Quiz 2

QUESTION 1 (2 points)
When discussing security policies and implementation tasks, one should follow a checklist with three items: 1) things to do; 2) things to pay attention to; and 3) things to report.
True
False

QUESTION 2 (2 points)
One should focus on measuring risk to the business as opposed to implementation of policies and controls when tying policy adherence to performance measurement.
True
False

QUESTION 3 (2 points)
The struggle between how to manage a business versus how to “grow” has significant implications for security policies, which must reflect the core values of the business. Which of the following statements reflects one of the security policy approaches often taken by entrepreneurs growing a business?
a) A company in its early startup stages focuses on stability and seeks to avoid risk.
b) A company starts growing its bureaucracy as early in its development as possible.
c) A company in its startup stages often hires professional managers and defers to their judgment about how to create the business culture.
d) A company in high-growth mode focuses on agility and innovation and tends to have a greater acceptance of risk.

QUESTION 4 (2 points)
Data owners ensure that only the access that is needed to perform day-to-day operations is granted and that duties are separated adequately to mitigate the risk of errors and fraud.
True
False

QUESTION 5 (2 points)
In a large organization, the complexity required to keep operations running effectively requires a hierarchy of specialties. Thus, which of the following organizational structures is preferred?
a) flat organizational structure
b) matrix relationship structure
c) hierarchical organizational structure
d) change agent structure

QUESTION 6 (2 points)
In general, implementing security policies occurs in isolation from the business perspectives and organizational values that define the organization’s culture.
True
False

QUESTION 7 (2 points)
One of the well-documented reasons for why projects fail is insufficient support from leadership. This occurs because value is only derived from policies when they are enforced. An organization must have the will and process to reward adherence.
True
False

QUESTION 8 (2 points)
There are many IT security policy frameworks that can often be combined to draw upon each of their strengths. Which of the following is not one of the frameworks?
a) COSO for financial controls and enterprise risk management structure
b) COBIT for IT controls, governance, and risk management
c) ITIL for IT services management
d) GRC for IT operations, governance, risk management, and compliance

QUESTION 9 (2 points)
The members of the _________________ committee help create priorities, remove obstacles, secure funding, and serve as a source of authority. Members of the _______________ committee, however, are leaders across the organization.
a) executive, security
b) security, executive
c) audit, security
d) executive, operational risk

QUESTION 10 (2 points)
Security frameworks establish behavior expectations and define policy. Policies cannot address every scenario employees will face, but strong training on the core principles that create those policies will equip employees to do their jobs successfully.
True
False

QUESTION 11 (2 points)
Within the seven domains of a typical IT infrastructure, there are particular roles responsible for data handling and data quality. Which of the following individuals do not work with the security teams to ensure data protection and quality?
a) data stewards
b) auditors
c) head of information management
d) data custodians

QUESTION 12 (2 points)
With a framework in place, controls and risk become more measurable. The ability to measure the enterprise against a set of standards and controls assures regulators of compliance and helps reduce uncertainty.
True
False

QUESTION 13 (2 points)
A(n) ______________________ aligns strategic goals, operations effectiveness, reporting, and compliance objectives.
a) operational risk committee
b) layered security approach
c) enterprise risk management framework
d) governance, risk management, and compliance framework

QUESTION 14 (2 points)
An illustration of ________________ would be an organization installing antimalware software on the network and endpoints, monitoring for suspicious traffic, and responding as needed.
a) risk governance
b) disposal of risk
c) strategic risk
d) risk evaluation

QUESTION 15 (2 points)
It is often the case that a security manager must make tough management decisions when defining the scope of a program. For example, the manager may need to decide how the program applies to contractors who connect to the company’s systems.
True
False

QUESTION 16 (2 points)
The information security program charter is the capstone document for the information security program. This required document establishes the information security program and its framework. Which of the following components is not defined by this high-level policy?
a) the program’s purpose and mission
b) the program’s scope within the organization
c) assignment of responsibilities for program implementation
d) explanation of penalties and disciplinary actions for specific infractions

QUESTION 17 (2 points)
Of the roles commonly found in the development, maintenance, and compliance efforts related to a policy and standards library, which of the following has the responsibilities of directing policies and procedures designed to protect information resources, identifying vulnerabilities, and developing a security awareness program?
a) information resources manager
b) information resources security officer
c) control partners
d) CISO

QUESTION 18 (2 points)
Because no two organizations are alike, different needs require different solutions, and therefore security professionals can take advantage of a variety of policy frameworks. That means that each organization can determine the appropriate policy framework to meet its own needs and threats.
True
False

QUESTION 19 (2 points)
If information is modified by any means other than the intentional actions of an authorized user or business process, it could have disastrous results for a business. This underscores the importance of availability controls, which prevent the inadvertent or malicious modification of information. For example, if a product-testing firm that spends many hours testing the optimal settings for a piece of safety equipment used in factories undergoes a power surge that alters the data stored in the testing database, the company might use the incorrect data to recommend equipment settings and jeopardize the safety of factory workers.
True
False

QUESTION 20 (2 points)
Which of the following statements captures the function of guidelines presented in guidance documents for IT security?
a) Guidelines may present conventional thinking on a specific topic and seldom require revision.
b) Guidelines are generally mandatory, and failing to follow them explicitly can lead to compliance issues.
c) Guidelines assist people in creating unique and distinct procedures or processes that are specific to the needs of a particular company’s IT security needs.
d) Guidelines provide those who implement standards/baselines more detailed information such as hints, tips, and processes to ensure compliance.

QUESTION 21 (2 points)
_________________ describes how to design and implement an information security governance structure, whereas __________________ describes security aspects for employees joining, moving within, or leaving an organization.
a) Human resources security, organization of information security
b) Information security policy, organization of information security
c) Organization of information security, human resources security
d) Human resources security, asset management

QUESTION 22 (2 points)
When changes or maintenance need to be performed, it is helpful to use information that describes changes to the organization; these changes often occur when there are common problems concerning compliance.
True
False

QUESTION 23 (2 points)
In order to ensure that policy is implemented in a thoughtful manner, it is recommended that the security manager form a policy change control board or committee. The only employees who should be invited are those from the compliance team, so that the team can guarantee that changes to existing policies and standards bolster the organization’s mission and goals.
True
False

QUESTION 24 (2 points)
The ultimate goal of the review and approval processes is to gain senior executive approval of the policy or standard by the chief information security officer (CISO). In order to gain this approval, the CISO requires all parties to sign off on the document. Which of the following is not among the suggested list of people who should be given the chance to become a second or third layer of review?
a) technical personnel
b) legal
c) audit and compliance
d) finance

QUESTION 25 (2 points)
There are no universal prescriptions for building an IT security program. Instead, principles can be used to help make decisions in new situations using industry best practices and proven experience. Which of the following is not created with the use of principles?
a) policies
b) baselines
c) business plan
d) guidelines

QUESTION 26 (2 points)
Security controls are measures taken to protect systems from attacks on the integrity, confidentiality, and availability of the system. If a potential employee is required to undergo a drug screening, which of the following controls is being conducted?
a) preventive security controls
b) technical security controls
c) physical security controls
d) administrative controls

QUESTION 27 (2 points)
Because policies and standards are a collection of comprehensive definitions that describe acceptable and unacceptable human behavior, it is important that they contain a significant level of detail and description and address the six key questions: who, what, where, when, why, and how.
True
False

QUESTION 28 (2 points)
The process known as “lessons learned” seeks to guarantee that mistakes are only made once and not repeated. Such lessons are not attached to a person or role but can come from anyone and anywhere.
True
False
