CHAPTER 16 Questions Flashcards
Which security principle involves the knowledge and possession of sensitive material as an aspect of one’s occupation?
A. Principle of least privilege
B. Separation of duties
C. Need to know
D. As-needed basis
C. Need to know
The need-to-know policy operates on the basis that any given system user should be granted access only to portions of sensitive information or materials necessary to perform some task. The principle of least privilege ensures that personnel are granted only the permissions they need to perform their job and no more. Separation of duties ensures that no single person has total control over a critical function or system. There isn’t a standard principle called “as-needed basis.”
An organization ensures that users are granted access to only the data they need to perform specific work tasks. What principle are they following?
A. Principle of least permission
B. Separation of duties (SoD)
C. Need to know
D. Job rotation
C. Need to know
Need to know is the requirement to have access to, knowledge about, or possession of data to perform specific work tasks, but no more. The principle of least privilege includes both rights and permissions, but the term principle of least permission is not valid within IT security. Separation of duties (SoD) ensures that a single person doesn’t control all the elements of a process. A separation of duties policy ensures that no single person has total control over a critical function. A job rotation policy requires employees to rotate to different jobs periodically.
What concept is used to grant users only the rights and permissions they need to complete their job responsibilities?
A. Need to know
B. Mandatory vacations
C. Least privilege principle
D. Service-level agreement (SLA)
C. Least privilege principle
An organization applies the least privilege principle to ensure employees receive only the access they need to complete their job responsibilities. Need to know refers to permissions only, whereas privileges include both rights and permissions. A mandatory vacation policy requires employees to take a vacation in one- or two-week increments. An SLA identifies performance expectations and can include monetary penalties.
A large organization using a Microsoft domain wants to limit the amount of time users have elevated privileges. Which of the following security operation concepts can be used to support this goal?
A. Principle of least permission
B. Separation of duties
C. Need to know
D. Privileged account management
D. Privileged account management
Microsoft domains include a privileged account management solution that grants administrators elevated privileges when they need them but restricts the access using a time-limited ticket. The principle of least privilege includes both rights and permissions, but the term principle of least permission is not valid within IT security. Separation of duties ensures that a single person doesn’t control all the elements of a process or a critical function. Need to know is the requirement to have access to, knowledge about, or possession of data to perform specific work tasks, but no more.
An administrator is granting permissions to a database. What is the default level of access the administrator should grant to new users in the organization?
A. Read
B. Modify
C. Full access
D. No access
D. No access
The default level of access should be no access. The principle of least privilege dictates that users should only be granted the level of access they need for their job, and the question doesn’t indicate that new users need any access to the database. Read access, modify access, and full access grant users some level of access, which violates the principle of least privilege.
You want to apply the least privilege principle when creating new accounts in the software development department. Which of the following should you do?
A. Create each account with only the rights and permissions needed by the employee to perform their job.
B. Give each account full rights and permissions to the servers in the software development department.
C. Create each account with no rights and permissions.
D. Add the accounts to the local Administrators group on the new employee’s computer.
A. Create each account with only the rights and permissions needed by the employee to perform their job.
Each account should have only the rights and permissions the employee needs to perform their job when following the least privilege policy. New employees would not need full rights and permissions to a server. Employees will need some rights and permissions in order to do their jobs. Regular user accounts should not be added to the Administrators group.
Your organization has divided a high-level auditing function into several individual job tasks. These tasks are divided between three administrators. None of the administrators can perform all of the tasks. What does this describe?
A. Job rotation
B. Mandatory vacation
C. Separation of duties
D. Least privilege
C. Separation of duties
Separation of duties ensures that no single entity can perform all the tasks for a job or function. A job rotation policy moves employees to different jobs periodically. A mandatory vacation policy requires employees to take vacations. A least privilege policy ensures users have only the privileges they need, and no more.
A financial organization commonly has employees switch duty responsibilities every 6 months. What security principle are they employing?
A. Job rotation
B. Separation of duties
C. Mandatory vacations
D. Least privilege
A. Job rotation
A job rotation policy has employees rotate jobs or job responsibilities and can help detect collusion and fraud. A separation of duties policy ensures that a single person doesn’t control all elements of a specific function. Mandatory vacation policies ensure that employees take an extended time away from their jobs, requiring someone else to perform their job responsibilities, which increases the likelihood of discovering fraud. Least privilege ensures that users have only the permissions they need to perform their jobs and no more.
Which of the following is one of the primary reasons an organization enforces a mandatory vacation policy?
A. To rotate job responsibilities
B. To detect fraud
C. To increase employee productivity
D. To reduce employee stress levels
B. To detect fraud
Mandatory vacation policies help detect fraud. They require employees to take an extended time away from their jobs, requiring someone else to perform their job responsibilities, which increases the likelihood of discovering fraud. It does not rotate job responsibilities. Although mandatory vacations might help employees reduce their overall stress levels and increase productivity, these are not the primary reasons for mandatory vacation policies.
Your organization has contracted with a third-party provider to host cloud-based servers. Management wants to ensure there are monetary penalties if the third party doesn’t meet their contractual responsibilities related to uptimes and downtimes. Which of the following is the best choice to meet this requirement?
A. MOU
B. ISA
C. SLA
D. SED
C. SLA
A service-level agreement (SLA) can provide monetary penalties if a third-party provider doesn’t meet its contractual requirements. Neither a memorandum of understanding (MOU) nor an interconnection security agreement (ISA) includes monetary penalties. Separation of duties is sometimes shortened to SED, but this is unrelated to third-party relationships.
Which one of the following is a cloud-based service model that gives an organization the most control and requires the organization to perform all maintenance on operating systems and applications?
A. Infrastructure as a service (IaaS)
B. Platform as a service (PaaS)
C. Software as a service (SaaS)
D. Public
A. Infrastructure as a service (IaaS)
The IaaS service model provides an organization with the most control compared to the other models, and this model requires the organization to perform all maintenance on operating systems and applications. The SaaS model gives the organization the least control, and the cloud service provider (CSP) is responsible for all maintenance. The PaaS model splits control and maintenance responsibilities between the CSP and the organization.
Which one of the following is a cloud-based service model that allows users to access email via a web browser?
A. Infrastructure as a service (IaaS)
B. Platform as a service (PaaS)
C. Software as a service (SaaS)
D. Public
C. Software as a service (SaaS)
The SaaS service model provides services such as email available via a web browser. IaaS provides the infrastructure (such as servers), and PaaS provides a platform (such as an operating system and application installed on a server). Public is a deployment method, not a service model.
The IT department routinely uses images when deploying new systems. Of the following choices, what is a primary benefit of using images?
A. Provides a baseline for configuration management
B. Improves patch management response times
C. Reduces vulnerabilities from unpatched systems
D. Provides documentation for changes
A. Provides a baseline for configuration management
When images are used to deploy systems, the systems start with a common baseline, which is important for configuration management. Images don’t necessarily improve the evaluation, approval, deployment, and audits of patches to systems within the network. Although images can include current patches to reduce their vulnerabilities, this is because the image provides a baseline. Change management provides documentation for changes.
A server administrator recently modified the configuration for a server to improve performance. Unfortunately, when an automated script runs once a week, the modification causes the server to reboot. It took several hours of troubleshooting to ultimately determine the problem wasn’t with the script but instead with the modification. What could have prevented this?
A. Vulnerability management
B. Patch management
C. Change management
D. Blocking all scripts
C. Change management
An effective change management program helps prevent outages from unauthorized changes. Vulnerability management helps detect weaknesses but wouldn’t block the problems from this modification. Patch management ensures systems are kept up to date. Blocking scripts removes automation, which would increase the overall workload.
Which of the following steps would be included in a change management process? (Choose three.)
A. Immediately implement the change if it will improve performance.
B. Request the change.
C. Create a rollback plan for the change.
D. Document the change.
B. Request the change.
C. Create a rollback plan for the change.
D. Document the change.
Change management processes include requesting a change, creating a rollback plan for the change, and documenting the change. Changes should not be implemented immediately without evaluating the change.