REQ SEC CH 04
SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, provides best practices and security principles that can direct the security team in the development of a security ________. (p. 201) plan standard policy blueprint
blueprint
Standards may be published, scrutinized, and ratified by a group, as in formal or ________ standards. (p. 177-178) de formale de public de jure de facto
de jure
Redundancy can be implemented at a number of points throughout the security architecture, such as in ________. (p. 209) firewalls proxy servers access controls All of the above
All of the above
A(n) ________ plan is a plan for the organization's intended strategic efforts over the next several years. (p. 172-173) standard operational tactical strategic
Strategic
________ often function as standards or procedures to be used when configuring or maintaining systems. ESSPs EISPs (p. 182) ISSPs (p. 184) SysSPs (p. 187)
SysSPs (p. 187)
Good security programs begin and end with policy. (p. 177) True False
True
The policy administrator is responsible for the creation, revision, distribution, and storage of the policy. (p. 192) True False
True
To remain viable, security policies must have a responsible individual, a schedule of reviews, a method for making recommendations for reviews, and policy issuance and planned revision dates. (p. 192-193) True False
True
You can create a single, comprehensive ISSP document covering all information security issues. (p. 184) True False
True
Each policy should contain procedures and a timetable for periodic review. (p. 187) True False
True (p. 187, Policy Review and Modification)
The ________is the high-level information security policy that sets the strategic direction, scope, and tone for all of an organization's security efforts. SysSP (p. 187) EISP (p. 182) GSP ISSP (p. 184)
EISP (p. 182)
A policy should state that if employees violate a company policy or any law using company technologies, the company will protect them, and the company is liable for the employee's actions. (p. 187) True False
False (p. 187, Limits of Liability)
The ISSP (issue specific security policy) is a plan which sets out the requirements that must be met by the information security blueprint or framework. (p. 182) True False
False. The correct answer is Enterprise Information Security Policy (p. 182).
A managerial guidance SysSP (System Specific Security Policy) document is created by the IT experts in a company to guide management in the implementation and configuration of technology. (p. 188) True False
False. Created by managers, not IT experts.
ACLs (Access Control Lists) are more specific to the operation of a system than rule-based policies and they may or may not deal with users directly. (p. 190) True False
False. Rule-based policies are more specific than ACLs.
A standard is a written instruction provided by management that informs employees and others in the workplace about proper behavior. (p. 179) True False
False (policies)
The goals of information security governance include all but which of the following? (p. 176) Regulatory compliance by using information security knowledge and infrastructure to support minimum standards of due care Strategic alignment of information security with business strategy to support organizational objectives Risk management by executing appropriate measures to manage and mitigate threats to information resources Performance measurement by measuring, monitoring, and reporting information security governance metrics to ensure that organizational objectives are achieved
Regulatory compliance by using information security knowledge and infrastructure to support minimum standards of due care
When BS 7799 first came out, several countries, including the United States, Germany, and Japan, refused to adopt it, claiming that it had fundamental problems. Which of the following is NOT one of those problems? (p. 196-197) The standard lacked the measurement precision associated with a technical standard. It was not as complete as other frameworks. The standard was hurriedly prepared, given the tremendous impact its adoption could have on industry information security controls. The global information security community had already defined a justification for a code of practice, such as the one identified in ISO/IEC 17799.
The global information security community had already defined a justification for a code of practice, such as the one identified in ISO/IEC 17799. Had NOT defined a jurisdiction.
An information security ________ is a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls, including information security policies, security education, and training. (p. 194) plan framework model policy
framework
The spheres of security are the foundation of the security framework and illustrate how information is under attack from a variety of sources, with far fewer protection layers between the information and potential attackers on the __________ side of the organization. (p. 208-9) technology Internet people operational
people