CHAPTER 15

Question 1

To ensure that a suitable level of security is maintained, management
must follow up the implementation with an evaluation of the effectiveness of the security controls

Answer 1

T

Question 2

Management controls refer to issues that management needs to address

Answer 2

T

Question 3

Operational controls range from simple to complex measures that work
together to secure critical and sensitive data, information, and IT systems functions

Answer 3

F

Question 4

Detection and recovery controls provide a means to restore lost
computing resources

Answer 4

T

Question 5

Water damage protection is included in security controls

Answer 5

T

Question 6

All controls are applicable to all technologies

Answer 6

F

Question 7

Physical access or environmental controls are only relevant to areas
housing the relevant equipment.

Answer 7

T

Question 8

Once in place controls cannot be adjusted, regardless of the results of
risk assessment of systems in the organization

Answer 8

F

Question 9

Controls may vary in size and complexity in relation to the

organization employing them.

Answer 9

T

Question 10

It is likely that the organization will not have the resources to
implement all the recommended controls

Answer 10

T

Question 11

The selection of recommended controls is not guided by legal
requirements.

Answer 11

F

Question 12

The recommended controls need to be compatible with the

organization’s systems and policies

Answer 12

T

Question 13

The implementation phase comprises not only the direct
implementation of the controls, but also the associated training and general security awareness programs for the organization

Answer 13

T

Question 14

Appropriate security awareness training for all personnel in an
organization, along with specific training relating to particular systems and controls, is an essential component in implementing controls

Answer 14

T

Question 15

The IT security management process ends with the implementation of
controls and the training of personnel

Answer 15

F

Question 16

_________ is a formal process to ensure that critical assets are sufficiently protected in a cost-effective manner.

A. Configuration management control
B. IT security management
C. Detection and recovery control
D. Security compliance

Answer 16

IT security management

Question 17

An IT security ________ helps to reduce risks.
A. control B. safeguard
C. countermeasure D. all of the above

Answer 17

all of the above

Question 18

_______ controls focus on security policies, planning, guidelines, and standards that influence the selection of operational and technical controls to reduce the risk of loss and to protect the organization’s mission.
A. Management B. Technical
C. Preventative D. Supportive

Answer 18

Management

Question 19

_______ controls are pervasive, generic, underlying technical IT security capabilities that are interrelated with, and used by, many other controls.
A. Preventative B. Supportive
C. Operational D. Detection and recovery

Answer 19

Supportive

Question 20

________ controls focus on the response to a security breach, by warning of violations or attempted violations of security policies.
A. Technical B. Preventative
C. Detection and recovery D. Management

Answer 20

Detection and recovery

Question 21

A contingency plan for systems critical to a large organization would be _________ than that for a small business.
A. smaller, less detailed B. larger, less detailed
C. larger, more detailed D. smaller, more detailed

Answer 21

larger, more detailed

Question 22

Management should conduct a ________ to identify those controls that are most appropriate and provide the greatest benefit to the organization given the available resources.
A. cost analysis B. cost-benefit analysis
C. benefit analysis D. none of the above

Answer 22

cost-benefit analysis

Question 23

An IT security plan should include details of _________.
A. risks B. recommended controls
C. responsible personnel D. all of the above

Answer 23

all of the above

Question 24

The implementation process is typically monitored by the organizational ______.
A. security officer B. general counsel
C. technology officer D. human resources

Answer 24

security officer

Question 25

The follow-up stage of the management process includes \_\_\_\_\_\_\_\_\_.
			A.  maintenance of security controls
			B.  security compliance checking
			C.  incident handling
			D.  all of the above

Answer 25

all of the above

Question 26

The objective of the ________ control category is to avoid breaches of any law, statutory, regulatory, or contractual obligations, and of any security requirements.
A. access B. asset management
C. compliance D. business continuity management

Answer 26

compliance

Question 27

The objective of the ________ control category is to counteract interruptions to business activities and to protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption.
A. asset management
B. business continuity management
C. information security incident management
D. physical and environmental security

Answer 27

business continuity management

Question 28

Identification and authentication is part of the \_\_\_\_\_\_\_ class of security controls.
			A.  technical			B.  operational
			C.  management		D.  none of the above

Answer 28

technical

Question 29

Maintenance of security controls, security compliance checking, change and configuration management, and incident handling are all included in the follow-up stage of the _________ process.
A. management B. security awareness and training
C. maintenance D. all of the above

Answer 29

management

Question 30

Periodically reviewing controls to verify that they still function as intended, upgrading controls when new requirements are discovered, ensuring that changes to systems do not adversely affect the controls, and ensuring new threats or vulnerabilities have not become known are all ________ tasks.
A. security compliance B. maintenance
C. incident handling D. program management

Answer 30

maintenance