Question 1

The steps outlined in guidelines must meet the requirements of the standards from which they were created.

Accepted Answer

The guidelines are created to ensure that the standards are met, therefore the steps outlined in guidelines must meet the requirements of the standards from which they were created.

Question 2

In the modular approach to creating the ISSP,each of the modules is created and updated by the individuals who are responsible for a specific issue.

Accepted Answer

In the modular approach, each module is created and updated by experts or individuals who are responsible for a specific issue. This decentralized approach allows for greater flexibility and efficiency in producing and updating the ISSP.

Question 3

Information security policies do not require a champion.

Accepted Answer

Information security policies do require a champion, typically someone in a leadership or management position who will champion the importance of the policies and ensure that they are implemented and followed throughout the organization.

Question 4

Rule-based policies are less specific to the operation of a system than access control lists.

Accepted Answer

This statement is actually the opposite of the truth. Rule-based policies are more specific in their application to a system than access control lists, which are usually broader and more general.

Question 5

Unless a policy actually reaches the end users,it cannot be enforced.

Accepted Answer

This statement is true because if the users are not aware of the policy and its requirements, they will not be able to comply with it. Therefore, it is essential to communicate the policy effectively to the end-users to ensure compliance and enforcement.

Question 6

SysSPs often function as standards or procedures to be used when configuring or maintaining systems.

Accepted Answer

SysSPs (System Security Plans) are documents that outline the security requirements and procedures to be followed when implementing and maintaining a system. They serve as a reference and guide for administrators and other personnel responsible for system configuration and maintenance.

Question 7

An automated policy management system is able to assess readers' understanding of the policy and electronically record reader acknowledgments.

Accepted Answer

An automated policy management system can assess readers' understanding of the policy and electronically record reader acknowledgments.

Question 8

A quality information security program begins and ends with policy.

Accepted Answer

Policies provide the framework for a company's security program by defining rules, responsibilities, and best practices for protecting information assets. Without policies, there is no clear direction for the security program to follow, which can lead to inconsistencies and vulnerabilities. Therefore, policies are an essential aspect of an effective information security program.

Question 9

Policies must note the existence of penalties for unacceptable behavior and define an appeals process.

Accepted Answer

Policies must not only describe acceptable behavior, but also specify consequences for unacceptable behavior, as well as outline an appeals process for individuals who feel that they have been treated unfairly.

Question 10

Once policies are created,they should not be changed.

Accepted Answer

Policies are not set in stone and should be regularly reviewed and updated as needed to adapt to changing circumstances or to improve outcomes.

Question 11

Today,most EULAs are presented on blow-by screens.

Accepted Answer

The answer of Today,most EULAs are presented on blow-by screens....

Question 12

In some systems,capability tables are known as user profiles.

Accepted Answer

The answer of In some systems,capability tables are known as...

Question 13

The ISSP is not a binding agreement between the organization and its members.

Accepted Answer

The answer of The ISSP is not a binding agreement...

Question 14

All rule-based policies must deal with users directly.

Accepted Answer

The answer of All rule-based policies must deal with users...

Question 15

Unless a particular use is clearly prohibited,the organization cannot penalize employees for it.

Accepted Answer

The answer of Unless a particular use is clearly prohibited,the...

Question 16

Users have the right to use an organization's information systems to browse the Web,even if this right is not specified in the ISSP.

Accepted Answer

The answer of Users have the right to use an...

Question 17

Access control lists can only be used to restrict access according to the user.

Accepted Answer

The answer of Access control lists can only be used...

Question 18

An individual approach to creating the ISSPs is well controlled by centrally managed procedures assuring complete topic coverage.

Accepted Answer

The answer of An individual approach to creating the ISSPs...

Question 19

One of the goals of an issue-specific security policy is to indemnify the organization against liability for an employee's inappropriate or illegal use of the system.

Accepted Answer

The answer of One of the goals of an issue-specific...

Question 20

In the Flesch Reading Ease scale,the higher the score,the harder it is to understand the writing.

Accepted Answer

The answer of In the Flesch Reading Ease scale,the higher...

Question 21

Access control lists can be used to control access to file storage systems.

Accepted Answer

The answer of Access control lists can be used to...

Question 22

To be effective,policy must be uniformly applied to all employees,including executives.

Accepted Answer

The answer of To be effective,policy must be uniformly applied...

Question 23

A(n)standard is a more detailed statement of what must be done to comply with a policy._________________________

Accepted Answer

The answer of A(n)standard is a more detailed statement of...

Question 24

The policy administrator must be technically oriented.

Accepted Answer

The answer of The policy administrator must be technically oriented....

Question 25

The Flesch-Kincaid Grade Level score evaluates writing on a U.S.grade-school level.

Accepted Answer

The answer of The Flesch-Kincaid Grade Level score evaluates writing...

Question 26

If multiple audiences exist for information security policies,different documents must be created for each audience.

Accepted Answer

The answer of If multiple audiences exist for information security...

Question 27

The Prohibited Usage of Equipment section of the ISSP specifies the penalties and repercussions of violating the usage and systems management policies._________________________

Accepted Answer

The answer of The Prohibited Usage of Equipment section of...

Question 28

A(n)individual approach to creating the ISSPs can suffer from poor policy dissemination,enforcement,and review._________________________

Accepted Answer

The answer of A(n)individual approach to creating the ISSPs can...

Question 29

A policy should be &#34;signed into law&#34; by a high-level manager before the collection and review of employee input.

Accepted Answer

The answer of A policy should be &#34;signed into law&#34;...

Question 30

A(n)issue-specific security policy sets the strategic direction,scope,and tone for all of an organization's security efforts._________________________

Accepted Answer

The answer of A(n)issue-specific security policy sets the strategic direction,scope,and...

Question 31

Access control lists include user access lists,matrices,and capability tables._________________________

Accepted Answer

The answer of Access control lists include user access lists,matrices,and...

Question 32

Policies should be published without a date of origin.

Accepted Answer

The answer of Policies should be published without a date...

Question 33

An ISSP will typically not cover the use of e-mail or the Internet.

Accepted Answer

The answer of An ISSP will typically not cover the...

Question 34

The two general methods of implementing technical controls are access control lists and configuration rules._________________________

Accepted Answer

The answer of The two general methods of implementing technical...

Question 35

A(n)enterprise information security policy is a type of information security policy that provides detailed,targeted guidance to instruct all members of the organization in the use of technology-based systems._________________________

Accepted Answer

The answer of A(n)enterprise information security policy is a type...

Question 36

If an organization wants to prohibit the criminal use of the organization's information systems,it should do so in the Systems Management section of the ISSP._________________________

Accepted Answer

The answer of If an organization wants to prohibit the...

Question 37

In the bull's-eye model,issues are addressed by moving from the general to the specific,always starting with policy.That is,the focus is on

\text {\underline{ specific } }

solutions instead of individual problems._________________________

Accepted Answer

The answer of In the bull's-eye model,issues are addressed by...

Question 38

SysSPs focus on the proper handling of issues in the organization,like the use of technologies.

Accepted Answer

The answer of SysSPs focus on the proper handling of...

Question 39

When a policy is created and distributed without software automation tools,it is often not clear which manager has approved it.

Accepted Answer

The answer of When a policy is created and distributed...

Question 40

A(n)technical specifications SysSP document is created by management to guide the implementation and configuration of technology._________________________

Accepted Answer

The answer of A(n)technical specifications SysSP document is created by...

Question 41

For policies to be effective,they must first be developed using generally-accepted practices._________________________

Accepted Answer

The answer of For policies to be effective,they must first...

Question 42

The EISP guides the development,implementation,and management requirements of the information security program._________________________

Accepted Answer

The answer of The EISP guides the development,implementation,and management requirements...

Question 43

To ensure due diligence an organization must demonstrate that it is continuously attempting to meet the requirements of the market in which it operates._________________________

Accepted Answer

The answer of To ensure due diligence an organization must...

Question 44

During the implementation phase of the policy development SecSDLC,the development team creating the information security policy should make sure that the policy is written at a reasonable reading level._________________________

Accepted Answer

The answer of During the implementation phase of the policy...

Question 45

A(n)capability table specifies which subjects and objects that users or groups can access._________________________

Accepted Answer

The answer of A(n)capability table specifies which subjects and objects...

Question 46

A(n)blow-by screen is an organizational tool to ensure that all the appropriate information security policy messages are presented to all the appropriate audiences._________________________

Accepted Answer

The answer of A(n)blow-by screen is an organizational tool to...

Question 47

The policy administrator must be identified on the policy document as the primary contact for providing additional information or suggesting revisions to the policy._________________________

Accepted Answer

The answer of The policy administrator must be identified on...

Question 48

The analysis phase of the SecSDLC in policy development should produce a new or recent risk assessment or IT audit documenting the current information security needs of the organization._________________________

Accepted Answer

The answer of The analysis phase of the SecSDLC in...

Question 49

The ____ layer is the outermost layer of the bull's-eye model,hence the first to be assessed for marginal improvement.&#10;A) Systems&#10;B) Networks&#10;C) Policies&#10;D) Applications

Accepted Answer

The answer of The ____ layer is the outermost layer...

Question 50

Practices are built on sound policy and carry the weight of policy._________________________

Accepted Answer

The answer of Practices are built on sound policy and...

Question 51

Configuration rules are configuration codes that guide the execution of a system when information is passing through it._________________________

Accepted Answer

The answer of Configuration rules are configuration codes that guide...

Question 52

Granularity is the level of specificity and detail with which administrators can control access to their systems._________________________

Accepted Answer

The answer of Granularity is the level of specificity and...

Question 53

Policies must also specify the penalties for unacceptable behavior and define a(n)____.&#10;A) appeals process&#10;B) legal recourse&#10;C) responsible managers&#10;D) requirements for revision

Accepted Answer

The answer of Policies must also specify the penalties for...

Question 54

According to Charles Cresson Wood &#34;policies are important reference documents for internal ____ and for the resolution of legal disputes about management's due diligence; policy documents can act as a clear statement of management's intent&#34;.&#10;A) assessment&#10;B) awareness&#10;C) policies&#10;D) audits

Accepted Answer

The answer of According to Charles Cresson Wood &#34;policies are...

Question 55

The ____ model describes the layers at which marginal assessment of security controls can be performed and is a proven mechanism for prioritizing complex changes.&#10;A) NSTISSC&#10;B) EISP&#10;C) bull's-eye&#10;D) policy

Accepted Answer

The answer of The ____ model describes the layers at...

Question 56

Some policies incorporate a(n)sunset clause indicating a specific date the policy will expire._________________________

Accepted Answer

The answer of Some policies incorporate a(n)sunset clause indicating a...

Question 57

Policy servers code organization-specific policies in a special machine-readable language that then can be accessed by operating systems,access control packages,and network management systems._________________________

Accepted Answer

The answer of Policy servers code organization-specific policies in a...

Question 58

An effective issue-specific security policy serves to demonstrate that the organization has made a good-faith effort to ensure that its facilities will not be used in an inappropriate manner._________________________

Accepted Answer

The answer of An effective issue-specific security policy serves to...

Question 59

It is during the design phase of the SecSDLC that the policy development team must provide for policy distribution._________________________

Accepted Answer

The answer of It is during the design phase of...

Question 60

Which of the following is NOT a guideline that may help in the formulation of information technology (IT)policy as well as information security policy?&#10;A) All policies must contribute to the success of the organization&#10;B) Policies must be reviewed and approved by legal council before administration&#10;C) Management must ensure the adequate sharing of responsibility for proper use of information systems&#10;D) End users of information systems should be involved in the steps of policy formulation

Accepted Answer

The answer of Which of the following is NOT a...

Question 61

A disadvantage of creating a modular ISSP document is that it ____.&#10;A) can suffer from poor policy enforcement&#10;B) may overgeneralize the issues&#10;C) can suffer from poor policy review&#10;D) may be more expensive than other alternatives

Accepted Answer

The answer of A disadvantage of creating a modular ISSP...

Question 62

Technical controls ____.&#10;A) must be implemented using access control list&#10;B) must be implemented using configuration rules&#10;C) must be implemented using user profiles&#10;D) can be implemented using access control lists or configuration rules

Accepted Answer

The answer of Technical controls ____.&#10;A) must be implemented using...

Question 63

A ____ is a more detailed statement identifying a measurement of behavior and specifies what must be done to comply with a policy.&#10;A) procedure&#10;B) standard&#10;C) guideline&#10;D) practice

Accepted Answer

The answer of A ____ is a more detailed statement...

Question 64

Which of the following is a type of information security policy that deals with the entirety of an organization's information security efforts?&#10;A) Issue-specific security policy&#10;B) System-specific security policy&#10;C) Company-wide security policy&#10;D) Enterprise information security policy

Accepted Answer

The answer of Which of the following is a type...

Deck 4: Information Security Policy