Management of Information Security Chapter 5

Created by holymoses61 


Chapter 5 of Management of Information Security, 3rd ed., Whitman and Mattord

Information security program

____ is the term used to describe the structure and organization of the effort that strives to contain the risks to the information assets of the organization.

Help Desk

____________________ personnel are the front line of incident response, as they may be able to diagnose and recognize an attack while handling calls from users having problems with their computers, the network, or Internet connections.

CISO

The ____ is primarily responsible for the assessment, management, and implementation of the program that secures the organization's information.

consultant

The information security ____ is typically an expert in some aspect of information security, who is brought in when the organization makes the decision to outsource one or more aspects of its security program.

Identify program scope, goals, and objectives
Identify training staff
Identify target audiences
Motivate management and employees
Administer the program
Maintain the program
Evaluate the program

List the steps of the seven-step methodology for implementing training.

False

The Computer Security Act of 1987 requires federal agencies to provide mandatory periodic training in computer security encryption and accepted computer practices to all employees involved with the management, use, or operation of their computer systems.

training

Security ____________________ involves providing members of the organization with detailed information and hands-on instruction to enable them to perform their duties securely.

may not be sufficiently responsive to the needs of all trainees

A disadvantage of offering training in a formal class is that it ____.

security awareness

The three elements of a SETA program are security education, security training, and ____________________.

11%

On average, the security budget of a medium-sized organization is ____ of the total IT budget.

False

Individuals who perform routine monitoring activities are called security technicians.

one person

The typical security staff in a small organization consists of ____.

poster

Keys to a good security ____________________ series include varying the content and keeping posters updated.

On-the-job training

Which of the following training methods uses a sink-or-swim approach?

security administrator

The responsibilities of the ____ are a combination of the responsibilities of a security technician and a security manager.

top computing executive or Chief Information Officer

In large organizations the information security department is often headed by the CISO who reports directly to the ____.

technology product

Advanced technical training can be selected or developed based on job category, job function, or ____.

definers

A study of information security positions found that positions can be classified into one of three types: ____________________ provide the policies, guidelines, and standards. They're the people who do the consulting and the risk assessment, who develop the product and technical architectures.

builders

A study of information security positions found that positions can be classified into one of three types: ____________________ are the real technical types, who create and install security solutions.

True

Effective training and awareness programs make employees accountable for their actions.

False

According to Charles Cresson Wood, "Reporting directly to top management is not advisable for the Information Security Department Manager [or CISO] because it impedes objectivity and the ability to perceive what's truly in the best interest of the organization as a whole, rather than what's in the best interest of a particular department."

False

Legal assessment for the implementation of the information security program is almost always done by the information security or IT departments.

True

A security technician is usually an entry-level position.

True

In informing and preparing employees for their role in information security, security awareness provides the "what", training provides the "how" and education provides the "why".

True

Security managers are accountable for the day-to-day operation of the information security program.

False

Threats from insiders are more likely in a small organization than in a large one.

technology product

The three methods for selecting or developing advanced technical training are by job category, by job function, and by ____________________.

reduce the incidence of accidental security breaches

The security education, training, and awareness (SETA) program is designed to ____ by/of members of the organization.

security awareness

A SETA program consists of three elements: security education, security training, and ____.

security training

Employee behavior that endangers the security of the organization's information can be modified through security awareness and ____________________.

CISO

Security managers commonly report to the ____.

security administrator

The security analyst is a specialized ____.

False

One of the most commonly implemented but least effective security methods is the security awareness program.

False

The professional agencies such as SANS, ISC2, ISSA and CSI offer industry training conferences and programs that are ideal for the average employee.

False

Security education involves providing members of the organization with detailed information and hands-on instruction to enable them to perform their duties securely.

identify program scope, goals, and objectives

Which of the following is the first step in the process of implementing training?

False

An organization's size is the variable that has the greatest influence on the structure of the organization's information security program.

information security

An organization's ____________________ program refers to the structure and organization of the effort that strives to contain the risks to the information assets of the organization.

True

In small organizations, security training and awareness is most commonly conducted on a one-on-one basis.

newsletter

A security ____________________ is the most cost-effective method of disseminating security information and news to employees.

True

Organizations with complex IT infrastructures are likely to require more information security support than those with less complex infrastructures.

True

To their advantage, some observers feel that small organizations avoid some threats precisely because of their small size.

True

A security trinket program is one of the most expensive security awareness programs.

True

A convenient time to conduct training for general users is during employee orientation.

A security technician

Which of the following would be responsible for configuring firewalls and IDSs, implementing security software, and diagnosing and troubleshooting problems?

GGG (guards, gates, and guns)

Security officers and investigators are part of the ____________________ aspect of security.

True

In large organizations, it is recommended to separate information security functions into four areas, including: non-technology business functions, IT functions, information security customer service functions and information security compliance enforcement functions.

True

The purpose of the CAEIAE program is to enhance security by building in-depth knowledge, by developing security-related skills and knowledge, by improving awareness of the need to protect system resources.

assessment

An organization carries out a risk ____________________ function to evaluate risks present in IT initiatives and/or systems.
