
Answer Key

CHAPTER 1 Information Security Overview

1. C 2. E 3. D 4. C 5. A 6. Logical control 7. C 8. D 9. A
10. E 11. D 12. B 13. C 14. E 15. A

CHAPTER 2 Privacy Overview

1. A 2. E 3. C 4. A 5. D 6. D 7. 8 8. B 9. A 10. B 11. A
12. A legitimate business reason 13. D 14. B 15. C

CHAPTER 3 The American Legal System

1. E 2. B 3. A 4. D 5. C 6. A 7. Stare decisis 8. D 9. E
10. A 11. Congress 12. D 13. 9 14. C 15. 94

CHAPTER 4 Security and Privacy of Consumer Financial Information

1. D 2. B 3. A 4. B 5. C 6. Social engineering 7. A 8. E
9. National Bank Act of 1864 10. B 11. C 12. B 13. 12 14. B
15. C

CHAPTER 5 Security and Privacy of Information Belonging to Children and in Educational Records

1. B 2. A 3. B 4. 13 5. D 6. B 7. CIPA 8. Technical protection measure (TPM) 9. C 10. A 11. C 12. A 13. B 14. B 15. A

CHAPTER 6 Security and Privacy of Health Information

1. Reasonable and appropriate 2. D 3. 60 4. 12 5. D 6. An organization that performs a healthcare activity on behalf of a covered entity 7. C 8. B 9. 30 10. D 11. A 12. B 13. C 14. E
15. Unsecured

CHAPTER 7 Corporate Information Security and Privacy Regulation

1. A 2. A 3. To protect shareholders and investors from financial fraud. SOX also was designed to restore investor faith in American stock markets. 4. C 5. E 6. Internal controls are the processes and procedures that a company uses to provide reasonable assurance that its financial reports are reliable. 7. D 8. B 9. B 10. C 11. B 12. D
13. Provides management with reasonable assurance that: (1) financial reports, records, and data are accurately maintained; (2) transactions are prepared according to generally accepted accounting principles (GAAP) rules and are properly recorded; and (3) unauthorized acquisition or use of data or assets that could affect financial statements will be prevented or detected promptly. 14. C 15. B

CHAPTER 8 Federal Government Information Security and Privacy Regulations

1. A 2. A government agency must state what information is to be collected; why the information is being collected; the intended use of the information; how the agency will share the information; whether people have the opportunity to consent to specific uses of the information; how the information will be secured; and whether the information collected will be a system of records as defined by the Privacy Act of 1974.
3. C 4. B 5. E 6. NCCIC/US-CERT 7. B 8. D 9. CyberScope
10. B 11. A 12. B 13. B 14. E 15. D

CHAPTER 9 State Laws Protecting Citizen Information and Breach Notification Laws

1. A 2. 2003 3. D 4. A legal concept that protects an entity from liability if it follows the law 5. B 6. D 7. C 8. A person must be able to easily understand it 9. E 10. C 11. D 12. A legal concept that describes a person’s right to sue another for harm that the latter caused 13. A 14. D 15. B

CHAPTER 10 Intellectual Property Law

1. E 2. A legal concept that means that people can be held responsible for their actions even if they did not intend to cause harm to another person. 3. B 4. 20 5. E 6. C 7. A person or business must use the trademark in interstate commerce, and the trademark must be distinctive 8. A 9. C 10. A 11. C 12. A 13. It is important to know the ownership of a copyrighted work in order to determine the length of copyright protection. 14. E 15. B

CHAPTER 11 The Role of Contracts

1. C 2. An agreement where the complete terms of the agreement are presented on a computer screen, usually in the form of a pop-up window. A user must take an affirmative action to accept the terms of the agreement. 3. B 4. A 5. B 6. D 7. Legal relief granted by a court
8. C 9. A 10. Loss of control of data, loss of privacy of data, third-party dependency for critical infrastructure, potential security and technology defects, lack of control over third parties, loss of an entity’s own competence in IT infrastructure security. 11. E 12. B 13. B
14. Enforceable 15. D

CHAPTER 12 Criminal Law and Tort Law Issues in Cyberspace

1. B 2. Crimes are wrongdoings against society. 3. A 4. E 5. C
6. The Sixth Amendment to the U.S. Constitution 7. B 8. E 9. A
10. Extreme and outrageous 11. A 12. C 13. D 14. Libel and slander 15. E

CHAPTER 13 Information Security Governance

1. A 2. Executive management providing strategic direction, oversight, and accountability for an organization’s data and information technology (IT) resources. 3. D 4. D 5. Middle management providing day-to-day guidance and oversight for an organization’s information and information resources. 6. A 7. A list of mandatory activities that must be completed to achieve an information security goal 8. A 9. B 10. D
11. A checklist of actions that should be performed to achieve a certain goal 12. C 13. A 14. E 15. B

CHAPTER 14 Risk Analysis, Incident Response, and Contingency Planning

1. B 2. E 3. A risk assessment identifies the threats and vulnerabilities to IT resources. 4. D 5. A 6. Exposure factor 7. The annualized loss expectancy (ALE) is the amount of loss that an organization can expect to have each year because of a particular risk. ALE is often expressed as the equation: ALE = SLE × ARO. SLE is single loss expectancy. ARO is annual rate of occurrence. 8. C 9. A 10. D 11. C 12. Incident
13. Disaster 14. A 15. A

CHAPTER 15 Computer Forensics and Investigations

1. B 2. D 3. C 4. The Electronic Communications Privacy Act; the Wiretap Act; the Pen Register and Trap and Trace Statute. 5. Computer forensics also is known as system forensics, digital forensics, computer forensic analysis, computer examination, data recovery, and inforensics (information forensics). These terms are used interchangeably.
6. B 7. E 8. Four 9. C 10. B 11. A 12. Data stored in the memory of an electronic device. Volatile data is lost when the electronic device is turned off. 13. C 14. B 15. Bit-by-bit copy
