Information Security Overview - Chapter A

Questions and Answers

What distinguishes information from knowledge?

• Knowledge is easier to acquire than information.
• Information represents knowledge. (correct)
• Information is an absolute truth.
• Knowledge is reliant on factual information.

Which lesson focuses on justifying the investment in security?

• Lesson 2
• Lesson 3 (correct)
• Lesson 5
• Lesson 7

Which option best describes the role of security in the systems development life cycle?

• Security is integrated at every phase. (correct)
• Security is only considered at the final phase.
• Security is a peripheral concern.
• Security eliminates the need for problem-solving.

What is one of the main outcomes of this chapter?

Understanding the evolution of information security. (A)

What does Lesson 6 cover in this chapter?

Strategies and tactics for security. (A)

How does the text define 'information'?

A portion conveying meaning. (C)

Which lesson specifically addresses the building of a security program?

Lesson 5 (C)

Which of the following best identifies the scope of the chapter's discussion?

A comprehensive overview of information security. (B)

What is the primary focus of the Health Insurance Portability and Accountability Act of 1996 (HIPAA)?

Security over Protected Health Information (PHI) (C)

Which act is known as the Financial Services Modernization Act of 1999?

Gramm-Leach-Bliley Act (GLBA) (D)

Which of the following regulations specifically addresses disclosure of false financial information by publicly traded companies?

Sarbanes-Oxley Act (B)

What do California laws SB 1386 and SB 24 require companies to do?

Protect personal information (D)

What can happen to organizations that fail to comply with security regulations?

They can face strong penalties (B)

What is the relationship between security controls and data access?

Effective security controls enable safe access for authorized parties. (A)

What was a major consequence of Egghead Software's security breach?

Severe damage to the company's reputation. (B)

Which of the following scenarios best illustrates a failure in security practices?

A retailer discovers large-scale theft of customer data due to poor security. (C)

What was the ultimate fate of Egghead Software following the security incident?

The company filed for bankruptcy and was acquired by Amazon.com. (B)

How might improved security practices have affected Egghead Software's situation?

They might have retained their customers and reputation. (A)

What is the primary purpose of classifying information within organizations?

To manage different aspects of its handling and access (D)

Which type of information is typically restricted to employees, contractors, and service providers?

Internal use only information (D)

Which of the following is most likely considered confidential information?

Internal memos and strategic corporate information (D)

What type of information may include trade secrets such as formulas and production details?

Specialized or secret information (C)

What is a key reason why information protection may be mandatory in some business sectors?

To meet legal and regulatory requirements (C)

Which of the following methods is NOT typically associated with managing information handling?

Public sharing (D)

Which of the following is NOT an example of specialized information?

Marketing advertisements (D)

Which aspect of handling information does NOT directly relate to its classification?

Publicity (B)

Which of the following might be classified as information for internal use?

Strategic corporate information on upcoming projects (B)

Which attribute best describes the handling of sensitive information such as passwords and encryption keys?

Confidential and restricted access (D)

Flashcards are hidden until you start studying

Study Notes

Information Security Overview

• Information protection is crucial for organizations; it enhances adaptability and strategic alignment.
• Information is defined as a meaningful representation of data rather than just knowledge.
• Classifying information helps manage access and handling differently, ensuring appropriate security measures.

Categories of Information

• Internal information is accessible to employees, contractors, and service providers, but not to the general public. Examples include internal memos and company announcements.
• Confidential information is available on a need-to-know basis, encompassing research plans, financial forecasts, and customer lists.

Specialized Information

• Trade secrets fall under specialized information, including formulas, intellectual property, proprietary methodologies, and sensitive codes like passwords and encryption keys.
• Protecting specialized information is essential for maintaining competitive advantage.

Regulatory Compliance

• Certain sectors, like healthcare, are mandated to comply with laws such as HIPAA, which require robust security for Protected Health Information (PHI).
• Financial institutions must adhere to compliance requirements under the Federal Financial Institutions Examination Council (FFIEC) and the Gramm-Leach-Bliley Act (GLBA).
• Publicly traded companies are subject to the Sarbanes-Oxley Act (SOX) to protect shareholders and ensure accurate financial reporting.

Legal Regulations

• California laws such as SB 1386 and SB 24 demand that companies protect personal information, with penalties for non-compliance.
• Strong security controls facilitate safer access for authorized entities to sensitive data.

Case Study: Egghead Software

• In 2000, Egghead Software suffered a security breach where approximately 3.7 million credit card numbers were stolen, leading to severe reputational damage.
• The breach resulted in loss of customer trust, declining stock prices, layoffs, and eventual bankruptcy, followed by acquisition by Amazon.com.
• The incident raises questions about the potential for avoiding such consequences through effective security measures.