PLANNING FOR SECURITY Flashcards
1
Q
- A standard is a plan or course of action that conveys instructions from an organization’s senior management to those who make decisions, take actions, and perform other duties.
A
F
2
Q
- Quality security programs begin and end with policy.
A
T
3
Q
- The ISSP sets out the requirements that must be met by the information security blueprint or framework.
A
F
4
Q
- You can create a single comprehensive ISSP document covering all information security issues.
A
T
5
Q
- Each policy should contain procedures and a timetable for periodic review.
A
T
6
Q
- A policy should state that if employees violate a company policy or any law using company technologies, the company will protect them, and the company is liable for the employee’s actions.
A
F
7
Q
- A managerial guidance SysSP document is created by the IT experts in a company to guide management in the implementation and configuration of technology.
A
F
8
Q
- ACLs are more specific to the operation of a system than rule-based policies, and they may or may not deal with users directly.
A
F
9
Q
- To remain viable, security policies must have a responsible individual, a schedule of reviews, a method for making recommendations for reviews, and a policy issuance and planned revision date.
A
T
10
Q
- The policy administrator is responsible for the creation, revision, distribution, and storage of the policy.
A
T
11
Q
- The security framework is a more detailed version of the security blueprint.
A
F
12
Q
- The global information security community has universally agreed with the justification for the code of practice identified in ISO/IEC 17799.
A
F
13
Q
- Many industry observers claim that ISO/IEC 17799 is not as complete as other frameworks.
A
T
14
Q
- ISO/IEC 17799 is more useful than any other information security management approach.
A
F
15
Q
- Failure to develop an information security system based on the organization’s mission, vision, and culture guarantees the failure of the information security program.
A
T
16
Q
- NIST Special Publication 800-18 Rev. 1, Guide for Developing Security Plans for Federal Information Systems, includes templates for major application security plans.
A
T
17
Q
- NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, provides detailed methods for assessing, designing, and implementing controls and plans for applications of varying size.
A
F
18
Q
- The Security Area Working Group endorses ISO/IEC 17799.
A
F
19
Q
- Information security safeguards provide two levels of control: managerial and remedial.
A
F
20
Q
- Management controls address the design and implementation of the security planning process and security program management.
A
T
21
Q
- Informational controls guide the development of education, training, and awareness programs for users, administrators, and management.
A
F
22
Q
- The gateway router can be used as the front-line defense against attacks, because it can be configured to allow only specified protocols and services to enter the network.
A
T
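Card 22 describes the gateway router as a front-line filter that admits only specified protocols. The following is an added illustration, not from the textbook or the flashcard deck: a minimal first-match packet filter with the implicit-deny semantics that router ACLs use, plus a check for shadowed rules (the ordering mistake that silently lets a "deny" rule never fire). The `Rule` class, the `filter_packet` and `shadowed_rules` functions, the rule sets and the sample addresses are all constructed here for the example.

```python
"""First-match ACL filter with implicit deny, plus a shadowed-rule audit.

Added example for the gateway-router flashcard; everything here (the Rule
class, rule sets and sample packets) is constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: str                   # "tcp", "udp", "icmp" or "any"
    src: str = "0.0.0.0/0"       # permitted source network, CIDR
    dport: Optional[int] = None  # destination port; None matches any port
    comment: str = ""

    def matches(self, proto: str, src_ip: str, dport: Optional[int]) -> bool:
        if self.proto != "any" and self.proto != proto:
            return False
        if ip_address(src_ip) not in ip_network(self.src):
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True


def filter_packet(rules: List[Rule], proto: str, src_ip: str,
                  dport: Optional[int]) -> Tuple[str, str]:
    """Return (action, reason) for one packet.

    The first matching rule wins; a packet no rule matches is dropped
    (implicit deny), which is what makes the router a default-deny filter.
    """
    for rule in rules:
        if rule.matches(proto, src_ip, dport):
            return rule.action, rule.comment or f"{rule.action} {rule.proto}"
    return "deny", "implicit deny"


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never fire because an earlier rule already
    matches every packet they would match (an ACL ordering bug)."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            proto_ok = earlier.proto in ("any", later.proto)
            src_ok = ip_network(later.src).subnet_of(ip_network(earlier.src))
            port_ok = earlier.dport is None or earlier.dport == later.dport
            if proto_ok and src_ok and port_ok:
                shadowed.append(i)
                break
    return shadowed


# Constructed edge rule set: only HTTPS, internal SSH and ICMP are admitted.
EDGE_RULES = [
    Rule("allow", "tcp", "0.0.0.0/0", 443, "public HTTPS"),
    Rule("allow", "tcp", "10.0.0.0/8", 22, "SSH from internal nets only"),
    Rule("allow", "icmp", "0.0.0.0/0", None, "ping"),
]

# Constructed misordered set: the broad allow hides the telnet deny.
MISORDERED_RULES = [
    Rule("allow", "tcp", "0.0.0.0/0", None, "too broad: all TCP"),
    Rule("deny", "tcp", "0.0.0.0/0", 23, "block telnet (never reached)"),
]

# Constructed sample traffic: (protocol, source IP, destination port).
SAMPLE_PACKETS = [
    ("tcp", "203.0.113.7", 443),   # external HTTPS client
    ("tcp", "203.0.113.7", 22),    # external SSH attempt
    ("tcp", "10.1.2.3", 22),       # internal SSH
    ("udp", "198.51.100.9", 53),   # DNS to the gateway, not allowed
    ("icmp", "198.51.100.9", None),
    ("tcp", "203.0.113.7", 23),    # telnet probe
]


def run_sample(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Apply a rule set to SAMPLE_PACKETS and return the decisions."""
    return [filter_packet(rules, *pkt) for pkt in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt, (action, why) in zip(SAMPLE_PACKETS, run_sample(EDGE_RULES)):
        print(f"{pkt}: {action} ({why})")
    print("shadowed rules in MISORDERED_RULES:", shadowed_rules(MISORDERED_RULES))
```

Run with `python filter_demo.py`: every packet the edge rule set does not explicitly admit, including the external SSH and telnet probes, falls through to the implicit deny, while the misordered set lets the telnet probe through and `shadowed_rules` reports index 1 as unreachable, which is the check a practitioner should run before trusting a "deny" rule.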