Security Review Sheet 5 PDF


Tutorial 5 Legal, Ethical, and Professional Issues in Information Security

True / False

1. The key difference between laws and ethics is that ethics carry the authority of a governing body and laws do not.

2. A key difference between a policy and a law is that ignorance of a law is an acceptable defense.

3. For policy to become enforceable, it only needs to be distributed, read, understood, and agreed to.

4. Due care and due diligence require that an organization make a valid effort to protect others and continually maintain
this level of effort, ensuring these actions are effective.

5. Criminal laws address activities and conduct harmful to society and are categorized as public law.

6. The Computer Security Act of 1987, the cornerstone of many computer-related federal laws and enforcement effort,
was originally written as an extension and clarification of the Comprehensive Crime Control Act of 1984.

7. In the context of information security, confidentiality is the right of individuals or groups to protect themselves and their
information from unauthorized access.

8. The FTC recommends that people place an initial fraud alert (among other things) when they suspect they are victims of
identity theft.

9. The Council of Europe Convention on Cybercrime has not been well received by advocates of intellectual property
rights because it de-emphasizes prosecution for copyright infringement.

10. The United States has implemented a version of the DMCA law called the Database Right, in order to comply with
Directive 95/46/EC.

11. Studies on ethics and computer use reveal that people of different nationalities have different perspectives; difficulties
arise when one nationality’s ethical behavior violates the ethics of another national group.

12. Cultural differences can make it difficult to determine what is ethical and not ethical between cultures, except when it
comes to the use of computers, where ethics are considered universal.

13. Unethical and illegal behavior is generally caused by ignorance (of policy and/or the law), by accident, and by
inadequate protection mechanisms.

14. Individuals with authorization and privileges to manage information within the organization are most likely to cause
harm or damage by accident.

15. Laws, policies, and their associated penalties only provide deterrence if offenders fear the penalty, expect to be caught,
and expect the penalty to be applied if they are caught.

16. Employees are not deterred by the potential loss of certification or professional accreditation resulting from a breach
of a code of conduct, because this loss has no effect on employees' marketability and earning power.

17. The Department of Homeland Security is the only U.S. federal agency charged with the protection of American
information resources and the investigation of threats to, or attacks on, those resources.

18. The Department of Homeland Security works with academic campuses nationally, focusing on resilience, recruitment,
internationalization, growing academic maturity, and academic research.

19. The Secret Service is charged with safeguarding the nation’s financial infrastructure and payments systems to preserve
the integrity of the economy.

20. Since it was established in January 2001, every FBI field office has started an InfraGard program to collaborate with
public and private organizations and the academic community.

21. The NSA is responsible for signal intelligence, information assurance products and services, and enabling computer
network operations to gain a decision advantage for the United States and its allies.

Modified True / False

22. Ethics are the moral attitudes or customs of a particular group. _____

23. Civil law addresses activities and conduct harmful to society and is actively enforced by the state. _____

24. Privacy is the right of individuals or groups to protect themselves and their information from unauthorized access,
providing confidentiality._____

25. Information denigration refers to pieces of nonprivate data that, when combined, may create information that violates
privacy. _____

26. The Economic Espionage Act of 1996 protects American ingenuity, intellectual property, and competitive advantage.
_____

27. Intellectual privacy is recognized as a protected asset in the United States. _____

28. The Graham-Leach-Bliley Act is a critical piece of legislation that affects the executive management of publicly
traded corporations and public accounting firms. _____

29. The Digital Millennium Copyright Act is the American law created in response to Directive 95/46/EC, adopted in
1995 by the European Union. _____

30. In a study on software license infringement, licenses from the United States were significantly more permissive than
those from the Netherlands and other countries. _____

31. Laws, policies, and their associated penalties only provide deterrence if, among other things, potential offenders fear
the probability of a penalty being applied. _____

32. The code of ethics put forth by (ISC)2 focuses on four mandatory canons: “Protect society, the commonwealth, and the
infrastructure; act honorably, honestly, justly, responsibly, and legally; provide diligent and competent service to
principals; and advance and protect the profession.” _____

33. The Department of Homeland Security was created in 2003 by the 9/11 Memorial Act of 2002. _____

34. The U.S. Secret Service is currently within the Department of the Treasury. _____

35. The communications networks of the United States carry(ies) more funds than all of the armored cars in the world
combined. _____

36. The Federal Bureau of Investigation’s National InfraGard Program serves its members in four basic ways: Maintains
an intrusion alert network using encrypted e-mail; maintains a secure Web site for communication about suspicious
activity or intrusions; sponsors local chapter activities; and operates a help desk for questions. _____

37. The Health Insurance Portability and Accountability Act of 1996 (HIPAA), also known as the
Kennedy–Kassebaum Act, protects the confidentiality and security of healthcare data. _____

Multiple Choice

38. _____ law comprises a wide variety of laws pertaining to relationships among individuals and organizations.
a. Criminal b. Civil
c. Statutory d. Constitutional

39. _____ law regulates the structure and administration of government agencies and their relationships with citizens,
employees, and other governments.
a. Public b. Private
c. Civil d. Criminal

40. The Computer _____ and Abuse Act of 1986 is the cornerstone of many computer-related federal laws and
enforcement efforts.
a. Violence b. Fraud
c. Theft d. Usage

41. According to the National Information Infrastructure Protection Act of 1996, the severity of the penalty for computer
crimes depends on the value of the information obtained and whether the offense is judged to have been committed for
each of the following except _____.
a. for purposes of commercial advantage b. for private financial gain
c. to harass d. in furtherance of a criminal act

42. The _____ defines stiffer penalties for prosecution of terrorism-related activities.
a. USA PATRIOT Act b. Sarbanes-Oxley Act
c. Gramm-Leach-Bliley Act d. Economic Espionage Act

43. The National Information Infrastructure Protection Act of 1996 modified which act?
a. USA PATRIOT Act
b. USA PATRIOT Improvement and Reauthorization Act
c. Computer Security Act
d. Computer Fraud and Abuse Act

44. Which of the following acts defines and formalizes laws to counter threats from computer-related acts and offenses?
a. Electronic Communications Privacy Act of 1986
b. Freedom of Information Act (FOIA) of 1966
c. Computer Fraud and Abuse Act of 1986
d. All of the other answers are correct

45. In 2002, Congress passed the Federal Information Security Management Act (FISMA), which mandates that all
federal agencies _____.
a. provide security awareness training
b. periodic assessment of risk
c. develop policies and procedures based on risk assessments
d. all of the other answers are correct

46. What is the subject of the Computer Security Act of 1987?
a. Federal agency information security
b. Telecommunications common carriers
c. Cryptography software vendors
d. All of the other answers are correct

47. The Privacy of Customer Information Section of the common carrier regulation states that any proprietary information
shall be used explicitly for providing services, and not for any _____ purposes.
a. troubleshooting b. billing
c. customer service d. marketing

48. The Health Insurance Portability and Accountability Act of 1996, also known as the _____ Act, protects the
confidentiality and security of health-care data by establishing and enforcing standards and by standardizing electronic
data interchange.
a. Gramm-Leach-Bliley b. Kennedy-Kassebaum
c. Privacy d. HITECH

49. Which of the following acts is a collection of statutes that regulate the interception of wire, electronic, and oral
communications?
a. Electronic Communications Privacy Act
b. Financial Services Modernization Act
c. Sarbanes-Oxley Act
d. Economic Espionage Act

50. Which of the following acts is also widely known as the Gramm-Leach-Bliley Act?
a. Financial Services Modernization Act
b. Communications Act
c. Computer Security Act
d. Health Insurance Portability and Accountability Act

51. Information about a person’s history, background, and attributes that can be used to commit identity theft is known as
_____ information.
a. virtually interpreted
b. privately held
c. personally identifiable
d. identity defined

52. The unauthorized taking of personal information with the intent of committing fraud and abuse of a person’s financial
and personal reputation, purchasing goods and services without authorization, and generally impersonating the victim for
illegal or unethical purposes is known as _____.
a. non-criminal fraud
b. ransoming
c. identity theft
d. identity extortion

53. The _____ attempts to prevent trade secrets from being illegally shared.
a. Electronic Communications Privacy Act
b. Sarbanes-Oxley Act
c. Financial Services Modernization Act
d. Economic Espionage Act

54. The _____ of 1999 provides guidance on the use of encryption and provides protection from government intervention.
a. Prepper Act
b. Economic Espionage Act
c. USA PATRIOT Act
d. Security and Freedom through Encryption Act

55. _____ use allows copyrighted materials to be used to support news reporting, teaching, scholarship, and similar
activities, if the use is for educational or library purposes, is not for profit, and is not excessive.
a. Justified b. Fair
c. Personal d. Limited

56. What is the subject of the Sarbanes-Oxley Act?
a. Banking b. Financial reporting
c. Privacy d. Trade secrets

57. Payment Card Industry _____ Standards are designed to enhance the security of customers’ payment card account
data.
a. Data Safety b. Data Security
c. Data Practices d. Account Security

58. In 2001, the Council of Europe drafted the European Council Cybercrime Convention, which empowers an
international task force to oversee a range of security functions associated with _____ activities.
a. online terrorist b. electronic commerce
c. cyberactivist d. Internet

59. The Digital _____ Copyright Act is the American contribution to an international effort by the World Intellectual
Properties Organization (WIPO) to reduce the impact of copyright, trademark, and privacy infringement.
a. Management b. Master
c. Information d. Millennium

60. In the 1999 study of computer use-ethics, which of the following countries reported the least tolerant attitudes toward
misuse of organizational computing resources?
a. Australia b. United States
c. Singapore d. Sweden

61. Individuals with authorization and privileges to manage information within the organization are most likely to cause
harm or damage _____.
a. with intent b. by accident and/or through unintentional negligence
c. with malice d. none of the other answers are correct

62. There are three general causes of unethical and illegal behavior: _____, Accident, and Intent.
a. Curiosity b. Ignorance
c. Revenge d. None of the other answers are correct

63. Criminal or unethical _____ goes to the state of mind of the individual performing the act.
a. ignorance
b. intent
c. accident
d. all of the other answers are correct

64. Laws, policies, and their associated penalties only provide deterrence if which of the following conditions is present?
a. Fear of penalty
b. Probability of being caught
c. Probability of penalty being administered
d. All of the other answers are correct

65. _____ is a professional association that focuses on auditing, control, and security. The membership comprises both
technical and managerial professionals.
a. ISACA b. Information Systems Security Association (ISSA)
c. EC-Council d. SANS

66. The _____ is a respected professional society that was established in 1947. Today it is “the world’s largest
educational and scientific computing society.”
a. Association for Computing Machinery b. Information Systems Security Association (ISSA)
c. International Information Systems Security Certification Consortium, Inc. d. EC-Council

Completion

67. _____ are rules that mandate or prohibit certain behavior and are enforced by the government.

68. _____ are the fixed moral attitudes or customs of a particular group.

69. _____ is the legal obligation of an entity that extends beyond criminal or contract law.

70. “Long arm _____” refers to the long arm of the law reaching across the country or around the world to draw an
accused individual into its court systems whenever it can establish jurisdiction.

71. Managerial statements that dictate certain behavior within an organization are known as _____.

72. Family law, commercial law, and labor law are all encompassed by _____ law.

73. The _____ Act of 2001 provides law enforcement agencies with broader latitude in order to combat terrorism-related
activities.

74. _____ information is a form of collective data that relates to a group or category of people and that has been altered to
remove characteristics or components that make it possible to identify individuals within the group.

75. The _____ Act of 1986 is a collection of statutes that regulates the interception of wire, electronic, and oral
communications.

76. The _____ Act of 1999 contains a number of provisions focusing on facilitating affiliation among banks, securities
firms, and insurance companies.

77. _____ theft is the unauthorized taking of personal information with the intent of committing fraud or another illegal or
unethical purpose.

79. The _____ Act seeks to improve the reliability and accuracy of financial reporting, as well as increase the
accountability of corporate governance, in publicly traded companies.

80. The _____ of 1966 allows any person to request access to federal agency records or information not determined to be
a matter of national security.

81. The _____ Card Industry Data Security Standards are designed to enhance the security of customers’ account data.

82. The _____ is the American contribution to an international effort to reduce the impact of copyright, trademark, and
privacy infringement, especially when accomplished via the removal of technological copyright protection measures.

83. Software license infringement is also often called software _____.

84. According to the 1999 international study of computer-use ethics, many people from many cultural backgrounds
indicated that unless an organization explicitly forbids _____ use of its computing resources, such use is acceptable.

85. Key studies reveal that the overriding factor in leveling the ethical perceptions within a small population is _____.

86. The _____ is a respected professional society that was established in 1947 as “the world’s first educational and
scientific computing society.”

87. The _____ is a nonprofit organization that focuses on the development and implementation of information security
certifications and credentials.

88. The _____ is a professional association that focuses on auditing, control, and security and whose membership
comprises both technical and managerial professionals.

Essay

89. What are the requirements for a policy to become enforceable?

90. List the five fundamental principles of HIPAA.

91. What are the provisions of the Digital Millennium Copyright Act (DMCA)?

92. Laws, policies, and their associated penalties only provide deterrence if three conditions are present. List and describe
them.

Subjective Short Answer

93. What is civil law, and what does it accomplish?

94. If you work for a financial services organization such as a bank or credit union, which 1999 law affects your use of
customer data? What other effects does it have?

95. What is the difference between law and ethics?
