Chapter 4


Policy

A manager's or other governing body's statement of intent regarding employee behavior with respect to the workplace

Standard

A detailed statement of what must be done to comply with policy, sometimes viewed as the rules governing policy compliance

What are the three general causes of unethical and illegal behavior?

Ignorance, accident, intent

The responsibilities of users and systems administrators with regard to systems administration duties should be specified in the __ section of the ISSP.

Systems Management

How should a policy administrator facilitate policy reviews?

To facilitate policy reviews, the policy administrator should implement a mechanism by which individuals can easily make recommendations for revisions to the policies and other related documentation. Recommendation methods could include e-mail, office mail, or an anonymous drop box.

Information security policies are designed to provide structure in the workplace and explain the will of the organization's management. T/F

True

One of the goals of an issue-specific security policy is to indemnify the organization against liability for an employee's inappropriate or illegal use of the system. T/F

True

Policies must specify penalties for unacceptable behavior and define an appeals process. T/F

True

The need for effective policy management has led to the emergence of a class of software tools that supports policy development, implementation, and decentralization. T/F

True

Policy must be able to stand up in __ if __.

court if challenged

Capability table

Specifies the subjects and objects that users or groups can access.

Policy should never conflict with __ .

Law

What is a SysSP and what is one likely to include?

SysSPs often function as standards or procedures to be used when configuring or maintaining systems—for example, to configure and operate a network firewall. Such a document could include: a statement of managerial intent; guidance to network engineers on selecting, configuring, and operating firewalls; and an access control list that defines levels of access for each authorized user.

What are the two general groups into which SysSPs can be separated?

Technical specifications and managerial guidance

What are the aspects of access regulated by ACLs?

Who, what, when, where, how authorized users can access the system

Writing a policy is not always as easy as it seems. However, the prudent __ always scours available resources for __________ that may be adapted to the organization.

security manager, examples

What are the four elements that an EISP document should include?

- An overview of the corporate philosophy on security
- Information on the structure of the InfoSec organization and individuals who fulfill the InfoSec role
- Fully articulated responsibilities for security that are shared by all members of the organization (employees, contractors, consultants, partners, and visitors)
- Fully articulated responsibilities for security that are unique to each role within the organization

List the major components of the ISSP.

- Statement of Purpose
- Authorized Uses
- Prohibited Uses
- Systems Management
- Violations of Policy
- Policy Review and Modification
- Limitations of Liability

Statement of purpose

A clear declaration that outlines the scope and applicability of a policy

Systems management

A section of policy that should specify users' and systems administrators' responsibilities.

__ include the user access lists, matrices, and capability tables that govern the rights and privileges of users.

ACLs

What are instructional codes that guide the execution of the system when information is passing through it?

Configuration rules

What are configuration rules? Provide examples

Configuration rules are instructional codes that guide the execution of the system when information is passing through it. Rule-based policies are more specific to the operation of a system than ACLs are, and they may or may not deal with users directly. Many security systems require specific configuration scripts that dictate which actions to perform on each set of information they process. Examples include firewalls, intrusion detection and prevention systems (IDPSs), and proxy servers.

Policy is only enforceable and legally defensible if it uses a process that assures repeatable results and conforms to proper __, __, and __.

Design, development, implementation

When an organization demonstrates that it is continuously attempting to meet the requirements of the market in which it operates, what is it ensuring?

Due diligence

In which phase of the development of an InfoSec policy must a plan to distribute the policies be developed? Why is this important?

During the implementation phase, the team must create a plan to distribute and verify the distribution of the policies. Members of the organization must explicitly acknowledge that they have received and read the policy. Otherwise, an employee can claim never to have seen a policy, and unless the manager can produce strong evidence to the contrary, any enforcement action, such as dismissal for inappropriate use of the Web, can be overturned and punitive damages might be awarded to the former employee.

Which policy is the highest level of policy and is usually created first?

EISP

Nonmandatory recommendations that the employee may use as a reference in complying with a policy are known as regulations. T/F

False

Technology is the essential foundation of an effective information security program. T/F

False

The "Authorized Uses" section of an ISSP specifies what the identified technology cannot be used for. T/F

False

List the significant guidelines used in the formulation of effective information security policy.

For policies to be effective, they must be properly:
1. Developed using industry-accepted practices
2. Distributed or disseminated using all appropriate methods
3. Reviewed or read by all employees
4. Understood by all employees
5. Formally agreed to by act or assertion
6. Uniformly applied and enforced

In which phase of the SDLC must the team create a plan to distribute and verify the distribution of the policies?

Implementation

Which section of an ISSP should outline a specific methodology for the review and modification of the ISSP?

Policy Review and Modification

According to NIST SP 800-18, Rev. 1, which individual is responsible for the creation, revision, distribution, and storage of the policy?

Policy administrator

Laws, policies, and their associated penalties only provide deterrence if which three conditions are present?

Probability of being apprehended, fear of penalty, probability of penalty being applied

To be certain that employees understand the policy, the document must be written at a reasonable __ , with minimal __ and management terminology.

Reading level, technical jargon

Access control lists

Specifications of authorization that govern the rights and privileges of users to a particular information asset.

Which type of document is a more detailed statement of what must be done to comply with a policy?

Standard

The final component of the design and implementation of effective policies is __.

Uniform and impartial enforcement

What section of the ISSP provides instructions on how to report observed or suspected policy infractions?

Violations of Policy

Bull's eye model

When issues are addressed by moving from the general to the specific, always starting with policy

Many organizations create a single document that combines elements of the __________ SysSP and the ___________ SysSP.

management guidance, technical specifications

A good information security program begins and ends with __ .

policy

Access control list user privileges include __, __, __, and __.

read, write, execute, delete

What should an effective ISSP accomplish?

- It articulates the organization's expectations about how its technology-based system should be used.
- It documents how the technology-based system is controlled and identifies the processes and authorities that provide this control.
- It indemnifies the organization against liability for an employee's inappropriate or illegal use of the system.

A detailed outline of the scope of the policy development project is created during which phase of the SDLC?

Investigation

Which phase of the SDLC should get support from senior management?

Investigation

Which phase of the SDLC should see clear articulation of goals?

Investigation

What are the two general approaches for controlling user authorization for the use of a technology?

Access control lists and capability tables

Why is policy so important?

Among other reasons, policy may be one of the very few controls or safeguards protecting certain information. Also, properly developed and implemented policies enable the information security program to function almost seamlessly within the workplace. Policy also serves to protect both the employee and the organization from inefficiency and ambiguity.

ISSP

An organizational policy that provides detailed, targeted guidance to instruct all members of the organization in the use of a resource, such as one of its processes or technologies.

A gathering of key reference materials is performed during which phase of the SDLC?

Analysis

A risk assessment is performed during which phase of the SDLC?

Analysis

What is a common element of the enterprise information security policy?

Articulation of the organization's SDLC methodology

Which type of security policy is intended to provide a common understanding of the purposes for which an employee can and cannot use a resource?

Issue-specific

What is a policy implementation model that addresses issues by moving from the general to the specific and is a proven mechanism for prioritizing complex changes?

Bull's-eye model

Practices

Examples of actions that illustrate compliance with policies

Access control lists regulate who, what, when, where, and why authorized users can access a system. T/F

False

Because most policies are drafted by a single person and then reviewed by a higher-level manager, employee input should not be considered because it makes the process too complex. T/F

False

Examples of actions that illustrate compliance with policies are known as laws. T/F

False

What is a disadvantage of the individual policy approach to creating and managing ISSPs?

Can suffer from poor policy dissemination, enforcement, and review

Policy __________ means the employee must agree to the policy.

Compliance

With policy, the most common distribution methods are __ and __.

Electronic, hard copy

A statement presented on screen to the user during software installation that spells out fair and responsible use of the software being installed.

End user license agreement (EULA)

What are the three types of InfoSec policies based on NIST's Special Publication 800-14?

Enterprise, issue-specific, system-specific security policies

The EISP must directly support the organization's __.

Mission statement

In the bull's-eye model, the __ layer is the place where threats from public networks meet the organization's networking infrastructure.

Networks

Guidelines

Non-mandatory recommendations the employee may use as a reference in complying with a policy

SysSP

Organizational policies that often function as standards or procedures to be used when configuring or maintaining systems.

Procedures

Step-by-step instructions designed to assist employees in following policies, standards, and guidelines.

List the advantages and disadvantages of using a modular approach for creating and managing the ISSP.

The advantages of the modular ISSP policy are:
- Often considered an optimal balance between the individual ISSP and the comprehensive ISSP approaches
- Well controlled by centrally managed procedures, assuring complete topic coverage
- Clear assignment to a responsible department
- Written by those with superior subject matter expertise for technology-specific systems

The disadvantages of the modular ISSP policy are:
- May be more expensive than other alternatives
- Implementation can be difficult to manage

Policy administrator

The champion and manager of the information security policy

What is the final component of the design and implementation of effective policies? Describe this component.

The final component of the design and implementation of effective policies is uniform and impartial enforcement. As in law enforcement, policy enforcement must be able to withstand external scrutiny. Because this scrutiny may occur during legal proceedings—for example, in a civil suit contending wrongful termination—organizations must establish high standards of due care with regard to policy management.

InfoSec policy

The high-level information security policy that sets the strategic direction, scope, and tone for all of an organization's security efforts.

In addition to specifying acceptable and unacceptable behavior, what else must a policy specify?

The penalties for violation of the policy

Policy must be properly __ and __.

supported, administered

The three types of information security policies include the enterprise information security policy, the issue-specific security policy, and the __ security policy.

system-specific
