IS3350 CHAPTER 13

Question 1

This states the proper use of an organization’s information technology resources and is called ___?

Answer 1

ACCEPTABLE USE POLICY (AUP)

Question 2

The process through which a user proves his or her identity to access an information technology resource is called ___?

Answer 2

AUTHENTICATION

Question 3

A minimum level of behavior or action that must be met in order to comply with a governance document. These are often specified in standards and are called ___?

Answer 3

BASELINE

Question 4

An organization’s governing body. It plans an organization’s strategic direction and is required by law to act with due care and in the best interests of the organization. This body is called ___?

Answer 4

BOARD OF DIRECTOR (BOD)

Question 5

An organization’s senior information technology official. This role focuses on developing an organizations own IT resources. This position is called ___?

Answer 5

CHIEF INFORMATION OFFICER (CIO)

Question 6

An organization’s senior information security official is called the ___?

Answer 6

CHIEF INFORMATION SECURITY OFFICER (CISO)

Question 7

An organization’s most senior technology official. This role focuses on developing an organization’s technology products. This position is called ___?

Answer 7

CHIEF TECHNOLOGY OFFICER (CTO)

Question 8

This/these states how data is to be destroyed when it reaches the end of its life cycle and is called ___?

Answer 8

DATA DESTRUCTION POLICIES

Question 9

This/these states how data is to be controlled controlled throughout its life cycle and is called ___?

Answer 9

DATA RETENTION POLICIES

Question 10

Recommended actions and operational guides to users, IT staff, operations staff, and others when a specific standard doesn’t apply is called ___?

Answer 10

GUIDELINES

Question 11

Executive management’s responsibility to provide strategic direction, oversight, and accountability for an organization’s information and information systems resources is called ___?

Answer 11

INFORMATION SECURITY GOVERNANCE

Question 12

How an organization manages its day-to-day security activities. It makes sure that the policies dictated by the executive management team as part of its governance function are properly implemented is called ____?

Answer 12

INFORMATION SECURITY MANAGEMENT

Question 13

The day-to-day planning of a business is called ___?

Answer 13

OPERATIONAL PLANNING

Question 14

An organization’s high-level statement of information security direction and goals. These are the highest level governance documents and are called ____?

Answer 14

POLICY

Question 15

The detailed step-by-step tasks, or checklists, that should be performed to achieve a certain goal or task. These are the lowest level governance documents and called ___?

Answer 15

PROCEDURE

Question 16

People that are affected by a policy, standard, guideline, or procedure. These are people who have an interest in a policy document and are called ___?

Answer 16

STAKEHOLDERS

Question 17

Mandatory activities, actions, or rules that must be met in order to achieve policy goals. These are usually technology neutral and are called ___?

Answer 17

STANDARDS

Question 18

Long-term business planning is called ___?

Answer 18

STRATEGIC PLANNING

Question 19

Short- to medium-term business planning is called ___?

Answer 19

TACTICAL PLANNING

Question 20

A method of authentication that requires a user to prove their identity in two or more ways is called ___?

Answer 20

TWO-FACTOR AUTHENTICATION

Question 21

Pieces of information used to access information technology resources. These include passwords, personal identification numbers (PINs), tokens, smart cards, and biometric data and are called ___?

Answer 21

USER CREDENTIALS

Question 22

1. What is a policy?
2. An overall statement of information security scope and direction
3. A minimum threshold of information security controls that must be implemented
4. A checklist of steps that must be completed to ensure information security
5. A technology-dependent statement of best practices
6. Recommended actions and operational guidelines

Answer 22

An overall statement of information security scope and direction

Question 23

2. What is information security governance?

Answer 23

Executive management providing strategic direction, oversight, and accountability for an organization’s data and IT resources.

Question 24

3. What type of policy would an organization use to forbid its employees from using organizational email for personal use?
4. Privacy policy
5. Intellectual property policy
6. Anti-harassment policy
7. Acceptable use policy
8. Monitoring policy

Answer 24

Acceptable use policy

Question 25

4. What is software piracy?
5. Unauthorized copying of software
6. Unauthorized distribution of software
7. Unauthorized use of software properly purchased by an organization
8. None of the above
9. 1 & 2

Answer 25

Unauthorized copying of software

Unauthorized distribution of software

Question 26

5. What is information security management?

Answer 26

Middle management providing day-to-day guidance and oversight for an organization’s information and information resources.

Question 27

6. Employer monitoring can be a normal term of employment if advance notice is given?
   TRUE OR FALSE

Answer 27

TRUE

Question 28

7. What is a standard?

Answer 28

A list of mandatory activities that must be completed to achieve an information security goal.

Question 29

8. Which law states requirements for federal agency information security governance?
9. FISMA
10. FERPA
11. HIPAA
12. GLBA
13. FIPPS

Answer 29

FISMA

Question 30

9. A guideline is a list of mandatory activities that must be completed to achieve an information security goal.
   TRUE OR FALSE

Answer 30

FALSE

Question 31

10. Which role is the senior most information technology official in an organization?
11. CFO
12. CISO
13. CTO
14. CIO
15. None of the above

Answer 31

CIO

Question 32

11. What is a procedure?

Answer 32

A checklist of actions that should be performed to achieve a certain goal.

Question 33

12. Which management layer has overall responsibility for information security governance?
13. CIO
14. CISO
15. Board of directors
16. Employees
17. Information security managers

Answer 33

Board of directors

Question 34

13. What is the final step in the policy development process?
14. Maintenance and review
15. Management review
16. Continued awareness activities
17. Communication to employees
18. Stakeholder review

Answer 34

Maintenance and review

Question 35

14. What factors drive data retention policies?
15. Legal requirements
16. Business need for information
17. Historical need for information
18. Storage space requirements
19. All the above

Answer 35

Legal requirements
Business need for information
Historical need for information
Storage space requirements

All the above

Question 36

15. What is a valid reason for allowing an information security policy exception?
16. The cost of implementing security policy is too high
17. The cost of compliance with the policy is more than the cost of noncompliance
18. It is’t technically feasible to implement the policy
19. End users believe that the policy makes their work harder
20. It is too difficult to implement the policy

Answer 36

The cost of compliance with the policy is more than the cost of noncompliance