Chapter 2
What is a policy statement?
A high-level directive or strategic roadmap.
Which of the following best describes policy definitions?
A. A glossary of terms, abbreviations, and acronyms used in the document that the reader may be unfamiliar with
Which of the following terms best describes instructions and guidance on how to execute an initiative or how to respond to a situation, within a certain time frame, usually with defined stages and with designated resources?
A. Plan
B. Policy
C. Procedure
D. Package
A. Plan
When you're drafting a list of exceptions for a security policy, the language should _________________.
A. be as specific as possible
A policy should be considered _____.
A. mandatory
Which of the following terms is best to use when indicating a mandatory requirement?
A. must
B. shall
C. should not
D. may not
A. must
The name of the person/group (for example, executive committee) that authorized the policy should be included in ___________________.
A. the version control table or the policy statement
What is a policy exception?
Agreed waivers that are documented within the policy.
What is an exploit?
B. A malicious program or code designed to "exploit" or take advantage of a single vulnerability or set of vulnerabilities
Policies, standards, guidelines, and procedures should all be in the same document.
B. False
The policy hierarchy is the relationships between which of the following?
B. Guiding principles, standards, guidelines, and procedures
The name of the policy, policy number, and overview belong in which of the following sections?
B. Policy Heading
When writing a policy, standard, guideline, or procedure, you should use language that is ___________.
B. clear and concise
A company that uses the term "employees" to refer to workers who are on the company payroll should refer to them throughout their policies as _________.
B. employees
The _________ contains the rules that must be followed.
B. policy statement
What are baselines?
Baselines are the application of a standard to a specific category or grouping.
Simple Step, Hierarchical, Graphic, and Flowchart are examples of which of the following formats?
C. Procedure
Which of the following is not a characteristic of plain language?
C. Technical jargon
Which of the following statements is true regarding policy definitions?
A. They should be defined and maintained in a separate document.
B. The general rule is to include definitions for any topics except technical, legal, or regulatory language.
C. The general rule of policy definitions is to include definitions for any instance of industry-specific, technical, legal, or regulatory language.
D. They should be created before any policy or standards.
C. The general rule of policy definitions is to include definitions for any instance of industry-specific, technical, legal, or regulatory language.
Even the best-written policy will fail if which of the following is true?
A. The policy is too long.
B. The policy is mandated by the government.
C. The policy doesn't have the support of management.
D. All of the above.
C. The policy doesn't have the support of management.
Which of the following statements best describes the purpose of a standard?
C. To dictate mandatory requirements
Which of the following statements best describes the purpose of a baseline?
C. To ensure uniformity and consistency
Which of the following statements best describes a disadvantage to using the singular policy format?
C. You may end up with too many policies to maintain.
If supporting documentation would be of use to the reader, it should be __________________.
C. listed in either the Policy Heading or Administrative Notation section
The _________ contains the penalties that would apply if a portion of the security policy were to be ignored by an employee.
C. policy enforcement clause
The aim or intent of a policy is stated in the ________.
C. policy goals and objectives
Which of the following statements is true?
A. A security policy should include only one objective.
B. A security policy should not include any exceptions.
C. A security policy should not include a glossary.
D. A security policy should not list all step-by-step measures that need to be taken.
D. A security policy should not list all step-by-step measures that need to be taken.
Readers prefer "plain language" because it __________________.
A. helps them locate pertinent information
B. helps them understand the information
C. saves time
D. All of the above
D. All of the above
Version control is the management of changes to a document and should include which of the following elements?
A. Version or revision number
B. Date of authorization or date that the policy took effect
C. Change description
D. All of the above
D. All of the above
There may be situations where it is not possible to comply with a policy directive. Where should the exemption or waiver process be explained?
D. The policy exceptions
What component of a security policy does the following phrase belong to? "Wireless networks are allowed only if they are separate and distinct from the corporate network."
D. The policy statement
Which of the following statements best describes a disadvantage to using the consolidated policy format?
D. The potential size of the document.
Which of the following statements best describes the purpose of a guideline?
D. To help people conform to a standard
What are guidelines?
Guidelines are best thought of as teaching tools. The objective of a guideline is to help people conform to a standard.
Policies should be written using what kind of language?
Plain language.
What are procedures?
Procedures are instructions for how a policy, a standard, a baseline, and guidelines are carried out in a given situation. Procedures focus on actions or steps, with specific starting and ending points.
What are the four commonly used procedure formats?
Simple step, hierarchical, graphic, and flowchart.
What are standards?
Standards serve as specifications for the implementation of policy and dictate mandatory requirements. Standards should be compulsory and must be enforced to be effective.
What is the policy definitions section?
The Policy Definition section is a glossary of terms, abbreviations, and acronyms used in the document that the reader may be unfamiliar with.
What is a plan?
The function of a plan is to provide strategic and tactical instructions and guidance on how to execute an initiative or how to respond to a situation, within a certain time frame, usually with defined stages and with designated resources. Plans are sometimes referred to as programs. For our purposes, the terms are interchangeable.
What is a policy enforcement clause?
The policy enforcement clause is where the sanctions for non-adherence to the policy are unequivocally stated to reinforce the seriousness of compliance.
What is the purpose of administrative notations?
The purpose of administrative notations is to refer the reader to additional information and/or provide a reference to an internal resource. Notations include regulatory cross-references, the name of corresponding documents such as standards, guidelines, and programs, supporting documentation such as annual reports or job descriptions, and the policy author's name and contact information.
What is a policy hierarchy?
The relationship between standards, baselines, guidelines, and procedures.
Define plain language.
Using the simplest, most straightforward way to express an idea.