Chapter 4

Question 1

3 Categories of Laws

Answer 1

Criminal Law
Civil Law
Administrative Law

Question 2

Which type of law does this describe?

preserve peace; involve police and other law enforcement agencies

Answer 2

Criminal Law

Question 3

Which type of law does this describe?

provide for an orderly society; settled between individuals and organizations

Answer 3

Civil Law

Question 4

what type of law does this describe?

rules and procedures that should be followed in every possible situations

executive orders, policies, procedures, and regulations

Answer 4

Administrative Law

Question 5

Where are administrative Laws published?

Answer 5

Code of Federal Regulations (CFR)

Question 6

Computer Fraud and Abuse Act (CFAA)

Answer 6

first cyber-crime-specific legislation in US
expansion of Comprehensive Crime Control Act

Question 7

National Information Infrastructure Protection Act of 1996

Answer 7

covers computer systems used in international commerce and interstate commerce
extends protections beyond computer systems like railroads, pipelines, electric grids, etc.
damage to critical portions of national infrastructure as a felony

Question 8

Federal Sentencing Guidelines (1991)

Answer 8

formalized prudent person rule
three burdens of proof for negligence

Question 9

prudent person rule

Answer 9

requires senior executives to take personal responsibility for ensuring due care

Question 10

3 burdens of proof for negligence

Answer 10

1. person must have legally recognized obligation
2. must have failed to comply with recognized standards
3. must be a causal relationship between negligence and damages

Question 11

FISMA - Federal Information Security Management Act

Answer 11

requires federal agencies implement an infosec profram that covers the agency’s ops - to include contractors

replaced Computer Security Act of 1987 and the Government Information Security Reform Act of 2000

Question 12

Which organization is responsible for developing the FISMA implementation guidelines?

Answer 12

NIST

Question 13

Federal Cybersecurity Laws of 2014

Answer 13

Federal Information Systems Modernization Act
Cybersecurity Enhancement Act
National Cybersecurity Protection Act

Question 14

Federal Information Systems Modernization Act

Answer 14

modified 2002 FISMA by centralizing federal cybersecurity responsibility with the DHS

except:
defense-related cybersecurity remain responsibility of SecDef
intelligence-related cybersec remains responsibility of director of national intel

Question 15

Cybersecurity Enhancement Act

Answer 15

NIST is responsible for coordination nationwide work on voluntary cybersec standards

Question 16

National Cybersecurity Protection Act

Answer 16

DHS establishes a national cybersec and commo integration center to be the interface between federal agencies and civilian orgs to share cyber risks, incidents, analysis, and warnings

Question 17

4 types Intellectual Property

Answer 17

copyrights
trademarks
patents
trade secrets

Question 18

Copyright law - primary purpose

Answer 18

guarantees the creators of “original works of authorship” protection against duplication of their work

Question 19

8 categories of copyright protection

Answer 19

Literary
Musical
Dramatic
Pantomimes/Choreography
Pictorial, graphical, sculptural
Motion pictures
Sound recordings
Architectural

Question 20

What category of copyright does source code fall under?

Answer 20

literary works

Question 21

Digital Millennium Copyright Act (DMCA)

Answer 21

prohibits attempts to circumvent copyright protection mechanisms
limits liabilities of ISPs when circuits are used by criminals violating copyright law
streaming audio/video over the internet is “eligible nonsubscription transmissions” - not illegal

Question 22

Trademarks

Answer 22

words, slogans, and logos used to identify a company and its products or services

Question 23

™ (TM)

Answer 23

shows you intend to protect works or slogans as trademarks

Question 24

® (R)

Answer 24

symbolizes a trademark registered with the USPTO - United States Patent and Trademark Office

Question 25

Patents

Answer 25

protect IP rights of inventors for 20 years - after which they become public domain

Question 26

3 requirements for Patents

Answer 26

• must be new
• must be useful
• must not be obvious

Question 27

trade secrets

Answer 27

IP that is critical to business, and would cause significant damage if disclosed to competitors

Question 28

Protecting Trade Secrets

Answer 28

make employees with access sign NDAs
implement adequate access controls

Question 29

what is one of the best ways to protect source code?

Answer 29

treat it as a trade secret

Question 30

Economic Espionage Act of 1996

Answer 30

stealing trade secrets to sell to foreign agent fined up to $500,000 and imprisoned for 15 yrs
stealing trade secrets for other reasons fined up to $250000 and imprisoned for up to 10 yrs

Question 31

4 types of license agreements

Answer 31

1. contractural license agreement
2. shrink-wrap license agreement
3. click-through license agreements
4. Cloud services license agreemtns

Question 32

contractual license agreements

Answer 32

written contract b/w software vendor and customer

Question 33

shrink-wrapped license agreements

Answer 33

written on the outside of the software packaging

Question 34

click-through license agreements

Answer 34

during installation process, you are required to click a button indicating you have read the terms of the agreement and to abide by them

Question 35

cloud services license agreements

Answer 35

usually a link to the legal terms and a check box to indicate user has read them

Question 36

International Traffic in Arms regulations (ITAR)

Answer 36

controls the export of items that are specifically designed as military and defense items

Question 37

Export Administration Regulations (EAR)

Answer 37

items appear on the commerce control list (CCL)
includes entire category covering info sec products
controls export of commercial items that may have a military application

Question 38

Fourth Amendment

Answer 38

basis for privacy rights; protection against unreasonable search and seizure of persons, houses, papers, and effects

expanded to include protection against wiretapping

Question 39

Privacy Act of 1974

Answer 39

applies to government agencies regarding records maintenance and access to your records

Question 40

Electronic Communications Privacy Act of 1986 (ECPA)

Answer 40

makes it a crime to invade the electronic privacy of an individual

Question 41

Communications Assistance for Law Enforcement Act (CALEA) of 1994

Answer 41

requires all communications carriers to make wiretaps possible for law enforcement

Question 42

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Answer 42

privacy and security regulations for organizations that process or store private medical information about individuals

Question 43

Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH)

Answer 43

updated HIPAA privacy and security requirements

Question 44

Children’s Online Privacy Protection Act (COPPA)

Answer 44

websites that cater to children:
have a notice that indicates the type of information they collect and what its use for
parents must have ability to review and delete information permanently from the site
parents must give consent to the collection of information

Question 45

Gramm-Leach_Bliley Act of 1999 (GLBA)

Answer 45

limits types of info that could be exchanged amongst financial institutions

Question 46

USA PATRIOT Act

Answer 46

broadens powers of law enforcement and intelligence agencies
wiretapping authorizations are easier to obtain

Question 47

Family Educational Rights and Privacy Act (FERPA)

Answer 47

grants privacy rights to students older than 18
right to inspect educational records
right to request corrections
schools may not release person information from student records

Question 48

Identity Theft and Assumption Deterrence Act

Answer 48

the person whose identify was stolen is the victim

Question 49

“reasonable expectation to privacy”

Answer 49

if you are using corporate or government equipment, you should not expect privacy so be careful what you do

Question 50

European Union Data Protection Directive (DPD)

Answer 50

outlines privacy measures that must be in place for protecting personal data

Question 51

European Union General Data Protection Regulation (GDPR)

Answer 51

widened scope of personal data protections to all organizations that collect data from EU residents - even if they are not based in the EU

Question 52

7 key provisions of GDPR

Answer 52

1. Lawfulness, fairness, transparency
2. Purpose limitation
3. Data minimizaiton
4. Accuracy
5. Storage Limitation
6. Security
7. Accountability

Question 53

which key provision of GDPR does this describe?

must have a legal basis for processing personal information

Answer 53

lawfullness, fairness, transparency

Question 54

which key provision of GDPR does this describe?

must clearly document and disclose the purposes for which you collect data

Answer 54

purpose limitation

Question 55

which key provision of GDPR does this describe?

must ensure that the data processed is adequate for your stated purpose and limited to what is necessary

Answer 55

Data minimization

Question 56

which key provision of GDPR does this describe?

data you collect or maintain is correct and not misleading; correct or erase inaccurate data

Answer 56

Accuracy

Question 57

which key provision of GDPR does this describe?

keep data only for as long as it is needed

Answer 57

storage limitation

Question 58

which key provision of GDPR does this describe?

must have appropriate integrity and confidentiality controls in place

Answer 58

security

Question 59

which key provision of GDPR does this describe?

must take responsibility for your actions with protected data

Answer 59

accountability

Question 60

Personal Information Protection and Electronic Documents Act (PIPEDA)

Answer 60

Canadian law that restricts how commercial entities may collect, use, and disclose PI

Question 61

Payment Card Industry Data Security Standard (PCI DSS)

Answer 61

compliance requirement dictated by contractual obligation - not by law

Question 62

12 requirements of PCI DSS

Answer 62

1. firewalls
2. change default passwords
3. protect cardholder data
4. encrypt transmission across public networks
5. protect against malware
6. maintain secure systems and apps
7. restrict access to cardholder data
8. identity and authentication access control
9. restrict physical access to cardholder data
10. track and monitor access to network resources and data
11. test security systems and processes
12. maintain info sec policy for all personnel

Question 63

Sarbanes-Oxley Act (SOX)

Answer 63

protects investors from fraudulent financial reporting by corporations

Question 64

BIS - Bureau of Industry and Security

Answer 64

sets regs on the export of encryption products

Question 65

GLBA - Gramm-Leach-Bliley Act

Answer 65

requires financial institutions protect customer records

Question 66

If an organization wants to transfer data from EU residents with other agencies, what is the best way to ensure compliance with GDRP?

Answer 66

standard contractual clauses provided by the EU

Question 67

If an organization wants to internally transfer data collected from EU residents, how can they remain compliant with GDRP?

Answer 67

binding corporate rules

Question 68

How can organizations remain HIPAA compliant and enter a relationship with a service provider that gives them access to the PHI?

Answer 68

Enter a BAA - Business Associate Agreement.
It makes the service provider liable under HIPAA.