Chapter 04

04 True/False

Indicate whether the statement is true or false.

____ 1. The general management of an organization must structure the IT and information security functions to lead a successful defense of the organization's information assets.

____ 2. "If you know the enemy and know yourself, you will succumb in every battle." (Sun Tzu)

____ 3. Once the threats have been identified, an assets identification process is undertaken.

____ 4. Identifying human resources, documentation, and data information is less difficult than identifying hardware and software assets.

____ 5. You should adopt naming standards that do not convey information to potential system attackers.

____ 6. Comprehensive means that an information asset should fit in only one category.

____ 7. A certificate authority would be categorized as a software security component.

____ 8. Examples of exceptionally grave damage include 1) armed hostilities against the United States or its allies and 2) disruption of foreign relations vitally affecting the national security.

____ 9. You can use only qualitative measures to rank values.

____ 10. Protocols are activities performed within the organization to improve security.

____ 11. With lattice-based access control, the column of attributes associated with a particular object (such as a printer) are referred to as the access control table.

____ 12. Discretionary controls are managed by a central authority in the organization.

____ 13. The results from risk assessment activities can be delivered in a number of ways: a report on a systematic approach to risk control, a project-based risk assessment, or a topic-specific risk assessment.

____ 14. Every organization should have the collective will and budget to manage every threat by applying controls.

____ 15. Organizations should communicate with system users throughout the development of the security program, letting them know that change is occurring.

____ 16. Internal benchmarking can provide the foundation for baselining.

____ 17. One problem with benchmarking is that there are many organizations that are identical.

____ 18. A best practice proposed for a small home office setting is always appropriate to help design control strategies for a multinational company.

____ 19. Best business practices are often called recommended practices.

____ 20. Metrics-based measures are generally less focused on numbers and more strategic than process-based measures.

____ 21. The CBA is solely based on the cost of the proposed control.

____ 22. The amount of money spent to protect an asset is often based in part on the value of the asset.

____ 23. The components of asset valuation include equipment critical to the success of the organization.

____ ...