IS3110 CHAP 3 Flashcards

1
Q

FISMA requires federal agencies to protect IT systems and data. How often should compliance be audited by an external organization?

  1. Never
  2. Quarterly
  3. Annually
  4. Every three years
A

Annually

2
Q

What law applies to organizations handling health care information?

  1. SOX
  2. GLBA
  3. FISMA
  4. HIPAA
A

HIPAA

3
Q

CEOs and CFOs can go to jail if financial statements are inaccurate. What law is this from?

  1. SOX
  2. GLBA
  3. FISMA
  4. HIPAA
A

HIPAA

4
Q

What law requires schools and libraries to limit offensive content on their computers?

  1. FERPA
  2. HIPAA
  3. CIPA
  4. SSCP
A

CIPA

5
Q

Employees in some companies are often required to take an annual vacation of at least five days. The purpose is to reduce fraud and embezzlement. What is this called?

  1. Job rotation
  2. Mandatory vacation
  3. Separation of duties
  4. Due diligence
A

Mandatory vacation

6
Q

Fiduciary refers to a relationship of trust.

TRUE OR FALSE

A

TRUE

7
Q

Merchants that handle credit cards are expected to implement data security. What standard should they follow?

  1. GAISP
  2. CMMI
  3. COBIT
  4. PCI DSS
A

PCI DSS

8
Q

The National Institute of Standards and Technology published Special Publication 800-30. What does this cover?

  1. Risk management
  2. Maturity levels
  3. A framework of good practices
  4. Certification and accreditation
A

Risk management

9
Q

The COBIT framework is organized into four IT domains and 34 IT processes. Which one covers strategy and tactics?

  1. Plan and Organize
  2. Acquire and Implement
  3. Deliver and Support
  4. Monitor and Evaluate
A

Plan and Organize

10
Q

A basic principle of this standard is summarized with four sentences: Business requirements drive investments in IT resources. IT resources are used by IT processes. IT processes deliver enterprise information. Enterprise information responds to business requirements. What is this standard?

  1. COBIT
  2. ITIL
  3. GAISP
  4. CMMI
A

COBIT

11
Q

Which of the following ISO standards can be used to verify that an organization meets certain requirements? Part I identifies objectives and controls. Part II is used for certification.

  1. ISO 73 Risk Management – Vocabulary
  2. ISO 27002 Information Technology Security Techniques
  3. ISO 31000 Risk Management Principles and Guidelines
  4. IEC 31010 Risk Management – Risk Assessment Techniques
A

ISO 27002 Information Technology Security Techniques

12
Q

Which of the following ISO documents provides generic guidance on risk management?

  1. ISO 73 Risk Management – Vocabulary
  2. ISO 27002 Information Technology Security Techniques
  3. ISO 31000 Risk Management Principles and Guidelines
  4. IEC 31010 Risk Management – Risk Assessment Techniques
A

ISO 31000 Risk Management Principles and Guidelines

13
Q

ITIL is a group of five books developed by the United Kingdom’s Office of Government Commerce.
TRUE OR FALSE

A

TRUE

14
Q

In the CMMI, which level indicates the highest level of maturity?

  1. 0-6 Level
  2. 1-4 Level
  3. 0-4 Level
  4. 0-5 Level
A

0-5 Level

15
Q

The DIACAP is a risk management process applied to IT systems. What happens after a system is accredited?

  1. It is certified
  2. It is decommissioned
  3. It is validated. It receives authority to operate
A

It is validated. It receives authority to operate

16
Q

A policy that informs employees what is considered acceptable use for IT systems and data. Banners and logon screens are sometimes used to remind personnel of the policy.

A

AUP - Acceptable use policy

17
Q

A state position. A state AG represents that state in all legal matters.

A

AG - Attorney General

18
Q

A process improvement approach to management. It includes six levels from 0 to 5. Level 0 indicates a process doesn’t exist. Level 5 indicates the process is very mature and effective.

A

CMMI - Capability Maturity Model Integration

19
Q

A US law passed in 2000. It requires schools and libraries receiving E-Rate funds to filter some Internet content. The primary purpose is to protect minors from obscene or harmful images.

A

CIPA - Children’s Internet Protection Act

20
Q

When an organization is complying with relevant laws and regulations, it is said to be in compliance. Many organizations have programs in place to ensure that they remain in compliance.

A

Compliance

21
Q

A framework of good practices for IT management. It is well respected and frequently used. It is organized into four domains: 1) Plan and Organize, 2) Acquire and Implement, 3) Deliver and Support, and 4) Monitor and Evaluate.

A

COBIT - Control Objectives for Information and related Technology

22
Q

A risk management process applied to US DoD systems. It is fully documented in DoD Instruction 8510.1. Systems must go through a formal certification and accreditation process before being authorized to operate.

A

DIACAP - Department of Defense Information Assurance Certification and Accreditation Process

23
Q

Taking reasonable steps to protect against risks.

A

Due care

24
Q

Taking a reasonable amount of time and effort to identify risks. The person or organization conducting due diligence investigates risks in order to understand them.

A

Due diligence

25
Q

A federal agency created in 1933. It provides insurance for depositor funds in FDIC banks. The goal is to promote confidence in US banks.

A

FDIC - Federal Deposit Insurance Corporation

26
Q

A US law passed in 1974. It mandates the protection of student records. This includes any records with education or health data. Any institution receiving federal funds for education is covered by this law.

A

FERPA - Family Educational Rights and Privacy Act

27
Q

A US law passed in 2002. It requires federal agencies to protect IT systems and data. Additionally, agencies must have annual inspections. These provide independent evaluations of security programs.

A

FISMA - Federal Information Security Management Act

28
Q

A federal agency created in 1914. Its primary goal is to promote consumer protection. It also works to prevent unfair methods of competition.

A

FTC - Federal Trade Commission

29
Q

A relationship of trust between two entities. A fiduciary could be a person who is trusted. The fiduciary has a responsibility to uphold this trust.

A

Fiduciary responsibility

30
Q

A law passed in 1999. It applies to financial institutions. The financial privacy rule and the safeguards rule apply to IT security. Companies need to tell customers how customer data is used. Additionally, the companies need to take steps to protect financial data.

A

GLBA - Gramm-Leach-Bliley Act

31
Q

A law passed in 1999. It mandates the protection of health information. Any organization handling any type of health information must comply with this law. This includes health care providers. It also includes employers offering health plans.

A

HIPAA - Health Insurance Portability and Accountability Act

32
Q

A group of books developed by the United Kingdom’s Office of Government Commerce. These books document good practices that can be used in IT networks.

A

ITIL - Information Technology Infrastructure Library

33
Q

An international standards organization. It focuses on electrical, electronic, and related technologies. The IEC works with the ISO on some standards. The IEC published IEC 31010 Risk Management – Risk Assessment Techniques.

A

IEC - International Electrotechnical Commission

34
Q

An international standards organization. Three risk-related documents that ISO published are ISO 27002, ISO 31000, and ISO 73.

A

ISO - International Organization for Standardization

35
Q

Rotating employees through different jobs. This results in additional oversight for past transactions. It can help prevent or reduce fraudulent activity such as collusion. It can also increase technical expertise on specific systems.

A

Job rotation

36
Q

Requiring employees to take an annual vacation of at least five consecutive days. While the employee is on vacation, someone else must perform the job. This increases the likelihood that illegal activities will be discovered.

A

Mandatory vacation

37
Q

An international standard used to protect credit card data. These requirements are set by the PCI Security Council. Merchants are required to comply with the standards.

A

PCI DSS - Payment Card Industry Data Security Standard

38
Q

A US law passed in 2002. It applies to any publicly traded company. Senior officers and board members are directly responsible for the accuracy of data. If data is misreported they can be fined and go to jail.

A

SOX - Sarbanes-Oxley Act

39
Q

A federal agency that regulates the securities industry. Securities include stocks, options, and other securities. Any publicly traded company or company that trades securities needs to comply with SEC rules.

A

SEC - Securities and Exchange Commission

40
Q

A federal position. The holder is the head of the US Department of Justice.

A

USAG - US Attorney General