Module 4 - Understanding Security Governance - Q&A Flashcards

1
Q
Which of the following is the highest form of governance that applies to businesses?
A. Statutes
B. Policies
C. Guidelines
D. Standards
A

A. Statutes are public laws that override any internal organizational governance.

2
Q
Which of the following describes, in detail, how a policy will be implemented?
A. Best practice
B. Guideline
C. Procedure
D. Standard
A

C. A procedure describes, in detail, how a policy will be implemented.

3
Q
All of the following are reasons for an organization to develop its policies, except:
A. Compliance with law
B. Organizational ethics
C. Satisfy business objectives
D. Avoid lawsuits
A

D. Developing a policy alone will not help an organization avoid lawsuits; however, it might demonstrate due care and diligence and reduce legal liability.

4
Q
Mike has been using the company’s Internet connection to play online games during work hours. Which of the following could he be in violation of?
A. Security procedures
B. Federal law
C. Company policy
D. FIPS standards
A

C. Mike could be in violation of any existing company policy that restricts Internet usage. He would not be in violation of any federal law, since playing online games during work hours is not illegal. Security procedures dictate how to accomplish a task, and FIPS standards do not cover Internet usage requirements.

5
Q
Which of the following is an optional form of governance?
A. Policy
B. Guideline
C. Standard
D. Procedure
A

B. Guidelines are optional forms of governance.

6
Q
A business wants to ensure that employees cannot access non-work-related sites during business hours. Which policy would it create to include the restriction?
A. Social media policy
B. Acceptable use policy
C. Equipment use policy
D. Privacy policy
A

B. The acceptable use policy would be created to cover restrictions on Internet use during work hours.

7
Q
Which of the following policies might require that data from critical servers be saved on a nightly basis?
A. Data classification policy
B. Care of equipment policy
C. Acceptable use policy
D. Backup policy
A

D. The company’s backup policy would dictate requirements to back up critical data on a routine basis.

8
Q
Mike, a system administrator, has failed to complete several assigned tasks over the past few months, yet he continually works overtime. Which of the following types of policy would the company use to audit Mike’s actions, as well as discipline him for failure to complete these projects?
A. Acceptable use policy
B. Privacy policy
C. Personnel policy
D. Data sensitivity policy
A

C. Personnel policies would address security concerns such as separation of duties, mandatory vacations, and job rotation in order to audit an employee’s activities, as well as the process for disciplining an employee for failure to perform his or her assigned duties.

9
Q
Your company is being sued because it allowed another company to use its customers’ personal information without their prior consent. Which of the following should be reviewed to ensure that it addresses concerns regarding the transfer of personal information to third parties?
A. Customer privacy policy
B. Employee privacy policy
C. Access control policy
D. Data sensitivity policy
A

A. The company’s customer privacy policy should be examined to ensure that it addresses transfer of personal customer data to third parties.

10
Q

A company employee has recently posted details of a pending partnership with another business on her blog site and Twitter account. You want to discipline her for this, but your human resources department tells you that there are currently no social media restrictions prohibiting her action. Which of the following should you do to prevent further incidents of this sort?
A. Terminate her immediately to set an example for other employees.
B. Terminate the partnership.
C. Discipline the employee for violating the acceptable use policy.
D. Create a social media policy and ensure that all employees are made aware of it.

A

D. The first step you should take is to create a company social media policy restricting what employees can post on social media regarding the company. You should also make sure that each employee is made aware of the new policy and understands its ramifications. Terminating her without a policy already in place would open up the company to legal liability, since she may sue the company for firing her when there were no restrictions on what she did. The same would apply to disciplining her, since the acceptable use policy does not contain social media restrictions. Terminating the partnership over this infraction does not make good business sense.
