Chapter 15


Alan withdraws cash from an ATM belonging to Bank X that is coming from his account with Bank Y. What is Alan's relationship with Bank Y? A. Customer B. Covered entity C. Business associate D. Consumer

A. Customer. Topic: Main Requirements of the GLBA Privacy Rule. Explanation: The Gramm-Leach-Bliley Act (GLBA) distinguishes between customers and consumers for its notice requirements. A consumer is any person who gets a consumer financial product or service from a financial institution. A customer is a consumer who has a continuing relationship with the institution. An example of a consumer without a customer relationship is a person who withdraws cash from an ATM that doesn't belong to his or her personal bank. The person is a consumer of the bank's ATM service, but he or she is not a customer of that bank.

What entity is responsible for overseeing compliance with Family Educational Rights and Privacy Act (FERPA)? A. Family Policy Compliance Office (FPCO) B. Department of Defense (DOD) C. Federal Communications Commission (FCC) D. Federal Trade Commission (FTC)

A. Family Policy Compliance Office (FPCO). Topic: Family Educational Rights and Privacy Act. Explanation: FPCO oversees FERPA compliance. FPCO has the authority to review and investigate FERPA complaints.

Vincent recently went to work for a hospital system. He is reading about various regulations that apply to his new industry. What law applies specifically to health records? A. Health Insurance Portability and Accountability Act (HIPAA) B. Sarbanes-Oxley (SOX) Act C. Payment Card Industry Data Security Standard (PCI DSS) D. Gramm-Leach-Bliley Act (GLBA)

A. Health Insurance Portability and Accountability Act (HIPAA). Topic: Compliance Is the Law. Explanation: While all of the laws listed may impact a hospital, only HIPAA applies specifically to health records.

Tim is implementing a set of controls designed to ensure that financial reports, records, and data are accurately maintained. What information security goal is Tim attempting to achieve? A. Integrity B. Accountability C. Availability D. Confidentiality

A. Integrity. Topic: SOX Control Certification Requirements. Explanation: Integrity controls prevent the unauthorized modification of information, which includes the accurate maintenance of financial information.

Bobbi recently discovered that an email program used within her health care practice was sending sensitive medical information to patients without using encryption. She immediately corrected the problem because it violated the company's security policy and standard rules. What level of the Health Insurance Portability and Accountability Act (HIPAA) violation likely took place? A. Tier A B. Tier B C. Tier C D. Tier D

A. Tier A. Topic: The Health Insurance Portability and Accountability Act. Explanation: Tier A represents violations for which the offender didn't realize that he or she violated the act and would have handled the matter differently if he or she had. This results in a $100 fine for each violation, and the total imposed for such violations cannot exceed $25,000 for the calendar year.

Erin is a system administrator for a federal government agency. What law contains guidance on how she may operate a federal information system? A. Family Educational Rights and Privacy Act (FERPA) B. Federal Information Security Management Act (FISMA) C. Gramm-Leach-Bliley Act (GLBA) D. Sarbanes-Oxley (SOX) Act

B. Federal Information Security Management Act (FISMA). Topic: Compliance Is the Law. Explanation: The Federal Information Security Management Act of 2002 contains specific guidance for those responsible for running federal information systems.

What federal government agency is charged with the responsibility of creating information security standards and guidelines for use within the federal government and more broadly across industries? A. National Security Administration (NSA) B. National Institute of Standards and Technology (NIST) C. Department of Defense (DoD) D. Federal Communications Commission (FCC)

B. National Institute of Standards and Technology (NIST). Topic: The Role of the National Institute of Standards and Technology. Explanation: NIST creates standards that agencies use to classify their data and IT systems. It also creates guidelines and minimum information security controls for IT systems. Agencies must follow these standards and guidelines.

What type of organizations are required to comply with the Sarbanes-Oxley (SOX) Act? A. Non-profit organizations B. Publicly traded companies C. Government agencies D. Privately held companies

B. Publicly traded companies. Topic: Purpose and Scope. Explanation: The main goal of SOX is to protect investors from financial fraud. SOX supplements other federal securities laws. It applies to publicly traded companies that must register with the Securities and Exchange Commission.

Taylor is a security professional working for a retail organization. She is hiring a firm to conduct the Payment Card Industry Data Security Standard (PCI DSS) required quarterly vulnerability scans. What credential should she seek in a vendor? A. Qualified security assessor (QSA) B. Self-assessment vendor (SAV) C. Approved scanning vendor (ASV) D. Independent Scanning Assessor (ISA)

C. Approved scanning vendor (ASV). Topic: Payment Card Industry Data Security Standard. Explanation: Quarterly vulnerability assessment scanning must be performed by an approved scanning vendor (ASV). This requires the company to perform patch remediation prior to rescanning to verify a passing grade. SAV and ISA are made-up acronyms.

Howard is leading a project to commission a new information system that will be used by a federal government agency. He is working with senior officials to document and accept the risk of operation prior to allowing use. What step of the risk management framework is Howard completing? A. Implement security controls in IT systems. B. Assess security controls for effectiveness. C. Authorize the IT system for processing. D. Continuously monitor security controls.

C. Authorize the IT system for processing. Topic: The Role of the National Institute of Standards and Technology. Explanation: During the authorization step, an agency specifically accepts the risks of operation prior to allowing the system to operate. This process used to be known in Federal Information Security Management Act (FISMA) terminology as certification and accreditation.

Federal agencies are required to name a senior official in charge of information security. What title is normally given to these individuals? A. Chief information officer (CIO) B. Chief technology officer (CTO) C. Chief information security officer (CISO) D. Chief financial officer (CFO)

C. Chief information security officer (CISO). Topic: The Federal Information Security Management Act of 2002. Explanation: Under the Federal Information Security Management Act (FISMA), agencies must name a senior official in charge of information security. In most cases, this is the chief information security officer (CISO). These officials must be information security professionals with security experience.

Which of the following is NOT one of the rights afforded to students (or the parents of a minor student) under the Family Educational Rights and Privacy Act (FERPA)? A. Right to inspect student records B. Right to request correction of errors C. Right to delete unwanted information from records D. Right to consent to data release

C. Right to delete unwanted information from records. Topic: The Family Educational Rights and Privacy Act. Explanation: Under FERPA, students (or the parents of a minor student) have the right to know what data are in the student's record and the right to inspect and review that record. They also have the right to request that a school correct errors in a student record and to consent to the release of certain kinds of student data. FERPA does not provide the ability to remove unwanted information from records.

Taylor is preparing to submit her company's Payment Card Industry Data Security Standard (PCI DSS) self-assessment questionnaire. The company uses a payment application that is connected to the Internet but does not conduct e-commerce. What self-assessment questionnaire (SAQ) should she use? A. SAQ A B. SAQ B C. SAQ C D. SAQ D

C. SAQ C. Topic: Self-Assessment Questionnaire. Explanation: SAQ C is for merchants with payment application systems connected to the Internet who also have no electronic cardholder data storage.

Which of the following items would generally NOT be considered personally identifiable information (PII)? A. Name B. Driver's license number C. Trade secret D. Social Security number

C. Trade secret. Topic: Compliance Is the Law. Explanation: A trade secret is not PII. PII is information that you can use to uniquely identify an individual. PII includes names, addresses, Social Security and driver's license numbers, financial account information, health records, and credentials.

Joe is the CEO of a company that handles medical billing for several regional hospital systems. How would Joe's company be classified under the Health Insurance Portability and Accountability Act (HIPAA)? A. Covered entity as a health plan B. Covered entity as a health care clearinghouse C. Covered entity as a provider D. Business associate of a covered entity

D. Business associate of a covered entity. Topic: The Health Insurance Portability and Accountability Act. Explanation: Under HIPAA, a business associate is an organization that performs a health care activity for a covered entity. Covered entities may outsource some health care functions, such as claims and billing, to these organizations.

Betty visits a local library with her young children. She notices that someone using a computer terminal in the library is visiting pornographic websites. What law requires that the library filter offensive web content for minors? A. Children's Online Privacy Protection Act (COPPA) B. Sarbanes-Oxley Act (SOX) C. Family Educational Rights and Privacy Act (FERPA) D. Children's Internet Protection Act (CIPA)

D. Children's Internet Protection Act (CIPA). Topic: The Children's Internet Protection Act. Explanation: The purpose of CIPA is to protect children from exposure to offensive Internet content. CIPA applies to public school systems and public library systems that participate in the E-Rate federal funding program, which must comply with it as a condition of that funding.

Alan withdraws cash from an ATM belonging to Bank X that is coming from his account with Bank Y. What is Alan's relationship with Bank X? A. Customer B. Covered entity C. Business associate D. Consumer

D. Consumer. Topic: Main Requirements of the GLBA Privacy Rule. Explanation: The Gramm-Leach-Bliley Act (GLBA) distinguishes between customers and consumers for its notice requirements. A consumer is any person who gets a consumer financial product or service from a financial institution. A customer is a consumer who has a continuing relationship with the institution. An example of a consumer without a customer relationship is a person who withdraws cash from an ATM that doesn't belong to his or her personal bank. The person is a consumer of the bank's ATM service, but he or she is not a customer of that bank.

Which of the following agencies is NOT involved in the Gramm-Leach-Bliley Act (GLBA) oversight process? A. Securities and Exchange Commission (SEC) B. Federal Trade Commission (FTC) C. Federal Deposit Insurance Corporation (FDIC) D. Federal Communications Commission (FCC)

D. Federal Communications Commission (FCC). Topic: Purpose and Scope. Explanation: The FCC is not involved in the GLBA oversight process. Agencies with GLBA oversight responsibilities are the SEC, Federal Reserve System (the Fed), FDIC, National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), Office of Thrift Supervision (OTS), and FTC.

Alison retrieved data from a company database containing personal information on customers. When she looks at the SSN field, she sees values that look like this: "XXX-XX-9142." What has happened to these records? A. Encryption B. Truncation C. Hashing D. Masking

D. Masking. Topic: Compliance Is the Law. Explanation: Organizations typically implement role-based access control mechanisms in their applications to ensure the confidentiality of sensitive data. Masking is used to "X out" pertinent characters of sensitive data.

Under the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, what type of safeguards must be implemented by all covered entities, regardless of the circumstances? A. Addressable B. Standard C. Security D. Required

D. Required. Topic: Main Requirements of the HIPAA Security Rule. Explanation: Some HIPAA security safeguards are required. Covered entities must implement them.
