Fundamental Information Security Chapter 15: U.S. Compliance Laws
Betty visits a local library with her young children. She notices that someone using a computer terminal in the library is visiting pornographic websites. What law requires that the library filter offensive web content for minors? Children's Online Privacy Protection Act (COPPA) Sarbanes-Oxley Act (SOX) Family Educational Rights and Privacy Act (FERPA) Children's Internet Protection Act (CIPA)
Children's Internet Protection Act (CIPA)
Alan withdraws cash from an ATM belonging to Bank X that is coming from his account with Bank Y. What is Alan's relationship with Bank Y? Customer Covered entity Business associate Consumer
Customer
Privacy is the process used to keep data private. True False
False
Sarbanes-Oxley Act (SOX) Section 404 compliance requirements are highly specific. True False
False
Special Publications (SPs) are standards created by the National Institute of Standards and Technology (NIST). True False
False
The Family Educational Rights and Privacy Act (FERPA) requires that specific information security controls be implemented to protect student records. True False
False
The Gramm-Leach-Bliley Act (GLBA) applies to the financial activities of both consumers and privately held companies. True False
False
Under the Gramm-Leach-Bliley Act (GLBA), a customer is any person who gets a consumer financial product or service from a financial institution. True False
False
Under the Health Insurance Portability and Accountability Act (HIPAA), a security incident is any impermissible use or disclosure of unsecured PHI that harms its security or privacy. True False
False
What entity is responsible for overseeing compliance with Family Educational Rights and Privacy Act (FERPA)? Family Policy Compliance Office (FPCO) Department of Defense (DOD) Federal Communications Commission (FCC) Federal Trade Commission (FTC)
Family Policy Compliance Office (FPCO)
Which of the following agencies is NOT involved in the Gramm-Leach-Bliley Act (GLBA) oversight process? Securities and Exchange Commission (SEC) Federal Trade Commission (FTC) Federal Deposit Insurance Corporation (FDIC) Federal Communications Commission (FCC)
Federal Communications Commission (FCC)
Erin is a system administrator for a federal government agency. What law contains guidance on how she may operate a federal information system? Family Educational Rights and Privacy Act (FERPA) Federal Information Security Management Act (FISMA) Gramm-Leach-Bliley Act (GLBA) Sarbanes-Oxley (SOX) Act
Federal Information Security Management Act (FISMA)
Vincent recently went to work for a hospital system. He is reading about various regulations that apply to his new industry. What law applies specifically to health records? Health Insurance Portability and Accountability Act (HIPAA) Sarbanes-Oxley (SOX) Act Payment Card Industry Data Security Standard (PCI DSS) Gramm-Leach-Bliley Act (GLBA)
Health Insurance Portability and Accountability Act (HIPAA)
Tim is implementing a set of controls designed to ensure that financial reports, records, and data are accurately maintained. What information security goal is Tim attempting to achieve? Integrity Accountability Availability Confidentiality
Integrity
Alison retrieved data from a company database containing personal information on customers. When she looks at the SSN field, she sees values that look like this: "XXX-XX-9142." What has happened to these records? Encryption Truncation Hashing Masking
Masking
Which of the following items would generally NOT be considered personally identifiable information (PII)? Name Driver's license number Trade secret Social Security number
Trade secret
The main goal of the Gramm-Leach-Bliley Act (GLBA) is to protect investors from financial fraud. True False
False
What federal government agency is charged with the responsibility of creating information security standards and guidelines for use within the federal government and more broadly across industries? National Security Administration (NSA) National Institute of Standards and Technology (NIST) Department of Defense (DoD) Federal Communications Commission (FCC)
National Institute of Standards and Technology (NIST)
What type of organizations are required to comply with the Sarbanes-Oxley (SOX) Act? Non-profit organizations Publicly traded companies Government agencies Privately held companies
Publicly traded companies
The Federal Information Security Management Act (FISMA) of 2014 defines the roles, responsibilities, accountabilities, requirements, and practices that are needed to fully implement FISMA security controls and requirements. True False
True
Alan withdraws cash from an ATM belonging to Bank X that is coming from his account with Bank Y. What is Alan's relationship with Bank X? Owner Covered entity Business associate Consumer
Consumer
Taylor is a security professional working for a retail organization. She is hiring a firm to conduct the Payment Card Industry Data Security Standard (PCI DSS) required quarterly vulnerability scans. What credential should she seek in a vendor? Qualified security assessor (QSA) Self-assessment vendor (SAV) Approved scanning vendor (ASV) Independent Scanning Assessor (ISA)
Approved scanning vendor (ASV)
Howard is leading a project to commission a new information system that will be used by a federal government agency. He is working with senior officials to document and accept the risk of operation prior to allowing use. What step of the risk management framework is Howard completing? Implement security controls in IT systems. Assess security controls for effectiveness. Authorize the IT system for processing. Continuously monitor security controls.
Authorize the IT system for processing.
Joe is the CEO of a company that handles medical billing for several regional hospital systems. How would Joe's company be classified under the Health Insurance Portability and Accountability Act (HIPAA)? Covered entity as a health plan Covered entity as a healthcare clearinghouse Covered entity as a provider Business associate of a covered entity
Business associate of a covered entity
Federal agencies are required to name a senior official in charge of information security. What title is normally given to these individuals? Chief information officer (CIO) Chief technology officer (CTO) Chief information security officer (CISO) Chief financial officer (CFO)
Chief information security officer (CISO)
The Centers for Medicare & Medicaid Services (CMS) investigates and responds to complaints from people who claim that a covered entity has violated the Health Insurance Portability and Accountability Act (HIPAA). True False
False
The Payment Card Industry (PCI) Council has only one priority: to assist merchants and financial institutions in understanding and implementing standards for security policies, technologies, and ongoing processes that protect their payment systems from breaches and theft of cardholder data. True False
False
Under the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, what type of safeguards must be implemented by all covered entities, regardless of the circumstances? Addressable Standard Security Required
Required
Taylor is preparing to submit her company's Payment Card Industry Data Security Standard (PCI DSS) self-assessment questionnaire. The company uses a payment application that is connected to the Internet but does not conduct e-commerce. What self-assessment questionnaire (SAQ) should she use? SAQ A SAQ B SAQ C SAQ D
SAQ C
Bobbi recently discovered that an email program used within her healthcare practice was sending sensitive medical information to patients without using encryption. She immediately corrected the problem because it violated the company's security policy and standard rules. What level of the Health Insurance Portability and Accountability Act (HIPAA) violation likely took place? Tier A Tier B Tier C Tier D
Tier A
Compliance not only includes the actual state of being compliant, but it also includes the steps and processes taken to become compliant. True False
True
Information systems security is about ensuring the confidentiality, integrity, and availability of IT infrastructures and the systems they comprise. True False
True
Sarbanes-Oxley Act (SOX) Section 404 requires an organization's executive officers to establish, maintain, review, and report on the effectiveness of the company's internal controls over financial reporting (ICFR). True False
True