Management of Information Security Notes Chapter 5 -- Developing Security Programs
Study online at https://quizlet.com/_22u11l
Q: ____ is the term used to describe the structure and organization of the effort that strives to contain the risks to the information assets of the organization.
A: Information security program

Q: ____ personnel are the front line of incident response, as they may be able to diagnose and recognize an attack while handling calls from users having problems with their computers, the network, or Internet connections.
A: Help Desk

Q: The ____ is primarily responsible for the assessment, management, and implementation of the program that secures the organization's information.
A: CISO

Q: The information security ____ is typically an expert in some aspect of information security, who is brought in when the organization makes the decision to outsource one or more aspects of its security program.
A: consultant

Q: List the steps of the seven-step methodology for implementing training.
A:
1. Identify program scope, goals, and objectives
2. Identify training staff
3. Identify target audiences
4. Motivate management and employees
5. Administer the program
6. Maintain the program
7. Evaluate the program

Q: The Computer Security Act of 1987 requires federal agencies to provide mandatory periodic training in computer security encryption and accepted computer practices to all employees involved with the management, use, or operation of their computer systems.
A: False

Q: Security ____ involves providing members of the organization with detailed information and hands-on instruction to enable them to perform their duties securely.
A: training

Q: A disadvantage of offering training in a formal class is that it ____.
A: may not be sufficiently responsive to the needs of all trainees

Q: The three elements of a SETA program are security education, security training, and ____.
A: security awareness

Q: On average, the security budget of a medium-sized organization is ____ of the total IT budget.
A: 11%

Q: Individuals who perform routine monitoring activities are called security technicians.
A: False

Q: The typical security staff in a small organization consists of ____.
A: one person

Q: Keys to a good security ____ series include varying the content and keeping posters updated.
A: poster

Q: Which of the following training methods uses a sink-or-swim approach?
A: On-the-job training

Q: The responsibilities of the ____ are a combination of the responsibilities of a security technician and a security manager.
A: security administrator

Q: In large organizations the information security department is often headed by the CISO, who reports directly to the ____.
A: top computing executive or Chief Information Officer

Q: Advanced technical training can be selected or developed based on job category, job function, or ____.
A: technology product
Q: A study of information security positions found that positions can be classified into one of three types: ____ provide the policies, guidelines, and standards. They're the people who do the consulting and the risk assessment, who develop the product and technical architectures.
A: definers

Q: A study of information security positions found that positions can be classified into one of three types: ____ are the real technical types, who create and install security solutions.
A: builders
Q: Effective training and awareness programs make employees accountable for their actions.
A: True

Q: According to Charles Cresson Wood, "Reporting directly to top management is not advisable for the Information Security Department Manager [or CISO] because it impedes objectivity and the ability to perceive what's truly in the best interest of the organization as a whole, rather than what's in the best interest of a particular department."
A: False

Q: Legal assessment for the implementation of the information security program is almost always done by the information security or IT departments.
A: False

Q: A security technician is usually an entry-level position.
A: True

Q: In informing and preparing employees for their role in information security, security awareness provides the "what", training provides the "how", and education provides the "why".
A: True

Q: Security managers are accountable for the day-to-day operation of the information security program.
A: True

Q: Threats from insiders are more likely in a small organization than in a large one.
A: False

Q: The three methods for selecting or developing advanced technical training are by job category, by job function, and by ____.
A: technology product

Q: The security education, training, and awareness (SETA) program is designed to ____ by/of members of the organization.
A: reduce the incidence of accidental security breaches

Q: A SETA program consists of three elements: security education, security training, and ____.
A: security awareness

Q: Employee behavior that endangers the security of the organization's information can be modified through security awareness and ____.
A: security training

Q: Security managers commonly report to the ____.
A: CISO

Q: The security analyst is a specialized ____.
A: security administrator

Q: One of the most commonly implemented but least effective security methods is the security awareness program.
A: False

Q: The professional agencies such as SANS, ISC2, ISSA, and CSI offer industry training conferences and programs that are ideal for the average employee.
A: False

Q: Security education involves providing members of the organization with detailed information and hands-on instruction to enable them to perform their duties securely.
A: False

Q: Which of the following is the first step in the process of implementing training?
A: identify program scope, goals, and objectives

Q: An organization's size is the variable that has the greatest influence on the structure of the organization's information security program.
A: False

Q: An organization's ____ program refers to the structure and organization of the effort that strives to contain the risks to the information assets of the organization.
A: information security

Q: In small organizations, security training and awareness is most commonly conducted on a one-on-one basis.
A: True
Q: A security ____ is the most cost-effective method of disseminating security information and news to employees.
A: newsletter

Q: Organizations with complex IT infrastructures are likely to require more information security support than those with less complex infrastructures.
A: True

Q: To their advantage, some observers feel that small organizations avoid some threats precisely because of their small size.
A: True

Q: A security trinket program is one of the most expensive security awareness programs.
A: True

Q: A convenient time to conduct training for general users is during employee orientation.
A: True

Q: Which of the following would be responsible for configuring firewalls and IDSs, implementing security software, and diagnosing and troubleshooting problems?
A: A security technician

Q: Security officers and investigators are part of the ____ aspect of security.
A: GGG (guards, gates, and guns)

Q: In large organizations, it is recommended to separate information security functions into four areas, including: non-technology business functions, IT functions, information security customer service functions, and information security compliance enforcement functions.
A: True

Q: The purpose of the CAEIAE program is to enhance security by building in-depth knowledge, by developing security-related skills and knowledge, and by improving awareness of the need to protect system resources.
A: True

Q: An organization carries out a risk ____ function to evaluate risks present in IT initiatives and/or systems.
A: assessment