Security Pro: Chapter 3 (3.1.8) & 4.1 Security Policies Answers


Which of the following is defined as a contract that prescribes the technical support or business parameters a provider will bestow to its client?

1. Certificate practice statement
2. Final Audit report
3. Mutual aid agreement
4. Service level agreement

Answer:
4. Service level agreement

Explanation:
A service level agreement is defined as a contract that prescribes the technical support or business parameters a provider will bestow to its client.

Why not 1, 2, or 3?:
A mutual aid agreement is an agreement between two organizations to support each other in the event of a disaster. A final audit report is the result of an external auditor's inspection and analysis of an organization's security status. A certificate practice statement defines the actions and promises of a certificate service authority.

HIPAA is a set of federal regulations that defines security guidelines. What do HIPAA guidelines protect?

1. Availability
2. Integrity
3. Privacy
4. Non-repudiation

Answer:
3. Privacy

Explanation:
HIPAA is a set of federal regulations that enforce the protection of privacy. Specifically, HIPAA protects the privacy of medical records.

What is a service level agreement (SLA)?

1. A guarantee of specific level of service

2. An agreement to support another company in the event of a disaster

3. A contract with an ISP for a specific level of bandwidth

4. A contract with a legal entity to limit your asset loss liability

Answer:
1. A guarantee of specific level of service

Explanation:
An SLA is a guarantee of a specific level of service from a vendor. That service may be communication links, hardware, or operational services. An SLA is a form of insurance against disasters or security intrusions that may affect your organization's mission-critical business functions.

Why not 2, 3, or 4?:
An agreement to support another company in the event of a disaster is known as a mutual aid agreement. A contract with a legal entity to limit your asset loss liability is an insurance policy. A contract with an ISP for a specific level of bandwidth is a service contract.

A Service Level Agreement (SLA) defines the relationship and contractual responsibilities of providers and service recipients. Which of the following characteristics are most important when designing an SLA? (Select two)

1. Industry standard templates for all SLAs to ensure corporate compliance

2. Clear and detailed description of penalties if the level of service is not provided.

3. Detailed provider responsibilities for all continuity and disaster recovery mechanisms

4. Employee vetting procedures that don’t apply to contract labor

Answer:
2. Clear and detailed descriptions of penalties if the level of service is not provided.
3. Detailed provider responsibilities for all continuity and disaster recovery mechanisms

Explanation:
A Service Level Agreement (SLA) should define, with sufficient detail, any penalties incurred if the level of service is not maintained. In the information security realm, it is also vital that the provider's role in disaster recovery operations and continuity planning is clearly defined. Industry standard templates are frequently used as a starting point for SLA design, but must be tailored to the specific project or relationship to be effective.

You plan to implement a new security device on your network. Which of the following policies outlines the process you should follow when implementing that device?

1. Change management
2. SLA
3. Resource allocation
4. Acceptance use

Answer:
1. Change management

Explanation:
A change and configuration management policy provides a structured approach to securing company assets and making changes. Change management:

1. Establishes hardware, software, and infrastructure configurations that are universally deployed throughout the corporation.

2. Tracks and documents significant changes to the infrastructure.

3. Assesses the risk of implementing new processes, hardware, or software.

4. Ensures that proper testing and approval processes are followed before changes are allowed.

Why not 2, 3, or 4?:
An Acceptable Use Policy (AUP) identifies employees' rights to use company property, such as internet access and computer equipment, for personal use. A resource allocation policy outlines how resources are allocated. Resources could include staffing, technology, or budgets. Service Level Agreements (SLAs), sometimes called maintenance contracts, guarantee the quality of a service to a subscriber by a network service provider.

When you inform an employee that they are being terminated, what is the most important activity?

1. Disabling their network access
2. Allowing them to collect their personal items
3. Allowing them to complete their current work projects
4. Giving them two weeks’ notice

Answer:
1. Disabling their network access

Explanation:
When an employee is terminated, you should disable their network access immediately. Often, an employee is taken into an exit interview where they are informed of the termination and asked to review their NDA and other security agreements. While the exit interview is occurring, the system administrator disables the user's network access and security codes.

Why not 2, 3, or 4?:
Returning personal items is the least important task when removing an employee. Terminated employees should not be allowed to complete work projects, nor should they be given two weeks' notice. Both of these activities grant the ex-employee the ability to cause damage to your secure environment as a form of retaliation.

What is the most effective way to improve or enforce security in any environment?

1. Enforcing account lockout
2. Requiring two-factor authentication
3. Disabling Internet Access
4. Providing user-awareness training

Answer:
4. Providing user-awareness training

Explanation:
The most effective way to improve and enforce security in any environment is user awareness training. If users are educated about security and how to perform their work tasks securely, the overall security of the environment improves.

Why not 1, 2, or 3?:
Enforcing account lockout, two-factor authentication, and disabling Internet access are all valid security countermeasures or improvements. However, they do not have as large a positive impact on overall security as user awareness training.

You have a set of DVD-RW discs that have been used to archive files for your latest development project. You need to dispose of the discs.

Which of the following methods should you use to best prevent data extraction from the discs?

1. Degauss the discs
2. Write junk data over the discs seven times
3. Shred the discs
4. Delete the data on the discs

Answer:
3. Shred the discs

Explanation:
To completely prevent reading data from discs, destroy them using a DVD shredder or crusher.

Why not 1, 2, or 4?:
Degaussing works for magnetic media such as floppy and hard disk drives. Simply deleting data offers little protection. Writing junk data over the media sanitizes the discs by removing data remanence.

Which of the following best describes the concept of “due care” or “due diligence”?

1. Reasonable precautions based on industry best practices are utilized and documented

2. Security through obscurity is best accomplished by port stealthing

3. Legal disclaimers are consistently and conspicuously displayed on all systems

4. Availability supersedes security unless physical harm is likely

Answer:
1. Reasonable precautions based on industry best practices are utilized and documented

Explanation:
Due care or due diligence are legal terms that describe the responsibility of one party to act reasonably in relation to the rights of another. In this example, due care is best described as the utilization and documentation of reasonable precautions based on industry best practices. The subjective nature of the term "reasonable" is frequently determined by courts. Any deviation from accepted industry best practices may subject an organization or individual to legal action based on these grounds.

Which of the following is an example of a strong password?

1. Robert694
2. at9iov45a
3. a8bT11$yi
4. desktop#7

Answer:
3. a8bT11$yi

Explanation:
A strong password should not contain dictionary words or any part of the login name. It should include upper- and lower-case letters, numbers, and symbols. In addition, longer passwords are stronger than shorter passwords.

Which of the following is a recommendation to use when a specific standard or procedure does not exist?

1. Standard
2. Baseline
3. Guideline
4. Procedure

Answer:
4. Guideline

Explanation:
A guideline is a recommendation to use when a specific standard or procedure does not exist.

Why not 1, 2, or 3?:
#1 A standard is a legal, industry, or best business practice that a company implements, such as a building code.

#2 A baseline dictates the settings and security mechanisms that must be imposed on a system in order to comply with required security standards.

#3 A procedure is a detailed, specific step-by-step instruction for a process.

Which of the following is the best protection against security violations?

1. Bottom-up decision-making
2. Monolithic security
3. Defense in-depth
4. Fortress mentality

Answer:
3. Defense in-depth

Explanation:
Defense in-depth is the best protection against security violations.

Why not 1, 2, or 4?:
Monolithic security and fortress mentality are both poor security perspectives, as they rely upon a single protection mechanism. Bottom-up decision-making is a poor security process, as it does not firmly establish responsibility, management control, or standards enforcement. Ultimately, such a process will lead to chaos rather than security.

What is the primary purpose of source code escrow?

1. To provide a backup copy of software to use for recovery in the event of a disaster

2. To obtain resale rights over software after the vendor goes out of business

3. To hold funds in reserve for unpredicted costs before paying the fees of the programmer

4. To obtain change rights over software after the vendor goes out of business

Answer:
4. To obtain change rights over software after the vendor goes out of business

Explanation:
Source code escrow is used to obtain change rights over software after the vendor goes out of business. Source code escrow is not used to obtain resale rights, back up software, or withhold funds from programmers.

Change control should be used to oversee and manage over what aspect of an organization?

1. Every aspect
2. Personnel and policies
3. Physical environment
4. IT hardware and software

Answer:
1. Every aspect

Explanation:
Every aspect of an organization should be monitored and managed by change control.

Why not 2, 3, or 4?:
Focusing only on hardware and software, personnel and policies, or physical environment will limit the effectiveness of change control. Change control should cover the entire organization.

You have recently discovered that a network attack has compromised your database server. The attacker may have stolen customer credit card numbers.

You have stopped the attack and implemented security measures to prevent the same incident from occurring in the future. What else might you be legally required to do?

1. Perform additional investigation to identify the attacker

2. Contact your customers to let them know about the security breach

3. Implement training for employees who handle personal information

4. Delete personally identifiable information from your computers

Answer:
2. Contact your customers to let them know about the security breach

Explanation:
After you have analyzed the attack and gathered evidence, be aware that, in some states, you are required to notify individuals if their personal information might have been compromised. For example, if an incident involves the exposure of credit card numbers, identifying information (such as Social Security numbers), or medical information, you might be legally obligated to notify potential victims and take measures to help protect their information from further attack.

What is the primary purpose of source code escrow?
To obtain change rights over software after a vendor goes out of business

Who has the responsibility for the development of a security policy?
Senior management

What is the most effective means of improving or enforcing security in any environment?
User awareness training

You have a set of DVD-RW discs that have been used to archive files for your latest development project. You need to dispose of the discs. Which method should you use to best prevent extracting data from the discs?
Shredding

Which of the following is a high-level, general statement about the role of security in the organization?
Policy

Which policy specifically protects PII?
Privacy

HIPAA is a set of federal regulations that define security guidelines that enforce the protection of what?
Privacy

You have recently discovered that a network attack has compromised your database server. In the process, customer credit card numbers might have been taken by an attacker. You have stopped the attack and put measures in place to prevent the same incident from occurring in the future. What else might you be legally required to do?
Contact your customers to let them know of the security breach

Which of the following is a recommendation to use when a specific standard or procedure does not exist?
Guideline

Which of the following defines an acceptable use agreement?
An agreement which identifies the employee's rights to use company property such as Internet access and computer equipment for personal use.

What is the primary purpose of change control?
Prevent unmanaged change

Which of the following best describes the concept of due care or due diligence?
Reasonable precautions, based on industry best practices, are utilized and implemented

Which of the following is defined as a contract which prescribes the technical support or business parameters that a provider will bestow its client?
Service level agreement

When informing an employee that they are being terminated, what is the most important activity?
Disabling their network access

Which of the following is the best protection against security violations?
Defense in depth
