In this chapter, you will
• Understand the importance of policies, plans, and procedures related to organizational security
• Distinguish between the standard types of agreements
• Be introduced to personnel management policies and procedures
• Examine some general security policies
Policies and procedures govern the operation of the organization and represent a set of requirements developed from both internal and external sources. External requirements may come from laws and regulations, contractual terms such as incorporation of the Payment Card Industry Data Security Standard (PCI DSS), or customer specifications. There are regulatory situations where specific business actions are required by law or regulation. In many cases, the laws or regulations require that specific policies be in place to govern compliance. Understanding the specific requirements of the business environment may require assistance from supporting business functions, guidance from industry groups, or help from other sources. Determining which security policies and procedures apply to third-party relationships is a key endeavor in ensuring that all of their elements are met during business operations. The bottom line is simple: in some business situations, policies and procedures may be mandated by outside regulation, and assistance may be required in ensuring compliance.
Certification Objective This chapter covers CompTIA Security+ exam objective 5.1, Explain the importance of policies, plans and procedures related to organizational security.
Procedures are the step-by-step instructions on how to implement policies in the organization. They describe exactly how employees are expected to act in a given situation or to accomplish a specific task. Standards are mandatory elements regarding the implementation of a policy. They are accepted specifications that provide specific details on how a policy is to be enforced. Some standards are externally driven. Regulations for banking and financial institutions, for example, require certain security measures be taken by law. Other standards may be set by the organization to meet its own security goals. Standard operating procedures are just that, mandatory step-by-step instructions set by the organization so that in the performance of their duties, employees will meet the stated security objectives of the firm.
Many business operations involve actions between many different parties—some within an organization, and some in different organizations. These actions require communication between the parties, defining the responsibilities and expectations of the parties, the business objectives, and the environment within which the objectives will be pursued. To ensure an agreement is understood between the parties, written agreements are used. Numerous forms of legal agreements and contracts are used in business, but with respect to security, some of the most common ones are the business partnership agreement, service level agreement, interconnection security agreement, and memorandum of understanding.
A business partnership agreement (BPA) is a legal agreement between partners that establishes the terms, conditions, and expectations of the relationship between the partners. These details can cover a wide range of issues, including typical items such as the sharing of profits and losses, the responsibilities of each partner, the addition or removal of partners, and any other issues. The Uniform Partnership Act (UPA), established by state law and convention, lays out a uniform set of rules associated with partnerships to resolve any partnership terms. The terms in a UPA are designed as “one size fits all” and are not typically in the best interest of any specific partnership. To avoid undesired outcomes that may result from UPA terms, it is best for partnerships to spell out specifics in a BPA.
A service level agreement (SLA) is a negotiated agreement between parties detailing the expectations between a customer and a service provider. SLAs essentially set the requisite level of performance of a given contractual service. SLAs are typically included as part of a service contract and set the level of technical expectations. An SLA can define specific services, the performance level associated with a service, issue management and resolution, and so on. SLAs are negotiated between customer and supplier and represent the agreed-upon terms. Specific security requirements can be specified in an SLA, and enforced once both parties agree. Once entered into, the SLA becomes a legally binding document.
An interconnection security agreement (ISA) is a specialized agreement between organizations that have interconnected IT systems, the purpose of which is to document the security requirements associated with the interconnection. An ISA can be a part of an MOU detailing the specific technical security aspects of a data interconnection.
A memorandum of understanding (MOU) and a memorandum of agreement (MOA) are legal documents used to describe a bilateral agreement between parties. Each is a written agreement expressing a set of intended actions between the parties with respect to some common pursuit or goal. Typically, an MOU has higher-level descriptions, while an MOA is more specific, but the boundaries between these two legal terms are blurry and they are often used interchangeably. Each is more formal and detailed than a simple handshake, but generally lacks the binding powers of a contract. MOUs/MOAs are also commonly used between different units within an organization to detail expectations associated with the common business interest, including security requirements.
EXAM TIP Be sure you understand the differences between the interoperability agreements SLA, BPA, ISA, and MOU/MOA for the CompTIA Security+ exam. All of them can be used to communicate security requirements between parties, but each is specific as to when it should be used. Look at usage for hints as to which would apply.
A significant portion of human-created security problems results from poor security practices. These poor practices may be those of an individual user who is not following established security policies or processes, or they may be caused by a lack of security policies, procedures, or training within the user’s organization. Through the establishment, enforcement, and monitoring of personnel-related policies—personnel management—an organization can create a framework that empowers its workers to achieve business objectives, yet keeps them constrained within security recommended practices. This section covers a dozen security topics related to the management of personnel.
Organizations have been providing vacation time for their employees for many years. Until recently, however, few organizations forced employees to take this time if they didn’t want to. Some employees are given the choice to either “use or lose” their vacation time, and if they do not take all of their time, they’ll lose at least a portion of it. Many arguments can be made as to the benefit of taking time off, but more importantly, from a security standpoint, an employee who never takes time off is a potential indicator of nefarious activity. Employees who never take any vacation time could be involved in activity such as fraud or embezzlement and might be afraid that if they leave on vacation, the organization would discover their illicit activities. As a result, requiring employees to use their vacation time through a policy of mandatory vacations can be a security protection mechanism. Using mandatory vacations as a tool to detect fraud will require that somebody else also be trained in the functions of the employee who is on vacation. Having a second person familiar with security procedures is also a good policy in case something happens to the primary.
Another policy that provides multiple benefits is job rotation. Rotating through jobs provides individuals with a better perspective of how the various parts of the organization can enhance (or hinder) the business. Since security is often of secondary concern to people in their jobs, rotating individuals through security positions can result in a much wider understanding of the organization’s security problems. A secondary benefit is that it also eliminates the need to rely on one individual for security expertise. If all security tasks are the domain of one employee, security will suffer if that individual is lost from the organization. In addition, if only one individual understands the security domain, should that person become disgruntled and decide to harm the organization, recovering from their attack could be very difficult.
Separation of duties is a principle employed in many organizations to ensure that no single individual has the ability to conduct transactions alone. This means that the level of trust in any one individual is lessened, and the ability for any individual to cause catastrophic damage to the organization is also lessened. An example might be an organization in which one person has the ability to order equipment, but another individual makes the payment. An individual who wants to make an unauthorized purchase for his own personal gain would have to convince another person to go along with the transaction.
Separating duties as a security tool is a good practice, but it is possible to go overboard and break up transactions into too many pieces or require too much oversight. This results in inefficiency and can actually be less secure, since individuals may not scrutinize transactions as thoroughly because they know others will also be reviewing them. The temptation is to hurry something along and assume that somebody else will examine it or has examined it.
EXAM TIP Another aspect of the separation of duties principle is that it spreads responsibilities out over an organization so no single individual becomes the indispensable individual with all of the “keys to the kingdom” or unique knowledge about how to make everything work. If enough tasks have been distributed, assigning a primary and a backup person for each task will ensure that the loss of any one individual will not have a disastrous impact on the organization.
Preventing access to information is also important in the work area. Firms with sensitive information should have a clean desk policy specifying that sensitive information must not be left unsecured in the work area when the worker is not present to act as custodian. Even leaving the desk area and going to the bathroom can leave information exposed and subject to compromise. The clean desk policy should identify and prohibit things that are not obvious upon first glance, such as passwords on sticky notes under keyboards and mouse pads or in unsecured desk drawers.
Personnel are key to security in the enterprise. Hiring good personnel has always been a challenge in the technical field, but it is equally important to hire trustworthy people, especially in key roles that have greater system access. Performing routine background checks provides the HR team the information needed to make the correct decisions. Background checks can validate previous employment, criminal backgrounds, and financial background. Depending upon the industry, firm, and position, different elements from these areas may be included.
NOTE It is commonly heard that hiring a talented security hacker requires accepting someone with a shady past. The veracity of that comment aside, the real question to ask is not “Would I hire this person?” but rather “Would I be afraid of firing them?”
Exit interviews can be powerful tools for gathering information when people leave an organization. From a security perspective, the off-boarding process for personnel is very important. The employee termination process needs to include termination of all accounts, including those enabled on mobile devices. It’s not uncommon to find terminated employees with accounts or even company devices still connecting to the corporate network months after being terminated. E-mail accounts should be removed promptly as part of the employee termination policy and process. Mobile devices supplied by the company should be collected upon termination. BYOD equipment should have its access to corporate resources terminated as part of the off-boarding process. Regular audits for old or unterminated accounts should be performed to ensure prompt deletion of accounts for terminated employees.
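As an added illustration of the account audit that the off-boarding process calls for (example code written for this edit, not from the book), the following Python script reconciles a constructed HR termination list against a constructed directory/MDM export and flags every account, mailbox, company device, or BYOD grant that should have been removed, as well as any login observed after the termination date. The field names and all sample values are assumptions about what such exports might contain.

```python
"""Off-boarding audit: flag accounts and devices still active after termination.

Added example, not from the book. All records are constructed sample data; the
field names ('enabled', 'last_login', 'mailbox', 'devices', 'byod_access') are
assumptions about what an HR export and a directory/MDM export might contain.
"""
from datetime import date, datetime
from typing import Dict, List, Optional

# Constructed HR export: username -> termination date (None = still employed).
HR_TERMINATIONS: Dict[str, Optional[date]] = {
    "asmith": date(2023, 1, 15),
    "bjones": None,
    "cdoe": date(2023, 3, 1),
    "elee": date(2023, 2, 10),
}

# Constructed directory/MDM export. 'svc-old' has no HR record at all.
ACCOUNTS = [
    {"user": "asmith", "enabled": True, "last_login": "2023-04-02T09:12:00",
     "mailbox": True, "devices": ["corp-phone-0172"], "byod_access": False},
    {"user": "bjones", "enabled": True, "last_login": "2023-04-10T08:00:00",
     "mailbox": True, "devices": [], "byod_access": True},
    {"user": "cdoe", "enabled": False, "last_login": "2023-02-27T17:45:00",
     "mailbox": False, "devices": [], "byod_access": False},
    {"user": "elee", "enabled": False, "last_login": "2023-03-05T12:00:00",
     "mailbox": True, "devices": [], "byod_access": True},
    {"user": "svc-old", "enabled": True, "last_login": "2022-11-30T00:00:00",
     "mailbox": False, "devices": [], "byod_access": False},
]


def audit_offboarding(hr: Dict[str, Optional[date]],
                      accounts: List[dict]) -> Dict[str, List[str]]:
    """Return {user: [issue, ...]} for every account violating off-boarding policy.

    Checks, per terminated user: account still enabled, mailbox not removed,
    company devices not collected, BYOD access not revoked, and any login that
    postdates the termination date. Accounts with no HR record are reported as
    orphans so a human can decide whether they are service accounts or leftovers.
    """
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        user = acct["user"]
        issues: List[str] = []
        if user not in hr:
            issues.append("no HR record (orphaned account, review required)")
        else:
            term = hr[user]
            if term is None:
                continue  # current employee: nothing to check here
            if acct["enabled"]:
                issues.append(f"account still enabled after termination on {term}")
            if acct["mailbox"]:
                issues.append("e-mail mailbox not removed")
            for dev in acct["devices"]:
                issues.append(f"company device {dev} not collected")
            if acct["byod_access"]:
                issues.append("BYOD access to corporate resources not revoked")
            if acct.get("last_login"):
                last = datetime.fromisoformat(acct["last_login"]).date()
                if last > term:
                    issues.append(f"login observed on {last}, after termination")
        if issues:
            findings[user] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit_offboarding(HR_TERMINATIONS, ACCOUNTS).items():
        print(user)
        for issue in issues:
            print("  -", issue)
```

In practice the two inputs would be exported from the HR system and the directory or MDM on a schedule, and the report fed to the account-removal ticket queue.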
For training to be effective, it needs to be targeted to the user with regard to their role in the subject of the training. While all employees may need general security awareness training, they also need specific role-based awareness training in areas where they have individual responsibilities. Role-based training with regard to information security responsibilities is an important part of information security training.
If a person has job responsibilities that may impact information security, then role-specific training is needed to ensure that the individual understands the responsibilities as they relate to information security. Some roles, such as system administrator or developer, have clearly defined information security responsibilities. The roles of others, such as project manager or purchasing manager, have information security impacts that are less obvious, but these roles require training as well. In fact, the less-obvious but wider-impact roles of middle management can have a large effect on the information security culture, and thus if a specific outcome is desired, it requires training.
As in all personnel-related training, two elements need attention. First, retraining over time is necessary to ensure that personnel keep proper levels of knowledge. Second, as people change jobs, a reassessment of the required training basis is needed, and additional training may be required. Maintaining accurate training records of personnel is the only way this can be managed in any significant enterprise.
Data requires a data owner. Data ownership roles for all data elements need to be defined in the business. Data ownership is a business function, where the requirements for security, privacy, retention, and other business functions should be established. Not all data requires the same handling restrictions, but all data requires these characteristics to be defined. This is the responsibility of the data owner. It is important that data owners receive training and understand their responsibilities with respect to this important requirement.
System administrators are administrative users with the responsibility of maintaining a system within its defined requirements. The system owner defines the requirements, such as frequency of backups, whereas the system administrator configures the system to operationally meet these requirements. System administrators have virtually unlimited power over the system, for they can control all functions, but they should not have the power, or the responsibility, to set policies for the system. That falls to the system owner. It is important that system administrators receive training and understand their responsibilities with respect to this important requirement, and the delineation of their responsibilities.
Every system requires a system owner. Like data ownership, system ownership is a business function, where the requirements for security, privacy, retention, and other business functions are established for an entire system. Not all systems require the same policies, but the determination of what the policies for a given system are is the responsibility of the system owner. It is important that system owners receive training and understand their responsibilities with respect to this important requirement.
Normal users need limited access based on their job role and tasks assigned. This is where the principle of least privilege comes into play. Limiting an object’s privileges limits the amount of harm that can be caused, thus limiting an organization’s exposure to damage. Users may have access to the files on their workstations and a select set of files on a file server, but they have no access to critical data that is held within the database. This rule helps an organization protect its most sensitive resources and helps ensure that whoever is interacting with these resources has a valid reason to do so. Users should be trained as to the limits of their use and their responsibilities associated with those limits.
A privileged user has more authority than a standard user. Short of full administrative or root access, a privileged user has permissions to do a wider range of tasks, as their job role may require greater responsibilities. For example, a database administrator would need the equivalent of root access to database functions, but not to all servers or other OS options. Aligning privileges to user responsibilities is good standard policy.
Executive users are a special type of user. Their business responsibility may be broad and deep, covering many levels and types of business functions. This level of work responsibility may not translate directly to their needed computer access. Does the CIO, the highest-level IT employee, require all of the permissions of all of their subordinates? The true answer is no, for they will not be performing the same level of tasks in their work. And should they on occasion need the access, it can be granted at the time of need.
Limiting the access of executives is not meant to limit their work, but rather to limit the range of damage should an account become compromised. Executive users are natural targets for spear phishing attacks, and limiting their system privileges to what is truly needed for them to perform their system-level tasks limits the damage a hacker could cause by compromising an executive account.
Non-disclosure agreements (NDAs) are standard corporate documents used to explain the boundaries of company secret material, information over which control should be exercised to prevent disclosure to unauthorized parties. NDAs are frequently used to delineate the level and type of information, and with whom it can be shared. NDAs can be executed between any two parties where one party wishes that the material being shared not be further shared, enforcing confidentiality via contract.
A key element when on-boarding personnel is to ensure that the personnel are aware of and understand their responsibilities with respect to securing company information and assets. Agreements with business partners tend to be fairly specific about the terms of the mutual expectations associated with the business process. Ensuring the correct security elements are covered during onboarding is essential to setting proper employee expectations. These considerations need to be made prior to the establishment of the relationship, not added at the time that it is coming to an end.
EXAM TIP Onboarding and offboarding business procedures should be well documented to ensure compliance with legal requirements.
Technology and security practices are far from static environments. They advance every year, and relevant skills can become outdated in as little as a couple of years. Maintaining a skilled workforce in security necessitates ongoing training and education. A continuing education program can assist greatly in helping employees keep their skills up to date.
An acceptable use policy (AUP) outlines what the organization considers to be the appropriate use of its resources, such as computer systems, e-mail, Internet, and networks. Organizations should be concerned about any personal use of organizational assets that does not benefit the company.
The goal of the policy is to ensure employee productivity while limiting potential organizational liability resulting from inappropriate use of the organization’s assets. The policy should clearly delineate what activities are not allowed. The AUP should address issues such as the use of resources to conduct personal business, installation of hardware or software, remote access to systems and networks, the copying of company-owned software, and the responsibility of users to protect company assets, including data, software, and hardware. Statements regarding possible penalties for ignoring any of the policies (such as termination) should also be included.
Related to appropriate use of the organization’s computer systems and networks by employees is the appropriate use by the organization. The most important of such issues is whether the organization will consider it appropriate to monitor the employees’ use of the systems and network. If monitoring is considered appropriate, the organization should include a statement to this effect in the banner that appears at login. This repeatedly warns employees, and possible intruders, that their actions are subject to monitoring and that any misuse of the system will not be tolerated. Should the organization need to use in either a civil or criminal case any information gathered during monitoring, the issue of whether the employee had an expectation of privacy, or whether it was even legal for the organization to be monitoring, is simplified if the organization can point to its repeatedly displayed statement that use of the system constitutes consent to monitoring. Before any monitoring is conducted, or the actual wording on the warning message is created, the organization’s legal counsel should be consulted to determine the appropriate way to address this issue.
EXAM TIP Make sure you understand that an acceptable use policy outlines what is considered acceptable behavior for a computer system’s users. This policy often goes hand-in-hand with an organization’s Internet usage policy.
Punishing employees when they violate policies is always a difficult subject. There are two schools of thought regarding when to take adverse actions:
• Zero-tolerance: One strike and you are out is the norm. The defense of this view is that by setting the bar high, you get better performers and stricter adherence to policies. The downside is that the lack of flexibility means an otherwise excellent long-term employee who makes an uncharacteristic mistake in judgment must be treated the same as a middling employee who violates the same policy his first week on the job. There is no flexibility to save the employee’s career, or their future contributions to the organization. In an environment where highly skilled workers are not readily available, this lack of flexibility can lead to staffing and morale issues.
• Discretionary action: Adverse issues are handled using the principle “violations will be punished via a range of HR actions, up to and including termination.” The flexibility that this offers makes handling cases more challenging because management must determine the correct level of adverse action, but it also gives the flexibility to salvage good employees who have made an uncharacteristic mistake.
Regardless of which path an organization takes, the key to being legal and ethical is consistency in practice.
EXAM TIP Understanding the importance of various policies and procedures is specifically called for in the exam objectives. Learning how to differentiate which policy is relevant to address a specific situation is important from a testing point of view.
In keeping with the high-level nature of policies, the security policy is a high-level statement produced by senior management that outlines what security means to the organization and what the organization’s goals are for security. The main security policy can then be broken down into additional policies that cover specific topics. Statements such as “this organization will exercise the principle of least privilege in its handling of client information” would be an example of a security policy. The security policy can also describe how security is to be handled from an organizational point of view (such as describing which office and corporate officer or manager oversees the organization’s security program).
In addition to policies related to access control, the organization’s security policy should include the specific policies described in this chapter. All policies should be reviewed on a regular basis and updated as needed. Generally, policies should be updated less frequently than the procedures that implement them, since the high-level goals will not change as often as the environment in which they must be implemented. All policies should be reviewed by the organization’s legal counsel, and a plan should be outlined describing how the organization will ensure that employees will be made aware of the policies. Policies can also be made stronger by including references to the authority who made the policy (whether this policy comes from the CEO or is a department-level policy) and to any laws or regulations that are applicable to the specific policy and environment.
The rise of social media networks and applications has changed many aspects of business. Whether used for marketing, communications, customer relations, or some other purpose, social media networks can be considered a form of third party. One of the challenges in working with social media networks and/or applications is their terms of use. While a relationship with a typical third party involves a negotiated set of agreements with respect to requirements, there is no negotiation with social media networks. The only option is to adopt their terms of service, so it is important to understand the implications of these terms with respect to the business use of the social network.
The use of social media sites by employees at work brings in additional risks, in the form of viruses, worms, and spear phishing data collection. In years past, employers worried about employees using the machines at work to shop on eBay or surf the Web rather than work. Today, the risks are increased beyond just lost time to now include malware introduction to work machines. It is common for firms to use AUPs to restrict employee personal use of things like social media, peer-to-peer (P2P) networking, BitTorrent, and other non-work-related applications.
Commingling of personal and work-related materials may not appear to be a real problem when viewed from an employee’s perspective … what can be the harm? But the reality of modern e-discovery and other processes raises many concerns from a corporate perspective. While occasional use of work e-mail for personal use probably doesn’t add enough data to be a storage concern, what happens when that e-mail becomes involved in a personal legal dispute? Whether the issue is one inherently personal, as in divorce, or financial, as in a case of suspected fraud, when the lawyers get involved and send a litigation hold request to a firm for an employee’s personal e-mail on a corporate server, the commingling becomes a problem. The simplest and easiest policy is to disallow use of corporate resources for personal use, including e-mail, storage, devices, and so forth.
Using third-party e-mail services such as Gmail, Hotmail, and so forth also introduces risk to the corporate environment in that this provides yet another channel for malware, including worms, viruses, Trojans, and ransomware. As in other use issues associated with corporate resources, this topic should be covered in the AUP.
EXAM TIP Employees should be trained to be cognizant of the risks to the organization whenever using computer resources. Because malware, including Trojans and ransomware, is so common on the Web, users are part of the defense in keeping this material off of the organization’s network. This duty extends to the use of non-work-related applications, such as social media, P2P networks for file sharing, personal e-mail services, and so forth. Understanding where the risk originates, and that personal accounts and applications are not immune, is important.
In this chapter, you became acquainted with policies and procedures. The chapter opened with various types of business agreements, including the business partnership agreement (BPA), service level agreement (SLA), interconnection security agreement (ISA), and memorandum of understanding/memorandum of agreement (MOU/MOA), and then ventured into the area of policies associated with personnel management. From work policies such as mandatory vacations, separation of duties, and clean desk, to role-based training, the bulk of the chapter centered on personnel policies. The chapter concluded with some general security policies that affect most users.
To help you prepare further for the CompTIA Security+ exam, and to test your level of preparedness, answer the following questions and then check your answers against the correct answers at the end of the chapter.
1. What is the name given to the step-by-step instructions on how to implement policies in an organization?
A. Standards
B. Guidelines
C. Regulations
D. Procedures
2. What is the name given to mandatory elements regarding the implementation of a policy?
A. Standards
B. Guidelines
C. Regulations
D. Procedures
3. Which of the following is a description of a business partnership agreement (BPA)?
A. A negotiated agreement between parties detailing the expectations between a customer and a service provider.
B. A legal agreement between entities establishing the terms, conditions, and expectations of the relationship between the entities.
C. A specialized agreement between organizations that have interconnected IT systems, the purpose of which is to document the security requirements associated with the interconnection.
D. A written agreement expressing a set of intended actions between the parties with respect to some common pursuit or goal.
4. Which of the following is used to essentially set the requisite level of performance of a given contractual service?
A. Memorandum of understanding
B. Inter-organizational service agreement (ISA)
C. Memorandum of agreement
D. Service level agreement (SLA)
5. Which of the following is an issue that must be addressed if an organization enforces a mandatory vacation policy?
A. Enforcing a mandatory vacation policy in most cases is a costly policy.
B. Using mandatory vacations as a tool to detect fraud will require that somebody else also be trained in the functions of the employee who is on vacation.
C. Vacations often occur at the most inopportune time for the organization and can affect its ability to complete projects or deliver services.
D. Forcing employees to take a vacation if they don’t want to often will result in disgruntled employees, which can introduce another security threat.
6. Which of the following are reasons for an organization to have a job rotation policy? (Choose all that apply.)
A. Since security is often of secondary concern to people in their jobs, rotating individuals through security positions can result in a much wider understanding of the organization’s security problems.
B. It helps to maintain a high level of employee morale.
C. It ensures all important operations can still be accomplished should budget cuts result in the termination of a number of employees.
D. It eliminates the need to rely on one individual for security expertise.
7. Which of the following statements are true when discussing separation of duties? (Choose all that apply.)
A. Separation of duties is a principle employed in many organizations to ensure that no single individual has the ability to conduct transactions alone.
B. Employing separation of duties means that the level of trust in any one individual is lessened, and the ability for any individual to cause catastrophic damage to the organization is also lessened.
C. Separating duties as a security tool is a good practice, but it is possible to go overboard and break up transactions into too many pieces or require too much oversight.
D. Separation of duties spreads responsibilities out over an organization so no single individual becomes the indispensable individual with all of the “keys to the kingdom” or unique knowledge about how to make everything work.
8. Which of the following are true in regard to a clean desk policy for security? (Choose all that apply.)
A. While a clean desk policy makes for a pleasant work environment, it actually has very little impact on security.
B. Sensitive information must not be left unsecured in the work area when the worker is not present to act as custodian.
C. Even leaving the desk area and going to the bathroom can leave information exposed and subject to compromise.
D. A clean desk policy should identify and prohibit things that are not obvious upon first glance, such as passwords on sticky notes under keyboards and mouse pads.
9. While all employees may need general security awareness training, they also need specific training in areas where they have individual responsibilities. This type of training is referred to as which of the following?
A. Functional training
B. User training
C. Role-based training
D. Advanced user training
10. Security, privacy, and retention policies for data are important to an organization. Not all data requires the same handling restrictions, but all data requires these characteristics to be defined. Defining these characteristics for specific information is generally the responsibility of which of the following?
A. The data security office
B. The privacy office
C. The data owner
D. An individual specifically given this responsibility for the organization
11. Which of the following is the name typically given to administrative users with the responsibility of maintaining a system within its defined requirements?
A. System owner
B. System administrator
C. Privileged user
D. Executive user
12. Which of the following is the term used for a document used to explain the boundaries of company secret material, information over which control should be exercised to prevent disclosure to unauthorized parties, and to obtain agreement to follow these limits?
A. Non-disclosure agreement (NDA)
B. Data access agreement (DAA)
C. Data disclosure agreement (DDA)
D. Data release agreement (DRA)
13. What is the name given to a policy that outlines what an organization considers to be the appropriate use of its resources, such as computer systems, e-mail, Internet, and networks?
A. Resource usage policy (RUP)
B. Acceptable use of resources policy (AURP)
C. Organizational use policy (OUP)
D. Acceptable use policy (AUP)
14. What is the greatest risk to an organization when employees commingle corporate and personal e-mail?
A. Lost work productivity
B. Introduction of malware to the network
C. Loss of company data
D. Use of server resources for personal mail storage
15. What is the term used for a high-level statement produced by senior management that outlines what security means to the organization and what the organization’s goals are for security?
A. Security standard
B. Statement of security goals (SSG)
C. Security policy
D. Security guidance
1. D. Procedures are the step-by-step instructions on how to implement policies in an organization.
2. A. Standards is the term given to mandatory elements regarding the implementation of a policy.
3. B. A business partnership agreement is a legal agreement between entities establishing the terms, conditions, and expectations of the relationship between the entities.
4. D. A service level agreement (SLA) essentially sets the requisite level of performance for a given contractual service.
5. B. Using mandatory vacations as a tool to detect fraud will require that somebody else also be trained in the functions of the employee who is on vacation. The organization must therefore ensure that they have a second person who is familiar with the vacationing employee’s duties.
6. A and D. Since security is often of secondary concern to people in their jobs, rotating individuals through security positions can result in a much wider understanding of the organization’s security problems. A secondary benefit is that it also eliminates the need to rely on one individual for security expertise. If all security tasks are the domain of one employee, security will suffer if that individual is lost from the organization.
7. A, B, C, and D. All of the statements are true when discussing separation of duties.
8. B, C, and D. A clean desk policy can actually have a positive impact on security for the reasons listed.
9. C. Training targeted to the user with regard to their role in the organization is generally referred to as role-based training or role-based awareness training.
10. C. Defining these characteristics is the responsibility of the data owner.
11. B. System administrators are administrative users with the responsibility of maintaining a system within its defined requirements.
12. A. Non-disclosure agreements (NDAs) are standard corporate documents used to explain the boundaries of company secret material, information over which control should be exercised to prevent disclosure to unauthorized parties.
13. D. An acceptable use policy (AUP) outlines what the organization considers to be the appropriate use of its resources, such as computer systems, e-mail, Internet, and networks.
14. B. Malware can come from personal e-mail as well as corporate e-mail, and serious mail screening on corporate mail servers before users get the mail does not occur with third-party mail apps. While occasional use of work e-mail for personal use probably doesn’t add enough data to be a storage concern, nor is the loss of work productivity typically significant, malware should always be a concern.
15. C. A security policy is a high-level statement produced by senior management that outlines what security means to the organization and what the organization’s goals are for security.