Security Policy and Controls

Question 1

What are the four major categories controls are divided into?

Answer 1

The control itself and its purpose, the attributes of the control, the implementation guidance given, and ‘other’

Question 2

What should a top level policy contain?

Answer 2

A top level policy should contain definitions of information security, objectives and principles; commitments to meeting specific security requirements; assignments of general and specific responsibilities; and processes for handling deviations and exceptions

Question 3

Give 3 examples of policy topics

Answer 3

Choose from: access control, physical and environmental safety, asset management, information transfer, secure configuration, networking security, information security incident management, backup, cryptography, information classification, management of technical vulnerabilities, secure development

Question 4

What is the difference between a policy and a procedure?

Answer 4

A policy gives the principles, rules and responsibilities, a procedure describes the specific steps to achieve the goal

Question 5

Where are internal policies the most useful?

Answer 5

Inside larger and more complex organisations, where those defining the controls are separate from those implementing them

Question 6

When should policies be reviewed?

Answer 6

Policies should be reviewed in specific intervals or when there are significant changes made to them

Question 7

What is the difference between preventive versus reactive security controls?

Answer 7

Preventive controls are those that help to prevent security breaches, while reactive controls are those that detect and rectify security breaches after they occur

Question 8

What is the Classification of Information control?

Answer 8

It is the procedures for classifying and organising information

Question 9

What is the Privacy and Protection of PII control?

Answer 9

Privacy and Protection of Personally Identifiable Information

Question 10

What is the Collection of Evidence control?

Answer 10

The procedures for documenting, identifying, collecting and preserving evidence

Question 11

What is the Screening control?

Answer 11

Background checks on all members should be carried out

Question 12

What is the Responsibilities after Termination control?

Answer 12

Information Security responsibilities and duties that remain after termination should be defined

Question 13

What is the Terms and Conditions of Employment control?

Answer 13

The employment contract should describe information security responsibilities

Question 14

What should be covered in the Terms and Conditions of Employment?

Answer 14

Confidentiality agreements, legal responsibilities and rights, information classification responsibilities, and actions to be taken if staff breach policies

Question 15

What is the Disciplinary Process control?

Answer 15

A process that communicates the punishment that would occur should a member commit a security violation

Question 16

What is the Confidentiality control?

Answer 16

Confidentiality reflecting the organisation’s needs should be identified and documented

Question 17

What is the Security Awareness control?

Answer 17

An information security awareness and training programme should be implemented

Question 18

What is the Remote Working control?

Answer 18

Security measures should be implemented if workers are working remotely

Question 19

What is the Information Security Event Reporting control?

Answer 19

There should be a way for personnel to report observed or suspected Security Events

Question 20

What is the Physical Entry control?

Answer 20

Any method used to prevent unauthorised physical access to systems, or logging all access

Question 21

What is the Clear Desk and Clear Screen control?

Answer 21

Clear desk for papers or drives and clear screens for information rules should be established

Question 22

What is the Storage Media control?

Answer 22

Storage Media should be managed through their lifecycle

Question 23

What is the Cabling Security control?

Answer 23

Cables carrying power, data or anything else should be protected

Question 24

What is the Secure Disposal control?

Answer 24

Items containing information should be verified to ensure that all information is removed before disposal

Question 25

What is the Physical Threat Protection control?

Answer 25

Protection against physical and environmental threats such as natural disasters should be implemented

Question 26

What is the Security of Assets Off-Premise control?

Answer 26

Off-site assets should still be protected

Question 27

What is the Privileged Access Rights control?

Answer 27

The use of privileged access rights should be restricted and controlled

Question 28

What is the Protection against Malware control?

Answer 28

Protection against malware should be implemented

Question 29

What is the Management of Technical Vulnerabilities control?

Answer 29

Information about technical vulnerabilities should be obtained and evaluated

Question 30

What is the Web Filtering control?

Answer 30

Access to external websites should be managed to reduce exposure