AND ANSWERS SURE A+
✔✔Update Policy to address current risks (3:133) - ✔✔Business email compromise is
an issue that requires a change in business policy.
✔✔Mobile Device Risks (3:135) - ✔✔Mobile devices cause a number of issues; use of
personal devices without standard, centralized security controls, misconfigured devices
that result in a control deficiency, use of insecure mobile applications.
✔✔Mobile Legal Liability (3:138) - ✔✔Risk of mobile device use while driving.
✔✔Inappropriate Use (sexting) (3:139) - ✔✔May lead to sexual harassment lawsuits,
public exposure, brand damage, and relationship damage. All these activities fall under
the AUP and are driven by HR.
✔✔What type of Policy (3:143) - ✔✔establishing the boundaries of acceptable behavior.
Goal of this policy would be to protect the company.
✔✔One Sentence Position Statement (3:144) - ✔✔state the core of the organization's
position in a single sentence.
✔✔Organizational Position (3:146) - ✔✔Create a clear and simple position statement
✔✔Application Security Issues (3:149) - ✔✔Security Vulnerabilities - Injection, XSS,
Broken Access controls; Unpatched dependencies. Identify the issues that can occur if
application security is left unaddressed
✔✔Secure Development Policy Statement (3:150) - ✔✔Policy should define various
activities that need to be injected throughout the software development life cycle
(SDLC)
✔✔Secure Development Standards (3:151) - ✔✔After the policy statement that defines
the high-level activities that need to be conducted, the next level down defines the
standards
✔✔Secure Development Standards: Protecting Data (3:152) - ✔✔An important mechanism
for protecting data is to ensure that production data is never used for development and
testing.
✔✔Policy Enforcement (3:154) - ✔✔Policies have a statement that failure to follow this
policy can result in discipline up to and including termination.
✔✔Policy Components (3:155) - ✔✔Purpose/Overview; Related Documents;
Cancellation; Background; Scope; Responsibility.
✔✔Roles, Define (3:157) - ✔✔Executive Management; Security Personnel (security
program managers and security officers); Business Unit Managers; System
Administrators/IT Support; Lower-Level Operational Managers/System Users.
✔✔Define approval process (3:158) - ✔✔ID stakeholders required for approval; run
policy by legal before sending it out for approval; complete the entire policy and submit
for review/revisions.
✔✔Socialize the Approved Policy (3:159) - ✔✔Once approved, ensure it's distributed to
all parties affected.
✔✔Policy Awareness & Training (3:160) - ✔✔Awareness - description of risks, new
employee onboarding, annual awareness training, regular quiz on key elements of
policy, tip of the day; Training - provide skills so people can follow the policy, outline
procedures that support the policy, instruct where to go for additional support.
✔✔Measuring Policy (3:161) - ✔✔monitor adherence to policy by auditing and reporting
violations.
✔✔Enforcement Responsibilities (3:162) - ✔✔Empower users to enforce controls on
themselves by utilizing services responsibly.
✔✔Enforcement Consequences (3:163) - ✔✔Policy must include consequences of
sanctions in the event of noncompliance
✔✔Exception Requests (3:164) - ✔✔Process that allows the organization to review
exception requests enables the organization to make changes over time.
✔✔Handling Exception Requests (3:165) - ✔✔All exception requests should include
Business Justification, Assessment of risk, and Compensating controls
✔✔Expiration Date (3:166) - ✔✔Policies need to be reviewed regularly to determine if
the risk is still valid and whether the controls work. Should be reviewed or rewritten
when changes occur, annually or biannually.
✔✔Policy Life Cycle Management (3:168) - ✔✔Policies must be updated as business
requirements evolve and technology/risks change.
✔✔SMART Approach (3:170) - ✔✔Specific - targets specific area; Measurable - can be
quantified to show progress; Achievable - is attainable and action oriented; Realistic -