Information Security (9%) Flashcards
Protecting Information
Information Categories
Sensitive and proprietary information
Privacy-protected data
Intellectual property
Intangible assets
Information defined under international, federal, and state laws governing trade secrets, patents, and copyrights
Protecting Information
Basic principles of effective protection
- Classification and labeling
- Handling protocols to specify use, distribution, storage, security expectations, declassification, return, and destruction/disposal methodology
- Training
- Incident reporting and investigation
- Audit/compliance processes and special needs (disaster recovery)
Protecting Information - Information Assets
What is the second most valuable resource after employees?
Corporate Knowledge
Protecting Information - Information Assets
Intangible rights protecting commercially valuable products of intellect?
Intellectual Property Rights (IPR)
Trademark | Copyright | Patent | Trade Secrets | Publicity Rights | Moral Rights | Rights against unfair competition
Protecting Information - Information Assets
Excludes others from making, using, offering for sale, or selling an invention for 20 years
Patents
Protecting Information - Information Assets
The owner must take reasonable measures to keep the information secret
Must derive independent economic value, actual or potential, from not being generally known and not being readily ascertainable through proper means by the public
Trade Secret
Protecting Information - Information Assets
For information to be considered a trade secret, the owner must be able to prove…
- The information added value or benefit to the owner
- The trade secret was specifically identified
- The owner provided a reasonable level of protection
A robust security program and strict protection measures clearly and consistently defined, communicated, and enforced
Protecting Information - Information Assets
Patents vs. Trade secrets
- An inventor may protect an invention by patenting it or by deeming it a trade secret
- Patents require public disclosure and last only 20 years
- A trade secret is not disclosed and may last indefinitely
- Stealing a trade secret may violate criminal laws but there are no criminal laws regarding patent infringement
Protecting Information - Information Assets
A proprietary right or other valid economic interest in data resulting from private investment
Proprietary Information
Protecting Information - Information Assets
- Protects the expression of ideas in literary, artistic, and musical works
- Under international law, copyrights do not have to be registered to be protected
- An author or copyright holder can formalize ownership through government registration, which may help in any later enforcement actions
Copyright
Protecting Information - Information Assets
Name, phrase or other device used to identify and distinguish the services of a certain provider
Service Mark
Protecting Information - Information Assets
Word, phrase, logo or other graphic symbol used by a manufacturer or seller to distinguish its product from others
Consists of words, names, symbols, devices, or images applied to products or used in connection with goods or services to identify their source
Trade Mark
Protecting Information - Information Assets
It is intellectual property owner’s responsibility to understand and comply with the requirements related to protecting patent, trademark and copyrights in each relevant jurisdiction
Protecting Information - Information Risk Assessment
A thorough and tailored risk assessment is the foundation for the development of an overall IAP strategy
Protecting Information - Information Risk Assessment
The goal of risk management and the security program is…
to optimize risk, never to minimize it
Protecting Information - Information Risk Assessment
In basic risk management, how much one should spend to prevent an information security incident equals the probability of the incident times its cost
Protecting Information - Information Risk Assessment
Too often there is an over-emphasis on dollar values as the only metric in a risk analysis
- May discourage the consideration of non-tangible measures of factors that cannot be easily quantified
- Qualitative risk analyses are sometimes more appropriate and should be considered in lieu of or in addition to quantitative analysis
Protecting Information - OPSEC
What was developed in the military to protect unclassified information that could reveal sensitive plans and operations?
A Protection Approach
Protecting Information - OPSEC
OPSEC calls for…
Viewing the big picture and identifying any protection gaps that remain despite current security measures
Protecting Information - OPSEC
OPSEC responds to the fact that small bits of information taken from several different sources can be combined to reveal sensitive information
Protecting Information - OPSEC
OPSEC or information risk management should be practiced in organizations of all sizes, but it is particularly valuable for smaller businesses that may not have a large security or IAP staff or a great deal of security resources
Protecting Information - OPSEC
A simple and systematic method of employing safeguards to protect critical information; the process includes five cyclical steps
- Identify assets (critical information)
- Define the threat (collectors, capabilities, motivations)
- Assess vulnerabilities
- Analyze the risk (impact, priority, existing countermeasures, etc.)
- Develop and implement countermeasures
Protecting Information - Information Threats
Categories of Information Threats
Intentional
Natural
Inadvertent
Protecting Information - Information Threats
Top business impacts of information loss…
- Loss of company reputation/image/goodwill
- Loss of competitive advantage in one product/service
- Reduced projected/anticipated returns or profitability
- Loss of core business technology or process
- Loss of competitive advantage in multiple products/services
Protecting Information - Information Threats
Today, compromised information assets are almost always impossible to recall or contain in terms of dissemination; they can be anywhere or everywhere in an instant
Protecting Information - Information Threats
Perhaps the most frequently overlooked threats are inadvertent threats
Protecting Information - Information Threats
Insider espionage is facilitated by…
- Advanced information storage and retrieval results in easier access
- A broader range of foreign buyers is more accessible than ever
- International collaboration places more employees in strategic positions to work with foreign personnel
- Opportunities to transfer information increase with increasing rates of foreign travel
Protecting Information - Information Threats
Insider espionage ctd…
- Abundant financial burdens for Americans make them more prone to compromise
- Debts increased by easy access to gambling sources will make Americans more prone to compromise
- Reduced loyalty between organizations and employees generates motivation
- Ethnic ties produce opportunities and motivation in American employees
- Commitment to the “global community” and common good motivates the desire to share information
Protecting Information - Information Threats
A virtual threat (“ghost”) performs one or more of three functions:
- Sends information to its control (owner of the threat software)
- Receives commands from its control
- Executes commands where it is installed
Protecting Information - Information Vulnerabilities
Trade shows are a traditional venue for business and government intelligence collection
Protecting Information - Information Vulnerabilities
Virtual threats take advantage of flaws, or vulnerabilities, in complex source code
Protecting Information - Information Vulnerabilities
One business activity that raises special risks to a company’s information is the establishment of relationships with other companies, domestically or internationally
(such as partnerships or outsourcing agreements)
Protecting Information - Information Vulnerabilities
IT threats cannot manifest without a vulnerability to exploit; vulnerabilities fall into five categories
- Vulnerabilities in the information systems infrastructure
- Vulnerabilities in people using the information systems infrastructure
- Vulnerabilities in people maintaining the information systems infrastructure
- Vulnerabilities in information systems management processes
- Executive and senior management vulnerabilities
Protecting Information
Access control databases are vulnerable in two ways
- Administrative misconduct
- Attack from an outside connection (internet)
Protecting Information
The physical access control network is generally made up of two parts
- The connection between the reader and a controller
- The TCP/IP network on which controllers talk to servers and users talk to servers
Protecting Information
A legacy HID (Hughes identification device) card has two components
- The secret facility number, or facility code, which is not printed on the card but is known to the facility owner
- An identification number that is printed on the card
Protecting Information
A tool called gecko, which can be built for $10 worth of parts, can give an intruder complete control over a door by compromising the Wiegand data stream sent from the reader to the controller
Information Protection Measures
A race of technology and methodology between the “good guys” and the “bad guys”, requiring an organization’s information systems management program be continually improved
Red Queen Effect
Information Protection Measures
Because of their close interaction with employees every day, first- and second-tier management are the individuals who exert the most influence over information security
Information Protection Measures
Where does the responsibility ultimately lie for protecting information assets?
Leadership of an organization
Information Protection Measures
Information protection measures must be sufficient to ensure…
Confidentiality
Accountability
Non-repudiation
Integrity
Recoverability
Availability
Auditability
Information Protection Measures
The most effective IT security for information protection is a layered approach that integrates physical, procedural, and logical protection measures
Information Protection Measures
3 different perspectives of Defense in Depth, or Layered Protection
- Increasing levels of trust for those who are given access to successive layers
- Different security technologies or measures that operate in concert
- Successive layers employed to delay, detect, and deter intruders
Information Protection Measures
Personnel security plays a key role in IAP and includes things such as…
- Due diligence investigations of potential partners
- Standard pre-employment screening
- Vetting of subcontractors, vendors, and consultants
Information Protection Measures
Steps for protecting a business from espionage (according to the FBI)
- Recognize there is an insider and outsider threat to your company
- Identify and evaluate trade secrets
- Implement a proactive plan for safeguarding trade secrets
- Secure physical and electronic versions of your trade secrets
- Confine intellectual knowledge on a “need-to-know” basis
Information Protection Measures
Security awareness and training is one of the most cost-effective measures that can be employed to protect corporate and organizational information assets
Information Protection Measures
The use of services, equipment and techniques designed to locate, identify and neutralize the effectiveness of electronic eavesdropping, wiretapping, bugging, etc…
Technical Surveillance Countermeasures (TSCM)
Information Access Control
Benefits of an IAP program
- Enhances fiduciary oversight, control, and stewardship of key intangible assets
- Aligns information assets with business operations and the organization’s strategic vision
- Allows more efficient allocation of traditional and IT security resources
- Allows more timely pursuit of information asset compromises and intellectual property rights (IPR) violations
Information Access Control
IAP Program benefits ctd…
- Serves as leverage in negotiating coverage and premiums for intellectual property (IP) and information technology (IT) insurance
- Provides consistency in regulatory reporting of intangible assets
- Standardizes internal and external handling of intangible assets
- Identifies key internal and external sources of intangible assets and intellectual capital
Information Access Control
The first step in implementing an IAP is…?
To identify the information that may need to be labeled and protected
- Helps narrow the scope of the information that requires protection
- Focuses limited security resources where they are most needed
Information Access Control
An employee’s access to information should be based on his or her current job function and a need-to-know basis, not on a position or management level
Information Access Control
An organization’s leadership should consider both the
- Categories of Information
- Levels of Information
Information Access Control
Levels of information may be determined by…?
Sensitivity
Criticality
Time during which the information is pertinent
Information Access Control
Most organizations use 2 - 4 levels of sensitivity marking, such as “confidential”, “restricted”, “limited”
Information Access Control
Typical categories of information controls
- Approved for external release (unrestricted access)
- Internal (limited to employees and contractors)
- Confidential (limited by a specific need to know)
Information Access Control
How should information of various classifications be stored?
Separately
Information Access Control
Access to internal information should be restricted to company personnel or others who have signed a nondisclosure agreement
Information Access Control
A central knowledge management system
- Collects, distributes, and publicizes corporate data in a searchable, accessible format
- Aids corporate departments by reducing redundant efforts and promoting knowledge sharing
- Helps preserve knowledge if an employee leaves his or her position or the company
- Can enable one department to learn from the processes, technologies, and ideas of another
Information Access Control
A central knowledge management system ctd…
- Can be used to collect data that measure the productivity and performance of business units and individual employees
- May create a security vulnerability
Information protection policy and procedure
Effective Information Asset Policy (IAP) requires
- Leadership commitment, budgetary resources, depth of support
- Dedicated department
- Requirement to adhere to the policy
- Continuous education and training
Information protection policy and procedure
Information security policies should include, at a minimum…
- A definition of information security, its overall objectives and scope, and the importance of security as an enabling mechanism for information sharing
- A statement of management intent, supporting the goals and principles of information security
- A brief explanation of the security policies, principles, standards, and compliance requirements of particular importance to the organization
Information protection policy and procedure
Physical security participation in the creation of the ISS policy is critical for 2 reasons
- ISS policies affect day-to-day physical security operations (both staff’s interaction with computers and security devices’ connections to and interaction with the network)
- ISS policy defines what types of devices are allowed on the network
Information protection policy and procedure
Recovery…two primary elements of recovery are?
- To return to normal business operations as soon as possible
- To implement measures to prevent a recurrence of the problem
Regulations and legal protection
Information owners must recognize legal protections are effective only if the owner is willing to pursue recourse
Regulations and legal protection
The Gramm-Leach-Bliley Act
Regulates the use and disclosure of nonpublic PII for those who obtain financial products or services from financial institutions
Regulations and legal protection
- Generally prohibits a financial institution from disclosing PII to a nonaffiliated 3rd party, directly or indirectly, unless it has
- Disclosed to the customer, in a clear and conspicuous manner, that the information may be disclosed to a third party
- Has given the consumer an opportunity to direct that the information not be disclosed
- Has described the manner in which the consumer can exercise the nondisclosure option
Regulations and legal protection
HIPAA…Requires covered entities and business associates to do the following to protect health information
- Maintain a risk-driven information security management program based on administrative, technical, and physical controls
- Ensure the confidentiality, integrity, and availability of all electronic PHI created, received, maintained, or transmitted
- Protect against any reasonably anticipated threats or hazards to the security or integrity of PHI
- Protect against any reasonably anticipated uses or disclosures of PHI that are not permitted or otherwise required
Regulations and legal protection
HIPAA ctd…
- Ensures compliance by its workforce
- Ensures compliance by third parties with whom information is shared
Regulations and legal protection
The Sarbanes-Oxley Act of 2002 (SOX)
- Most significant new securities law since the SEC was created in 1934
- Places substantial responsibilities on officers and directors of public companies
- Imposes significant criminal penalties on CEOs, CFOs, and others
- Obligates public companies to publicly address information security practices
Regulations and legal protection
SOX ctd…
- Section 404 (most relevant to security) requires management to develop, test, document, and monitor internal controls, disclosure controls, and procedures
- Principles of corporate governance applied to public corporations have been extended to private companies through state laws or market forces
Regulations and legal protection
The Red Flags Rule…Implements Sections 114 and 315 of the Fair and Accurate Credit Transactions (FACT) Act
The FTC requires each creditor holding an account with a reasonably foreseeable risk of ID theft, to develop and implement an Identity Theft Prevention Program
Regulations and legal protection
Red Flags Rule ctd…
Red flags that must be identified, detected, and responded to include:
- Alerts, notifications, or warnings from a consumer reporting agency
- Suspicious documents
- Suspicious personally identifying information, such as a suspicious address
- Unusual use of - or suspicious activity relating to - a covered account
- Notices from customers, victims, LE, or other businesses about possible ID theft in connection with covered accts.
Regulations and Legal Protection
All successful IAP programs assign a specialist the responsibility of monitoring pending legislation and regulations related to the protection of information assets
The impact of cybercrime
Often the loss of productivity is more costly than the cost of cleaning up from the virus attack
The impact of cybercrime
The average cost to comply with state breach-disclosure laws now exceeds $200 per record
The impact of cybercrime
Based on the expansion of cybercrime into organized crime, many believe the insider threat is no longer the cause of most IT losses
Computer Basics
The first computer was built by…?
Alan Turing during WWII to decrypt the German Enigma code
Computer Basics
Developed by Gordon Moore, co-founder of Intel, and states that the processing power of computers will double every eighteen months
Moore’s Law
Computer Basics
A computer operates in two primary modes
- Stand-alone computing device
- Device that can communicate with other computers
Computer Basics
3 logical points of control for a computer
Input
Programs
Communications stack
Network Basics
The most common type of network connection is to the…?
Internet
Network Basics
7 communication layers of the Open Systems Interconnect (OSI) model
Application
Presentation
Session
Transport
Network
Data link
Physical
IT Security Terminology
IDS
IT Intrusion Detection Systems monitor for malicious programs and unauthorized changes to files and settings, monitor network traffic, and provide real-time alarms for network-based attacks
IT Security Terminology
Sanitizing Media
- Sanitizing: Removing data before the media is reused
- Overwriting: Replacing data with meaningless data
- Clearing: Eradicating data by overwriting or degaussing (laboratory techniques can recover “cleared” data)
- Destroying: Physically damaging the media
IT Security Terminology
Logical network access control
The process by which users are identified and granted privileges to information, systems or resources
IT Security Countermeasures
Categories of IT Countermeasures
Administrative
Technical
Physical
IT Security Terminology
Where IT countermeasures are deployed
- On the information systems infrastructure (technical)
- Infrastructure management (administrative, technical, physical)
- Executive and senior management (administrative, technical, physical)
- Community-based (administrative, technical, physical)
IT Security - Encryption
Obscuring the meaning of information by altering or encoding it so it can only be decoded by people for whom it is needed
Encryption
Information Systems Security (ISS)
ISS Control Objectives
Protection
Detection
Recovery
Compliance
Information Systems Security (ISS)
Three “threat agents” (categories of threats) in ISS risk management
Nature
People
Virtual
Information Systems Security (ISS)
AAA Triad
Authentication
Authorization
Auditing
The purpose of employing an access control program includes:
A) To protect persons, materials, or information
B) To slow or speed up the rate of movement to, from, or within an establishment
C) To permit or deny entrance
D) Both A and C
E) All of the above
E) All of the above
Identification and access control systems have the widest application of:
A) Manual identification systems
B) Magnetic readers
C) Biometric-based systems
D) Dielectric readers
E) None of the above
A) Manual identification systems
The performance requirements of any trustworthy system of identification include:
A) Resistance to surreptitious substitution or counterfeiting
B) Reliability
C) Validity
D) Both b and c
E) All of the above
E) All of the above
A general defect of manual identification systems is that:
A) Many are made of plastic
B) Many do not have biometric characteristics on them
C) Once issued, they tend to remain valid indefinitely
D) They lack identifying colors
E) None of the above
C) Once issued, they tend to remain valid indefinitely
Any formula, pattern, device, or compilation of information that is used in one’s business and that gives you an opportunity to gain an advantage over competitors who do not use it or know about it is:
A) A patent
B) A trade secret
C) A monopoly
D) Copyrighted material
E) None of the above
B) A trade secret
What is most likely the main reason for loss of sensitive information?
A) Industrial espionage
B) An employee’s loose lips
C) Inadvertent disclosure
D) Deliberate theft by an outsider
E) Both b and c
F) None of the above
E) Both b and c
Which of the following should be part of an effective information security program?
A) Pre-employment screening
B) Nondisclosure agreements from employees
C) Employee awareness programs
D) Policy and procedural statements on the recognition, classification, and handling of sensitive information
E) All of the above
E) All of the above
Which of the following is generally not allowed to be disclosed on an employment questionnaire?
A) Current residence
B) References
C) Prior employment
D) Prior arrests
E) None of the above
D) Prior Arrests
The primary tool of preemployment screening is the:
A) Application form
B) Interview
C) Polygraph
D) Investigator performing the interview
A) Application form
To be within the definition of a trade secret, sensitive information must meet which of the following criteria?
A) Individuals to whom it is disclosed must know that it is a secret
B) It must be identifiable
C) It must not be already available in public sources
D) There must be some obvious indication that the owner is attempting to prevent its unauthorized disclosure
E) All of the above
E) All of the above
According to the “Restatement of the Law of Torts,” a trade secret is:
A) All information about a company that the company desires to protect
B) Any formula, pattern, device, or compilation of information that is used in one’s business and that gives that business an opportunity to gain an advantage over competitors who do not know or use it
C) Information about a company that is registered with the US Patent Office
D) Both a and b
E) All of the above
B) Any formula, pattern, device, or compilation of information that is used in one’s business and that gives that business an opportunity to gain an advantage over competitors who do not know or use it
A trade secret may be:
A) A formula for a chemical compound
B) A process of manufacturing materials
C) A pattern for a machine
D) A list of customers
E) All of the above
E) All of the above
The characteristics of a trade secret as compared with other confidential information are:
A) Those business secrets that have been duly registered pursuant to the requirements of law
B) Continuous or consistent business applications of a secret not known to others, from the use of which some advantage is gained by the user
C) Those business secrets that are fully protected in accordance with the Federal Privacy Act
D) Both a and c
E) All of the above
B) Continuous or consistent business applications of a secret not known to others, from the use of which some advantage is gained by the user
Which of the following is generally not true in regard to trade secrets?
A) The more narrowly a business defines what it regards as a secret, the easier it is to protect that body of information
B) It is difficult to protect a trade secret that can be found in publicly accessible sources
C) Secret information does not have to be specifically identifiable
D) Secret information must be effectively protected
E) None of the above
E) None of the above
In regard to a trade secret, it may be decided that its disclosure by another was innocent, rather than wrongful, even in the case where the person making the disclosure really was guilty of malice or wrong intent. This situation may occur when:
A) The trade secret was not registered
B) The trade secret did not involve national defense information
C) The trade secret was not in current use
D) There is an absence of evidence that the owner has taken reasonable precautions to protect confidential information
E) All of the above
D) There is an absence of evidence that the owner has taken reasonable precautions to protect confidential information
Proprietary information is:
A) Private information of a highly sensitive nature
B) Information that must be classified according to executive order of the US Government
C) Sensitive information that is classified under federal regulations
D) Anything that an enterprise considers relevant to its status or operations and does not want to disclose publicly
E) None of the above
D) Anything that an enterprise considers relevant to its status or operations and does not want to disclose publicly
The class of person under a duty to safeguard a proprietary secret is known as:
A) Agent
B) Proprietary security employee
C) Fiduciary
D) Business associate
E) None of the above
C) Fiduciary
It is important for employees to know whether confidential information is a trade secret, or some other confidential material, because:
A) If it is a trade secret, the employee may be prevented from disclosing it by injunction
B) If it is not a trade secret and it is disclosed, the employer must take action after the disclosure and must be able to prove some actual damage in order to recover
C) If it is not a trade secret, the information, once disclosed, is no longer dependable
D) If it is not a trade secret, the information, once disclosed, cannot be further prevented from disclosure by an injunction
E) All of the above
E) All of the above
Which of the following is not a correct statement as a general rule involving the protection of proprietary information:
A) As a class, employees are the largest group of persons bound to secrecy because of their status or relationship
B) By operation of common law, employees are presumed to be fiduciaries to the extent that they may not disclose secrets of their employers without authorization
C) Other than the employees, any other persons to be bound to secrecy must agree to be so bound
D) Any agreements to be bound must always be in writing and are not implied from acts
D) Any agreements to be bound must always be in writing and are not implied from acts
To effectively invoke the law for the protection of sensitive information, the owner of the proprietary information must be able to show “objective indications of attempts to protect secrecy.” Which of the following has been recognized in the past as such an indication?
A) Use of warning signs to alert employees to sensitive data and the places where it is stored
B) Separately storing sensitive information in security containers with appropriate security precautions
C) Special instructions providing a “need-to-know” basis
D) Restrictions on non-employee access to places containing sensitive information
E) All of the above
E) All of the above
Which of the following should be made part of a proprietary information protection program:
A) Preemployment screening
B) Effective perimeter control system
C) Execution of patent and secrecy agreement
D) Paper and data control
E) Both a and c
F) All of the above
F) All of the above
In designing a proprietary information protection program, the area of greatest vulnerability is:
A) Personnel files
B) Employees
C) Computers
D) Marketing data
E) Perimeter boundaries
B) Employees
In devising proprietary information procedures, which of the following is considered to be a main area of paper or document vulnerability?
A) Comprehensive paper controls
B) A technical report system
C) Control and issue of notebooks
D) All of the above
E) None of the above
D) All of the above
When a loss of proprietary information is discovered, which of the following steps should be taken first?
A) Attempt to recover the material
B) Attempt to apprehend the perpetrators
C) Assess economic damage
D) Reevaluate the protection system
E) All of the above
E) All of the above
Which of the following would not be considered in the trade secret category?
A) Salary data
B) Market surveys
C) Personnel matters
D) Customer usage evaluations
E) All of the above
E) All of the above
Litigation concerning former employees involving trade secrets has some problems. Which of the following is considered to be such a problem?
A) The cost of litigation is too high, and the owner of the trade secret may lose
B) Litigation is a waste of time
C) The owner of the trade secret may have to expose the information that is being protected
D) Both a and c
E) All of the above
D) Both a and c
A trash cover is:
A) A sealed cover on a trash container
B) The process of examining one’s trash for information
C) Placing the company’s trash in a locked container
D) Both a and c
E) All of the above
B) The process of examining one’s trash for information
Sound waves too high in frequency to be heard by the human ear, generally above 20 kHz, are known as:
A) High-frequency sound waves
B) Microwave waves
C) Ultrasonic waves
D) Short-frequency sound waves
E) None of the above
C) Ultrasonic waves
The process of combining a number of transmissions into one composite signal to be sent over one link is called:
A) Transmission integrity
B) Communication integration
C) A demultiplexer
D) Multiplexing
E) None of the above
D) Multiplexing
Which of the following applies to the laser as a means of communication?A) Line-of-sight transmission is necessaryB) Poor weather conditions interfere with the beamC) It is proactively impossible to intercept the beam without detectionD) Both a and cE) All of the above
E) All of the above
Electromagnetic radiation is detectable electromagnetic energy that is generated by electronic information processing devices. Which of the following is used to protect very sensitive equipment?A) A current carrier deviceB) Pneumatic cavity shieldingC) Tempest ShieldingD) Pen Register shielding
C) Tempest Shielding
The practice of preventing unauthorized persons from gaining information by analyzing electromagnetic emanations from electronic equipment is often termed:A) BuggingB) VeilingC) TempestD) All of the aboveE) None of the above
C) Tempest
Which of the following is not correct in regard to microwave transmissions:A) Microwave signals penetrate fog and snowB) Microwave signals are transmitted in short radio wavesC) A large number of microwave signals can be transmittedD) Microwave signals travel in curved linesE) Microwave signals are not affected by ordinary man made noiseD) None of the above
D) Microwave signals travel in curved lines
A term used to indicate a method of disguising information so that it is unintelligible to those who should not obtain it: A) Interconnection decoy | B) Multiplexing | C) Scrambling | D) Mixed signal | E) None of the above
C) Scrambling
The most secure scrambler in common use is the: A) Frequency inverter | B) Decoder | C) Laser beam | D) Vocoder | E) None of the above
D) Vocoder
The method used to monitor telephone calls by providing a record of all numbers dialed from a particular phone is called: A) Electronic surveillance | B) Phone bug | C) Wiretap | D) Pen Register | E) None of the above
D) Pen Register
A small hidden microphone and a radio transmitter are generally known as: A) A wiretap | B) A bug | C) A beeper | D) Electronic surveillance | E) All of the above
B) A bug
A specially constructed microphone attached directly to an object or surface to be protected, which responds only when the protected object or surface is disturbed, is known as a: A) Parabolic microphone | B) Special audio microphone | C) Contact microphone | D) Surreptitious microphone | E) None of the above
C) Contact microphone
A microphone with a disk-like attachment that is used for listening to audio from great distances is known as a(n): A) Contact microphone | B) Parabolic microphone | C) Ultrasonic microphone | D) Both a and c | E) None of the above
B) Parabolic microphone
A microphone that is installed on a common wall adjacent to the target area when it is impractical or impossible to enter the target area is known as a: A) Carbon microphone | B) Parabolic microphone | C) Contact microphone | D) Dynamic microphone | E) None of the above
C) Contact microphone
Which method of protection against telephone line eavesdropping is most reliable? A) Don’t discuss sensitive information | B) Use a radio jammer | C) Use encryption equipment | D) Both a and c | E) Use an audio jammer
D) Both a and c
The unauthorized acquisition or dissemination by an employee of confidential data critical to his or her employer is known as: A) Embezzlement | B) Larceny | C) Industrial espionage | D) Burglary | E) False pretenses
C) Industrial espionage
The term eavesdropping refers to: A) Wiretapping | B) Bugging | C) Trash cover | D) Both a and b | E) All of the above
D) Both a and b
Which of the following methods could be used as a form of eavesdropping using a telephone instrument? A) Wiring can be altered so that the handset or receiver will act as an open microphone | B) A radio transmitter can be concealed in the microphone | C) The infinity transmitter can be used | D) Both b and c | E) All of the above
E) All of the above
A microphone that requires no power source, is very small, and is difficult to detect has the characteristics of a(n): A) Contact microphone | B) Parabolic microphone | C) Dynamic microphone | D) Infinity microphone | E) None of the above
C) Dynamic microphone
The frequency range best suited for a wireless microphone because it provides better security and lower interference: A) 25-50 MHz | B) 88-104 MHz | C) 88-120 MHz | D) 150-174 MHz | E) None of the above
E) None of the above
Installation of a wireless radio eavesdropping device usually consists of the following: A) Transmitter and receiver | B) Power supply | C) Antenna | D) Microphone | E) Both a and d | F) All of the above
F) All of the above
The control software of a private branch exchange (PBX) can be accessed and compromised by calling the telephone number of a device on the PBX from a computer and modem. The name of this PBX device is the: A) Internal and remote signal port | B) Current carrier signaling port | C) Time-domain reflectometer | D) Remote maintenance access terminal | E) None of the above
D) Remote maintenance access terminal
Which of the following is not true regarding electronic eavesdropping? A) An effective countermeasure to detect evidence of electronic eavesdropping in telephone equipment should be conducted by a person who is technically familiar with such equipment | B) An effective countermeasure would be to conduct a physical search as well as an electronic search | C) All wiring should be traced and accounted for | D) A listening device installed in a wire will cause a crackling sound, click, or other noise that can be heard on the line | E) None of the above
D) A listening device installed in a wire will cause a crackling sound, click, or other noise that can be heard on the line
The first federal legislation that attempted to regulate electronic surveillance in the United States was enacted by Congress in: A) 1910 | B) 1924 | C) 1934 | D) 1968 | E) 1971
C) 1934
The manufacture, distribution, possession, and advertising of wire or oral communication interception devices is prohibited by: A) The Fourth Amendment | B) The Fifth Amendment | C) The Federal Communications Act of 1934 | D) The Omnibus Crime Control and Safe Streets Act of 1968 | E) The FBI
D) The Omnibus Crime Control and Safe Streets Act of 1968
Which of the following is not a requirement under the Omnibus Crime Control and Safe Streets Act of 1968 before a court may give permission for an electronic surveillance? A) The identity of the offender should be stated | B) The crime must be any felony under federal law | C) The place and location of the electronic surveillance must be stated | D) Initial approval must be granted by the attorney general of the United States or by a specially designated attorney general | E) All of the above
B) The crime must be any felony under federal law
The criminal punishment for violation of the wiretapping phases of the Omnibus Crime Control and Safe Streets Act of 1968 is: A) A $10,000 fine | B) 6 months in jail and/or a $5,000 fine | C) 1 year in jail and/or a $10,000 fine | D) 5 years in prison and/or a $10,000 fine | E) None of the above
D) 5 years in prison and/or a $10,000 fine
Which of the following is provided for by the Omnibus Crime Control and Safe Streets Act of 1968? A) It prohibits wiretapping or bugging unless the party to the intercepted conversation gives consent | B) It prohibits the manufacture and distribution of oral communication interceptor devices | C) Nonfederal law enforcement representatives are denied the right to make use of electronic surveillance unless there is a state statute permitting it | D) Both a and b | E) All of the above
E) All of the above
Title III of the Omnibus Crime Control and Safe Streets Act of 1968 requires that approval for electronic surveillance must be obtained from the: A) Chief justice of the Supreme Court | B) Director of the FBI | C) Attorney general of the United States or any specially designated assistant attorney general | D) Director of the CIA | E) All of the above
C) Attorney general of the United States or any specially designated assistant attorney general
Criminal violations involving theft of trade secrets could be covered by: A) Statutes on theft of trade secrets | B) Bribery statutes involving trade secrets | C) Statutes on receipt of stolen property | D) Statutes on criminal conspiracy | E) All of the above
E) All of the above
The public statute passed to protect personal information in the possession of federal agencies is: A) The Espionage Statute | B) The Unauthorized Disclosure Act | C) The Omnibus Crime Control and Safe Streets Act of 1968 | D) The Privacy Act of 1974 | E) None of the above
D) The Privacy Act of 1974
The Privacy Act of 1974 provides which of the following safeguards? A) Permits individuals to gain access to certain information pertaining to themselves in federal agency records | B) Permits individuals to determine what records pertaining to themselves are collected and maintained by federal agencies | C) Permits individuals to prevent certain records pertaining to themselves from being used or made available for another purpose without their consent | D) Requires federal agencies to be subject to civil suits for damages that may occur as a result of willful or intentional action that violates an individual’s rights under the Privacy Act of 1974 | E) All of the above
E) All of the above
Which of the following would not be permitted to review a student’s record according to the Family Educational Rights and Privacy Act of 1974? A) Law enforcement officials | B) Other school officials | C) The school’s registrar’s office | D) All of the above | E) None of the above
A) Law enforcement officials
Which of the following characteristics pertains to a good information management program? A) An employee education program for those who utilize the classification system | B) Limited number of individuals who can initiate classification of information | C) Limitation of the duration during which the classification will remain in effect | D) All of the above | E) None of the above
D) All of the above
What are the three most common methods of information loss to be guarded against? A) Newspaper articles, magazine articles, television | B) Employee payroll, personnel matters, market surveys | C) Theft by an insider, inadvertent disclosure, industrial espionage | D) Employee hiring, magazine articles, industrial espionage | E) None of the above
C) Theft by an insider, inadvertent disclosure, industrial espionage
The elements of an information security program include: A) Informing employees that the information is to be protected | B) Establishing the use of patent or nondisclosure agreements | C) Designation of certain information as sensitive | D) Providing the means for employees to protect sensitive information | E) All of the above
E) All of the above
Which of the following statements is not true in regard to an information security program? A) The information security program is an attempt to make theft of sensitive information difficult, not necessarily to eliminate it | B) The protection afforded against losses by either internal or external sources is, at best, limited | C) A good information security program will provide total protection from industrial espionage | D) A trust relationship must be established and maintained with employees | E) The goodwill and compliance of employees is crucial for success
C) A good information security program will provide total protection from industrial espionage
Vital records normally constitute what percentage of the company’s total records? A) 2% | B) 5% | C) 10% | D) 15% | E) 20%
A) 2%
Which of the following is considered to be an approved method of protecting vital records? A) On-site storage in vaults or safes | B) Protection of original vital records | C) Natural dispersal within an outside organization | D) Planned dispersal of copies of vital records | E) All of the above
E) All of the above
The term social engineering is: A) A function of the personnel department in which like persons are teamed together in workshops or seminars for maximum productivity | B) The subtle elicitation of information without revealing the true purpose of the call | C) The specific design of a business structure to facilitate the interaction of the inhabitants | D) Both a and c | E) None of the above
B) The subtle elicitation of information without revealing the true purpose of the call
Competitive intelligence gathering is a legitimate activity that is engaged in by many firms throughout the world. The important function of competitive intelligence is to: A) Alert senior management to changes in protocol in foreign countries | B) Alert senior management to the personal habits of competitive senior management | C) Alert government intelligence agencies to marketplace changes | D) Alert senior management to marketplace changes in order to prevent surprise | E) All of the above
D) Alert senior management to marketplace changes in order to prevent surprise
The Secretary of Defense is not authorized to act on behalf of the following agency or department in rendering industrial security services: A) Department of Commerce | B) Central Intelligence Agency | C) Department of Justice | D) Department of Labor | E) None of the above
B) Central Intelligence Agency
The overall policy guidance for the Defense Industrial Security Program is provided by: A) The Federal Bureau of Investigation | B) The Deputy Undersecretary of Defense for Policy | C) The Assistant Chief of Staff in Intelligence | D) The Defense Intelligence Agency | E) None of the above
B) The Deputy Undersecretary of Defense for Policy
The Defense Industrial Security Program on behalf of all user agencies is administered by the: A) Director, Defense Investigative Service | B) Comptroller, Assistant Secretary of Defense | C) Deputy Undersecretary of Defense for Policy | D) Defense Industrial Security Clearance Office | E) None of the above
A) Director, Defense Investigative Service
The executive order that applies to classified information is: A) E.O. 1044 | B) E.O. 1066 | C) E.O. 12065 | D) E.O. 12523 | E) E.O. 114084
C) E.O. 12065
A controlled area established to safeguard classified material that, because of its size or nature, cannot be adequately protected by other prescribed safeguards is termed: A) A restricted area | B) A classified area | C) A closed area | D) A limited area | E) None of the above
C) A closed area
The DIS regional office, under the director of industrial security, that has jurisdiction over the geographical area in which a facility is located is called the: A) Regional Security Office | B) Division Security Office | C) Clearance Office | D) Cognizant Security Office | E) None of the above
D) Cognizant Security Office
Technical and intelligence information derived from foreign communications by other than the intended recipient is known as: A) Restricted data | B) Communications intelligence | C) Classified security matters | D) Highly confidential | E) None of the above
B) Communications intelligence
The designation that should be applied to information or material the unauthorized disclosure of which could reasonably be expected to cause damage to national security is: A) Restricted | B) Top Secret | C) Confidential | D) Unauthorized disclosure | E) None of the above
C) Confidential
Technical information used for training, maintenance, and inspection of classified military munitions of war would be classified as: A) Restricted | B) Classified | C) Top secret | D) Confidential | E) Cosmic
D) Confidential
A designation or marking that identifies classified operational keying material and indicates that the material requires special consideration with respect to access, storage, and handling is: A) Cosmic | B) Special | C) Crypto | D) Communications Intelligence | E) Red flagged
C) Crypto
The portion of internal security that is concerned with the protection of classified information in the hands of US industry is called: A) Information security | B) Classified security | C) National security | D) Industrial security | E) Communications security
D) Industrial security
The result of any system of administrative policies and procedures for identifying, controlling, and protecting information from unauthorized disclosure, as authorized by executive order or statute, is called: A) Computer security | B) Industrial security | C) Personnel security | D) Communications security | E) Information security
E) Information security
An administrative determination that an individual is eligible for access to classified information is: A) Personnel security clearance | B) Industrial security clearance | C) National security clearance | D) Communications security clearance | E) None of the above
A) Personnel security clearance
The combinations to safes, containers, and vaults should be changed: A) Every 3 months | B) Every 4 months | C) Every 6 months | D) Every 9 months | E) Every year
E) Every year
The designation that shall be applied only to information or material the unauthorized disclosure of which could reasonably be expected to cause serious damage to national security: A) Restricted | B) Secret | C) Confidential | D) Top secret | E) Unauthorized disclosure
B) Secret
Information regarding the revelation of significant military plans or intelligence operations should be classified as: A) Restricted | B) Secret | C) Confidential | D) Top secret | E) Cosmic
B) Secret
The designation that should be applied only to information or material the unauthorized disclosure of which could reasonably be expected to cause exceptionally grave damage to national security is: A) Restricted | B) Secret | C) Confidential | D) Top secret | E) Cosmic
D) Top secret
Information that could lead to the compromise of vital national defense plans or complex cryptologic and communications intelligence systems should be classified as: A) Restricted | B) Secret | C) Confidential | D) Top secret | E) Cosmic
D) Top secret
Regulations of the Department of Defense require that the contractor shall establish such procedures as are necessary to ensure that any employee discovering the loss, compromise, or suspected compromise of classified information outside a facility promptly reports to: A) The Defense Intelligence Agency | B) The Defense Industrial Security Clearance Office | C) The nearest FBI office | D) Comptroller, Assistant Secretary of Defense | E) The Industrial Security Office
C) The nearest FBI office
Defense Department regulations require the identification card of a defense contractor to include a: A) Distinctive color coding | B) Thumbprint | C) Photograph of the holder | D) Symbol code | E) All of the above
C) Photograph of the holder
Which of the following should definitely not appear on the identification card of employees of defense contractors? A) Distinctive color coding | B) Symbol code | C) Top secret or secret | D) Confidential | E) Both c and d | F) All of the above
E) Both c and d
No invitation, written or oral, shall be given to a foreign national or to a representative of a foreign interest to attend any session of a meeting sponsored by a Department of Defense activity until: A) A full field investigation has resulted in the necessary security clearance | B) Approval for attendance has been received from the sponsoring activity | C) The Department of State has given approval | D) The CIA has given approval | E) None of the above
B) Approval for attendance has been received from the sponsoring activity
A document that is classified “confidential” shall exhibit the marking at: A) The top of the page | B) The bottom of the page | C) The right-hand side of the page | D) The left-hand side of the page | E) Both the top and bottom of the page
E) Both the top and bottom of the page
The basic document for conveying to the contractor the classification and declassification specifications for a classified contract is: A) Form DD-254 | B) Form DD-441 | C) Form DD-482 | D) Form DD-562 | E) Form DD-1541
A) Form DD-254
Unclassified material should: A) Be marked “unclassified” at the top of the page | B) Be marked “unclassified” at the bottom of the page | C) Be marked “unclassified” at the top and bottom of the page | D) Be marked “unclassified” anywhere on the page | E) Have no marking
E) Have no marking
An unclassified document that is attached to a classified document should have a notation stating: A) “Classified same as enclosure” | B) “Treat as classified” | C) “Unclassified when separated from classified enclosure” | D) No notation needed | E) None of the above
C) “Unclassified when separated from classified enclosure”
Whenever classified information is downgraded, declassified, or upgraded, the material shall be promptly and conspicuously marked to indicate: A) What was changed | B) The date it was changed | C) The identity of the person taking the action | D) All of the above | E) None of the above
D) All of the above
Foreign classified material should be marked in accordance with instructions received from: A) The Defense Intelligence Agency | B) The foreign contacting authority | C) The FBI | D) The Industrial Security Office | E) None of the above
B) The foreign contacting authority
Department of Defense regulations regarding the protection of classified information require that defense contractors maintain accountability of top secret information for a minimum time of: A) 1 year | B) 2 years | C) 3 years | D) 4 years | E) 5 years
C) 3 years
When not in use, top secret information should be stored in a: A) Class A vault | B) Class B vault | C) Class C vault | D) Class D vault | E) Class E vault
A) Class A vault
Which of the following is prohibited by the Department of Defense regulations regarding the method of transmitting top secret information outside a facility? A) Electronic means in a crypto system | B) Armed Forces Courier Service | C) Designated courier that has been cleared | D) US Postal Service | E) Specifically designated escort
D) US Postal Service
Secret information can be transmitted by which of the following means according to Department of Defense regulations? A) Designated courier that has been cleared | B) US Registered Mail | C) Armed Forces Courier Service | D) Both a and c | E) All of the above
E) All of the above
Department of Defense regulations indicate that destruction of classified information can be accomplished by: A) Melting | B) Burning | C) Mutilation | D) Chemical decomposition | E) All of the above
E) All of the above
Which of the following has the appropriate security clearance in the destruction of top secret and secret information according to Department of Defense regulations? A) Two employees of the defense contractor | B) Three employees of the defense contractor | C) Four employees of the defense contractor | D) One employee of the Department of Defense and two employees of the defense contractor | E) None of the above
A) Two employees of the defense contractor
According to Department of Defense regulations, if classified material is removed from the facility for destruction, it should be destroyed: A) The same day it was removed | B) Within 2 days | C) Within 4 days | D) Within 1 week | E) Within 10 days
A) The same day it was removed
According to Department of Defense regulations, to be eligible for a personnel security clearance for confidential information, the following age must be attained: A) 16 | B) 18 | C) 20 | D) 21 | E) 25
A) 16
According to Department of Defense regulations, the security clearance of a contractual employee shall be effective for: A) 6 months | B) 1 year | C) 2 years | D) 5 years | E) As long as he or she is employed by the contractor
E) As long as he or she is employed by the contractor
According to Department of Defense regulations, the following are not eligible for a personnel security clearance: A) All foreign nationals | B) All foreign nationals except those granted reciprocal clearances | C) Only foreign nationals that are from a communist country | D) Only foreign nationals that are under 16 | E) None of the above
B) All foreign nationals except those granted reciprocal clearances
A facility security clearance should not be granted to contractor activities: A) In Puerto Rico | B) In facilities determined to be under foreign ownership, control, or influence | C) In US trust territories | D) Both a and c | E) All of the above
B) In facilities determined to be under foreign ownership, control, or influence
For personnel security clearances required in connection with a facility security clearance, applications shall be submitted to the: A) Defense Intelligence Agency | B) Industrial Clearance Office | C) Contracting officer | D) Cognizant Security Office | E) Central Intelligence Agency
D) Cognizant Security Office
According to Department of Defense regulations, “interim” personnel security clearances must be approved by the: A) Defense Intelligence Agency | B) Industrial Clearance Office | C) Contracting officer | D) Cognizant Security Office | E) None of the above
C) Contracting officer
Department of Defense regulations require initial approval in writing prior to processing any classified information in an ADP system by which of the following authorities? A) Head of the Industrial Security Clearance Office | B) National Security Agency | C) Cognizant Security Office | D) Contracting officer | E) Defense Intelligence Agency
C) Cognizant Security Office
An ADP system that operates in a manner where all users with access to the system have a security clearance and need-to-know status for all classified information that is in the system is known as: A) Classified security mode | B) Restricted security mode | C) Controlled security mode | D) Dedicated security mode | E) Limited security mode
D) Dedicated security mode
An ADP system that operates in a manner in which all users with access to the system have a security clearance for the highest classification and most restrictive types of information in the system is known as: A) Classified security mode | B) Restricted security mode | C) Controlled security mode | D) System high-security mode | E) Dedicated security mode
D) System high-security mode
An ADP system that operates in a manner in which at least some of the users with access to the system have neither a security clearance nor need-to-know status for all classified information that is in the system, but in a manner that the cognizant security officer or a higher authority has determined that the necessary degree of security has been achieved and maintained, is known as: A) Limited security mode | B) Classified security mode | C) Controlled security mode | D) Restricted security mode | E) Dedicated security mode
C) Controlled security mode
The ADP system security supervisor or designee should review the audit trail logs at least: A) Daily | B) Weekly | C) Monthly | D) Bimonthly | E) Quarterly
B) Weekly
The Department of Defense Personnel Security Questionnaire (Industrial) Form is: A) DD-16 | B) DD-48 | C) DD-254 | D) DD-441 | E) DD-482
B) DD-48
According to Department of Defense regulations, which of the following documents is not acceptable proof of US citizenship concerning the safeguarding of classified information? A) Birth certificate | B) Certificate of naturalization | C) Certificate of citizenship | D) Certified copy of baptismal record | E) All of the above
D) Certified copy of baptismal record
All proprietary information is sensitive, while not all sensitive information is proprietary. An example of information that is not proprietary even though the organization would treat it as sensitive is: A) The customer database of the organization | B) Confidential personnel data in employee files | C) Strategic marketing plans in which the use of outside marketing firms is contemplated | D) Specifications for product components that are produced by a subcontractor
B) Confidential personnel data in employee files
Trade secrets are generally afforded greater legal protection than other proprietary information. Which of the following is not an element of the test for a trade secret? A) Be identifiable | B) Not already be available in public sources | C) Be disclosed only to persons with a duty to protect it | D) Be technical or product related
D) Be technical or product related
The major reason for the loss of sensitive information is: A) Espionage | B) Intentional disclosure by an insider | C) Inadvertent disclosure | D) Disclosure through legal proceedings
C) Inadvertent disclosure
Competitive intelligence gathering is a legitimate activity, which is engaged in by many firms throughout the world. The most important function of competitive intelligence is to: A) Alert senior management to marketplace changes in order to prevent surprise | B) Alert senior management as to the personal habits of competitive senior management | C) Alert government intelligence agencies to marketplace changes | D) Alert senior management to changes in protocol in foreign countries
A) Alert senior management to marketplace changes in order to prevent surprise
A microphone with a large disk-like attachment used for listening to audio from great distances is known as: A) Contact microphone | B) Spike microphone | C) Parabolic microphone | D) Moving-coil microphone
C) Parabolic microphone
Sound waves too high in frequency to be heard by the human ear, generally above 20 kHz, are known as: A) Microwaves | B) Ultrasonic | C) High frequency | D) Short wave
B) Ultrasonic
Two methods of protection against telephone line eavesdropping are apparently reliable. The first method is “don’t discuss sensitive information” and the other is: A) To use a wiretap detector | B) To use a radio jammer | C) To use an audio jammer | D) To use encryption equipment
D) To use encryption equipment
The unauthorized acquisition of sensitive information is known as: A) Industrial espionage | B) Embezzlement | C) Larceny | D) False pretenses
A) Industrial espionage
Proprietary information is: A) Information that must be so classified under government order | B) Private information of highly sensitive character | C) Defense data that must be classified according to federal regulations | D) Anything that an enterprise considers relevant to its status or operations and does not want to disclose publicly
D) Anything that an enterprise considers relevant to its status or operations and does not want to disclose publicly
A trade secret is: A) Any formula, pattern, device, or compilation of information that is used in one’s business and that gives that business an opportunity to gain an advantage over competitors who do not know or use it | B) All information about a company that the company desires to protect | C) Information of a company that is registered as such with the US Patent Office | D) Information so designated by the government
A) Any formula, pattern, device, or compilation of information that is used in one’s business and that gives that business an opportunity to gain an advantage over competitors who do not know or use it.
The control software of a private branch exchange (PBX) can be accessed and compromised by calling the telephone number of a device on the PBX from a computer and modem. What is this access device called? A) Time-domain reflectometer | B) Remote maintenance access terminal | C) Current carrier signalling port | D) Internal and remote signal port
B) Remote maintenance access terminal
Which of the following is generally not true with regard to proprietary information?A) Secret information does not have to be specifically identifiableB) Secret information must be such that it can be effectively protectedC) The more narrowly a business defines what it regards a secret, the easier it is to protected that body of informationD) It is difficult to protect as a trade secret that which can be found in publicly accessible sources
A) Secret information does not have to be specifically identifiable
With respect to trade secrets, it may be decided that its disclosure by another was innocent rather than wrongful, even in the case where the person making the disclosure really was guilty of malice or wrong intent. This situation may occur when:A) There is absence of evidence that an owner has taken reasonable precautions to protect confidential informationB) The trade secret was not registeredC) The trade secret did not involved national defense informationD) The trade secret was not in current use
A) There is absence of evidence that an owner has taken reasonable precautions to protect confidential information
The class of person under duty to safeguard a proprietary secret is known as:A) AgentsB) PrincipalsC) FiduciariesD) Business associates
C) Fiduciaries
Which of the following is not a correct statement, or a general rule, involving the protection of proprietary information?A) By operation of common law, employees are presumed to be fiduciaries to the extent that they may not disclose secrets of their employees without authorization.B) As a class, employees are the largest group of persons bound to secrecy because of their status or relationshipC) Other than employees, any other persons bound to secrecy must agree to be bound.D) Any agreements to be bound must always be in writing and are implied from acts.
D) Any agreements to be bound must always be in writing and are implied from acts.
The term eavesdropping refers to:
A) Wiretapping only
B) Bugging only
C) Both wiretapping and bugging
D) Mail covers
C) Both wiretapping and bugging
A microphone that requires no power source to operate, is quite small, is relatively difficult to detect, and is offered by equipment suppliers in such items as cuff links and hearing aids is known as a:
A) Carbon microphone
B) Dynamic microphone
C) Contact microphone
D) Parabolic microphone
B) Dynamic microphone
A microphone that is normally installed on a common wall adjoining a target area when it is impractical or impossible to enter the area to make a microphone installation is a:
A) Carbon microphone
B) Dynamic microphone
C) Contact microphone
D) Parabolic microphone
C) Contact microphone
Which of the following is not true with regard to electronic eavesdropping?
A) A listening device installed in a wire will cause a cracking sound, click, or other noise that can be heard on the line
B) There should be an effective countermeasures survey to detect evidence of electronic eavesdropping
C) Equipment in telephones must be conducted by a person technically familiar with such equipment
D) All wiring should be traced out and accounted for in a countermeasure survey
E) In a countermeasure survey to detect electronic eavesdropping, a physical search should be utilized as well as an electronic search
A) A listening device installed in a wire will cause a cracking sound, click, or other noise that can be heard on the line
In designing a proprietary information protection program, the area of greatest vulnerability is:
A) Personnel files
B) Marketing data
C) Employees
D) Computers
C) Employees
A nonlinear junction detector is used to locate eavesdropping devices by:
A) Detecting the semiconductor components that comprise their circuits
B) Recording changes in the voltage on a telephone line
C) Measuring the distance from a known point to the indicated location of a telephone line attachment
D) Detecting infrared emissions
A) Detecting the semiconductor components that comprise their circuits
Which of the following statements is incorrect with regard to an information security program?
A) A good information security program will provide absolute protection against an enemy spy
B) The information security program is an attempt to make theft of sensitive information difficult, not necessarily eliminate it
C) A trust relationship must be established and maintained with employees
D) The good will and compliance of employees is crucial for success
A) A good information security program will provide absolute protection against an enemy spy
A specially constructed microphone attached directly to an object or surface to be protected and that responds only when the protected object or surface is disturbed is known as a:
Contact microphone
Social engineering is:
A) The conversation involved in the beginning of a romantic relationship
B) A function of the personnel department in which like persons are teamed together in workshops or seminars for maximum productivity
C) The subtle elicitation of information without revealing the true purpose of the call
D) The specific design of a business structure to facilitate the interaction of the inhabitants
C) The subtle elicitation of information without revealing the true purpose of the call
A former employee who had access to your trade secret information is now employed by a competitor and is apparently using the trade secret information to gain market share. There are several serious factors you should consider before you institute litigation in the matter. Which of the following is not a serious factor to be considered?
A) You may have to expose the very secrets you are attempting to protect
B) The cost of litigation may exceed the value of the secret information
C) You may lose the case
D) Other employees may leave the company and attempt to use the trade secret information in the business of a new employer
D) Other employees may leave the company and attempt to use the trade secret information in the business of a new employer
Electromagnetic radiation is detectable electromagnetic energy generated by electronic information processing devices. Which of the following is used to protect very sensitive equipment?
A) A current carrier device
B) Pneumatic cavity shielding
C) Tempest shielding
D) Pen register shielding
C) Tempest shielding
Piracy refers to the illegal duplication and distribution of recordings. Which form is not considered piracy?
A) Pirating
B) Downloading
C) Bootlegging
D) Counterfeiting
B) Downloading
To prevent cyber crime, it is not a good strategy to:
A) Install a fire protection system
B) Assign passwords or codes
C) Disable unused computer services
D) Update software for improving security
A) Install a fire protection system
Which federal statute does not protect information and communications systems?
A) USA PATRIOT Act
B) Economic Espionage Act
C) Civil Rights Act
D) Sarbanes-Oxley Act
C) Civil Rights Act
A trade secret consists of which of the following?
A) Any formula, pattern, device, or compilation of information that is used in one's business and that gives that business an opportunity to gain an advantage over competitors who do not know or use it
B) Answers A and C
C) It may be a formula for a chemical compound; a process of manufacturing, treating, or preserving materials; or a pattern for a machine or other device
D) A list of customers
E) Answers A, C, and D
A) Any formula, pattern, device, or compilation of information that is used in one’s business and that gives that business an opportunity to gain an advantage over competitors who do not know or use it
Which of the following are basic elements of trade secrets?
A) It must be secret and not known to others
B) It must be used in the business of the owner of the secret to obtain an advantage
C) There must be continuous or consistent business application of the secret
D) Answers A and B
E) All of the above
D) Answers A and B
Which of the following is not a primary distinction between patents and trade secrets?
A) Requirements for obtaining a patent are not specific
B) A much lower level of novelty is required of a trade secret
C) Trade secrets are targets
D) To qualify for a patent, the invention must be more than novel and useful
E) It must represent a positive contribution beyond the skill of the average person
F) Because anyone can purchase a patent, there are no industrial espionage targets in a patented invention
A) Requirements for obtaining a patent are not specific
Which of the following statements is correct involving proprietary information?
A) All confidential information is proprietary, but not all proprietary information is confidential
B) All proprietary information is not confidential
C) All proprietary information is confidential, but not all confidential information is proprietary
D) All confidential information is proprietary
E) Answers B and D
C) All proprietary information is confidential, but not all confidential information is proprietary
Which of the following are broad threats to proprietary information?
A) It can be lost through inadvertent disclosure
B) An outsider can deliberately steal it
C) An insider can deliberately steal it
D) Answers B and C
E) Answers A, B, and C
E) Answers A, B, and C
Which of the following should not be included in an effective proprietary information security program?
A) Designation of appropriate data as insensitive
B) Informing and notifying employees
C) Full utilization of secrecy agreements with employees
D) Providing physical means to protect sensitive data
E) Treating sensitive information as proprietary
A) Designation of appropriate data as insensitive
The contact microphone is usually a crystal microphone and is normally installed on a common wall adjoining a target area. Which of the following is an advantage of the contact microphone?
A) Signals generated are weak
B) The microphone receives other sounds
C) It is affected by changes in temperature and humidity
D) Answers B and C
E) All of the above
E) All of the above
What is the best way to protect any type of data?
Encrypt it
Any information containing which of the following elements is considered to be a valuable asset requiring protection?
A) Production of goods
B) Locating and retaining customers
C) Production services
D) Answers A and B
E) All of the above
E) All of the above
Which of the following is the most serious threat to trade secrets?
A) Companies
B) Media
C) Employees
D) Customers
E) None of the above
C) Employees