Читаем CISSP Practice полностью

66. c. Components of an information security program policy include purpose, scope, responsibilities, and compliance. The compliance component defines penalties and disciplinary actions.

67. Which of the following are required to enforce system-specific policies?

1. Logical access controls

2. Physical security measures

3. Management controls

4. Technical controls

a. 1 and 2

b. 2 and 3

c. 3 and 4

d. 1, 2, 3, and 4

67. d. Both technology-based and nontechnology-based controls are required to enforce system-specific policies. This covers all the four items listed in the question.

68. Benefits of central computer security programs include which of the following?

1. Sharing information

2. Installing technical controls

3. Controlling virus infections

4. Administering day-to-day computer security

a. 1 and 2

b. 1 and 3

c. 2 and 3

d. 2 and 4

68. b. Organizations can develop expertise centrally and then share it, reducing the need to contract out repeatedly for similar services. The central computer security program can help facilitate information sharing. Similarly, controlling virus infections from central location is efficient and economical. Options 2 and 4 are examples of benefits of a system-level computer security program.

69. Which of the following are essential to improving IT security performance through metrics?

1. Quantifying performance gaps

2. Providing insights into root causes

3. Submitting reports to internal management

4. Collecting meaningful data for analysis

a. 1 and 2

b. 2 and 3

c. 3 and 4

d. 1, 2, 3, and 4

69. a. Performance metrics are essential to performance improvement because they quantify performance gaps and provide insights into root causes of inadequate performance. Submitting reports to internal management and collecting meaningful data for analysis support quantifying performance gaps and providing insights into root causes.

70. The concept of least privilege is primarily based on which of the following?

a. Risk assessment

b. Information flow enforcement

c. Access enforcement

d. Account management

70. a. An organization employs the concept of least privilege primarily for specific duties and information systems, including specific ports, protocols, and services in accordance with risk assessments as necessary to adequately mitigate risk to the organization’s operations, assets, and individuals. The other three choices are specific components of access controls.

71. Results-based training does not focus on which of the following?

a. Roles and responsibilities

b. Understanding levels

c. Job titles

d. Backgrounds

71. c. The results-based training focuses on job functions or roles and responsibilities, not job titles, and recognizes that individuals have unique backgrounds, and therefore, different levels of understanding.

72. Which of the following are essential to reach a higher rate of success in protecting information?

1. Proven security tools and techniques

2. Encouraging professional certification

3. Training employees in security policies

4. Role-based security responsibilities

a. 1 and 2

b. 2 and 3

c. 1 and 4

d. 3 and 4

72. d. Organizations that continually train their workforce in organizational security policy and role-based security responsibilities have a higher rate of success in protecting information.

Proven security tools and techniques and encouraging professional certification indirectly support training employees in security policies and role-based security responsibilities.

73. Which of the following is the ultimate purpose of information security performance metrics?

a. To pinpoint problems

b. To scope resources for remediation

c. To track ownership of data

d. To improve information security

73. d. The ultimate purpose of information security performance metrics is to support the organizational requirements and to assist in internal efforts to improve information security.

Intermediate benefits of performance measurement, leading to the ultimate purpose, include assisting with pinpointing problems, scoping the resources for remediation, tracking the status of remediation, and quantifying successes. Measurement also creates accountability for results by tracking ownership of data and its related activities.