CHAPTER 9 Confidentiality and Privacy Controls Flashcards

1
Q
Which of the following statements is true?
  a. Encryption is sufficient to protect confidentiality and privacy.
  b. Cookies are text files that only store information. They cannot perform any actions.
  c. The controls for protecting confidentiality are not effective for protecting privacy.
  d. All of the above are true.
A

b. Cookies are text files that only store information. They cannot perform any actions. (Correct. Cookies are text files, not executable programs. They can, however, store sensitive information, so they should be protected.)

2
Q
A digital signature is ____________.
  a. created by hashing a document and then encrypting the hash with the signer’s private key
  b. created by hashing a document and then encrypting the hash with the signer’s public key
  c. created by hashing a document and then encrypting the hash with the signer’s symmetric key
  d. none of the above
A

a. created by hashing a document and then encrypting the hash with the signer’s private key (Correct. Creating a hash provides a way to verify the integrity of a document, and encrypting it with the signer’s private key provides a way to prove that the sender created the document.)

3
Q
Able wants to send a file to Baker over the Internet and protect the file so that only Baker can read it and can verify that it came from Able. What should Able do?
  a. Encrypt the file using Able’s public key, and then encrypt it again using Baker’s private key.
  b. Encrypt the file using Able’s private key, and then encrypt it again using Baker’s private key.
  c. Encrypt the file using Able’s public key, and then encrypt it again using Baker’s public key.
  d. Encrypt the file using Able’s private key, and then encrypt it again using Baker’s public key.
A

d. Encrypt the file using Able’s private key, and then encrypt it again using Baker’s public key. (Correct. Encrypting it with Baker’s public key means that only Baker can decrypt it. Then, Baker can use Able’s public key to decrypt the file—if the result is understandable, it had to have been created by Able and encrypted with Able’s private key.)

4
Q
Which of the following statements is true?
  a. Encryption and hashing are both reversible (can be decoded).
  b. Encryption is reversible, but hashing is not.
  c. Hashing is reversible, but encryption is not.
  d. Neither hashing nor encryption is reversible.
A

b. Encryption is reversible, but hashing is not. (Correct. Encryption can be reversed to decrypt the ciphertext, but hashing cannot be reversed.)

5
Q
Confidentiality focuses on protecting ____________.
  a. personal information collected from customers
  b. a company’s annual report stored on its website
  c. merger and acquisition plans
  d. all of the above
A

c. merger and acquisition plans (Correct. Merger and acquisition plans are sensitive information that should not be made public until the deal is consummated.)

6
Q
Which of the following statements about obtaining consent to collect and use a customer’s personal information is true?
  a. The default policy in Europe is opt-out, but in the United States the default is opt-in.
  b. The default policy in Europe is opt-in, but in the United States the default is opt-out.
  c. The default policy in both Europe and the United States is opt-in.
  d. The default policy in both Europe and the United States is opt-out.
A

b. The default policy in Europe is opt-in, but in the United States the default is opt-out. (Correct.)

7
Q
One of the ten Generally Accepted Privacy Principles concerns security. According to GAPP, what is the nature of the relationship between security and privacy?
  a. Privacy is a necessary, but not sufficient, precondition to effective security.
  b. Privacy is both necessary and sufficient to effective security.
  c. Security is a necessary, but not sufficient, precondition to protect privacy.
  d. Security is both necessary and sufficient to protect privacy.
A

c. Security is a necessary, but not sufficient, precondition to protect privacy. (Correct.)

8
Q
Which of the following statements is true?
  a. Symmetric encryption is faster than asymmetric encryption and can be used to provide nonrepudiation of contracts.
  b. Symmetric encryption is faster than asymmetric encryption but cannot be used to provide nonrepudiation of contracts.
  c. Asymmetric encryption is faster than symmetric encryption and can be used to provide nonrepudiation of contracts.
  d. Asymmetric encryption is faster than symmetric encryption but cannot be used to provide nonrepudiation of contracts.
A

b. Symmetric encryption is faster than asymmetric encryption but cannot be used to provide nonrepudiation of contracts. (Correct. Symmetric encryption is faster than asymmetric encryption, but it cannot be used for nonrepudiation; the key is shared by both parties, so there is no way to prove who created and encrypted a document.)

9
Q
Which of the following statements is true?
  a. VPNs protect the confidentiality of information while it is in transit over the Internet.
  b. Encryption limits firewalls’ ability to filter traffic.
  c. A digital certificate contains that entity’s public key.
  d. All of the above are true.
A

d. All of the above are true. (Correct. All three statements are true.)

10
Q
Which of the following can organizations use to protect the privacy of a customer’s personal information when giving programmers a realistic data set with which to test a new application?
  a. Digital signature.
  b. Digital watermark.
  c. Data loss prevention.
  d. Data masking.
A

d. Data masking. (Correct. Masking replaces actual values with fake ones, but the result is still the same type of data, which can then be used to test program logic.)
