Priciples of Information Security 5th Edition - Chapter 3 Review Questions
What is a policy? How does it differ from a law?
A policy is a formalized body of expectations that describe acceptable and unacceptable employee behaviors in the workplace. The difference between a policy and a law is that ignorance of a policy is an acceptable defense.
What is due care? Why would an organization want to make sure it exercises due care in its usual course of operations?
An organization increases its liability if it refuses to take measures known as due care. Due care has been taken when an organization makes sure that every employee knows what is acceptable or unacceptable behavior, and knows the consequences of illegal or unethical actions. The more active a role an organization takes in observing the due care concept; the less likely it will be liable for its employees' illegal and/or unethical actions.
2. What is civil law and what does it accomplish?
Civil law comprises a wide variety of laws that govern a nation or state and deal with the relationships and conflicts between organizational entities and people.
3. What are the primary examples of public law?
Criminal, administrative, and constitutional law.
What is the best method for preventing an illegal or unethical activity?
Deterrence is the best method for preventing an illegal or unethical activity. In order for deterrence to be effective, those affected by the deterrence must, fear the penalty, have an expectation of detection/apprehension and expect that if apprehended, the penalty will be applied.
How does due diligence differ from due care? Why are both important?
Due diligence requires that an organization make a valid effort to protect others and continually maintain this level of effort. Due care has been taken when an organization makes sure that every employee knows what is acceptable or unacceptable behavior, and knows the consequences of illegal or unethical actions. They are both important because an organization not practicing both due diligence and due care increase their chance of being found liable should an incident occur.
What is intellectual property (IP)? Is it afforded the same protection in every country of the world? What laws currently protect it in the United States and Europe?
Executives working in firms covered by this law will seek assurance on the reliability and quality of information systems from senior information technology managers. In turn, IT managers will likely ask information security managers to verify the confidentiality and integrity of those same information systems in a process known in the industry as sub- certification.
What are the three general categories of unethical and illegal behavior?
Ignorance Accident Intent
What is privacy in an information security context?
Privacy is not absolute freedom from observation, but rather it is a more precise "state of being free from unsanctioned intrusion."
How do people from varying ethnic backgrounds differ in their views of computer ethics?
Some countries are more relaxed than others when dealing with intellectual property restrictions than others. Studies on ethics and computer use reveal that people of different nationalities have different perspectives' difficulties arise when one's nationality ethical behavior violates the ethics of another national group
Of the information security organizations listed that have codes of ethics, which has been established for the longest time? When was it founded?
The ACM, The Association of Computing Machinery was established in 1947 as "the world's first educational and scientific computing society."
Of the organizations listed that have a code of ethics, which is focused on auditing and control?
The Information Systems Audit and Control Association (ISACA).
4. Which law amended the Computer Fraud and Abuse Act of 1986, and what did it change?
The National Information Infrastructure Protection Act of 1996 amended the Computer Fraud and Abuse Act of 1986. It modified several sections of the CFAA and increased the penalties for selected crimes.
How has the PATRIOT Act been revised since its original passage?
The PATRIOT Act revision amendment made permanent 14 of the 16 expanded powers of the Department of Homeland Security and the FBI in investigating terrorist activity. The act also reset an expiration date written into the so-called sunset clause for certain types of wire taps under the Foreign Intelligence Surveillance Act of 1978 (FISA), and revised many of the criminal penalties and procedures associated with criminal and terrorist activities. In 2011, the PATRIOT Sunset Act provided another extension of certain provisions of the USA Patriot Act, specifically those related to wiretaps, searching of business records, and the surveillance of people with suspected ties to terrorism.
Which law was created specifically to deal with encryption policy in the United States?
The Security and Freedom Through Encryption Act of 1999 clarifies the use of encryption for people in the US and permits all persons in the U.S. to buy or sell any encryption product.
1. What is the difference between law and ethics?
The key difference between laws and ethics is that laws carry the authority of a governing body and ethics do not. Ethics, in turn, are based on cultural mores.
If you work for a financial service organization such as a bank or credit union, which law from 1999 affects your use of customer data? What impact does it have?
The law from 1999 that affects the use of customer data by financial institutions is the Financial Services Modernization Act or Gramm-Leach-Bliley Act of 1999. Specifically, this Act requires all financial institutions to disclose their privacy policies on the sharing of nonpublic personal information. It also requires due notice to customers, so that they can request that their information not be shared with third parties. Also, the act ensures that the privacy policies in effect in an organization are both fully disclosed when a customer initiates a business relationship and distributed at least annually for the duration of the professional association.
What is the primary purpose of the USA PATRIOT Act?
U.S.A. PATRIOT Act of 2001 modified existing laws to provide law enforcement agencies with broader latitude in order to combat terrorism-related activities.
What is another name for the Kennedy-Kassebaum Act (1996) and why is it important to organizations that are not in the health-care industry?
Another name is the The Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects the confidentiality and security of health-care data by establishing and, enforcing standards and by standardizing electronic data interchange. It impacts all health-care organizations including doctors' practices, health clinics, life insurers, and universities, as well as some organizations which have self-insured employee health programs or manage data related to health-care. Beyond the basic privacy guidelines, the act requires organizations that retain health-care information to use information security mechanisms to protect this information, as well as policies and procedures to maintain this security. It also requires a comprehensive assessment of the organization's information security systems, policies, and procedures. HIPAA provides guidelines for the use of electronic signatures based on security standards that ensure message integrity, user authentication, and nonrepudiation. There is no specification of particular security technologies for each of the security requirements, only that security must be implemented to ensure the privacy of health-care information. The privacy standards of HIPAA severely restrict the dissemination and distribution of private health information without documented consent. The standards provide patients with the right to know who has access to their information and who has accessed it. The standards also restrict the use of health information to the minimum necessary for the health-care services required.
What is intellectual property (IP)? Is it afforded the same protection in every country of the world? What laws currently protect it in the United States and Europe?
Intellectual property is recognized as a protected asset in the United States. The U.S. copyright laws extend this privilege to the published word, including electronic formats. Fair use of copyrighted materials includes their use to support news reporting, teaching, scholarship, and a number of other related activities, so long as the use is for educational or library purposes, not for profit, and is not excessive. As long as proper acknowledgment is provided to the original author of such works, including a proper description of the location of source materials (citation), and the work is not represented as one's own, it is entirely permissible to include portions of someone else's work as reference. U.S. Copyright law governs the protection of IP in the US. The Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS), created by the World Trade Organization (WTO), and negotiated over the years 1986-94, introduced intellectual property rules into the multilateral trade system. The Digital Millennium Copyright Act (DMCA) is the American contribution to an international effort by the World Intellectual Properties Organization (WIPO) to reduce the impact of copyright, trademark, and privacy infringement, especially when accomplished via the removal of technological copyright protection measures. This American law was created in response to the 1995 adoption of Directive 95/46/EC by the European Union, which added protection for individuals with regard to the processing of personal data and the use and movement of such data. The United Kingdom has also already implemented a version of this law called the Database Right, in order to comply with Directive 95/46/EC.
