A is correct. An acceptable use policy (AUP) informs users of company expectations when they use computer systems and networks, and it defines acceptable rules of behavior. A non-disclosure agreement (NDA) ensures that individuals do not share proprietary data with others. A service level agreement (SLA) is an agreement between a company and a vendor that stipulates performance expectations, such as minimum uptime and maximum downtime levels. A measurement systems analysis (MSA) evaluates the processes and tools used to make measurements.

C is correct. Mandatory vacations help to reduce the possibility of fraud and embezzlement. An acceptable use policy informs users of company policies, and even though users sign them, they don’t deter someone considering theft by embezzling funds. Training can help reduce incidents by ensuring personnel are aware of appropriate policies. A background check is useful before hiring employees, but it doesn’t directly reduce risks related to employees colluding to embezzle funds.

A is correct. When following the principle of least privilege, individuals have only enough rights and permissions to perform their job. Lisa needs to maintain the training lab, but there is no indication she needs to join the training lab computers to the domain. A measurement systems analysis (MSA) uses various methods to identify variations within a measurement process and is completely unrelated to this question. Diversity of training techniques refers to using different training techniques for end users. Offboarding is the process of removing employees’ access when they leave the company but has nothing to do with the privileges of a training instructor.

C is correct. This practice enforces a job rotation policy where employees rotate into different jobs, and it is designed to reduce potential incidents. A separation of duties policy prevents any single person from performing multiple job functions to help prevent fraud, but it doesn’t force users to switch roles. A mandatory vacation policy requires employees to take time away from their job. An acceptable use policy informs users of their responsibilities when using an organization’s equipment.

A is correct. The preparation phase is the first phase of common incident response procedures and attempts to prevent security incidents. Incident identification occurs after a potential incident occurs and verifies it is an incident. Containment attempts to limit the damage by preventing an incident from spreading, but it doesn’t prevent the original incident. Eradication attempts to remove all malicious elements of an incident after it has been contained. All six steps in order are preparation, identification, containment, eradication, recovery, and lessons learned.

D is correct. You should analyze an incident during the lessons learned phase of incident response to identify steps to prevent reoccurrence. Preparation is a planning step done before an incident, to prevent incidents and identify methods to respond to incidents. Identification is the first step after hearing about a potential incident to verify it is an incident. Eradication attempts to remove all malicious elements of an incident after containing it.

1.             C is correct. It’s important to keep a chain of custody for any confiscated physical items, and the chain of custody is a record of everyone who took possession of the asset after it was first confiscated. Hashes should be taken before capturing an image of a disk, but hashes are not required before confiscating equipment. Security personnel should be aware of the order of volatility and protect volatile data, but there isn’t any way to maintain the order of volatility. It’s important to perform interviews of anyone who observed the incident, but it isn’t necessary to interview people who were present when the asset is confiscated.