Deck 13: Policies, Standards and Guidelines

A) Time lapse since last review
B) Change in vendors for significant technologies
C) Significant technology change
D) Changes in regulatory compliance

A) Procedures that tell units when it would be nice if things were operated a certain way, but it is not a requirement to do so
B) Guidelines to users and customers on what is appropriate and what is not appropriate to do with information technology resources
C) A document that records a high-level principle or course of action that has been decided on
D) A defined set of rules, accepted and adopted by several organizations

A) Procedures that tell units when it would be nice if things were operated a certain way, but it is not a requirement to do so
B) Guidelines to users and customers on what is appropriate and what is not appropriate to do with information technology resources
C) Following specifications put forth by policies or legal requirements
D) A defined set of rules, accepted and adopted by several organizations

A) Requirements for financial institutions to protect the privacy of their customers' non-public, personal information
B) Protections for the privacy of student education records
C) The responsibilities of top executives of publicly traded companies for the accuracy and timeliness of financial data
D) Safeguards that covered entities must use to protect the confidentiality, integrity and availability of electronic protected health information

A) Policies and standards emanate from guidelines
B) Standards and guidelines emanate from policies
C) Policies emanate from standards and guidelines
D) Standards, but not guidelines emanate from policies

A) Scope
B) Statement
C) Overview
D) Enforcement

A) Guideline
B) Standard
C) Policy
D) Law

A) Procedures that tell units when it would be nice if things were operated a certain way, but it is not a requirement to do so
B) A defined set of rules, accepted and adopted by several organizations
C) Guidelines to users and customers on what is appropriate and what is not appropriate to do with information technology resources
D) A document that records a high-level principle or course of action that has been decided on

A) Statement
B) Enforcement
C) Overview
D) Scope

A) Overview
B) Statement
C) Enforcement
D) Scope

A) Who or what is covered by the policy
B) Any definitions used in the policy
C) The statement of the policy
D) The need for the policy

A) Overview, scope, definitions, statement, enforcement
B) Definitions, overview, scope, statement, enforcement
C) Overview, definitions, statement, scope, enforcement
D) Overview, enforcement, scope, definitions, statement

A) Global policies
B) General guidelines
C) Acceptable use policies
D) Industry standards

A) Procedures that tell units when it would be nice if things were operated a certain way, but it is not a requirement to do so
B) Guidelines to users and customers on what is appropriate and what is not appropriate to do with information technology resources
C) A defined set of rules, accepted and adopted by several organizations
D) A document that records a high-level principle or course of action that has been decided on

A) National Institute of Standards and Technology
B) Massachusetts Institute of Technology
C) Harvard University
D) US State Department

A) Allow security administrators to obtain executive level endorsement for security objectives
B) Keep managers busy generating documents
C) Allow security administrators to educate the organization's leadership about information security
D) Help in detecting information security incidents

A) Conveying organizational priorities
B) Obtaining managerial backing
C) Evading responsibility
D) Ensuring organizational consistency

A) Procedures that tell units when it would be nice if things were operated a certain way, but it is not a requirement to do so
B) Guidelines to users and customers on what is appropriate and what is not appropriate to do with information technology resources
C) A document that records a high-level principle or course of action that has been decided on
D) A defined set of rules, accepted and adopted by several organizations

A) Requirements for financial institutions to protect the privacy of their customers' non-public, personal information
B) Protections for the privacy of student education records
C) The responsibilities of top executives of publicly traded companies for the accuracy and timeliness of financial data
D) Safeguards that covered entities must use to protect the confidentiality, integrity and availability of electronic protected health information

A) Requirements for financial institutions to protect the privacy of their customers' non-public, personal information
B) Protections for the privacy of student education records
C) The responsibilities of top executives of publicly traded companies for the accuracy and timeliness of financial data
D) Safeguards that covered entities must use to protect the confidentiality, integrity and availability of electronic protected health information

A) Requirements for financial institutions to protect the privacy of their customers' non-public, personal information
B) Protections for the privacy of student education records
C) The responsibilities of top executives of publicly traded companies for the accuracy and timeliness of financial data
D) Safeguards that covered entities must use to protect the confidentiality, integrity and availability of electronic protected health information

A) Requirements for financial institutions to protect the privacy of their customers' non-public, personal information
B) Protections for the privacy of student education records
C) The responsibilities of top executives of publicly traded companies for the accuracy and timeliness of financial data
D) Prohibitions regarding the unlicensed export of specified materials or information

A) Employee count
B) Incident response
C) Acceptable use
D) Information classification