Chapter 4

Question 1

3 basic rules when making a policy:

Answer 1

• Policy shouldn’t conflict with the law.
• Policy must be able to stand in court.
• Policy should be supported and administered.

Question 2

What are the 4 Bulls-eye model layers?

Answer 2

• Policies.
• Networks.
• Systems.
• Applications.

Question 3

Explain the difference between the following:
1- Policy
2- Standard
3- Guidelines
4- Procedures
5- Practices

Answer 3

1- policy is the guidelines for behavior in an organization.

2- standards are specifications in how the policy should be followed.

3- guidelines are non-mandatory recommendations.

4- procedures are step-by-step instructions to help follow policies.

5- practices are examples of actions that follow policies.

Question 4

What are 6 guidelines for effective policy? / How to make policies effective?

Answer 4

1- approved by management.
2- properly spread.
3- read.
4- understood.
5- agreed-to.
6- fairly enforced.

Question 5

What are the 3 types of IS policy?

Answer 5

• Enterprise IS program policy.
• Issue-specific IS policy.
• System-specific policy.

Question 6

What’s “Enterprise Information Security Policy” (EISP)?

Answer 6

It sets the strategic direction of the organization’s security.

Question 7

What’s “Issue-specific IS policy” (ISSP) and it’s elements?

Answer 7

It provides guidance and regulation for usage of IT.

ISSP elements:
- Statement of purpose.
- Authorized usage.
- Prohibition.
- System management.
- Violations of policy.
- Policy review and updates.
- Limitations of liability.

Question 8

What’s “System-specific policy” (SysSP) and it’s elements?

Answer 8

They often function as procedures that are used when configuring or maintaining systems.

2 types of SysSP’s:
– Managerial guidance
– Technical specifications
Or combined in a single document.

Question 9

2 types of SysSP’s:

Answer 9

– Managerial guidance
– Technical specifications
Or combined in a single document.

Question 10

What are “Managerial Guidance SysSP’s”?

Answer 10

• Created by management
• Guides implementation of tech.
  -Informs technologists of management intent.

Question 11

What are “Technical specification SysSPs”?

Answer 11

It’s the system admins directions on implementing managerial policy.

Has 2 methods:
- Access Control Lists (ACLs).
- Configuration rules.

Question 12

Name and explain the 2 methods for Technical specification SysSPs:

Answer 12

1- Access control lists: enables restricted access according to user, computer, time, etc.

2- Configuration rules: instructional codes that guide the execution of the system when information is passing through it.

Question 13

What can ACLs regulate?
Name 4:

Answer 13

• Type of user. (Who)
• Time. (When)
• Location. (Where)
• Device. (How)

Question 14

It is useful to view policy development as a 3 part project.
Explain the 3 parts of developing policy:

Answer 14

1- The policy is designed and written.
2- then, formal approval to the policy by the management.
3- lastly, the policy is applied in the organization.

Question 15

How is policy distribution done?

Answer 15

Can be distributed by:
- hard copy.
- electronic.

*The organization must prove that the policy reached the end user.

*Destruction of old versions must be done to assure confidentiality

Question 16

What are some barriers to policy reading?
name 2:

Answer 16

There can be language barriers, and visually impaired employees that require additional assistance.

Question 17

You have to be certain that employees can comprehend the policy.
How do u make sure that is the case?

Answer 17

Scored quizzes and exams.

Question 18

Why do we need policy?

Answer 18

to inform what is and is not acceptable behavior in the organization and increase productivity.