Question
1. A ________ plan is a plan for the organization's intended strategic efforts over the next several years.
a. standard b. operational c. tactical d. strategic

2. The goals of information security governance include all but which of the following?
a. Regulatory compliance by using information security knowledge and infrastructure to support minimum standards of due care
b. Strategic alignment of information security with business strategy to support organizational objectives
c. Risk management by executing appropriate measures to manage and mitigate threats to information resources
d. Performance measurement by measuring, monitoring, and reporting information security governance metrics to ensure that organizational objectives are achieved

3. Standards may be published, scrutinized, and ratified by a group, as in formal or ________ standards.
a. of formal b. of audience c. de jure d. in fact

4. The ________ is the high-level information security policy that sets the strategic direction, scope, and tone for all of an organization's security efforts.
a. SysSP b. EISP c. GSP d. ISSP

5. ________ often function as standards or procedures to be used when configuring or maintaining systems.
a. ESSPs b. EISPs c. ISSPs d. SysSPs

6. An information security ________ is a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls, including information security policies, security education, and training.
a. plan b. framework c. model d. policy

7. The stated purpose of ISO/IEC 27002 is to "offer guidelines and voluntary directions for information security __________."
a. implementation b. certification c. management d. accreditation

8. When BS 7799 first came out, several countries, including the United States, Germany, and Japan, refused to adopt it, claiming that it had fundamental problems. Which of the following is NOT one of those problems?
a. The standard lacked the measurement precision associated with a technical standard.
b. It was not as complete as other frameworks.
c. The standard was hurriedly prepared, given the tremendous impact its adoption could have on industry information security controls.
d. The global information security community had already defined a justification for a code of practice, such as the one identified in ISO/IEC 17799.

9. SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, provides best practices and security principles that can direct the security team in the development of a security ________.
a. plan b. standard c. policy d. blueprint

10. According to NIST SP 800-14's security principles, security should ________.
a. support the mission of the organization b. require a comprehensive and integrated approach c. be cost-effective d. All of the above

11. In early 2014, in response to Executive Order 13636, NIST published the Cybersecurity Framework, which intends to allow organizations to __________.
a. identify and prioritize opportunities for improvement within the context of a continuous and repeatable process
b. assess progress toward a recommended target state
c. communicate among local, state, and national agencies about cybersecurity risk
d. None of these

12. The spheres of security are the foundation of the security framework and illustrate how information is under attack from a variety of sources, with far fewer protection layers between the information and potential attackers on the __________ side of the organization.
a. technology b. Internet c. people d. operational

13. __________ is a strategy for the protection of information assets that uses multiple layers and different types of controls (managerial, operational, and technical) to provide optimal protection.
a. Networking b. Proxy c. Defense in depth d. Best-effort

14. __________ is a strategy of using multiple types of technology that prevent the failure of one system from compromising the security of information.
a. Firewalling b. Hosting c. Redundancy d. Domaining

15. Redundancy can be implemented at a number of points throughout the security architecture, such as
a. firewalls b. proxy servers c. access controls d. All of the above

16. ________ controls cover security processes that are designed by strategic planners and implemented by the security administration of the organization.
a. Managerial b. Technical c. Operational d. Informational

17. _________ controls address personnel security, physical security, and the protection of production inputs and outputs.
a. Informational b. Operational c. Technical d. Managerial

18. Security __________ are the areas of trust within which users can freely communicate.
a. perimeters b. domains c. rectangles d. layers

19. The SETA program is a control measure designed to reduce the instances of __________ security breaches by employees.
a. intentional b. external c. accidental d. physical

20. The CPMT conducts the BIA in three stages. Which of the following is NOT one of those stages?
a. Determine mission/business processes and recovery criticality
b. Identify recovery priorities for system resources
c. Identify resource requirements
d. All of these are BIA stages
Step by Step Solution
The detailed answer for the above question is provided below. A strategic plan is a plan for the organization's intended strategic efforts over the next several years. Performance measurement by measurin...