98. c. Usually, the data owner defines security levels such as confidential or highly confidential and access profiles defining who can do what, such as add, change, or delete the data elements. It is the data owner who paid or sponsored the system for his department.
The database administrator is incorrect because he is concerned with creating and controlling the logical and physical database. The systems programmer is incorrect because he is responsible for installing new releases of systems software and monitoring the performance of systems software products. The applications programmer is incorrect because he is responsible for developing, testing, and maintaining computer-based application programs in the selected programming languages.
99. Which of the following is not a true statement about data collection efforts during the IT security metrics development process?
a. Data collection process must be as nonintrusive as possible.
b. Collected data must have maximum usefulness.
c. Collected data must be valid.
d. More resources are needed to collect more data.
99. d. The data collection effort during the IT security metrics development process must be as nonintrusive as possible and of maximum usefulness, so that available resources are primarily used to correct problems rather than simply to collect data for the sake of collecting it. Collecting valid data is more important than collecting more data.
100. System or network administrators will be interested in which of the following IT security metrics?
a. Implementation
b. Effectiveness
c. Efficiency
d. Impact
100. a. The four measurable aspects of IT security metrics speak to different stakeholders. System or network administrators want to know what went wrong during IT security implementation activities. Information security and program managers are interested in effectiveness and efficiency during IT security activities. The agency head or chief executive officer (CEO) is interested in the business and mission impact of IT security activities. As the primary stakeholders, the chief information officer (CIO) and information systems security officer are interested in the results of IT security metrics. As the secondary stakeholders, the chief financial officer (CFO), Inspector General (IG), or Chief Audit Executive (CAE) of Internal Audit are interested in the development and funding of IT security metrics.
101. The prudent man concept is related to which of the following?
a. Due care and due permissions
b. Due care and due rights
c. Due care and due diligence
d. Due care and due privileges
101. c. The prudent man concept is related to due care and due diligence. Due care is maintaining reasonable care, whereas due diligence requires organizations to be vigilant and diligent. Good housekeeping in a data center is an example of due diligence. The prudent man concept states that reasonable people always act reasonably under the same conditions. Because people are fallible, courts and the law require that people use reasonable care all the time.
Courts will find computer owners responsible for their insecure systems. Courts will not find liability every time a computer is hijacked. Rather, courts expect organizations to become reasonably prudent computer owners taking due care (reasonable care) to ensure adequate security. Due care means having the right policies and procedures, access controls, firewalls, and other reasonable security measures in place. Computer owners need not take super care, great care, or extraordinary care.
102. What is the purpose of a system security plan?
1. Document the security requirements of a system.
2. Describe the controls in place or planned.
3. Delineate roles and responsibilities.
4. Document the security protection of a system.
a. 1 only
b. 1 and 2
c. 4 only
d. 1, 2, 3, and 4
102. d. The purpose of a system security plan is to provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements. The system security plan also delineates roles and responsibilities and expected behavior of all individuals who access the system. The system security plan should be viewed as documentation of the structured process of planning adequate, cost-effective security protection for a system.
103. What does management authorization of a system to process information provide?
1. Important quality control
2. Assessment of management controls
3. Assessment of operational controls
4. Assessment of technical controls
a. 2 only