IS3350 CHAPTER 13 Flashcards
This states the proper use of an organization’s information technology resources and is called ___?
ACCEPTABLE USE POLICY (AUP)
The process through which a user proves his or her identity to access an information technology resource is called ___?
AUTHENTICATION
A minimum level of behavior or action that must be met in order to comply with a governance document. These are often specified in standards and are called ___?
BASELINE
An organization’s governing body. It plans an organization’s strategic direction and is required by law to act with due care and in the best interests of the organization. This body is called ___?
BOARD OF DIRECTORS (BOD)
An organization’s senior information technology official. This role focuses on developing an organization’s own IT resources. This position is called ___?
CHIEF INFORMATION OFFICER (CIO)
An organization’s senior information security official is called the ___?
CHIEF INFORMATION SECURITY OFFICER (CISO)
An organization’s most senior technology official. This role focuses on developing an organization’s technology products. This position is called ___?
CHIEF TECHNOLOGY OFFICER (CTO)
A policy that states how data is to be destroyed when it reaches the end of its life cycle is called ___?
DATA DESTRUCTION POLICIES
A policy that states how data is to be controlled throughout its life cycle is called ___?
DATA RETENTION POLICIES
Recommended actions and operational guides for users, IT staff, operations staff, and others when a specific standard doesn’t apply are called ___?
GUIDELINES
Executive management’s responsibility to provide strategic direction, oversight, and accountability for an organization’s information and information systems resources is called ___?
INFORMATION SECURITY GOVERNANCE
How an organization manages its day-to-day security activities, making sure that the policies dictated by the executive management team as part of its governance function are properly implemented, is called ____?
INFORMATION SECURITY MANAGEMENT
The day-to-day planning of a business is called ___?
OPERATIONAL PLANNING
An organization’s high-level statement of information security direction and goals. These are the highest-level governance documents and are called ____?
POLICY
The detailed step-by-step tasks, or checklists, that should be performed to achieve a certain goal or task. These are the lowest-level governance documents and are called ___?
PROCEDURE
People who are affected by a policy, standard, guideline, or procedure. These are people who have an interest in a policy document and are called ___?
STAKEHOLDERS
Mandatory activities, actions, or rules that must be met in order to achieve policy goals. These are usually technology-neutral and are called ___?
STANDARDS
Long-term business planning is called ___?
STRATEGIC PLANNING
Short- to medium-term business planning is called ___?
TACTICAL PLANNING
A method of authentication that requires a user to prove their identity in two or more ways is called ___?
TWO-FACTOR AUTHENTICATION
Pieces of information used to access information technology resources. These include passwords, personal identification numbers (PINs), tokens, smart cards, and biometric data and are called ___?
USER CREDENTIALS
- What is a policy?
- An overall statement of information security scope and direction
- A minimum threshold of information security controls that must be implemented
- A checklist of steps that must be completed to ensure information security
- A technology-dependent statement of best practices
- Recommended actions and operational guidelines
An overall statement of information security scope and direction
- What is information security governance?
Executive management providing strategic direction, oversight, and accountability for an organization’s data and IT resources.
- What type of policy would an organization use to forbid its employees from using organizational email for personal use?
- Privacy policy
- Intellectual property policy
- Anti-harassment policy
- Acceptable use policy
- Monitoring policy
Acceptable use policy
- What is software piracy?
- Unauthorized copying of software
- Unauthorized distribution of software
- Unauthorized use of software properly purchased by an organization
- None of the above
- 1 & 2
Unauthorized copying of software
Unauthorized distribution of software
- What is information security management?
Middle management providing day-to-day guidance and oversight for an organization’s information and information resources.
- Employer monitoring can be a normal term of employment if advance notice is given.
TRUE OR FALSE
TRUE
- What is a standard?
A list of mandatory activities that must be completed to achieve an information security goal.
- Which law states requirements for federal agency information security governance?
- FISMA
- FERPA
- HIPAA
- GLBA
- FIPPS
FISMA
- A guideline is a list of mandatory activities that must be completed to achieve an information security goal.
TRUE OR FALSE
FALSE
- Which role is the most senior information technology official in an organization?
- CFO
- CISO
- CTO
- CIO
- None of the above
CIO
- What is a procedure?
A checklist of actions that should be performed to achieve a certain goal.
- Which management layer has overall responsibility for information security governance?
- CIO
- CISO
- Board of directors
- Employees
- Information security managers
Board of directors
- What is the final step in the policy development process?
- Maintenance and review
- Management review
- Continued awareness activities
- Communication to employees
- Stakeholder review
Maintenance and review
- What factors drive data retention policies?
- Legal requirements
- Business need for information
- Historical need for information
- Storage space requirements
- All the above
Legal requirements
Business need for information
Historical need for information
Storage space requirements
All the above
- What is a valid reason for allowing an information security policy exception?
- The cost of implementing security policy is too high
- The cost of compliance with the policy is more than the cost of noncompliance
- It isn’t technically feasible to implement the policy
- End users believe that the policy makes their work harder
- It is too difficult to implement the policy
The cost of compliance with the policy is more than the cost of noncompliance