Law, Investigations, and Ethics Flashcards

1
Q
In the public sector, as opposed to the private sector, due care is usually determined by    
A. Minimum standard requirements. 
B. Legislative requirements. 
C. Insurance rates. 
D. Potential for litigation.
A

Answer: B
Explanation:

2
Q
What is the minimum and customary practice of responsible protection of assets that affects a community or societal norm?    
A. Due diligence 
B. Risk mitigation 
C. Asset protection 
D. Due care
A

Answer: D
Explanation: “Due care and due diligence are terms that are used throughout this book. Due diligence is the act of investigating and understanding the risks the company faces. A company practices due care by developing security policies, procedures, and standards. Due care shows that a company has taken responsibility for the activities that take place within the corporation and has taken the necessary steps to help protect the company, its resources, and employees from possible risks. So due diligence is understanding the current threats and risks and due care is implementing countermeasures to provide protection from those threats. If a company does not practice due care and due diligence pertaining to the security of its assets, it can be legally charged with negligence and held accountable for any ramifications of that negligence.” Pg. 85 Shon Harris: All-in-One CISSP Certification
“The following list describes some of the actions required to show that due care is being properly practiced in a corporation:
Pg. 616 Shon Harris: All-in-One CISSP Certification

3
Q
Under the standard of due care, failure to achieve the minimum standards would be considered    
A. Negligent 
B. Unethical 
C. Abusive 
D. Illegal
A

Answer: A
Explanation: Due Care: care which an ordinary prudent person would have exercised under the same or similar circumstances. “Due Care” and “Reasonable Care” are used interchangeably. Ronald Krutz The CISSP PREP Guide (gold edition) pg 896

4
Q

Under the principle of culpable negligence, executives can be held liable for losses that result from computer system breaches if:
A. the company is not a multi-national company
B. they have not exercised due care protecting computing resources
C. they have failed to properly insure computer resources against loss
D. the company does not prosecute the hacker that caused the breach

A

Answer: B
Explanation:

5
Q

The criteria for evaluating the legal requirements for implementing safeguards is to evaluate the cost (C) of instituting the protection versus the estimated loss (L) resulting from the exploitation of the corresponding vulnerability. Therefore, a legal liability exists when:
A. C L
D. C > L – (residual risk)

A

Answer: A
Explanation:

6
Q
When companies come together to work in an integrated manner such as extranets, special care must be taken to ensure that each party promises to provide the necessary level of protection, liability and responsibility. These aspects should be defined in the contracts that each party signs. What describes this type of liability?  
A. Cascade liabilities 
B. Downstream liabilities 
C. Down-flow liabilities 
D. Down-set liabilities
A

Answer: B
Explanation: “When companies come together to work in an integrated manner, such as extranets and VANs, special care must be taken to ensure that each party promises to provide the necessary level of protection, liability, and responsibility needed, which should be clearly defined in the contracts that each party signs. Auditing and testing should be performed to ensure that each party is indeed holding up its side of the bargain and that its technology integrates properly with all other parties. Interoperability can become a large, frustrating, and expensive issue in these types of arrangements.
If one of the companies does not provide the necessary level of protection and their negligence affects a partner they are working with, the affected company can sue the upstream company. For example, let’s say company A and company B have constructed an extranet. Company A does not put in controls to detect and deal with viruses. Company A gets infected with a destructive virus and it is spread to company B through the extranet. The virus corrupts critical data and causes massive disruption to company B’s production. Company B can sue company A for being negligent. Both companies need to make sure that they are doing their part to ensure that their activities, or lack of them, will not negatively affect another company, which is referred to as downstream liability.” Pg 616 Shon Harris: All-in-One CISSP Certification

7
Q

The typical computer felons are usually persons with which of the following characteristics?
A. They have had previous contact with law enforcement
B. They conspire with others
C. They hold a position of trust
D. They deviate from the accepted norms of security

A

Answer: D
Explanation:

8
Q
Which of the following is responsible for the most security issues?
A. Outside espionage 
B. Hackers 
C. Personnel 
D. Equipment Failure
A

Answer: C
Explanation:

9
Q

Hackers are most often interested in:
A. Helping the community in securing their networks
B. Seeing how far their skills will take them
C. Getting recognition for their actions
D. Money

A

Answer: B
Explanation:

10
Q
Which of the following categories of hackers poses the greatest threat?  
A. Disgruntled employees 
B. Student hackers 
C. Criminal hackers 
D. Corporate spies
A

Answer: A
Explanation:

11
Q
Individuals whose sole aim is breaking into a computer system are referred to as:
A. Crackers 
B. Sniffers 
C. Hackers 
D. None of the choices.
A

Answer: A
Explanation: Crackers are individuals who try to break into a computer system. The term was coined in the mid-80s by hackers who wanted to differentiate themselves from individuals whose sole purpose is to sneak through security systems. Whereas crackers’ sole aim is to break into secure systems, hackers are more interested in gaining knowledge about computer systems and possibly using this knowledge for playful pranks. Although hackers still argue that there’s a big difference between what they do and what crackers do, the mass media has failed to understand the distinction, so the two terms – hack and crack – are often used interchangeably.

12
Q
Which of the following tools is less likely to be used by a hacker?  
A. l0phtcrack 
B. Tripwire 
C. Crack 
D. John the ripper
A

Answer: B
Explanation: “Other security packages, such as the popular Tripwire data integrity assurance packages, also provide a secondary antivirus functionality. Tripwire is designed to alert administrators of unauthorized file modifications. It’s often used to detect web server defacements and similar attacks, but it also may provide some warning of virus infections if critical system executable files, such as COMMAND.COM, are modified unexpectedly. These systems work by maintaining a database of hash values for all files stored on the system. These archive hash values are then compared to current computed values to detect any files that were modified between the two periods.” Pg. 224 Tittel: CISSP Study Guide

13
Q
Which of the following tools is not likely to be used by a hacker?  
A. Nessus 
B. Saint 
C. Tripwire 
D. Nmap
A

Answer: C
Explanation:
Nmap – discovers systems and what services they are offering
Saint – vulnerability scanning and penetration testing
Nessus – vulnerability scanner
Tripwire – performs validation of system files

14
Q
Supporting evidence used to help prove an idea or point, which cannot stand on its own but is used as a supplementary tool to help prove a primary piece of evidence, is described as:
A. Circumstantial evidence 
B. Corroborative evidence 
C. Opinion evidence 
D. Secondary evidence
A

Answer: B
Explanation:

15
Q

Which of the following would best describe secondary evidence?
A. Oral testimony by a non-expert witness
B. Oral testimony by an expert witness
C. A copy of a piece of evidence
D. Evidence that proves a specific act

A

Answer: C
Explanation:

16
Q

Which of the following exceptions is less likely to make hearsay evidence admissible in court?
A. Records are collected during the regular conduct of business
B. Records are collected by senior or executive management
C. Records are collected at or near the time of occurrence of the act being investigated
D. Records are in the custody of the witness on a regular basis

A

Answer: B
Explanation:

17
Q
Once evidence is seized, a law enforcement officer should emphasize which of the following?  
A. chain of command 
B. chain of custody 
C. chain of control 
D. chain of communications
A

Answer: B
Explanation:

18
Q

Which of the following rules is less likely to allow computer evidence to be admissible in court?
A. It must prove a fact that is material to the case
B. Its reliability must be proven
C. The process for producing it must be documented
D. The chain of custody of evidence must show who collected, secured, controlled, handled, transported, and tampered with the evidence

A

Answer: C
Explanation:

19
Q
A copy of evidence or oral description of its contents; not reliable as best evidence is what type of evidence?  
A. Direct evidence 
B. Circumstantial evidence 
C. Hearsay evidence 
D. Secondary evidence
A

Answer: D
Explanation:

20
Q
What is defined as inference of information from other, intermediate, relevant facts?  
A. Secondary evidence 
B. Conclusive evidence 
C. Hearsay evidence 
D. Circumstantial evidence
A

Answer: D
Explanation:

21
Q

In order to be able to successfully prosecute an intruder:
A. A point of contact should be designated to be responsible for communicating with law enforcement and other external agencies.
B. A proper chain of custody of evidence has to be preserved
C. Collection of evidence has to be done following predefined procedures
D. Whenever possible, analyze a replica of the compromised resource, not the original, thereby avoiding inadvertently tampering with evidence

A

Answer: B
Explanation:

22
Q
Which of the following proves or disproves a specific act through oral testimony based on information gathered through the witness’s five senses?  
A. direct evidence 
B. best evidence 
C. conclusive evidence 
D. hearsay evidence
A

Answer: A
Explanation: As stated in the CISSP documentation, “If you want to achieve the validation or revalidation of the oral testimony of a witness, you need to provide physical, direct evidence to backup your statements and override the five senses of an oral testimony”. Circumstantial or Corroborative evidence is not enough in this case, we need direct, relevant evidence backing up the facts.

23
Q

In order to preserve a proper chain of custody of evidence?
A. Evidence has to be collected following predefined procedures in accordance with all laws and legal regulations
B. Law enforcement officials should be contacted for advice on how and when to collect critical information
C. Verifiable documentation indicating the sequence of individuals who have handled a piece of evidence should be available.
D. Log files containing information regarding an intrusion are retained for at least as long as normal business records, and longer in the case of an ongoing investigation.

A

Answer: A
Explanation:

24
Q

What is the primary reason for the chain of custody of evidence?
A. To ensure that no evidence is lost
B. To ensure that all possible evidence is gathered
C. To ensure that it will be admissible in court
D. To ensure that incidents were handled with due care and due diligence

A

Answer: C
Explanation:

25
Q
Which element must computer evidence have to be admissible in court?  
A. It must be relevant 
B. It must be annotated 
C. It must be printed 
D. It must contain source code
A

Answer: A
Explanation:

26
Q
Which kind of evidence would printed business records, manuals, and printouts classify as?
A. Direct evidence 
B. Real evidence 
C. Documentary evidence 
D. Demonstrative evidence
A

Answer: B
Explanation:

27
Q
Since disks and other magnetic media are only copies of the actual or original evidence, what type of evidence are they often considered to represent?
A. Hearsay 
B. Irrelevant 
C. Incomplete 
D. Secondary
A

Answer: A
Explanation:

28
Q

Which of the following is LEAST necessary when creating evidence tags detailing the chain of custody for electronic evidence?
A. The mode and means of transportation.
B. Notifying the person who owns the information being seized.
C. Complete description of the evidence, including quality if necessary.
D. Who received the evidence.

A

Answer: B
Explanation: The references indicate that transportation is important.
“Each piece of evidence should be marked in some way with the date, time, initials of the collector, and a case number if one has been assigned… The pieces of evidence should then be sealed in a container and the container should be marked with the same information. The container should be sealed with evidence tape and if possible, the writing should be on the tape so a broken seal can be detected.” - Shon Harris All-in-one CISSP Certification Guide pg 673
“In many cases, it is not possible for a witness to uniquely identify an object in court. In those cases, a chain of evidence must be established. This involves everyone who handles evidence including the police who originally collect it, the evidence technicians who process it, and the lawyers who use it in court. The location of the evidence must be fully documented from the moment it was collected to the moment it appears in court to ensure that it is indeed the same item. This requires thorough labeling of evidence and comprehensive logs noting who had access to the evidence at specific times and the reasons they required such access.” Pg. 593 Tittel: CISSP Study Guide.
“The evidence life cycle covers the evidence gathering and application process. This life cycle has the following components:
* Discovery and recognition
* Protection
* Recording
* Collection
  * Collect all relevant storage media
  * Make image of hard disk before removing power
  * Print out screen
  * Avoid degaussing equipment
* Identification
* Preservation
  * Protect magnetic media from erasure
  * Store in proper environment
* Transportation
* Presentation in a court of law
* Return of evidence to owner”
Pg. 309 Krutz: The CISSP Prep Guide
The life cycle of evidence includes:
* Collection and identification
* Storage, preservation, and transportation
* Presentation in court
* Being returned to victim or owner
Pg 677 Shon Harris: All-In-One CISSP Certification Exam Guide

29
Q
To be admissible in court, computer evidence must be which of the following?  
A. relevant 
B. decrypted 
C. edited 
D. incriminating
A

Answer: A
Explanation:

30
Q
Computer-generated evidence is considered:  
A. Best evidence 
B. Second hand evidence 
C. Demonstrative evidence 
D. Direct evidence
A

Answer: B
Explanation: “Most of the time, computer-related documents are considered hearsay, meaning the evidence is secondhand evidence. Hearsay evidence is not normally admissible in court unless it has firsthand evidence that can be used to prove the evidence’s accuracy, trustworthiness, and reliability, such as a businessperson who generated the computer logs and collected them.” Pg. 630 Shon Harris: All-in-One CISSP Certification

31
Q

Why would a memory dump be admissible as evidence in court?
A. Because it is used to demonstrate the truth of the contents
B. Because it is used to identify the state of the system
C. Because the state of the memory cannot be used as evidence
D. Because of the exclusionary rule

A

Answer: B
Explanation:

32
Q

Evidence corroboration is achieved by
A. Creating multiple logs using more than one utility.
B. Establishing secure procedures for authenticating users.
C. Maintaining all evidence under the control of an independent source.
D. Implementing disk mirroring on all devices where log files are stored.

A

Answer: C
Explanation: Corroborative evidence is supporting evidence used to help prove an idea or point. It cannot stand on its own, but is used as a supplementary tool to help prove a primary piece of evidence. - Shon Harris All-in-one CISSP Certification Guide pg 678

33
Q

You are documenting a possible computer attack.
Which one of the following methods is NOT appropriate for legal record keeping?
A. A bound paper notebook.
B. An electronic mail document.
C. A personal computer in “capture” mode that prints immediately.
D. Microcassette recorder for verbal notes

A

Answer: D
Explanation:

34
Q

Which one of the following is NOT a requirement before a search warrant can be issued?
A. There is a probable cause that a crime has been committed.
B. There is an expectation that evidence exists of the crime.
C. There is probable cause to enter someone’s home or business.
D. There is a written document detailing the anticipated evidence.

A

Answer: D
Explanation: “If a computer crime is suspected, it is important not to alert the suspect. A preliminary investigation should be conducted to determine whether a crime has been committed by examining the audit records and system logs, interviewing witnesses, and assessing the damage incurred….Search warrants are issued when there is a probable cause for the search and provide legal authorization to search a location for specific evidence.” -Ronald Krutz The CISSP PREP Guide (gold edition) pg 436

35
Q

Once a decision is made to further investigate a computer crime incident, which one of the following is NOT employed?
A. Identifying what type of system is to be seized.
B. Identifying the search and seizure team members.
C. Identifying the cost of damage and planning for their recovery.
D. Determining the risk that the suspect will destroy evidence.

A

Answer: C
Explanation: Costs and how to recover are not considered in a computer crime scene incident.

36
Q
From a legal perspective, which of the following rules must be addressed when investigating a computer crime?    
A. Search and seizure 
B. Data protection 
C. Engagement 
D. Evidence
A

Answer: D
Explanation: “The gathering, control, storage and preservation of evidence are extremely critical in any legal investigation.” Pg 432 Krutz: The CISSP Prep Guide: Gold Edition.

37
Q

Which of the following is not a problem regarding computer investigation issues?
A. Information is intangible
B. Evidence is difficult to gather
C. Computer-generated records are only considered secondary evidence, thus are not as reliable as best evidence
D. In many instances, an expert or specialist is required

A

Answer: D
Explanation:

38
Q

Why is the investigation of computer crime involving malicious damage especially challenging?
A. Information stored in a computer is intangible evidence.
B. Evidence may be destroyed in an attempt to restore the system.
C. Isolating criminal activity in a detailed audit log is difficult.
D. Reports resulting from common user error often obscure the actual violation.

A

Answer: B
Explanation: The gathering, control, storage, and preservation of evidence are extremely critical in any legal investigation. Because evidence involved in a computer crime might be intangible and subject to easy modification without a trace, evidence must be carefully handled and controlled throughout its entire life cycle. -Ronald Krutz The CISSP PREP Guide (gold edition) pg 432

39
Q
After law enforcement is informed of a computer crime, the organization's investigators' constraints are
A. removed. 
B. reduced. 
C. increased. 
D. unchanged.
A

Answer: C
Explanation: “On the other hand, there are also two major factors that may cause a company to shy away from calling in the authorities. First, the investigation will more than likely become public and may embarrass the company. Second, law enforcement authorities are bound to conduct an investigation that complies with the Fourth Amendment and other legal requirements that may not apply to a private investigation.” Pg. 529 Tittel: CISSP Study Guide

40
Q
To understand the “whys” in crime, many times it is necessary to understand MOM. Which of the following is not a component of MOM?  
A. Opportunities 
B. Methods 
C. Motivation 
D. Means
A

Answer: B
Reference: pg 600 Shon Harris: All-in-One CISSP Certification

41
Q
What category of law deals with regulatory standards that regulate performance and conduct? Government agencies create these standards, which are usually applied to companies and individuals within those companies.  
A. Standards law 
B. Conduct law 
C. Compliance law 
D. Administrative law
A

Answer: C
Explanation:

42
Q
Something that is proprietary to a company and important for its survival and profitability falls under what type of intellectual property law?
A. Trade Property 
B. Trade Asset 
C. Patent 
D. Trade Secret
A

Answer: D
Explanation:

43
Q

Which of the following statements regarding trade secrets is false?
A. For a company to have a resource qualify as a trade secret, it must provide the company with some type of competitive value or advantage
B. The Trade Secret Law normally protects the expression of the idea of the resource.
C. Many companies require their employees to sign nondisclosure agreements regarding the protection of their trade secrets
D. A resource can be protected by law if it is not generally known and if it requires special skill, ingenuity, and/or expenditure of money and effort to develop it

A

Answer: B
Explanation:

44
Q
Which category of law is also referenced as a Tort law?  
A. Civil law 
B. Criminal law 
C. Administrative law 
D. Public law
A

Answer: A
Explanation:

45
Q

Which of the following European Union (EU) principles pertaining to the protection of information on private individuals is incorrect?
A. Data collected by an organization can be used for any purpose and for as long as necessary, as long as it is never communicated outside of the organization by which it was collected
B. Individuals have the right to correct errors contained in their personal data
C. Transmission of personal information to locations where “equivalent” personal data protection cannot be assured is prohibited.
D. Records kept on an individual should be accurate and up to date

A

Answer: A
Explanation: Directive 95/46/EC
ACCESS
Individuals must have access to personal information about them that an organization holds and be able to correct, amend, or delete that information where it is inaccurate, except where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question, or where the rights of persons other than the individual would be violated.
Not B : Legitimate Purpose Personal data can only be processed for specified, explicit and legitimate purposes and may not be processed further in a way incompatible with those purposes.

46
Q
A country that fails to legally protect personal data in order to attract companies engaged in collection of such data is referred to as a    
A. data pirate 
B. data haven 
C. country of convenience 
D. sanctional nation
A

Answer: B
Explanation: Correct answer is B. Data Haven.
Data Haven A place where data that cannot legally be kept can be stashed for later use; an offshore web host. This is an interesting topic; companies often need information that they are not legally allowed to know. For example, some hospitals are not allowed to mark patients as HIV positive (because it stigmatizes patients); staff members create codes or other ways so they can take the necessary steps to protect themselves.
http://www.technovelgy.com/ct/content.asp?Bnum=279
DATA HAVEN This phrase has been around for at least 15 years, but only in a specialist way. One sense is that of a place of safety and security for electronic information, for example where encrypted copies of crucial data can be stored as a backup away from one’s place of business. But it can also mean a site in which data can be stored outside the jurisdiction of regulatory authorities. This sense has come to wider public notice recently as a result of Neal Stephenson’s book Cryptonomicon, in which the establishment of such a haven in South East Asia is part of the plot. In a classic case of life imitating art, there is now a proposal to set up a data haven on one of the old World War Two forts off the east coast of Britain, which declared independence under the name of Sealand back in 1967 (it issues its own stamps and money, for example). The idea is to get round a proposed British law-the Regulation of Investigatory Powers Bill (RIP)-that would force firms to hand over decryption keys if a crime is suspected and make Internet providers install equipment to allow interception of e-mails by the security services. The Privacy Act doesn’t protect information from being transferred from New Zealand to data havens-countries that don’t have adequate privacy protection. [Computerworld, May 1999] The government last night poured cold water on a plan by a group of entrepreneurs to establish a “data haven” on a rusting iron fortress in the North Sea in an attempt to circumvent new anticryptography laws. [Guardian, June 2000] World Wide Words is copyright © Michael Quinion, 1996-2004. All rights reserved.
http://www.worldwidewords.org/turnsofphrase/tp-dat2.htm
Not C: The majority of Google searches for ‘Country of Convenience’ relate to those countries supporting terrorism.
Not D: the meaning of sanctioned is listed below. This would mean that countries that DON’T protect privacy are APPROVED.
Main Entry: sanction. Function: transitive verb. Inflected Form(s): sanctioned; sanctioning. Date: 1778. 1: to make valid or binding usually by a formal procedure (as ratification). 2: to give effective or authoritative approval or consent.

47
Q

Which of the following requires all communications carriers to make wiretaps possible?
A. 1994 US Communications Assistance for Law Enforcement Act
B. 1996 US Economic and Protection of Property Information Act
C. 1996 US National Information Infrastructure Protection Act
D. 1986 US Computer Security Act

A

Answer: A
Explanation:

48
Q

Which of the following US federal government laws/regulations was the first to require the development of a computer security plan?
A. Privacy Act of 1974
B. Computer Security Act of 1987
C. Federal Information Resources Management Regulations
D. Office of Management & Budget Circular A-130

A

Answer: B
Reference: pg 722 Hansche: Official (ISC)2 Guide to the CISSP Exam

49
Q

Which US act places responsibility on senior organizational management for prevention and detection programs with fines of up to $290 million for nonperformance?
A. The 1987 US Computer Security Act
B. The 1986 US Computer Fraud and Abuse Act
C. The 1991 US Federal Sentencing Guidelines
D. The 1996 US National Information Infrastructure Protection Act

A

Answer: C
Reference: pg 615 Shon Harris: All-in-One CISSP Certification

50
Q
What document made theft no longer restricted to physical constraints?  
A. The Electronic Espionage Act of 1996 
B. The Gramm Leach Bliley Act of 1999 
C. The Computer Security Act of 1987 
D. The Federal Privacy Act of 1974
A

Answer: A
Explanation:

51
Q
In the US, HIPAA addresses which of the following?  
A. Availability and Accountability 
B. Accuracy and Privacy 
C. Security and Availability 
D. Security and Privacy
A

Answer: D
Explanation:

52
Q

Which of the following placed requirements on federal government agencies to conduct security-related training, to identify sensitive systems, and to develop a security plan for those sensitive systems?
A. 1987 US Computer Security Act
B. 1996 US Economic and Protection of Proprietary Information Act
C. 1994 US Computer Abuse Amendments Act
D. 1986 (Amended in 1996) US Computer Fraud and Abuse Act

A

Answer: A
Explanation:

53
Q
Which of the following cannot be undertaken in conjunction with computer incident handling? 
A. system development activity 
B. help-desk function 
C. system backup function 
D. risk management process
A

Answer: A
Explanation:

54
Q

What is the primary goal of incident handling?
A. Successfully retrieve all evidence that can be used to prosecute
B. Improve the company’s ability to be prepared for threats and disasters
C. Improve the company’s disaster recovery plan
D. Contain and repair any damage caused by an event

A

Answer: D
Reference: Page 629 of Shon Harris’s All in One Exam Guide, Second Ed.

55
Q
Which one of the following is NOT a factor to consider when establishing a core incident response team?    
A. Technical knowledge 
B. Communication skills 
C. The recovery capability 
D. Understanding business policy
A

Answer: C
Explanation: “The team should have someone from senior management, the network administrator, security officer, possibly a network engineer and/or programmer, and liaison for public affairs… The incident response team should have the following basic items:
* List of outside agencies and resources to contact or report to
* List of computer or forensics experts to contact
* Steps on how to secure and preserve evidence
* Steps on how to search for evidence
* List of items that should be included on the report
* A list that indicates how the different systems should be treated in this type of situation (removed from internet, removed from the network, and powered down)” - Shon Harris All-in-one CISSP Certification Guide pg 671-672
“An investigation should involve management, corporate security, human resources, the legal department, and other appropriate staff members. The act of investigating may also affect critical operations… Thus it is important to prepare a plan beforehand on how to handle reports of suspected computer crimes. A committee of appropriate personnel should be set up beforehand to address the following issues:
* Establishing a prior liaison with law enforcement
* Deciding when and whether to bring in law enforcement…
* Setting up means of reporting computer crimes
* Establishing procedures for handling and processing reports of computer crime
* Planning for and conducting investigations
* Involving senior management and the appropriate departments, such as legal, internal audit, information systems, and human resources
* Ensuring the proper collection of evidence, which includes identification and protection of the various storage media.” -Ronald Krutz The CISSP PREP Guide (gold edition) pg 435-436

56
Q
Which of the following specifically addresses cyber attacks against an organization’s IT systems?  
A. Continuity of support plan 
B. Business continuity plan 
C. Incident response plan 
D. Continuity of operations plan
A

Answer: C
Explanation:

57
Q

When should a post-mortem review meeting be held after an intrusion has been properly taken care of?
A. Within the first three months after the investigation of the intrusion is completed
B. Within the first week after prosecution of intruders have taken place, whether successful or not
C. Within the first month after the investigation of the intrusion is completed
D. Within the first week of completing the investigation of the intrusion

A

Answer: D
Explanation:

58
Q

During a review of system logs of the enterprise, a security manager discovers that a colleague working on an exercise ran a job to collect confidential information on the company's clients. The colleague who ran the job has since left the company to work for a competitor. Based on the (ISC)2 Code of Ethics, which one of the following statements is MOST correct?
A. The manager should call the colleague and explain what has been discovered. The manager should then ask for the return of the information in exchange for silence.
B. The manager should warn the competitor that a potential crime has been committed that could put their company at risk.
C. The manager should inform his or her appropriate company management, and secure the results of the recovery exercise for future review.
D. The manager should call the colleague and ask the purpose of running the job prior to informing his or her company management of the situation.

A

Answer: C
Explanation: In the references I have not found out anything that directly relates to this, but it would be logical to assume the answer of going to necessary management. "ISC2 Code of Ethics… Not commit or be party to any unlawful or unethical act that may negatively affect their professional reputation or the reputation of their profession. Appropriately report activity related to the profession that they believe to be unlawful and shall cooperate with the resulting investigations." - Ronald Krutz The CISSP PREP Guide (gold edition) pg 440

59
Q

In what way could the use of “cookies” violate a person’s privacy?
A. When they are used to tie together a set of unconnected requests for web pages to cause an electronic map of where one has been.
B. When they are used to keep logs of who is using an anonymizer to access a site instead of their regular userid.
C. When the e-mail addresses of users that have registered to access the web site are sold to marketing firms.

A

Answer: A
Explanation: Both A and C are correct in that they are true, but from a CISSP viewpoint looking into a PC the cookies show a map of where the user has been. Therefore I think A is the better choice. "Any web site that knows your identity and has a cookie for you could set up procedures to exchange their data with the companies that buy advertising space from them, synchronizing the cookies they both have on your computer. This possibility means that once your identity becomes known to a single company listed in your cookies file, any of the others might know who you are every time you visit their sites. The result is that a web site about gardening that you never told your name could sell not only your name to mail-order companies, but also the fact that you spent a lot of time one Saturday night last June reading about how to fertilize roses. More disturbing scenarios along the same lines could be imagined." http://www.junkbusters.com/cookies.html

60
Q

Which of the following is the BEST way to prevent software license violations?
A. Implementing a corporate policy on copyright infringements and software use
B. Requiring that all PC’s be diskless workstations
C. Installing metering software on the LAN so applications can be accessed through the metered software
D. Regularly scanning used PC’s to ensure that unauthorized copies of software have not been loaded on the PC

A

Answer: D

61
Q
The ISC2 Code of Ethics does not include which of the following behaviors for a CISSP:  
A. moral 
B. ethical 
C. legal 
D. control
A

Answer: D
Explanation:

62
Q

Where can the phrase “Discourage unsafe practice” be found?
A. Computer Ethics Institute commandments
B. (ISC)2 Code of Ethics
C. Internet Activities Board’s Ethics and the Internet (RFC1087)
D. CIAC Guidelines

A

Answer: B
Explanation:

63
Q
One of the offences an individual or company can commit is decompiling vendor code. This is usually done in the hopes of understanding the intricate details of its functionality. What best describes this type of non-ethical engineering?  
A. Inverse Engineering 
B. Backward Engineering 
C. Subvert Engineering 
D. Reverse Engineering
A

Answer: D
Explanation:

64
Q
Which one of the following is an ethical consideration of computer technology?    
A. Ownership of proprietary software. 
B. Information resource management. 
C. Service level agreements. 
D. System implementation and design.
A

Answer: B
Explanation: If going by the Internet Activities Board, then Information resource management would be the answer since you aren’t wasting resources.
Note: This question is oddly worded

65
Q
The Internet Activities Board characterizes which of the following as unethical behavior for Internet users?  
A. Writing computer viruses 
B. Monitoring data traffic 
C. Wasting computer resources 
D. Concealing unauthorized accesses
A

Answer: C
Explanation: "Wasting resources (people, capacity, and computers) through purposeful actions" is listed as unethical per page 909 of CISSP / Shon Harris / 5th edition.

66
Q

Which of the following is a potential problem when creating a message digest for forensic purposes?
A. The process is very slow.
B. The file’s last access time is changed.
C. The message digest is almost as long as the data string.
D. One-way hashing technology invalidates message digest processing.
E. a file could be changed during the process

A

Answer: E
Explanation: Not D: does not make much sense. The purpose of the one-way hash is to create a message digest.
Not C: "To generate a digital signature, the digital signature program passes the file to be sent through a one-way hash function. This hash function produces a fixed size output from a variable size input." Pg. 208 Krutz: The CISSP Prep Guide: Gold Edition.

67
Q

A forensic examination should inspect slack space because it
A. Contains system level access control kernel.
B. Can contain a hidden file or data.
C. Can contain vital system information.
D. Can be defeated to avoid detection.

A

Answer: B
Explanation:

68
Q

Forensic imaging of a workstation is initiated by
A. Booting the machine with the installed operating system.
B. Booting the machine with an operating system diskette.
C. Removing the hard drive to view the output of the forensic imaging software.
D. Directing the output of the forensic imaging software to the small computer system interface (SCSI).

A

Answer: D
Explanation: “It is very important that the person, or people, conducting the forensics investigation is skilled in this trade and knows what to look out for. If a person reboots the attacked system or goes around looking at different files, it could corrupt viable evidence, change timestamps on key files, and erase footprints the criminal may have left. One very good first step is to make a sound image of the attacked system and perform forensic analysis on this copy. This will ensure that the evidence stays unharmed on the original system in case some steps in the investigation actually corrupt or destroy data. Also the memory of the system should be dumped to a file before doing any work on the system or powering it down.” - Shon Harris All-in-one CISSP Certification Guide pg 672-673
PCMCIA to SCSI and parallel to SCSI forensic products can be found at the following vendor. http://www.icsforensic.com/products_cat_fr.cfm

69
Q

A disk image backup is used for forensic investigation because it
A. Is based on secured hardware technology.
B. Creates a bit level copy of the entire disk.
C. Time stamps the files with the date and time of the copy operation.
D. Excludes areas that have never been used to store data.

A

Answer: B
Explanation: Never conduct your investigation on an actual system that was compromised. Take the system offline, make a backup, and use the backup to investigate the incident. - Ed Tittle CISSP Study Guide (sybex) pg 595

70
Q

When it comes to magnetic media sanitization, what difference can be made between clearing and purging information?
A. Clearing completely erases the media whereas purging only removes file headers, allowing the recovery of files
B. Clearing renders information unrecoverable by a keyboard attack and purging renders information unrecoverable against laboratory attack
C. They both involve rewriting the media
D. Clearing renders information unrecoverable against a laboratory attack and purging renders information unrecoverable to a keyboard attack

A

Answer: B
Reference: pg 405 Tittel: CISSP Study Guide

71
Q

What is HIPAA?
A. The Home Insurance Portability & Accountability Act of 1996 (August 21), Public Law 104-191, which amends the Internal Revenue Service Code of 1986. Also known as the Kennedy-Kassebaum Act.
B. The Public Health Insurance Portability & Accountability Act of 1996 (August 21), Public Law 104-191, which amends the Internal Revenue Service Code of 1986. Also known as the Kennedy-Kassebaum Act.
C. The Health Insurance Privacy & Accountability Act of 1996 (August 2), Public Law 104-191, which amends the Internal Revenue Service Code of 1986. Also known as the Kennedy-Kassebaum Act.
D. The Health Insurance Privacy & Accountability Act of 1996 (August 2), Public Law 104-191, which amends the Internal Revenue Service Code of 1986. Also known as the Kennedy-Kassebaum Act.

A

Answer: B
Explanation: “The United States Kennedy-Kassebaum Health Insurance Portability and Accountability Act (HIPAA-Public Law 104-191), effective August 21, 1996, addresses the issues of health care
ISC CISSP Exam
“Pass Any Exam. Any Time.” - www.actualtests.com 521
privacy, security, transactions and code sets, unique identifies, electronic signatures, and plan portability in the United States.” Pg 499-500 Krutz: The CISSP Prep Guide: Gold Edition.

72
Q

The privacy provisions of the federal law, the Health Insurance Portability and Accountability Act of 1996 (HIPAA),
A. apply to certain types of critical health information created or maintained by health care providers who engage in certain electronic transactions, health plans, and health care clearinghouses.
B. apply to health information created or maintained by health care providers who engage in certain electronic transactions, health plans, and health care clearinghouses.
C. apply to health information created or maintained by some large health care providers who engage in certain electronic transactions, health plans, and health care clearinghouses.
D. apply to health information created or maintained by health care providers regardless of whether they engage in certain electronic transactions, health plans, and health care clearinghouses.

A

Answer: B
Explanation:

73
Q
Gap analysis does not apply to   
A. Transactions 
B. availability 
C. Privacy 
D. Security
A

Answer: B
Explanation:

74
Q

A gap analysis for Privacy refers
A. to the practice of identifying the policies and procedures you currently have in place regarding the availability of protected health information.
B. to the practice of identifying the policies and procedures you currently have in place regarding the confidentiality of protected health information.
C. to the practice of identifying the policies and procedures you currently have in place regarding the authenticity of protected health information.
D. to the practices of identifying the legislation you currently have in place regarding the confidentiality of protected health information.

A

Answer: B
Explanation:

75
Q

A gap analysis for Privacy
A. includes a comparison of your proposed policies and procedures and the requirements established in the Security and Privacy Regulation in order to identify any necessary modifications in existing policies to satisfy HIPAA regulations when they are stricter than state privacy laws.
B. includes a comparison of your current policies and procedures and the requirements established in the Security and Privacy Regulation in order to identify any necessary modifications in existing policies to satisfy HIPAA regulations when they are stricter than state privacy laws
C. includes a comparison of your ideal policies and procedures and the requirements established in the Security and Privacy Regulation in order to identify any necessary modifications in existing policies to satisfy HIPAA regulations when they are stricter than state privacy laws.
D. includes a comparison of your exceptional policies and procedures and the requirements established in the Security and Privacy Regulation in order to identify any necessary modifications in existing policies to satisfy HIPAA regulations when they are stricter than state privacy laws

A

Answer: B
Explanation:

76
Q

What is a gap analysis in relationship to HIPAA?
A. In terms of HIPAA, a gap analysis cannot be defined.
B. In terms of HIPAA, a gap analysis defines what an organization currently is doing in a specific area of their organization and compares current operations to other requirements mandated by ethical standards.
C. In terms of HIPAA, a gap analysis defines what an organization currently is doing in a specific area of their organization and compares current operations to other requirements mandated by state or federal law
D. In terms of HIPAA, a gap analysis defines what an organization proposes to be doing in a specific area of their organization and compares proposed operations to other requirements mandated by state or federal law.

A

Answer: C
Explanation:

77
Q

The privacy provisions of the federal law, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), apply to certain types of health information created or maintained by health care providers
A. who engage in certain electronic transactions, health plans, and health care clearinghouses
B. who do not engage in certain electronic transactions, health plans, and health care clearinghouses
C. regardless of whether they engage in certain electronic transactions, health plans, and health care clearinghouses
D. if they engage for a majority of days in a year in certain electronic transactions, health plans, and health care clearinghouses.

A

Answer: A
Explanation:

78
Q

HIPAA preempts state laws
A. except to the extent that the state law is less stringent
B. regardless of the extent that the state law is more stringent
C. except to the extent that the state law more stringent
D. except to the extent that the state law is legislated later than HIPAA

A

Answer: C
Explanation:

79
Q

The Implementation Guides
A. are referred to in the Static Rule
B. are referred to in the Transaction Rule
C. are referred to in the Transitional Rule
D. are referred to in the Acquisition Rule

A

Answer: B
Explanation:

80
Q

The HIPAA task force must first
A. inventory the organization’s systems, processes, policies, procedures and data to determine which elements are critical to patient care and central to the organization’s business
B. inventory the organization’s systems, processes, policies, procedures and data to determine which elements are non critical to patient care and central to the organization’s business
C. inventory the organization’s systems, processes, policies, procedures and data to determine which elements are critical to patient complaints and central to the organization’s peripheral businesses
D. modify the organization’s systems, processes, policies, procedures and data to determine which elements are critical to patient care and central to the organization’s business

A

Answer: A
Explanation:

81
Q

A covered healthcare provider with a direct treatment relationship with an individual need not:
A. provide the notice no later than the date of the first service delivery, including service delivered electronically
B. have the notice available at the service delivery site for individuals to request and keep
C. get an acknowledgement of the notice from each individual on stamped paper
D. post the notice in a clear and prominent location where it is reasonable to expect individuals seeking service from the covered healthcare provider to be able to read it

A

Answer: C
Explanation: Notice Distribution. A covered health care provider with a direct treatment relationship with individuals must have delivered a privacy practices notice to patients starting April 14, 2003 as follows: http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html

82
Q

A health plan may conduct its covered transactions through a clearinghouse, and may require a provider to conduct covered transactions with it through a clearinghouse. The incremental cost of doing so must be borne
A. by the HIPAA authorities
B. by the health plan
C. by any other entity but the health plan
D. by insurance companies

A

Answer: B
Explanation:

83
Q

Covered entities (certain health care providers, health plans, and health care clearinghouses) are not required to comply with the HIPAA Privacy Rule until the compliance date. Covered entities may, of course, decide to:
A. unvoluntarily protect patient health information before this date
B. voluntarily protect patient health information before this date
C. after taking permission, voluntarily protect patient health information before this date
D. compulsorily protect patient health information before this date

A

Answer: B
Explanation:

84
Q

The confidentiality of alcohol and drug abuse patient records maintained by this program is protected by federal law and regulations. Generally, the program may not say to a person outside the program that a patient attends the program, or disclose any information identifying a patient as an alcohol or drug abuser even if:
A. The person outside the program gives a written request for the information
B. the patient consents in writing
C. the disclosure is allowed by a court order
D. the disclosure is made to medical personnel in a medical emergency or to qualified personnel for research, audit, or program evaluation.

A

Answer: D
Explanation: Incident handling is not related to disaster recovery, it is related to security incidents.

85
Q

What is a Covered Entity? The term “Covered Entity” is defined in 160.103 of the regulation.
A. The definition is complicated and long.
B. The definition is referred to in the Secure Computing Act
C. The definition is very detailed.
D. The definition is deceptively simple and short

A

Answer: D
Explanation:

86
Q

Are employers required to submit enrollments by the standard transactions?
A. Though Employers are not CEs and they have to send enrollment using HIPAA standard transactions. However, the employer health plan IS a CE and must be able to conduct applicable transactions using the HIPAA standards
B. Employers are not CEs and do not have to send enrollment using HIPAA standard transactions. However, the employer health plan IS a CE and must be able to conduct applicable transactions using the HIPAA standards.
C. Employers are CEs and have to send enrollment using HIPAA standard transactions. However, the employer health plan IS a CE and must be able to conduct applicable transactions using the HIPAA standards.
D. Employers are CEs and do not have to send enrollment using HIPAA standard transactions. Further, the employer health plan IS also a CE and must be able to conduct applicable transactions using the HIPAA standards.

A

Answer: B
Explanation:

87
Q

Employers
A. often advocate on behalf of their employees in benefit disputes and appeals, answer questions with regard to the health plan, and generally help them navigate their health benefits.
B. sometimes advocate on behalf of their employees in benefit disputes and appeals, answer questions with regard to the health plan, and generally help them navigate their health benefits.
C. never advocate on behalf of their employees in benefit disputes and appeals, answer questions with regard to health plan, and generally help them navigate their health benefits.
D. are prohibited by plan sponsors from advocating on behalf of group health plan participants or providing assistance in understanding their health plan.

A

Answer: A
Explanation:

88
Q
Employers 
A. are covered entities if they do not use encryption 
B. are covered entities 
C. are not legal entities 
D. are not covered entities
A

Answer: D
Explanation:
The Administrative Simplification standards adopted by Health and Human Services (HHS) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) apply to any entity that is
An entity that is one or more of these types of entities is referred to as a "covered entity" in the Administrative Simplification regulations.
Reference: https://www.cms.gov/HIPAAGenInfo/06_AreYouaCoveredEntity.asp

89
Q

The HIPAA task force must inventory the organization's systems, processes, policies, procedures and data to determine which elements are critical to patient care and central to the organization's business. All must be inventoried and listed
A. by priority as well as encryption levels, authenticity, storage-devices, availability, reliability, access and use. The person responsible for criticality analysis must remain mission-focused and carefully document all the criteria used.
B. by priority and cost as well as availability, reliability, access and use. The person responsible for criticality analysis must remain mission-focused and carefully document all the criteria used.
C. by priority as well availability, reliability, access and use. The person responsible for criticality analysis must remain mission-focused but need not document all the criteria used.
D. by priority as well as availability, reliability, access and use. The person responsible for criticality analysis must remain mission-focused and carefully document all the criteria used.

A

Answer: D
Explanation:

90
Q

Are there penalties under HIPAA?
A. No penalties
B. HIPAA calls for severe civil and criminal penalties for noncompliance, including: – fines up to $25k for multiple violations of the same standard in a calendar year – fines up to $250k and/or imprisonment up to 10 years for knowing misuse of individually identifiable health information.
C. HIPAA calls for severe civil and criminal penalties for noncompliance, includes: – fines up to 50k for multiple violations of the same standard in a calendar year – fines up to $500k and/or imprisonment up to 10 years for knowing misuse of individually identifiable health information
D. HIPAA calls for severe civil and criminal penalties for noncompliance, including: – fines up to $100 for multiple violations of the same standard in a calendar year – fines up to $750k and/or imprisonment up to 20 years for knowing misuse of individually identifiable health information
E. HIPAA calls for severe civil and criminal penalties for noncompliance, including: – fines up to $1.5 million for multiple violations of the same standard in a calendar year – fines up to $250k and/or imprisonment up to 10 years for knowing misuse of individually identifiable health information.

A

Answer: E
Explanation:

91
Q

HIPAA gave the option to adopt other financial and administrative transactions standards, "consistent with the goals of improving the operation of the health care system and reducing administrative costs" to
A. ASCA prohibits HHS from paying Medicare claims that are not submitted electronically after October 16, 2003.
B. ASCA prohibits HHS from paying Medicare claims that are not submitted on paper after October 16, 2003
C. ASCA prohibits HHS from paying Medicare claims that are not submitted electronically after October 16, 2003, unless the Secretary grants a waiver from this requirement
D. No

A

Answer: C
Explanation:

92
Q

May a health plan require a provider to use a health care clearinghouse to conduct a HIPAA-covered transaction, or must the health plan acquire the ability to conduct the transaction directly with those providers capable of conducting direct transactions?
A. A health plan may conduct its covered transactions through a clearinghouse, and may require a provider to conduct covered transactions with it through a clearinghouse. But the incremental cost of doing so must be borne by the health plan. It is a cost-benefit decision on the part of the health plan whether to acquire the ability to conduct HIPAA transactions directly with other entities, or to require use of a clearinghouse.
B. A health plan may not conduct its covered transactions through a clearinghouse
C. A health plan may after taking specific permission from HIPAA authorities conduct its covered transactions through a clearinghouse
D. is not as per HIPAA allowed to require provider to conduct covered transactions with it through a clearinghouse

A

Answer: A
Explanation:

93
Q

Business Associate Agreements are required by the regulation whenever a business associate relationship exists. This is true even when the business associates are both covered entities.
A. There are no specific elements which must be included in a Business Associate Agreement. However some recommended but not compulsory elements are listed in 164.504(e) (2)
B. There are specific elements which must be included in a Business Associate Agreement. These elements are listed Privacy Legislation
C. There are no specific elements which must be included in a Business Associate Agreement.
D. There are specific elements which must be included in a Business Associate Agreement. These elements are listed in 164.504(e) (2)

A

Answer: D
Explanation: Business Associate Contracts. A covered entity’s contract or other written arrangement with its business associate must contain the elements specified at 45 CFR 164.504(e). For example, the contract must: Describe the permitted and required uses of protected health information by the business associate; Provide that the business associate will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law; and Require the business associate to use appropriate safeguards to prevent a use or disclosure of the protected health information other than as provided for by the contract.
Reference: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/businessassociates.html

94
Q

The Implementation Guides
A. are referred to in the Transaction Rule
B. are not referred to in the Transaction Rule
C. are referred to in the Compliance Rules
D. are referred to in the Confidentiality Rule

A

Answer: A
Explanation:

95
Q

Business Associates
A. are entities that perform services that require the use of Protected Health Information on behalf of Covered Entities. One covered entity may be a business partner of another covered entity
B. are entities that do not perform services that require the use of Protected Health Information on behalf of Covered Entities. One covered entity may be a business partner of another covered entity
C. are entities that perform services that require the use of Encrypted Insurance Information on behalf of Covered Entities. One covered entity may be a business partner of another covered entity
D. are entities that perform services that require the use of Protected Health Information on behalf of Covered Entities. One covered entity cannot be a business partner of another covered entity.

A

Answer: A
Explanation:

96
Q

Health Care Providers, however,
A. become the business associates of health plans even without joining a network
B. become the business associates of health plans by simply joining a network
C. do not become the business associates of health plans by simply joining a network
D. do not become the HIPAA associates of health plans by simply joining a network

A

Answer: C
Explanation:

97
Q
In terms of HIPAA, defining what an organization currently is doing in a specific area of their organization and comparing current operations to other requirements mandated by state or federal law is called
A. HIPAA status analysis 
B. gap analysis 
C. comparison analysis 
D. stop-gap analysis
A

Answer: B
Explanation:

98
Q
Group Health Plans sponsored or maintained by employers, however,  
A. ARE SOMETIMES covered entities. 
B. ARE NOT covered entities. 
C. ARE covered entities 
D. ARE called uncovered entities
A

Answer: C
Explanation:

99
Q

Employers often advocate on behalf of their employees in benefit disputes and appeals, answer questions with regard to the health plan, and generally help them navigate their health benefits. Is this type of assistance allowed under the regulation?
A. The final rule does nothing to hinder or prohibit plan sponsors from advocating on behalf of group health plan participants or providing assistance in understanding their health plans.
B. The final rule prohibits plan sponsors from advocating on behalf of group health plan participants or providing assistance in understanding their health plans
C. The final rule does hinder but does not prohibit plan sponsors from advocating on behalf of group health plan participants or providing assistance in understanding their health plans
D. The final rule does no advocating on behalf of group health plan participants or provide assistance in understanding their health plan.

A

Answer: A
Explanation:

100
Q

HIPAA does not call for:
A. Standardization of electronic patient health, administrative and financial data
B. Unique health identifiers for individuals, employers, health plans, and health care providers.
C. Common health identifiers for individuals, employers, health plans and health care providers.
D. Security standards protecting the confidentiality and integrity of “individually identifiable health information,” past, present or future.

A

Answer: C
Explanation:

101
Q

A gap analysis for the Transactions set refers to the practice of identifying the data content you currently have available
A. through your medical software
B. through your accounting software
C. through competing unit medical software
D. based on the statutory authorities report

A

Answer: A
Explanation:

102
Q

A gap analysis for the Transactions set does not refer to
A. the practice of identifying the data content you currently have available through your medical software
B. the practice of and comparing that content to what is required by HIPAA, and ensuring there is a match.
C. and requires that you study the specific format of a regulated transaction to ensure that the order of the information when sent electronically matches the order that is mandated in the Implementation Guides.
D. but does not require that you study the specific format of a regulated transaction to ensure that the order of information when sent electronically matches the order that is mandated in the Implementation Guides.

A

Answer: D

Explanation:

103
Q

Health Information Rights: although your health record is the physical property of the healthcare practitioner or facility that compiled it, the information belongs to you. You do not have the right to:
A. obtain a paper copy of the notice of information practices upon request; inspect and obtain a copy of your health record as provided for in 45 CFR 164.524
B. request a restriction on certain uses and disclosures of your information outside the terms as provided by 45 CFR 164.522
C. amend your health record as provided in 45 CFR 164.528; obtain an accounting of disclosures of your health information as provided in 45 CFR 164.528
D. revoke your authorization to use or disclose health information except to the extent that action has already been taken

A

Answer: B
Explanation:

104
Q
Employers often advocate on behalf of their employees in benefit disputes and appeals, answer questions with regard to the health plan, and generally help them navigate their health benefits. Is individual consent required?  
A. No 
B. Sometimes 
C. Yes 
D. The answer is indeterminate
A

Answer: C
Explanation:

105
Q

Who enforces HIPAA?
A. The Office of Civil Rights of the Department of Confidentiality Services is responsible for enforcement of these rules
B. The Office of Civil Rights of the Department of Health and Human Services is responsible for enforcement of these rules
C. The Office of Health Workers Rights of the Department of Health and Human Services is responsible for enforcement of these rules
D. The Department of Civil Rights of the Office of Health and Human Services is responsible for enforcement of these rules

A

Answer: B
Explanation:

106
Q
Gap analysis does not apply to  
A. Transactions 
B. availability 
C. Privacy 
D. Security
A

Answer: B
Explanation:

107
Q

A gap analysis for Security
A. refers to the practice of trusting the security policies and practices currently in place in your organization designed to protect all your data from unauthorized access, alteration or inadvertent disclosure.
B. refers to the practice of modifying the security policies and practices currently in place in your organization designed to protect all your data from unauthorized access, alteration or inadvertent disclosure.
C. refers to the practice of identifying the security policies and practices currently in place in your organization designed to protect all your data from unauthorized access, alteration or inadvertent disclosure.
D. refers to the practice of improving the security policies and practices currently in place in your organization designed to protect all your data from unauthorized access, alteration or inadvertent disclosure.

A

Answer: D
Explanation: http://en.wikipedia.org/wiki/Gap_analysis Gap analysis identifies gaps between the optimized allocation and integration of the inputs (resources) and the current allocation level. This reveals areas that can be improved.

108
Q

The Implementation Guides are referred to in the Transaction Rule. The manuals are
A. non-technical in nature and do not specifically state what the data content should be for each HIPAA transaction. They also do not state the order in which this data must appear when transmitted electronically.
B. theoretical in nature and specifically state what the data content should be for each HIPAA transaction. They also state the order in which this data must appear when transmitted electronically.
C. technical in nature and specifically state what the data content should be for each HIPAA transaction. They do not state the order in which this data must appear when transmitted electronically.
D. technical in nature and specifically state what the data content should be for each HIPAA transaction. They also state the order in which this data must appear when transmitted electronically.

A

Answer: D
Explanation:

109
Q

Title II of HIPAA includes a section, Administrative Simplification, not requiring:
A. Improved efficiency in healthcare delivery by standardizing electronic data interchange
B. Protection of confidentiality of health data through setting and enforcing standards
C. Protection of security of health data through setting and enforcing standards
D. Protection of availability of health data through setting and enforcing standards

A

Answer: D
Explanation:

110
Q
Who is not affected by HIPAA?  
A. clearing houses 
B. banks 
C. universities 
D. billing agencies
A

Answer: B
Explanation: University: there are medical universities and thus could be a covered entity and as such, affected by HIPAA.

111
Q

HIPAA results in
A. sweeping changes in some healthcare transaction and administrative information systems
B. sweeping changes in most healthcare transaction and administrative information systems
C. minor changes in most healthcare transaction and administrative information systems
D. no changes in most healthcare transaction and minor changes in administrative information systems

A

Answer: B
Explanation: