QUESTION 1

  1. When discussing security policies and implementation tasks, one should follow a checklist with three items: 1) things to do; 2) things to pay attention to; and 3) things to report. True
    False

2 points  

QUESTION 2

  1. One should focus on measuring risk to the business as opposed to implementation of policies and control when tying policy adherence to performance measurement. True
    False

2 points  

QUESTION 3

  1. The struggle between how to manage a business versus how to “grow” has significant implications for security policies that must reflect the core values of the business. Which of the following statements reflects one of the security policy approaches often taken by entrepreneurs growing a business?
    A company in its early startup stages focuses on stability and seeks to avoid risk.
    A company starts growing its bureaucracy as early in its development as possible.
    A company in its startup stages often hires professional managers and defers to their judgment about how to create the business culture.
    A company in high-growth mode focuses on agility and innovation and tends to have a greater acceptance of risk.

2 points  

QUESTION 4

  1. Data owners ensure that only the access that is needed to perform day-to-day operations is granted and that duties are separated adequately to mitigate the risk of errors and fraud. True
    False

2 points  

QUESTION 5

  1. In a large organization, the complexity required to keep operations running effectively requires a hierarchy of specialties. Thus, which of the following organizational structures is preferred?
    flat organizational structure
    matrix relationship structure
    hierarchical organizational structure
    change agent structure

2 points  

QUESTION 6

  1. In general, implementing security policies occurs in isolation from the business perspectives and organizational values that define the organization’s culture. True
    False

2 points  

QUESTION 7

  1. One of the well-documented reasons for why projects fail is insufficient support from leadership. This occurs when value is only derived from policies when they are enforced. An organization must have the will and process to reward adherence. True
    False

2 points  

QUESTION 8

  1. There are many IT security policy frameworks that can often be combined to draw upon each of their strengths. Which of the following is not one of the frameworks?
    COSO for financial controls and enterprise risk management structure
    COBIT for IT controls, governance, and risk management
    ITIL for IT services management
    GRC for IT operations, governance, risk management, and compliance

2 points  

QUESTION 9

  1. The members of the _________________ committee help create priorities, remove obstacles, secure funding, and serve as a source of authority. Members of the _______________ committee, however, are leaders across the organization.
    executive, security
    security, executive
    audit, security
    executive, operational risk

2 points  

QUESTION 10

  1. Security frameworks establish behavior expectations and define policy. Policies cannot address every scenario employees will face, but strong training on the core principles that create those policies will equip employees to do their jobs successfully. True
    False

2 points  

QUESTION 11

  1. Within the seven domains of a typical IT infrastructure, there are particular roles responsible for data handling and data quality. Which of the following individuals does not work with the security teams to ensure data protection and quality?
    data stewards
    auditors
    head of information management
    data custodians

2 points  

QUESTION 12

  1. With a framework in place, controls and risk become more measurable. The ability to measure the enterprise against a set of standards and controls assures regulators of compliance and helps reduce uncertainty. True
    False

2 points  

QUESTION 13

  1. A(n) ______________________ aligns strategic goals, operations effectiveness, reporting, and compliance objectives.
    operational risk committee
    layered security approach
    enterprise risk management framework
    governance, risk management, and compliance framework

2 points  

QUESTION 14

  1. An illustration of ________________ would be an organization installing anti-malware software on the network and endpoints, monitoring for suspicious traffic, and responding as needed.
    risk governance
    disposal of risk
    strategic risk
    risk evaluation

2 points  

QUESTION 15

  1. It is often the case that a security manager must make tough management decisions when defining the scope of a program. For example, the manager may need to decide how the program applies to contractors who connect to the company’s systems. True
    False

2 points  

QUESTION 16

  1. The information security program charter is the capstone document for the information security program. This required document establishes the information security program and its framework. Which of the following components is not defined by this high-level policy?
    the program’s purpose and mission
    the program’s scope within the organization
    assignment of responsibilities for program implementation
    explanation of penalties and disciplinary actions for specific infractions

2 points  

QUESTION 17

  1. Of the roles commonly found in the development, maintenance, and compliance efforts related to a policy and standards library, which of the following has the responsibilities of directing policies and procedures designed to protect information resources, identifying vulnerabilities, and developing a security awareness program?
    information resources manager
    information resources security officer
    control partners
    CISO

2 points  

QUESTION 18

  1. Because no two organizations are alike, different needs require different solutions, and therefore, security professionals can take advantage of a variety of policy frameworks. That means that each organization can determine the appropriate policy framework to meet its organization’s needs and threats. True
    False

2 points  

QUESTION 19

  1. If information is modified by any means other than the intentional actions of an authorized user or business process, it could have disastrous results for a business. This underscores the importance of availability controls, which prevent the inadvertent or malicious modification of information. For example, if a product-testing firm that spends many hours testing the optimal settings for a piece of safety equipment used in factories undergoes a power surge that alters the data stored in the testing database, the company might use the incorrect data to recommend equipment settings and jeopardize the safety of factory workers. True
    False

2 points  

QUESTION 20

  1. Which of the following statements captures the function of guidelines presented in guidance documents for IT security?
    Guidelines may present conventional thinking on a specific topic and seldom require revision.
    Guidelines are generally mandatory, and failing to follow them explicitly can lead to compliance issues.
    Guidelines assist people in creating unique and distinct procedures or processes that are specific to the needs of a particular company’s IT security needs.
    Guidelines provide those who implement standards/baselines more detailed information such as hints, tips, and processes to ensure compliance.

2 points  

QUESTION 21

  1. _________________ describes how to design and implement an information security governance structure, whereas __________________ describes security aspects for employees joining, moving within, or leaving an organization.
    Human resources security, organization of information security
    Information security policy, organization of information security
    Organization of information security, human resources security
    Human resources security, asset management

2 points  

QUESTION 22

  1. When changes or maintenance need to be performed, it is helpful to use information that describes changes to the organization; these changes often occur when there are common problems concerning compliance. True
    False

2 points  

QUESTION 23

  1. In order to ensure that policy is implemented in a thoughtful manner, it is recommended that the security manager form a policy change control board or committee. The only employees who should be invited are those from the compliance team so that the team can guarantee that changes to extant policies and standards bolster the organization’s mission and goals. True
    False

2 points  

QUESTION 24

  1. The ultimate goal of the review and approval processes is to gain senior executive approval of the policy or standard by the chief information security officer (CISO). In order to gain this approval, the CISO requires all parties to sign off on the document. Which of the following is not among the suggested list of people who should be given the chance to become a second or third layer of review?
    technical personnel
    legal
    audit and compliance
    finance

2 points  

QUESTION 25

  1. There are no universal prescriptions for building an IT security program. Instead, principles can be used to help make decisions in new situations using industry best practices and proven experience. Which of the following is not created with the use of principles?
    policies
    baselines
    business plan
    guidelines

2 points  

QUESTION 26

  1. Security controls are measures taken to protect systems from attacks on the integrity, confidentiality, and availability of the system. If a potential employee is required to undergo a drug screening, which of the following controls is being conducted?
    preventive security controls
    technical security controls
    physical security controls
    administrative controls

2 points  

QUESTION 27

  1. Because policies and standards are a collection of comprehensive definitions that describe acceptable and unacceptable human behavior, it is important that they contain a significant level of detail and description and address the six key questions: who, what, where, when, why, and how. True
    False

2 points  

QUESTION 28

  1. The process known as “lessons learned” seeks to guarantee that mistakes are only made once and not repeated. Such lessons are not attached to a person or role but can come from anyone and anywhere. True
    False