Chapter 4: Info Security
The ISSP is a plan which sets out the requirements that must be met by the information security blueprint or framework.
False
Good security programs begin and end with policy.
True
SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, provides best practices and security principles that can direct the security team in the development of a security ________.
blueprint
Standards may be published, scrutinized, and ratified by a group, as in formal or ________ standards.
de jure
The ________ is the high-level information security policy that sets the strategic direction, scope, and tone for all of an organization's security efforts.
enterprise information security policy (EISP)
A(n) ________ plan is a plan for the organization's intended strategic efforts over the next several years.
strategic
________ often function as standards or procedures to be used when configuring or maintaining systems.
SysSP
The policy administrator is responsible for the creation, revision, distribution, and storage of the policy.
True
To remain viable, security policies must have a responsible individual, a schedule of reviews, a method for making recommendations for reviews, and policy issuance and planned revision dates.
True
Each policy should contain procedures and a timetable for periodic review.
True
A managerial guidance SysSP document is created by the IT experts in a company to guide management in the implementation and configuration of technology.
False, created by management
A standard is a written instruction provided by management that informs employees and others in the workplace about proper behavior.
False, policy
A policy should state that if employees violate a company policy or any law using company technologies, the company will protect them, and the company is liable for the employee's actions.
False, the complete opposite
ACLs are more specific to the operation of a system than rule-based policies and they may or may not deal with users directly.
False, this is configuration rules policy
Redundancy can be implemented at a number of points throughout the security architecture, such as in ________.
Firewalls, proxy servers, and access controls, so that if one component fails there are others to back up the security of information.
An information security ________ is a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls, including information security policies, security education, and training.
Framework
The spheres of security are the foundation of the security framework and illustrate how information is under attack from a variety of sources, with far fewer protection layers between the information and potential attackers on the __________ side of the organization.
People
The goals of information security governance include all but which of the following?
Regulatory compliance by using information security knowledge and infrastructure to support minimum standards of due care
When BS 7799 first came out, several countries, including the United States, Germany, and Japan, refused to adopt it, claiming that it had fundamental problems. Which of the following is NOT one of those problems?
The global information security community had already defined a justification for a code of practice, such as the one identified in ISO/IEC 17799. (They had not defined the code yet.)
You can create a single, comprehensive ISSP document covering all information security issues.
True