19 Cards in this Set
Front: Which of the following choices is not part of a security policy?
Back: description of specific technologies used in the field of information security regulations.

Front: Which of the following would be the first step in establishing an information security programme?
Back: adoption of a corporate information security policy statement

Front: An effective information security policy should not have which of the following characteristics?
Back: be designed with a short- to mid-term focus

Front: What is the difference between advisory and regulatory security?
Back: Advisory policies provide recommendations.

Front: What can best be defined as high-level statements, beliefs, goals, and objectives?
Back: policies

Front: A deviation or exception from a security standard requires which of the following?
Back: risk containment

Front: Why would an information security policy require that communications test equipment be controlled?
Back: The equipment can be used to browse information passing on a network.

Front: Step-by-step instructions used to satisfy control requirements are called a
Back: procedure

Front: Which of the following embodies all the detailed actions that personnel are required to follow?
Back: procedures

Front: Which of the following would be defined as an absence or weakness of a safeguard that could be exploited?
Back: a vulnerability

Front: Within IT security, which of the following combinations best defines risk?
Back: threat coupled with a vulnerability

Front: IT security measures should
Back: be tailored to meet organizational security goals.

Front: Which of the following should not be addressed by employee termination practices?
Back: employee bonding to protect against losses due to theft

Front: What would best define risk management?
Back: the process of assessing the risks

Front: Controls are implemented to
Back: mitigate risk and reduce the potential for loss.

Front: Which of the following is an advantage of a qualitative over a quantitative risk analysis?
Back: It prioritizes the risk and identifies areas for immediate improvement in addressing the vulnerabilities.

Front: What can be defined as an event that could cause harm to the information systems?
Back: a threat

Front: One purpose of a security awareness program is to modify
Back: attitudes of employees with sensitive data.

Front: Which of the following should be given technical security training?
Back: IT support personnel and system administrators