Quiz 2

Purpose
This assignment will assess your ability to communicate with senior executives about overall security posture.

Overview
This quiz covers Module 2 concepts. It will take about 60 minutes. This is an individual assignment. Make sure to complete all of the module’s reading and preparation before taking the quiz.

1. (2 points) Which is not one of the primary missions of a security council?
   a. Review and Recommend Security Policies
   b. Prioritize Information Security Efforts
   c. Mediate between IT management and systems security
   d. Recommend Areas Requiring Investment

2. (2 points) Which is not a direct advantage of reporting as high in the organization as possible?
   a. Perform more efficient IT and network administration
   b. Gain other senior management’s attention to security
   c. Limit the distortion or inaccurate translation of messages
   d. Maintain visibility of the importance of information security

3. (2 points) Leading organizations have been performing certain critical functions to meet information security challenges. What is the correct order of these functions?
   a. Assess Risk and Determine Needs > Monitor and Evaluate > Promote Awareness > Implement Policies and Controls
   b. Monitor and Evaluate > Promote Awareness > Implement Policies and Controls > Assess Risk and Determine Needs
   c. Assess Risk and Determine Needs > Implement Policies and Controls > Promote Awareness > Monitor and Evaluate
   d. Monitor and Evaluate > Implement Policies and Controls > Assess Risk and Determine Needs > Promote Awareness

4. (2 points) Which is not the responsibility of the Internal Audit Department?
   a. Evaluating the implementation of the organization’s control structure
   b. Evaluating the effectiveness of the organization’s control structure
   c. Performing penetration tests and vulnerability assessments
   d. Reporting audit failures to the board of directors if needed

5. (2 points) What is the best way to communicate policies and controls within an organization?
   a. Promoting awareness campaigns
   b. Enforcing policies and controls
   c. Having a meeting with department leads
   d. Performing a risk analysis

6. (2 points) Which one is not the responsibility of a CEO?
   a. Ensure responsible funding is provided for ongoing security operations.
   b. Ensure the confidentiality, integrity, and availability of the information within the organization.
   c. Support the security department’s initiatives as they relate to the mission of the business.
   d. Hold the components of the business accountable for securely achieving their objectives.

7. (2 points) Which activity best describes the following: “Researching and reviewing three different SIEM (Security Information and Event Management) products to ensure that the appropriate security tools are purchased to solve the right problem.”
   a. Risk assessment/analysis
   b. Security control assessment
   c. System security plan development
   d. Security architecture

8. (2 points) Business Impact Analysis (BIA) is a responsibility of:
   a. CIO
   b. CISO
   c. CEO
   d. CFO

9. (2 points) Who is responsible for information security?
   a. CIO
   b. CISO
   c. CEO
   d. All of them

10. (2 points) A CIO is responsible predominantly for:
   a. Integrity
   b. Confidentiality
   c. Accountability
   d. Availability

11. (2 points) Which one is correct for technical security managers and information security leaders?
   a. An information security leader provides added value to the business, whereas a technical security manager does not have to.
   b. An information security leader should have a solid technical background in order to be unbiased in her/his decisions; a technical security leader should have a business point of view to make correct decisions.
   c. An information security leader knows the security regulations, whereas a technical security manager does not.
   d. An information security leader should be a former technical security manager in order to be successful.

12. (2 points) Which one is not correct for the Information Security Council?
   a. The Information Security Council should have representatives from multiple organizational units that are necessary to support the policies in the long term.
   b. The Information Security Council forms the backbone for sustaining organizational support for comprehensive information security programs.
   c. The Information Security Council serves as the governance and oversight function for the information security program.
   d. Information Security Councils are created by middle management, senior management, and the end users of the organization.

13. (2 points) Which is not correct for a Security Officer?
   a. The security officer is responsible for the confidentiality and integrity of information, but not availability.
   b. Security officers can talk about the technical controls in place in the organization in technical detail with the CIO and CEO.
   c. The security officer is expected to have broad security knowledge and to understand why each of these areas is important to the business.
   d. The primary responsibility of a security officer is to protect the business.

14. (2 points) Which of the following regulations does not require an assigned individual for information security tasks?
   a. HIPAA
   b. PATRIOT Act
   c. SOX
   d. GLBA

15. (2 points) Which is not correct for Business Impact Analysis (BIA)?
   a. A CIO must ensure that BIA is done.
   b. One of the outputs of BIA is the recovery time objectives of the critical applications.
   c. One of the outputs of BIA is the identified critical applications.
   d. A CEO must ensure that BIA is done.

16. (2 points) What do NIST SP 800-53 and ISO/IEC 27002 have in common?
   a. Both suggest security controls for organizations.
   b. Both are international standards.
   c. Both have certification schemes.
   d. Both are prepared for security leaders.

17. (2 points) Which critical function does the activity of “Vulnerability assessment” fall into?
   a. Assess risk and determine needs
   b. Promote awareness
   c. Monitor and evaluate
   d. Implement policies and controls

18. (2 points) Which of the following is not a competency of effective security leadership?
   a. Understand the organizational culture
   b. Communicate real risk
   c. Pay attention to technical competence
   d. Be a technical person as needed

19. (2 points) Which is not a direct advantage of reporting as high in the organization as possible?
   a. Limit the distortion or inaccurate translation of messages
   b. Gain other senior management’s attention to security
   c. Perform more efficient IT and network administration
   d. Maintain visibility of the importance of information security

20. (2 points) Think about the following consequences of an information security breach: regulatory compliance issues, risk to the business reputation, and a decrease in the efficiency of the organization’s capability to produce. Who has to deal with these problems? (Who has the ultimate responsibility?)
   a. CFO
   b. CEO
   c. CISO
   d. CIO