Chapter 4 - Policy

Question 1

Policy

• should never conflict with law
• must be able to stand up in court if challenged
• must be properly supported and administered

Answer 1

..

Question 2

Bulls Eye model

Answer 2

Policies

Networks

Systems

Applications

Question 3

Policies
Standards
Guidelines
Procedures

Answer 3

Policies : Sanctioned by management, defines what you can do and not do

Standards: Detailed minimum specification

Guidelines: Recommendation for compliance

Procedures: Step by step instructions for compliance

Question 4

Example

Policies :
Standards:
Guidelines:
Procedures:

Answer 4

Policies : Use strong policy, frequently changed

Standards:must be at least 8 characters, with ag least…

Guidelines: We recommend you don’t use family or pet names

Procedures: in order to change your password, first click on the Windows Start button, then …

practices: according to X, most organisations requires employees to change passwords semi annually

Question 5

Enterprise infosec policy (EISP), based on and supports organisation’s mission and vision.

Issues specific Infosec policy (ISSP), provides guidance to all members of the organisation regarding the use of IT

System specific infosec policy (SysPs), guides the management and technical specifications of particular technologies and systems.

Answer 5

Guidelines for development and implementation:

1. Develop using industry accepted practices, and formally approved by management
2. Distributed to all employees
3. Read by all employees
4. Understood by all employees
5. Formally agreed by act of affirmation
6. Uniformly applied and enforced

Question 6

Three general causes lead to unethical and illegal behaviour: ignorance, accident, and intent.

Answer 6

Deterrence can be created when three conditions are present:

1. fear of penalty
2. probability of being caught
3. probability of the penalty being applied