Info security policy chapter 9
__________ encompasses a requirement that the implemented standards continue to provide the required level of protection.
Due diligence
A company striving for "best security practices" makes every effort to establish security program elements that meet every minimum standard in their industry. a. True b. False
False
ISO 27001 certification is only available to companies that do business internationally. a. True b. False
False
Performance measurements are seldom required in today's regulated InfoSec environment. a. True b. False
False
Using a practice called baselining, you are able to compare your organization's efforts to those of other organizations you feel are similar in size, structure, or industry. a. True b. False
False
Standardization is an attempt to improve information security practices by comparing an organization's efforts against those of a similar organization or an industry-developed standard to produce results it would like to duplicate. __________
False - Benchmarking
Collusion is the requirement that every employee be able to perform the work of at least one other employee. __________
False - Job rotation
Two-person control is the requirement that all critical tasks can be performed by multiple individuals. _________
False - Task rotation
A(n) credit check can uncover past criminal behavior or other information that suggests a potential for future misconduct or a vulnerability that might render a job candidate susceptible to coercion or blackmail. __________
False - background
A security metric is an assessment of the performance of some action or process against which future performance is assessed. __________
False - baseline
The biggest barrier to baselining in InfoSec is the fact that many organizations do not share information about their attacks with other organizations. __________
False - benchmarking
A standard of due process is a legal standard that requires an organization and its employees to act as a "reasonable and prudent" individual or organization would under similar circumstances. __________
False - care
A conspiracy or cooperation between two or more individuals or groups to commit illegal or unethical actions is known as racketeering. __________
False - collusion
Data or the trends in data that may indicate the effectiveness of security countermeasures or controls—technical and managerial—implemented in the organization are known as progress measurements. __________
False - performance
A requirement that all employees take time off from work, which allows the organization to audit the individual's areas of responsibility, is known as a mandatory vacation policy. __________
True
One of the critical tasks in the measurement process is to assess and quantify what will be measured and how it is measured. __________
True
One question you should ask when choosing among recommended practices is "Can your organization afford to implement the recommended practice?" a. True b. False
True
Recommended or best practices are those security efforts that seek to provide a superior level of performance in the protection of information. __________
True
Temporary workers—often called temps—may not be subject to the contractual obligations or general policies that govern other employees. a. True b. False
True
Creating a blueprint by looking at the paths taken by organizations similar to the one whose plan you are developing is known as which of the following? a. benchmarking b. corporate espionage c. baselining d. due diligence
a
Employees new to an organization should receive an extensive InfoSec briefing that includes all of the following EXCEPT: a. signing the employment contract b. security policies c. security procedures d. access levels
a
Employees pay close attention to job __________, and including InfoSec tasks in them will motivate employees to take more care when performing these tasks. a. performance evaluations b. descriptions c. quarterly reports d. vacation requests
a
Incorporating InfoSec components into periodic employee performance evaluations can __________. a. heighten InfoSec awareness b. frighten employees c. demotivate workers d. reduce compliance to policy
a
Organizations are required by privacy laws to protect sensitive or personal employee information, including __________. a. personally identifiable information (PII) b. corporate financial information c. internal business contact information d. employee salaries
a
The ISO certification process takes approximately six to eight weeks and involves all of the following steps EXCEPT: a. rejection of the certification application based on lack of compliance or failure to remediate shortfalls b. initial assessment of the candidate organization's InfoSec management systems, procedures, policies, and plans c. writing of a manual documenting all procedural compliance d. presentation of certification by the certification organization
a
The benefits of ISO certification to an organization's employees include all of the following EXCEPT: a. reduced employee turnover due to misinterpreted security policies and practices b. lower risk of accidents and incidents associated with critical or sensitive information c. employee confidence in organizational security practices d. improved productivity and job satisfaction from more clearly defined InfoSec roles and responsibilities
a
The benefits of ISO certification to organizations include all of the following EXCEPT: a. increased opportunities for government contracts b. reduced costs associated with incidents c. smoother operations resulting from more clearly defined processes and responsibilities d. improved public image of the organization, as certification implies increased trustworthiness
a
Which of the following is NOT a phase in the NIST InfoSec performance measures development process? a. Identify relevant stakeholders and their interests in InfoSec measurement. b. Integrate the organization's process improvement activities across all business areas. c. Identify and document the InfoSec performance goals and objectives that would guide security control implementation for the InfoSec program. d. Review any existing measurements and data repositories that can be used to derive measurement data.
a
Which of the following terms is described as the process of designing, implementing, and managing the use of the collected data elements to determine the effectiveness of the overall security program? a. performance management b. baselining c. best practices d. standards of due care/diligence
a
A conspiracy or cooperation between two or more individuals or groups to commit illegal or unethical actions.
a. collusion
Best security practices balance the need for user __________ to information with the need for adequate protection while simultaneously demonstrating fiscal responsibility.
access
Contract employees—or simply contractors—should not be allowed to do what? a. Work on the premises. b. Wander freely in and out of facilities. c. Visit the facility without an escort. d. Be compensated based on hourly rates.
b
If a temporary worker (temp) violates a policy or causes a problem, what is the strongest action that the host organization can usually take, depending on the SLA? a. Nothing, the organization has no control over temps. b. Terminate the relationship with the individual and request that he or she be censured. c. Fine the temp or force the temp to take unpaid leave, like permanent employees. d. Sue the temp agency for cause, demanding reparations for the actions of the temp.
b
InfoSec measurements collected from production statistics depend greatly on which of the following factors? a. types of performance measures developed b. number of systems and users of those systems c. number of monitored threats and attacks d. activities and goals implemented by the business unit
b
One of the fundamental challenges in InfoSec performance measurement is defining what? a. interested stakeholders b. effective security c. appropriate performance measures d. the proper assessment schedule
b
The InfoSec measurement development process recommended by NIST is divided into two major activities. Which of the following is one of them? a. development and selection of qualified personnel to gauge the implementation, effectiveness, efficiency, and impact of the security controls b. identification and definition of the current InfoSec program c. maintenance of the vulnerability management program d. comparison of organizational practices against similar organizations
b
Which of the following is NOT a common type of background check that may be performed on a potential employee? a. identity b. political activism c. motor vehicle records d. drug history
b
Which of the following is NOT a factor critical to the success of an information security performance program? a. strong upper-level management support b. high level of employee buy-in c. quantifiable performance measurements d. results-oriented measurement analysis
b
Which of the following is NOT a question to be used as a self-assessment for recommended security practices in the category of people? a. Do you perform background checks on all employees with access to sensitive data, areas, or access points? b. Are the user accounts of former employees immediately removed on termination? c. Would the typical employee recognize a security issue? d. Would the typical employee know how to report a security issue to the right people?
b
Which of the following is NOT a task that must be performed if an employee is terminated? a. former employee must return all media b. former employee's home computer must be audited c. former employee's office computer must be secured d. former employee should be escorted from the premises
b
Which of the following is a possible result of failure to establish and maintain standards of due care and due diligence? a. baselining b. legal liability c. competitive disadvantage d. certification revocation
b
Which of the following policies requires that every employee be able to perform the work of at least one other staff member? a. collusion b. job rotation c. two-person control d. separation of duties
b
Which of the following policies requires that two individuals review and approve each other's work before the task is considered complete? a. task rotation b. two-person control c. separation of duties d. job rotation
b
An assessment of the performance of some action or process against which future performance is assessed.
b. baseline
A practice related to benchmarking is __________, which is a measurement against a prior assessment or an internal goal.
baselining
NIST recommends the documentation of performance measurements in a standardized format to ensure ____________. a. the suitability of performance measure selection b. the effectiveness of performance measure corporate reporting c. the repeatability of measurement development, customization, collection, and reporting activities d. the acceptability of the performance measurement program by upper management
c
What do you call the legal requirements that an organization must adopt a standard based on what a prudent organization should do, and then maintain that standard? a. certification and accreditation b. best practices c. due care and due diligence d. baselining and benchmarking
c
Which of the following is NOT a question a CISO should be prepared to answer before beginning the process of designing, collecting, and using performance measurements, according to Kovacich? a. Why should these measurements be collected? b. Where will these measurements be collected? c. What effect will measurement collection have on efficiency? d. Who will collect these measurements?
c
Which of the following is NOT one of the types of InfoSec performance measures used by organizations? a. those that determine the effectiveness of the execution of InfoSec policy b. those that determine the effectiveness and/or efficiency of the delivery of InfoSec services c. those that evaluate the frequency with which employees access internal security documents d. those that assess the impact of an incident or other security event on the organization or its mission
c
Which of the following policies makes it difficult for an individual to violate InfoSec and is quite useful in monitoring financial affairs? a. task rotation b. mandatory vacations c. separation of duties d. job rotation
c
Workers typically hired to perform specific services for the organization and hired via a third-party organization are known as __________. a. temporary workers b. consultants c. contract employees d. business partners
c
An attempt to improve information security practices by comparing an organization's efforts against practices of a similar organization or an industry-developed standard to produce results it would like to duplicate.
c. benchmarking
A conspiracy or cooperation between two or more individuals or groups to commit illegal or unethical actions is known as __________.
collusion
The last phase in NIST performance measures implementation is to apply __________ actions, which closes the gap found in Phase 2.
corrective
Organizations must consider all but which of the following during development and implementation of an InfoSec measurement program? a. Measurements must yield quantifiable information. b. Data that supports the measures needs to be readily obtainable. c. Only repeatable InfoSec processes should be considered for measurement. d. Measurements must be useful for tracking non-compliance by internal personnel.
d
Problems with benchmarking include all but which of the following? a. Organizations don't often share information on successful attacks. b. Organizations being benchmarked are seldom identical. c. Recommended practices change and evolve, so past performance is no indicator of future success. d. Benchmarking doesn't help in determining the desired outcome of the security process.
d
When hiring security personnel, which of the following should be conducted before the organization extends an offer to any candidate, regardless of job level? a. new hire orientation b. covert surveillance c. organizational tour d. background check
d
Which of the following is NOT a consideration when selecting recommended best practices? a. threat environment is similar b. resource expenditures are practical c. organization structure is similar d. same certification and accreditation agency or standard
d
Workers hired to perform specific services for the organization.
d. contract employees
The actions that demonstrate that an organization has made a valid effort to protect others and that the implemented standards continue to provide the required level of protection.
e. due diligence
The requirement that every employee be able to perform the work of at least one other employee.
f. job rotation
The requirement that all critical tasks can be performed by multiple individuals.
g. task rotation
A legal standard that requires an organization and its employees to act as a reasonable and prudent individual or organization would under similar circumstances.
h. standard of due care
The data or the trends in data that may indicate the effectiveness of security countermeasures or controls—technical and managerial—implemented in the organization.
i. performance measurements
Workers brought in by organizations to fill positions for a short time or to supplement the existing workforce.
j. temporary workers
The requirement that every employee be able to perform the work of at least one other employee is known as __________.
job rotation
A requirement that all employees take time off from work, which allows the organization to audit the individual's areas of responsibility, is known as __________ vacation policy.
mandatory
A goal of 100 percent employee InfoSec training as an objective for the training program is an example of a performance __________.
target measure metric
The requirement that all critical tasks can be performed by multiple individuals is known as __________.
task rotation
The organization of a task or process so it requires at least two individuals to work together to complete is known as __________ control.
two person two man