Читаем CISSP Practice полностью

206. Regarding information security governance, which of the following does not change, unlike others?

a. Programs

b. Assets

c. Mission

d. Practices

206. c. An organization’s basic mission does not change because it is the guiding principle to follow at all times. However, the organization may change its security practices and protection mechanisms over IT assets and computer programs. Yet, these changes must be made within the boundaries of the mission requirements and guidelines. Note that the information security governance must follow the IT governance and the corporate governance principles.

207. What is the most important objective of system security planning?

a. To improve the protection of information system resources

b. To protect highly sensitive systems

c. To protect highly critical systems

d. To focus on accredited systems

207. a. The most important objective of system security planning is to improve the protection of information system resources (e.g., systems, programs, people, data, and equipment). All information systems have some level of sensitivity and criticality and some systems may be accredited. The sensitive, critical, and accredited systems are part of the information system resources and they need protection as part of good management practices.

208. Which of the following policy types is usually broad in scope and function?

a. Program policies

b. Issue-specific policies

c. System-specific policies

d. Network policies

208. a. Program policy is usually broad in scope in that it does not require much modification over time, whereas other types of policies are likely to require more frequent revisions as changes in technology take place.

209. Which of the following is not a part of access agreements?

a. Nondisclosure agreements

b. Rules-of-behavior agreements

c. Employment agreements

d. Conflict-of-interest agreements

209. c. Employment agreements come before the access agreements. Access agreements include nondisclosure, acceptable use, rules-of-behavior, and conflict-of-interest for individuals requiring access to information and information system resources before authorizing access to such resources.

210. Which of the following linkages provide a high-level focus?

a. Link information security metrics to the organization strategic goals

b. Link information security metrics to the organization strategic objectives

c. Link information security activities to the organization-level strategic planning

d. Link information security metrics to the information security program performance

210. c. Information security metrics provides a low-level focus whereas security activities, which are part of the security program, provide a high-level focus. Security metrics monitors and measures implementation and effectiveness of security controls within the context of the security program.

211. Which of the following IT security metrics focuses on implementation?

a. Percentage of system users that have received basic awareness training

b. Percentage of operational systems that have completed certification and accreditation following major changes

c. Percentage of new systems that completed certification and accreditation prior to the implementation

d. Percentage of systems successfully addressed in the testing of the contingency plan

211. a. “Percentage of system users that have received basic awareness training” is an example of implementation metrics. The other three choices are examples of effectiveness metrics.

Implementation metrics measure the results of implementation of security policies, procedures, and controls (i.e., demonstrates progress in implementation efforts). Effectiveness/efficiency metrics measure the results of security services delivery (i.e., monitors the results of security controls implementation).

212. Which of the following IT security metrics focuses on efficiency?

a. Percentage of systems successfully testing the contingency plan at the alternative processing site

b. Percentage of systems that use automated tools to validate performance of periodic maintenance

c. Percentage of individuals screened before being granted access to organizational information and information systems

d. Percentage of system components that undergo maintenance on schedule

212. d. “Percentage of system components that undergo maintenance on schedule” is an example of efficiency metrics. The other three choices are examples of implementation metrics.