
ROBERT MORRIS UNIVERSITY MORRIS GRADUATE SCHOOL OF MANAGEMENT MIS 562 - Legal Issues in Information Assurance and Auditing.

NAME: ______________________________________________

PART 1: MULTIPLE CHOICE (60 points)


1. What type of law addresses violations against society?
A. Criminal Law
B. Tort Law
C. Private Law
D. Civil Law

2. Digital forensics can be used for what two key purposes?
A. Investigation of perceived poor behavior and high-level analysis
B. Investigation of digital crime and high-level analysis
C. Investigation of allegations of digital crime and root cause analysis
D. Investigation of perceived poor computer behavior and root cause analysis

3. The Chief Information Security Officer (CISO) has asked you to create the organization's information security policy. What topics do you typically have to include?
A. Definition of information security, its objectives and methodology
B. Definition of information security, its objectives and scope
C. Definition of information security, its objectives, methodology and planning
D. Objectives and scope

4. Laws and policies create deterrence to unethical behavior only if what 3 characteristics are present?
A. Fear of penalty, probability of being caught, probability of penalty being administered
B. Fear of penalty, probability of a threat, probability of a vulnerability
C. Fear of threat, fear of probability, likelihood of harsh consequence
D. Fear of threat, fear of penalty, probability of penalty being administered

5. The Chief Executive Officer (CEO) of your organization has asked you to provide an executive summary outlining the basic components of a plan to implement an Information Security Management System. What are the first tasks that you will indicate?
A. A definition for protecting the confidentiality, integrity and availability of data, information security procedures, business continuity plan and the risk mitigation strategies.
B. Identification and assessment of risks, definition of responsibilities, designing and implementation of security controls.
C. The information security charter, the work breakdown structure necessary for doing information security work and the risk mitigation and acceptance process.
D. Topic, thesis, organizational relationships and the list of key stakeholders.

6. Evidentiary material may be all of the following except:
A. An item that provides potential evidentiary value
B. Any information that could potentially support the organization's legal- or policy-based case against a suspect
C. An item does not become evidence until it is formally admitted to evidence by a judge or other ruling official
D. Evidence against the hacker that can be used for any purpose in or outside the court of law

7. You are the Information Security Manager (ISM) of an IT Service Provider. The CISO asks you if there are any requirements in ISO/IEC 27002 that should be taken into account, as the organization wants to comply with this standard. To which requirement in the standard will you refer?
A. Business Continuity requirements
B. The requirement to address security in third party agreements
C. The requirement to manage information security incidents
D. The requirement to manage disasters and recovery processes

8. It is advisable to have a number of security classification levels in your organization for the classification of information (assets). What is the primary reason for identifying different classes of data?
A. We are able to design information security controls that rely on layered defensive measures to protect all the classes of data.
B. We can design information security controls that are dedicated to each of the different levels.
C. We can focus our limited money and people resources on protecting the data and systems that need to be protected.
D. We can make it easier for employees to know which data they are allowed to access during the course of doing their jobs.

9. What are the three main high-level types of controls associated with both the HIPAA and GLBA regulations?
A. Administrative, Procedural, Technical
B. Administrative, Procedural, Analytical
C. Procedural, Technical, Analytical
D. Administrative, Physical, Technical

10. The SB 1386 rule drives companies to do all of the following except:
A. to review systems and policies in preparation to comply.
B. to improve their network/computer security.
C. to increase the amount of personal information stored.
D. to use encryption to secure their data.

11. Who determines the security classification of information?
A. The custodian of the information
B. The owner of the information
C. The user of the information
D. The CIO of the organization

12. Which of the following is used to create a no-man's land between the inside and outside of networks, where most organizations place their web servers?
A. Firewall Zone
B. Demilitarized Zone (DMZ)
C. Intrusion Detection Zone
D. Honeypot Zone

13. The overall purpose of FIPS-199 guidance is:
A. Mapping of computer types to risk level
B. Mapping of information types to risk level based on regulations
C. Mapping of information types to risk levels using confidentiality, integrity, and availability as guidelines
D. Mapping of regulations to information types based on CISO input

14. All of the following are types of risk within Basel II except:
A. Credit Risk
B. Market Risk
C. Operational Risk
D. Procedural Risk

15. An information security colleague of yours was given the task of writing the scope section of her organization's information security policy. What kind of information is needed for defining the information security policy scope?
A. The characteristics of the business, the organization, its location, assets and technology covered by the policy.
B. The consequences to employees for non-compliance with the information security policy.
C. The identification of who (role) is responsible for activities and tasks.
D. The overall mission of the corporation from a business perspective.

16. The SANS GIAC code of ethics requires all of the following except:
A. Respect for the public
B. Respect for the certification
C. Respect for my employer
D. Respect for other employees

17. COBIT stands for:
A. Control Objectives for Information and related Technology
B. Control Objectives for Information Security
C. Control Objectives for Information Infrastructure
D. Control Objectives for Information Processing

18. All of the following are considered customer information except:
A. Social security numbers
B. Credit card account numbers
C. Family member names
D. Date and/or location of birth

19. The Risk Management Framework should be implemented in which of the following stages of the Systems Development Life Cycle (SDLC)?
A. Initiation
B. Development and Acquisition
C. Implementation
D. All of the above

20. Your CISO asks you which standards and controls to implement. The CISO knows that an organization can implement an Information Security Management System (ISMS) that can be certified against an ISO standard, but doesn't know which one. What standard would you recommend to the CISO?
A. ISO/IEC 15308-1:2005
B. ISO/IEC 17799:2005
C. ISO/IEC 27001:2005
D. ISO/IEC 27002:2005

21. How many control objectives are contained within ISO27002?
A. 11
B. 39
C. 133
D. 33

22. ISO27001 makes use of what model to help manage information security systems?
A. PICA
B. PLCA
C. DLCA
D. PDCA

23. Against which of the following can an organization be certified?
A. ISO27002
B. COBIT
C. ISO27001
D. FISMA

24. All are control areas within ISO27002 except:
A. Human Resources
B. Access Control
C. Incident Management
D. Business Continuity
E. Security Standards

25. For the formulation of the list of security measures to be introduced, a member of the management team proposes using ISO/IEC 27002 as the basis for the security requirements. What is your reaction?
A. You indicate that if the organization uses the ISO/IEC 27001 standard instead, the organization will also be able to be certified.
B. You indicate that the ISO/IEC 27002 standard in this case had better not be used, because this standard does not cover the initiation of security measures.
C. You indicate that ISO/IEC 27002 should not be used, since it only applies to specific industries.
D. You indicate that this standard should be used wisely, because the requirements in ISO/IEC 27002 can easily lead to an extensive range of measures.

26. From an equation perspective, the equation for risk is:
A. Risk = Threat + Probability
B. Risk = Threat * Probability
C. Risk = Threat * Vulnerability
D. Risk = Threat + Vulnerability

27. All of the following are governance functions within COBIT 5 except:
A. Ensure Systems Security
B. Ensure Risk Optimization
C. Ensure Resource Optimization
D. Ensure Benefits Delivery

28. A senior management representative has asked that you help the organization establish an Information Security Management System (ISMS). What is one of the first key responsibilities of management?
A. Creating the business impact analysis report and having it approved by the board of directors.
B. Reviewing reports on the state of information security throughout the organization.
C. Formulating, reviewing and approving the information security policy.
D. Having the details of the progress of the risk treatment plan in order to support it.

29. Information security requirements within service level agreements are most relevant to third party arrangements when corporations are using:
A. Internal computing
B. External business relationships
C. Government services
D. Cloud computing services

30. What US law is responsible for the establishment of the National Bureau of Standards (NSA), and ultimately for the current use of NIST standards?
A. Federal Privacy Act of 1974
B. Computer Security Act of 1987
C. Computer and Fraud Abuse Act of 1986
D. Identity Theft and Assumption Deterrence Act of 1998

Part 2: TRUE/FALSE (20 points)


31. HIPAA is a privacy law that mostly pertains to both health providers and financial firms. _____

32. Ethics plays a big part in having an effective information security program. _____

33. ISO27002 can be used for certification within an organization. _____

34. The USA Patriot Act deals with anti-terrorism activity. _____

35. CISM is a Certified Information Security Manager certification that can be obtained through ISACA. _____

36. COBIT is an Information Technology control framework that was designed by ISC2. _____

37. A driver's license number would be considered part of the identifiable information known as customer information. _____

38. A clean desk policy is a policy that stipulates that confidential information should be cleared from the desk and secured properly. _____

39. Using password-activated screensavers is an example of a technical safeguard within GLBA. _____

40. Bringing your own device (BYOD) for corporations is a new trend in mobile computing that brings so much business benefit that the risks associated with this trend should be accepted without controls. _____

Part 3: SHORT ANSWER (80 points)


41. Identify and list the most appropriate industry that the following regulations would apply to based on our class discussion.

A. HIPAA _________________
B. GLBA _________________
C. FISMA _________________
D. Basel II _________________
E. SOX _________________
F. PCI _________________

42. Name 3 purposes of an Enterprise Information Security Awareness Program.

43. List and give a brief description of the 5 Golden Rules of building an Information Security Program.

44. What is the difference between defense in depth and a security perimeter?

45. Identify and define the 3 main objectives of the Safeguards Rule.

46. Give 4 examples of administrative safeguards in either HIPAA or GLBA.

47. Give 4 examples of physical safeguards in either HIPAA or GLBA.

48. What is the main purpose of the USA Patriot Act?

49. Define in your own words the overall purpose of COBIT.

50. Define the following and give an explanation and an example of each.
A. Information Security Policy
B. Information Security Standard
C. Information Security Practice/Procedure

51. Name the 5 main principles of COBIT.

52. What is the difference between governance and management in COBIT?

53. Name 3 benefits of COBIT 5 for Information Security.

54. How does ISACA define information security?

55. Name 3 of the 5 common information security requirements under the Unified Framework for information security.

56. What is InfraGard, and what is its overall purpose?

57. What is an ISMS, and why is it important to an organization?

58. Identify and explain the steps in the digital forensics methodology.

59. Describe the PDCA model used for the ISMS in ISO27001.

60. What are the penalties/fines associated with SOX non-compliance?

Part 4: ESSAY (40 points) Answer only 4 of the following 6 questions.


1. You have just been named CISO for your organization and you are charged with establishing an information security program. Please describe the steps and components of how you would organize your program. What considerations would you take into account in creating your program?

2. Explain why a risk assessment process is important to an organization. Then name the steps of the Risk Assessment process used in FISMA, including a brief description of each step.

3. Describe in detail the importance of ethics for information security professionals.

4. Describe some of the different information security certifications that can be obtained by information security professionals, and why attaining certifications is important in the information security field.

5. Describe in your own words how COBIT, ISO27001, ISO27002, and NIST controls and standards could be implemented holistically in one company. How would they be used, and how do they complement each other?

6. Describe in detail your impressions and opinions on how compliance and information security should work together in an organization. Which drives which, and is it possible to be secure and non-compliant, or is it possible to be compliant and non-secure? Give reasons why or why not.
