Security Policies and Standards Flashcards

1
Q

The primary purpose of security policies is to:

Establish legal grounds for prosecution.

Improve IT service performance.

Reduce the risk of security breaches.

A

Reduce the risk of security breaches.

Security policies are an organized manner through which the corporate security strategy is realized in order to reduce the risk of security breaches.

2
Q

You have been tasked with creating a corporate security policy regarding smart phone usage for business purposes. What should you do first?

Issue smart phones to all employees.

Obtain support from management.

Get a legal opinion.

A

Obtain support from management.

Management support is crucial in the successful implementation of corporate security policies.

3
Q

Christine is the server administrator for Contoso Corporation. Her manager provided step-by-step security policies outlining how servers should be configured to maximize security. Which type of security policy will Christine be implementing?

Mail server acceptable use policy

VPN server acceptable use policy

Procedural policy

A

Procedural policy

Procedural policies provide step-by-step instructions for configuring servers.

4
Q

Which of the following are examples of PII? (Choose two.)

Private IP address on an internal network

Mobile phone number

Digital certificate

Gender

A

Mobile phone number

Digital certificate

Personally identifiable information (PII) is data that uniquely identifies a person, such as a mobile phone number or digital certificate.

5
Q

After a lengthy background check and interviewing process, your company hired a new payroll clerk named Stacey. Stacey will be using a web browser on a company computer at the office to access the payroll application on a public cloud provider web site over the Internet. Which type of document should Stacey read and sign?

Internet acceptable use policy

Password policy

Service level agreement

A

Internet acceptable use policy

Because Stacey will be using company equipment to access the Internet, she should read and sign an Internet acceptable use policy.

6
Q

You are configuring a password policy for users in the Berlin office. Passwords must be changed every 60 days. You must ensure that user passwords cannot be changed more than once within the 60-day interval. What should you configure?

Minimum password age

Maximum password age

Password complexity

A

Minimum password age

The minimum password age is the period of time that must elapse before a password can be changed.

7
Q

You have been hired as a consultant by a pharmaceutical company. The company is concerned that confidential drug research documents might be recovered from discarded hard disks. What should you recommend?

Repartition the hard disks.

Freeze the hard drives.

Physically shred the hard disks.

A

Physically shred the hard disks.

Physically shredding the hard disk is the most effective way of ensuring confidential data cannot be retrieved.

8
Q

Acme Corporation is upgrading its network routers. The old routers will be sent to the head office before they are disposed of. What must be done to the routers prior to disposal to minimize security breaches?

Change the router privileged mode password.

Remove DNS server entries from the router configuration.

Set the router to factory default settings.

A

Set the router to factory default settings.

Network equipment such as routers should be reset to factory default settings before disposal to remove company-specific configurations.

9
Q

Your company has decided to adopt a public cloud device management solution where all devices are centrally managed from a web site hosted on servers in a data center. Management has instructed you to ensure that the solution is reliable and always available. Which type of document should you focus on?

Password policy

Service level agreement

Remote access acceptable use policy

A

Service level agreement

A service level agreement is a contract stipulating what level of service and availability can be expected.

10
Q

Which of the following best embodies the concept of least privilege?

Detecting malware running without elevated privileges

Assigning users full control permissions to network resources

Assigning needed permissions to enable users to complete a task

A

Assigning needed permissions to enable users to complete a task

The least privilege principle specifies that only the permissions needed to perform a task should be assigned to users.

11
Q

The creation of data security policies is most affected by which two factors? (Choose two.)

Industry regulations

IP addressing scheme being used

Operating system version being used

PII

A

Industry regulations

PII

Industry regulations, as well as the protection of personally identifiable information (PII), will have a large impact on the details contained within data security policies.

12
Q

As the network administrator for your company, you are creating a security policy such that devices connecting to the corporate VPN must have a trusted digital certificate installed. Which type of security policy are you creating?

Mobile device encryption policy

Authentication policy

Remote access policy

A

Remote access policy

VPNs are remote access solutions, so in this case you would be creating a remote access policy.

13
Q

You are reviewing surveillance camera footage after items have gone missing from your company’s office in the evenings. On the video you notice an unidentified person entering the building’s main entrance behind an employee who unlocked the door with a swipe card. What type of security breach is this?

Tailgating

Mantrapping

Horseback riding

A

Tailgating

Tailgating occurs when an unauthorized person follows an authorized person closely to gain access to a restricted resource such as a building or room.

14
Q

You receive the e-mail message shown here. What type of threat is this?

Dear valued Acme Bank customer, Acme Bank will be updating web server banking software next week. To ensure continued access to your accounts, we ask that you go to http://www.acmebank.us/accounts and reset your password within the next 24 hours. We sincerely appreciate your business.
Acme Bank

Denial of service

Phishing attack

Zero-day exploit

A

Phishing attack

Phishing attacks attempt to fool people into connecting to seemingly authentic web sites so that the unsuspecting user discloses personal information such as bank account numbers and passwords.

15
Q

You are testing your router configuration and discover a security vulnerability. After searching the Internet, you realize that this vulnerability is unknown. Which type of attack is your router vulnerable to?

Denial of service

Phishing attack

Zero-day exploit

A

Zero-day exploit

Zero-day exploits target recently discovered vulnerabilities for which there is no fix, usually because the vulnerability is unknown to the manufacturer.

16
Q

Which of the following options best describe proper usage of PII? (Choose two.)

Law enforcement tracking an Internet offender using a public IP address

Distributing an e-mail contact list to marketing firms

Logging into a secured laptop using a fingerprint scanner

Due diligence

A

Law enforcement tracking an Internet offender using a public IP address

Logging into a secured laptop using a fingerprint scanner

Proper use of PII means not divulging a person’s or entity’s personal information to other parties. Tracking criminals using IP addresses and logging in with a fingerprint scanner are proper uses of PII.

17
Q

Your company restricts firewall administrators from modifying firewall logs. Only IT security personnel are allowed to do this. What is this an example of?

Due care

Separation of duties

Principle of least privilege

A

Separation of duties

Separation of duties requires more than one person to complete a process, such as controlling a firewall and its logs.

18
Q

Your local ISP provides a PDF file stating a 99.97 percent service availability for T1 connectivity to the Internet. How would you classify this type of documentation?

Top secret

Acceptable use policy

Service level agreement

A

Service level agreement

Service level agreements (SLAs) formally define an expected level of service, such as 99.97 percent availability.

19
Q

The Accounts Payable department notices large out-of-country purchases made using a corporate credit card. After discussing the matter with Juan, the employee whose name is on the credit card, they realize somebody has illegally obtained the credit card details. You also learn that he recently received an e-mail from what appeared to be the credit card company asking him to sign in to their web site to validate his account, which he did. How could this have been avoided?

Provide credit card holders with smartcards.

Tell users to increase the strength of online passwords.

Provide security awareness training to employees.

A

Provide security awareness training to employees.

If Juan had been aware of phishing scams, he would have ignored the e-mail message.

20
Q

Which of the following statements are true? (Choose two.)

Security labels are used for data classifications such as restricted and top secret.

PII is applicable only to biometric authentication devices.

Forcing user password changes is considered change management.

A person’s signature on a check is considered PII.

A

Security labels are used for data classifications such as restricted and top secret.

A person’s signature on a check is considered PII.

Restricted and top secret are examples of security data labeling. A signature on a check is considered PII, since it is a personal characteristic.

21
Q

Which of the following best illustrates potential security problems related to social networking sites?

Other users can easily see your IP address.

Talkative employees can expose a company’s intellectual property.

Malicious users can use your pictures for steganography.

A

Talkative employees can expose a company’s intellectual property.

People tend to speak more freely on social networking sites than anywhere else. Exposing important company information could pose a problem.

22
Q

As the IT security officer, you establish a security policy requiring that users protect all paper documents so that sensitive client, vendor, or company data is not stolen. What type of policy is this?

Privacy

Acceptable use

Clean desk

A

Clean desk

A clean desk policy requires paper documents to be safely stored (and not left on desks) to prevent malicious users from acquiring them.

23
Q

What is the primary purpose of enforcing a mandatory vacation policy?

To adhere to government regulation

To ensure that employees are refreshed

To prevent improper activity

A

To prevent improper activity

Knowledge that vacation time is mandatory means employees are less likely to engage in improper business practices. A different employee filling that job role is more likely to notice irregularities.

24
Q

What does a privacy policy protect?

Customer data

Trade secrets

Employee home directories

A

Customer data

Privacy policies are designed to protect customer, guest, or patient confidential information.

25
Q

Which of the following statements about a security policy are true? (Choose two.)

Users must read and sign the security policy.

It guarantees a level of uptime for IT services.

It is composed of subdocuments.

Management approval must be obtained.

A

It is composed of subdocuments.

Management approval must be obtained.

Security policies are composed of subdocuments such as an Internet use policy and a remote access policy. Management approval is required for security policies to make an impact.

26
Q

You are developing a security training outline for the Accounting department that will take place in the office. Which two items should not be included in the training? (Choose two.)

Firewall configuration

The Accounting department’s support of security initiatives

Physical security

Social engineering

A

Firewall configuration

The Accounting department’s support of security initiatives

The IT technical team will be interested in firewall configurations; this is not relevant to the Accounting department. Management must support security initiatives as a first step, even before creating security policies; this is not the job of the Accounting department.

27
Q

Choose the correct statement:

Users are assigned classification labels to access sensitive data.

Data is assigned clearance levels to access sensitive data.

Users are assigned clearance levels to access sensitive data.

A

Users are assigned clearance levels to access sensitive data.

Data is assigned a specific classification label such as top secret, and only users with the appropriate clearance levels can access that data.

28
Q

You are a file server administrator for a health organization. Management has asked you to configure your servers to classify files containing patient medical history data appropriately. What is an appropriate data classification for these types of files? (Choose all that apply.)

High

Medium

Low

Private

Public

Confidential

A

High

Private

Confidential

Organizations will differ in how they specifically label sensitive data. Patient medical history is considered sensitive; therefore, classifying the data as a high security risk if exposed to the public, as private, or as confidential are all valid labels.

29
Q

You are configuring a Wi-Fi network for a clothing retail outlet. In accordance with the Payment Card Industry (PCI) regulations for companies handling payment cards, you must ensure default passwords are changed on the wireless router. This is best described as:

PCI policy

Compliance with security standards

User education and awareness

A

Compliance with security standards

Securing a wireless network to meet industry regulations is best described as complying with security standards.

30
Q

Your company provides a paper document shredder on each floor of a building. What security issue does this address?

Data handling

Clean desk policy

Tailgating

A

Data handling

Part of data handling includes the shredding of physical documents to prevent unauthorized persons from viewing printed sensitive information.

31
Q

Your company’s BYOD policy pays a monthly stipend to employees who use their personal smart phones for work purposes. What type of app should the company ensure is installed and running on all BYOD smart phones?

eBay app

PDF reader app

Antivirus app

A

Antivirus app

Companies with BYOD policies should ensure some type of anti-malware is running on smart phones, whereas other companies might strictly prohibit personally owned devices from being used for business purposes.

32
Q

What is the best defense against new viruses?

Keeping antivirus definitions up to date

Turning off the computer when not in use

Not connecting to Wi-Fi networks

A

Keeping antivirus definitions up to date

New viruses come into existence every day. Antivirus software must be updated on a regular basis to counter these new threats.

33
Q

You and your IT team have completed drafting security policies for e-mail acceptable use and remote access through the company VPN. Users currently use both e-mail and the VPN. What must be done next? (Choose two.)

Update VPN appliance firmware.

Provide security user awareness training.

Encrypt all user mail messages.

Mandate security awareness testing for users.

A

Provide security user awareness training.

Mandate security awareness testing for users.

The best defense against security breaches of any kind is user awareness. This is provided through training, such as ensuring that employees know not to send or receive personal e-mail messages using the work e-mail account. To ensure the training is effective, users should be tested.

34
Q

Margaret, the head of HR, conducts an exit interview with a departing IT server technician named Irving. The interview encompasses Irving’s view on the organization, the benefits of the job role he held, and potential improvements that could be made. Which of the following issues should also be addressed in the exit interview?

Background check

Job rotation

Property return form

A

Property return form

All equipment, access codes, keys, and passes must be surrendered to the company when an employee leaves the organization. This is formalized and recorded on a property return form.

35
Q

An IT security officer is configuring data label options for a company research file server. Users can currently label documents as public, contractor, or human resources. For company trade secrets, which label should be used?

Proprietary

High

Low

A

Proprietary

Company trade secrets should be labeled as proprietary.

36
Q

Which of the following is an example of PHI?

Education records

Employment records

Fingerprints

A

Fingerprints

Fingerprints are considered protected health information (PHI) under the American HIPAA rules.

37
Q

A security auditor is attempting to determine an organization’s data backup and long-term archiving strategy. Which type of organization document should the auditor refer to?

Security policy

Data retention policy

Data leakage policy

A

Data retention policy

Data retention policies specify details about data storage for various types of information. This includes storage location, the length of time data is retained, the type of storage medium such as magnetic tape or cloud archiving, and so on.