
158. b. Policies generally outline fundamental requirements that top management consider imperative, whereas guidelines provide more detailed rules for implementing the broader policies. Guidelines, while encouraged, are not considered to be mandatory.

159. Who must bear the primary responsibility for determining the level of protection needed for IT resources?

a. Information systems security analysts

b. Business managers

c. Information systems security managers

d. Information systems auditors

159. b. Business managers (functional managers) should bear the primary responsibility for determining the level of protection needed for information systems resources that support business operations. Therefore, business managers should be held accountable for managing the information security risks associated with their operations, much as they would for any other type of business risk. Both the information systems security analysts and managers can assist the business manager, whereas the systems auditor can evaluate the level of protection available in an information system.

The level of protection starts at the chief executive officer (CEO) level. This means having a policy on managing threats, responsibilities, and obligations, which will be reflected in employee conduct, ethics, and procurement policies and practices. Information security must be fully integrated into all relevant organizational policies, which can occur only when security consciousness exists at all levels.

160. Which of the following is a better method to ensure that information systems security issues have received appropriate attention by senior management of an organization?

a. Establish a technical-level committee

b. Establish a policy-level committee

c. Establish a control-level committee

d. Establish a senior-level committee

160. d. Some organizations have established senior-level committees consisting of senior managers to ensure that information technology issues, including information security, receive appropriate attention and support. The other committees collect data on specific issues that each committee deals with and recommend actions to senior-level committees for their approval.

161. What is a key characteristic that should be common to all information systems security central groups?

a. Organizational reporting relationships

b. Information systems security responsibilities

c. Information systems security technical assistance

d. Support received from other organizational units

161. b. The two key characteristics that a security central group should have are (i) clearly defined information security responsibilities and (ii) dedicated staff resources to carry out these responsibilities.

162. To ensure that information systems security policies serve as the foundation of information systems security programs, organizations should link:

a. Policies to standards

b. Policies to business risks

c. Policies to procedures

d. Policies to controls

162. b. Developing a comprehensive set of policies is the first step in establishing an organization-wide security program. The policy should be linked to business risks and adjusted on a continuing basis to respond to newly identified risks or areas of misunderstanding.

163. Which of the following is a useful technique for impressing the users about the importance of organization-wide information systems security policies?

a. Making policies available through the Internet

b. Ensuring policies are available through physical bulletin boards

c. Requiring a signed statement from all users that they will abide by the policies

d. Ensuring policies are available through electronic bulletin boards

163. c. A statement is required from new users at the time access to information system resources is first provided, and from all users periodically, usually once a year. Requiring a signed statement can serve as a useful technique for impressing on the users the importance of understanding organizational policies. In addition, if the user is later involved in a security violation, the statement can serve as evidence that he had been informed of organizational policies.

164. Which of the following considers the loss of security objectives (i.e., confidentiality, integrity, and availability) that could be expected to have a limited, serious, or severe adverse effect on an organization’s operations, assets, systems, or individuals and on other organizations?

a. Low-impact

b. Moderate-impact

c. Potential impact

d. High-impact

164. c. Potential impact considers all three levels of impact: (i) a limited adverse effect representing a low impact, (ii) a serious adverse effect representing a moderate impact, and (iii) a severe or catastrophic adverse effect representing a high impact.

165. Effective information systems security measures cannot be maintained due to which of the following reasons?

a. Lack of awareness

b. Lack of a policy

c. Lack of a procedure

d. Lack of enforcement

165. d. If employees see that management is not serious about security policy enforcement, they will not pay attention to security, thus minimizing its effectiveness. In addition to the lack of enforcement, inconsistent enforcement is a problem.

166. Sensitivity criteria for a computer-based information system are not defined in terms of which of the following?

a. The value of having an application system

b. The cost of developing and maintaining an application system

c. The value of having the needed information

d. The cost of not having an application system

166. b. Sensitivity criteria are largely defined in terms of the value of having, or the cost of not having, an application system or needed information.

167. What is the first thing to do upon unfriendly termination of an employee?

a. Complete a sign-out form immediately.

b. Send employee to the accounting department for the last paycheck.

c. Remove the system access quickly.

d. Send employee to the human resource department for benefits status.

167. c. Whether the termination is friendly or unfriendly, the best security practice is to disable the system access quickly, including login to systems. Out-processing often involves a sign-out form initialed by each functional manager with an interest in the separation of the employee. The sign-out form is a type of checklist. Sending the employee to the accounting and human resource departments may be done later.

168. Which of the following have similar structures and complementary objectives?

a. Training and awareness

b. Hackers and users

c. Compliance and common sense

d. Need-to-know and threats