Security Policies Chapter 6
Mark is considering outsourcing security functions to a third-party service provider. What benefit is he most likely to achieve?
Access to a high level of expertise
What is NOT a principle for privacy created by the Organization for Economic Cooperation and Development (OECD)?
An organization should share its information. (An organization should collect only what it needs, keep its information up to date, and properly destroy its information when it's no longer needed)
Which practice is NOT considered unethical under RFC-1087 issued by the Internet Architecture Board (IAB)?
Enforcing the integrity of computer-based information (Seeking to gain unauthorized access to resources, Disrupting intended use of the Internet, Compromising the privacy of users)
A remediation liaison makes sure all personnel are aware of and comply with an organization's policies.
False
Mandatory vacations minimize risk by rotating employees among various systems or duties.
False
Often an extension of a memorandum of understanding (MOU), the blanket purchase agreement (BPA) serves as an agreement that documents the technical requirements of interconnected assets.
False
Procedures do NOT reduce mistakes in a crisis.
False
Which of the following would NOT be considered in the scope of organizational compliance efforts?
Laws (Company policy, Internal audit, Corporate culture)
Which agreement type is typically less formal than other agreements and expresses areas of common interest?
Memorandum of understanding (MOU)
Roger's organization received a mass email message that attempted to trick users into revealing their passwords by pretending to be a help desk representative. What category of social engineering is this an example of?
Phishing
Karen is designing a process for issuing checks and decides that one group of users will have the authority to create new payees in the system while a separate group of users will have the authority to issue checks to those payees. The intent of this control is to prevent fraud. Which principle is Karen enforcing?
Separation of duties
Biyu is making arrangements to use a third-party service provider for security services. She wants to document a requirement for a timely notification of security breaches. What type of agreement is most likely to contain formal requirements of this type?
Service level agreement (SLA)
Aditya is attempting to classify information regarding a new project that his organization will undertake in secret. Which characteristic is NOT normally used to make these types of classification decisions?
Threat (Value, sensitivity, and criticality are)
A functional policy declares an organization's management direction for security in such specific functional areas as email, remote access, and Internet surfing.
True
Company-related classifications are not standard; therefore, there may be some differences between the terms "private" and "confidential" in different companies.
True
One advantage of using a security management firm for security monitoring is that it has a high level of expertise.
True
Social engineering is deceiving or using people to get around security controls.
True
Standards are used when an organization has selected a solution to fulfill a policy goal.
True
The idea that users should be granted only the levels of permissions they need in order to perform their duties is called the principle of least privilege.
True
What is NOT a good practice for developing strong professional ethics?
Assume that information should be free (Set the example by demonstrating ethics in daily activities, Encourage adopting ethical guidelines and standards, Inform users through security awareness training)