
TESTBANK FOR Developing Cybersecurity Programs and Policies, 4th edition Santos

Rating: -
Sold: -
Pages: 70
Grade: A+
Uploaded on: 14-09-2025
Written in: 2025/2026

Notes
1- The file is organized chapter by chapter.
2- We have shown you a sample of a few pages.
3- The file contains all appendices and the Excel sheet, if it exists.
4- We have everything you need, and we update it all the time. There are many new editions waiting for you.
5- If you think you purchased the wrong file, you can contact us at any time and we can replace it with the correct one.

Developing Cybersecurity Programs and Policies in an AI-Driven World (Santos)
Chapter 1 Understanding Cybersecurity Policy and Governance

1) Which of the following elements ensures a policy is enforceable?
A) Compliance can be measured.
B) Appropriate sanctions are applied when the policy is violated.
C) Appropriate administrative, technical, and physical controls are put in place to support the
policy.
D) All of the above
Answer: D

2) Which of the following is typically not a component of cybersecurity programs and policies?
A) Oversight of cyber risk management
B) Sharing of threat intelligence
C) Implementation of traditional information security measures
D) Conducting incident response and digital forensics
Answer: C

3) Which of the following is an example of an information asset?
A) Business plans
B) Employee records
C) Company reputation
D) All of the above
Answer: D

4) Policy implementation and enforcement are part of which of the following phases of the
cybersecurity policy life cycle?
A) Develop
B) Review
C) Adopt
D) Publish
Answer: C

5) Which of the following is the correct order of the cybersecurity policy life cycle?
A) Review, develop, adopt, publish
B) Develop, publish, adopt, review
C) Publish, develop, review, adopt
D) Review, adopt, develop, publish
Answer: B

6) Endorsed is one of the seven policy characteristics. Which of the following statements best
describes endorsed?
A) The policy is supported and followed by management.
B) The policy is accepted by the organization’s employees.
C) The policy is mandatory; compliance is measured; and appropriate sanctions are applied.
D) The policy is regulated by the government.
Answer: A

Copyright © 2025 Pearson Education, Inc.

7) Which of the following is the outcome of policy review?
A) Retirement or renewal
B) Retirement or reauthorization
C) Renewal or reauthorization
D) None of the above
Answer: B

8) Which strategy is commonly used to protect network and corporate assets in cybersecurity?
A) Single-layered security approach
B) Cross-boundary defense-in-depth strategy
C) Random implementation of security controls
D) Reliance solely on firewalls and IPS
Answer: B

9) Which of the following statements is not true?
A) Policies should require only what is possible.
B) Policies that are no longer applicable should be retired.
C) All guiding principles and corporate cultures are good.
D) Guiding principles set the tone for a corporate culture.
Answer: C

10) Which of the following is not one of the six key tasks of the policy development phase?
A) Approve
B) Write
C) Communicate
D) Authorize
Answer: C

11) The United States Department of Homeland Security defines how many critical
infrastructure sectors?
A) 16
B) 14
C) 20
D) 17
Answer: A

12) Which of the following is the seminal tool used to protect both our critical infrastructure and
our individual liberties?
A) Information security
B) Society
C) Physical security
D) Policy
Answer: D

13) Which of the following can be defined as the shared attitudes, goals, and practices that
characterize a company, corporation, or institution?
A) Regulations
B) Corporate culture
C) Cybersecurity policy
D) Guiding principles
Answer: B

14) Which of the following is a collection of articles and amendments that provide a framework
for the American government and define citizens’ rights?
A) The Constitution
B) The Torah
C) Data Protection Act
D) Consumer Credit Act
Answer: A

15) Which layer in the defense-in-depth strategy includes firewalls, IDS/IPS devices,
segmentation, and VLANs?
A) Physical security
B) Network security
C) Perimeter security
D) Application security
Answer: C

16) Which of the following is another term for statutory law?
A) Legislation
B) Regulation
C) Policy
D) Governance
Answer: A

17) Which of the following federal legislations, also known as the Financial Modernization Act
of 1999, was created to reform and modernize the banking industry by eliminating existing
barriers between banking and commerce?
A) HITECH
B) HIPAA
C) FERPA
D) GLBA
Answer: D

18) Which major regulation entity within the European Union (EU) was created to maintain a
single standard for data protection among all member states in the EU?
A) Directive on Security of Network and Information Systems (the NIS Directive)
B) EU General Data Protection Regulation (GDPR)
C) European Union Agency for Network and Information Security (ENISA)
D) The Consumer Credit Regulations 2010
Answer: B

19) Which key task in the policy development phase requires the authors to consult with internal
and external experts, including legal counsel, human resources, compliance, cybersecurity and
technology professionals, auditors, and regulators?
A) Writing
B) Authorizing
C) Vetting
D) Planning
Answer: C

20) Which key task in the policy adoption phase is the busiest and most challenging task of all?
A) Implementation
B) Enforcement
C) Monitoring
D) Education
Answer: A





Developing Cybersecurity Programs and Policies in an AI-Driven World (Santos)
Chapter 2 Cybersecurity Policy Organization, Format, and Styles

1) Which of the following is not an example of a standard?
A) Passwords must include at least one special character.
B) Passwords must not include repeating characters.
C) Pass phrases make good passwords.
D) Passwords must not include the user’s name.
Answer: C

2) Which of the following version numbers is an example of a major policy revision?
A) 3.5
B) 4.0
C) 4.1
D) 5.1
Answer: B

3) Which of the following best describes the role of standards in cybersecurity policy
implementation?
A) Standards outline general guidelines but do not dictate mandatory requirements.
B) Standards specify optional recommendations for policy implementation.
C) Standards provide specifications for policy implementation and dictate mandatory
requirements.
D) Standards are unrelated to policy implementation and are solely focused on network
infrastructure.
Answer: C

4) Where is the policy introduction located in a consolidated policy document?
A) In a separate document
B) Before the version control table
C) At the beginning of the document
D) After the version control table
Answer: D

5) What is the purpose of the administrative notations section of a policy?
A) To refer the reader to additional information
B) To explain terms, abbreviations, and acronyms used in the policy
C) To provide the policy version number
D) To provide information about policy exceptions
Answer: A

6) What is the purpose of the policy definition section?
A) To provide information about policy exceptions
B) To refer the reader to additional information
C) To explain terms, abbreviations, and acronyms used in the policy
D) To provide the policy version number
Answer: C

7) Which of the following statements about standards and guidelines is true?
A) Standards are mandatory, whereas guidelines are not.
B) Guidelines are mandatory, whereas standards are not.
C) Both standards and guidelines are mandatory.
D) Neither standards nor guidelines are mandatory.
Answer: A

8) Which of the following procedure formats is best suited when there is a decision-making
process associated with a task?
A) Simple Step
B) Flowchart
C) Hierarchical
D) Graphic
Answer: B

9) Which of the following best describes a baseline?
A) Specifications for implementation of a policy
B) Instructions on how a policy is carried out
C) Application of a standard to a specific category or grouping
D) Teaching tools that help people conform to a policy
Answer: C

10) Which of the following best describes a procedure?
A) Application of a standard to a specific category or grouping
B) Instructions on how a policy is carried out
C) Teaching tools that help people conform to a policy
D) Specifications for implementation of a policy
Answer: B

11) Which of the following is NOT an example of information security-related plans?
A) Vendor Management Plan
B) Disaster Preparation Plan
C) Business Continuity Plan
D) Incident Response Plan
Answer: B

12) Which of the following is the topmost object in the policy hierarchy?
A) Standards
B) Baselines
C) Procedures
D) Guiding Principles
Answer: D

13) Which of the following is one of the ten plain language techniques for policy writing?
A) Use passive voice.
B) Include redundant pairs or modifiers.
C) Use long sentences.
D) Limit a paragraph to one subject.
Answer: D

14) Which of the following is not one of the plain language techniques for policy writing?
A) Use active voice.
B) Write short sentences.
C) Use “shall” instead of “must.”
D) Avoid double negatives.
Answer: C

15) What is the purpose of the policy exceptions section of a policy document?
A) To acknowledge exclusions
B) To track changes
C) To convey intent
D) To identify the topic
Answer: A

16) Which of the following refers to the relationship between a policy and its supporting
documents?
A) Policy format
B) Policy hierarchy
C) Policy audience
D) Policy objectives
Answer: B

17) Which of the following identifies a policy by name and provides the reader with an overview
of the policy topic or category?
A) Policy heading
B) Policy goal
C) Policy objective
D) Policy statement
Answer: A

18) Which of the following is best thought of as a high-level directive or strategic roadmap?
A) Policy objective
B) Policy heading
C) Policy statement
D) Policy goal
Answer: C

19) A(n) __________ or waiver process is required for exceptions identified after a policy has
been authorized.
A) administrative notation
B) policy statement
C) policy definition
D) exemption
Answer: D

20) Where are the policy definitions located in a consolidated policy document?
A) At the beginning of the document
B) At the end of the document
C) Just after the policy heading
D) In a separate document
Answer: B



