Information Security Policy Related Questions with Answers

In a perfect world, policies and procedures would always produce the perfect product. This requires employees to follow policies and procedures at all times. However, we do not live in a perfect world. Neither policies nor procedures are always perfect, nor do employees always follow them.

Anyone who has cashed a check at a bank understands what a basic procedure looks like. A check-cashing procedure includes checking the person’s identification and the account balance. The bank’s policy states that when a teller follows the check-cashing procedure, and the account has sufficient funds, the teller may give the cash to the account holder. The teller must follow this procedure to protect the customer and the bank from fraud.

In the creation of information systems security policies, also called security policies, IS policies, or ISMS policies, many factors drive policy requirements. These requirements include organization size, processes, type of information, and laws and regulations. Once an organization creates policies, it will face both technical and human challenges implementing them.

Suggested Read:

The keys to implementing policies are employee acceptance and management enforcement. A policy is worth little or nothing if no one follows it.

The below listed questions will also helps you to clear the following information security related certification exams:

CEH – Certified Ethical Hacker
CISM –Certified Information Security Manager
CompTIA Security+
CISSP – Certified Information Systems Security Professional
GSEC – GIAC Security Essentials
ECSA – EC-Council Certified Security Analyst
GPEN – GIAC Penetration Tester
SSCP – Systems Security Certified Practitioner
CRISC – Certified in Risk and Information System Control
CISA – Certified Information Systems Auditor
CCNA – Cisco Certified Network Associate
CHFI – Computer Hacking Forensic Investigator
CCSP – Certified Cloud Security Professional
NCSF – NIST Cybersecurity Framework
LPT – Licensed Penetration Tester

Below are some widely used MCQ questions with answers of security policies related:

1. John works in the accounting department but travels to other company locations. He must present the past quarter’s figures to the chief executive officer (CEO) in the morning. He forgot to update the PowerPoint presentation on his desktop computer at the main office. What is at issue here?

Unauthorized access to the system
Integrity of the data
Availability of the data
Nonrepudiation of the data
Unauthorized use of the system

2. Which of the following are generally accepted as IA tenets but not ISS tenets? (Select two.)

Confidentiality
Integrity
Availability
Authentication
Nonrepudiation

3. When should a wireless security policy be initially written?

When the industry publishes new wireless standards
When a vendor presents wireless solutions to the business
When the next generation of wireless technology is launched
After a company decides to implement wireless and before it is installed

4. A toy company is giving its Web site a much-needed facelift. The new Web site is ready to be deployed. It’s late October, and the company wants to have the site ready for the holiday rush. The year-end holiday season accounts for 80 percent of its annual revenue. What process would be of particular importance to the toy company at this time?

Continuous improvement
Business process reengineering
Change management
Information security system life cycle

5. Information systems security policies should support business operations. These policies focus on providing consistent protection of information in the system. This happens by controlling multiple aspects of the information system that directly or indirectly affect normal operations at some point. While there are many different benefits to supporting operations, some are more prevalent than others. Which of the following are aspects of ISS policies that extend to support business operations?

Controlling change to the IT infrastructure
Protecting data at rest and in transit
Protecting systems from the insider threat
B and C only
All the above

6. A weakness is found in a system’s configuration which could expose client data to unauthorized users. Which of the following best describes the problem?

A new threat was discovered.
A new vulnerability was discovered.
A new risk was discovered.
A and B
B and C
A, B, and C

7. What is policy compliance?

The effort to follow an organization’s policy
When customers read a Web site policy statement
Adherence to an organization’s policy
Failure to follow to an organization’s policy

8. What is an automated control?

A control that stops behavior immediately and does not rely on human decisions
A control that does not stop behavior immediately and relies on human decisions
A control that does not stop behavior immediately but automates notification of incident
A control that stops behavior immediately and relies on human decisions

9. Which of the following is not a business driver?

Ability to acquire the newest technology
Cost of maintaining controls
Ability to legally defend
Customer satisfaction

10. What is an information security policy?

A policy that defines acceptable behavior of a customer
A policy that defines what hardware to purchase
A policy that defines how to protect information in any form
A policy that defines the type of uniforms guards should wear

11. Which of the following is not a type of security control?

Preventative
Correlative
Detective
Corrective

12. Tone at the top refers to:

A company’s leaders making sure every employee knows the priorities
Senior leaders implementing and enforcing policies
Senior managers building trust with the public and with regulators
All of the above

13. What are the benefits to having a security awareness program emphasize the business risk?

Risk becomes more relevant to employees
Security policies are more likely to be followed
Provides employees a foundation to deal with unexpected risk
All of the above

14. Which of the following is not a guideline to be considered when developing policy to secure PII date?

Align—Coordinate privacy policies with data classification policies
Retain—Ensure proper controls around data retention and destruction
Disclose—Fully disclose to the individual what data is being collected and how it will be used
Resiliency—Policies provide guidelines for the unexpected

15. Which of the following is not a benefit of having an acceptable use policy?

Outlines disciplinary action for improper behavior
Prevents employees from misusing the Internet
Reduces business liability
Defines proper behavior while using the Internet

16. Which of the following do you need to measure to achieve operational consistency?

Consistency
Quality
Results
All of the above

17. Well-defined and properly implemented security policies help the business in which of the following ways?

Maximize profit
Reduce risk
Produce consistent and reliable products
All of the above

18. Which of the following are pressures on creating security policies?

Shareholder value
Regulations
Technology vulnerabilities and limitations
B and C only
All of the above

19. Which of the following laws require proper security controls for handling privacy data?

HIPAA
GLBA
FERPA
B and C Only
All of the above

20. Which of the following are control objectives for PCI DSS?

Maintain an information security policy
Protect cardholder data
Alert when credit cards are illegally used
A and B only
None of the above

21. What should you ask for to gain confidence that a vendor’s security controls are adequate?

An SSAE16 Type I audit
An SSAE16 Type II audit
A list of all internal audits
All of the above

22. Why is it important to map regulatory requirements to policies and controls?

To demonstrate compliance to regulators
To ensure regulatory requirements are covered
To demonstrate the importance of a security control
All of the above

23. Who typically writes a report to the board of directors on the current state of information security within a company?

Chief risk officer
Chief information officer
Chief information security officer
A and B
B and C
A, B, and C

24. Which of the following attempts to identify where sensitive data is currently stored?

Data Leakage Protection Inventory
DLP Encryption Key
Data Loss Protection Perimeter
DLP Trojans

25. Voice over Internet Protocol (VoIP) can be used over which of the following?

LAN
WAN
Both
Neither

26. Which of the following is not one of the seven domains of typical IT infrastructure?

Remote Access Domain
LAN Domain
World Area Network Domain
System/Application Domain

27. One key difference between RBAC and ABAC is which of the following?

ABAC is dynamic and RBAC is static.
ABAC is static and RBAC is dynamic.
No difference; these are just different terms to mean the same thing.

28. What policy generally requires that employees lock up all documents and digital media at the end of a workday and when not in use?

Acceptable use policy
Clean desk policy
Privacy policy
Walk out policy

29. What kind of workstation management refers to knowing what software is installed?

Inventory management
Patch management
Security management
Discovery management

30. Generally, remote authentication provides which of the following?

Fewer controls than if you were in the office
The same controls than if you were in the office
More controls than if you were in the office
Less need for controls than in the office

31. Where is a DMZ usually located?

Inside the private LAN
Within the WAN
Between the private LAN and public WAN
Within the mail server

32. What is a botnet?

A piece of software the end user loads onto a device to prevent intrusion
A piece of software a company loads onto a device to monitor its employees
A piece of software a hacker loads onto a device without user knowledge
A piece of software used to communicate between peers

33. Which of the following is a basic element of motivation?

Pride
Self-interest
Success
B and C
All of the above

34. Which personality type often breaks through barriers that previously prevented success?

Attackers
Commanders
Analyticals
Pleasers

35. Which of the following is a method for overcoming apathy?

Avoiding redundancy
Issuing company directives
Engaging in communication
Requiring obedience to policies

36. Why is HR policy language often intentionally vague?

To avoid being interpreted as an unintended promise
To start lawsuits
To avoid being too severe for new hires

37. When a catastrophic security breach occurs, who is ultimately held accountable by regulators and the public?

Company officers
The CIO
The ISO
The data owner

38. Which of the following are attributes of entrepreneurs?

Innovators
Well educated in business management
More likely to take risks
A and C
B and C

39. Which of the following is the best measure of success for a security policy?

Number of security controls developed as a result
The number of people aware of the policy
Reduction in risk
The rank of the highest executive who approved it

40. A change agent typically will

Ensure current processes are working
Ensure application code changes are well understood
Challenge whether a company’s existing processes represent the best approach

41. An IT policy framework charter includes which of the following?

The program’s purpose and mission
The program’s scope within the organization
Assignment of responsibilities for program implementation
Compliance management
A, B, and C only
A, B, C, and D

42. Which of the following is the first step in establishing an information security program?

Adoption of an information security policy framework or charter
Development and implementation of an information security standards manual
Development of a security awareness-training program for employees
Purchase of security access control software

43. Which of the following are generally accepted and widely used policy frameworks? (Select three.)

COBIT
ISO/IEC 27002
NIST SP 800-53
NIPP

44. Which of the following is not mandatory?

Standard
Guideline
Procedure
Baseline

45. Which of the following includes all of the detailed actions and tasks that personnel are required to follow?

Standard
Guideline
Procedure
Baseline

46. When building a policy framework, which of the following information systems factors should be considered?

Unauthorized access to and use of the system
Unauthorized disclosure of information
Disruption of the system
Modification of information
Destruction of information resources
A, B, and E only
A, B, C, D, and E

47. What is the difference between risk appetite and risk tolerance?

Risk tolerance measures impact and likelihood, while risk appetite measures variance from a target goal.
Risk appetite measures impact and likelihood, while risk tolerance measures variance from a target goal.
There is no difference between these two.

48. Which of the following are important to consider before a policy?

Architecture operating model
Intent
Policy change control board
A and B
B and C
A, B, and C

49. Which of the following is not an administrative control?

Development of policies, standards, procedures, and guidelines
Screening of personnel
Change control procedures
Logical access control mechanisms

50. Which of the following are common steps taken in the development of documents such as security policies, standards, and procedures?

Design, development, publication, coding, and testing
Feasibility, development, approval, implementation, and integration
Initiation, evaluation, development, approval, publication, implementation, and maintenance
Design, coding, evaluation, approval, publication, and implementation

51. Which type of control is associated with responding to and fixing a security incident?

Deterrent
Compensating
Corrective
Detective

52. Which of the following does a policy change control board do? (Select two.)

Assesses policies and standards and makes recommendations for change
Determines the policy and standards library numbering scheme
Implements technical controls as business conditions change
Reviews requested changes to the policy framework

53. Which of the following is not an IT security policy framework?

COBIT
ISO
ERM
OCTAVE

54. Which of the following are PCI DSS network requirements?

Network segregation
Penetration testing
Virus scanning
All of the above
A and B only

55. Which of the following are common IT framework characteristics?

Risk-based management
Aligned business risk appetite
Reduced operation disruption and losses
Established path from requirements to control
All of the above
A and C only

56. Which of the following applies to both GRC and ERM?

Defines an approach to reduce risk
Applies rigid framework to eliminate redundant controls, policies, and efforts
Passively enforces security policy
Seeks line of sight into root causes of risks

57. Which of the following is not a key area of improvement noted after COBIT implementation?

Value delivery
Decentralization of the risk function
Better resourcing of IT
Better communication

58. Security awareness is required by which of the following?

Law
Customers
Shareholders
All of the Above

59. Which of the following does an acceptable use policy relate to?

Server-to-server communication
Users accessing the Internet
Encryption when transmitting files
A and B

60. What is the difference between least access privileges and best fit access privileges?

Least access privileges customize access to an individual
Best fit privileges customize access to a group based on risk
No difference
A and B

61. The steps to implement security controls on a firewall would be documented within which of the following?

Policy
Control standard
Baseline standard
Procedure

62. A DMZ separates a LAN from which of the following?

Phone network
Internet
Cellular network
VoIP Network

63. Visitor control is an aspect of which of the following?

Network security
Personnel security
Workstation security
Physical security

64. Which of the following can you use to segment LANs?

Routers and firewalls
Routers and gateways
Gateways and servers
Servers and workstations

65. Without a policy that leads to controls that restrict employees from installing their own software on a company workstation, a company could suffer which of the following consequences?

Malware on the network
Lawsuits from software licensing issues
Loss of productivity
All of the above

66. Good sources for security policies and standards include which of the following?

U.S. Government
Private companies selling standards
Professional organizations
Vendors
All of the above

67. Two-factor authentication is a typical control used by employees to remotely access which of the following?

Workstation
LAN
DMZ Web site
WAN

68. Which document outlines the specific controls that a technology device needs to support?

Control standard
Baseline standard
Procedure
Policy

69. What is the difference between a stateless firewall and a stateful one?

A stateful firewall looks at each packet individually and a stateless firewall examines the packet in context the connection and other packets.
A stateless firewall looks at each packet individually and a stateful firewall examines the packet in context the connection and other packets.
No difference

70. Which of the following is not a common need for most organizations to classify data?

Protect information
Retain information
Sell information
Recover information

71. You need to retain data for what major reasons?

Legal obligation
Needs of the business
For recovery
A and B
All of the above

72. What qualities should the data owner possess?

Is in a senior position within the business
Understands the data operations of the business
Understands the importance and value of the information to the business
Understand the ramifications of inaccurate data or unauthorized access
All of the above

73. What is a process to understand business leaders’ perspective of risk called?

QA
QC
RCSA

74. Data in transit is what type of data?

Data backup tapes being moved to a recovery facility
Data on your USB drive
Data traversing a network
Data being stored for later transmission

75. Which of the following should not be in an information response team charter?

Mission
Organizational structure
Detailed line budget
Roles and responsibilities

76. Which of the following IRT members should be consulted before communicating to the public about an incident?

Management
Public relations
IRT manager
All of the above

77. As defined by this chapter, what is not a step in responding to an incident?

Discovering an incident
Reporting an incident
Containing an incident
Creating a budget to compare options
Analyzing an incident response

78. What value does a forensic tool bring?

Gathers evidence
Helps evidence to be accepted by the court
Can take a bit image of a machine
All of the above

79. How important is it to identify the attacker before issuing a final IRT report?

Critically important; do not issue the report without it
Moderately important; nice to have but issue the report if not available
Not important; focus on the incident and do not include identity of attacker even if you have it
Important, but allow law enforcement to brief management about attacker’s identity

80. When analyzing an incident, you must try to determine which of the following?

The tool used to attack
The vulnerability that was exploited
The result of the attack
All of the above

81. What is the difference between a BCP and a DRP?

A BCP focuses on the business recovery and DRP focuses on technology recovery.
A DRP focuses on the business recovery and BCP focuses on technology recovery.
There is no difference. The two terms mean the same thing.

82. Which of the following indicate that the culture of an organization is adopting IT security policies?

Security policies are part of routine daily interaction.
Security policies are supported by organizational committees.
Security policies’ core values are demonstrated in workers’ instinctive reactions to situations.
All of the above

83. A control environment is defined as:

An inventory of the security policy controls
A well-defined framework to track control exceptions
A term describing the overall way in which the organization’s controls are governed and executed
None of the above

84. Which of the following is not an organizational challenge when implementing security policies?

Accountability
Surplus of funding
Lack of priority
Tight schedules

85. Which type of plan is critical to ensuring security awareness reaches specific types of users?

Rollout plan
Media plan
Executive project plan
Communications plan

86. Why should a security policy implementation be flexible to allow for updates?

Unknown threats will be discovered.
New ways of teaching will be introduced.
New technologies will be introduced.
A and C
All of the above

87. Which of the following is the least objectionable when dealing with policies with regard to outdated technology?

Write security policies to best practices and issue a policy waiver for outdated technology that inherently cannot comply.
Write security policies to the lowest, most common security standard the technology can support.
Write different sets of policies for outdated technologies.
All of the above

88. What is a strong indicator that awareness training is not effective?

A firewall breach
Sharing your password with a supervisor
Sharing a laptop with a coworker
A fire in the data center

89. A target state is generally defined as:

A term used in technology to describe a future state
A way to describe specific policy goals and objectives
A way to describe what tools, processes, and resources (including people) are needed to achieve the goals and objectives
All of the above
None of the above

90. What is the best way to disseminate a new policy?

Hardcopy
Intranet
Brown bag session
All of the above

91. A formal communication plan is ________ when implementing major security policies.

Always needed
Optional
Never needed

92. Which of the following is not an organizational gateway committee?

Architecture review committee
Internal connection committee
Vendor governance committee
Security compliance committee

93. Which of the following is not an access control?

Authentication
Authorization
Decryption
Logging

94. In which of the following areas might a company monitor its employees’ actions?

Internet
E-mail
Computers
A and B
All of the above

95. What is not required in modern-day CISO positions?

Must rely on the organization to enforce policy
Needs to have strong law enforcement background
Needs to build relationships and consensus
Must influence behavior and change culture to enforce policy

96. What is an example of a manual control?

Background checks
Authentication
Access rights reviews
A and C
All of the above

97. A breach of a single customer record cannot be considered a pervasive control weakness.

True—you must lose a significant amount of data for it to be considered a pervasive control weakness.
False—any breach can be a pervasive control weakness, depending on the control that failed.

98. Line management does which of the following to make policies operational?

Acts as go-to people for addressing questions
Applies policies consistently
Gathers metrics on the policies’ effectiveness
A and C
All of the above

99. In which process would you place quality assurance controls?

Governance processes
Management processes
A and B
None of the above

100. Which of the following is not reviewed when monitoring a user’s e-mail and Internet activity?

Data leakage
Viruses and malware
Unauthorized access to sites
Network performance

101. An operating system and different applications are installed on a system. The system is then locked down with various settings. You want the same operating system, applications, and settings deployed to 50 other computers. What’s the easiest way?

Scripting
Imaging
Manually
Spread the work among different departments

102. Your organization wants to automate the distribution of security policy settings. What should be considered?

Training of administrators
Organizational acceptance
Testing for effectiveness
All of the above

103. An organization uses a decentralized IT model with a central IT department for core services and security. The organization wants to ensure that each department is complying with primary security requirements. What can be used to verify compliance?

Group Policy
Centralized change management policies
Centralized configuration management policies
Random audits

104. An organization wants to maintain a database of system settings. The database should include the original system settings and any changes. What should be implemented within the organization?

Change management
Configuration management
Full ITIL life cycle support
Security Content Automation Protocol

105. An organization wants to reduce the possibility of outages when changes are implemented on the network. What should the organization use?

Change management
Configuration management
Configuration management database
Simple Network Management Protocol

106. A security baseline image of a secure configuration that is then replicated during the deployment process is sometimes call a ________.

Master copy
Zero-day image
Gold master
Platinum image

107. What is a valid approach for validating compliance to security baseline?

Vulnerability scanner
Penetration test
A and B

Let’s take a true/false based questions (with answers) and test your knowledge and learn some interesting things along the way.

1. COBIT is a widely accepted international best practices policy framework.

True
False

2. Ted is an administrator in the server backup area. He is reviewing the contract for the offsite storage facility for validity. This contract includes topics such as the amount of storage space required, the pickup and delivery of media, response times during an outage, and security of media within the facility. This contract is an example of information security.

True
False

3. Privacy regulations involve two important principles: full disclosure and data encryption.

True
False

4. Information used to open or access a bank account is generally considered PII data.

True
False

5. Mitigating controls always meet the full intent of the policy.

True
False

6. When creating laws and regulations, the government’s sole concern is the privacy of the individual.

True
False

7. Health care providers are those that process and facilitate billing.

True
False

8. The only consideration in protecting personal customer information is legal requirements.

True
False

9. You should always write new security policies each time a new regulation is issued.

True
False

10. Private WANs must be encrypted at all times.

True
False

11. A LAN is efficient for connecting computers within an office or groups of buildings.

True
False

12. What employees learn in awareness training influences them more than what they see within their department.

True
False

13. Always applying the most strict authentication method is the best way to protect the business and ensure achievement of goals.

True
False

14. Remote access does not have to be encrypted if strong authentication is used.

True
False

15. In hierarchical organizations, the leaders are close to the workers that deliver products and services.

True
False

16. User apathy often results in an employee just going through the motions.

True
False

17. In the case of policies, it is important to demonstrate to business how polices will reduce risk and will be derived in a way that keeps costs low.

True
False

18. An ideal time to refresh security policies is during a reduction in force.

True
False

19. A control partner’s role includes analysis of proposed policy changes and providing an opinion on their viability.

True
False

20. Security policies provide the “what” and “why” of security measures.

True
False

21. The purpose of a consequence model is to discipline an employee in order to ensure future compliance with information security policies.

True
False

22. A mitigating control eliminates the risk by achieving the policy goal in a different way.

True
False

23. When writing policies and standards, you should address the six key questions who, what, where, when, why, and how.

True
False

24. Guideline documents are often tied to a specific control standard.

True
False

25. The sole purpose of an architecture operating model is to define how all the businesses technology will be implemented.

True
False

26. Exceptions or waivers to security policies are a bad idea and should never be approved.

True
False

27. Security principles are needed in the absence of complete information to make high-quality security decisions.

True
False

28. “Access to all Organization information resources connected to the <Organization> network must be controlled by using user IDs and appropriate authentication” is a statement you might find in a procedure document.

True
False

29. The security committee is the key committee for the CISO.

True
False

30. The underlying concept of SOD is that individuals execute high-risk transactions as they receive preapproval.

True
False

31. A risk management and metrics team is generally the first team to respond to an incident.

True
False

32. Once you decide not to eliminate a risk but to accept it, you can ignore the risk.

True
False

33. Implementing a governance framework can allow an organization to systemically identify and prioritize risks.

True
False

34. All organizations should have a full-time team dedicated to collecting, reviewing, and reporting to demonstrate adherence to regulations.

True
False

35. Pretexting is what happens when a hacker breaks into a firewall.

True
False

36. A privileged-level access agreement (PAA) prevents an administrator from abusing elevated rights.

True
False

37. Social engineering occurs when a hacker posts her victories on a social Web site.

True
False

38. Typically in large organizations all administrators have the same level of authority.

True
False

39. An interactive service account typically does not have a password.

True
False

40. Production data should be sanitized before being used in a test environment.

True
False

41. Organizations should always create new policies tailored to their needs rather than adopt industry norms found on the Internet.

True
False

42. An owner of the data must obtain approval from the custodian of the resource to use the data.

True
False

43. Authorization is the process used to prove the identity of the person accessing systems, applications, and data.

True
False

44. In all businesses you will always have data that needs to be protected.

True
False

45. Risk exposure is best-guess professional judgment using a qualitative technique.

True
False

46. Federal agencies can customize their own data classification scheme.

True
False

47. Quality assurance is typically a detective control.

True
False

48. Generally, having five to 10 data classifications works best to cover all the possible data needs of an organization

True
False

49. Encryption protects data at rest from all type of breaches.

True
False

50. All incidents regardless of how small should be handled by an incident response team.

True
False

51. When containing an incident, you should always apply a long-term preventive solution.

True
False

52. During the containment step, you should also gather as much evidence as reasonably possible about the incident.

True
False

53. To clean up after an incident, you should always wipe the affected machine clean and rebuild it from scratch.

True
False

54. The Business Impact analysis (BIA) is created after the business has created a Business Continuity Plan (BCP).

True
False

55. The BIA assessment is created by the IRT team primarily for use during a security incident.

True
False

56. Effective security policies require that everyone in the organization be accountable for policy implementation.

True
False

57. Deliberate acts and malicious behavior by employees are easy to control, especially when proper deterrents are installed.

True
False

58. Classroom training for security policy awareness is always the superior option to other alternatives, such as online training.

True
False

59. A brown bag session is a formal training event with a tightly controlled agenda.

True
False

60. The security compliance committee has one role, which is to identify when violations of policies occur.

True
False

61. Laws define the specific internal IT processes needed to be compliant.

True
False

62. Connecting a personal device to the company network can create legal implications.

True
False

63. After a set of security settings has been applied to a system, there is no need to recheck these settings on the system.

True
False

64. Several tools are available to automate the deployment of security policy settings. Some tools can deploy baseline settings. Other tools can deploy changes in security policy settings.

True
False

65. Change requests are tracked in a control work order database. Approved changes are also recorded in a CMDB.

True
False

66. Microsoft created the Web-Based Enterprise Management (WBEM) technologies for Microsoft products.

True
False

67. It is important to protect your gold master because an infected copy could quickly result in widespread infection with malware.

True
False

68. If an organization implements the COSO internal control framework, then it cannot implement another controls framework like COBIT.

True
False

Below is the set of some important questions and answers related to the filling of the blanks.

1. Governance is the practice of ensuring an entity is in conformance to policies, regulations, ________, and procedures.

Answer: Standards

2. Greg has developed a document on how to operate and back up the new financial sections storage area network. In it, he lists the steps required for powering up and down the system as well as configuring the backup tape unit. Greg has written a ________.

Answer: Procedure

3. Implementation and enforcement of policies is a challenge. The biggest hindrance to implementation of policies is the ________ factor.

Answer: Human

4. A firewall is generally considered an example of a ________ control.

Answer: Preventive

5. Nation-state attacks that try to disrupt the country’s critical infrastructure are sometimes referred to as ________.

Answer: Cyberterrorism or cyberwarfare

6. The law that attempts to limit children’s exposure to sexually explicit material is ________.

Answer: CIPA

7. Which of the seven domains refers to the technical infrastructure that connects the organization’s LAN to a WAN and allows end users to surf the Internet?

Answer: LAN-to-WAN Domain

8. A ________ is a term that refers to a network that limits what and how computers are able to talk to each other.

Answer: Segmented Network

9. Dedicated network devices whose only function is to create and manage VPN traffic are called VPN ________.

Answer: Concentrators

10. The minimum standard in authentication for businesses is the use of ________.

Answer: IDs and Passwords

11. Avoiders like to ________ and will do _______ but not much more.

Answer: Be in the background; precisely what is asked of them

12. As the number of specialties increases so does ________.

Answer: The cost of business

13. Kotter’s Eight-Step Change Model can help an organization gain support for _______ changes.

Answer: Security policy

14. ________ are best defined as high-level statements, beliefs, goals, and objectives.

Answer: Policies

15. Accounts that have not been accessed for a extended period of time are often referred to as ________.

Answer: Dormant accounts

16. List the five tenets of information assurance that you should consider when building an IT policy framework. ________

Answer: Confidentiality, integrity, availability, authorization, and nonrepudiation

17. List examples of physical security control items. ________

Answer: Answers may include devices and processes used to control physical access; examples include fences, security guards, locked doors, motion detectors, and alarms

18. A process to refresh policies as needed based on a major event uses the principle called ________.

Answer: Lessons learned

19. A(n) ________ is a plan or course of action used by an organization to convey instructions from its senior-most management to those who make decisions, take actions, and perform other duties on behalf of the organization.

Answer: Policy

20. The principle that states security is improved when it is implemented as a series of overlapping controls is called ________

Answer: Defense in depth

21. A security team’s organizational structure defines the team’s ________.

Answer: Priorities or specialties

22. The more layers of approval required for SOD, the more ________ it is to implement the process.

Answer: Expensive or burdensome

23. Asking to borrow someone’s keycard could be an example of ________.

Answer: Social engineering

24. You can use a _______ process to grant temporary elevated rights.

Answer: Firecall-ID

25. A(n) _______ looks at risk and issues an independent opinion.

Answer: Auditor

26. A(n) _______ has inside information on how an organization operates.

Answer: Insider

27. A CISO must _______ risks if the business unit is not responsive.

Answer: Escalate

28. System accounts are also referred to as _______ accounts.

Answer: Service

29. EDM typically refers in information security to ________.

Answer: Enterprise data management

30. The content for the documents in the policies and standards library should be written so they are ________ and________.

Answer: Cohesive, coherent

31. The lowest federal government data classification rating for classified material is ________.

Answer: Confidential

32. Risk exposure can be expressed in the following manner: ________ = ________ × ________.

Answer: Risk exposure [=] Likelihood the event will occur [×] Impact if the event occurs

33. A method outlined in this chapter to determine if an incident is major or minor is to classify an incident with a _______ rating.

Answer: Severity

34. The IRT starts recording events once an __________.

Answer: Incident is declared

35. Which IRT member is responsible for handling the media?

Answer: Public relations

36. To get employees to comply and accept security policies, the organization must understand the employees’ ________

Answer: Motivations or needs

37. ________ often focuses on enterprise risk management across multiple lines of business to resolve strategic business issues.

Answer: Executive management

38. ________ establish how the organization achieves regulatory requirements.

Answer: Security policies

39. When testing for security in an application code, the quality assurance process tests ________ the code is in production and quality control tests ________ the code is in production.

Answer: Before, after

40. The operational risk function is responsible for ensuring that the business operates within risk ________ and risk ________.

Answer: Appetite, tolerance

41. A ________ is a starting point or standard. Within IT, it provides a standard focused on a specific technology used within an organization.

Answer: Baseline

42. The time between when a new vulnerability is discovered and when software developers start writing a patch is known as a ________.

Answer: Vulnerability window or security gap

43. A common method of scoring risk is reflected in the formula as follows, Risk = ________ × ________.

Answer: Likelihood × Impact

44. A ________ can be used with a downloaded file. It offers verification that the file was provided by a specific entity. It also verifies the file has not been modified.