ch 3


40. According to the National Information Infrastructure Protection Act of 1996, the severity of the penalty for computer crimes depends on the value of the information obtained and whether the offense is judged to have been committed for each of the following except __________. a. for purposes of commercial advantage b. for private financial gain c. to harass d. in furtherance of a criminal act

to harass

82. Laws, policies, and their associated penalties only provide deterrence if three conditions are present. List and describe them.

1. Fear of penalty 2. Probability of being caught 3. Probability of penalty being administered

70. The __________ Act of 1966 allows any person to request access to federal agency records or information not determined to be a matter of national security.

Freedom of Information

83. What are the provisions of the Digital Millennium Copyright Act (DMCA)?

It is a crime to circumvent anti-piracy measures that are built into commercial software. It is a crime to manufacture, sell or distribute code-cracking devices that illegally copy software. However, it is not a crime to crack copyright protection devices in order to conduct encryption research, assess product interoperability or test the security of computer systems. Under certain circumstances, nonprofit libraries, archives and education institutions are exempt from the anti-circumvention provisions.

43. The Health Insurance Portability and Accountability Act of 1996, also known as the __________ Act, protects the confidentiality and security of health-care data by establishing and enforcing standards and by standardizing electronic data interchange. a. Gramm-Leach-Bliley b. Kennedy-Kassebaum c. Privacy d. HITECH

Kennedy-Kassebaum

58. __________ are rules that mandate or prohibit certain behavior and are enforced by the government.

Laws

60. __________ is the legal obligation of an entity that extends beyond criminal or contract law.

Liability

64. The __________ Act of 2001 provides law enforcement agencies with broader latitude in order to combat terrorism-related activities.

USA PATRIOT

48. The __________ defines stiffer penalties for prosecution of terrorist crimes. a. USA PATRIOT Act b. Sarbanes-Oxley Act c. Gramm-Leach-Bliley Act d. Economic Espionage Act

USA PATRIOT Act

71. The __________ is the American contribution to an international effort to reduce the impact of copyright, trademark, and privacy infringement, especially when accomplished via the removal of technological copyright protection measures.

either one: a. Digital Millennium Copyright Act (DMCA) b. Digital Millennium Copyright Act c. DMCA

67. The __________ Act of 1999 contains a number of provisions focusing on facilitating affiliation among banks, securities firms, and insurance companies.

either one: a. Financial Services Modernization b. Gramm-Leach-Bliley c. GLB

77. The _________ is a professional association that focuses on auditing, control, and security and whose membership comprises both technical and managerial professionals.

either one: a. Information Systems Audit and Control Association (ISACA) b. Information Systems Audit and Control Association c. ISACA

69. The __________ Act seeks to improve the reliability and accuracy of financial reporting, as well as increase the accountability of corporate governance, in publicly traded companies.

either one: a. Sarbanes-Oxley b. Corporate and Auditing Accountability and Responsibility c. SOX

44. Which of the following acts is a collection of statutes that regulate the interception of wire, electronic, and oral communications? a. Electronic Communications Privacy Act b. Financial Services Modernization Act c. Sarbanes-Oxley Act d. Economic Espionage Act

electronic communications privacy act

11. Cultural differences can make it difficult to determine what is ethical and not ethical between cultures, except when it comes to the use of computers, where ethics are considered universal.

f

12. Unethical and illegal behavior is generally caused by ignorance (of policy and/or the law), by accident, and by inadequate protection mechanisms.

f

15. Employees are not deterred by the potential loss of certification or professional accreditation resulting from a breach of a code of conduct, because this loss has no effect on employees' marketability and earning power.

f

16. The Department of Homeland Security is the only U.S. federal agency charged with the protection of American information resources and the investigation of threats to, or attacks on, those resources.

f

2. The key difference between laws and ethics is that ethics carry the authority of a governing body and laws do not.

f

22. Ethics are the moral attitudes or customs of a particular group.

f

23. Civil law addresses activities and conduct harmful to society and is actively enforced by the state. _________________________

f

25. The Federal Privacy Act of 1974 regulates government agencies and holds them accountable if they release information about national security without permission. _________________________

f

27. Intellectual privacy is recognized as a protected asset in the United States. _________________________

f

28. The Gramm-Leach-Bliley Act is a critical piece of legislation that affects the executive management of publicly traded corporations and public accounting firms. _________________________

f

3. The difference between a policy and a law is that ignorance of a law is an acceptable defense.

f

30. In a study on software license infringement, licenses from the United States were significantly more permissive than those from the Netherlands and other countries. _________________________

f

33. The Department of Homeland Security was created in 2003 by the 9/11 Memorial Act of 2002. _________________________

f

34. The U.S. Secret Service is currently within the Department of the Treasury. _________________________

f

4. For policy to become enforceable, it only needs to be distributed, read, understood, and agreed to.

f

6. The Computer Security Act of 1987 is the cornerstone of many computer-related federal laws and enforcement efforts; it was originally written as an extension and clarification of the Comprehensive Crime Control Act of 1984.

f

7. In the context of information security, confidentiality is the right of individuals or groups to protect themselves and their information from unauthorized access.

f

8. The Council of Europe Convention on Cybercrime has not been well received by advocates of intellectual property rights because it de-emphasizes prosecution for copyright infringement, but it has been well received by supporters of individual rights in the United States.

f

9. The United States has implemented a version of the DMCA law called the Database Right, in order to comply with Directive 95/46/EC.

f

46. What is the subject of the Computer Security Act? a. Federal agency information security b. Telecommunications common carriers c. Cryptography software vendors d. All of the above

federal agency information security

51. What is the subject of the Sarbanes-Oxley Act? a. Banking b. Financial reporting c. Privacy d. Trade secrets

financial reporting

45. Which of the following acts is also widely known as the Gramm-Leach-Bliley Act? a. Financial Services Modernization Act b. Communications Act c. Computer Security Act d. Health Insurance Portability and Accountability Act

financial services modernization act

39. The Computer __________ and Abuse Act of 1986 is the cornerstone of many computer-related federal laws and enforcement efforts. a. Violence b. Fraud c. Theft d. Usage

fraud

73. The low overall degree of tolerance for __________ system use may be a function of the easy association between the common crimes of breaking and entering, trespassing, theft, and destruction of property and their computer-related counterparts.

illicit

55. Criminal or unethical __________ goes to the state of mind of the individual performing the act. a. attitude b. intent c. accident d. All of the above

intent

52. The Council of Europe adopted the Convention on Cybercrime in 2001 to oversee a range of security functions associated with __________ activities. a. online terrorist b. electronic commerce c. cyberactivist d. Internet

internet

61. "Long arm __________" refers to the long arm of the law reaching across the country or around the world to draw an accused individual into its court systems whenever it can establish jurisdiction.

jurisdiction

42. The Privacy of Customer Information Section of the common carrier regulation states that any proprietary information shall be used explicitly for providing services, and not for any __________ purposes. a. troubleshooting b. billing c. customer service d. marketing

marketing

72. Software license infringement is also often called software __________.

piracy

62. Guidelines that dictate certain behavior within an organization are known as __________.

policies

63. Family law, commercial law, and labor law are all encompassed by __________ law.

private

38. __________ law regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments. a. Public b. Private c. Civil d. Criminal

public

79. The Payment Card Industry Data Security Standards (PCI DSS) are designed to enhance the __________ of customers' account data.

security

50. The __________ of 1999 provides guidance on the use of encryption and provides protection from government intervention. a. Prepper Act b. Economic Espionage Act c. USA PATRIOT Act d. Security and Freedom through Encryption Act

security and freedom through encryption act

53. Which of the following countries reported the least tolerant attitudes toward personal use of organizational computing resources? a. Australia b. United States c. Singapore d. Sweden

singapore

1. Due care and due diligence require that an organization make a valid effort to protect others and continually maintain this level of effort, ensuring these actions are effective.

t

10. Studies on ethics and computer use reveal that people of different nationalities have different perspectives; difficulties arise when one nationality's ethical behavior violates the ethics of another national group.

t

13. Individuals with authorization and privileges to manage information within the organization are most likely to cause harm or damage by accident.

t

14. Laws, policies, and their associated penalties only provide deterrence if offenders fear the penalty, expect to be caught, and expect the penalty to be applied if they are caught.

t

17. The Department of Homeland Security works with academic campuses nationally, focusing on resilience, recruitment, internationalization, growing academic maturity, and academic research.

t

18. The Secret Service is charged with safeguarding the nation's financial infrastructure and payments systems to preserve the integrity of the economy.

t

19. Since it was established in January 2001, every FBI field office has started an InfraGard program to collaborate with public and private organizations and the academic community.

t

20. The NSA is responsible for signal intelligence, information assurance products and services, and enabling computer network operations to gain a decision advantage for the United States and its allies under all circumstances.

t

21. The FTC recommends that people place an initial fraud alert (among other things) when they suspect they are victims of identity theft.

t

24. Privacy is the right of individuals or groups to protect themselves and their information from unauthorized access, providing confidentiality._________________________

t

26. The Economic Espionage Act of 1996 protects American ingenuity, intellectual property, and competitive advantage. _________________________

t

29. The Digital Millennium Copyright Act is the American law created in response to Directive 95/46/EC, adopted in 1995 by the European Union. _________________________

t

31. Laws, policies, and their associated penalties only provide deterrence if, among other things, potential offenders fear the probability of a penalty being applied. _________________________

t

32. The code of ethics put forth by (ISC)2 focuses on four mandatory canons: "Protect society, the commonwealth, and the infrastructure; act honorably, honestly, justly, responsibly, and legally; provide diligent and competent service to principals; and advance and protect the profession." _________________________

t

35. The communications networks of the United States carry more funds than all of the armored cars in the world combined. _________________________

t

36. The Federal Bureau of Investigation's National InfraGard Program serves its members in four basic ways: Maintains an intrusion alert network using encrypted e-mail; maintains a secure Web site for communication about suspicious activity or intrusions; sponsors local chapter activities; and operates a help desk for questions. _________________________

t

5. Criminal laws address activities and conduct harmful to society and are categorized as private or public.

t

57. In 2002, Congress passed the Federal Information Security Management Act (FISMA), which mandates that all federal agencies __________. a. provide security awareness training b. periodic assessment of risk c. develop policies and procedures based on risk assessments d. All of the above

a. provide security awareness training

80. List the five fundamental principles of HIPAA.

1. Consumer control of medical information 2. Boundaries on the use of medical information 3. Accountability for the privacy of private information 4. Balance of public responsibility for the use of medical information for the greater good measured against impact to the individual 5. Security of health information

81. What are the requirements for a policy to become enforceable?

1. Dissemination (Distribution) - The policy is readily available for review, electronically or otherwise. 2. Review (Reading) - The policy must be available to all, including non-English speakers and illiterate or reading-impaired employees, for example by making recordings or alternate-language versions of the policy available. 3. Comprehension (Understanding) - The organization must be able to demonstrate that the requirements are understood by the employee, usually by testing or other assessment of the policy. 4. Compliance (Agreement) - The organization must be able to demonstrate that the employee agreed to comply with the policy through act or affirmation. Commonly used techniques include signed documents or logon banners. 5. Uniform enforcement - The organization must be able to demonstrate that the policy has been uniformly enforced, regardless of employee status or assignment.

65. __________ information is a form of collective data that relates to a group or category of people and that has been altered to remove characteristics or components that make it possible to identify individuals within the group.

Aggregate

78. __________ is the unauthorized taking of personally identifiable information with the intent of committing fraud or another illegal or unethical purpose.

Correct Answer(s): a. Identity theft b. ID theft

59. __________ are the fixed moral attitudes or customs of a particular group.

Cultural mores

68. The __________ Act of 1996 attempts to prevent trade secrets from being illegally shared.

Economic Espionage

49. The __________ attempts to prevent trade secrets from being illegally shared. a. Electronic Communications Privacy Act b. Sarbanes-Oxley Act c. Financial Services Modernization Act d. Economic Espionage Act

Economic Espionage Act

66. The __________ Act of 1986 is a collection of statutes that regulates the interception of wire, electronic, and oral communications.

Electronic Communications Privacy

54. Individuals with authorization and privileges to manage information within the organization are most likely to cause harm or damage __________. a. with intent b. by accident c. with malice d. with negligence

by accident

37. __________ law comprises a wide variety of laws that govern a nation or state.

civil

41. The National Information Infrastructure Protection Act of 1996 modified which act? a. USA PATRIOT Act b. USA PATRIOT Improvement and Reauthorization Act c. Computer Security Act d. Computer Fraud and Abuse Act

computer fraud and abuse act

47. Which of the following acts defines and formalizes laws to counter threats from computer-related acts and offenses? a. Electronic Communications Privacy Act of 1986 b. Freedom of Information Act (FOIA) of 1966 c. Computer Fraud and Abuse Act of 1986 d. All of the above

computer fraud and abuse act of 1986

56. Laws, policies, and their associated penalties only deter if which of the following conditions is present? a. Fear of penalty b. Probability of being caught c. Probability of penalty being administered d. All of the above

d. All of the above

74. Key studies reveal that the overriding factor in leveling the ethical perceptions within a small population is __________.

education

76. The __________ is a nonprofit organization that focuses on the development and implementation of information security certifications and credentials.

either one: a. International Information Systems Security Certification Consortium, Inc. (ISC)2 b. International Information Systems Security Certification Consortium, Inc. c. (ISC)2 d. ISC2

75. The __________ is a respected professional society that was established in 1947 as "the world's first educational and scientific computing society."

either one: a. Association of Computing Machinery b. ACM
