Deck 4: Information Security Policy

Technology is the essential foundation of an effective information security program​._____________

Examples of actions that illustrate compliance with policies are known as laws.

Since most policies are drafted by a single person and then reviewed by a higher-level manager,employee input should not be considered since it makes the process too complex.

Information securitypolicies are designed to provide structure in the workplace and explain the will of the organization'smanagement.____________

Non mandatory recommendations that the employee may use as a reference incomplying with a policy.are known as regulations.____________

Policies must specify penalties for unacceptable behavior and define an appeals process.

One of the goals of an issue-specific security policy is to indemnify the organization against liability for an employee's inappropriate or illegal use of the system.

Rule-based policies are less specific to the operation of a system than access control lists.

The 'Authorized Uses' section of an ISSP specifies what the identified technology cannot be used for.

The need for effective policy management has led to the emergence of a class of hardwaretools that supports policy development,implementation,and maintenance.

List the major components of the ISSP.

A(n)____________________,which is usually presented on a screen to the user during software installation,spells out fair and responsible use of the software being installed.

List the advantages and disadvantages of using a modular approach for creating and managing the ISSP.

In the bull's-eye model,the ____________________ layer is the place where threats from public networks meet the organization's networking infrastructure.

____________________ include the user access lists,matrices,and capability tables that govern the rights and privileges of users.

The champion and manager of the information security policy is called the ____________________.

How should a policy administrator facilitate policy reviews?

The responsibilities of both the users and the systems administrators with regard to specific systems administration duties should be specified in the ____________________ section of the ISSP.

The three types of information security policies include the enterprise information security policy,the issue-specific security policy,and the ____________________ security policy.

List the significant guidelines used in the formulation of effective information security policy.

What are the four elements that an EISP document should include?

a.capability table
b.statement of purpose
c.Bull's eye model
d.SysSP
e.procedures
f.InfoSec policy
g.standard
h.access control lists
i.systems management
j.ISSP
A section of policy that should specify users' and systems administrators' responsibilities.

a.capability table
b.statement of purpose
c.Bull's eye model
d.SysSP
e.procedures
f.InfoSec policy
g.standard
h.access control lists
i.systems management
j.ISSP
Step-by-step instructions designed to assist employees in following policies,standards and guidelines.

What are configuration rules?Provide examples.

a.capability table
b.statement of purpose
c.Bull's eye model
d.SysSP
e.procedures
f.InfoSec policy
g.standard
h.access control lists
i.systems management
j.ISSP
Specifications of authorization that govern the rights and privileges ofusers to a particular information asset.

What is a SysSP and what is one likely to include?

a.capability table
b.statement of purpose
c.Bull's eye model
d.SysSP
e.procedures
f.InfoSec policy
g.standard
h.access control lists
i.systems management
j.ISSP
A clear declaration thatoutlines the scope and applicability of a policy.

a.capability table
b.statement of purpose
c.Bull's eye model
d.SysSP
e.procedures
f.InfoSec policy
g.standard
h.access control lists
i.systems management
j.ISSP
Specifies which subjects and objects that users or groups can access.

a.capability table
b.statement of purpose
c.Bull's eye model
d.SysSP
e.procedures
f.InfoSec policy
g.standard
h.access control lists
i.systems management
j.ISSP
When issues are addressed by moving from the general to the specific,always starting with policy.

What should an effective ISSP accomplish?

a.capability table
b.statement of purpose
c.Bull's eye model
d.SysSP
e.procedures
f.InfoSec policy
g.standard
h.access control lists
i.systems management
j.ISSP
Organizational policies that often function asstandards or procedures to be used when configuring or maintaining systems. ​

a.capability table
b.statement of purpose
c.Bull's eye model
d.SysSP
e.procedures
f.InfoSec policy
g.standard
h.access control lists
i.systems management
j.ISSP
The high-level information security policy thatsets the strategic direction,scope,and tone for all of an organization's security efforts

a.capability table
b.statement of purpose
c.Bull's eye model
d.SysSP
e.procedures
f.InfoSec policy
g.standard
h.access control lists
i.systems management
j.ISSP
A detailed statement of what must be done to comply with policy,sometimes viewed?as the rules governing policy compliance.

a.capability table
b.statement of purpose
c.Bull's eye model
d.SysSP
e.procedures
f.InfoSec policy
g.standard
h.access control lists
i.systems management
j.ISSP
An organizational policy that provides detailed,targetedguidance to instruct all members of the organization in the use of a resource,such as one of itsprocesses or technologies.

In which phase of the development of an InfoSec policy must a plan to distribute the policies be developed?Why is this important?

What is the final component of the design and implementation of effective policies?Describe this component.