CHAPTER SUMMARY

People manage risk every day of their lives. They choose when to go to bed, when to wake up, what foods to eat, what route to drive, and much more. Each decision has risks and rewards attached. This is no different in the business world. People face many decisions daily, and they often make them with incomplete information. They are faced with critical deadlines that could be met more easily by sharing information outside policy guidelines. As you gain experience, these decisions become more instinctive.

For business, it is daily processes and decisions that control risk. Policies provide guidance on how to think about risk. Policies and their related controls detail how to prevent, detect, and correct errors. This landscape of controls and processes makes risk management real for every employee. Most important, it encourages behavior that positively drives the organization’s risk culture.

KEY CONCEPTS AND TERMS

CHAPTER 2 ASSESSMENT

  1. What is policy compliance?
    1. The effort to follow an organization’s policy
    2. When customers read a website policy statement
    3. Adherence to an organization’s policy
    4. Failure to follow an organization’s policy
  2. What is an automated control?
    1. A control that stops behavior immediately and does not rely on human decisions
    2. A control that does not stop behavior immediately and relies on human decisions
    3. A control that does not stop behavior immediately but automates notification of an incident
    4. A control that stops behavior immediately and relies on human decisions
  3. Which of the following is not a business driver?
    1. Ability to acquire the newest technology
    2. Cost of maintaining controls
    3. Ability to legally defend
    4. Customer satisfaction
  4. A firewall is generally considered an example of a ________ control.
  5. What is an information security policy?
    1. A policy that defines acceptable behavior of a customer
    2. A policy that defines what hardware to purchase
    3. A policy that defines how to protect information in any form
    4. A policy that defines the type of uniforms guards should wear
  6. Which of the following is not a type of security control?
    1. Preventative
    2. Correlative
    3. Detective
    4. Corrective
  7. Tone at the top refers to:
    1. A company’s leaders making sure every employee knows the priorities
    2. Senior leaders implementing and enforcing policies
    3. Senior managers building trust with the public and with regulators
    4. All of the above
  8. Privacy regulations involve two important principles: full disclosure and data encryption.
    1. True
    2. False
  9. What are the benefits to having a security awareness program emphasize the business risk?
    1. Risk becomes more relevant to employees.
    2. Security policies are more likely to be followed.
    3. It provides employees a foundation to deal with unexpected risk.
    4. All of the above
  10. Which of the following is not a guideline to be considered when developing policy to secure PII data?
    1. Align—Coordinate privacy policies with data classification policies.
    2. Retain—Ensure proper controls around data retention and destruction.
    3. Disclose—Fully disclose to the individual what data is being collected and how it will be used.
    4. Resiliency—Policies provide guidelines for the unexpected.
  11. Information used to open or access a bank account is generally considered PII data.
    1. True
    2. False
  12. Which of the following is not a benefit of having an acceptable use policy?
    1. Outlines disciplinary action for improper behavior
    2. Prevents employees from misusing the Internet
    3. Reduces business liability
    4. Defines proper behavior while using the Internet
  13. Mitigating controls always meet the full intent of the policy.
    1. True
    2. False
  14. Which of the following do you need to measure to achieve operational consistency?
    1. Consistency
    2. Quality
    3. Results
    4. All of the above
  15. Well-defined and properly implemented security policies help the business in which of the following ways?
    1. Maximize profit
    2. Reduce risk
    3. Produce consistent and reliable products
    4. All of the above
