This preview has intentionally blurred sections. Sign up to view the full version.View Full Document
Unformatted text preview: Management of Information Security, 2 nd ed. _____________________________________________________________________________ _ John Moura Chapter 4: Information Security Policy Review Questions 1. What is information security policy? Why it is critical to the success of the information security program? Answer: is a generic document that outlines rules for computer network access, determines how policies are enforced and lays out some of the basic architecture of the company security/ network security environment. The document itself is usually several pages long and written by a committee. A security policy goes far beyond the simple idea of "keep the bad guys out". It's a very complex document, meant to govern data access, web-browsing habits, use of passwords and encryption, email attachments and more. It is critical because every security measure that is to be taken needs to be supported by the INFOSEC policy. 2. Of the controls or countermeasures used to control information security risk, which is viewed as the least expensive? What are the primary costs of this type of control? Answer: INFOSEC policy is least expensive, but more difficult to enforce and implement. Employee time and effort. 3. List and describe the three challenges in shaping policy. Answer: Never conflict with law Stand up in court Properly supported and administered Contribute to the success of the organization Involve end users of information systems 4. List and describe the three guidelines for sound policy, as stated by Bergeron and Bérubé. Answer: “ All policies must contribute to the success of the organization, management must ensure the adequate sharing of responsibility for proper use of information systems, and End users of information systems should be involved in the steps of policy formulation.” Bergeron and Berube further note that while it is an admirable goal for policies to be complete and comprehensive, too many policies or policies that are too complex can lower end user satisfaction. _____________________________________________________________________________________________ Page: 1 Management of Information Security, 2 nd ed....
View Full Document
- Spring '07
- Information Security, security policy, Information Security Program