3.4 Self

A policy should state that if employees violate a company policy or any law using company technologies, the company will protect them, and the company is liable for the employee's actions.

False

A standard is a written instruction provided by management that informs employees and others in the workplace about proper behavior.

False

A(n) disaster is any adverse event that could result in loss of an information asset or assets, but does not currently threaten the viability of the entire organization.

False

Every member of the organization's InfoSec department must have a formal degree or certification in information security.

False

Guidelines are detailed statements of what must be done to comply with policy.

False

Each policy should contain procedures and a timetable for periodic review.

True

Evidence is the physical object or documented information that proves an action occurred or identifies the intent of a perpetrator.

True

Good security programs begin and end with policy.

True

Security training provides detailed information and hands-on instruction to employees to prepare them to perform their duties securely.

True

Some policies may also need a(n) sunset clause indicating their expiration date.

True

To remain viable, security policies must have a responsible individual, a schedule of reviews, a method for making recommendations for reviews, and policy issuance and planned revision dates.

True

A cold site provides many of the same services and options of a hot site, but at a lower cost.

False

​An attack, breach of policy, or other incident always constitutes a violation of law, requiring notification of law enforcement.

False

A disaster recovery plan shows the organization's intended efforts to restore operations at the original site in the aftermath of a disaster.

True

Disaster recovery personnel must know their roles without supporting documentation, which is a function of preparation, training, and rehearsal.

True