Question 1

A legal standard that requires an organization and its employees to actas a reasonable and prudent individual or organization would under similar circumstances.

Accepted Answer

A) accreditation 
B) baseline 
C) benchmarking 
D) certification 
E) due diligence
F)best security practices
G)recommended business practices
H)standard of due care
I)performance measurements
J)NIST SP 800-37 
A) accreditation 
B) baseline 
C) benchmarking 
D) certification 
E) due diligence
F)best security practices
G)recommended business practices
H)standard of due care
I)performance measurements
J)NIST SP 800-37 H

Question 2

Which of the following is NOT a question to be used as a self-assessment for recommended security practices in the category of people?

Accepted Answer

A)  Do you perform background checks on all employees with access to sensitive data,
Areas, or access points? 
B)  Are the user accounts of former employees immediately removed on termination? 
C)  Would the typical employee recognize a security issue? 
D)  Would the typical employee know how to report a security issue to the right people? 
A)  Do you perform background checks on all employees with access to sensitive data,
Areas, or access points? 
B)  Are the user accounts of former employees immediately removed on termination? 
C)  Would the typical employee recognize a security issue? 
D)  Would the typical employee know how to report a security issue to the right people? B

Question 3

Which of the following is NOT a consideration when selecting recommended best practices?

Accepted Answer

A)  Threat environment is similar 
B)  Resource expenditures are practical 
C)  Organization structure is similar 
D)  Same certification and accreditation agency or standard 
A)  Threat environment is similar 
B)  Resource expenditures are practical 
C)  Organization structure is similar 
D)  Same certification and accreditation agency or standard D

Question 4

A comprehensive assessment of a system's technical and nontechnical protectionstrategies,as specified by a particular set of requirements.

Accepted Answer

A) accreditation 
B) baseline 
C) benchmarking 
D) certification 
E) due diligence
F)best security practices
G)recommended business practices
H)standard of due care
I)performance measurements
J)NIST SP 800-37 
A) accreditation 
B) baseline 
C) benchmarking 
D) certification 
E) due diligence
F)best security practices
G)recommended business practices
H)standard of due care
I)performance measurements
J)NIST SP 800-37

Question 5

One question you should ask when choosing among recommended practices is "Can your organization afford to implement the recommended practice?"

Accepted Answer

A) True 
 B)False

Question 6

The authorization of an IT system to process,store,or transmit information.

Accepted Answer

A) accreditation 
B) baseline 
C) benchmarking 
D) certification 
E) due diligence
F)best security practices
G)recommended business practices
H)standard of due care
I)performance measurements
J)NIST SP 800-37 
A) accreditation 
B) baseline 
C) benchmarking 
D) certification 
E) due diligence
F)best security practices
G)recommended business practices
H)standard of due care
I)performance measurements
J)NIST SP 800-37

Question 7

A common approach to a Risk ManagementFramework (RMF)for InfoSec practice.

Accepted Answer

A) accreditation 
B) baseline 
C) benchmarking 
D) certification 
E) due diligence
F)best security practices
G)recommended business practices
H)standard of due care
I)performance measurements
J)NIST SP 800-37 
A) accreditation 
B) baseline 
C) benchmarking 
D) certification 
E) due diligence
F)best security practices
G)recommended business practices
H)standard of due care
I)performance measurements
J)NIST SP 800-37

Question 8

An assessment of the performance of some action or process against which futureperformance is assessed.

Accepted Answer

A) accreditation 
B) baseline 
C) benchmarking 
D) certification 
E) due diligence
F)best security practices
G)recommended business practices
H)standard of due care
I)performance measurements
J)NIST SP 800-37 
A) accreditation 
B) baseline 
C) benchmarking 
D) certification 
E) due diligence
F)best security practices
G)recommended business practices
H)standard of due care
I)performance measurements
J)NIST SP 800-37

Question 9

The actions that demonstrate that an organization has made a valid effort to protect othersa requirement and that the implementedstandards continue to provide the required level of protection.

Accepted Answer

A) accreditation 
B) baseline 
C) benchmarking 
D) certification 
E) due diligence
F)best security practices
G)recommended business practices
H)standard of due care
I)performance measurements
J)NIST SP 800-37 
A) accreditation 
B) baseline 
C) benchmarking 
D) certification 
E) due diligence
F)best security practices
G)recommended business practices
H)standard of due care
I)performance measurements
J)NIST SP 800-37

Question 10

The process of implementing a performance measures program recommended by NIST involves six phases.List and describe them.

Accepted Answer

Phase 1: Prepare for data collection; id

Question 11

Data or the trends in data that may indicate the effectiveness ofsecurity countermeasures or controls-technical and managerial-implemented in theorganization are known as program measurements.____________

Accepted Answer

A) True 
 B)False

Question 12

Which of the following is NOT a factor critical to the success of an information security performance program?

Accepted Answer

A)  Strong upper level management support 
B)  High level of employee buy-in 
C)  Quantifiable performance measurements 
D)  Results oriented measurement analysis 
A)  Strong upper level management support 
B)  High level of employee buy-in 
C)  Quantifiable performance measurements 
D)  Results oriented measurement analysis

Question 13

Why it measurement prioritization and selection important?How can it be achieved?

Accepted Answer

Because organizations seem to better man

Question 14

A practice related to benchmarking is ____________,which is a measurement against a prior assessment or an internal goal.

Accepted Answer

The answer of A practice related to benchmarking is ____________,which...

Question 15

Which of the following is the last phase in the NIST process for performance measures implementation?

Accepted Answer

A)  Apply corrective actions 
B)  Obtain resources 
C)  Document the process 
D)  Develop the business case 
A)  Apply corrective actions 
B)  Obtain resources 
C)  Document the process 
D)  Develop the business case

Question 16

According to NIST SP 800-37,which of the following is the first step in the security controls selection process?

Accepted Answer

A)  Categorize the information system and the information processed 
B)  Select an initial set of baseline security controls 
C)  Assess the security controls using appropriate assessment procedures 
D)  Authorize information system operation based on risk determination 
A)  Categorize the information system and the information processed 
B)  Select an initial set of baseline security controls 
C)  Assess the security controls using appropriate assessment procedures 
D)  Authorize information system operation based on risk determination

Question 17

The data or the trends in data that may indicate the effectiveness ofsecurity countermeasures or controls-technical and managerial-implemented in theorganization.

Accepted Answer

A) accreditation 
B) baseline 
C) benchmarking 
D) certification 
E) due diligence
F)best security practices
G)recommended business practices
H)standard of due care
I)performance measurements
J)NIST SP 800-37 
A) accreditation 
B) baseline 
C) benchmarking 
D) certification 
E) due diligence
F)best security practices
G)recommended business practices
H)standard of due care
I)performance measurements
J)NIST SP 800-37

Question 18

Which of the following is NOT one of the three types of performance measures used by organizations?

Accepted Answer

A)  Those that determine the effectiveness of the execution of InfoSec policy 
B)  Those that determine the effectiveness and/or efficiency of the delivery of InfoSec services 
C)  Those that evaluate the compliance of non-security personnel in adhering to InfoSec policy 
D)  Those that assess the impact of an incident or other security event on the organization
Or its mission 
A)  Those that determine the effectiveness of the execution of InfoSec policy 
B)  Those that determine the effectiveness and/or efficiency of the delivery of InfoSec services 
C)  Those that evaluate the compliance of non-security personnel in adhering to InfoSec policy 
D)  Those that assess the impact of an incident or other security event on the organization
Or its mission

Question 19

InfoSec measurements collected from production statistics depend greatly on which of the following factors?

Accepted Answer

A)  Types of performance measures developed 
B)  Number of systems and users of those systems 
C)  Number of monitored threats and attacks 
D)  Activities and goals implemented by the business unit 
A)  Types of performance measures developed 
B)  Number of systems and users of those systems 
C)  Number of monitored threats and attacks 
D)  Activities and goals implemented by the business unit

Question 20

Organizations must consider all but which of the following during development and implementation of an InfoSec measurement program?

Accepted Answer

A)  Measurements must yield quantifiable information 
B)  Data that supports the measures needs to be readily obtainable 
C)  Only repeatable InfoSec processes should be considered for measurement 
D)  Measurements must be useful for tracking non-compliance by internal personnel 
A)  Measurements must yield quantifiable information 
B)  Data that supports the measures needs to be readily obtainable 
C)  Only repeatable InfoSec processes should be considered for measurement 
D)  Measurements must be useful for tracking non-compliance by internal personnel

A legal standard that requires an organization and its employees to actas a reasonable and prudent individual or organization would under similar circumstances.

Which of the following is NOT a question to be used as a self-assessment for recommended security practices in the category of people?

Which of the following is NOT a consideration when selecting recommended best practices?

A comprehensive assessment of a system's technical and nontechnical protectionstrategies,as specified by a particular set of requirements.

One question you should ask when choosing among recommended practices is "Can your organization afford to implement the recommended practice?"

The authorization of an IT system to process,store,or transmit information.

A common approach to a Risk ManagementFramework (RMF)for InfoSec practice.

An assessment of the performance of some action or process against which futureperformance is assessed.

The actions that demonstrate that an organization has made a valid effort to protect othersa requirement and that the implementedstandards continue to provide the required level of protection.

The process of implementing a performance measures program recommended by NIST involves six phases.List and describe them.

Data or the trends in data that may indicate the effectiveness ofsecurity countermeasures or controls-technical and managerial-implemented in theorganization are known as program measurements.____________

Which of the following is NOT a factor critical to the success of an information security performance program?

Why it measurement prioritization and selection important?How can it be achieved?

A practice related to benchmarking is ____________,which is a measurement against a prior assessment or an internal goal.

Which of the following is the last phase in the NIST process for performance measures implementation?

According to NIST SP 800-37,which of the following is the first step in the security controls selection process?

The data or the trends in data that may indicate the effectiveness ofsecurity countermeasures or controls-technical and managerial-implemented in theorganization.

Which of the following is NOT one of the three types of performance measures used by organizations?

InfoSec measurements collected from production statistics depend greatly on which of the following factors?

Organizations must consider all but which of the following during development and implementation of an InfoSec measurement program?

Introduction to the Management of Information Security

Compliance: Law and Ethics

Governance and Strategic Planning for Security

Information Security Policy

Developing the Security Program

Risk Management: Identifying and Assessing Risk

Risk Management: Controlling Risk

Security Management Models

Planning for Contingencies

Personnel and Security

Protection Mechanisms

Filters

Exam 9: Security Management Practices

A legal standard that requires an organization and its employees to actas a reasonable and prudent individual or organization would under similar circumstances.

Which of the following is NOT a question to be used as a self-assessment for recommended security practices in the category of people?

Which of the following is NOT a consideration when selecting recommended best practices?

A comprehensive assessment of a system's technical and nontechnical protectionstrategies,as specified by a particular set of requirements.

One question you should ask when choosing among recommended practices is "Can your organization afford to implement the recommended practice?"

The authorization of an IT system to process,store,or transmit information.

A common approach to a Risk ManagementFramework (RMF)for InfoSec practice.

An assessment of the performance of some action or process against which futureperformance is assessed.

The actions that demonstrate that an organization has made a valid effort to protect othersa requirement and that the implementedstandards continue to provide the required level of protection.

The process of implementing a performance measures program recommended by NIST involves six phases.List and describe them.

Data or the trends in data that may indicate the effectiveness ofsecurity countermeasures or controls-technical and managerial-implemented in theorganization are known as program measurements.____________

Which of the following is NOT a factor critical to the success of an information security performance program?

Why it measurement prioritization and selection important?How can it be achieved?

A practice related to benchmarking is ____________,which is a measurement against a prior assessment or an internal goal.

Which of the following is the last phase in the NIST process for performance measures implementation?

According to NIST SP 800-37,which of the following is the first step in the security controls selection process?

The data or the trends in data that may indicate the effectiveness ofsecurity countermeasures or controls-technical and managerial-implemented in theorganization.

Which of the following is NOT one of the three types of performance measures used by organizations?

InfoSec measurements collected from production statistics depend greatly on which of the following factors?

Organizations must consider all but which of the following during development and implementation of an InfoSec measurement program?

Introduction to the Management of Information Security

Compliance: Law and Ethics

Governance and Strategic Planning for Security

Information Security Policy

Developing the Security Program

Risk Management: Identifying and Assessing Risk

Risk Management: Controlling Risk

Security Management Models

Planning for Contingencies

Personnel and Security

Protection Mechanisms

Filters