IS4550 CHAPTER 6 Flashcards

1
Q

The ability to reasonably ensure conformity and adherence to organizational policies, standards, and procedures, as well as to laws and regulations, is called ___.

A

COMPLIANCE

2
Q

A deviation from a centrally supported and approved IT security standard, which can come about because of a lack of preparedness by the organization to comply with the standard or because of the use of a technology that the standards have not sanctioned, is called ___.

A

EXCEPTION

3
Q

A capstone document that establishes the reporting lines and delegation of responsibilities for Information Security to management below the organization’s chief information officer (CIO) or other executive leader is called ___.

A

INFORMATION SECURITY PROGRAM CHARTER

4
Q

Information security standards published by the ISO and by the International Electrotechnical Commission (IEC) are called ___.

A

ISO/IEC 27000 SERIES

5
Q

A standard that focuses on areas of current relevance and concern to an organization. It is used to express security control requirements, typically for non-technical processes, and to guide human behavior. It is called ___.

A

ISSUE-SPECIFIC STANDARD

6
Q

A logical structure that is established to organize policy documentation into groupings and categories that make it easier for employees to find and understand the contents of various policy documents is called ___.

A

IT POLICY FRAMEWORK

7
Q

A publication of the US National Institute of Standards and Technology (NIST) titled “Recommended Security Controls for Federal Information Systems and Organizations” is called ___.

A

NIST SP 800-53

8
Q

A standard that focuses on a specific technology or system being used within an organization. It is used to express the security control implementation requirements for that specific technology. It is called ___.

A

SYSTEM-SPECIFIC STANDARD

9
Q

An IT policy framework charter includes which of the following?
  1. The program’s purpose and mission
  2. The program’s scope within the organization
  3. Assignment of responsibilities for program implementation
  4. Compliance management
  5. 1, 2, and 3 only
  6. 1, 2, 3, and 4
A
  1. The program’s purpose and mission
  2. The program’s scope within the organization
  3. Assignment of responsibilities for program implementation
  4. Compliance management

ALL ANSWERS

10
Q

Which of the following is the first step in establishing an information security program?
  1. Adoption of an information security policy framework or charter
  2. Development and implementation of an information security standards manual
  3. Development of a security awareness-training program for employees
  4. Purchase of security access control software
A

Adoption of an information security policy framework or charter

11
Q

Which of the following are generally accepted and widely used policy frameworks? Select three.
  1. COBIT
  2. ISO/IEC 27002
  3. NIST SP 800-53
  4. NIPP
A

COBIT
ISO/IEC 27002
NIST SP 800-53

12
Q

Security policies provide the “what” and “why” of security measures.
TRUE OR FALSE
A

TRUE

13
Q

___ are best defined as high-level statements, beliefs, goals, and objectives.
A

Policies

14
Q

Which of the following is not mandatory?
  1. Standard
  2. Guideline
  3. Procedure
  4. Baseline
A

Guideline

15
Q

Which of the following includes all of the detailed actions and tasks that personnel are required to follow?
  1. Standard
  2. Guideline
  3. Procedure
  4. Baseline
A

Procedure

16
Q

Risk management is the process of reducing risk to an acceptable level.
TRUE OR FALSE
A

TRUE

17
Q

List the five tenets of information assurance that you should consider when building an IT policy framework.
A
  1. Confidentiality
  2. Integrity
  3. Availability
  4. Authorization
  5. Nonrepudiation
18
Q

Preservation of confidentiality in information systems requires that the information not be disclosed to ___.
A

Unauthorized persons or processes

19
Q

When building a policy framework, which of the following information systems factors should be considered?
  1. Unauthorized access to and use of the system
  2. Unauthorized disclosure of information
  3. Disruption of the system
  4. Modification of information
  5. Destruction of information resources
  6. 1, 2, and 5 only
  7. 1, 2, 3, 4, and 5
A

Unauthorized access to and use of the system
Unauthorized disclosure of information
Disruption of the system
Modification of information
Destruction of information resources