ITN 267 Final Exam


disclosures made to carry out treatment, payment, and health care operations

A covered entity doesn't have to account for every PHI disclosure that it makes. The Privacy Rule states that some kinds of disclosures don't have to be included in an accounting. Any disclosure not specifically excluded must be included and tracked. Which of the following disclosures does not need to be tracked?

Admissible Evidence

A judge or jury can consider only _______________ evidence when deciding cases

computer forensic examiner certifications

CCE, CCFE, CFCE, and GCFA are all examples of:

When performing computer forensics, what is a potential source of digital evidence?

Cell Phone

Intentional torts - Intentional torts most often occur when the defendant intended to commit the tort. Most torts involving _______________________ are intentional torts.

Computers and cyberspace

Federal Information Security Management Act (FISMA)

Congress created the _____________ in response to the September 11, 2001, terrorist attacks.

PATRIOT Act - The federal government uses the PATRIOT Act to prosecute many different computer crimes, as when it charged a 20-year-old University of Tennessee student with unauthorized e-mail access. In late 2008, the student accessed vice presidential candidate Sarah Palin's personal Yahoo! e-mail account. The student then posted her e-mail messages online.

FALSE

There's a growing trend in states such as California and North Carolina to specify the types of information that should be included in a breach notice. Such content should be sure to fit the following criteria: describe the incident in general terms; describe the type of personal information that was involved in the breach; describe how the entity is going to protect the personal information from additional unauthorized access; and advise the person being notified to review his or her account statements and purchase access to his or her credit report from a recommended list of vendors.

FALSE

Which doctrine prevents the government from using illegally gathered evidence at a criminal trial?

Fruit of the Poisonous Tree

Under SEC rules, internal controls over financial reporting (ICFR) are processes that provide reasonable assurance that financial reports are reliable. Which of the following is NOT assured by the ICFR?

IT controls that contain financial data are maintained

Digital Millennium Copyright Act

In 1998, Congress passed the _________________________. This law helps protect copyrights in the multimedia world. It also contains provisions that help insulate Internet service providers from the actions of their customers.

Which of the following is not an exception to the Fourth Amendment's search warrant requirement?

Interference

It attempts to regulate businesses outside of Massachusetts by requiring businesses to encrypt the personal data of Massachusetts residents

Massachusetts' "Standards for the Protection of Personal Information of Residents of the Commonwealth" was released in September 2008 and is known for being "unique" in terms of its data protection standard. Which of the following statements best captures that uniqueness?

protected health information (PHI)

PHI refers to:

intellectual property

Patents, trademarks, and copyrights are all types of _________________.

Locard's exchange principle

People leave trace evidence whenever they interact with other people and with their surroundings

SOX section 302

SOX ______________ requires CEOs and CFOs to certify a company's SEC reports

According to California law, entities don't need to give notice of a breach if the personal information in their computer system was encrypted; thus they are granted safe harbor.

TRUE

Although California law doesn't assess any penalties against an entity that doesn't follow the notification law, it does permit a person a private cause of action against those entities. People can sue the private entity for any damages they have because they didn't receive notification in a timely manner.

TRUE

Gramm-Leach-Bliley Act (GLBA) - The rules stated in the Gramm-Leach-Bliley Act (GLBA) require that entities engaged in certain kinds of financial transactions follow privacy and information security rules that are designed to protect customers' personal information.

TRUE

In general, many states criminalize the same behavior that federal cybercrime laws address

TRUE

guilt beyond a reasonable doubt - If a criminal case goes to trial, the government must prove the defendant's guilt beyond a reasonable doubt. Though "beyond a reasonable doubt" doesn't mean that a juror must be 100 percent convinced of the defendant's guilt, it does mean that a juror must be fully satisfied that the prosecution has eliminated any reasonable doubt about the defendant's guilt.

TRUE

The Privacy Rule

The HIPAA _________________ dictates how covered entities must protect the privacy of personal health information

three

The U.S. Securities and Exchange Commission reviews a public company's Form 10-K at least once every ____________ years

Identity Theft and Assumption Deterrence Act

The _______________ makes identity theft a federal crime.


Cybersquatting

The bad faith registration of a domain name that's a registered trademark or trade name of another entity is referred to as


Which of the following is not a reason an examiner might reject a trademark?

The proposed trademark may disparage or falsely suggest a connection with persons who have been dead less than 100 years

Daubert

What is a test for measuring the reliability of a scientific methodology?

Computer Security Act (CSA)

What was the first federal law to address federal computer security?

California

What was the first state to have a breach notification law?

Sixth

Which amendment to the U.S. Constitution guarantees defendants a speedy trial?

HIPAA regulates discrimination based on health history while COBRA ensures health coverage continues

Which of the following is true about COBRA and HIPAA?

States have different laws about what constitutes a breach.

Which of the following statements summarizes why a breach notification is hard for entities?

Public companies are required to file one comprehensive financial disclosure statement with the SEC.

Which of the following was not one of the outcomes of the Enron scandal?

Form 8-K disclosure requirement

acquiring an inheritance

Which of the following is not one of the steps in NIST "SP 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach," which NIST uses to define a risk management framework (RMF) approach to FISMA compliance?

monitor security controls only when necessary

best evidence rule

Requires that the original documents be used at trial.

HIPAA "Health Insurance Portability and Accountability Act"

- Before ____________________, many workers experienced "job lock" and were afraid that they would lose health care benefits if they changed jobs.
- ____________________ was created by Congress to make health insurance portable.
- ___________________ forbids a new employer's health plan from denying health coverage for some reasons and prohibits discrimination against workers based on certain conditions such as pregnancy.

State Courts, Federal Courts, International laws

- Federal courts can hear only the following kinds of cases: 1) disputes regarding federal laws or constitutional issues and 2) disputes between residents of different states where the amount of money in controversy is greater than $75,000. (TRUE)
- The Supreme Court has exclusive original jurisdiction to decide cases about disputes between state governments and exercises this original jurisdiction with frequency. (FALSE)
- The U.S. Supreme Court is the final source of authority for issues involving U.S. federal laws. (TRUE)

OMB

In May 2007, the _________________________________ required all federal agencies to create a breach notification plan. This instruction was issued in response to a large data breach at the Department of Veterans Affairs.

Computer Fraud and Abuse Act

- In a situation where phishing attackers attempt to steal personal information, which of the following federal acts can be used to prosecute such a crime?
- What is the first piece of federal legislation that identified computer crimes as distinct offenses?

"SOX" - Sarbanes-Oxley Act

- The Enron scandal and similar corporate scandals led to the creation of which of the following?
- The main goal of ______________ is to protect shareholders and investors from financial fraud.

Office of Foreign Assets Control (OFAC)

The ________________ enforces trade sanctions and embargoes and prohibits trade with certain people in other countries.

California Database Security Breach Notification Act

- The _____________________ was created after a security breach at a state-operated data facility.
- The purpose of the _________________ was to give state residents timely information about a breach so that they can protect themselves.

Patents

- Which of the following has the longest period of protection?
- Unlike ______________, trade secrets aren't registered. A person or business doesn't have to meet any registration or procedural formalities for protection.

internal controls over financial reporting (ICFR)

_______________ are the processes and procedures that a company uses to provide reasonable assurance that its financial reports are reliable.

After the ChoicePoint breach, 46 states, including the District of Columbia, created breach notification laws. Although most states used the California law as a model, there are some differences. Which of the following is not one of the differences?

maximum requirements for encryption

E-Government Act of 2002

Under the ____________________, federal agencies must 1) review their IT systems for privacy risks; 2) post privacy policies on their Web sites; 3) post machine-readable privacy policies on their Web sites; and 4) report privacy activities to the OMB.

COBRA benefits

18 months

Trade Secrets

A ______________ protects the formulas, processes, methods, and information that give a business a competitive edge

balance sheet

A company's _______________________ provides a summary of the company's financial condition at a certain point in time.

Property Interest

A legal owner of property has the right to use that property in any way he or she wants to, and the power to give those rights to another. This is called _____________.

it must be distinctive

A trademark has two criteria: 1) it must be used in interstate commerce and 2) _____________________

Federal Rules of Evidence

At the federal level, what is the name of the main guidance regarding the submission of evidence at trial?

California's Database Security Breach Notification Act law requires entities to notify California residents whenever a security breach occurs without any delays in notification if they reasonably believe that a breach has occurred.

FALSE

The Public Company Accounting Oversight Board - The Public Company Accounting Oversight Board has five members. The SEC selects these members and appoints them to staggered terms. All members must be CPAs.

FALSE

National Institute of Standards and Technology (NIST)

FISMA requires the Department of Commerce to create information security standards and guidelines. To which of the following organizations did the Department of Commerce delegate this responsibility?

The primary goal of computer forensics is to:

Find evidence that helps investigators analyze an event or incident

SOX section 906

SOX _______________ imposes criminal liability for fraudulent financial certifications

how long the company has been in existence

SOX requires the SEC to review a public company's Form 10-K and Form 10-Q reports at least once every three years. It must do this to try to detect fraud and inaccurate financial statements that could harm the investing public. SOX states the factors that the SEC should consider when deciding to conduct a review. Which of the following is not one of the factors that SEC must consider?

Arraignment - Once a grand jury returns an indictment, the next step in the criminal process is the arraignment. At this hearing, the court informs the defendant about the charges and advises the defendant about his or her legal and constitutional rights.

TRUE

Because Congress can't usually interfere in state matters, it can't create a uniform federal law in areas legislated by the states unless there's a compelling reason to do so. Thus, there is no single comprehensive federal law on information security.

TRUE

Tortious conduct - Tortious conduct is wrongful conduct that is unreasonable given the situation.

TRUE

Security Rule

The HIPAA ______________________ states how covered entities must protect the confidentiality, integrity, and availability of electronic protected health information (ePHI).

mens rea, actus reus, causation

To prove a crime has been committed, a government must prove which of the following?

safe harbor

What is a legal concept, written into the law, that protects an entity from legal liability? Under this concept, entities that encrypt the personal information they own or maintain do not have to follow breach notification requirements if they have a data breach.

Volatile

What is the name of data that is stored in memory?


student ID

Which of the follow does not count as personal information, as designated by California's Database Security Breach Notification Act?

Analyst Conflicts of Interest (Title V)

Which of the following SOX titles establishes rules to make sure that securities analysts can give independent opinions about a public company's stock risk?

Export Administration Regulations (EAR) and International Traffic in Arms Regulations (ITAR)

Which of the following are types of export control regulations?

what the greatest economic advantage will be to the national market as it relates to the area under consideration

Which of the following conditions is not taken under consideration by Congress when determining if an area is ripe for federal legislation?

requires former employers to continue paying health insurance premiums for a minimum of one year

Which of the following is not true about the Consolidated Omnibus Budget Reconciliation Act of 1986?

potential employers

Which of the following parties is not among those who would share an individual's health information?

SOC-1

Which of the following reports, which generally are shared only between the organizations that are doing business with one another, are used by auditors to assess the ICFR at one entity that does business with another entity?

Trademark

_____________ are used to protect words, logos, and symbols that identify a product or service.

Tort

_______________ law uses the reasonable person standard to determine whether a person acted appropriately

Design

_______________ patents protect the visual appearance of a product

Strict liability

_________________ means that an inventor can hold an infringer liable for violating a patent even if the infringer acted unwittingly

Export control regulations

__________________ restrict the transmission of certain types of information to non-U.S. citizens or non-permanent residents who are located in the United States.


Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM)

_______________________ covers unsolicited commercial e-mail messages and requires commercial e-mail senders to meet certain requirements

Subordinate plans

__________________________ must be in place for securing networks, facilities, and systems or groups of IT systems. They are intended for technologies or system components that are a part of the larger information security program.

Utility

__________________________ patents are used for inventions and discoveries related to machines, manufactured products, processes, and compositions of matter.

FISMA requires federal agencies to secure national security systems using a risk-based approach, but this does not apply to ________________ information.

classified

Which of the following is not one of the federal information security challenges the federal CIO spoke of at the House of Representatives subcommittee meeting in March 2010?

the culture within the federal government of not complying with reporting requirements
