Chapter 03: Legal, Ethical, and Professional Issues in Information Security

TRUE/FALSE

1. The key difference between laws and ethics is that ethics carry the authority of a governing body and
laws do not.

ANS: F PTS: 1 REF: 91

2. Due care requires that an organization make a valid effort to protect others and continually maintain
this level of effort.

ANS: F PTS: 1 REF: 91

3. The Clipper Chip can be used to monitor or track private communications.

ANS: T PTS: 1 REF: 93

4. HIPAA specifies particular security technologies for each of the security requirements to ensure the
privacy of the health-care information.

ANS: F PTS: 1 REF: 94

5. Every state has implemented uniform laws and regulations placed on organizational use of computer
technology.

ANS: F PTS: 1 REF: 100

6. Thirty-four countries have ratified the European Council Cyber-Crime Convention as of April 2010.

ANS: F PTS: 1 REF: 100

7. The United States has implemented a version of the DMCA law called the Database Right, in order to
comply with Directive 95/46/EC.

ANS: F PTS: 1 REF: 101

8. The Association for Computing Machinery and the Information Systems Security Association have the
authority to banish violators of their ethical standards from practicing their trade.

ANS: F PTS: 1 REF: 102

9. Studies on ethics and computer use reveal that people of different nationalities have different
perspectives; difficulties arise when one nationality’s ethical behavior violates the ethics of another
national group.

ANS: T PTS: 1 REF: 102

10. Cultural differences can make it easy to determine what is and is not ethical—especially when it comes
to the use of computers.

ANS: F PTS: 1 REF: 102


11. Studies have reported that the Pacific Rim countries of Singapore and Hong Kong are hotbeds of
software piracy.

ANS: T PTS: 1 REF: 103

12. The difference between a policy and a law is that ignorance of a law is an acceptable defense.

ANS: F PTS: 1 REF: 107

13. There are four general causes of unethical and illegal behavior.

ANS: F PTS: 1 REF: 107

14. Individuals with authorization and privileges to manage information within the organization are most
likely to cause harm or damage by accident.

ANS: T PTS: 1 REF: 107

15. The Information Systems Security Association (ISSA) is a nonprofit society of information security
professionals whose primary mission is to bring together qualified information security practitioners
for information exchange and educational development.

ANS: T PTS: 1 REF: 109

16. The Department of Homeland Security is the only U.S. federal agency charged with the protection of
American information resources and the investigation of threats to, or attacks on, the resources.

ANS: F PTS: 1 REF: 109-110

17. DHS is made up of three directorates.

ANS: F PTS: 1 REF: 110

18. Established in January 2001, the National InfraGard Program began as a cooperative effort between
the FBI’s Cleveland Field Office and local technology professionals.

ANS: T PTS: 1 REF: 110

19. The NSA is responsible for signal intelligence and information system security.

ANS: T PTS: 1 REF: 112

20. The Secret Service is charged with the detection and arrest of any person committing a United States
federal offense relating to computer fraud and false identification crimes.

ANS: T PTS: 1 REF: 113

MODIFIED TRUE/FALSE

1. Ethics define socially acceptable behaviors. _________________________

ANS: T PTS: 1 REF: 91


2. Civil law addresses activities and conduct harmful to society and is actively enforced by the state.
_________________________

ANS: F, Criminal

PTS: 1 REF: 92

3. Privacy is not absolute freedom from observation, but rather is a more precise “state of being free from
unsanctioned intrusion.” _________________________

ANS: T PTS: 1 REF: 93

4. The Federal Privacy Act of 1974 regulates government agencies and holds them accountable if they
release information about national security. _________________________

ANS: F, individual privacy

PTS: 1 REF: 93-94

5. Intellectual privacy is recognized as a protected asset in the United States. _________________________

ANS: F, property

PTS: 1 REF: 96-98

6. The Economic Espionage Act of 1996 protects American ingenuity, intellectual property, and
competitive advantage. _________________________

ANS: T PTS: 1 REF: 98

7. The Gramm-Leach-Bliley Act is a critical piece of legislation that affects the executive management
of publicly traded corporations and public accounting firms. ______________________________

ANS: F, Sarbanes-Oxley Act of 2002

PTS: 1 REF: 99

8. In 1995 the Directive 95/46/EC was adopted by the European Union. _________________________

ANS: T PTS: 1 REF: 101

9. In a study on software license infringement, those from the United States were significantly more
permissive. _________________________

ANS: F, Netherlands

PTS: 1 REF: 103

10. The code of ethics put forth by (ISC)2 focuses on four mandatory canons: “Protect society, the
commonwealth, and the infrastructure; act honorably, honestly, justly, responsibly, and legally; provide
diligent and competent service to principals; and advance and protect the profession.”
_________________________

ANS: T PTS: 1 REF: 109

11. The Department of Homeland Security was created in 1999. _________________________

ANS: F, 2003

PTS: 1 REF: 110

12. The Federal Bureau of Investigation’s National InfraGard Program serves its members in four basic
ways: Maintains an intrusion alert network using encrypted e-mail; Maintains a secure Web site for
communication about suspicious activity or intrusions; Sponsors local chapter activities; Operates a
help desk for questions. _________________________

ANS: T PTS: 1 REF: 111

13. The U.S. Secret Service is a department within the Department of the Interior.
_________________________

ANS: F, Treasury

PTS: 1 REF: 113

14. The communications networks of the United States carry more funds than all of the armored cars in the
world combined. _________________________

ANS: T PTS: 1 REF: 113

15. Deterrence can prevent an illegal or unethical activity from occurring. _________________________

ANS: T PTS: 1 REF: 114

MULTIPLE CHOICE

1. ____ law comprises a wide variety of laws that govern a nation or state.
a. Criminal c. Public
b. Civil d. Private
ANS: B PTS: 1 REF: 92

2. ____ law regulates the structure and administration of government agencies and their relationships
with citizens, employees, and other governments.
a. Public c. Civil
b. Private d. Criminal
ANS: A PTS: 1 REF: 92

3. The Computer ____ and Abuse Act of 1986 is the cornerstone of many computer-related federal laws
and enforcement efforts.
a. Violence c. Theft
b. Fraud d. Usage
ANS: B PTS: 1 REF: 92

4. According to the National Information Infrastructure Protection Act of 1996, the severity of the
penalty for computer crimes depends on the value of the information obtained and whether the offense
is judged to have been committed for each of the following except ____.
a. for purposes of commercial advantage c. to harass
b. for private financial gain d. in furtherance of a criminal act
ANS: C PTS: 1 REF: 92

5. The National Information Infrastructure Protection Act of 1996 modified which Act?
a. USA PATRIOT Act
b. USA PATRIOT Improvement and Reauthorization Act
c. Computer Security Act
d. Computer Fraud and Abuse Act
ANS: D PTS: 1 REF: 92

6. The Privacy of Customer Information Section of the common carrier regulation states that any
proprietary information shall be used explicitly for providing services, and not for any ____ purposes.
a. troubleshooting c. customer service
b. billing d. marketing
ANS: D PTS: 1 REF: 93

7. The ____ Portability and Accountability Act of 1996, also known as the Kennedy-Kassebaum Act,
protects the confidentiality and security of health care data by establishing and enforcing standards and
by standardizing electronic data interchange.
a. Customer c. Computer
b. Health Insurance d. Telecommunications
ANS: B PTS: 1 REF: 94

8. Which of the following acts is a collection of statutes that regulate the interception of wire, electronic,
and oral communications?
a. Electronic Communications Privacy Act
b. Financial Services Modernization Act
c. Sarbanes-Oxley Act
d. Economic Espionage Act
ANS: A PTS: 1 REF: 94

9. Which of the following acts is also widely known as the Gramm-Leach-Bliley Act?
a. Financial Services Modernization Act
b. Communications Act
c. Computer Security Act
d. Economic Espionage Act
ANS: A PTS: 1 REF: 95

10. What is the subject of the Computer Security Act?
a. Federal Agency Information Security
b. Telecommunications Common Carriers
c. Cryptography Software Vendors
d. Banking Industry
ANS: A PTS: 1 REF: 96

11. Which of the following acts defines and formalizes laws to counter threats from computer-related acts
and offenses?
a. Electronic Communications Privacy Act of 1986
b. Freedom of Information Act (FOIA)
c. Computer Fraud and Abuse Act
d. Federal Privacy Act of 1974
ANS: C PTS: 1 REF: 96

12. ____ defines stiffer penalties for prosecution of terrorist crimes.
a. USA Patriot Act c. Gramm-Leach-Bliley Act
b. Sarbanes-Oxley Act d. Economic Espionage Act
ANS: A PTS: 1 REF: 97

13. ____ attempts to prevent trade secrets from being illegally shared.
a. Electronic Communications Privacy Act
b. Sarbanes-Oxley Act
c. Financial Services Modernization Act
d. Economic Espionage Act
ANS: D PTS: 1 REF: 98

14. The ____ of 1999 provides guidance on the use of encryption and provides protection from
government intervention.
a. Sarbanes-Oxley Act
b. Gramm-Leach-Bliley Act
c. U.S.A. Patriot Act
d. Security and Freedom through Encryption Act
ANS: D PTS: 1 REF: 98

15. What is the subject of the Sarbanes-Oxley Act?
a. Banking c. Privacy
b. Financial Reporting d. Trade secrets
ANS: B PTS: 1 REF: 99

16. The Council of Europe adopted the Convention of Cybercrime in ____.
a. 1976 c. 1998
b. 1986 d. 2001
ANS: D PTS: 1 REF: 100

17. Which of the following countries reported generally intolerant attitudes toward personal use of
organizational computing resources?
a. Australia c. Singapore
b. United States d. Sweden
ANS: C PTS: 1 REF: 103

18. Individuals with authorization and privileges to manage information within the organization are most
likely to cause harm or damage ____.
a. with intent c. with malice
b. by accident d. with negligence
ANS: B PTS: 1 REF: 107

19. Criminal or unethical ____ goes to the state of mind of the individual performing the act.
a. attitude c. accident
b. intent d. ignorance
ANS: B PTS: 1 REF: 107

20. Laws and policies and their associated penalties only deter if which of the following conditions is
present?
a. Fear of penalty
b. Probability of being caught
c. Probability of penalty being administered
d. All of the above
ANS: D PTS: 1 REF: 107

COMPLETION

1. ____________________ are rules that mandate or prohibit certain behavior in society.

ANS: Laws

PTS: 1 REF: 90-91

2. Guidelines that describe acceptable and unacceptable employee behaviors in the workplace are known
as ____________________.

ANS: policies

PTS: 1 REF: 91

3. ____________________ are the fixed moral attitudes or customs of a particular group.

ANS: Cultural mores

PTS: 1 REF: 91

4. “Long arm ____________________” refers to the long arm of the law reaching across the country or
around the world to draw an accused individual into its court systems.

ANS: jurisdiction

PTS: 1 REF: 91

5. ____________________ is the legal obligation of an entity that extends beyond criminal or contract
law.

ANS: Liability

PTS: 1 REF: 91

6. Family law, commercial law, and labor law are all encompassed by ____________________ law.

ANS: private

PTS: 1 REF: 92

7. The ____________________ Act of 2001 provides law enforcement agencies with broader latitude in
order to combat terrorism-related activities.

ANS:
U.S.A. Patriot
USA Patriot

PTS: 1 REF: 93

8. ____________________ information is created by combining pieces of non-private data—often
collected during software updates, and via cookies—that when combined may violate privacy.

ANS: Aggregate

PTS: 1 REF: 93

9. The ______________________________ Act of 1986 is a collection of statutes that regulates the
interception of wire, electronic, and oral communications.

ANS: Electronic Communications Privacy

PTS: 1 REF: 94

10. The ______________________________ contains a number of provisions focusing on facilitating
affiliation among banks, securities firms, and insurance companies.

ANS:
Financial Services Modernization
Gramm-Leach-Bliley Act of 1999

PTS: 1 REF: 95

11. The ____________________ Act of 1996 attempts to prevent trade secrets from being illegally shared.

ANS: Economic Espionage

PTS: 1 REF: 98

12. The ____________________ Act seeks to improve the reliability and accuracy of financial reporting,
as well as increase the accountability of corporate governance, in publicly traded companies.

ANS: Sarbanes-Oxley

PTS: 1 REF: 99

13. The _________________________ Act of 1966 allows any person to request access to federal agency
records or information not determined to be a matter of national security.

ANS: Freedom of Information

PTS: 1 REF: 99

14. The ________________________________________ is the American contribution to an international
effort to reduce the impact of copyright, trademark, and privacy infringement, especially when
accomplished via the removal of technological copyright protection measures.

ANS:
Digital Millennium Copyright Act (DMCA)
Digital Millennium Copyright Act
DMCA

PTS: 1 REF: 101

15. Software license infringement is also often called software ____________________.

ANS: piracy

PTS: 1 REF: 103

16. The low overall degree of tolerance for ____________________ system use may be a function of the
easy association of the common crimes of breaking and entering, trespassing, theft, and
destruction of property with their computer-related counterparts.

ANS: illicit

PTS: 1 REF: 103

17. Key studies reveal that the overriding factor in leveling the ethical perceptions within a small
population is ____________________.

ANS: education

PTS: 1 REF: 107

18. The ___________________________________ is a respected professional society that was
established in 1947 as “the world’s first educational and scientific computing society.”

ANS: Association for Computing Machinery

PTS: 1 REF: 108

19. The ________________________________________________________________________________
manages a body of knowledge on information security and administers and evaluates examinations for
information security certifications.

ANS:
International Information Systems Security Certification Consortium, Inc. (ISC)2
International Information Systems Security Certification Consortium, Inc.
(ISC)2

PTS: 1 REF: 109


20. The ________________________________________ Association is a professional association that
focuses on auditing, control, and security and whose membership comprises both technical and
managerial professionals.

ANS:
Information Systems Audit and Control
ISACA

PTS: 1 REF: 109

ESSAY

1. What are the requirements for a policy to become enforceable?

ANS:
For a policy to become enforceable, the organization must be able to demonstrate all five of the following:
Dissemination (distribution) - The organization must be able to demonstrate that the relevant policy
has been made readily available for review by the employee.

Review (reading) - The organization must be able to demonstrate that it disseminated the document in
an intelligible form, including versions for illiterate, non-English reading, and reading-impaired
employees.

Comprehension (understanding) - The organization must be able to demonstrate that the employee
understood the requirements and content of the policy.

Compliance (agreement) - The organization must be able to demonstrate that the employee agrees to
comply with the policy, through act or affirmation.

Uniform enforcement - The organization must be able to demonstrate that the policy has been
uniformly enforced, regardless of employee status or assignment.

PTS: 1 REF: 91-92

2. List the five fundamental principles of HIPAA.

ANS:
1. Consumer control of medical information
2. Boundaries on the use of medical information
3. Accountability for the privacy of private information
4. Balance of public responsibility for the use of medical information for the greater good measured
against impact to the individual
5. Security of health information

PTS: 1 REF: 94-95

3. List three of the provisions included in the Security And Freedom Through Encryption Act of 1999.

ANS:
Reinforce an individual’s right to use or sell encryption algorithms, without concern for regulations
requiring some form of key registration. Key registration is the storage of a cryptographic key (or its
text equivalent) with another party to be used to break the encryption of data. This is often called “key
escrow.”

Prohibit the federal government from requiring the use of encryption for contracts, grants, and other
official documents, and correspondence.

State that the use of encryption is not probable cause to suspect criminal activity.

Relax export restrictions by amending the Export Administration Act of 1979.

Provide additional penalties for the use of encryption in the commission of a criminal act.

PTS: 1 REF: 98