Chapter 4

True/False
Indicate whether the statement is true or false.

____ 1. The bull’s-eye model emphasizes the role of policy in an information security program.
____ 2. Policies must note the existence of penalties for unacceptable behavior.
____ 3. The ISSP is not a binding agreement between the organization and its members.
____ 4. Users have a right to use an organization’s information systems for personal e-mails, even if this right is not specified in the ISSP.
____ 5. In some systems, capability tables are called user profiles.
____ 6. Access control lists can only be used to restrict access according to the user.
____ 7. Rule-based policies are less specific to the operation of a system than access control lists.
____ 8. All rule-based policies must deal with users directly.
____ 9. An automated policy management system is able to assess readers’ understanding of the policy and electronically record reader acknowledgments.
____ 10. Today, most EULAs are presented on blow-by screens.
____ 11. The Flesch-Kincaid Grade Level score evaluates writing on a U.S. grade-school level.
____ 12. When a policy is created and distributed without software automation tools, it is often not clear which manager has approved it.
____ 13. If multiple audiences exist for information security policies, different documents must be created for each audience.
____ 14. An ISSP will typically not cover the use of e-mail or the Internet.
____ 15. Access control lists can be used to control access to file storage systems.

Multiple Choice
Identify the choice that best completes the statement or answers the question.

____ 16. The ____ layer is the outer layer of the bull’s-eye model.
    a. Systems
    b. Networks
    c. Policies
    d. Applications
____ 17. The ____ model describes the layers at which security controls can be applied.
    a. NSTISSC
    b. EISP
    c. bull’s-eye
    d. policy
____ 18. Which of the following is a type of information security policy that deals with all of an organization’s security efforts?
    a. issue-specific security policy
    b. system-specific security policy
    c. company-wide security policy
    d. enterprise information security policy
____ 19. The ____ section of an ISSP explains who can use the technology governed by the policy and for what purposes.
    a. Violations of Policy
    b. Limitations of Liability
    c. Systems Management
    d. Authorized Access and Usage of Equipment
____ 20. Capability tables are also known as ____.
    a. system policies
    b. user policies
    c. system profiles
    d. account lists
____ 21. Configuration codes entered into security systems to guide the execution of the system when information is passing through it are called ____.
    a. access control lists
    b. user profiles
    c. configuration rules
    d. capability table
____ 22. A detailed outline of the scope of the policy development project is created during the ____ phase of the SecSDLC.
    a. design
    b. analysis
    c. implementation
    d. investigation
____ 23. During the ____ phase of the SecSDLC, the information security policy is monitored, maintained, and modified as needed.
    a. implementation
    b. maintenance
    c. analysis
    d. investigation
____ 24. The policy champion and manager is called the ____.
    a. policy developer
    b. lead policy developer
    c. policy enforcer
    d. policy administrator
____ 25. The ____ component of an EISP defines the organizational structure designed to support information security within the organization.
    a. Information Technology Security Responsibilities and Roles
    b. Need for Information Technology Security
    c. Reference to Other Information Technology Standards and Guidelines
    d. Information Technology Security Elements
____ 26. A typical blow-by screen may require the user to ____.
    a. click a button on the screen
    b. press any key
    c. type words
    d. press a function key
____ 27. The Flesch Reading Ease scale evaluates writing on a scale of ____.
    a. 1 to 10
    b. 1 to 20
    c. 1 to 50
    d. 1 to 100
____ 28. For most corporate documents, a score of ____ is preferred on the Flesch Reading Ease scale.
    a. 9 to 10
    b. 15 to 20
    c. 60 to 70
    d. 90 to 100
____ 29. For most corporate documents, a score of ____ is preferred as a Flesch-Kincaid Grade Level score.
    a. 4.0 to 5.0
    b. 7.0 to 8.0
    c. 9.0 to 10.0
    d. 11.0 to 12.0
____ 30. In its simplest form, a coverage matrix is a ____.
    a. list
    b. two-dimensional table
    c. three-dimensional table
    d. queue

Completion
Complete each statement.

31. The ____________________ layer is the place where threats from public networks meet the organization’s networking infrastructure in the bull’s-eye model.
32. The computers used in an organization are part of the ____________________ layer of the bull’s-eye model.
33. The responsibilities of both the users and the systems administrators should be specified in the ____________________ section of the ISSP.
34. The ____________________ section of the ISSP should provide instructions to employees on how to report observed or suspected violations of the usage and systems management policies.
35. SysSPs can be separated into two general groups: managerial guidance and ____________________.
36. The champion and manager of the information security policy is called the ____________________.
37. An implementation model that emphasizes the role of policy in an information security program is the ____________________ model.
38. The formulation of program policy in the ____________________ document establishes the overall information security environment.
39. In an organization, a(n) ____________________ security policy provides detailed, targeted guidance to instruct all the members in the use of technology-based systems.
40. The ____________________ section of the ISSP should specify users’ and systems administrators’ responsibilities.

Essay

41. List the significant guidelines used in the formulation of effective information security policy.
42. Describe the advantages and disadvantages of using a modular approach for creating and managing the ISSP.
43. List the goals of the issue-specific security policy (ISSP) of an organization.