ITN 267 Legal Issues in Information Security
Which of the following statements best fits the highest burden of proof?
"clear and convincing evidence"
"not arbitrary or capricious"
"beyond a reasonable doubt"
"preponderance of the evidence"
COBRA benefits generally last a maximum of:
18 months
6 months
1 year
2 years
What story best exemplifies defamation?
A high school sophomore runs against a high school junior for the position of Student Body President. The junior is the incumbent, and the sophomore fears he will lose to his more experienced competition. To reduce his competitor's popularity, the sophomore spreads rumors that the junior behaves unethically—peeks into the girls' locker room after gym class, steals money from the student government's treasury, etc. While playing a one-on-one game of basketball with his little brother, the basketball bounces into the sophomore's face, leaving him with a black eye. The next day, he starts the rumor that he got the black eye when the junior punched him. The principal hears this rumor and asks the sophomore if it is true, and the sophomore confirms that it is. The junior loses the election and gets suspended from school.
A woman makes a reservation for her family at a fine restaurant three months in advance to celebrate her grandmother's 100th birthday. When the family arrives, she learns that the restaurant does not have the reservation. Furthermore, the restaurant refuses to accommodate the grandmother's party guests. The waiter tells the granddaughter, "I don't have time for this. If you don't leave, I'm going to call the police," and this makes the grandmother cry. The whole event leaves the granddaughter furious. She goes home and writes a scathing review on Yelp, tells the story of what happened on her blog and in her Facebook status, and calls all her friends to tell them what happened and advises them never to go to that restaurant. The event winds up getting some local news coverage as a human-interest story, and the restaurant loses a substantial amount of business as a result.
A woman becomes a famous actress after breaking up with her boyfriend. The ex-boyfriend calls the woman hoping to get back together, but she decides she does not want to date him and hangs up. Angry, he sells embarrassing photos he took of her when they were still dating to a tabloid.
A man is frustrated that his co-worker seems to always outshine him in meetings, so the man sneaks into his co-worker's office while the co-worker is in the bathroom and deletes the calendar reminder about the next weekly meeting from the co-worker's cell phone.
What situation would be an example of an exploit?
A major league baseball pitcher takes his daughter to a carnival and plays a game wherein he can earn prizes if he can use a beanbag to knock over all of the cans stacked in a pyramid formation in the game's booth. In each of the 10 rounds of the carnival game that the pitcher plays, he knocks down all the cans, and he wins his daughter the largest stuffed animal prize in the booth.
A film reel catches fire in the middle of a crowded showing of a popular new-release film. The film is ruined. Due to the cinema's policy, all of the people in that audience receive refunds for the price of their tickets.
A man discovers someone's lost wallet. When the man attempts to use the credit cards found in the wallet, he finds that they have been reported as stolen and he is unable to use the cards to carry out any transactions.
An art thief sneaks into a museum, steals a famous painting, and then sneaks out of the museum without being caught by security because the thief identified and traveled through the museum via blind spots of the museum's security cameras. After the incident, the museum increases the number of security guards and cameras guarding the museum at all times.
The District of Columbia and 45 states have enacted breach notification laws, which require an organization to notify state residents if it experiences a security breach that involves the personal information of the residents. Which group of four states does not have a breach notification law?
Alabama, Kentucky, New Mexico, and South Dakota
Alabama, Arizona, New Mexico, and South Dakota
Alabama, Kentucky, West Virginia, and South Dakota
Alabama, Kentucky, New Mexico, and Wisconsin
The Payment Card Industry Security Standards Council (PCI Council) is made up of representatives of the major credit card companies. The major credit card companies are also called credit card brands. Which of the following is not one of the major brands?
American Express
Chase Bank
Visa
JCB International
Which of the following questions does not apply to an audit?
Are the rules being followed?
How are the rules being followed?
Are employees meeting their responsibilities?
What are the rules?
______________ means that only people with the right permission can access and use information.
Authorized agent
Encryption
Confidentiality
Integrity
The _______________________, also known as the Currency and Foreign Transactions Reporting Act, was created to fight drug trafficking, money laundering, and other crimes.
Bank Secrecy Act of 1970
Gramm-Leach-Bliley Act
National Bank Act of 1864
Bank Holding Company Act of 1956
____________________ forbids a new employer's health plan from denying health coverage for some reasons and prohibits discrimination against workers based on certain conditions such as pregnancy.
COBRA
HIPAA
Department of Health and Human Services (HHS)
HITECH
Before ____________________, many workers experienced "job lock" and were afraid that they would lose health care benefits if they changed jobs.
COBRA
HITECH
the creation of the Department of Health and Human Services (HHS)
HIPAA
Which of the following is a true statement regarding COPPA and CIPA rules?
COPPA defines a minor as anyone under the age of 17 years, while CIPA defines a minor as someone under the age of 13 years.
COPPA defines a minor as anyone under the age of 13 years, while CIPA defines a minor as someone under the age of 17 years.
Both define a minor as anyone under the age of 17 years.
Both define a minor as anyone under the age of 13 years.
The first state to enact anti-spyware legislation was:
California
Texas
Michigan
Utah
The Family Policy Compliance Office (FPCO) provides oversight for the ____________________.
Children's Online Privacy Protection Act (COPPA)
Children's Internet Protection Act (CIPA)
Family Educational Rights and Privacy Act (FERPA)
Health Insurance Portability and Accountability Act (HIPAA)
Collection and use of a child's personal information, such as name, e-mail address, or social security number, by a Web site operator is governed by:
Children's Online Privacy Protection Act (COPPA)
Family Educational Rights and Privacy Act (FERPA)
Health Insurance Portability and Accountability Act (HIPAA)
Children's Internet Protection Act (CIPA)
__________________ is a body of law developed because of legal tradition and court cases.
Common law
Administrative law
Public law
Privacy law
A company that created virtual online gaming worlds agreed to pay $3 million in 2011 to settle charges with the FTC. The FTC alleged that the company improperly collected and disclosed the personal information of thousands of children without parental consent. This is the largest civil penalty so far in a Children's Internet Protection Act (CIPA) action. True or false?
False
A contract tells an organization how it must act and the consequences for failing to act properly. True or false?
False
A covered entity is required, upon a person's request, to correct data in the person's PHI. True or false?
False
A high quality security system is prepared and able to identify and respond to all threats and risks and repair all vulnerabilities that may befall the system. True or false?
False
A keystroke logger is harmful code intentionally left on a computer system. It lies dormant for a certain period, and when specific conditions are met, it "explodes" and carries out its malicious function. True or false?
False
A security breach is the term used to describe when a person's personally identifiable information is used without permission to commit other crimes. True or false?
False
All information—no matter how sensitive—should have the extensive protection of safeguards. True or false?
False
An employee's off-duty Internet activity is not considered a privacy concern, so employers are not likely to search the Internet for information related to potential and current employees, nor will they view employee postings on blogs, Web pages, or e-mail lists. True or false?
False
Any time a covered entity discloses PHI, it must follow the maximum necessary rule. The amount disclosed must be able to satisfy the reason why the information is being used or disclosed and any other pertinent information. True or false?
False
Every state in the U.S. permits that employers can practice computer or Internet-use monitoring when the employer provides the equipment to the employee. True or false?
False
First-party cookies are set by one Web site but readable by another site, and third-party cookies are exchanged between a user's browser and the Web site the user is visiting. True or false?
False
Form 10-Q quarterly report is a very detailed disclosure of a company's financial condition. True or false?
False
In order for a privacy policy to be COPPA-compliant, it needs to provide notice of how the information will be used in some cases and must offer a general description of possible methods used to collect information. True or false?
False
In situations when a covered entity may use or disclose PHI to the extent that it's required by law, the covered entity may only do so in response to a subpoena issued by a grand jury. True or false?
False
In the U.S. federal system, the U.S. Court of Appeals is the court of last resort. True or false?
False
Individual consumers are the targets of hackers far more often than financial institutions. True or false?
False
It is not possible that a student record will contain additional information outside the scope of FERPA. FERPA requires schools to reveal this data when access to an educational record is requested. For example, a school will be expected to reveal parental financial records, confidential letters of recommendation, or statements of recommendation. True or false?
False
Physical safeguards, also called logical safeguards, are applied in the hardware and software of information systems. True or false?
False
RFID technology poses privacy concerns in that it can track a person's movements and daily habits. However, you can only be tracked by RFID technology if an RFID tag had been inserted under your skin. True or false?
False
SOX Section 404 imposes criminal liability for fraudulent certifications. Under this section, CEOs and CFOs that knowingly certify fraudulent reports may be fined up to $1 million. True or false?
False
SOX requires companies to report accurate financial data. They must do this to protect their CEO and CFO from harm. True or false?
False
States usually have two appellate courts: a state intermediate appellate court and a state supreme court. States usually have both types of courts. True or false?
False
Supreme Court nominees are required to be highly respected state or federal judges or highly respected attorneys. True or false?
False
The American Library Association and the American Civil Liberties Union sued the U.S. government. They claimed CIPA violated the free speech rights of adults. In 2002 the U.S. District Court for the Eastern District of Pennsylvania agreed that CIPA violated First Amendment rights. The U.S. District Court said that the government could not enforce CIPA. The U.S. government appealed that decision, and the lawsuit went to the U.S. Supreme Court. In United States et al. v. American Library Association, Inc. et al. in 2003, the U.S. Supreme Court struck down the law as unconstitutional. True or false?
False
The C-I-A triad refers to the way that the Central Intelligence Agency classifies sensitive information. True or false?
False
The COPPA is the same as the Child Online Protection Act (COPA), the purpose of which is to protect minors from access to harmful material on the Internet. True or false?
False
The Consumer Financial Protection Bureau (CFPB) and the Office of the Comptroller of the Currency (OCC) were created in 2010. The purpose of the CFPB and OCC is to protect consumers in the financial industry. Unlike the Fed, FDIC, NCUA, and OCC, which regulate financial institutions directly, the CFPB and the OCC focus solely on consumers. True or false?
False
The DSS offers a single approach to safeguarding sensitive cardholder data for all credit card issuers. It recommends 12 basic categories of security requirements that should be followed in order to protect credit card data. True or false?
False
The Enron scandal proved that self-regulation has only benefits and little to no drawbacks, as evidenced by the role of their accounting firm, Arthur Andersen. True or false?
False
The FCC rules specifically state that the U.S. federal government may establish the criteria for making a determination that a filter is CIPA compliant. True or false?
False
The FDIC insures deposit accounts in the event of bank failure. If a bank fails, the FDIC returns the money that a customer put in the bank, no matter how great or small the amount. True or false?
False
The FTC enforces GLBA for any financial institution that isn't regulated by one of the other agencies. Like the other agencies, the FTC may bring an action against any financial institution that doesn't comply with GLBA. The FTC rarely pursues GLBA enforcement actions. True or false?
False
The O.J. Simpson criminal and civil trials illustrate the basic difference between criminal and civil law, because O.J. Simpson was found "guilty" of murder in the criminal case, and he was found not liable in the civil case. The reason for the apparently inconsistent results is that the murder case was in the criminal system and the wrongful death case was a civil action. True or false?
False
The Office of the Comptroller of the Currency (OCC) is led by a comptroller, which is an elected position. True or false?
False
The Patriot Act got its name because it is designed to protect Americans from terrorists trying to gain information that could lead to another attack like 9/11. True or false?
False
The Public Company Accounting Oversight Board has five members. The SEC selects these members and appoints them to staggered terms. All members must be CPAs. True or false?
False
The SEC requires that the CEO and CFO each must certify that the executive is responsible for creating internal controls and procedures that are designed to bring material information about the company to the executive's attention, and that the controls are reviewed 90 days prior to filing the report. True or false?
False
The Supreme Court is under obligation to review a decision from the U.S. Court of Appeals, as guaranteed by the writ of certiorari. True or false?
False
The U.S. Supreme Court is the final source of authority for issues involving U.S. federal laws. True or false?
False
The United States Code is the United States' comprehensive data privacy law. True or false?
False
The United States Code is updated and published every time a new law is created in the United States. True or false?
False
The United States has one comprehensive data protection law and relies on the Federal Trade Commission (FTC) to ensure compliance. True or false?
False
The following is an example of an inadvertent disclosure: a patient going to a hospital to pay a bill briefly views another patient's payment information on the billing clerk's computer monitor. The first patient can see this information only briefly before the clerk accesses the patient's own record. True or false?
False
There is no risk in clicking an e-mail link, as long as the link doesn't force you to enter personal information. True or false?
False
Vulnerability is anything that can cause harm to an information system. True or false?
False
When a Red Flag is detected, it is necessary to conduct a thorough investigation no matter the circumstances of the situation. True or false?
False
When reviewing a legal issue, an attorney or court only reviews whether the issue involves a question that can be answered by the U.S. Constitution or a state constitution as a last resort. True or false?
False
While each federal district court also has its own bankruptcy court, the Constitution gives state governments the sole power over bankruptcy law. True or false?
False
While external and internal attackers are both deliberate threats, only internal attackers seek to embarrass an organization. True or false?
False
The ________________________ protects the personal information of children online.
Family Educational Rights and Privacy Act (FERPA)
Health Insurance Portability and Accountability Act (HIPAA)
Children's Online Privacy Protection Act (COPPA)
Children's Internet Protection Act (CIPA)
The purpose of the ______________________ is to address financial uncertainty and provide the nation with a more stable economy.
Federal Deposit Insurance Corporation
Federal Reserve System
Office of Thrift Supervision
Office of the Comptroller of the Currency
The mission of the _____________________ is to protect consumers and to make sure that business is competitive by eliminating practices harmful to business.
Federal Financial Institutions Examination Council (FFIEC)
Office of Thrift Supervision
Federal Trade Commission (FTC)
National Credit Union Administration (NCUA)
Sponsored by five U.S. financial organizations, ___________ is a nonprofit organization that was established in 1985 to identify factors that contributed to fraudulent financial reporting.
GAAP
COSO
IFRS
PCAOB
A merchant of an e-commerce Web site wants to accept credit cards as a form of payment. Which of the following must the merchant follow to ensure the safety of those payments?
GLBA
SOX
PCI DSS
FISMA
The Enron scandal and similar corporate scandals led to the creation of which of the following?
Gramm-Leach-Bliley Act
Securities and Exchange Commission
Sarbanes-Oxley Act
Public Company Accounting Oversight Board
Which of the following was enacted by Congress in response to growth in identity theft crime?
Gramm-Leach-Bliley Act (GLBA)
Federal Trade Commission (FTC)
Fair and Accurate Credit Transaction Act (FACTA) of 2003
Federal Reserve System
____________ was created by Congress to make health insurance portable.
HIPAA
CIPA
HITECH Act
FERPA
___________________ allows employees and their families to continue health coverage when they lose or change a job.
HITECH
Department of Health and Human Services (HHS)
HIPAA
COBRA
Which of the following was not one of the outcomes of the Enron scandal?
Investors started to significantly lose confidence in large public companies.
Public companies are required to file one comprehensive financial disclosure statement with the SEC.
The SEC began to require that the accuracy of financial statements be certified in a number of different ways.
The SEC began to require more information to be reported on its financial statements.
Which of the following is a true statement about the Court of Appeals?
It does not review the facts of a case or additional evidence.
Both A and B are correct.
Neither A nor B is correct.
It's a court of appellate jurisdiction.
What makes a distributed denial of service attack "distributed"?
It involves technological and physical systems to launch the attack.
It involves many IP addresses.
It attacks multiple systems.
It involves multiple systems to launch the attack.
Which of the following best defines a technology protection measure (TPM)?
It is technology that provides monitoring protocols that track a child's online activities.
It is technology that accepts Internet requests from clients, retrieves the pages, and serves them to the client.
It is any technology that can block or filter the objectionable content.
It is technology that offers age-verification protocols that restrict online access to adults.
Which of the following statements summarizes why the window of vulnerability is shrinking?
More people are interested in information security and have developed the skills to find new vulnerabilities.
There are also fewer people with the skills needed to create vulnerabilities.
People are not inclined to attack a vulnerability for financial gain.
People are getting better at enduring and recovering from exploits.
The ________________________ is also known as the Financial Services Modernization Act.
National Bank Act of 1864
Gramm-Leach-Bliley Act
Bank Holding Company Act of 1956
Bank Secrecy Act of 1970
Based on the descriptions given, what film does NOT exemplify the concept of social engineering?
Ocean's Eleven: A team of 11 men with various areas of expertise work together to rob $150,000,000 from a casino. In order for the plan to work, the men must gain access to sensitive security information about vaults, security cameras, and safeguards by gaining the trust of various people who work in the casino.
Paper Moon: A con man meets a recently orphaned nine-year-old girl and agrees to take her to live with her aunt, who lives very far away. On their way to her aunt's house, the girl sees that the con man routinely visits recently widowed women pretending to be a Bible salesman coming to collect money that the deceased husband owes for the fancy, personalized Bibles they allegedly purchased before dying. The widows are usually grief-stricken, and they agree to pay him after he earns their trust. On their journey, the girl joins the con and pretends to be his daughter, and they become a formidable duo.
The Sting: Two grifters create an elaborate plan to rob a mob boss of a substantial amount of money. The grifters' plan relies on understanding the personalities and gaining the trust of the mob boss and the people who surround him.
Office Space: Three friends and disgruntled coworkers at a tech company discover that the company's accounting system has a computer glitch that calculates certain financial information to six decimal points, but only records the first two decimal points in the accounting files and then regularly discards the remaining fractions of pennies. When the trio learns their jobs are in jeopardy, they create a computer program that diverts the discarded fractions of pennies into a bank account they share. They believe that the company will continue to pay them in installments small enough that the company will never notice but that will lead to a very large amount of money over time.
Which Gramm-Leach-Bliley Act rule requires federal bank regulatory agencies, the SEC, and the FTC to issue security standards for the institutions that they regulate? Pretexting Rule Privacy Rule Red Flags Rule Safeguards Rule
Which statement about privacy is NOT true? Privacy means that a person can specify the collection, use, and sharing of their data. Privacy means that a person has control over their personal data. Privacy is a simple term that describes a number of different but related concepts. Most traditional views on privacy include the belief that the government's power to interfere in the privacy of its citizens is limited.
The main goal of ______________ is to protect shareholders and investors from financial fraud. Public Company Accounting Oversight Board Gramm-Leach-Bliley Act Sarbanes-Oxley Act (SOX) Securities and Exchange Commission
The HIPAA ______________________ states how covered entities must protect the confidentiality, integrity, and availability of electronic personal health information. Red Flag Rule Security Rule Administrative Simplification Rule Privacy Rule
___________________ refers to applying safeguards designed to lower risks to a level deemed acceptable but without eliminating such risks. Risk avoidance Residual risk Risk mitigation Risk transfer
_______________ is the process of reviewing known vulnerabilities and threats. Risk mitigation Risk engineering Risk analysis Risk avoidance
Which of the following reports, which generally are shared only between the organizations that are doing business with one another, are used by auditors to assess the ICFR at one entity that does business with another entity? SOC-2 SOC-3 SOC-4 SOC-1
In what ways can you classify safeguards? Safeguards can only be classified based on how they act. Safeguards can be classified by how they work or how they act. There is no difference between how something works and how something acts. There is only one way to classify safeguards. Safeguards can only be classified based on how they work.
SOX ______________ requires CEOs and CFOs to certify a company's SEC reports. Section 302 Section 708 Section 906 Section 404
SOX ___________ imposes criminal liability for fraudulent financial certifications. Section 404 Section 708 Section 906 Section 302
SOX _________ requires a company's executive management to report on the effectiveness of the company's internal controls over financial reporting (ICFR). Section 708 Section 404 Section 302 Section 903
____________ is demonstrated by the processes and procedures that an organization uses to meet the law. Security An administrative procedure An audit Compliance
Which of the following is not a true statement? State constitutions are nearly identical versions of the U.S. Constitution. State governments existed before the federal government. The U.S. Constitution primarily describes the relationship between the federal government and the states. State constitutions primarily describe the relationship between a state and its citizens.
Which of the following SOX titles establishes rules to make sure that securities analysts can give independent opinions about a public company's stock risk? Studies and Reports (Title VII) Commission Resources and Authority (Title VI) Enhanced Financial Disclosures (Title IV) Analyst Conflicts of Interest (Title V)
_____________________ are tools that filter offensive content. Technology protection measures (TPM) Network databases Spam blockers Proxy servers
The state with some of the strictest patient privacy protections is: Texas Alabama Virginia California
To be COPPA-compliant, a privacy policy must provide "assurance that participation is not conditioned on data collection." Which of the following statements offers the best explanation of this criterion? This includes the name, mailing address, telephone number, and e-mail address of all operators collecting or using the information collected on the Web site. A Web site can't require children to submit contact details in order to be allowed to use the site. Web sites are not allowed to collect more information than necessary for a child to participate in an activity. The Web site must state whether collected information is shared with a third party. Web sites must state how the information will be used. It must be specific.
_______________ governs the prosecution of those charged with serious offenses against public order, such as murder. Tort law Civil law Administrative law Criminal law
A limited data set is PHI that doesn't contain any data that identifies a person. True or false?
True
A major privacy concern of social networking includes information sharing. True or false?
True
A material change is a significant change in an organization's operating practices. Material changes can affect how people understand their rights or interact with an organization. True or false?
True
An educational record includes any personal and education data on a student maintained by an educational agency or institution. True or false?
True
An employer can monitor computer or Internet use in a number of ways, including the following: by employing keystroke loggers to monitor keystrokes made in a certain period or the number of Web sites visited and by tracking how much time employees spend in software applications provided for work purposes to measure productivity. True or false?
True
Appellate jurisdiction is the power of a court to review a decision made by a lower court. True or false?
True
As defined by HIPAA, the term "covered entities" means: health care providers, health care clearinghouses, and health plans. True or false?
True
Confidential describes information that could cause damage to U.S. security if disclosed to an unauthorized person. This is the lowest data classification level. True or false?
True
Covered entities must keep records of how they disclose a person's PHI. Under the Privacy Rule, a person has the right to receive an accounting of how the covered entity has used or disclosed the person's PHI. True or false?
True
FERPA has four main requirements: Annual notification, access to education records, amendment of education records, and disclosure of education records. True or false?
True
FERPA requires schools to provide an annual notification to students and parents. This notice lets parents and eligible students know what their FERPA rights are. The annual notification also must state how to file a complaint with the Department of Education if the school violates any of FERPA's provisions. True or false?
True
Federal courts can hear only the following kinds of cases: 1) Disputes regarding federal laws or constitutional issues and 2) Disputes between residents of different states where the amount of money in controversy is greater than $75,000. True or false?
True
Health care operations are actions that support the covered entity's business. True or false?
True
Identity Theft Prevention Programs are required to detect, prevent, and mitigate identity theft in covered accounts. The written program must address both new and existing covered accounts. True or false?
True
In 1973, the U.S. Supreme Court decided that for material to be identified as "obscene," it must meet three conditions: 1) appeals predominantly to prurient interests—prurient indicates a morbid, degrading, and unhealthy interest in sex; 2) depicts or describes sexual conduct in a patently offensive way, and 3) lacks serious literary, artistic, political, or scientific value. True or false?
True
In the common law, courts decide cases by referring to established legal principles and the customs and values of society. They also look at decisions made in earlier cases to see if the cases are similar. If the cases are similar, a new case should reach a similar result. True or false?
True
In the federal system, intermediate appellate courts are called the U.S. Courts of Appeals. There are 13 Courts of Appeals. The 94 district courts are grouped into 12 geographical circuits. True or false?
True
Integrity means that information systems and their data are accurate. True or false?
True
Phishing, social engineering, shoulder surfing, and dumpster diving are all examples of people-based privacy concerns. True or false?
True
Physical safeguards are actions that an organization takes to protect its actual, tangible resources. They keep unauthorized individuals out of controlled areas. True or false?
True
Pretexting, which is also known as social engineering, is the act of trying to gain access to customer information without proper authority to do so. True or false?
True
SOC audits review the service organization's control activities related to the services that it provides to its customers. These audits review the IT controls on the outsourced service. A SOC audit helps a service organization show that it has proper safeguards in place to protect its customers' data. True or false?
True
SOX sections 302 and 906 were created in response to the Enron scandal. True or false?
True
Sometimes a vulnerability is exploited so soon after it is discovered that there is no time to apply a patch to the system quickly enough to prevent the data from being compromised. True or false?
True
The Drug Abuse Prevention, Treatment, and Rehabilitation Act of 1980 protects patient information about alcohol or drug abuse. This law applies to any federally assisted alcohol or drug abuse treatment program, and it states that these programs may not disclose patient information without consent. True or false?
True
The Electronic Communications Privacy Act prohibits employers from accessing an employee's personal e-mail account. True or false?
True
The Federal Financial Institutions Examination Council (FFIEC) promotes uniform practices among the federal financial institutions. Its purpose is to: 1) establish principles and standards for the examination of federal financial institutions; 2) develop a uniform reporting system for federal financial institutions; 3) conduct training for federal bank examiners; 4) make recommendations regarding bank supervision matters, and 5) encourage the adoption of uniform principles and standards by federal and state banks. True or false?
True
The Fourth Amendment protects federal employees from unreasonable government search and seizure. The federal government must provide employees with notice if it intends to monitor the electronic communications of its employees. True or false?
True
The Gramm-Leach-Bliley Act requires financial institutions to protect consumer financial information by complying with the Privacy Rule, the Safeguards Rule, and the Pretexting Rule. True or false?
True
The National Bank Act of 1864 established the national banking system in the United States. The Act still governs U.S. national banks even though Congress has updated it many times since 1864. True or false?
True
The PCI Council was formed in 2006 to create safeguards designed to protect credit card data. Any merchant or service provider who accepts credit cards must follow the safeguards. True or false?
True
The Privacy Rule forbids a covered entity from requiring a person to sign an authorization in order to receive health care treatment. The entity can't condition benefit eligibility on signing an authorization; this is so covered entities can't force people to sign authorizations under pressure by withholding needed care. True or false?
True
The Red Flags Rule doesn't permit a private right of action, which means that individuals can't sue financial institutions or creditors if they violate the Red Flags Rule. True or false?
True
The definition of Web site or online service includes standard Web sites, mobile apps, Internet gaming platforms, and advertising networks. True or false?
True
The penalties for failing to retain records for the right amount of time can be severe. SOX makes it a crime for a person or company to knowingly and willfully violate its records retention provisions. A person who violates this provision can face fines and up to 10 years in prison. True or false?
True
The primary purpose of CIPA is to protect minors from accessing offensive content on the Internet. Offensive content includes any visual depictions that are any of the following: obscene, child pornography, or harmful to minors. True or false?
True
The three conditions for defining obscenity are known as the Miller test. True or false?
True
How might the average person use cookies in a beneficial way? You read an interesting New York Times article, and you leave an opinion about it in the comments section. You play a computer-based video game. You publish a post on your blog. You save an image of a relaxing, cloud-filled sky that appears every time you log on to your Twitter account.
Which of the following must be protected per PCI DSS requirements? a print server for internal company use only a backup file server for a software testing department both B and C an e-commerce Web server
In the legal system, compliance is the action of following applicable laws and rules and regulations. Which of the following processes would not be used to demonstrate compliance: allowing employees in an organization to create policies for self-governance documents to comply with legal or regulatory requirements at the employees' discretion developing and implementing monitoring systems in computer systems to alert the organization if security measures required by law or regulation are compromised comparing compliance requirements against an organization's daily practices, and modifying those practices as needed creating training and awareness activities that educate employees about compliance requirements
In which of the following circumstances would a library need to disable a TPM? at the request of anyone over the age of 17 at the request of any school official at the request of a child with a document of written consent from his/her parent at the request of an adult to view content for research or other lawful purpose
All of the following are types of information included on a Form 10-K except: auditor's report financial statements explanation of how the company is organized and operates lists of employees and subcontractors
All of the following are eligibility requirements for the president of the United States except: both A and B must be a resident of the United States for at least 14 years at the time of election neither A nor B must be at least 35 years old
Regarding pre-existing conditions, HIPAA: both A and B neither A nor B only allows employer-provided health plans to look back six months for pre-existing conditions in most instances limits the amount of time health plans can require an individual to "sit out" of coverage to no more than 12 months
The __________________ framework of COSO refers to the identification and review of threats that are internal and external to the organization. control environment monitoring risk assessment control activities
A ______________ is some kind of wrongful act that harms or hurts a person. criminal act breach tort defamation
Which of the following is not one of the steps in the data life cycle? data collection data accounting data use data storage
All of the following are true statements about the American legal system except: decisions by each branch of government may be overturned by administrative agency courts each branch of government is subject to review by the other branches (balances) each branch has a separate sphere of authority (checks) defined by the U.S. Constitution
Schools may make the following type of disclosure without obtaining parental or student consent: disclosure of any information to any school official with a need to know disclosure to press for purposes of article promotion disclosure of grades or test scores disclosure of school disciplinary records
A covered entity doesn't have to account for every PHI disclosure that it makes. The Privacy Rule states that some kinds of disclosures don't have to be included in an accounting. Any disclosure not specifically excluded must be included and tracked. Which of the following disclosures does not need to be tracked? disclosures made to carry out treatment, payment, and health care activities disclosures to HHS for its compliance functions disclosures required by law disclosures required for public health activities
Stocks and bonds are called ___________. dividends profits assets securities
A single point of failure is a piece of hardware or application that is key to ________________________. ensuring that individuals with proper permission can use systems and retrieve data in a dependable manner the success of safeguards the functioning of the entire system specifying how long systems may be offline before an organization starts to lose money
The three branches of the federal government are: executive, legislative, and oversight executive, legislative, and congressional executive, legislative, and judicial congressional, senatorial, and executive
Because their employer is the government, public employees receive ___________ protections. few special no extra
Which of the following is not one of the events that trigger a Form 8-K disclosure requirement? filing for bankruptcy selling off significant assets getting a loan acquiring an inheritance
With respect to protected health information, HIPAA: forbids the creation of any state laws protecting health information prohibits state laws that are contrary to HIPAA requires state laws to mirror HIPAA rules is automatically the controlling law in the event of a conflict with a state law
A(n) _____________ is a formal request for a higher authority to review the decision of a lower court. holding appeal writ of certiorari pleading
SOX requires the SEC to review a public company's Form 10-K and Form 10-Q reports at least once every three years. It must do this to try to detect fraud and inaccurate financial statements that could harm the investing public. SOX states the factors that the SEC should consider when deciding to conduct a review. Which of the following is not one of the factors that SEC must consider? how long the company has been in existence whether a company has amended its financial reports the difference between a company's stock price and its earnings how much stock the company has issued
Which of the following parties is not among those who would share an individual's health information? insurance companies government agencies like Medicaid or Medicare treatment providers potential employers
What is a small string of text that a Web site stores on a user's computer? malware spyware adware cookie
Under FERPA, which of the following may be disclosed in a school directory without consent? name, address, and telephone number grades earned social security number student ID number
Audits are ___________ performed by independent organizations. never occasionally always seldom
FERPA applies to any education agencies or institutions that receive funding from the U.S. Department of Education (ED). Which of the following is not an educational agency or institution? non-profit organizations that offer educational programs primary and secondary schools vocational colleges community colleges
COPPA requires Web site operators collecting information from children to: obtain a signed acceptable use policy from children obtain a signed acceptable use policy from at least one parent review all parental permissions annually obtain parental consent
Which of the following is not one of the categories of vulnerabilities? people domain facility process
A ______________ is the official schedule of a court and the events in cases pending before a court. pleading service brief docket
A company's _______________________ provides a summary of the company's financial condition at a certain period. profit and loss statement prospectus balance sheet futures contract
Which of the following is not true about the Consolidated Omnibus Budget Reconciliation Act of 1986? requires former employers to continue paying health insurance premiums for a minimum of one year applies to health coverage offered by federal, state, and local governments covers employer-provided health plans that have 20 or more employees applies to both employees that leave voluntarily or are terminated
What are the four privacy torts that still exist today? right to privacy, reasonable person standard, fair information practice principles, and the Wiretap Act intrusion into seclusion, portrayal in a false light, appropriation of likeness or identity, and public disclosure of private facts in the U.S. Constitution, the First Amendment, Third Amendment, Fourth Amendment, and Fifth Amendment ECPA, Privacy Act, E-Government Act, and Patriot Act
What is the process of applying safeguards to avoid a negative impact? risk mitigation risk transfer risk avoidance risk analysis
All of the following are characteristics of HIPAA except: simplifies how health insurance is administered requires that employers offer health coverage used to fight health insurance fraud and eliminate waste protects the privacy and security of personally identifiable health information
A ____________________ is owned by many investors in the form of stock. sole proprietorship public company closed corporation privately held company
In January 2007, TJX disclosed that hackers had breached its credit card systems. The company reported that the attackers might have accessed credit card data going back to 2002. It reported that 45.7 million credit and debit card numbers might have been disclosed. At the time, the breach was believed to be the largest ever. Banks and customers sued TJX in connection with the breach. State governments also sued the company for failing to protect the credit card information of state residents. Given the nature of this breach, which federal agency opened an investigation? the Federal Reserve System the Federal Deposit Insurance Corporation the Consumer Financial Protection Bureau the Federal Trade Commission
The Federal Reserve reports directly to: the U.S. Congress the U.S. Supreme Court the Senate the president
Which of the following statements best captures the function of the Federal Trade Commission (FTC)? to promote consumer protection and eliminate practices that are harmful to competitive business to create the penalties for individuals and organizations that violate rules to make frequent reports to the president on its actions to be one of the most important regulatory authorities for consumer and some business practice issues
___________________ is used to assess the vulnerabilities and threats that could harm electronic protected health information (EPHI). workforce security security management processing risk analysis information access management