Security Policies and Standards

Question 1

our online retail business accepts PayPal and credit card payments. You need to ensure that your company is compliant with the relevant security standards. Which payment security standard should you focus on?

GDPR

PCI DSS

HIPAA

Answer 1

PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) provides guidance on securing environments where credit card information is processed

Question 2

Your legal consulting services company is headquartered in Berlin with a branch office in Paris. You are determining how to comply with applicable data privacy regulations. Which of the following security standards must your company comply with?

GDPR

PCI DSS

HIPAA

Answer 2

GDPR

The GDPR is designed to protect sensitive EU citizen data

Question 3

You have been hired to review security controls for a medical practice in rural Tennessee. Which of the following data privacy frameworks must the medical practice be compliant with?

GDPR

PCI DSS

HIPAA

Answer 3

HIPAA

HIPAA is American legislation designed to protect sensitive medical patient information

Question 4

Which action will have the largest impact on mitigating against SQL injection attacks?

Enable HTTPS

Change default web server settings

Enable input validation

Answer 4

Enable input validation

Input validation is used to prevent unexpected characters or data from being sent to a server in a SQL injection attack. This can prevent sensitive data disclosure

Question 5

You are planning the secure management of servers and network infrastructure devices on your corporate LAN. Which design will best protect these devices from RDP and SSH attacks?

Periodic vulnerability scanning

SSH public key authentication

Dedicated network management interface

Answer 5

Dedicated network management interface

A dedicated network management interface connects to a dedicated secure network used only for management purposes. Because no user traffic is present, this will protect devices from Remote Desktop Protocol (RDP) and Secure Shell (SSH) attacks

Question 6

You need to manage cloud-based Windows virtual machines (VMs) from your on-premises network. Which option presents the most secure remote management solution?

Configure each VM with a public IPv6 address

Use PowerShell remoting for remote management

Manage the VMs through a jump box

Answer 6

Manage the VMs through a jump box

A jump box is a host with a connection to a public and a private network. After successfully authenticating to the jump box, administrators can remotely connect to hosts on the private network. This prevents the direct exposure of hosts to the public network

Question 7

During customer support calls, customer service representatives periodically pull up customer details on their screens, including credit card numbers. What should be enabled to prevent the disclosure of credit card numbers?

Tokenization

Data minimization

Data masking

Answer 7

Data masking

Data masking replaces sensitive characters (such as credit card number digits) with other characters, such as asterisks (*). Normally, only the last four digits of a credit number are shown. Data masking is an option available in many database solutions

Question 8

You have been tasked with creating a corporate security policy regarding smart phone usage for business purposes. What should you do first?

Issue smart phones to all employees.

Obtain support from management.

Get a legal opinion.

Answer 8

Obtain support from management.

Management support is crucial in the successful implementation of corporate security policies

Question 9

Christine is the server administrator for your organization. Her manager provided step-by-step security policies outlining how servers should be configured to maximize security. Which type of security policy will Christine be implementing?

Mail server acceptable use policy

VPN server acceptable use policy

Procedural policy

Answer 9

Procedural policy

Procedural policies provide step-by-step instructions for configuring servers

Question 10

Which of the following are examples of PII? (Choose two.)

Public IP address of a NAT router

Mobile phone number

Digital certificate

Gender

Answer 10

Mobile phone number

Digital certificate

Personally identifiable information (PII) is data that uniquely identifies a person, such as a mobile phone number or digital certificate. The appropriate security controls must be put in place to prevent identify theft, which can include pseudo-anonymization to prevent tracing data back to an individual

Question 11

After a lengthy background check and interviewing process, your company hired a new payroll clerk named Tammy. Tammy will be using a web browser on a company computer at the office to access the payroll application on a public cloud provider web site over the Internet. Which type of document should Tammy read and sign?

Internet acceptable use policy

Password policy

Service level agreement

Answer 11

Internet acceptable use policy

Because Tammy will be using company equipment to access the Internet, she should read and sign an Internet acceptable use policy

Question 12

You are configuring a password policy for users in the Berlin office. Passwords must be changed every 60 days. You must ensure that user passwords cannot be changed more than once within the 60-day interval. What should you configure?

Minimum password age

Maximum password age

Password complexity

Answer 12

Minimum password age

The minimum password age is a period of time that must elapse before a password can be changed. This prevents users from changing passwords multiple times in a short period to reuse old passwords

Question 13

Your company has decided to adopt a public cloud device management solution whereby all devices are centrally managed from a web site hosted on servers in a data center. Management has instructed you to ensure that the solution is reliable and always available. Which type of document should you focus on?

Password policy

Service level agreement

Remote access acceptable use policy

Answer 13

Service level agreement

A service level agreement is a contract stipulating what level of service and availability can be expected from a third party

Question 14

Which of the following options best describe the proper use of PII? (Choose two.)

Law enforcement tracking an Internet offender using a public IP address

Distributing an e-mail contact list to marketing firms

Logging into a secured laptop using a fingerprint scanner

Practicing due diligence

Answer 14

Law enforcement tracking an Internet offender using a public IP address

Logging into a secured laptop using a fingerprint scanner

Proper use of PII means not divulging a person’s or entity’s personal information to other parties. Law enforcement tracking criminals using IP addresses and logging in with a fingerprint scanner are proper uses of PII

Question 15

Your company restricts firewall administrators from modifying firewall rules unless they make the modifications with a member of the IT security team. What is this an example of?

Due care

Separation of duties

Principle of least privilege

Answer 15

Separation of duties

Separation of duties requires more than one person to complete a process such as controlling a firewall and its rules

Question 16

You are the network administrator for a legal firm. Users in Vancouver must be able to view trade secrets for patent submission. You have shared a network folder called Trade Secrets and allowed the following NTFS permissions:

Vancouver_Staff: Read, List Folder Contents

Executives: Write

IT_Admins: Full Control

Regarding Vancouver staff, which principle is being adhered to?

Job rotation

Least privilege

Mandatory vacations

Answer 16

Least privilege

The principle of least privilege states that people should be granted access based on the minimum access required to do their job. In this case, Vancouver staff members have only read access to the Trade Secrets because they should not be allowed to make changes

Question 17

The Accounts Payable department notices large out-of-country purchases made using a corporate credit card. After discussing the matter with Juan, the employee whose name is on the credit card, they realize that somebody has illegally obtained the credit card details. You also learn that Juan recently received an e-mail from what appeared to be the credit card company asking him to sign in to their web site to validate his account, which he did. How could this have been avoided?

Provide credit card holders with smartcards.

Tell users to increase the strength of online passwords.

Provide security awareness training to employees.

Answer 17

Provide security awareness training to employees.

If Juan had been made aware of phishing scams by attending phishing training campaigns or by being shown phishing simulations, he would have ignored the e-mail message. Perpetrators of this type of crime can be charged with fraud, which can result in fines or imprisonment, depending on applicable laws

Question 18

Which of the following statements are true? (Choose two.)

Security labels are used for data classifications, such as restricted and top secret.

PII is applicable only to biometric authentication devices.

Forcing user password changes is considered change management.

A person’s signature on a check is considered PII.

Answer 18

Security labels are used for data classifications, such as restricted and top secret.

A person’s signature on a check is considered PII.

Restricted and top secret are examples of security data labeling. A signature on a check is considered PII, since it is a personal characteristic

Question 19

What is the primary purpose of enforcing a mandatory vacation policy?

To adhere to government regulation

To ensure employees are refreshed

To prevent improper activity

Answer 19

To prevent improper activity

Knowledge that vacation time is mandatory means employees are less likely to engage in improper business practices, because when a different employee fills a job role while the vacationing employee is out of the office, he or she is likely to notice any irregularities

Question 20

Which of the following is an example of PHI?

Education records

Employment records

Fingerprints

Answer 20

Fingerprints

Fingerprints are considered protected health information (PHI) under the American HIPAA rules

Question 21

As the IT security officer, you establish a security policy requiring that users protect all paper documents so that sensitive client, vendor, or company data is not stolen. What type of policy is this?

Privacy

Acceptable use

Clean desk

Answer 21

Clean desk

A clean desk policy requires paper documents to be safely stored (and not left on desks) to prevent malicious users from acquiring them

Question 22

Which of the following best illustrates potential security problems related to social media sites?

Other users can easily see your IP address.

Talkative employees can expose a company’s intellectual property.

Malicious users can use your pictures for steganography.

Answer 22

Talkative employees can expose a company’s intellectual property.

People tend to speak more freely on social networking sites than anywhere else. Exposing sensitive company information could pose a problem

Question 23

Margaret, the head of HR, conducts an exit interview with a departing IT server technician named Irving. The interview encompasses Irving’s view of the organization, such as the benefits of the job he held and suggestions of improvements that could be made. Which of the following issues should also be addressed in the exit interview? (Choose two.)

Background check

Job rotation

Nondisclosure agreement

Property return form

Answer 23

Nondisclosure agreement

Property return form

Nondisclosure agreements (NDAs) are used to ensure that sensitive data an employees or contractor may have been exposed to is not revealed outside of the organization. An NDA is signed during employee onboarding, when other contracts are signed; reminding employees leaving the organization of their responsibility of not violating NDAs is important. Any equipment, access codes, passes, and keys must be surrendered to the company when an employee leaves the organization (employee offboarding). This is formalized and recorded on a property return form

Question 24

You are a file server administrator for a health organization. Management has asked you to configure your servers appropriately to classify files containing unique manufacturing processes. What is an appropriate data classification for these types of files?

Proprietary

PII

PHI

Answer 24

Proprietary

Company trade secrets such as unique manufacturing processes should be labeled as proprietary

Question 25

Your organization must observe the appropriate cloud security ISO compliance standards. Which ISO standard must be observed?

ISO 27001

ISO 27017

ISO 27002

Answer 25

ISO 27017

International Organization for Standardization (ISO) 27017 provides guidelines related to the secure use of cloud computing

Question 26

Which of the following security standards focuses on assessing and managing risk?

SOC 2

NIST CSF

NIST RMF

Answer 26

NIST RMF

The National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) provides guidance regarding how to assess, frame, monitor, and respond to risks, including how to apply security controls to mitigate risk. The Cloud Security Alliance (CSA) Reference Architecture can also be used to assess risk, and the Cloud Controls Matrix can be used to organize risk mitigations

Question 27

To enhance your organization’s security posture, management has decided that new and existing security technician employee IT security awareness will be implemented through gamification. What is the best way to achieve this?

Computer-based training

Role-based training

Capture the flag

Answer 27

Capture the flag

Gamification involves using game-style drills to prepare for cybersecurity incident response, or using a reward system that provides some kind of incentive for demonstrating cybersecurity acumen. Capture the flag security competitions work by awarding a flag when a team overcomes a security problem. The flag owner submits the flag to a central authority to earn points. Individuals or teams with the highest number of points win the competition

Question 28

Which type of document is a nonbinding agreement between two parties?

BPA

MSA

MOU

Answer 28

MOU

A memorandum of understanding (MOU) is a document outlining an agreement between entities such as business partners; unlike a contract, it is not legally binding. An example of how a MOU is used between organizations that connect IT environments together is an interconnection security agreement (ISA) which can be put in place to ensure the secure transmission of sensitive data between organizations

Question 29

You have instructed your web app developers to include a message for web site visitors detailing how their data will be processed and used. What should web app develops add to the site?

Terms of agreement

Public disclosure

Privacy notice

Answer 29

Privacy notice

A privacy notice provides details regarding how sensitive data will be collected, stored, used, and shared and may be required for legal or regulatory compliance