CHAPTER SUMMARY
This chapter discussed security documents that relate to each domain of a typical IT infrastructure. You learned there is more than one approach to creating standards. It is important to separate core policy language from specific technology configuration. One way to approach this is to have two separate documents, such as control standards and baseline standards. Supporting documents include procedures and guidelines. Collectively, these documents represent a comprehensive way of addressing risk.
The chapter examined both the form and substance of many standards. In fact, the volume of policy and standard topics is enormous. No one chapter could cover in detail every aspect of infrastructure policies and related controls. Policies that are well organized are likely to be better understood and more fully adopted. Early adoption of security policies can be a source of pride for both the individual and the team. Organizing this material in a searchable and useful manner is important to drive this understanding. This chapter also discussed how to categorize various documents in the library and how to describe their relationships. Finally, the chapter examined best practices that included a number of sources for policy and standard material. Organizations rarely create new policies from scratch. It is far better to leverage best practices security frameworks and related policies.
KEY CONCEPTS AND TERMS
CHAPTER 10 ASSESSMENT
- The steps to implement security controls on a firewall would be documented within which of the following?
- Policy
- Control standard
- Baseline standard
- Procedure
- A DMZ separates a LAN from which of the following?
- Phone network
- Internet
- Cellular network
- VoIP network
- Visitor control is an aspect of which of the following?
- Network security
- Personnel security
- Workstation security
- Physical security
- Which of the following can you use to segment LANs?
- Routers and firewalls
- Routers and gateways
- Gateways and servers
- Servers and workstations
- Without a policy that leads to controls that restrict employees from installing their own software on a company workstation, a company could suffer which of the following consequences?
- Malware on the network
- Lawsuits from software licensing issues
- Loss of productivity
- All of the above
- Good sources for security policies and standards include which of the following?
- U.S. government
- Private companies selling standards
- Professional organizations
- Vendors
- All of the above
- Two-factor authentication is a typical control used by employees to remotely access which of the following?
- Workstation
- LAN
- DMZ website
- WAN
- Which document outlines the specific controls that a technology device needs to support?
- Control standard
- Baseline standard
- Procedure
- Policy
- In information security, EDM typically refers to ________.
- The content for the documents in the policies and standards library should be written so they are ________ and ________.
- Production data should be sanitized before being used in a test environment.
- True
- False
- Organizations should always create new policies tailored to their needs rather than adapt industry norms found on the Internet.
- True
- False
- An owner of the data must obtain approval from the custodian of the resource to use the data.
- True
- False
- What is the difference between a stateless firewall and a stateful one?
- A stateful firewall looks at each packet individually, and a stateless firewall examines the packet in the context of the connection and other packets.
- A stateless firewall looks at each packet individually, and a stateful firewall examines the packet in the context of the connection and other packets.
- There isn’t a difference.
- A stateful firewall requires authentication, whereas a stateful firewall does not.