IS4550 CHAPTER 2 Flashcards
Formal written policies that describe proper and unacceptable behavior when using computer and network systems are called ___.
ACCEPTABLE USE POLICIES (AUPs)
A security control that stops behavior immediately and does not rely on human decisions is called ___.
AUTOMATED CONTROL
A confirmed event that compromises the confidentiality, integrity, or availability of information is called ___.
BREACH
The most senior leader responsible for managing risks related to data privacy is called ___.
CHIEF PRIVACY OFFICER (CPO)
A legally binding agreement on the handling and disclosure of company material is called ___.
CONFIDENTIALITY AGREEMENT (CA)
A security control that restores a system or process is called ___.
CORRECTIVE CONTROL
Level of protection based on data type is called ___.
DATA CLASSIFICATION
With ___ the actual information can be viewed only when the data is decrypted with a key.
DATA ENCRYPTION
A manual security control that identifies a behavior after it has happened is called ___.
DETECTIVE CONTROL
Any digital material owned by an organization including text, graphics, audio, video, and animations is called ___.
DIGITAL ASSETS
The concept that an individual should know what information about them is being collected, and should also be told how that information is being used, is called ___.
FULL DISCLOSURE
Any product of human intellect that is unique and not obvious, and that has some value in the marketplace, is called ___.
INTELLECTUAL PROPERTY (IP)
A mark or comment placed inside the document itself indicating a level of protection is called ___.
LABEL
A security control that does not stop behavior immediately and relies on human decisions is called ___.
MANUAL CONTROL
A legally binding agreement on the handling and disclosure of company material is called ___.
NON-DISCLOSURE AGREEMENT (NDA)
The difference between what policies and procedures state should be done and what is actually performed is called ___.
OPERATIONAL DEVIATION
Sensitive information used to uniquely identify an individual in a way that could potentially be exploited is called ___.
PERSONALLY IDENTIFIABLE INFORMATION (PII)
An automated security control that stops a behavior immediately is called ___.
PREVENTIVE CONTROL
Any record that is required by law to be made available to the public and is made or filed by a governmental entity is called ___.
PUBLIC RECORD
The risk that remains after all the controls have been applied is called ___.
RESIDUAL RISK
Training about security policies, threats, and handling of digital assets is called ___.
SECURITY AWARENESS PROGRAM
Adherence to the organization’s set of rules with regard to policy is called ___.
SECURITY POLICY COMPLIANCE
- Policy compliance is ___?
- The effort to follow an organization’s policy
- When customers read a Web site policy statement
- Adherence to an organization’s policy
- Failure to follow an organization’s policy
Adherence to an organization’s policy
- What is an automated control?
- A control that stops behavior immediately and does not rely on human decisions
- A control that does not stop behavior immediately and relies on human decisions
- A control that does not stop behavior immediately but automates notification of incident
- A control that stops behavior immediately and relies on human decisions
A control that stops behavior immediately and does not rely on human decisions
- Which of the following is NOT a business driver?
- Ability to acquire the newest technology
- Cost of maintaining controls
- Ability to legally defend
- Customer satisfaction
Ability to acquire the newest technology
- A firewall is generally considered an example of a ___ control.
Preventive
- What is an information security policy?
- A policy that defines acceptable behavior of a customer
- A policy that defines what hardware to purchase
- A policy that defines how to protect information in any form
- A policy that defines the type of uniforms guards should wear
A policy that defines how to protect information in any form
- Which of the following is not a type of security control?
- Preventative
- Correlative
- Detective
- Corrective
Correlative
- Security awareness programs have two enforcement components: the ___ and the ___.
- Carrot, rewards
- Leaders, managers
- Board of directors, HR
- Carrot, stick
Carrot, stick
- Most security policies require that a label be applied when a document is classified.
TRUE OR FALSE
FALSE
- What are the benefits of having a security awareness program emphasize the business risk?
- Risk becomes more relevant to employees
- Security policies are more likely to be followed
- Provides employees a foundation to deal with unexpected risk
- All the above
Risk becomes more relevant to employees
Security policies are more likely to be followed
Provides employees a foundation to deal with unexpected risk
ALL the answers
- Within which of the following do security policies need to define PII legal requirements?
- The context of the business and location
- The limits set by the business to maximize profit
- What is acceptable by the shareholders
- Moral obligation to the greater good
The context of the business and location
- Information used to open or access a bank account is generally considered PII data.
TRUE OR FALSE
TRUE
- Which of the following is not a benefit of having an acceptable use policy?
- Outlines disciplinary action for improper behavior
- Prevents employees from misusing the Internet
- Reduces business liability
- Defines proper behavior while using the Internet
Prevents employees from misusing the Internet
- Lower risk exposure can be perceived only through actual measurement.
TRUE OR FALSE
FALSE
- Which of the following do you need to measure to achieve operational consistency?
- Consistency
- Quality
- Results
- All the above
Consistency
Quality
Results
ALL the answers
- Well-defined and properly implemented security policies help the business in which of the following ways?
- Maximize profit
- Reduce risk
- Produce consistent and reliable products
- All the above
Maximize profit
Reduce risk
Produce consistent and reliable products
ALL the answers