Management of Information Security 4th Edition - Test Bank

Sample Questions Are Posted Below

 

Chapter 05 – Developing the Security Program

 

TRUE/FALSE

 

1. Small organizations spend more per user on security than medium- and large-sized organizations.

ANS: T   PTS: 1   REF: 166

2. Legal assessment for the implementation of the information security program is almost always done by the information security or IT departments.

ANS: F   PTS: 1   REF: 167

3. Threats from insiders are more likely in a small organization than in a large one.

ANS: F   PTS: 1   REF: 171

4. The security education, training, and awareness (SETA) program is designed to reduce the incidence of external security attacks.

ANS: F   PTS: 1   REF: 188

5. On-the-job training can result in substandard work performance while the trainee gets up to speed.

ANS: T   PTS: 1   REF: 196

 

MULTIPLE CHOICE

 

1. Which of the following variables is the most influential in determining how to structure an information security program?
a. Security capital budget
b. Organizational size
c. Security personnel budget
d. Organizational culture

ANS: D   PTS: 1   REF: 163

2. Which of the following is true about the security staffing, budget, and needs of a medium-sized organization?
a. they have a larger security staff than a small organization
b. they have a larger security budget (as percent of IT budget) than a small organization
c. they have a smaller security budget (as percent of IT budget) than a large organization
d. they have larger security needs than a small organization

ANS: D   PTS: 1   REF: 166

3. Which of the following functions includes identifying the sources of risk and may include offering advice on controls that can reduce risk?
a. Risk management
b. Risk assessment
c. Systems testing
d. Vulnerability assessment

ANS: B   PTS: 1   REF: 167

4. Which of the following functions needed to implement the information security program evaluates patches used to close software vulnerabilities and performs acceptance testing of new systems to assure compliance with policy and effectiveness?
a. Systems testing
b. Risk assessment
c. Incident response
d. Systems security administration

ANS: A   PTS: 1   REF: 167

5. Which function needed to implement the information security program includes researching, creating, maintaining, and promoting information security plans?
a. compliance
b. policy
c. planning
d. systems security administration

ANS: C   PTS: 1   REF: 167

6. Which of the following is NOT among the functions typically performed within the InfoSec department as a compliance enforcement obligation?
a. policy
b. centralized authentication
c. compliance/audit
d. risk management

ANS: B   PTS: 1   REF: 168

7. Which of the following would be responsible for configuring firewalls and IDPSs, implementing security software, and diagnosing and troubleshooting problems?
a. A security technician
b. A security analyst
c. A security consultant
d. The security manager

ANS: A   PTS: 1   REF: 187

8. GGG (guards, gates, and guns) security is commonly used to describe which aspect of security?
a. technical
b. software
c. physical
d. theoretical

ANS: C   PTS: 1   REF: 188

9. What is the SETA program designed to do?
a. reduce the occurrence of external attacks
b. improve the operations
c. reduce the incidence of accidental security breaches
d. increase the efficiency of InfoSec staff

ANS: C   PTS: 1   REF: 188

10. A SETA program consists of three elements: security education, security training, and which of the following?
a. security accountability
b. security authentication
c. security awareness
d. security authorization

ANS: C   PTS: 1   REF: 188

11. The purpose of SETA is to enhance security in all but which of the following ways?
a. by building in-depth knowledge
b. by adding barriers
c. by developing skills
d. by improving awareness

ANS: B   PTS: 1   REF: 189

12. Advanced technical training can be selected or developed based on which of the following?
a. level of previous education
b. level of previous training
c. technology product
d. number of employees

ANS: C   PTS: 1   REF: 195

13. Which of the following is the first step in the process of implementing training?
a. Identify training staff
b. Identify target audiences
c. Identify program scope, goals, and objectives
d. Motivate management and employees

ANS: C   PTS: 1   REF: 195

14. Which of the following is an advantage of the one-on-one method of training?
a. Trainees can learn from each other
b. Very cost-effective
c. Customized
d. Maximizes use of company resources

ANS: C   PTS: 1   REF: 196

15. Which of the following is a disadvantage of the one-on-one training method?
a. Inflexible
b. May not be responsive to the needs of all the trainees
c. Content may not be customized to the needs of the organization
d. Resource intensive, to the point of being inefficient

ANS: D   PTS: 1   REF: 196

16. Which of the following is an advantage of the formal class method of training?
a. Personal
b. Self-paced, can go as fast or as slow as the trainee needs
c. Can be scheduled to fit the needs of the trainee
d. Interaction with trainer is possible

ANS: D   PTS: 1   REF: 196

17. Which of the following is an advantage of the user support group form of training?
a. Usually conducted in an informal social setting
b. Formal training plan
c. Can be live, or can be archived and viewed at the trainee’s convenience
d. Can be customized to the needs of the trainee

ANS: A   PTS: 1   REF: 196

18. Which of the following is NOT a step in the process of implementing training?
a. administer the program
b. hire expert consultants
c. maintain the program
d. identify target audiences

ANS: B   PTS: 1   REF: 195

19. Which of the following is the most cost-effective method for disseminating security information and news to employees?
a. distance learning seminars
b. security-themed Intranet
c. conference calls
d. security newsletter

ANS: D   PTS: 1   REF: 202

20. Which of the following is true about a company’s InfoSec awareness Web site?
a. it should contain large images to maintain interest
b. appearance doesn’t matter if the information is there
c. it should be placed on the Internet for public consumption
d. it should be tested with multiple browsers

ANS: D   PTS: 1   REF: 205-206

 

COMPLETION

 

1. An organization’s information security program refers to the structure and organization of the effort that strives to contain the risks to the information ____________________ of the organization.

ANS: assets   PTS: 1   REF: 162

2. An organization carries out a risk ____________________ function to evaluate risks present in IT initiatives and/or systems.

ANS: assessment   PTS: 1   REF: 167

3. A study of information security positions found that positions can be classified into one of three types: ____________________ are the real technical types, who create and install security solutions.

ANS: builders   PTS: 1   REF: 185

4. The information security ____________________ is usually brought in when the organization makes the decision to outsource one or more aspects of its security program.

ANS: consultant   PTS: 1   REF: 188

5. The ____________________ program is designed to reduce the incidence of accidental security breaches by members of the organization.

ANS: security education, training, and awareness (SETA)   PTS: 1   REF: 188

6. The three methods for selecting or developing advanced technical training are by job category, by job function, and by ____________________.

ANS: technology product   PTS: 1   REF: 195

7. The goal of a security ____________________ program is to keep information security at the forefront of users’ minds on a daily basis.

ANS: awareness   PTS: 1   REF: 199

 

MATCHING

 

 

a. InfoSec program
b. SETA
c. office politics
d. legal
e. risk management
f. CISO
g. life cycle planning
h. audit trails
i. security technicians
j. formal class

1. function performed within the InfoSec department as a compliance enforcement obligation

2. the structure and organization of the effort that strives to contain the risks to the information assets of the organization

3. security plan, initiation phase, development/acquisition phase…

4. function performed by nontechnology business units outside the IT area of management control

5. the technically qualified individuals who configure firewalls and IDPSs

6. an education program designed to reduce the number of security breaches that occur through a lack of employee security awareness

7. system logs, log review processes, and log consolidation and management

8. reports directly to the CIO

9. relatively inflexible

10. one of the factors that cause upper management to juggle with staffing levels

1. ANS: E   PTS: 1   REF: 168
2. ANS: A   PTS: 1   REF: 162
3. ANS: G   PTS: 1   REF: 183
4. ANS: D   PTS: 1   REF: 165
5. ANS: I   PTS: 1   REF: 187
6. ANS: B   PTS: 1   REF: 188
7. ANS: H   PTS: 1   REF: 183
8. ANS: F   PTS: 1   REF: 171
9. ANS: J   PTS: 1   REF: 196
10. ANS: C   PTS: 1   REF: 165

 

SHORT ANSWER

 

1. Explain the conflict between the goals and objectives of the CIO and the CISO.

ANS:

The CIO, as the executive in charge of the organization’s technology, manages the efficiency in the processing and accessing of the organization’s information. Anything that limits access or slows information processing directly contradicts the CIO’s mission. On the other hand, the CISO functions more like an internal auditor, with the information security department examining existing systems to discover information security faults and flaws in technology, software, and employees’ activities and processes. At times, these activities may disrupt the processing and accessing of the organization’s information.

PTS: 1   REF: 171-172

2. What is the security education, training, and awareness program? Describe how the program aims to enhance security.

ANS:

The security education, training, and awareness (SETA) program is designed to reduce the incidence of accidental security breaches by members of the organization. The program aims to enhance security in three ways:

– By building in-depth knowledge, as needed, to design, implement, or operate security programs for organizations and systems

– By developing skills and knowledge so that computer users can perform their jobs while using IT systems more securely

– By improving awareness of the need to protect system resources

PTS: 1   REF: 188-189

3. List the steps of the seven-step methodology for implementing training.

ANS:

The seven-step methodology for implementing training is as follows:

Step 1: Identify program scope, goals, and objectives.

Step 2: Identify training staff.

Step 3: Identify target audiences.

Step 4: Motivate management and employees.

Step 5: Administer the program.

Step 6: Maintain the program.

Step 7: Evaluate the program.

PTS: 1   REF: 195

 

4. What are some of the variables that determine how a given organization chooses to construct its InfoSec program?

ANS:

Among the variables that determine how a given organization chooses to structure its information security (InfoSec) program are organizational culture, size, security personnel budget, and security capital budget.

PTS: 1   REF: 163

5. What are the four areas into which it is recommended to separate the functions of security?

ANS:

– Functions performed by nontechnology business units outside the IT area of management control

– Functions performed by IT groups outside the InfoSec area of management control

– Functions performed within the InfoSec department as a customer service to the organization and its external partners

– Functions performed within the InfoSec department as a compliance enforcement obligation

PTS: 1   REF: 166-168

6. Which security functions are normally performed by IT groups outside the InfoSec area of management control?

ANS:

– Systems security administration

– Network security administration

– Centralized authentication

PTS: 1   REF: 165

7. What are the components of the security program element described as preparing for contingencies and disasters?

ANS:

Business plan, identify resources, develop scenarios, develop strategies, test and revise plan.

PTS: 1   REF: 183

8. What is the Chief Information Security Officer primarily responsible for?

ANS:

The CISO is primarily responsible for the assessment, management, and implementation of the program that secures the organization’s information.

PTS: 1   REF: 185

9. What is the role of help desk personnel in the InfoSec team?

ANS:

An important part of the InfoSec team is the help desk, which enhances the security team’s ability to identify potential problems. When a user calls the help desk with a complaint about his or her computer, the network, or an Internet connection, the user’s problem may turn out to be related to a bigger problem, such as a hacker, a DoS attack, or a virus.

Because help desk technicians perform a specialized role in InfoSec, they need specialized training. These staff members must be prepared to identify and diagnose both traditional technical problems and threats to InfoSec. Their ability to do so may cut precious hours off of an incident response.

PTS: 1   REF: 188

10. What is the purpose of a security awareness program? What advantage does an awareness program have for the InfoSec program?

ANS:

A security awareness program keeps InfoSec at the forefront of users’ minds on a daily basis. Awareness serves to instill a sense of responsibility and purpose in employees who handle and manage information, and it leads employees to care more about their work environment.

PTS: 1   REF: 199
