Management of Information Security Chapter 4


standard

A ____ is a more detailed statement identifying a measurement of behavior and specifies what must be done to comply with a policy.

capability table

A ____ specifies which subjects and objects users or groups can access.

policy

A standard is built from a ____.

click a button, press a function key, or type words to agree to the terms

A typical EULA screen may require the user to ____.

affirmation

For policies to be effective, they must be properly and formally agreed to by act or ____.

may be more expensive than other alternatives

A disadvantage of creating a modular ISSP document is that it ____.

may overgeneralize the issues and skip over vulnerabilities

A disadvantage of creating a single comprehensive ISSP document is that such a document ____.

blow-by screen

A policy acknowledgment screen that does not require any unusual action on the part of the user to move past it is a ____.

True

During the implementation phase of the policy development SecSDLC, the development team creating the information security policy should make sure that the policy is written at a reasonable reading level.

issue-specific

In an organization, a(n) ____________________ security policy provides detailed, targeted guidance to instruct all the members in the use of technology-based systems.

standards

To execute a policy, an organization must implement a set of ____________________ that clarify and define the policy.

True

Unless a particular use is clearly prohibited, the organization cannot penalize employees for it.

True

Unless a policy actually reaches the end users, it cannot be enforced.

Policies

____ comprise a set of rules that dictates acceptable and unacceptable behavior within an organization.

Configuration rules

____________________ are the specific configuration codes entered into security systems to guide the execution of the system when information is passing through it.

Access control lists

____________________ include the user access lists, matrices, and capability tables that govern the rights and privileges of users.

policy

A quality information security program begins and ends with ____________________.

analysis

A risk assessment is performed during the ____ phase of the SecSDLC.

issue-specific

A(n) ____ security policy provides detailed, targeted guidance to instruct all members of the organization in the use of technology-based systems.

False

A(n) blow-by screen is an organizational tool to ensure that all the appropriate information security policy messages are presented to all the appropriate audiences.

True

A(n) capability table specifies which subjects and objects users or groups can access.

True

A(n) individual approach to creating the ISSPs can suffer from poor policy dissemination, enforcement, and review.

False

A(n) issue-specific security policy sets the strategic direction, scope, and tone for all of an organization's security efforts.

False

A(n) technical specifications SysSP document is created by management to guide the implementation and configuration of technology.

True

Access control lists can be used to control access to file storage systems.

True

Access control lists include user access lists, matrices, and capability tables.

audits

According to Charles Cresson Wood, "policies are important reference documents for internal ____ and for the resolution of legal disputes about management's due diligence; policy documents can act as a clear statement of management's intent."

False

All rule-based policies must deal with users directly.

applications

All the application systems of an organization are part of the ____________________ layer in the bull's-eye model.

True

An automated policy management system is able to assess readers' understanding of the policy and electronically record reader acknowledgments.

user policies

Capability tables are also known as ____.

True

Configuration rules are configuration codes that guide the execution of a system when information is passing through it.

design

During the ____ phase of the SecSDLC, the team must create a plan to distribute, and verify the distribution of, the policies.

implementation

During the ____ phase, the information security policy development team must provide for policy distribution.

7.0 to 8.0

For most corporate documents, a score of ____ is preferred as a Flesch-Kincaid Grade Level score.

True

For policies to be effective, they must first be developed using generally accepted practices.

True

Granularity is the level of specificity and detail with which administrators can control access to their systems.

anonymous

In order to avoid reprisal or retaliation against employees, reporting of violations of policy should be set up to be ____________________.

Information Technology Security Elements

Information security is defined in the ____ component of an EISP.

False

Information security policies do not require a champion.

modular

It is recommended that the ____ approach(es) to creating and managing ISSPs be used.

Statement of Purpose - addresses the scope and applicability of the ISSP; it also defines the technology addressed and the responsibilities. Authorized Uses -

List and briefly describe the major components of the ISSP.

False

Once policies are created, they should not be changed.

appeals process

Policies must also specify the penalties for unacceptable behavior and define a(n) ____.

False

Practices are built on sound policy and carry the weight of policy.

standards

Practices are created from ____.

False

Rule-based policies are less specific to the operation of a system than access control lists.

True

Some policies incorporate a(n) sunset clause indicating a specific date the policy will expire.

system-specific

The three types of information security policies include enterprise information security program policy, issue-specific security policies, and ____________________ security policies.

True

To ensure due diligence, an organization must demonstrate that it is continuously attempting to meet the requirements of the market in which it operates.
