Exam 7: Security Management Practices

A(n) baseline is a "value or profile of a performance metric against which changes in the performance metric can be usefully compared." _________________________

(True/False)

Which of the following is NOT a goal of the NIST System Certification and Accreditation Project:

(Multiple Choice)

Best security practices (BSPs) balance the need for information access with the need for adequate protection while simultaneously demonstrating social responsibility.

(True/False)

During Phase 1 of the NIST performance measures development process, the organization identifies relevant ____ and their interests in information security measurement.

(Multiple Choice)

By looking at the paths taken by organizations similar to the one whose plan you are developing, known as benchmarking, the organization can follow the recommended or existing practices of a similar organization or industry-developed standards. _________________________

(True/False)

Certification is defined as "the comprehensive evaluation of the technical and nontechnical security controls of an IT system to support the accreditation process that establishes the extent to which a particular design and implementation meets a set of specified security requirements."

(True/False)

The ____________________ standard is a model level of performance that demonstrates industrial leadership, quality, and concern for the protection of information.

(Short Answer)

The ____ standard is a model level of performance that demonstrates industrial leadership, quality, and concern for the protection of information.

(Multiple Choice)

Good security now is better ____.

(Multiple Choice)

In future certification and accreditation practices, NIST will focus less on certification and accreditation strategies, and more on ____.

(Multiple Choice)

The process of implementing a performance measures program recommended by NIST involves six phases. List them.

(Essay)

Implementing controls at an acceptable standard - and maintaining them - demonstrates that an organization has performed due diligence. _________________________

(True/False)

NIST recommends the documentation of each performance measure in a customized format to ensure repeatability of measures development, tailoring, collection, and reporting activities.

(True/False)

In the future, NIST is replacing traditional Certification and Accreditation with authorization strategies and security control assessment.

(True/False)

It is no longer sufficient to simply assert effective information security; an organization must demonstrate that it is taking effective measures in the spirit of due diligence. _________________________

(True/False)

One of the critical tasks in the measurement process is to assess and ____________________ what will be measured.

(Short Answer)

Organizations typically use three types of performance measures, including those that assess the impact of a(n) ____________________ or other security event on the organization or its mission.

(Short Answer)

Production level statistics depend greatly on the number of systems and the number of users of those systems. _________________________

(True/False)

The federal government prohibits the distribution of best security practices with organizations other than federal agencies. _________________________

(True/False)

The benefits of using information security performance measures include "increasing ____________________ for information security performance; improving effectiveness of information security activities; demonstrating compliance with laws, rules, and regulations; and providing quantifiable inputs for resource allocation decisions."

(Short Answer)