MIS 433
Understanding Policies and Procedures Quiz
Test your knowledge on the importance of policies and their role in organizational culture with this comprehensive quiz. Covering a range of topics including information assets, policy formats, and the CIA triad, this quiz is designed for anyone looking to deepen their understanding of governance.
Key Features:
- 121 challenging questions
- Multiple choice format
- Immediate feedback on your answers
1. Policies define which of the following?
Rules
Expectations
Patterns of behavior
All of the above
2. Without policy, human beings would live in a state of
Chaos
Bliss
Harmony
Laziness
3. Which of the following best describes the role of policy
To codify guiding principles
To shape behavior
To serve as a roadmap
All of the above
4. Which of the following best describes corporate culture?
Shared attitudes, values, and goals
Multiculturalism
A requirement that everyone act the same
A religion
5. A policy that has been endorsed has the support of which of the following?
Customers
Creditors
The union
Management
6. Who should always be exempt from policy requirements?
Employees
Executives
No one
Salespeople
7. Which of the following states was the first to enact a consumer breach notification law?
Kentucky
Colorado
Connecticut
California
8. How often should policies be reviewed?
Never
Only when there is a significant change
Annually
At least annually or sooner if there is a significant change
9. Which of the following occurs in the policy publication phase?
Communication
Policy dissemination
Education
All of the above
10. If a policy is violated and there is no consequence, the policy is considered to be which of the following?
Meaningless
Inclusive
Legal
Expired
11. Which of the following statements is always true?
Policies stifle innovation.
Policies make innovation more expensive.
Policies should be adaptable.
Effective policies never change
12. “Attainable” means that the policy ___.
Can be successfully implemented
Is expensive
Only applies to suppliers
Must be modified annually
13. Which of the following is not an example of an information asset?
Customer financial records
Marketing plan
Patient medical history
Building graffiti
1. Simple Step, Hierarchical, Graphic, and Flowchart are examples of which of the following formats
Policy
Program
Procedure
Standard
2. Policies, standards, guidelines, and procedures should all be in the same document.
True
False
Only if the company is multinational
Only if the documents have the same author
3. A policy should be considered_________.
Mandatory
Discretionary
Situational
Optional
4. When writing a policy, standard, guideline, or procedure, you should use language that is _________.
Technical
Clear and concise
Legalese
Complex
5. Readers prefer “plain language” because it ______________.
Helps them locate pertinent information
Helps them understand the information
Saves time
All of the above
6. Which of the following terms is best to use when indicating a mandatory requirement?
Must
Shall
Should not
May not
7. A company that uses the term “employees” to refer to workers who are on the company payroll should refer to them throughout their policies as ______.
Workforce members
Employees
Hired hands
Workers
8. Which of the following is not a characteristic of plain language?
Short sentences
Using active voice
Technical jargon
Seven or fewer lines per paragraph
9. When you’re drafting a list of exceptions for a security policy, the language should ___________.
Be as specific as possible
Be as vague as possible
Reference another, dedicated document
None of the above
10. The___________ contains the rules that must be followed.
Policy heading
Policy statement
Policy enforcement clause
Policy goals and objectives
11. The aim or intent of a policy is stated in the_________.
Introduction
Policy heading
Policy goals and objectives
Policy statement
12. Which of the following statements best describes the purpose of a guideline?
To state the beliefs of an organization
To reflect the guiding principles
To dictate mandatory requirements
To make suggestions
13. Even the best-written policy will fail if which of the following is true?
The policy is too long.
The policy is mandated by the government.
The policy doesn’t have the support of management.
All of the above.
Which of the following are the three principles in the CIA triad?
Confidence, integration, availability
Consistency, integrity, authentication
Confidentiality, integrity, availability
Confidentiality, integrity, awareness
Which of the following is a control that relates to availability?
Disaster recovery site
Firewall
Training
Encryption
Which of the following is an objective of confidentiality?
Protection from unauthorized access
Protection from manipulation
Protection from denial of service
Protection from authorized access
Which of the following terms best describes the logging of access and usage of information resources?
Accountability
Acceptance
Accounting
Actuality
Which of the following combination of terms best describes the Five A’s of information security?
Awareness, acceptance, availability, accountability, authentication
Awareness, acceptance, authority, authentication, availability
Accountability, assurance, authorization, authentication, accounting
Acceptance, authentication, availability, assurance, accounting
Which of the following terms best describes the motivation for hacktivism?
Financial
Political
Personal
Fun
Information custodians are responsible for
Writing policy
Classifying data
Approving budgets
Implementing safeguards
Which of the following terms best describes a synonym for business continuity?
Authorization
Authentication
Availability
Accountability
Which of the following security objectives is most important to an organization?
Confidentiality
Integrity
Availability
The answer may vary from organization to organization.
The International Organization for Standardization (ISO) is _____
A nongovernmental organization
An international organization
Headquartered in Geneva
All of the above
Which of the following terms best describes the granting of users and systems a predetermined level of access to information resources?
Availability
Accountability
Assurance
Authorization
Which of the following terms best describes ISO?
Internal Standards Organization
International Organization for Standardization
International Standards Organization
Internal Organization of Systemization
Which of the following terms best describes an attack whose purpose is to make a machine or network resource unavailable for its intended use?
Man-in-the-middle
Denial of service
SQL injection
Organizations that choose to adopt the ISO 27002:2013 framework must
Use every policy, standard, and guideline recommended
Create policies for every security domain
Evaluate the applicability and customize as appropriate
Register with the ISO
Which of the following terms best describes the potential of an undesirable or unfavorable outcome resulting from a given action, activity, and/or inaction?
Threat
Risk
Vulnerability
Impact
Inherent risk is the state before __________________.
An assessment has been conducted
Security measures have been implemented
The risk has been accepted
None of the above
Which of the following terms best describes the natural, environmental, or human event or situation that has the potential for causing undesirable consequences or impact?
Risk
Threat source
Threat
Vulnerability
Which of the following terms best describes a disgruntled employee with intent to do harm?
Risk
Threat source
Threat
Vulnerability
Which of the following is not a risk-mitigation action?
Risk acceptance
Risk sharing or transference
Risk reduction
Risk avoidance
A control is a security measure that is designed to _______ a threat source.
Detect
Deter
Prevent
All of the above
Which of the following risk types best describes an example of insurance?
Risk avoidance
Risk transfer
Risk acknowledgement
Risk acceptance
Which of the following risk types relates to negative public opinion?
Operational risk
Financial risk
Reputation risk
Strategic risk
Defining protection requirements is the responsibility of ____________.
The ISO
The data custodian
Data owners
The Compliance Officer
Which of the following activities is not considered a governance activity
Managing
Influencing
Evaluating
Purchasing
Which of the following states is not included in a CMM?
Average
Optimized
Ad hoc
Managed
Which of the following statements best describes policies?
Policies are the implementation of specifications.
Policies are suggested actions or recommendations.
Policies are instructions.
Policies are the directives that codify organizational requirements.
Which of the following terms best describes a definable piece of information, stored in any manner, that is recognized as having value to the organization
NPPI
Information asset
Information system
Classified data
Information systems _____, _____, and _____ information.
Create, modify, and delete
Classify, reclassify, and declassify
Store, process, and transmit
Use, label, and handle
Information owners are responsible for which of the following tasks?
Classifying information
Maintaining information
Using information
Registering information
Information classification systems are used in which of the following organizations?
Government
Military
Financial institutions
All of the above
Which of the following National Security classifications requires the most protection
Secret
Top Secret
Confidential
Unclassified
Which of the following terms best describes the CIA attribute associated with the modification of information?
Classified
Integrity
Availability
Intelligence
Is it mandatory for all private businesses to classify information?
Yes
Yes, but only if they want to pay less taxes.
Yes, but only if they do business with the government.
No
Which of the following is not a criterion for classifying information?
The information is not intended for the public domain.
The information has no value to the organization.
The information needs to be protected from those outside the organization.
The information is subject to government regulations.
Labeling is the vehicle for communicating classification levels to which of the following roles within the organization?
Employees
Information custodians
Contractors
All of the above
Which of the following terms best describes the process of upgrading or changing classification levels?
Declassification
Classification
Reclassification
Negative classification
10.1.45.245 is an example of which of the following?
A MAC address
A host name
An IP address
An IP domain name
Which of the following types of information would not be considered NPPI?
Social security number
Date of birth
Debit card PIN
Home address
Code and databases are examples of which of the following?
Software assets
Proprietary information
Internal-use classification
Intellectual property (IP)
A guiding principle is best described as which of the following
A financial target
A fundamental philosophy or belief
A regulatory requirement
A person in charge
Which of the following is a true statement
Corporate culture is the same as policy
Guiding principles set the tone for a corporate culture
All corporate cultures are positive
Guiding principles should be kept secret
An information security policy is a directive that defines which of the following
How employees should do their jobs
How to pass an annual audit
How an organization protects information assets and systems
How much security insurance a company should have
What are the seven characteristics of a successful policy
Endorsed, relevant, realistic, cost-effective, adaptable, enforceable, inclusive
Endorsed, relevant, realistic, attainable, adaptable, enforceable, inclusive
Endorsed, relevant, realistic, technical, adaptable, enforceable, inclusive
Endorsed, relevant, realistic, legal, adaptable, enforceable, inclusive
Who must approve the retirement of a policy
A compliance officer
An auditor
Executive management or the Board of Directors
Legal counsel
Which term best describes government intervention with the purpose of causing a specific set of actions
Deregulation
Politics
Regulation
Amendments
The objectives of GLBA and HIPAA, respectively, are to protect __.
Financial and medical records
Financial and credit card records
Medical and student records
Judicial and medical records
Which of the following terms best describes the process of developing, publishing, adopting, and reviewing a policy
Policy two-step
Policy aging
Policy retirement
Policy lifecycle
Who should be involved in the process of developing policies
Only upper-management-level executives
Only part-time employees
Personnel throughout the company
Only outside, third-party consultants
Which of the following does not happen in the policy development phase
Planning
Enforcement
Authorization
Approval
Which of the following occurs in the policy publication phase
Communication
Policy dissemination
Education
All of the above
Normative integration is the goal of the adoption phase. This means __.
There are no exceptions to the policy.
The policy passes the stress test.
The policy becomes expected behavior, all others being deviant.
The policy costs little to implement
Which of the following phrases best describes the concept of “championing a policy”
A willingness to lead by example, encourage, and educate
Winning a compliance award
Voting to authorize a policy
None of the above
Who should authorize policies?
Directors or executive management
Operational managers
Employees
Legal counsel
Which of the following statements is not an objective of information security
To protect information and information systems from intentional misuse
To protect information and information systems from compromise
To protect information and information systems from destruction
To protect information and information systems from authorized users
Which of the following statements best describes the purpose of a baseline
To measure compliance
To ensure uniformity across a similar set of devices
To ensure uniformity across different devices
To make suggestions
Which of the following statements best describes the purpose of a guideline
To state the beliefs of an organization
To reflect the guiding principles
To dictate mandatory requirements
To make suggestions
Which of the following terms best describes instructions and guidance on how to execute an initiative or how to respond to a situation, within a certain timeframe, usually with defined stages and with designated resources
Plan
Policy
Procedure
Package
Which of the following statements best describes a disadvantage to using the singular policy format
The policy can be short
The policy can be targeted
You may end up with too many policies to maintain
The policy can easily be updated
Which of the following statements best describes a disadvantage to using the consolidated policy format
Consistent language is used throughout the document.
Only one policy document must be maintained.
The format must include a composite management statement.
The potential size of the document.
Version control is the management of changes to a document and should include which of the following elements
Version or revision number
Date of authorization
Change description
All of the above
The name of the policy, policy number, and overview belong in which of the following sections
Introduction
Policy Heading
Policy Goals and Objectives
Policy Statement
Which of the following statements is true?
A security policy should only include one objective.
A security policy should not include any exceptions.
A security policy should not include a glossary.
A security policy should not list all step-by-step measures that need to be taken.
Which of the following best describes policy definitions
A glossary of terms used
A detailed list of the possible penalties associated with breaking rules set forth in the policy
A list of all the members of the security policy creation team
None of the above
The _ contains the penalties that would apply if a portion of the security policy were to be ignored by an employee
Policy heading
Policy statement
Policy enforcement clause
Policy statement of authority
What component of a security policy does the following phrase belong to? “Wireless networks are allowed only if they are separate and distinct from the corporate network.”
Introduction
Administrative notation
The policy heading
The policy statement
There may be situations where it is not possible to comply with a policy directive. Where should the exemption or waiver process be explained?
Introduction
The policy statement
The policy enforcement clause
The policy exceptions
The name of the person/group (for example, executive committee) that authorized the policy should be included in ___
The version control table or the policy statement
The heading or the policy statement
The policy statement or the policy exceptions
The version control table or the policy heading
If supporting documentation would be of use to the reader, it should be __
Included in full in the policy document
Ignored because supporting documentation does not belong in a policy document
Listed in either the Policy Heading or Administrative Notation section
Included in a policy appendix
Which of the following is an example of acting upon the goal of integrity
Ensuring that only authorized users can access data
Ensuring that systems have 99.9% uptime
Ensuring that all modifications go through a change-control process
Ensuring that changes can be traced back to the editor
As it pertains to information security, assurance is __.
The process of tracing actions to their source
The processes, policies, and controls used to develop confidence that security measures are working as intended
The positive identification of the person or system seeking access to secured information or systems
The logging of access and usage of information resources
The greater the criminal work factor, the _
More time it takes
More profitable the crime is
Better chance of success
Less chance of getting caught
Which of the following terms best describes the security domain that relates to determining the appropriate safeguards as it relates to the likelihood of a threat to an organization?
Security policy
Access control
Compliance
Risk assessment
Which of the following terms best describes the security domain that relates to how data is classified and valued
Security policy
Asset management
Compliance
Access control
Processes that include responding to a malware infection, conducting forensics investigations, and reporting breaches are included in the _ domain
Security Policy
Operations and Communications
Incident Management
Business Continuity Management
Personnel screening, acceptable use, confidentiality agreements, and training are controls that relate to the __ domain
Operations and Communications
Security Policy
Human Resources
Legal and Compliance
Defining organizational roles, responsibilities, and authority relate to the __ domain.
Operations and Communications
Security Policy
Governance
Legal and Compliance
When an information security program is said to be “strategically aligned,” this indicates that _.
It supports business objectives
It adds value
It maintains compliance with regulatory requirements
All of the above
How often should information security policies be reviewed
Once a year
Only when a change needs to be made
At a minimum, once a year and whenever there is a change trigger
Only as required by law
Information security policies should be authorized by __.
The Board of Directors (or equivalent)
Business unit managers
Legal counsel
Stockholders
Which of the following statements best represents the most compelling reason to have an employee version of the comprehensive information security policy
Sections of the comprehensive policy may not be applicable to all employees.
The comprehensive policy may include unknown acronyms.
The comprehensive document may contain confidential information.
The more understandable and relevant a policy is, the more likely users will positively respond to it.
Which of the following is a common element of all federal information security regulations
Covered entities must have a written information security policy
Covered entities must use federally mandated technology.
Covered entities must self-report compliance.
Covered entities must notify law enforcement if there is a policy violation
Organizations that choose to adopt the ISO 27002:2013 framework must __.
Use every policy, standard, and guideline recommended
Create policies for every security domain
Evaluate the applicability and customize as appropriate
Register with the ISO
Evidence-based techniques used by information security auditors include which of the following elements
Structured interviews, observation, financial analysis, and documentation sampling
Structured interviews, observation, review of practices, and documentation sampling
Structured interviews, customer service surveys, review of practices, and documentation sampling
Casual conversations, observation, review of practices, and documentation sampling
Which of the following statements best describes independence in the context of auditing
The auditor is not an employee of the company.
The auditor is certified to conduct audits.
The auditor is not responsible for, benefited from, or in any way influenced by the audit target.
Each auditor presents his or her own opinion.
How much of the undesirable outcome the risk taker is willing to accept in exchange for the potential benefit is known as _
Risk acceptance
Risk tolerance
Risk mitigation
Risk avoidance
Which of the following statements best describes a vulnerability
A vulnerability is a weakness that could be exploited by a threat source.
A vulnerability is a weakness that can never be fixed.
A vulnerability is a weakness that can only be identified by testing.
A vulnerability is a weakness that must be addressed regardless of the cost.
Compliance risk as it relates to federal and state regulations can never be __.
Avoided
Transferred
Accepted
None of the above
Data that is considered to be personal in nature and, if disclosed, is an invasion of privacy and a compromise of security is known as which of the following
Non-personal public information
Non-private personal information
Non-public personal information
None of the above
Most organizations restrict access to protected, confidential, and internal-use data to which of the following roles within the organization
Executives
Information owners
Users who have a “need to know”
Vendors
Which of the following terms best describes the process of removing restricted classification levels
Declassification
Classification
Reclassification
Negative classification
Which of the following terms best describes an example of a hardware asset
Server
Database
Hammer
Radio waves
Which of the following statements best describes a MAC address?
A MAC address is a unique network address.
A MAC address is a unique host name.
A MAC address is a unique hardware identifier.
A MAC address is a unique alias.
Which of the following terms best describes the act of classifying information based on an original classification decision already made by an authorized original classification authority
Reclassification
Derivative classification
Declassification
Original classification
Which of the following address types represents a device location on a network
A physical address
A MAC address
A logical address
A static address
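The address questions above (IP address versus MAC address versus host name, logical versus physical address) come up in practice when building an asset inventory from mixed sources. The following is an added example, not part of the original quiz: a small Python classifier that tells an IPv4/IPv6 address (logical address), a MAC address (hardware identifier), and a host name apart, and normalizes MAC addresses so that colon- and hyphen-separated forms compare equal. The sample identifiers are constructed for illustration; `10.1.45.245` is the one quoted in the quiz.

```python
import ipaddress
import re

# Constructed sample inventory entries (not from the original quiz).
SAMPLE_IDENTIFIERS = [
    "10.1.45.245",          # IPv4 logical address (the quiz's example)
    "00:1A:2B:3C:4D:5E",    # MAC address, colon-separated
    "00-1a-2b-3c-4d-5e",    # same MAC, hyphen-separated (Windows style)
    "fe80::1",              # IPv6 logical address
    "db01.corp.example",    # host name
    "999.1.1.1",            # looks like an IP but octet is out of range
]

# Six hex octets separated by a consistent ':' or '-' (backreference \2 enforces consistency).
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2})([:-])(?:[0-9A-Fa-f]{2}\2){4}[0-9A-Fa-f]{2}$")
# One DNS label: letters, digits, hyphens; no leading/trailing hyphen; 1..63 chars.
HOSTNAME_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def classify_identifier(value: str) -> str:
    """Return one of 'mac', 'ipv4', 'ipv6', 'hostname', or 'unknown'."""
    v = value.strip()

    # Hardware identifier: check first, since a MAC never parses as an IP.
    if MAC_RE.match(v):
        return "mac"

    # Logical address: ipaddress validates ranges, so 999.1.1.1 is rejected here.
    try:
        addr = ipaddress.ip_address(v)
        return "ipv4" if addr.version == 4 else "ipv6"
    except ValueError:
        pass

    # Host name: every dot-separated label must be a valid DNS label, and a
    # purely numeric dotted string that failed IP validation is not a host name.
    if v and len(v) <= 253:
        labels = v.rstrip(".").split(".")
        if all(HOSTNAME_LABEL_RE.match(lbl) for lbl in labels):
            if not all(lbl.isdigit() for lbl in labels):
                return "hostname"

    return "unknown"


def normalize_mac(value: str) -> str:
    """Canonical lowercase colon-separated form so both separator styles dedupe."""
    v = value.strip()
    if not MAC_RE.match(v):
        raise ValueError(f"not a MAC address: {value!r}")
    hexdigits = re.sub(r"[:-]", "", v).lower()
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def classify_all(values):
    """Map each identifier to its classification; handy for reviewing an inventory export."""
    return {v: classify_identifier(v) for v in values}


if __name__ == "__main__":
    for ident, kind in classify_all(SAMPLE_IDENTIFIERS).items():
        print(f"{ident:22} -> {kind}")
```

Checking MACs before IPs matters: the MAC regex is strict enough that nothing an IP parser accepts will match it, while the reverse is not guaranteed by every ad hoc IP regex. Using `ipaddress` instead of a regex for IPs is what rejects `999.1.1.1`, which a naive four-groups-of-digits pattern would accept.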
Which of the following statements is true?
Small businesses do not need to classify data because it is unusual for a small business to have NPPI.
Small businesses do not need to classify data because small businesses do not have regulatory obligations.
Small businesses need to classify data because small businesses are responsible for protecting NPPI, employee data, and company data
Small businesses need to classify data because every organization is legally required to have a classification system.