var quiz = {
	questions : [
		{
			text : 'Which of the following is an example of an ultimate data owner?',
			img : 'http://media.techtarget.com/WhatIs/images/spacer.gif',
			responses : [
				'A.	Front-line employee',
				'B.	Customer accessing information via the extranet',
				'C.	IT administrator',
				'D.	CIO'
			],
			answer : 3,
			score : 1,
			expandedAnswer : '<br>\nThe key here is the word \'ultimate.\' Employees and the administrator can be data owners in some situations, but senior management is ultimately the owner of business-oriented data. Data owners are legally bound to the protection of data within a company. Because of this required responsibility, data owners should be members of senior management. These individuals practice due care with data classifications and associated security policies.',
			moreInfo : ''
		},
		{
			text : 'What is the term that defines when senior management initiates and sponsors a company\'s security program?',
			img : 'http://media.techtarget.com/WhatIs/images/spacer.gif',
			responses : [
				'A.	Bottom-up approach',
				'B.	Top-down approach',
				'C.	Steering committee',
				'D.	Middle-driven approach'
			],
			answer : 1,
			score : 1,
			expandedAnswer : '<br>\nA top-down approach to security management is the ideal method because it\'s typically more successful than the bottom-up approach. A top-down approach means that management is driving a project, and bottom-up means that a lower-level employee is driving a project. The most important factor in security management is obtaining the support of upper management.',
			moreInfo : ''
		},
		{
			text : 'Which of the following would not be part of an organizational security policy?',
			img : 'http://media.techtarget.com/WhatIs/images/spacer.gif',
			responses : [
				'A.	Security program goals',
				'B.	Email security policy',
				'C.	Responsibility assignments',
				'D.	Enforcement information'
			],
			answer : 1,
			score : 1,
			expandedAnswer : '<br>\nAn organizational security policy covers the entire program at a high level. Typically this will cover how the program is set up, goals and objectives, the person responsible for specific tasks, and how to enforce the policy. Email security would be an issue-specific policy.',
			moreInfo : ''
		},
		{
			text : 'A technique used in qualitative risk analysis that uses the anonymous opinions of all individuals is called what?',
			img : 'http://media.techtarget.com/WhatIs/images/spacer.gif',
			responses : [
				'A.	Consensus approach',
				'B.	Delphi Technique',
				'C.	Group mentality',
				'D.	Group discussion phase'
			],
			answer : 1,
			score : 1,
			expandedAnswer : '<br>\nIn the qualitative risk analysis approach, the Delphi Technique is used to achieve honest results by allowing the individuals to submit their opinions anonymously. This technique is designed to allow people to submit their opinions without being influenced by others.',
			moreInfo : ''
		},
		{
			text : 'Which of the following terms is a recommendation to an employee on how to act?',
			img : 'http://media.techtarget.com/WhatIs/images/spacer.gif',
			responses : [
				'A.	Baseline',
				'B.	Rule',
				'C.	Guideline',
				'D.	Standard'
			],
			answer : 2,
			score : 1,
			expandedAnswer : '<br>\nGuidelines are used to provide employees with recommendations on how to perform specific tasks. This is different from a standard, which is a rule that must be followed, or a baseline, which is a minimal level of security.',
			moreInfo : ''
		},
		{
			text : 'Which is not an example or characteristic of qualitative risk analysis?',
			img : 'http://media.techtarget.com/WhatIs/images/spacer.gif',
			responses : [
				'A.	Delphi Technique',
				'B.	Storyboarding',
				'C.	Single loss expectancy calculations',
				'D.	Opinion-based'
			],
			answer : 2,
			score : 1,
			expandedAnswer : '<br>\nQualitative risk analysis does not focus on real-number calculations, but instead assigns rankings to threats and countermeasures, and focuses on judgment, intuition, and experience. Single Loss Expectancy (SLE) is a method used in quantitative risk analysis.',
			moreInfo : ''
		},
		{
			text : 'A policy that is more technically focused and outlines the directives dictated by management is which of the following?',
			img : 'http://media.techtarget.com/WhatIs/images/spacer.gif',
			responses : [
				'A.	System-specific',
				'B.	Technical-specific',
				'C.	Organizational',
				'D.	Issue-specific'
			],
			answer : 0,
			score : 1,
			expandedAnswer : '<br>\nSystem-specific policies are technical directives derived by management to protect individual systems. They can outline how a system should be accessed or how users should be trained on the use of a specific system.',
			moreInfo : ''
		},
		{
			text : 'Which is not an example of security awareness?',
			img : 'http://media.techtarget.com/WhatIs/images/spacer.gif',
			responses : [
				'A.	Security training',
				'B.	Security bulletin board notes',
				'C.	Security ACLs',
				'D.	Security objectives in an employee’s performance review'
			],
			answer : 2,
			score : 1,
			expandedAnswer : '<br>\nSecurity awareness is a vital part of a successful security program. As its name states, the goal is to make employees aware of the components of the security program. Employees can be made aware in a variety of ways, such as email, regular meetings, training classes, or by having security-related tasks as part of their performance plans. Access Control Lists (ACLs) are security controls, but don\'t contribute to security awareness.',
			moreInfo : ''
		},
		{
			text : 'A common omission in security programs by many companies is which of the following?',
			img : 'http://media.techtarget.com/WhatIs/images/spacer.gif',
			responses : [
				'A.	Responsibility assignments',
				'B.	Penalties for non-compliance',
				'C.	Risk analysis',
				'D.	Awareness'
			],
			answer : 1,
			score : 1,
			expandedAnswer : '<br>\nA common mistake that many companies make is failing to include penalties in the security program to be enforced if/when individuals don\'t comply with outlined directives. As with any rule or law, without known consequences, it’s unlikely that the instruction will be followed. Security awareness is included in most security policies, although following through with the awareness objective is less common.',
			moreInfo : ''
		},
		{
			text : 'What step should happen first when an employee is terminated if it\'s an unfriendly separation?',
			img : 'http://media.techtarget.com/WhatIs/images/spacer.gif',
			responses : [
				'A.	Escorted off premises',
				'B.	Network and system access privileges removed',
				'C.	Facility ID badges handed out',
				'D.	Employee’s personal items should be boxed'
			],
			answer : 1,
			score : 1,
			expandedAnswer : '<br>\nThe first step taken when an employee is terminated is to remove all network and system privileges. The ex-employee could still remotely connect to a network and do harm. Protecting the company’s assets should be the first step.',
			moreInfo : ''
		},
		{
			text : 'What is the most important factor in the successful implementation of a companywide security program?',
			img : 'http://media.techtarget.com/WhatIs/images/spacer.gif',
			responses : [
				'A.	Realistic budget estimates',
				'B.	Hiring a reputable consulting firm',
				'C.	Security awareness',
				'D.	Having the support of senior management'
			],
			answer : 3,
			score : 1,
			expandedAnswer : '<br>\nWithout the support of senior management, a security program has little chance of survival. A company\'s leadership group can drive the program more successfully than any other group. Their authoritative position in the company is a key factor. Budget approval, resource commitments, and company-wide participation also require buy-in from senior management.',
			moreInfo : ''
		},
		{
			text : 'Identifying, assessing, and reducing risk to an acceptable level and maintaining the achieved level is referred to as what?',
			img : 'http://media.techtarget.com/WhatIs/images/spacer.gif',
			responses : [
				'A.	Risk planning',
				'B.	Risk management',
				'C.	Security management',
				'D.	Operations management'
			],
			answer : 1,
			score : 1,
			expandedAnswer : '<br>\nRisk management plays a key role in the overall security program. Managing risk is a daunting task because there are so many risks to contend with.',
			moreInfo : ''
		},
		{
			text : 'Assigning a dollar figure to a single event assumed by the company if a threat occurred is called what?',
			img : 'http://media.techtarget.com/WhatIs/images/spacer.gif',
			responses : [
				'A.	Single loss expectancy',
				'B.	Exposure factor',
				'C.	Qualitative risk analysis',
				'D.	Quantitative risk analysis'
			],
			answer : 0,
			score : 1,
			expandedAnswer : '<br>\nSingle loss expectancy (SLE) is a technique used in quantitative risk analysis. It\'s a formula that helps a company assign financial value to a specific event. The calculation is: asset value x exposure factor (EF). Exposure factor is the percentage of loss placed on an asset each time a threat is realized.',
			moreInfo : ''
		},
		{
			text : 'Companies should set up different types of baselines for the company as a whole and for individual departments. This can include physical, technical, and administrative security. Which of the following defines a baseline?',
			img : 'http://media.techtarget.com/WhatIs/images/spacer.gif',
			responses : [
				'A.	Rules indicating what should and should not be done',
				'B.	A minimum level of security required',
				'C.	Step-by-step instructions used to complete a task',
				'D.	Recommendations'
			],
			answer : 1,
			score : 1,
			expandedAnswer : '<br>\nBaselines are used to help companies and people understand the lowest level of security that must be provided. Baselines can be applied to individual systems, departments, firewalls or human errors.',
			moreInfo : ''
		},
		{
			text : 'A company can\'t get rid of all risk. The risk that\'s left over is referred to as residual risk, and the company must determine if this corresponds with their acceptable level of risk. Which of the following defines residual risk?',
			img : 'http://media.techtarget.com/WhatIs/images/spacer.gif',
			responses : [
				'A.	Asset value x exposure factor',
				'B.	SLE x ARO',
				'C.	(Threats x vulnerability x asset value) x control gap',
				'D.	Threats x vulnerability x asset value'
			],
			answer : 2,
			score : 1,
			expandedAnswer : '<br>\nResidual risk is the amount of risk left over after the countermeasure has been implemented. To figure out the actual residual risk, the team must identify and calculate total risk, which is threats x vulnerability x asset value. The team must then calculate the control gap, which is what the countermeasure can\'t protect against. Multiplying total risk by the control gap gives the residual risk. A company must decide if the residual risk falls within their acceptable level of risk. If so, a cost/benefit analysis is carried out, and then the countermeasure can be purchased and installed.',
			moreInfo : ''
		}
	]
};