Quiz 15 - US Compliance Laws
Taylor is a security professional working for a retail organization. She is hiring a firm to conduct the Payment Card Industry Data Security Standard (PCI DSS) required quarterly vulnerability scans. What credential should she seek in a vendor?
Approved scanning vendor (ASV)
Federal agencies are required to name a senior official in charge of information security. What title is normally given to these individuals?
Chief information security officer (CISO)
Betty visits a local library with her young children. She notices that someone using a computer terminal in the library is visiting pornographic websites. What law requires that the library filter offensive web content for minors?
Children's Internet Protection Act (CIPA)
Alan withdraws cash from an ATM belonging to Bank X that is coming from his account with Bank Y. What is Alan's relationship with Bank X?
Consumer
Under the Gramm-Leach-Bliley Act (GLBA), a customer is any person who gets a consumer financial product or service from a financial institution.
False. A consumer is any person who gets a consumer financial product or service from a financial institution. A customer is a consumer who has a continuing relationship with the institution.
The Family Educational Rights and Privacy Act (FERPA) requires that specific information security controls be implemented to protect student records.
False. FERPA doesn't require that specific information security controls be implemented to protect student records.
Federal agencies fall under the legislative branch of the U.S. government.
False. Federal agencies fall under the executive branch of the U.S. government.
The Gramm-Leach-Bliley Act (GLBA) applies to the financial activities of both consumers and privately held companies.
False. Gramm-Leach-Bliley Act (GLBA) | A U.S. federal law requiring banking and financial institutions to protect customers' private data and have proper security controls in place.
Privacy is the process used to keep data private.
False. Information security is the process used to keep data private.
The Centers for Medicare & Medicaid Services (CMS) investigates and responds to complaints from people who claim that a covered entity has violated the Health Insurance Portability and Accountability Act (HIPAA).
False. Office for Civil Rights (OCR) investigates and responds to complaints from people who claim that a covered entity has violated the Health Insurance Portability and Accountability Act (HIPAA).
Sarbanes-Oxley Act (SOX) Section 404 compliance requirements are highly specific.
False. SOX Section 404 compliance isn't easy. Section 404 is very general about the types of ICFR that companies must implement. It doesn't give a good definition for ICFR generally. It doesn't address IT controls at all. In 2007, the SEC issued additional guidance to help companies assess ICFR during their Section 404 review. It did this in response to many complaints about the large scope of a Section 404 review.
The main goal of the Gramm-Leach-Bliley Act (GLBA) is to protect investors from financial fraud.
False. U.S. federal law requiring banking and financial institutions to protect customers' private data and have proper security controls in place.
Under the Health Insurance Portability and Accountability Act (HIPAA), a security incident is any impermissible use or disclosure of unsecured PHI that harms its security or privacy.
False. Under HIPAA, a breach is any impermissible use or disclosure of unsecured PHI that harms its security or privacy.
Special Publications (SPs) are standards created by the National Institute of Standards and Technology (NIST).
False. Special Publications are guidelines
What entity is responsible for overseeing compliance with Family Educational Rights and Privacy Act (FERPA)?
Family Policy Compliance Office (FPCO)
Which of the following agencies is NOT involved in the Gramm-Leach-Bliley Act (GLBA) oversight process?
Federal Communications Commission (FCC)
Erin is a system administrator for a federal government agency. What law contains guidance on how she may operate a federal information system?
Federal Information Security Management Act (FISMA)
Vincent recently went to work for a hospital system. He is reading about various regulations that apply to his new industry. What law applies specifically to health records?
Health Insurance Portability and Accountability Act (HIPAA)
Tim is implementing a set of controls designed to ensure that financial reports, records, and data are accurately maintained. What information security goal is Tim attempting to achieve?
Integrity
What federal government agency is charged with the responsibility of creating information security standards and guidelines for use within the federal government and more broadly across industries?
National Institute of Standards and Technology (NIST)
What type of organizations are required to comply with the Sarbanes-Oxley (SOX) Act?
Publicly traded companies
Under the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, what type of safeguards must be implemented by all covered entities, regardless of the circumstances?
Required
Which of the following is NOT one of the rights afforded to students (or the parents of a minor student) under the Family Educational Rights and Privacy Act (FERPA)?
Right to delete unwanted information from records
Taylor is preparing to submit her company's Payment Card Industry Data Security Standard (PCI DSS) self-assessment questionnaire. The company uses a payment application that is connected to the Internet but does not conduct e-commerce. What self-assessment questionnaire (SAQ) should she use?
SAQ C
Bobbi recently discovered that an email program used within her health care practice was sending sensitive medical information to patients without using encryption. She immediately corrected the problem because it violated the company's security policy and standard rules. What level of the Health Insurance Portability and Accountability Act (HIPAA) violation likely took place?
Tier A
Which of the following items would generally NOT be considered personally identifiable information (PII)?
Trade secret
Compliance not only includes the actual state of being compliant, but it also includes the steps and processes taken to become compliant.
True.
Information systems security is about ensuring the confidentiality, integrity, and availability of IT infrastructures and the systems they comprise.
True.
Sarbanes-Oxley Act (SOX) Section 404 requires an organization's executive officers to establish, maintain, review, and report on the effectiveness of the company's internal controls over financial reporting (ICFR).
True.
Howard is leading a project to commission a new information system that will be used by a federal government agency. He is working with senior officials to document and accept the risk of operation prior to allowing use. What step of the risk management framework is Howard completing?
Authorize the IT system for processing.
Joe is the CEO of a company that handles medical billing for several regional hospital systems. How would Joe's company be classified under the Health Insurance Portability and Accountability Act (HIPAA)?
Business associate of a covered entity
Alan withdraws cash from an ATM belonging to Bank X that is coming from his account with Bank Y. What is Alan's relationship with Bank Y?
Consumer
The Payment Card Industry (PCI) Council has only one priority: to assist merchants and financial institutions in understanding and implementing standards for security policies, technologies, and ongoing processes that protect their payment systems from breaches and theft of cardholder data.
False. The PCI Council has two major priorities. Priority number one is to assist merchants and financial institutions in understanding and implementing standards for security policies, technologies, and ongoing processes that protect their payment systems from breaches and theft of cardholder data. Its second priority is to help vendors understand and implement the PCI standards and requirements for ensuring secure payment solutions are properly implemented.
Alison retrieved data from a company database containing personal information on customers. When she looks at the SSN field, she sees values that look like this: "XXX-XX-9142." What has happened to these records?
Masking
Protected health information (PHI) is any individually identifiable information about a person's health.
True.
The Federal Financial Institutions Examination Council (FFIEC) developed the Cybersecurity Assessment Tool, which can be used as a self-assessment tool for identifying a bank or financial institution's cybersecurity maturity.
True.
The Federal Information Security Management Act (FISMA) of 2014 defines the roles, responsibilities, accountabilities, requirements, and practices that are needed to fully implement FISMA security controls and requirements.
True.
The Federal Trade Commission (FTC) Safeguards Rule requires a financial institution to create a written information security program that must state how the institution collects and uses customer data.
True.
Under Securities and Exchange Commission (SEC) rules, internal controls over financial reporting (ICFR) are processes that provide reasonable assurance that an organization's financial reports are reliable.
True.
Under the Federal Information Security Management Act (FISMA), all federal agencies must report security incidents to the U.S. Computer Emergency Readiness Team (US-CERT).
True.