This chapter addressed techniques for designing, organizing, implementing, and maintaining an IT security policy and standards library. The importance of understanding the organizational culture and creating shared beliefs was discussed. You learned how to understand a business’s perspective and mindset through an understanding of its operating model. You learned characteristics of policies and standards that make them easy to understand. Core security principles were covered, which are important to remember when developing security documents. Training and awareness programs help you enforce policies and get buy-in from employees.
You also learned about the review and approval processes that are part of creating and maintaining library documents. A policy change control board, for example, is an efficient way to maintain policies and standards. It also helps minimize unforeseen impacts on the organization. Additionally, you learned the importance of creating a “lessons learned” process to keep the policies current. Finally, you learned about some leading practices that others have found useful for developing and maintaining a policy and standards library.
1. When writing policies and standards, you should address the six key questions: who, what, where, when, why, and how.
   A. True
   B. False

2. Which of the following are important to consider before writing a policy?
   A. Operating model
   B. Intent
   C. Policy change control board
   D. A and B
   E. B and C
   F. A, B, and C

3. Guideline documents are often tied to a specific control standard.
   A. True
   B. False

4. Which of the following is not an administrative control?
   A. Development of policies, standards, procedures, and guidelines
   B. Screening of personnel
   C. Change control procedures
   D. Logical access control mechanisms

5. Which of the following are common steps taken in the development of documents such as security policies, standards, and procedures?
   A. Design, development, publication, coding, and testing
   B. Feasibility, development, approval, implementation, and integration
   C. Initiation, evaluation, development, approval, publication, implementation, and maintenance
   D. Design, coding, evaluation, approval, publication, and implementation

6. The sole purpose of an operating model is to define how all the business's technology will be implemented.
   A. True
   B. False

7. Exceptions or waivers to security policies are a bad idea and should never be approved.
   A. True
   B. False

8. Which type of control is associated with responding to and fixing a security incident?
   A. Deterrent
   B. Compensating
   C. Corrective
   D. Detective

9. List examples of physical security control items.

10. A process to refresh policies as needed based on a major event uses the principle called ________.

11. A(n) ________ is a plan or course of action used by an organization to convey instructions from its senior-most management to those who make decisions, take actions, and perform other duties on behalf of the organization.

12. The principle that states security is improved when it is implemented as a series of overlapping controls is called ________.

13. Security principles are needed in the absence of complete information to make high-quality security decisions.
   A. True
   B. False

14. “Access to all Organization information resources connected to the <Organization> network must be controlled by using user IDs and appropriate authentication” is a statement you might find in a procedure document.
   A. True
   B. False

15. Which of the following does a policy change control board do? (Select two.)
   A. Assesses policies and standards and makes recommendations for change
   B. Determines the policies and standards library numbering scheme
   C. Implements technical controls as business conditions change