Security Policies and Governance Final (Ch. 8 - 14)


During the process of developing a communications plan, it is necessary to ask the question, __________________.

"What is the target audience?"

Which of the following statements does not offer an explanation of what motivates an insider to pose a security risk?

An individual might think that threatening to disclose security information will earn the attention and recognition from the organization and thus result in promotion.

_______________ is an international governance and controls framework and a widely accepted standard for governing, assessing, and managing IT security and risks.

COBIT

While these two approaches have similarities in terms of the topics they address, ________ will cover broad IT management topics and specify which security controls and management need to be installed; however, ________ does not address how to implement specific controls.

COBIT, ISO

There must be security policies in place to set core standards and requirements when it comes to encrypted data. Which of the following is not one of these standards and requirements?

Encryption keys must be located in the same server as the encryption data.

A patch management assessment uses tools to define and comprehend risks to an application, system, or network device; patch management denotes weaknesses, or control gaps, that exist in the IT infrastructure.

False

How security data is classified demonstrates the information in terms of criticality and sensitivity. Sensitivity denotes how vital the information is to accomplishing an organization's mission. Criticality denotes the impact affiliated with unauthorized disclosure of information.

False

In order for the data owner and IT department to discern the controls necessary to secure data, they need to decide between the authentication method and encryption controls; both are not required.

False

In the 5 Code of Federal Regulations (C.F.R.), it is recommended that an individual has security awareness training before s/he can access information. The C.F.R. is unusual in that it requires all users to receive broad training in system/application life cycle management, security planning and system/application security management, risk management, and contingency planning.

False

In the concept of best fit privilege, a user has the bare minimum access based on what is needed to complete one's responsibilities. Least privilege, however, states that individuals should have the bare minimum access based on what is needed to complete one's responsibilities and have that access managed with the utmost efficiency. The difference is that best fit privileges customize access to the individual, while least privileges typically customize access to the group or class of users.

False

In the data classification scheme for recovery of information, data that is designated as urgent is that which needs to be recovered as soon as possible to mitigate significant impact on the organization.

False

In the organizational structure, the vendor management team is responsible for managing security concerns involving third parties and vendors. This team conducts an assessment on a vendor before data leaves the organization and is processed by a third party. The concept of separation of duties is often put in place to ensure that data is verified before it leaves the organization.

False

In the three-lines-of-defense model of risk management, the second line of defense is the business unit (BU), which is responsible for controlling risk on a daily basis. The BU locates risk, assesses the impact, and mitigates the risk whenever possible.

False

It is often the case that system accounts need increased privileges to start, stop, and manage system services; such accounts can be interactive or non-interactive. The word interactive denotes a person's inability to log on to the account, whereas noninteractive denotes a person's ability to do so.

False

Of the different risks that can occur in an IT security framework, events that transpire outside an organization's domain of control and impact IT operations fall under the category of operational risks.

False

Policies associated with risk management endorse a series of actions that enable an organization to be consistently conscious of risks. There are two efforts deployed: threat and vulnerability assessments and penetration testing.

False

RADIUS is an organizational model that is focused on the design, integration, security, distribution, and management of data across the enterprise. Sizable organizations are inclined to concern themselves with the management of data as its own pursuit, which cuts across all domains.

False

Risk and control self-assessment is the term used to define how an organization's security policy allows the business to thrive, or the degree to which it diminishes the obstacles to the business.

False

The BIA has two intended outcomes: 1) an enumerated list of dependencies and critical processes, and 2) a critical investigation of regulatory and legal requirements.

False

The acceptable use policy (AUP) is a document dedicated to the safeguarding of passwords.

False

The conventional wisdom concerning the security frameworks of domains is that it is always preferable for an organization to create a framework based on its own needs. Frameworks like ISO and COBIT are resources and should not be used as models to build on.

False

The issue of securing data in transit and data at rest concerns the subject of encryption due to the fact that all states have privacy laws that fall under one type of encryption requirement: that all private data is encrypted.

False

The main difference between a guideline and a standard is that the former is a mandated control and the latter is a strong endorsement of a course of action.

False

The only benefit to giving system administrators enhanced access rights is that it significantly diminishes the total security risk to the organization. Thus, if the systems administrator's credentials are endangered, access would be limited.

False

The recovery point objective (RPO) is the duration of time within which the recovery of a business process should occur following downtime or an outage.

False

The recovery time objective (RTO) is the greatest permissible level of data loss from the origin point of a disaster.

False

The security operations team has the responsibility of monitoring intrusions and breaches in the form of firewalls and network traffic. When the team finds a breach, they notify independent auditors who aid in the recovery of the business and will provide an assessment of how the breach occurred.

False

Vendors are users who need to be able to access particular application functions. Such access is issued based on the type of user rather than the individual. Guests and general public users, however, need to review and evaluate controls, and this access contains unlimited read access to logs and configuration settings.

False

When creating an IRT charter document, it is necessary to create a mission statement, which summarizes prior information on incident response and its significance to the organization.

False

There are many IT security policy frameworks that can often be combined to draw upon each of their strengths. Which of the following is not one of the frameworks?

GRC for IT operations, governance, risk management, and compliance

Which of the following has the responsibility of offering instruction on intrusion detection systems and intrusion prevention system standards as well as their accompanying uses for diminishing false alerts?

IDS and IPS architecture and management guidelines

Because risk management is both a governance process and a model that seeks consistent improvement, there is a series of steps to be followed every time a new risk emerges. Which of the following is not one of these steps?

Identify the prior risks; it is not necessary to determine the cause.

Training that happens in a classroom has many benefits, but which of the following is one of the most significant drawbacks concerning the instructors' abilities?

Instructors with sufficient expertise are difficult to find.

If a CISO seeks to raise employees' awareness of the dangers of malware in the organization, which of the following approaches is recommended?

The CISO should talk about how malware could prevent the service desk from helping a customer.

Consider this scenario: A company is notified that its servers have been compromised to be the point of departure to attack a host of other companies. The company then initiates an IRT, which is unable to locate the breach. The company then seeks the services of an outside firm that specializes in forensic analysis and intrusions. The outside firm locates the source of the breach and wants to monitor the actions of the intruder. However, the outside firm is informed by its internal legal counsel that the company does not agree with this course of action. Which of the following statements best captures the effectiveness of the company's IRT policies?

The IRT is moderately effective because a breach was found without seeking external counsel.

Which of the following statements illustrates the importance of the LAN-to-WAN domain to an organization's security?

The LAN needs to establish a secure connection to the WAN to ensure that traffic is thoroughly inspected and carefully filtered.

Consider this scenario: A major software company finds that code has been executed on an infected machine in its operating system. As a result, the company begins working to manage the risk and eliminates the vulnerability 12 days later. Which of the following statements best describes the company's approach?

The company effectively implemented patch management.

Which of the following outcomes is one of the benefits of a risk-management approach to security policies?

This approach offers alternative courses of action that might not be obvious to the leaders.

Consider this scenario: After many years, an employee is promoted to a position that has an elevated level of trust with his management. He started with the company in an entry-level position, and then moved from a supervisory to a managerial role. This role entails that the employee trains other employees and has a deep understanding of how the department functions. Which of the following actions should be taken in regard to this employee's levels of access during the span of time he has worked for the company?

This employee should have prior access removed to ensure separation of duties and avoid future instances of security risk.

In the financial services sector, some organizations have implemented a three-lines-of-defense model. What does the use of this model suggest about an organization's structure?

This organization uses a layered approach that creates a separation of duties.

"Privilege creep" refers to individuals who retain access privileges within an organization based on their previous jobs within the organization. This is an undesirable situation because multiple access privileges create the conditions for employees to engage in fraud.

True

A significant objective in telecommunication standards is the need to identify the devices and protocols to be used and then determine how to handle data on those devices.

True

A useful method for sharing security policies across an organization is a document-handling server, such as an intranet. Benefits of this server include material cost control, keeping policies current, and ensuring that policies are searchable.

True

A workstation can be any user device, such as a smartphone or a laptop, that accesses data; policies regarding the workstation domain relate to any such computing device.

True

Because regulatory compliance is a significant effort, some organizations engage full-time teams to collect, review, and report in an attempt to demonstrate that regulations are being followed. However, creating these full-time teams redirects business protection resources needlessly. A better strategy is to create an IT policies framework that defines security controls that align with policies and regulations.

True

Employees who occupy a vendor status directly report to that vendor company, and that company will often manage their access. Thus, processes must be instituted to guarantee that the vendor company is managing its employees effectively. The situations that demand a vendor to give notification to the company that has engaged the vendor are as follows: 1) when people are hired or fired; 2) when people switch roles; 3) when systems are enhanced or separated from the organization's network; and 4) when security configuration adjustments are made to the communications between the vendor and the organization.

True

Escalation is a process that is regularly implemented by a CISO when risks are being addressed. If a business unit is unresponsive, it is necessary for a CISO to escalate events. However, the path of escalation differs depending on the organization.

True

Guidelines in the LAN-to-WAN domain offer recommendations for individuals who have the responsibility of determining the degree to which Internet access should be allowed. To offer additional choices while also negotiating risk, individuals can implement content-filtering guidelines (which offer options for effective ways to filter content), methods for recording the list of banned sites, and ways to request user privileges to blocked sites, as needed.

True

If an organization wants to reduce the number of possible threats and damages, it is recommended that it puts security policies in place to guarantee that access is limited to individual responsibilities and roles. This policy should also mandate that a person's access is revoked when s/he leaves the organization.

True

If the governance and compliance framework is well-defined, this means that the approach is structured around a common language and is a foundation from which information security policies can be governed.

True

In 2012, the software company Televant suffered a breach of its internal firewall and network. In response, the company severed the usual data links between clients and segmented the portions of its internal networks that had been affected. The fact that segmentation was introduced immediately after the breach suggests that such segmentation was not initially built into the LAN security policy, which raises many security control questions.

True

In addition to being federally mandated, a good security awareness policy has many benefits, including the processes of notifying employees of the following: 1) basic foundations of information security; 2) raising consciousness of risks and threats; 3) how to cope with unexpected risk; 4) how to give a record of incidents, breaches, and suspicious activity; and 5) how to help create a culture that is educated about security and risk awareness.

True

In most cases, a Quality Assurance function is a control that occurs in real-time and is preventive. A Quality Control function differs because, as a detective control, it examines defects over time and surveys a wide range of samples.

True

In order to create a detailed communication plan, it is recommended that these elements are included: intranet Web site; monthly communications; management briefing; and the incorporation of security policies into current training events and communications.

True

In order to record the dates when new policies and changes to those policies are enacted, it is advisable to use a consolidated calendar. Stakeholders should review the calendar monthly to prepare for policy implementation appropriately.

True

In the third line of defense, the auditor serves as an advisor to the first and second lines of defense in matters concerning risk. The third line must preserve its independence but also offer input on risk direction and strategies.

True

Risk management policies establish the framework for measuring risk for data classification and actions associated with risk and control self-assessment (RCSA); these policies also define the standards for judging the assessments as well as the content that comprises the assessments.

True

Security awareness training is formally conducted in two methods: instructor-led classroom training and computer-based training (CBT). It is common practice for large organizations to use a combination of both methods.

True

Security frameworks establish behavior expectations and define policy. Policies cannot address every scenario employees will face, but strong training on the core principles that create those policies will equip employees to do their jobs successfully.

True

The RCSA is utilized to construct plans for risk management, which can include the location of where to implement the procedures for quality assurance and quality control.

True

The disaster declaration policy contains the plan for declaring a disaster. Activating this plan might include the emergency notification of personnel, strategic vendors, and stakeholders as well as activation of alternative sites and housing and transport arrangements.

True

The operational risk committee has the ability to determine which business activities are riskier than others. For example, if a business wants to sell product on the Internet for the first time, then the risk committee would need to understand the wide-ranging risks involved as well as the organization's security capability.

True

WAN standards often address WAN management, router security, protocols, Domain Name Services (DNS), and Web services. As such, a WAN controls standard might include the following types of statements: "All access points to the WAN shall be approved by the IS department," and "All WAN-related address changes and configurations shall be approved by the IS department."

True

When confronting guest and general public access, some best practices include but are not limited to the following: highly prohibiting access to specific functions, conducting a penetration test on all public-facing Web sites to detect control vulnerabilities, and minimizing the amount of network traffic to point-to-point communications.

True

When developing baseline standards, it is vital to use industry best practices. Industry best practices standards enable one to justify choices being made to regulators. Furthermore, there is increased efficiency to be gained by modifying an existing standard as opposed to creating one from the ground up.

True

When implementing a patch, it is recommended that there be a back-out strategy in place; this is necessary because it is possible the patch might create complications.

True

Whenever a high-risk application is put into place in an organization, it is necessary for the following four user domain-level security measures to be enacted: risk assessment, controls design, access management, and escalation.

True

With a framework in place, controls and risk become more measurable. The ability to measure the enterprise against a set of standards and controls assures regulators of compliance and helps reduce uncertainty.

True

An important principle in information security is the concept of layers of security, which is often referred to as layered security, or defense in depth. Which of the following is not an example of a layer of security?

a control standard

A(n) ______________________ is a centrally located device that is capable and permitted to extend and connect to distributed services.

agentless central management tool

The act of recording noteworthy security events that transpire on a network or computing device is known as a(n) ______________________.

audit

Of all the reasons that people commit errors when it comes to IT security, which of the following is the main reason people make mistakes?

carelessness

Which of the following is not one of the policies concerned with LAN-to-WAN filtering and connectivity?

content-blocking tools configuration standard

It is important that ___________________ accounts have full and unencumbered rights to restore data as well as to configure, install, repair, and recover applications and networks.

contingent

LAN security policies center on issues concerning connectivity; this includes determining how devices adhere to the network. Among the types of LAN control standards are _______________, which creates the schedules on LAN-attached devices for scheduled preventative and consistent maintenance, and ________________, which explains the change control management process for soliciting changes, granting changes, and implementing changes on the network.

controlled maintenance, configuration change control

The system/application domain covers an expansive range of topics; therefore, the baseline standards in this domain are diverse. For example, the _____________________ explain how to compose and assess the security of applications.

developer coding standards

Which of the following control standards in the system/application domain maintains control of both managing errors and ensuring against potentially damaging code?

developer-related standards

It is important to conduct a nearly continuous evaluation of possible ______________ to guarantee that recovery estimates provided to customers are accurate and maintain credibility with customers.

downtimes

The members of the _________________ committee help create priorities, remove obstacles, secure funding, and serve as a source of authority. Members of the _______________ committee, however, are leaders across the organization.

executive, security

An organization's _______________________ is a particular group of differently skilled individuals who are responsible for attending to serious security situations.

incident response team (IRT)

The goal of employee awareness and training is to ensure that individuals are equipped with the tools necessary for the implementation of security policies. Which of the following is one of the other benefits of a successfully enacted training and awareness program?

instituting chances for employees to gather new skills, which can foster enhanced job satisfaction

Consider this scenario: A company that buys a sizeable amount of equipment for its manufacturing process needs to accurately report such expenditures, so it calls upon the services of financial auditors. While financial auditors might consider how robust the data might be, the company might also involve IT auditors to examine the technology in place to gather the data itself. What process is this company using to address its concerns?

integrated audit

Baseline LAN standards are concerned with network traffic monitoring because no matter how good firewalls and routers can be, they are still not 100% effective. Thus, _________________ offer a wide range of protection because they seek out patterns of attack.

intrusion systems

The Barings Bank collapsed in 1995 after it was found that an employee had lost over $1.3 billion of the bank's assets on the market. The collapse occurred when an arbitrage trader was responsible for both managing trades and guaranteeing that trades were settled and reported according to proper procedures. To which of the following causes is this collapse attributed?

lack of separation of duties

A risk exposure is defined as the impact to the organization when a situation transpires. The widely accepted formula for calculating exposure is as follows: Risk exposure = ________________ the event will occur + ____________ if the event occurs

likelihood, impact

The scope of security awareness training must be customized based on the type of user assigned to each role in an organization. For instance, it is important that ________________ receives training in basic security requirements, regulatory and legal requirements, detailed policy review, and reporting suspicious activity.

middle management

Despite the fact that there exists no mandatory scheme of data classification for private industry, there are four classifications used most frequently. Which of the following is not one of the four?

moderately sensitive

In order to build security policy implementation awareness across the organization, there should be ____________________ who partner with other teams and departments to promote IT security through different communication channels.

multiple executive supporters

In policies regarding the ___________ of data, it must be guaranteed that the data that exits the private network is secured and monitored; the data should also be encrypted while in transit.

physical transport

There are many ways that people can be manipulated to disclose knowledge that can be used to jeopardize security. One of these ways is to call someone under the false pretense of being from the IT department. This is known as _________________________.

pretexting

Of the six specific business risks, the ___________________ risk results from negative publicity regarding an organization's practices. Litigation and a decline in revenue are possible outcomes of this type of risk.

reputational

A ______________________ is an apparatus for risk management that enables the organization to comprehend its risks and how those risks might impact the business.

risk and control self-assessment (RCSA)

The _______________________domain establishes the context and business view for a risk evaluation and guarantees that risk activity aligns with the business goals, objectives, and tolerances. The ________________ domain establishes that technology risks are identified and delivered to leadership in business terms.

risk governance, risk evaluation

The National Security Information document EO 12356 explains the U.S. military classification scheme of top secret, secret data, confidential, sensitive but unclassified, and unclassified. Which of the following data can be reasonably expected to create serious damage to national security in the event that it was subject to unauthorized disclosure?

secret

A(n) __________________ is a term used to indicate any unwanted event that takes place outside the normal daily security operations. This type of event relates to a breakdown in controls as identified by the security policies.

security event

The ______________________ denotes the application software and technology that concerns a wide range of topics, from data management to the systems that process information.

system/application domain

Which of the following is not one of the similarities shared by an enterprise risk management (ERM) framework and a governance, risk management, and compliance (GRC) framework?

the importance of value delivery

Of all the needs that an organization might have to classify data, there are three that are most prevalent. Which of the following is not one of the reasons?

transfer information

In order to enhance the training experience and emphasize the core security goals and mission, it is recommended that the executives _______________________.

video record a message from one of the leaders in a senior role to share with new employees

When is the best time to implement security policies to help developers diminish the number of vulnerabilities during application development?

while the application is being written

