ITS 305 - Security Policies and Auditing

Review for Second Test

The following questions are provided to help you study for the second test. Do not expect to see these exact questions on the test.

  1. What is the hierarchical relationship between policies, standards, and practices? Which generally have the most and least detail?

  2. Why do we use security management models? What are the two kinds of documents the text tells us should be created from a model? Why do we create those instead of just using the model?

  3. What are some qualities that a security policy should have to be effective?

  4. If we allow staff to use their company-issued cell phones for personal use, is there a need for a policy about that use? What might it say, if you were required to write it?

  5. What is the recommended score for a policy on the Flesch Reading Ease scale?

  6. What is the recommended score for a policy on the Flesch-Kincaid Grade Level scale?

  7. What are the IT security related duties that might be performed by:
    • non-technical staff outside IT
    • IT staff outside IT security
    • IT security staff who perform customer services
    • IT security staff who perform compliance services

  8. What are some of the other company divisions the text discussed as possible homes for an IT security unit? Would any of those company structures keep you from considering a job with a company that used it?

  9. SETA has to do with teaching your employees about IT security. What do the letters in the acronym stand for? How is education different from training?

  10. Some policies have sunset clauses or provisions in them, because they are not meant to last forever. What would be an example of a policy that should have a known end date?

  11. What would be the argument a lawyer would make against a policy that was not applied equally to all staff?

  12. How do EULAs (end-user license agreements) relate to security policies? What does a EULA that appears on a computer screen typically require a user to do?

  13. The text discusses training in several formats. What would be an advantage and a disadvantage to training staff one-on-one? What about training in formal groups? What about training made available on a computer network?

  14. ISO 27000 is a series of documents that comprise a security model. Who created it? Is it extensive and detailed?

  15. Where did the NIST Model come from? Is it extensive and detailed?

  16. Who created the ITIL security model? Is it extensive and detailed?
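Questions 5 and 6 ask for the readability scores the text recommends for a policy. As an added example (not part of the course material or the textbook), the Python below computes both scores for a draft policy with the standard Flesch formulas, so you can check a document you are writing against whatever targets the text gives. The syllable counter is a simple vowel-group heuristic and is an approximation (assumption: word processors and readability tools use dictionaries and more rules, so their numbers will differ slightly). The sample policy text and the target ranges passed to within_targets are constructed for the example; supply the ranges from the text.

```python
import re
from typing import Dict, Tuple


def count_syllables(word: str) -> int:
    """Approximate syllable count: one per group of consecutive vowels.

    Assumption: this heuristic is good enough for a rough readability
    check; it is not a pronunciation dictionary.
    """
    w = re.sub(r"[^a-z]", "", word.lower())
    if not w:
        return 0
    n = len(re.findall(r"[aeiouy]+", w))
    # Drop a trailing silent 'e' ("phone", "use") but keep "-le" ("table").
    if w.endswith("e") and not w.endswith("le") and n > 1:
        n -= 1
    return max(n, 1)


def text_stats(text: str) -> Tuple[int, int, int]:
    """Return (sentences, words, syllables) for a block of prose."""
    sentences = [s for s in re.split(r"[.!?]+", text) if s.strip()]
    words = re.findall(r"[A-Za-z]+(?:'[A-Za-z]+)?", text)
    syllables = sum(count_syllables(w) for w in words)
    return len(sentences), len(words), syllables


def flesch_scores(text: str) -> Dict[str, float]:
    """Flesch Reading Ease and Flesch-Kincaid Grade Level (standard formulas).

    Reading Ease:  206.835 - 1.015 * (words/sentences) - 84.6 * (syllables/words)
    Grade Level:   0.39 * (words/sentences) + 11.8 * (syllables/words) - 15.59
    """
    sentences, words, syllables = text_stats(text)
    if sentences == 0 or words == 0:
        raise ValueError("need at least one sentence and one word")
    asl = words / sentences      # average sentence length
    asw = syllables / words      # average syllables per word
    reading_ease = 206.835 - 1.015 * asl - 84.6 * asw
    grade_level = 0.39 * asl + 11.8 * asw - 15.59
    return {
        "sentences": sentences,
        "words": words,
        "syllables": syllables,
        "reading_ease": round(reading_ease, 2),
        "grade_level": round(grade_level, 2),
    }


def within_targets(text: str,
                   ease_range: Tuple[float, float],
                   grade_range: Tuple[float, float]) -> bool:
    """True if both scores fall inside the (low, high) ranges you supply.

    The ranges are deliberately parameters: put in the values the text
    recommends rather than relying on any hard-coded number here.
    """
    s = flesch_scores(text)
    return (ease_range[0] <= s["reading_ease"] <= ease_range[1]
            and grade_range[0] <= s["grade_level"] <= grade_range[1])


# Constructed sample policy text for the example (not from the course).
SAMPLE_POLICY = (
    "Staff may use a company phone for personal calls. "
    "Staff must not store customer data on the phone. "
    "Report a lost phone within one day."
)

if __name__ == "__main__":
    print(flesch_scores(SAMPLE_POLICY))
```

Short sentences and short words push Reading Ease up and Grade Level down; the sample above scores far easier than most real policies, which tend to be written in long sentences of legal and technical vocabulary. Run a real draft through it, then shorten sentences and replace multi-syllable terms until the scores land in the range the text recommends.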