WGU C725 Information Security and Assurance: Final Exam Questions With Answers | Latest Update 2023/2024 Graded A+

WGU C725 Information Security and Assurance: Final Exam Questions With Answers | Latest Update 2023 Graded A+. A type of security management planning where upper, or senior, management is responsible for initiating and defining policies for the organization. Top-down approach A type of security management planning where IT staff makes security decisions directly without input from senior management. This approach is rarely used in organizations and is considered problematic in the IT industry. Bottom-up approach This security plan is a long-term plan that is fairly stable. It defines the organization's security purpose. It also helps to understand security function and align it to the goals, mission, and objectives of the organization. It's useful for about five years if it is maintained and updated annually. This plan also serves as the planning horizon. Long-term goals and visions for the future are discussed this plan. Thisplan should include a risk assessment. Strategic Plan This security plan is a midterm plan developed to provide more details on accomplishing the goals set forth in the strategic plan or can be crafted ad hoc based upon unpredicted events. This plan is typically useful for about a year and often prescribes and schedules the tasks necessary to accomplish organizational goals. Some examples of these plans are project plans, acquisition plans, hiring plans, budget plans, maintenance plans, support plans, and system development plans. Tactical Plan This security plan is a short-term, highly detailed plan based on the strategic and tactical plans. It is valid or useful only for a short time. These plans must be updated often (such as monthly or quarterly) to retain compliance with tactical plans. These plans spell out how to accomplish the various goals of the organization. They include resource allotments, budgetary requirements, staffing assignments, scheduling, and step-by-step or implementation procedures. These plans include details on how the implementation processes are in compliance with the organization's security policy. Examples of these plans are training plans, system deployment plans, and product design plans. Operational Plan Also called classification, the primary means by which data is protected based on its need for secrecy, sensitivity, or confidentiality. It is the process of organizing items, objects, subjects, and so on into groups, categories, or collections with similarities. Data classification Top secret, Secret, Confidential, Sensitive but unclassified, Unclassified. Five levels of government/military classification The highest level of government/military data classification. The unauthorized disclosure of top-secret data will have drastic effects and cause grave damage to national security. This data is compartmentalized on a need-to-know basis such that a user could have this clearance and have access to no data until the user has a need to know. Top Secret This level of government/military data classification is used for data of a restricted nature. The unauthorized disclosure of data classified as secret will have significant effects and cause critical damage to national security. Secret This level of government/military data classification is used for data of a sensitive, proprietary, or highly valuable nature. The unauthorized disclosure of data with this classification level will have noticeable effects and cause serious damage to national security. This classification is used for all data between secret and sensitive but unclassified classifications. Confidential This level of government/military data classification is used for data that is for internal use or for office use only (FOUO). Often this data classification is used to protect information that could violate the privacy rights of individuals. This is not technically a classification label; instead, it is a marking or label used to indicate use or management. Sensitive But Unclassified (SBU) This level of government/military data classification is used for data that is neither sensitive nor classified. The disclosure of this type of data does not compromise confidentiality or cause any noticeable damage. This is not technically a classification label; instead, it is a marking or label used to indicate use or management. Unclassified The easy way to remember the names of the five levels of the government or military data classification scheme, U.S. Can Stop Terrorism. Top Secret Secret Confidential Sensitive But unclassified Unclassified Four common or possible business classification levels Confidential Private Sensitive Public This common business/private sector data classification level is the highest level of classification. This is used for data that is extremely sensitive and for internal use only. A significant negative impact could occur for a company if this type of data is disclosed. Sometimes the label proprietary is substituted. Sometimes proprietary data is considered a specific form of this type of information. If proprietary data is disclosed, it can have drastic effects on the competitive edge of an organization. Confidential This common business/private sector data classification level is used for data that is of a private or personal nature and intended for internal use only. A significant negative impact could occur for the company or individuals if private data is disclosed. Private This common business/private sector data classification level is used for data that is more classified than public data. A negative impact could occur for the company if sensitive data is disclosed. Sensitive This common business/private sector data classification level is the lowest level of classification. This is used for all data that does not fit in one of the higher classifications. Its disclosure does not have a serious negative impact on the organization. Public Relating to data classification or categorization, this is the formal assignment of responsibility to an individual or group. Ownership This role is assigned to the person who is ultimately responsible for the security maintained by an organization and who should be most concerned about the protection of its assets. They sign off on all policy issues. Senior Manager This Role is assigned to a trained and experienced network, systems, and security engineer who is responsible for following the directives mandated by senior management. Security Professional This role is assigned to the person who is responsible for classifying information for placement and protection within the security solution. They are typically a high-level manager who is ultimately responsible for data protection. Data Owner