Policies, Plans, and Procedures Flashcards
What is the name given to the step-by-step instructions on how to implement policies in an organization?
Guidelines
Regulations
Procedures
Procedures
Procedures are the step-by-step instructions on how to implement policies in an organization
What is the name given to mandatory elements regarding the implementation of a policy?
Standards
Guidelines
Regulations
Standards
Standards is the term given to mandatory elements regarding the implementation of a policy
Which of the following is a description of a business partnership agreement (BPA)?
A negotiated agreement between parties detailing the expectations between a customer and a service provider.
A legal agreement between entities establishing the terms, conditions, and expectations of the relationship between the entities.
A written agreement expressing a set of intended actions between the parties with respect to some common pursuit or goal.
A legal agreement between entities establishing the terms, conditions, and expectations of the relationship between the entities.
A business partnership agreement is a legal agreement between entities establishing the terms, conditions, and expectations of the relationship between the entities
Which of the following is used to essentially set the requisite level of performance of a given contractual service?
Inter-organizational service agreement (ISA)
Memorandum of agreement
Service level agreement (SLA)
Service level agreement (SLA)
A service level agreement (SLA) essentially sets the requisite level of performance for a given contractual service
Which of the following is an issue that must be addressed if an organization enforces a mandatory vacation policy?
Enforcing a mandatory vacation policy in most cases is a costly policy.
Using mandatory vacations as a tool to detect fraud will require that somebody else also be trained in the functions of the employee who is on vacation.
Vacations often occur at the most inopportune time for the organization and can affect its ability to complete projects or deliver services.
Using mandatory vacations as a tool to detect fraud will require that somebody else also be trained in the functions of the employee who is on vacation.
Using mandatory vacations as a tool to detect fraud will require that somebody else also be trained in the functions of the employee who is on vacation. The organization must therefore ensure that they have a second person who is familiar with the vacationing employee’s duties
Which of the following are reasons for an organization to have a job rotation policy? (Choose all that apply.)
Since security is often of secondary concern to people in their jobs, rotating individuals through security positions can result in a much wider understanding of the organization’s security problems.
It helps to maintain a high level of employee morale.
It ensures all important operations can still be accomplished should budget cuts result in the termination of a number of employees.
It eliminates the need to rely on one individual for security expertise.
Since security is often of secondary concern to people in their jobs, rotating individuals through security positions can result in a much wider understanding of the organization’s security problems.
It eliminates the need to rely on one individual for security expertise.
Since security is often of secondary concern to people in their jobs, rotating individuals through security positions can result in a much wider understanding of the organization’s security problems. A secondary benefit is that it also eliminates the need to rely on one individual for security expertise. If all security tasks are the domain of one employee, security will suffer if that individual is lost from the organization
Which of the following statements are true when discussing separation of duties? (Choose all that apply.)
Separation of duties is a principle employed in many organizations to ensure that no single individual has the ability to conduct transactions alone.
Employing separation of duties means that the level of trust in any one individual is lessened, and the ability for any individual to cause catastrophic damage to the organization is also lessened.
Separating duties as a security tool is a good practice, but it is possible to go overboard and break up transactions into too many pieces or require too much oversight.
Separation of duties spreads responsibilities out over an organization so no single individual becomes the indispensable individual with all of the “keys to the kingdom” or unique knowledge about how to make everything work.
Separation of duties is a principle employed in many organizations to ensure that no single individual has the ability to conduct transactions alone.
Employing separation of duties means that the level of trust in any one individual is lessened, and the ability for any individual to cause catastrophic damage to the organization is also lessened.
Separating duties as a security tool is a good practice, but it is possible to go overboard and break up transactions into too many pieces or require too much oversight.
Separation of duties spreads responsibilities out over an organization so no single individual becomes the indispensable individual with all of the “keys to the kingdom” or unique knowledge about how to make everything work.
All of the statements are true when discussing separation of duties
Which of the following are true in regard to a clean desk policy for security? (Choose all that apply.)
While a clean desk policy makes for a pleasant work environment, it actually has very little impact on security.
Sensitive information must not be left unsecured in the work area when the worker is not present to act as custodian.
Even leaving the desk area and going to the bathroom can leave information exposed and subject to compromise.
A clean desk policy should identify and prohibit things that are not obvious upon first glance, such as passwords on sticky notes under keyboards and mouse pads.
Sensitive information must not be left unsecured in the work area when the worker is not present to act as custodian.
Even leaving the desk area and going to the bathroom can leave information exposed and subject to compromise.
A clean desk policy should identify and prohibit things that are not obvious upon first glance, such as passwords on sticky notes under keyboards and mouse pads.
A clean desk policy can actually have a positive impact on security for the reasons listed
While all employees may need general security awareness training, they also need specific training in areas where they have individual responsibilities. This type of training is referred to as which of the following?
Functional training
User training
Role-based training
Role-based training
Training targeted to the user with regard to their role in the organization is generally referred to as role-based training or role-based awareness training
Security, privacy, and retention policies for data are important to an organization. Not all data requires the same handling restrictions, but all data requires these characteristics to be defined. Defining these characteristics for specific information is generally the responsibility of which of the following?
The data security office
The data owner
An individual specifically given this responsibility for the organization
The data owner
Defining these characteristics is the responsibility of the data owner
Which of the following is the name typically given to administrative users with the responsibility of maintaining a system within its defined requirements?
System owner
System administrator
Privileged user
System administrator
System administrators are administrative users with the responsibility of maintaining a system within its defined requirements
Which of the following is the term used for a document used to explain the boundaries of company secret material, information over which control should be exercised to prevent disclosure to unauthorized parties, and to obtain agreement to follow these limits?
Non-disclosure agreement (NDA)
Data disclosure agreement (DDA)
Data release agreement (DRA)
Non-disclosure agreement (NDA)
Non-disclosure agreements (NDA) are standard corporate documents used to explain the boundaries of company secret material, information over which control should be exercised to prevent disclosure to unauthorized parties
What is the name given to a policy that outlines what an organization considers to be the appropriate use of its resources, such as computer systems, e-mail, Internet, and networks?
Resource usage policy (RUP)
Organizational use policy (OUP)
Acceptable use policy (AUP)
Acceptable use policy (AUP)
An acceptable use policy (AUP) outlines what the organization considers to be the appropriate use of its resources, such as computer systems, e-mail, Internet, and networks
What is the greatest risk to an organization when employees commingle corporate and personal e-mail?
Lost work productivity
Introduction of malware to the network
Use of server resources for personal mail storage
Introduction of malware to the network
Malware can come from personal e-mail as well as corporate e-mail, and the serious mail screening that corporate mail servers perform before users receive mail does not occur with third-party mail apps. While occasional use of work e-mail for personal purposes probably doesn’t add enough data to be a storage concern, nor is the loss of work productivity typically significant, malware should always be a concern
What is the term used for a high-level statement produced by senior management that outlines what security means to the organization and what the organization’s goals are for security?
Security standard
Security policy
Security guidance
Security policy
A security policy is a high-level statement produced by senior management that outlines what security means to the organization and what the organization’s goals are for security