Although it is impossible to eliminate all business risks, a good policy can reduce the likelihood of risk occurring or reduce its impact. A business must find a way to balance a number of competing drivers. Which of the following is not one of these drivers?
A. Cost
B. Customer Satisfaction
C. Compliance
D. Regulation
A(n) ___________________ is a confirmed event that compromises the confidentiality, integrity, or availability of information.
A. breach
B. residual risk
C. operational deviation
D. threat
In 2013, the national retailer Target Corporation suffered a major data breach that put the financial information of an estimated 40 million customers at risk. In 2009, the health care provider BlueCross BlueShield of Tennessee reported the theft of 57 hard drives containing member data. Both of these cases resulted from a(n) ________________ failure.
A. regulation
B. security policy
C. intellectual property
D. compliance
The key to security policy is being able to measure compliance against a set of controls. Security controls define ___________ you protect the information. The security policies should define ___________ you set the goal.
A. how, why
B. why, how
C. whether, if
D. where, when
An organization mandates that all attempts by traders to use the Internet should be logged, and that each trader’s log should be reviewed by a manager at least monthly to ensure compliance. Which of the following questions concerning security is being addressed?
A. How will information be protected?
B. Why is the security goal being set?
C. What type of protection will be achieved?
D. How do you measure whether both the policy and the right processes were followed?
There are many distinct benefits to control measurement. Which of the following benefits is the result of determining which security controls to measure?
A. defines the effectiveness of the controls being measured
B. defines the scope of the compliance being measured
C. defines the impact to the business if the goals are not achieved
D. defines how the policy will be enforced
There are a number of classifications that can be applied to security controls. Which of the following is not one of these classifications?
A. physical control
B. administrative control
C. preventive control
D. technical control
Which of the following security control design types does not prevent an incident or breach immediately, but instead relies on a human to decide what action to take?
A. detective control
B. automated control
C. corrective control
D. preventive control
If human action is required, the control is considered _______________.
A. corrective
B. automated
C. manual
D. preventative
A good security awareness program makes employees aware of the behaviors expected of them. All security awareness programs have two enforcement components: the carrot and the stick. Which of the following best captures the relationship of the two components?
A. The carrot reminds the employees of the consequences of not following policy, and the stick aims to educate the employee about the importance of security policies.
B. The carrot reminds employees that it is up to them whether to follow security policies, and the stick provides positive reinforcement for following policies.
C. The carrot aims to educate the employee about the importance of security policies, and the stick reminds the employees of the consequences of not following policy.
D. The carrot reminds employees exactly what the security policies are, and the stick provides the reward for remembering those policies.
A security awareness program can be implemented in many ways. Which of the following is the list of generally accepted principles for implementing a program?
A. value, culture, support, relevance, metrics
B. repetition, on-boarding, support, relevance, metrics
C. label, classify, restrict, educate, support
D. repetition, classify, support, relevance, filter
A security awareness program gains credibility when the business sees a reduction of risk, and there are multiple benefits that come with a security awareness program that emphasizes the business risk. Which of the following is not one of the benefits?
A. value
B. culture
C. resiliency
D. relevance
In business, intellectual property (IP) is a term applied broadly to any company information that is thought to bring an advantage. Protecting IP through security policies starts with human resources (HR). Which of the following is a challenge concerning HR policies about IP?
A. HR policies are not legally permitted to establish a code of conduct regarding IP; they can only recommend best practices.
B. Due to confidentiality, HR policies are prohibited from giving employees clear direction as to what the organization owns with respect to IP.
C. HR policies and employment agreements about IP may or may not be enforceable, depending on current law and location.
D. HR employment agreements enforce the confidentiality of IP after an employee leaves the organization.
Once an organization clearly defines its IP, the security policies should specify how to ___________ documents with marks or comments, and ____________ the data, which determines in what location the sensitive file should be placed.
A. label, classify
B. restrict, filter
C. label, filter
D. classify, restrict
_______________ are owned by an organization if they are created on the computer by company employees or if the assets were custom developed for and purchased by the organization.
A. Intellectual properties
B. Digital Assets
C. Classified Data
D. Security controls
The most senior leader responsible for managing an organization’s privacy risks is the chief privacy officer (CPO). Which of the following is not one of the responsibilities of the CPO?
A. The CPO is responsible for keeping up with privacy laws.
B. The CPO also needs to understand how those laws impact the business.
C. The CPO must be a lawyer.
D. The CPO must work closely with a technology team to create strong security policies.
Privacy regulations involve two important principles. _____________________ gives the consumer an understanding of what and how data is collected and used. ________________________ provides a standard for handling consumer information.
A. Business liability, Legal obligation
B. Acceptable use policies, Data encryption
C. Full disclosure, Legal obligation
D. Full disclosure, Data encryption
Which of the following statements correctly describes the difference between business liability and a business’s legal obligation?
A. Business liability occurs when a company fails to meet its obligation to its employees and community. A business’s legal obligation is an action that it is required to take in compliance with the law.
B. Business obligation occurs when an organization cannot meet its business liability.
C. A business’s liability is an action the business is required to take in compliance with the law, whereas a business obligation occurs when a company fails to meet the standards established by its employees and community.
D. Business liability is a legal commitment, whereas business obligation is a subset of an organization’s overall risk exposure.
___________________________ are formal written policies describing employee behavior when using company computer and network systems.
A. Mitigating controls
B. Nondisclosure agreements
C. Confidentiality agreements
D. Acceptable use policies
When trying to achieve operational consistency, which of the following oversight phases performs the function of periodically assessing whether the desired results are being achieved?
A. improve
B. measure
C. review
D. manage