CHAPTER SUMMARY
Policy framework development is needed for the establishment and ongoing operation of the organization’s security program. It establishes the top leadership’s intent as to how information security should be managed. This program begins with documentation in the form of policies, standards, baselines, procedures, and guidance for compliance. The library of documents is arranged as a hierarchy with the highest level consisting of a charter. The next level includes policies, followed by an increasing number of standard and baseline documents. These documents are supplemented with guidelines to aid in implementation. Finally, many procedure documents that explicitly describe how to implement a security control or process are included. The library should be developed and managed by dedicated personnel who are experts in the subject matter related to the organization’s industry or mission.
Any effective IT security program includes top-down sponsorship to establish and enforce these policies and standards. This framework of documents identifies how an organization manages security risk within its risk appetite and risk tolerance. Because information security never stands still for long, most of the documents in a policy and standards library must be considered living documents that are updated as technology and the environment changes.
KEY CONCEPTS AND TERMS
CHAPTER 6 ASSESSMENT
- An IT policy framework charter includes which of the following?
- The program’s purpose and mission
- The program’s scope within the organization
- Assignment of responsibilities for program implementation
- Compliance management
- A, B, and C only
- A, B, C, and D
- Which of the following is the first step in establishing an information security program?
- Adoption of an information security policy framework or charter
- Development and implementation of an information security standards manual
- Development of a security awareness training program for employees
- Purchase of security access control software
- Which of the following are generally accepted and widely used policy frameworks? (Select all that apply.)
- COBIT
- ISO/IEC 27002
- NIST SP 800-53
- NIPP
- Security policies provide the “what” and “why” of security measures.
- True
- False
- ________ are best defined as high-level statements, beliefs, goals, and objectives.
- Which of the following is not mandatory?
- Standard
- Guideline
- Procedure
- Baseline
- Which of the following includes all of the detailed actions and tasks that personnel are required to follow?
- Standard
- Guideline
- Procedure
- Baseline
- Accounts that have not been accessed for an extended period of time are often referred to as ________.
- Upperalpha the five tenets of information assurance that you should consider when building an IT policy framework.
- The purpose of a consequence model is to discipline an employee in order to ensure future compliance with information security policies.
- True
- False
- When building a policy framework, which of the following information systems factors should be considered?
- Unauthorized access to and use of the system
- Unauthorized disclosure of information
- Disruption of the system
- Modification of information
- Destruction of information resources
- A, B, and E only
- A, B, C, D, and E
- What is the difference between risk appetite and risk tolerance?
- Risk tolerance measures impact and likelihood, whereas risk appetite measures variance from a target goal.
- Risk appetite measures impact and likelihood, whereas risk tolerance measures variance from a target goal.
- There is no difference between the two.
- A mitigating control eliminates the risk by achieving the policy goal in a different way.
- True
- False
ENDNOTES
1. Alberta Health Services, “Policy Development Framework,” April 25, 2016,https://extranet.ahsnet.ca/teams/policydocuments/1/clp-pdf-pol-devt-framework.pdf, accessed April 18, 2020.
2. University of Huddlesfield, “Policy Framework,” https://www.hud.ac.uk/media/policydocuments/Policy-Framework.pdf, accessed April 18, 2020.