Questions.pdf

2 points

IT Governance Institute’s (ITGI) de�nition of information security governance reads, “Information Security Governance is a subset of enterprise governance that provides strategic direction, ensures objectives are achieved, manages _____ appropriately, uses organizational resources responsibly, and monitors the success or failure of the information security program.”  

2 points

Which is a Key Risk Indicator for a company with a critical e-commerce site with a minimal security incident history?  

Quiz 1

Purpose

This assignment will assess your ability to:

· Develop a security program, identifying goals, objectives, and metrics. [SPM 1]

· Develop a security strategy for an organization.

Overview

This quiz covers Module 1 concepts. It will take about 60 minutes. This is an individual assignment. Make sure to complete all of the module’s reading and preparation before taking the quiz.

assets

programs

computers

risk 

The rate of the increase in the number of port scans per week 

The rate of the decrease in the number of new customers

The rate of the increase in the number of new customers

The rate of the decrease in the number of failed login attempts

1

2

2 points

The metric “percentage of migrated systems per week” in a data center migration project is best described as:  

1 point

According to the NIST SP 800-55, which of the following factors do not have to be considered in metrics development?   

2 points

The metric “percentage of systems with completed installation of advanced anti-malware” is best described as:  

A key operational indicator (KOI)

A key risk indicator (KRI)

A key goal indicator (KGI)

A key performance indicator (KPI)

Only repeatable information security processes should be considered for measurement

Data that supports the measures need to be readily available 

Measures must yield quanti�able information   

Data should come from a compliance framework

A key performance indicator (KPI)

A key goal indicator (KGI)

A key operational indicator (KOI)

A key risk indicator (KRI)

3

4

5

2 points

________ is the act of making informed decisions about the losses that the company is willing to accept given a breach of security and building the appropriate mitigating risk strategies to reduce the risk to acceptable levels de�ned by the business.  

2 points

Which one of the following statements is NOT true?

Governance 

Risk

Asset 

Compliance 

Most boards of directors want to know how the security strategy and investment compare with their competitors' strategy.  

The ability to exploit the opportunity has more to do with how wide-spread technology is used within the organization.  

Not many information security threats are common across industries in that they represent vulnerabilities to generally available software.  

Each organization should understand the regulatory environment within which it participates.   

6

7

2 points

Which one of the following statements is NOT true?

2 points

___________ de�nes the roles and expectations of the management levels and non-management levels alike so that each party understands what it is responsible for.

2 points

Which one of the following statements is NOT true?

The question to ask when building the security strategy is: Do I have a stated control in place?  

Companies may do an excellent job of documenting the policies and procedures but may do an inferior job of executing them.   

Internal and external audits provide signi�cant knowledge as to the process breakdowns within an organization.   

The tendency to evaluate how important an incident is by the number of occurrences should be avoided.   

Security policies

Organizations 

Information security governance

Risk assessment

We have to protect information that is more accessible in more ways by more people than ever before.  

Few companies can afford to take risks without knowing the risk that they are assuming by doing nothing.  

Organizations tend to have short-term memories with projects that failed and relatively long memories with projects that were successes.  

Before developing the security strategy, the person responsible for developing the strategy needs to understand the organization’s past experiences with information security.   

8

9

10

2 points

Which one is not a goal of security metric?

2 points

Which one of the following statements is NOT true?

2 points

Which metric is easier to generate and better helps in decision making?

To support information security manager 

To get certi�ed

To improve information security 

To answer top level management questions

The regulation’s primary task is to ensure that the appropriate processes are in place, people are aware of their responsibilities, and technical issues are appropriately managed.  

Because technology changes at a pace faster than the policy-making process, by the time new legislation was enacted, the legislation would most likely be out of date. Because technology changes at a pace faster than the policy-making process, by the time new legislation was enacted, the legislation would most likely be out of date. 

There is value in reviewing the security laws and standards outside of the mandates within a particular industry.  

The regulations are drafted at a policy level and, as such, it would be easy to mandate the selection of a speci�c platform.  

The average number of attacks per month

The average number of attacks against remote access servers

The average number of attacks against remote access servers per month

The average number of attacks

11

12

13

2 points

Compliance ensures that due diligence has been exercised within the organization to meet the government __________ for security practices.  

2 points

The _________ needs to ensure that contractual obligations are established, and it is clear how the external functions will be managed.    

2 points

Which one of the following statements is NOT true?

regulations

legislations

policies

structure

security policy

security strategy 

security risk

security regulation

Compliance must be addressed as a one-time robust strategy. 

Three components of governance, risk, and compliance are necessary for adequate security controls.

Compliance is an essential control that has been recognized by governments for centuries.

Criminal acts, by their very nature, are forms of noncompliance with the laws that are in place.

14

15

16

2 points

_____________ is ensuring that the controls are being adhered to on an ongoing basis, thereby increasing the likelihood of a reduction of risk and increased adherence to the governance intended by the organization.  

2 points

Security strategies can be developed using the ___________ approach and building appropriate measures to track whether the security strategy is enhancing the customer, quality, learning, or �nancial perspectives.  

2 points

____________ is simply the structure, policies, and practices that are put in place by the organization to ensure that the controls are adequately communicated, carried out, and enforced by engaging direction and support at the appropriate organizational level.  

Risk

Compliance 

Asset 

Governance 

interventions

balanced scorecard

mind mapping

security risk

Governance 

Risk

Asset 

Compliance 

17

18

19

2 points

Which one is not a security metric?

Total Cost of Ownership

The number of vulnerabilities found after a penetration test 

The number of unidenti�ed devices on the internal network

Annual Lost Expectancy 

20