Question 1

A(n)____ security policy provides detailed,targeted guidance to instruct all members of the organization in the use of technology-based systems.

Accepted Answer

A)   issue-specific
B)   enterprise information
C)   system-specific
D)   information A

Question 2

Technical controls ____.

Accepted Answer

A)   must be implemented using access control list
B)   must be implemented using configuration rules
C)   must be implemented using user profiles
D)   can be implemented using access control lists or configuration rules D

Question 3

The champion and manager of the information security policy is called the ____________________.

Accepted Answer

policy administrator

Question 4

During the implementation phase of the policy development SecSDLC,the development team creating the information security policy should make sure that the policy is written at a reasonable reading level._________________________

Accepted Answer

A) True 
 B)False

Question 5

A disadvantage of creating a modular ISSP document is that it ____.

Accepted Answer

A)   can suffer from poor policy enforcement
B)   may overgeneralize the issues
C)   can suffer from poor policy review
D)   may be more expensive than other alternatives

Question 6

It is recommended that the ____ approach(es)to creating and managing ISSPs be used.

Accepted Answer

A)   individual
B)   comprehensive
C)   modular
D)   individual or modular

Question 7

Once policies are created,they should not be changed.

Accepted Answer

A) True 
 B)False

Question 8

Unless a particular use is clearly prohibited,the organization cannot penalize employees for it.

Accepted Answer

A) True 
 B)False

Question 9

The ISSP should begin with a ____.

Accepted Answer

A)   description of authorized access
B)   statement of purpose
C)   list of prohibited usage of equipment
D)   list of rules regarding the use of electronic documents

Question 10

An effective issue-specific security policy serves to demonstrate that the organization has made a good-faith effort to ensure that its facilities will not be used in an inappropriate manner._________________________

Accepted Answer

A) True 
 B)False

Question 11

In the Flesch Reading Ease scale,the higher the score,the harder it is to understand the writing.

Accepted Answer

A) True 
 B)False

Question 12

Many organizations create a single document that combines elements of both the management guidance SysSP and the technical specifications SysSP,known as a(n)____.

Accepted Answer

A)   Modular SysSP
B)   Combination SysSP
C)   Integrated SysSP
D)   None of these

Question 13

The EISP guides the development,implementation,and management requirements of the information security program._________________________

Accepted Answer

A) True 
 B)False

Question 14

The ____ model describes the layers at which marginal assessment of security controls can be performed and is a proven mechanism for prioritizing complex changes.

Accepted Answer

A)   NSTISSC
B)   EISP
C)   bull's-eye
D)   policy

Question 15

The ____________________ phase is the last phase of the SecSDLC.

Accepted Answer

The answer of The ____________________ phase is the last phase...

Question 16

All the application systems of an organization are part of the ____________________ layer in the bull's-eye model.

Accepted Answer

The answer of All the application systems of an organization...

Question 17

Capability tables are also known as ____.

Accepted Answer

A)   system policies
B)   user policies
C)   system profiles
D)   account lists

Question 18

Policies should be published without a date of origin.

Accepted Answer

A) True 
 B)False

Question 19

Rule-based policies are less specific to the operation of a system than access control lists.

Accepted Answer

A) True 
 B)False

Question 20

Which of the following sections of the ISSP should provide instructions on how to report observed or suspected violations?

Accepted Answer

A)   Violations of Policy
B)   Policy Review and Modification
C)   Prohibited Usage of Equipment
D)   Authorized Access and Usage of Equipment

Exam 4: Information Security Policy

A(n) ____ security policy provides detailed,targeted guidance to instruct all members of the organization in the use of technology-based systems.

Technical controls ____.

The champion and manager of the information security policy is called the ____________________.

During the implementation phase of the policy development SecSDLC,the development team creating the information security policy should make sure that the policy is written at a reasonable reading level._________________________

A disadvantage of creating a modular ISSP document is that it ____.

It is recommended that the ____ approach(es) to creating and managing ISSPs be used.

Once policies are created,they should not be changed.

Unless a particular use is clearly prohibited,the organization cannot penalize employees for it.

The ISSP should begin with a ____.

An effective issue-specific security policy serves to demonstrate that the organization has made a good-faith effort to ensure that its facilities will not be used in an inappropriate manner._________________________

In the Flesch Reading Ease scale,the higher the score,the harder it is to understand the writing.

Many organizations create a single document that combines elements of both the management guidance SysSP and the technical specifications SysSP,known as a(n) ____.

The EISP guides the development,implementation,and management requirements of the information security program._________________________

The ____ model describes the layers at which marginal assessment of security controls can be performed and is a proven mechanism for prioritizing complex changes.

The ____________________ phase is the last phase of the SecSDLC.

All the application systems of an organization are part of the ____________________ layer in the bull's-eye model.

Capability tables are also known as ____.

Policies should be published without a date of origin.

Rule-based policies are less specific to the operation of a system than access control lists.

Which of the following sections of the ISSP should provide instructions on how to report observed or suspected violations?