5.3.1 – Organizational Security Policies. Personal Security

Questions and Answers

Why is it important for organizations to have an Acceptable Use Policy (AUP)?

• To limit the number of employees in an organization.
• To set expectations for technology usage and provide a reference when rules are broken. (correct)
• To restrict employees from using any technology in the workplace.
• To encourage employees to work in different departments.

What is the purpose of implementing job rotation in organizations?

• To prevent employees from taking vacations.
• To minimize the risk of security issues by having employees switch roles. (correct)
• To increase the chances of someone taking advantage of security vulnerabilities.
• To ensure that employees remain in the same job for a long period of time.

How does requiring vacations help in organizations?

• It provides a chance for someone else to cover responsibilities and assess performance. (correct)
• It increases the chances of security breaches due to temporary staff.
• It ensures that every employee is always present at work.
• It gives opportunities for employees to commit fraud during their absence.
• It allows employees to work continuously without breaks.

What does an Acceptable Use Policy cover within an organization?

All technologies including internet, telephones, computers, and mobile devices. (A)

Why do some organizations implement security policies like job rotation?

To minimize the chance of individuals exploiting security vulnerabilities. (A)

What does an employer gain by specifying violations of rules in the Acceptable Use Policy (AUP)?

A way to hold employees accountable for their actions. (B)

What type of agreement is signed to limit the information shared with a third party?

NDA (C)

During the hiring process, what can employers gather from social media?

Social media presence (A)

What is usually done as part of the on-boarding process for a new employee in terms of IT requirements?

Setting up network accounts (D)

What is one of the critical steps during the off-boarding process for an employee?

Ensuring return of equipment (A)

What type of training involves giving points, competition, and badges to show progression?

Gamification training (D)

What does CTF stand for in the context of security professionals' training?

Capture The Flag (C)

What type of simulation involves sending phishing emails to test user awareness?

Fishing simulation (B)

What is vishing in the context of user training?

'Voice' phishing over the phone (C)

What is disabled rather than deleted during a user off-boarding process?

'All network accounts' (B)

'Capture The Flag' competitions help security professionals stay updated with recent ____________.

'Vulnerabilities and attacks' (A)

What is one example of a separation of duty mentioned in the text?

Dual control for opening a safe (D)

Why is it important to configure users with a least privileged policy in an organization?

To limit the scope of malicious software on user workstations (A)

What does the clean desk policy require employees to do before leaving their desks?

Lock everything away and clean the desk (A)

In which scenario would dual control be necessary according to the text?

Two people turning keys simultaneously to open a safe (A)

How does split knowledge apply in scenarios like safe combinations?

One person knows part of the combination and another knows the rest (D)

Why should applications be configured to run with minimal privileges according to the text?

To limit the scope of malicious software that may run on them (A)

What is the purpose of running background checks on applicants according to the text?

To verify information provided by the applicants (B)

How does split knowledge differ from dual control in security measures?

'Split knowledge' involves dividing information between two individuals, while 'dual control' requires two individuals to be present together for certain tasks. (C)

What is the main advantage of limiting access in an operating system by applying least privileged policies?

Minimizing the impact of potential malware threats by restricting user permissions. (C)

What could be a consequence of not adhering to a clean desk policy in an organization?

Leaving sensitive information exposed for unauthorized access. (C)

What is a key benefit of computer-based training mentioned in the text?

Ensuring everyone receives the same training (D)

Why might an organization require users to go through an IT security program?

To ensure everyone understands security requirements (D)

What type of training might partners or vendors accessing a network be required to undergo?

Minimum security requirements training (D)

Why is it important for some organizations to keep detailed records of training attendance?

To ensure security requirements are met by everyone (A)

What is a common feature included in computer-based training mentioned in the text?

Interactive Q&A sessions (C)

In what way does computer-based training differ from traditional classroom training?

Enables individuals to schedule their own training time (B)

What is a common feature included in computer-based training as mentioned in the text?

Interactive games and quizzes (C)

Why do some organizations require partners or vendors accessing their network to undergo specialized training?

To ensure they understand security requirements (D)

How does computer-based training differ from traditional classroom training in terms of content delivery?

It offers flexibility in scheduling and self-paced learning (C)

What might be a reason for organizations to keep detailed records of training attendance?

To ensure everyone is informed of security requirements (C)

Why is it important that everyone receives the same training in some organizations?

To ensure consistent security awareness and practices (D)

What type of training might be necessary before gaining access to an organization's network according to the text?

IT security program (B)

What is the purpose of an Acceptable Use Policy (AUP) in an organization?

To provide guidelines on the appropriate use of technology in the organization (C)

Why might organizations implement a job rotation policy?

To decrease the chances of someone exploiting a security issue (D)

What does a policy requiring vacations aim to achieve in an organization?

To ensure someone covers an employee's responsibilities during their absence (B)

How does a Clean Desk Policy benefit organizations?

By requiring employees to clear their desk before leaving to prevent data breaches (D)

Why do some organizations enforce security policies like job rotation?

To reduce the likelihood of security issues being exploited (A)

What is the main benefit of documenting rules in an Acceptable Use Policy (AUP)?

To provide employers with a way to set expectations and address rule violations (C)

What is the purpose of split knowledge in a high-security environment?

Preventing a single user from having full access to sensitive information (A)

How does dual control differ from split knowledge in security measures?

Dual control involves two people needing to be present together. (D)

What is the primary goal of configuring users with a least privileged policy?

To limit users' rights and permissions to only necessary functions. (D)

Why is limiting access in an operating system crucial in an organization?

To minimize the impact of malware by restricting user permissions. (C)

In what circumstance would a clean desk policy be most relevant?

When employees must lock away all information before leaving desks. (D)

What is the purpose of running background checks on job applicants according to the text?

To identify any criminal history and verify provided information. (C)

Why is it essential for employers to provide extensive documentation in the case of an adverse action due to a background check?

To ensure applicants understand why they were not hired. (B)

How does dual control enhance security measures within organizations?

"By requiring two individuals to be present for specific tasks." (A)

What is the purpose of a least privileged policy when configuring applications run within an organization?

To restrict applications' capabilities beyond their operational needs. (B)

What is the purpose of a Non-Disclosure Agreement (NDA) mentioned in the text?

To limit the information shared with third parties (A)

Why do employers evaluate someone's presence on social media during the hiring process?

To understand their online presence better (C)

What is a common step during the on-boarding process for a new employee in terms of IT requirements?

Providing accounts for network login (D)

Why do organizations often disable an employee's account during the off-boarding process?

To ensure data security and prevent logins (A)

What is the purpose of gamification in training, as mentioned in the text?

To provide points, competition, and badges for progression (D)

Why do organizations conduct phishing simulations as a form of user training?

To expose employees to real phishing attacks (C)

What is the purpose of Capture The Flag (CTF) competitions for security professionals?

To test hacking skills and awareness of vulnerabilities (A)

Why might an organization need to provide a new employee with a desktop or laptop during on-boarding?

To enable daily work tasks and network access (B)

What is the main reason for implementing training through gamification?

Reward competition and progress (D)

Why should organizations disable accounts during off-boarding?

To ensure data security (C)