Security Policies and Standards Flashcards by Alex valentine

The primary purpose of security policies is to:

Establish legal grounds for prosecution.

Improve IT service performance.

Reduce the risk of security breaches.

Security policies are an organized manner through which the corporate security strategy is realized in order to reduce the risk of security breaches

How well did you know this?

Not at all

Perfectly

You have been tasked with creating a corporate security policy regarding smart phone usage for business purposes. What should you do first?

Issue smart phones to all employees.

Obtain support from management.

Get a legal opinion.

Obtain support from management.

Management support is crucial in the successful implementation of corporate security policies

How well did you know this?

Not at all

Perfectly

Christine is the server administrator for Contoso Corporation. Her manager provided step-by-step security policies outlining how servers should be configured to maximize security. Which type of security policy will Christine be implementing?

Mail server acceptable use policy

VPN server acceptable use policy

Procedural policy

Procedural policies provide step-by-step instructions for configuring servers

How well did you know this?

Not at all

Perfectly

Which of the following are examples of PII? (Choose two.)

Private IP address on an internal network

Mobile phone number

Digital certificate

Gender

Mobile phone number

Digital certificate

Personally identifiable information (PII) is data that uniquely identifies a person, such as a mobile phone number or digital certificate

How well did you know this?

Not at all

Perfectly

After a lengthy background check and interviewing process, your company hired a new payroll clerk named Stacey. Stacey will be using a web browser on a company computer at the office to access the payroll application on a public cloud provider web site over the Internet. Which type of document should Stacey read and sign?

Internet acceptable use policy

Password policy

Service level agreement

Internet acceptable use policy

Because Stacey will be using company equipment to access the Internet, she should read and sign an Internet acceptable use policy

How well did you know this?

Not at all

Perfectly

You are configuring a password policy for users in the Berlin office. Passwords must be changed every 60 days. You must ensure that user passwords cannot be changed more than once within the 60-day interval. What should you configure?

Minimum password age

Maximum password age

Password complexity

Minimum password age

The minimum password age is a period of time that must elapse before a password can be changed

How well did you know this?

Not at all

Perfectly

You have been hired as a consultant by a pharmaceutical company. The company is concerned that confidential drug research documents might be recovered from discarded hard disks. What should you recommend?

Repartition the hard disks.

Freeze the hard drives.

Physically shred the hard disks.

Physically shredding the hard disk is the most effective way of ensuring confidential data cannot be retrieved

How well did you know this?

Not at all

Perfectly

Acme Corporation is upgrading its network routers. The old routers will be sent to the head office before they are disposed of. What must be done to the routers prior to disposal to minimize security breaches?

Change the router privileged mode password.

Remove DNS server entries from the router configuration.

Set the router to factory default settings.

Network equipment such as routers should be reset to factory default settings before disposal to remove company-specific configurations

How well did you know this?

Not at all

Perfectly

Your company has decided to adopt a public cloud device management solution where all devices are centrally managed from a web site hosted on servers in a data center. Management has instructed you to ensure that the solution is reliable and always available. Which type of document should you focus on?

Password policy

Service level agreement

Remote access acceptable use policy

Service level agreement

A service level agreement is a contract stipulating what level of service and availability can be expected

How well did you know this?

Not at all

Perfectly

Which of the following best embodies the concept of least privilege?

Detecting malware running without elevated privileges

Assigning users full control permissions to network resources

Assigning needed permissions to enable users to complete a task

The least privilege principle specifies that only the needed permissions to perform a task should be assigned to users

How well did you know this?

Not at all

Perfectly

The creation of data security policies is most affected by which two factors? (Choose two.)

Industry regulations

IP addressing scheme being used

Operating system version being used

PII

Industry regulations

PII

Industry regulations as well as the protection of personally identifiable information (PII) will have a large impact on the details contained within data security policies

How well did you know this?

Not at all

Perfectly

As the network administrator for your company, you are creating a security policy such that devices connecting to the corporate VPN must have a trusted digital certificate installed. Which type of security policy are you creating?

Mobile device encryption policy

Authentication policy

Remote access policy

VPNs are remote access solutions, so in this case you would be creating a remote access policy

How well did you know this?

Not at all

Perfectly

You are reviewing surveillance camera footage after items have gone missing from your company’s office in the evenings. On the video you notice an unidentified person entering the building’s main entrance behind an employee who unlocked the door with a swipe card. What type of security breach is this?

Tailgating

Mantrapping

Horseback riding

Tailgating

Tailgating occurs when an unauthorized person follows an authorized person closely to gain access to a restricted resource such as a building or room

How well did you know this?

Not at all

Perfectly

You receive the e-mail message shown here. What type of threat is this?

Dear valued Acme Bank customer, Acme Bank will be updating web server banking software next week. To ensure continued access to your accounts, we ask that you go to http://www.acmebank.us/accounts and reset your password within the next 24 hours. We sincerely appreciate your business.
Acme Bank

Denial of service

Phishing attack

Zero-day exploit

Phishing attack

Phishing attacks attempt to fool people to connect to seemingly authentic web sites in order for the unsuspecting user to disclose personal information such as bank account numbers and passwords

How well did you know this?

Not at all

Perfectly

You are testing your router configuration and discover a security vulnerability. After searching the Internet, you realize that this vulnerability is unknown. Which type of attack is your router vulnerable to?

Denial of service

Phishing attack

Zero-day exploit

Zero-day exploits are recently discovered vulnerabilities for which there is no fix, usually because it is unknown to the manufacturer

How well did you know this?

Not at all

Perfectly

Which of the following options best describe proper usage of PII? (Choose two.)

Law enforcement tracking an Internet offender using a public IP address

Distributing an e-mail contact list to marketing firms

Logging into a secured laptop using a fingerprint scanner

Due diligence

Law enforcement tracking an Internet offender using a public IP address

Logging into a secured laptop using a fingerprint scanner

Proper use of PII means not divulging a person’s or entity’s personal information to other parties. Tracking criminals using IP addresses and logging in with a fingerprint scanner are proper uses of PII

Your company restricts firewall administrators from modifying firewall logs. Only IT security personnel are allowed to do this. What is this an example of?

Due care

Separation of duties

Principle of least privilege

Separation of duties

Separation of duties requires more than one person to complete a process such as controlling a firewall and its logs

Your local ISP provides a PDF file stating a 99.97 percent service availability for T1 connectivity to the Internet. How would you classify this type of documentation?

Top secret

Acceptable use policy

Service level agreement

Service level agreements (SLAs) formally define an expected level of service, such as 99.97 percent availability

The Accounts Payable department notices large out-of-country purchases made using a corporate credit card. After discussing the matter with Juan, the employee whose name is on the credit card, they realize somebody has illegally obtained the credit card details. You also learn that he recently received an e-mail from what appeared to be the credit card company asking him to sign in to their web site to validate his account, which he did. How could this have been avoided?

Provide credit card holders with smartcards.

Tell users to increase the strength of online passwords.

Provide security awareness training to employees.

If Juan had been aware of phishing scams, he would have ignored the e-mail message

Which of the following statements are true? (Choose two.)

Security labels are used for data classifications such as restricted and top secret.

PII is applicable only to biometric authentication devices.

Forcing user password changes is considered change management.

A person’s signature on a check is considered PII.

Security labels are used for data classifications such as restricted and top secret.

A person’s signature on a check is considered PII.

Restricted and top secret are examples of security data labeling. A signature on a check is considered PII, since it is a personal characteristic

Which of the following best illustrates potential security problems related to social networking sites?

Other users can easily see your IP address.

Talkative employees can expose a company’s intellectual property.

Malicious users can use your pictures for steganography.

Talkative employees can expose a company’s intellectual property.

People tend to speak more freely on social networking sites than anywhere else. Exposing important company information could pose a problem

As the IT security officer, you establish a security policy requiring that users protect all paper documents so that sensitive client, vendor, or company data is not stolen. What type of policy is this?

Privacy

Acceptable use

Clean desk

A clean desk policy requires paper documents to be safely stored (and not left on desks) to prevent malicious users from acquiring them

What is the primary purpose of enforcing a mandatory vacation policy?

To adhere to government regulation

To ensure that employees are refreshed

To prevent improper activity

Knowledge that vacation time is mandatory means employees are less likely to engage in improper business practices. A different employee filling that job role is more likely to notice irregularities

What does a privacy policy protect?

Customer data

Trade secrets

Employee home directories

Customer data

Privacy policies are designed to protect customer, guest, or patient confidential information

Which of the following statements about a security policy are true? (Choose two.) Users must read and sign the security policy. It guarantees a level of uptime for IT services. It is composed of subdocuments. Management approval must be obtained.

It is composed of subdocuments. Management approval must be obtained. Security policies are composed of subdocuments such as an Internet use policy and remote access policy. Management approval is required for security policies to make an impact

You are developing a security training outline for the Accounting department that will take place in the office. Which two items should not be included in the training? (Choose two.) Firewall configuration The Accounting department's support of security initiatives Physical security Social engineering

Firewall configuration The Accounting department's support of security initiatives The IT technical team will be interested in firewall configurations; this is not relevant to the Accounting department. Management must support security initiatives as a first step, even before creating security policies; this is not the job of the Accounting department

# Choose the correct statement: Users are assigned classification labels to access sensitive data. Data is assigned clearance levels to access sensitive data. Users are assigned clearance levels to access sensitive data.

Users are assigned clearance levels to access sensitive data. Data is assigned a specific classification label such as top secret, and only users with the appropriate clearance levels can access that data

You are a file server administrator for a health organization. Management has asked you to configure your servers to classify files containing patient medical history data appropriately. What is an appropriate data classification for these types of files? (Choose all that apply.) High Medium Low Private Public Confidential

High Private Confidential Organizations will differ in how they specifically label sensitive data. Patient medical history is considered sensitive; therefore, classifying the data as a high security risk if exposed to the public, as private, or as confidential are all valid labels

You are configuring a Wi-Fi network for a clothing retail outlet. In accordance with the Payment Card Industry (PCI) regulations for companies handling payment cards, you must ensure default passwords are changed on the wireless router. This is best described as: PCI policy Compliance with security standards User education and awareness

Compliance with security standards Securing a wireless network to meet industry regulations is best described as complying with security standards

Your company provides a paper document shredder on each floor of a building. What security issue does this address? Data handling Clean desk policy Tailgating

Data handling Part of data handling includes the physical shredding of physical documents to prevent unauthorized persons from viewing printed sensitive information

Your company's BYOD policy pays a monthly stipend to employees who use their personal smart phones for work purposes. What type of app should the company ensure is installed and running on all BYOD smart phones? eBay app PDF reader app Antivirus app

Antivirus app Companies with BYOD policies should ensure some type of anti-malware is running on smart phones, whereas other companies might strictly prohibit personally owned devices being used for business purposes

What is the best defense against new viruses? Keeping antivirus definitions up to date Turning off the computer when not in use Not connecting to Wi-Fi networks

Keeping antivirus definitions up to date New viruses come into existence every day. Antivirus software must be updated on a regular basis to counter these new threats

You and your IT team have completed drafting security policies for e-mail acceptable use and remote access through the company VPN. Users currently use both e-mail and the VPN. What must be done next? (Choose two.) Update VPN appliance firmware. Provide security user awareness training. Encrypt all user mail messages. Mandate security awareness testing for users.

Provide security user awareness training. Mandate security awareness testing for users. The best defense against security breaches of any kind is user awareness. This is provided through training, such as ensuring that employees know not to send or receive personal e-mail messages using the work e-mail account. To ensure the training is effective, users should be tested

Margaret, the head of HR, conducts an exit interview with a departing IT server technician named Irving. The interview encompasses Irving's view on the organization, the benefits of the job role he held, and potential improvements that could be made. Which of the following issues should also be addressed in the exit interview? Background check Job rotation Property return form

Property return form All equipment, access codes, keys, and passes must be surrendered to the company when an employee leaves the organization. This is formalized and recorded on a property return form

An IT security officer is configuring data label options for a company research file server. Users can currently label documents as public, contractor, or human resources. For company trade secrets, which label should be used? Proprietary High Low

Proprietary Company trade secrets should be labeled as proprietary

Which of the following in an example of PHI? Education records Employment records Fingerprints

Fingerprints Fingerprints are considered protected health information (PHI) under the American HIPAA rules

A security auditor is attempting to determine an organization's data backup and long-term archiving strategy. Which type of organization document should the auditor refer to? Security policy Data retention policy Data leakage policy

Data retention policy Data retention policies specify details about data storage for various types of information. This includes storage location, the length of time data is retained, the type of storage medium such as magnetic tape or cloud archiving, and so on