Midterm Exam 410

ISS policies must set rules for users, define consequences of violations, and minimize risk to the organization. There are typically five different types of documents in a policy framework: 1) Principles; 2) Policy; 3) Standard; 4) Procedure, and 5) Guideline.

False

Integrity ensures that only authorized individuals are able to access information.

False

One of the classifications that can be applied to security controls is physical control, which is also known as a "procedural control." This control relies on a human to take some action.

False

The most senior leader responsible for managing an organization's risks is the chief privacy officer (CPO). Which of the following is not one of the responsibilities of the CPO?

The CPO must be a lawyer.

A good security awareness program makes employees aware of the behaviors expected of them. All security awareness programs have two enforcement components: the carrot and the stick. Which of the following best captures the relationship of the two components?

The carrot aims to educate the employee about the importance of security policies, and the stick reminds the employees of the consequences of not following policy.

In 2012, COBIT 5.0 was released to the public. This version of COBIT was a departure from other frameworks in that it put emphasis on what enables processes to work well; COBIT calls these process enablers.

True

In general, it is good practice to make your security policies relevant to business needs because they stand a better chance of being followed.

True

The benefit of a risk-aware culture is that people want do the right thing all the time, which leads to an increased likelihood of policies being followed. Thus, when this behavior is modeled every day by everyone, it becomes the norm.

True

Generally, regardless of threat or vulnerability, there will ____________ be a chance a threat can exploit a vulnerability.

always

One of the considerations of integrity is how to protect data in the event of a breach or unauthorized access. One way to resolve this issue is to take a security layered approach and to use encryption. A breach in one layer will be caught by another. In this case, even if data is improperly accessed, it still cannot be read.

False

Organizations can lower communication costs and save time by leasing private lines for WANs instead of using VPN tunnels. For small and medium-size companies, it's the only practical solution given the cost and technical complexities.

False

The members of the _________________ committee help create priorities, remove obstacle, secure funding, and serve as a source of authority. Members of the _______________ committee, however, are leaders across the organization.

executive, security

The Sarbanes-Oxley (SOX) Act became law in 1999 and was meant to repeal existing laws so that banks, investment companies, and other financial services companies could merge.

False

___________________________ are formal written policies describing employee behavior when using company computer and network systems.

Acceptable use policies

In general, implementing security policies occurs in isolation from the business perspectives and organizational values that define the organization's culture.

false

In general, matrix relationships are created with control partners.

false

In the data classification scheme for recovery of information, data that is designated as urgent is that which needs to be recovered as soon as possible to mitigate significant impact on the organization.

false

Which of the following is not one of the common network devices found on the LAN domain?

flat network

If human action is required, the control is considered _______________.

manual

Although an organization's list of stakeholders will vary depending on the policy being implemented, there are stakeholders who can be seen commonly across organizations. What is the key focus of stakeholders in information security?

protection of the company and the customer

The risk governance domain guarantees that the entire range of opportunities and consequences are considered with regard to business strategy.

true

When an organization implements a division of labor, the depth and quality is higher. The result is the organization grows, along with operating costs. An organization needs to divide labor in such a way that it can create quality, remain competitive, and control operating costs.

true

When implementing policies, it is necessary to follow these four steps: 1) building consensus on intent; 2) reviews and approvals for your documents; 3) publication of the documents; and 4) awareness and training.

true

qWhen going through the steps to create a vision for change, it is valuable to find a leader in your organization who can be an agent of change; someone who doesn't follow the pack, who can think outside the box, and can steer the organization through the politics of creating change.

true

One of the ways to verify a computer's identity is by using certificates, because, in general terms, the certificate acts like a digital fingerprint.

true

Which of the following statements captures an example of a manager tapping into pride as a source of motivation?

"It is really important that you complete this task because the team values your contributions and would benefit from your input."

The section of the security newsletter that informs or educates staff and serves as an information security glossary is called __________________________.

"What Is . . . ?"

______________________ can run on a workstation or server and is at the heart of all business applications.

Application software

_______________ is a measurement that quantifies how much information can be transmitted over the network.

Bandwidth

_______________ is an international governance and controls framework and a widely accepted standard for governing, assessing, and managing IT security and risks.

COBIT

An organization mandates that all attempts by traders to use the Internet should be logged, and that each trader's log should be reviewed by a manager at least monthly to ensure compliance. Which of the following questions concerning security is being addressed?

How do you measure whether both the policy and the right processes were followed?

___________________ is the act of protecting information and the systems that store and process it.

Information systems security

Which of the following is one of the challenges of the Sarbanes-Oxley (SOX) Act?

It is very expensive and nearly impossible to test all of a company's controls.

In the financial services sector, some organizations have implemented a three-lines-of defense model. What does the use of this model suggest about an organization's structure?

This organization uses a layered approach that creates a separation of duties.

The struggle between how to manage a business versus how to "grow" has significant implications for security policies that must reflect the core values of the business. Which of the following statements reflects one of the security policy approaches often taken by entrepreneurs growing a business?

A company in high-growth mode focuses on agility and innovation and tends to have a greater acceptance of risk.

Apathy can have detrimental effects on information security. Engaged communication is one strategy that can be implemented to overcome the effects of apathy. Which of the following statements further elaborates this strategy?

Adjust the implementation strategy to better explain the importance of the policy within the context of the individual role.

Which of the following is not one of the "five pillars of the IA model"

Assurance

While these two approaches have similarities in terms of the topics they address, ________ will cover broad IT management topics and specify which security controls and management need to be installed; however, ________ does not address how to implement specific controls.

COBIT, ISO

As a result of a U.S. Supreme Court ruling challenging the restriction of access to information in libraries, the ________________ was declared constitutional. However, the courts do require schools and libraries to unblock sites when requested by an adult.

Children's Internet Protection Act (CIPA)

While it would not be possible to classify all data in an organization, there has nonetheless been an increase in the amount of unstructured data retained in recent years, which has included data and logs. There are many different ways to make the time-consuming and expensive process of retaining data less challenging. Which of the following is not one these approaches?

Classify all forms of data no matter the risk to the organization.

_____________________ in e-commerce broadly deals with creating rules on how to handle a consumer's transaction and other information.

Consumer rights

_______________ are owned by an organization if they are created on the computer by company employees or if the assets were custom developed for and purchased by the organization.

Digital Assets

A vulnerability is a human-caused or natural event that could impact the system, whereas a risk is a weakness in a system that can be exploited.

False

All states laws and the federal government share the same definition of data privacy.

False

Although it can be expensive for businesses to implement operational efficiency, this cost produces greater quality results. For organizations with multiple divisions, developing processes once and repeating them saves time.

False

An organization mandates use of the firewall, which stops all traffic to the Internet except for Web browsing and company e-mail. For this control, the question concerning security being addressed is, "What type of protection will be achieved?"

False

As a statement of formal written policies describing employee behavior when using company computer and network systems, an acceptable use policies (AUPs) document is an important tool to create a legal partnership between the employer and employee.

False

Creating an accurate inventory is a challenge, given the speed at which data files are created, deleted, moved, and changed. It is therefore recommend that an organization prioritize the inventory of assets, starting with the least sensitive to most sensitive.

False

In an organizational structure, the stakeholders in the line of business are focused on effective comprehensive assurance policies.

False

In general, the enforcement of policies among employees is far less challenging than policy acceptance.

False

In the COBIT Build, Acquire, and Implement domain, the staff tunes the environment to minimize risks and collects lessons learned.

False

In the monitoring process, quality assurance is about sampling work that has already been done to ensure that, collectively, actions meet standards, and quality control is about verifying and approving actions before they occur.

False

It is possible for an organization to set up a sound policy framework that can prevent any issues from occurring in ISS.

False

Policies, which can be a process or a method for implementing a solution, often become the measuring stick by which an organization is evaluated for compliance.

False

The Sarbanes-Oxley (SOX) Act became law in 2002, and it was enacted in reaction to a series of accusations of corporate fraud. The basic idea behind SOX 404 is to recommend security policies and controls that provide confidence in the accuracy of financial statements. There are many critics who argue that the act does not go far enough in describing how a company should report earnings, valuations, corporate responsibilities, and executive compensation.

False

The reason that the United States has privacy laws is that an individual's privacy is the government's sole concern, and as such, the government is the main beneficiary of privacy laws.

False

When discussing security policies and implementation tasks, one should follow a checklist with three items: 1) things to do; 2) things to pay attention to; and 3) things to report.

False

While security awareness in employees is important, well-educated employees do not play a significant role in the reduction of risk.

False

_____________ risk is the possible outcome that can occur when an organization or business unsuccessfully addresses its fiscal obligations.

Financial

Privacy regulations involve two important principles. _____________________ gives the consumer an understanding of what and how data is collected and used. ________________________ provides a standard for handling consumer information.

Full disclosure, Data encryption

Review Test Submission: Module 8 Self-Test - Requires ...

GRC for IT operations, governance, risk management, and compliance

There are many IT security policy frameworks that can often be combined to draw upon each of their strengths. Which of the following is not one of the frameworks?

GRC for IT operations, governance, risk management, and compliance

In business, intellectual property (IP) is a term applied broadly to any company information that is thought to bring an advantage. Protecting IP through security policies starts with human resources (HR). Which of the following is a challenge concerning HR policies about IP?

HR policies and employment agreements about IP may or may not be enforceable, depending on current law and location.

Because risk management is a both a governance process and a model that seeks consistent improvement, there is a series of steps to be followed every time a new risk emerges. Which of the following is not one of these steps?

Identify the prior risks; it is not necessary to determine the cause.

A key component to IT security is authorization, which is especially important in large, complex organizations with thousands of employees and hundreds of systems. Two methods of authorization are role based access control (RBAC) and attribute based access control (ABAC). Although RBAC and ABAC can provide the same access, which of the following is an advantage of ABAC?

In ABAC, roles are expressed more in business terms and thus may be more understandable.

When publishing your policy and standards library, it is necessary to evaluate the communications tools that are available in your organization. Which of the following statements best captures one of the best practices for publishing your documents?

It is good idea to create separate Web pages for each document and provide a link to the document itself on that Web page.

Research shows that projects dedicated to information security policies fail due to eight common perceived missteps. Which of the following is not one of the missteps?

Lack of complexity: This refers to an oversimplication of policies that sacrifices depth and nuance.

If an organization is creating a customized data classification scheme, it is important to keep in mind the accepted guidelines. Which of the following is not one these guidelines?

Make recommendations for how audits can be conducted.

Also known as the Federal Information Processing Standards (FIPS), the_______________ framework is a shared set of security standards required by the Federal Information Security Management Act (FISMA).

NIST

The SOX act created the ______________________, which sets accounting and auditing standards.

Public Company Accounting Oversight Board (PCAOB)

________________ functions as a preventive control designed to prevent mistakes from happening. ________________functions as a detective control intended to improve the quality over time by affording opportunities to learn from past mistakes.

Quality assurance; Quality control

Federal and state governments in the United States establish laws that define how to control, handle, share, and process the sensitive information that the new economy relies on. ___________________ are then added to these laws, which are typically written by civil servants to implement the authority of the law.

Regulations

The Information Technology Infrastructure Library (ITIL) is a series of books that describes IT practices and procedures, and it has five core books called volumes. Which of the following is not one of the five volumes?

Service assessment

If a CISO seeks to raise employees' awareness of the dangers of malware in the organization, which of the following approaches is recommended?

The CISO should talk about how malware could prevent the service desk from helping a customer.

In 1999, the ___________________ is a law that came into being to repeal existing laws so that banks, investment companies, and other financial services companies could merge.

The Gramm-Leach-Bliley Act (GLBA)

Which of the following agencies is responsible for developing information security standards and procedures that adhere to federal law?

The National Institute of Standards and Technology (NIST)

Consider this scenario: A major software company finds that code has been executed on an infected machine in its operating system. As a result, the company begins working to manage the risk and eliminates the vulnerability 12 days later. Which of the following statements best describes the company's approach?

The company effectively implemented patch management.

In order to gain a deeper understanding of how employees interact in the workplace, it is useful to learn about the eight classic personality types that have been identified by HR Magazine. One of these is the achievers. Which of the following descriptions best captures this personality type?

These people are very result oriented. They genuinely want the best result and may seek different ways to bring that result into being.

All organizations, including business and government, need to create and enforce policies that demonstrate compliance with regulations. It is impossible to design effective security controls without good security policies.

True

An enterprise view is particularly important when it comes to security policies.

True

Availability ensures information is available to authorized users and devices. Initially, the information owner must determine availability requirements. The owner must determine who needs access to the data and when.

True

Business process reengineering (BPR) is comprised of five phases: 1) Planning; 2) Create/Refine; 3) Process Baseline Research and Benchmarking; 4) Develop the Future Process; and 5) Add to Governance Routines.

True

Data exists generally in one of two states: data at rest, such as on a backup tape, or data in transit, such as when traveling across a network.

True

If a company wants to hire a consultant to redesign a major computer application, both parties would sign a confidentiality agreement (CA), also known as a nondisclosure agreement (NDA). The company could then disclose its problems, and the consultant would have more precise information to base an estimate.

True

In 2007, the Office of Management and Budget (OMB) defined personally identifiable information (PII) as: "Information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc."

True

In order to be compliant with the NIST publications, policies must include key security control requirements. One of these key requirements includes certification and accreditation, which is a process that occurs after the system is documented, controls tested, and risk assessment completed. It is required before going live with a major system. Once a system is certified and accredited, responsibility shifts to the owner to operate the system.

True

In order to move data from an unsecure WAN to a secure LAN, you begin by segmenting a piece of your LAN into a demilitarized zone (DMZ).

True

More than memorizing policy word for word, a security awareness program should teach an employee where to go for help. New employees especially need to know they are not alone in dealing with unexpected issues

True

One of the foundational reasons for using and enforcing security policies is to protect systems from the "insider threat," which refers to users with authorized access. These are privileged users who would have the ability and access to wreak havoc on the system

True

Over time, industries create standards that may become best practices. Yet, the term is overused and difficult to quantify. The term leading practice is more precise, given that it is easier to quantify. If most members of an industry adopt a method, it's considered to be "leading."

True

The Information Technology and Infrastructure Library (ITIL) is a set of practices and predefined procedures for managing specific IT services such as change management.

True

The independent audit procedure has increased in popularity because there is a mutual benefit to customer and vendor in having an independent audit performed. To the customer, it provides some assurance that the vendor's control environment has been audited. The vendor, then, can say there's been an independent opinion that the customer's data is protected.

True

The legal concept of nonrepudiation provides assurance that an individual cannot deny having digitally signed a document or been party to a transaction. As the sum total of evidence that proves to the court's satisfaction that only one person could have executed that transaction, this concept exists because businesses want to prove it was one person's computer, ID, and digital signature, and that the person's transaction that cannot be repudiated.

True

The phrase "tone at the top" refers to the ways that a company's leaders express their commitment to security policies and make sure every employee knows the priorities.

True

The process of restricting users' access so that they access an application rather than the data itself is often referred to as entitlement.

True

To build a framework for security policies and controls, one can use the following approach: 1) document the concepts and principles you will adopt; 2) apply them to security policies and standards; and 3) develop security controls and procedures.

True

When developing policy to secure PII data, the following guidelines should be considered: examine, collaborate, align, educate, retain, limit, disclose, and encrypt.

True

While shareholders are chiefly concerned with maximizing profit and maintaining a healthy stock price as a business concern, the government focuses more on fairness, health, and safety issues.

True

There are several types of domains in the IT infrastructure. Which of the following is not one of these domains?

VPN

The COBIT Align, Plan, and Organize domain includes basic details of an organization's requirements and goals; this domain answers which of the following questions?

What do you want to do?

Security controls are measures taken to protect systems from attacks on the integrity, confidentiality, and availability of the system. If a potential employee is required to undergo a drug screening, which of the following controls is being conducted?

administrative controls

An efficient organization requires the proper alignment of people, processes, and technology. One of the ways good security policies can mitigate this risk is through enforcement. Which of the following situations is an example of enforcement?

an employee is given the authority to request a wire transfer, and a manager is required to approve the transfer

The new class of software available to support policy management and publication is called Governance, Risk, and Compliance (GRC). Which of the following explanations fits the "governance" category of the software?

assessing the proper technical and non-technical operation of controls and remediating areas where controls are lacking or not operating properly

If a vulnerability is not fixed at the root cause, there is a possibility that another route of attack can emerge. This route is known as the ____________________.

attack vextor

Within the seven domains of a typical IT infrastructure, there are particular roles responsible for data handling and data quality. Which of the following individuals do not work with the security teams to ensure data protection and quality?

auditors

The COBIT Monitor, Evaluate, and Assess domain looks at specific business requirements and strategic direction, and determines if the system still meets these objectives. To ensure requirements are being met, independent assessments known as________________ take place.

audits

One of the most important approaches used to secure personal data is ________________, which is the process used to prove the identity of an individual. ______________, however, is the process used to enable a person's access privileges.

authentication, authorization

It is necessary to retain information for two significant reasons: legal obligation and business needs. Data that occupies the class of ________________ is comprised of records that are required to support operations; the data included might be customer and vendor records.

business

Policy and standards often change as a result of business drivers. One such driver, known as ___________________, occurs when business shifts and new systems or processes are incorporated; these business shifts and new systems and processes may differ from what a standard or policy requires.

business exceptions

There are no universal prescriptions for building an IT security program. Instead, principles can be used to help make decisions in new situations using industry best practices and proven experience. Which of the following is not created with the use of principles?

business plan

Implementing security policies is easier if you manage it from a change model perspective. The first step of this model is to create urgency. Who is responsible for conveying urgency to business leaders?

chief information security officer

Many organizations have a(n) _____________ policy in place to manage the business concern of how to handle sensitive information in physical form, such as reports. This policy generally requires employees to lock up all documents and digital media at the end of a workday and when not in use

clean desk

In recent years, ___________________ has emerged as major technology. It provides a way of buying software, infrastructure, and platform services on someone else's network.

cloud computing

In any event in which customer data is involved, it is necessary to check with the ___________________ on the legal requirements related to managing and use of that data.

compliance team

The different concepts in the architecture operating model are aligned with how the business chooses to integrate and standardize with an enterprise solution. In the___________________, the technology solution shares data across the enterprise.

coordinated operating model

A(n) ___________________ sets expectations on the use and security of mobile devices, whereas a(n) _________________ establishes a broad set of rules for approved conduct when a user accesses information on company-owned devices.

corporate mobility policy, acceptable use policy

When an organization lacks policies, its operations become less predictable. Which of the following is a challenge you can expect without policies?

customer dissatisfaction`

The term ________________ denotes data that is being stored on devices like a universal serial bus (USB) thumb drive, laptop, server, DVD, CD, or server. The term ______________ denotes data that exists in a mobile state on the network, such as data on the Internet, wireless networks, or a private network.

data at rest, data in transit

The concept of _________________ comes from the acknowledgment that data changes form and often gets copied, moved, and stored in many places. Sensitive data often leaves the protection of application databases and ends up in e-mails, spreadsheets, and personal workstation files.

data loss protection

To be compliant with the security standards and processes outlined in NIST publications, policies must include key security control requirements. Which of the following is not one of the key requirements?

data privacy

Which of the following security control design types does not prevent incidents or breaches immediately and relies on a human to decide what action to take?

detective control

An illustration of ________________ would be an organization installing malware software on the network and endpoint, monitoring for suspicious traffic, and responding as needed.

disposal of risk

It is important for an organization to determine how it wants to manage ____________________, which means how to group various tasks, and____________________, which relates to the number of layers and number of direct reports found in an organization.

division of labor, span of control

Though there are many ways to group security policies, a common method is to organize common risks and related policy issues into__________________ that share similarities but are distinctive enough to allow logical separation into more manageable secure areas.

domains

A flat network limits what and how computers are able to talk to each other. Many standards require flat networks such as the Payment Card Industry Data Security Standard (PCI DSS). This standard requires a flat network to further protect credit cardholder information.

false

A patch management assessment uses tools to define and comprehend risks to an application, system, or network device; patch management denotes weaknesses, or control gaps, that exist in the IT infrastructure.

false

As leaders across the organization, the security team reviews the business processes and determines possible risks and threats. The team works closely with the business to understand any existing threats of fraud.

false

Awareness programs are separated into two parts: awareness and approval. The purpose of awareness is to provide employees a better understanding of security risks. The goal of approval is to gain the buy-in of all employees on the effectiveness of the program after they have demonstrated awareness.

false

Because policies and standards are a collection of comprehensive definitions that describe acceptable and unacceptable human behavior, it is important that they contain a significant level of detail and description and address the six key questions who, what, where, when, why, and how.

false

COSO is an international governance and controls framework and a widely accepted standard for assessing, governing, and managing IT security and risks.

false

Distinguishing between quality assurance and quality control can be challenging, but the key difference is that quality assurance is an assessment to determine the necessary responses to ensure correction, while quality control entails instilling confidence or the state of feeling confident.

false

How security data is classified demonstrates the information in terms of criticality and sensitivity. Sensitivity denotes how vital the information is to accomplishing an organization's mission. Criticality denotes the impact affiliated with unauthorized disclosure of information.

false

IT security frameworks like COSO, COBIT, and ISO only have one thing in common: they are all risk-based.

false

In an attribute based access control (ABAC) model, roles assigned are static, whereas in a role based access control (RBAC), roles are built more dynamically.

false

In general, when individuals work effectively in isolation they are less likely to need or benefit from organizational support. Thus, risk management is accomplished because organizational efficiency is achieved.

false

In order for the data owner and IT department to discern the controls necessary to secure data, they need to decide between the authentication method and encryption controls; both are not required.

false

In order to develop a policy on ethics, a security manager should make sure that the documents should be integrated with measures, practices, and procedures that are deemed relevant to a coherent system of security.

false

In order to ensure that policy is implemented in a thoughtful manner, it is recommended that the security manager forms a policy change control board or committee. The only employees who should be invited are those from the compliance team so that the team can guarantee that changes to extant policies and standards bolster the organization's mission and goals.

false

In the organizational structure, the vendor management team is responsible for managing security concerns involving third parties and vendors. This team conducts an assessment on a vendor before data leaves the organization and is processed by a third party. The concept of separation of duties is often put in place to ensure that data is verified before it leaves the organization.

false

In the three-lines-of-defense model of risk management, the second line of defense is the business unit (BU), which is responsible for controlling risk on a daily basis. The BU locates risk, assesses the impact, and mitigates the risk whenever possible.

false

It is good practice when writing policies and standards to use terms like should rather than must or need to.

false

It is recommended that organizations retain information for the entire life of their existence because there is no guarantee of when it will be necessary to satisfy the purposes of legal obligations and business operations.

false

Mobile devices and broadband are becoming very reliable, though much like cell phone coverage, mobile broadband coverage is spotty at times. As a result of their drawbacks, mobile devices offer only one main business benefit: increased customer responsiveness.

false

Motivated employees are far more likely to embrace the implementation security policies, but this does not correlate to more risks being identified and mitigated for the organization. Rather, it creates a more comfortable work environment.

false

Of the different risks that can occur in an IT security framework, events that transpire outside an organization's domain of control and impact IT operations fall under the category of operational risks.

false

Of the people working in concert with security teams to ensure data quality and protection, the head of information management is responsible for executing the policies and procedures, such as backup, versioning, uploading, downloading, and database administration.

false

One of the best practices for policies and standards maintenance is to establish an ad hoc review process for documents in draft form. The process will create space for flexibility when considering which people will be affected by new policies and security controls.

false

Policies associated with risk management endorse a series of actions that enable an organization to be consistently conscious of risks. There are two efforts deployed: threat and vulnerability assessments and penetration testing.

false

The domains of the risk IT framework mutually inform each other, creating flexibility and agility. It is possible to uncover a potential threat in the risk governance domain and quickly assess its impact using the risk evaluation domain.

false

The issue of securing data in transit and data at rest concerns the subject of encryption due to the fact that all states have privacy laws that fall under one type of encryption requirement: that all private data is encrypted.

false

The main difference between a revision and an update is that the former consists of minor edits, whereas the latter may require changes of major or minor significance.

false

The only difference between a remote access domain and a user domain is that in a user domain, you are traveling from a public unsecure network into the private secure company network.

false

The privacy policy emerged as a type of code of conduct. With the rise of social media, many businesses are concerned about employees posting information about the company on social media sites. For many organizations, posting any information about the business beyond the employee's name and title is strictly forbidden.

false

The requirements for patch management outlined in security policies include determining how patches should be utilized and tracked. It is important to have a steady approach to utilizing patches that includes the two main components: vetting and prioritization.

false

The security operations team has the responsibility of monitoring intrusions and breaches in the form of firewalls and network traffic. When the team finds a breach, they notify independent auditors who aid in the recovery of the business and will provide an assessment of how the breach occurred.

false

The terms system software and application software can be used interchangeably because they perform the same functions of allowing a computer to communicate over a network.

false

When employees are feeling doubtful, they often feel a lack of motivation and just "go through the motions," and this leads to putting the organization's security at risk.

false

When handling data, the process of transmission refers to the need to ensure that data is encrypted, protected, and tracked upon arrival at its destination.

false

When it comes to information, an organization has one main concern about how that information is collected, stored, and processed: Is the information safe?

false

When you need to discipline employees, it is important to discipline different employees differently for the same policy violation in order to prevent them from becoming complacent. It is necessary to work independently from the human resources department and create your own procedures.

false

The ultimate goal of the review and approval processes is to gain senior executive approval of the policy or standard by the chief information security officer (CISO). In order to gain this approval, the CISO requires all parties to sign off on the document. Which of the following is not among the suggested list of people who should be given the chance to become a second or third layer of review?

finance

In a large organization, the complexity required to keep operations running effectively requires a hierarchy of specialties. Thus, which of following organizational structures is preferred?

hierarchical organizational structure

The key to security policy is being able to measure compliance against a set of controls. Security controls define _____ ______ you protect the information. The security policies should define ___________ you set the goal.

how, why

Which of the following responsibilities is in the purview of the second line of defense?

identify and assess enterprise risk

Successful security policy implementation in the workplace depends on people understanding key concepts and embracing the material. Thus, people need to be motivated to succeed if they are going to implement such policies. There are three basic elements of motivation: pride, self-interest, and success. Which of the following does not occur when these elements are combined?

individuals meeting the basic expectations of their job requirements to be successful

A risk exposure is defined as the impact to the organization when a situation transpires. The widely accepted formula for calculating exposure is as follows: Risk exposure =________________ the event will occur + ____________ if the event occurs

likelihood, impact

A risk exposure is defined as the impact to the organization when a situation transpires. The widely accepted formula for calculating exposure is as follows: Risk exposure =________________ the event will occur + ____________ if the event occurs

likelihood, impact

In a hierarchical organization, there are a large number of touch points and personalities that must be engaged to successfully implement a security policy. As the number of touch points increases, the number of complex ________________ also increases between stakeholders.

matrix relationships

Despite the fact that there exists no mandatory scheme of data classification for private industry, there are four classifications used most frequently. Which of the following is not one of the four?

moderately sensitive

In 2010, a major restaurant the chain suffered a network breach when malware was discovered to have collected customer credit card information that was later stolen by an outside party. Such a breach was a PCI DSS framework violation. Which of the following actions is the first step that should have been taken to ensure the PCI DSS framework was safely protecting the credit card information?

network segregation

The shared belief system of employees in a business or company is known as the _____________________.

organizational culture

In policies regarding the ___________ of data, it must be guaranteed that the data that exits the private network is secured and monitored; the data should also be encrypted while in transit.

physical transport

A__________________ communicates general rules that cut across the entire organization.

policy principles document

There are a number of classifications that can be applied to security controls. Which of the following is not one the classifications?

preventive control

For leaders, implementing security policies is all about working through others to gain their support and adhere to the policies. Of the widely accepted leadership rules that apply to security policies, which of the following is not among these rules?

productivity

In May 2013, a National Security Agency (NSA) contractor named Edward Snowden leaked thousands of documents to a journalist detailing how the U.S. implements intelligence surveillance across the Internet. In which of the following sectors did this breach occur?

public sector

The term critical infrastructure refers to key elements of the country's transportation, energy, communications, and banking systems. Which of the following is not an example of critical infrastructure?

public universities

In general, it's not a good idea to implement significant policy changes during a _______________.

reduction in force

Although it is impossible to eliminate all business risks, a good policy can reduce the likelihood of risk occurring or reduce its impact. A business must find a way to balance a number of competing drivers. Which of the following is not one of these drivers?

regulation

A security awareness program gains credibility when the business sees a reduction of risk, and there are multiple benefits that come with a security awareness program that emphasizes the business risk. Which of the following is not one of the benefits?

relevance

A security awareness program can be implemented in many ways. Which of the following is the list of generally accepted principles for implementing a program?

repetition, onboarding, support, relevance, metrics

Of the six specific business risks, the ___________________ risk results from negative publicity regarding an organization's practices. Litigation and a decline in revenue are possible outcomes of this type of risk.

reputational

Transparency is an important concept in policies related to the handling and use of customer data. Organizations should be transparent and should notify individuals of the distribution, use, collection, and maintenance of personally identifiable information (PII). Which of the following elements does not need to be included with regard to handling of customer data?

response controls

When trying to achieve operational consistency, which of following oversight phases performs the function of periodically assessing to ensure desired results are achieved?

review

In order to be thoughtful about the implementation of security policies and controls, leaders must balance the need to reduce______________ with the impact to the business operations. Doing so could mean phasing security controls in over time or be as simple as aligning security implementation with the business's training events.

risk

A ______________________ is an apparatus for risk management that enables the organization to comprehend its risks and how those risks might impact the business.

risk and control self-assessment (RCSA)

There are many factors one must consider to ensure security policies and controls align with regulations. Which of the following is not one of the factors?

risk assessment

The ________________ domain ensures risks are diminished and remediated in the most cost-effective manner. To prevent risk from increasing in severity and scope, this domain coordinates risk responses ensuring that the right people are engaged when appropriate.

risk response

Before publishing major policy changes, it can be beneficial to conduct a _______________ in order to offer employees an explanation of the upcoming changes and create a space for dialogue.

roadshow

The National Security Information document EO 12356 explains the U.S. military classification scheme of top secret, secret data, confidential, sensitive but unclassified, and unclassified. Which of the following data can be reasonably expected to create serious damage to national security in the event that it was subject to unauthorized disclosure?

secret

Of the many factors one must consider to ensure security policies and controls align with regulations; ________________________ is/are important to demonstrate coverage of regulatory requirements because they show the importance of each security control.

security control mappings

A(n) _______________ ___ is a term used to indicate any unwanted event that takes places outside the normal daily security operations. This type of event relates to a breakdown in controls as identified by the security policies.

security event

In 2013, the national retailer Target Corporation suffered a major data breach that put the financial information of an estimated 40 million customers at risk. In 2009, the health care provider BlueCross BlueShield of Tennessee suffered a theft of hard drives when it reported 57 hard drives stolen. Both these cases resulted from a(n) ________________ failure.

security policy

Using switches, routers, internal firewalls, and other devices, you can restrict network traffic with a ____________________, which limits what and how computers are able to talk to each other.

segmented network

A typical data leakage protection program provides several layers of defense to prevent confidential data from leaving the organization. Which of the following is not one of the layers of defense?

self-regulation

A good example of ___________________ is a real estate business that shares data on new home purchases between the unit that sells insurance for the home and the business unit that sold the home.

service integration

When writing a ____________________, one could state how often a supplier will provide a service or how quickly a firm will respond. For managed services, this document often covers system availability and acceptable performance measures.

service level agreement

Remote authentication has always been a concern because the person is coming from a public network, and many companies require two-factor authentication for remote access. Which of the following is not one of the most commonly accepted types of credentials?

something you want to know

In an LAN domain, a_______________ is similar to a hub but can filter traffic, a ______________ connects LANs, or a LAN and a WAN, and a ______________ is a software or hardware device that filters traffic in and out of a LAN.

switch, router, firewall

A ____________________ can be used to hierarchically represent a classification for a given set of objects or documents.

taxonomy

In January 2013, two important changes were made to ___________________. First, it became easier to share records with child welfare agencies. Second, the change eliminates some requirements to notify parents when school records are being released.

the Family Educational Rights and Privacy Act (FERPA)

Assume that the governance committee states that all projects costing more than $70,000 must be reviewed and approved by the chief information officer and the IT senior leadership team (SLT). At this point, the CIO has the responsibility to ensure that management processes observe the governance rules. For example, the project team might present the proposed project in an SLT meeting for a vote of approval. What does this scenario illustrate about organizational structure?

the difference between governance and management oversight

Which of the following is not one of the similarities shared by an enterprise risk management (ERM) framework and a governance, risk management, and compliance (GRC) framework?

the importance of value delivery

In order to be compliant with Payment Card Industry Data Security Standard (PCI DSS), one of the control objectives that should be included in one's security policies and controls is building and maintaining a secure network. The reason for this is as follows:

to have a specific firewall, system password, and other security network layer controls

Of all the needs that an organization might have to classify data, there are three that are most prevalent. Which of the following is not one of the reasons?

transfer information

A company that discusses the architecture operating model is well-equipped to identify areas of discord and create a shared set of beliefs on the proper placement and implementation of controls.

true

A security token is either a software code or hardware device that produces a "token" during the logon stage. Often represented as a series of numbers, a security token is nearly impossible to duplicate and serves to ensure the identity of the person seeking access to the network.

true

A significant amount of IT risk is operational risk, which encompasses any occurrence that troubles the activities the organization conducts on a regular basis. Examples of operational risk include errors in coding, a system outage, a security breach, or a network slowdown.

true

As one of the most vital actions performed in an organization, the risk assessment delimits vulnerabilities and threats as well as recommendations for controls.

true

As the people responsible for ensuring data quality within the business unit, data stewards are the owners of the data.

true

Authentication is one of the most important components of the user domain, and it is necessary to determine an authentication method that makes sense for your organization. It is best to restrict access to an ID and password to one individual and ensure that users frequently change passwords.

true

Because a leader's job is to work through others to achieve specific goals, there are some widely accepted leadership rules that also apply to security policies. These are values, goals, training, support, and reward.

true

Because regulatory compliance is a significant effort, some organizations engage full-time teams to collect, review, and report in an attempt to demonstrate that regulations are being followed. However, creating these full-time teams redirects business protection resources needlessly. A better strategy is to create an IT policies framework that defines security controls that aligns with policies and regulations.

true

Best practices are typically the known and shared practices and the standard of professional care expected for an industry.

true

Continuous improvement relies on people telling you what is and isn't working, and a good source for this information is an employee departing a company.

true

Controls, which are chosen after the risk assessment of the assets is finished, is a word that is often used interchangeably with safeguards and countermeasures.

true

Data owners ensure that only the access that is needed to perform day-to-day operations is granted and that duties are separated adequately to mitigate the risk of errors and fraud.

true

Evangelists are exemplary people who often who stand out during awareness sessions or other training opportunities and who can be called upon for their potential to serve as advocates for information security. These people can help their teams, departments, and groups address questions related to compliance requirements.

true

Examples of strategic risk include an organizational merger or acquisition, a change in the customer, or a change in the industry.

true

If the governance and compliance framework is well-defined, this means that the approach is structured around a common language and is a foundation from which information security policies can be governed.

true

In 2012, the Federal Financial Institutions Examination Council (FFIEC) began requiring financial institutions to go beyond using just IDs and passwords when it issued the guidance "Authentication in an Electronic Banking Environment;" this type of authentication process is known as multifactor authentication.

true

In most cases, a Quality Assurance function is a control that occurs in real-time and is preventive. A Quality Control function differs because, as a detective control, it examines defects over time and surveys a wide range of samples.

true

In the third line of defense, the auditor serves as an advisor to the first and second lines of defense in matters concerning risk. The third line must preserve his or her independence but also offer input on risk direction and strategies.

true

Motivation consists of being enthusiastic, energized, and engaged to achieve a goal or objective. The three basic elements of motivation are pride, self-interest, and success.

true

One of the basic measurements for assessing whether or not individuals are being held accountable for adherence to security policies is the reported number of security violations by employees. You should investigate any unexplained increases in reported violations to determine why an abnormal number is occurring.

true

One of the vital components of an awareness program is to motivate employees and encourage a healthy organizational culture. Fostering motivation is as significant as mastering a technology because a motivated employee can deal with unpredictable situations and creatively execute policy when needed.

true

One should focus on measuring risk to the business as opposed to implementation of policies and control when tying policy adherence to performance measurement.

true

Risk management policies establish the framework for measuring risk for data classification and actions associated with risk and control self-assessment (RCSA); these policies also define the standards for judging the assessments as well as the content that comprises the assessments.

true

Security frameworks establish behavior expectations and define policy. Policies cannot address every scenario employees will face, but strong training on the core principles that create those policies will equip employees to do their jobs successfully.

true

The Control Objectives for Information and related Technology (COBIT) is an IT governance framework developed by ISACA that includes resources to support bridging the gaps between business risks, control requirements, and technical issues.

true

The Gramm-Leach-Bliley Act uses the term nonpublic personal information (NPI) to denote any personally identifiable financial information that a consumer discloses to a financial institution.

true

The RSCA is utilized to construct plans for risk management, which can include the location of where to implement the procedures for quality assurance and quality control.

true

The following example of an air conditioning factory illustrates the QA and QC processes: The QA process assesses the different parts of air conditioners following their installation. This can include, for instance, testing the air filter to ensure that it functions. The QC process, however, examines manufacturer records of air filters to determine why the QA process unsuccessfully caught a defective air filter.

true

The last step on Kotter's Eight-Step Change Model is to anchor the changes in corporate culture; to make anything stick, it must become habit and part of the culture. Therefore, it is important to find opportunities to integrate security controls into day-to-day routines.

true

The operational risk committee has the ability to determine which business activities are riskier than others. For example, if a business wants to sell product on the Internet for the first time, then the risk committee would need to understand the wide-ranging risks involved as well as the organization's security capability.

true

Understanding the distribution of classification is vital to understanding the levels of sensitive data. If there is an overclassification of data, this might indicate an unnecessarily costly means of securing data that is not as vital, whereas underclassification suggests that the most vital data may not be sufficiently secured.

true

When a company is following the proportionality principle in its policy creation, the security levels, costs, practices, and procedures are all appropriate and proportionate to the degree of reliance on the system and the value of the data.

true

With a framework in place, controls and risk become more measurable. The ability to measure the enterprise against a set of standards and controls assures regulators of compliance and helps reduce uncertainty.

true

In the Build, Acquire, and Implement domain, the ability to manage change is very important. Thus, there are often ___________________ set to avoid disrupting current services while new services are added.

upgrades

Policies and standards are a collection of concrete definitions that describe acceptable and unacceptable human behavior. The questions related to_______________ are more appropriate for procedures or guidelines than policies or standards, which require detail that is more at the level of________________.

where, when, and how; what, who, and why

The _______________ domain refers to any endpoint device used by end users, which includes but is not limited to mean any smart device in the end user's physical possession and any device accessed by the end user, such as a smartphone, laptop, workstation, or mobile device

workstation

Authentication of a workstation and encryption of wireless traffic are issues that belong to which of the following two domains?

workstation and LAN