CPP - Domain 5 Info Security

This document discusses information security and outlines four tasks: 1) Survey information facilities, processes and systems to evaluate security; 2) Develop and implement policies to protect information; 3) Develop and manage an integrated security program; 4) Evaluate the effectiveness of security controls. It defines proprietary information, trade secrets, patents, and copyrights. It also discusses threats to proprietary information, internal threats from employees, and approaches to dealing with proprietary information under common law.

Uploaded by kaleem ahmed

Week 8 November 9

Instructor & Prepared by – Dan Snell

DOMAIN 05 INFORMATION SECURITY Percentage of test Questions (5.5%)

Task 05/01 Survey information facilities, processes and systems to evaluate current status of:
physical security, procedural security, information systems security, employee
awareness, and information destruction and recovery capabilities.
Knowledge of:
05/01/01 security survey and assessment methodology
05/01/02 protection technology, equipment and procedures
05/01/03 current methods used to compromise information
05/01/04 building and system plans, drawings, and schematics

Task 05/02 Develop and implement policies and standards to ensure information is evaluated and
protected against all forms of unauthorized/inadvertent access, use, disclosure,
modification, destruction or denial.
Knowledge of:
05/02/01 principles of management
05/02/02 information security theory
05/02/03 laws pertaining to protection requirements for proprietary information and intellectual
property
05/02/04 protection measures, equipment, and techniques
05/02/05 current trends and techniques for compromising information

Task 05/03 Develop and manage a program of integrated security controls and safeguards
to ensure confidentiality, integrity, availability, authentication, non-repudiation,
accountability, recoverability and auditability of sensitive information and
associated information technology resources and assets.
Knowledge of:
05/03/01 information security theory and systems methodology
05/03/02 threats and vulnerabilities assessment analysis and mitigation
05/03/03 systems integration techniques
05/03/04 cost benefit analysis methodology
05/03/05 project management techniques
05/03/06 budgetary projection development process
05/03/07 vendor evaluation and selection process
05/03/08 final acceptance and testing procedures
05/03/09 protection technology, equipment, and procedures
05/03/10 training and awareness methodologies and procedures

Task 05/04 Evaluate the effectiveness of the information security program’s integrated
security controls, to include related policies, procedures and plans, to ensure
consistency with organization strategy, goals and objectives.
Knowledge of:
05/04/01 security survey/assessment methodology
05/04/02 cost benefit/analysis methodology
05/04/03 protection technology/equipment systems
05/04/04 monitoring, audit and testing techniques

Caterpillar: Confidential Green


TERMS & Definitions

- Proprietary Information – Information over which the possessor asserts ownership
and which is related to the activities or status of the possessor in some special way.
All proprietary information is confidential; however, not all confidential
information is proprietary.
- Trade Secret – (From the Uniform Trade Secrets Act) Information including a
formula, pattern, compilation, program, device, method, techniques or process that:
1. Derives independent economic value, actual or potential, from not being
generally known to, and not being ascertainable by proper means, by other
persons who can obtain economic value from its disclosure or use.
2. Is the subject of efforts that are reasonable under the circumstances to
maintain its security.
- Patent - A government grant conveying and securing the exclusive right to make,
use, and sell an invention for a term of 20 years.

The most important distinction is between a Trade Secret and other types of proprietary &
confidential information.

INTENT & PURPOSE

TO: Survey information facilities, processes and systems to evaluate current status of: physical
security, procedural security, information systems security, employee awareness, and
information destruction and recovery capabilities.
TO: Develop and implement policies and standards to ensure information is evaluated and protected against all forms
of unauthorized/inadvertent access, use, disclosure, modification, destruction or denial.
TO: Develop and manage a program of integrated security controls and safeguards to ensure confidentiality, integrity,
availability, authentication, non-repudiation, accountability, recoverability and auditability of sensitive information
and associated information technology resources and assets.
TO: Evaluate the effectiveness of the information security program’s integrated security controls, to include
related policies, procedures and plans, to ensure consistency with organization strategy, goals and
objectives.

TRADE SECRETS

A trade secret is defined in the “Restatement of the Law of Torts” as follows:


- A Trade secret may consist of any formula, pattern, device or compilation of
information which is used in one’s business and which gives him an opportunity to
gain an advantage over competitors who do not know or use it. It may be a formula
for a chemical compound, a process of manufacturing, treating or preserving
materials, a pattern for a machine or other device or a list of customers.
- A Trade Secret is a process or device for continuous use in the operation of a
business.
Trade Secrets are entitled by law to more protection than other kinds of proprietary information.

The courts tend to find against those who have acted in bad faith where the use of confidential
information is involved, but there must be a showing or proof that the owner preserved the
secrecy of the information to the maximum extent possible.
To protect a Trade Secret it is necessary to prove all of the following elements:
- How secret was the information? Was it identified properly and correctly?
- What is its value?
- How was the information used in the owner’s business?

If information is wrongfully obtained by one person and disclosed in such a fashion that others
gain knowledge of it without being aware that it is, or was, the secret of someone else, the
wrongful discloser is the only person against whom the original owner has recourse.

HOWEVER…………..
If the data involved is a trade secret and the persons to whom it is disclosed are relatively few
and they are put on notice of the existence of the trade secret before they change their positions
in the use of the data, the trade secret may be protected. Also, in addition to the recourse
available against the wrongful discloser, in that the third parties are now on notice, they too will
become wrongful disclosers if they further disclose or use the information.

In regards to Trade Secret the owner may get protection through a written agreement with the
employee.

THE MOST SERIOUS INTERNAL THREAT TO TRADE SECRETS IS THE


EMPLOYEE.

Not all sensitive information is a trade secret………….Examples which are not Trade Secrets:
- Salary information
- Customer usage information
- Profit margins
- Unit costs
- Personnel changes

PATENTS

FILING REQUIREMENT………….A trade secret remains secret as long as it continues to meet
trade secret tests, while the exclusive right of patent protection expires after twenty (20) years.

COPYRIGHT
Copyright provides protection for original works by providing the creator or publisher exclusive
right to the work (e.g. books, periodicals, movies, music or software programs).

Copyrighted material is identified with a C within a circle.

Copyright permits FAIR USE under the following conditions:
- Purpose (commercial versus non-commercial)
- Nature (critique versus business use)
- Amount (1 versus 1,000)
- Effect on potential market value (i.e. Monetary……e.g., NAPSTER example)

Trademark and Servicemark……….
A Trademark is a word, name, symbol, or device that is used in trade with goods to indicate the
source of the goods (i.e., Caterpillar, Cat…). The terms Trademark and mark are commonly used
to refer to both trademarks and servicemarks.
A Servicemark is the same as a trademark except that it identifies and distinguishes the source of
a service rather than a product.

Trademarks, which are used in interstate or foreign commerce, may be registered with the US
Patent and Trademark Office.
The Lanham Act, enacted in 1946, is the federal trademark statute.

PROPRIETARY Information:
The Common Law uses two approaches in dealing with proprietary information:
- The “Property Concept”, which regards the information as having independent value
if it amounts to a trade secret.
- Imposition of duties upon certain classes of people, other than the owner not to use or
divulge information without the owner’s consent………..this approach treats those
individuals as “Fiduciary” as they occupy special positions of trust or confidence.

There are three broad threats to proprietary information:
- It can be lost through inadvertent disclosure
- It can be deliberately stolen by an outsider
- It can be deliberately stolen by an insider

COMPETITIVE INTELLIGENCE Collection:
Collection and analysis of information about a competitor occurs daily……….Legal & ethical
techniques are usually employed.
The most important function of Competitive Intelligence is to alert senior management to
marketplace changes in order to prevent surprise.
Compilation techniques employed:
- Newspaper classified advertising
- Plans and permit requests filed with local authorities
- Technical journal articles
- Conversation with trade show booth workers
- Public presentations by senior execs
- Conversation with construction workers

“Social Engineering” – telephone conversations with company employees using subtle elicitation
of information without revealing the true purpose of the call.

A rich source of information is held by government regulators…………..
When providing information to anyone outside the company:
- Provide only the information requested or required
- Where possible, omit all sensitive or proprietary info
- Identify the sensitive or proprietary info which is provided
- Obtain an agreement with the governmental agency
- Prior to submission, have documents scrutinized by responsible management
personnel familiar with the information involved.
- Realize that vast amounts of information are disclosed merely because the holders don’t
realize the value of the info
- BASIC RULE – Never reveal information to anyone that you would not reveal to
a competitor.

INDUSTRIAL Espionage:
- Industrial espionage is the theft of information by legal or illegal means. It is more
dangerous because it is usually highly valuable info, which is stolen and released to
others who plan to exploit it.
Industrial Espionage techniques:
- Employment offers to employees
- Dumpster diving
- Electronic intrusion – Hacking
- Wiretaps, microphones and other listening devices
- Unauthorized access – frequently using a ruse
- Romantic involvement with employees.

PIRACY
The illegal duplication and distribution of recordings………..3 Forms:
- Counterfeiting – unauthorized recording of prerecorded sounds
- Pirating – The unauthorized duplication of sound or images
- Bootlegging – The unauthorized recording of a musical broadcast on radio, television
or live concert.

LEGAL
The United States has enacted a number of statutes to protect information and communication
systems against threats: (Review CPP Study Guide 12th Edition – GREEN BOOK page V-7 and
ASIS Manual Information Security Section Page 6 for what laws cover)
- Computer Fraud and Abuse Act of 1986 – amended in 1994, 1996 & 2001
- Computer Security Act of 1987
- The Telecommunications Deregulation and Competition Act of 1996
- Digital Millennium Copyright Act of 1998
- Lanham Act of 1946 (Trademark Regulation)
- The Economic Espionage Act of 1996
- USA Patriot Act of 2001 (Protects against Terrorist Crime)
- Sarbanes-Oxley Act of 2002 (Better known as SOx)

Two concepts are recognized with regard to proprietary Info:
- Under the “Property Concept” trade secret information has independent value.
- Fiduciaries, who occupy special positions of trust and confidence, have a duty not to
divulge proprietary Info.
To protect the “Property” of proprietary Info the owner has the right to:
- Sue for damage
- Recover Profits under the equity theory of “Unjust Enrichment”
- Restrain another from the use of the property
- Retain the exclusive use of the property
Prior to instituting litigation, consider that:
- The owner may have to expose the very secrets he/she is trying to protect (COKE
Example)
- The cost may be too high
- The trade secret owner may lose the case (Wal-Mart vs. Amazon)

PROTECTION PROGRAMS

The Vulnerability Assessment is conducted from the perspective of the competitor and considers:
- What Critical Info exists
- The period of time when information is critical
- The identity of employees and indirect associates who have access to the info
Of Particular importance is information regarding:
- Production of goods and services…….Basic manufacturing data and design manuals,
raw material specifications & research & development
Countermeasures to be implemented:
- Clear policy and procedural statements……i.e., Clear desk policy, Data identification
programs, need to know policy.
- Pre-Employment Screening
- Procedures for review of incumbent employees.
- Awareness Programs
- Non-disclosures and secrecy agreements
- Physical security measures such as Access Control, electronic access controls &
supervised destruction of waste and trash
- System of Regular AUDITS or internal Inspections
- Continuous monitoring of routine activities to detect appearances of one’s sensitive
data.

Methodology:
The recognized method for planning Information security follows these key phases…….
- Investigation phase – understand the scope of the potential threat facing the
organization
- Analysis phase – focuses on the organization’s ability to implement the security
program
- Logical Design phase – used to develop proposed systems for solutions
- Physical design phase – intent is to select specific technologies that will support the
protection of systems
- Implementation phase – focuses on software engineering and hardware installations
to ensure that both data and systems are protected.
- Maintenance phase – While usually overlooked this phase is probably the most
expensive and requires long-term commitment. Vigilance, support and constant
modifications take place.

EVALUATION of Potential Threats: Potential threats to information security should be
identified and evaluated…….Several categories of threats follow:
- Acts of human error or failure
- Compromises to intellectual property
- Deliberate acts of espionage or trespass
- Deliberate acts of information extortion
- Deliberate acts of sabotage or vandalism
- Deliberate acts of theft
- Deliberate Software attacks
- Deviations in quality of service from service providers
- Forces of nature otherwise known as Force Majeure
- Technical hardware failures or errors
- Technical Software failures or errors
- Technological obsolescence

NEEDS Assessment:
An analysis of information security needs to be conducted and there are certain stages within the
analysis………
- Identifying the vulnerabilities and ranking them in terms of likelihood of affecting the
organization.
- Developing controls that can be put in place to mitigate those risks
- Undertaking an economic feasibility study to determine what the cost benefit of this
protection system would be…………i.e. Business Case vs. Risk
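The vulnerability assessment above (what critical information exists, the period when it is critical, who has access to it) and the needs assessment stages (rank by likelihood, propose controls, weigh the business case against the risk) carried through as a worked example. This is an added illustration, not a method from the course material: the 1-5 likelihood scale, the dollar values, the information items, the people and the controls are all constructed assumptions.

```python
"""Worked example: ranking proprietary information exposures and testing the
business case for a control. All figures, names and the scoring scale are
constructed assumptions for illustration, not taken from the study guide."""
from dataclasses import dataclass, field

LIKELIHOOD_MAX = 5  # assumed ordinal scale: 1 = rare ... 5 = near certain


@dataclass
class CriticalInfo:
    name: str
    value: float          # assumed loss if a competitor obtains it while critical
    critical_months: int  # period of time the information remains critical
    likelihood: int       # 1..5 chance a competitor obtains it in that period
    access: list = field(default_factory=list)  # employees/associates with access

    def expected_loss(self) -> float:
        # Assumption: the ordinal likelihood is treated as a fraction of certainty.
        return self.value * self.likelihood / LIKELIHOOD_MAX


@dataclass
class Control:
    name: str
    annual_cost: float
    likelihood_reduction: int  # ordinal points removed from covered items
    covers: set = field(default_factory=set)  # names of items it protects


def rank_vulnerabilities(items):
    """Items still within their critical period, ordered by likelihood, then by
    expected loss, then by how many people can reach the information."""
    live = [i for i in items if i.critical_months > 0]
    return sorted(live,
                  key=lambda i: (-i.likelihood, -i.expected_loss(), -len(i.access)))


def residual_likelihood(item, control):
    """Likelihood after the control is applied, never below the bottom of the scale."""
    if item.name not in control.covers:
        return item.likelihood
    return max(1, item.likelihood - control.likelihood_reduction)


def business_case(control, items):
    """Loss avoided over the critical period versus the control's cost for that
    same period (annual cost pro-rated to the longest covered critical window)."""
    covered = [i for i in items if i.critical_months > 0 and i.name in control.covers]
    avoided = sum(
        i.expected_loss() - i.value * residual_likelihood(i, control) / LIKELIHOOD_MAX
        for i in covered)
    months = max((i.critical_months for i in covered), default=0)
    cost = control.annual_cost * months / 12
    return {"control": control.name, "benefit": avoided, "cost": cost,
            "net": avoided - cost, "justified": avoided > cost}


# Constructed sample: the kinds of items the guide calls out (design manuals,
# raw material specifications, customer lists), with made-up values.
SAMPLE_ITEMS = [
    CriticalInfo("raw material specification", 400_000, 18, 3,
                 ["purchasing", "plant engineering"]),
    CriticalInfo("new product design manual", 2_000_000, 9, 4,
                 ["design", "tooling vendor", "test lab"]),
    CriticalInfo("customer price list", 250_000, 12, 4, ["sales", "order desk"]),
    CriticalInfo("last year's bid package", 50_000, 0, 5, ["sales"]),  # no longer critical
]
SAMPLE_CONTROLS = [
    Control("clear desk + need-to-know policy", 30_000, 2,
            {"new product design manual", "customer price list"}),
    Control("supervised waste destruction", 100_000, 1, {"raw material specification"}),
]

if __name__ == "__main__":
    for item in rank_vulnerabilities(SAMPLE_ITEMS):
        print(f"{item.name:30} likelihood={item.likelihood} "
              f"expected_loss={item.expected_loss():>12,.0f} access={len(item.access)}")
    for control in SAMPLE_CONTROLS:
        case = business_case(control, SAMPLE_ITEMS)
        print(f"{case['control']:35} benefit={case['benefit']:>12,.0f} "
              f"cost={case['cost']:>10,.0f} justified={case['justified']}")
```

With the sample figures the waste-destruction control costs more over the 18-month critical window than the loss it avoids, which is the "Business Case vs. Risk" outcome the needs assessment is meant to surface before money is spent.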

EDUCATION, Training and Awareness Programs:
Another very integral part of any information security program…to include education, training
and awareness.

SECURITY POLICY:
It is recognized that planning and education coincide with one another in protecting information
but the program needs to be articulated in a structure normally referred to as a POLICY.
Types of Policies:
- Enterprise Information Security Program Policy….Usually identifies Strategic
direction, scope and purpose for the Security effort
- Issue-Specific Information Security Policy…Provides guidance for all members of
the organization in regard to the technology
- System-Specific Information Security Policy……Provides a guide for management
and technical specs for a particular technology or system utilized

REPEAT of Project MGMT……… Methodology when undertaking an Information Security
Project
- Integration…..Emphasis on coordinating the various elements
- Scope……Understanding the tasks to be undertaken
- Time…..Vetting schedules to perform and control those schedules
- Cost……Economic value
- Quality…..Assuring tasks are performed satisfactorily
- Resources…..Identify individuals to perform the tasks
- Communications…..Develop an efficient and effective process for conveying activity
- Risk…..Understanding the diversities and developing response and control
- Procurement……Acquiring resources (human and technological)

PERSONNEL & SECURITY

Employee Vulnerabilities: Employees are our greatest vulnerability in terms of any
information security program.
EXAMPLES follow, in the format: Information Security Risk (location) – Tactic used to attack –
Strategy to mitigate.
- Receptionist/help desk – Impersonation & Persuasion (i.e., Social Engineering) –
Train employees to never give out passwords or confidential info over phone.
- Building Entrance – Unauthorized physical access – Use tight badge security
- Office – Shoulder Surfing – Don’t type passwords with anyone present
- Phone/help desk – Impersonation on help desk calls – Assign all employees a PIN
specific to help desk support.
- Office – Wandering through halls looking for open offices – Require all guests to be
escorted
- Mailroom – Insertion of forged memos – Lock & monitor mail room.
- Machine Room/phone closet – Attempting to gain access, remove equipment and/or attach
a protocol analyzer device – keep phone closets, server rooms and other facilities
locked and keep an inventory of equipment.
- Phone & PBX – Stealing phone toll access – Control overseas and long distance calls
and refuse transfers
- Dumpsters – Dumpster Diving – Keep all trash in secured, monitored areas, shred
important data and erase magnetic media
- INTRA/INTERnet – Creation and insertion of mock software on intra/internet to steal
passwords – Maintain continual awareness
- Office – Stealing sensitive documents – Mark documents as confidential and require
lock-up
- General psychological – Impersonation and persuasion – Keep employees on their
toes through continuous Security Awareness

OTHER RISKS……..
- Sales Presentations
- Seminars, trade associations & meetings
- Discussions with suppliers
- Off Premises statements

THEFT of Information by an Outsider:
- False job interviews with a competitor’s employees
- Access to premises
- Trash cover
- Romantic relationships
- SOCIAL ENGINEERING
- Electronic Hacking

INFORMATION SECURITY PROGRAM FOCUS:
- Identify and group information into at least two categories: information which
- Is critical to the ongoing viability of the enterprise
- Should not be released to the public
- The smallest possible amount of information should be so classified
- Designate employees authorized to classify information
- MARK the info or data

CONTROL of INFORMATION:
- Origination
- Transmission – encrypted voice, data and or FAX
- Reproduction (copy machines or print shops)
- Storage
- USE
- Destruction

HUMAN Resource Management:
- Pre-employment screening
- Nondisclosure and noncompete agreements
- PIP information in new employee orientation
- PIP Information in the employee handbook
- Security Awareness training/program
- Employee IDs and badging
- Unsolicited telephone query procedures
- Employee exposure documentation
- Security related questions during exit interviews

VENDORS & VISITORS:
- Visitor controls
- Vendor/contractor/visitor nondisclosure agreements
- Due diligence inquiries
- PIP Info in contractor orientation

ADMINISTRATIVE CONTROLS:
- Pre-Publication review
- Trade show/Off site meeting procedures
- Media/Public affair procedures
- Internal and independent security audits
- Notice to new employers of former employee access & Responsibility (EXCESS
ACCESS)
- Informed monitoring of routine activities
- Set records retention periods & destroy schedules

PHYSICAL SECURITY MEASURES:
- ACCESS CONTROL
- ID of all personnel in sensitive areas (Color coded)
- Escort visitors & challenge strangers
- Standards for storage containers (remove keys)
- Key & combination control
- Warning screen on access to sensitive databases
- Examine electronic access (hackers)
- Use of technical services countermeasures
- Monitor trash

ELECTRONIC Data Processing Centers should have the same physical security protection as
any other business or industrial establishment.

PERSONAL Computer Systems should have access limited to authorized users only.

THREATS TO INFORMATION SYSTEMS:

- Eavesdropping or unauthorized listening
- Wiretapping – interception of any communication circuits
- Bugging – interception of a communication using an electronic device
- Recording of Conversations – Under Federal Law, only one-party consent is required to
electronically monitor a conversation between two parties. HOWEVER, state law
may prohibit electronic monitoring without two-party consent (e.g. Maryland &
Pennsylvania)
- Wired Microphones:
  - Carbon microphone – common in a standard telephone set
  - Crystal microphone – generates a small electric current when the crystal is vibrated
by sound waves
  - Contact microphone – usually a crystal mike installed on a common wall with the
target area.
  - Spike microphone – installed in a hole in a common wall with the target area, not fully
through to the other side of the wall.
- Disadvantages of contact over spike microphones:
  - Signals are generally too weak to travel very far over a wire
  - Other sounds may mask sound in the target area (water, door slam, etc.)
  - Microphone is affected by variations in temp and humidity

- Dynamic microphone – movement of a small wire near a permanent magnet converts
sound into electrical energy – requires no power source and is usually very small.
- Pneumatic cavity device – specially designed small cavity which picks up surface
vibrations
- Condenser Microphone – High fidelity use – fragile & sensitive
- Electret Microphone – Used primarily in public address systems and for audio
recording (very small)
- OMNIDIRECTIONAL MICROPHONE – Used in conference rooms & picks up
sounds from many directions.
- CARDIOID MICROPHONE – picks up sounds from directly in front of microphone
- PARABOLIC MICROPHONE – resembles a TV dish antenna…….Concentrates
audio energy gathered over an equal area to the diameter of the dish (Typically
between 1 ½ and 4 feet)
- SHOTGUN MICROPHONE – A bulky arrangement of tubes which gathers the
sound and sends to the microphone attached to the tubes.
- WIRELESS MICROPHONE - A Radio frequency (RF) device consisting of a
microphone, transmitter, power supply, antenna and receiver. The steel structure
of a building or foil-backed insulation in a home can seriously attenuate the radio
signal, and the transmitter/receiver functions poorly inside an automobile.
- Light Amplification by Stimulated Emission of Radiation (LASER)
- Electromagnetic Radiation – Detected electromagnetic energy is generated by
electronic Info processing devices and detection is possible for several hundred feet.
The FARADAY CAGE or TEMPEST SHIELDING is used for very sensitive
equipment.
- TELEPHONE EAVESDROPPING:
  - The telephone company voltage on the line can be utilized to power eavesdropping devices
  - Telephone system vulnerabilities include – Direct interception, radio transmitters, pen
registers (identifies the # being called or coming in), voice mail intercepts and
manipulation of system software
  - Information acquired includes voice, fax, teletype and/or data, using direct physical
connection or inductive coupling, which does not require a physical connection.
  - Use of existing wire
  - Use of telephone equipment in the target area, which requires physical entry for
alteration of wiring or a drop-in radio transmitter.
  - Digital systems, which can be recorded and converted to analog and/or speech
  - Remote Maintenance Access Terminal (RMAT) – the control software of a PBX
(private branch exchange), which can be accessed via an onsite terminal or by calling
the telephone system’s remote maintenance port #.
  - Dialed number recorder, commonly referred to as a pen register
  - Cellular and cordless, analog and digital devices transmit RF signals which can be
intercepted
  - Cellular telephones can be intercepted with a receiver tuned to the proper frequency,
although such interception is illegal. Variable Path Encryption (VPE) is particularly useful to
secure cellular signals.

COMPUTER TECHNOLOGY RISKS:

- VIRUS – Any hidden computer code that copies itself onto other programs….Attacks
vary.

- TROJAN HORSE – A program designed to appear innocent which, when downloaded,
can open by date or system activity and affects data.
- BOMB – Computer code inserted by a programmer into legitimate
software…..similar to Trojan horse which can be time sensitive or event sensitive.
- DATA MANIPULATION – Common form of access by numerous people to
monitor, convert, modify, etc. data.
- TRAPDOORS AND BACK DOORS - A Programmer designed means of access.
Trapdoors are created and inserted during program development and backdoors are
unintentional access to the software code.
- COOKIE MONSTER – Improperly modified log-on for remote resource sharing which
allows the illegal party to extort unauthorized service from a user seeking access.
THE BEST WAY TO PROTECT ANY TYPE OF DATA IS TO ENCRYPT IT………..
- Theft of Hardware

OTHER TECHNOLOGY RISKS………
- FAX Machines – many plain paper fax machines use a disposable film which retains
negative images.
- Computer Modems and Fax Boards
- Speakerphones – excellent for hiding eavesdropping devices
- Video Teleconferencing equipment – Many systems cannot communicate because of
incompatibilities so a translator node is usually in between these devices to translate.

TECHNICAL COUNTERMEASURE SWEEPS:
- Physical Searches – Detailed & time consuming task conducted in specific areas……
View or take apart all logical placements of eavesdropping devices.
- Telephone search – performed by a technician familiar with specific equipment
- ELECTRONIC SEARCH – NO REMOTE DEVICE OR TECHNIQUES CAN
GUARANTEE TO FIND A WELL-INSTALLED DEVICE INSTALLED BY AN
EXPERIENCED TECHNICIAN.
  - Time domain reflectometry (TDR) – an electronic picture of a telecommunication line at
a given time, which is compared to the same line at a future time.
  - Telephone analyzer – electronic analysis of the telephone set
  - Field strength meter – measures the relative RF energy present at a given point
  - Countermeasure radio receiver – searches a large part of the radio spectrum to isolate
and identify a signal.
  - Spectrum analyzer – displays a large part of the RF spectrum and provides a visual
analysis.
  - Metal detector – Not very reliable!
  - Non-linear junction detector – Transmits a microwave signal and will find a
semiconductor device even when it is dead (unpowered).

TEST SAMPLE QUESTIONS:

1. Any formula, pattern, device or compilation of information which is used in one’s
business and which gives him an opportunity to gain advantage over competitors who
do not know or use it is:
a. A monopoly
b. An unfair trade practice
c. A Trade Secret
d. A Patent

2. Probably the main reason for loss of sensitive information is:
a. Inadvertent disclosure
b. Deliberately stolen by an outsider
c. Industrial espionage
d. Deliberately stolen by an insider

3. The primary tool of pre-employment screening is the:
a. Interview
b. Application Form
c. The investigation
d. The investigator

4. Competitive intelligence is a legitimate activity, which is engaged in by many firms
throughout the world. The most important function of competitive intelligence is to:
a. Alert senior management to marketplace changes in order to prevent surprise
b. Alert senior management as to the personal habits of competitive senior management
c. Alert government intelligence agencies to marketplace changes
d. Alert senior management to changes in protocol in foreign countries

5. The instrument used to monitor telephone calls by providing a record of all numbers
dialed from a particular phone is called:
a. A wiretap
b. A Bug
c. An electronic surveillance
d. A pen register
6. A clandestine listening device, generally a small hidden microphone and radio
transmitter is known as:
a. A bug
b. A wiretap
c. A tempest
d. A beeper

7. A microphone with a large disk-like attachment used for listening to audio from great
distances is known as:
a. Contact microphone
b. Spike microphone
c. Parabolic microphone
d. Moving coil microphone

8. Sound waves too high in frequency to be heard by the human ear, generally above
20 kHz, are known as:
a. Microwaves
b. Ultrasonic
c. High frequency
d. Short-wave

9. Two methods of protection against telephone line eavesdropping are apparently
reliable. The first method is “don’t discuss sensitive information” and the other is:
a. To use wire tap detector
b. To use a radio jammer
c. To use audio jammer
d. To use encryption equipment

10. The unauthorized acquisition of sensitive information is known as:
a. Industrial espionage
b. Embezzlement
c. Larceny
d. False pretenses

11. Proprietary information is:
a. Information which must be so classified under government order
b. Private information of highly sensitive character
c. Defense data which must be classified according to federal regulations
d. Anything that an enterprise considers relevant to its status or operations and does not
want to disclose publicly

12. A trade secret is:
a. Any formula, pattern, device or compilation of information which is used in one’s
business and which gives him an opportunity to gain advantage over competitors who
do not know or use it.
b. All information about a company which the company desires to protect
c. Information of a company which is registered as such with the U.S. Patent Office
d. Information so designated by the government

13. The class of person under a duty to safeguard a proprietary secret is known as:
a. Agent
b. Principal
c. Fiduciaries
d. Business Associate

14. In designing a proprietary information protection program, the area of greatest
vulnerability is:
a. Personnel files
b. Marketing data
c. Employees
d. Computers

15. “Social Engineering” is:
a. The conversation involved in the beginning of a romantic relationship
b. A function of the personnel department in which like persons are teamed together in
workshops or seminars for maximum productivity
c. The subtle elicitation of information without revealing the true purpose of the call
d. The specific design of a business structure to facilitate the interaction of the
inhabitants

ANSWERS:
1. c – A trade Secret
2. a – Inadvertent disclosure
3. b – Application Form
4. a – Alert Senior Management to marketplace changes in order to prevent surprise
5. d – A pen Register
6. a – A bug
7. c. – Parabolic microphone
8. b - Ultrasonic
9. d – To use Encryption equipment
10. a – Industrial espionage
11. d – Anything that an enterprise considers relevant to its status or operations and does not
want to disclose publicly
12. a - Any formula, pattern, device or compilation of information which is used in one’s
business and which gives him an opportunity to gain advantage over competitors who do
not know or use it
13. c- Fiduciaries
14. c - Employees
15. c - The subtle elicitation of information without revealing the true purpose of the call
