1. Because the responsibility for IT security is shared across the organization, there is a risk of inconsistent implementation of security and a loss of central monitoring and control. True or False
2. A major disadvantage of the baseline risk assessment approach is the significant cost in time, resources, and expertise needed to perform the analysis. True or False
3. A threat may be either natural or human-made and may be accidental or deliberate. True or False
4. To ensure that a suitable level of security is maintained, management must follow up the implementation with an evaluation of the effectiveness of the security controls. True or False
5. Detection and recovery controls provide a means to restore lost computing resources. True or False
6. Physical access or environmental controls are only relevant to areas housing the relevant equipment. True or False
7. Once in place, controls cannot be adjusted, regardless of the results of risk assessment of systems in the organization. True or False
8. It is likely that the organization will not have the resources to implement all the recommended controls. True or False
9. The selection of recommended controls is not guided by legal requirements. True or False
10. The implementation phase comprises not only the direct implementation of the controls, but also the associated training and general security awareness programs for the organization. True or False
11. Appropriate security awareness training for all personnel in an organization, along with specific training relating to particular systems and controls, is an essential component in implementing controls. True or False
12. Security architecture, and which controls you elect to put in place, should be risk-based and driven by business needs, expressed in policy. True or False
13. For the cost effect, commercial organizations and federal agencies tend to have a simple security architecture, whether explicit or not. True or False
14. The ISO/IEC 27000 series is much more commonly applied in government than in commercial organizations. True or False
15. Management should set a simple policy direction in line with business plans and demonstrate support for, and commitment to, IT security through the issue and maintenance of an IT security policy across the organization. True or False
16. Access to information, information processing facilities, and business processes should be controlled on the basis of employees' requirements. True or False
17. Access control rules should take account of policies for information dissemination and authorization. True or False
18. NIST Special Publication 800-53 Recommended Security Controls for Commercial Information Systems. True or False
19. The primary characteristic of the SABSA model is that everything must be derived from an analysis of the users' requirements for security. True or False
20. COBIT includes best practices, measures, and processes organizations can implement to standardize (and theoretically improve) IT management. True or False
21. Threats are attacks carried out. True or False
22. Computer security is protection of the integrity, availability, and confidentiality of information system resources. True or False
23. Data integrity assures that information and programs are changed only in a specified and authorized manner. True or False
24. Availability assures that systems work promptly and service is not denied to authorized users. True or False
25. The A in the CIA triad stands for authenticity. True or False
26. Computer security is essentially a battle of wits between a perpetrator who tries to find holes and the administrator who tries to close them. True or False
27. Many security administrators view strong security as an impediment to efficient and user-friendly operation of an information system. True or False
28. Hardware is the most vulnerable to attack and the least susceptible to automated controls. True or False
29. Contingency planning is a functional area that primarily requires computer security technical measures. True or False
30. X.800 architecture was developed as an international standard and focuses on security in the context of networks and communications. True or False
31. Assurance is the process of examining a computer product or system with respect to certain criteria. True or False
32. One of the most influential computer security models is the Bell-LaPadula model. True or False
33. The BLP model effectively breaks down when (untrusted) low classified executable data are allowed to be executed by a high clearance (trusted) subject. True or False
34. The Biba model deals with confidentiality and is concerned with unauthorized disclosure of information. True or False
35. Multilevel security is of interest when there is a requirement to maintain a resource in which multiple levels of data sensitivity are defined. True or False
36. The addition of multilevel security to a database system does not increase the complexity of the access control function. True or False
37. The Common Criteria for Information Technology and Security Evaluation are ISO standards for specifying security requirements and defining evaluation criteria. True or False
38. Organizational security objectives identify what IT security outcomes should be achieved. True or False
39. The assignment of responsibilities relating to the management of IT security and the organizational infrastructure is not addressed in a corporate security policy. True or False
40. It is critical that an organization's IT security policy have full approval or buy-in by senior management. True or False
