test bank MANAGEMENT of INFORMATION SECURITY, Fifth Edition
Name: Class: Date:
Chapter 09 - Security Management Practices
Copyright Cengage Learning. Powered by Cognero. Page 1

True/False

1. Using a practice called baselining, you are able to develop policy based on the typical practices of the industry in which you are working.
a. True
b. False
ANSWER: False

2. A company striving for "best security practices" makes every effort to establish security program elements that meet every minimum standard in their industry.
a. True
b. False
ANSWER: False

3. One question you should ask when choosing among recommended practices is "Can your organization afford to implement the recommended practice?"
a. True
b. False
ANSWER: True

4. Performance measurements are seldom required in today's regulated InfoSec environment.
a. True
b. False
ANSWER: False

5. Attaining certification in security management is a long and difficult process, but once attained, an organization remains certified for the life of the organization.
a. True
b. False
ANSWER: False

Modified True/False (if the statement is false, supply the term that makes it true)

6. One of the critical tasks in the measurement process is to assess and quantify what will be measured and how it is measured. ____________
ANSWER: True

7. The biggest barrier to baselining in InfoSec is the fact that many organizations do not share warnings with other organizations. ____________
ANSWER: False - benchmarking

8. A comprehensive assessment of a system's technical and nontechnical protection strategies, as specified by a particular set of requirements, is known as accreditation. ____________
ANSWER: False - certification

9. Standardization is an attempt to improve information security practices by comparing an organization's efforts against those of a similar organization or an industry-developed standard to produce results it would like to duplicate. ____________
ANSWER: False - benchmarking

10. The authorization by an oversight authority of an IT system to process, store, or transmit information is known as certification. ____________
ANSWER: False - accreditation

11. Recommended practices are those security efforts that seek to provide a superior level of performance in the protection of information. ____________
ANSWER: True

12. A performance measure is an assessment of the performance of some action or process against which future performance is assessed. ____________
ANSWER: False - baseline

13. A standard of due process is a legal standard that requires an organization and its employees to act as a "reasonable and prudent" individual or organization would under similar circumstances. ____________
ANSWER: False - care

14. Data or the trends in data that may indicate the effectiveness of security countermeasures or controls, technical and managerial, implemented in the organization are known as program measurements. ____________
ANSWER: False - performance

Multiple Choice

15. Creating a blueprint by looking at the paths taken by organizations similar to the one whose plan you are developing is known as which of the following?
a. benchmarking
b. best practices
c. baselining
d. due diligence
ANSWER: a

16. Which of the following is a possible result of failure to establish and maintain standards of due care and due diligence?
a. Baselining
b. Legal liability
c. Competitive disadvantage
d. Certification revocation
ANSWER: b

17. Which of the following is NOT a consideration when selecting recommended best practices?
a. Threat environment is similar
b. Resource expenditures are practical
c. Organization structure is similar
d. Same certification and accreditation agency or standard
ANSWER: d

18. What are the legal requirements that an organization adopt a standard based on what a prudent organization should do, and then maintain that standard?
a. Certification and accreditation
b. Best practices
c. Due care and due diligence
d. Baselining and benchmarking
ANSWER: c

19. Problems with benchmarking include all but which of the following?
a. Organizations don't often share information on successful attacks
b. Organizations being benchmarked are seldom identical
c. Recommended practices change and evolve, thus past performance is no indicator of future success
d. Benchmarking doesn't help in determining the desired outcome of the security process
ANSWER: d

20. Which of the following is NOT a question to be used as a self-assessment for recommended security practices in the category of people?
a. Do you perform background checks on all employees with access to sensitive data, areas, or access points?
b. Are the user accounts of former employees immediately removed on termination?
c. Would the typical employee recognize a security issue?
d. Would the typical employee know how to report a security issue to the right people?
ANSWER: b

21. Which of the following terms is described as the process of designing, implementing, and managing the use of the collected data elements to determine the effectiveness of the overall security program?
a. Performance management
b. Baselining
c. Best practices
d. Standards of due care/diligence
ANSWER: a

22. Which of the following is NOT one of the three types of performance measures used by organizations?
a. Those that determine the effectiveness of the execution of InfoSec policy
b. Those that determine the effectiveness and/or efficiency of the delivery of InfoSec services
c. Those that evaluate the compliance of non-security personnel in adhering to InfoSec policy
d. Those that assess the impact of an incident or other security event on the organization or its mission
ANSWER: c

23. Organizations must consider all but which of the following during development and implementation of an InfoSec measurement program?
a. Measurements must yield quantifiable information
b. Data that supports the measures needs to be readily obtainable
c. Only repeatable InfoSec processes should be considered for measurement
d. Measurements must be useful for tracking non-compliance by internal personnel
ANSWER: d

24. Which of the following is NOT a factor critical to the success of an information security performance program?
a. Strong upper level management support
b. High level of employee buy-in
c. Quantifiable performance measurements
d. Results oriented measurement analysis
ANSWER: b

25. Which of the following is NOT a question a CISO should be prepared to answer about a performance measures program, according to Kovacich?
a. Why should these measurements be collected?
b. Where will these measurements be collected?
c. What effect will measurement collection have on efficiency?
d. Who will collect these measurements?
ANSWER: c

26. The InfoSec measurement development process recommended by NIST is divided into two major activities. Which of the following is one of them?
a. Regularly monitor and test networks
b. Identification and definition of the current InfoSec program
c. Maintain a vulnerability management program
d. Compare organizational practices against organizations of similar characteristics
ANSWER: b

27. InfoSec measurements collected from production statistics depend greatly on which of the following factors?
a. Types of performance measures developed
b. Number of systems and users of those systems
c. Number of monitored threats and attacks
d. Activities and goals implemented by the business unit
ANSWER: b

28. Which of the following InfoSec measurement specifications makes it possible to define success in the security program?
a. Development approach
b. Establishing targets
c. Prioritization and selection
d. Measurements templates
ANSWER: b

29. Which of the following is the first phase in the NIST process for performance measurement implementation?
a. Develop the business case
b. Obtain resources
c. Prepare for data collection
d. Identify corrective actions
ANSWER: c

30. Which of the following is the last phase in the NIST process for performance measures implementation?
a. Apply corrective actions
b. Obtain resources
c. Document the process
d. Develop the business case
ANSWER: a

31. In security management, which of the following is issued by a management official and serves as a means of assuring that systems are of adequate quality?
a. Accreditation
b. Certification
c. Performance measurement
d. Testimonial
ANSWER: a

32. Which of the following is Tier 3 (indicating environment of operation) of the tiered risk management approach?
a. Mission/business process
b. Information system
c. Accounting/logistics
d. Organization
ANSWER: b

33. According to NIST SP 800-37, which of the following is the first step in the security controls selection process?
a. Categorize the information system and the information processed
b. Select an initial set of baseline security controls
c. Assess the security controls using appropriate assessment procedures
d. Authorize information system operation based on risk determination
ANSWER: a

34. The Authorize step of the NIST six-step approach to the risk management framework involves all but which of the following tasks?
a. Prepare the plan of action and develop milestones
b. Assemble the security authorization package
c. Determine if the cost/benefit ratio is acceptable
d. Determine the risk to organizational operations
ANSWER: c

Completion

35. Best security practices balance the need for user _____________ to information with the need for adequate protection while simultaneously demonstrating fiscal responsibility.
ANSWER: access

36. A practice related to benchmarking is ____________, which is a measurement against a prior assessment or an internal goal.
ANSWER: baselining (also accepted: baseline)

37. ____________________ encompasses a requirement that the implemented standards continue to provide the required level of protection.
ANSWER: due diligence

38. A goal of 100 percent employee InfoSec training as an objective for the training program is an example of a performance __________.
ANSWER: target (also accepted: measure, metric)

39. The last phase in the NIST performance measures implementation process is to apply ______________ actions, which closes the gap found in Phase 2.
ANSWER: corrective

Essay

40. When choosing from among recommended practices, an organization should consider a number of questions. List four.
ANSWER: Any four of the following:
Does your organization resemble the target organization of the recommended practice?
Are you in a similar industry as the target of the recommended practice?
Do you face similar challenges as the target of the recommended practice?
Is your organizational structure similar to the target of the recommended practice?
Can your organization expend resources at the level required by the recommended practice?
Is your threat environment similar to the one assumed by the recommended practice?

41. List the four factors critical to the success of an InfoSec performance program, according to NIST SP 800-55, Rev. 1.
ANSWER:
Strong upper level management support
Practical InfoSec policies and procedures
Quantifiable performance measurements
Results oriented measurement analysis

42. Before beginning the process of designing, collecting, and using measures, the CISO should be prepared to answer the following questions posed by Kovacich. List four of these questions.
ANSWER: Any four of the following:
Why should these statistics be collected?
What specific statistics will be collected?
How will these statistics be collected?
When will these statistics be collected?
Who will collect these statistics?
Where (at what point in the function's process) will these statistics be collected?

43. The process of implementing a performance measures program recommended by NIST involves six phases. List and describe them.
ANSWER:
Phase 1: Prepare for data collection; identify, define, develop, and select information security measures.
Phase 2: Collect data and analyze results; collect, aggregate, and consolidate the measurement data, then compare the measurements with their targets (gap analysis).
Phase 3: Identify corrective actions; develop a plan to serve as the roadmap for closing the gap identified in Phase 2. This includes determining the range of corrective actions, prioritizing corrective actions based on overall risk mitigation goals, and selecting the most appropriate corrective actions.
Phase 4: Develop the business case for the corrective actions selected in Phase 3.
Phase 5: Obtain resources; address the budgeting cycle for acquiring the resources needed to implement the remediation actions identified in Phase 3.
Phase 6: Apply corrective actions; close the gap by implementing the recommended corrective actions in the security program or in the security controls.

44. What are the two major activities into which the InfoSec measurement development process recommended by NIST is divided?
ANSWER:
1. Identification and definition of the current InfoSec program
2. Development and selection of specific measurements to gauge the implementation, effectiveness, efficiency, and impact of the security controls

45. On what do measurements collected from production statistics greatly depend? Explain your answer.
ANSWER: Measurements collected from production statistics depend greatly on the number of systems and the number of users of those systems. As the number of systems and/or the number of users of those systems changes, the effort required to maintain the same level of service will vary.

46. Why is measurement prioritization and selection important? How can it be achieved?
ANSWER: Because organizations seem to better manage what they measure, it is important to ensure that individual metrics are prioritized in the same manner as the processes that they measure. This can be achieved with a simple low-, medium-, or high-priority ranking system or with a weighted scale approach, which involves assigning a value to each measurement based on its importance in the context of the overall InfoSec program, the overall risk-mitigation goals, and the criticality of the systems.

47. Why must you do more than simply list the InfoSec measurements collected when reporting them? Explain.
ANSWER: In most cases, simply listing the measurements collected does not adequately convey their meaning. For example, a line chart showing the number of malicious code attacks occurring per day may communicate a basic fact, but unless the reporting mechanism can provide the context (for example, the number of new malicious code variants on the Internet in that time period), the measurement will not serve its intended purpose. In addition, you must make decisions about how to present correlated metrics: whether to use pie, line, bar, or scatter charts, and which colors denote which kinds of results.

48. Compare and contrast accreditation and certification.
ANSWER: In security management, accreditation is the authorization of an IT system to process, store, or transmit information. Accreditation is issued by a management official and serves as a means of assuring that systems are of adequate quality. It also challenges managers and technical staff to find the best methods to assure security, given technical constraints, operational constraints, and mission requirements. Certification is a comprehensive assessment of both technical and nontechnical protection strategies for a particular system, as specified by a particular set of requirements. Thus, while systems may be certified as meeting a specific set of criteria (like the PCI DSS), they must be accredited (approved by an appropriate authority) before being allowed to process a specific set of information (such as classified documents) at an acceptable level of risk.

49. Describe the three-tier approach of the RMF as defined by NIST SP 800-37.
ANSWER: NIST follows a three-tiered approach to risk management. Most organizations work from the top down, focusing first on aspects affecting the entire organization, such as governance (Tier 1). Then, after the more strategic issues are addressed, they move toward more tactical issues around business processes (Tier 2). The most detailed aspects are addressed in Tier 3, dealing with information systems.

Matching

Match each of the descriptions in items 50 through 59 with the term it defines:
a. accreditation
b. baseline
c. benchmarking
d. certification
e. due diligence
f. best security practices
g. recommended business practices
h. standard of due care
i. performance measurements
j. NIST SP 800-37

50. The actions that demonstrate that an organization has made a valid effort to protect others and that the implemented standards continue to provide the required level of protection.
ANSWER: e

51. The authorization of an IT system to process, store, or transmit information.
ANSWER: a

52. A legal standard that requires an organization and its employees to act as a reasonable and prudent individual or organization would under similar circumstances.
ANSWER: h

53. Those security efforts that are considered among the best in the industry.
ANSWER: f

54. A comprehensive assessment of a system's technical and nontechnical protection strategies, as specified by a particular set of requirements.
ANSWER: d

55. The data or the trends in data that may indicate the effectiveness of security countermeasures or controls, technical and managerial, implemented in the organization.
ANSWER: i

56. A common approach to a Risk Management Framework (RMF) for InfoSec practice.
ANSWER: j

57. An attempt to improve information security practices by comparing an organization's efforts against the practices of a similar organization or an industry-developed standard to produce results it would like to duplicate.
ANSWER: c

58. Those procedures that provide a superior level of security for an organization's information.
ANSWER: g

59. An assessment of the performance of some action or process against which future performance is assessed.
ANSWER: b

What is the comprehensive evaluation of the technical and nontechnical security controls of an IT system called?

Certification. In information security, certification is the comprehensive evaluation of an IT system's technical and nontechnical security controls that establishes the extent to which a particular design and implementation meet a set of predefined security requirements, usually in support of an accreditation process.