b. User awareness

c. User behavior

d. User training

157. c. A relatively new risk receiving particular attention in organizational policies is user behavior. Some users may feel no compunction against browsing sensitive organizational computer files or inappropriate Internet sites if there is no clear guidance on what types of user behaviors are acceptable. These risks did not exist before the extensive use of networks, electronic mail, and the Internet.

158. A common technique for making an organization’s information systems security policies more useful is to distinguish between:

a. Policies and procedures

b. Policies and guidelines

c. Principles and practices

d. Policies and standards

158. b. Policies generally outline fundamental requirements that top management considers imperative, whereas guidelines provide more detailed rules for implementing the broader policies. Guidelines, while encouraged, are not considered to be mandatory.

159. Who must bear the primary responsibility for determining the level of protection needed for IT resources?

a. Information systems security analysts

b. Business managers

c. Information systems security managers

d. Information systems auditors

159. b. Business managers (functional managers) should bear the primary responsibility for determining the level of protection needed for information systems resources that support business operations. Therefore, business managers should be held accountable for managing the information security risks associated with their operations, much as they would for any other type of business risk. Both the information systems security analysts and managers can assist the business manager, whereas the systems auditor can evaluate the level of protection available in an information system.

The level of protection starts at the chief executive officer (CEO) level. This means having a policy on managing threats, responsibilities, and obligations, which will be reflected in employee conduct, ethics, and procurement policies and practices. Information security must be fully integrated into all relevant organizational policies, which can occur only when security consciousness exists at all levels.

160. Which of the following is a better method to ensure that information systems security issues have received appropriate attention by senior management of an organization?

a. Establish a technical-level committee

b. Establish a policy-level committee

c. Establish a control-level committee

d. Establish a senior-level committee

160. d. Some organizations have established senior-level committees consisting of senior managers to ensure that information technology issues, including information security, receive appropriate attention and support. The other committees collect data on specific issues that each committee deals with and recommend actions to senior-level committees for their approval.

161. What is a key characteristic that should be common to all information systems security central groups?

a. Organizational reporting relationships

b. Information systems security responsibilities

c. Information systems security technical assistance

d. Support received from other organizational units

161. b. The two key characteristics that a security central group should include are (i) clearly defined information security responsibilities and (ii) dedicated staff resources to carry out these responsibilities.

162. To ensure that information systems security policies serve as the foundation of information systems security programs, organizations should link:

a. Policies to standards

b. Policies to business risks

c. Policies to procedures

d. Policies to controls

162. b. Developing a comprehensive set of policies is the first step in establishing an organization-wide security program. The policy should be linked to business risks and adjusted on a continuing basis to respond to newly identified risks or areas of misunderstanding.

163. Which of the following is a useful technique for impressing upon users the importance of organization-wide information systems security policies?

a. Making policies available through the Internet
