5_3_1 Section 5 – Governance, Risk, and Compliance - 5.3 – Organizational Security Policies - Personnel Security

Questions and Answers

What is the primary purpose of an Acceptable Use Policy (AUP) in an organization?

• To specify job rotations within the organization
• To minimize risks associated with job specialization
• To require vacation time for employees
• To outline the rules for technology use in the workplace (correct)

Which security policy helps to minimize the risk of fraud by limiting the time an individual spends in a particular role?

• Acceptable Use Policy implementation
• Job rotation and mandatory vacations (correct)
• Job rotation with regular performance reviews
• Regular security audits and inspections

What is a key benefit of documenting an organization's rules and policies?

• To have a reference in case of policy violations (correct)
• To ensure employee compliance
• To specify technology usage guidelines
• To outline job responsibilities

What is the primary goal of requiring employees to take vacations?

To reduce the risk of fraud and security issues (A)

What type of documentation outlines how technologies should be used in an organization?

Acceptable Use Policy (AUP) (C)

Why is it essential for organizations to have security policies in place?

To minimize risk and prevent fraud (C)

What is the primary advantage of computer-based training?

Provides standardized training to all users (B)

Why might users be required to undergo IT security training?

To gain access to the company's network (A)

What type of training might partners or vendors receive?

Network access training (B)

Why is it important to keep detailed records of training?

To ensure everyone has received standard training (C)

What type of content might be included in computer-based training?

Video, audio, Q&A, or games (A)

What is a key benefit of standardized training?

Everyone receives the same training (A)

What is the purpose of separation of duties in a high-security environment?

To ensure no single individual has complete knowledge or control (A)

What is the concept where one person knows part of the combination and another person knows the other part?

Split knowledge (A)

What is the purpose of a clean desk policy in a high-security environment?

To ensure sensitive data is not left unattended (B)

What is the benefit of configuring a least privileged policy for users and applications?

It limits the scope of malicious software damage (A)

Why do employers conduct background checks before hiring?

To verify the information provided by the applicant (A)

What is the term for not hiring someone based on the information gathered during a background check?

Adverse action (C)

What is the main purpose of dual control?

To ensure two people are present to perform a specific function (B)

What is the benefit of limiting access to sensitive data?

It reduces the risk of data breaches (D)

What is the term for limiting user rights and permissions to only what is necessary for their job?

Least privileged policy (C)

Why is it important to limit the scope of malicious software?

To reduce the risk of data breaches (D)

Why might an organization conduct background checks on existing employees?

To identify potential security risks or issues (D)

What is the purpose of a Non-Disclosure Agreement (NDA)?

To establish a confidentiality agreement (C)

Why might an employer evaluate a candidate's social media presence?

To gain more context about the candidate (D)

What is a common procedure during the on-boarding process?

Setting up network accounts and providing equipment (C)

What is the purpose of off-boarding procedures?

To ensure a smooth transition when an employee leaves (A)

What type of training is used to simulate real-world security threats?

Capture The Flag (CTF) training (D)

What is the purpose of phishing simulations?

To raise awareness about phishing attacks (B)

What type of training involves competing with others and earning badges?

Gamification training (A)

Why might an organization disable an employee's account when they leave?

To prevent them from accessing company resources (A)

What type of training is used to simulate voice phishing attacks?

Vishing simulations (A)

What is an advantage of computer-based training?

It allows for standardized training for all users (A)

Why might users be required to undergo IT security training?

To gain access to the network (A)

What type of training is often provided to partners or vendors?

Specialized training for their role (A)

Why is it important to keep detailed records of training?

To ensure everyone is informed of security requirements (B)

What type of content might be included in computer-based training?

Video, audio, Q&A, or games (D)

Study Notes

Acceptable Use Policy (AUP)

• A documented set of rules that covers how to use technology in an organization, including internet, telephones, computers, mobile devices, and tablets.
• Provides a way to set expectations and specify rules for technology use in the organization.

Security Policies

• Job rotation: rotating employees through different jobs to reduce the risk of security breaches.
• Mandatory vacations: require employees to take vacations to ensure that someone else covers their responsibilities and limits the ability of any one person to commit fraud.
• Separation of duties: dividing responsibilities among multiple employees to prevent any one person from having too much power or access.
• Dual control: requiring two people to be present to perform a business function.
• Split knowledge: divided knowledge among multiple employees to prevent any one person from having access to sensitive information.
• Clean desk policy: requiring employees to clear their desks of sensitive information when leaving their workspace.

Limiting Access and Privileges

• Least privileged policy: configuring users with limited rights and permissions to perform their job duties.
• Limiting access to sensitive data and minimizing the scope of malicious software.
• Configuring applications to run with minimal privileges.

Background Checks and Employment

• Background checks: screening process to verify information provided in job applications and resumes.
• Adverse action: denying employment or taking action against an employee based on information found in a background check.

Non-Disclosure Agreements (NDAs)

• Confidentiality agreements between two parties to limit the sharing of sensitive information.
• Commonly used in business contracts to ensure privacy.

Social Media Analysis

• Evaluating an individual's presence on social media to gather more information about them during the hiring process.

On-boarding and Off-boarding Processes

• On-boarding: bringing new employees into the organization, including setting up accounts, providing equipment, and signing agreements.
• Off-boarding: procedures for when an employee leaves the organization, including returning equipment and disabling accounts.

Training and Awareness

• Gamification: training style that uses points, competition, and badges to engage users.
• Capture The Flag (CTF): security-related competition for training and awareness.
• Phishing simulations: training users to identify and avoid phishing attacks.
• Computer-based training: self-paced training that includes video, audio, and Q&A.

Acceptable Use Policy (AUP)

• A documented set of rules that covers how to use technology in an organization, including internet, telephones, computers, mobile devices, and tablets.
• Provides a way to set expectations and specify rules for technology use in the organization.

Security Policies

• Job rotation: rotating employees through different jobs to reduce the risk of security breaches.
• Mandatory vacations: require employees to take vacations to ensure that someone else covers their responsibilities and limits the ability of any one person to commit fraud.
• Separation of duties: dividing responsibilities among multiple employees to prevent any one person from having too much power or access.
• Dual control: requiring two people to be present to perform a business function.
• Split knowledge: divided knowledge among multiple employees to prevent any one person from having access to sensitive information.
• Clean desk policy: requiring employees to clear their desks of sensitive information when leaving their workspace.

Limiting Access and Privileges

• Least privileged policy: configuring users with limited rights and permissions to perform their job duties.
• Limiting access to sensitive data and minimizing the scope of malicious software.
• Configuring applications to run with minimal privileges.

Background Checks and Employment

• Background checks: screening process to verify information provided in job applications and resumes.
• Adverse action: denying employment or taking action against an employee based on information found in a background check.

Non-Disclosure Agreements (NDAs)

• Confidentiality agreements between two parties to limit the sharing of sensitive information.
• Commonly used in business contracts to ensure privacy.

Social Media Analysis

• Evaluating an individual's presence on social media to gather more information about them during the hiring process.

On-boarding and Off-boarding Processes

• On-boarding: bringing new employees into the organization, including setting up accounts, providing equipment, and signing agreements.
• Off-boarding: procedures for when an employee leaves the organization, including returning equipment and disabling accounts.

Training and Awareness

• Gamification: training style that uses points, competition, and badges to engage users.
• Capture The Flag (CTF): security-related competition for training and awareness.
• Phishing simulations: training users to identify and avoid phishing attacks.
• Computer-based training: self-paced training that includes video, audio, and Q&A.

Description

Learn about Acceptable Use Policies (AUP) and Security Policies in an organizational setting, including rules for technology use and measures to reduce security risks.