Management of Information Security 3rd Edition Chapter 4
An organization may include a set of disclaimers in the ____ section of the ISSP.
Limitations of Liability
During the ____ phase of the SecSDLC, the information security policy is monitored, maintained, and modified as needed.
Maintenance
The ____ section of the ISSP should specify users' and systems administrators' responsibilities.
Systems Management
To be certain the employees understand the policy, the document must be written at a reasonable reading level with minimal ____.
Technical jargon and management terminology
The two groups of SysSPs are managerial guidance and ____.
Technical specifications
An automated policy management system is able to assess readers' understanding of the policy and electronically record reader acknowledgments.
True
In some systems, capability tables are known as user profiles.
True
In the modular approach to creating the ISSP, each of the modules is created and updated by the individuals who are responsible for a specific issue.
True
One of the goals of an issue-specific security policy (ISSP) is to indemnify the organization against liability for an employee's inappropriate or illegal use of the system.
True
Policies must note the existence of penalties for unacceptable behavior and define an appeals process.
True
SysSPs often function as standards or procedures to be used when configuring or maintaining systems.
True
The Flesch-Kincaid Grade Level score evaluates writing on a U.S. grade-school level.
True
To be effective, policy must be uniformly applied to all employees, including executives.
True
Unless a particular use is clearly prohibited, the organization cannot penalize employees for it.
True
Unless a policy actually reaches the end users, it cannot be enforced.
True
When a policy is created and distributed without software automation tools, it is often not clear which manager has approved it.
True
The steps outlined in a guideline must meet the requirements of the standards from which they were created.
True or False; unable to answer, but it is within Chapter 4. Sorry...
According to Confucius, "Tell me, and I forget; show me, and I remember; let me do and I ____."
Understand
Capability tables are also known as ____.
User policies or User profiles
Which of the following sections of the ISSP should provide instructions on how to report observed or suspected violations?
Violations of Policy
Technical controls alone are adequately equipped to ensure a secure IT environment.
False
The ISSP is not a binding agreement between the organization and its members.
False
The policy administrator must be technically oriented.
False
Today, most EULAs are presented on blow-by screens.
False
Users have the right to use an organization's information systems to browse the Web, even if this right is not specified in the ISSP.
False
During the ____ phase, the information security policy development team must provide for policy distribution.
Implementation
The information security policy is written during the ____ phase of the SecSDLC.
Implementation
Information security is defined in the ____ component of an EISP.
Information Technology Security Elements
The ____ component of an EISP defines the organizational structure designed to support information security within the organization.
Information Technology Security Responsibilities and Roles
For most corporate documents, a score of ____ is preferred on the Flesch Reading Ease scale.
60 to 70
For most corporate documents, a score of ____ is preferred as a Flesch-Kincaid Grade Level score.
7.0 to 8.0
A detailed outline of the scope of the policy development project is created during the ____ phase of the SecSDLC.
Investigation
Typically, the information security policy administrator is ____. a. the CEO; b. the COO; c. a mid-level staff member; d. the CIO
A mid-level staff member. (Unsure of answer)
Which of the following would not necessarily be a good reference or resource in writing good policy documents from scratch?
A public bookstore
A typical EULA screen may require the user to ____. a. click a button on the screen; b. type specific words; c. press a function key; d. All of these
All of these
A risk assessment is performed during the ____ phase of the SecSDLC.
Analysis
Policies must also specify the penalties for unacceptable behavior and define a(n) ____.
Appeals Process
The ISSP sections Authorized Access and Usage of Equipment and Prohibited Usage of Equipment may be combined into a section called ____.
Appropriate Use Policy
According to Charles Cresson Wood, "policies are important reference documents for internal ____ and for the resolution of legal disputes about management's due diligence; policy documents can act as a clear statement of management's intent."
Audits
The ____ section of an ISSP explains who can use the technology governed by the policy and for what purposes.
Authorized Access and Usage of Equipment
A(n) ____ security policy provides detailed, targeted guidance to instruct all members of the organization in the use of technology-based systems.
Issue-specific
Some policies incorporate a ____ indicating a specific date the policy will expire.
Sunset clause
A policy acknowledgment screen that does not require any unusual action on the part of the user to move past it is a ____.
Blow-by screen
The ____ model describes the layers at which marginal assessment of security controls can be performed and is a proven mechanism for prioritizing complex changes.
Bull's-eye
Access control lists can only be used to restrict access according to the user.
False
All rule-based policies must deal with users directly.
False
An ISSP will typically not cover the use of e-mail or the Internet.
False
An individual approach to creating the ISSPs is well controlled by centrally managed procedures assuring complete topic coverage.
False
If multiple audiences exist for information security policies, different documents must be created for each audience.
False
In the Flesch Reading Ease scales, the higher the score, the harder it is to understand the writing.
False
Information security policies do not require a champion.
False
Once policies are created, they should not be changed.
False
Policies should be published without a date of origin.
False
Rule-based policies are less specific to the operation of a system than access control lists.
False
SysSPs focus on the proper handling of issues in the organization, like the use of technologies.
False
Technical controls ____.
Can be implemented using access control lists or configuration rules.
A ____ specifies which subjects and objects users or groups can access.
Capability Table
Many organizations create a single document that combines elements of both the management guidance SysSP and the technical specifications SysSP, known as a(n) ____.
Combination SysSP
Configuration codes entered into security systems to guide the execution of the system when information is passing through it are called ____.
Configuration rules
During the ____ phase of the SecSDLC, the team must create a plan to distribute, and verify the distribution of, the policies.
Design
To ensure ____, an organization must demonstrate that it is continuously attempting to meet the requirements of the market in which it operates.
Due diligence
Which of the following is a type of information security policy that deals with the entirety of an organization's information security efforts?
Enterprise information security policy
A disadvantage of creating a modular ISSP document is that it ____.
May be more expensive than other alternatives.
A disadvantage of creating a single comprehensive ISSP document is that such a document ____.
May overgeneralize the issues and skip over vulnerabilities.
It is recommended that the ____ approach(es) to creating and managing ISSPs be used.
Modular
For instance, if policy mandates that all employees wear identification badges in a clearly visible location, and select members of management decide they are not required to follow this policy, any actions taken against other employees will ____.
Not withstand legal challenge.
The ____ layer is the outermost layer of the bull's-eye model, hence the first to be assessed for marginal improvement.
Policies
____ comprise a set of rules that dictates acceptable and unacceptable behavior within an organization.
Policies
Which of the following is NOT a guideline that may help in the formulation of information technology (IT) policy as well as information security policy?
Policies must be reviewed and approved by legal counsel before administration.
A standard is built from a ____.
Policy
The policy champion and manager is called the ____.
Policy administrator
A ____ is a more detailed statement identifying a measurement of behavior and specifying what must be done to comply with a policy.
Standard
The ISSP should begin with a ____.
Statement of Purpose
A disadvantage of creating a number of independent ISSP documents is that the results may ____.
Suffer from poor policy dissemination
A policy should be "signed into law" by a high-level manager before the collection and review of employee input.
True
A quality information security program begins and ends with policy.
True
Access control lists can be used to control access to file storage systems.
True