Ch 4: Information Security Policy

Which of the following is NOT one of the basic rules that must be followed when shaping a policy?
A. Policy should never conflict with law
B. Policy must be able to stand up in court if challenged
C. Policy should be agreed upon by all employees and management

C. Policy should be agreed upon by all employees and management
pg. 125

Which of the following is a policy implementation model that addresses issues by moving from the general to the specific and is a proven mechanism for prioritizing complex changes?
a. On-target model
b. Wood's model
c. Bull's-eye model
d. Bergeron and Ber

C. Bull's-eye model
pg. 126

Which of the following is NOT among the three types of InfoSec policies based on NIST's Special Publication 800-14?
a. Enterprise info sec policy
b. User-specific sec policies
c. Issue-specific sec policies
d. System-specific sec policies

B. User-specific sec policies
pg. 128

In addition to specifying the penalties for unacceptable behavior, what else must a policy specify?
a. Appeals process
b. Legal recourse
c. What must be done to comply
d. The proper operation of equipment

A. Appeals process
pg. 128

Which policy is the highest level of policy and is usually created first?
a. SysSP
b. USSP
c. ISSP
d. EISP

D. EISP
pg. 128

T or F
Policies must specify penalties for unacceptable behavior and define an appeals process.

True
pg. 128

T or F
One of the goals of an issue-specific security policy is to indemnify the organization against liability for an employee's inappropriate or illegal use of the system.

True
pg. 128

T or F
Users have the right to use an organization's information systems to browse the Web, even if this right is not specified in the ISSP.

False
pg. 135

T or F
Rule-based policies are less specific to the operation of a system than access control lists.

False
pg. 142

T or F
Since most policies are drafted by a single person and then reviewed by a higher-level manager, employee input should not be considered since it makes the process too complex.

False
pg. 155