Security Policies and Standards Flashcards

Q: The primary purpose of security policies is to:
- Establish legal grounds for prosecution.
- Improve IT service performance.
- Reduce the risk of security breaches.
Answer: Reduce the risk of security breaches.
Explanation: Security policies are the organized means through which the corporate security strategy is realized in order to reduce the risk of security breaches.

Q: You have been tasked with creating a corporate security policy regarding smart phone usage for business purposes. What should you do first?
- Issue smart phones to all employees.
- Obtain support from management.
- Get a legal opinion.
Answer: Obtain support from management.
Explanation: Management support is crucial to the successful implementation of corporate security policies.

Q: Christine is the server administrator for Contoso Corporation. Her manager provided step-by-step security policies outlining how servers should be configured to maximize security. Which type of security policy will Christine be implementing?
- Mail server acceptable use policy
- VPN server acceptable use policy
- Procedural policy
Answer: Procedural policy
Explanation: Procedural policies provide step-by-step instructions for configuring servers.

Q: Which of the following are examples of PII? (Choose two.)
- Private IP address on an internal network
- Mobile phone number
- Digital certificate
- Gender
Answer: Mobile phone number; Digital certificate
Explanation: Personally identifiable information (PII) is data that uniquely identifies a person, such as a mobile phone number or digital certificate.

Q: After a lengthy background check and interviewing process, your company hired a new payroll clerk named Stacey. Stacey will be using a web browser on a company computer at the office to access the payroll application on a public cloud provider web site over the Internet. Which type of document should Stacey read and sign?
- Internet acceptable use policy
- Password policy
- Service level agreement
Answer: Internet acceptable use policy
Explanation: Because Stacey will be using company equipment to access the Internet, she should read and sign an Internet acceptable use policy.

Q: You are configuring a password policy for users in the Berlin office. Passwords must be changed every 60 days. You must ensure that user passwords cannot be changed more than once within the 60-day interval. What should you configure?
- Minimum password age
- Maximum password age
- Password complexity
Answer: Minimum password age
Explanation: The minimum password age is the period of time that must elapse before a password can be changed again.

Q: You have been hired as a consultant by a pharmaceutical company. The company is concerned that confidential drug research documents might be recovered from discarded hard disks. What should you recommend?
- Repartition the hard disks.
- Freeze the hard drives.
- Physically shred the hard disks.
Answer: Physically shred the hard disks.
Explanation: Physically shredding the hard disks is the most effective way of ensuring that confidential data cannot be retrieved.

Q: Acme Corporation is upgrading its network routers. The old routers will be sent to the head office before they are disposed of. What must be done to the routers prior to disposal to minimize security breaches?
- Change the router privileged mode password.
- Remove DNS server entries from the router configuration.
- Set the router to factory default settings.
Answer: Set the router to factory default settings.
Explanation: Network equipment such as routers should be reset to factory default settings before disposal to remove company-specific configurations.

Q: Your company has decided to adopt a public cloud device management solution where all devices are centrally managed from a web site hosted on servers in a data center. Management has instructed you to ensure that the solution is reliable and always available. Which type of document should you focus on?
- Password policy
- Service level agreement
- Remote access acceptable use policy
Answer: Service level agreement
Explanation: A service level agreement is a contract stipulating what level of service and availability can be expected.

Q: Which of the following best embodies the concept of least privilege?
- Detecting malware running without elevated privileges
- Assigning users full control permissions to network resources
- Assigning needed permissions to enable users to complete a task
Answer: Assigning needed permissions to enable users to complete a task
Explanation: The least privilege principle specifies that only the permissions needed to perform a task should be assigned to users.

Q: The creation of data security policies is most affected by which two factors? (Choose two.)
- Industry regulations
- IP addressing scheme being used
- Operating system version being used
- PII
Answer: Industry regulations; PII
Explanation: Industry regulations, as well as the protection of personally identifiable information (PII), have a large impact on the details contained within data security policies.

Q: As the network administrator for your company, you are creating a security policy such that devices connecting to the corporate VPN must have a trusted digital certificate installed. Which type of security policy are you creating?
- Mobile device encryption policy
- Authentication policy
- Remote access policy
Answer: Remote access policy
Explanation: VPNs are remote access solutions, so in this case you would be creating a remote access policy.

Q: You are reviewing surveillance camera footage after items have gone missing from your company's office in the evenings. On the video you notice an unidentified person entering the building's main entrance behind an employee who unlocked the door with a swipe card. What type of security breach is this?
- Tailgating
- Mantrapping
- Horseback riding
Answer: Tailgating
Explanation: Tailgating occurs when an unauthorized person follows an authorized person closely to gain access to a restricted resource such as a building or room.

Q: You receive the e-mail message shown here. What type of threat is this?

    Dear valued Acme Bank customer, Acme Bank will be updating web server banking software next week. To ensure continued access to your accounts, we ask that you go to http://www.acmebank.us/accounts and reset your password within the next 24 hours. We sincerely appreciate your business.
    Acme Bank

- Denial of service
- Phishing attack
- Zero-day exploit
Answer: Phishing attack
Explanation: Phishing attacks attempt to fool people into connecting to seemingly authentic web sites so that the unsuspecting user discloses personal information such as bank account numbers and passwords.

Q: You are testing your router configuration and discover a security vulnerability. After searching the Internet, you realize that this vulnerability is unknown. Which type of attack is your router vulnerable to?
- Denial of service
- Phishing attack
- Zero-day exploit
Answer: Zero-day exploit
Explanation: Zero-day exploits target recently discovered vulnerabilities for which no fix exists, usually because the vulnerability is unknown to the manufacturer.