Chapter 9 solution manual accounting information systems
Accounting Information Systems (Western Sydney University)
Accounting Information Systems, 13e (Romney/Steinbart)
Chapter 9 Confidentiality and Privacy Controls
9.1 Identify and explain controls designed to protect the confidentiality of sensitive corporate
information.
1) Identify the type of information below that is least likely to be considered "sensitive" by an
organization.
A) financial statements
B) legal documents
C) strategic plans
D) product cost information
Answer: A
Objective: Learning Objective 1
Difficulty: Easy
AACSB: Analytic
2) Which of the following is not one of the basic actions that an organization must take to
preserve the confidentiality of sensitive information?
A) identification of information to be protected
B) backing up the information
C) controlling access to the information
D) training
Answer: B
Objective: Learning Objective 1
Difficulty: Moderate
AACSB: Analytic
3) Classification of confidential information is the responsibility of whom, according to
COBIT5?
A) external auditor
B) information owner
C) IT security professionals
D) management
Answer: B
Objective: Learning Objective 1
Difficulty: Moderate
AACSB: Analytic
4) True or False: Encryption is one of the many ways to protect information in transit over the
internet.
Answer: FALSE
Objective: Learning Objective 1
Difficulty: Easy
AACSB: Analytic
Copyright © 2015 Pearson Education, Inc.
5) Classification of confidential information is the responsibility of whom, according to
COBIT5?
A) external auditor
B) information owner
C) IT security professionals
D) management
Answer: B
Objective: Learning Objective 1
Difficulty: Moderate
AACSB: Analytic
6) Encryption is a necessary part of which information security approach?
A) defense in depth
B) time based defense
C) cloud quarantine
D) synthetic defense
Answer: A
Objective: Learning Objective 1
Difficulty: Moderate
AACSB: Analytic
7) Information rights management software can do all of the following except
A) limit access to specific files.
B) limit action privileges to a specific time period.
C) authenticate individuals accessing information.
D) specify the actions individuals granted access to information can perform.
Answer: C
Objective: Learning Objective 1
Difficulty: Difficult
AACSB: Analytic
8) Identify the first step in protecting the confidentiality of intellectual property below.
A) Identifying who has access to the intellectual property
B) Identifying the means necessary to protect the intellectual property
C) Identifying the weaknesses surrounding the creation of the intellectual property
D) Identifying what controls should be placed around the intellectual property
Answer: A
Objective: Learning Objective 1
Difficulty: Moderate
AACSB: Analytic
9) After the information that needs to be protected has been identified, what step should be
completed next?
A) The information needs to be placed in a secure, central area.
B) The information needs to be encrypted.
C) The information needs to be classified in terms of its value to the organization.
D) The information needs to be depreciated.
Answer: C
Objective: Learning Objective 1
Difficulty: Moderate
AACSB: Analytic
10) Which type of software blocks outgoing messages containing key words or phrases
associated with an organization's sensitive data?
A) anti-virus software
B) data loss prevention software
C) a digital watermark
D) information rights software
Answer: B
Objective: Learning Objective 1
Difficulty: Moderate
AACSB: Analytic
11) Janus Corporation uses a tool that embeds a code into all of its digital documents. It then
scours the internet, searching for codes that it has embedded into its files. When Janus finds an
embedded code on the internet, it knows that confidential information has been leaked. Janus
then begins identifying how the information was leaked and who was involved with the leak.
Janus is using
A) data loss prevention software.
B) a keylogger.
C) a digital watermark.
D) a spybot.
Answer: C
Objective: Learning Objective 1
Difficulty: Moderate
AACSB: Analytic
12) What confidentiality and security risk does using VoIP present to organizations?
A) Internet e-mail communications can be intercepted.
B) Internet photographs can be intercepted.
C) Internet video can be intercepted.
D) Internet voice conversations can be intercepted.
Answer: D
Objective: Learning Objective 1
Difficulty: Moderate
AACSB: Analytic
9.2 Identify and explain controls designed to protect the privacy of personal information
collected from customers, employees, suppliers or business partners.
1) Which of the following is not one of the 10 internationally recognized best practices for
protecting the privacy of customers' personal information?
A) Provide free credit report monitoring for customers.
B) Inform customers of the option to opt-out of data collection and use of their personal
information.
C) Allow customers' browsers to decline to accept cookies.
D) Utilize controls to prevent unauthorized access to, and disclosure of, customers' information.
Answer: A
Objective: Learning Objective 2
Difficulty: Moderate
AACSB: Analytic
2) In developing policies related to personal information about customers, Folding Squid
Technologies adhered to the Trust Services framework. The standard applicable to these policies
is
A) security.
B) confidentiality.
C) privacy.
D) availability.
Answer: C
Objective: Learning Objective 2
Difficulty: Easy
AACSB: Analytic
3) A client approached Paxton Uffe and said, "Paxton, I need for my customers to make
payments online using credit cards, but I want to make sure that the credit card data isn't
intercepted. What do you suggest?" Paxton responded, "The most effective solution is to
implement
A) a data masking program."
B) a virtual private network."
C) a private cloud environment."
D) an encryption system with digital signatures."
Answer: D
Objective: Learning Objective 2
Difficulty: Moderate
AACSB: Analytic
4) Describe some steps you can take to minimize your risk of identity theft.
Answer: Shred documents containing personal information. Never send personally identifying
information in unencrypted e-mail. Beware of e-mail/phone/print requests to verify personal
information that the requesting party should already possess. Do not carry your social security
card with you. Print only your initials and last name on checks. Limit the amount of other
information preprinted on checks. Do not use your mailbox for outgoing mail. Do not carry more
than a few blank checks with you. Use special software to digitally clean any digital media prior
to disposal. Monitor your credit cards regularly. File a police report as soon as you discover a
purse or wallet missing. Make photocopies of your driver's license, passport and credit cards and
keep them in a safe location. Immediately cancel any stolen or lost credit cards.
Objective: Learning Objective 2
Difficulty: Moderate
AACSB: Analytic
5) The first steps in protecting the privacy of personal information are to identify
A) what sensitive information is possessed by the organization.
B) where sensitive information is stored.
C) who has access to sensitive information.
D) All of the above are first steps in protecting privacy.
Answer: D
Objective: Learning Objective 2
Difficulty: Easy
AACSB: Analytic
6) It is impossible to encrypt information
A) transmitted over the Internet.
B) stored on a hard drive.
C) printed on a report.
D) None of the above
Answer: D
Objective: Learning Objective 2
Difficulty: Moderate
AACSB: Analytic
7) Data masking is also referred to as
A) encryption.
B) tokenization.
C) captcha.
D) cookies.
Answer: B
Objective: Learning Objective 2
Difficulty: Difficult
AACSB: Analytic
8) Cindy Vindoolo logged on to her e-mail account to find that she had received 50 e-mails from
a company called LifeCo that promised her extreme weight loss if she bought their diet pills.
Cindy angrily deleted all 50 e-mails, realizing she was a victim of
A) telemarketing.
B) spam.
C) direct mail.
D) MLM.
Answer: B
Objective: Learning Objective 2
Difficulty: Easy
AACSB: Analytic
9) Under CAN-SPAM legislation, an organization that receives an opt-out request from an
individual has ________ days to implement steps to ensure they do not send out any additional
unsolicited e-mail to the individual again.
A) 2
B) 5
C) 7
D) 10
Answer: D
Objective: Learning Objective 2
Difficulty: Easy
AACSB: Analytic
10) Identify the item below that is not a step you could take to prevent yourself from becoming a
victim of identity theft.
A) Shred all documents that contain your personal information.
B) Only print your initial and last name on your personal checks.
C) Do not place checks in your outgoing mail.
D) Refuse to disclose your social security number to anyone or any organization.
Answer: D
Objective: Learning Objective 2
Difficulty: Moderate
AACSB: Analytic
11) Identify the item below which is not a piece of legislation passed to protect individuals
against identity theft or to secure individuals' privacy.
A) the Health Insurance Portability and Accountability Act
B) the Health Information Technology for Economic and Clinical Health Act
C) the Financial Services Modernization Act
D) the Affordable Care Act
Answer: D
Objective: Learning Objective 2
Difficulty: Difficult
AACSB: Analytic
12) If an organization asks you to disclose your social security number, yet fails to permit you to
opt-out before you provide the information, the organization has likely violated which of the
Generally Accepted Privacy Principles?
A) Management
B) Notice
C) Choice and consent
D) Use and retention
Answer: C
Objective: Learning Objective 2
Difficulty: Moderate
AACSB: Analytic
13) If an organization asks you to disclose your social security number, but fails to establish a set
of procedures and policies for protecting your privacy, the organization has likely violated which
of the Generally Accepted Privacy Principles?
A) Management
B) Notice
C) Choice and consent
D) Use and retention
Answer: A
Objective: Learning Objective 2
Difficulty: Moderate
AACSB: Analytic
14) If an organization asks you to disclose your social security number, but fails to tell you about
its privacy policies and practices, the organization has likely violated which of the Generally
Accepted Privacy Principles?
A) Management
B) Notice
C) Choice and consent
D) Use and retention
Answer: B
Objective: Learning Objective 2
Difficulty: Moderate
AACSB: Analytic
15) If an organization asks you to disclose your social security number, yet fails to properly
dispose of your private information once it has fulfilled its purpose, the organization has likely
violated which of the Generally Accepted Privacy Principles?
A) Management
B) Notice
C) Choice and consent
D) Use and retention
Answer: D
Objective: Learning Objective 2
Difficulty: Moderate
AACSB: Analytic
16) If an organization asks you to disclose your social security number, but decides to use it for a
different purpose than the one stated in the organization's privacy policies, the organization has
likely violated which of the Generally Accepted Privacy Principles?
A) Collection
B) Access
C) Security
D) Quality
Answer: A
Objective: Learning Objective 2
Difficulty: Moderate
AACSB: Analytic
17) If an organization asks you to disclose your date of birth and your address, but refuses to let
you review or correct the information you provided, the organization has likely violated which of
the Generally Accepted Privacy Principles?
A) Collection
B) Access
C) Security
D) Choice and consent
Answer: B
Objective: Learning Objective 2
Difficulty: Moderate
AACSB: Analytic
18) If an organization asks you to disclose your date of birth and your address, but fails to take
any steps to protect your private information, the organization has likely violated which of the
Generally Accepted Privacy Principles?
A) Collection
B) Access
C) Security
D) Quality
Answer: C
Objective: Learning Objective 2
Difficulty: Moderate
AACSB: Analytic
19) If an organization asks you to disclose your date of birth and your address, but fails to
establish any procedures for responding to customer complaints, the organization has likely
violated which of the Generally Accepted Privacy Principles?
A) Collection
B) Access
C) Security
D) Monitoring and enforcement
Answer: D
Objective: Learning Objective 2
Difficulty: Moderate
AACSB: Analytic
9.3 Explain how the two basic types of encryption systems work.
1) Which of the following is not true regarding virtual private networks (VPN)?
A) VPNs provide the functionality of a privately owned network using the Internet.
B) Using VPN software to encrypt information while it is in transit over the Internet in effect
creates private communication channels, often referred to as tunnels, which are accessible only
to those parties possessing the appropriate encryption and decryption keys.
C) It is more expensive to reconfigure VPNs to include new sites than it is to add or remove the
corresponding physical connections in a privately owned network.
D) The cost of the VPN software is much less than the cost of leasing or buying the
infrastructure (telephone lines, satellite links, communications equipment, etc.) needed to create
a privately owned secure communications network.
Answer: C
Objective: Learning Objective 3
Difficulty: Moderate
AACSB: Analytic
2) All of the following are associated with asymmetric encryption except
A) speed.
B) private keys.
C) public keys.
D) no need for key exchange.
Answer: A
Objective: Learning Objective 3
Difficulty: Easy
AACSB: Analytic
3) The system and processes used to issue and manage asymmetric keys and digital certificates
are known as
A) asymmetric encryption.
B) certificate authority.
C) digital signature.
D) public key infrastructure.
Answer: D
Objective: Learning Objective 3
Difficulty: Moderate
AACSB: Analytic
4) Identify one weakness of encryption below.
A) Encrypted packets cannot be examined by a firewall.
B) Encryption provides for both authentication and non-repudiation.
C) Encryption protects the privacy of information during transmission.
D) Encryption protects the confidentiality of information while in storage.
Answer: A
Objective: Learning Objective 3
Difficulty: Moderate
AACSB: Analytic
5) Using a combination of symmetric and asymmetric key encryption, Sofia Chiamaka sent a
report to her home office in Bangalore, India. She received an e-mail acknowledgement that her
report had been received, but a few minutes later she received a second e-mail that contained a
different hash total than the one associated with her report. The most likely explanation for this
result is that
A) the public key had been compromised.
B) the private key had been compromised.
C) the symmetric encryption key had been compromised.
D) the asymmetric encryption key had been compromised.
Answer: C
Objective: Learning Objective 3
Difficulty: Difficult
AACSB: Analytic
6) Encryption has a remarkably long and varied history. The invention of writing was apparently
soon followed by a desire to conceal messages. One of the earliest methods, attributed to an
ancient Roman emperor, was the simple substitution of numbers for letters, for example A = 1,
B = 2, etc. This is an example of
A) a hashing algorithm.
B) symmetric key encryption.
C) asymmetric key encryption.
D) a public key.
Answer: B
Objective: Learning Objective 3
Difficulty: Moderate
AACSB: Analytic
7) An electronic document that certifies the identity of the owner of a particular public key.
A) asymmetric encryption
B) digital certificate
C) digital signature
D) public key
Answer: B
Objective: Learning Objective 3
Difficulty: Moderate
AACSB: Analytic
8) Which systems use the same key to encrypt communications and to decrypt communications?
A) asymmetric encryption
B) symmetric encryption
C) hashing encryption
D) public key encryption
Answer: B
Objective: Learning Objective 3
Difficulty: Easy
AACSB: Analytic
9) These are used to create digital signatures.
A) asymmetric encryption and hashing
B) hashing and packet filtering
C) packet filtering and encryption
D) symmetric encryption and hashing
Answer: A
Objective: Learning Objective 3
Difficulty: Moderate
AACSB: Analytic
10) Information encrypted with the creator's private key that is used to authenticate the sender is
A) asymmetric encryption.
B) digital certificate.
C) digital signature.
D) public key.
Answer: C
Objective: Learning Objective 3
Difficulty: Moderate
AACSB: Analytic
11) Which of the following is not one of the three important factors determining the strength of
any encryption system?
A) key length
B) key management policies
C) encryption algorithm
D) privacy
Answer: D
Objective: Learning Objective 3
Difficulty: Easy
AACSB: Analytic
12) A process that takes plaintext of any length and transforms it into a short code.
A) asymmetric encryption
B) encryption
C) hashing
D) symmetric encryption
Answer: C
Objective: Learning Objective 3
Difficulty: Moderate
AACSB: Analytic
13) Which of the following descriptions is not associated with symmetric encryption?
A) a shared secret key
B) faster encryption
C) lack of authentication
D) separate keys for each communication party
Answer: C
Objective: Learning Objective 3
Difficulty: Moderate
AACSB: Analytic
14) Encryption has a remarkably long and varied history. Spies have been using it to convey
secret messages ever since there were secret messages to convey. One powerful method of
encryption uses random digits. Two documents are prepared with the same random sequence of
numbers. The spy is sent out with one and the spy master retains the other. The digits are used as
follows. Suppose that the word to be encrypted is SPY and the random digits are 352. Then S
becomes V (three letters after S), P becomes U (five letters after P), and Y becomes A (two
letters after Y, restarting at A after Z). The spy would encrypt a message and then destroy the
document used to encrypt it. This is an early example of
A) a hashing algorithm.
B) asymmetric key encryption.
C) symmetric key encryption.
D) public key encryption.
Answer: C
Objective: Learning Objective 3
Difficulty: Moderate
AACSB: Analytic
15) One way to circumvent the counterfeiting of public keys is by using
A) a digital certificate.
B) digital authority.
C) encryption.
D) cryptography.
Answer: A
Objective: Learning Objective 3
Difficulty: Easy
AACSB: Analytic
16) In a private key system the sender and the receiver have ________, and in the public key
system they have ________.
A) different keys; the same key
B) a decrypting algorithm; an encrypting algorithm
C) the same key; two separate keys
D) an encrypting algorithm; a decrypting algorithm
Answer: C
Objective: Learning Objective 3
Difficulty: Easy
AACSB: Analytic
17) Asymmetric key encryption combined with the information provided by a certificate
authority allows unique identification of
A) the user of encrypted data.
B) the provider of encrypted data.
C) both the user and the provider of encrypted data.
D) either the user or the provider of encrypted data.
Answer: D
Objective: Learning Objective 3
Difficulty: Moderate
AACSB: Analytic
18) On June 17, 2013, a laptop computer belonging to Thea Technologies was stolen from the
trunk of Jamie Marcia's car while she was attending a conference. After reporting the theft, Jamie
considered the implications for the company's network security and concluded there was little to
worry about because
A) the computer was insured against theft.
B) the computer was protected by a password.
C) the data stored on the computer was encrypted.
D) it was unlikely that the thief would know how to access the company data stored on the
computer.
Answer: C
Objective: Learning Objective 3
Difficulty: Easy
AACSB: Analytic
19) Hjordis Marika took a call from a client. "Hjordis, I need to interact online in real time with
our affiliate in India, and I want to make sure that our communications aren't intercepted. What
do you suggest?" Hjordis responded, "The best solution is to implement
A) a virtual private network."
B) multifactor authentication."
C) a private cloud environment."
D) an asymmetric encryption system with digital signatures."
Answer: A
Objective: Learning Objective 3
Difficulty: Moderate
AACSB: Analytic
20) Describe symmetric encryption and identify three limitations.
Answer: Symmetric encryption systems use the same key to encrypt and decrypt data.
Symmetric encryption is much faster than asymmetric encryption, but the sender and receiver
need to know the shared secret key, which requires a different secure method of exchanging the
key. Also, different secret keys must be used with each different communication party. Finally,
there is no way to prove who created a specific document.
Objective: Learning Objective 3
Difficulty: Moderate
AACSB: Analytic