3.4 Self
A policy should state that if employees violate a company policy or any law using company technologies, the company will protect them, and the company is liable for the employee's actions.
False
A standard is a written instruction provided by management that informs employees and others in the workplace about proper behavior.
False
A disaster is any adverse event that could result in loss of an information asset or assets, but does not currently threaten the viability of the entire organization.
False
Every member of the organization's InfoSec department must have a formal degree or certification in information security.
False
Guidelines are detailed statements of what must be done to comply with policy.
False
Each policy should contain procedures and a timetable for periodic review.
True
Evidence is the physical object or documented information that proves an action occurred or identifies the intent of a perpetrator.
True
Good security programs begin and end with policy.
True
Security training provides detailed information and hands-on instruction to employees to prepare them to perform their duties securely.
True
Some policies may also need a sunset clause indicating their expiration date.
True
To remain viable, security policies must have a responsible individual, a schedule of reviews, a method for making recommendations for reviews, and policy issuance and planned revision dates.
True
A cold site provides many of the same services and options of a hot site, but at a lower cost.
False
An attack, breach of policy, or other incident always constitutes a violation of law, requiring notification of law enforcement.
False
A disaster recovery plan shows the organization's intended efforts to restore operations at the original site in the aftermath of a disaster.
True
Disaster recovery personnel must know their roles without supporting documentation, which is a function of preparation, training, and rehearsal.
True