Which level of planning breaks down each applicable strategic goal into a series of incremental objectives?


Wendy S.

AP CS

7 months, 3 weeks ago

We don’t have your requested question, but here is a suggested video that might help.

Setting the mission which encompasses objectives, policies and goals is known as A. Operational planning B. Strategic planning C. Tactical planning D. Contingency planning


Video Transcript

Setting the mission which encompasses objectives, policies and goals is known as A. operational planning, B. strategic planning, C. tactical planning or D. contingency planning. Setting the mission which encompasses objectives, policies and goals is known as B, strategic planning. Strategic management is the process of setting goals, procedures and objectives in order to make a company or organization more competitive. Typically speaking, strategic management looks at efficiently deploying staff and resources in order to achieve these goals. Often strategic management includes strategy evaluation, internal organizational analysis and strategy execution throughout the company. In business, strategic management is important because it allows the company to analyze areas for operational improvement, and in many cases they can follow either an analytical process which identifies potential threats and opportunities or simply follow general guidelines as such. Setting the mission which encompasses objectives, policies and goals is known as strategic planning.

test bank MANAGEMENT of INFORMATION SECURITY, Fifth Edition


Name: Class: Date: Chapter 03 - Governance and Strategic Planning for Security. Copyright Cengage Learning. Powered by Cognero.

1. Because it sets out general business intentions, a mission statement does not need to be concise. a. True b. False
ANSWER: False

2. A clearly directed strategy flows from top to bottom rather than from bottom to top. a. True b. False
ANSWER: True

3. The primary goal of external monitoring is to maintain an informed awareness of the state of all of the organization's networks, information systems, and information security defenses. a. True b. False
ANSWER: False

4. A top-down approach to information security usually begins with a systems administrator's attempt to improve the security of their systems. a. True b. False
ANSWER: False

5. Penetration testing is often conducted by penetration testers—consultants or outsourced contractors who might be referred to as red teams. a. True b. False
ANSWER: True

6. Values statements should therefore be ambitious; after all, they are meant to express the aspirations of the organization.
ANSWER: False - Vision, vision

7. A person or organization that has a vested interest in a particular aspect of the planning or operation of the organization is a stockbroker.
ANSWER: False - stakeholder

8. The ISO 27014:2013 standard promotes five risk management processes, which should be adopted by the organization's executive management and its governing board.
ANSWER: False - governance

9. Enterprise risk management is a valuable approach that can better align security functions with the business mission while offering opportunities to lower costs.
ANSWER: True

10. Which of the following explicitly declares the business of the organization and its intended areas of operations? a. vision statement b. values statement c. mission statement d. business statement
ANSWER: c

11. Which type of planning is the primary tool in determining the long-term direction taken by an organization? a. strategic b. tactical c. operational d. managerial
ANSWER: a

12. Which of the following is true about planning? a. Strategic plans are used to create tactical plans b. Tactical plans are used to create strategic plans c. Operational plans are used to create tactical plans d. Operational plans are used to create strategic plans
ANSWER: a

13. Which level of planning breaks down each applicable strategic goal into a series of incremental objectives? a. strategic b. operational c. organizational d. tactical
ANSWER: d

14. Which type of planning is used to organize the ongoing, day-to-day performance of tasks? a. Strategic b. Tactical c. Organizational d. Operational
ANSWER: d

15. The basic outcomes of InfoSec governance should include all but which of the following? a. Value delivery by optimizing InfoSec investments in support of organizational objectives b. Performance measurement by measuring, monitoring, and reporting information security governance metrics to ensure that organizational objectives are achieved c. Time management by aligning resources with personnel schedules and organizational objectives d. Resource management by utilizing information security knowledge and infrastructure efficiently and effectively
ANSWER: c

16. Internal and external stakeholders such as customers, suppliers, or employees who interact with the information in support of their organization's planning and operations are known as ____________. a. data owners b. data custodians c. data users d. data generators
ANSWER: c

17. The National Association of Corporate Directors (NACD) recommends four essential practices for boards of directors. Which of the following is NOT one of these recommended practices? a. Hold regular meetings with the CIO to discuss tactical InfoSec planning b. Assign InfoSec to a key committee and ensure adequate support for that committee c. Ensure the effectiveness of the corporation's InfoSec policy through review and approval d. Identify InfoSec leaders, hold them accountable, and ensure support for them
ANSWER: a

18. Which of the following should be included in an InfoSec governance program? a. An InfoSec development methodology b. An InfoSec risk management methodology c. An InfoSec project management assessment from an outside consultant d. All of these are components of the InfoSec governance program
ANSWER: b

19. According to the Corporate Governance Task Force (CGTF), which phase in the IDEAL model and framework lays the groundwork for a successful improvement effort? a. Initiating b. Establishing c. Acting d. Learning
ANSWER: a

20. According to the Corporate Governance Task Force (CGTF), during which phase in the IDEAL model and framework does the organization plan the specifics of how it will reach its destination? a. Initiating b. Establishing c. Acting d. Learning
ANSWER: b

21. Which of the following is an information security governance responsibility of the Chief Security Officer? a. Communicate policies and the program b. Set security policy, procedures, programs and training c. Brief the board, customers and the public d. Implement policy, report security vulnerabilities and breaches
ANSWER: b

22. ISO 27014:2013 is the ISO 27000 series standard for ____________. a. Governance of Information Security b. Information Security Management c. Risk Management d. Policy Management
ANSWER: a

23. Which of the following is a key advantage of the bottom-up approach to security implementation? a. strong upper-management support b. a clear planning and implementation process c. utilizes the technical expertise of the individual administrators d. coordinated planning from upper management
ANSWER: c

24. Which of these is a systems development approach that incorporates teams of representatives from multiple constituencies, including users, management, and IT, each with a vested interest in the project's success? a. software engineering b. joint application design c. sequence-driven policies d. event-driven procedures
ANSWER: b

25. In which model of the SecSDLC does the work product from each phase fall into the next phase to serve as its starting point? a. modular continuous b. elementary cyclical c. time-boxed circular d. traditional waterfall
ANSWER: d

26. Individuals who control, and are therefore responsible for, the security and use of a particular set of information are known as ____________. a. data owners b. data custodians c. data users d. data generators
ANSWER: a

27. What is the first phase of the SecSDLC? a. analysis b. investigation c. logical design d. physical design
ANSWER: b

28. The individual responsible for the assessment, management, and implementation of information-protection activities in the organization is known as a(n) ____________. a. chief information security officer b. security technician c. security manager d. chief technology officer
ANSWER: a

29. In which phase of the SecSDLC does the risk management task occur? a. physical design b. implementation c. investigation d. analysis
ANSWER: d

30. An example of a stakeholder of a company includes all of the following except: a. employees b. the general public c. stockholders d. management
ANSWER: b

31. A project manager who understands project management, personnel management, and InfoSec technical requirements is needed to fill the role of a(n) ____________. a. champion b. end user c. team leader d. policy developer
ANSWER: c

32. The individual accountable for ensuring the day-to-day operation of the InfoSec program, accomplishing the objectives identified by the CISO and resolving issues identified by technicians is known as a(n) ____________. a. chief information security officer b. security technician c. security manager d. chief technology officer
ANSWER: c

33. A senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the organization is needed to fill the role of a(n) ____________ on a development team. a. champion b. end user c. team leader d. policy developer
ANSWER: a

34. When using the Governing for Enterprise Security (GES) program, an Enterprise Security Program (ESP) should be structured so that governance activities are driven by the organization's executive management, select key stakeholders, as well as the ____________. a. Board Risk Committee b. Board Finance Committee c. Board Audit Committee d. Chairman of the Board
ANSWER: a

35. A set of security tests and evaluations that simulate attacks by a malicious external source is known as ____________. a. vulnerability assessment b. penetration testing c. exploit identification d. safeguard neutralization
ANSWER: b

36. An information security professional with authorization to attempt to gain system access in an effort to identify and recommend resolutions for vulnerabilities in those systems is known as a(n) ____________. a. penetration tester b. gray-hat hacker c. script kiddie d. zebra team
ANSWER: a

37. The process of identifying and documenting specific and provable flaws in the organization's information asset environment is known as ____________. a. vulnerability assessment b. penetration testing c. exploit identification d. safeguard neutralization
ANSWER: a

38. A 2007 Deloitte report found that a valuable approach that can better align security functions with the business mission while offering opportunities to lower costs is ____________. a. enterprise risk management b. joint application design c. security policy review d. disaster recovery planning
ANSWER: a

39. Which of the following set the direction and scope of the security process and provide detailed instruction for its conduct? a. system controls b. technical controls c. operational controls d. managerial controls
ANSWER: d

40. The impetus to begin an SDLC-based project may be ____________________, that is, a response to some activity in the business community, inside the organization, or within the ranks of employees, customers, or other stakeholders.
ANSWER: event-driven, event driven

41. _________ resources include people, hardware, and the supporting system elements and resources associated with the management of information in all its states.
ANSWER: Physical

42. The ______________________ phase is the last phase of the SecSDLC, but perhaps the most important.
ANSWER: maintenance and change

43. In ____________________ testing, security personnel simulate or perform specific and controlled attacks to compromise or disrupt their own systems by exploiting documented vulnerabilities.
ANSWER: penetration

44. Information security governance yields significant benefits. List five.
ANSWER: 1. An increase in share value for organizations 2. Increased predictability and reduced uncertainty of business operations by lowering information-security-related risks to definable and acceptable levels 3. Protection from the increasing potential for civil or legal liability as a result of information inaccuracy or the absence of due care 4. Optimization of the allocation of limited security resources 5. Assurance of effective information security policy and policy compliance 6. A firm foundation for efficient and effective risk management, process improvement, and rapid incident response 7. A level of assurance that critical decisions are not based on faulty information 8. Accountability for safeguarding information during critical business activities, such as mergers and acquisitions, business process recovery, and regulatory response.

45. Describe what happens during each phase of the IDEAL general governance framework.
ANSWER: Initiating - Lay the groundwork for a successful improvement effort. Diagnosing - Determine where you are relative to where you want to be. Establishing - Plan the specifics of how you will reach your destination. Acting - Do the work according to the plan. Learning - Learn from the experience and improve your ability to adopt new improvements in the future.

46. What is the role of planning in InfoSec management? What are the factors that affect planning?
ANSWER: Planning usually involves many interrelated groups and organizational processes. The groups involved in planning represent the three communities of interest; they may be internal or external to the organization and can include employees, management, stockholders, and other outside stakeholders. Among the factors that affect planning are the physical environment, the political and legal environment, the competitive environment, and the technological environment.

47. What is the values statement and what is its importance to an organization?
ANSWER: One of the first positions that management must articulate is the values statement. The trust and confidence of stakeholders and the public are important factors for any organization. By establishing a formal set of organizational principles and qualities in a values statement, as well as benchmarks for measuring behavior against these published values, an organization makes its conduct and performance standards clear to its employees and the public.

48. Contrast the vision statement with the mission statement.
ANSWER: If the vision statement states where the organization wants to go, the mission statement describes how it wants to get there.

49. How does tactical planning differ from strategic planning?
ANSWER: Tactical planning has a more short-term focus than strategic planning—usually one to three years. It breaks down each applicable strategic goal into a series of incremental objectives. Each objective should be specific and ideally will have a delivery date within a year.

50. According to the ITGI, what are the four supervisory tasks a board of directors should perform to ensure strategic InfoSec objectives are being met?
ANSWER: Inculcate a culture that recognizes the criticality of information and InfoSec to the organization. Verify that management's investment in InfoSec is properly aligned with organizational strategies and the organization's risk environment. Assure that a comprehensive InfoSec program is developed and implemented. Demand reports from the various layers of management on the InfoSec program's effectiveness and adequacy.

51. Describe the key approaches organizations are using to achieve unified Enterprise Risk Management.
ANSWER: Combining physical security and InfoSec under one leader as one business function. Using separate business functions that report to a common senior executive. Using a risk council approach to provide a collaborative approach to risk management.

52. What is necessary for a top-down approach to the implementation of InfoSec to succeed?
ANSWER: For any top-down approach to succeed, high-level management must buy into the effort and provide its full support to all departments. Such an initiative must have a champion—ideally, an executive with sufficient influence to move the project forward, ensure that it is properly managed, and push for its acceptance throughout the organization.

What are the three common levels of planning?

There are three major types of planning: operational, tactical and strategic planning.

What is the first phase of the SecSDLC?

Investigation – The investigation phase of the SecSDLC begins with a directive from upper management specifying the process, outcomes, and goals of the project, as well as its budget and other constraints.

What is the goal of strategic planning quizlet?

The goal of strategic planning is long-run profitability and growth. Thus, strategic decisions require long-term commitments of resources. Strategic planning provides a long-term vision and thus guides long-term commitment of resources.

What is the strategic planning process quizlet?

Strategic planning is the process of developing and maintaining a strategic fit between the organization's goals and capabilities, and its changing marketing opportunities.