The Law, Regulation and Ethics of Information Assurance

• This is an open-book individual examination. The questions may require researchbeyond the OERs, lecture notes, and conferences. Each answer must include at leastone citation of an authoritative source. A single Reference List should be included at theend of the exam.• There are five (5) questions. Each response is worth 20 points. Each response is limited to 300 words. Points may be deducted for exceeding the word limit. The followingcriteria will be used for grading: relevance and correctness, completeness, clarity andlogical flow, spelling, grammar, and proper citations/Reference List.EXAM QUESTIONS:1. Computer Fraud and Abuse Act (CFAA)This key cybersecurity law makes it a federal crime to intentionally access a computer without authorization or to exceed authorized access. Explain the issue(s) presented by the CFAA term, “authorization,” using recent example(s), and how it could be improved/corrected.2. Bring Your Own Device (BYOD) and Acceptable UseBYOD means that devices employees own are being used for work. Discuss how an organization can/should manage the use of personal devices. What are the most important restrictions the organization can impose on work use? On personal use? Why are these limits important? How can they be established and enforced?3. The Privacy Act and Data BrokersThe Privacy Act controls the federal government protection of certain data in its systems of records. Explain how or if that Act applies to data the government accesses from commercial data brokers.4. Ransom AttackRansomware presents challenges to data integrity. NIST has drafted a practice guide regarding recovery from ransomware and other data integrity events. But, what could/should an organization do before ransomware attack? Why?5. Life Style SurveillanceDigitization, technology and applications permit us to monitor our physical activity andhealth statistics. Employers are increasingly interested in influencing or controlling the nonwork and non-duty hour activities of their employees. Describe the potential benefits to begained from employers’ collecting/using employee non-duty hour lifestyle/health data. For example, do employees exercise regularly? Do they smoke? Document one example of an employer collecting or accessing information about employee non-duty, health-related activities. Identify and explain legal and ethical challenges to the practice of monitoring employee off-duty lifestyle (for example, exercise and eating) activities.