Organizational Security and Compliance

Question 1

After a few incidents where customer data was transmitted to a third party, your organization is required to create and adhere to a policy that describes the distribution, protection, and confidentiality of customer data. Which of the following policies do you create?

Privacy

Due care

Acceptable use

Answer 1

Privacy

A privacy policy concerns the protection and distribution of private customer data. Any company, especially one engaged in online activities or e-commerce, has a responsibility to adopt and implement a policy for protecting the privacy of individually identifiable information

Question 2

You are performing a risk analysis for a complex web-based application. Based on your conclusions regarding the probability, impact, and mitigation cost of an attack based on domain name service (DNS) manipulation or poisoning against your web domain, you decide to place the responsibility of the risk on your Internet service provider (ISP), who handles your DNS services. Which risk management option is this an example of?

Deterrence

Avoidance

Transference

Answer 2

Transference

The risk of DNS attacks occurring against your web domain is something that can only be assumed by your ISP, who takes care of your DNS services. In this part of your risk analysis, you are transferring the responsibility of the risk to your ISP to protect your web services from DNS-based attacks

Question 3

As the centralized management location from which you provide Internet-based application services to several external clients, which of the following policies do you provide to your clients as an agreement for service uptime?

Code of ethics

Privacy

SLA

Answer 3

SLA

A service level agreement (SLA) is an understanding between a supplier of services and the clients of those services that the service in question will be available for a specific percentage of time. In this case, you might guarantee your clients a 99.5 percent uptime of communications services

Question 4

There is a suspicion that a specific employee is performing illegal activities on your company’s networks. To gather evidence about his activities, which of the following principles and techniques could you employ?

Password rotation

Mandatory vacation

Need-to-know

Answer 4

Mandatory vacation

When a user is forced to take a vacation, his activities can be audited, and any suspicious behavior will be more likely to be noticed and detected because the user is not there to prevent its discovery. You may also discover that the illegal activities completely cease while the user is away and then resume when he returns

Question 5

As part of a risk analysis of a very large and extensive back-end database, you need to calculate the probability and impact of data corruption. Which of the following impact factors allows you to calculate your annualized losses due to data corruption?

SLA

ARO

ALE

Answer 5

ALE

ALE (annual loss expectancy) describes how much money you expect to lose on an annual basis because of the impact from an occurrence of a specific risk. ALE is calculated by multiplying the annual rate of occurrence (ARO) by the single loss expectancy (SLE)

Question 6

You need to create an overall policy for your organization that describes how your users can properly make use of company communications services, such as web browsing, e-mail, and File Transfer Protocol (FTP) services. Which of the following policies do you implement?

Acceptable use policy

Due care

Privacy policy

Answer 6

Acceptable use policy

An acceptable use policy establishes rules for the appropriate use of computer networks within your organization. The policy describes the terms, conditions, and rules of using the Internet and its various services within the company’s networks

Question 7

After the initial configuration of an anti-spam e-mail-filtering appliance on your network, users are complaining that too many legitimate messages are being flagged as spam in their mailboxes. Which of the following concepts is this an example of?

Baseline threshold

False negative

False positive

Answer 7

False positive

A false positive is a legitimate action that is perceived as a risk or threat. The term false positive is often used in e-mail security scanning to indicate legitimate mail that was classified as spam

Question 8

Your organization deals with sensitive health insurance information for patients that is covered by the HIPAA compliance policies. Which of the following DLP security techniques would you implement to help protect the confidentiality and privacy of your patient’s health insurance data when communicating the information between healthcare facilities?

Encryption of outbound data containing health insurance information

A firewall to protect against inbound network attacks

Antivirus scanning of patient data

Answer 8

Encryption of outbound data containing health insurance information

To comply with the HIPAA regulations, you must protect the confidentiality of your patients’ health insurance information. When communicating this data, you must encrypt it to ensure that it cannot be read if intercepted or stolen

Question 9

It has been discovered that a former member of the IT department who switched to the development team still has administrative access to many major network infrastructure devices and servers. Which of the following mitigation techniques should be implemented to help reduce the risk of this event recurring?

Incident management and response policy

Change management notifications

Regular user permission and rights reviews

Answer 9

Regular user permission and rights reviews

User rights and permissions must be constantly reviewed to make sure that users have only the rights they require for their current responsibilities. When users change roles and responsibilities in the organization, you must review their permissions and modify their access accordingly

Question 10

Two friends have decided to go into business together to create a new gadget. They do not have existing businesses and wish to share the decisions and profits equally between them. Which type of agreement is most appropriate to begin the business?

MOA

SLA

BPA

Answer 10

BPA

A BPA is most appropriate type of agreement because the potential owners do not have existing businesses to interconnect and need to establish the ground rules and responsibilities for ownership, including how they will resolve differences and split any profits