When writing a ____________________ one could state how often a supplier will provide a service or how quickly a firm will respond. For managed services, this document often covers system availability and acceptable performance measures.
As employees find new ways to improve a system or process, it is important to have a way to capture their ideas. ________________________ can be understood as finding a better way or as a lesson learned.
Which of the following security control design types does not prevent incidents or breaches immediately and relies on a human to decide what action to take?
If human action is required, the control is considered _______________.
The most senior leader responsible for managing an organization’s risks is the chief privacy
officer (CPO). Which of the following is notone of the responsibilities of the CPO?
Although it is impossible to eliminate all business risks, a good policy can reduce the likelihood of risk occurring or reduce its impact. A business must find a way to balance a number of competing drivers. Which of the following is notone of these drivers?
When trying to achieve operational consistency, which of following oversight phases performs the function of periodically assessing to ensure desired results are achieved?
There are many distinct benefits to control measurement. Which of the following benefits is the result of determining which security controls to measure?
Once an organization clearly defines its IP, the security policies should specify how to ___________ documents with marks or comments, and ____________ the data, which determines in what location the sensitive file should be placed.
Privacy regulations involve two important principles. _____________________ gives the consumer an understanding of what and how data is collected and used. ________________________provides a standard for handling consumer information.
___________________________are formal written policies describing employee behavior when using company computer and network systems.
_______________are owned by an organization if they are created on the computer by company employees or if the assets were custom developed for and purchased by the organization.
________________ functions as a preventive control designed to prevent mistakes from happening. ________________functions as a detective control intended to improve the quality over time by affording opportunities to learn from past mistakes.
Which statement most clearly contrasts the difference between policies and procedures?
In the Build, Acquire, and Implement domain, the ability to manage change is very important. Thus, there are often ___________________set to avoid disrupting current services while new services are added.
A__________________ communicates general rules that cut across the entire organization.
Which of the following is notone of the four domains that collectively represent a conceptual information systems security management life cycle?
The COBIT Align, Plan, and Organize domain includes basic details of an organization’s requirements and goals; this domain answers which of the following questions?
Generally, regardless of threat or vulnerability, there will ____________ be a chance a threat can exploit a vulnerability.
Which of the following statement states the difference between business liability and a business’s legal obligation?
In the ______________ principle adopted by many organizations, you gain access only to the systems and data you need to perform your job.
In business, intellectual property (IP) is a term applied broadly to any company information that is thought to bring an advantage. Protecting IP through security policies starts with human resources (HR). Which of the following is a challenge concerning HR policies about IP?
ISS policies ensure the consistent protection of information flowing through the entire system. Which of the following is not one of the foundational reasons for using and enforcing security policies?
___________________ is the act of protecting information and the systems that store and process it.
A good security awareness program makes employees aware of the behaviors expected of them. All security awareness programs have two enforcement components, the carrot and the stick. Which of the following best captures the relationship of the two components?