ITC 4600 Quiz #2

Ace your homework & exams now with Quizwiz!

One of the first attempts to protect federal computer systems by establishing minimum acceptable security practice

Computer Security Act

Addresses violations harmful to society and is actively enforced and prosecuted by the state

Criminal Law

Ethics are based on ___________________, which are the relatively fixed moral attitudes or customs of a societal group.

Cultural Mores

Focuses on enhancing the security of the critical infrastructure in the United States

Cybersecurity Act

The act of attempting to prevent an unwanted action by threatening punishment or retaliation on the instigator if the act takes place is known as ___________.

Deterrence

Investigations involving the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and root cause analysis are known as _________.

Digital Forensics

A process focused on the identification and location of potential evidence related to a specific legal action after it was collected through digital forensics is known as ____________.

E-Discovery

Defines socially acceptable behaviors

Ethics

The branch of philosophy that considers nature, criteria, sources, logic, and the validity of moral judgment is known as ___________.

Ethics

A compromise law specifies a requirement for organizations to notify affected parties when they have experienced a specified type of loss of information (T/F)

False

Ethics carry the sanction of a governing authority. (T/F)

False

ISACA is a professional association with a focus on authorization, control, and security.(T/F)

False

Information ambiguation occurs when pieces of nonprivate data are combined to create information that violates privacy. (T/F)

False

InfraGard began as a cooperative effort between the FBI's Cleveland field office and local intelligence ​professionals.​ (T/F)

False

It is the responsibility of InfoSec professionals to understand state laws and bills. (T/F)

False

To protect intellectual property and competitive advantage, Congress passed the Entrepreneur Espionage Act (EEA) in 1996.​ (T/F)

False

Laws and policies and their associated penalties only deter if three conditions are present. What are these conditions?

Fear of penalty—Threats of informal reprimand or verbal warnings may not have the same impact as the threat of imprisonment or forfeiture of pay. Probability of being caught—There must be a strong possibility that perpetrators of illegal or unethical acts will be caught. Probability of penalty being administered—The organization must be willing and able to impose the penalty.

Briefly describe five different types of laws.

1. Civil law embodies a wide variety of laws pertaining to relationships between and among individuals and organizations. 2. Criminal law addresses violations harmful to society and is actively enforced and prosecuted by the state. 3. Tort law is a subset of civil law that allows individuals to seek recourse against others in the event of personal, physical, or financial injury. 4. Private law regulates the relationships among individuals and among individuals and organizations, and encompasses family law, commercial law, and labor law. 5. Public law regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments. Public law includes criminal, administrative, and constitutional law.

Information ____________ occurs when pieces of nonprivate data are combined to create information that violates privacy.

Aggregation

Describe the Freedom of Information Act. How does its application apply to federal vs. state agencies?

All federal agencies are required under the Freedom of Information Act (FOIA) to disclose records requested in writing by any person. However, agencies may withhold information pursuant to nine exemptions and three exclusions contained in the statute. FOIA applies only to federal agencies and does not create a right of access to records held by Congress, the courts, or by state or local government agencies. Each state has its own public access laws that should be consulted for access to state and local records.

A collection of statutes that regulates the interception of wire, electronic, and oral communications

Electronic Communications Privacy Act (ECPA)

Due diligence requires that an organization make a valid and ongoing effort to protect others (T/F)

True

Which law addresses privacy and security concerns associated with the electronic transmission of PHI? a. USA PATRIOT Act of 2001 b. Health Information Technology for Economic and Clinical Health Act c. American Recovery and Reinvestment Act d. National Information Infrastructure Protection Act of 1996

b. Health Information Technology for Economic and Clinical Health Act

Another key U.S. federal agency is _________, which is responsible for coordinating, directing, and performing highly specialized activities to protect U.S. information systems and produce foreign intelligence information. a.) Homeland Security b.) The National Security Agency c.) The Federal Bureau of Investigation d.) InfraGard

b.) The National Security Agency

Digital forensics can be used for two key purposes: ________ or _________. a.) e-discovery: to perform root cause analysis b.) to investigate allegations of digital malfeasance: to perform root cause analysis c.) To solicit testimony: to perform root cause analysis d.) to investigate allegations of digital malfeasance: to solicit testimony

b.) to investigate allegations of digital malfeasance: to perform root cause analysis

A process focused on the identification and location of potential evidence related to a specific legal action after it was collected through digital forensics is known as ____________. a.) Indexing b.) E-Discovery c.) Forensics d.) Root Cause Analysis

b.)E-Discovery

Any court can impose its authority over an individual or organization if it can establish which of the following? a.) Jurisprudence b.) Sovereignty c.) Liability d.) Jurisdiction

d.) Jurisdiction

Discuss the three general categories of unethical behavior that organizations should try to control.

Ignorance: Ignorance of the law is no excuse, but ignorance of policies and procedures is. The first method of deterrence is education. Organizations must design, publish, and disseminate organizational policies and relevant laws, and employees must explicitly agree to abide by them. Reminders, training, and awareness programs support retention, and one hopes, compliance. ​ Accident: Individuals with authorization and privileges to manage information within the organization have the greatest opportunity to cause harm or damage by accident. The careful placement of controls can help prevent accidental modification to systems and data. ​ Intent: Criminal or unethical intent refers to the state of mind of the individual committing the infraction. A legal defense can be built upon whether the accused acted out of ignorance, by accident, or with the intent to cause harm or damage. Deterring those with criminal intent is best done by means of litigation, prosecution, and technical controls. Intent is only one of several factors to consider when determining whether a computer-related crime has occurred.

The study of what makes actions right or wrong, also known as moral theory

Normative Ethics

Describe the foundations and frameworks of ethics.

Normative ethics—The study of what makes actions right or wrong, also known as moral theory—that is, how should people act? Meta-ethics—The study of the meaning of ethical judgments and properties—that is, what is right? Descriptive ethics—The study of the choices that have been made by individuals in the past—that is, what do others think is right? Applied ethics—An approach that applies moral codes to actions drawn from realistic situations... it seeks to define how we might use ethics in practice. Deontological ethics—The study of the rightness or wrongness of intentions and motives as opposed to the rightness or wrongness of the consequences

A key difference between policy and law is that ignorance of policy is a viable defense. What steps must be taken to assure that an organization has a reasonable expectation that policy violations can be appropriately penalized without fear of legal retribution?

Policies must be: Effectively written Distributed to all individuals who are expected to comply with them Read by all employees Understood by all employees, with multilingual translations and translations for visually impaired or low-literacy employees Acknowledged by the employee, usually by means of a signed consent form Uniformly enforced, with no special treatment for any group (e.g., executives)

Regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments

Public Law

The Computer Security Act charges the National Bureau of Standards, in cooperation with the National Security Agency (NSA), with the development of five standards and guidelines establishing minimum acceptable security practices. What are three of these principles?

Standards, guidelines, and associated methods and techniques for computer systems Uniform standards and guidelines for most federal computer systems Technical, management, physical, and administrative standards and guidelines for the cost-effective security and privacy of sensitive information in federal computer systems Guidelines for use by operators of federal computer systems that contain sensitive information in training their employees in security awareness and accepted security practice Validation procedures for, and evaluation of the effectiveness of, standards and guidelines through research and liaison with other government and private agencies

What is a key difference between law and ethics?

The key difference between law and ethics is that law carries the sanction of a governing authority and ethics do not.

Deterrence is the best method for preventing an illegal or unethical activity (T/F)

True

The Gramm-Leach-Bliley (GLB) Act, also known as the Financial Services Modernization Act of 1999, contains a number of provisions that affect banks, securities firms, and insurance companies. (T/F)

True

The Secret Service is charged with the detection and arrest of any person who commits a U.S. federal offense relating to computer fraud, as well as false identification crimes.(T/F)

True

Which of the following is the best method for preventing an illegal or unethical activity? Examples include laws, policies, and technical controls. a. deterrence b. rehabilitation c. remediation d. persecution

a. deterrence

Which of the following is NOT a requirement for laws and policies to deter illegal or unethical activity? a. fear of humiliation b. fear of penalty c. probability of being caught d. probability of being penalized

a. fear of humiliation

The most complex part of an investigation is usually __________. a.) Analysis for potential EM b.) Requesting potential EM c.) Preventing the destruction of potential EM d.) Protecting potential EM

a.) Analysis for potential EM

Investigations involving the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and root cause analysis are known as _________. a.) Digital forensics b.) Crime scene investigation c.) Criminal investigation d.) E-discovery

a.) Digital forensics

In digital forensics, all investigations follow the same basic methodology once permission to search and seize is received, beginning with _________. a.) Identifying relevant items of evidentiary value b.) Acquiring (seizing) the evidence without alteration or damage c.) Analyzing the data without risking modification or unauthorized access d.) A Investigating allegations of digital malfeasance

a.) Identifying relevant items of evidentiary value

Permission to search for evidentiary material at a specified location and/or to seize items to return to the investigator's lab for examination is known as a(n) _________. a.) Search warrant b.) Forensic clue c.) Affidavit d.) Subpoena

a.) Search Warrant

Which of the following is the study of the rightness or wrongness of intentions and motives as opposed to the rightness or wrongness of the consequences (also known as duty- or obligation-based ethics)? a. Normative ethics b. Deontological ethics c. Meta-ethics d. Applied ethics

b. Deontological ethics

The penalties for offenses related to the National Information Infrastructure Protection Act of 1996 depend on whether the offense is judged to have been committed for several reasons. Which of the following is NOT one of those reasons? a. For purposes of commercial advantage b. For political advantage c. For private financial gain d. In furtherance of a criminal act

b. For political advantage

Which act requires organizations that retain health care information to use InfoSec mechanisms to protect this information, as well as policies and procedures to maintain them? a. Sarbanes-Oxley b. HIPAA c. Gramm-Leach-Bliley d. ECPA

b. HIPAA

_________ devices often pose special challenges to investigators because they can be configured to use advanced encryption and they can be wiped by the user even when the user is not present. a. Expansion b. Portable c. Satellite transceiver d. Desktop computer

b. Portable

There are three general categories of unethical behavior that organizations and society should seek to eliminate. Which of the following is NOT one of them? a. ignorance b. malice c. intent d. accident

b. malice

Also known as "items of potential evidentiary value," any information that could potentially support the organization's legal or policy-based case against a suspect is known as ____________. a.) Evidence b.) Evidentiary Material c.) Digital Forensics d.) E-Discovery

b.) Evidentiary Material

Which of the following ethical frameworks is the study of the choices that have been made by individuals in the past?a. Applied ethics b. Deontological ethics c. Descriptive ethics d. Normative ethics

c. Descriptive ethics

This collaborative support group began as a cooperative effort between the FBI's Cleveland field office and local technology professionals with a focus of protecting critical national infrastructure.a. CyberWatch b. Homeland Security c. InfraGard d. CyberGard

c. InfraGard

Which law requires mandatory periodic training in computer security awareness and accepted computer security practice for all employees who are involved with the management, use, or operation of a federal computer system? a. National Information Infrastructure Protection Act b. The Telecommunications Deregulation and Competition Act c. The Computer Security Act d. Computer Fraud and Abuse Act

c. The Computer Security Act

Which of the following is the result of a U.S. led international effort to reduce the impact of copyright, trademark, and privacy infringement, especially via the removal of technological copyright protection measures? a. U.S. Copyright Law b. PCI DSS c. European Council Cybercrime Convention d. DMCA

d. DMCA

Which law extends protection to intellectual property, which includes words published in electronic formats? a. Freedom of Information Act b. Sarbanes-Oxley Act c. Security and Freedom through Encryption Act d. U.S. Copyright Law

d. U.S. Copyright Law

Which ethical standard is based on the notion that life in community yields a positive outcome for the individual, requiring each individual to contribute to that community? a. virtue b. utilitarian c. fairness or justice d. common good

d. common good

Which of the following is NOT used to categorize some types of law? a. statutory b. regulatory c. constitutional d. international

d. international

Which of the following is compensation for a wrong committed by an individual or organization ? a. jurisdiction b. liability c. due diligence d. restitution

d. restitution

selecting the appropriate law enforcement agency depends on __________. a. the network provider the hacker used b. what kind of computer the hacker used c. how many perpetrators were involved d. the type of crime committed

d. the type of crime committed

A more recently created area of law related to information secuirty specifies a requirement for organizations to notify affected parties when they ahve experienced a specififed type of information loss. This is commonly known as a ___________ law. a.) Notification b.) Spill c.) Compromise d.) Breach

d.) Breach

Which act is a collection of statutes that regulates the interception of wire, electronic, and oral communications? a. National Information Infrastructure Protection Act of 1996 b. Federal Privacy Act of 1974 c. The Electronic Communications Privacy Act of 1986 d. The Telecommunications Deregulation and Competition Act of 1996

c. The Electronic Communications Privacy Act of 1986

Which subset of civil law regulates the relationships among individuals and among individuals and organizations? a. criminal b. public c. private d. tort

c. private

Sworn testimony that certain facts are in the possession of the investigating officer and that they warrant the examination of specific items located at a specific place is known as a(n) _________. a.) Subpoena b.) Forensic finding c.) Affidavit d.) Search warrant

c.) Affidavit

The coherent application of methodical investigatory techniques to collect, preserve, and present evidence of crimes in a court or court-like setting is known as _________. a.) Crime scene investigation b.) Data imaging c.) Forensics d.) Evidentiary material

c.) Forensics

Which of the following organizations put forth a code of ethics designed primarily for InfoSec professionals who have earned their certifications? The code includes the canon: Provide diligent and competent service to principals. a. SANS b. ISACA c. ACM d. (ISC)2

d. (ISC)2

Sworn testimony that certain facts are in the possession of the investigating officer and that they warrant the examination of specific items located at a specific place is known as a(n) _________.

Affidavit

An approach that applies moral codes to actions drawn from realistic situations

Applied Ethics

this is known as the standard of __________.

Due Care

The penalty for violating the National Information Infrastructure Protection Act of 1996 depends on the value of the information obtained and whether the offense is judged to have been committed for one of three reasons. What are those reasons?

For purposes of commercial advantage For private financial gain In furtherance of a criminal act

_________ devices often pose special challenges to investigators because they can be configured to use advanced encryption and they can be wiped by the user even when the user is not present.

Portable

___________________ is a subset of civil law that allows individuals to seek redress in the event of personal, physical, or financial injury.

Tort Law


Related study sets

online question bank starting with chapter 25-17

View Set

Honors Anatomy & Physiology - Skull Bones

View Set