CHAPTER SUMMARY
This chapter addressed techniques for designing, organizing, implementing, and maintaining an IT security policy and standards library. The importance of understanding the organizational culture and creating shared beliefs was discussed. You learned how to understand a business’s perspective and mindset through an understanding of its operating model. You learned characteristics of policies and standards that make them easy to understand. Core security principles were covered, which are important to remember when developing security documents. Training and awareness programs help you enforce policies and get buy-in from employees.
You also learned about the review and approval processes that are part of creating and maintaining library documents. A policy change control board, for example, is an efficient way to maintain policies and standards. It also helps minimize unforeseen impacts on the organization. Additionally, you learned the importance of creating a “lessons learned” process to keep the policies current. Finally, you learned about some leading practices that others have found useful for developing and maintaining a policy and standards library.
KEY CONCEPTS AND TERMS
CHAPTER 7 ASSESSMENT
- When writing policies and standards, you should address the six key questions: who, what, where, when, why, and how.
- True
- False
- Which of the following are important to consider before a policy?
- Operating model
- Intent
- Policy change control board
- A and B
- B and C
- A, B, and C
- Guideline documents are often tied to a specific control standard.
- True
- False
- Which of the following is not an administrative control?
- Development of policies, standards, procedures, and guidelines
- Screening of personnel
- Change control procedures
- Logical access control mechanisms
- Which of the following are common steps taken in the development of documents such as security policies, standards, and procedures?
- Design, development, publication, coding, and testing
- Feasibility, development, approval, implementation, and integration
- Initiation, evaluation, development, approval, publication, implementation, and maintenance
- Design, coding, evaluation, approval, publication, and implementation
- The sole purpose of an operating model is to define how all the businesses technology will be implemented.
- True
- False
- Exceptions or waivers to security policies are a bad idea and should never be approved.
- True
- False
- Which type of control is associated with responding to and fixing a security incident?
- Deterrent
- Compensating
- Corrective
- Detective
- List examples of physical security control items.
- A process to refresh policies as needed based on a major event uses the principle called ________.
- A(n) ________ is a plan or course of action used by an organization to convey instructions from its senior-most management to those who make decisions, take actions, and perform other duties on behalf of the organization.
- The principle that states security is improved when it is implemented as a series of overlapping controls is called ________.
- Security principles are needed in the absence of complete information to make high-quality security decisions.
- True
- False
- “Access to all Organization information resources connected to the <Organization> network must be controlled by using user IDs and appropriate authentication” is a statement you might find in a procedure document.
- True
- False
- Which of the following does a policy change control board do? (Select two.)
- Assesses policies and standards and makes recommendations for change
- Determines the policies and standards library numbering scheme
- Implements technical controls as business conditions change
- Reviews requested changes to the policy framework
ENDNOTES
1. Cyprus Shipping Chamber, “Cyber Security Case Study,” July 2017, https://csc-cy.org/wp-content/uploads/2018/06/Cyprus-Shipping-Chamber-Cyber-Security-Case-Study.pdf, accessed April 20, 2020.