Successful security policy implementation in the workplace depends on people understanding key concepts and embracing the material. Thus, people need to be motivated to succeed if they are going to implement such policies. There are three basic elements of motivation: pride, self-interest, and success. Which of the following does not occur when these elements are combined?
A. individual and team motivation
B. individuals meeting the basic expectations of their job requirements to be successful
C. satisfied customers
D. an increase in bottom-line profits
Which of the following statements captures an example of a manager tapping into pride as a source of motivation?
A. “It’s really important that you complete this task because it is one of your roles and responsibilities.”
B. “The supervisor is requiring that I inform you that you need to complete this task because the person originally assigned is not available.”
C. “It is necessary that you complete this task because not doing so would result in disciplinary action.”
D. “It is really important that you complete this task because the team values your contributions and would benefit from your input.”
In order to convince an organization to adopt security policies, it is necessary for a manager to have some proficiency in ________________, which refers to certain social personality traits such as the ability to communicate and project optimism.
A. soft skills
B. motivation
C. tone at the top
D. empathy
In order to gain a deeper understanding of how employees interact in the workplace, it is useful to learn about the eight classic personality types that have been identified by HR Magazine. One of these is the achievers. Which of the following descriptions best captures this personality type?
A. These people like structure and deadlines and tend to be obsessed with precision and attention to detail.
B. These people are very result-oriented. They genuinely want the best result and may seek different ways to bring that result into being.
C. These people like to entertain and be the center of attention. They develop over time a wit and charm to capture people’s attention.
D. These people are very kind and thoughtful to others. They want everyone to “feel good” and will put their own self-interest aside for the good of the whole.
For leaders, implementing security policies is all about working through others to gain their support and adherence to the policies. Of the widely accepted leadership rules that apply to security policies, which of the following is not among these rules?
A. productivity
B. values
C. support
D. training
Implementing security policy means continuous communication with ___________________ and ensuring transparency about what’s working and what’s not working.
A. control partners
B. stakeholders
C. executives
D. data custodians
In order to be thoughtful about the implementation of security policies and controls, leaders must balance the need to reduce ______________ with the impact to the business operations. Doing so could mean phasing security controls in over time or be as simple as aligning security implementation with the business’s training events.
A. costs
B. productivity
C. risk
D. data storage
Although an organization’s list of stakeholders will vary depending on the policy being implemented, there are stakeholders who are commonly found across organizations. What is the key focus of stakeholders in information security?
A. timely delivery of high-quality products and services at competitive prices
B. compliance with laws and regulations
C. keeping operations within risk tolerances
D. protection of the company and the customer
It is important for an organization to determine how it wants to manage ____________________, which means how to group various tasks, and ____________________, which relates to the number of layers and number of direct reports found in an organization.
A. division of labor, span of control
B. span of control, division of labor
C. separation of duties, flat organizational structure
D. division of labor, separation of duties
In a large organization, the complexity required to keep operations running effectively requires a hierarchy of specialties. Thus, which of the following organizational structures is preferred?
A. flat organizational structure
B. matrix relationship structure
C. hierarchical organizational structure
D. change agent structure
It is important that an effective rollout of information security policies prioritizes good communications. Which of the following is not among the points to be included in a good communication approach?
A. Be clear—avoid technical jargon when possible.
B. Use many channels—reinforce the message as many times as possible.
C. Say “thank you”—acknowledge the efforts both to create and to implement the security policies.
D. Be withholding—it is important to keep the main impact of the policy confidential.
Hierarchical models have many advantages to organizations, but there are also a number of disadvantages. Which of the following is one of the disadvantages?
A. Accountability can be a problem because when many component teams are involved, it can be difficult to determine whose fault it is if something doesn’t work.
B. Communication lines are not clearly defined, so it is difficult to find the group that specializes in the area that can help solve it.
C. Unlike in flat organizations, hierarchical organizations do not have teams dedicated to identifying the next big threat.
D. There is often a decentralized authority, which can quickly become a negative when the span of control becomes too wide.
In a hierarchical organization, there are a large number of touch points and personalities that must be engaged to successfully implement a security policy. As the number of touch points increases, the number of complex ________________ also increases between stakeholders.
A. security liaisons
B. matrix relationships
C. executives
D. control partners
Apathy can have detrimental effects on information security. Engaged communication is one strategy that can be implemented to overcome the effects of apathy. Which of the following statements further elaborates this strategy?
A. Continually reinforce the message of the value and importance of information security.
B. Compliance must be monitored and individuals held accountable.
C. Adjust the implementation strategy to better explain the importance of the policy within the context of the individual role.
D. Seek opportunity to spotlight individuals who model the desired behavior.
Research shows that projects dedicated to information security policies fail due to eight common perceived missteps. Which of the following is not one of the missteps?
A. Unclear purpose: This refers to the clarity of value the project brings.
B. Doubt: This refers to the need for change; it is necessary to explain why what is in place today is not good enough.
C. Lack of organizational incentives: This refers to the inability to motivate behaviors.
D. Lack of complexity: This refers to an oversimplification of policies that sacrifices depth and nuance.
Implementing security policies is easier if you manage it from a change model perspective. The first step of this model is to create urgency. Who is responsible for conveying urgency to business leaders?
A. chief information security officer
B. chief information officer
C. chief finance officer
D. chief technology officer
In order to build a coalition, it’s the responsibility of the chief information security officer (CISO) to reach out to stakeholders, explain the policy change, and listen to concerns. Many organizations have what are called control partners, who give input before a policy change can be made. Which of the following is not an example of control partners found in many large organizations?
A. internal auditors
B. operational risk managers
C. data custodians
D. legal professionals
Business leaders rely on technology roles to be accountable for implementing security policies, monitoring their adherence, and managing day-to-day activities. The role of ______________, for example, is to be accountable for ensuring only the access that is needed to perform day-to-day operations is granted.
A. data owner
B. data manager
C. data user
D. data custodian
The struggle between how to manage a business versus how to “grow” has significant implications for security policies that must reflect the core values of the business. Which of the following statements reflects one of the security policy approaches often taken by entrepreneurs growing a business?
A. A company in its early startup stages focuses on stability and seeks to avoid risk.
B. A company starts growing its bureaucracy as early in its development as possible.
C. A company in its startup stages often hires professional managers and defers to their judgment about how to create the business culture.
D. A company in high-growth mode focuses on agility and innovation and tends to have a greater acceptance of risk.
In general, it’s not a good idea to implement significant policy changes during a _______________.
A. change in leadership
B. reduction in force
C. new quarter
D. separation of duties