Question 1

NIST recommends the documentation of each performance measure in a customized format to ensure repeatability of measures development,tailoring,collection,and reporting activities.

Accepted Answer

False

Question 2

When an organization applies statistical and quantitative forms of mathematical analysis to the data points collected to measure the activities and outcomes of the InfoSec program,it is using InfoSec best practices.

Accepted Answer

Using statistical and quantitative analysis is a method for evaluating InfoSec programs, but it is not the sole definition of InfoSec best practices, which encompass a broader range of strategies and guidelines.

Question 3

In the future,NIST is replacing traditional Certification and Accreditation with authorization strategies and security control assessment.

Accepted Answer

This statement is true. NIST is replacing the traditional Certification and Accreditation (C&A) process with a risk-based approach that involves continuous monitoring and ongoing authorization for information systems. This new approach is known as the Risk Management Framework (RMF), which includes security control assessment as one of its key components.

Question 4

One of the priorities in building an information security measures program is determining whether these measures will be macro-focus or micro-focus.

Accepted Answer

The statement is true. One of the first decisions that an organization must make in building an information security measures program is whether the focus will be on macro-level (organizational-wide) or micro-level (specific systems or applications). This decision will guide the development and implementation of security policies, procedures, and controls.

Question 5

A best practice is a "value or profile of a performance metric against which changes in the performance metric can be usefully compared."

Accepted Answer

A best practice is a method or technique that has been generally accepted as superior to any alternatives because it produces results that are superior to those achieved by other means. The definition provided describes a "benchmark."

Question 6

To generate a security blueprint,organizations usually draw from established security models and practices.

Accepted Answer

This statement is true. Organizations typically rely on established security models and practices to develop their security blueprint. These may include frameworks like NIST, ISO, or CIS controls, as well as best practices for specific types of security controls (e.g. firewalls or access control systems).

Question 7

Best security practices (BSPs)balance the need for information access with the need for adequate protection while simultaneously demonstrating social responsibility.

Accepted Answer

The answer of Best security practices (BSPs)balance the need for...

Question 8

"Good security now is better than perfect security never."

Accepted Answer

It is always better to have some level of security rather than waiting indefinitely for the "perfect" security that may never materialize. In today's constantly evolving threat landscape, a proactive approach to security is essential.

Question 9

The biggest barrier to benchmarking in information security is the fact that organizations do not talk to each other.

Accepted Answer

Benchmarking requires comparison and sharing of information between organizations. However, in the field of information security, organizations are often unwilling to disclose their security practices and incidents due to fear of reputational damage or competitive disadvantage. This lack of communication and sharing creates a barrier to benchmarking in information security.

Question 10

Information security performance management is the process of designing,implementing,and managing the use of the collected data elements called measures to determine the effectiveness of the overall security program.

Accepted Answer

This statement accurately describes information security performance management.

Question 11

Certification is defined as "the comprehensive evaluation of the technical and nontechnical security controls of an IT system to support the accreditation process that establishes the extent to which a particular design and implementation meets a set of specified security requirements.

Accepted Answer

This is the correct definition of certification in the context of IT security.

Question 12

Once developed,information security performance measures must be implemented and integrated into ongoing information security management operations.For the most part,it is sufficient to collect these measures once.

Accepted Answer

Information security performance measures must be continuously collected and monitored to ensure ongoing effectiveness and identify areas for improvement. This involves integrating them into regular information security management activities and reviewing them regularly to assess progress and make any necessary adjustments.

Question 13

The platinum standard is a model level of performance that demonstrates industrial leadership,quality,and concern for the protection of information.

Accepted Answer

The term "platinum standard" is not a widely recognized or defined term in the context of performance or information protection. It may be a metaphorical expression, but it does not have a specific, established meaning like "gold standard" does.

Question 14

One of the three goals of System Certification and Accreditation as defined by NIST is to: define essential maximum security controls for federal IT systems.

Accepted Answer

The goal is to assess the effectiveness of security controls, not to define maximum security controls.

Question 15

Another way to create a blueprint is to look at the paths taken by organizations similar to the one whose plan you are developing,known as baselining.

Accepted Answer

The answer of Another way to create a blueprint is...

Question 16

Accreditation is the authorization of an IT system to process,store,or transmit information.

Accepted Answer

Accreditation is the process by which an IT system is authorized to process, store or transmit information. It involves a thorough evaluation of the system's security controls, policies, procedures, and processes. Once the system is found to meet the required security standards, it is granted accreditation.

Question 17

The first phase in the NIST performance measures methodology is to collect data and analyze results; collect,aggregate,and consolidate metric data collection and compare measurements with targets.

Accepted Answer

The first phase in the NIST performance measures methodology is to define the performance measures, not to collect data and analyze results.

Question 18

Organizations strive to deliver the most value with a given level of investment-this is called the value proposition.

Accepted Answer

Organizations always aim to provide the maximum possible value to their stakeholders, which includes customers, shareholders, and employees while optimizing the resources invested. This is referred to as the value proposition.

Question 19

Organizations that adopt minimum levels of security to establish a future legal defense may need to verify that they have done what any prudent organization would do in similar circumstances; this is known as a standard of due care.

Accepted Answer

This statement is true. A standard of due care is a legal term that refers to the level of prudence and caution an organization must take to protect sensitive information, and can be used as evidence in legal disputes to prove that an organization took reasonable measures to protect their data.

Question 20

In information security,two categories of benchmarks are used: 1)standards of due care and due diligence and 2)baselining.

Accepted Answer

The answer of In information security,two categories of benchmarks are...

Quiz 7: Security Management Practices