CISSP-Topic 1, Security Management Practices || All Answers are
Flawless.
All of the following are basic components of a security policy EXCEPT the A. definition of the
issue and statement of relevant terms. B. statement of roles and responsibilities C. statement of
applicability and compliance requirements. D. statement of performance of characteristics and
requirements. Correct Answer: D Policies are considered the first and highest level of
documentation, from which the lower level elements of standards, procedures, and guidelines
flow. This order, however, does not mean that policies are more important than the lower
elements. These higher-level policies, which are the more general policies and statements, should
be created first in the process for strategic reasons, and then the more tactical elements can
follow.
A security policy would include all of the following EXCEPT A. Background B. Scope statement
C. Audit requirements D. Enforcement Correct Answer: B
Which one of the following is an important characteristic of an information security policy? A.
Identifies major functional areas of information. B. Quantifies the effect of the loss of the
information. C. Requires the identification of information owners. D. Lists applications that
support the business function. Correct Answer: A Information security policies area high-level
plans that describe the goals of the procedures. Policies are not guidelines or standards, nor are
they procedures or controls. Policies describe security in general terms, not specifics. They
provide the blueprints for an overall security program just as a specification defines your next
product
Ensuring the integrity of business information is the PRIMARY concern of A. Encryption
Security B. Procedural Security. C. Logical Security D. On-line Security Correct Answer: B
Procedures are looked at as the lowest level in the policy chain because they are closest to the
computers and provide detailed steps for configuration and installation issues. They provide the
steps to actually implement the statements in the policies, standards, and guidelines...Security
procedures, standards, measures, practices, and policies cover a number of different subject
areas.
Which of the following would be the first step in establishing an information security program?
A. Adoption of a corporate information security policy statement B. Development and
,implementation of an information security standards manual C. Development of a security
awareness-training program D. Purchase of security access control software Correct Answer: A
Which of the following department managers would be best suited to oversee the development of
an information security policy? A. Information Systems B. Human Resources C. Business
operations D. Security administration Correct Answer: C
What is the function of a corporate information security policy? A. Issue corporate standard to be
used when addressing specific security problems. B. Issue guidelines in selecting equipment,
configuration, design, and secure operations. C. Define the specific assets to be protected and
identify the specific tasks which must be completed to secure them. D. Define the main security
objectives which must be achieved and the security framework to meet business objectives.
Correct Answer: D Information security policies are high-level plans that describe the goals of
the procedures or controls. Policies describe security in general, not specifics. They provide the
blueprint from an overall security program just as a specification defines your next product.
Why must senior management endorse a security policy? A. So that they will accept ownership
for security within the organization. B. So that employees will follow the policy directives. C. So
that external bodies will recognize the organizations commitment to security. D. So that they can
be held legally accountable. Correct Answer: A This really does not a reference as it should be
known. Upper management is legally accountable (up to 290 million fine). External
organizations answer is not really to pertinent (however it stated that other organizations will
respect a BCP and disaster recovery plan). Employees need to be bound to the policy regardless
of who signs it but it gives validity. Ownership is the correct answer in this statement. However,
here is a reference. "Fundamentally important to any security program's success us the senior
management's high-level statement of commitment to the information security policy process
and a senior management's understanding of how important security controls and protections are
to the enterprise's continuity. Senior management must be aware of the importance of security
implementation to preserve the organization's viability (and for their own 'due care' protection)
and must publicly support that process throughout the enterprise."
In which one of the following documents is the assignment of individual roles and
responsibilities MOST appropriately defined? A. Security policy B. Enforcement guidelines C.
Acceptable use policy D. Program manual Correct Answer: C An acceptable use policy is a
document that the employee signs in which the expectations, roles and responsibilities are
outlined. Issue -specific policies address specific security issues that management feels need
, more detailed explanation and attention to make sure a comprehensive structure is built and all
employees understand how they are to comply to these security issues.
Which of the following defines the intent of a system security policy? A. A definition of the
particular settings that have been determined to provide optimum security. B. A brief, high-level
statement defining what is and is not permitted during the operation of the system. C. A
definition of those items that must be excluded on the system. D. A listing of tools and
applications that will be used to protect the system. Correct Answer: A "A system-specific policy
presents the management's decisions that are closer to the actual computers, networks,
applications, and data. This type of policy can provide an approved software list, which contains
a list of applications that can be installed on individual workstations. This policy can describe
how databases are to be protected, how computers are to be locked down, and how firewall,
intrusion diction systems, and scanners are to be employed."
When developing an information security policy, what is the FIRST step that should be taken? A.
Obtain copies of mandatory regulations. B. Gain management approval. C. Seek acceptance from
other departments. D. Ensure policy is compliant with current working practices. Correct
Answer: B
Which one of the following should NOT be contained within a computer policy? A. Definition of
management expectations. B. Responsibilities of individuals and groups for protected
information. C. Statement of senior executive support. D. Definition of legal and regulatory
controls. Correct Answer: B
Which one of the following is NOT a fundamental component of a Regulatory Security Policy?
A. What is to be done. B. When it is to be done. C. Who is to do it. D. Why is it to be done
Correct Answer: C Regulatory Security policies are mandated to the organization but it up to
them to implement it. "Regulatory - This policy is written to ensure that the organization is
following standards set by a specific industry and is regulated by law. The policy type is detailed
in nature and specific to a type of industry. This is used in financial institutions, health care
facilities, and public utilities."
Which one of the following statements describes management controls that are instituted to
implement a security policy? A. They prevent users from accessing any control function. B. They
eliminate the need for most auditing functions. C. They may be administrative, procedural, or
Flawless.
All of the following are basic components of a security policy EXCEPT the A. definition of the
issue and statement of relevant terms. B. statement of roles and responsibilities C. statement of
applicability and compliance requirements. D. statement of performance of characteristics and
requirements. Correct Answer: D Policies are considered the first and highest level of
documentation, from which the lower level elements of standards, procedures, and guidelines
flow. This order, however, does not mean that policies are more important than the lower
elements. These higher-level policies, which are the more general policies and statements, should
be created first in the process for strategic reasons, and then the more tactical elements can
follow.
A security policy would include all of the following EXCEPT A. Background B. Scope statement
C. Audit requirements D. Enforcement Correct Answer: B
Which one of the following is an important characteristic of an information security policy? A.
Identifies major functional areas of information. B. Quantifies the effect of the loss of the
information. C. Requires the identification of information owners. D. Lists applications that
support the business function. Correct Answer: A Information security policies area high-level
plans that describe the goals of the procedures. Policies are not guidelines or standards, nor are
they procedures or controls. Policies describe security in general terms, not specifics. They
provide the blueprints for an overall security program just as a specification defines your next
product
Ensuring the integrity of business information is the PRIMARY concern of A. Encryption
Security B. Procedural Security. C. Logical Security D. On-line Security Correct Answer: B
Procedures are looked at as the lowest level in the policy chain because they are closest to the
computers and provide detailed steps for configuration and installation issues. They provide the
steps to actually implement the statements in the policies, standards, and guidelines...Security
procedures, standards, measures, practices, and policies cover a number of different subject
areas.
Which of the following would be the first step in establishing an information security program?
A. Adoption of a corporate information security policy statement B. Development and
,implementation of an information security standards manual C. Development of a security
awareness-training program D. Purchase of security access control software Correct Answer: A
Which of the following department managers would be best suited to oversee the development of
an information security policy? A. Information Systems B. Human Resources C. Business
operations D. Security administration Correct Answer: C
What is the function of a corporate information security policy? A. Issue corporate standard to be
used when addressing specific security problems. B. Issue guidelines in selecting equipment,
configuration, design, and secure operations. C. Define the specific assets to be protected and
identify the specific tasks which must be completed to secure them. D. Define the main security
objectives which must be achieved and the security framework to meet business objectives.
Correct Answer: D Information security policies are high-level plans that describe the goals of
the procedures or controls. Policies describe security in general, not specifics. They provide the
blueprint from an overall security program just as a specification defines your next product.
Why must senior management endorse a security policy? A. So that they will accept ownership
for security within the organization. B. So that employees will follow the policy directives. C. So
that external bodies will recognize the organizations commitment to security. D. So that they can
be held legally accountable. Correct Answer: A This really does not a reference as it should be
known. Upper management is legally accountable (up to 290 million fine). External
organizations answer is not really to pertinent (however it stated that other organizations will
respect a BCP and disaster recovery plan). Employees need to be bound to the policy regardless
of who signs it but it gives validity. Ownership is the correct answer in this statement. However,
here is a reference. "Fundamentally important to any security program's success us the senior
management's high-level statement of commitment to the information security policy process
and a senior management's understanding of how important security controls and protections are
to the enterprise's continuity. Senior management must be aware of the importance of security
implementation to preserve the organization's viability (and for their own 'due care' protection)
and must publicly support that process throughout the enterprise."
In which one of the following documents is the assignment of individual roles and
responsibilities MOST appropriately defined? A. Security policy B. Enforcement guidelines C.
Acceptable use policy D. Program manual Correct Answer: C An acceptable use policy is a
document that the employee signs in which the expectations, roles and responsibilities are
outlined. Issue -specific policies address specific security issues that management feels need
, more detailed explanation and attention to make sure a comprehensive structure is built and all
employees understand how they are to comply to these security issues.
Which of the following defines the intent of a system security policy? A. A definition of the
particular settings that have been determined to provide optimum security. B. A brief, high-level
statement defining what is and is not permitted during the operation of the system. C. A
definition of those items that must be excluded on the system. D. A listing of tools and
applications that will be used to protect the system. Correct Answer: A "A system-specific policy
presents the management's decisions that are closer to the actual computers, networks,
applications, and data. This type of policy can provide an approved software list, which contains
a list of applications that can be installed on individual workstations. This policy can describe
how databases are to be protected, how computers are to be locked down, and how firewall,
intrusion diction systems, and scanners are to be employed."
When developing an information security policy, what is the FIRST step that should be taken? A.
Obtain copies of mandatory regulations. B. Gain management approval. C. Seek acceptance from
other departments. D. Ensure policy is compliant with current working practices. Correct
Answer: B
Which one of the following should NOT be contained within a computer policy? A. Definition of
management expectations. B. Responsibilities of individuals and groups for protected
information. C. Statement of senior executive support. D. Definition of legal and regulatory
controls. Correct Answer: B
Which one of the following is NOT a fundamental component of a Regulatory Security Policy?
A. What is to be done. B. When it is to be done. C. Who is to do it. D. Why is it to be done
Correct Answer: C Regulatory Security policies are mandated to the organization but it up to
them to implement it. "Regulatory - This policy is written to ensure that the organization is
following standards set by a specific industry and is regulated by law. The policy type is detailed
in nature and specific to a type of industry. This is used in financial institutions, health care
facilities, and public utilities."
Which one of the following statements describes management controls that are instituted to
implement a security policy? A. They prevent users from accessing any control function. B. They
eliminate the need for most auditing functions. C. They may be administrative, procedural, or
