What Are The Drone Anti-jamming Systems Technology?
Chapter 04 information_security_policy
1. Name: Class: Date:
Chapter 04 - Information Security Policy
Copyright Cengage Learning. Powered by Cognero. Page 1
1. Policies must specify penalties for unacceptable behavior and define an appeals process.
a. True
b. False
ANSWER: True
2. One of the goals of an issue-specific security policy is to indemnify the organization against liability for an employee’s
inappropriate or illegal use of the system.
a. True
b. False
ANSWER: True
3. The 'Authorized Uses' section of an ISSP specifies what the identified technology cannot be used for.
a. True
b. False
ANSWER: False
4. Rule-based policies are less specific to the operation of a system than access control lists.
a. True
b. False
ANSWER: False
5. Since most policies are drafted by a single person and then reviewed by a higher-level manager, employee input should
not be considered since it makes the process too complex.
a. True
b. False
ANSWER: False
6. Technology is the essential foundation of an effective information security program. _____________
ANSWER: False - Policy
7. Information security policies are designed to provide structure in the workplace and explain the will of the
organization’s management. ____________
ANSWER: True
8. Non mandatory recommendations that the employee may use as a reference in complying with a policy.are known as
regulations. ____________
ANSWER: False - guidelines
9. Examples of actions that illustrate compliance with policies are known as laws.
ANSWER: False - practices
10. The need for effective policy management has led to the emergence of a class of hardware tools that supports policy
development, implementation, and maintenance.
ANSWER: False - software
11. Which of the following is NOT one of the basic rules that must be followed when shaping a policy?
2. Name: Class: Date:
Chapter 04 - Information Security Policy
Copyright Cengage Learning. Powered by Cognero. Page 2
a. policy should never conflict with law b. policy must be able to stand up in court if
challenged
c. policy should be agreed upon by all employees and
management
d. policy must be properly supported and
administered
ANSWER: c
12. Which of the following is a policy implementation model that addresses issues by moving from the general to the
specific and is a proven mechanism for prioritizing complex changes?
a. On-target model b. Wood’s model
c. Bull’s-eye model d. Bergeron and Berube model
ANSWER: c
13. Which of the following is NOT among the three types of InfoSec policies based on NIST’s Special Publication 800-
14?
a. Enterprise information security policy
b. User-specific security policies
c. Issue-specific security policies
d. System-specific security policies
ANSWER: b
14. In addition to specifying the penalties for unacceptable behavior, what else must a policy specify?
a. appeals process b. legal recourse
c. what must be done to comply d. the proper operation of equipment
ANSWER: d
15. Which policy is the highest level of policy and is usually created first?
a. SysSP b. USSP
c. ISSP d. EISP
ANSWER: d
16. Which type of document is a more detailed statement of what must be done to comply with a policy?
a. procedure b. standard
c. guideline d. practice
ANSWER: b
17. Which of the following is an element of the enterprise information security policy?
a. access controllists
b. information on the structure of the InfoSec organization
c. articulation of the organization’s SDLC methodology
d. indemnification of the organization against liability
ANSWER: b
18. Which type of security policy is intended to provide a common understanding of the purposes for which an employee
can and cannot use a resource?
a. issue-specific b. enterprise information
3. Name: Class: Date:
Chapter 04 - Information Security Policy
Copyright Cengage Learning. Powered by Cognero. Page 3
c. system-specific d. user-specific
ANSWER: a
19. Which section of an ISSP should outline a specific methodology for the review and modification of the ISSP?
a. Policy Review and Modification
b. Limitations of Liability
c. Systems Management
d. Statement of Purpose
ANSWER: a
20. Which of the following sections of the ISSP should provide instructions on how to report observed or suspected policy
infractions?
a. Violations of Policy
b. Systems Management
c. Prohibited Usage of Equipment
d. Authorized Access and Usage of Equipment
ANSWER: a
21. Which of the following is a disadvantage of the individual policy approach to creating and managing ISSPs?
a. can suffer from poor policy dissemintation, enforcement, and review
b. may skip vulnerabilities otherwise reported
c. may be more expensive than necessary
d. implementation can be less difficult to manage
ANSWER: a
22. Which of the following are the two general groups into which SysSPs can be separated?
a. technical specifications and managerial guidance b. business guidance and network guidance
c. user specifications and managerial guidance d. technical specifications and business guidance
ANSWER: a
23. What are the two general methods for implementing technical controls?
a. profile lists and configuration filters
b. firewall rules and access filters
c. user profiles and filters
d. access controllists and configuration rules
ANSWER: d
24. Which of the following is NOT an aspect of access regulated by ACLs?
a. what authorized users can access b. where the system is located
c. how authorized users can access the system d. when authorized users can access the system
ANSWER: b
25. Which of the following are instructional codes that guide the execution of the system when information is passing
through it?
a. access controllists b. user profiles
4. Name: Class: Date:
Chapter 04 - Information Security Policy
Copyright Cengage Learning. Powered by Cognero. Page 4
c. configuration rules d. capability tables
ANSWER: c
26. A detailed outline of the scope of the policy development project is created during which phase of the SecSDLC?
a. design b. analysis
c. implementation d. investigation
ANSWER: d
27. In which phase of the SecSDLC must the team create a plan to distribute and verify the distribution of the policies?
a. design b. implementation
c. investigation d. analysis
ANSWER: a
28. A risk assessment is performed during which phase of the SecSDLC?
a. implementation b. analysis
c. design d. investigation
ANSWER: b
29. According to NIST SP 800-18, Rev. 1, which individual is responsible for the creation, revision, distribution, and
storage of the policy?
a. policy developer b. policy reviewer
c. policy enforcer d. policy administrator
ANSWER: d
30. When an organization demonstrates that it is continuously attempting to meet the requirements of the market in which
it operates, what is it ensuring?
a. policy administration b. due diligence
c. adequate security measures d. certification and accreditation
ANSWER: b
31. In the bull’s-eye model, the ____________________ layer is the place where threats from public networks meet the
organization’s networking infrastructure.
ANSWER: Networks
32. The three types of information security policies include the enterprise information security policy, the issue-specific
security policy, and the ____________________ security policy.
ANSWER: system-specific
system specific
33. The responsibilities of both the users and the systems administrators with regard to specific systems administration
duties should be specified in the ____________________ section of the ISSP.
ANSWER: Systems Management
34. ____________________ include the user access lists, matrices, and capability tables that govern the rights and
privileges of users.
ANSWER: Access controllists
5. Name: Class: Date:
Chapter 04 - Information Security Policy
Copyright Cengage Learning. Powered by Cognero. Page 5
ACLs
35. A(n) ____________________, which is usually presented on a screen to the user during software installation, spells
out fair and responsible use of the software being installed.
ANSWER: end-user license agreement
end user license agreement
EULA
36. The champion and manager of the information security policy is called the ____________________.
ANSWER: policy administrator
37. List the significant guidelines used in the formulation of effective information security policy.
ANSWER: For policies to be effective, they must be properly:
1. Developed using industry-accepted practices
2. Distributed or disseminated using all appropriate methods
3. Reviewed or read by all employees
4. Understood by all employees
5. Formally agreed to by act or assertion
6. Uniformly applied and enforced
38. List the advantages and disadvantages of using a modular approach for creating and managing the ISSP.
ANSWER: The advantages of the modular ISSP policy are:
Often considered an optimal balance between the individual ISSP and the comprehensive ISSP approaches
Well controlled by centrally managed procedures, assuring complete topic coverage
Clear assignment to a responsible department
Written by those with superior subject matter expertise for technology-specific systems
The disadvantages of the modular ISSP policy are:
May be more expensive than other alternatives
Implementation can be difficult to manage
39. List the major components of the ISSP.
ANSWER: Statement of Purpose
Authorized Uses
Prohibited Uses
Systems Management
Violations of Policy
Policy Review and Modification
Limitations of Liability
40. How should a policy administrator facilitate policy reviews?
ANSWER: To facilitate policy reviews, the policy administrator should implement a mechanism by which individuals can
easily make recommendations for revisions to the policies and other related documentation. Recommendation
methods could include e-mail, office mail, or an anonymous drop box.
41. What is the final component of the design and implementation of effective policies? Describe this component.
ANSWER: The final component of the design and implementation of effective policies is uniform and impartial
enforcement. As in law enforcement, policy enforcement must be able to withstand external scrutiny. Because
this scrutiny may occur during legal proceedings—for example, in a civil suit contending wrongful
termination—organizations must establish high standards of due care with regard to policy management.
6. Name: Class: Date:
Chapter 04 - Information Security Policy
Copyright Cengage Learning. Powered by Cognero. Page 6
42. In which phase of the development of an InfoSec policy must a plan to distribute the policies be developed? Why is
this important?
ANSWER: During the design phase, the team must create a plan to distribute and verify the distribution of the policies.
Members of the organization must explicitly acknowledge that they have received and read the policy.
Otherwise, an employee can claim never to have seen a policy, and unless the manager can produce strong
evidence to the contrary, any enforcement action, such as dismissal for inappropriate use of the Web, can be
overturned and punitive damages might be awarded to the former employee.
43. What are configuration rules? Provide examples.
ANSWER: Configuration rules are instructional codes that guide the execution of the system when information is passing
through it. Rule-based policies are more specific to the operation of a system than ACLs are, and they may or
may not deal with users directly. Many security systems require specific configuration scripts that dictate
which actions to perform on each set of information they process. Examples include firewalls, intrusion
detection and prevention systems (IDPSs), and proxy servers.
44. What should an effective ISSP accomplish?
ANSWER: It articulates the organization’s expectations about how its technology-based system should be used.
It documents how the technology-based system is controlled and identifies the processes and authorities that
provide this control.
It indemnifies the organization against liability for an employee’s inappropriate or illegal use of the system.
45. What is a SysSP and what is one likely to include?
ANSWER: SysSPs often function as standards or procedures to be used when configuring or maintaining systems—for
example, to configure and operate a network firewall. Such a document could include: a statement of
managerial intent; guidance to network engineers on selecting, configuring, and operating firewalls; and an
access controllist that defines levels of access for each authorized user.
46. What are the four elements that an EISP document should include?
ANSWER: An overview of the corporate philosophy on security
Information on the structure of the InfoSec organization and individuals who fulfill the InfoSec role
Fully articulated responsibilities for security that are shared by all members of the organization (employees,
contractors, consultants, partners, and visitors)
Fully articulated responsibilities for security that are unique to each role within the organization
a. capability table
b. statement of purpose
c. Bull’s eye model
d. SysSP
e. procedures
f. InfoSec policy
g. standard
h. access controllists
i. systems management
j. ISSP
47. Step-by-step instructions designed to assist employees in following policies, standards and guidelines.
ANSWER: e
7. Name: Class: Date:
Chapter 04 - Information Security Policy
Copyright Cengage Learning. Powered by Cognero. Page 7
48. A detailed statement of what must be done to comply with policy, sometimes viewed
as the rules governing policy compliance.
ANSWER: g
49. When issues are addressed by moving from the general to the specific, always starting with policy.
ANSWER: c
50. An organizational policy that provides detailed, targeted guidance to instruct all members of the organization in the
use of a resource, such as one of its processes or technologies.
ANSWER: j
51. The high-level information security policy that sets the strategic direction, scope, and tone for all of an organization’s
security efforts
ANSWER: f
52. Specifications of authorization that govern the rights and privileges of users to a particular information asset.
ANSWER: h
53. A clear declaration that outlines the scope and applicability of a policy.
ANSWER: b
54. A section of policy that should specify users’ and systems administrators’ responsibilities.
ANSWER: i
55. Specifies which subjects and objects that users or groups can access.
ANSWER: a
56.
Organizational policies that often function as standards or procedures to be used when configuring or maintaining
systems.
ANSWER: d