2 - Security Policies and Procedures

Question 1

Internal and external changes force organizations to evolve on what levels?

Answer 1

operation, tactical, and strategic

Question 2

What are security policies?

Answer 2

documents that provide the foundation for organization security goals

Question 3

Policies created by organizations are a reflection of what?

Answer 3

The external laws and regulations that apply to the organization

Question 4

What does policy life cycle management involve?

Answer 4

the creation, usage, and retirement of policies

Question 5

What does performing a risk assessment identify?

Answer 5

risks to organizational assets

Question 6

What should be used to guide policy creation?

Answer 6

policy templates

Question 7

Where should policy input be sought?

Answer 7

from executives and other stakeholders

Question 8

What should be established for policy violations?

Answer 8

penalties

Question 9

To whom should organizational policies be published?

Answer 9

all employees in the organization

Question 10

The organization should ensure staff members do what when a policy is published?

Answer 10

read, understand, and sign the policy

Question 11

What should be used to enforce policies whenever possible?

Answer 11

technology

Question 12

Who should be educated about organizational policy contents?

Answer 12

organizational staff

Question 13

How often should policy reviews be scheduled?

Answer 13

annually or semi-annually

Question 14

When should a policy be retired?

Answer 14

When it’s no longer applicable

Question 15

Organizational policies can focus on what?

Answer 15

all aspects of an organization

Question 16

System-specific policies focus on what?

Answer 16

specific computers or network systems, and the necessary security controls that protect them

Question 17

Issue-specific policies focus on what?

Answer 17

specific organizational issues such as department issues, business products, processes, and others

Question 18

Regulatory policies ensure that an organization does what?

Answer 18

follows the legal requirements of compliance law

Question 19

Advisory polices do what?

Answer 19

provide strong recommendations or reminders for employees to consider

Question 20

Informative policies do what?

Answer 20

gentle recommendations or reminders for employees to consider

Question 21

Standards are required elements regarding what?

Answer 21

the implementation of controls or procedures in support of a policy

Question 22

Guidelines do what?

Answer 22

specify optional and recommended security controls or processes to be followed

Question 23

What is a process?

Answer 23

a predictable series of steps needed to achieve and objective

Question 24

What are procedures?

Answer 24

operation-level, step-by-step details on how to achieve specific business processes

Question 25

What are baselines?

Answer 25

point-in-time measurements of what we agree is the acceptable level or normal performance

Question 26

Policies need to be consulted and periodically revised due to what types of changes to the business?

Answer 26

new business, technologies, environmental changes, regulatory requirements, and emerging risks

Question 27

Policies are often driven by a combination of what requirements?

Answer 27

internal and external requirements

Question 28

The security requirements of policies are often best described by whom?

Answer 28

other departments within your organization - including human resources, legal, management, etc

Question 29

Security’s relationships with other business units and utilization of their skill sets are vital to what?

Answer 29

the success of an organization’s security program

Question 30

A documented process of determining the prioritization of responses to threats:

Answer 30

risk assessment

Question 31

A business impact analysis does what?

Answer 31

document the various risks to an organization and the resulting impact from disasters should those risks be realized

Question 32

What are interoperability agreements?

Answer 32

a board category of agreements that include data, technology, and communication sharing requirements between two or more organizations

Question 33

What are interconnection security agreements?

Answer 33

specialized agreements between organizations that have connected IT systems to document the security requirements associated with the interconnection

Question 34

What are memorandums of understanding?

Answer 34

legal documents used to describe a bilateral agreement between parties

Question 35

What is a service level agreements?

Answer 35

an agreement negotiated between parties detailing the expectations between a customer and a service provider

Question 36

What is an operating level agreement?

Answer 36

an internal document that defines the relationships between internal parties to support business activities

Question 37

What is a nondisclosure agreement?

Answer 37

an agreement between parties defining and establishing the rules for which information can be shared

Question 38

What is a business partnership agreement?

Answer 38

a type of legal agreement between partners establishing the terms, conditions, and expectations of the relationship

Question 39

What is a master service agreement?

Answer 39

an all-encompassing agreement between multiple organizations that serves as the building block for future agreements, transactions, and business documents

Question 40

When working with other businesses, formal documentation requests and security requirements should be included in what?

Answer 40

the contract with the other business

Question 41

Requests for proposal accomplish what goals?

Answer 41

• informs potential vendors of a product or service being sought
• provides specific details on what the organization wishes to purchase
• provides a basis from which to evaluate interested vendors

Question 42

What does a Request for Quote do?

Answer 42

further restricts the list of companies that will receive the full request by asking for price ranges for services or products

Question 43

A Request for Information is issued for what purpose?

Answer 43

to seek information regarding specific products or services in the marketplace

Question 44

Privacy is the desire to control the use of what?

Answer 44

personsal data

Question 45

Establishing and publishing the requirements associated with PII allows an organization to ensure what?

Answer 45

that the awareness of privacy requirements is spread throughout the organization and incorporated into plans, policies, and procedures

Question 46

With regard to PII storage, organizations must clearly designate what?

Answer 46

• elements of PII that are being collected
• elements of PII that are stored
• security provisions
• storage time

Question 47

With regard to PII usage, organizations must clearly state what?

Answer 47

what the PII will be used for, including any transfer to third parties

Question 48

With regard to security policies, due care addresses what?

Answer 48

whether the organization has a minimal set of policies that provides reasonable assurance of success in maintaining security

(involves taking action)

Question 49

With regard to security, due diligence requires what?

Answer 49

that management do something to ensure security, such as implement procedures for testing and review of audit records, internal security controls, and personnel behavior

Question 50

Incident response is a team-led activity that does what?

Answer 50

prevents, detects, and responds to security breaches

Question 51

What do forensic tasks involve?

Answer 51

the collection and perseverance of digital evidence

Question 52

Continuous monitoring involves what?

Answer 52

tracking changes to the information system that occur during its lifetime and then determining the impact of those changes on the system security controls

Question 53

Ongoing security is a coordinate effort that can do what?

Answer 53

move protection priorities in response to the shifting threat landscape and requirements

Question 54

User training and awareness have what benefits for the company?

Answer 54

they ensure employees understand what security expectations are placed on them so they can better protect organizational assets and business objectives

Question 55

Auditing requirements and frequency function as what?

Answer 55

a set of checks and balances to measure that he desired level of security control is actually present and functioning as designed