Preview Extract
Corporate Computer Security, 5e (Boyle/Panko)
Chapter 2 Planning and Policy
1) Which of the following is FALSE about security management?
A) Management is abstract; technology is visible.
B) Security technology is far more important than security management.
C) There are fewer general principles in security management than technology.
D) It is generally a mistake to focus too heavily on security technology compared to security
management.
Answer: B
Page Ref: 49
Learning Objective: 2.1 Justify the need for formal management processes
Difficulty: Difficult
2) Comprehensive security pertains to ________.
A) closing all routes of attack to their systems to attackers
B) closing all Internet-linked servers to attackers
C) lessening security issues in an entire company
D) decreasing the risk of all computer systems in a company
Answer: A
Page Ref: 49
Learning Objective: 2.1 Justify the need for formal management processes
Difficulty: Moderate
3) If a failure of a single element of a system will ruin security, this is called a(n) ________.
A) weakest-link failure
B) hybrid solution
C) internal audit
D) risk analysis
Answer: A
Page Ref: 49
Learning Objective: 2.1 Justify the need for formal management processes
Difficulty: Easy
4) Process pertains to ________.
A) the plan-protect-respond cycle
B) the systems life cycle
C) a planned series of actions
D) recovery according to plan
Answer: C
Page Ref: 50
Learning Objective: 2.1 Justify the need for formal management processes
Difficulty: Moderate
1
Copyright ยฉ 2021 Pearson Education, Inc.
5) Which of the following is NOT part of the highest-level security management process that
most firms use today to protect against threats?
A) Plan
B) Process
C) Protect
D) Respond
Answer: B
Page Ref: 51
Learning Objective: 2.1 Justify the need for formal management processes
Difficulty: Moderate
6) The systems development life cycle is most connected to the ________ of the plan-protectrespond cycle of security management.
A) plan
B) process
C) protect
D) respond
Answer: C
Page Ref: 52
Learning Objective: 2.1 Justify the need for formal management processes
Difficulty: Moderate
7) Response is ________.
A) the second phase of the systems life cycle
B) the plan-based creation and operation of countermeasures
C) a planned series of actions
D) recovery according to plan
Answer: D
Page Ref: 53
Learning Objective: 2.1 Justify the need for formal management processes
Difficulty: Moderate
8) A firm’s primary objective is to make a profit.
Answer: TRUE
Page Ref: 48
Learning Objective: 2.1 Justify the need for formal management processes
Difficulty: Easy
9) A firewall administrator should check the log file in a company each week.
Answer: FALSE
Page Ref: 49
Learning Objective: 2.1 Justify the need for formal management processes
Difficulty: Moderate
2
Copyright ยฉ 2021 Pearson Education, Inc.
10) One reason why security management is difficult is that companies need to protect a large
number of resources.
Answer: TRUE
Page Ref: 50
Learning Objective: 2.1 Justify the need for formal management processes
Difficulty: Easy
11) Security is too complicated to be managed informally.
Answer: TRUE
Page Ref: 50
Learning Objective: 2.1 Justify the need for formal management processes
Difficulty: Easy
12) In the plan-protect-respond cycle, the three activities always take place in sequential order.
Answer: FALSE
Page Ref: 50
Learning Objective: 2.1 Justify the need for formal management processes
Difficulty: Easy
13) One key to making security an enabler is to get security involved near the end of most
projects.
Answer: FALSE
Page Ref: 54
Learning Objective: 2.1 Justify the need for formal management processes
Difficulty: Easy
14) ________ are things that require a firm to change its security planning, protections, and
response.
A) Responses
B) Protections
C) MSSPs
D) Driving forces
Answer: D
Page Ref: 58
Learning Objective: 2.2 Describe compliance laws and regulations
Difficulty: Moderate
15) Which of the following produced the greatest change in financial reporting requirement since
the Great Depression?
A) The Sarbanes-Oxley Act
B) The General Data Protection Regulation
C) The Gramm-Leach-Bliley Act
D) The Health Insurance Portability and Accountability Act
Answer: A
Page Ref: 58
Learning Objective: 2.2 Describe compliance laws and regulations
Difficulty: Moderate
3
Copyright ยฉ 2021 Pearson Education, Inc.
16) The Sarbanes-Oxley Act was passed in ________.
A) 2000
B) 2002
C) 2010
D) 2012
Answer: B
Page Ref: 58
Learning Objective: 2.2 Describe compliance laws and regulations
Difficulty: Moderate
17) Which of the following is an EU privacy law?
A) The Sarbanes-Oxley Act
B) The General Data Protection Regulation
C) The Gramm-Leach-Bliley Act
D) The Health Insurance Portability and Accountability Act
Answer: B
Page Ref: 60
Learning Objective: 2.2 Describe compliance laws and regulations
Difficulty: Moderate
18) Which of the following is also known as the Financial Services Modernization Act?
A) GDPR
B) GLBA
C) HIPAA
D) SB 1386
Answer: B
Page Ref: 60
Learning Objective: 2.2 Describe compliance laws and regulations
Difficulty: Moderate
19) Which of the following was the first data breach notification law in the U.S.?
A) GDPR
B) GLBA
C) HIPAA
D) SB 1386
Answer: D
Page Ref: 60
Learning Objective: 2.2 Describe compliance laws and regulations
Difficulty: Moderate
4
Copyright ยฉ 2021 Pearson Education, Inc.
20) ________ was the last state to implement a data breach notification law in ________.
A) Georgia; 2000
B) Alabama; 2018
C) North Dakota; 2016
D) California; 2018
Answer: B
Page Ref: 60
Learning Objective: 2.2 Describe compliance laws and regulations
Difficulty: Moderate
21) One of the first data breach notification laws in the U.S. was created in ________.
A) California
B) New York
C) Illinois
D) Texas
Answer: A
Page Ref: 60
Learning Objective: 2.2 Describe compliance laws and regulations
Difficulty: Moderate
22) Who has the power to prosecute companies that fail to take reasonable precautions to protect
private information?
A) HIPAA
B) FTC
C) GDPR
D) GLBA
Answer: B
Page Ref: 61
Learning Objective: 2.2 Describe compliance laws and regulations
Difficulty: Moderate
23) ________ has set the standards for companies that accept credit cards as a form of payment.
A) FISMA
B) FTC
C) PCI-DSS
D) HIPAA
Answer: C
Page Ref: 61
Learning Objective: 2.2 Describe compliance laws and regulations
Difficulty: Moderate
5
Copyright ยฉ 2021 Pearson Education, Inc.
24) Why was FISMA enacted?
A) To set standards for companies that accept credit card payments
B) To set accreditation standards for members of a particular industry
C) To prosecute firms that fail to take reasonable precautions to protect customers’ private
information
D) To bolster computer and network security within the federal government
Answer: D
Page Ref: 61
Learning Objective: 2.2 Describe compliance laws and regulations
Difficulty: Difficult
25) Compliance laws create requirements to which corporate security must respond.
Answer: TRUE
Page Ref: 58
Learning Objective: 2.2 Describe compliance laws and regulations
Difficulty: Easy
26) The Sarbanes-Oxley Act was passed in 2012.
Answer: FALSE
Page Ref: 60
Learning Objective: 2.2 Describe compliance laws and regulations
Difficulty: Easy
27) Given the importance of Sarbanes-Oxley compliance for companies, most firms were forced
to increase their security efforts.
Answer: TRUE
Page Ref: 60
Learning Objective: 2.2 Describe compliance laws and regulations
Difficulty: Easy
28) The GLBA is considered the most important EU privacy rule ever created.
Answer: FALSE
Page Ref: 60
Learning Objective: 2.2 Describe compliance laws and regulations
Difficulty: Easy
29) There are strong federal laws requiring companies to provide notice of a data breach.
Answer: FALSE
Page Ref: 60
Learning Objective: 2.2 Describe compliance laws and regulations
Difficulty: Moderate
30) HIPAA has the power to require firms to pay to be audited annually by an external firm.
Answer: FALSE
Page Ref: 61
Learning Objective: 2.2 Describe compliance laws and regulations
Difficulty: Easy
6
Copyright ยฉ 2021 Pearson Education, Inc.
31) The first stage of FISMA is a certification of a system by an organization.
Answer: TRUE
Page Ref: 62
Learning Objective: 2.2 Describe compliance laws and regulations
Difficulty: Easy
32) Which of the following is considered the first step for a corporation in managing security?
A) To decide where the security function will sit on a firm’s organization chart
B) To determine what devices need secured and which software to use to do that
C) To determine the size of the security staff and the budget that will support that staff
D) To decide the objectives of the security function
Answer: A
Page Ref: 62
Learning Objective: 2.3 Describe organizational security issues
Difficulty: Moderate
33) Which of the following is considered a fundamental problem with making IT security a staff
department outside IT?
A) Separation reduces accountability.
B) IT security would report to a firm’s CIO.
C) Security changes that would need to be made would be easier.
D) Security and IT could share many of the same technological skill set.
Answer: A
Page Ref: 64
Learning Objective: 2.3 Describe organizational security issues
Difficulty: Moderate
34) Which of the following is NOT one of the three auditing departments that are part of most
corporations?
A) Financial auditing
B) Internal auditing
C) Outside auditing
D) IT auditing
Answer: C
Page Ref: 65
Learning Objective: 2.3 Describe organizational security issues
Difficulty: Easy
7
Copyright ยฉ 2021 Pearson Education, Inc.
35) ________ in regard to outside IT security means checking out closely the IT security
implications of a potential partnership before beginning the relationship.
A) A hybrid solution
B) Internal auditing
C) Risk analysis
D) Due diligence
Answer: D
Page Ref: 66
Learning Objective: 2.3 Describe organizational security issues
Difficulty: Moderate
36) The most common type of IT security outsourcing is done for ________.
A) laptops
B) e-mail
C) all hardware
D) all software
Answer: B
Page Ref: 66
Learning Objective: 2.3 Describe organizational security issues
Difficulty: Easy
37) An advantage to using an MSSP is ________.
A) cost
B) control of employees
C) constant internal control
D) independence
Answer: D
Page Ref: 66
Learning Objective: 2.3 Describe organizational security issues
Difficulty: Moderate
38) The usual title for a company’s security department head is chief security officer.
Answer: TRUE
Page Ref: 62
Learning Objective: 2.3 Describe organizational security issues
Difficulty: Easy
39) Most analysts recommend placing security outside IT.
Answer: TRUE
Page Ref: 64
Learning Objective: 2.3 Describe organizational security issues
Difficulty: Moderate
8
Copyright ยฉ 2021 Pearson Education, Inc.
40) Most firms have a CSO report direct to the company’s CEO.
Answer: FALSE
Page Ref: 64
Learning Objective: 2.3 Describe organizational security issues
Difficulty: Easy
41) The financial auditing department examines organizational units for efficiency, effectiveness,
and adequate controls.
Answer: FALSE
Page Ref: 64
Learning Objective: 2.3 Describe organizational security issues
Difficulty: Moderate
42) IT security is almost always mistrusted by other departments because of security’s potential
to make life harder.
Answer: TRUE
Page Ref: 64
Learning Objective: 2.3 Describe organizational security issues
Difficulty: Easy
43) Which of the following compares probable losses with the costs of security protections?
A) Weakest-link failure
B) Reasonable risk
C) Internal audits
D) Risk analysis
Answer: D
Page Ref: 68
Learning Objective: 2.4 Describe risk analysis
Difficulty: Easy
44) The ________ of the classic risk analysis calculation is the percentage of an asset’s value that
would be lost in a breach.
A) single loss expectancy
B) annualized loss expectancy
C) exposure factor
D) countermeasure impact
Answer: C
Page Ref: 69
Learning Objective: 2.4 Describe risk analysis
Difficulty: Moderate
9
Copyright ยฉ 2021 Pearson Education, Inc.
45) What does a central logging server of an MSSP on a network do?
A) It calculates the amount of processing ability needed for a system.
B) It uploads a firm’s event log data.
C) It uploads the number of times that employees have logged intoโor attempted to log intoโ
questionable sites.
D) It automatically creates a firewall when questionable activity is detected.
Answer: B
Page Ref: 67
Learning Objective: 2.4 Describe risk analysis
Difficulty: Moderate
46) Which of the following is an outsourcing alternative?
A) PCI-DSS
B) FISMA
C) MSSP
D) ISO 27000
Answer: B
Page Ref: 67
Learning Objective: 2.4 Describe risk analysis
Difficulty: Moderate
47) In the classic risk analysis calculation, once you know how much damage an incident may
cause from a single breach, the next issue is how frequently breaches will occur. This is normally
done on a(n) ________ basis.
A) annualized
B) weekly
C) daily
D) bi-annual
Answer: A
Page Ref: 69
Learning Objective: 2.4 Describe risk analysis
Difficulty: Moderate
48) In the classic risk analysis calculation, the countermeasure impact assesses the ________.
A) drawbacks of a countermeasure
B) benefits of a countermeasure
C) costs of a countermeasure
D) number of incidents of all possible countermeasures
Answer: B
Page Ref: 70
Learning Objective: 2.4 Describe risk analysis
Difficulty: Moderate
10
Copyright ยฉ 2021 Pearson Education, Inc.
49) The ________ of the classic risk analysis calculation is the value of the thing to be protected.
A) asset value
B) annualized loss expectancy
C) exposure factor
D) countermeasure impact
Answer: A
Page Ref: 69
Learning Objective: 2.4 Describe risk analysis
Difficulty: Easy
50) Discounted cash flow analysis is also called ________.
A) IRR
B) TCI
C) NPV
D) ROI
Answer: D
Page Ref: 70
Learning Objective: 2.4 Describe risk analysis
Difficulty: Moderate
51) Which of the following is NOT a logical possible response to risk by a company?
A) Risk reduction
B) Risk acceptance
C) Risk transference
D) Risk analysis
Answer: D
Page Ref: 73
Learning Objective: 2.4 Describe risk analysis
Difficulty: Moderate
52) Installing firewalls in a company is an example of ________.
A) risk reduction
B) risk acceptance
C) risk transference
D) risk avoidance
Answer: A
Page Ref: 73
Learning Objective: 2.4 Describe risk analysis
Difficulty: Moderate
11
Copyright ยฉ 2021 Pearson Education, Inc.
53) The most common example of risk transference is ________.
A) insurance
B) no countermeasures
C) installing firewalls
D) IT security measures
Answer: A
Page Ref: 73
Learning Objective: 2.4 Describe risk analysis
Difficulty: Easy
54) Implementing no countermeasures to security challenges and absorbing any damages that
may occur is known as ________.
A) risk reduction
B) risk acceptance
C) risk transference
D) risk avoidance
Answer: B
Page Ref: 73
Learning Objective: 2.4 Describe risk analysis
Difficulty: Easy
55) Return on investment analysis requires the computation of either the net present value or the
________.
A) risk transference
B) risk avoidance
C) internal rate of return
D) total cost of incident
Answer: C
Page Ref: 70
Learning Objective: 2.4 Describe risk analysis
Difficulty: Moderate
56) IT security planning always focuses on risk.
Answer: TRUE
Page Ref: 68
Learning Objective: 2.4 Describe risk analysis
Difficulty: Easy
57) The annualized loss expectancy of the classic risk analysis calculation is the yearly average
loss expected from a compromise for the asset.
Answer: TRUE
Page Ref: 69
Learning Objective: 2.4 Describe risk analysis
Difficulty: Moderate
12
Copyright ยฉ 2021 Pearson Education, Inc.
58) Although IT security can reduce the risk of attacks for companies, security also has some
negative side effects.
Answer: TRUE
Page Ref: 69
Learning Objective: 2.4 Describe risk analysis
Difficulty: Moderate
59) The classic risk analysis calculation is difficult or impossible to use in actual practice.
Answer: TRUE
Page Ref: 70
Learning Objective: 2.4 Describe risk analysis
Difficulty: Easy
60) The worst problem with classic risk analysis is that it is rarely possible to estimate the
annualized rate of occurrence for threats.
Answer: TRUE
Page Ref: 71
Learning Objective: 2.4 Describe risk analysis
Difficulty: Moderate
61) ROI is typically quite easy to measure for security investments.
Answer: FALSE
Page Ref: 72
Learning Objective: 2.4 Describe risk analysis
Difficulty: Moderate
62) A positive of classic risk analysis is that it imposes general discipline for thinking about risks
and countermeasures.
Answer: TRUE
Page Ref: 73
Learning Objective: 2.4 Describe risk analysis
Difficulty: Moderate
63) ________ includes all of a firm’s technical countermeasures and how they are organized into
a complete system of protection.
A) Technical security architecture
B) Risk avoidance
C) Corporate security policy
D) Implementation guidance
Answer: A
Page Ref: 74
Learning Objective: 2.5 Describe technical security infrastructure
Difficulty: Moderate
13
Copyright ยฉ 2021 Pearson Education, Inc.
64) Technologies that a company has implemented in the past but that now are somewhat
ineffective are known as ________.
A) central security management consoles
B) legacy security technologies
C) technical security architecture
D) defense in depth
Answer: B
Page Ref: 75
Learning Objective: 2.5 Describe technical security infrastructure
Difficulty: Moderate
65) When an attacker has to break through multiple countermeasures to succeed, it’s known as
________.
A) defense in depth
B) single point of vulnerability
C) weakest link
D) technical security architecture
Answer: A
Page Ref: 75
Learning Objective: 2.5 Describe technical security infrastructure
Difficulty: Moderate
66) Which of the following defines the opposite of defense in depth?
A) Weakest link
B) Defense in depth
C) Single point of vulnerability
D) Technical security architecture
Answer: C
Page Ref: 75
Learning Objective: 2.5 Describe technical security infrastructure
Difficulty: Moderate
67) ________ refers to the intention to minimize lost productivity and attempt to not slow
innovation.
A) Minimizing security burdens
B) Defining the weakest link
C) A single point of vulnerability
D) Technical security architecture
Answer: A
Page Ref: 76
Learning Objective: 2.5 Describe technical security infrastructure
Difficulty: Moderate
14
Copyright ยฉ 2021 Pearson Education, Inc.
68) ________ is being able to manage security technologies from a single security management
console or at least from a relatively few consoles.
A) Technical security architecture
B) A single point of vulnerability
C) Centralized security management
D) Defense in depth
Answer: C
Page Ref: 78
Learning Objective: 2.5 Describe technical security infrastructure
Difficulty: Moderate
69) It is preferable if a firm’s security systems evolve naturally and organically without major
coordination.
Answer: FALSE
Page Ref: 75
Learning Objective: 2.5 Describe technical security infrastructure
Difficulty: Easy
70) If a legacy technology is a serious threat to security, it must be replaced.
Answer: TRUE
Page Ref: 75
Learning Objective: 2.5 Describe technical security infrastructure
Difficulty: Easy
71) In defense in depth, there are multiple independent countermeasures placed in a series.
Answer: TRUE
Page Ref: 75
Learning Objective: 2.5 Describe technical security infrastructure
Difficulty: Moderate
72) All single points of failure can be eliminated.
Answer: FALSE
Page Ref: 76
Learning Objective: 2.5 Describe technical security infrastructure
Difficulty: Moderate
73) Firewalls are only for borders between external networks and internal networks and do not
exist for solely an internal purpose.
Answer: FALSE
Page Ref: 76
Learning Objective: 2.5 Describe technical security infrastructure
Difficulty: Moderate
15
Copyright ยฉ 2021 Pearson Education, Inc.
74) In interorganizational systems, two companies link some of their IT assets.
Answer: TRUE
Page Ref: 78
Learning Objective: 2.5 Describe technical security infrastructure
Difficulty: Easy
75) The goal of ________ is to emphasize a firm’s commitment to strong security.
A) corporate security policies
B) centralized security management
C) technical security architecture
D) acceptable use policies
Answer: A
Page Ref: 80
Learning Objective: 2.6 Explain policy-driven implementation
Difficulty: Moderate
76) It is common for companies to require users to read and sign a(n) ________.
A) corporate security policy
B) personally identifiable information policy
C) e-mail policy
D) acceptable use policy
Answer: D
Page Ref: 80
Learning Objective: 2.6 Explain policy-driven implementation
Difficulty: Moderate
77) ________ are mandatory implementation guidance, meaning that employees are not free to
opt out of them.
A) Standards
B) Policies
C) Guidelines
D) Procedures
Answer: A
Page Ref: 82
Learning Objective: 2.6 Explain policy-driven implementation
Difficulty: Moderate
78) ________ are mandatory implementation guidance, meaning that employees are not free to
opt out of them.
A) Standards
B) Policies
C) Guidelines
D) Procedures
Answer: A
Page Ref: 82
Learning Objective: 2.6 Explain policy-driven implementation
Difficulty: Moderate
16
Copyright ยฉ 2021 Pearson Education, Inc.
79) Of the following, ________ are the most detailed.
A) policies
B) standards
C) guidelines
D) procedures
Answer: D
Page Ref: 82
Learning Objective: 2.6 Explain policy-driven implementation
Difficulty: Moderate
80) In the ________, a specific, full act should require two or more people to complete.
A) implementation guidance
B) weakest link
C) segregation of duties
D) request/authorization control
Answer: C
Page Ref: 83
Learning Objective: 2.6 Explain policy-driven implementation
Difficulty: Moderate
81) ________ describe the details of what is to be done but without specifically describing how
to do something.
A) Baselines
B) Standards
C) Best practices
D) Procedures
Answer: A
Page Ref: 84
Learning Objective: 2.6 Explain policy-driven implementation
Difficulty: Moderate
82) ________ are descriptions of what the best firms in the industry are doing about security.
A) Baselines
B) Standards
C) Procedures
D) Best practices
Answer: D
Page Ref: 84
Learning Objective: 2.6 Explain policy-driven implementation
Difficulty: Moderate
17
Copyright ยฉ 2021 Pearson Education, Inc.
83) ________ can simply be described as a person’s system of values.
A) Baselines
B) Ethics
C) Procedures
D) Best practices
Answer: B
Page Ref: 85
Learning Objective: 2.6 Explain policy-driven implementation
Difficulty: Easy
84) Which of the following is NOT a general guideline to handling exceptions?
A) Only some people should be allowed to request exceptions.
B) The person who requests an exception must never be the same person who authorizes the
exception.
C) More people should be allowed to authorize exceptions than can request exceptions.
D) Each exception must be carefully documented in terms of specifically what was done and
who did each action.
Answer: C
Page Ref: 87
Learning Objective: 2.6 Explain policy-driven implementation
Difficulty: Difficult
85) ________ is a process, function, or group of tools that are used to improve policy
implementation and enforcement.
A) Promulgation
B) Oversight
C) Monitoring
D) Auditing
Answer: B
Page Ref: 88
Learning Objective: 2.6 Explain policy-driven implementation
Difficulty: Easy
86) In a 2018 report, it was reported that ________ of fraud is detected through anonymous tips.
A) approximately 25 percent
B) more than 40 percent
C) approximately 48 percent
D) more than 65 percent
Answer: B
Page Ref: 89
Learning Objective: 2.6 Explain policy-driven implementation
Difficulty: Easy
18
Copyright ยฉ 2021 Pearson Education, Inc.
87) The ________ was a replacement for the controversial Protect America Act of 2007.
A) USA Freedom Act
B) Communications Assistance for Law Enforcement Act
C) Foreign Intelligence Surveillance Act
D) General Data Protection Regulation
Answer: A
Page Ref: 94
Learning Objective: 2.6 Explain policy-driven implementation
Difficulty: Easy
88) A policy is a statement of what should be done under specific circumstances.
Answer: TRUE
Page Ref: 79
Learning Objective: 2.6 Explain policy-driven implementation
Difficulty: Easy
89) E-mail policies exist in almost all firms.
Answer: TRUE
Page Ref: 80
Learning Objective: 2.6 Explain policy-driven implementation
Difficulty: Easy
90) Team-written policies are usually less respected by employees than policies written
exclusively by IT security.
Answer: FALSE
Page Ref: 80
Learning Objective: 2.6 Explain policy-driven implementation
Difficulty: Moderate
91) Implementation guidance limits the discretion of implementers.
Answer: TRUE
Page Ref: 81
Learning Objective: 2.6 Explain policy-driven implementation
Difficulty: Moderate
92) Accountability refers to the liability for sanctions if implementation is not done properly.
Answer: TRUE
Page Ref: 84
Learning Objective: 2.6 Explain policy-driven implementation
Difficulty: Moderate
93) Formally announcing, publishing, or making users aware of new policies of the company is
called oversight.
Answer: FALSE
Page Ref: 88
Learning Objective: 2.6 Explain policy-driven implementation
Difficulty: Easy
19
Copyright ยฉ 2021 Pearson Education, Inc.
94) All publicly traded companies must have their financial statements audited.
Answer: TRUE
Page Ref: 89
Learning Objective: 2.6 Explain policy-driven implementation
Difficulty: Moderate
95) The Communications Assistance for Law Enforcement Act was passed in the late 1960s.
Answer: FALSE
Page Ref: 94
Learning Objective: 2.6 Explain policy-driven implementation
Difficulty: Moderate
96) Which of the following focuses broadly on corporate internal and financial controls?
A) COBIT
B) ISO/IEC 27000
C) COSO
D) ISO/IEC 27002
Answer: C
Page Ref: 95
Learning Objective: 2.7 Know governance frameworks
Difficulty: Moderate
97) Which of the following is a series of standards specifically addressing IT security?
A) COBIT
B) ISO/IEC 27000
C) COSO
D) ISO/IEC 27002
Answer: A
Page Ref: 95
Learning Objective: 2.7 Know governance frameworks
Difficulty: Moderate
98) Which of the following is NOT an objective in the COSO framework?
A) Strategic
B) Reporting
C) Compliance
D) Implementation
Answer: D
Page Ref: 96
Learning Objective: 2.7 Know governance frameworks
Difficulty: Moderate
20
Copyright ยฉ 2021 Pearson Education, Inc.
99) Which of the following is NOT a COSO framework component?
A) Internal environment
B) Event identification
C) Training practices
D) Risk assessment
Answer: C
Page Ref: 96
Learning Objective: 2.7 Know governance frameworks
Difficulty: Moderate
100) Which of the following COSO framework components encompasses the tone of the
organization?
A) Internal environment
B) Event identification
C) Objective setting
D) Control activities
Answer: A
Page Ref: 96
Learning Objective: 2.7 Know governance frameworks
Difficulty: Moderate
101) In which of the following COSO framework components are policies and procedures
established?
A) Internal environment
B) Control activities
C) Information and communication
D) Objective setting
Answer: B
Page Ref: 96
Learning Objective: 2.7 Know governance frameworks
Difficulty: Moderate
102) Which of the following is NOT one of the major domains of the COBIT framework?
A) Evaluate, direct, and monitor
B) Build, acquire, and implement
C) Deliver, service, and support
D) Promote, hire, and train
Answer: D
Page Ref: 99
Learning Objective: 2.7 Know governance frameworks
Difficulty: Moderate
21
Copyright ยฉ 2021 Pearson Education, Inc.
103) The ISO/IEC 27001 standard specifies how to certify organizations as being compliant with
________.
A) ISO/IEC 27000
B) ISO/IEC 27043
C) COSO
D) COBIT
Answer: A
Page Ref: 100
Learning Objective: 2.7 Know governance frameworks
Difficulty: Moderate
104) Objective setting and risk assessment are both COSO framework components.
Answer: TRUE
Page Ref: 96
Learning Objective: 2.7 Know governance frameworks
Difficulty: Moderate
105) The IT Governance Institute was created by the Association of Certified Fraud Examiners.
Answer: FALSE
Page Ref: 96
Learning Objective: 2.7 Know governance frameworks
Difficulty: Moderate
106) The ISO/IEC 27002 standard divides security into 14 broad areas.
Answer: TRUE
Page Ref: 96
Learning Objective: 2.7 Know governance frameworks
Difficulty: Moderate
107) The EDM domain of the COBIT framework evaluates strategic alternatives.
Answer: TRUE
Page Ref: 96
Learning Objective: 2.7 Know governance frameworks
Difficulty: Moderate
108) COBIT is a general control planning and assessment tool for corporations.
Answer: FALSE
Page Ref: 98
Learning Objective: 2.7 Know governance frameworks
Difficulty: Moderate
109) There is no time ordering for the five components of the COSO framework.
Answer: TRUE
Page Ref: 98
Learning Objective: 2.7 Know governance frameworks
Difficulty: Moderate
22
Copyright ยฉ 2021 Pearson Education, Inc.
110) The first standard in the series was originally called ISO/IEC 17799.
Answer: TRUE
Page Ref: 99
Learning Objective: 2.7 Know governance frameworks
Difficulty: Moderate
23
Copyright ยฉ 2021 Pearson Education, Inc.
Document Preview (23 of 246 Pages)
User generated content is uploaded by users for the purposes of learning and should be used following SchloarOn's honor code & terms of service.
You are viewing preview pages of the document. Purchase to get full access instantly.
-37%
Test Bank for Corporate Computer Security, 5th Edition
$18.99 $29.99Save:$11.00(37%)
24/7 Live Chat
Instant Download
100% Confidential
Store
Ava Brown
0 (0 Reviews)
Best Selling
The World Of Customer Service, 3rd Edition Test Bank
$18.99 $29.99Save:$11.00(37%)
Chemistry: Principles And Reactions, 7th Edition Test Bank
$18.99 $29.99Save:$11.00(37%)
Test Bank for Hospitality Facilities Management and Design, 4th Edition
$18.99 $29.99Save:$11.00(37%)
Solution Manual for Designing the User Interface: Strategies for Effective Human-Computer Interaction, 6th Edition
$18.99 $29.99Save:$11.00(37%)
Data Structures and Other Objects Using C++ 4th Edition Solution Manual
$18.99 $29.99Save:$11.00(37%)
2023-2024 ATI Pediatrics Proctored Exam with Answers (139 Solved Questions)
$18.99 $29.99Save:$11.00(37%)