CIS 286 Quiz 3
blueprint
SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, provides best practices and security principles that can direct the security team in the development of a security ____.
domains
Security ______ are the areas of trust within which users can freely communicate.
de jure
Standards may be published, scrutinized, and ratified by a group, as in formal or __________ standards.
EISP
The ______ is the high-level information security policy that sets the strategic direction, scope, and tone for all of an organization's security efforts.
tactical planning
The actions taken by management to specify the intermediate goals and objectives of the organization are ____________.
operational planning
The actions taken by management to specify the short-term goals and objectives of the organization are ________.
standard
A detailed statement of what must be done to comply with management intent is known as a __________.
framework
An information security _______ is a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls, including information security policies, security education, and training.
identify and prioritize for improvement within the context of a continuous and repeatable process
In early 2014, in response to Executive Order 13636, NIST published the Cybersecurity Framework, which intends to allow organizations to _____________.
guideline
A nonmandatory recommendation that the employee may use as a reference is known as a _______.
Regulatory compliance by using information security knowledge and infrastructure to support minimum standards of due care
The goals of information security governance include all but which of the following?
people
The spheres of security are the foundation of the security framework and illustrate how information is under attack from a variety of sources, with far fewer protection layers between the information and potential attackers on the _______ side of the organization.
management
The stated purpose of ISO/IEC 27002:2013 is to give guidelines for organizational information security standards and information security __________ practices.
The global information security community had already defined a justification for a code of practice, such as the one identified in ISO/IEC 17799.
When ISO 17799 first came out, several countries, including the United States, Germany, and Japan, refused to adopt it, claiming that it had fundamental problems. Which of the following is NOT one of those problems?
The application of the principle and practices of corporate governance to the information security function.
Which of these best defines information security governance?
Managerial
____ controls cover security processes that are designed by strategic planners and implemented by the security administration of the organization.
Operational
_____ controls address personnel security, physical security, and the protection of production inputs and outputs.
SysSPs
_____ often function as standards or procedures to be used when configuring or maintaining systems.
Defense in depth
_________ is a strategy for the protection of information assets that uses multiple layers and different types of controls (managerial, operational, and technical) to provide optimal protection.
Redundancy
___________ is a strategy of using multiple types of controls that prevent the failure of one system from compromising the security of information.