04. Information Security Policies, Procedures, and Guidelines

Question 1

Information Security Policies, Procedures, and Guidelines

Information security policies, standards, guidelines, and procedures are the written artifacts that define…

Answer 1

the business and technical rules for information and information systems protection

222

Question 2

Policy Development

Defines the principles and required actions for the organisation to protect its assets and personnel properly

Answer 2

Information Security Policy

222

Question 3

Policy Development

The audience for security policy is the organisations personnel, which includes…

Answer 3

all workers, not just full time, but temporary, contractors, and consultants

222

Question 4

Policy Development

4 key considerations that the development of policy should include…

Answer 4

1. Laws, regulations, standards, legal obligations
2. Risk tolerance
3. Controls
4. Organisational Culture

222

Question 5

Policy Development

Security policy and controls need to be in alignment. Policies and controls must not…

Answer 5

contradict each other

222

Question 6

Policy Development

Security policy needs to align with the audience, meaning that policy statements need to be…

Answer 6

understood by workers

A common mistake is developing security policies with the inclusion of highly technical detail that would not be easily understood by non technical people

222

Question 7

Policy Development

Policy statements should state…

Answer 7

what needs to be done, not how

Security policies should be general and not cite specific devices, technologies etc..

223

Question 8

Policy Development

Security policy statements should be general and not cite specific devices, technologies, algorithms, or configurations. This will esnure that policies will be…

Answer 8

durable and not need to be changed frequently

223

Question 9

Policy Development

In comparison to security policy statements, security standards and procedure documents may need to change more frequently as..

Answer 9

practices, techniques and technologies change

223

Question 10

Standards

Where a policy states “what to do”, a standard describes…

Answer 10

how to do it or what to do

224

Question 11

Guidelines

Guidelines are nonbinding statements or narratives that provide additional direction to personnel regarding compliance with…

Answer 11

security policies, standards, and controls

224

Question 12

Requirements

A formal statement that describes the characteristics of a system that is to be changed, developed, or acquired

Answer 12

Requirements

224

Question 13

Requirements

Requirements should flow from, and align with…

Answer 13

the structure and content of policies and standards

224

Question 14

Requirements

Requirements must be…

Answer 14

specific and verifiable

Ambiguity should be resolved, there needs to be a clear understanding of each requirement

224

Question 15

Requirements

Requirements should be used in a step-by-step procedure for verifying that a system, service, or process complies with said requirements. Therefore, requirements can be considered a basis for…

Answer 15

a valid test plan

In testing, do we meet all the requirements?

224

Question 16

Requirements

Project managers and subject matter experts should prioritize requirements to distinguish….

Answer 16

those that are “must haves” v’s those that are “nice to have”

225

Question 17

Requirements

Some organisations distinguish function requirements from nonfunctional requirements.

1. Nonfunctional requirements define what a system…
2. Functional requirements define what a system…

Answer 17

1. Is supposed to BE
2. Is supposed to DO

225

Question 18

Processes and Procedures

Processes and procedures are detailed, sequenced instructions used to complete routine tasks and ensure….

Answer 18

consistency and compliance with individual policies and controls

225

Question 19

Processes and Procedures

A collection of one or more procedures that together fulfil a higher purpose

Answer 19

Process

225

Question 20

Processes and Procedures

A written set of instructions for a single task

Answer 20

Procedure

225

Question 21

Processes and Procedures

Auditors regard process and procedure documents to be outdated and invalid if…

Answer 21

they have not been reviewed for more than one year

225