Accounting Chapter 9 (1): Generally Accepted Privacy Principles: A) Management, B) Notice, C) Choice

Type: Homework Help
Pages: 9
Words: 2818
Authors: Marshall B. Romney, Paul J. Steinbart

Accounting Information Systems, 13e (Romney/Steinbart)
Chapter 9 Confidentiality and Privacy Controls
9.1 Identify and explain controls designed to protect the confidentiality of sensitive corporate
information.
1) Identify the type of information below that is least likely to be considered "sensitive" by an
organization.
A) financial statements
B) legal documents
C) strategic plans
D) product cost information
2) Which of the following is not one of the basic actions that an organization must take to
preserve the confidentiality of sensitive information?
A) identification of information to be protected
B) backing up the information
C) controlling access to the information
D) training
3) Classification of confidential information is the responsibility of whom, according to
COBIT5?
A) external auditor
B) information owner
C) IT security professionals
D) management
4) True or False: Encryption is one of the many ways to protect information in transit over the
internet.
5) Classification of confidential information is the responsibility of whom, according to
COBIT5?
A) external auditor
B) information owner
C) IT security professionals
D) management
6) Encryption is a necessary part of which information security approach?
A) defense in depth
B) time based defense
C) cloud quarantine
D) synthetic defense
7) Information rights management software can do all of the following except
A) limit access to specific files.
B) limit action privileges to a specific time period.
C) authenticate individuals accessing information.
D) specify the actions individuals granted access to information can perform.
8) Identify the first step in protecting the confidentiality of intellectual property below.
A) Identifying who has access to the intellectual property
B) Identifying the means necessary to protect the intellectual property
C) Identifying the weaknesses surrounding the creation of the intellectual property
D) Identifying what controls should be placed around the intellectual property
9) After the information that needs to be protected has been identified, what step should be
completed next?
A) The information needs to be placed in a secure, central area.
B) The information needs to be encrypted.
C) The information needs to be classified in terms of its value to the organization.
D) The information needs to be depreciated.
10) Which type of software blocks outgoing messages containing key words or phrases
associated with an organization's sensitive data?
A) anti-virus software
B) data loss prevention software
C) a digital watermark
D) information rights software
11) Janus Corporation uses a tool that embeds a code into all of its digital documents. It then
scours the internet, searching for codes that it has embedded into its files. When Janus finds an
embedded code on the internet, it knows that confidential information has been leaked. Janus
then begins identifying how the information was leaked and who was involved with the leak.
Janus is using
A) data loss prevention software.
B) a keylogger.
C) a digital watermark.
D) a spybot.
12) What confidentiality and security risk does using VoIP present to organizations?
A) Internet e-mail communications can be intercepted.
B) Internet photographs can be intercepted.
C) Internet video can be intercepted.
D) Internet voice conversations can be intercepted.
9.2 Identify and explain controls designed to protect the privacy of personal information
collected from customers, employees, suppliers or business partners.
1) Which of the following is not one of the 10 internationally recognized best practices for
protecting the privacy of customers' personal information?
A) Provide free credit report monitoring for customers.
B) Inform customers of the option to opt-out of data collection and use of their personal
information.
C) Allow customers' browsers to decline to accept cookies.
D) Utilize controls to prevent unauthorized access to, and disclosure of, customers' information.
2) In developing policies related to personal information about customers, Folding Squid
Technologies adhered to the Trust Services framework. The standard applicable to these policies
is
A) security.
B) confidentiality.
C) privacy.
D) availability.
3) A client approached Paxton Uffe and said, "Paxton, I need for my customers to make
payments online using credit cards, but I want to make sure that the credit card data isn't
intercepted. What do you suggest?" Paxton responded, "The most effective solution is to
implement
A) a data masking program."
B) a virtual private network."
C) a private cloud environment."
D) an encryption system with digital signatures."
4) Describe some steps you can take to minimize your risk of identity theft.
5) The first steps in protecting the privacy of personal information are to identify
A) what sensitive information is possessed by the organization.
B) where sensitive information is stored.
C) who has access to sensitive information.
D) All of the above are first steps in protecting privacy.
6) It is impossible to encrypt information
A) transmitted over the Internet.
B) stored on a hard drive.
C) printed on a report.
D) None of the above
7) Data masking is also referred to as
A) encryption.
B) tokenization.
C) captcha.
D) cookies.
8) Cindy Vindoolo logged on to her e-mail account to find that she had received 50 e-mails from
a company called LifeCo that promised her extreme weight loss if she bought their diet pills.
Cindy angrily deleted all 50 e-mails, realizing she was a victim of
A) telemarketing.
B) spam.
C) direct mail.
D) MLM.
9) Under CAN-SPAM legislation, an organization that receives an opt-out request from an
individual has ________ days to implement steps to ensure they do not send out any additional
unsolicited e-mail to the individual again.
A) 2
B) 5
C) 7
D) 10
10) Identify the item below that is not a step you could take to prevent yourself from becoming a
victim of identity theft.
A) Shred all documents that contain your personal information.
B) Only print your initial and last name on your personal checks.
C) Do not place checks in your outgoing mail.
D) Refuse to disclose your social security number to anyone or any organization.
11) Identify the item below which is not a piece of legislation passed to protect individuals
against identity theft or to secure individuals' privacy.
A) the Health Insurance Portability and Accountability Act
B) the Health Information Technology for Economic and Clinical Health Act
C) the Financial Services Modernization Act
D) the Affordable Care Act
12) If an organization asks you to disclose your social security number, yet fails to permit you to
opt-out before you provide the information, the organization has likely violated which of the
Generally Accepted Privacy Principles?
A) Management
B) Notice
C) Choice and consent
D) Use and retention
13) If an organization asks you to disclose your social security number, but fails to establish a set
of procedures and policies for protecting your privacy, the organization has likely violated which
of the Generally Accepted Privacy Principles?
A) Management
B) Notice
C) Choice and consent
D) Use and retention
14) If an organization asks you to disclose your social security number, but fails to tell you about
its privacy policies and practices, the organization has likely violated which of the Generally
Accepted Privacy Principles?
A) Management
B) Notice
C) Choice and consent
D) Use and retention
15) If an organization asks you to disclose your social security number, yet fails to properly
dispose of your private information once it has fulfilled its purpose, the organization has likely
violated which of the Generally Accepted Privacy Principles?
A) Management
B) Notice
C) Choice and consent
D) Use and retention
16) If an organization asks you to disclose your social security number, but decides to use it for a
different purpose than the one stated in the organization's privacy policies, the organization has
likely violated which of the Generally Accepted Privacy Principles?
A) Collection
B) Access
C) Security
D) Quality
17) If an organization asks you to disclose your date of birth and your address, but refuses to let
you review or correct the information you provided, the organization has likely violated which of
the Generally Accepted Privacy Principles?
A) Collection
B) Access
C) Security
D) Choice and consent
18) If an organization asks you to disclose your date of birth and your address, but fails to take
any steps to protect your private information, the organization has likely violated which of the
Generally Accepted Privacy Principles?
A) Collection
B) Access
C) Security
D) Quality
19) If an organization asks you to disclose your date of birth and your address, but fails to
establish any procedures for responding to customer complaints, the organization has likely
violated which of the Generally Accepted Privacy Principles?
A) Collection
B) Access
C) Security
D) Monitoring and enforcement
9.3 Explain how the two basic types of encryption systems work.
1) Which of the following is not true regarding virtual private networks (VPN)?
A) VPNs provide the functionality of a privately owned network using the Internet.
B) Using VPN software to encrypt information while it is in transit over the Internet in effect
creates private communication channels, often referred to as tunnels, which are accessible only
to those parties possessing the appropriate encryption and decryption keys.
C) It is more expensive to reconfigure VPNs to include new sites than it is to add or remove the
corresponding physical connections in a privately owned network.
D) The cost of the VPN software is much less than the cost of leasing or buying the
infrastructure (telephone lines, satellite links, communications equipment, etc.) needed to create
a privately owned secure communications network.
2) All of the following are associated with asymmetric encryption except
A) speed.
B) private keys.
C) public keys.
D) no need for key exchange.
3) The system and processes used to issue and manage asymmetric keys and digital certificates
are known as
A) asymmetric encryption.
B) certificate authority.
C) digital signature.
D) public key infrastructure.
4) Identify one weakness of encryption below.
A) Encrypted packets cannot be examined by a firewall.
B) Encryption provides for both authentication and non-repudiation.
C) Encryption protects the privacy of information during transmission.
D) Encryption protects the confidentiality of information while in storage.
5) Using a combination of symmetric and asymmetric key encryption, Sofia Chiamaka sent a
report to her home office in Bangalore, India. She received an e-mail acknowledgement that her
report had been received, but a few minutes later she received a second e-mail that contained a
different hash total than the one associated with her report. The most likely explanation for this
result is that
A) the public key had been compromised.
B) the private key had been compromised.
C) the symmetric encryption key had been compromised.
D) the asymmetric encryption key had been compromised.
6) Encryption has a remarkably long and varied history. The invention of writing was apparently
soon followed by a desire to conceal messages. One of the earliest methods, attributed to an
ancient Roman emperor, was the simple substitution of numbers for letters, for example A = 1,
B = 2, etc. This is an example of
A) a hashing algorithm.
B) symmetric key encryption.
C) asymmetric key encryption.
D) a public key.
7) An electronic document that certifies the identity of the owner of a particular public key.
A) asymmetric encryption
B) digital certificate
C) digital signature
D) public key
8) Which systems use the same key to encrypt communications and to decrypt communications?
A) asymmetric encryption
B) symmetric encryption
C) hashing encryption
D) public key encryption
9) These are used to create digital signatures.
A) asymmetric encryption and hashing
B) hashing and packet filtering
C) packet filtering and encryption
D) symmetric encryption and hashing
10) Information encrypted with the creator's private key that is used to authenticate the sender is
A) asymmetric encryption.
B) digital certificate.
C) digital signature.
D) public key.
11) Which of the following is not one of the three important factors determining the strength of
any encryption system?
A) key length
B) key management policies
C) encryption algorithm
D) privacy
12) A process that takes plaintext of any length and transforms it into a short code.
A) asymmetric encryption
B) encryption
C) hashing
D) symmetric encryption
13) Which of the following descriptions is not associated with symmetric encryption?
A) a shared secret key
B) faster encryption
C) lack of authentication
D) separate keys for each communication party
14) Encryption has a remarkably long and varied history. Spies have been using it to convey
secret messages ever since there were secret messages to convey. One powerful method of
encryption uses random digits. Two documents are prepared with the same random sequence of
numbers. The spy is sent out with one and the spy master retains the other. The digits are used as
follows. Suppose that the word to be encrypted is SPY and the random digits are 352. Then S
becomes V (three letters after S), P becomes U (five letters after P), and Y becomes A (two
letters after Y, restarting at A after Z). The spy would encrypt a message and then destroy the
document used to encrypt it. This is an early example of
A) a hashing algorithm.
B) asymmetric key encryption.
C) symmetric key encryption.
D) public key encryption.
15) One way to circumvent the counterfeiting of public keys is by using
A) a digital certificate.
B) digital authority.
C) encryption.
D) cryptography.
16) In a private key system the sender and the receiver have ________, and in the public key
system they have ________.
A) different keys; the same key
B) a decrypting algorithm; an encrypting algorithm
C) the same key; two separate keys
D) an encrypting algorithm; a decrypting algorithm
17) Asymmetric key encryption combined with the information provided by a certificate
authority allows unique identification of
A) the user of encrypted data.
B) the provider of encrypted data.
C) both the user and the provider of encrypted data.
D) either the user or the provider of encrypted data.
18) On June 17, 2013, a laptop computer belonging to Thea Technologies was stolen from the
trunk of Jamie Marcia's car while she was attending a conference. After reporting the theft, Jamie
considered the implications for the company's network security and concluded there was little to
worry about because
A) the computer was insured against theft.
B) the computer was protected by a password.
C) the data stored on the computer was encrypted.
D) it was unlikely that the thief would know how to access the company data stored on the
computer.
19) Hjordis Marika took a call from a client. "Hjordis, I need to interact online in real time with
our affiliate in India, and I want to make sure that our communications aren't intercepted. What
do you suggest?" Hjordis responded, "The best solution is to implement
A) a virtual private network."
B) multifactor authentication."
C) a private cloud environment."
D) an asymmetric encryption system with digital signatures."
20) Describe symmetric encryption and identify three limitations.