Policy, Standards, and Procedures
Policies, standards, and procedures form the backbone of an effective security governance framework. Policies are high-level guidelines that provide direction on how an organization's security program should be managed and implemented. Standards are more detailed and define the specific requirements for implementing security controls within an organization. Procedures, on the other hand, outline step-by-step instructions for carrying out various security-related tasks. Together, these components aid in creating a consistent and unified approach to information security, ensuring that organizations remain compliant with applicable laws, regulations, and best practices.
Guide: Policy, Standards, and Procedures for CISSP Security Governance
What is it?
Policy, Standards, and Procedures are crucial in CISSP Security Governance because they act as the guidelines for how an organization operates with respect to cybersecurity. Policies determine 'what' the organization needs to do, while Standards and Procedures outline 'how' it should be implemented.
Why is it important?
Having robust Policy, Standards, and Procedures in place helps ensure that all activities comply with legal, ethical, and contractual requirements. They set the organization's direction and approach to information security, reducing its exposure to cyber threats.
How does it work?
Policy: A high-level plan providing a broad statement of objectives.
Standards: Detailed descriptions of what must be done to comply with the policy.
Procedures: Step-by-step instructions on how to carry out a task or activity to meet the defined standards.
Exam Tips: Answering Questions on Policy, Standards, and Procedures
Understand the difference between Policy, Standards, and Procedures. The confusing part is usually distinguishing between standards and procedures: focus on 'standards' being the what and 'procedures' being the how. Apply your understanding of their roles in an organizational structure when responding. Also note that the policy is typically flexible, allowing standards and procedures to change while its overarching intent is maintained.
CISSP - Security Governance Example Questions
Question 1
A company is looking to improve the security of their visitor registration process. Which of the following would be MOST effective?
Question 2
A security officer is updating the corporate security policy. What is the most critical aspect that should be addressed when dealing with data handling procedures?
Question 3
An organization has recently experienced a security breach due to outdated software. Which action would be most effective in preventing future breaches?