The document discusses developing an information security program, including training methods and project planning tools. It provides examples of true/false questions about security program elements like the security education, training, and awareness program and work breakdown structure. Key aspects covered include the purpose of SETA to reduce accidental breaches, training methods like one-on-one and formal classes, and that the WBS documents minimum task attributes like work, individuals assigned, dates and expenses.
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Chapter 05 developing_the_security_program
1. Name: Class: Date:
Chapter 05 - Developing the Security Program
Copyright Cengage Learning. Powered by Cognero. Page 1
1. Small organizations spend more per user on security than medium- and large-sized organizations.
a. True
b. False
ANSWER: True
2. Legal assessment for the implementation of the information security program is almost always done by the information
security or IT departments.
a. True
b. False
ANSWER: False
3. Threats from insiders are more likely in a small organization than in a large one.
a. True
b. False
ANSWER: False
4. The security education, training, and awareness (SETA) program is designed to reduce the occurence of external
security attacks.
a. True
b. False
ANSWER: False
5. On-the-job training can result in substandard work performance while the trainee gets up to speed.
a. True
b. False
ANSWER: True
6. The first step in the work breakdown structure (WBS) approach encompasses activities, but not deliverables.
a. True
b. False
ANSWER: False
7. Planners need to estimate the effort required to complete each task, subtask, or action step.
a. True
b. False
ANSWER: True
8. The work breakdown structure (WBS) can only be prepared with a complex specialized desktop PC application.
a. True
b. False
ANSWER: False
9. A task or subtask becomes a(n) action step when it can be completed by one individual or skill set and when it includes
a single deliverable. _________________________
ANSWER: True
2. Name: Class: Date:
Chapter 05 - Developing the Security Program
Copyright Cengage Learning. Powered by Cognero. Page 2
10. Each organization has to determine its own project management methodology for IT and information security projects.
a. True
b. False
ANSWER: True
11. In the early stages of planning, the project planner should attempt to specify completion dates only for major
employees within the project. _________________________
ANSWER: False - milestones
12. Most information security projects require a trained project developer. _________________________
ANSWER: False - manager
13. Which of the following variables is the most influential in determining how to structure an information security
program?
a. Security capital budget b. Organizational size
c. Security personnel budget d. Organizational culture
ANSWER: d
14. Which of the following is true about the security staffing, budget, and needs of a medium-sized organization?
a. they have a larger security staff than a small organization
b. they have a larger security budget (as percent of IT budget) than a small organization
c. they have a smaller security budget (as percent of IT budget) than a large organization
d. they have larger information security needs than a small organization
ANSWER: d
15. Which of the following functions includes identifying the sources of risk and may include offering advice on controls
that can reduce risk?
a. Risk management b. Risk assessment
c. Systems testing d. Vulnerability assessment
ANSWER: b
16. Which of the following functions needed to implement the information security program evaluates patches used to
close software vulnerabilities and acceptance testing of new systems to assure compliance with policy and effectiveness?
a. Systems testing b. Risk assessment
c. Incident response d. Systems security administration
ANSWER: a
17. Which function needed to implement the information security program includes researching, creating, maintaining,
and promoting information security plans?
a. compliance b. policy
c. planning d. systems security administration
ANSWER: c
18. Which of the following is NOT among the functions typically performed within the InfoSec department as a
compliance enforcement obligation?
a. policy
3. Name: Class: Date:
Chapter 05 - Developing the Security Program
Copyright Cengage Learning. Powered by Cognero. Page 3
b. centralized authentication
c. compliance/audit
d. risk management
ANSWER: b
19. Which of the following would be responsible for configuring firewalls and IDPSs, implementing security software,
and diagnosing and troubleshooting problems?
a. A security technician b. A security analyst
c. A security consultant d. The security manager
ANSWER: a
20. GGG security is commonly used to describe which aspect of security?
a. technical b. software
c. physical d. theoretical
ANSWER: c
21. What is the SETA program designed to do?
a. reduce the occurrence of external attacks
b. improve operations
c. reduce the occurence of accidental security breaches
d. increase the efficiency of InfoSec staff
ANSWER: c
22. A SETA program consists of three elements: security education, security training, and which of the following?.
a. security accountability b. security authentication
c. security awareness d. security authorization
ANSWER: c
23. The purpose of SETA is to enhance security in all but which of the following ways?
a. by building in-depth knowledge
b. by adding barriers
c. by developing skills
d. by improving awareness
ANSWER: b
24. Advanced technical training can be selected or developed based on which of the following?
a. level of previous education b. level of previous training
c. technology product d. number of employees
ANSWER: c
25. Which of the following is the first step in the process of implementing training?
a. Identify training staff
b. Identify target audiences
c. Identify program scope, goals, and objectives
4. Name: Class: Date:
Chapter 05 - Developing the Security Program
Copyright Cengage Learning. Powered by Cognero. Page 4
d. Motivate management and employees
ANSWER: c
26. Which of the following is an advantage of the one-on-one method of training?
a. Trainees can learn from each other b. Very cost-effective
c. Customized d. Maximizes use of company resources
ANSWER: c
27. Which of the following is a disadvantage of the one-on-one training method?
a. Inflexible
b. May not be responsive to the needs of all the trainees
c. Content may not be customized to the needs of the organization
d. Resource intensive, to the point of being inefficient
ANSWER: d
28. Which of the following is an advantage of the formal class method of training?
a. Personal
b. Self-paced, can go as fast or as slow as the trainee needs
c. Can be scheduled to fit the needs of the trainee
d. Interaction with trainer is possible
ANSWER: d
29. Which of the following is an advantage of the user support group form of training?
a. Usually conducted in an informal social setting
b. Formal training plan
c. Can be live, or can be archived and viewed at the trainee’s convenience
d. Can be customized to the needs of the trainee
ANSWER: a
30. Which of the following is NOT a step in the process of implementing training?
a. administer the program
b. hire expert consultants
c. motivate management and employees
d. identify target audiences
ANSWER: b
31. __________ is a simple project management planning tool.
a. RFP b. WBS
c. ISO 17799 d. SDLC
ANSWER: b
32. Which of the following is the most cost-effective method for disseminating security information and news to
employees?
a. distance learning seminars b. security-themed Web site
5. Name: Class: Date:
Chapter 05 - Developing the Security Program
Copyright Cengage Learning. Powered by Cognero. Page 5
c. conference calls d. security newsletter
ANSWER: d
33. Which of the following is true about a company’s InfoSec awareness Web site?
a. it should contain large images to maintain interest
b. appearance doesn’t matter if the information is there
c. it should be placed on the Internet for public use
d. it should be tested with multiple browsers
ANSWER: d
34. An organization’s information security program refers to the entire set of activities, resources, personnel, and
technologies used by an organization to manage the risks to the information _______ of the organization.
ANSWER: assets
35. An organization carries out a risk ____________________ function to evaluate risks present in IT initiatives and/or
systems.
ANSWER: assessment
36. A study of information security positions found that positions can be classified into one of three types:
____________________ are the realtechnical types, who create and install security solutions.
ANSWER: builders
37. The information security ____________________ is usually brought in when the organization makes the decision to
outsource one or more aspects of its security program.
ANSWER: consultant
38. The ____________________ program is designed to reduce the occurrence of accidental security breaches by
members of the organization.
ANSWER: security education, training, and awareness
SETA
39. Project ____________________ is a description of a project’s features, capabilities, functions, and quality level, used
as the basis of a project plan.
ANSWER: scope
40. A(n) ____________________ is a specific point in the project plan when a task that has a noticeable impact on plan's
the progress is complete.
ANSWER: milestone
41. The project planner should describe the skills or personnel needed for a task, often referred to as a(n)
____________________, needed to accomplish a task.
ANSWER: resource
42. The three methods for selecting or developing advanced technical training are by job category, by job function, and by
____________________.
ANSWER: technology product
6. Name: Class: Date:
Chapter 05 - Developing the Security Program
Copyright Cengage Learning. Powered by Cognero. Page 6
43. The goal of a security ____________________ program is to keep information security at the forefront of users’
minds on a daily basis.
ANSWER: awareness
44. ____________________ is a phenomenon in which the project manager spends more time documenting project tasks,
collecting performance measurements, recording project task information, and updating project completion forecasts than
in accomplishing meaningful project work.
ANSWER: Projectitis
45. Explain the conflict between the goals and objectives of the CIO and the CISO.
ANSWER: The CIO, as the executive in charge of the organization’s technology, manages the efficiency in the processing
and accessing of the organization’s information. Anything that limits access or slows information processing
directly contradicts the CIO’s mission. On the other hand, the CISO functions more like an internal auditor,
with the information security department examining existing systems to discover information security faults
and flaws in technology, software, and employees’ activities and processes. At times, these activities may
disrupt the processing and accessing of the organization’s information.
46. What is the security education, training, and awareness program? Describe how the program aims to enhance security.
ANSWER: The security education, training, and awareness (SETA) program is designed to reduce the occurence of
accidental security breaches by members of the organization. The program aims to enhance security in three
ways:
- By building in-depth knowledge, as needed, to design, implement, or operate security programs for
organizations and systems
- By developing skills and knowledge so that computer users can perform their jobs while using IT systems
more securely
- By improving awareness of the need to protect system resources
47. List the steps of the seven-step methodology for implementing training.
ANSWER: The seven-step methodology for implementing training is as follows:
Step 1: Identify program scope, goals, and objectives.
Step 2: Identify training staff.
Step 3: Identify target audiences.
Step 4: Motivate management and employees.
Step 5: Administer the program.
Step 6: Maintain the program.
Step 7: Evaluate the program.
48. What are some of the variables that determine how a given organization chooses to construct its InfoSec program?
ANSWER: Among the variables that determine how a given organization chooses to structure its information security
(InfoSec) program are organizational culture, size, security personnel budget, and security capital budget.
49. What are the four areas into which it is recommended to separate the functions of security?
ANSWER: Functions performed by nontechnology business units outside the IT area of management
control
Functions performed by IT groups outside the InfoSec area of management control
Functions performed within the InfoSec department as a customer service to the organization
and its external partners
Functions performed within the InfoSec department as a compliance enforcement obligation
50. Which security functions are normally performed by IT groups outside the InfoSec area of management control?
7. Name: Class: Date:
Chapter 05 - Developing the Security Program
Copyright Cengage Learning. Powered by Cognero. Page 7
ANSWER: Systems security administration
Network security administration
Centralized authentication
51. What are the components of the security program element described as preparing for contingencies and disasters?
ANSWER: Business plan, identify resources, develop scenarios, develop strategies, test and revise plan.
52. What is the Chief Information Security Office primarily responsible for?
ANSWER: The CISO is primarily responsible for the assessment, management, and implementation of the program that
secures the organization’s information.
53. What is the role of help desk personnel in the InfoSec team?
ANSWER: An important part of the InfoSec team is the help desk, which enhances the security team’s ability to identify
potential problems. When a user calls the help desk with a complaint about his or her computer, the network,
or an Internet connection, the user’s problem may turn out to be related to a bigger problem, such as a hacker,
a DoS attack, or a virus.
Because help desk technicians perform a specialized role in InfoSec, they need specialized training. These
staff members must be prepared to identify and diagnose both traditional technical problems and threats to
InfoSec. Their ability to do so may cut precious hours off of an incident response.
54. What is the purpose of a security awareness program? What advantage does an awareness program have for the
InfoSec program?
ANSWER: A security awareness program keeps InfoSec at the forefront of users’ minds on a daily basis. Awareness
serves to instill a sense of responsibility and purpose in employees who handle and manage information, and it
leads employees to care more about their work environment.
a. InfoSec program
b. SETA
c. scope creep
d. security watchstander
e. security manager
f. CISO
g. projectitis
h. critical path method
i. security technicians
j. security awareness program
55. In larger organizations, responsible for some aspect of information security; in smaller organizations, this title may be
assigned to the only or senior security administrator.
ANSWER: e
56.
ANSWER: a
57. Occurs when a project manager spends more time working in the project management software than accomplishing
meaningful project work.
ANSWER: g
8. Name: Class: Date:
Chapter 05 - Developing the Security Program
Copyright Cengage Learning. Powered by Cognero. Page 8
58. Entry-level InfoSec professional responsible for the routine monitoring and operation of a particular InfoSec
technology.
ANSWER: d
59.
ANSWER: i
60. A program designed to improve the security of information assets by providing targeted information, skills, and
guidance for organizational employees.
ANSWER: b
61. A diagramming technique designed to identify the sequence of tasks that make up the shortest elapsed time needed to
complete a project.
ANSWER: h
62. Typically considered the top information security officer in an organization.
ANSWER: f
63.
ANSWER: j
64. The expansion of the quantity or quality of project deliverables from the original project plan.
ANSWER: c
65. What minimum attributes for project tasks does the WBS document?
ANSWER: Work to be accomplished (activities and deliverables)
Individuals (or skill set) assigned to perform the task
Start and end dates for the task (when known)
Amount of effort required for completion in hours or work days
Estimated capital expenses for the task
Estimated noncapital expenses for the task
Identification of dependencies between and among tasks