Question 1

Which of the following sections of the ISSP should provide instructions on how to report observed or suspected policy infractions?

Accepted Answer

A)  Violations of Policy 
B)  Systems Management 
C)  Prohibited Usage of Equipment 
D)  Authorized Access and Usage of Equipment 
A)  Violations of Policy 
B)  Systems Management 
C)  Prohibited Usage of Equipment 
D)  Authorized Access and Usage of Equipment

Question 2

The high-level information security policy that sets the strategic direction,scope,and tone for all of an organization's security efforts

Accepted Answer

A)  capability table 
B)  statement of purpose 
C)  Bull's eye model 
D)  SysSP 
E)  Procedures
F) InfoSec policy
G) standard
H) access control lists
I) systems management
J) ISSP 
A)  capability table 
B)  statement of purpose 
C)  Bull's eye model 
D)  SysSP 
E)  Procedures
F) InfoSec policy
G) standard
H) access control lists
I) systems management
J) ISSP

Question 3

Which of the following are the two general groups into which SysSPs can be separated?

Accepted Answer

A)  technical specifications and managerial guidance 
B)  business guidance and network guidance 
C)  user specifications and managerial guidance 
D)  technical specifications and business guidance 
A)  technical specifications and managerial guidance 
B)  business guidance and network guidance 
C)  user specifications and managerial guidance 
D)  technical specifications and business guidance

Question 4

Specifies which subjects and objects that users or groups can access.

Accepted Answer

A)  capability table 
B)  statement of purpose 
C)  Bull's eye model 
D)  SysSP 
E)  Procedures
F) InfoSec policy
G) standard
H) access control lists
I) systems management
J) ISSP 
A)  capability table 
B)  statement of purpose 
C)  Bull's eye model 
D)  SysSP 
E)  Procedures
F) InfoSec policy
G) standard
H) access control lists
I) systems management
J) ISSP

Question 5

​Organizational policies that often function as standards or procedures to be used when configuring or maintaining systems.​

Accepted Answer

A)  capability table 
B)  statement of purpose 
C)  Bull's eye model 
D)  SysSP 
E)  Procedures
F) InfoSec policy
G) standard
H) access control lists
I) systems management
J) ISSP 
A)  capability table 
B)  statement of purpose 
C)  Bull's eye model 
D)  SysSP 
E)  Procedures
F) InfoSec policy
G) standard
H) access control lists
I) systems management
J) ISSP

Question 6

When an organization demonstrates that it is continuously attempting to meet the requirements of the market in which it operates,what is it ensuring?

Accepted Answer

A)  policy administration 
B)  due diligence 
C)  adequate security measures 
D)  certification and accreditation 
A)  policy administration 
B)  due diligence 
C)  adequate security measures 
D)  certification and accreditation

Question 7

Which of the following is NOT an aspect of access regulated by ACLs?

Accepted Answer

A)  what authorized users can access 
B)  where the system is located 
C)  how authorized users can access the system 
D)  when authorized users can access the system 
A)  what authorized users can access 
B)  where the system is located 
C)  how authorized users can access the system 
D)  when authorized users can access the system

Question 8

List the advantages and disadvantages of using a modular approach for creating and managing the ISSP.

Accepted Answer

The advantages of the modular ISSP polic

Question 9

One of the goals of an issue-specific security policy is to indemnify the organization against liability for an employee's inappropriate or illegal use of the system.

Accepted Answer

A) True 
 B)False

Question 10

A detailed outline of the scope of the policy development project is created during which phase of the SecSDLC?

Accepted Answer

A)  design 
B)  analysis 
C)  implementation 
D)  investigation 
A)  design 
B)  analysis 
C)  implementation 
D)  investigation

Question 11

According to NIST SP 800-18,Rev.1,which individual is responsible for the creation,revision,distribution,and storage of the policy?

Accepted Answer

A)  policy developer 
B)  policy reviewer 
C)  policy enforcer 
D)  policy administrator 
A)  policy developer 
B)  policy reviewer 
C)  policy enforcer 
D)  policy administrator

Question 12

In which phase of the SecSDLC must the team create a plan to distribute and verify the distribution of the policies?

Accepted Answer

A)  design 
B)  implementation 
C)  investigation 
D)  analysis 
A)  design 
B)  implementation 
C)  investigation 
D)  analysis

Question 13

Which type of security policy is intended to provide a common understanding of the purposes for which an employee can and cannot use a resource?

Accepted Answer

A)  issue-specific 
B)  enterprise information 
C)  system-specific 
D)  user-specific 
A)  issue-specific 
B)  enterprise information 
C)  system-specific 
D)  user-specific

Question 14

What should an effective ISSP accomplish?

Accepted Answer

It articulates the organization's expect

Question 15

What is a SysSP and what is one likely to include?

Accepted Answer

SysSPs often function as standards or pr

Question 16

In which phase of the development of an InfoSec policy must a plan to distribute the policies be developed?  Why is this important?

Accepted Answer

During the design phase,the team must cr

Question 17

When issues are addressed by moving from the general to the specific, always starting with policy.

Accepted Answer

A)  capability table 
B)  statement of purpose 
C)  Bull's eye model 
D)  SysSP 
E)  Procedures
F) InfoSec policy
G) standard
H) access control lists
I) systems management
J) ISSP 
A)  capability table 
B)  statement of purpose 
C)  Bull's eye model 
D)  SysSP 
E)  Procedures
F) InfoSec policy
G) standard
H) access control lists
I) systems management
J) ISSP

Question 18

Policies must specify penalties for unacceptable behavior and define an appeals process.

Accepted Answer

A) True 
 B)False

Question 19

Rule-based policies are less specific to the operation of a system than access control lists.

Accepted Answer

A) True 
 B)False

Question 20

In addition to specifying the penalties for unacceptable behavior,what else must a policy specify?

Accepted Answer

A)  appeals process 
B)  legal recourse 
C)  what must be done to comply 
D)  the proper operation of equipment 
A)  appeals process 
B)  legal recourse 
C)  what must be done to comply 
D)  the proper operation of equipment

Which of the following sections of the ISSP should provide instructions on how to report observed or suspected policy infractions?

The high-level information security policy that sets the strategic direction,scope,and tone for all of an organization's security efforts

Which of the following are the two general groups into which SysSPs can be separated?

Specifies which subjects and objects that users or groups can access.

Organizational policies that often function as standards or procedures to be used when configuring or maintaining systems.

When an organization demonstrates that it is continuously attempting to meet the requirements of the market in which it operates,what is it ensuring?

Which of the following is NOT an aspect of access regulated by ACLs?

List the advantages and disadvantages of using a modular approach for creating and managing the ISSP.

One of the goals of an issue-specific security policy is to indemnify the organization against liability for an employee's inappropriate or illegal use of the system.

A detailed outline of the scope of the policy development project is created during which phase of the SecSDLC?

According to NIST SP 800-18,Rev.1,which individual is responsible for the creation,revision,distribution,and storage of the policy?

In which phase of the SecSDLC must the team create a plan to distribute and verify the distribution of the policies?

Which type of security policy is intended to provide a common understanding of the purposes for which an employee can and cannot use a resource?

What should an effective ISSP accomplish?

What is a SysSP and what is one likely to include?

In which phase of the development of an InfoSec policy must a plan to distribute the policies be developed? Why is this important?

When issues are addressed by moving from the general to the specific, always starting with policy.

Policies must specify penalties for unacceptable behavior and define an appeals process.

Rule-based policies are less specific to the operation of a system than access control lists.

In addition to specifying the penalties for unacceptable behavior,what else must a policy specify?

Introduction to the Management of Information Security

Compliance: Law and Ethics

Governance and Strategic Planning for Security

Developing the Security Program

Risk Management: Identifying and Assessing Risk

Risk Management: Controlling Risk

Security Management Models

Security Management Practices

Planning for Contingencies

Personnel and Security

Protection Mechanisms

Filters

Exam 4: Information Security Policy

Which of the following sections of the ISSP should provide instructions on how to report observed or suspected policy infractions?

The high-level information security policy that sets the strategic direction,scope,and tone for all of an organization's security efforts

Which of the following are the two general groups into which SysSPs can be separated?

Specifies which subjects and objects that users or groups can access.

​Organizational policies that often function as standards or procedures to be used when configuring or maintaining systems.​

When an organization demonstrates that it is continuously attempting to meet the requirements of the market in which it operates,what is it ensuring?

Which of the following is NOT an aspect of access regulated by ACLs?

List the advantages and disadvantages of using a modular approach for creating and managing the ISSP.

One of the goals of an issue-specific security policy is to indemnify the organization against liability for an employee's inappropriate or illegal use of the system.

A detailed outline of the scope of the policy development project is created during which phase of the SecSDLC?

According to NIST SP 800-18,Rev.1,which individual is responsible for the creation,revision,distribution,and storage of the policy?

In which phase of the SecSDLC must the team create a plan to distribute and verify the distribution of the policies?

Which type of security policy is intended to provide a common understanding of the purposes for which an employee can and cannot use a resource?

What should an effective ISSP accomplish?

What is a SysSP and what is one likely to include?

In which phase of the development of an InfoSec policy must a plan to distribute the policies be developed? Why is this important?

When issues are addressed by moving from the general to the specific, always starting with policy.

Policies must specify penalties for unacceptable behavior and define an appeals process.

Rule-based policies are less specific to the operation of a system than access control lists.

In addition to specifying the penalties for unacceptable behavior,what else must a policy specify?

Introduction to the Management of Information Security

Compliance: Law and Ethics

Governance and Strategic Planning for Security

Developing the Security Program

Risk Management: Identifying and Assessing Risk

Risk Management: Controlling Risk

Security Management Models

Security Management Practices

Planning for Contingencies

Personnel and Security

Protection Mechanisms

Filters

Organizational policies that often function as standards or procedures to be used when configuring or maintaining systems.