Security Policies and Standards Flashcards
our online retail business accepts PayPal and credit card payments. You need to ensure that your company is compliant with the relevant security standards. Which payment security standard should you focus on?
GDPR
PCI DSS
HIPAA
PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) provides guidance on securing environments where credit card information is processed
Your legal consulting services company is headquartered in Berlin with a branch office in Paris. You are determining how to comply with applicable data privacy regulations. Which of the following security standards must your company comply with?
GDPR
PCI DSS
HIPAA
GDPR
The GDPR is designed to protect sensitive EU citizen data
You have been hired to review security controls for a medical practice in rural Tennessee. Which of the following data privacy frameworks must the medical practice be compliant with?
GDPR
PCI DSS
HIPAA
HIPAA
HIPAA is American legislation designed to protect sensitive medical patient information
Which action will have the largest impact on mitigating against SQL injection attacks?
Enable HTTPS
Change default web server settings
Enable input validation
Enable input validation
Input validation is used to prevent unexpected characters or data from being sent to a server in a SQL injection attack. This can prevent sensitive data disclosure
You are planning the secure management of servers and network infrastructure devices on your corporate LAN. Which design will best protect these devices from RDP and SSH attacks?
Periodic vulnerability scanning
SSH public key authentication
Dedicated network management interface
Dedicated network management interface
A dedicated network management interface connects to a dedicated secure network used only for management purposes. Because no user traffic is present, this will protect devices from Remote Desktop Protocol (RDP) and Secure Shell (SSH) attacks
You need to manage cloud-based Windows virtual machines (VMs) from your on-premises network. Which option presents the most secure remote management solution?
Configure each VM with a public IPv6 address
Use PowerShell remoting for remote management
Manage the VMs through a jump box
Manage the VMs through a jump box
A jump box is a host with a connection to a public and a private network. After successfully authenticating to the jump box, administrators can remotely connect to hosts on the private network. This prevents the direct exposure of hosts to the public network
During customer support calls, customer service representatives periodically pull up customer details on their screens, including credit card numbers. What should be enabled to prevent the disclosure of credit card numbers?
Tokenization
Data minimization
Data masking
Data masking
Data masking replaces sensitive characters (such as credit card number digits) with other characters, such as asterisks (*). Normally, only the last four digits of a credit number are shown. Data masking is an option available in many database solutions
You have been tasked with creating a corporate security policy regarding smart phone usage for business purposes. What should you do first?
Issue smart phones to all employees.
Obtain support from management.
Get a legal opinion.
Obtain support from management.
Management support is crucial in the successful implementation of corporate security policies
Christine is the server administrator for your organization. Her manager provided step-by-step security policies outlining how servers should be configured to maximize security. Which type of security policy will Christine be implementing?
Mail server acceptable use policy
VPN server acceptable use policy
Procedural policy
Procedural policy
Procedural policies provide step-by-step instructions for configuring servers
Which of the following are examples of PII? (Choose two.)
Public IP address of a NAT router
Mobile phone number
Digital certificate
Gender
Mobile phone number
Digital certificate
Personally identifiable information (PII) is data that uniquely identifies a person, such as a mobile phone number or digital certificate. The appropriate security controls must be put in place to prevent identify theft, which can include pseudo-anonymization to prevent tracing data back to an individual
After a lengthy background check and interviewing process, your company hired a new payroll clerk named Tammy. Tammy will be using a web browser on a company computer at the office to access the payroll application on a public cloud provider web site over the Internet. Which type of document should Tammy read and sign?
Internet acceptable use policy
Password policy
Service level agreement
Internet acceptable use policy
Because Tammy will be using company equipment to access the Internet, she should read and sign an Internet acceptable use policy
You are configuring a password policy for users in the Berlin office. Passwords must be changed every 60 days. You must ensure that user passwords cannot be changed more than once within the 60-day interval. What should you configure?
Minimum password age
Maximum password age
Password complexity
Minimum password age
The minimum password age is a period of time that must elapse before a password can be changed. This prevents users from changing passwords multiple times in a short period to reuse old passwords
Your company has decided to adopt a public cloud device management solution whereby all devices are centrally managed from a web site hosted on servers in a data center. Management has instructed you to ensure that the solution is reliable and always available. Which type of document should you focus on?
Password policy
Service level agreement
Remote access acceptable use policy
Service level agreement
A service level agreement is a contract stipulating what level of service and availability can be expected from a third party
Which of the following options best describe the proper use of PII? (Choose two.)
Law enforcement tracking an Internet offender using a public IP address
Distributing an e-mail contact list to marketing firms
Logging into a secured laptop using a fingerprint scanner
Practicing due diligence
Law enforcement tracking an Internet offender using a public IP address
Logging into a secured laptop using a fingerprint scanner
Proper use of PII means not divulging a person’s or entity’s personal information to other parties. Law enforcement tracking criminals using IP addresses and logging in with a fingerprint scanner are proper uses of PII
Your company restricts firewall administrators from modifying firewall rules unless they make the modifications with a member of the IT security team. What is this an example of?
Due care
Separation of duties
Principle of least privilege
Separation of duties
Separation of duties requires more than one person to complete a process such as controlling a firewall and its rules
You are the network administrator for a legal firm. Users in Vancouver must be able to view trade secrets for patent submission. You have shared a network folder called Trade Secrets and allowed the following NTFS permissions:
Vancouver_Staff: Read, List Folder Contents
Executives: Write
IT_Admins: Full Control
Regarding Vancouver staff, which principle is being adhered to?
Job rotation
Least privilege
Mandatory vacations
Least privilege
The principle of least privilege states that people should be granted access based on the minimum access required to do their job. In this case, Vancouver staff members have only read access to the Trade Secrets because they should not be allowed to make changes
The Accounts Payable department notices large out-of-country purchases made using a corporate credit card. After discussing the matter with Juan, the employee whose name is on the credit card, they realize that somebody has illegally obtained the credit card details. You also learn that Juan recently received an e-mail from what appeared to be the credit card company asking him to sign in to their web site to validate his account, which he did. How could this have been avoided?
Provide credit card holders with smartcards.
Tell users to increase the strength of online passwords.
Provide security awareness training to employees.
Provide security awareness training to employees.
If Juan had been made aware of phishing scams by attending phishing training campaigns or by being shown phishing simulations, he would have ignored the e-mail message. Perpetrators of this type of crime can be charged with fraud, which can result in fines or imprisonment, depending on applicable laws
Which of the following statements are true? (Choose two.)
Security labels are used for data classifications, such as restricted and top secret.
PII is applicable only to biometric authentication devices.
Forcing user password changes is considered change management.
A person’s signature on a check is considered PII.
Security labels are used for data classifications, such as restricted and top secret.
A person’s signature on a check is considered PII.
Restricted and top secret are examples of security data labeling. A signature on a check is considered PII, since it is a personal characteristic
What is the primary purpose of enforcing a mandatory vacation policy?
To adhere to government regulation
To ensure employees are refreshed
To prevent improper activity
To prevent improper activity
Knowledge that vacation time is mandatory means employees are less likely to engage in improper business practices, because when a different employee fills a job role while the vacationing employee is out of the office, he or she is likely to notice any irregularities
Which of the following is an example of PHI?
Education records
Employment records
Fingerprints
Fingerprints
Fingerprints are considered protected health information (PHI) under the American HIPAA rules
As the IT security officer, you establish a security policy requiring that users protect all paper documents so that sensitive client, vendor, or company data is not stolen. What type of policy is this?
Privacy
Acceptable use
Clean desk
Clean desk
A clean desk policy requires paper documents to be safely stored (and not left on desks) to prevent malicious users from acquiring them
Which of the following best illustrates potential security problems related to social media sites?
Other users can easily see your IP address.
Talkative employees can expose a company’s intellectual property.
Malicious users can use your pictures for steganography.
Talkative employees can expose a company’s intellectual property.
People tend to speak more freely on social networking sites than anywhere else. Exposing sensitive company information could pose a problem
Margaret, the head of HR, conducts an exit interview with a departing IT server technician named Irving. The interview encompasses Irving’s view of the organization, such as the benefits of the job he held and suggestions of improvements that could be made. Which of the following issues should also be addressed in the exit interview? (Choose two.)
Background check
Job rotation
Nondisclosure agreement
Property return form
Nondisclosure agreement
Property return form
Nondisclosure agreements (NDAs) are used to ensure that sensitive data an employees or contractor may have been exposed to is not revealed outside of the organization. An NDA is signed during employee onboarding, when other contracts are signed; reminding employees leaving the organization of their responsibility of not violating NDAs is important. Any equipment, access codes, passes, and keys must be surrendered to the company when an employee leaves the organization (employee offboarding). This is formalized and recorded on a property return form
You are a file server administrator for a health organization. Management has asked you to configure your servers appropriately to classify files containing unique manufacturing processes. What is an appropriate data classification for these types of files?
Proprietary
PII
PHI
Proprietary
Company trade secrets such as unique manufacturing processes should be labeled as proprietary
Your organization must observe the appropriate cloud security ISO compliance standards. Which ISO standard must be observed?
ISO 27001
ISO 27017
ISO 27002
ISO 27017
International Organization for Standardization (ISO) 27017 provides guidelines related to the secure use of cloud computing
Which of the following security standards focuses on assessing and managing risk?
SOC 2
NIST CSF
NIST RMF
NIST RMF
The National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) provides guidance regarding how to assess, frame, monitor, and respond to risks, including how to apply security controls to mitigate risk. The Cloud Security Alliance (CSA) Reference Architecture can also be used to assess risk, and the Cloud Controls Matrix can be used to organize risk mitigations
To enhance your organization’s security posture, management has decided that new and existing security technician employee IT security awareness will be implemented through gamification. What is the best way to achieve this?
Computer-based training
Role-based training
Capture the flag
Capture the flag
Gamification involves using game-style drills to prepare for cybersecurity incident response, or using a reward system that provides some kind of incentive for demonstrating cybersecurity acumen. Capture the flag security competitions work by awarding a flag when a team overcomes a security problem. The flag owner submits the flag to a central authority to earn points. Individuals or teams with the highest number of points win the competition
Which type of document is a nonbinding agreement between two parties?
BPA
MSA
MOU
MOU
A memorandum of understanding (MOU) is a document outlining an agreement between entities such as business partners; unlike a contract, it is not legally binding. An example of how a MOU is used between organizations that connect IT environments together is an interconnection security agreement (ISA) which can be put in place to ensure the secure transmission of sensitive data between organizations
You have instructed your web app developers to include a message for web site visitors detailing how their data will be processed and used. What should web app develops add to the site?
Terms of agreement
Public disclosure
Privacy notice
Privacy notice
A privacy notice provides details regarding how sensitive data will be collected, stored, used, and shared and may be required for legal or regulatory compliance
