Chapter 1 Understanding Cybersecurity Policy and Governance
1) Which of the following elements ensures a policy is enforceable?
A) Compliance can be measured.
B) Appropriate sanctions are applied when the policy is violated.
C) Appropriate administrative, technical, and physical controls are put in place to support
the policy.
D) All of the above
Answer: D
2) FERPA protects which of the following?
A) Medical records
B) Educational records
C) Personally identifiable information
D) Financial records
Answer: B
3) Which of the following is an example of an information asset?
A) Business plans
B) Employee records
C) Company reputation
D) All of the above
Answer: D
4) Policy implementation and enforcement are part of which of the following phases of
the cybersecurity policy life cycle?
A) Develop
B) Review
C) Adopt
D) Publish
Answer: C
5) Which of the following is the correct order of the policy life cycle?
A) Review, develop, adopt, publish
B) Develop, publish, adopt, review
C) Publish, develop, review, adopt
D) Review, adopt, develop, publish
Answer: B
6) Endorsed is one of the seven policy characteristics. Which of the following statements
best describes endorsed?
A) The policy is supported by management.
B) The policy is accepted by the organization’s employees.
C) The policy is mandatory; compliance is measured; and appropriate sanctions are
applied.
D) The policy is regulated by the government.
Answer: A
7) Which of the following is the outcome of policy review?
A) Retirement or renewal
B) Retirement or reauthorization
C) Renewal or reauthorization
D) None of the above
Answer: B
8) How often should policies be reviewed?
A) Monthly
B) Twice a year
C) Annually
D) Never
Answer: C
9) Which of the following statements is not true?
A) Policies should require only what is possible.
B) Policies that are no longer applicable should be retired.
C) All guiding principles and corporate cultures are good.
D) Guiding principles set the tone for a corporate culture.
Answer: C
10) Which of the following is not one of the tasks of the policy development phase?
A) Approve
B) Write
C) Communicate
D) Authorize
Answer: C
11) The United States Department of Homeland Security defines how many critical
infrastructure sectors?
A) 16
B) 14
C) 20
D) 17
Answer: A
12) Which of the following is the seminal tool used to protect both our critical
infrastructure and our individual liberties?
A) Information security
B) Society
C) Physical security
D) Policy
Answer: D