Name: Class: Date:
Chapter 04 - Information Security Policy
Copyright Cengage Learning. Powered by Cognero. Page 1
1. Policies must specify penalties for unacceptable behavior and define an appeals process.
a. True
b. False
ANSWER: True
2. One of the goals of an issue-specific security policy is to indemnify the organization against liability for an employee’s
inappropriate or illegal use of the system.
a. True
b. False
ANSWER: True
3. The 'Authorized Uses' section of an ISSP specifies what the identified technology cannot be used for.
a. True
b. False
ANSWER: False
4. Rule-based policies are less specific to the operation of a system than access control lists.
a. True
b. False
ANSWER: False
5. Since most policies are drafted by a single person and then reviewed by a higher-level manager, employee input should
not be considered since it makes the process too complex.
a. True
b. False
ANSWER: False
6. Technology is the essential foundation of an effective information security program. _____________
ANSWER: False - Policy
7. Information security policies are designed to provide structure in the workplace and explain the will of the
organization’s management. ____________
ANSWER: True
8. Non-mandatory recommendations that the employee may use as a reference in complying with a policy are known as
regulations. ____________
ANSWER: False - guidelines
9. Examples of actions that illustrate compliance with policies are known as laws.
ANSWER: False - practices
10. The need for effective policy management has led to the emergence of a class of hardware tools that supports policy
development, implementation, and maintenance.
ANSWER: False - software
11. Which of the following is NOT one of the basic rules that must be followed when shaping a policy?
a. policy should never conflict with law
b. policy must be able to stand up in court if challenged
c. policy should be agreed upon by all employees and management
d. policy must be properly supported and administered
ANSWER: c
12. Which of the following is a policy implementation model that addresses issues by moving from the general to the
specific and is a proven mechanism for prioritizing complex changes?
a. On-target model
b. Wood’s model
c. Bull’s-eye model
d. Bergeron and Berube model
ANSWER: c
13. Which of the following is NOT among the three types of InfoSec policies based on NIST’s Special Publication 800-14?
a. Enterprise information security policy
b. User-specific security policies
c. Issue-specific security policies
d. System-specific security policies
ANSWER: b
14. In addition to specifying the penalties for unacceptable behavior, what else must a policy specify?
a. appeals process
b. legal recourse
c. what must be done to comply
d. the proper operation of equipment
ANSWER: a
15. Which policy is the highest level of policy and is usually created first?
a. SysSP
b. USSP
c. ISSP
d. EISP
ANSWER: d
16. Which type of document is a more detailed statement of what must be done to comply with a policy?
a. procedure
b. standard
c. guideline
d. practice
ANSWER: b
17. Which of the following is an element of the enterprise information security policy?
a. access control lists
b. information on the structure of the InfoSec organization
c. articulation of the organization’s SDLC methodology
d. indemnification of the organization against liability
ANSWER: b
18. Which type of security policy is intended to provide a common understanding of the purposes for which an employee
can and cannot use a resource?
a. issue-specific
b. enterprise information
c. system-specific
d. user-specific
ANSWER: a
19. Which section of an ISSP should outline a specific methodology for the review and modification of the ISSP?
a. Policy Review and Modification
b. Limitations of Liability
c. Systems Management
d. Statement of Purpose
ANSWER: a
20. Which of the following sections of the ISSP should provide instructions on how to report observed or suspected policy
infractions?
a. Violations of Policy
b. Systems Management
c. Prohibited Usage of Equipment
d. Authorized Access and Usage of Equipment
ANSWER: a
21. Which of the following is a disadvantage of the individual policy approach to creating and managing ISSPs?
a. can suffer from poor policy dissemination, enforcement, and review
b. may skip vulnerabilities otherwise reported
c. may be more expensive than necessary
d. implementation can be less difficult to manage
ANSWER: a
22. Which of the following are the two general groups into which SysSPs can be separated?
a. technical specifications and managerial guidance
b. business guidance and network guidance
c. user specifications and managerial guidance
d. technical specifications and business guidance
ANSWER: a
23. What are the two general methods for implementing technical controls?
a. profile lists and configuration filters
b. firewall rules and access filters
c. user profiles and filters
d. access control lists and configuration rules
ANSWER: d
24. Which of the following is NOT an aspect of access regulated by ACLs?
a. what authorized users can access
b. where the system is located
c. how authorized users can access the system
d. when authorized users can access the system
ANSWER: b
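As an added example, not part of the test bank or of the textbook it accompanies, the following Python encodes an ACL that regulates every aspect the question lists (who may use an asset, what they may do, when, from where and how) with default deny, and then pivots the same entries into the subject-indexed capability table that the matching section later defines. Asset names, user names, hours and networks are assumptions made up for the example.

```python
# Added example (not from the test bank or the textbook): an ACL that
# regulates who may reach an asset, what they may do, when, from where and
# how, with default deny, plus the capability-table view of the same data.
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set


@dataclass
class AclEntry:
    subject: str         # who
    actions: Set[str]    # what the subject may do to the asset
    start: time          # when: inclusive start of the allowed window
    end: time            # when: inclusive end of the allowed window
    networks: List[str]  # where: source networks (CIDR) the subject may come from
    methods: Set[str]    # how: access methods permitted (ssh, https, ...)


@dataclass
class Request:
    subject: str
    asset: str
    action: str
    at: datetime
    src_ip: str
    method: str


# Constructed sample ACL, indexed by asset as an ACL is. Names, hours and
# networks are assumptions for illustration only.
ACL: Dict[str, List[AclEntry]] = {
    "payroll-db": [
        AclEntry("alice", {"read", "write"}, time(8, 0), time(18, 0),
                 ["10.0.0.0/8"], {"ssh"}),
        AclEntry("bob", {"read"}, time.min, time.max,
                 ["10.0.0.0/8", "192.168.1.0/24"], {"https"}),
    ],
    "web-frontend": [
        AclEntry("bob", {"read", "deploy"}, time(9, 0), time(17, 0),
                 ["10.0.0.0/8"], {"ssh", "https"}),
    ],
}


def check(req: Request, acl: Dict[str, List[AclEntry]] = ACL) -> str:
    """Return "allow" or "deny: <reason>". Default deny: a subject with no
    entry on the asset fails before any other test, and every aspect of an
    entry (what, when, where, how) must pass for that entry to grant access."""
    entries = [e for e in acl.get(req.asset, []) if e.subject == req.subject]
    if not entries:
        return "deny: no entry for subject on asset"
    reasons: List[str] = []
    src = ip_address(req.src_ip)
    for e in entries:
        if req.action not in e.actions:
            reasons.append("action not permitted")
        elif not (e.start <= req.at.time() <= e.end):
            reasons.append("outside allowed time window")
        elif not any(src in ip_network(n) for n in e.networks):
            reasons.append("source network not allowed")
        elif req.method not in e.methods:
            reasons.append("access method not allowed")
        else:
            return "allow"
    return "deny: " + reasons[0]


def capability_table(acl: Dict[str, List[AclEntry]]) -> Dict[str, Dict[str, Set[str]]]:
    """Pivot the asset-indexed ACL into a subject-indexed capability table
    (subject -> asset -> actions): the same access matrix, read by row
    instead of by column."""
    table: Dict[str, Dict[str, Set[str]]] = {}
    for asset, entries in acl.items():
        for e in entries:
            table.setdefault(e.subject, {}).setdefault(asset, set()).update(e.actions)
    return table


if __name__ == "__main__":
    req = Request("alice", "payroll-db", "write",
                  datetime(2024, 1, 15, 10, 0), "10.1.2.3", "ssh")
    print(check(req))
    print(capability_table(ACL))
```

The check returns the first failing aspect as the reason, which is what an audit log needs; a production system would also log the allow decisions so that the "when" and "where" constraints can be verified against actual use.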
25. Which of the following are instructional codes that guide the execution of the system when information is passing
through it?
a. access control lists
b. user profiles
c. configuration rules
d. capability tables
ANSWER: c
26. A detailed outline of the scope of the policy development project is created during which phase of the SecSDLC?
a. design
b. analysis
c. implementation
d. investigation
ANSWER: d
27. In which phase of the SecSDLC must the team create a plan to distribute and verify the distribution of the policies?
a. design
b. implementation
c. investigation
d. analysis
ANSWER: a
28. A risk assessment is performed during which phase of the SecSDLC?
a. implementation
b. analysis
c. design
d. investigation
ANSWER: b
29. According to NIST SP 800-18, Rev. 1, which individual is responsible for the creation, revision, distribution, and
storage of the policy?
a. policy developer
b. policy reviewer
c. policy enforcer
d. policy administrator
ANSWER: d
30. When an organization demonstrates that it is continuously attempting to meet the requirements of the market in which
it operates, what is it ensuring?
a. policy administration
b. due diligence
c. adequate security measures
d. certification and accreditation
ANSWER: b
31. In the bull’s-eye model, the ____________________ layer is the place where threats from public networks meet the
organization’s networking infrastructure.
ANSWER: Networks
32. The three types of information security policies include the enterprise information security policy, the issue-specific
security policy, and the ____________________ security policy.
ANSWER: system-specific
system specific
33. The responsibilities of both the users and the systems administrators with regard to specific systems administration
duties should be specified in the ____________________ section of the ISSP.
ANSWER: Systems Management
34. ____________________ include the user access lists, matrices, and capability tables that govern the rights and
privileges of users.
ANSWER: Access control lists
ACLs
35. A(n) ____________________, which is usually presented on a screen to the user during software installation, spells
out fair and responsible use of the software being installed.
ANSWER: end-user license agreement
end user license agreement
EULA
36. The champion and manager of the information security policy is called the ____________________.
ANSWER: policy administrator
37. List the significant guidelines used in the formulation of effective information security policy.
ANSWER: For policies to be effective, they must be properly:
1. Developed using industry-accepted practices
2. Distributed or disseminated using all appropriate methods
3. Reviewed or read by all employees
4. Understood by all employees
5. Formally agreed to by act or assertion
6. Uniformly applied and enforced
38. List the advantages and disadvantages of using a modular approach for creating and managing the ISSP.
ANSWER: The advantages of the modular ISSP policy are:
Often considered an optimal balance between the individual ISSP and the comprehensive ISSP approaches
Well controlled by centrally managed procedures, assuring complete topic coverage
Clear assignment to a responsible department
Written by those with superior subject matter expertise for technology-specific systems
The disadvantages of the modular ISSP policy are:
May be more expensive than other alternatives
Implementation can be difficult to manage
39. List the major components of the ISSP.
ANSWER: Statement of Purpose
Authorized Uses
Prohibited Uses
Systems Management
Violations of Policy
Policy Review and Modification
Limitations of Liability
40. How should a policy administrator facilitate policy reviews?
ANSWER: To facilitate policy reviews, the policy administrator should implement a mechanism by which individuals can
easily make recommendations for revisions to the policies and other related documentation. Recommendation
methods could include e-mail, office mail, or an anonymous drop box.
41. What is the final component of the design and implementation of effective policies? Describe this component.
ANSWER: The final component of the design and implementation of effective policies is uniform and impartial
enforcement. As in law enforcement, policy enforcement must be able to withstand external scrutiny. Because
this scrutiny may occur during legal proceedings—for example, in a civil suit contending wrongful
termination—organizations must establish high standards of due care with regard to policy management.
42. In which phase of the development of an InfoSec policy must a plan to distribute the policies be developed? Why is
this important?
ANSWER: During the design phase, the team must create a plan to distribute and verify the distribution of the policies.
Members of the organization must explicitly acknowledge that they have received and read the policy.
Otherwise, an employee can claim never to have seen a policy, and unless the manager can produce strong
evidence to the contrary, any enforcement action, such as dismissal for inappropriate use of the Web, can be
overturned and punitive damages might be awarded to the former employee.
43. What are configuration rules? Provide examples.
ANSWER: Configuration rules are instructional codes that guide the execution of the system when information is passing
through it. Rule-based policies are more specific to the operation of a system than ACLs are, and they may or
may not deal with users directly. Many security systems require specific configuration scripts that dictate
which actions to perform on each set of information they process. Examples include firewalls, intrusion
detection and prevention systems (IDPSs), and proxy servers.
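As an added example, not part of the test bank or of the textbook, the following Python models the kind of configuration rule the answer describes: an ordered firewall rule set applied to each packet as it passes through, first match wins, with an implicit deny for anything no rule mentions. It also includes the check a reviewer runs when comparing a rule set against the written policy, finding rules an earlier rule shadows so they can never fire. The rule syntax, the addresses and the sample rule set are assumptions constructed for the example, not any vendor's format.

```python
# Added example (not from the test bank or the textbook): a first-match
# firewall rule set as one kind of configuration rule, with an audit for
# rules an earlier rule shadows. Rule syntax and addresses are assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # source network, CIDR
    dst: str               # destination network, CIDR
    dport: Optional[int]   # destination port; None matches any port


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def parse_rules(text: str) -> List[Rule]:
    """Parse one rule per line: '<allow|deny> <proto> <src> -> <dst> <port|any>'.
    Anything after '#' is a comment; blank lines are ignored."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 6 or fields[0] not in ("allow", "deny") or fields[3] != "->":
            raise ValueError(f"bad rule: {raw!r}")
        action, proto, src, _, dst, port = fields
        for cidr in (src, dst):
            ip_network(cidr)   # reject malformed prefixes when loading, not per packet
        rules.append(Rule(action, proto, src, dst, None if port == "any" else int(port)))
    return rules


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("any", pkt.proto)
            and ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and rule.dport in (None, pkt.dport))


def decide(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins. A packet no rule matches falls through to
    the implicit deny, so the rule set only has to enumerate what is allowed."""
    for i, r in enumerate(rules, start=1):
        if matches(r, pkt):
            return f"{r.action} (rule {i})"
    return "deny (implicit)"


def shadowed(rules: List[Rule]) -> List[int]:
    """1-based numbers of rules that can never fire because an earlier rule
    already matches every packet they would match. Such dead rules are a
    common finding when a rule set is reviewed against its written policy."""
    dead: List[int] = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if (earlier.proto in ("any", later.proto)
                    and ip_network(later.src).subnet_of(ip_network(earlier.src))
                    and ip_network(later.dst).subnet_of(ip_network(earlier.dst))
                    and earlier.dport in (None, later.dport)):
                dead.append(j + 1)
                break
    return dead


# Constructed sample rule set for a DMZ host and a resolver; order matters.
RULESET = """
deny  any 0.0.0.0/0   -> 192.0.2.10/32 23    # never telnet to the DMZ host
allow tcp 0.0.0.0/0   -> 192.0.2.10/32 443   # public HTTPS
allow tcp 10.0.0.0/8  -> 192.0.2.10/32 22    # SSH from the internal network only
allow udp 10.0.0.0/8  -> 192.0.2.53/32 53    # internal DNS
allow tcp 10.1.0.0/16 -> 192.0.2.10/32 22    # dead: rule 3 already covers this
"""
RULES = parse_rules(RULESET)

if __name__ == "__main__":
    print(decide(RULES, Packet("tcp", "203.0.113.5", "192.0.2.10", 22)))
    print("shadowed rules:", shadowed(RULES))
```

Unlike the user ACL, these rules never name a subject: they are keyed on protocol, addresses and ports, which is what makes a rule-based policy more specific to the operation of the device than an ACL is.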
44. What should an effective ISSP accomplish?
ANSWER: It articulates the organization’s expectations about how its technology-based system should be used.
It documents how the technology-based system is controlled and identifies the processes and authorities that
provide this control.
It indemnifies the organization against liability for an employee’s inappropriate or illegal use of the system.
45. What is a SysSP and what is one likely to include?
ANSWER: SysSPs often function as standards or procedures to be used when configuring or maintaining systems—for
example, to configure and operate a network firewall. Such a document could include: a statement of
managerial intent; guidance to network engineers on selecting, configuring, and operating firewalls; and an
access control list that defines levels of access for each authorized user.
46. What are the four elements that an EISP document should include?
ANSWER: An overview of the corporate philosophy on security
Information on the structure of the InfoSec organization and individuals who fulfill the InfoSec role
Fully articulated responsibilities for security that are shared by all members of the organization (employees,
contractors, consultants, partners, and visitors)
Fully articulated responsibilities for security that are unique to each role within the organization
Match each statement below with the correct item.
a. capability table
b. statement of purpose
c. Bull’s eye model
d. SysSP
e. procedures
f. InfoSec policy
g. standard
h. access control lists
i. systems management
j. ISSP
47. Step-by-step instructions designed to assist employees in following policies, standards and guidelines.
ANSWER: e
48. A detailed statement of what must be done to comply with policy, sometimes viewed as the rules governing policy compliance.
ANSWER: g
49. When issues are addressed by moving from the general to the specific, always starting with policy.
ANSWER: c
50. An organizational policy that provides detailed, targeted guidance to instruct all members of the organization in the
use of a resource, such as one of its processes or technologies.
ANSWER: j
51. The high-level information security policy that sets the strategic direction, scope, and tone for all of an organization’s
security efforts
ANSWER: f
52. Specifications of authorization that govern the rights and privileges of users to a particular information asset.
ANSWER: h
53. A clear declaration that outlines the scope and applicability of a policy.
ANSWER: b
54. A section of policy that should specify users’ and systems administrators’ responsibilities.
ANSWER: i
55. Specifies which subjects and objects users or groups can access.
ANSWER: a
56. Organizational policies that often function as standards or procedures to be used when configuring or maintaining
systems.
ANSWER: d
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 

Recently uploaded (20)

Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 

Chapter 04 information_security_policy

Chapter 04 - Information Security Policy (Copyright Cengage Learning. Powered by Cognero.)

1. Policies must specify penalties for unacceptable behavior and define an appeals process.
a. True
b. False
ANSWER: True

2. One of the goals of an issue-specific security policy is to indemnify the organization against liability for an employee’s inappropriate or illegal use of the system.
a. True
b. False
ANSWER: True

3. The 'Authorized Uses' section of an ISSP specifies what the identified technology cannot be used for.
a. True
b. False
ANSWER: False

4. Rule-based policies are less specific to the operation of a system than access control lists.
a. True
b. False
ANSWER: False

5. Since most policies are drafted by a single person and then reviewed by a higher-level manager, employee input should not be considered since it makes the process too complex.
a. True
b. False
ANSWER: False

6. Technology is the essential foundation of an effective information security program. _____________
ANSWER: False - Policy

7. Information security policies are designed to provide structure in the workplace and explain the will of the organization’s management. ____________
ANSWER: True

8. Non-mandatory recommendations that the employee may use as a reference in complying with a policy are known as regulations. ____________
ANSWER: False - guidelines

9. Examples of actions that illustrate compliance with policies are known as laws.
ANSWER: False - practices

10. The need for effective policy management has led to the emergence of a class of hardware tools that supports policy development, implementation, and maintenance.
ANSWER: False - software

11. Which of the following is NOT one of the basic rules that must be followed when shaping a policy?
a. policy should never conflict with law
b. policy must be able to stand up in court if challenged
c. policy should be agreed upon by all employees and management
d. policy must be properly supported and administered
ANSWER: c

12. Which of the following is a policy implementation model that addresses issues by moving from the general to the specific and is a proven mechanism for prioritizing complex changes?
a. On-target model
b. Wood’s model
c. Bull’s-eye model
d. Bergeron and Berube model
ANSWER: c

13. Which of the following is NOT among the three types of InfoSec policies based on NIST’s Special Publication 800-14?
a. Enterprise information security policy
b. User-specific security policies
c. Issue-specific security policies
d. System-specific security policies
ANSWER: b

14. In addition to specifying the penalties for unacceptable behavior, what else must a policy specify?
a. appeals process
b. legal recourse
c. what must be done to comply
d. the proper operation of equipment
ANSWER: d

15. Which policy is the highest level of policy and is usually created first?
a. SysSP
b. USSP
c. ISSP
d. EISP
ANSWER: d

16. Which type of document is a more detailed statement of what must be done to comply with a policy?
a. procedure
b. standard
c. guideline
d. practice
ANSWER: b

17. Which of the following is an element of the enterprise information security policy?
a. access control lists
b. information on the structure of the InfoSec organization
c. articulation of the organization’s SDLC methodology
d. indemnification of the organization against liability
ANSWER: b

18. Which type of security policy is intended to provide a common understanding of the purposes for which an employee can and cannot use a resource?
a. issue-specific
b. enterprise information
c. system-specific
d. user-specific
ANSWER: a

19. Which section of an ISSP should outline a specific methodology for the review and modification of the ISSP?
a. Policy Review and Modification
b. Limitations of Liability
c. Systems Management
d. Statement of Purpose
ANSWER: a

20. Which of the following sections of the ISSP should provide instructions on how to report observed or suspected policy infractions?
a. Violations of Policy
b. Systems Management
c. Prohibited Usage of Equipment
d. Authorized Access and Usage of Equipment
ANSWER: a

21. Which of the following is a disadvantage of the individual policy approach to creating and managing ISSPs?
a. can suffer from poor policy dissemination, enforcement, and review
b. may skip vulnerabilities otherwise reported
c. may be more expensive than necessary
d. implementation can be less difficult to manage
ANSWER: a

22. Which of the following are the two general groups into which SysSPs can be separated?
a. technical specifications and managerial guidance
b. business guidance and network guidance
c. user specifications and managerial guidance
d. technical specifications and business guidance
ANSWER: a

23. What are the two general methods for implementing technical controls?
a. profile lists and configuration filters
b. firewall rules and access filters
c. user profiles and filters
d. access control lists and configuration rules
ANSWER: d

24. Which of the following is NOT an aspect of access regulated by ACLs?
a. what authorized users can access
b. where the system is located
c. how authorized users can access the system
d. when authorized users can access the system
ANSWER: b

25. Which of the following are instructional codes that guide the execution of the system when information is passing through it?
a. access control lists
b. user profiles
c. configuration rules
d. capability tables
ANSWER: c

26. A detailed outline of the scope of the policy development project is created during which phase of the SecSDLC?
a. design
b. analysis
c. implementation
d. investigation
ANSWER: d

27. In which phase of the SecSDLC must the team create a plan to distribute and verify the distribution of the policies?
a. design
b. implementation
c. investigation
d. analysis
ANSWER: a

28. A risk assessment is performed during which phase of the SecSDLC?
a. implementation
b. analysis
c. design
d. investigation
ANSWER: b

29. According to NIST SP 800-18, Rev. 1, which individual is responsible for the creation, revision, distribution, and storage of the policy?
a. policy developer
b. policy reviewer
c. policy enforcer
d. policy administrator
ANSWER: d

30. When an organization demonstrates that it is continuously attempting to meet the requirements of the market in which it operates, what is it ensuring?
a. policy administration
b. due diligence
c. adequate security measures
d. certification and accreditation
ANSWER: b

31. In the bull’s-eye model, the ____________________ layer is the place where threats from public networks meet the organization’s networking infrastructure.
ANSWER: Networks

32. The three types of information security policies include the enterprise information security policy, the issue-specific security policy, and the ____________________ security policy.
ANSWER: system-specific
system specific

33. The responsibilities of both the users and the systems administrators with regard to specific systems administration duties should be specified in the ____________________ section of the ISSP.
ANSWER: Systems Management

34. ____________________ include the user access lists, matrices, and capability tables that govern the rights and privileges of users.
ANSWER: Access control lists
ACLs

35. A(n) ____________________, which is usually presented on a screen to the user during software installation, spells out fair and responsible use of the software being installed.
ANSWER: end-user license agreement
end user license agreement
EULA

36. The champion and manager of the information security policy is called the ____________________.
ANSWER: policy administrator

37. List the significant guidelines used in the formulation of effective information security policy.
ANSWER: For policies to be effective, they must be properly:
1. Developed using industry-accepted practices
2. Distributed or disseminated using all appropriate methods
3. Reviewed or read by all employees
4. Understood by all employees
5. Formally agreed to by act or assertion
6. Uniformly applied and enforced

38. List the advantages and disadvantages of using a modular approach for creating and managing the ISSP.
ANSWER: The advantages of the modular ISSP policy are:
- Often considered an optimal balance between the individual ISSP and the comprehensive ISSP approaches
- Well controlled by centrally managed procedures, assuring complete topic coverage
- Clear assignment to a responsible department
- Written by those with superior subject matter expertise for technology-specific systems
The disadvantages of the modular ISSP policy are:
- May be more expensive than other alternatives
- Implementation can be difficult to manage

39. List the major components of the ISSP.
ANSWER:
- Statement of Purpose
- Authorized Uses
- Prohibited Uses
- Systems Management
- Violations of Policy
- Policy Review and Modification
- Limitations of Liability

40. How should a policy administrator facilitate policy reviews?
ANSWER: To facilitate policy reviews, the policy administrator should implement a mechanism by which individuals can easily make recommendations for revisions to the policies and other related documentation. Recommendation methods could include e-mail, office mail, or an anonymous drop box.

41. What is the final component of the design and implementation of effective policies? Describe this component.
ANSWER: The final component of the design and implementation of effective policies is uniform and impartial enforcement. As in law enforcement, policy enforcement must be able to withstand external scrutiny. Because this scrutiny may occur during legal proceedings—for example, in a civil suit contending wrongful termination—organizations must establish high standards of due care with regard to policy management.

42. In which phase of the development of an InfoSec policy must a plan to distribute the policies be developed? Why is this important?
ANSWER: During the design phase, the team must create a plan to distribute and verify the distribution of the policies. Members of the organization must explicitly acknowledge that they have received and read the policy. Otherwise, an employee can claim never to have seen a policy, and unless the manager can produce strong evidence to the contrary, any enforcement action, such as dismissal for inappropriate use of the Web, can be overturned and punitive damages might be awarded to the former employee.

43. What are configuration rules? Provide examples.
ANSWER: Configuration rules are instructional codes that guide the execution of the system when information is passing through it. Rule-based policies are more specific to the operation of a system than ACLs are, and they may or may not deal with users directly. Many security systems require specific configuration scripts that dictate which actions to perform on each set of information they process. Examples include firewalls, intrusion detection and prevention systems (IDPSs), and proxy servers.

44. What should an effective ISSP accomplish?
ANSWER: It articulates the organization’s expectations about how its technology-based system should be used. It documents how the technology-based system is controlled and identifies the processes and authorities that provide this control. It indemnifies the organization against liability for an employee’s inappropriate or illegal use of the system.

45. What is a SysSP and what is one likely to include?
ANSWER: SysSPs often function as standards or procedures to be used when configuring or maintaining systems—for example, to configure and operate a network firewall. Such a document could include: a statement of managerial intent; guidance to network engineers on selecting, configuring, and operating firewalls; and an access control list that defines levels of access for each authorized user.

46. What are the four elements that an EISP document should include?
ANSWER:
- An overview of the corporate philosophy on security
- Information on the structure of the InfoSec organization and individuals who fulfill the InfoSec role
- Fully articulated responsibilities for security that are shared by all members of the organization (employees, contractors, consultants, partners, and visitors)
- Fully articulated responsibilities for security that are unique to each role within the organization

Terms for questions 47–56:
a. capability table
b. statement of purpose
c. Bull’s eye model
d. SysSP
e. procedures
f. InfoSec policy
g. standard
h. access control lists
i. systems management
j. ISSP

47. Step-by-step instructions designed to assist employees in following policies, standards and guidelines.
ANSWER: e

48. A detailed statement of what must be done to comply with policy, sometimes viewed as the rules governing policy compliance.
ANSWER: g

49. When issues are addressed by moving from the general to the specific, always starting with policy.
ANSWER: c

50. An organizational policy that provides detailed, targeted guidance to instruct all members of the organization in the use of a resource, such as one of its processes or technologies.
ANSWER: j

51. The high-level information security policy that sets the strategic direction, scope, and tone for all of an organization’s security efforts.
ANSWER: f

52. Specifications of authorization that govern the rights and privileges of users to a particular information asset.
ANSWER: h

53. A clear declaration that outlines the scope and applicability of a policy.
ANSWER: b

54. A section of policy that should specify users’ and systems administrators’ responsibilities.
ANSWER: i

55. Specifies which subjects and objects that users or groups can access.
ANSWER: a

56. Organizational policies that often function as standards or procedures to be used when configuring or maintaining systems.
ANSWER: d