Module 2


National Information Infrastructure Protection Act of 1996 modified which Act?

Computer Fraud and Abuse Act

The CPMT conducts the BIA in three stages but does not

Determine mission/business processes and recovery criticality, identify recovery priorities for system resources, identify resources requirements.

The ______ is based on and directly supports the mission, vision, and direction of the organization and sets the strategic direction, scope, and tone for all security efforts.

EISP

The ____ attempts to prevent trade secrets from being illegally shared.

Economic Espionage Act

This act is a collection of statutes that regulate the interception of wire, electronic, and oral communications.

Electronic Communications Privacy Act

_______ is the legal obligation of an entity that extends beyond criminal or contract law.

liability

The stated purpose of ISO/IEC 27002 is to "offer guidelines and voluntary directions for information security ________."

management

The Privacy of Customer Information Section of the common carrier regulation states that any proprietary information shall be used explicitly for providing services, and not for any _______ purpose.

marketing

The _____ of an organization are the intermediate states obtained to achieve progress toward a goal or goals.

objectives

_____ controls address personnel security, physical security, and the protection of production inputs and outputs.

operational

The spheres of security are the foundation of the security framework and illustrate how information is under attack from a variety of sources, with far fewer protection layers between the information and potential attackers on the __________ side of the organization.

people

Managerial directives that specify acceptable and unacceptable employee behavior in the workplace are known as __________.

policies

___________ law regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments.

public

A ______ plan is a plan for the organization's intended strategic efforts over the next several years.

strategic

Some policies may need a(n) ____________________ indicating their expiration date.

sunset clause

The ______ of 1999 provides guidance on the use of encryption and provides protection from government intervention.

Security and Freedom through Encryption Act.

Which country reported the least tolerant attitudes toward personal use of organizational computing resources?

Singapore

_____ often function as standards or procedures to be used when configuring or maintaining systems.

SysSPs

When BS 7799 first came out, several countries, including the United States, Germany, and Japan, refused to adopt it, claiming that it had fundamental problems. Which of the following is NOT one of those problems?

The global information security community had already defined a justification for a code of practice, such as the one identified in ISO/IEC 17799

The SETA program is a control measure designed to reduce the instances of ______ security breaches by employees.

accidental

It is good practice, however, for policy _____ to solicit input both from technically adept information security experts and from business-focused managers in each community of interest when making revisions to security policies.

administrators

A ________ is a document containing contact information for the people to be notified in the event of an incident.

alert roster

A fundamental difference between a BIA and risk management is that risk management focuses on identifying the threats, vulnerabilities, and attacks to determine which controls can protect the information, while the BIA assumes _____

controls have been bypassed, are ineffective, or have failed

______ are the fixed moral attitudes or customs of a particular group.

cultural mores

The difference between a policy and a law is that ignorance of a law is an acceptable defense. (T/F)

false

A security ________ is an outline of the overall information security strategy for the organization and a roadmap for planned changes to the information security environment of the organization.

framework.

The Computer _________ and Abuse Act of 1986 is the cornerstone of many computer-related federal laws and enforcement efforts.

fraud

In early 2014, in response to Executive Order 13636, NIST published the Cybersecurity Framework, which is intended to allow organizations to _____.

identify and prioritize opportunities for improvement within the context of a continuous and repeatable process

A ______ is a plan or course of action that conveys instructions from an organization's senior management to those who make decisions, take actions, and perform other duties.

policy

_______ is a strategy of using multiple types of technology that prevent the failure of one system from compromising the security of information.

redundancy

RAID is an acronym for a _____ array of independent disk drives that stores information across multiple units to spread out data and minimize the impact of a single drive failure.

redundant

According to NIST SP 800-14's security principles, security should ________.

support the mission of the organization, require a comprehensive and integrated approach, and be cost-effective

___________-specific security policies often function as standards or procedures to be used when configuring or maintaining systems.

systems

According to the National Information Infrastructure Protection Act of 1996, the severity of the penalty for computer crimes depends on the value of the information obtained and whether the offense is judged to have been committed for each of the following except ______.

to harass

Good security programs begin and end with policy. (T/F)

true

You can create a single comprehensive ISSP document covering all information security issues. (T/F)

true

Criminal law addresses activities and conduct harmful to society and is categorized as private or public. (T/F)

True

Due care and due diligence require that an organization make a valid effort to protect others and continually maintain this level of effort, ensuring these actions are effective. (T/F)

True

Each policy should contain procedures and a timetable for periodic review. (T/F)

True

A standard is a plan or course of action that conveys instructions from an organization's senior management to those who make decisions, take actions, and perform other duties. (T/F)

False

For policy to become enforceable it only needs to be distributed, read, understood, and agreed to. (T/F)

False

The ISSP sets out the requirements that must be met by the information security blueprint or framework. (T/F)

False

The key difference between laws and ethics is that ethics carry the authority of a governing body and laws do not. (T/F)

False

Laws and policies and their associated penalties only deter if the following conditions are present:

Fear of penalty, probability of being caught, and probability of the penalty being administered.

Laws, policies, and their associated penalties only provide deterrence if three conditions are present. List and describe them.

Fear of penalty: potential offenders must fear the penalty. Probability of being apprehended: potential offenders must believe there is a strong possibility of being caught. Probability of penalty being applied: potential offenders must believe that the penalty will be administered.

What is the subject of the Computer Security Act?

Federal Agency Information Security

What is the subject of the Sarbanes-Oxley Act?

Financial Reporting

Which act is also known as the Gramm-Leach-Bliley Act?

Financial Services Modernization Act

Redundancy can be implemented at a number of points throughout the security architecture, such as in _______.

Firewalls, proxy servers and access controls

What is the purpose of security education, training, and awareness (SETA)?

To improve awareness of the need to protect system resources, and to develop skills and knowledge so computer users can perform their jobs more securely.

The Health Insurance Portability and Accountability Act of 1996, also known as the _____ Act, protects the confidentiality and security of health care data by establishing and enforcing standards and by standardizing electronic data interchange.

Kennedy-Kassebaum

_______ controls cover security processes that are designed by strategic planners and implemented by the security administration of the organization.

Managerial

The goals of information security governance include all but

Regulatory compliance by using information security knowledge and infrastructure to support minimum standards of due care

The _____ defines stiffer penalties for prosecution of terrorist crimes.

USA Patriot Act

What three purposes does the ISSP serve?

1. Addresses specific areas of technology, such as authorized and prohibited usage of equipment, policies, liability, and systems management.
2. Requires frequent updates.
3. Contains a statement on the organization's position on specific issues.

List the five fundamental principles of HIPAA.

1. Consumer control of medical information
2. Boundaries on the use of medical information
3. Accountability for the privacy of private information
4. Balance of public responsibility for the use of medical information for the greater good measured against impact to the individual
5. Security of health information

This act defines and formalizes laws to counter threats from computer-related acts and offenses.

Computer Fraud and Abuse Act of 1986

What are the requirements for a policy to become enforceable?

Dissemination (distribution): the organization must be able to demonstrate that the relevant policy has been made readily available for review by the employee.
Review (reading): the organization must be able to demonstrate that it disseminated the document in an intelligible form, including versions for illiterate, non-English-reading, and reading-impaired employees.
Comprehension (understanding): the organization must be able to demonstrate that the employee understood the requirements and content of the policy.
Compliance (agreement): the organization must be able to demonstrate that the employee agrees to comply with the policy, through act or affirmation.
Uniform enforcement: the organization must be able to demonstrate that the policy has been uniformly enforced, regardless of employee status or assignment.

The transfer of large batches of data to an off-site facility is called ____.

electronic vaulting

SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, provides best practices and security principles that can direct the security team in the development of a security ____.

blueprint

Individuals with authorization and privileges to manage information within the organization are most likely to cause harm or damage _______.

by accident

____ law comprises a wide variety of laws that govern a nation or state.

civil

A _____ site provides only rudimentary services and facilities.

cold

Incident _________ is the rapid determination of the scope of the breach of the confidentiality, integrity, and availability of information and information assets during or just following an incident.

damage assessment

Standards may be published, scrutinized, and ratified by a group, as in formal or ____ standards.

de jure

____ is a strategy for the protection of information assets that uses multiple layers and different types of controls (managerial, operational, and technical) to provide optimal protection.

defense in depth.

Security _____ are the areas of trust within which users can freely communicate.

domains

Criminal or unethical ____ goes to the state of mind of the individual performing the act.

intent

The Council of Europe adopted the Convention on Cybercrime in 2001 to oversee a range of security functions associated with ____ activities.

internet

"Long arm _____" refers to the long arm of the law reaching across the country or around the world to draw an accused individual into its court systems whenever it can establish jurisdiction.

jurisdiction

__________ are rules that mandate or prohibit certain behavior and are enforced by the state.

laws
