Chapter 15 - IT Security Controls, Plans and Procedures - FINAL

T

1. To ensure that a suitable level of security is maintained, management must follow up the implementation with an evaluation of the effectiveness of the security controls.

T

2. Management controls refer to issues that management needs to address.

F

3. Operational controls range from simple to complex measures that work together to secure critical and sensitive data, information, and IT systems functions.

T

4. Detection and recovery controls provide a means to restore lost computing resources.

T

5. Water damage protection is included in security controls.

F

6. All controls are applicable to all technologies.

T

7. Physical access or environmental controls are only relevant to areas housing the relevant equipment.

F

8. Once in place controls cannot be adjusted, regardless of the results of risk assessment of systems in the organization.

T

9. Controls may vary in size and complexity in relation to the organization employing them.

T

10. It is likely that the organization will not have the resources to implement all the recommended controls.

F

11. The selection of recommended controls is not guided by legal requirements.

T

12. The recommended controls need to be compatible with the organization's systems and policies.

T

13. The implementation phase comprises not only the direct implementation of the controls, but also the associated training and general security awareness programs for the organization.

T

14. Appropriate security awareness training for all personnel in an organization, along with specific training relating to particular systems and controls, is an essential component in implementing controls.

F

15. The IT security management process ends with the implementation of controls and the training of personnel.

B

1. _________ is a formal process to ensure that critical assets are sufficiently protected in a cost-effective manner.

A. Configuration management control B. IT security management
C. Detection and recovery control D. Security compliance

D

2. An IT security ________ helps to reduce risks.

A. control B. safeguard
C. countermeasure D. all of the above

A

3. _______ controls focus on security policies, planning, guidelines, and standards that influence the selection of operational and technical controls to reduce the risk of loss and to protect the organization's mission.

A. Management B. Technical
C. Preventative D. Supportive

B

4. _______ controls are pervasive, generic, underlying technical IT security capabilities that are interrelated with, and used by, many other controls.

A. Preventative B. Supportive
C. Operational D. Detection and recovery

C

5. ________ controls focus on the response to a security breach, by warning of violations or attempted violations of security policies.

A. Technical B. Preventative
C. Detection and recovery D. Management

C

6. A contingency plan for systems critical to a large organization would be _________ than that for a small business.

A. smaller, less detailed B. larger, less detailed
C. larger, more detailed D. smaller, more detailed

B

7. Management should conduct a ________ to identify those controls that are most appropriate and provide the greatest benefit to the organization given the available resources.

A. cost analysis B. cost-benefit analysis
C. benefit analysis D. none of the above

D

8. An IT security plan should include details of _________.

A. risks B. recommended controls
C. responsible personnel D. all of the above

A

9. The implementation process is typically monitored by the organizational ______.

A. security officer B. general counsel
C. technology officer D. human resources

D

10. The follow-up stage of the management process includes _________.

A. maintenance of security controls B. security compliance checking
C. incident handling D. all of the above

C

11. The objective of the ________ control category is to avoid breaches of any law, statutory, regulatory, or contractual obligations, and of any security requirements.

A. access B. asset management
C. compliance D. business continuity management

B

12. The objective of the ________ control category is to counteract interruptions to business activities and to protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption.

A. asset management B. business continuity management
C. information security incident management D. physical and environmental security

A

13. Identification and authentication is part of the _______ class of security controls.

A. technical B. operational
C. management D. none of the above

A

14. Maintenance of security controls, security compliance checking, change and configuration management, and incident handling are all included in the follow-up stage of the _________ process.

A. management B. security awareness and training
C. maintenance D. all of the above

B

15. Periodically reviewing controls to verify that they still function as intended, upgrading controls when new requirements are discovered, ensuring that changes to systems do not adversely affect the controls, and ensuring new threats or vulnerabilities have not become known are all ________ tasks.

A. security compliance B. maintenance
C. incident handling D. program management

risk assessment

1. A _________ on an organization's IT systems identifies areas needing treatment.

Control

2. ________ is a means of managing risk, including policies, procedures, guidelines, practices, or organizational structures.

monitor risks

3. The three steps for IT security management controls and implementation are: prioritize risks, respond to risks, and __________ .

Technical

4. ________ controls involve the correct use of hardware and software security capabilities in systems.

IT security

5. The _______ plan documents what needs to be done for each selected control, along with the personnel responsible, and the resources and time frame to be used.

management

6. When the implementation is successfully completed, _______ needs to authorize the system for operational use.

Security compliance

7. ______ checking is an audit process to review the organization's security processes.

Change

8. _______ management is the process used to review proposed changes to systems for implications on the organization's systems and use.

Configuration

9. _______ management is concerned with specifically keeping track of the configuration of each system in use and the changes made to each.

detection and recovery

10. The _________ controls focus on the response to a security breach, by warning of violations or attempted violations of security policies or the identified exploit of a vulnerability and by providing means to restore the resulting lost computing resources.

operational

11. Contingency planning falls into the _________ class of security controls.

Preventative

12. _________ controls focus on preventing security beaches from occurring by inhibiting attempts to violate security policies or exploit a vulnerability.

security compliance

13. The ________ audit process should be conducted on new IT systems and services once they are implanted; and on existing systems periodically, often as part of a wider, general audit of the organization or whenever changes are made to the organization's security policy.

supportive

14. Controls can be classified as belonging to one of the following classes: management controls, operational controls, technical controls, detection and recovery controls, preventative controls, and _______ controls.

operational

15. Incident response is part of the ________ class of security controls.