5.3.1 – Organizational Security Policies. Personal Security

Questions and Answers

Why is it important for organizations to have an Acceptable Use Policy (AUP)?

To limit the number of employees in an organization.

To set expectations for technology usage and provide a reference when rules are broken. (correct)

To restrict employees from using any technology in the workplace.

To encourage employees to work in different departments.

What is the purpose of implementing job rotation in organizations?

To prevent employees from taking vacations.

To minimize the risk of security issues by having employees switch roles. (correct)

To increase the chances of someone taking advantage of security vulnerabilities.

To ensure that employees remain in the same job for a long period of time.

How does requiring vacations help in organizations?

It provides a chance for someone else to cover responsibilities and assess performance. (correct)

It increases the chances of security breaches due to temporary staff.

It ensures that every employee is always present at work.

It gives opportunities for employees to commit fraud during their absence.

It allows employees to work continuously without breaks.

What does an Acceptable Use Policy cover within an organization?

All technologies including internet, telephones, computers, and mobile devices.

Why do some organizations implement security policies like job rotation?

To minimize the chance of individuals exploiting security vulnerabilities.

What does an employer gain by specifying violations of rules in the Acceptable Use Policy (AUP)?

A way to hold employees accountable for their actions.

What type of agreement is signed to limit the information shared with a third party?

NDA

During the hiring process, what can employers gather from social media?

Social media presence

What is usually done as part of the on-boarding process for a new employee in terms of IT requirements?

Setting up network accounts

What is one of the critical steps during the off-boarding process for an employee?

Ensuring return of equipment

What type of training involves giving points, competition, and badges to show progression?

Gamification training

What does CTF stand for in the context of security professionals' training?

Capture The Flag

What type of simulation involves sending phishing emails to test user awareness?

Fishing simulation

What is vishing in the context of user training?

'Voice' phishing over the phone

What is disabled rather than deleted during a user off-boarding process?

'All network accounts'

'Capture The Flag' competitions help security professionals stay updated with recent ____________.

'Vulnerabilities and attacks'

What is one example of a separation of duty mentioned in the text?

Dual control for opening a safe

Why is it important to configure users with a least privileged policy in an organization?

To limit the scope of malicious software on user workstations

What does the clean desk policy require employees to do before leaving their desks?

Lock everything away and clean the desk

In which scenario would dual control be necessary according to the text?

Two people turning keys simultaneously to open a safe

How does split knowledge apply in scenarios like safe combinations?

One person knows part of the combination and another knows the rest

Why should applications be configured to run with minimal privileges according to the text?

To limit the scope of malicious software that may run on them

What is the purpose of running background checks on applicants according to the text?

To verify information provided by the applicants

How does split knowledge differ from dual control in security measures?

'Split knowledge' involves dividing information between two individuals, while 'dual control' requires two individuals to be present together for certain tasks.

What is the main advantage of limiting access in an operating system by applying least privileged policies?

Minimizing the impact of potential malware threats by restricting user permissions.

What could be a consequence of not adhering to a clean desk policy in an organization?

Leaving sensitive information exposed for unauthorized access.

What is a key benefit of computer-based training mentioned in the text?

Ensuring everyone receives the same training

Why might an organization require users to go through an IT security program?

To ensure everyone understands security requirements

What type of training might partners or vendors accessing a network be required to undergo?

Minimum security requirements training

Why is it important for some organizations to keep detailed records of training attendance?

To ensure security requirements are met by everyone

What is a common feature included in computer-based training mentioned in the text?

Interactive Q&A sessions

In what way does computer-based training differ from traditional classroom training?

Enables individuals to schedule their own training time

What is a common feature included in computer-based training as mentioned in the text?

Interactive games and quizzes

Why do some organizations require partners or vendors accessing their network to undergo specialized training?

To ensure they understand security requirements

How does computer-based training differ from traditional classroom training in terms of content delivery?

It offers flexibility in scheduling and self-paced learning

What might be a reason for organizations to keep detailed records of training attendance?

To ensure everyone is informed of security requirements

Why is it important that everyone receives the same training in some organizations?

To ensure consistent security awareness and practices

What type of training might be necessary before gaining access to an organization's network according to the text?

IT security program

What is the purpose of an Acceptable Use Policy (AUP) in an organization?

To provide guidelines on the appropriate use of technology in the organization

Why might organizations implement a job rotation policy?

To decrease the chances of someone exploiting a security issue

What does a policy requiring vacations aim to achieve in an organization?

To ensure someone covers an employee's responsibilities during their absence

How does a Clean Desk Policy benefit organizations?

By requiring employees to clear their desk before leaving to prevent data breaches

Why do some organizations enforce security policies like job rotation?

To reduce the likelihood of security issues being exploited

What is the main benefit of documenting rules in an Acceptable Use Policy (AUP)?

To provide employers with a way to set expectations and address rule violations

What is the purpose of split knowledge in a high-security environment?

Preventing a single user from having full access to sensitive information

How does dual control differ from split knowledge in security measures?

Dual control involves two people needing to be present together.

What is the primary goal of configuring users with a least privileged policy?

To limit users' rights and permissions to only necessary functions.

Why is limiting access in an operating system crucial in an organization?

To minimize the impact of malware by restricting user permissions.

In what circumstance would a clean desk policy be most relevant?

When employees must lock away all information before leaving desks.

What is the purpose of running background checks on job applicants according to the text?

To identify any criminal history and verify provided information.

Why is it essential for employers to provide extensive documentation in the case of an adverse action due to a background check?

To ensure applicants understand why they were not hired.

How does dual control enhance security measures within organizations?

"By requiring two individuals to be present for specific tasks."

What is the purpose of a least privileged policy when configuring applications run within an organization?

To restrict applications' capabilities beyond their operational needs.

What is the purpose of a Non-Disclosure Agreement (NDA) mentioned in the text?

To limit the information shared with third parties

Why do employers evaluate someone's presence on social media during the hiring process?

To understand their online presence better

What is a common step during the on-boarding process for a new employee in terms of IT requirements?

Providing accounts for network login

Why do organizations often disable an employee's account during the off-boarding process?

To ensure data security and prevent logins

What is the purpose of gamification in training, as mentioned in the text?

To provide points, competition, and badges for progression

Why do organizations conduct phishing simulations as a form of user training?

To expose employees to real phishing attacks

What is the purpose of Capture The Flag (CTF) competitions for security professionals?

To test hacking skills and awareness of vulnerabilities

Why might an organization need to provide a new employee with a desktop or laptop during on-boarding?

To enable daily work tasks and network access

What is the main reason for implementing training through gamification?

Reward competition and progress

Why should organizations disable accounts during off-boarding?

To ensure data security