True or False

12. Security architecture, and which controls you elect to put in place, should be risk-based and driven by business needs, expressed in policy.

13. For the cost effect, Commercial organizations and federal agencies tend to have a simple security architecture, whether explicit or not.

14. The ISO/IEC 27000 series is much more commonly applied in government than in commercial organizations.

15. Management should set a simple policy direction in line with business plans and demonstrate support for, and commitment to, IT security through the issue and maintenance of an IT security policy across the organization.

16. Access to information, information processing facilities, and business processes should be controlled on the basis of employees requirements.

17. Access control rules should take account of policies for information dissemination and authorization.

18. NIST Special Publication 800-53 Recommended Security Controls for Commercial Information Systems.

19. The primary characteristic of the SABSA model is that everything must be derived from an analysis of the users requirements for security.

20. COBIT includes best practices, measures, and processes organizations can implement to standardize (and theoretically improve) IT management.