Security+ Study Guide-11 Implement Policies to Mitigate Risks

Quiz • Computers • Professional Development • Hard

Alejandro Hidalgo
15 questions
1.
MULTIPLE CHOICE QUESTION
30 sec • 1 pt
Management within your organization wants to ensure that users understand the rules of behavior when they access the organization's computer systems and networks.
Which of the following BEST describes what they would implement to meet this requirement?
AUP
NDA
SLA
MSA
Answer explanation
An acceptable use policy (AUP) informs users of company expectations when they use computer systems and networks, and it defines acceptable rules of behavior.
A non-disclosure agreement (NDA) ensures that individuals do not share proprietary data with others.
A service level agreement (SLA) is an agreement between a company and a vendor that stipulates performance expectations, such as minimum uptime and maximum downtime levels.
A measurement systems analysis (MSA) evaluates the processes and tools used to make measurements.
2.
MULTIPLE CHOICE QUESTION
30 sec • 1 pt
Management recently decided to upgrade the organization's security policy. Among other items, they want to implement a policy that will reduce the risk of personnel within the organization colluding to embezzle company funds.
Which of the following is the BEST choice to meet this need?
AUP
Training
Mandatory vacations
Background check
Answer explanation
Mandatory vacations help to reduce the possibility of fraud and embezzlement. An acceptable use policy informs users of company policies, and even though users sign them, they don't deter someone considering theft by embezzling funds.
Training can help reduce incidents by ensuring personnel are aware of appropriate policies.
A background check is useful before hiring
3.
MULTIPLE CHOICE QUESTION
30 sec • 1 pt
Lisa is a training instructor, and she maintains a training lab with 16 computers. She has enough rights and permissions on these machines to configure them as needed for classes. However, she does not have the rights to add them to the organization's domain.
Which of the following choices BEST describes the reasoning for this?
Least privilege
MSA
Diversity of training
Offboarding
Answer explanation
When following the principle of least privilege, individuals have only enough rights and permissions to perform their job. Lisa needs to maintain the training lab, but there is no indication she needs to join the training lab computers to the domain.
A measurement systems analysis (MSA) uses various methods to identify variations within a measurement process and is completely unrelated to this question.
Diversity of training techniques refers to using different training techniques for end users.
Offboarding is the process of removing employees’ access when they leave the company but has nothing to do with the privileges of a training instructor.
4.
MULTIPLE CHOICE QUESTION
45 sec • 1 pt
Your organization includes a software development division within the IT department. One developer writes and maintains applications for the Payroll department. Once a year, they switch roles for at least a month.
What is the purpose of this practice?
To enforce a separation of duties policy
To enforce a mandatory vacation policy
To enforce a job rotation policy
To enforce an acceptable use policy
Answer explanation
This practice enforces a job rotation policy where employees rotate into different jobs, and it is designed to reduce potential incidents.
A separation of duties policy prevents any single person from performing multiple job functions to help prevent fraud, but it doesn’t force users to switch roles.
A mandatory vacation policy requires employees to take time away from their job.
An acceptable use policy informs users of their responsibilities when using an organization’s equipment.
5.
MULTIPLE CHOICE QUESTION
30 sec • 1 pt
Your organization recently suffered a costly malware attack. Management wants to take steps to prevent damage from malware in the future.
Which of the following phases of common incident response procedures is the BEST phase to address this?
Preparation
Identification
Containment
Eradication
Answer explanation
The preparation phase is the first phase of common incident response procedures and attempts to prevent security incidents. Incident identification occurs after a potential incident occurs and verifies it is an incident.
Containment attempts to limit the damage by preventing an incident from spreading, but it doesn’t prevent the original incident.
Eradication attempts to remove all malicious elements of an incident after it has been contained.
All six steps in order are preparation, identification, containment, eradication, recovery, and lessons learned.
6.
MULTIPLE CHOICE QUESTION
30 sec • 1 pt
An incident response team is following typical incident response procedures. Which of the following phases is the BEST choice for analyzing an incident to identify steps to prevent a reoccurrence of the incident?
Preparation
Identification
Eradication
Lessons learned
Answer explanation
You should analyze an incident during the lessons learned phase of incident response to identify steps to prevent reoccurrence.
Preparation is a planning step done before an incident, to prevent incidents and identify methods to respond to incidents.
Identification is the first step after hearing about a potential incident to verify it is an incident.
Eradication attempts to remove all malicious elements of an incident after containing it.
7.
MULTIPLE CHOICE QUESTION
45 sec • 1 pt
After a recent cybersecurity incident resulting in a significant loss, your organization decided to create a security policy for incident response.
Which of the following choices is the BEST choice to include in the policy when an incident requires confiscation of a physical asset?
Ensure hashes are taken first
Maintain the order of volatility
Keep a record of everyone who took possession of the physical asset
Require interviews of all witnesses present when the asset is confiscated
Answer explanation
It's important to keep a chain of custody for any confiscated physical items, and the chain of custody is a record of everyone who took possession of the asset after it was first confiscated.
Hashes should be taken before capturing an image of a disk, but hashes are not required before confiscating equipment.
Security personnel should be aware of the order of volatility and protect volatile data, but there isn't any way to maintain the order of volatility.
It's important to perform interviews of anyone who observed the incident, but it isn't necessary to interview people who were present when the asset is confiscated.