INMT 441 Exam 2 Questions Complete Solutions
Policy - Answer - an organization's statement of intent

IT policy - Answer - an organization's policy regarding IT investment, management, and use

Information Security Policy (ISP) - Answer - a subset of IT policy that specifies the requirements regarding information security or cybersecurity

Other Concepts Related to ISP - Answer -
- procedures
- rules
- standards
- guidelines

Procedures - Answer - specific actions taken to address a situation

Rules - Answer - specific statements of what is allowed and/or disallowed

Standards - Answer - specific performance expectations

Guidelines - Answer - nonmandatory recommendations the employee may use as a reference in complying with a policy

Major Elements of an ISP - Answer -
- IT assets to protect and why: purpose and scope
- protection roles and responsibility
- administration and interpretations of the policy
- amendments
- termination (if any)
- references to applicable policies (if applicable)
- key definitions (if necessary)

Major Types of ISPs in Organizations - Answer - a complete system of ISPs contains the following three types of policies:
- enterprise information security policy
- systems specific policies
- issue specific security policies

Enterprise Information Security Policy (EISP) - Answer - a high-level information security policy that sets the strategic direction, scope, and tone for all of an organization's security efforts
- usually drafted/led by the CISO
- typically 2-10 pages
- governs the development of other system-specific and issue-specific ISPs

EISP Elements - Answer -
- an overview of the corporate philosophy on security
- an overview of the structure of the information security organization and individuals who fulfill the information security role
- fully articulated responsibilities for security that are shared by all members of the organization (employees, contractors, consultants, partners, and visitors)
- fully articulated responsibilities for security that are unique to each role within the organization

System Specific Information Security Policy - Answer -
- an organizational policy that functions as standards or procedures to be used when configuring or maintaining a specific information system
- created by the management to guide the implementation and configuration of technology, as well as to address the behavior of people in the organization in ways that support the security of information
- can be combined or separated

Issue Specific Security Policy (ISSP) - Answer -
- an organizational policy that provides detailed, targeted guidance to instruct all members of the organization in the use of a resource
- in some organizations, ISSPs are referred to as fair and responsible use policies, describing the intent of the policy to regulate appropriate use
- should assure members of the organization that its purpose is not to establish a foundation for administrative enforcement or legal prosecution but rather to provide a common understanding of the purposes for which an employee can and cannot use the resource

Examples of ISSP - Answer -
- confidential information policy
- use policy
- backup policy
- account management policy
- incident handling procedures
- disaster recovery plan

Establishing an ISP - Answer - steps to create an ISP:
- determine which assets to protect from which threats
- determine access needs to various system parts
- identify resources to protect assets
- develop written security policy
- commit resources

Written for
- Institution: INMT 441
- Course: INMT 441

Document information
- Uploaded on: June 24, 2024
- Number of pages: 14
- Written in: 2023/2024
- Type: Exam (elaborations)
- Contains: Questions & answers