IS4550 CHAPTER 6 Flashcards
The ability to reasonably ensure conformity and adherence to organization policies, standards, procedures to laws and regulations is called ___.
COMPLIANCE
A deviation from a centrally supported and approved IT security standard, which can come about because of a lack of preparedness by the organization to comply with the standard or because of the use of a technology that the standards have not sanctioned, is called ___.
EXCEPTION
A capstone document that establishes the reporting lines and delegation of responsibilities for Information Security to management below the organization’s chief information officer (CIO) or other executive leader is called ___.
INFORMATION SECURITY PROGRAM CHARTER
Information security standards published jointly by the ISO and the International Electrotechnical Commission (IEC) are called the ___.
ISO/IEC 27000 SERIES
A standard that focuses on areas of current relevance and concern to an organization. It is used to express security control requirements, typically for non-technical processes, and to guide human behavior. This is called ___.
ISSUE-SPECIFIC STANDARD
A logical structure that is established to organize policy documentation into groupings and categories that make it easier for employees to find and understand the contents of various policy documents is called ___.
IT POLICY FRAMEWORK
A publication of the US National Institute of Standards and Technology (NIST) titled “Recommended Security Controls for Federal Information Systems and Organizations” is called ___.
NIST SP 800-53
A standard that focuses on a specific technology or system being used within an organization. It is used to express the security control implementation requirements for that specific technology. This is called ___.
SYSTEM-SPECIFIC STANDARD
- An IT policy framework charter includes which of the following?
  1. The program’s purpose and mission
  2. The program’s scope within the organization
  3. Assignment of responsibilities for program implementation
  4. Compliance management
- 1, 2, and 3 only
- 1, 2, 3, and 4
1, 2, 3, and 4 (ALL ANSWERS)
- Which of the following is the first step in establishing an information security program?
- Adoption of an information security policy framework or charter
- Development and implementation of an information security standards manual
- Development of a security awareness-training program for employees
- Purchase of security access control software
Adoption of an information security policy framework or charter
- Which of the following are generally accepted and widely used policy frameworks? (Select three.)
- COBIT
- ISO/IEC 27002
- NIST SP 800-53
- NIPP
COBIT
ISO/IEC 27002
NIST SP 800-53
- Security policies provide the “what” and “why” of security measures. TRUE OR FALSE?
TRUE
- ___ are best defined as high-level statements, beliefs, goals, and objectives.
Policies
- Which of the following is not mandatory?
- Standard
- Guideline
- Procedure
- Baseline
Guideline
- Which of the following includes all of the detailed actions and tasks that personnel are required to follow?
- Standard
- Guideline
- Procedure
- Baseline
Procedure