143. d. To qualify as a trade secret, information must be of competitive value or advantage to the owner or his business. Trade secrets can include technical information and customer and supplier lists. Employee names do not come under the trade secret category because they are somewhat public information, requiring protection from recruiters.
144. Which of the following covers system-specific policies and procedures?
a. Technical controls
b. Operational controls
c. Management controls
d. Development controls
144. c. Management controls are actions taken to manage the development, maintenance, and use of the system, including system-specific policies, procedures, and rules of behavior, individual roles and responsibilities, individual accountability, and personnel security decisions.
Technical controls include hardware and software controls used to provide automated protection to the computer system or applications. Technical controls operate within the technical systems and applications.
Operational controls are the day-to-day procedures and mechanisms used to protect operational systems and applications. Operational controls affect the system and application environment.
Development controls include the process of assuring that adequate controls are considered, evaluated, selected, designed, and built into the system during its early planning and development stages, and that an ongoing process is established to ensure continued operation at an acceptable level of risk during the installation, implementation, and operation stages.
145. Organizational electronic-mail policy is an example of which of the following?
a. Advisory policy
b. Regulatory policy
c. Specific policy
d. Informative policy
145. c. Advisory, regulatory, and informative policies are broad in nature and cover many topics and areas of interest. E-mail policy is an example of specific policy dealing with communication between and among individuals.
146. What should be done when an employee leaves an organization?
a. Review of recent performance evaluation
b. Review of human resource policies
c. Review of nondisclosure agreements
d. Review of organizational policies
146. c. When an employee leaves an organization, he should be reminded of the nondisclosure agreements that he signed upon his hiring. These agreements include measures to protect confidential and proprietary information such as trade secrets and inventions.
147. For computer security, integrity does not mean which of the following?
a. Accuracy
b. Authenticity
c. Completeness
d. Timeliness
147. d. Timeliness is a part of the availability goal, whereas accuracy, authenticity, and completeness are part of the integrity goal.
148. For computer security, confidentiality does not mean which of the following?
a. Nonrepudiation
b. Secrecy
c. Privacy
d. Sensitivity
148. a. Nonrepudiation is a part of the integrity goal, whereas secrecy, privacy, sensitivity, and criticality are part of the confidentiality goal.
149. Which of the following security goals is meant for intended uses only?
a. Confidentiality
b. Integrity
c. Availability
d. Accountability
149. c. Availability is for intended uses only and not for any other uses. Another definition of availability is ensuring timely and reliable access to and use of system-related information by authorized entities. Confidentiality (C), integrity (I), and availability (A) are security goals and are often called the CIA triad. Confidentiality is preserving authorized restrictions on information access and disclosure. Integrity is the property that protected and sensitive data has not been modified or deleted in an unauthorized and undetected manner. Accountability is tracing actions of an entity uniquely to that entity.
150. The advanced encryption standard (AES) is useful for securing which of the following?
a. Confidential but classified material
b. Secret but classified material
c. Top secret but unclassified material
d. Sensitive but unclassified material
150. d. The advanced encryption standard (AES) is an encryption algorithm used for securing sensitive but unclassified material. The loss, misuse, or unauthorized access to or modification of sensitive but unclassified material might adversely affect an organization’s security interests.