Info Security Ch 10
"Unfreezing" in the Lewin change model involves thawing hard-and-fast habits and established procedures.
True
An ideal organization fosters resilience to change.
True
Corrective action decisions are usually expressed in terms of trade-offs.
True
Each organization has to determine its own project management methodology for IT and information security projects.
True
Once a project is underway, it is managed using a process known as gap analysis, which ensures that progress is measured periodically.
True
Performance management is the process of identifying and controlling the resources applied to a project as well as measuring progress and adjusting the process as progress is made toward the goal.
True
Planners need to estimate the effort required to complete each task, subtask, or action step in the project plan.
True
Planning for the implementation phase of a security project requires the creation of a detailed project plan.
True
The budgets of public organizations are usually the product of legislation or public meetings.
True
The bull's-eye model can be used to evaluate the sequence of steps taken to integrate parts of the information security blueprint into a project plan.
True
The effective use of a DMZ is one of the primary methods of securing an organization's networks. A) True B) False
True
The need for qualified, trained, and available personnel constrains the project plan.
True
The project plan as a whole must describe how to acquire and implement the needed security controls and create a setting in which those controls achieve the desired outcomes.
True
The size of the organization and the normal conduct of business may preclude a single large training program on new security procedures or technologies.
True
Weak management support, with overly delegated responsibility and no champion, sentences the project to almost-certain failure.
True
When an estimate is flawed, as when the number of effort-hours required is underestimated, the plan should be corrected and downstream tasks updated to reflect the change.
True
A(n) __ is a simple project management planning tool. a. WBS b. RFP c. SDLC d. ISO 17799
WBS
The Lewin change model includes ____. a. moving b. unfreezing c. refreezing d. all of the above
all of the above
Some cases of ____ are simple, such as requiring employees to use a new password beginning on an announced date. a. wrap-up b. pilot implementation c. direct changeover d. phased implementation
direct changeover
Technology __ guides how frequently technical systems are updated, and how technical updates are approved and funded. a. governance b. changeover c. wrap-up d. turnover
governance
In the __ process, measured results are compared against expected results. a. wrap-up b. direct changeover c. turnover d. negative feedback loop
negative feedback loop
Tasks or action steps that come after the task at hand are called __. a. parents b. successors c. predecessors d. children
successors
The __ layer of the bull's-eye model includes computers used as servers, desktop computers, and systems used for process control and manufacturing. a. Policies b. Applications c. Networks d. Systems
systems
A proven method for prioritizing a program of complex change is the bull's-eye method.
True
The goal of the __ is to resolve any pending project-related issues, critique the overall effort of the project, and draw conclusions about how to improve the project management process for the future. a. phased implementation b. pilot implementation c. wrap-up d. direct changeover
wrap-up
The SecSDLC involves which of the following activities? A) collecting information about an organization's objectives B) collecting information about an organization's information security environment C) collecting information about an organization's technical architecture D) all of the above
All of the Above
The __ layer of the bull's-eye model receives attention last. a. Policies b. Applications c. Networks d. Systems
Applications
A(n) __ is used to justify that the project will be reviewed and verified prior to the development of the project plan. a. SDLC b. WBS c. CBA d. RFP
CBA
Each for-profit organization determines its capital budget and the rules for managing capital spending and expenses the same way.
False
Every organization needs to develop an information security department or program of its own.
False
In the early stages of planning, the project planner should attempt to specify completion dates only for major employees within the project.
False
Most information security projects require a trained project developer.
False
Planning for the implementation phase requires the creation of a detailed request for proposal, which is often assigned either to a project manager or the project champion.
False
The RFP determines the impact that a specific technology or approach can have on the organization's information assets and what it may cost.
False
The Work Breakdown Structure (WBS) can be prepared with a simple desktop PC word processing program.
False
The networks layer of the bull's-eye model is the outermost ring of the bull's-eye.
False
The security systems implementation life cycle is a process for collecting information about an organization's objectives, its technical architecture, and its information security environment.
False
The work breakdown structure (WBS) can only be prepared with a complex, specialized desktop PC application.
False
Project managers can reduce resistance to change by involving employees in the project plan. In systems development, this is referred to as ____. a. DMZ c. WBS b. SDLC d. JAD
JAD
If the task is to write firewall specifications for the preparation of a(n) ____, the planner would note that the deliverable is a specification document suitable for distribution to vendors. a. SDLC b. RFP c. CBA d. WBS
RFP
Tasks or action steps that come after the task at hand are called ____. a. predecessors c. children b. successors d. parents
Successors
The __ level of the bull's-eye model establishes the ground rules for the use of all systems and describes what is appropriate and what is inappropriate; it enables all other information security components to function correctly. a. Policies b. Applications c. Networks d. Systems
Policies
A task or subtask becomes a(n) action step when it can be completed by one individual or skill set and when it includes a single deliverable.
True
The optimal time frame for training is usually one to three weeks before the new policies and technologies come online.
True
The primary drawback to the direct changeover approach is that if the new system fails or needs modification, users may be without services while the system's bugs are worked out.
True
Effective planning for information security involves: a. collecting information about an organization's information security environment b. collecting information about an organization's objectives c. collecting information about an organization's technical architecture d. all of the above
all of the above
The __ methodology has been used by many organizations and requires that issues be addressed from the general to the specific, and that the focus be on systematic solutions instead of individual problems. a. bull's-eye b. direct changeover c. parallel d. wrap-up
bull's-eye
The date for sending the final RFP to vendors is considered a(n) ____, because it signals that all RFP preparation work is complete. a. deliverable b. milestone c. resource d. intermediate step
milestone
A __ is usually the best approach to security project implementation. a. pilot implementation b. parallel operations c. direct changeover d. phased implementation
phased implementation
In a __ implementation, the entire security system is put in place in a single office, department, or division before expanding to the rest of the organization.
pilot
Many public organizations must spend all budgeted funds within the fiscal year - otherwise, the subsequent year's budget is __________. A) increased by the unspent amount B) not affected unless the deficit is repeated C) automatically audited for questionable expenditures D) reduced by the unspent amount
reduced by the unspent amount
All organizations should designate a champion from the general management community of interest to supervise the implementation of an information security project plan.
False
In general, the design phase is accomplished by changing the configuration and operation of the organization's information systems to make them more secure.
False
In project planning, the tasks or action steps that come before the specific task at hand are commonly referred to as prerequisites.
False
The parallel operations strategy works well when an isolated group can serve as a test area, which prevents any problems with the new system from dramatically interfering with the performance of the organization as a whole.
False
By managing the _______, the organization can reduce unintended consequences by having a process to resolve potential conflict and disruption that uncoordinated change can introduce. A) Wrap-up B) Conversion process C) Governance D) Process of change
Process of Change
The first step in the work breakdown structure (WBS) approach encompasses activities, but not deliverables.
False