Topics

Explore all topics

Universities

uni logo
University of North Carolina at Chapel Hill
uni logo
University of Notre Dame
uni logo
Clemson University
Explore all Universities

Professors

Overall Quality
-/5
c c
Overall Quality
-/5
Billt Camp
Overall Quality
-/5
mathio g
Explore all Professors
Add Browser Extension
Start Free Trial
Need Help? Contact us
title
Textbook Solutions
Step-by-step solutions verified by experts
title
24/7 Homework Help
Complete assignments with the help of our community
title
Flashcards
Stimulate your visual memory & walk into test day with confidence
title
DocuAssist
Upload your study materials and we’ll help fill in the answers.
title
Campus Reps
Become a Campus Rep and earn up to 20% commission, plus weekly and monthly cash prizes.
title
My Courses
Add the courses you're enrolled in for tailored study material to meet your requirements
Explore all services
Add Browser Extension
Start Free Trial
Need Help? Contact us
back arrowfull exam logo
العربية
search
ai logoChat with AI
Servicesarrow
Textbook Solutions icon
Textbook Solutions
24/7 Homework Help icon
24/7 Homework Help
Flashcards icon
Flashcards
DocuAssist icon
DocuAssist
Campus Reps icon
Campus Reps
My Courses icon
My Courses
Mobile App icon
Mobile App
Explore All Services
Discoverarrow

Topics

Explore All Services

Universities

uni logo
University of North Carolina at Chapel Hill
uni logo
University of Notre Dame
uni logo
Clemson University
Explore all Universities

professors

/5
c c
/5
Billt Camp
/5
mathio g
Explore all Professors
Explore all topics
Discover more topics
HomeSchoolingAsk a question

Deck 4: Information Security Policy

Full screen (f)
exit full mode
Question
In addition to specifying the penalties for unacceptable behavior,what else must a policy specify?

A) appeals process
B) legal recourse
C) what must be done to comply
D) the proper operation of equipment
Use Space or
up arrow
down arrow
to flip the card.
Question
Technology is the essential foundation of an effective information security program​._____________
Question
Examples of actions that illustrate compliance with policies are known as laws.
Question
Which section of an ISSP should outline a specific methodology for the review and modification of the ISSP?

A) Policy Review and Modification
B) Limitations of Liability
C) Systems Management
D) Statement of Purpose
Question
Which type of document is a more detailed statement of what must be done to comply with a policy?

A) procedure
B) standard
C) guideline
D) practice
Question
Since most policies are drafted by a single person and then reviewed by a higher-level manager,employee input should not be considered since it makes the process too complex.
Question
Information securitypolicies are designed to provide structure in the workplace and explain the will of the organization'smanagement.____________
Question
Non mandatory recommendations that the employee may use as a reference incomplying with a policy.are known as regulations.____________
Question
Which type of security policy is intended to provide a common understanding of the purposes for which an employee can and cannot use a resource?

A) issue-specific
B) enterprise information
C) system-specific
D) user-specific
Question
Policies must specify penalties for unacceptable behavior and define an appeals process.
Question
Which of the following is NOT one of the basic rules that must be followed when shaping a policy?

A) policy should never conflict with law
B) policy must be able to stand up in court if challenged
C) policy should be agreed upon by all employees and management
D) policy must be properly supported and administered
Question
Which policy is the highest level of policy and is usually created first?

A) SysSP
B) USSP
C) ISSP
D) EISP
Question
One of the goals of an issue-specific security policy is to indemnify the organization against liability for an employee's inappropriate or illegal use of the system.
Question
Rule-based policies are less specific to the operation of a system than access control lists.
Question
The 'Authorized Uses' section of an ISSP specifies what the identified technology cannot be used for.
Question
The need for effective policy management has led to the emergence of a class of hardwaretools that supports policy development,implementation,and maintenance.
Question
Which of the following is an element of the enterprise information security policy?

A) access control lists
B) information on the structure of the InfoSec organization
C) articulation of the organization's SDLC methodology
D) indemnification of the organization against liability
Question
Which of the following is a policy implementation model that addresses issues by moving from the general to the specific and is a proven mechanism for prioritizing complex changes?

A) On-target model
B) Wood's model
C) Bull's-eye model
D) Bergeron and Berube model
Question
Which of the following is NOT among the three types of InfoSec policies based on NIST's Special Publication 800-14?

A) Enterprise information security policy
B) User-specific security policies
C) Issue-specific security policies
D) System-specific security policies
Question
Which of the following sections of the ISSP should provide instructions on how to report observed or suspected policy infractions?

A) Violations of Policy
B) Systems Management
C) Prohibited Usage of Equipment
D) Authorized Access and Usage of Equipment
Question
List the major components of the ISSP.
Question
A(n)____________________,which is usually presented on a screen to the user during software installation,spells out fair and responsible use of the software being installed.
Question
Which of the following is a disadvantage of the individual policy approach to creating and managing ISSPs?

A) can suffer from poor policy dissemintation, enforcement, and review
B) may skip vulnerabilities otherwise reported
C) may be more expensive than necessary
D) implementation can be less difficult to manage
Question
Which of the following are the two general groups into which SysSPs can be separated?

A) technical specifications and managerial guidance
B) business guidance and network guidance
C) user specifications and managerial guidance
D) technical specifications and business guidance
Question
Which of the following are instructional codes that guide the execution of the system when information is passing through it?

A) access control lists
B) user profiles
C) configuration rules
D) capability tables
Question
List the advantages and disadvantages of using a modular approach for creating and managing the ISSP.
Question
In the bull's-eye model,the ____________________ layer is the place where threats from public networks meet the organization's networking infrastructure.
Question
In which phase of the SecSDLC must the team create a plan to distribute and verify the distribution of the policies?

A) design
B) implementation
C) investigation
D) analysis
Question
____________________ include the user access lists,matrices,and capability tables that govern the rights and privileges of users.
Question
The champion and manager of the information security policy is called the ____________________.
Question
A detailed outline of the scope of the policy development project is created during which phase of the SecSDLC?

A) design
B) analysis
C) implementation
D) investigation
Question
How should a policy administrator facilitate policy reviews?
Question
According to NIST SP 800-18,Rev.1,whichindividual is responsible for the creation,revision,distribution,and storage of the policy?

A) policy developer
B) policy reviewer
C) policy enforcer
D) policy administrator
Question
A risk assessment is performed during which phase of the SecSDLC?

A) implementation
B) analysis
C) design
D) investigation
Question
The responsibilities of both the users and the systems administrators with regard to specific systems administration duties should be specified in the ____________________ section of the ISSP.
Question
The three types of information security policies include the enterprise information security policy,the issue-specific security policy,and the ____________________ security policy.
Question
What are the two general methods for implementing technical controls?

A) profile lists and configuration filters
B) firewall rules and access filters
C) user profiles and filters
D) access control lists and configuration rules
Question
List the significant guidelines used in the formulation of effective information security policy.
Question
Which of the following is NOT an aspect of access regulated by ACLs?

A) what authorized users can access
B) where the system is located
C) how authorized users can access the system
D) when authorized users can access the system
Question
When an organization demonstrates that it is continuously attempting to meet the requirements of the market in which it operates,what is it ensuring?

A) policy administration
B) due diligence
C) adequate security measures
D) certification and accreditation
Question
What are the four elements that an EISP document should include?
Question
a.capability table
b.statement of purpose
c.Bull's eye model
d.SysSP
e.procedures
f.InfoSec policy
g.standard
h.access control lists
i.systems management
j.ISSP
A section of policy that should specify users' and systems administrators' responsibilities.
Question
a.capability table
b.statement of purpose
c.Bull's eye model
d.SysSP
e.procedures
f.InfoSec policy
g.standard
h.access control lists
i.systems management
j.ISSP
Step-by-step instructions designed to assist employees in following policies,standards and guidelines.
Question
What are configuration rules?Provide examples.
Question
a.capability table
b.statement of purpose
c.Bull's eye model
d.SysSP
e.procedures
f.InfoSec policy
g.standard
h.access control lists
i.systems management
j.ISSP
Specifications of authorization that govern the rights and privileges ofusers to a particular information asset.
Question
What is a SysSP and what is one likely to include?
Question
a.capability table
b.statement of purpose
c.Bull's eye model
d.SysSP
e.procedures
f.InfoSec policy
g.standard
h.access control lists
i.systems management
j.ISSP
A clear declaration thatoutlines the scope and applicability of a policy.
Question
a.capability table
b.statement of purpose
c.Bull's eye model
d.SysSP
e.procedures
f.InfoSec policy
g.standard
h.access control lists
i.systems management
j.ISSP
Specifies which subjects and objects that users or groups can access.
Question
a.capability table
b.statement of purpose
c.Bull's eye model
d.SysSP
e.procedures
f.InfoSec policy
g.standard
h.access control lists
i.systems management
j.ISSP
When issues are addressed by moving from the general to the specific,always starting with policy.
Question
What should an effective ISSP accomplish?
Question
a.capability table
b.statement of purpose
c.Bull's eye model
d.SysSP
e.procedures
f.InfoSec policy
g.standard
h.access control lists
i.systems management
j.ISSP
Organizational policies that often function asstandards or procedures to be used when configuring or maintaining systems. ​
Question
a.capability table
b.statement of purpose
c.Bull's eye model
d.SysSP
e.procedures
f.InfoSec policy
g.standard
h.access control lists
i.systems management
j.ISSP
The high-level information security policy thatsets the strategic direction,scope,and tone for all of an organization's security efforts
Question
a.capability table
b.statement of purpose
c.Bull's eye model
d.SysSP
e.procedures
f.InfoSec policy
g.standard
h.access control lists
i.systems management
j.ISSP
A detailed statement of what must be done to comply with policy,sometimes viewed?as the rules governing policy compliance.
Question
a.capability table
b.statement of purpose
c.Bull's eye model
d.SysSP
e.procedures
f.InfoSec policy
g.standard
h.access control lists
i.systems management
j.ISSP
An organizational policy that provides detailed,targetedguidance to instruct all members of the organization in the use of a resource,such as one of itsprocesses or technologies.
Question
In which phase of the development of an InfoSec policy must a plan to distribute the policies be developed?Why is this important?
Question
What is the final component of the design and implementation of effective policies?Describe this component.
Unlock Deck
Sign up to unlock the cards in this deck!
Unlock Deck
Unlock Deck
1/56
auto play flashcards
Play
simple tutorial
Full screen (f)
exit full mode
Deck 4: Information Security Policy
1
In addition to specifying the penalties for unacceptable behavior,what else must a policy specify?

A) appeals process
B) legal recourse
C) what must be done to comply
D) the proper operation of equipment
D
2
Technology is the essential foundation of an effective information security program​._____________
False - Policy
3
Examples of actions that illustrate compliance with policies are known as laws.
False - practices
4
Which section of an ISSP should outline a specific methodology for the review and modification of the ISSP?

A) Policy Review and Modification
B) Limitations of Liability
C) Systems Management
D) Statement of Purpose
Unlock Deck
Unlock for access to all 56 flashcards in this deck.
Unlock Deck
k this deck
5
Which type of document is a more detailed statement of what must be done to comply with a policy?

A) procedure
B) standard
C) guideline
D) practice
Unlock Deck
Unlock for access to all 56 flashcards in this deck.
Unlock Deck
k this deck
6
Since most policies are drafted by a single person and then reviewed by a higher-level manager,employee input should not be considered since it makes the process too complex.
Unlock Deck
Unlock for access to all 56 flashcards in this deck.
Unlock Deck
k this deck
7
Information securitypolicies are designed to provide structure in the workplace and explain the will of the organization'smanagement.____________
Unlock Deck
Unlock for access to all 56 flashcards in this deck.
Unlock Deck
k this deck
8
Non mandatory recommendations that the employee may use as a reference incomplying with a policy.are known as regulations.____________
Unlock Deck
Unlock for access to all 56 flashcards in this deck.
Unlock Deck
k this deck
9
Which type of security policy is intended to provide a common understanding of the purposes for which an employee can and cannot use a resource?

A) issue-specific
B) enterprise information
C) system-specific
D) user-specific
Unlock Deck
Unlock for access to all 56 flashcards in this deck.
Unlock Deck
k this deck
10
Policies must specify penalties for unacceptable behavior and define an appeals process.
Unlock Deck
Unlock for access to all 56 flashcards in this deck.
Unlock Deck
k this deck
11
Which of the following is NOT one of the basic rules that must be followed when shaping a policy?

A) policy should never conflict with law
B) policy must be able to stand up in court if challenged
C) policy should be agreed upon by all employees and management
D) policy must be properly supported and administered
Unlock Deck
Unlock for access to all 56 flashcards in this deck.
Unlock Deck
k this deck
12
Which policy is the highest level of policy and is usually created first?

A) SysSP
B) USSP
C) ISSP
D) EISP
Unlock Deck
Unlock for access to all 56 flashcards in this deck.
Unlock Deck
k this deck
13
One of the goals of an issue-specific security policy is to indemnify the organization against liability for an employee's inappropriate or illegal use of the system.
Unlock Deck
Unlock for access to all 56 flashcards in this deck.
Unlock Deck
k this deck
14
Rule-based policies are less specific to the operation of a system than access control lists.
Unlock Deck
Unlock for access to all 56 flashcards in this deck.
Unlock Deck
k this deck
15
The 'Authorized Uses' section of an ISSP specifies what the identified technology cannot be used for.
Unlock Deck
Unlock for access to all 56 flashcards in this deck.
Unlock Deck
k this deck
16
The need for effective policy management has led to the emergence of a class of hardwaretools that supports policy development,implementation,and maintenance.
Unlock Deck
Unlock for access to all 56 flashcards in this deck.
Unlock Deck
k this deck
17
Which of the following is an element of the enterprise information security policy?

A) access control lists
B) information on the structure of the InfoSec organization
C) articulation of the organization's SDLC methodology
D) indemnification of the organization against liability
Unlock Deck
Unlock for access to all 56 flashcards in this deck.
Unlock Deck
k this deck
18
Which of the following is a policy implementation model that addresses issues by moving from the general to the specific and is a proven mechanism for prioritizing complex changes?

A) On-target model
B) Wood's model
C) Bull's-eye model
D) Bergeron and Berube model
Unlock Deck
Unlock for access to all 56 flashcards in this deck.
Unlock Deck
k this deck
19
Which of the following is NOT among the three types of InfoSec policies based on NIST's Special Publication 800-14?

A) Enterprise information security policy
B) User-specific security policies
C) Issue-specific security policies
D) System-specific security policies
Unlock Deck
Unlock for access to all 56 flashcards in this deck.
Unlock Deck
k this deck
20
Which of the following sections of the ISSP should provide instructions on how to report observed or suspected policy infractions?

A) Violations of Policy
B) Systems Management
C) Prohibited Usage of Equipment
D) Authorized Access and Usage of Equipment
Unlock Deck
Unlock for access to all 56 flashcards in this deck.
Unlock Deck
k this deck
21
List the major components of the ISSP.
Unlock Deck
Unlock for access to all 56 flashcards in this deck.
Unlock Deck
k this deck
22
A(n)____________________,which is usually presented on a screen to the user during software installation,spells out fair and responsible use of the software being installed.
Unlock Deck
Unlock for access to all 56 flashcards in this deck.
Unlock Deck
k this deck
23
Which of the following is a disadvantage of the individual policy approach to creating and managing ISSPs?

A) can suffer from poor policy dissemintation, enforcement, and review
B) may skip vulnerabilities otherwise reported
C) may be more expensive than necessary
D) implementation can be less difficult to manage
Unlock Deck
Unlock for access to all 56 flashcards in this deck.
Unlock Deck
k this deck
24
Which of the following are the two general groups into which SysSPs can be separated?

A) technical specifications and managerial guidance
B) business guidance and network guidance
C) user specifications and managerial guidance
D) technical specifications and business guidance
Unlock Deck
Unlock for access to all 56 flashcards in this deck.
Unlock Deck
k this deck
25
Which of the following are instructional codes that guide the execution of the system when information is passing through it?

A) access control lists
B) user profiles
C) configuration rules
D) capability tables
Unlock Deck
Unlock for access to all 56 flashcards in this deck.
Unlock Deck
k this deck
26
List the advantages and disadvantages of using a modular approach for creating and managing the ISSP.
Unlock Deck
Unlock for access to all 56 flashcards in this deck.
Unlock Deck
k this deck
27
In the bull's-eye model,the ____________________ layer is the place where threats from public networks meet the organization's networking infrastructure.
Unlock Deck
Unlock for access to all 56 flashcards in this deck.
Unlock Deck
k this deck
28
In which phase of the SecSDLC must the team create a plan to distribute and verify the distribution of the policies?

A) design
B) implementation
C) investigation
D) analysis
Unlock Deck
Unlock for access to all 56 flashcards in this deck.
Unlock Deck
k this deck
29
____________________ include the user access lists,matrices,and capability tables that govern the rights and privileges of users.
Unlock Deck
Unlock for access to all 56 flashcards in this deck.
Unlock Deck
k this deck
30
The champion and manager of the information security policy is called the ____________________.
Unlock Deck
Unlock for access to all 56 flashcards in this deck.
Unlock Deck
k this deck
31
A detailed outline of the scope of the policy development project is created during which phase of the SecSDLC?

A) design
B) analysis
C) implementation
D) investigation
Unlock Deck
Unlock for access to all 56 flashcards in this deck.
Unlock Deck
k this deck
32
How should a policy administrator facilitate policy reviews?
Unlock Deck
Unlock for access to all 56 flashcards in this deck.
Unlock Deck
k this deck
33
According to NIST SP 800-18,Rev.1,whichindividual is responsible for the creation,revision,distribution,and storage of the policy?

A) policy developer
B) policy reviewer
C) policy enforcer
D) policy administrator
Unlock Deck
Unlock for access to all 56 flashcards in this deck.
Unlock Deck
k this deck
34
A risk assessment is performed during which phase of the SecSDLC?

A) implementation
B) analysis
C) design
D) investigation
Unlock Deck
Unlock for access to all 56 flashcards in this deck.
Unlock Deck
k this deck
35
The responsibilities of both the users and the systems administrators with regard to specific systems administration duties should be specified in the ____________________ section of the ISSP.
Unlock Deck
Unlock for access to all 56 flashcards in this deck.
Unlock Deck
k this deck
36
The three types of information security policies include the enterprise information security policy,the issue-specific security policy,and the ____________________ security policy.
Unlock Deck
Unlock for access to all 56 flashcards in this deck.
Unlock Deck
k this deck
37
What are the two general methods for implementing technical controls?

A) profile lists and configuration filters
B) firewall rules and access filters
C) user profiles and filters
D) access control lists and configuration rules
Unlock Deck
Unlock for access to all 56 flashcards in this deck.
Unlock Deck
k this deck
38
List the significant guidelines used in the formulation of effective information security policy.
Unlock Deck
Unlock for access to all 56 flashcards in this deck.
Unlock Deck
k this deck
39
Which of the following is NOT an aspect of access regulated by ACLs?

A) what authorized users can access
B) where the system is located
C) how authorized users can access the system
D) when authorized users can access the system
Unlock Deck
Unlock for access to all 56 flashcards in this deck.
Unlock Deck
k this deck
40
When an organization demonstrates that it is continuously attempting to meet the requirements of the market in which it operates,what is it ensuring?

A) policy administration
B) due diligence
C) adequate security measures
D) certification and accreditation
Unlock Deck
Unlock for access to all 56 flashcards in this deck.
Unlock Deck
k this deck
41
What are the four elements that an EISP document should include?
Unlock Deck
Unlock for access to all 56 flashcards in this deck.
Unlock Deck
k this deck
42
a.capability table
b.statement of purpose
c.Bull's eye model
d.SysSP
e.procedures
f.InfoSec policy
g.standard
h.access control lists
i.systems management
j.ISSP
A section of policy that should specify users' and systems administrators' responsibilities.
Unlock Deck
Unlock for access to all 56 flashcards in this deck.
Unlock Deck
k this deck
43
a.capability table
b.statement of purpose
c.Bull's eye model
d.SysSP
e.procedures
f.InfoSec policy
g.standard
h.access control lists
i.systems management
j.ISSP
Step-by-step instructions designed to assist employees in following policies,standards and guidelines.
Unlock Deck
Unlock for access to all 56 flashcards in this deck.
Unlock Deck
k this deck
44
What are configuration rules?Provide examples.
Unlock Deck
Unlock for access to all 56 flashcards in this deck.
Unlock Deck
k this deck
45
a.capability table
b.statement of purpose
c.Bull's eye model
d.SysSP
e.procedures
f.InfoSec policy
g.standard
h.access control lists
i.systems management
j.ISSP
Specifications of authorization that govern the rights and privileges ofusers to a particular information asset.
Unlock Deck
Unlock for access to all 56 flashcards in this deck.
Unlock Deck
k this deck
46
What is a SysSP and what is one likely to include?
Unlock Deck
Unlock for access to all 56 flashcards in this deck.
Unlock Deck
k this deck
47
a.capability table
b.statement of purpose
c.Bull's eye model
d.SysSP
e.procedures
f.InfoSec policy
g.standard
h.access control lists
i.systems management
j.ISSP
A clear declaration thatoutlines the scope and applicability of a policy.
Unlock Deck
Unlock for access to all 56 flashcards in this deck.
Unlock Deck
k this deck
48
a.capability table
b.statement of purpose
c.Bull's eye model
d.SysSP
e.procedures
f.InfoSec policy
g.standard
h.access control lists
i.systems management
j.ISSP
Specifies which subjects and objects that users or groups can access.
Unlock Deck
Unlock for access to all 56 flashcards in this deck.
Unlock Deck
k this deck
49
a.capability table
b.statement of purpose
c.Bull's eye model
d.SysSP
e.procedures
f.InfoSec policy
g.standard
h.access control lists
i.systems management
j.ISSP
When issues are addressed by moving from the general to the specific,always starting with policy.
Unlock Deck
Unlock for access to all 56 flashcards in this deck.
Unlock Deck
k this deck
50
What should an effective ISSP accomplish?
Unlock Deck
Unlock for access to all 56 flashcards in this deck.
Unlock Deck
k this deck
51
a.capability table
b.statement of purpose
c.Bull's eye model
d.SysSP
e.procedures
f.InfoSec policy
g.standard
h.access control lists
i.systems management
j.ISSP
Organizational policies that often function asstandards or procedures to be used when configuring or maintaining systems. ​
Unlock Deck
Unlock for access to all 56 flashcards in this deck.
Unlock Deck
k this deck
52
a.capability table
b.statement of purpose
c.Bull's eye model
d.SysSP
e.procedures
f.InfoSec policy
g.standard
h.access control lists
i.systems management
j.ISSP
The high-level information security policy thatsets the strategic direction,scope,and tone for all of an organization's security efforts
Unlock Deck
Unlock for access to all 56 flashcards in this deck.
Unlock Deck
k this deck
53
a.capability table
b.statement of purpose
c.Bull's eye model
d.SysSP
e.procedures
f.InfoSec policy
g.standard
h.access control lists
i.systems management
j.ISSP
A detailed statement of what must be done to comply with policy,sometimes viewed?as the rules governing policy compliance.
Unlock Deck
Unlock for access to all 56 flashcards in this deck.
Unlock Deck
k this deck
54
a.capability table
b.statement of purpose
c.Bull's eye model
d.SysSP
e.procedures
f.InfoSec policy
g.standard
h.access control lists
i.systems management
j.ISSP
An organizational policy that provides detailed,targetedguidance to instruct all members of the organization in the use of a resource,such as one of itsprocesses or technologies.
Unlock Deck
Unlock for access to all 56 flashcards in this deck.
Unlock Deck
k this deck
55
In which phase of the development of an InfoSec policy must a plan to distribute the policies be developed?Why is this important?
Unlock Deck
Unlock for access to all 56 flashcards in this deck.
Unlock Deck
k this deck
56
What is the final component of the design and implementation of effective policies?Describe this component.
Unlock Deck
Unlock for access to all 56 flashcards in this deck.
Unlock Deck
k this deck
locked card icon
Unlock Deck
Unlock for access to all 56 flashcards in this deck.
QuizPlus
surly
Quizplus
Work With Us
Policies
Download the App
Scan to downloadDownload the App
qr-code
Links
Links
Work With Us
Download the App
surly
English
English
العربية
Scan to downloadDownload the App
qr-code

English
English
العربية
Copyright © 2025 Quizplus LLC.
  • facebook-footer
  • instagram-footer
  • x-footer
  • tiktok
  • Linktree