Protection of Information Assets - Information Asset Security and Control

Correct Answer: A policy defines high-level objectives, while a standard specifies mandatory requirements to achieve policy goals.

In information security, the key difference between policies and standards is their scope and purpose: The correct answer is that a policy defines high-level objectives, while a standard specifies mandatory requirements to achieve policy goals. Policies are broad governance documents that outline an organization's intentions and direction regarding security. Standards are more detailed and provide specific, mandatory requirements needed to implement the policy. The other options contain inaccuracies: The answer about update schedules is incorrect because policies and standards aren't defined by fixed update schedules (monthly vs. annually). Both are updated as needed based on changes in threats, regulations, or organizational needs. The answer suggesting standards are exclusively developed by technical security professionals is incorrect. While technical input is valuable, standards, like policies, typically require cross-functional development and approval. The answer stating policies address tactical controls while standards define vision is backward. Policies typically outline vision and strategic direction, while standards provide more tactical and specific requirements.

Correct Answer: Placing equipment above the 100-year flood plain level

The most effective physical location control for protecting critical IT systems from floods is placing equipment above the 100-year flood plain level. This is a fundamental preventive control that addresses the physical vulnerability directly at the site planning stage. By positioning IT systems above the historically established flood level, organizations can avoid water damage to critical infrastructure even during major flooding events. The other options are less effective as primary physical location controls: Water detection sensors with automatic alerts are detective controls, not preventive. They alert you when water is present but do not actually protect equipment from flood damage. Business continuity planning with redundant sites is about recovery, not a physical location control that prevents the initial damage from floods at the primary site. Elevated flooring with water-resistant coating provides some protection but is insufficient for serious flooding scenarios where water levels can rise significantly above floor level.

Correct Answer: Behavior-based anomaly detection

Advanced persistent threats (APTs) are sophisticated, long-term attacks that typically evade traditional security controls. The MOST effective detection technique among the options is behavior-based anomaly detection. Behavior-based anomaly detection works by establishing baselines of normal system and user behavior, then identifying deviations that may indicate compromise. This approach excels at detecting unknown threats and zero-day exploits that signature-based solutions miss, making it ideal for APTs that use novel techniques. Regular signature-based scanning relies on known threat patterns, which APTs are specifically designed to avoid, limiting its effectiveness against new or modified attack methods. Comprehensive log analysis with vulnerability assessments is valuable but reactive rather than proactive in detecting ongoing APT activity. It may help identify vulnerabilities but doesn't focus on detecting unusual behavior patterns in real-time. Application whitelisting with mandatory access controls is primarily a preventive measure that restricts what can run on systems, but doesn't actively detect sophisticated threats that may operate within allowed parameters or exploit legitimate credentials.