Question 1

Match each item with a statement below.
-Published, scrutinized, and ratified by a group.

Accepted Answer

De jure standards are those that have been formally approved and adopted by an official body or authority, which involves the process of being published, scrutinized, and ratified by a group.

Question 2

Match each item with a statement below.
-Set of rules for the protection of an organization's information assets.

Accepted Answer

An Information Security Policy is a set of rules for the protection of an organization's information assets.

Answer: A
 A Managerial Guidance SysSP document is guidance for managers on developing policies, procedures, and guidelines for information security.

Answer: C
 An Incident Response plan is a set of procedures to follow in the event of a security breach or cyber attack.

Answer: D
 A Business Continuity Plan is a plan for maintaining business operations in the event of a disruption, including a cyber attack.

Answer: F
 De jure refers to something that is legally recognized and enforced.

Answer: G
 De facto refers to something that is based on practice or custom rather than law.

Answer: H
 A Security Blueprint is a detailed plan for implementing security measures to protect an organization's information assets.

Answer: I
 A Business Impact Analysis assesses the potential impact of a disruption to a business or organization's operations, including the impact of a cyber attack.

Question 3

Establishing a contact number of hot line is an aspect of ____ planning.

Accepted Answer

Establishing a contact number for a hot line is an essential part of a crisis management plan. A hot line provides an immediate communication channel between the impacted party and the response team. This enables quick response to the crisis and minimizes the impact of the crisis. Business continuity planning focuses on maintaining business operations in the face of disruption, whereas incident response and attack planning are reactive measures to mitigate the impact of the crisis.

Question 4

____________________ management differs dramatically from incident response, as it focuses first and foremost on the people involved.

Accepted Answer

The answer of ____________________ management differs dramatically from incident response,...

Question 5

A(n) ____________________ is also known as a general security policy, an IT security policy, or an information security policy.

Accepted Answer

The answer of A(n) ____________________ is also known as a...

Question 6

A(n) ____ is an attack against an information asset that poses a clear threat to the confidentiality, integrity, or availability of information resources.

Accepted Answer

An incident is defined as any event that poses a threat to the confidentiality, integrity, or availability of an information asset. This can include a wide range of activities such as hacking, malware infection, physical theft, and employee error. An incident can range in severity from minor to major, but any incident that poses a clear threat must be addressed quickly and appropriately to minimize the impact on the organization. A disaster or crisis typically refers to a larger-scale event that may impact multiple information assets, while recovery refers to the process of restoring systems and data after an incident or disaster has occurred.

Question 7

A(n) ____________________ is a set of specifications that identifies a piece of technology's authorized users and includes details on the rights and privileges those users have on that technology.

Accepted Answer

The answer of A(n) ____________________ is a set of specifications...

Question 8

Match each item with a statement below.
-Basis for the design, selection, and implementation of all security program elements, including policy implementation, ongoing policy management, risk management programs, education and training programs, technological controls, and maintenance of the security program.

Accepted Answer

The security blueprint serves as the foundation for the design, selection, and implementation of all security program elements, including policy implementation, ongoing policy management, risk management programs, education and training programs, technological controls, and maintenance of the security program. It outlines the overall structure and framework of the security measures and practices within an organization.

Question 9

Match each item with a statement below.
-Informal part of an organization's culture.

Accepted Answer

"De facto" refers to the informal, unwritten part of an organization's culture.

Answer: A 
 A "managerial guidance SysSP document" would be a formal written policy or procedure.

Answer: B 
 "Security training" refers to the education and instruction given to employees in order to promote safe and secure practices.

Answer: C 
 "Incident response" refers to the process an organization uses to respond to and manage a security incident or breach.

Answer: D 
 "Business continuity plan" refers to the plan that an organization has in place to resume operations in the event of a disruption.

Answer: E 
 An "information security policy" is a formal written guideline outlining an organization's approach to maintaining the confidentiality, integrity, and availability of its data.

Answer: F 
 "De jure" refers to something that is established by law or regulation.

Answer: H 
 A "security blueprint" would typically refer to a diagram or plan that outlines an organization's security infrastructure or architecture.

Answer: I 
 "Business impact analysis" involves assessing the potential impact of different types of security incidents on an organization's operations and bottom line.

Question 10

____ planning prepares an organization to reestablish critical business operations during a disaster that affects operations at the primary site.

Accepted Answer

Business continuity planning involves creating processes and procedures to ensure critical business operations can continue during and after a disaster or disruption. This includes preparing for the recovery and resumption of business operations at an alternate site if necessary. Incident response planning focuses on immediate responses to specific incidents or threats, whereas crisis management typically involves a broader and more strategic approach to managing a crisis situation. Attack is not a relevant term in this context.

Question 11

When disaster threatens the viability of the organization at the primary site, disaster recovery undergoes a transition into ____.

Accepted Answer

When disaster threatens the viability of the organization at the primary site, disaster recovery undergoes a transition into business continuity. Business continuity refers to the measures and procedures that an organization puts in place to ensure that essential functions can continue during and after a disaster. It involves a broader scope than disaster recovery, which focuses primarily on restoring IT infrastructure and data after an interruption.

Question 12

Match each item with a statement below.
-Investigation and assessment of the impact that various attacks can have on the organization.

Accepted Answer

Business impact analysis involves investigation and assessment of the impact that various attacks can have on the organization.

Answer: C 
 Incident response involves responding to and managing the aftermath of a security incident.

Answer: D 
 A business continuity plan outlines how an organization will continue to operate in the event of a disruption or disaster.

Answer: E 
 An information security policy is a document that outlines an organization's policies and procedures for protecting its information assets.

Answer: A 
 A managerial guidance SysSP document provides guidance to managers on how to implement and maintain information security in an organization.

Answer: H 
 A security blueprint is a comprehensive plan that outlines an organization's security infrastructure and operations.

Answer: F 
 De jure refers to something that is legally recognized, while de facto refers to something that is true in practice, even if it is not legally recognized. These terms are not directly related to information security.

Answer: G 
 De jure refers to something that is legally recognized, while de facto refers to something that is true in practice, even if it is not legally recognized. These terms are not directly related to information security.

Answer: B 
 Security training involves educating employees on how to identify and respond to security threats and vulnerabilities.

Question 13

Match each item with a statement below.
-Ensures that critical business functions continue if a catastrophic incident or disaster occurs.

Accepted Answer

A business continuity plan is specifically designed to ensure that critical business functions continue in the event of a catastrophic incident such as a natural disaster, cyber attack, or similar event.

Answer: C
 An incident response plan outlines the steps and procedures that an organization must follow in the event of a security incident or data breach.

Answer: I
 A business impact analysis is a process that helps identify the potential impact of a disruptive event on an organization's critical business functions, allowing the organization to develop appropriate response plans.

Answer: E
 An information security policy outlines an organization's approach to information security, including roles and responsibilities, acceptable use policies, and other related topics.

Answer: A
 A managerial guidance SysSP document provides guidance for managers and other stakeholders on how to implement security policies and procedures effectively.

Answer: H
 A security blueprint provides a detailed description of an organization's security architecture, including hardware, software, and other components.

Answer: F and G
 De jure refers to something that is established by law or by a governing body, while de facto refers to something that is established in practice, even if it is not formally recognized. Both of these terms can be used in various contexts and are not directly related to the topics listed in the question.

Question 14

The analysis and prioritization of the business functions within the organization's departments, sections, divisions, groups, or other units to determine which are most vital to continued operations is called ____.

Accepted Answer

The answer of The analysis and prioritization of the business...

Question 15

Match each item with a statement below.
-Provides detailed information and hands-on instruction to employees to prepare them to perform their duties securely.

Accepted Answer

Security training provides detailed information and hands-on instruction to employees to prepare them to perform their duties securely.

Answer: C
 Incident response refers to the systematic approach taken by an organization to handle a security incident, including the identification, containment, eradication, and recovery stages.

Answer: D
 A business continuity plan outlines the processes and procedures that enable an organization to continue essential operations during and after a disaster or disruption.

Answer: E
 An information security policy is a set of guidelines and procedures that outline an organization's strategy for securing its resources.

Answer: I
 Business impact analysis is an assessment of the potential effects on an organization's operations, including financial losses, reputational damage, and other impacts, resulting from a disruptive event.

The remaining options (A, F, G, and H) do not match the statements provided.

Question 16

The identification of critical business functions and the resources needed to support them is the cornerstone of the ____________________ plan.

Accepted Answer

The answer of The identification of critical business functions and...

Question 17

A security ____________________ is an outline of the overall information security strategy and a roadmap for planned changes to the organization's information security environment.

Accepted Answer

The answer of A security ____________________ is an outline of...

Question 18

Match each item with a statement below.
-The set of activities taken to plan for, detect, and correct the impact of an incident on information assets.

Accepted Answer

The description matches the definition of incident response.

Answer: D 
 The description matches the definition of business continuity plan.

Answer: I 
 The description matches the definition of business impact analysis.

Answer: E 
 The description matches the definition of information security policy.

Answer: A 
 The description matches the definition of a managerial guidance SysSP document, which provides guidance for security management.

Answer: B 
 Security training is not described in the given statement.

Answer: F 
 De jure and de facto are not described in the given statement.

Answer: G 
 De jure and de facto are not described in the given statement.

Answer: H 
 A security blueprint is not described in the given statement.

Question 19

An attack scenario end case is categorized ____.

Accepted Answer

The answer of An attack scenario end case is categorized...

Question 20

Match each item with a statement below.
-Created by management to guide the implementation and configuration of a specific technology so as to direct the way a technology is to be used to control the behavior of people in the organization.

Accepted Answer

A managerial guidance SysSP (System-Specific Policy) document is created by management to guide the implementation and configuration of a specific technology, directing how it should be used to control behavior within the organization.

Quiz 2: Security Policies and Standards

Match each item with a statement below. -Published, scrutinized, and ratified by a group.

Match each item with a statement below. -Set of rules for the protection of an organization's information assets.

Establishing a contact number of hot line is an aspect of ____ planning.

____________________ management differs dramatically from incident response, as it focuses first and foremost on the people involved.

A(n) ____________________ is also known as a general security policy, an IT security policy, or an information security policy.

A(n) ____ is an attack against an information asset that poses a clear threat to the confidentiality, integrity, or availability of information resources.

A(n) ____________________ is a set of specifications that identifies a piece of technology's authorized users and includes details on the rights and privileges those users have on that technology.

Match each item with a statement below. -Informal part of an organization's culture.

____ planning prepares an organization to reestablish critical business operations during a disaster that affects operations at the primary site.

When disaster threatens the viability of the organization at the primary site, disaster recovery undergoes a transition into ____.

Match each item with a statement below. -Investigation and assessment of the impact that various attacks can have on the organization.

Match each item with a statement below. -Ensures that critical business functions continue if a catastrophic incident or disaster occurs.

The analysis and prioritization of the business functions within the organization's departments, sections, divisions, groups, or other units to determine which are most vital to continued operations is called ____.

Match each item with a statement below. -Provides detailed information and hands-on instruction to employees to prepare them to perform their duties securely.

The identification of critical business functions and the resources needed to support them is the cornerstone of the ____________________ plan.

A security ____________________ is an outline of the overall information security strategy and a roadmap for planned changes to the organization's information security environment.

Match each item with a statement below. -The set of activities taken to plan for, detect, and correct the impact of an incident on information assets.

An attack scenario end case is categorized ____.

Match each item with a statement below. -Created by management to guide the implementation and configuration of a specific technology so as to direct the way a technology is to be used to control the behavior of people in the organization.