210. Which of the following linkages provide a high-level focus?

a. Link information security metrics to the organization strategic goals

b. Link information security metrics to the organization strategic objectives

c. Link information security activities to the organization-level strategic planning

d. Link information security metrics to the information security program performance

210. c. Information security metrics provides a low-level focus whereas security activities, which are part of the security program, provide a high-level focus. Security metrics monitors and measures implementation and effectiveness of security controls within the context of the security program.

211. Which of the following IT security metrics focuses on implementation?

a. Percentage of system users that have received basic awareness training

b. Percentage of operational systems that have completed certification and accreditation following major changes

c. Percentage of new systems that completed certification and accreditation prior to the implementation

d. Percentage of systems successfully addressed in the testing of the contingency plan

211. a. “Percentage of system users that have received basic awareness training” is an example of implementation metrics. The other three choices are examples of effectiveness metrics.

Implementation metrics measure the results of implementation of security policies, procedures, and controls (i.e., demonstrates progress in implementation efforts). Effectiveness/efficiency metrics measure the results of security services delivery (i.e., monitors the results of security controls implementation).

212. Which of the following IT security metrics focuses on efficiency?

a. Percentage of systems successfully testing the contingency plan at the alternative processing site

b. Percentage of systems that use automated tools to validate performance of periodic maintenance

c. Percentage of individuals screened before being granted access to organizational information and information systems

d. Percentage of system components that undergo maintenance on schedule

212. d. “Percentage of system components that undergo maintenance on schedule” is an example of efficiency metrics. The other three choices are examples of implementation metrics.

Effectiveness/efficiency metrics measure the results of security services delivery (i.e., monitors the results of security controls implementation). Implementation metrics measure the results of implementation of security policies, procedures, and controls (i.e., demonstrates progress in implementation efforts).

213. Which of the following is a prerequisite to IT security training?

a. Security basics

b. Awareness

c. Security literacy

d. Education

213. b. Awareness programs act as a prerequisite to IT security training. Awareness programs set the stage for training by changing organizational attitudes to realize the importance of security and the adverse consequences of its failure.

214. The security objective or principle of integrity does not deal with which of the following?

a. Accuracy

b. Privacy

c. Non-repudiation

d. Accountability

214. b. Privacy is a part of a confidentiality objective or principle, whereas the other three choices are part of the integrity objective or principle. Privacy protection is the establishment of controls to ensure the security and confidentiality of data records and restricting access to such records. Confidentiality is preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. Hence, privacy and confidentiality are related to each other.

Integrity is the property that protected and sensitive data has not been modified or deleted in an unauthorized and undetected manner. Accuracy is a qualitative assessment of correctness of data or freedom from error (i.e., data needs integrity). Non-repudiation is a service that is used to provide assurance of the integrity and origin of data in such a way that the integrity and origin can be verified and validated by a third party. Accountability generates the requirements for actions of an individual to be traced uniquely to that individual (i.e., supports prevention, detection, fault isolation, and non-repudiation). Hence, accuracy, accountability, and non-repudiation all require that data and information must have integrity. If data that an individual is handling is not accurate and if an individual can deny sending or receiving a message, how can that individual be held accountable for his actions? Note that the terms integrity, accuracy, non-repudiation, and accountability have different definitions and meanings depending on the context of use.

215. Which of the following verifies that the other three security principles have been adequately met by a specific implementation?

a. Assurance

b. Integrity

c. Confidentiality

d. Availability

215. a. Assurance verifies that the security principles such as integrity, availability, confidentiality, and accountability have been adequately met by a specific implementation.

216. Regarding information security governance, which of the following should take place for noncompliance?

a. Change in policies

b. Change in procedures

c. Change in practices

d. Periodic assessments

216. d. Periodic assessments and reports on activities can be a valuable means of identifying areas of noncompliance. The other three choices can result from the periodic assessments.

217. Which of the following must be considered when the system boundaries are drawn and when establishing a control baseline?

a. Confidentiality

b. Impact levels

c. Integrity

d. Availability

217. b. The impact levels (i.e., low, moderate, or high) must be considered when the system boundaries are drawn and when selecting the initial set of security controls (i.e., control baseline). Confidentiality, integrity, and availability are security objectives for which potential impact is assessed.

218. Which of the following is not an element of information quality?

a. Reproducibility

b. Utility

c. Integrity

d. Objectivity

218. a. Information quality is an encompassing term composed of utility integrity and objectivity. Reproducibility means that the information can be substantially reproduced, subject to an acceptable degree of imprecision.

219. Which of the following information security governance structures provides the creation of interorganizational and intra-organizational communication mechanisms in establishing the appropriate policies, procedures, and processes dealing with risk management and information security strategies?