CHAPTER SUMMARY

You learned in this chapter how to approach the implementation of security policies, including the use of a standardized process approach. You learned the importance of executive buy-in and of users’ acceptance of policies. The goal is for the policies to become second nature to users over time. When users embrace security policies as part of their daily routines, you begin to see a cultural change. You also learned about the importance of security awareness training: it ensures that everyone understands the policies, and it increases the chance that the policies will be followed. You can hold users accountable if they understand the policies.

The chapter also examined the importance of governance and monitoring. It discussed how security policies are published and disseminated. You explored various communication methods. You learned the importance of a communications plan and how it’s used to coordinate a consistent message. Finally, the chapter examined how to overcome technical and nontechnical hindrances. This included a discussion of best practices.

KEY CONCEPTS AND TERMS

CHAPTER 13 ASSESSMENT

  1. Which of the following indicates that the culture of an organization is adopting IT security policies?
    A. Security policies are part of routine daily interaction.
    B. Security policies are supported by organizational committees.
    C. Security policies’ core values are demonstrated in workers’ instinctive reactions to situations.
    D. All of the above
  2. Effective security policies require that everyone in the organization be accountable for policy implementation.
    A. True
    B. False
  3. A control environment is defined as:
    A. An inventory of the security policy controls
    B. A well-defined framework to track control exceptions
    C. The overall way in which the organization’s controls are governed and executed
    D. None of the above
  4. Deliberate acts and malicious behavior by employees are easy to control, especially when proper deterrents are installed.
    A. True
    B. False
  5. Which of the following is not an organizational challenge when implementing security policies?
    A. Accountability
    B. Surplus of funding
    C. Lack of priority
    D. Tight schedules
  6. Which type of plan is critical to ensuring security awareness reaches specific types of users?
    A. Rollout plan
    B. Media plan
    C. Executive project plan
    D. Communications plan
  7. Why should a security policy implementation be flexible to allow for updates?
    A. Unknown threats will be discovered.
    B. New ways of teaching will be introduced.
    C. New technologies will be introduced.
    D. A and C
    E. A, B, and C
  8. Which of the following is the least objectionable when dealing with policies with regard to outdated technology?
    A. Write security policies to best practices and issue a policy waiver for outdated technology that inherently cannot comply.
    B. Write security policies to the lowest, most common security standard the technology can support.
    C. Write different sets of policies for outdated technologies.
    D. All of the above
  9. What is a strong indicator that awareness training is not effective?
    A. A firewall breach
    B. Sharing your password with a supervisor
    C. Sharing a laptop with a coworker
    D. A fire in the data center
  10. A target state is generally defined as:
    A. A future state
    B. A way to describe specific policy goals and objectives
    C. A way to describe what tools, processes, and resources (including people) are needed to achieve the goals and objectives
    D. All of the above
    E. None of the above
  11. Classroom training for security policy awareness is always the superior option to other alternatives, such as online training.
    A. True
    B. False
  12. To get employees to comply and accept security policies, the organization must understand the employees’ ________.
  13. A brown bag session is a formal training event with a tightly controlled agenda.
    A. True
    B. False
  14. What is the best way to disseminate a new policy?
    A. Hardcopy
    B. Intranet
    C. Brown bag session
    D. All of the above
  15. A formal communication plan is ________ when implementing major security policies.
    A. Always needed
    B. Optional
    C. Never needed
