Privacy policies must contain notifications and opt-out provisions: they are a high-level
management statement of direction. They do not necessarily address warranties, liabilities or
geographic coverage, which are more specific.
The cost of implementing a security control should not exceed the:
A. annualized loss expectancy.
B. cost of an incident.
C. asset value.
D. implementation opportunity costs.
The cost of implementing security controls should not exceed the worth of the asset. Annualized
loss expectancy represents the losses that are expected to happen during a single calendar
year. A security mechanism may cost more than this amount (or the cost of a single incident)
and still be considered cost effective. Opportunity costs relate to revenue lost by forgoing the
acquisition of an item or the making of a business decision.
When a security standard conflicts with a business objective, the situation should be resolved by:
A. changing the security standard.
B. changing the business objective.
C. performing a risk analysis.
D. authorizing a risk acceptance.
Conflicts of this type should be resolved based on a risk analysis of the costs and benefits of allowing or
disallowing an exception to the standard. It is highly improbable that a business objective could
be changed to accommodate a security standard, while risk acceptance is a process that
derives from the risk analysis.
Minimum standards for securing the technical infrastructure should be defined in a security:
Minimum standards for securing the technical infrastructure should be defined in a security
architecture document. This document defines how components are secured and the security