324 Appendix ■ Answers
2. B. The Communications Assistance to Law Enforcement Act (CALEA) requires that all communications carriers make wiretaps possible for law enforcement officials who have an appropriate court order.

3. B. The Gramm-Leach-Bliley Act (GLBA) places strict privacy regulations on financial institutions, including providing written notice of privacy practices to customers.

4. C. Nondisclosure agreements (NDAs) typically require either mutual or one-way confidentiality in a business relationship. Service-level agreements (SLAs) specify service uptime and other performance measures. Noncompete agreements (NCAs) limit the future employment possibilities of employees. Recovery time objectives (RTOs) are used in business continuity planning.

5. D. Router ACLs, encryption, and firewall rules are all examples of technical controls. Data classification is an administrative control.

6. C. While senior management should be represented on the BCP team, it would be highly unusual for the CEO to fill this role personally.

7. D. Nonrepudiation allows a recipient to prove to a third party that a message came from a purported source. Authentication would provide proof to Ben that the sender was authentic, but Ben would not be able to prove this to a third party.

8. C. Defense in depth states that organizations should have overlapping security controls designed to meet the same security objectives whenever possible. This approach provides security in the event of a single control failure.

9. D. Stakeholders should be informed of changes before, not after, they occur. The other items listed are goals of change management programs.

10. B. Ben should encrypt the data to provide an additional layer of protection as a compensating control. The organization has already made a policy exception, so he should not react by objecting to the exception or removing the data without authorization. Purchasing insurance may transfer some of the risk but is not a mitigating control.

11. A. The risk assessment team should pay the most immediate attention to those risks that appear in quadrant I. These are the risks with a high probability of occurring and a high impact on the organization if they do occur.

12. D. Electronic access to company resources must be carefully coordinated. An employee who retains access after being terminated may use that access to take retaliatory action. On the other hand, if access is terminated too early, the employee may figure out that he or she is about to be terminated.

13. D. In a risk acceptance strategy, the organization decides that taking no action is the most beneficial route to managing a risk.

14. A. COPPA requires that websites obtain advance parental consent for the collection of personal information from children under the age of 13.

15. D. The annualized rate of occurrence (ARO) is the frequency at which you should expect a risk to materialize each year. In a 100-year flood plain, risk analysts expect a flood to occur once every 100 years, or 0.01 times per year.