Chapter 04
True/False
Indicate whether the statement is true or false.

____ 1. The general management of an organization must structure the IT and information security functions to lead a successful defense of the organization's information assets.
____ 2. "If you know the enemy and know yourself, you will succumb in every battle." (Sun Tzu)
____ 3. Once the threats have been identified, an assets identification process is undertaken.
____ 4. Identifying human resources, documentation, and data information is less difficult than identifying hardware and software assets.
____ 5. You should adopt naming standards that do not convey information to potential system attackers.
____ 6. Comprehensive means that an information asset should fit in only one category.
____ 7. A certificate authority would be categorized as a software security component.
____ 8. Examples of exceptionally grave damage include 1) armed hostilities against the United States or its allies and 2) disruption of foreign relations vitally affecting the national security.
____ 9. You can use only qualitative measures to rank values.
____ 10. Protocols are activities performed within the organization to improve security.
____ 11. With lattice-based access control, the column of attributes associated with a particular object (such as a printer) are referred to as the access control table.
____ 12. Discretionary controls are managed by a central authority in the organization.
____ 13. The results from risk assessment activities can be delivered in a number of ways: a report on a systematic approach to risk control, a project-based risk assessment, or a topic-specific risk assessment.
____ 14. Every organization should have the collective will and budget to manage every threat by applying controls.
____ 15. Organizations should communicate with system users throughout the development of the security program, letting them know that change is occurring.
____ 16. Internal benchmarking can provide the foundation for baselining.
____ 17. One problem with benchmarking is that there are many organizations that are identical.
____ 18. A best practice proposed for a small home office setting is always appropriate to help design control strategies for a multinational company.
____ 19. Best business practices are often called recommended practices.
____ 20. Metrics-based measures are generally less focused on numbers and more strategic than process-based measures.
____ 21. The CBA is solely based on the cost of the proposed control.
____ 22. The amount of money spent to protect an asset is often based in part on the value of the asset.
____ 23. The components of asset valuation include equipment critical to the success of the organization.
____ 24.
