Security Pro: Chapter 3 (3.1.8) Practice Questions

3 September 2022
4.7 (114 reviews)
15 test answers

question
Which of the following is defined as a contract that prescribes the technical support or business parameters a provider will bestow to its client? 1. Certificate practice statement 2. Final audit report 3. Mutual aid agreement 4. Service level agreement
answer
Answer: 4. Service level agreement Explanation: A service level agreement is defined as a contract that prescribes the technical support or business parameters a provider will bestow to its client. Why not 1, 2, or 3?: A mutual aid agreement is an agreement between two organizations to support each other in the event of a disaster. A final audit report is the result of an external auditor's inspection and analysis of an organization's security status. A certificate practice statement defines the actions and promises of a certificate authority.
question
HIPAA is a set of federal regulations that defines security guidelines. What do HIPAA guidelines protect? 1. Availability 2. Integrity 3. Privacy 4. Non-repudiation
answer
Answer: 3. Privacy Explanation: HIPAA is a set of federal regulations that enforce the protection of privacy. Specifically, HIPAA protects the privacy of medical records.
question
What is a service level agreement (SLA)? 1. A guarantee of a specific level of service 2. An agreement to support another company in the event of a disaster 3. A contract with an ISP for a specific level of bandwidth 4. A contract with a legal entity to limit your asset loss liability
answer
Answer: 1. A guarantee of a specific level of service Explanation: An SLA is a guarantee of a specific level of service from a vendor. That service may be communication links, hardware, or operational services. An SLA is a form of insurance against disasters or security intrusions that may affect your organization's mission-critical business functions. Why not 2, 3, or 4?: An agreement to support another company in the event of a disaster is known as a mutual aid agreement. A contract with a legal entity to limit your asset loss liability is an insurance policy. A contract with an ISP for a specific level of bandwidth is a service contract.
question
A Service Level Agreement (SLA) defines the relationship and contractual responsibilities of providers and service recipients. Which of the following characteristics are most important when designing an SLA? (Select two) 1. Industry standard templates for all SLAs to ensure corporate compliance 2. Clear and detailed description of penalties if the level of service is not provided. 3. Detailed provider responsibilities for all continuity and disaster recovery mechanisms 4. Employee vetting procedures that don't apply to contract labor
answer
Answer: 2. Clear and detailed description of penalties if the level of service is not provided. 3. Detailed provider responsibilities for all continuity and disaster recovery mechanisms Explanation: A Service Level Agreement (SLA) should define, with sufficient detail, any penalties incurred if the level of service is not maintained. In the information security realm, it is also vital that the provider's role in disaster recovery operations and continuity planning is clearly defined. Industry standard templates are frequently used as a starting point for SLA design, but they must be tailored to the specific project or relationship to be effective. Employee vetting procedures should apply to contract labor as well, not exclude it.
question
You plan to implement a new security device on your network. Which of the following policies outlines the process you should follow when implementing that device? 1. Change management 2. SLA 3. Resource allocation 4. Acceptable use
answer
Answer: 1. Change management Explanation: A change and configuration management policy provides a structured approach to securing company assets and making changes. Change management: 1. Establishes hardware, software, and infrastructure configurations that are universally deployed throughout the corporation. 2. Tracks and documents significant changes to the infrastructure. 3. Assesses the risk of implementing new processes, hardware, or software. 4. Ensures that proper testing and approval processes are followed before changes are allowed. Why not 2, 3, or 4?: An Acceptable Use Policy (AUP) identifies employees' rights to use company property, such as Internet access and computer equipment, for personal use. A resource allocation policy outlines how resources are allocated. Resources could include staffing, technology, or budgets. Service Level Agreements (SLAs), sometimes called maintenance contracts, guarantee the quality of a service to a subscriber by a network service provider.
question
When you inform an employee that they are being terminated, what is the most important activity? 1. Disabling their network access 2. Allowing them to collect their personal items 3. Allowing them to complete their current work projects 4. Giving them two weeks' notice
answer
Answer: 1. Disabling their network access Explanation: When an employee is terminated, you should disable their network access immediately. Often, an employee is taken into an exit interview where they are informed of the termination and asked to review their NDA and other security agreements. While the exit interview is occurring, the system administrator disables the user's network access and security codes. Why not 2, 3, or 4?: Returning personal items is the least important task when removing an employee. Terminated employees should not be allowed to complete work projects, nor should they be given two weeks' notice. Both of these activities grant the ex-employee the ability to cause damage to your secure environment as a form of retaliation.
question
What is the most effective way to improve or enforce security in any environment? 1. Enforcing account lockout 2. Requiring two-factor authentication 3. Disabling Internet Access 4. Providing user-awareness training
answer
Answer: 4. Providing user-awareness training Explanation: The most effective way to improve and enforce security in any environment is user awareness training. If users are educated about security and how to perform their work tasks securely, the overall security of the environment improves. Why not 1, 2, or 3?: Enforcing account lockout, two-factor authentication, and disabling Internet access are all valid security countermeasures or improvements. However, they do not have as large a positive impact on overall security as user awareness training.
question
You have a set of DVD-RW discs that have been used to archive files for your latest development project. You need to dispose of the discs. Which of the following methods should you use to best prevent data extraction from the discs? 1. Degauss the discs 2. Write junk data over the discs seven times 3. Shred the discs 4. Delete the data on the discs
answer
Answer: 3. Shred the discs Explanation: To completely prevent reading data from discs, destroy them using a DVD shredder or crusher. Why not 1, 2, or 4?: Degaussing works only for magnetic media such as floppy and hard disk drives; optical discs are not magnetic, so a degausser has no effect on them. Simply deleting data offers little protection, because the file contents remain on the disc until overwritten. Multi-pass overwriting is a sanitization technique for magnetic and flash media; it is not a recognized sanitization method for optical media, it leaves the physical disc intact, and it is therefore not the best choice when the discs are being disposed of anyway.
question
Which of the following best describes the concept of "due care" or "due diligence"? 1. Reasonable precautions based on industry best practices are utilized and documented 2. Security through obscurity is best accomplished by port stealthing 3. Legal disclaimers are consistently and conspicuously displayed on all systems 4. Availability supersedes security unless physical harm is likely
answer
Answer: 1. Reasonable precautions based on industry best practices are utilized and documented Explanation: Due care and due diligence are legal terms that describe the responsibility of one party to act reasonably in relation to the rights of another. In this example, due care is best described as the utilization and documentation of reasonable precautions based on industry best practices. The subjective nature of the term "reasonable" is frequently determined by courts. Any deviation from accepted industry best practices may subject an organization or individual to legal action on these grounds.
question
Which of the following is an example of a strong password? 1. Robert694 2. at9iov45a 3. a8bT11$yi 4. desktop#7
answer
Answer: 3. a8bT11$yi Explanation: A strong password should not contain dictionary words or any part of the login name. It should include upper- and lower-case letters, numbers, and symbols. In addition, longer passwords are stronger than shorter passwords. Why not 1, 2, or 4?: Robert694 is a name followed by digits and has no symbol; at9iov45a has no upper-case letter and no symbol; desktop#7 is built on the dictionary word "desktop" and has no upper-case letter.
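The rules in the answer above can be applied mechanically. The following is an added example (not part of the quiz or its source material) that checks each of the four candidates against those rules: minimum length, all four character classes, no fragment of the login name, and no dictionary word. The word list, the assumed login name "rjones", and the 8-character minimum are constructed for the example; a real deployment would load a proper dictionary or breached-password list. One practitioner caveat: composition rules like these are a coarse signal, and current guidance (NIST SP 800-63B) favors length and screening against known-breached passwords over mandatory symbol and case requirements.

```python
import string

# Constructed word list for the example; a real check would load a dictionary
# or breached-password list (assumption, not data from the quiz).
COMMON_WORDS = {"robert", "desktop", "password", "welcome", "admin", "summer"}

MIN_LENGTH = 8  # assumed policy minimum; the quiz only says "longer is stronger"


def _login_fragment(password_lower, login, min_frag=3):
    """Return the longest fragment (at least min_frag characters) of the login
    name that appears inside the password, or None. Longest fragments first."""
    login = login.lower()
    for size in range(len(login), min_frag - 1, -1):
        for start in range(len(login) - size + 1):
            frag = login[start:start + size]
            if frag in password_lower:
                return frag
    return None


def password_findings(password, login, words=COMMON_WORDS, min_length=MIN_LENGTH):
    """Apply the strength rules from the answer and return the list of rules
    the password violates. An empty list means it passes every rule."""
    findings = []
    lower = password.lower()

    if len(password) < min_length:
        findings.append(f"shorter than {min_length} characters")
    if not any(c.islower() for c in password):
        findings.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        findings.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        findings.append("no digit")
    if not any(c in string.punctuation for c in password):
        findings.append("no symbol")

    frag = _login_fragment(lower, login)
    if frag:
        findings.append(f"contains part of the login name ({frag!r})")

    # Longest words first, so "passwords" is reported as "password", not "pass".
    for word in sorted(words, key=len, reverse=True):
        if len(word) >= 4 and word in lower:
            findings.append(f"contains dictionary word {word!r}")
            break
    return findings


def is_strong(password, login):
    """True only when no rule is violated."""
    return not password_findings(password, login)


if __name__ == "__main__":
    # The four candidates from the question, checked against the assumed login "rjones".
    for candidate in ("Robert694", "at9iov45a", "a8bT11$yi", "desktop#7"):
        problems = password_findings(candidate, login="rjones")
        verdict = "STRONG" if not problems else "WEAK: " + "; ".join(problems)
        print(f"{candidate:12} {verdict}")
```

Only a8bT11$yi comes back with an empty findings list; the other three each trip at least two rules, which is the same reasoning the answer gives.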
question
Which of the following is a recommendation to use when a specific standard or procedure does not exist? 1. Standard 2. Baseline 3. Guideline 4. Procedure
answer
Answer: 3. Guideline Explanation: A guideline is a recommendation to use when a specific standard or procedure does not exist. Why not 1, 2, or 4?: #1 A standard is a legal, industry, or best business practice that a company implements, such as a building code. #2 A baseline dictates the settings and security mechanisms that must be imposed on a system in order to comply with required security standards. #4 A procedure is a detailed, specific step-by-step instruction for a process.
question
Which of the following is the best protection against security violations? 1. Bottom-up decision-making 2. Monolithic security 3. Defense in depth 4. Fortress mentality
answer
Answer: 3. Defense in depth Explanation: Defense in depth is the best protection against security violations, because it layers independent controls so that the failure of any one control does not expose the asset. Why not 1, 2, or 4?: Monolithic security and fortress mentality are both poor security perspectives, as they rely upon a single protection mechanism. Bottom-up decision-making is a poor security process, as it does not firmly establish responsibility, management control, or standards enforcement. Ultimately, such a process will lead to chaos rather than security.
question
What is the primary purpose of source code escrow? 1. To provide a backup copy of software to use for recovery in the event of a disaster 2. To obtain resale rights over software after the vendor goes out of business 3. To hold funds in reserve for unpredicted costs before paying the fees of the programmer 4. To obtain change rights over software after the vendor goes out of business
answer
Answer: 4. To obtain change rights over software after the vendor goes out of business Explanation: Source code escrow places a copy of the source with a neutral third party so that the customer can obtain it, and with it the right to maintain and modify the software, if the vendor goes out of business or otherwise fails to support the product. Why not 1, 2, or 3?: Source code escrow is not used to obtain resale rights, to provide backup copies for disaster recovery, or to withhold funds from programmers.
question
Change control should be used to oversee and manage over what aspect of an organization? 1. Every aspect 2. Personnel and policies 3. Physical environment 4. IT hardware and software
answer
Answer: 1. Every aspect Explanation: Every aspect of an organization should be monitored and managed by change control. Why not 2, 3, or 4?: Focusing only on hardware and software, personnel and policies, or the physical environment will limit the effectiveness of change control. Change control should cover the entire organization.
question
You have recently discovered that a network attack has compromised your database server. The attacker may have stolen customer credit card numbers. You have stopped the attack and implemented security measures to prevent the same incident from occurring in the future. What else might you be legally required to do? 1. Perform additional investigation to identify the attacker 2. Contact your customers to let them know about the security breach 3. Implement training for employees who handle personal information 4. Delete personally identifiable information from your computers
answer
Answer: 2. Contact your customers to let them know about the security breach Explanation: After you have analyzed the attack and gathered evidence, be aware that, in some states, you are required to notify individuals if their personal information might have been compromised. For example, if an incident involves the exposure of credit card numbers, identifying information (such as Social Security numbers), or medical information, you might be legally obligated to notify potential victims and take measures to help protect their information from further attack.