25 Cards in this Set
A detailed outline of the scope of the policy development project is created during which phase of the SecSDLC? |
investigation |
|
Which of the following sections of the ISSP should provide instructions on how to report observed or suspected policy infractions? |
Violations of Policy |
|
Which type of document is a more detailed statement of what must be done to comply with a policy? |
standard |
|
Rule-based policies are less specific to the operation of a system than access control lists. |
False |
|
The champion and manager of the information security policy is called the _____. |
policy administrator |
|
When an organization demonstrates that it is continuously attempting to meet the requirements of the market in which it operates, what is it ensuring? |
due diligence |
|
Since most policies are drafted by a single person and then reviewed by a higher-level manager, employee input should not be considered since it makes the process too complex. (T/F) |
false |
|
A risk assessment is performed during which phase of the SecSDLC? |
analysis |
|
Which of the following is an element of the enterprise information security policy? |
information on the structure of the Information Security organization |
|
**The three types of information security policies include the enterprise information security policy, the issue-specific security policy, and the _______ security policy. |
system-specific |
|
______ include the user access lists, matrices, and capability tables that govern the rights and privileges of users. |
access control lists |
|
**? The responsibilities of both the users and the systems administrators with regard to specific technology rules should be included in the ________ section of the ISSP. |
authorized access and usage of equipment - THIS IS WRONG and idk the right answer at all |
|
In the bull's-eye model, the _______ layer is the place where threats from public networks meet the organization's networking infrastructure. |
networks |
|
Users have the right to use an organization's information system to browse the Web, even if this right is not specified in the ISSP. |
false |
|
In addition to specifying the penalties for unacceptable behavior, what else must the policy specify? |
appeals process |
|
Which of the following is NOT among the three types of Information Security policies based on NIST's Special Publications 800-14? |
user-specific security policies |
|
**? Which type of security policy is intended to provide a common understanding of the purposes for which an employee can and cannot use a resource? |
system-specific - THIS IS WRONG and "issue specific" is wrong but idk the right answer |
|
Which individual is responsible for the creation, revision, distribution, and storage of the policy? |
policy administration |
|
Which policy is the highest level of policy and is usually created first? |
EISP |
|
Which of the following is NOT an aspect of access regulated by ACLs? |
why authorized users need access to the system |
|
Which of the following are instructional codes that guide the execution of the system when info is passing through it? |
configuration rules |
|
One of the goals of an issue-specific security policy is to indemnify the organization against liability for an employee's inappropriate or illegal use of the system. (T/F) |
true |
|
What are the two general methods for implementing technical controls? |
access control lists and configuration rules |
|
Which of the following is NOT one of the basic rules that must be followed when shaping a policy? |
policy should be agreed upon by all employees and management |
|
Which of the following is a disadvantage of the individual policy organization approach? |
can suffer from poor policy enforcement |