Classified Data Security Guidelines

Questions and Answers

How should you respond when a vendor conducting a pilot program contacts you for organizational data to use in a prototype?

Refer the vendor to the appropriate personnel.

How can you protect classified data when it is not in use?

Store classified data appropriately in a GSA-approved vault/container.

What is the basis for handling and storage of classified data?

Classification markings and handling caveats.

Before using an unclassified laptop and peripherals in a collateral classified environment, what must you do?

Ensure that any cameras, microphones, and Wi-Fi embedded in the laptop are physically disabled.

What level of damage to national security can you reasonably expect Top Secret information to cause if disclosed?

Exceptionally grave damage.

What must you have to telework?

Your organization's permission.

What is true about protecting classified data?

Classified material must be appropriately marked.

What is a reportable insider threat activity?

Attempting to access sensitive information without need-to-know.

Which scenario might indicate a reportable insider threat?

A colleague removes sensitive information without seeking authorization in order to perform authorized telework.

Which of the following is a potential insider threat indicator? (Select all that apply)

Difficult life circumstances, such as the death of a spouse.

What is the safest piece of information to include on your social media profile?

Your favorite movie.

What is true of many apps and smart devices?

Many apps and smart devices collect and share your personal information and contribute to your online identity.

How can you protect your organization on social networking sites?

Ensure there are no identifiable landmarks visible in any photos taken in a work setting that you post.

What is a best practice for protecting Controlled Unclassified Information (CUI)?

Store it in a locked desk drawer after working hours.

How should Controlled Unclassified Information (CUI) be transmitted safely?

Paul verifies that the information is CUI, includes a CUI marking in the subject header, and digitally signs an e-mail containing CUI.

Which designation includes Personally Identifiable Information (PII) and Protected Health Information (PHI)?

Controlled Unclassified Information (CUI).

Which of the following is NOT an example of CUI?

Press release data.

Which of the following is NOT a correct way to protect CUI?

CUI may be stored on any password-protected system.

What best describes good physical security?

Lionel stops an individual in his secure area who is not wearing a badge.

What is an example of two-factor authentication?

A Common Access Card and Personal Identification Number.

What is the best way to protect your Common Access Card (CAC) or Personal Identity Verification (PIV) card?

Store it in a shielded sleeve.

What must authorized personnel do before permitting another individual to enter a Sensitive Compartmented Information Facility (SCIF)?

Confirm the individual's need-to-know and access.

What is true of Sensitive Compartmented Information (SCI)?

Access requires Top Secret clearance and indoctrination into the SCI program.

Which of the following is NOT a potential consequence of using removable media unsafely in a SCIF?

Damage to the removable media.

What portable electronic devices (PEDs) are permitted in a SCIF?

Only expressly authorized government-owned PEDs.

What is the response to an incident such as opening an uncontrolled DVD on a computer in a SCIF?

All of these.

Which of the following is NOT a type of malicious code?

Executables.

What action can help to protect your identity?

Shred personal documents.

What is an appropriate use of government e-mail?

Use a digital signature when sending attachments or hyperlinks.

What type of social engineering targets particular groups of people?

Spear phishing.

How can you protect yourself from social engineering?

Verify the identity of all individuals.

What is true of traveling overseas with a mobile phone?

A personally owned device approved under Bring Your Own Approved Device (BYOAD) policy must be unenrolled while out of the country.

What should Sara do when using publicly available Internet, such as hotel Wi-Fi?

Only connect with Government VPN.

What is the danger of using public Wi-Fi connections?

Both of these.

Which personally-owned computer peripheral is permitted for use with Government-furnished equipment?

A headset with a microphone through a Universal Serial Bus (USB) port.

How can you protect data on your mobile computing and portable electronic devices (PEDs)?

Enable automatic screen locking after a period of inactivity.

Which of the following is an example of removable media?

USB drive.

What is true of Internet of Things (IoT) devices?

They can become an attack vector to other devices on your home network.

When is it appropriate to have your security badge visible?

At all times when in the facility.

What should the owner of printed SCI do differently?

Retrieve classified documents promptly from printers.

What should the participants in a conversation involving SCI do differently?

Physically assess that everyone within listening distance is cleared and has a need-to-know for the information being discussed.

Which demonstrates proper protection of mobile devices?

Linda encrypts all of the sensitive data on her government-issued mobile devices.

Which of the following does NOT constitute spillage?

Classified information that should be unclassified and is downgraded.

Which of the following is NOT an appropriate way to protect against inadvertent spillage?

Use the classified network for all work, including unclassified work.

What should you NOT do if you find classified information on the internet?

Download the information.

Who designates whether information is classified and its classification level?

Original classification authority.

Which of the following is a good practice to protect classified information?

Don't assume open storage in a secure facility is authorized.

How many insider threat indicators does Alex demonstrate?

Three or more.

What should Alex's colleagues do?

Report the suspicious behavior in accordance with their organization's threat policy.

Which of the following is true?

Digitally signed e-mails are more secure.

Which of the following best describes the conditions under which mobile devices and applications can track your location?

It is often the default but can be prevented by disabling the location function.

When is it okay to charge a personal mobile device using government-furnished equipment (GFE)?

This is never okay.

What security risk does a public Wi-Fi connection pose?

It may prohibit the use of a virtual private network (VPN).

Which of the following represents an ethical use of your Government-furnished equipment (GFE)?

Checking personal e-mail when allowed by your organization.

When may you be subject to criminal, disciplinary, and/or administrative action due to online harassment, bullying, stalking, hazing, discrimination, or retaliation?

If you participate in or condone it at any time.

How can you protect yourself on social networking sites?

Validate friend requests through another source before confirming them.

Which piece of information is safest to include on your social media profile?

Photos of your pet.

Which of the following is true of removable media and portable electronic devices (PEDs)?

They have similar features, and the same rules and protections apply to both.

What is a security best practice for protecting Personally Identifiable Information (PII)?

Only use Government-approved equipment to process PII.

What is true of Controlled Unclassified Information (CUI)?

CUI must be handled using safeguarding or dissemination controls.

Which Cyber Protection Condition (CPCON) establishes a protection priority focus on critical functions only?

CPCON 1.

What is true of the Common Access Card (CAC) or Personal Identity Verification (PIV) card?

You should remove and take your CAC/PIV card whenever you leave your workstation.

Which of the following is an example of a strong password?

%2ZN=Ugq

A compromise of Sensitive Compartmented Information (SCI) occurs when a person who does not have the required clearance or access caveats comes into possession of SCI ________.

in any manner.

What is a good practice to protect classified information?

Don't assume open storage in a secure facility is authorized.

Based on the description that follows, how many potential insider threat indicators(s) are displayed? A colleague saves money for an overseas vacation every year, is a single father, and occasionally consumes alcohol.

2 indicators.

Which of the following statements is true?

Adversaries exploit social networking sites to disseminate fake news.

Which of the following is true about URLs?

May be used to mask malicious intent.

Study Notes

Organizational Data and Vendors

• Refer vendors conducting pilot programs for prototypes to the appropriate personnel for data requests.

Classified Data Protection

• Store classified data in a GSA-approved vault or container when not in use to ensure its security.
• Handling and storage of classified data is governed by specific classification markings and handling caveats.

Classified Equipment Usage

• Disable cameras, microphones, and Wi-Fi on unclassified laptops before using them in classified environments to prevent security breaches.

National Security Impact

• Disclosure of Top Secret information can cause exceptionally grave damage to national security.

Teleworking Protocols

• Obtain organizational permission before engaging in telework to ensure compliance with policies.

Marking Classified Material

• Properly mark all classified materials to maintain security and compliance with regulations.

Insider Threat Indicators

• Accessing sensitive information without proper need-to-know is a reportable insider threat activity.
• Observing unusual interest in classified information or personal difficulties may indicate potential insider threats.

Social Media and Personal Information

• Safest information to include on social media profiles is non-identifiable content, such as favorite movies.
• Apps and devices collect personal information, impacting online identity.

Controlled Unclassified Information (CUI) Management

• Store Controlled Unclassified Information in locked drawers after hours to protect sensitive data.
• Transmit CUI securely by verifying its classification and properly marking communications.

Physical Security Practices

• Good physical security is demonstrated by actively stopping unbadged individuals in secure areas.

Authentication Methods

• Utilizing two-factor authentication can enhance security, such as requiring a Common Access Card and Personal Identification Number.

Sensitive Compartmented Information (SCI) Protocol

• Access to SCI requires Top Secret clearance and indoctrination; confirm need-to-know before entry.

Removable Media Safety

• Removable media should be used cautiously within Sensitive Compartmented Information Facilities; non-compliance can lead to serious security incidents.

Identity Protection

• Protect personal identity by shredding sensitive documents and verifying identities before sharing information.

E-mail Security

• Digitally signed emails are considered more secure, ensuring communication integrity.

Public Wi-Fi Security

• Using public Wi-Fi poses risks; only connect through a Government VPN to secure sensitive information on personal devices.

Government-Furnished Equipment (GFE) Usage

• It is not permissible to charge personal mobile devices using GFE; this maintains equipment integrity.

Document Handling

• Promptly retrieve classified documents from printers to minimize unauthorized access.

Proper Mobile Device Protection

• Encrypt sensitive data on mobile devices to ensure compliance with security standards.

Spillage Protocol

• Spillage does not include classified information that is downgraded correctly; preventing inadvertent spillage involves adhering to transfer procedures.

Ethical Online Behavior

• Participants in discussions involving sensitive content should assess security clearances to avoid unauthorized dealings.

Online Security and Reputation

• Adversaries may exploit social media for malicious purposes, emphasizing the importance of maintaining a secure digital presence.

Effective URL Use

• URLs can be manipulated to disguise harmful intentions, necessitating caution when clicking on links.

Insider Threat Awareness

• Recognizing and reporting suspicious behaviors within organizations is crucial for maintaining security integrity.

Description

This quiz covers essential guidelines for handling classified data, including storage, equipment usage, and teleworking protocols. Understand the importance of compliance with security measures to protect national security and prevent insider threats.