Which of the following is not true of information security governance (ISG)?
A. An organization's executive management team is responsible for ISG.
B. ISG makes protecting information assets a technical decision.
C. ISG makes security a strategic decision.
D. ISG ensures that information security concepts are applied in a way that helps meet business goals.
B. ISG makes protecting information assets a technical decision.
An organization must balance business drivers to meet its goals. It does this during the business planning process. Which of the following is a common type of business planning that is long term and focuses on preparing approaches for new products, technologies, or processes?
Strategic planning
Which of the following is not one of the responsibilities of information security managers?
A. To create information security standards, guidelines, and procedures
B. To participate in risk assessments
C. To manage the security infrastructure
D. To ensure that security is used to support business goals
D. To ensure that security is used to support business goals
Which role holds the senior-most responsibility for protecting information security in an organization?
CISO
Which of the following is a law that protects federal data and IT resources and requires federal agencies to develop an information security program?
A. ISO/IEC
B. HIPAA
C. GLBA
D. FISMA
D. FISMA
______________ planning is short- to medium-term planning that allows an organization to be responsive to market conditions.
Tactical
_________________ planning is day-to-day planning that focuses on the normal operations of an organization.
Operational
______________________ created a comprehensive standard to help any organization create an information security governance program.
The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC)
A board of directors uses _____________ to set forth its information security plans.
policies
In a formal policy development process, the _________ step ensures that a new policy document meets the organization's regulatory needs, whereas the _________ step ensures that all employees know about the new policy.
stakeholder review, communication to employees
A formal ______________ is executive management's high-level statement of information security direction and goals.
policy
What type of standard states a minimum level of behavior or actions that must be met to comply with a policy?
Baseline
Which of the following are characteristics of policies?
A. Broad scope, address whole organization, very rarely change
B. Support high-level policies, set minimum levels of behavior for compliance
C. Step-by-step checklists, explain how to meet security goals, flexible and change as technology changes
D. Very rarely change, set forth general expectations
A. Broad scope, address whole organization, very rarely change
Of the following information security assurance documents, which focuses mainly on advice and recommendations?
Guideline
Security policy elements vary among organizations. However, there are some elements common to all policies. ________________ state(s) the reason why the policy exists. This includes the legal or regulatory justification for the policy, which might be drafted in response to information security threats.
Policy rationale
Data ________ policies state how data is controlled throughout its life cycle.
retention
Data destruction policies do not typically include which of the following?
A. Identification of data ready for destruction
B. Proper destruction methods for different kinds of data or storage media
C. Consequences for improper destruction
D. How the data is controlled throughout its life cycle before destruction
D. How the data is controlled throughout its life cycle before destruction
What kind of policy would likely contain a "no retaliation" element?
Anti-harassment
Isabelle is a security professional. She is creating an anti-harassment policy for her organization. Which of the following topics is least likely to appear in the policy?
A. Inappropriate jokes
B. Acceptable email usage
C. Negative comments
D. Threatening behavior
B. Acceptable email usage
Which of the following terms would not be incorporated into an acceptable use policy (AUP) statement about mobile device usage?
A. Mobile devices that are used to access organizational resources or data must be password protected.
B. Employees must store the organization's AUP on their devices and review the AUP on a weekly basis.
C. Mobile devices (whether provided by the organization or purchased by an employee and used for business purposes) must not store sensitive organizational information.
D. Employees must immediately report the loss of a mobile device used to access organizational resources.
B. Employees must store the organization's AUP on their devices and review the AUP on a weekly basis.
True or False? To run an organization according to information security governance (ISG) principles, the organization must align its information security goals to its business needs.
True
True or False? Only the board of directors can make decisions about information security governance.
False
True or False? In an organization, lower-level roles make governance decisions, whereas higher-level roles are responsible for carrying out information security management (ISM) and operational activities.
False
True or False? Information security management (ISM) implements policies and strategy, whereas information security governance (ISG) creates policies and strategy.
True
True or False? Whereas the chief information officer (CIO) develops a company's technology products, the chief technology officer (CTO) is the organization's senior IT official that focuses on strategic IT issues.
False
True or False? The standards created by the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) help organizations review their information security management system through the creation of control measurements.
True
True or False? Standards are the lowest-level information security governance (ISG) documents.
False
True or False? All types of information security governance (ISG) documents ultimately share the same role and focus, even though they might be directed at different audiences and might address similar issues from different standpoints.
False
True or False? Policy documents are subject to a lengthy development and review process because they are high-level governance documents with a broad scope that address the whole organization.
True
True or False? Information security governance (ISG) policy documents change frequently.
False
True or False? An organization must carefully consider security policy exception requests because every exception weakens the organization's security posture.
True
True or False? Intellectual property policies protect an organization's own intellectual property and make sure that its employees respect the intellectual property rights of others.
True
True or False? The following is an example of a guideline: "All strong passwords must have at least 15 characters and have at least 1 number and 1 letter."
False
True or False? In general, U.S. employees have a significant number of privacy rights in the workplace.
False
True or False? Only the federal government requires government agencies to retain financial or other types of data for certain lengths of time.
False
True or False? One reason why data destruction policies must be followed consistently is to protect an organization from claims that it intentionally destroyed evidence.
True
True or False? In general, mobile devices present a security vulnerability because of their portable nature: people can easily lose or misplace them.
True
True or False? Employers use anti-harassment policies to help limit liability for workplace harassment.
True
True or False? Security awareness is the process whereby a user proves his or her identity to access an IT resource.
False
True or False? Employee behavior can be helpful and harmful toward protecting data and IT resources.
True