the Health Insurance Portability and Accountability Act (HIPAA). Data mining is an accepted tool
for ad hoc reporting; it could pose a threat to privacy only if it violates regulator)' provisions.
Identity theft is a potential consequence of privacy violations but not the main focus of many
regulations. Human rights addresses privacy issues but is not the main focus of regulations.
Investments in information security technologies should be based on:
A. vulnerability assessments.
B. value analysis.
C. business climate.
D. audit recommendations.
Investments in security technologies should be based on a value analysis and a sound business
case. Demonstrated value takes precedence over the current business climate because it is
ever changing. Basing decisions on audit recommendations would be reactive in nature and
might not address the key business needs comprehensively. Vulnerability assessments are
useful, but they do not determine whether the cost is justified.
Retention of business records should PRIMARILY be based on:
A. business strategy and direction.
B. regulatory and legal requirements.
C. storage capacity and longevity.
D. business ease and value analysis.
Retention of business records is generally driven by legal and regulatory requirements.
Business strategy and direction would not normally apply nor would they override legal and
regulatory requirements. Storage capacity and longevity are important but secondary issues.
Business case and value analysis would be secondary to complying with legal and regulatory
Which of the following is characteristic of centralized information security management?
A. More expensive to administer
B. Better adherence to policies
C. More aligned with business unit needs
D. Faster turnaround of requests
Centralization of information security management results in greater uniformity and better