CSF 3003 - Information Security Policies


List 7 components of ISSP

1- Statement of Purpose 2- Authorized Access and Usage of Equipment 3- Prohibited Usage of Equipment 4- Systems management 5- Violations of policy 6- Policy review and modification 7- Limitations of liability

*Should produce key reference materials including any existing policies* A. Investigation B. Analysis C. Design D. Implementation E. Maintenance

Analysis

*Should produce new or recent risk assessment or IT audit documenting the current information security needs of the organization* A. Investigation B. Analysis C. Design D. Implementation E. Maintenance

Analysis

*All applications systems* A. Policies B. Networks C. Systems D. Applications

Applications

*Access control lists specifications are frequently ______ , rather than ______* A. Simple lists or tables, Complex matrices B. Complex matrices, Simple lists or tables

Complex matrices, Simple lists or tables

*______ are specific instructions entered into a security system to regulate how it reacts to the data it receives* A. Access control lists B. Configuration rules

Configuration rules

*______ may or may not deal with users directly* A. Access control lists B. Configuration rules

Configuration rules

*______ policies are more specific to system operation than ______.* A. Configuration rules, Access control lists B. Access control lists, Configuration rules

Configuration rules, Access control lists

*How the policies will be distributed* A. Investigation B. Analysis C. Design D. Implementation E. Maintenance

Design

*How verification of the distribution will be accomplished* A. Investigation B. Analysis C. Design D. Implementation E. Maintenance

Design

*Revisions to feasibility analysis reports based on improved costs and benefits as the design is clarified* A. Investigation B. Analysis C. Design D. Implementation E. Maintenance

Design

*Specifications for any automated tools* A. Investigation B. Analysis C. Design D. Implementation E. Maintenance

Design

*______ assigns responsibilities for various areas of information security* A. Enterprise Information Security Policy (EISP) B. Issue-Specific Security Policy (ISSP) C. Systems-Specific Security Policy (SysSP)

Enterprise Information Security Policy (EISP)

*______ guides development, implementation, and management requirements of information security program* A. Enterprise Information Security Policy (EISP) B. Issue-Specific Security Policy (ISSP) C. Systems-Specific Security Policy (SysSP)

Enterprise Information Security Policy (EISP)

*______ sets strategic direction, scope, and tone for organization's security efforts* A. Enterprise Information Security Policy (EISP) B. Issue-Specific Security Policy (ISSP) C. Systems-Specific Security Policy (SysSP)

Enterprise Information Security Policy (EISP)

*A similar method to access control lists that specifies which subjects and objects users or groups can access is called a ______* A. Ability table B. Capability table

Capability table

*When combining elements of both management guidance and technical specifications SysSPs, ______ should be taken to articulate the required actions carefully as the procedures are presented.* A. Care B. Carelessness

Care

List 2 general methods of implementing technical controls

1- Access control lists 2- Configuration rules

Every organization's ISSP should ______. List 3 recommendations.

1- Address specific technology-based systems 2- Require frequent updates 3- Contain an issue statement on the organization's position on an issue

It is often useful to view policy development as a two-part project. List the 2 parts.

1- Design and develop the policy (or redesign and rewrite an outdated policy). This is an exercise in project management. 2- Establish management processes to continue the policy within the organization. This requires adherence to good business practices.

For policies to be effective, they must be properly ______. List 6 conditions.

1- Developed using industry-accepted practices 2- Distributed or disseminated using all appropriate methods 3- Reviewed or read by all employees 4- Understood by all employees 5- Formally agreed to by act or assertion 6- Uniformly applied and enforced

What does the Prohibited Usage of Equipment section include?

1- Disruptive use or misuse 2- Criminal use 3- Offensive or harassing materials 4- Copyrighted, licensed or other intellectual property 5- Other restrictions

ISSP protects organization from inefficiency and ambiguity by ______. List 2 ways.

1- Documenting how the technology-based system is controlled 2- Identifying the processes and authorities that provide this control

List 6 ISSP topics.

1- Email and internet use 2- Prohibitions against hacking 3- Home use of company-owned computer equipment 4- Use of personal equipment on company networks 5- Use of telecommunications technologies 6- Use of photocopy equipment

There are 3 types of information security policy. List them.

1- Enterprise Information Security Policy (EISP) 2- Issue-Specific Security Policy (ISSP) 3- Systems-Specific Security Policy (SysSP)

List the 5 SecSDLC phases.

1- Investigation 2- Analysis 3- Design 4- Implementation 5- Maintenance

SysSPs can be separated into ______. List 3 elements.

1- Management guidance 2- Technical specifications 3- Combined in a single policy document

What does the Systems Management section include?

1- Management of stored materials 2- Employer monitoring 3- Virus protection 4- Physical security 5- Encryption

List 4 bulls-eye model layers

1- Policies 2- Networks 3- Systems 4- Applications

The success of an information resources protection program depends on the ______. List the 2 factors.

1- Policy generated 2- Attitude of management toward securing information on automated systems

List 3 basic rules for shaping a policy.

1- Policy should never conflict with law 2- Policy must be able to stand up in court if challenged 3- Policy must be properly supported and administered

What does the Violations of Policy section include?

1- Procedures for reporting violations 2- Penalties for violations

List 3 objectives of a policy

1- Reduce risk 2- Compliance with laws and regulations 3- Assurance of operational continuity, information integrity, and confidentiality

What does the Statement of Purpose for an ISSP include?

1- Scope and applicability 2- Definition of technology addressed 3- Responsibilities

List 3 common approaches to implementing ISSP.

1- Several independent ISSP documents 2- A single comprehensive ISSP document 3- A modular ISSP document that unifies policy creation and administration

List the 5 EISP components

1- Statement of purpose 2- Information technology security elements 3- Need for information technology security 4- Information security responsibilities and roles 5- Reference to other information technology standards and guidelines

Policies are important reference documents because ______. List 3 reasons.

1- They are used for internal audits 2- They are used for the resolution of legal disputes about management's due carefulness 3- They can act as a clear statement of management's intent

What does the Authorized Access and Usage of Equipment section include?

1- User access 2- Fair and responsible use 3- Protection of privacy

Policy development projects should be ______. List 3 requirements.

1- Well planned 2- Properly funded 3- Aggressively managed to ensure that it is completed on time and within budget

Access control lists regulate ______. List 6 regulations.

1- Who can use the system 2- What authorized users can access 3- When authorized users can access the system 4- Where authorized users can access the system from 5- How authorized users can access the system 6- Restricting what users can access, such as printers, files, communications, and applications

*For most corporate documents, a Flesch Reading Ease score of ______ is preferred.* A. 40 to 50 B. 50 to 60 C. 60 to 70 D. 70 to 80

60 to 70

*For most corporate documents, a Flesch-Kincaid Grade Level score of ______ is preferred.* A. 4.0 to 5.0 B. 5.0 to 6.0 C. 6.0 to 7.0 D. 7.0 to 8.0

7.0 to 8.0

*______ enable administrators to restrict access according to user, computer, time, duration, or even a particular file* A. Access control lists B. Configuration rules

Access control lists

*______ include the user access lists and capability tables that govern the rights and privileges* A. Access control lists B. Configuration rules

Access control lists

*______ set user privileges such as read, write, create, modify, delete, compare, copy.* A. Administrators B. Managers

Administrators

*An organization's information systems are the exclusive property of the organization, and users have no general rights to use them. Each technology and process is provided for business operations. Use for any other purpose constitutes misuse.* A. Statement of Purpose B. Authorized Access and Usage of Equipment C. Prohibited Usage of Equipment D. Systems management E. Violations of policy F. Policy review and modification G. Limitations of liability

Authorized Access and Usage of Equipment

*This section addresses who can use the technology governed by the policy and what it can be used for.* A. Statement of Purpose B. Authorized Access and Usage of Equipment C. Prohibited Usage of Equipment D. Systems management E. Violations of policy F. Policy review and modification G. Limitations of liability

Authorized Access and Usage of Equipment

*Lest you believe that the only reason to have policies is to ______, it is important to emphasize the preventative nature of policy* A. Avoid litigation B. Take responsibility

Avoid litigation

*For ______, the higher the score, the easier it is to understand the writing.* A. Flesch Reading Ease B. Flesch-Kincaid Grade Level

Flesch Reading Ease

*The ______ scale evaluates the writing on a scale of 1 to 100.* A. Flesch Reading Ease B. Flesch-Kincaid Grade Level

Flesch Reading Ease

*The ______ score evaluates writing on a U.S. grade-school level.* A. Flesch Reading Ease B. Flesch-Kincaid Grade Level

Flesch-Kincaid Grade Level

*Effective policy is written at a reasonable reading level, and attempts to minimize technical jargon and management terminology* A. Investigation B. Analysis C. Design D. Implementation E. Maintenance

Implementation

*Making certain the policies are enforceable as written* A. Investigation B. Analysis C. Design D. Implementation E. Maintenance

Implementation

*Policy distribution is not always straightforward* A. Investigation B. Analysis C. Design D. Implementation E. Maintenance

Implementation

*Writing the policies* A. Investigation B. Analysis C. Design D. Implementation E. Maintenance

Implementation

*Policies exist, first and foremost, to inform ______ of what is and is not acceptable behavior in the organization* A. Employees B. Lawyers

Inform employees

*Defines the organizational structure designed to support information security.* A. Statement of purpose B. Information technology security elements C. Need for information technology security D. Information security responsibilities and roles E. Reference to other information technology standards and guidelines

Information security responsibilities and roles

*Identifies categories of individuals with responsibility for information security (IT department, management, users) and their information security responsibilities, including maintenance of this document.* A. Statement of purpose B. Information technology security elements C. Need for information technology security D. Information security responsibilities and roles E. Reference to other information technology standards and guidelines

Information security responsibilities and roles

*Defines information security.* A. Statement of purpose B. Information technology security elements C. Need for information technology security D. Information security responsibilities and roles E. Reference to other information technology standards and guidelines

Information technology security elements

*Example: "Protecting the confidentiality, integrity, and availability of information while in processing, transmission, and storage through the use of policy, education and training, and technology."* A. Statement of purpose B. Information technology security elements C. Need for information technology security D. Information security responsibilities and roles E. Reference to other information technology standards and guidelines

Information technology security elements

*This section can also lay out security definitions or philosophies to clarify the policy.* A. Statement of purpose B. Information technology security elements C. Need for information technology security D. Information security responsibilities and roles E. Reference to other information technology standards and guidelines

Information technology security elements

*Acquire a capable project manager* A. Investigation B. Analysis C. Design D. Implementation E. Maintenance

Investigation

*Assign a project champion with sufficient stature and prestige* A. Investigation B. Analysis C. Design D. Implementation E. Maintenance

Investigation

*Clearly articulate the goals of the policy project* A. Investigation B. Analysis C. Design D. Implementation E. Maintenance

Investigation

*Develop a detailed outline of and sound estimates for project cost and scheduling* A. Investigation B. Analysis C. Design D. Implementation E. Maintenance

Investigation

*Gain participation of correct individuals affected by the recommended policies* A. Investigation B. Analysis C. Design D. Implementation E. Maintenance

Investigation

*Involve legal, human resources and end-users* A. Investigation B. Analysis C. Design D. Implementation E. Maintenance

Investigation

*Obtain support from senior management, and active involvement of IT management, specifically the CIO* A. Investigation B. Analysis C. Design D. Implementation E. Maintenance

Investigation

*______ begins with an introduction to the fundamental technological philosophy of the organization* A. Enterprise Information Security Policy (EISP) B. Issue-Specific Security Policy (ISSP) C. Systems-Specific Security Policy (SysSP)

Issue-Specific Security Policy (ISSP)

*______ covers the organization against liability for an employee's inappropriate or illegal system use* A. Enterprise Information Security Policy (EISP) B. Issue-Specific Security Policy (ISSP) C. Systems-Specific Security Policy (SysSP)

Issue-Specific Security Policy (ISSP)

*______ instructs the organization in the secure use of technology systems* A. Enterprise Information Security Policy (EISP) B. Issue-Specific Security Policy (ISSP) C. Systems-Specific Security Policy (SysSP)

Issue-Specific Security Policy (ISSP)

*______ provides detailed, targeted guidance.* A. Enterprise Information Security Policy (EISP) B. Issue-Specific Security Policy (ISSP) C. Systems-Specific Security Policy (SysSP)

Issue-Specific Security Policy (ISSP)

*They are created by management to guide the implementation and configuration of technology* A. Managerial Guidance SysSPs B. Technical Specifications SysSPs

Managerial Guidance SysSPs

*If an employee is caught conducting illegal activities with organizational equipment or assets, management does not want the organization held liable.* A. Statement of Purpose B. Authorized Access and Usage of Equipment C. Prohibited Usage of Equipment D. Systems management E. Violations of policy F. Policy review and modification G. Limitations of liability

Limitations of liability

*Statements of liability or disclaimers* A. Statement of Purpose B. Authorized Access and Usage of Equipment C. Prohibited Usage of Equipment D. Systems management E. Violations of policy F. Policy review and modification G. Limitations of liability

Limitations of liability

*The policy should state that the organization will not protect employees who violate a company policy or any law using company technologies, and that the company is not liable for such actions.* A. Statement of Purpose B. Authorized Access and Usage of Equipment C. Prohibited Usage of Equipment D. Systems management E. Violations of policy F. Policy review and modification G. Limitations of liability

Limitations of liability

*They inform technologists of management intent* A. Managerial Guidance SysSPs B. Technical Specifications SysSPs

Managerial Guidance SysSPs

*______ organizations create a single document combining elements of both management guidance and technical specifications SysSPs, which can be confusing, but practical.* A. Often B. Rarely

Often

*Maintain and modify the policy as needed to ensure that it remains effective as a tool to meet changing threats* A. Investigation B. Analysis C. Design D. Implementation E. Maintenance

Maintenance

*Periodic review should be built into the process* A. Investigation B. Analysis C. Design D. Implementation E. Maintenance

Maintenance

*The policy should have a built-in mechanism via which users can report problems with the policy, preferably anonymously* A. Investigation B. Analysis C. Design D. Implementation E. Maintenance

Maintenance

*They are applied to any technology that affects the confidentiality, integrity or availability of information* A. Managerial Guidance SysSPs B. Technical Specifications SysSPs

Managerial Guidance SysSPs

*Threats first meet the organization's network* A. Policies B. Networks C. Systems D. Applications

Networks

*The recommended approach to implementing an ISSP is the ______ policy.* A. Independent B. Comprehensive C. Modular

Modular

*______ policy provides a balance between issue orientation and policy management* A. Independent B. Comprehensive C. Modular

Modular

*Justifies importance of information security in the organization.* A. Statement of purpose B. Information technology security elements C. Need for information technology security D. Information security responsibilities and roles E. Reference to other information technology standards and guidelines

Need for information technology security

*Provides information on the importance of information security in the organization and the obligation (legal and ethical) to protect critical information about customers, employees, and markets.* A. Statement of purpose B. Information technology security elements C. Need for information technology security D. Information security responsibilities and roles E. Reference to other information technology standards and guidelines

Need for information technology security

*First layer of defense* A. Policies B. Networks C. Systems D. Applications

Policies

*______ are sanctioned by senior management.* A. Policies B. Standards C. Practices

Policies

*Which of the following statements is true?* A. Policies are the least expensive means of control and often the most difficult to implement. B. Policies are the most expensive means of control and often the easiest to implement.

Policies are the least expensive means of control and often the most difficult to implement.

*______ drive standards, ______ drive practices, procedures and guidelines.* A. Standards, Policies B. Policies, Standards

Policies, Standards

*A quality information security program begins and ends with ______.* A. Project manager B. Policy

Policy

*______ is a plan or course of action that influences decisions* A. Policy B. Standard C. Practice

Policy

*______ is the essential foundation of an effective information security program.* A. Security guards B. Policy

Policy

*______ sets the tone and emphasis on the importance of information security.* A. Policy maker B. Security maker

Policy maker

*Because a document is only useful if it is up to date, each policy should contain procedures and a timetable for periodic review.* A. Statement of Purpose B. Authorized Access and Usage of Equipment C. Prohibited Usage of Equipment D. Systems management E. Violations of policy F. Policy review and modification G. Limitations of liability

Policy review and modification

*Scheduled review of policy and procedures for modification* A. Statement of Purpose B. Authorized Access and Usage of Equipment C. Prohibited Usage of Equipment D. Systems management E. Violations of policy F. Policy review and modification G. Limitations of liability

Policy review and modification

*This section should specify a methodology for the review and modification of the policy, to ensure that users do not begin circumventing it as it grows obsolete.* A. Statement of Purpose B. Authorized Access and Usage of Equipment C. Prohibited Usage of Equipment D. Systems management E. Violations of policy F. Policy review and modification G. Limitations of liability

Policy review and modification

*Which of the following statements is true?* A. Policy seeks to improve employee productivity, and prevent potentially embarrassing situations B. Policy seeks to reduce employee productivity, and allow potentially embarrassing situations

Policy seeks to improve employee productivity, and prevent potentially embarrassing situations

*______, procedures, and guidelines explain how employees will comply with policy* A. Policies B. Standards C. Practices

Practices

*______, procedures, and guidelines include detailed steps required to meet the requirements of standards.* A. Policies B. Standards C. Practices

Practices

*Unless a particular use is clearly prohibited, the organization cannot penalize its employees for using it in that fashion.* A. Statement of Purpose B. Authorized Access and Usage of Equipment C. Prohibited Usage of Equipment D. Systems management E. Violations of policy F. Policy review and modification G. Limitations of liability

Prohibited Usage of Equipment

*Many security systems ______ specific configuration scripts telling the systems what actions to perform on each set of information they process* A. Require B. Do not require

Require

*Policies ______ constant modification and maintenance.* A. Require B. Do not require

Require

*It is important that all such responsibilities be designated to either the systems administrators or the users; otherwise, both parties may infer that the responsibility belongs to the other party.* A. Statement of Purpose B. Authorized Access and Usage of Equipment C. Prohibited Usage of Equipment D. Systems management E. Violations of policy F. Policy review and modification G. Limitations of liability

Systems management

*This section focuses on users' relationships to systems management.* A. Statement of Purpose B. Authorized Access and Usage of Equipment C. Prohibited Usage of Equipment D. Systems management E. Violations of policy F. Policy review and modification G. Limitations of liability

Systems management

*______ is a more detailed statement of what must be done to comply with policy* A. Policy B. Standard C. Practice

Standard

*______ are built on sound policy and carry the weight of policy.* A. Policies B. Standards C. Practices

Standards

*The policy should begin with a clear statement of purpose.* A. Statement of Purpose B. Authorized Access and Usage of Equipment C. Prohibited Usage of Equipment D. Systems management E. Violations of policy F. Policy review and modification G. Limitations of liability

Statement of Purpose

*Answers the question, "What is this policy for?".* A. Statement of purpose B. Information technology security elements C. Need for information technology security D. Information security responsibilities and roles E. Reference to other information technology standards and guidelines

Statement of purpose

*Lists other standards that influence and are influenced by this policy document, perhaps including relevant laws (federal and state) and other policies.* A. Statement of purpose B. Information technology security elements C. Need for information technology security D. Information security responsibilities and roles E. Reference to other information technology standards and guidelines

Reference to other information technology standards and guidelines

*______ frequently do not look like other types of policy* A. Enterprise Information Security Policy (EISP) B. Issue-Specific Security Policy (ISSP) C. Systems-Specific Security Policy (SysSP)

Systems-Specific Security Policy (SysSP)

*______ may function as standards or procedures to be used when configuring or maintaining systems* A. Enterprise Information Security Policy (EISP) B. Issue-Specific Security Policy (ISSP) C. Systems-Specific Security Policy (SysSP)

Systems-Specific Security Policy (SysSP)

*The policy development project can be guided by the ______ process.* A. SecSDLC B. Waterfall

SecSDLC

*Example: "This document will: Identify the elements of a good security policy, explain the need for information security, specify the various categories of information security, identify the information responsibilities and roles, identify appropriate levels of security through standards and guidelines. This document establishes an overarching security policy and direction for our company. Individual departments are expected to establish standards, guidelines, and operating procedures that adhere to and reference this policy while addressing their specific and individual needs."* A. Statement of purpose B. Information technology security elements C. Need for information technology security D. Information security responsibilities and roles E. Reference to other information technology standards and guidelines

Statement of purpose

*Provides a framework that helps the reader understand the intent of the document.* A. Statement of purpose B. Information technology security elements C. Need for information technology security D. Information security responsibilities and roles E. Reference to other information technology standards and guidelines

Statement of purpose

*Each type of equipment has its own type of policies* A. Managerial Guidance SysSPs B. Technical Specifications SysSPs

Technical Specifications SysSPs

*They are system administrators' directions on implementing managerial policy* A. Managerial Guidance SysSPs B. Technical Specifications SysSPs

Technical Specifications SysSPs

*Computers and manufacturing systems* A. Policies B. Networks C. Systems D. Applications

Systems

*Allowing anonymous submission is often the only way to convince users to report the unauthorized activities of other, more influential employees.* A. Statement of Purpose B. Authorized Access and Usage of Equipment C. Prohibited Usage of Equipment D. Systems management E. Violations of policy F. Policy review and modification G. Limitations of liability

Violations of policy

*This section specifies the penalties for each category of violation as well as instructions on how individuals in the organization can report observed or suspected violations.* A. Statement of Purpose B. Authorized Access and Usage of Equipment C. Prohibited Usage of Equipment D. Systems management E. Violations of policy F. Policy review and modification G. Limitations of liability

Violations of policy
