Indicate whether the statement is true or false.
If an organization deals successfully with change and has created procedures and systems that can be adjusted
to the environment, the existing security improvement program will probably continue to work well.
As threats evolve or new vulnerabilities in the systems emerge, the information security team must determine
if a shift in the priorities of the organization’s security posture is required.
The tracking of trouble tickets should include tracking problem resolution.
Policies can be considered enforceable even if they have not been understood and agreed to.
Users do not participate in configuration management.
Documentation procedures are not required for configuration and change management processes.
When the amount of data stored on a particular hard drive averages 30-40% of available capacity for a
prolonged period, consider an upgrade for the hard drive.
A maintenance model such as the ISO model deals with methods to manage and operate systems.
External monitoring entails collecting intelligence from various data sources, and then giving that intelligence
context and meaning for use by decision makers within the organization.
Often, US-CERT is viewed as a definitive authority with regard to computer and information security events.
Many publicly accessible information sources, both mailing lists and Web sites, are available to those
organizations and individuals who have the time, expertise, and grant access to make use of them.
Over time, external monitoring processes should capture information about the external environment in a
format that can be referenced both across the organization as threats emerge and for historical use.
The value of internal monitoring is low when the resulting knowledge of the network and systems configura-
tion is fed into the vulnerability assessment and remediation maintenance domain.
The characteristics concerned with manufacturer and software versions are about technical functionality —
and they should be kept highly accurate and up-to-date.
The target selection step involves using the external monitoring intelligence to configure a test engine (such
as Nessus) for the tests to be performed.
The intranet scan starts with an Internet search engine.
All systems that are mission critical should be enrolled in PSV measurement.
All telephone numbers controlled by an organization should be tested, unless the configuration of the phone
equipment on premises can assure that no number can be dialed from the worldwide telephone system.