Chapter 3

Question 1

– Is the Nation’s cryptologic organization
– Protects US information systems
– Produces foreign intelligence information
– Responsible for signal intelligence and information system security

Answer 1

National Security Agency (NSA)

Question 2

Major IT Professional Organizations

Answer 2

1. Association of Computing Machinery
2. International Information Systems Security Certification Consortium, Inc
3. System Administration, Networking, Security Institute
4. Information Systems Audit and Control Association
5. Information Systems Security Association

Question 3

The leader in development and implementation of information security legislation?

Answer 3

United States of America

Question 4

– Established in 1947 as “the world’s first educational and scientific computing society”
– Code of ethics contains references to protecting information confidentiality, causing no harm, protecting others’ privacy, and respecting others’ intellectual property

Answer 4

*Association of Computing Machinery (ACM)

Question 5

Certification Consortium, Inc. (ISC)2
– Nonprofit organization focusing on development and implementation of information security certifications and credentials
– Code primarily designed for information security
professionals who have certification from (ISC)2
– Code of ethics focuses on four mandatory canons

Answer 5

International Information Systems Security

Question 6

body of expectations that describe
acceptable and unacceptable employee behaviors
in the workplace

Answer 6

Policies

Question 7

regulates structure/administration of
government agencies and relationships with
citizens, employees, and other governments

Answer 7

Public

Question 8

Seeks to improve reliability and accuracy of
financial reporting and increase the accountability of corporate governance.

Answer 8

Sarbanes-Oxley Act of 2002

Question 9

rules that mandate or prohibit certain
societal behavior

Answer 9

Law

Question 10

fixed moral attitudes or customs of
a particular group; ethics based on these.

Answer 10

Cultural Mores

Question 11

addresses violations harmful to society;
actively enforced by the state

Answer 11

Criminal

Question 12

What is the difference of law and policy?

Answer 12

Ignorance of a
policy is an acceptable defense.

Question 13

regulates relationships between individuals
and organizations.

Answer 13

Private

Question 14

– Maintains an intrusion alert network
– Maintains a secure Web site for communication
about suspicious activity or intrusions
– Sponsors local chapter activities
– Operates a help desk for questions

Answer 14

Federal Bureau of Investigation’s National
InfraGard Program

Question 15

– Professional association with focus on auditing, control, and security
– Concentrates on providing IT control practices and standards
– ISACA has code of ethics for its professionals

Answer 15

Information Systems Audit and Control Association (ISACA)

Question 16

5 issues covered by Agreement on Trade-Related Aspects of Intellectual Property Rights

Answer 16

– Application of basic principles of trading system and international intellectual property agreements
– Giving adequate protection to intellectual property rights
– Enforcement of those rights by countries in their own territories
– Settling intellectual property disputes
– Transitional arrangements while new system is being introduced

Question 17

“occurring when someone uses your personally identifying information, like your name, Social Security number, or credit card number, without your permission, to commit fraud or other crimes”

Answer 17

Identity Theft

Question 18

provides law enforcement agencies with broader latitude in order to combat terrorism-related activities

Answer 18

USA PATRIOT Act of 2001

Question 19

Export and Espionage Laws

Answer 19

• Economic Espionage Act of 1996 (EEA)
• Security And Freedom Through Encryption Act of 1999 (SAFE)
• The acts include provisions about encryption that:
  – Reinforce the right to use or sell encryption
  algorithms, without concern of key registration
  – Prohibit the federal government from requiring it
  – Make it not probable cause in criminal activity
  – Relax export restrictions
  – Additional penalties for using it in a crime

Question 20

Examples of Criminal Cases

Answer 20

• Murder.
• Robbery.
• Treason.
• Rape.
• Kidnapping.

Question 21

• Establishes international task force overseeing
  Internet security functions for standardized
  international technology laws
• Attempts to improve effectiveness of international
  investigations into breaches of technology law
• Well received by intellectual property rights
  advocates due to emphasis on copyright
  infringement prosecution
• Lacks realistic provisions for enforcement

Answer 21

European Council Cyber-Crime
Convention

Question 22

legal obligation of an entity extending
beyond criminal or contract law; includes legal
obligation to make restitution

Answer 22

Liability

Question 23

best method for preventing an illegal or
unethical activity; e.g., laws, policies, technical
controls

Answer 23

Deterrence

Question 24

General Computer Crime Laws

Answer 24

1. Computer Fraud and Abuse Act of 1986
2. National Information Infrastructure Protection act of 1996
3. USA PATRIOT Act of 2001
   4.USA PATRIOT Improvement and Reauthorization Act
4. Computer Security Act of 1987

Question 25

– Made up of five directorates, or divisions – Mission is to protect the people as well as the physical and informational assets of the US

Answer 25

Department of Homeland Security (DHS)

Question 26

governs nation or state; manages relationships/conflicts between organizational entities and people.

Answer 26

Civil

Question 27

Key Federal Agency

Answer 27

1. Department of Homeland Security (DHS) 2. Federal Bureau of Investigation’s National InfraGard Program 3. National Security Agency (NSA) 4. U.S. Secret Service

Question 28

– Modified several sections of the previous act and increased the penalties for selected crimes – Severity of penalties judged on the purpose * For purposes of commercial advantage * For private financial gain * In furtherance of a criminal act

Answer 28

National Information Infrastructure Protection Act of 1996

Question 29

define socially acceptable behavior.

Answer 29

Ethics

Question 30

– Nonprofit society of information security (IS) professionals – Primary mission to bring together qualified IS practitioners for information exchange and educational development – Promotes code of ethics similar to (ISC)2 , ISACA, and ACM

Answer 30

Information Systems Security Association (ISSA)

Question 31

to compensate for wrongs committed by an organization or its employees

Answer 31

Restitution

Question 32

To minimize the risk, information practitioner should

Answer 32

- Understand current legal environment – Stay current with laws and regulations – Watch for new issues that emerge

Question 33

Privacy US Regulations

Answer 33

– Privacy of Customer Information Section of the common carrier regulation – Federal Privacy Act of 1974 – Electronic Communications Privacy Act of 1986 – Health Insurance Portability and Accountability Act of 1996 (HIPAA), aka Kennedy-Kassebaum Act – Financial Services Modernization Act, or Gramm-Leach-Bliley Act of 1999

Question 34

Examples of Civil Cases

Answer 34

* A person who is hurt in a car accident sues the driver of the other car; * A worker sues his employer after the worker hurts his back at work and can never work again; * A homeowner who has hired a builder to build a new kitchen sues the builder when the kitchen is badly built and has to be fixed; * A family sues their doctor when the doctor does not discover that the mother has cancer in time for the cancer to be treated

Question 35

The organization must be able to demonstrate that the relevant policy has been made readily available for review by the employee. Common dissemination techniques include hard copy and electronic distribution.

Answer 35

Dissemination (distribution)

Question 36

Allows access to federal agency records or information not determined to be matter of national security

Answer 36

Freedom of Information Act of 1966 (FOIA)

Question 37

– Professional organization with a large membership dedicated to protection of information and systems – SANS offers set of certifications called Global Information Assurance Certification (GIAC)

Answer 37

System Administration, Networking, and Security Institute (SANS)

Question 38

Examples of Private Cases

Answer 38

* Divorce and Infidelity Investigations. The end of a marriage often involves the loss of trust between spouses. ... * Child Custody Disputes. ... * Finding Missing Loved Ones. ... * Serving Legal Papers. ... * Trial Preparation. ... * Social Media Investigations. ... * Background Investigations.

Question 39

: ensuring that employees know what constitutes acceptable behavior and know the consequences of illegal or unethical actions

Answer 39

Due Care

Question 40

Difference between laws and ethics?

Answer 40

Laws carry sanctions of a governing authority; ethics do not.

Question 41

The organization must be able to demonstrate that it disseminated the document in an intelligible form, including versions for illiterate, non-English reading, and reading-impaired employees. Common techniques include recordings of the policy in English and alternate languages.

Answer 41

Review (reading)

Question 42

function as laws within an organization; must be crafted carefully to ensure they are complete, appropriate, fairly applied to everyone

Answer 42

Policy

Question 43

cornerstone of many computer-related federal laws and enforcement efforts

Answer 43

Computer Fraud and Abuse Act of 1986

Question 44

* Created by World Trade Organization (WTO) * First significant international effort to protect intellectual property rights * Outlines requirements for governmental oversight and legislation providing minimum levels of protection for intellectual property

Answer 44

Agreement on Trade-Related Aspects of Intellectual Property Rights

Question 45

The organization must be able to demonstrate that the employee understood the requirements and content of the policy. Common techniques include quizzes and other assessments

Answer 45

Comprehension (understanding)

Question 46

court's right to hear a case if the wrong was committed in its territory or involved its citizenry

Answer 46

Jurisdiction

Question 47

The organization must be able to demonstrate that the employee agrees to comply with the policy, through act or affirmation. Common techniques include logon banners which require a specific action (mouse click or keystroke) to acknowledge agreement, or a signed document clearly indicating the employee has read, understood, and agreed to comply with the policy.

Answer 47

Compliance (agreement)

Question 48

Laws and policies only deter if three conditions are present:

Answer 48

– Fear of penalty – Probability of being caught – Probability of penalty being administered

Question 49

Is a “state of being free from unsanctioned intrusion”

Answer 49

Privacy

Question 50

right of any court to impose its authority over an individual or organization if it can establish jurisdiction

Answer 50

Long arm jurisdiction

Question 51

Policy enforcement

Answer 51

1. Dissemination 2. Review 3. Comprehension 4. Compliance 5. Uniform Enforcement

Question 52

Made permanent fourteen of the sixteen expanded powers of the Department of Homeland Security and the FBI in investigating terrorist activity

Answer 52

USA PATRIOT Improvement and Reauthorization Act

Question 53

* Intellectual property recognized as protected asset in the U.S.; copyright law extends to electronic formats

Answer 53

U.S. Copyright Law

Question 54

The organization must be able to demonstrate that the policy has been uniformly enforced, regardless of employee status or assignment.

Answer 54

Uniform enforcement

Question 55

Types of Law

Answer 55

1. Civil 2. Criminal 3. Public 4. Private

Question 56

making a valid effort to protect others; continually maintaining level of effort

Answer 56

Due Diligence

Question 57

one of the first attempts to protect federal computer systems by establishing minimum acceptable security practices

Answer 57

Computer Security Act of 1987

Question 58

Protects the confidentiality and security of health care data by establishing and enforcing standards and by standardizing electronic data interchange

Answer 58

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Question 59

Three General Cause of Unethical and illegal behavior

Answer 59

: ignorance, accident, intent