Quizz
2 points
IT Governance Institute’s (ITGI) de�nition of information security governance reads, “Information Security Governance is a subset of enterprise governance that provides strategic direction, ensures objectives are achieved, manages _____ appropriately, uses organizational resources responsibly, and monitors the success or failure of the information security program.”
2 points
Which is a Key Risk Indicator for a company with a critical e-commerce site with a minimal security incident history?
Quiz 1
Purpose
This assignment will assess your ability to:
· Develop a security program, identifying goals, objectives, and metrics. [SPM 1]
· Develop a security strategy for an organization.
Overview
This quiz covers Module 1 concepts. It will take about 60 minutes. This is an individual assignment. Make sure to complete all of the module’s reading and preparation before taking the quiz.
assets
programs
computers
risk
The rate of the increase in the number of port scans per week
The rate of the decrease in the number of new customers
The rate of the increase in the number of new customers
The rate of the decrease in the number of failed login attempts
1
2
2 points
The metric “percentage of migrated systems per week” in a data center migration project is best described as:
1 point
According to the NIST SP 800-55, which of the following factors do not have to be considered in metrics development?
2 points
The metric “percentage of systems with completed installation of advanced anti-malware” is best described as:
A key operational indicator (KOI)
A key risk indicator (KRI)
A key goal indicator (KGI)
A key performance indicator (KPI)
Only repeatable information security processes should be considered for measurement
Data that supports the measures need to be readily available
Measures must yield quanti�able information
Data should come from a compliance framework
A key performance indicator (KPI)
A key goal indicator (KGI)
A key operational indicator (KOI)
A key risk indicator (KRI)
3
4
5
2 points
________ is the act of making informed decisions about the losses that the company is willing to accept given a breach of security and building the appropriate mitigating risk strategies to reduce the risk to acceptable levels de�ned by the business.
2 points
Which one of the following statements is NOT true?
Governance
Risk
Asset
Compliance
Most boards of directors want to know how the security strategy and investment compare with their competitors' strategy.
The ability to exploit the opportunity has more to do with how wide-spread technology is used within the organization.
Not many information security threats are common across industries in that they represent vulnerabilities to generally available software.
Each organization should understand the regulatory environment within which it participates.
6
7
2 points
Which one of the following statements is NOT true?
2 points
___________ de�nes the roles and expectations of the management levels and non-management levels alike so that each party understands what it is responsible for.
2 points
Which one of the following statements is NOT true?
The question to ask when building the security strategy is: Do I have a stated control in place?
Companies may do an excellent job of documenting the policies and procedures but may do an inferior job of executing them.
Internal and external audits provide signi�cant knowledge as to the process breakdowns within an organization.
The tendency to evaluate how important an incident is by the number of occurrences should be avoided.
Security policies
Organizations
Information security governance
Risk assessment
We have to protect information that is more accessible in more ways by more people than ever before.
Few companies can afford to take risks without knowing the risk that they are assuming by doing nothing.
Organizations tend to have short-term memories with projects that failed and relatively long memories with projects that were successes.
Before developing the security strategy, the person responsible for developing the strategy needs to understand the organization’s past experiences with information security.
8
9
10
2 points
Which one is not a goal of security metric?
2 points
Which one of the following statements is NOT true?
2 points
Which metric is easier to generate and better helps in decision making?
To support information security manager
To get certi�ed
To improve information security
To answer top level management questions
The regulation’s primary task is to ensure that the appropriate processes are in place, people are aware of their responsibilities, and technical issues are appropriately managed.
Because technology changes at a pace faster than the policy-making process, by the time new legislation was enacted, the legislation would most likely be out of date. Because technology changes at a pace faster than the policy-making process, by the time new legislation was enacted, the legislation would most likely be out of date.
There is value in reviewing the security laws and standards outside of the mandates within a particular industry.
The regulations are drafted at a policy level and, as such, it would be easy to mandate the selection of a speci�c platform.
The average number of attacks per month
The average number of attacks against remote access servers
The average number of attacks against remote access servers per month
The average number of attacks
11
12
13
2 points
Compliance ensures that due diligence has been exercised within the organization to meet the government __________ for security practices.
2 points
The _________ needs to ensure that contractual obligations are established, and it is clear how the external functions will be managed.
2 points
Which one of the following statements is NOT true?
regulations
legislations
policies
structure
security policy
security strategy
security risk
security regulation
Compliance must be addressed as a one-time robust strategy.
Three components of governance, risk, and compliance are necessary for adequate security controls.
Compliance is an essential control that has been recognized by governments for centuries.
Criminal acts, by their very nature, are forms of noncompliance with the laws that are in place.
14
15
16
2 points
_____________ is ensuring that the controls are being adhered to on an ongoing basis, thereby increasing the likelihood of a reduction of risk and increased adherence to the governance intended by the organization.
2 points
Security strategies can be developed using the ___________ approach and building appropriate measures to track whether the security strategy is enhancing the customer, quality, learning, or �nancial perspectives.
2 points
____________ is simply the structure, policies, and practices that are put in place by the organization to ensure that the controls are adequately communicated, carried out, and enforced by engaging direction and support at the appropriate organizational level.
Risk
Compliance
Asset
Governance
interventions
balanced scorecard
mind mapping
security risk
Governance
Risk
Asset
Compliance
17
18
19
2 points
Which one is not a security metric?
Total Cost of Ownership
The number of vulnerabilities found after a penetration test
The number of unidenti�ed devices on the internal network
Annual Lost Expectancy
20