Indicate whether the statement is true or false.
The general management of an organization must structure the IT and information security functions to lead a successful defense of the organization's information assets.
"If you know the enemy and know yourself, you will succumb in every battle." (Sun Tzu)
Once the threats have been identified, an assets identification process is undertaken.
Identifying human resources, documentation, and data information is less difficult than identifying hardware and software assets.
You should adopt naming standards that do not convey information to potential system attackers.
Comprehensive means that an information asset should fit in only one category.
A certificate authority would be categorized as a software security component.
Examples of exceptionally grave damage include 1) armed hostilities against the United States or its allies and 2) disruption of foreign relations vitally affecting the national security.
You can use only qualitative measures to rank values.
Protocols are activities performed within the organization to improve security.
With lattice-based access control, the column of attributes associated with a particular object (such as a printer) are referred to as the access control table.
Discretionary controls are managed by a central authority in the organization.
The results from risk assessment activities can be delivered in a number of ways: a report on a systematic approach to risk control, a project-based risk assessment, or a topic-specific risk assessment.
Every organization should have the collective will and budget to manage every threat by applying controls.
Organizations should communicate with system users throughout the development of the security program, letting them know that change is occurring.
Internal benchmarking can provide the foundation for baselining.
One problem with benchmarking is that there are many organizations that are identical.
A best practice proposed for a small home office setting is always appropriate to help design control strategies for a multinational company.
Best business practices are often called recommended practices.
Metrics-based measures are generally less focused on numbers and more strategic than process-based meas-
The CBA is solely based on the cost of the proposed control.
The amount of money spent to protect an asset is often based in part on the value of the asset.
The components of asset valuation include equipment critical to the success of the organization.