CHAPTER 4: SECURITY MANAGEMENT



Multiple Choice:

1. An effective security policy contains all of the following information except:
   A. Reference to other policies
   B. Measurement expectations
   C. Compliance management and measurements description
   D. Glossary of terms
   Answer: D; Reference: Security Policies Set the Stage; Difficulty: moderate

2. Which of the following is typically NOT found in a corporate security policy?
   A. Effective/expiration dates
   B. Standards library structure
   C. Authorizing individual
   D. Exception process
   Answer: B; Reference: Security Policies Set the Stage; Difficulty: moderate

3. A(n) ________ policy might prescribe the need for information security and may delegate the creation and management of the programme.
   A. Programme-level
   B. System-specific
   C. Issue-specific
   D. Programme-framework
   Answer: A; Reference: Four Types of Policies; Difficulty: moderate

4. A(n) ________ policy focuses on policy issues that management decided for a specific system.
   A. Programme-level
   B. System-specific
   C. Issue-specific
   D. Programme-framework
   Answer: B; Reference: Four Types of Policies; Difficulty: easy

5. ________ policy speaks to specific issues of concern to the organization.
   A. Programme-level
   B. System-specific
   C. Issue-specific
   D. Programme-framework
   Answer: C; Reference: Four Types of Policies; Difficulty: moderate

6. Programme-level policy helps management do all of the following except:
   A. Establish a security programme
   B. Assign programme management responsibilities
   C. Depict the library standards structure
   D. Establish a basis for policy compliance
   Answer: C; Reference: Programme-Level Policies; Difficulty: moderate

7. Which of the following is not a programme-level policy component?
   A. Compliance
   B. Responsibilities
   C. Scope
   D. Rationale
   Answer: D; Reference: Programme-Level Policies; Difficulty: moderate

8. The ________ programme-level policy component authorizes and defines the use of specific penalties and disciplinary action for those failing to comply with computer security policies.
   A. Purpose
   B. Scope
   C. Compliance
   D. Responsibilities
   Answer: C; Reference: Programme-Level Policies; Difficulty: moderate

9. The ________ programme-level policy component specifies which resources, information, and personnel are covered.
   A. Purpose
   B. Scope
   C. Compliance
   D. Responsibilities
   Answer: B; Reference: Programme-Level Policies; Difficulty: moderate

10. All of the following information technology management decisions are reflected in the programme-framework policy EXCEPT:
    A. Priorities for protection
    B. Resource allocation
    C. Assignment of responsibilities
    D. None of the above
    Answer: D; Reference: Programme-Framework Policies; Difficulty: moderate

11. Some organizations distribute handbooks that address the programme-framework policy; these combine:
    A. Policy
    B. Standards
    C. Both of the above
    D. None of the above
    Answer: C; Reference: Programme-Framework Policies; Difficulty: moderate

12. The key policy areas of computer security include all of the following except:
    A. Library security structure
    B. Life-cycle management
    C. Contingency planning
    D. Network security
    Answer: A; Reference: Programme-Framework Policies; Difficulty: moderate

13. Which of the following is NOT something included in a system-specific policy?
    A. State the security objectives of a specific system
    B. Describe the security functions of a specific system
    C. Define how the system should be operated to achieve security
    D. Specify how technology protections and features will be used to support the security objectives
    Answer: B; Reference: Issue-Specific Policies; Difficulty: moderate

14. The basic components of an issue-specific policy might include all of the following except:
    A. Compliance
    B. Applicability
    C. Standard library structure
    D. Issue statement
    Answer: C; Reference: Issue-Specific Policies; Difficulty: moderate

15. A basic component of an issue-specific policy that defines a security issue and any relevant terms, distinctions, and conditions is a(n):
    A. Issue statement
    B. Statement of the organization's position
    C. Point of contact and supplementary information
    D. Role and responsibility
    Answer: A; Reference: Issue-Specific Policies; Difficulty: moderate

16. A basic component of an issue-specific policy that states where, how, when, to whom, and to what a particular policy applies is:
    A. Issue statement
    B. Role and responsibility
    C. Applicability
    D. Compliance
    Answer: C; Reference: Issue-Specific Policies; Difficulty: moderate

17. Compliance defines penalties that must be consistent with organizational personnel policies and are coordinated with all of the following except appropriate:
    A. Officials
    B. Offices
    C. Employee bargaining units
    D. ISP administrators
    Answer: D; Reference: Issue-Specific Policies; Difficulty: moderate

18. Which of the following is NOT considered an example of an issue-specific policy?
    A. E-mail acceptable use
    B. Internet acceptable use
    C. Read/write access to the HR database
    D. Laptop acceptable use
    Answer: C; Reference: Issue-Specific Policies; Difficulty: moderate

19. Examples of system-specific policy decisions, which focus on only one system, include all of the following except:
    A. Who is allowed to read or modify data?
    B. Under what conditions can data be read or modified?
    C. Can users dial into the system from home?
    D. Are users permitted to use flash drives?
    Answer: D; Reference: System-Specific Policies; Difficulty: moderate

20. The model for a system security policy does NOT include:
    A. Security objectives
    B. Operational security
    C. Management structure
    D. Policy implementation
    Answer: C; Reference: Development and Management of Security Policies; Difficulty: moderate

21. All of the following statements about operational security documentation are true except:
    A. Formal policy is published as a distinct policy document
    B. Less formal policy may be written in memos
    C. Informal policy may not be written at all
    D. Uncommon policies are included in informal policy
    Answer: D; Reference: Operational Security; Difficulty: moderate

22. Automated methods of enforcing or supporting security policy would NOT include:
    A. Block file save to all but hard disk
    B. Intrusion detection software
    C. Prevent booting from a floppy disk
    D. Blocking telephone system users from calling some numbers
    Answer: A; Reference: Development and Management of Security Policies; Difficulty: moderate

23. The supporting documents derived from policy statements include all of the following except:
    A. Regulations
    B. Procedural maps
    C. Standards and baselines
    D. Guidelines
    Answer: B; Reference: Policy Support Documents; Difficulty: moderate

24. Step-by-step directions to execute a specific security activity are referred to as a:
    A. Regulation
    B. Standard
    C. Guideline
    D. Procedure
    Answer: D; Reference: Policy Support Documents; Difficulty: moderate

25. Which of the following regulatory agencies regulates U.S. banks?
    A. FTC
    B. FFIEC
    C. FDA
    D. SEC
    Answer: B; Reference: Regulations; Difficulty: moderate

26. ________ is needed by businesses and agencies to determine how much security is needed for appropriate protection.
    A. Separation of duties
    B. Education, awareness, and training
    C. Asset and data classification
    D. Risk analysis and management
    Answer: C; Reference: Asset Classification; Difficulty: moderate

27. In the standards taxonomy, ________ suggests that no single person is responsible for approving his own work.
    A. Separation of duties
    B. Education, awareness, and training
    C. Asset and data classification
    D. Risk analysis and management
    Answer: A; Reference: Separation of Duties; Difficulty: moderate

28. Which of the following would NOT be checked as part of an employee screening process?
    A. Credit report
    B. Worker's compensation reports
    C. Education verification and credential confirmation
    D. All of the above are checked
    Answer: D; Reference: Employee Screening; Difficulty: moderate

29. ________ provides technical facilities, data processing, and support services to users of information systems.
    A. Chief information security officer
    B. Information resources manager
    C. Owners of information resources
    D. Custodians of information resources
    Answer: D; Reference: Who Is Responsible for Security; Difficulty: moderate

30. Which of the following is NOT a calculation used for quantitative risk analysis?
    A. ALE
    B. Probability
    C. Standard deviation
    D. Vulnerability
    Answer: C; Reference: Quantitative Risk Analysis; Difficulty: moderate

Fill in the Blank:

31. A constantly funded, ongoing management activity, a(n) ________ is intended for the preservation and advancement of the organization.
    Answer: programme; Reference: Introduction; Difficulty: moderate

32. Even before security technology is acquired and deployed, ________ must be considered.
    Answer: policies; Reference: Security Policies Set the Stage; Difficulty: moderate

33. A programme-level policy is also thought of as the ________ statement for the IT security programme.
    Answer: mission; Reference: Four Types of Policies; Difficulty: moderate

34. The ________ component of programme-level policy indicates which resources, information, and personnel the programme covers.
    Answer: scope; Reference: Programme-Level Policies; Difficulty: moderate

35. The organization-wide direction for broad areas of programme implementation is found in the ________ policies.
    Answer: programme-framework; Reference: Programme-Framework Policies; Difficulty: moderate

36. Security rules are derived from security ________.
    Answer: goals; Reference: Development and Management of Security Policies; Difficulty: moderate

37. Security ________ are designed to describe meaningful actions about specific resources.
    Answer: objectives; Reference: Security Objectives; Difficulty: moderate

38. Security objectives may not be fully met because of cost, operational, ________, and other constraints.
    Answer: technical; Reference: Operational Security; Difficulty: moderate

39. Enforcing security is typically a combination of ________ technical and management methods.
    Answer: traditional; Reference: Policy Implementation; Difficulty: moderate

40. Policy support ________ explain the system development, management, and operational requirements.
    Answer: documents; Reference: Policy Support Documents; Difficulty: moderate

41. Information security ________ are often dictated by the nature of an organization's business.
    Answer: standards; Reference: Regulations; Difficulty: moderate

42. A(n) ________ refers to specific security requirements, but a ________ is a specific set of requirements for a technology implementation.
    Answer: standard, baseline; Reference: Standards and Baselines; Difficulty: moderate

43. To determine how much security is needed for protection, businesses use asset and data ________.
    Answer: classification; Reference: Asset Classification; Difficulty: moderate

44. One way to limit any individual's ability to cause harm is to ________ duties within a business.
    Answer: separate; Reference: Separation of Duties; Difficulty: moderate

45. Critical information used to make the best hiring decision is typically found in ________ records.
    Answer: public; Reference: Employee Screening; Difficulty: moderate

46. Those individuals seeking employment involving access to sensitive government assets will have a ________ security clearance.
    Answer: defense (or military); Reference: Military Security Clearance; Difficulty: moderate

47. The two basic types of risk analysis are quantitative and ________.
    Answer: qualitative; Reference: Risk Analysis and Management; Difficulty: moderate

48. User education, awareness, and training on policies and procedures are important because ________ are the weakest link in a security-related process.
    Answer: people; Reference: Education, Training, and Awareness; Difficulty: moderate

Matching:

49. Match the following terms to their meanings:
    I. Issue statement
    II. Applicability
    III. Compliance
    IV. Roles and responsibilities
    V. Points of contact

    A. Lists applicable standards or guidelines
    B. Describes infractions and states penalties
    C. Defines relevant terms, distinctions, and conditions
    D. Where, how, when, to whom policy applies
    E. Identifies approving authority
    Answer: C D B E A; Reference: Issue-Specific Policies; Difficulty: moderate

50. Match the following terms to their meanings:
    I. Asset classification
    II. Separation of duties
    III. Preemployment hiring practices
    IV. Risk analysis and management
    V. Education, awareness, and management

    A. Limit individual's ability to cause harm
    B. Which security controls are appropriate and cost effective
    C. Top-driven and comprehensive
    D. internal information security process
    E. How much security is appropriate protection
    Answer: E A D B C; Reference: Suggested Standards Taxonomy; Difficulty: moderate

51. Match the following terms to their meanings:
    I. ALE
    II. Probability
    III. Threat
    IV. Control
    V. Vulnerability

    A. Absence of a risk-reducing safeguard
    B. An event having an undesired impact
    C. Single loss expectancy multiplied by annualized rate of occurrence
    D. Chance that an event will occur
    E. Risk-reducing measure that acts to detect, prevent, or minimize loss
    Answer: C D B E A; Reference: Risk Analysis and Management; Difficulty: moderate

52. Match the following terms to their meanings:
    I. CISO
    II. Information resources manager
    III. Owners of information resources
    IV. Internal auditors
    V. Users

    A. Conduct periodic risk-based reviews
    B. Carry out programme that uses resources
    C. People who have access to information resources
    D. Maintains policies and procedures
    E. Establishes and maintains security and risk management programmes
    Answer: E D B A C; Reference: Who Is Responsible for Security; Difficulty: moderate