CSF 3003 - Information Security Policies
List 7 components of ISSP
1- Statement of Purpose 2- Authorized Access and Usage of Equipment 3- Prohibited Usage of Equipment 4- Systems management 5- Violations of policy 6- Policy review and modification 7- Limitations of liability
*Should produce key reference materials including any existing policies* A. Investigation B. Analysis C. Design D. Implementation E. Maintenance
Analysis
*Should produce new or recent risk assessment or IT audit documenting the current information security needs of the organization* A. Investigation B. Analysis C. Design D. Implementation E. Maintenance
Analysis
*All applications systems* A. Policies B. Networks C. Systems D. Applications
Applications
*Access control list specifications are frequently ______, rather than ______* A. Simple lists or tables, Complex matrices B. Complex matrices, Simple lists or tables
Complex matrices, Simple lists or tables
*______ are specific instructions entered into a security system to regulate how it reacts to the data it receives* A. Access control lists B. Configuration rules
Configuration rules
*______ may or may not deal with users directly* A. Access control lists B. Configuration rules
Configuration rules
*______ policies are more specific to system operation than ______.* A. Configuration rules, Access control lists B. Access control lists, Configuration rules
Configuration rules, Access control lists
*How the policies will be distributed* A. Investigation B. Analysis C. Design D. Implementation E. Maintenance
Design
*How verification of the distribution will be accomplished* A. Investigation B. Analysis C. Design D. Implementation E. Maintenance
Design
*Revisions to feasibility analysis reports based on improved costs and benefits as the design is clarified* A. Investigation B. Analysis C. Design D. Implementation E. Maintenance
Design
*Specifications for any automated tools* A. Investigation B. Analysis C. Design D. Implementation E. Maintenance
Design
*______ assigns responsibilities for various areas of information security* A. Enterprise Information Security Policy (EISP) B. Issue-Specific Security Policy (ISSP) C. Systems-Specific Security Policy (SysSP)
Enterprise Information Security Policy (EISP)
*______ guides development, implementation, and management requirements of information security program* A. Enterprise Information Security Policy (EISP) B. Issue-Specific Security Policy (ISSP) C. Systems-Specific Security Policy (SysSP)
Enterprise Information Security Policy (EISP)
*______ sets strategic direction, scope, and tone for organization's security efforts* A. Enterprise Information Security Policy (EISP) B. Issue-Specific Security Policy (ISSP) C. Systems-Specific Security Policy (SysSP)
Enterprise Information Security Policy (EISP)
*A similar method to access control lists that specifies which subjects and objects users or groups can access is called a ______* A. Ability table B. Capability table
Capability table
*When combining elements of both management guidance and technical specifications SysSPs, ______ should be taken to articulate the required actions carefully as the procedures are presented.* A. Care B. Carelessness
Care
List 2 general methods of implementing technical controls
1- Access control lists 2- Configuration rules
Every organization's ISSP should ______. List 3 recommendations.
1- Address specific technology-based systems 2- Require frequent updates 3- Contain an issue statement on the organization's position on an issue
It is often useful to view policy development as a two-part project. List the 2 parts.
1- Design and develop the policy (or redesign and rewrite an outdated policy). This is an exercise in project management. 2- Establish management processes to continue the policy within the organization. This requires adherence to good business practices.
For policies to be effective, they must be properly ______. List 6 conditions.
1- Developed using industry-accepted practices 2- Distributed or disseminated using all appropriate methods 3- Reviewed or read by all employees 4- Understood by all employees 5- Formally agreed to by act or assertion 6- Uniformly applied and enforced
What does the Prohibited Usage of Equipment section include?
1- Disruptive use or misuse 2- Criminal use 3- Offensive or harassing materials 4- Copyrighted, licensed or other intellectual property 5- Other restrictions
ISSP protects organization from inefficiency and ambiguity by ______. List 2 ways.
1- Documenting how the technology-based system is controlled 2- Identifying the processes and authorities that provide this control
List 6 ISSP topics.
1- Email and internet use 2- Prohibitions against hacking 3- Home use of company-owned computer equipment 4- Use of personal equipment on company networks 5- Use of telecommunications technologies 6- Use of photocopy equipment
There are 3 types of information security policy. List them.
1- Enterprise Information Security Policy (EISP) 2- Issue-Specific Security Policy (ISSP) 3- Systems-Specific Security Policy (SysSP)
List the 5 SecSDLC phases.
1- Investigation 2- Analysis 3- Design 4- Implementation 5- Maintenance
SysSPs can be separated into ______. List 3 elements.
1- Management guidance 2- Technical specifications 3- Combined in a single policy document
What does the Systems Management section include?
1- Management of stored materials 2- Employer monitoring 3- Virus protection 4- Physical security 5- Encryption
List the 4 bull's-eye model layers.
1- Policies 2- Networks 3- Systems 4- Applications
The success of an information resources protection program depends on the ______. List the 2 dependencies.
1- Policy generated 2- Attitude of management toward securing information on automated systems
List 3 basic rules for shaping a policy.
1- Policy should never conflict with law 2- Policy must be able to stand up in court if challenged 3- Policy must be properly supported and administered
What does the Violations of Policy section include?
1- Procedures for reporting violations 2- Penalties for violations
List 3 objectives of a policy
1- Reduce risk 2- Compliance with laws and regulations 3- Assurance of operational continuity, information integrity, and confidentiality
What does the Statement of Purpose for an ISSP include?
1- Scope and applicability 2- Definition of technology addressed 3- Responsibilities
List 3 common approaches to implementing ISSP.
1- Several independent ISSP documents 2- A single comprehensive ISSP document 3- A modular ISSP document that unifies policy creation and administration
List the 5 EISP components
1- Statement of purpose 2- Information technology security elements 3- Need for information technology security 4- Information security responsibilities and roles 5- Reference to other information technology standards and guidelines
Policies are important reference documents because ______. List 3 reasons.
1- They are used for internal audits 2- They are used for the resolution of legal disputes about management's due carefulness 3- They can act as a clear statement of management's intent
What does the Authorized Access and Usage of Equipment section include?
1- User access 2- Fair and responsible use 3- Protection of privacy
Policy development projects should be ______. List 3 requirements.
1- Well planned 2- Properly funded 3- Aggressively managed to ensure that it is completed on time and within budget
Access control lists regulate ______. List 6 regulations.
1- Who can use the system 2- What authorized users can access 3- When authorized users can access the system 4- Where authorized users can access the system from 5- How authorized users can access the system 6- Restricting what users can access, such as printers, files, communications, and applications
*For most corporate documents, a Flesch Reading Ease score of ______ is preferred.* A. 40 to 50 B. 50 to 60 C. 60 to 70 D. 70 to 80
60 to 70
*For most corporate documents, a Flesch-Kincaid Grade Level score of ______ is preferred.* A. 4.0 to 5.0 B. 5.0 to 6.0 C. 6.0 to 7.0 D. 7.0 to 8.0
7.0 to 8.0
*______ enable administrators to restrict access according to user, computer, time, duration, or even a particular file* A. Access control lists B. Configuration rules
Access control lists
*______ include the user access lists and capability tables that govern the rights and privileges* A. Access control lists B. Configuration rules
Access control lists
*______ set user privileges such as read, write, create, modify, delete, compare, copy.* A. Administrators B. Managers
Administrators
*An organization's information systems are the exclusive property of the organization, and users have no general rights of use. Each technology and process is provided for business operations. Use for any other purpose constitutes misuse.* A. Statement of Purpose B. Authorized Access and Usage of Equipment C. Prohibited Usage of Equipment D. Systems management E. Violations of policy F. Policy review and modification G. Limitations of liability
Authorized Access and Usage of Equipment
*This section addresses who can use the technology governed by the policy and what it can be used for.* A. Statement of Purpose B. Authorized Access and Usage of Equipment C. Prohibited Usage of Equipment D. Systems management E. Violations of policy F. Policy review and modification G. Limitations of liability
Authorized Access and Usage of Equipment
*Lest you believe that the only reason to have policies is to ______, it is important to emphasize the preventative nature of policy* A. Avoid litigation B. Take responsibility
Avoid litigation
*For ______, the higher the score, the easier it is to understand the writing.* A. Flesch Reading Ease B. Flesch-Kincaid Grade Level
Flesch Reading Ease
*The ______ scale evaluates the writing on a scale of 1 to 100.* A. Flesch Reading Ease B. Flesch-Kincaid Grade Level
Flesch Reading Ease
*The ______ score evaluates writing on a U.S. grade-school level.* A. Flesch Reading Ease B. Flesch-Kincaid Grade Level
Flesch-Kincaid Grade Level
*Effective policy is written at a reasonable reading level, and attempts to minimize technical jargon and management terminology* A. Investigation B. Analysis C. Design D. Implementation E. Maintenance
Implementation
*Making certain the policies are enforceable as written* A. Investigation B. Analysis C. Design D. Implementation E. Maintenance
Implementation
*Policy distribution is not always straightforward* A. Investigation B. Analysis C. Design D. Implementation E. Maintenance
Implementation
*Writing the policies* A. Investigation B. Analysis C. Design D. Implementation E. Maintenance
Implementation
*Policies exist, first and foremost, to inform ______ of what is and is not acceptable behavior in the organization* A. Employees B. Lawyers
Inform employees
*Defines the organizational structure designed to support information security.* A. Statement of purpose B. Information technology security elements C. Need for information technology security D. Information security responsibilities and roles E. Reference to other information technology standards and guidelines
Information security responsibilities and roles
*Identifies categories of individuals with responsibility for information security (IT department, management, users) and their information security responsibilities, including maintenance of this document.* A. Statement of purpose B. Information technology security elements C. Need for information technology security D. Information security responsibilities and roles E. Reference to other information technology standards and guidelines
Information security responsibilities and roles
*Defines information security.* A. Statement of purpose B. Information technology security elements C. Need for information technology security D. Information security responsibilities and roles E. Reference to other information technology standards and guidelines
Information technology security elements
*Example: "Protecting the confidentiality, integrity, and availability of information while in processing, transmission, and storage through the use of policy, education and training, and technology."* A. Statement of purpose B. Information technology security elements C. Need for information technology security D. Information security responsibilities and roles E. Reference to other information technology standards and guidelines
Information technology security elements
*This section can also lay out security definitions or philosophies to clarify the policy.* A. Statement of purpose B. Information technology security elements C. Need for information technology security D. Information security responsibilities and roles E. Reference to other information technology standards and guidelines
Information technology security elements
*Acquire a capable project manager* A. Investigation B. Analysis C. Design D. Implementation E. Maintenance
Investigation
*Assign a project champion with sufficient stature and prestige* A. Investigation B. Analysis C. Design D. Implementation E. Maintenance
Investigation
*Clearly articulate the goals of the policy project* A. Investigation B. Analysis C. Design D. Implementation E. Maintenance
Investigation
*Develop a detailed outline of and sound estimates for project cost and scheduling* A. Investigation B. Analysis C. Design D. Implementation E. Maintenance
Investigation
*Gain participation of correct individuals affected by the recommended policies* A. Investigation B. Analysis C. Design D. Implementation E. Maintenance
Investigation
*Involve legal, human resources and end-users* A. Investigation B. Analysis C. Design D. Implementation E. Maintenance
Investigation
*Obtain support from senior management, and active involvement of IT management, specifically the CIO* A. Investigation B. Analysis C. Design D. Implementation E. Maintenance
Investigation
*______ begins with introduction to fundamental technological philosophy of the organization* A. Enterprise Information Security Policy (EISP) B. Issue-Specific Security Policy (ISSP) C. Systems-Specific Security Policy (SysSP)
Issue-Specific Security Policy (ISSP)
*______ covers the organization against liability for an employee's inappropriate or illegal system use* A. Enterprise Information Security Policy (EISP) B. Issue-Specific Security Policy (ISSP) C. Systems-Specific Security Policy (SysSP)
Issue-Specific Security Policy (ISSP)
*______ instructs the organization in the secure use of a technology system* A. Enterprise Information Security Policy (EISP) B. Issue-Specific Security Policy (ISSP) C. Systems-Specific Security Policy (SysSP)
Issue-Specific Security Policy (ISSP)
*______ provides detailed, targeted guidance.* A. Enterprise Information Security Policy (EISP) B. Issue-Specific Security Policy (ISSP) C. Systems-Specific Security Policy (SysSP)
Issue-Specific Security Policy (ISSP)
*They are created by management to guide the implementation and configuration of technology* A. Managerial Guidance SysSPs B. Technical Specifications SysSPs
Managerial Guidance SysSPs
*If an employee is caught conducting illegal activities with organizational equipment or assets, management does not want the organization held liable.* A. Statement of Purpose B. Authorized Access and Usage of Equipment C. Prohibited Usage of Equipment D. Systems management E. Violations of policy F. Policy review and modification G. Limitations of liability
Limitations of liability
*Statements of liability or disclaimers* A. Statement of Purpose B. Authorized Access and Usage of Equipment C. Prohibited Usage of Equipment D. Systems management E. Violations of policy F. Policy review and modification G. Limitations of liability
Limitations of liability
*The policy should state that the organization will not protect employees who violate a company policy or any law using company technologies, and that the company is not liable for such actions.* A. Statement of Purpose B. Authorized Access and Usage of Equipment C. Prohibited Usage of Equipment D. Systems management E. Violations of policy F. Policy review and modification G. Limitations of liability
Limitations of liability
*They inform technologists of management intent* A. Managerial Guidance SysSPs B. Technical Specifications SysSPs
Managerial Guidance SysSPs
*______ organizations create a single document combining elements of both management guidance and technical specifications SysSPs, which can be confusing, but practical.* A. Often B. Rarely
Often
*Maintain and modify the policy as needed to ensure that it remains effective as a tool to meet changing threats* A. Investigation B. Analysis C. Design D. Implementation E. Maintenance
Maintenance
*Periodic review should be built in to the process* A. Investigation B. Analysis C. Design D. Implementation E. Maintenance
Maintenance
*The policy should have a built-in mechanism via which users can report problems with the policy, preferably anonymously* A. Investigation B. Analysis C. Design D. Implementation E. Maintenance
Maintenance
*They are applied to any technology that affects the confidentiality, integrity or availability of information* A. Managerial Guidance SysSPs B. Technical Specifications SysSPs
Managerial Guidance SysSPs
*Threats first meet the organization's network* A. Policies B. Networks C. Systems D. Applications
Networks
*The recommended approach to implementing an ISSP is the ______ policy.* A. Independent B. Comprehensive C. Modular
Modular
*______ policy provides a balance between issue orientation and policy management* A. Independent B. Comprehensive C. Modular
Modular
*Justifies importance of information security in the organization.* A. Statement of purpose B. Information technology security elements C. Need for information technology security D. Information security responsibilities and roles E. Reference to other information technology standards and guidelines
Need for information technology security
*Provides information on the importance of information security in the organization and the obligation (legal and ethical) to protect critical information about customers, employees, and markets.* A. Statement of purpose B. Information technology security elements C. Need for information technology security D. Information security responsibilities and roles E. Reference to other information technology standards and guidelines
Need for information technology security
*First layer of defense* A. Policies B. Networks C. Systems D. Applications
Policies
*______ are sanctioned by senior management.* A. Policies B. Standards C. Practices
Policies
*Which of the following statements is true?* A. Policies are the least expensive means of control and often the most difficult to implement. B. Policies are the most expensive means of control and often the easiest to implement.
Policies are the least expensive means of control and often the most difficult to implement.
*______ drive standards, ______ drive practices, procedures and guidelines.* A. Standards, Policies B. Policies, Standards
Policies, Standards
*A quality information security program begins and ends with ______.* A. Project manager B. Policy
Policy
*______ is a plan or course of action that influences decisions* A. Policy B. Standard C. Practice
Policy
*______ is the essential foundation of an effective information security program.* A. Security guards B. Policy
Policy
*______ sets the tone and emphasis on the importance of information security.* A. Policy maker B. Security maker
Policy maker
*Because a document is only useful if it is up to date, each policy should contain procedures and a timetable for periodic review.* A. Statement of Purpose B. Authorized Access and Usage of Equipment C. Prohibited Usage of Equipment D. Systems management E. Violations of policy F. Policy review and modification G. Limitations of liability
Policy review and modification
*Scheduled review of policy and procedures for modification* A. Statement of Purpose B. Authorized Access and Usage of Equipment C. Prohibited Usage of Equipment D. Systems management E. Violations of policy F. Policy review and modification G. Limitations of liability
Policy review and modification
*This section should specify a methodology for the review and modification of the policy, to ensure that users do not begin circumventing it as it grows obsolete.* A. Statement of Purpose B. Authorized Access and Usage of Equipment C. Prohibited Usage of Equipment D. Systems management E. Violations of policy F. Policy review and modification G. Limitations of liability
Policy review and modification
*Which of the following statements is true?* A. Policy seeks to improve employee productivity, and prevent potentially embarrassing situations B. Policy seeks to reduce employee productivity, and allow potentially embarrassing situations
Policy seeks to improve employee productivity, and prevent potentially embarrassing situations
*______, procedures, and guidelines explain how employees will comply with policy* A. Policies B. Standards C. Practices
Practices
*______, procedures, and guidelines include detailed steps required to meet the requirements of standards.* A. Policies B. Standards C. Practices
Practices
*Unless a particular use is clearly prohibited, the organization cannot penalize its employees for using it in that fashion.* A. Statement of Purpose B. Authorized Access and Usage of Equipment C. Prohibited Usage of Equipment D. Systems management E. Violations of policy F. Policy review and modification G. Limitations of liability
Prohibited Usage of Equipment
*Many security systems ______ specific configuration scripts telling the systems what actions to perform on each set of information they process* A. Require B. Do not require
Require
*Policies ______ constant modification and maintenance.* A. Require B. Do not require
Require
*It is important that all such responsibilities be designated to either the systems administrators or the users; otherwise, both parties may infer that the responsibility belongs to the other party.* A. Statement of Purpose B. Authorized Access and Usage of Equipment C. Prohibited Usage of Equipment D. Systems management E. Violations of policy F. Policy review and modification G. Limitations of liability
Systems management
*This section focuses on users' relationships to systems management.* A. Statement of Purpose B. Authorized Access and Usage of Equipment C. Prohibited Usage of Equipment D. Systems management E. Violations of policy F. Policy review and modification G. Limitations of liability
Systems management
*______ is a more detailed statement of what must be done to comply with policy* A. Policy B. Standard C. Practice
Standard
*______ are built on sound policy and carry the weight of policy.* A. Policies B. Standards C. Practices
Standards
*The policy should begin with a clear statement of purpose.* A. Statement of Purpose B. Authorized Access and Usage of Equipment C. Prohibited Usage of Equipment D. Systems management E. Violations of policy F. Policy review and modification G. Limitations of liability
Statement of Purpose
*Answers the question, "What is this policy for?".* A. Statement of purpose B. Information technology security elements C. Need for information technology security D. Information security responsibilities and roles E. Reference to other information technology standards and guidelines
Statement of purpose
*Lists other standards that influence and are influenced by this policy document, perhaps including relevant laws (federal and state) and other policies.* A. Statement of purpose B. Information technology security elements C. Need for information technology security D. Information security responsibilities and roles E. Reference to other information technology standards and guidelines
Reference to other information technology standards and guidelines
*______ frequently do not look like other types of policy* A. Enterprise Information Security Policy (EISP) B. Issue-Specific Security Policy (ISSP) C. Systems-Specific Security Policy (SysSP)
Systems-Specific Security Policy (SysSP)
*______ may function as standards or procedures to be used when configuring or maintaining systems* A. Enterprise Information Security Policy (EISP) B. Issue-Specific Security Policy (ISSP) C. Systems-Specific Security Policy (SysSP)
Systems-Specific Security Policy (SysSP)
*The policy development project can be guided by the ______ process.* A. SecSDLC B. Waterfall
SecSDLC
*Example: "This document will: Identify the elements of a good security policy, explain the need for information security, specify the various categories of information security, identify the information responsibilities and roles, identify appropriate levels of security through standards and guidelines. This document establishes an overarching security policy and direction for our company. Individual departments are expected to establish standards, guidelines, and operating procedures that adhere to and reference this policy while addressing their specific and individual needs."* A. Statement of purpose B. Information technology security elements C. Need for information technology security D. Information security responsibilities and roles E. Reference to other information technology standards and guidelines
Statement of purpose
*Provides a framework that helps the reader understand the intent of the document.* A. Statement of purpose B. Information technology security elements C. Need for information technology security D. Information security responsibilities and roles E. Reference to other information technology standards and guidelines
Statement of purpose
*Each type of equipment has its own type of policies* A. Managerial Guidance SysSPs B. Technical Specifications SysSPs
Technical Specifications SysSPs
*They are system administrators' directions on implementing managerial policy* A. Managerial Guidance SysSPs B. Technical Specifications SysSPs
Technical Specifications SysSPs
*Computers and manufacturing systems* A. Policies B. Networks C. Systems D. Applications
Systems
*Allowing anonymous submission is often the only way to convince users to report the unauthorized activities of other, more influential employees.* A. Statement of Purpose B. Authorized Access and Usage of Equipment C. Prohibited Usage of Equipment D. Systems management E. Violations of policy F. Policy review and modification G. Limitations of liability
Violations of policy
*This section specifies the penalties for each category of violation as well as instructions on how individuals in the organization can report observed or suspected violations.* A. Statement of Purpose B. Authorized Access and Usage of Equipment C. Prohibited Usage of Equipment D. Systems management E. Violations of policy F. Policy review and modification G. Limitations of liability
Violations of policy