Test Bank for Management of Information Security, 6th Edition, Michael E. Whitman and Herbert J. Mattord


Name: Class: Date:

chapter 5

Indicate whether the statement is true or false.

1. On-the-job training can result in substandard work performance while the trainee gets up to speed.
a. True
b. False

2. The security education, training, and awareness (SETA) program is designed to reduce the occurrence of external
security attacks.
a. True
b. False

3. Using complex project management tools may result in a complication where the project manager creates project
diagrams with insufficient detail for the implementation of the project.
a. True
b. False

4. Each professional project manager will strive to find the proper balance between the planning and the actual work of
the project.
a. True
b. False

5. When creating a WBS, planners need to estimate the effort required to complete each task, subtask, or action step.
a. True
b. False

6. Threats from insiders are more likely in a small organization than in a large one.
a. True
b. False

7. Legal assessment for the implementation of the information security program is almost always done by the information
security or IT department.
a. True
b. False

8. The first step in the work breakdown structure (WBS) approach encompasses activities, but not deliverables.
a. True
b. False

9. Small organizations spend more per user on security than medium- and large-sized organizations.
a. True
b. False

Indicate whether the statement is true or false. If it is false, change the identified word(s) to make the statement
true.

10. InfoSec is a continuous series of policies that comprise a process. __________

Copyright Cengage Learning. Powered by Cognero. Page 1


11. Project management is focused on achieving the objectives of the project. __________

12. Project scope management ensures that the project plan includes only those activities that are necessary to complete it.
__________

13. Establishing performance measures and creating project way points simplifies project monitoring. __________

14. Establishing performance measures and creating project milestones simplifies project planning. __________

15. Projectitis is a phenomenon in which the project manager spends more time documenting project tasks than in
accomplishing meaningful project work. __________

16. The goal of a security alertness program is to keep information security at the forefront of users’ minds on a daily
basis. __________

Indicate the answer choice that best completes the statement or answers the question.

17. Medium-sized organizations tend to spend approximately __________ percent of the total IT budget on security.
a. 2
b. 5
c. 11
d. 20

18. According to Wood, which of the following is a reason the InfoSec department should report directly to top
management?
a. It fosters objectivity and the ability to perceive what’s truly in the best interest of the organization as a whole.
b. It allows independence in the InfoSec department, especially if it is needed to audit the IT division.
c. It prevents InfoSec from becoming a drain on the IT budget.
d. It allows the InfoSec executive to dictate security requirements with greater authority to the other business
divisions.

19. A specialized security administrator responsible for performing systems development life cycle (SDLC) activities in
the development of a security system is known as __________.
a. a security technician
b. a security analyst
c. a security consultant
d. a security manager

20. Larger organizations tend to spend approximately __________ percent of the total IT budget on security.
a. 2
b. 5
c. 11
d. 20

21. The purpose of SETA is to enhance security in all but which of the following ways?
a. by building in-depth knowledge
b. by adding barriers
c. by developing skills
d. by improving awareness

22. Which of the following is true about a company’s InfoSec awareness Web site?
a. It should contain few images to avoid distracting readers.
b. Appearance doesn’t matter if the information is there.
c. It should be placed on the Internet for public use.
d. It should be tested with multiple browsers.

23. As noted by Kosutic, options for placing the CISO (and his or her security group) in the organization are generally
driven by organizational size and include all of the following EXCEPT:
a. within a division/department with a conflict of interest
b. in a separate group reporting directly to the CEO/president
c. under a division/department with no conflict of interest
d. as an additional duty for an existing manager/executive

24. __________ is a simple project management planning tool.
a. RFP
b. WBS
c. ISO 17799
d. SDLC

25. This person would be responsible for some aspect of information security and report to the CISO; in smaller
organizations, this title may be assigned to the only or senior security administrator.
a. security technician
b. security analyst
c. security consultant
d. security manager

26. Which of the following functions needed to implement the information security program evaluates patches used to
close software vulnerabilities and acceptance testing of new systems to assure compliance with policy and effectiveness?
a. systems testing
b. risk assessment
c. incident response
d. risk treatment

27. The __________ certification, considered to be one of the most prestigious certifications for security managers and
CISOs, recognizes mastery of an internationally identified common body of knowledge (CBK) in InfoSec and is
considered to be vendor neutral.
a. CISSP
b. GIAC Security Leadership Certification
c. Security +
d. Associate of (ISC)2

28. Which of the following is NOT a part of an information security program?
a. technologies used by an organization to manage the risks to its information assets
b. activities used by an organization to manage the risks to its information assets
c. personnel used by an organization to manage the risks to its information assets
d. All of these are part of an information security program.

29. In large organizations, the InfoSec department is often located within a(n) _________ division headed by the
_________, who reports directly to the _________.
a. IT, CISO, CIO
b. Finance, Comptroller, CFO
c. Security, CSO, CIO
d. Legal, Corporate Counsel, CEO

30. Which of the following is NOT among the functions typically performed within the InfoSec department as a
compliance enforcement obligation?
a. policy
b. centralized authentication
c. compliance/audit
d. risk management

31. What is the SETA program designed to do?
a. reduce the occurrence of external attacks
b. improve operations
c. reduce the occurrence of accidental security breaches
d. increase the efficiency of InfoSec staff

32. Which of the following is NOT a step in the process of implementing training?
a. administer the program
b. hire expert consultants
c. motivate management and employees
d. identify target audiences

33. Which function needed to implement the information security program includes researching, creating, maintaining,
and promoting information security plans?
a. compliance
b. policy
c. planning
d. SETA programs

34. The InfoSec needs of an organization are unique to all but which one of the following organizational characteristics?
a. market
b. budget
c. size
d. culture

35. Which of the following is an advantage of the user support group form of training?
a. usually conducted in an informal social setting
b. formal training plan
c. can be live, or can be archived and viewed at the trainee’s convenience
d. can be customized to the needs of the trainee

36. Which of the following would most likely be responsible for configuring firewalls and IDPSs, implementing security
software, and diagnosing and troubleshooting problems?
a. security technician
b. security analyst
c. security consultant
d. security manager

37. There are a number of methods for customizing training for users; two of the most common involve customizing by
__________ and by __________.
a. skill level; employee rank
b. department; seniority
c. functional background; skill level
d. educational level; organizational need

38. Which of the following is the first step in the process of implementing training?
a. identify training staff
b. identify target audiences
c. identify program scope, goals, and objectives
d. motivate management and employees

39. Which of the following is true about the security staffing, budget, and needs of a medium-sized organization?
a. It has a larger dedicated (full-time) security staff than a small organization.
b. It has a larger security budget (as percent of IT budget) than a small organization.
c. It has a smaller security budget (as percent of IT budget) than a large organization.
d. It has larger information security needs than a small organization.

40. An (ISC)2 program geared toward individuals who want to take any of its certification exams before obtaining the
requisite experience for certification is the __________.
a. Associate of (ISC)2
b. SSCP
c. ISSAP
d. ISSMP

41. Which of the following is a disadvantage of the one-on-one training method?
a. inflexible scheduling
b. may not be responsive to the needs of all the trainees
c. content may not be customized to the needs of the organization
d. resource intensive, to the point of being inefficient

42. An ISACA certification targeted at upper-level executives, including CISOs and CIOs, directors, and consultants with
knowledge and experience in IT governance, is known as the __________.
a. CGEIT
b. CISM
c. CISSP
d. CRISC

43. Which of the following is an advantage of the formal class method of training?
a. increased personal interaction between trainer and trainee
b. self-paced; can go as fast or as slow as the trainee needs
c. can be scheduled to fit the needs of the trainee
d. interaction with trainer is possible

44. Which of the following describes the primary reason the InfoSec department should NOT fall under the IT function?
a. The average salary of the top security executive typically exceeds that of the typical IT executive, creating
professional rivalries between the two.
b. There is a misalignment between the goals of the InfoSec department, which focuses on protecting
information, and the IT function, which focuses on efficiency in processing and accessing information.
c. There is a fundamental difference in the mission of the InfoSec department, which seeks to minimize access to
information, and the IT function, which seeks to increase accessibility of information.
d. None of the above are reasons the InfoSec department should NOT fall under the IT function.

45. "GGG security" is a term commonly used to describe which aspect of security?
a. technical
b. software
c. physical
d. policy

46. Which of the following organizations is best known for its series of certifications targeted to information systems
audit, information security, risk control, and IT governance?
a. SANS Institute
b. (ISC)2
c. ISACA
d. EC-Council

47. Which of the following organizations offers the Certified CISO (C|CISO) certification?
a. SANS Institute
b. (ISC)2
c. ISACA
d. EC-Council

48. Which of the following is the most cost-effective method for disseminating security information and news to
employees?
a. employee seminars
b. security-themed Web site
c. conference calls
d. e-mailed security newsletter

49. A SETA program consists of three elements: security education, security training, and which of the following?
a. security accountability
b. security authentication
c. security awareness
d. security authorization

50. Which of the following organizations is best known for its series of technical InfoSec certifications through Global
Information Assurance Certification (GIAC)?
a. SANS Institute
b. (ISC)2
c. ISACA
d. EC-Council

51. Organizations classified as __________ may still be large enough to implement the multitier approach to security,
though perhaps with fewer dedicated groups and more functions assigned to each group.
a. medium-sized
b. small-sized
c. large-sized
d. super-sized

52. An ISACA certification targeted at IT professionals who are in careers that link IT risk management with enterprise
risk management is known as the __________.
a. CGEIT
b. CISM
c. CISSP
d. CRISC

53. Which of the following is an advantage of the one-on-one method of training?
a. trainees can learn from each other
b. very cost-effective
c. customized to the needs of the trainee
d. maximizes use of company resources

54. To move the InfoSec discipline forward, organizations should take all of the following steps EXCEPT:
a. form a committee and approve suggestions from the CISO
b. learn more about the requirements and qualifications needed
c. learn more about budgetary and personnel needs
d. grant the InfoSec function needed influence and prestige

55. Which of the following functions includes identifying the sources of risk and may include offering advice on controls
that can reduce risk?
a. risk treatment
b. risk assessment
c. systems testing
d. vulnerability assessment

56. Which of the following variables is the most influential in determining how to structure an information security
program?
a. security capital budget
b. competitive environment
c. online exposure of organization
d. organizational culture

57. Smaller organizations tend to spend approximately __________ percent of the total IT budget on security.
a. 2
b. 5
c. 11
d. 20

Enter the appropriate word(s) to complete the statement.

58. The three methods for selecting or developing advanced technical training are by job category, by job function, and by
__________.

59. The __________ is considered the industry best practice as a project management approach.

60. The __________ program is designed to reduce the occurrence of accidental security breaches by members of the
organization.

61. An organization carries out a risk __________ function to evaluate risks present in IT initiatives and/or systems.

62. Establishing performance measures and creating project __________ simplifies project monitoring.

63. __________ is a phenomenon in which the project manager spends more time documenting project tasks, collecting
performance measurements, recording project task information, and updating project completion forecasts than in
accomplishing meaningful project work.

64. Project __________ management ensures that the project plan includes only those activities that are necessary to
complete it.

65. An organization’s information security __________ refers to the entire set of activities, resources, personnel, and
technologies used to manage risks to the organization's information assets.

66. A study of information security positions found that they can be classified into one of three types: __________ are the
real technical types, who create and install security solutions.

67. The information security __________ is usually brought in when the organization makes the decision to outsource one
or more aspects of its security program.

68. The goal of a security __________ program is to keep information security at the forefront of users’ minds on a daily
basis.

a. InfoSec program
b. SETA
c. scope creep
d. security watchstander
e. security manager
f. CISO
g. projectitis
h. critical path method
i. security technicians
j. security awareness program

69. In larger organizations, the person responsible for some aspect of information security; in smaller organizations, this
title may be assigned to the only or senior security administrator.

70. The structure and organization of the effort to manage risks to an organization’s information assets.

71. Occurs when a project manager spends more time working in the project management software than accomplishing
meaningful project work.

72. An entry-level InfoSec professional responsible for the routine monitoring and operation of a particular InfoSec
technology.

73. The technical specialists responsible for the implementation and administration of some security-related technology.

74. A program designed to improve the security of information assets by providing targeted information, skills, and
guidance for organizational employees.

75. A diagramming technique designed to identify the sequence of tasks that make up the shortest elapsed time needed to
complete a project.

76. Typically considered the top information security officer in an organization.

77. A way to keep InfoSec at the forefront of users’ minds on a daily basis.

78. The expansion of the quantity or quality of project deliverables from the original project plan.

79. Explain the conflict between the goals and objectives of the CIO and the CISO.

80. What is the security education, training, and awareness program? Describe how the program aims to enhance security.

81. What are the four areas into which it is recommended to separate the functions of security?

82. What are some of the variables that determine how a given organization chooses to construct its InfoSec program?

83. What is the purpose of a security awareness program? What advantage does an awareness program have for the
InfoSec program?

84. What is the chief information security officer primarily responsible for?

85. What is the role of help desk personnel in the InfoSec team?

86. What components of the security program are described as preparing for contingencies and disasters?

87. List the steps of the seven-step methodology for implementing training.

88. Which security functions are normally performed by IT groups outside the InfoSec area of management control?

89. What minimum attributes for project tasks does the WBS document?

Answer Key
1. True

2. False

3. False

4. True

5. True

6. False

7. False

8. False

9. True

10. False - projects

11. True

12. True

13. False - milestones

14. False - monitoring

15. True

16. False - awareness

17. c

18. a

19. b

20. b

21. b

22. d

23. a

24. b

25. d

26. a

27. a

28. d

29. a

30. b

31. c

32. b

33. c

34. a

35. a

36. a

37. c

38. c

39. d

40. a

41. d

42. a

43. d

44. b

45. c

46. c

47. d

48. d

49. c

50. a

51. a

52. d

53. c

54. a

55. b

56. d

57. d

58. technology product

59. PMBOK (Project Management Body of Knowledge)

60. security education, training, and awareness (SETA)

61. assessment

62. milestones

63. Projectitis

64. scope

65. program

66. builders

67. consultant

68. awareness

69. e

70. a

71. g

72. d

73. i

74. b

75. h

76. f

77. j

78. c

79. The CIO, as the executive in charge of the organization’s technology, manages the efficiency in the processing and
accessing of the organization’s information. Anything that limits access or slows information processing directly
contradicts the CIO’s mission. On the other hand, the CISO functions more like an internal auditor, with the information
security department examining existing systems to discover information security faults and flaws in technology, software,
and employees’ activities and processes. At times, these activities may disrupt the processing and accessing of the
organization’s information.

80. The security education, training, and awareness (SETA) program is designed to reduce the occurrence of accidental
security breaches by members of the organization. The program aims to enhance security in three ways:
- By building in-depth knowledge, as needed, to design, implement, or operate security programs for organizations and
systems
- By developing skills and knowledge so that computer users can perform their jobs while using IT systems more securely
- By improving awareness of the need to protect system resources

81. The four recommended areas are:
- Functions performed by nontechnology business units outside the IT area of management control
- Functions performed by IT groups outside the InfoSec area of management control
- Functions performed within the InfoSec department as a customer service to the organization and its external partners
- Functions performed within the InfoSec department as a compliance enforcement obligation

82. Among the variables that determine how a given organization chooses to structure its information security (InfoSec)
program are organizational culture, size, security personnel budget, and security capital budget.

83. A security awareness program keeps InfoSec at the forefront of users’ minds on a daily basis. Awareness serves to
instill a sense of responsibility and purpose in employees who handle and manage information, and it leads employees to
care more about their work environment.

84. The CISO is primarily responsible for the assessment, management, and implementation of the program that secures
the organization’s information.

85. An important part of the InfoSec team is the help desk, which enhances the security team’s ability to identify potential
problems. When a user calls the help desk with a complaint about his or her computer, the network, or an Internet
connection, the user’s problem may turn out to be related to a bigger problem, such as a hacker, a DoS attack, or a virus.
Because help desk technicians perform a specialized role in InfoSec, they need specialized training. These staff members
must be prepared to identify and diagnose both traditional technical problems and threats to InfoSec. Their ability to do so
may cut precious hours off of an incident response.

86. Business plan, identify resources, develop scenarios, develop strategies, test and revise plan

87. The seven-step methodology for implementing training is as follows:
Step 1: Identify program scope, goals, and objectives.
Step 2: Identify training staff.
Step 3: Identify target audiences.
Step 4: Motivate management and employees.
Step 5: Administer the program.
Step 6: Maintain the program.
Step 7: Evaluate the program.

88. The following functions are normally performed by IT groups outside the InfoSec area of management control:
- Systems security administration
- Network security administration
- Centralized authentication
89. At a minimum, the WBS documents the following attributes for each task:
- Work to be accomplished (activities and deliverables)
- Individuals (or skill set) assigned to perform the task
- Start and end dates for the task (when known)
- Amount of effort required for completion in hours or work days
- Estimated capital expenses for the task
- Estimated noncapital expenses for the task
- Identification of dependencies between and among tasks
