Risk Management Strategies and Information Security Components Quiz

Questions and Answers

What is the main purpose of a security policy?

To inform employees about available computer systems

To provide step-by-step descriptions of implementing security measures

To establish minimum standards and best practices for security (correct)

To outline financial regulations for an organization

What type of action does an 'Advisory' security policy indicate?

Actions that are optional but recommended (correct)

Actions that are solely related to employee benefits

Actions that are in violation of the law

Actions that are mandatory for all employees

In the context of a security policy, what does the term 'Baseline' refer to?

The maximum level of security achievable

The best practice recommended by industry experts

The minimum security required for a system or process (correct)

The average level of security maintained by most organizations

What distinguishes 'Regulatory' security policies from 'Advisory' and 'Informative' policies?

They address industry regulations regarding organizations' conduct

What should a password policy mainly establish in an organization?

Minimum standards and best practices for password security

What is the main difference between the 'defend' and 'mitigate' risk control strategies?

Defend involves applying policies, while mitigate involves contingency planning.

What is the primary purpose of an Information Security Policy?

To convey instructions to employees

What is the difference between a 'policy' and a 'standard' in terms of security documents?

A policy conveys management intentions, while a standard is about compliance.

In the context of information security, what does 'governance' refer to?

Establishing and maintaining a framework to align security strategies with business objectives

Why are security policies considered organizational laws?

Because employees must abide by them