Deck 7: Security Management Practices (114 cards)

Question
NIST recommends the documentation of each performance measure in a customized format to ensure repeatability of measures development, tailoring, collection, and reporting activities.
Answer: False
Question
When an organization applies statistical and quantitative forms of mathematical analysis to the data points collected to measure the activities and outcomes of the InfoSec program, it is using InfoSec best practices.
Answer: False
Question
In the future, NIST is replacing traditional Certification and Accreditation with authorization strategies and security control assessment.
Answer: True
Question
One of the priorities in building an information security measures program is determining whether these measures will be macro-focus or micro-focus.
Question
A best practice is a "value or profile of a performance metric against which changes in the performance metric can be usefully compared."
Question
To generate a security blueprint, organizations usually draw from established security models and practices.
Question
Best security practices (BSPs) balance the need for information access with the need for adequate protection while simultaneously demonstrating social responsibility.
Question
"Good security now is better than perfect security never."
Question
The biggest barrier to benchmarking in information security is the fact that organizations do not talk to each other.
Question
Information security performance management is the process of designing, implementing, and managing the use of the collected data elements called measures to determine the effectiveness of the overall security program.
Question
Certification is defined as "the comprehensive evaluation of the technical and nontechnical security controls of an IT system to support the accreditation process that establishes the extent to which a particular design and implementation meets a set of specified security requirements."
Question
Once developed, information security performance measures must be implemented and integrated into ongoing information security management operations. For the most part, it is sufficient to collect these measures once.
Question
The platinum standard is a model level of performance that demonstrates industrial leadership, quality, and concern for the protection of information.
Question
One of the three goals of System Certification and Accreditation as defined by NIST is to: define essential maximum security controls for federal IT systems.
Question
Another way to create a blueprint is to look at the paths taken by organizations similar to the one whose plan you are developing, known as baselining.
Question
Accreditation is the authorization of an IT system to process, store, or transmit information.
Question
The first phase in the NIST performance measures methodology is to collect data and analyze results; collect, aggregate, and consolidate metric data collection and compare measurements with targets.
Question
Organizations strive to deliver the most value with a given level of investment; this is called the value proposition.
Question
Organizations that adopt minimum levels of security to establish a future legal defense may need to verify that they have done what any prudent organization would do in similar circumstances; this is known as a standard of due care.
Question
In information security, two categories of benchmarks are used: 1) standards of due care and due diligence and 2) baselining.
Question
One of the critical tasks in the measurement process is to assess and quantify what will be secured. _________________________
Question
Because "organizations manage what they measure," it is important to ensure that individual metrics are reported in the same manner as the performance they measure. _________________________
Question
Even with strong management support, an information security measures program must be able to demonstrate due care to the organization. _________________________
Question
Implementing controls at an acceptable standard, and maintaining them, demonstrates that an organization has performed due diligence. _________________________
Question
It is no longer sufficient to simply assert effective information security; an organization must demonstrate that it is taking effective measures in the spirit of due diligence. _________________________
Question
By looking at the paths taken by organizations similar to the one whose plan you are developing, known as benchmarking, the organization can follow the recommended or existing practices of a similar organization or industry-developed standards. _________________________
Question
Production-level statistics depend greatly on the number of systems and the number of users of those systems. _________________________
Question
A goal of 100 percent employee information security training in the training program would invalidate the continued collection of training measures. _________________________
Question
Performance measurement is an ongoing, continuous improvement operation. _________________________
Question
When choosing from among recommended practices, an organization should ask if it resembles the target organization of the recommended practice. _________________________
Question
In some organizations, the terms metrics and best practices are interchangeable. _________________________
Question
In information security, two categories of benchmarks are used: standards of due care and due diligence and recommended practices. _________________________
Question
Security efforts that seek to provide a(n) acceptable level of performance in the protection of information are called recommended business practices or just best practices. _________________________
Question
Another problem with benchmarking is that no two organizations are similar. _________________________
Question
Strong upper level management support is critical to the success of an information security performance program. _________________________
Question
One of the most popular of the many references that support the development of process improvement and performance measures is The Capability Maturity Model Integrated (CMMI), designed specifically to integrate an organization's process improvement activities across disciplines. _________________________
Question
The federal government prohibits the distribution of best security practices with organizations other than federal agencies. _________________________
Question
Measures are data points or computed trends that may indicate the effectiveness of security countermeasures or controls, technical and managerial, as implemented in the organization. _________________________
Question
Industries that are regulated by governmental agencies are required to meet government guidelines in their security practices. _________________________
Question
A(n) baseline is a "value or profile of a performance metric against which changes in the performance metric can be usefully compared." _________________________
Question
In selecting among recommended practices, an organization should seek to ensure that the target ____ is similar to their own.

A) threat environment
B) resource expenditures
C) organization structure
D) all of these
Question
Which of the following is a major activity in the information security measures development process, according to NIST?

A) Identification and definition of the current information security program
B) Development and selection of specific measures to gauge the implementation, effectiveness, efficiency and impact of the security controls
C) Both of these
D) Neither of these
Question
Information security ____ is the process of designing, implementing, and managing the use of the collected data elements called measures to determine the effectiveness of the overall security program.

A) performance management
B) baselining
C) best practices
D) standards of due care/diligence
Question
During Phase 1 of the NIST performance measures development process, the organization identifies relevant ____ and their interests in information security measurement.

A) stakeholders
B) users
C) goals and objectives
D) regulations
Question
The benefits of using information security performance measures include all but which of the following?

A) Increasing efficiency for InfoSec performance
B) Improving effectiveness of InfoSec activities
C) Demonstrating compliance with laws, rules and regulations
D) Providing quantifiable inputs for resource allocation decisions
Question
A ____ is a "value or profile of a performance metric against which changes in the performance metric can be usefully compared."

A) benchmark
B) best practice
C) baseline
D) standard of due care
Question
Which of the following is NOT one of the three types of performance measures used by organizations?

A) Those that determine the effectiveness of the execution of information security policy
B) Those that determine the effectiveness and/or efficiency of the delivery of information security services
C) Those that assess the impact of budgetary shortfalls in information security on the organization or its mission
D) All of these are types of performance measures used by organizations
Question
Benchmarking can help to determine ____ controls should be considered, but it cannot determine ____ those controls should be implemented in your organization.

A) which; when
B) if; when
C) what; why
D) which; how
Question
Good security now is better ____.

A) than nothing
B) than a kick in the teeth
C) than perfect security never
D) delayed until better security can be developed
Question
In information security, two categories of benchmarks are used: standards of due care and due diligence and ____ practices.

A) security
B) recommended
C) measures
D) metrics
Question
The ____ standard is a model level of performance that demonstrates industrial leadership, quality, and concern for the protection of information.

A) Silver
B) Gold
C) Platinum
D) Diamond
Question
Security efforts that seek to provide a superior level of performance in the protection of information are called ____.

A) recommended business practices
B) best practices
C) best security practices
D) All of these are correct
Question
Problems with benchmarking include all but which of the following?

A) Organizations don't share information on successful attacks
B) Organizations being benchmarked are seldom identical
C) Recommended practices change and evolve, thus past performance is no indicator of future success
D) Baseline data provides little value to evaluating progress in improving security
Question
One of the most popular references for developing process improvement and performance measures is the ____ model from the Software Engineering Institute at Carnegie Mellon University.

A) Creative Measures & Management Implementation
B) California Metropolitan Management International
C) InfoSec Process and Performance Measures
D) none of these
Question
Which of the following is NOT a question a CISO should be prepared to answer, about a performance measures program, according to Kovacich?

A) Why should these statistics be collected?
B) How will these statistics be collected?
C) How much will the collection of statistics cost?
D) Who will collect these statistics?
Question
Which of the following is NOT a factor critical to the success of an information security performance program?

A) Strong upper level management support
B) Practical InfoSec budgets and resources for the program
C) Quantifiable performance measures
D) Results oriented measures analysis
Question
Creating a blueprint by looking at the paths taken by organizations similar to the one whose plan you are developing is known as ____.

A) benchmarking
B) best practices
C) baselining
D) standards of due care
Question
Organizations must consider all but which of the following during development and implementation of an information security measurement program?

A) Measures must yield quantifiable information (percentages, averages, and numbers)
B) Data that supports the measures needs to be readily obtainable
C) Only repeatable information security processes should be considered for measurement
D) Measures must be useful for tracking shortfalls in organizational resources
Question
Organizations that adopt minimum levels of security to establish a future legal defense may need to verify that they have done what any ____ organization would do in similar circumstances.

A) prudent
B) security
C) excellent
D) gold standard
Question
While the terms may be interchangeable in some organizations, typically the term ____ is used for more granular, detailed measurement, while the term ____ is used for aggregate, higher-level results.

A) details; summaries
B) objectives; outcomes
C) measures; metrics
D) metrics; measures
Question
Maintaining an acceptable level of secure controls over time indicates that an organization has met the standard of ____.

A) prudent man defense
B) due diligence
C) best practice
D) due care
Question
One of the critical tasks in the performance measurement process is to assess and ____ what will be measured.

A) regulate
B) quantify
C) report
D) analyze
Question
In security management, ____ is the authorization of an IT system to process, store, or transmit information.

A) accreditation
B) certification
C) performance measurement
D) authorization
Question
In reporting InfoSec performance measures, the CISO must also consider ____.

A) to whom the results should be disseminated
B) how they should be delivered
C) Both of these
D) Neither of these
Question
In the NIST performance measures implementation process, the comparison of observed measurements with target values is known as a ____ analysis.

A) shortfall
B) gap
C) corrective
D) failure
Question
Performance ____ make it possible to define success in the security program.

A) measures
B) targets
C) programs
D) none of these
Question
Which of the following is the first phase in the NIST process for performance measures implementation?

A) Develop the business case
B) Obtain resources
C) Prepare for data collection
D) Obtain management support
Question
It is seldom advisable to broadcast complex and nuanced metrics-based reports to large groups, unless ____.

A) the group is well educated and capable of understanding such complex reports
B) the reports also contain addendums providing detailed analyses of the findings
C) the key points are well established and embedded in a more complete context such as a newsletter or press release
D) None of these
Question
Production-level statistics depend greatly on the number of ____.

A) performance measures developed
B) systems and users of those systems
C) threats and attacks
D) activities and goals implemented by the business unit
Question
In most cases, simply listing the measurements collected does not adequately convey their ____.

A) meaning
B) cost
C) value
D) importance
Question
Which of the following is the last phase in the NIST process for performance measures implementation?

A) Apply corrective actions
B) Obtain resources
C) Repeat the process
D) Obtain management support
Question
Designing the performance measures collection process requires thoughtful consideration of the ____ of the metric along with a thorough knowledge of how production services are delivered.

A) cost
B) location
C) intent
D) owner
Question
Organizations pursue accreditation or certification to ____.

A) gain a competitive advantage
B) provide assurance to their customers
C) provide confidence to their customers
D) All of these
Question
Once developed, information security performance measures must be implemented and integrated into ____ information security management operations.

A) cost-effective
B) ongoing
C) efficient
D) regulated
Question
Collecting project metrics may be even more challenging. Unless the organization is satisfied with a simple tally of who spent how many hours doing which tasks, it needs some mechanism to link the ____ of each project, in terms of loss control or risk reduction, to the resources consumed.

A) metric
B) outcome
C) budget
D) users
Question
NIST recommends the documentation of performance measures in a format to ensure ____ of measures development, tailoring, collection, and reporting activities.

A) effectiveness
B) efficiency
C) repeatability
D) accountability
Question
During Phase 2 of the NIST performance measures development process, the organization will identify and document the information security performance ____ that would guide security control implementation for the information security program of a specific information system.

A) stakeholders
B) users
C) goals and objectives
D) regulations
Question
In security management, ____ is "the comprehensive evaluation of the technical and nontechnical security controls of an IT system to support the process that establishes the extent to which a particular design and implementation meets a set of specified security requirements."

A) accreditation
B) certification
C) performance measurement
D) authorization
Question
One of the priorities in building an information security measures program is determining whether these measures will be macro-focus or micro-focus. ____ measures examine the performance of the overall security program.

A) Micro-focused
B) Macro-focused
C) Both of these
D) Neither of these
Question
One of the fundamental challenges in information security performance measurement is the definition of ____ security.

A) effective
B) modern
C) information
D) efficient
Deck 7: Security Management Practices
1
NIST recommends the documentation of each performance measure in a customized format to ensure repeatability of measures development,tailoring,collection,and reporting activities.
False
2
When an organization applies statistical and quantitative forms of mathematical analysis to the data points collected to measure the activities and outcomes of the InfoSec program,it is using InfoSec best practices.
False
3
In the future,NIST is replacing traditional Certification and Accreditation with authorization strategies and security control assessment.
True
4
One of the priorities in building an information security measures program is determining whether these measures will be macro-focus or micro-focus.
Unlock Deck
Unlock for access to all 114 flashcards in this deck.
Unlock Deck
k this deck
5
A best practice is a "value or profile of a performance metric against which changes in the performance metric can be usefully compared."
Unlock Deck
Unlock for access to all 114 flashcards in this deck.
Unlock Deck
k this deck
6
To generate a security blueprint,organizations usually draw from established security models and practices.
Unlock Deck
Unlock for access to all 114 flashcards in this deck.
Unlock Deck
k this deck
7
Best security practices (BSPs)balance the need for information access with the need for adequate protection while simultaneously demonstrating social responsibility.
Unlock Deck
Unlock for access to all 114 flashcards in this deck.
Unlock Deck
k this deck
8
"Good security now is better than perfect security never."
Unlock Deck
Unlock for access to all 114 flashcards in this deck.
Unlock Deck
k this deck
9
The biggest barrier to benchmarking in information security is the fact that organizations do not talk to each other.
Unlock Deck
Unlock for access to all 114 flashcards in this deck.
Unlock Deck
k this deck
10
Information security performance management is the process of designing,implementing,and managing the use of the collected data elements called measures to determine the effectiveness of the overall security program.
Unlock Deck
Unlock for access to all 114 flashcards in this deck.
Unlock Deck
k this deck
11
Certification is defined as "the comprehensive evaluation of the technical and nontechnical security controls of an IT system to support the accreditation process that establishes the extent to which a particular design and implementation meets a set of specified security requirements.
Unlock Deck
Unlock for access to all 114 flashcards in this deck.
Unlock Deck
k this deck
12
Once developed,information security performance measures must be implemented and integrated into ongoing information security management operations.For the most part,it is sufficient to collect these measures once.
Unlock Deck
Unlock for access to all 114 flashcards in this deck.
Unlock Deck
k this deck
13
The platinum standard is a model level of performance that demonstrates industrial leadership,quality,and concern for the protection of information.
Unlock Deck
Unlock for access to all 114 flashcards in this deck.
Unlock Deck
k this deck
14
One of the three goals of System Certification and Accreditation as defined by NIST is to: define essential maximum security controls for federal IT systems.
Unlock Deck
Unlock for access to all 114 flashcards in this deck.
Unlock Deck
k this deck
15
Another way to create a blueprint is to look at the paths taken by organizations similar to the one whose plan you are developing,known as baselining.
Unlock Deck
Unlock for access to all 114 flashcards in this deck.
Unlock Deck
k this deck
16
Accreditation is the authorization of an IT system to process,store,or transmit information.
Unlock Deck
Unlock for access to all 114 flashcards in this deck.
Unlock Deck
k this deck
17
The first phase in the NIST performance measures methodology is to collect data and analyze results; collect,aggregate,and consolidate metric data collection and compare measurements with targets.
Unlock Deck
Unlock for access to all 114 flashcards in this deck.
Unlock Deck
k this deck
18
Organizations strive to deliver the most value with a given level of investment-this is called the value proposition.
Unlock Deck
Unlock for access to all 114 flashcards in this deck.
Unlock Deck
k this deck
19
Organizations that adopt minimum levels of security to establish a future legal defense may need to verify that they have done what any prudent organization would do in similar circumstances; this is known as a standard of due care.
Unlock Deck
Unlock for access to all 114 flashcards in this deck.
Unlock Deck
k this deck
20
In information security,two categories of benchmarks are used: 1)standards of due care and due diligence and 2)baselining.
Unlock Deck
Unlock for access to all 114 flashcards in this deck.
Unlock Deck
k this deck
21
One of the critical tasks in the measurement process is to assess and quantify what will be secured._________________________
Unlock Deck
Unlock for access to all 114 flashcards in this deck.
Unlock Deck
k this deck
22
Because "organizations manage what they measure," it is important to ensure that individual metrics are reported in the same manner as the performance they measure._________________________
Unlock Deck
Unlock for access to all 114 flashcards in this deck.
Unlock Deck
k this deck
23
Even with strong management support,an information security measures program must be able to demonstrate due care to the organization._________________________
Unlock Deck
Unlock for access to all 114 flashcards in this deck.
Unlock Deck
k this deck
24
Implementing controls at an acceptable standard-and maintaining them-demonstrates that an organization has performed due diligence._________________________
Unlock Deck
Unlock for access to all 114 flashcards in this deck.
Unlock Deck
k this deck
25
It is no longer sufficient to simply assert effective information security; an organization must demonstrate that it is taking effective measures in the spirit of due diligence._________________________
Unlock Deck
Unlock for access to all 114 flashcards in this deck.
Unlock Deck
k this deck
26
By looking at the paths taken by organizations similar to the one whose plan you are developing,known as benchmarking,the organization can follow the recommended or existing practices of a similar organization or industry-developed standards._________________________
Unlock Deck
Unlock for access to all 114 flashcards in this deck.
Unlock Deck
k this deck
27
Production level statistics depend greatly on the number of systems and the number of users of those systems._________________________
Unlock Deck
Unlock for access to all 114 flashcards in this deck.
Unlock Deck
k this deck
28
A goal of 100 percent employee information security training in the training program would invalidate the continued collection of training measures._________________________
Unlock Deck
Unlock for access to all 114 flashcards in this deck.
Unlock Deck
k this deck
29
Performance measurement is an ongoing,continuous improvement operation._________________________
Unlock Deck
Unlock for access to all 114 flashcards in this deck.
Unlock Deck
k this deck
30
When choosing from among recommended practices,an organization should ask if it resembles the target organization of the recommended practice._________________________
Unlock Deck
Unlock for access to all 114 flashcards in this deck.
Unlock Deck
k this deck
31
In some organizations,the terms metrics and best practices are interchangeable._________________________
Unlock Deck
Unlock for access to all 114 flashcards in this deck.
Unlock Deck
k this deck
32
In information security,two categories of benchmarks are used: standards of due care and due diligence and recommended practices._________________________
Unlock Deck
Unlock for access to all 114 flashcards in this deck.
Unlock Deck
k this deck
33
Security efforts that seek to provide a(n)acceptable level of performance in the protection of information are called recommended business practices or just best practices._________________________
Unlock Deck
Unlock for access to all 114 flashcards in this deck.
Unlock Deck
k this deck
34
Another problem with benchmarking is that no two organizations are similar._________________________
Unlock Deck
Unlock for access to all 114 flashcards in this deck.
Unlock Deck
k this deck
35
Strong upper level management support is critical to the success of an information security performance program._________________________
Unlock Deck
Unlock for access to all 114 flashcards in this deck.
Unlock Deck
k this deck
36
One of the most popular of the many references that support the development of process improvement and performance measures is The Capability Maturity Model Integrated (CMMI)designed specifically to integrate an organization's process improvement activities across disciplines._________________________
Unlock Deck
Unlock for access to all 114 flashcards in this deck.
Unlock Deck
k this deck
37
The federal government prohibits the distribution of best security practices with organizations other than federal agencies._________________________
Unlock Deck
Unlock for access to all 114 flashcards in this deck.
Unlock Deck
k this deck
38
Measures are data points or computed trends that may indicate the effectiveness of security countermeasures or controls-technical and managerial-as implemented in the organization._________________________
Unlock Deck
Unlock for access to all 114 flashcards in this deck.
Unlock Deck
k this deck
39
Industries that are regulated by governmental agencies are required to meet government guidelines in their security practices._________________________
Unlock Deck
Unlock for access to all 114 flashcards in this deck.
Unlock Deck
k this deck
40
A(n)baseline is a "value or profile of a performance metric against which changes in the performance metric can be usefully compared." _________________________
Unlock Deck
Unlock for access to all 114 flashcards in this deck.
Unlock Deck
k this deck
41
In selecting among recommended practices,an organization should seek to ensure that the target ____ is similar to their own.

A) threat environment
B) resource expenditures
C) organization structure
D) all of these
Unlock Deck
Unlock for access to all 114 flashcards in this deck.
Unlock Deck
k this deck
42
Which of the following is a major activity in the information security measures development process,according to NIST?

A) Identification and definition of the current information security program
B) Development and selection of specific measures to gauge the implementation, effectiveness, efficiency and impact of the security controls
C) Both of these
D) Neither of these
Unlock Deck
Unlock for access to all 114 flashcards in this deck.
Unlock Deck
k this deck
43
Information security ____ is the process of designing,implementing,and managing the use of the collected data elements called measures to determine the effectiveness of the overall security program.

A) performance management
B) baselining
C) best practices
D) standards of due care/diligence
Unlock Deck
Unlock for access to all 114 flashcards in this deck.
Unlock Deck
k this deck
44
During Phase 1 of the NIST performance measures development process,the organization identifies relevant ____ and their interests in information security measurement.

A) stakeholders
B) users
C) goals and objectives
D) regulations
Unlock Deck
Unlock for access to all 114 flashcards in this deck.
Unlock Deck
k this deck
45
The benefits of using information security performance measures include all but which of the following?

A) Increasing efficiency for InfoSec performance
B) Improving effectiveness of InfoSec activities
C) Demonstrating compliance with laws, rules and regulations
D) Providing quantifiable inputs for resource allocation decisions
Unlock Deck
Unlock for access to all 114 flashcards in this deck.
Unlock Deck
k this deck
46
A ____ is a "value or profile of a performance metric against which changes in the performance metric can be usefully compared.".

A) benchmark
B) best practice
C) baseline
D) standard of due care
Unlock Deck
Unlock for access to all 114 flashcards in this deck.
Unlock Deck
k this deck
47
Which of the following is NOT one of the three types of performance measures used by organizations?

A) Those that determine the effectiveness of the execution of information security policy
B) Those that determine the effectiveness and/or efficiency of the delivery of information security services
C) Those that assess the impact of budgetary shortfalls in information security on the organization or its mission
D) All of these are types of performance measures used by organizations
Unlock Deck
Unlock for access to all 114 flashcards in this deck.
Unlock Deck
k this deck
48
Benchmarking can help to determine ____ controls should be considered,but it cannot determine ____ those controls should be implemented in your organization.

A) which; when
B) if; when
C) what; why
D) which; how
Unlock Deck
Unlock for access to all 114 flashcards in this deck.
Unlock Deck
k this deck
49
Good security now is better ____.

A) than nothing
B) than a kick in the teeth
C) than perfect security never
D) delayed until better security can be developed
Unlock Deck
Unlock for access to all 114 flashcards in this deck.
Unlock Deck
k this deck
50
In information security,two categories of benchmarks are used: standards of due care and due diligence and ____ practices.

A) security
B) recommended
C) measures
D) metrics
Unlock Deck
Unlock for access to all 114 flashcards in this deck.
Unlock Deck
k this deck
51
The ____ standard is a model level of performance that demonstrates industrial leadership,quality,and concern for the protection of information.

A) Silver
B) Gold
C) Platinum
D) Diamond
Unlock Deck
Unlock for access to all 114 flashcards in this deck.
Unlock Deck
k this deck
52
Security efforts that seek to provide a superior level of performance in the protection of information are called ____.

A) recommended business practices
B) best practices
C) best security practices
D) All of these are correct
Unlock Deck
Unlock for access to all 114 flashcards in this deck.
Unlock Deck
k this deck
53
Problems with benchmarking include all but which of the following?

A) Organizations don't share information on successful attacks
B) Organizations being benchmarked are seldom identical
C) Recommended practices change and evolve, thus past performance is no indicator of future success
D) Baseline data provides little value to evaluating progress in improving security
54
One of the most popular references for developing process improvement and performance measures is the ____ model from the Software Engineering Institute at Carnegie Mellon University.

A) Creative Measures & Management Implementation
B) California Metropolitan Management International
C) InfoSec Process and Performance Measures
D) none of these
55
Which of the following is NOT a question a CISO should be prepared to answer, about a performance measures program, according to Kovacich?

A) Why should these statistics be collected?
B) How will these statistics be collected?
C) How much will the collection of statistics cost?
D) Who will collect these statistics?
56
Which of the following is NOT a factor critical to the success of an information security performance program?

A) Strong upper level management support
B) Practical InfoSec budgets and resources for the program
C) Quantifiable performance measures
D) Results oriented measures analysis
57
Creating a blueprint by looking at the paths taken by organizations similar to the one whose plan you are developing is known as ____.

A) benchmarking
B) best practices
C) baselining
D) standards of due care
58
Organizations must consider all but which of the following during development and implementation of an information security measurement program?

A) Measures must yield quantifiable information (percentages, averages, and numbers)
B) Data that supports the measures needs to be readily obtainable
C) Only repeatable information security processes should be considered for measurement
D) Measures must be useful for tracking shortfalls in organizational resources
59
Organizations that adopt minimum levels of security to establish a future legal defense may need to verify that they have done what any ____ organization would do in similar circumstances.

A) prudent
B) security
C) excellent
D) gold standard
60
While the terms may be interchangeable in some organizations, typically the term ____ is used for more granular, detailed measurement, while the term ____ is used for aggregate, higher-level results.

A) details; summaries
B) objectives; outcomes
C) measures; metrics
D) metrics; measures
61
Maintaining an acceptable level of secure controls over time indicates that an organization has met the standard of ____.

A) prudent man defense
B) due diligence
C) best practice
D) due care
62
One of the critical tasks in the performance measurement process is to assess and ____ what will be measured.

A) regulate
B) quantify
C) report
D) analyze
63
In security management, ____ is the authorization of an IT system to process, store, or transmit information.

A) accreditation
B) certification
C) performance measurement
D) authorization
64
In reporting InfoSec performance measures, the CISO must also consider ____.

A) to whom the results should be disseminated
B) how they should be delivered
C) Both of these
D) Neither of these
65
In the NIST performance measures implementation process, the comparison of observed measurements with target values is known as a ____ analysis.

A) shortfall
B) gap
C) corrective
D) failure
66
Performance ____ make it possible to define success in the security program.

A) measures
B) targets
C) programs
D) none of these
67
Which of the following is the first phase in the NIST process for performance measures implementation?

A) Develop the business case
B) Obtain resources
C) Prepare for data collection
D) Obtain management support
68
It is seldom advisable to broadcast complex and nuanced metrics-based reports to large groups, unless ____.

A) the group is well educated and capable of understanding such complex reports
B) the reports also contain addendums providing detailed analyses of the findings
C) the key points are well established and embedded in a more complete context such as a newsletter or press release
D) None of these
69
Production-level statistics depend greatly on the number of ____.

A) performance measures developed
B) systems and users of those systems
C) threats and attacks
D) activities and goals implemented by the business unit
70
In most cases, simply listing the measurements collected does not adequately convey their ____.

A) meaning
B) cost
C) value
D) importance
71
Which of the following is the last phase in the NIST process for performance measures implementation?

A) Apply corrective actions
B) Obtain resources
C) Repeat the process
D) Obtain management support
72
Designing the performance measures collection process requires thoughtful consideration of the ____ of the metric along with a thorough knowledge of how production services are delivered.

A) cost
B) location
C) intent
D) owner
73
Organizations pursue accreditation or certification to ____.

A) gain a competitive advantage
B) provide assurance to their customers
C) provide confidence to their customers
D) All of these
74
Once developed, information security performance measures must be implemented and integrated into ____ information security management operations.

A) cost-effective
B) ongoing
C) efficient
D) regulated
75
Collecting project metrics may be even more challenging. Unless the organization is satisfied with a simple tally of who spent how many hours doing which tasks, it needs some mechanism to link the ____ of each project, in terms of loss control or risk reduction, to the resources consumed.

A) metric
B) outcome
C) budget
D) users
76
NIST recommends the documentation of performance measures in a format to ensure ____ of measures development, tailoring, collection, and reporting activities.

A) effectiveness
B) efficiency
C) repeatability
D) accountability
77
During Phase 2 of the NIST performance measures development process, the organization will identify and document the information security performance ____ that would guide security control implementation for the information security program of a specific information system.

A) stakeholders
B) users
C) goals and objectives
D) regulations
78
In security management, ____ is "the comprehensive evaluation of the technical and nontechnical security controls of an IT system to support the process that establishes the extent to which a particular design and implementation meets a set of specified security requirements."

A) accreditation
B) certification
C) performance measurement
D) authorization
79
One of the priorities in building an information security measures program is determining whether these measures will be macro-focus or micro-focus. ____ measures examine the performance of the overall security program.

A) Micro-focused
B) Macro-focused
C) Both of these
D) Neither of these
80
One of the fundamental challenges in information security performance measurement is the definition of ____ security.

A) effective
B) modern
C) information
D) efficient