Management of Information Security Chapter 4
standard
A ____ is a more detailed statement that identifies a measurable behavior and specifies what must be done to comply with a policy.
capability table
A ____ specifies which subjects and objects users or groups can access.
policy
A standard is built from a ____.
click a button, press a function key, or type words to agree to the terms
A typical EULA screen may require the user to ____.
affirmation
For policies to be effective, they must be formally agreed to by act or ____.
may be more expensive than other alternatives
A disadvantage of creating a modular ISSP document is that it ____.
may overgeneralize the issues and skip over vulnerabilities
A disadvantage of creating a single comprehensive ISSP document is that such a document ____.
blow-by screen
A policy acknowledgment screen that does not require any unusual action on the part of the user to move past it is a ____.
True
During the implementation phase of the policy development SecSDLC, the development team creating the information security policy should make sure that the policy is written at a reasonable reading level.
issue-specific
In an organization, a(n) ____________________ security policy provides detailed, targeted guidance to instruct all the members in the use of technology-based systems.
standards
To execute a policy, an organization must implement a set of ____________________ that clarify and define the policy.
True
Unless a particular use is clearly prohibited, the organization cannot penalize employees for it.
True
Unless a policy actually reaches the end users, it cannot be enforced.
Policies
____ comprise a set of rules that dictate acceptable and unacceptable behavior within an organization.
Configuration rules
____________________ are the specific configuration codes entered into security systems to guide the execution of the system when information is passing through it.
Access control lists
____________________ include the user access lists, matrices, and capability tables that govern the rights and privileges of users.
policy
A quality information security program begins and ends with ____________________.
analysis
A risk assessment is performed during the ____ phase of the SecSDLC.
issue-specific
A(n) ____ security policy provides detailed, targeted guidance to instruct all members of the organization in the use of technology-based systems.
False
A(n) blow-by screen is an organizational tool to ensure that all the appropriate information security policy messages are presented to all the appropriate audiences.
True
A(n) capability table specifies which subjects and objects users or groups can access.
True
A(n) individual approach to creating the ISSPs can suffer from poor policy dissemination, enforcement, and review.
False
A(n) issue-specific security policy sets the strategic direction, scope, and tone for all of an organization's security efforts.
False
A(n) technical specifications SysSP document is created by management to guide the implementation and configuration of technology.
True
Access control lists can be used to control access to file storage systems.
True
Access control lists include user access lists, matrices, and capability tables.
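The relationship between the three items in the previous card, as an added worked example that is not part of the chapter or its test bank: an access control matrix holds every (subject, object, rights) entry; an access control list is one column of that matrix (one object, the subjects allowed on it) and a capability table is one row (one subject, the objects it may reach). The subjects, objects and rights are constructed sample data, and the helper names are the example's own.

```python
"""Access control matrix with its two derived views (ACL and capability table).

Added illustration, not code from the textbook chapter. The matrix, subject
names, object names and rights below are constructed sample data.
"""
from collections import defaultdict

# Constructed sample matrix: (subject, object) -> set of rights.
MATRIX = {
    ("alice", "payroll.db"): {"read", "write"},
    ("alice", "hr_policy.doc"): {"read"},
    ("bob", "payroll.db"): {"read"},
    ("bob", "build_server"): {"read", "write", "execute"},
    ("audit", "payroll.db"): {"read"},
    ("audit", "hr_policy.doc"): {"read"},
}


def acl(matrix, obj):
    """Object-centric view (a matrix column): which subjects hold which rights on obj."""
    return {s: sorted(r) for (s, o), r in matrix.items() if o == obj}


def capability_table(matrix, subject):
    """Subject-centric view (a matrix row): which objects subject may use and how."""
    return {o: sorted(r) for (s, o), r in matrix.items() if s == subject}


def is_allowed(matrix, subject, obj, right):
    """Default deny: any (subject, object, right) absent from the matrix is refused."""
    return right in matrix.get((subject, obj), set())


def acls_from_capabilities(cap_tables):
    """Rebuild every ACL from a full set of capability tables.

    Both views carry the same entries, so either can be reconstructed from the
    other; they differ only in which axis of the matrix is indexed first.
    """
    out = defaultdict(dict)
    for subject, caps in cap_tables.items():
        for obj, rights in caps.items():
            out[obj][subject] = sorted(rights)
    return dict(out)


if __name__ == "__main__":
    print("ACL for payroll.db:", acl(MATRIX, "payroll.db"))
    print("Capability table for bob:", capability_table(MATRIX, "bob"))
    print("bob may write payroll.db?", is_allowed(MATRIX, "bob", "payroll.db", "write"))
    caps = {s for (s, _) in MATRIX}
    rebuilt = acls_from_capabilities({s: capability_table(MATRIX, s) for s in caps})
    print("ACLs rebuilt from capability tables:", rebuilt)
```

The default-deny check in `is_allowed` is the practical point: a subject or object that never appears in the matrix gets no rights, which is the behavior a file system or firewall ACL should have for an unlisted principal.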
audits
According to Charles Cresson Wood, "policies are important reference documents for internal ____ and for the resolution of legal disputes about management's due diligence; policy documents can act as a clear statement of management's intent."
False
All rule-based policies must deal with users directly.
applications
All the application systems of an organization are part of the ____________________ layer in the bull's-eye model.
True
An automated policy management system is able to assess readers' understanding of the policy and electronically record reader acknowledgments.
user policies
Capability tables are also known as ____.
True
Configuration rules are configuration codes that guide the execution of a system when information is passing through it.
design
During the ____ phase of the SecSDLC, the team must create a plan to distribute, and verify the distribution of, the policies.
implementation
During the ____ phase, the information security policy development team must provide for policy distribution.
7.0 to 8.0
For most corporate documents, a score of ____ is preferred as a Flesch-Kincaid Grade Level score.
True
For policies to be effective, they must first be developed using generally-accepted practices.
True
Granularity is the level of specificity and detail with which administrators can control access to their systems.
anonymous
In order to avoid reprisal or retaliation against employees, reporting of violations of policy should be set up to be ____________________.
Information Technology Security Elements
Information security is defined in the ____ component of an EISP.
False
Information security policies do not require a champion.
modular
It is recommended that the ____ approach(es) to creating and managing ISSPs be used.
Statement of Purpose - addresses the scope and applicability of the ISSP; it also defines the technology addressed and the responsibilities. Authorized Uses -
List and briefly describe the major components of the ISSP.
False
Once policies are created, they should not be changed.
appeals process
Policies must also specify the penalties for unacceptable behavior and define a(n) ____.
False
Practices are built on sound policy and carry the weight of policy.
standards
Practices are created from ____.
False
Rule-based policies are less specific to the operation of a system than access control lists.
True
Some policies incorporate a(n) sunset clause indicating a specific date the policy will expire.
system-specific
The three types of information security policies include enterprise information security program policy, issue-specific security policies, and ____________________ security policies.
True
To ensure due diligence, an organization must demonstrate that it is continuously attempting to meet the requirements of the market in which it operates.