1. List and describe briefly the three guidelines for sound policy, as stated by Bergeron and Bérubé.
2. Are policies different from standards? In what way? Are policies different from procedures? In what way?
3. List and describe briefly the three types of information security policy as described by NIST SP 800-14.
4. List and describe briefly four elements that should be present in the Enterprise Information Security Policy.
Exercise
1. Using the Internet and a browser, go to the International Information Systems Security Certifications Consortium Web site (www.isc2.org) and look for the information security common body of knowledge (CBK). What are the areas addressed in the CBK? Was policy explicitly listed? If not, where do you feel it is addressed in the CBK?