5_3_1 Section 5 – Governance, Risk, and Compliance - 5.3 – Organizational Security Policies - Personnel Security

Questions and Answers

What is the primary purpose of an Acceptable Use Policy (AUP) in an organization?

To specify job rotations within the organization

To minimize risks associated with job specialization

To require vacation time for employees

To outline the rules for technology use in the workplace (correct)

Which security policy helps to minimize the risk of fraud by limiting the time an individual spends in a particular role?

Acceptable Use Policy implementation

Job rotation and mandatory vacations (correct)

Job rotation with regular performance reviews

Regular security audits and inspections

What is a key benefit of documenting an organization's rules and policies?

To have a reference in case of policy violations (correct)

To ensure employee compliance

To specify technology usage guidelines

To outline job responsibilities

What is the primary goal of requiring employees to take vacations?

To reduce the risk of fraud and security issues

What type of documentation outlines how technologies should be used in an organization?

Acceptable Use Policy (AUP)

Why is it essential for organizations to have security policies in place?

To minimize risk and prevent fraud

What is the primary advantage of computer-based training?

Provides standardized training to all users

Why might users be required to undergo IT security training?

To gain access to the company's network

What type of training might partners or vendors receive?

Network access training

Why is it important to keep detailed records of training?

To ensure everyone has received standard training

What type of content might be included in computer-based training?

Video, audio, Q&A, or games

What is a key benefit of standardized training?

Everyone receives the same training

What is the purpose of separation of duties in a high-security environment?

To ensure no single individual has complete knowledge or control

What is the concept where one person knows part of the combination and another person knows the other part?

Split knowledge

What is the purpose of a clean desk policy in a high-security environment?

To ensure sensitive data is not left unattended

What is the benefit of configuring a least privileged policy for users and applications?

It limits the scope of malicious software damage

Why do employers conduct background checks before hiring?

To verify the information provided by the applicant

What is the term for not hiring someone based on the information gathered during a background check?

Adverse action

What is the main purpose of dual control?

To ensure two people are present to perform a specific function

What is the benefit of limiting access to sensitive data?

It reduces the risk of data breaches

What is the term for limiting user rights and permissions to only what is necessary for their job?

Least privileged policy

Why is it important to limit the scope of malicious software?

To reduce the risk of data breaches

Why might an organization conduct background checks on existing employees?

To identify potential security risks or issues

What is the purpose of a Non-Disclosure Agreement (NDA)?

To establish a confidentiality agreement

Why might an employer evaluate a candidate's social media presence?

To gain more context about the candidate

What is a common procedure during the on-boarding process?

Setting up network accounts and providing equipment

What is the purpose of off-boarding procedures?

To ensure a smooth transition when an employee leaves

What type of training is used to simulate real-world security threats?

Capture The Flag (CTF) training

What is the purpose of phishing simulations?

To raise awareness about phishing attacks

What type of training involves competing with others and earning badges?

Gamification training

Why might an organization disable an employee's account when they leave?

To prevent them from accessing company resources

What type of training is used to simulate voice phishing attacks?

Vishing simulations

What is an advantage of computer-based training?

It allows for standardized training for all users

Why might users be required to undergo IT security training?

To gain access to the network

What type of training is often provided to partners or vendors?

Specialized training for their role

Why is it important to keep detailed records of training?

To ensure everyone is informed of security requirements

What type of content might be included in computer-based training?

Video, audio, Q&A, or games

Study Notes

Acceptable Use Policy (AUP)

• A documented set of rules that covers how to use technology in an organization, including internet, telephones, computers, mobile devices, and tablets.
• Provides a way to set expectations and specify rules for technology use in the organization.

Security Policies

• Job rotation: rotating employees through different jobs to reduce the risk of security breaches.
• Mandatory vacations: require employees to take vacations to ensure that someone else covers their responsibilities and limits the ability of any one person to commit fraud.
• Separation of duties: dividing responsibilities among multiple employees to prevent any one person from having too much power or access.
• Dual control: requiring two people to be present to perform a business function.
• Split knowledge: divided knowledge among multiple employees to prevent any one person from having access to sensitive information.
• Clean desk policy: requiring employees to clear their desks of sensitive information when leaving their workspace.

Limiting Access and Privileges

• Least privileged policy: configuring users with limited rights and permissions to perform their job duties.
• Limiting access to sensitive data and minimizing the scope of malicious software.
• Configuring applications to run with minimal privileges.

Background Checks and Employment

• Background checks: screening process to verify information provided in job applications and resumes.
• Adverse action: denying employment or taking action against an employee based on information found in a background check.

Non-Disclosure Agreements (NDAs)

• Confidentiality agreements between two parties to limit the sharing of sensitive information.
• Commonly used in business contracts to ensure privacy.

Social Media Analysis

• Evaluating an individual's presence on social media to gather more information about them during the hiring process.

On-boarding and Off-boarding Processes

• On-boarding: bringing new employees into the organization, including setting up accounts, providing equipment, and signing agreements.
• Off-boarding: procedures for when an employee leaves the organization, including returning equipment and disabling accounts.

Training and Awareness

• Gamification: training style that uses points, competition, and badges to engage users.
• Capture The Flag (CTF): security-related competition for training and awareness.
• Phishing simulations: training users to identify and avoid phishing attacks.
• Computer-based training: self-paced training that includes video, audio, and Q&A.

Acceptable Use Policy (AUP)

• A documented set of rules that covers how to use technology in an organization, including internet, telephones, computers, mobile devices, and tablets.
• Provides a way to set expectations and specify rules for technology use in the organization.

Security Policies

• Job rotation: rotating employees through different jobs to reduce the risk of security breaches.
• Mandatory vacations: require employees to take vacations to ensure that someone else covers their responsibilities and limits the ability of any one person to commit fraud.
• Separation of duties: dividing responsibilities among multiple employees to prevent any one person from having too much power or access.
• Dual control: requiring two people to be present to perform a business function.
• Split knowledge: divided knowledge among multiple employees to prevent any one person from having access to sensitive information.
• Clean desk policy: requiring employees to clear their desks of sensitive information when leaving their workspace.

Limiting Access and Privileges

• Least privileged policy: configuring users with limited rights and permissions to perform their job duties.
• Limiting access to sensitive data and minimizing the scope of malicious software.
• Configuring applications to run with minimal privileges.

Background Checks and Employment

• Background checks: screening process to verify information provided in job applications and resumes.
• Adverse action: denying employment or taking action against an employee based on information found in a background check.

Non-Disclosure Agreements (NDAs)

• Confidentiality agreements between two parties to limit the sharing of sensitive information.
• Commonly used in business contracts to ensure privacy.

Social Media Analysis

• Evaluating an individual's presence on social media to gather more information about them during the hiring process.

On-boarding and Off-boarding Processes

• On-boarding: bringing new employees into the organization, including setting up accounts, providing equipment, and signing agreements.
• Off-boarding: procedures for when an employee leaves the organization, including returning equipment and disabling accounts.

Training and Awareness

• Gamification: training style that uses points, competition, and badges to engage users.
• Capture The Flag (CTF): security-related competition for training and awareness.
• Phishing simulations: training users to identify and avoid phishing attacks.
• Computer-based training: self-paced training that includes video, audio, and Q&A.

Description

Learn about Acceptable Use Policies (AUP) and Security Policies in an organizational setting, including rules for technology use and measures to reduce security risks.