1. What is information security policy? Why is it critical to the success of the InfoSec program?
2. Of the controls or countermeasures used to control InfoSec risk, which is viewed as the least
expensive? What are the primary costs of this type of control?
3. List and describe the three challenges in shaping policy.
4. List and describe the three guidelines for sound policy, as stated by Bergeron and Bérubé.
5. Describe the bull’s-eye model. What does it say about policy in the InfoSec program?
6. In what way are policies different from standards?
7. In what way are policies different from procedures?
8. For a policy to have any effect, what must happen after it is approved by management? What are

 

 

 

 

 

 

 

some ways to accomplish this?
9. Is policy considered static or dynamic? Which factors might determine this status?
10. List and describe the three types of InfoSec policy as described by NIST SP 800-14.
11. What is the purpose of an EISP?
12. What is the purpose of an ISSP?
13. What is the purpose of a SysSP?
14. To what degree should the organization’s values, mission, and objectives be integrated into the
policy documents?
15. List and describe four elements that should be present in the EISP.
16. List and describe three functions that the ISSP serves in the organization.
17. What should be the first component of an ISSP when it is presented? Why? What should be the
second major component? Why?
18. List and describe three common ways in which ISSP documents are created and/or managed.
19. List and describe the two general groups of material included in most SysSP documents.
20. List and describe the three approaches to policy development presented in this chapter. In your
opinion, which is best suited for use by a smaller organization and why? If the target organization
were very much larger, which approach would be more suitable and why?