Question 1

NIST recommends the documentation of each performance measure in a customized format to ensure repeatability of measures development,tailoring,collection,and reporting activities.

Accepted Answer

False

Question 2

When an organization applies statistical and quantitative forms of mathematical analysis to the data points collected to measure the activities and outcomes of the InfoSec program,it is using InfoSec best practices.

Accepted Answer

Using statistical and quantitative analysis is a method for evaluating InfoSec programs, but it is not the sole definition of InfoSec best practices, which encompass a broader range of strategies and guidelines.

Question 3

In the future,NIST is replacing traditional Certification and Accreditation with authorization strategies and security control assessment.

Accepted Answer

This statement is true. NIST is replacing the traditional Certification and Accreditation (C&A) process with a risk-based approach that involves continuous monitoring and ongoing authorization for information systems. This new approach is known as the Risk Management Framework (RMF), which includes security control assessment as one of its key components.

Question 4

One of the priorities in building an information security measures program is determining whether these measures will be macro-focus or micro-focus.

Accepted Answer

The statement is true. One of the first decisions that an organization must make in building an information security measures program is whether the focus will be on macro-level (organizational-wide) or micro-level (specific systems or applications). This decision will guide the development and implementation of security policies, procedures, and controls.

Question 5

A best practice is a &#34;value or profile of a performance metric against which changes in the performance metric can be usefully compared.&#34;

Accepted Answer

A best practice is a method or technique that has been generally accepted as superior to any alternatives because it produces results that are superior to those achieved by other means. The definition provided describes a "benchmark."

Question 6

To generate a security blueprint,organizations usually draw from established security models and practices.

Accepted Answer

This statement is true. Organizations typically rely on established security models and practices to develop their security blueprint. These may include frameworks like NIST, ISO, or CIS controls, as well as best practices for specific types of security controls (e.g. firewalls or access control systems).

Question 7

Best security practices (BSPs)balance the need for information access with the need for adequate protection while simultaneously demonstrating social responsibility.

Accepted Answer

The answer of Best security practices (BSPs)balance the need for...

Question 8

&#34;Good security now is better than perfect security never.&#34;

Accepted Answer

It is always better to have some level of security rather than waiting indefinitely for the "perfect" security that may never materialize. In today's constantly evolving threat landscape, a proactive approach to security is essential.

Question 9

The biggest barrier to benchmarking in information security is the fact that organizations do not talk to each other.

Accepted Answer

Benchmarking requires comparison and sharing of information between organizations. However, in the field of information security, organizations are often unwilling to disclose their security practices and incidents due to fear of reputational damage or competitive disadvantage. This lack of communication and sharing creates a barrier to benchmarking in information security.

Question 10

Information security performance management is the process of designing,implementing,and managing the use of the collected data elements called measures to determine the effectiveness of the overall security program.

Accepted Answer

This statement accurately describes information security performance management.

Question 11

Certification is defined as &#34;the comprehensive evaluation of the technical and nontechnical security controls of an IT system to support the accreditation process that establishes the extent to which a particular design and implementation meets a set of specified security requirements.

Accepted Answer

The answer of Certification is defined as &#34;the comprehensive evaluation...

Question 12

Once developed,information security performance measures must be implemented and integrated into ongoing information security management operations.For the most part,it is sufficient to collect these measures once.

Accepted Answer

The answer of Once developed,information security performance measures must be...

Question 13

The platinum standard is a model level of performance that demonstrates industrial leadership,quality,and concern for the protection of information.

Accepted Answer

The answer of The platinum standard is a model level...

Question 14

One of the three goals of System Certification and Accreditation as defined by NIST is to: define essential maximum security controls for federal IT systems.

Accepted Answer

The answer of One of the three goals of System...

Question 15

Another way to create a blueprint is to look at the paths taken by organizations similar to the one whose plan you are developing,known as baselining.

Accepted Answer

The answer of Another way to create a blueprint is...

Question 16

Accreditation is the authorization of an IT system to process,store,or transmit information.

Accepted Answer

The answer of Accreditation is the authorization of an IT...

Question 17

The first phase in the NIST performance measures methodology is to collect data and analyze results; collect,aggregate,and consolidate metric data collection and compare measurements with targets.

Accepted Answer

The answer of The first phase in the NIST performance...

Question 18

Organizations strive to deliver the most value with a given level of investment-this is called the value proposition.

Accepted Answer

The answer of Organizations strive to deliver the most value...

Question 19

Organizations that adopt minimum levels of security to establish a future legal defense may need to verify that they have done what any prudent organization would do in similar circumstances; this is known as a standard of due care.

Accepted Answer

The answer of Organizations that adopt minimum levels of security...

Question 20

In information security,two categories of benchmarks are used: 1)standards of due care and due diligence and 2)baselining.

Accepted Answer

The answer of In information security,two categories of benchmarks are...

Question 21

One of the critical tasks in the measurement process is to assess and quantify what will be secured._________________________

Accepted Answer

The answer of One of the critical tasks in the...

Question 22

Because &#34;organizations manage what they measure,&#34; it is important to ensure that individual metrics are reported in the same manner as the performance they measure._________________________

Accepted Answer

The answer of Because &#34;organizations manage what they measure,&#34; it...

Question 23

Even with strong management support,an information security measures program must be able to demonstrate due care to the organization._________________________

Accepted Answer

The answer of Even with strong management support,an information security...

Question 24

Implementing controls at an acceptable standard-and maintaining them-demonstrates that an organization has performed due diligence._________________________

Accepted Answer

The answer of Implementing controls at an acceptable standard-and maintaining...

Question 25

It is no longer sufficient to simply assert effective information security; an organization must demonstrate that it is taking effective measures in the spirit of due diligence._________________________

Accepted Answer

The answer of It is no longer sufficient to simply...

Question 26

By looking at the paths taken by organizations similar to the one whose plan you are developing,known as benchmarking,the organization can follow the recommended or existing practices of a similar organization or industry-developed standards._________________________

Accepted Answer

The answer of By looking at the paths taken by...

Question 27

Production level statistics depend greatly on the number of systems and the number of users of those systems._________________________

Accepted Answer

The answer of Production level statistics depend greatly on the...

Question 28

A goal of 100 percent employee information security training in the training program would invalidate the continued collection of training measures._________________________

Accepted Answer

The answer of A goal of 100 percent employee information...

Question 29

Performance measurement is an ongoing,continuous improvement operation._________________________

Accepted Answer

The answer of Performance measurement is an ongoing,continuous improvement operation._________________________...

Question 30

When choosing from among recommended practices,an organization should ask if it resembles the target organization of the recommended practice._________________________

Accepted Answer

The answer of When choosing from among recommended practices,an organization...

Question 31

In some organizations,the terms metrics and best practices are interchangeable._________________________

Accepted Answer

The answer of In some organizations,the terms metrics and best...

Question 32

In information security,two categories of benchmarks are used: standards of due care and due diligence and recommended practices._________________________

Accepted Answer

The answer of In information security,two categories of benchmarks are...

Question 33

Security efforts that seek to provide a(n)acceptable level of performance in the protection of information are called recommended business practices or just best practices._________________________

Accepted Answer

The answer of Security efforts that seek to provide a(n)acceptable...

Question 34

Another problem with benchmarking is that no two organizations are similar._________________________

Accepted Answer

The answer of Another problem with benchmarking is that no...

Question 35

Strong upper level management support is critical to the success of an information security performance program._________________________

Accepted Answer

The answer of Strong upper level management support is critical...

Question 36

One of the most popular of the many references that support the development of process improvement and performance measures is The Capability Maturity Model Integrated (CMMI)designed specifically to integrate an organization's process improvement activities across disciplines._________________________

Accepted Answer

The answer of One of the most popular of the...

Question 37

The federal government prohibits the distribution of best security practices with organizations other than federal agencies._________________________

Accepted Answer

The answer of The federal government prohibits the distribution of...

Question 38

Measures are data points or computed trends that may indicate the effectiveness of security countermeasures or controls-technical and managerial-as implemented in the organization._________________________

Accepted Answer

The answer of Measures are data points or computed trends...

Question 39

Industries that are regulated by governmental agencies are required to meet government guidelines in their security practices._________________________

Accepted Answer

The answer of Industries that are regulated by governmental agencies...

Question 40

A(n)baseline is a &#34;value or profile of a performance metric against which changes in the performance metric can be usefully compared.&#34; _________________________

Accepted Answer

The answer of A(n)baseline is a &#34;value or profile of...

Question 41

In selecting among recommended practices,an organization should seek to ensure that the target ____ is similar to their own.&#10;A) threat environment&#10;B) resource expenditures&#10;C) organization structure&#10;D) all of these

Accepted Answer

The answer of In selecting among recommended practices,an organization should...

Question 42

Which of the following is a major activity in the information security measures development process,according to NIST?&#10;A) Identification and definition of the current information security program&#10;B) Development and selection of specific measures to gauge the implementation, effectiveness, efficiency and impact of the security controls&#10;C) Both of these&#10;D) Neither of these

Accepted Answer

The answer of Which of the following is a major...

Question 43

Information security ____ is the process of designing,implementing,and managing the use of the collected data elements called measures to determine the effectiveness of the overall security program.&#10;A) performance management&#10;B) baselining&#10;C) best practices&#10;D) standards of due care/diligence

Accepted Answer

The answer of Information security ____ is the process of...

Question 44

During Phase 1 of the NIST performance measures development process,the organization identifies relevant ____ and their interests in information security measurement.&#10;A) stakeholders&#10;B) users&#10;C) goals and objectives&#10;D) regulations

Accepted Answer

The answer of During Phase 1 of the NIST performance...

Question 45

The benefits of using information security performance measures include all but which of the following?&#10;A) Increasing efficiency for InfoSec performance&#10;B) Improving effectiveness of InfoSec activities&#10;C) Demonstrating compliance with laws, rules and regulations&#10;D) Providing quantifiable inputs for resource allocation decisions

Accepted Answer

The answer of The benefits of using information security performance...

Question 46

A ____ is a &#34;value or profile of a performance metric against which changes in the performance metric can be usefully compared.&#34;.&#10;A) benchmark&#10;B) best practice&#10;C) baseline&#10;D) standard of due care

Accepted Answer

The answer of A ____ is a &#34;value or profile...

Question 47

Which of the following is NOT one of the three types of performance measures used by organizations?&#10;A) Those that determine the effectiveness of the execution of information security policy&#10;B) Those that determine the effectiveness and/or efficiency of the delivery of information security services&#10;C) Those that assess the impact of budgetary shortfalls in information security on the organization or its mission&#10;D) All of these are types of performance measures used by organizations

Accepted Answer

The answer of Which of the following is NOT one...

Question 48

Benchmarking can help to determine ____ controls should be considered,but it cannot determine ____ those controls should be implemented in your organization.&#10;A) which; when&#10;B) if; when&#10;C) what; why&#10;D) which; how

Accepted Answer

The answer of Benchmarking can help to determine ____ controls...

Question 49

Good security now is better ____.&#10;A) than nothing&#10;B) than a kick in the teeth&#10;C) than perfect security never&#10;D) delayed until better security can be developed

Accepted Answer

The answer of Good security now is better ____.&#10;A) than...

Question 50

In information security,two categories of benchmarks are used: standards of due care and due diligence and ____ practices.&#10;A) security&#10;B) recommended&#10;C) measures&#10;D) metrics

Accepted Answer

The answer of In information security,two categories of benchmarks are...

Question 51

The ____ standard is a model level of performance that demonstrates industrial leadership,quality,and concern for the protection of information.&#10;A) Silver&#10;B) Gold&#10;C) Platinum&#10;D) Diamond

Accepted Answer

The answer of The ____ standard is a model level...

Question 52

Security efforts that seek to provide a superior level of performance in the protection of information are called ____.&#10;A) recommended business practices&#10;B) best practices&#10;C) best security practices&#10;D) All of these are correct

Accepted Answer

The answer of Security efforts that seek to provide a...

Question 53

Problems with benchmarking include all but which of the following?&#10;A) Organizations don't share information on successful attacks&#10;B) Organizations being benchmarked are seldom identical&#10;C) Recommended practices change and evolve, thus past performance is no indicator of future success&#10;D) Baseline data provides little value to evaluating progress in improving security

Accepted Answer

The answer of Problems with benchmarking include all but which...

Question 54

One of the most popular references for developing process improvement and performance measures is the ____ model from the Software Engineering Institute at Carnegie Mellon University.&#10;A) Creative Measures & Management Implementation&#10;B) California Metropolitan Management International&#10;C) InfoSec Process and Performance Measures&#10;D) none of these

Accepted Answer

The answer of One of the most popular references for...

Question 55

Which of the following is NOT a question a CISO should be prepared to answer,about a performance measures program,according to Kovacich?&#10;A) Why should these statistics be collected?&#10;B) How will these statistics be collected?&#10;C) How much will the collection of statistics cost?&#10;D) Who will collect these statistics?

Accepted Answer

The answer of Which of the following is NOT a...

Question 56

Which of the following is NOT a factor critical to the success of an information security performance program?&#10;A) Strong upper level management support&#10;B) Practical InfoSec budgets and resources for the program&#10;C) Quantifiable performance measures&#10;D) Results oriented measures analysis

Accepted Answer

The answer of Which of the following is NOT a...

Question 57

Creating a blueprint by looking at the paths taken by organizations similar to the one whose plan you are developing is known as ____.&#10;A) benchmarking&#10;B) best practices&#10;C) baselining&#10;D) standards of due care

Accepted Answer

The answer of Creating a blueprint by looking at the...

Question 58

Organizations must consider all but which of the following during development and implementation of an information security measurement program?&#10;A) Measures must yield quantifiable information (percentages, averages, and numbers)&#10;B) Data that supports the measures needs to be readily obtainable&#10;C) Only repeatable information security processes should be considered for measurement&#10;D) Measures must be useful for tracking shortfalls in organizational resources

Accepted Answer

The answer of Organizations must consider all but which of...

Question 59

Organizations that adopt minimum levels of security to establish a future legal defense may need to verify that they have done what any ____ organization would do in similar circumstances.&#10;A) prudent&#10;B) security&#10;C) excellent&#10;D) gold standard

Accepted Answer

The answer of Organizations that adopt minimum levels of security...

Question 60

While the terms may be interchangeable in some organizations,typically the term ____ is used for more granular,detailed measurement,while the term ____ is used for aggregate,higher-level results.&#10;A) details; summaries&#10;B) objectives; outcomes&#10;C) measures; metrics&#10;D) metrics; measures

Accepted Answer

The answer of While the terms may be interchangeable in...

Question 61

Maintaining an acceptable level of secure controls over time indicates that an organization has met the standard of ____.&#10;A) prudent man defense&#10;B) due diligence&#10;C) best practice&#10;D) due care

Accepted Answer

The answer of Maintaining an acceptable level of secure controls...

Question 62

One of the critical tasks in the performance measurement process is to assess and ____ what will be measured.&#10;A) regulate&#10;B) quantify&#10;C) report&#10;D) analyze

Accepted Answer

The answer of One of the critical tasks in the...

Question 63

In security management,____ is the authorization of an IT system to process,store,or transmit information.&#10;A) accreditation&#10;B) certification&#10;C) performance measurement&#10;D) authorization

Accepted Answer

The answer of In security management,____ is the authorization of...

Question 64

In reporting InfoSec performance measures,the CISO must also consider ____.&#10;A) to whom the results should be disseminated&#10;B) how they should be delivered&#10;C) Both of these&#10;D) Neither of these

Accepted Answer

The answer of In reporting InfoSec performance measures,the CISO must...

Deck 7: Security Management Practices