Ch. 9 Security Awareness and Training
Your boss calls you into his office and asks you to outline a plan to implement a security awareness program. Outline a training program with at least two areas of training you think all personnel should receive.
1. The program should be based on the policies already established and include a plan to initially train all employees. 2. It should track completion of training and define the period of recurring training.
Your boss calls you into his office and asks you to outline a plan to implement security policies. Discuss the first three policies you'd implement, and justify why you would implement them.
1. An acceptable use policy, 2. an Internet usage policy, and 3. an e-mail usage policy should be among the first policies implemented.
List nine typical data classification categories.
1. High, 2. Medium, 3. Low, 4. Sensitive, 5. Unclassified, 6. Confidential, 7. Secret, 8. Top secret, 9. Public.
You've been working in the security business for a few years now. You've just hired a new intern. You have about 15 minutes before your next meeting and would like to share some of your security experience with your new intern. List five aspects of Safe Harbor principles that you could discuss with your employee.
1. Notice, 2. Choice, 3. Onward Transfer, 4. Security, 5. Data Integrity, Access, and Enforcement.
Which of the following can mandate information security training?
1. PCI DSS, 2. HIPAA, 3. Best practices
Which of the following is a security label used by the U.S. government to implement mandatory access control (MAC)?
1. Top secret, 2. Secret, 3. Confidential, 4. Unclassified
The CISO has come to you seeking advice on fostering good user habits. Outline at least seven important principles that could be incorporated into an annual employee training program.
1. Lock the door to your office or workspace (keep a clean desk); 2. do not leave sensitive information inside your car unprotected; 3. secure storage media containing sensitive information in a secure storage device; 4. shred paper containing organizational information; 5. do not divulge sensitive information to individuals who do not have an authorized need to know; 6. do not discuss sensitive information with family members; 7. protect laptops and other mobile devices that contain sensitive organizational information; 8. be aware of who is around you when discussing sensitive information; 9. enforce corporate access control procedures (to avoid piggybacking, shoulder surfing, and so on); 10. be aware of the correct procedures for reporting violations of security policies; 11. follow procedures that enforce good password security practices.
Which of the following correctly defines the Safe Harbor principle of notice?
A firm must identify what information is being collected, how it will be used, and with whom it will be shared.
Which of the following most accurately describes an acceptable use policy?
A policy that communicates to users what specific uses of computer resources are permitted.
What is a zero-day exploit?
An attack that exploits a previously unknown vulnerability.
Which of the following defines security policy?
High-level statements created by management that lay out the organization's positions on particular issues.
Which of the following correctly describes data that can be used to identify a specific individual or from which contact information of an individual can be derived?
Personally identifiable information
Describe why a data classification system is important to an enterprise.
A data classification system ensures that company information is properly protected. It provides the foundation for a company's disposal and destruction policy. It is also fundamental for defining access controls and role-based access controls.
Which of the following best defines social engineering?
The art of deceiving another person to reveal confidential information.
Which of the following correctly defines phishing?
The use of social engineering to trick a user into responding to an e-mail to initiate a malware-based attack.