
1. Step-by-step directions to execute a specific security activity are referred to as a:
A) Standard
B) Guideline
C) Regulation
D) Procedure
Points Earned: 0.0/1.0
Correct Answer(s): D

2. Which of the following would be the first step in establishing a network/information security program?
A) purchase of security access control software
B) development and implementation of a network/information security standards manual
C) adoption of a corporate network/information security policy statement
D) development of a security awareness-training program for employees
Feedback: See page 60.
Points Earned: 0.0/1.0
Correct Answer(s): C

3. What can be best defined as high-level statements, beliefs, goals, and objectives?
A) standards
B) guidelines
C) policies
D) procedures
Feedback: See page 61.
Points Earned: 0.0/1.0
Correct Answer(s): C

4. Within network and IT security, which of the following combinations best describes risk?
A) threat coupled with a breach of security
B) threat coupled with an attack
C) threat coupled with a vulnerability
D) vulnerability coupled with a breach
Feedback: See pages 78 - 79.
Points Earned: 1.0/1.0
Correct Answer(s): C

5. Which of the following is not part of a security policy?
A) statement of management intent, supporting the goals and principles of information security
B) definition of the overall steps of information security and the importance of security
C) description of specific technologies used in the field of information security regulations
D) definition of general and specific responsibilities for information security management
Feedback: See pages 60 and 63.
Points Earned: 0.0/1.0
Correct Answer(s): C

6. Which of the following is an advantage of qualitative over quantitative risk analysis?
A) It prioritizes the risks and identifies areas for immediate improvement in addressing the vulnerabilities.
B) It makes a cost-benefit analysis of recommended controls easier.
C) It can be easily automated.
D) It provides specific quantifiable measurements of the magnitude of the impacts.
Feedback: See page 80.
Points Earned: 1.0/1.0
Correct Answer(s): A

7. An effective security policy would not have which of the following characteristics?
A) specify areas of responsibility and authority
B) be understandable and supported by all stakeholders
C) include separations of duty
D) be designed for short to mid-term focus
Feedback: See pages 59-70.
Points Earned: 0.0/1.0
Correct Answer(s): D

8. Step-by-step instructions used to satisfy control requirements are called a
A) guideline.
B) procedure.
C) standard.
D) policy.
Feedback: See pages 71 and 74.
Points Earned: 1.0/1.0
Correct Answer(s): B

9. Controls are implemented to
A) eliminate risk and eliminate potential for loss
B) mitigate risk and reduce the potential for loss
C) eliminate risk and reduce potential for loss
D) mitigate risk and eliminate the potential for loss
Feedback: See page 79.
Points Earned: 0.0/1.0
Correct Answer(s): B

10. Which of the following shouldn't be addressed by employee termination practices?
A) removal of the employee from active payroll files
B) employee bonding to protect against losses due to theft
C) return of access badges
D) deletion of assigned logon ID and passwords to prohibit system access
Feedback: See pages 76 - 77.
Points Earned: 0.0/1.0
Correct Answer(s): B

11. Which of the following would be defined as an absence or weakness of a safeguard that could be exploited?
A) an exposure
B) a threat
C) a risk
D) a vulnerability
Feedback: See page 78.
Points Earned: 1.0/1.0
Correct Answer(s): D

12. What can be defined as an event that could cause harm to a network/information system?
A) a weakness
B) a threat
C) a vulnerability
D) a risk
Feedback: See page 78.
Points Earned: 1.0/1.0
Correct Answer(s): B

13. A(n) ____________ policy might prescribe the need for information security and may delegate the creation and management of the program.
A) System-specific
B) Programme-level
C) Programme-framework
D) Issue-specific
Points Earned: 0.0/1.0
Correct Answer(s): B

14. What is the difference between advisory and regulatory security policies?
A) Regulatory policies are high-level policies, whereas advisory policies are very detailed.
B) Advisory policies are mandated and regulatory policies are not.
C) There are no differences between them.
D) Advisory policies provide recommendations.
Feedback: See pages 70 and 71.
Points Earned: 1.0/1.0
Correct Answer(s): D

15. The supporting documents derived from policy statements include which of the following? Select all correct answers.
A) Regulations
B) Procedural maps
C) Standards and baselines
D) Guidelines
Points Earned: 1.0/1.0
Correct Answer(s): A , C , D
