

Security Policies and Procedures
Final Exam Questions
Course Introduction
This course explores the foundational concepts, development, implementation, and management of security policies and procedures within organizations. Students will examine the critical role that policies and procedures play in establishing security standards, governing system usage, and mitigating risks associated with information systems. Topics include best practices for drafting and communicating security policies, policy lifecycle management, compliance with legal and regulatory requirements, and the integration of security procedures into organizational workflows. Through case studies and practical exercises, students learn how to assess security needs, craft effective policy documents, and evaluate the effectiveness of implemented procedures to ensure robust organizational security.
Recommended Textbook
Principles of Information Security 5th Edition by Michael E. Whitman
Available Study Resources on Quizplus 12 Chapters
696 Verified Questions
696 Flashcards
Source URL: https://quizplus.com/study-set/2374


Chapter 1: Introduction to the Management of Information Security
Available Study Resources on Quizplus for this Chapter
63 Verified Questions
63 Flashcards
Source URL: https://quizplus.com/quiz/47110
Sample Questions
Q1) Which function of InfoSec Management encompasses security personnel as well as aspects of the SETA program?
A) protection
B) people
C) projects
D) policy
Answer: B
Q2) Which of the following is a feature left behind by system designers or maintenance staff that allows quick access to a system at a later time by bypassing access controls?
A) brute force
B) DoS
C) back door
D) hoax
Answer: C
Q3) A(n)____________________ hacks the public telephone network to make free calls or disrupt services.
Answer: phreaker
Q4) Attempting to reverse-calculate a password is called ____________________.
Answer: cracking
To view all questions and flashcards with answers, click on the resource link above.

Chapter 2: Compliance: Law and Ethics
Available Study Resources on Quizplus for this Chapter
50 Verified Questions
50 Flashcards
Source URL: https://quizplus.com/quiz/47111
Sample Questions
Q1) Which of the following is the study of the rightness or wrongness of intentions and motives as opposed to the rightness or wrongness of the consequences and is also known as duty- or obligation-based ethics?
A) Applied ethics
B) Meta-ethics
C) Normative ethics
D) Deontological ethics
Answer: D
Q2) Which law addresses privacy and security concerns associated with the electronic transmission of PHI?
A) USA Patriot Act of 2001
B) American Recovery and Reinvestment Act
C) Health Information Technology for Economic and Clinical Health Act
D) National Information Infrastructure Protection Act of 1996
Answer: C
Q3) Ethics are based on ___________________, which are the relatively fixed moral attitudes or customs of a societal group.
Answer: cultural mores
To view all questions and flashcards with answers, click on the resource link above.

Chapter 3: Governance and Strategic Planning for Security
Available Study Resources on Quizplus for this Chapter
52 Verified Questions
52 Flashcards
Source URL: https://quizplus.com/quiz/47112
Sample Questions
Q1) What is the values statement and what is its importance to an organization?
Answer: One of the first positions that management must articulate is the values statement. The trust and confidence of stakeholders and the public are important factors for any organization. By establishing a formal set of organizational principles and qualities in a values statement, as well as benchmarks for measuring behavior against these published values, an organization makes its conduct and performance standards clear to its employees and the public.
Q2) The National Association of Corporate Directors (NACD) recommends four essential practices for boards of directors. Which of the following is NOT one of these recommended practices?
A) Hold regular meetings with the CIO to discuss tactical InfoSec planning
B) Assign InfoSec to a key committee and ensure adequate support for that committee
C) Ensure the effectiveness of the corporation's InfoSec policy through review and approval
D) Identify InfoSec leaders, hold them accountable, and ensure support for them
Answer: A
To view all questions and flashcards with answers, click on the resource link above.

Chapter 4: Information Security Policy
Available Study Resources on Quizplus for this Chapter
56 Verified Questions
56 Flashcards
Source URL: https://quizplus.com/quiz/47113
Sample Questions
Q1) What is the final component of the design and implementation of effective policies? Describe this component.
Q2) Which section of an ISSP should outline a specific methodology for the review and modification of the ISSP?
A) Policy Review and Modification
B) Limitations of Liability
C) Systems Management
D) Statement of Purpose
Q3) A clear declaration that outlines the scope and applicability of a policy.
A) capability table
B) statement of purpose
C) Bull's eye model
D) SysSP
E) procedures
F) InfoSec policy
G) standard
H) access control lists
I) systems management
J) ISSP
Q4) What are the four elements that an EISP document should include?
To view all questions and flashcards with answers, click on the resource link above.

Chapter 5: Developing the Security Program
Available Study Resources on Quizplus for this Chapter
55 Verified Questions
55 Flashcards
Source URL: https://quizplus.com/quiz/47114
Sample Questions
Q1) Legal assessment for the implementation of the information security program is almost always done by the information security or IT departments.
A) True
B) False
Q2) Which of the following is an advantage of the formal class method of training?
A) Personal
B) Self-paced, can go as fast or as slow as the trainee needs
C) Can be scheduled to fit the needs of the trainee
D) Interaction with trainer is possible
Q3) A task or subtask becomes a(n) action step when it can be completed by one individual or skill set and when it includes a single deliverable. _________________________
A) True
B) False
Q4) Which of the following is an advantage of the one-on-one method of training?
A) Trainees can learn from each other
B) Very cost-effective
C) Customized
D) Maximizes use of company resources
Q5) What minimum attributes for project tasks does the WBS document?
To view all questions and flashcards with answers, click on the resource link above.

Chapter 6: Risk Management: Identifying and Assessing Risk
Available Study Resources on Quizplus for this Chapter
60 Verified Questions
60 Flashcards
Source URL: https://quizplus.com/quiz/47115
Sample Questions
Q1) Two of the activities involved in risk management include identifying risks and assessing risks. Which of the following activities is part of the risk identification process?
A) Determining the likelihood that vulnerable systems will be attacked by specific threats
B) Calculating the severity of risks to which assets are exposed in their current setting
C) Assigning a value to each information asset
D) Documenting and reporting the findings of risk identification and assessment
Q2) An asset valuation approach that uses categorical or nonnumeric values rather than absolute numerical measures is known as numberless assessment. ____________
A) True
B) False
Q3) Determining the cost of recovery from an attack is one calculation that must be made to identify risk; what is another?
A) Cost of prevention
B) Cost of litigation
C) Cost of detection
D) Cost of identification
To view all questions and flashcards with answers, click on the resource link above.

Chapter 7: Risk Management: Controlling Risk
Available Study Resources on Quizplus for this Chapter
60 Verified Questions
60 Flashcards
Source URL: https://quizplus.com/quiz/47116
Sample Questions
Q1) The risk control strategy that attempts to reduce the impact of the loss caused by a realized incident, disaster, or attack through effective contingency planning and preparation is known as the mitigation risk control strategy. ____________
A) True
B) False
Q2) The Microsoft Risk Management Approach includes four phases. Which of the following is NOT one of them?
A) conducting decision support
B) implementing controls
C) evaluating alternative strategies
D) measuring program effectiveness
Q3) Also known as an economic feasibility study, the formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization, is known as cost-benefit analysis (CBA). ____________
A) True
B) False
Q4) Describe operational feasibility.
Q5) What is the OCTAVE method approach to risk management?
To view all questions and flashcards with answers, click on the resource link above.

Chapter 8: Security Management Models
Available Study Resources on Quizplus for this Chapter
60 Verified Questions
60 Flashcards
Source URL: https://quizplus.com/quiz/47117
Sample Questions
Q1) One approach used to categorize access control methodologies categorizes controls based on their operational impact on the organization. What are these categories as described by NIST?
Q2) A security blueprint is the outline of the more thorough security framework.
A) True
B) False
Q3) The principle of limiting users' access privileges to the specific information required to perform their assigned tasks is known as need-to-know. ____________
A) True
B) False
Q4) In which form of access control is access to a specific set of information contingent on its subject matter?
A) content-dependent access controls
B) constrained user interfaces
C) temporal isolation
D) None of these
Q5) Access controls are built on three key principles. List and briefly define them.
Q6) What are the two primary access modes of the Bell-LaPadula model and what do they restrict?
To view all questions and flashcards with answers, click on the resource link above.

Chapter 9: Security Management Practices
Available Study Resources on Quizplus for this Chapter
59 Verified Questions
59 Flashcards
Source URL: https://quizplus.com/quiz/47118
Sample Questions
Q1) Which of the following is a possible result of failure to establish and maintain standards of due care and due diligence?
A) Baselining
B) Legal liability
C) Competitive disadvantage
D) Certification revocation
Q2) Why must you do more than simply list the InfoSec measurements collected when reporting them? Explain.
Q3) The authorization by an oversight authority of an IT system to process, store, or transmit information is known as certification. ____________
A) True
B) False
Q4) Describe the three tier approach of the RMF as defined by NIST SP 800-37.
Q5) Standardization is an attempt to improve information security practices by comparing an organization's efforts against those of a similar organization or an industry-developed standard to produce results it would like to duplicate. ____________
A) True
B) False
To view all questions and flashcards with answers, click on the resource link above.

Chapter 10: Planning for Contingencies
Available Study Resources on Quizplus for this Chapter
60 Verified Questions
60 Flashcards
Source URL: https://quizplus.com/quiz/47119
Sample Questions
Q1) A(n)____________________ is a document containing contact information of the individuals to notify in the event of an actual incident.
Q2) Which of the following is usually conducted via leased lines or secure Internet connections whereby the receiving server archives the data as it is received?
A) Database shadowing
B) Timesharing
C) Traditional backups
D) Electronic vaulting
Q3) A(n) wrap-up review is a detailed examination and discussion of the events that occurred during an incident or disaster, from first detection to final recovery. ____________
A) True
B) False
Q4) The bulk batch-transfer of data to an off-site facility is known as
Q5) ____________________ planning ensures that critical business functions can continue if a disaster occurs.
Q6) When undertaking the BIA, what should the organization consider?
To view all questions and flashcards with answers, click on the resource link above.

Chapter 11: Personnel and Security
Available Study Resources on Quizplus for this Chapter
60 Verified Questions
60 Flashcards
Source URL: https://quizplus.com/quiz/47120
Sample Questions
Q1) To move the InfoSec discipline forward, organizations should take all but which of the following steps?
A) Learn more about the requirements and qualifications for InfoSec and IT positions
B) Learn more about InfoSec budgetary and personnel needs
C) Insist all mid-level and upper-level management take introductory InfoSec courses
D) Grant the InfoSec function an appropriate level of influence and prestige
Q2) computer forensics certification from ISFCE
A) definers
B) builders
C) security manager
D) security technician
E) systems programmer
F) ethics officer
G) CISSP
H) SSCP
I) SANS
J) CCE
Q3) List the six key principles that should shape the career of a CISO.
To view all questions and flashcards with answers, click on the resource link above.

Chapter 12: Protection Mechanisms
Available Study Resources on Quizplus for this Chapter
61 Verified Questions
61 Flashcards
Source URL: https://quizplus.com/quiz/47121
Sample Questions
Q1) The "something a person has" authentication mechanism takes advantage of something inherent in the user that is evaluated using biometrics.
A) True
B) False
Q2) A(n)____________________ is any device that prevents a specific type of information from moving between an untrusted network and a trusted network.
Q3) Which of the following biometric authentication systems is the most accepted by users?
A) Keystroke pattern recognition
B) Fingerprint recognition
C) Signature recognition
D) Retina pattern recognition
Q4) Which technology employs sockets to map internal private network addresses to a public address using a one-to-many mapping?
A) Network-address translation
B) Screened-subnet firewall
C) Port-address translation
D) Private address mapping
To view all questions and flashcards with answers, click on the resource link above.