Security Policies and Standards Flashcards
The primary purpose of security policies is to:
Establish legal grounds for prosecution.
Improve IT service performance.
Reduce the risk of security breaches.
Reduce the risk of security breaches.
Security policies are the organized means through which the corporate security strategy is realized in order to reduce the risk of security breaches
You have been tasked with creating a corporate security policy regarding smart phone usage for business purposes. What should you do first?
Issue smart phones to all employees.
Obtain support from management.
Get a legal opinion.
Obtain support from management.
Management support is crucial in the successful implementation of corporate security policies
Christine is the server administrator for Contoso Corporation. Her manager provided step-by-step security policies outlining how servers should be configured to maximize security. Which type of security policy will Christine be implementing?
Mail server acceptable use policy
VPN server acceptable use policy
Procedural policy
Procedural policy
Procedural policies provide step-by-step instructions for configuring servers
Which of the following are examples of PII? (Choose two.)
Private IP address on an internal network
Mobile phone number
Digital certificate
Gender
Mobile phone number
Digital certificate
Personally identifiable information (PII) is data that uniquely identifies a person, such as a mobile phone number or digital certificate
After a lengthy background check and interviewing process, your company hired a new payroll clerk named Stacey. Stacey will be using a web browser on a company computer at the office to access the payroll application on a public cloud provider web site over the Internet. Which type of document should Stacey read and sign?
Internet acceptable use policy
Password policy
Service level agreement
Internet acceptable use policy
Because Stacey will be using company equipment to access the Internet, she should read and sign an Internet acceptable use policy
You are configuring a password policy for users in the Berlin office. Passwords must be changed every 60 days. You must ensure that user passwords cannot be changed more than once within the 60-day interval. What should you configure?
Minimum password age
Maximum password age
Password complexity
Minimum password age
The minimum password age is a period of time that must elapse before a password can be changed
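The minimum password age matters because of password history: with no minimum age, a user forced to change a password can change it several more times in a row, flush the old one out of the history list and set it again. The following is an added example, not part of the original flashcards, that models the three age-related settings and shows that attack failing once a minimum age is set. The 60-day maximum comes from the question; the 1-day minimum age, the history depth of 5, the reference time and the sample passwords are assumed values constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple


class PasswordPolicy:
    """Minimal model of the age-related settings in a password policy.

    max_age  - how long a password may be used before a change is forced
               (60 days, from the flashcard scenario).
    min_age  - how long a password must be kept before the user may change it
               again (the 1-day default is an assumed value).
    history  - how many previous passwords are remembered and may not be reused
               (5 is an assumed value).
    """

    def __init__(self, max_age: timedelta = timedelta(days=60),
                 min_age: timedelta = timedelta(days=1), history: int = 5):
        self.max_age = max_age
        self.min_age = min_age
        self.history = history

    def must_change(self, last_changed: datetime, now: datetime) -> bool:
        """Maximum password age: force a change once the password is 60 days old."""
        return now - last_changed >= self.max_age

    def evaluate_change(self, last_changed: datetime, now: datetime,
                        new_secret: str, previous: List[str]) -> Tuple[bool, str]:
        """Decide whether a user-initiated change is permitted.

        The toy compares plaintext strings; a real system compares password hashes.
        """
        if now - last_changed < self.min_age:
            return False, "minimum password age not yet reached"
        if new_secret in previous[-self.history:]:
            return False, "password was used recently"
        return True, "change permitted"


def simulate_history_cycling(policy: PasswordPolicy, start: datetime,
                             favourite: str = "Winter2024!") -> bool:
    """Model a user who tries to defeat password history.

    Straight after a forced change the user changes the password history + 1
    times, one minute apart, ending on the old favourite. Returns True if the
    favourite was reinstated, i.e. the history control was defeated.
    """
    previous = [favourite]              # the favourite is the password just retired
    last_changed = now = start
    for i in range(policy.history + 1):
        candidate = favourite if i == policy.history else f"Throwaway{i}!"
        allowed, _ = policy.evaluate_change(last_changed, now, candidate, previous)
        if not allowed:
            return False                # blocked by minimum age or history
        previous.append(candidate)
        last_changed = now
        now += timedelta(minutes=1)
    return True


T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed reference time


def demo() -> Dict[str, bool]:
    """Run the checks with and without a minimum password age."""
    policy = PasswordPolicy()                           # 1-day minimum age
    lax_policy = PasswordPolicy(min_age=timedelta(0))   # no minimum age at all
    return {
        "forced_change_at_60_days": policy.must_change(T0, T0 + timedelta(days=60)),
        "forced_change_at_59_days": policy.must_change(T0, T0 + timedelta(days=59)),
        "history_defeated_without_min_age": simulate_history_cycling(lax_policy, T0),
        "history_defeated_with_min_age": simulate_history_cycling(policy, T0),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Only the minimum age stops the cycling: the maximum age and the history depth are both satisfied at every step of the attack, so a password policy that sets a history depth but leaves the minimum age at zero is not enforcing what its author thinks it enforces.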
You have been hired as a consultant by a pharmaceutical company. The company is concerned that confidential drug research documents might be recovered from discarded hard disks. What should you recommend?
Repartition the hard disks.
Freeze the hard drives.
Physically shred the hard disks.
Physically shred the hard disks.
Physically shredding the hard disks is the most effective way of ensuring the confidential data cannot be retrieved; repartitioning only rewrites the partition table and leaves the file contents on the platters, and freezing a drive does nothing to the data
Acme Corporation is upgrading its network routers. The old routers will be sent to the head office before they are disposed of. What must be done to the routers prior to disposal to minimize security breaches?
Change the router privileged mode password.
Remove DNS server entries from the router configuration.
Set the router to factory default settings.
Set the router to factory default settings.
Network equipment such as routers should be reset to factory default settings before disposal to remove company-specific configurations, including stored credentials, keys, and addressing details; changing one password or removing DNS entries leaves the rest of the configuration in place
Your company has decided to adopt a public cloud device management solution where all devices are centrally managed from a web site hosted on servers in a data center. Management has instructed you to ensure that the solution is reliable and always available. Which type of document should you focus on?
Password policy
Service level agreement
Remote access acceptable use policy
Service level agreement
A service level agreement is a contract stipulating what level of service and availability can be expected
Which of the following best embodies the concept of least privilege?
Detecting malware running without elevated privileges
Assigning users full control permissions to network resources
Assigning needed permissions to enable users to complete a task
Assigning needed permissions to enable users to complete a task
The least privilege principle specifies that only the needed permissions to perform a task should be assigned to users
The creation of data security policies is most affected by which two factors? (Choose two.)
Industry regulations
IP addressing scheme being used
Operating system version being used
PII
Industry regulations
PII
Industry regulations as well as the protection of personally identifiable information (PII) will have a large impact on the details contained within data security policies
As the network administrator for your company, you are creating a security policy such that devices connecting to the corporate VPN must have a trusted digital certificate installed. Which type of security policy are you creating?
Mobile device encryption policy
Authentication policy
Remote access policy
Remote access policy
VPNs are remote access solutions, so in this case you would be creating a remote access policy
You are reviewing surveillance camera footage after items have gone missing from your company’s office in the evenings. On the video you notice an unidentified person entering the building’s main entrance behind an employee who unlocked the door with a swipe card. What type of security breach is this?
Tailgating
Mantrapping
Horseback riding
Tailgating
Tailgating occurs when an unauthorized person follows an authorized person closely to gain access to a restricted resource such as a building or room
You receive the e-mail message shown here. What type of threat is this?
Dear valued Acme Bank customer, Acme Bank will be updating web server banking software next week. To ensure continued access to your accounts, we ask that you go to http://www.acmebank.us/accounts and reset your password within the next 24 hours. We sincerely appreciate your business.
Acme Bank
Denial of service
Phishing attack
Zero-day exploit
Phishing attack
Phishing attacks attempt to fool people into connecting to seemingly authentic web sites so that unsuspecting users disclose personal information such as bank account numbers and passwords
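The practical check for a message like the one above is to inspect the host a link actually points to rather than the name the sender displays. The following is an added example, not part of the original flashcards, that classifies a link from an e-mail body by the host a browser would connect to and flags the common disguises: a different top-level domain (the .us address in the message), a trusted name used as a prefix of a longer host, a trusted name placed in the userinfo before an @, non-ASCII look-alike characters, and plain http. It assumes acmebank.com is the bank's genuine domain (the flashcard never says what domain Acme Bank owns); the sample links other than the first are constructed.

```python
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Domains the bank really uses. Assumed for illustration: the flashcard does not
# say which domain Acme Bank owns, so "acmebank.com" is treated as the genuine one.
TRUSTED_DOMAINS = {"acmebank.com"}


def inspect_link(url: str, trusted=TRUSTED_DOMAINS) -> Tuple[bool, List[str]]:
    """Return (is_suspicious, reasons) for a link taken from an e-mail body.

    Works on the host the browser would connect to (userinfo and port removed,
    lower-cased), not on the text the sender chose to display.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return True, ["URL has no host"]

    reasons = []
    if not host.isascii():
        reasons.append("host contains non-ASCII characters (possible homoglyph)")
    # A trusted domain must be the whole host or a suffix preceded by a dot;
    # "acmebank.com.evil.example" and "acmebank.us" both fail this test.
    if not any(host == d or host.endswith("." + d) for d in trusted):
        reasons.append(f"host {host!r} is not under a trusted domain")
    if parts.username is not None:
        reasons.append(f"userinfo {parts.username!r} before '@' hides the real host")
    if parts.scheme != "https":
        reasons.append(f"scheme {parts.scheme!r} is not https")
    return bool(reasons), reasons


# Constructed sample links; the first is the one quoted in the flashcard e-mail.
SAMPLE_LINKS = [
    "http://www.acmebank.us/accounts",
    "https://www.acmebank.com/accounts",
    "https://www.acmebank.com.account-check.example/login",
    "https://www.acmebank.com@198.51.100.7/login",
    "https://www.acmebаnk.com/accounts",   # Cyrillic 'а' in place of Latin 'a'
]


def triage(links=SAMPLE_LINKS) -> Dict[str, bool]:
    """Map each link to whether it should be treated as suspicious."""
    return {link: inspect_link(link)[0] for link in links}


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        suspicious, reasons = inspect_link(link)
        print(f"{'SUSPICIOUS' if suspicious else 'ok        '} {link}")
        for reason in reasons:
            print(f"    - {reason}")
```

Only the second link passes. Note that a link can pass every one of these checks and still be hostile, for example when the trusted domain itself has been compromised, so this is a triage aid for awareness training and mail filtering, not a substitute for going to the bank's site by typing its address.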
You are testing your router configuration and discover a security vulnerability. After searching the Internet, you realize that this vulnerability is unknown. Which type of attack is your router vulnerable to?
Denial of service
Phishing attack
Zero-day exploit
Zero-day exploit
A zero-day exploit targets a newly discovered vulnerability for which no fix exists, usually because the vendor is not yet aware of it
Which of the following options best describe proper usage of PII? (Choose two.)
Law enforcement tracking an Internet offender using a public IP address
Distributing an e-mail contact list to marketing firms
Logging into a secured laptop using a fingerprint scanner
Due diligence
Law enforcement tracking an Internet offender using a public IP address
Logging into a secured laptop using a fingerprint scanner
Proper use of PII means using it only for its intended, authorized purpose and not divulging a person's or entity's personal information to other parties. Tracking a criminal using an IP address and logging in with a fingerprint scanner are proper uses of PII; handing an e-mail contact list to marketing firms is not
Your company restricts firewall administrators from modifying firewall logs. Only IT security personnel are allowed to do this. What is this an example of?
Due care
Separation of duties
Principle of least privilege
Separation of duties
Separation of duties requires that no single person control every step of a process, so the people who administer the firewall are not the same people who can alter its logs
Your local ISP provides a PDF file stating a 99.97 percent service availability for T1 connectivity to the Internet. How would you classify this type of documentation?
Top secret
Acceptable use policy
Service level agreement
Service level agreement
Service level agreements (SLAs) formally define an expected level of service, such as 99.97 percent availability
The Accounts Payable department notices large out-of-country purchases made using a corporate credit card. After discussing the matter with Juan, the employee whose name is on the credit card, they realize somebody has illegally obtained the credit card details. You also learn that he recently received an e-mail from what appeared to be the credit card company asking him to sign in to their web site to validate his account, which he did. How could this have been avoided?
Provide credit card holders with smartcards.
Tell users to increase the strength of online passwords.
Provide security awareness training to employees.
Provide security awareness training to employees.
If Juan had been aware of phishing scams, he would have recognized the e-mail message for what it was and not signed in through its link
Which of the following statements are true? (Choose two.)
Security labels are used for data classifications such as restricted and top secret.
PII is applicable only to biometric authentication devices.
Forcing user password changes is considered change management.
A person’s signature on a check is considered PII.
Security labels are used for data classifications such as restricted and top secret.
A person’s signature on a check is considered PII.
Restricted and top secret are examples of security data labeling. A signature on a check is considered PII, since it is a personal characteristic
Which of the following best illustrates potential security problems related to social networking sites?
Other users can easily see your IP address.
Talkative employees can expose a company’s intellectual property.
Malicious users can use your pictures for steganography.
Talkative employees can expose a company’s intellectual property.
People tend to speak more freely on social networking sites than anywhere else. Exposing important company information could pose a problem
As the IT security officer, you establish a security policy requiring that users protect all paper documents so that sensitive client, vendor, or company data is not stolen. What type of policy is this?
Privacy
Acceptable use
Clean desk
Clean desk
A clean desk policy requires paper documents to be safely stored (and not left on desks) to prevent malicious users from acquiring them
What is the primary purpose of enforcing a mandatory vacation policy?
To adhere to government regulation
To ensure that employees are refreshed
To prevent improper activity
To prevent improper activity
Knowledge that vacation time is mandatory means employees are less likely to engage in improper business practices. A different employee filling that job role is more likely to notice irregularities
What does a privacy policy protect?
Customer data
Trade secrets
Employee home directories
Customer data
Privacy policies are designed to protect customer, guest, or patient confidential information
Which of the following statements about a security policy are true? (Choose two.)
Users must read and sign the security policy.
It guarantees a level of uptime for IT services.
It is composed of subdocuments.
Management approval must be obtained.
It is composed of subdocuments.
Management approval must be obtained.
Security policies are composed of subdocuments such as an Internet use policy and remote access policy. Management approval is required for security policies to make an impact
You are developing a security training outline for the Accounting department that will take place in the office. Which two items should not be included in the training? (Choose two.)
Firewall configuration
The Accounting department’s support of security initiatives
Physical security
Social engineering
Firewall configuration
The Accounting department’s support of security initiatives
The IT technical team will be interested in firewall configurations; this is not relevant to the Accounting department. Management must support security initiatives as a first step, even before creating security policies; this is not the job of the Accounting department
Choose the correct statement:
Users are assigned classification labels to access sensitive data.
Data is assigned clearance levels to access sensitive data.
Users are assigned clearance levels to access sensitive data.
Users are assigned clearance levels to access sensitive data.
Data is assigned a specific classification label such as top secret, and only users with the appropriate clearance levels can access that data
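The distinction in this card, labels on data and clearances on users, is what an access check actually compares. The following is an added example, not part of the original flashcards, that orders a set of classification labels and grants read access only when the user's clearance dominates the data's label. It goes slightly beyond the card by also modelling compartments (need-to-know), so that a top secret clearance alone does not open a file restricted to a particular project, and it fails closed when a file carries a label outside the scheme. The label names, users, and file names are assumed and constructed for illustration; as the next card notes, each organization defines its own label set.

```python
from typing import Dict, FrozenSet, NamedTuple, Set

# Sensitivity levels from least to most sensitive. The names are assumed; an
# organization substitutes its own ordered set here.
LEVELS = ("public", "internal", "confidential", "restricted", "top secret")
RANK = {name: i for i, name in enumerate(LEVELS)}


class Label(NamedTuple):
    """A classification label (on data) or a clearance (on a user)."""
    level: str
    compartments: FrozenSet[str] = frozenset()   # need-to-know categories


def dominates(clearance: Label, label: Label) -> bool:
    """True when a clearance is at least as high as a label.

    The level must be equal or higher and the clearance must include every
    compartment the data carries. Unknown levels deny access (fail closed).
    """
    if clearance.level not in RANK or label.level not in RANK:
        return False
    return (RANK[clearance.level] >= RANK[label.level]
            and label.compartments <= clearance.compartments)


# Constructed users (clearances) and files (labels).
USERS: Dict[str, Label] = {
    "alice": Label("top secret", frozenset({"research"})),
    "bob": Label("confidential"),
    "contractor": Label("internal"),
}
FILES: Dict[str, Label] = {
    "drug-trial-results.pdf": Label("restricted", frozenset({"research"})),
    "staff-handbook.pdf": Label("internal"),
    "q3-forecast.xlsx": Label("confidential"),
    "legacy-export.csv": Label("unlabelled"),    # label outside the scheme
}


def readable_files(user: str) -> Set[str]:
    """Files the named user may read: every file whose label the clearance dominates."""
    clearance = USERS[user]
    return {name for name, label in FILES.items() if dominates(clearance, label)}


if __name__ == "__main__":
    for user in USERS:
        print(f"{user}: {sorted(readable_files(user))}")
```

The unlabelled file is readable by nobody, which is the right default: data that has not been classified should be treated as sensitive until someone labels it, rather than falling through to public.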
You are a file server administrator for a health organization. Management has asked you to configure your servers to classify files containing patient medical history data appropriately. What is an appropriate data classification for these types of files? (Choose all that apply.)
High
Medium
Low
Private
Public
Confidential
High
Private
Confidential
Organizations will differ in how they specifically label sensitive data. Patient medical history is sensitive and would cause harm if exposed to the public; therefore high, private, and confidential are all valid labels for it, while medium, low, and public are not
You are configuring a Wi-Fi network for a clothing retail outlet. In accordance with the Payment Card Industry (PCI) regulations for companies handling payment cards, you must ensure default passwords are changed on the wireless router. This is best described as:
PCI policy
Compliance with security standards
User education and awareness
Compliance with security standards
Securing a wireless network to meet industry regulations is best described as complying with security standards
Your company provides a paper document shredder on each floor of a building. What security issue does this address?
Data handling
Clean desk policy
Tailgating
Data handling
Part of data handling includes shredding paper documents to prevent unauthorized persons from viewing printed sensitive information
Your company’s BYOD policy pays a monthly stipend to employees who use their personal smart phones for work purposes. What type of app should the company ensure is installed and running on all BYOD smart phones?
eBay app
PDF reader app
Antivirus app
Antivirus app
Companies with BYOD policies should ensure some type of anti-malware is running on smart phones, whereas other companies might strictly prohibit personally owned devices being used for business purposes
What is the best defense against new viruses?
Keeping antivirus definitions up to date
Turning off the computer when not in use
Not connecting to Wi-Fi networks
Keeping antivirus definitions up to date
New viruses come into existence every day. Antivirus software must be updated on a regular basis to counter these new threats
You and your IT team have completed drafting security policies for e-mail acceptable use and remote access through the company VPN. Users currently use both e-mail and the VPN. What must be done next? (Choose two.)
Update VPN appliance firmware.
Provide security user awareness training.
Encrypt all user mail messages.
Mandate security awareness testing for users.
Provide security user awareness training.
Mandate security awareness testing for users.
The best defense against security breaches of any kind is user awareness. This is provided through training, such as ensuring that employees know not to send or receive personal e-mail messages using the work e-mail account. To ensure the training is effective, users should be tested
Margaret, the head of HR, conducts an exit interview with a departing IT server technician named Irving. The interview encompasses Irving’s view on the organization, the benefits of the job role he held, and potential improvements that could be made. Which of the following issues should also be addressed in the exit interview?
Background check
Job rotation
Property return form
Property return form
All equipment, access codes, keys, and passes must be surrendered to the company when an employee leaves the organization. This is formalized and recorded on a property return form
An IT security officer is configuring data label options for a company research file server. Users can currently label documents as public, contractor, or human resources. For company trade secrets, which label should be used?
Proprietary
High
Low
Proprietary
Company trade secrets should be labeled as proprietary
Which of the following is an example of PHI?
Education records
Employment records
Fingerprints
Fingerprints
Fingerprints are considered protected health information (PHI) under the U.S. HIPAA rules, which list biometric identifiers such as finger and voice prints among the identifiers that make health information individually identifiable
A security auditor is attempting to determine an organization’s data backup and long-term archiving strategy. Which type of organization document should the auditor refer to?
Security policy
Data retention policy
Data leakage policy
Data retention policy
Data retention policies specify details about data storage for various types of information. This includes storage location, the length of time data is retained, the type of storage medium such as magnetic tape or cloud archiving, and so on