Management of Information Security 3rd Edition Chapter 4

An organization may include a set of disclaimers in the ____ section of the ISSP.

Limitations of Liability

During the ____ phase of the SecSDLC, the information security policy is monitored, maintained, and modified as needed.

Maintenance

The ____ section of the ISSP should specify users' and systems administrators' responsibilities.

Systems Management

To be certain the employees understand the policy, the document must be written at a reasonable reading level within minimal ____.

Technical jargon and management terminology

The two groups of SysSPs are managerial guidance and ____.

Technical specifications

An automated policy management system is able to assess readers' understanding of the policy and electronically record reader acknowledgments.

True

In some systems, capability tables are known as user profiles.

True

In the modular approach to creating the ISSP, each of the modules is created and updated by the individuals who are responsible for a specific issue.

True

One of the goals of an issue-specific security policy (ISSP) is to indemnify the organization against liability for an employee's inappropriate or illegal use of the system.

True

Policies must note the existence of penalties for unacceptable behavior and define an appeals process.

True

SysSPs often function as standards or procedures to be used when configuring or maintaining systems

True

The Flesch-Kincaid Grade Level score evaluates writing on a U.S. grade-school level.

True

To be effective, policy must be uniformly applied to all employees, including executives.

True

Unless a particular use is clearly prohibited, the organization cannot penalize employees for it.

True

Unless a policy actually reaches the end users, it cannot be enforced.

True

When a policy is created and distributed without software automation tools, it is often not clear which manager has approved it.

True

The steps outline in guideline must meet the requirements of the standards from which they were created

True or False, Unable to answer but within chapter 4. Sorry...

According to Confucius, "Tell me, and I forget; show me and, and I remember; let me do and I ____."

Understand

Capability tables are also known as ____ .

User policies or User profiles

Which of the following sections of the ISSP should provide instructions on how to report observed or suspected violations?

Violations of Policy

Technical controls alone are adequately equipped to ensure a secure IT environment.

False

The ISSP is not a binding agreement between the organization and its members.

False

The policy administrator must be technically oriented.

False

Today, most EULAs are presented on blow-by screens.

False

Users have the right to use an organization's information systems to browse the Web, even if this right is not specified in the ISSP.

False

During the ____ phase, the information security policy development team must provide for policy distribution.

Implementation

The information security policy is written during the ____ phase of the SecSDLC.

Implementation

Information security is defined in the ____ component of an EISP.

Information Technology Security Elements

The ____ component of an EISP defines the organizational structure designed to support information security within the organization.

Information Technology Security Responsibilities and Roles

For most corporate documents, a score of ____ is preferred on the Flesch Reading Ease scale.

60 to 70

For most corporate documents, a score of ____ is preferred as a Flesch-Kincaid Grade Level score.

7.0 to 8.0

A detailed outline of the scope of the policy development project is created during the ____ phase of the SecSDLC.

Investigation

Typically, the information security policy administrator is ____. a. the CEO b. the COO c. a mid-level staff member d. the CIO

A mid-level staff member. (Unsure of answer)

Which of the following would not necessarily be good reference or resource in writing good policy documents from scratch?

A public bookstore

A typical EULA screen may require the user to ____. a. click a button on the screen b. type specific words c. press a function key d. All of these

All of these

A risk assessment is performed during the ____ phase of the SecSDLC.

Analysis

Policies must also specify the penalties for unacceptable behavior and define a(n) ____.

Appeals Process

The ISSP sections Authorized Access and Usage of Equipment and Prohibited Usage of Equipment may be combined into a section called ____ .

Appropriate Use Policy

According to Charles Cresson Wood "policies are important reference documents for internal ____ and for the resolution of legal disputes about management's due diligence; policy documents can act as a clear statement of management's intent".

Audits

The ____ section of an ISSP explains who can use the technology governed by the policy and for what purposes.

Authorized Access and Usage of Equipment

A(n) ____ security policy provides detailed, targeted guidance to instruct all members of the organization in the use of technology-based systems.

Issue-specific

Some policies incorporate a ____ indicating a specific date the policy will expire.

Sunset clause

A policy acknowledgment screen that does not require any unusual action on the part of the user to move past it is a ____.

Blow-by screen

The ____ model describes the layers at which marginal assessment of security controls can be performed and is proven mechanism for prioritizing complex changes.

Bull's-eye

Access control lists can only be used to restrict access according to the user.

False

All rule-based policies must deal with user directly.

False

An ISSP will typically not cover the use of e-mail or the Internet.

False

An individual approach to creating the ISSPs is well controlled by centrally managed procedures assuring complete topic coverage.

False

If multiple audiences exists for information security policies, different documents must be created for each audience.

False

In the Flesch Reading Ease scales, the higher the score, the harder it is to understand the writing.

False

Information security policies do not require a champion

False

Once policies are created, they should not be changed

False

Policies should be published without a date of origin.

False

Rule-based policies are less specific to the operation of a system than access control lists

False

SysSPs focus on the proper handling of issues in the organization, like the use of technologies.

False

Technical controls ____.

Can be implemented using access control lists or configurations rules.

A ____ specifies which subjects and objects users or groups can access.

Capability Table

Many organizations create a single document that combines elements of both the management guidance SysSP and the technical specifications SysSP, know as a(n) ____.

Combination SysSP

Configuration codes entered into security systems to guide the execution of the system when information is passing through it are called ____.

Configuration rules

During the ____ phase of the SecSDLC, the team must create a plan to distribute, and verify the distribution of, the policies.

Design

To ensure ____, an organization must demonstrate that it is continuously attempting to meet the requirements of the market in which it operates.

Due diligence

Which of the following is a type of information security policy that deals with entirety of an organization's information security efforts?

Enterprise information security policy

A disadvantage of creating a modular ISSP document is that it ____.

May be more expensive than other alternatives.

A disadvantage of creating a single comprehensive ISSP document is that such a document ____ .

May overgeneralize the issues and skip over vulnerabilities.

It is recommended that the ____ approach(es) to creating and managing ISSPs be used.

Modular

For instance, if policy mandates that all employees wear identification badges in a clearly visible location, and select members of management decide they are not require to follow this policy, any actions taken against other employees will ____.

Not withstand legal challenge.

The ____ layer is the outermost layer of the bull's-eye model, hence the first to be assessed for marginal improvement.

Policies

____ comprise a set of rules that dictates acceptable and unacceptable behavior within a organization.

Policies

Which of the following is NOT a guideline that may help in the formulation of information technology (IT) policy as well as information security policy?

Policies must be reviewed and approved by legal council before administration.

A standard is built from a ____.

Policy

The policy champion and manager is called the ____.

Policy administrator

A ____ is more detailed statement identifying a measurement of behavior and specifies what must be done to comply with a policy.

Standard

The ISSP should begin with a ____ .

Statement of Purpose

A disadvantage of creating a number of independent ISSP documents is that the results may ____.

Suffer from poor policy dissemination

A policy should be "signed into law" by a high-level manager before the collection and review of employee input.

True

A quality information security program begins and ends with policy.

True

Access control lists can be used to control access to file storage systems

True