
The federal government prohibits the distribution of best security practices with organizations other than federal agencies._________________________

A) True
B) False

Which of the following is NOT a goal of the NIST System Certification and Accreditation Project:


A) Develop standard guidelines and procedures for certifying and accrediting corporate IT systems, including the critical infrastructure of the United States
B) Define essential minimum security controls for federal IT systems
C) Promote the development of public- and private-sector assessment organizations and certification of individuals capable of providing cost-effective, high-quality security certifications based on standard guidelines and procedures
D) All of these are goals of the NIST C&A Project

E) B) and D)
F) A) and B)

NIST recommends the documentation of each performance measure in a customized format to ensure repeatability of measures development, tailoring, collection, and reporting activities.

A) True
B) False

It is no longer sufficient to simply assert effective information security; an organization must demonstrate that it is taking effective measures in the spirit of due diligence._________________________

A) True
B) False

In the future, NIST is replacing traditional Certification and Accreditation with authorization strategies and security control assessment.

A) True
B) False

Certification is defined as "the comprehensive evaluation of the technical and nontechnical security controls of an IT system to support the accreditation process that establishes the extent to which a particular design and implementation meets a set of specified security requirements."

A) True
B) False

A(n) baseline is a "value or profile of a performance metric against which changes in the performance metric can be usefully compared." _________________________

A) True
B) False

The process of implementing a performance measures program recommended by NIST involves six phases. List them.

Correct Answer

Phase 1: Prepare for data collection; id...

Organizations typically use three types of performance measures, including those that assess the impact of a(n) ____________________ or other security event on the organization or its mission.

During Phase 1 of the NIST performance measures development process, the organization identifies relevant ____ and their interests in information security measurement.


A) stakeholders
B) users
C) goals and objectives
D) regulations

E) B) and D)
F) A) and B)

By looking at the paths taken by organizations similar to the one whose plan you are developing, known as benchmarking, the organization can follow the recommended or existing practices of a similar organization or industry-developed standards. _________________________

A) True
B) False

Production level statistics depend greatly on the number of systems and the number of users of those systems._________________________

A) True
B) False

Implementing controls at an acceptable standard, and maintaining them, demonstrates that an organization has performed due diligence. _________________________

A) True
B) False

Best security practices (BSPs) balance the need for information access with the need for adequate protection while simultaneously demonstrating social responsibility.

A) True
B) False

In future certification and accreditation practices, NIST will focus less on certification and accreditation strategies, and more on ____.


A) holistic risk management strategy
B) accreditation and certification
C) managed controls
D) international standards such as ISO

E) A) and D)
F) A) and C)

The ____________________ standard is a model level of performance that demonstrates industrial leadership, quality, and concern for the protection of information.

The benefits of using information security performance measures include "increasing ____________________ for information security performance; improving effectiveness of information security activities; demonstrating compliance with laws, rules, and regulations; and providing quantifiable inputs for resource allocation decisions."

One of the critical tasks in the measurement process is to assess and ____________________ what will be measured.

The ____ standard is a model level of performance that demonstrates industrial leadership, quality, and concern for the protection of information.


A) Silver
B) Gold
C) Platinum
D) Diamond

E) All of the above
F) A) and D)

Good security now is better ____.


A) than nothing
B) than a kick in the teeth
C) than perfect security never
D) delayed until better security can be developed

E) All of the above
F) A) and B)
