
California Information Security Compliance (SIMM) based on the Statewide Information Management Manual (SIMM), California Government Code (GC), SAM (State Administrative Manual), and general information security best practices applicable to California public entities

Typology: Exams

2024/2025

Available from 07/02/2025

DrPrep

1.6K documents

California Information Security Compliance (SIMM) based on
the Statewide Information Management Manual (SIMM),
California Government Code (GC), SAM (State Administrative
Manual), and general information security best practices
applicable to California public entities.
1. What is the main purpose of the SIMM 5300 series?
a. Establish financial policies
b. Guide statewide health policy
c. Provide direction for information security and privacy programs
d. Outline vehicle fleet management
The SIMM 5300 series provides detailed guidance on implementing information
security and privacy policies in California state agencies.
2. Who is responsible for ensuring compliance with the SIMM requirements at
a state agency?
a. Department of Technology
b. Agency Information Security Officer (AISO)
c. Governor
d. California State Auditor

The AISO is designated to oversee and ensure adherence to security compliance at the agency level.

3. According to SIMM 5305-A, how often must agencies conduct an Information Security Risk Assessment?
a. Monthly
b. Once every five years
c. At least annually
d. Only when a breach occurs
Risk assessments must be conducted annually to ensure continued risk awareness and mitigation.
4. What does SIMM stand for?
a. State IT Management Manual
b. Security Infrastructure and Monitoring Manual
c. Statewide Information Management Manual
d. State Information Mandate Manual
SIMM is the Statewide Information Management Manual used for IT governance and compliance.
5. Which document sets the overarching policy that SIMM supports?
a. IRS 1075
b. SAM – State Administrative Manual

a. 5300-A
b. 5330-B
c. 5305-D
d. 5320
SIMM 5330-B is the template and guidance document for developing Information Security Program Plans.

9. What should an agency do after identifying a high-risk item in its annual assessment?
a. Ignore it until budget is approved
b. Develop a mitigation strategy and document it in the risk register
c. Fire the IT director
d. Report it directly to the media
Agencies must take timely action to manage and mitigate identified risks.
10. What's the required frequency for updating the Information Security Program Plan?
a. Every 5 years
b. Only when an incident occurs
c. Annually or when significant changes occur
d. When budget allows
The plan must be reviewed annually or after major changes to the environment or risks.

11. According to SIMM 5360-A, who is responsible for user access reviews?
a. Network team
b. Legal team
c. Information Asset Owner
d. Custodian
The Information Asset Owner ensures proper access controls are implemented and reviewed.
12. What is required in SIMM 5310-A?
a. Virus definitions
b. Information Security and Privacy Roles and Responsibilities
c. Patch management policies
d. Audit trail reviews
SIMM 5310-A outlines the roles and responsibilities of personnel involved in security and privacy programs.
13. Who appoints the Agency Information Security Officer (AISO)?
a. Governor
b. Department of Justice
c. Agency Director or designee
d. Auditor

c. Size
d. Number of users
The CIA triad is the foundation of information classification in California SIMM.
17. Which of the following is an example of a compensating control?
a. Ignoring a risk
b. Using multifactor authentication if encryption isn't available
c. Disabling access control
d. Delaying patching
Compensating controls reduce risk when a direct control is not feasible.
18. What must be included in an agency's Information Security Program Plan?
a. Budget request
b. Security goals, objectives, and responsibilities
c. Employee lunch schedule
d. Physical fitness policy
The plan must define the agency's security posture and responsibilities clearly.
19. SIMM 5340-B is used to report:
a. Hiring plans
b. Audit recommendations

c. Security incident follow-up actions
d. Antivirus updates
SIMM 5340-B provides a template for documenting actions taken post-incident.
20. What is a primary purpose of SIMM 5330-A?
a. Classify budget categories
b. Guide development of Information Security Strategic Plan
c. Provide retirement forms
d. License software
SIMM 5330-A supports the planning of long-term security objectives and initiatives.

21. What is the primary goal of the SIMM 5360 series?
a. Audit documentation
b. Training manuals
c. Access control and identity management guidance
d. Software licensing
The SIMM 5360 series outlines standards and templates for managing user access and identity verification.
22. What document requires state agencies to submit a Technology Recovery Plan (TRP)?
a. SIMM 5305-A

c. Third-party vendor audits
d. Building access
SIMM 5360-B is the template for reporting identity and access management practices.

26. A key responsibility of the Information Security Office is to:
a. Set budget for all state projects
b. Monitor compliance with statewide IT security policies
c. Assign software licenses
d. Maintain employee timesheets
The ISO ensures state entities adhere to required information security protocols.
27. Which of the following is a sensitive information type per SIMM guidelines?
a. Meeting agenda
b. Parking permit
c. Social Security Number (SSN)
d. Organization chart
Personally Identifiable Information (PII) such as SSNs is classified as sensitive.
28. What is required before granting user access to an information system?
a. Managerial reference
b. Physical exam
c. Role-based access authorization
d. Parking access
Users must be granted access according to their specific job duties (least privilege).

29. SIMM 5340-A is used to:
a. Create backup schedules
b. Report initial security incidents to the California Department of Technology
c. Budget project planning
d. Log physical entry to a building
SIMM 5340-A is the standard template for incident reporting.
30. Security controls that prevent unauthorized access are classified as:
a. Corrective controls
b. Preventive controls
c. Detective controls
d. Responsive controls
Preventive controls are designed to block security threats before they occur.
31. What is the minimum requirement for reviewing and updating the Information Asset Inventory?
a. Every 6 years
b. Annually or when significant changes occur

c. Request vacation
d. Issue email accounts
This template supports assessing the maturity of an agency's security program.

35. The term "least privilege" refers to:
a. Equal access for all
b. Limiting user access to only what's needed
c. Allowing external vendors full access
d. Prioritizing high-level users
"Least privilege" ensures users have only the access necessary for their roles.
36. What is a required component of the Risk Register per SIMM 5305-C?
a. Pay rates
b. Risk description, impact, likelihood, and mitigation strategy
c. Employee birthdates
d. Printer inventory
The Risk Register must capture key risk elements to guide security decisions.
37. Which agency provides oversight for SIMM compliance?
a. U.S. Secret Service
b. California Department of Technology (CDT)
c. DMV
d. Homeland Security
CDT oversees state technology policies, including security through SIMM.

38. Annual information security awareness training is:
a. Optional
b. Mandatory for all state personnel
c. Required only for IT staff
d. Required every 3 years
All staff must receive annual training to maintain security posture.
39. A Business Impact Analysis (BIA) helps determine:
a. Email use
b. IT licenses
c. Critical business functions and required recovery time
d. Employee insurance
A BIA is essential for continuity and disaster recovery planning.
40. SIMM 5320-C helps with:
a. Furniture purchases
b. Categorizing information assets
c. Badge printing
d. HR onboarding
SIMM 5320-C supports the classification of data by sensitivity and risk.

44. What must be reported on SIMM 5330-D?
a. Meeting minutes
b. Information Security Exceptions
c. Software reviews
d. Cafeteria menu
SIMM 5330-D documents approved deviations from SIMM/SAM requirements.
45. How should access be granted according to SIMM?
a. After probation ends
b. Based on documented roles and responsibilities
c. Without restriction
d. Randomly
Access should be controlled and justified by formal documentation.
46. If an agency fails to comply with SIMM, the CDT may:
a. Issue free software
b. Cancel holidays
c. Take corrective or enforcement action
d. Give awards
The CDT has authority to ensure enforcement of statewide compliance.
47. The definition of an incident includes:
a. Normal operations
b. Printer running out of ink
c. Unauthorized access to sensitive information
d. Scheduled backups
Security incidents involve breaches or unauthorized activities affecting data or systems.

48. What must be documented during account provisioning?
a. Parking assignment
b. Approval, date granted, role, and reviewer
c. Favorite color
d. Lunch schedule
Proper documentation ensures accountability and traceability for access management.
49. Who approves exceptions to statewide information security policies?
a. Receptionist
b. City mayor
c. CDT Office of Information Security
d. Any employee
Only CDT's OIS has authority to approve formal exceptions to policy requirements.
50. What is the overarching principle in all SIMM security guidance?
a. Cost efficiency

53. The SIMM 5305-D is used to submit what kind of plan?
a. Lunch rotation
b. Server decommissioning
c. Risk treatment plan
d. Employee appraisal
SIMM 5305-D provides a structure for documenting how identified risks will be managed.
54. What is the minimum password length recommended by SIMM?
a. 6 characters
b. 12 characters
c. 20 characters
d. 8 digits only
The current standard recommends a minimum of 12 characters for stronger protection.
55. Which of the following is a required element in a TRP (Technology Recovery Plan)?
a. Floorplans
b. Internet speed
c. System recovery time objectives (RTOs)
d. Snack preferences
Recovery Time Objectives are essential for evaluating acceptable downtime in a TRP.

56. What is the main goal of security awareness training under SIMM?
a. Teach software installation
b. Promote user behavior that protects systems and data
c. Learn new programming languages
d. Identify fashion trends
Awareness training helps prevent breaches caused by human error or negligence.
57. SIMM 5310-B defines the responsibilities of which key role?
a. Maintenance manager
b. Chief Information Security Officer (CISO)
c. Software tester
d. Receptionist
SIMM 5310-B outlines responsibilities for the CISO in overseeing enterprise security.
58. How often should information classification levels be re-evaluated?
a. Never
b. Whenever data usage or risk changes
c. Only during data breaches
d. Every 10 years