True & False QZ06-QZ011


FISMA applies to both federal and state agencies.

False

Medical identity thieves exclusively consist of computer hackers or members of organized crime rings.

False

North Carolina law requires that notice be given in a "concrete and inconspicuous" form, which means that it can only be interpreted by legal counsel.

False

SOX Section 404 imposes criminal liability for fraudulent certifications. Under this section, CEOs and CFOs that knowingly certify fraudulent reports may be fined up to $1 million.

False

SOX requires companies to report accurate financial data. They must do this to protect their CEO and CFO from harm.

False

Substantial performance means that a party performs all material contract promises.

True

The Privacy Rule forbids a covered entity from requiring a person to sign an authorization in order to receive health care treatment. The entity can't condition benefit eligibility on signing an authorization; this is so covered entities can't force people to sign authorizations under pressure by withholding needed care.

True

Under the Privacy Act, a record is any information about a person that an agency maintains. It includes a person's educational, financial, medical, and criminal history information. The act requires agencies to keep accurate and complete records. It also states that an agency should store only the data that it needs to conduct business. It shouldn't store any extra or unnecessary data.

True

An infringer is a person who owns a patent but doesn't intend to make, use, or sell the invention. The term refers to a person who is overly aggressive and opportunistic.

False

An oral contract is not as enforceable as a contract that is written down.

False

Any time a covered entity discloses PHI, it must follow the maximum necessary rule. The amount disclosed must be able to satisfy the reason why the information is being used or disclosed and any other pertinent information.

False

California's Database Security Breach Notification Act law requires entities to notify California residents whenever a security breach occurs without any delays in notification if they reasonably believe that a breach has occurred.

False

Covered entities must train only their full-time employees on the Privacy Rule and its privacy policies and procedures.

False

Even if a person is intoxicated, as long as he or she is over the age of 18 and mentally competent, then the person has contractual capacity in all cases.

False

Form 10-Q quarterly report is a very detailed disclosure of a company's financial condition.

False

In February 2014, the Obama administration passed a federal breach notification Law, which was created in response to the Target Corporation credit card breach in late 2013.

False

In certain circumstances, courts will enforce illegal contracts.

False

In the Federal Information Processing Standards (FIPS) created by NIST, there is one over-arching security category—high—wherein the loss of confidentiality, integrity, or availability has a severe or catastrophic adverse effect on the agency, its information assets, or people. A high impact event results in major damage to assets.

False

It is not considered copyright infringement to duplicate another person's content on your own Web page as long as you acknowledge their work by posting the URL of their Web page.

False

The COSO Framework specifically states that all organizations should follow the Guide to Assessment of IT Risk (GAIT).

False

The Enron scandal proved that self-regulation has only benefits and little to no drawbacks, as evidenced by the role of their accounting firm, Arthur Andersen.

False

The SEC has five commissioners. The U.S. President must appoint them. They serve for five-year terms. All five commissioners can belong to the same political party.

False

A patent application contains the following basic parts: specifications, drawing, oath, and filing fees.

True

According to California law, entities don't need to give notice of a breach if the personal information in their computer system was encrypted; thus, they are granted safe harbor.

True

Although California law doesn't assess any penalties against an entity that doesn't follow the notification law, it does permit a person a private cause of action against those entities. People can sue the private entity for any damages they have because they didn't receive notification in a timely manner.

True

An inspector general (IG) is an official who reviews the actions of a federal agency. An IG examines the agency's activities to make sure that it's operating efficiently and following good governance practices.

True

As defined by HIPAA, the term "covered entities" means: health care providers, health care clearinghouses, and health plans.

True

Because Congress can't usually interfere in state matters, it can't create a uniform federal law in areas legislated by the states unless there's a compelling reason to do so. Thus, there is no existing federal law on information security.

True

Certain contracts that are not enforceable because of public policy reasons can include contracts that reduce commercial competition and contracts to commit a crime or other wrongdoing.

True

Congress hoped that the Sarbanes-Oxley Act of 2002 (SOX) reforms would prevent another Enron scandal. The main goal of SOX is to protect shareholders and investors from financial fraud. SOX increased corporate disclosure requirements.

True

Copyright owners allow others to use their copyrighted material by using a special kind of contract called a license.

True

Covered entities must keep records of how they disclose a person's PHI. Under the Privacy Rule, a person has the right to receive an accounting of how the covered entity has used or disclosed the person's PHI.

True

FISMA merges a number of different laws. All of these laws address different information security issues. Because no one law was comprehensive, Congress heard many reports that information security efforts at the federal level were not effective. Congress intended FISMA to be a strong law to fix this problem.

True

Health care operations are actions that support the covered entity's business.

True

In 1987, Congress passed the Computer Security Act (CSA). This was the first law to address federal computer security. Under the CSA, every federal agency had to inventory its IT systems. Agencies also had to create security plans for those systems and review their plans every year.

True

In 1992, COSO issued guidance on internal controls. The COSO framework says that internal controls are effective when they give the management of a company reasonable assurance that: 1) It understands how the entity's operational objectives are being achieved; 2) Its published financial statements are being prepared reliably; and 3) It's complying with applicable laws and regulations.

True

In general, a covered entity may disclose PHI to certain governmental entities without consent for certain purposes that include, but are not limited to, the following: to provide vital statistics, to control communicable diseases, and to report abuse and neglect.

True

In the context of property law, a person is a real person or other legal entity, which includes corporations, businesses, private organizations, and governments.

True

NIST created a FISMA Implementation Project to help it meet its FISMA duties. The project helped it create FISMA-related standards and guidelines in a timely manner. The project had two phases. In the first phase, NIST developed standards and guidelines to help agencies meet basic FISMA requirements. The documents developed in this phase helped agencies create their information security programs.

True

One of the main functions of the PCAOB is to set standards for how auditors review public companies. It has created standards related to auditing, ethics, independence, and quality control.

True

Public companies are required to file a number of financial disclosure statements with the SEC. These forms help investors understand the financial stability of a company. The most commonly filed forms are: 1) Form 10-K—Annual report, 2) Form 10-Q—Quarterly report, and 3) Form 8-K—Current report.

True

Some states require entities doing business within the state to follow basic information security practices, while other states are more aggressive and require entities to use specific security practices, such as encryption.

True

The ChoicePoint data breach is unique because if it weren't for the California breach notification law, ChoicePoint might not have notified any consumers at all about the data breach. Other states, such as Illinois, realized that their residents might not be able to protect themselves from identity theft in similar situations without these laws. Thirty-five states considered breach notification laws in 2005, and the ChoicePoint case is widely seen as the reason why other states have these laws.

True

The following is an example of an incidental disclosure: a customer at a pharmacy hears the pharmacist quietly discussing a medication with another customer.

True

The law states that fair use of a copyrighted work isn't copyright infringement, and that fair use is permitted in the following situations in order to promote free speech: criticism, news reporting, and teaching (including multiple copies for classroom use).

True

The reason why a trademark must be used in interstate commerce in order to be federally registered is that the federal government can regulate interstate commerce only under its Commerce Clause authority.

True

The rules stated in the Gramm-Leach-Bliley Act (GLBA) require that entities engaged in certain kinds of financial transactions need to follow privacy and information security rules that are designed to protect customers' personal information.

True

The term cyberwar specifically refers to conflicts between nations and their militaries. This is the main distinction between cyberwar and other types of information system attacks that are reported in the news media.

True

Though it is not a law, businesses that wish to accept credit cards for payment must follow the PCI DSS, which is enforced by major credit companies like Visa and MasterCard.

True

To establish a trade secret, the information that's to be protected must meet the following criteria: have value; be unknown; be unascertainable; and be protected.

True

Under the Privacy Rule, there are only two situations in which a covered entity must disclose PHI: 1) when a person requests access to his or her PHI, and 2) when a person requests that their PHI be sent directly to a third party.

True
