Chapter 9 – ‘Confidentiality and Privacy Controls’ Flashcards
- Which of the following statements is true?
a. Encryption is sufficient to protect confidentiality and privacy.
b. Cookies are text files that only store information. They cannot perform any
actions.
c. The controls for protecting confidentiality are not effective for protecting
privacy.
d. All of the above are true.
b. Cookies are text files that only store information. They cannot perform any
actions. (Correct. Cookies are text files, not executable programs. They can,
however, store sensitive information, so they should be protected.)
- A digital signature is ____________.
a. created by hashing a document and then encrypting the hash with the
signer’s private key
b. created by hashing a document and then encrypting the hash with the
signer’s public key
c. created by hashing a document and then encrypting the hash with the
signer’s symmetric key
d. none of the above
a. created by hashing a document and then encrypting the hash with the
signer’s private key (Correct. Creating a hash provides a way to verify the
integrity of a document, and encrypting it with the signer’s private key
provides a way to prove that the sender created the document.)
- Able wants to send a file to Baker over the Internet and protect the file
so that only Baker can read it and can verify that it came from Able.
What should Able do?
a. Encrypt the file using Able’s public key, and then encrypt it again using
Baker’s private key.
b. Encrypt the file using Able’s private key, and then encrypt it again using
Baker’s private key.
c. Encrypt the file using Able’s public key, and then encrypt it again using
Baker’s public key.
d. Encrypt the file using Able’s private key, and then encrypt it again using
Baker’s public key.
d. Encrypt the file using Able’s private key, and then encrypt it again using
Baker’s public key. (Correct. Encrypting it with Baker’s public key means that
only Baker can decrypt it. Then, Baker can use Able’s public key to decrypt the
file—if the result is understandable, it had to have been created by Able and
encrypted with Able’s private key.)
- Which of the following statements is true?
a. Encryption and hashing are both reversible (can be decoded).
b. Encryption is reversible, but hashing is not.
c. Hashing is reversible, but encryption is not.
d. Neither hashing nor encryption is reversible.
b. Encryption is reversible, but hashing is not. (Correct. Encryption can be
reversed to decrypt the ciphertext, but hashing cannot be reversed.)
- Which of the following statements about obtaining consent to collect
and use a customer’s personal information is true?
a. The default policy in Europe is opt-out, but in the United States the default
is opt-in.
b. The default policy in Europe is opt-in, but in the United States the default is
opt-out.
c. The default policy in both Europe and the United States is opt-in.
d. The default policy in both Europe and the United States is opt-out.
b. The default policy in Europe is opt-in, but in the United States the default is
opt-out. (Correct.)
- One of the ten Generally Accepted Privacy Principles concerns security.
According to GAPP, what is the nature of the relationship between
security and privacy?
a. Privacy is a necessary, but not sufficient, precondition to effective security.
b. Privacy is both necessary and sufficient to effective security.
c. Security is a necessary, but not sufficient, precondition to protect privacy.
c. Security is a necessary, but not sufficient, precondition to protect privacy.
(Correct.)
- Which of the following statements is true?
a. Symmetric encryption is faster than asymmetric encryption and can be used
to provide nonrepudiation of contracts.
b. Symmetric encryption is faster than asymmetric encryption but cannot be
used to provide nonrepudiation of contracts.
c. Asymmetric encryption is faster than symmetric encryption and can be used
to provide nonrepudiation of contracts.
d. Asymmetric encryption is faster than symmetric encryption but cannot be
used to provide nonrepudiation of contracts.
b. Symmetric encryption is faster than asymmetric encryption but cannot be
used to provide nonrepudiation of contracts. (Correct. Symmetric encryption is
faster than asymmetric encryption, but it cannot be used for nonrepudiation;
the key is shared by both parties, so there is no way to prove who created and
encrypted a document.)
- Which of the following statements is true?
a. VPNs protect the confidentiality of information while it is in transit over the
Internet.
b. Encryption limits firewalls’ ability to filter traffic.
c. A digital certificate contains that entity’s public key.
d. All of the above are true.
d. All of the above are true. (Correct. All three statements are true.)
- Which of the following can organizations use to protect the privacy of
a customer’s personal information when giving programmers a realistic
data set with which to test a new application?
a. Digital signature.
b. Digital watermark.
c. Data loss prevention.
d. Data masking.
d. Data masking. (Correct. Masking replaces actual values with fake ones, but
the result is still the same type of data, which can then be used to test program
logic.)
- Confidentiality focuses on protecting ____________.
c. merger and acquisition plans
c. merger and acquisition plans (Correct. Merger and acquisition plans are sensitive
information that should not be made public until the deal is consummated.)