) ensures that agencies with an NSS create an information security program and test it each year.

Which of the following is not true of internal controls over financial reporting (ICFR)?

The Sarbanes-Oxley Act (SOX) describes the specific types of ICFR that companies must implement.

The California Database Security Breach Notification Act requires entities to give written notice to California residents, with exceptions. In which situation does an entity not have to provide written notices?

The entity prefers to notify via its website.

In 2002, Washington State created a data disposal law that requires an entity to take reasonable steps to destroy records that contain health and financial data when it determines that it no longer needs those records. Which of the following is specifically excluded from following this law?

The federal government

True or False? According to California law, entities do not need to give notice of a breach if the personal information in their computer system was encrypted; thus, they are granted safe harbor.

True

Which of the following conditions is not taken under consideration by Congress when determining if an area should fall under federal legislation?

What the greatest economic advantage will be to the national market as it relates to the area under consideration

Which of the following is included in a law's legislative history?

Public companies are required to file a number of financial disclosure statements with the Securities and Exchange Commission (SEC). What type of document is Form 10-K?

annual report

Regarding state breach notification laws, what does an encryption safe harbor typically provide?

An entity does not need to give notice of a breach if the personal information in their computer system was encrypted.

Sponsored by five U.S. financial organizations, ___________ is a nonprofit organization that was established in 1985 to identify factors that contributed to fraudulent financial reporting.

COSO

The ___________ was the first law to address federal computer security and required every federal agency to create security plans for its IT systems.

Computer Security Act (CSA)

In 2009, the Yankees won the World Series. During a celebration parade in New York City, sports fans ran out of confetti. What did they use instead?

Documents containing readable personal information

Under the ____________________, federal agencies must post privacy policies on their websites that contain the same types of information that are in a privacy impact assessment (PIA).

E-Government Act of 2002

Maria needs financial information for a publicly traded company. Specifically, she is looking for the company's most recent Form 10-K report and SOX Section 404 report on internal controls. Which of the following is the best source for Maria?

EDGAR

Which of the following is an export control regulation?

ITAR

Which of the following statements best captures the role and responsibility of NIST?

NIST creates the standards and guidelines for non-national security systems to help agencies meet their Federal Information Security Modernization Act (FISMA) obligations.

The Federal Information Security Modernization Act (FISMA) requires the creation of information security standards and guidelines. Which of the following organizations was delegated this responsibility?

National Institute of Standards and Technology (NIST)

In 2015, background investigation records from the Office of Personnel Management (OPM) were stolen. The theft included sensitive personnel files on over 21.5 million current, former, and prospective federal employees and contractors, including almost 5.6 million records with fingerprints. The incident led to a congressional investigation and the resignation of some OPM leaders. What was the main reason the breach occurred?

OPM failed to prioritize its information security activities.

The ___________ enforces trade sanctions and embargoes.

Office of Foreign Assets Control (OFAC)

The _________________ requires all federal agencies to create a breach notification plan.

Office of Management and Budget (OMB)

Which of the following represents each shareholder's portion of a public company's earnings?

dividend

True or False? All Public Company Accounting Oversight Board (PCAOB) members must be certified public accountants (CPAs).

false

True or False? An agency's annual Federal Information Security Modernization Act (FISMA) report is considered classified.

false

True or False? Massachusetts has the nation's most flexible data protection laws.

false

True or False? The COSO Framework specifically states that all organizations should follow the Guide to Assessment of IT Risk (GAIT).

false

True or False? The Federal Information Security Management Act (FISMA) was originally the Federal Information Security Modernization Act.

false

True or False? The Sarbanes-Oxley Act (SOX) requires companies to report accurate financial data in order to protect their auditors from harm.

false

True or False? The U.S. Supreme Court found that the way that the Public Company Accounting Oversight Board (PCAOB) was created violates the separation of powers doctrine and could no longer continue to function.

false

The main purpose of the 2003 California Database Security Breach Notification Act was to:

give state residents timely information about a breach so that they can protect themselves.

Under the Sarbanes-Oxley Act (SOX), _________________ are the processes and procedures that a company uses to provide reasonable assurance that its financial reports are reliable.

internal controls

What is a legal concept that protects an entity from legal liability and is written into the law? Entities that encrypt the personal information that they own or maintain do not have to follow the notification requirements of this concept if they have a data breach.

safe harbor

Congress can create laws in areas where ________________ allow(s) it.

the U.S. Constitution

True or False? Agencies must follow NIST standards and guidelines for non-national security systems.

true

True or False? An inspector general (IG) is an official who reviews the actions of a federal agency.

true

True or False? As an outcome of the Enron scandal, the U.S. government prosecuted many of Enron's top executives for their involvement in its business dealings.

true

True or False? Called "private cause of action," California law allows people to sue private entities for any damages if the entity does not follow the data breach notification law.

true

True or False? If it were not for the California breach notification law, ChoicePoint might not have notified any consumers at all about its data breach.

true

True or False? It is a crime under the Sarbanes-Oxley Act (SOX) for any person, whether in a public or private company, to tamper with or destroy any record in an attempt to interfere with a federal investigation.

true

True or False? NIST Special Publications (SPs) are computer security guidelines.

true

True or False? One of the main functions of the Public Company Accounting Oversight Board (PCAOB) is to set standards for how auditors review public companies.

true

True or False? One of the provisions of the E-Government Act is that federal agencies must review their IT systems for privacy risks.

true

True or False? Per the Gramm-Leach-Bliley Act (GLBA), entities engaged in certain kinds of financial transactions must follow privacy and information security rules designed to protect customers' personal information.

true

True or False? Some states require entities doing business within the state to follow basic information security practices, while other states are more aggressive and require entities to use specific security practices, such as encryption.

true

True or False? The California Database Security Breach Notification Act applies to anyone who owns or uses computerized data that contains the unencrypted personal information of a California resident.

true

True or False? The Massachusetts and Nevada data protection laws require encryption.

true

True or False? The NIST Risk Management Framework (RMF) requires agencies to test their systems and approve them for operation.

true

True or False? The New York State data disposal law requires that any person or business destroying records must take action that is consistent with commonly accepted industry practices.

true

True or False? The Office of Management and Budget (OMB) requires agencies to report breaches of both paper and electronic information.

true

True or False? The Public Company Accounting Oversight Board (PCAOB), which oversees the audit of public companies, provides guidance on how an auditor performs an audit of a company's internal controls over financial reporting (ICFR).

true

True or False? The Securities and Exchange Commission (SEC) oversees most Sarbanes-Oxley Act (SOX) provisions.

true

True or False? The term "cyberwar" refers to conflicts between nations and their militaries.

true

True or False? Though the Payment Card Industry Data Security Standard (PCI DSS) is not a law, businesses that wish to accept credit cards for payment must follow PCI DSS, which is enforced by major credit companies such as Visa and MasterCard.

true

True or False? Under the Privacy Act, a "record" includes a person's educational, financial, medical, and criminal history information.

true

True or False? Under the Sarbanes-Oxley Act (SOX), disclosure controls bring events to the attention of executives so they can be reported to the Securities and Exchange Commission (SEC).

true
