
Chapter 17 – Human Resources Security

TRUE/FALSE QUESTIONS:

TF1.  Complying with regulations and contractual obligations is a benefit of security awareness, training, and education programs.

TF2.  Employee behavior is not a critical concern in ensuring the security of computer systems.

TF3.  Employees cannot be expected to follow policies and procedures of which they are unaware.

TF4.  Security awareness, training, and education programs may be needed to comply with regulations and contractual obligations.

TF5.  The education and experience learning level provides the foundation for subsequent training by providing a universal baseline of key security terms and concepts.

TF6.  Security basics and literacy is required for those employees, including contractor employees, who are involved in any way with IT systems.

TF7.  Awareness only communicates information security policies and procedures that need to be followed and does not provide the foundation for any sanctions or disciplinary actions imposed for noncompliance.

TF8.  Awareness is used to explain the rules of behavior for using an agency’s information systems and information and establishes a level of expectation on the acceptable use of the information and information systems.

TF9.  To emphasize the importance of security awareness, an organization should have a security awareness policy document that is provided to all employees.

TF10.  Programmers, developers, and system maintainers require less advanced security training than other employees.

MULTIPLE CHOICE QUESTIONS:

1.  _______ is a benefit of security awareness, training, and education programs to organizations.

A.  Improving employee behavior

B.  Increasing the ability to hold employees accountable for their actions

C.  Mitigating liability of the organization for an employee’s behavior

D.  All of the above

2.  Security awareness, training, and education programs can serve as a deterrent to fraud and actions by disgruntled employees by increasing employees’ knowledge of their ________ and of potential penalties.

A.  regulations

B.  accountability

C.  liability

D.  incidents

3.  The _______ category is a transitional stage between awareness and training.

A.  roles and responsibilities relative to IT systems

B.  security basics and literacy

C.  education and experience

D.  security awareness

4.  ________ is explicitly required for all employees.

A.  Security awareness

B.  Education and experience

C.  Security basics and literacy

D.  Roles and responsibilities relative to IT systems

5.  The _________ level focuses on developing the ability and vision to perform complex, multidisciplinary activities and the skills needed to further the IT security profession and to keep pace with threat and technology changes.

A.  security basics and literacy

B.  roles and responsibilities relative to IT systems

C.  education and experience

D.  security awareness

6.  _______ are ways for an awareness program to promote the security message to employees.

A.  Posters

B.  Newsletters

C.  Workshops and training sessions

D.  All of the above

7.  ________ need training on the development of risk management goals, means of measurement, and the need to lead by example in the area of security awareness.

A.  Executives

B.  Analysts

C.  Managers

D.  Trainers

8.  From a security point of view, which of the following actions should be done upon the termination of an employee?

A.  remove the person’s name from all lists of authorized access

B.  recover all assets, including employee ID, disks, documents and equipment

C.  remove all personal access codes

D.  all of the above

9.  ________ is the process of receiving, initial sorting, and prioritizing of information to facilitate its appropriate handling.

A.  Incident

B.  Triage

C.  Constituency

D.  Handling

10.  CERT stands for ___________.

A.  Computer Error Response Team

B.  Compliance Error Repair Technology

C.  Computer Emergency Response Team

D.  Compliance Emergency Response Technology

11.  ________ can include computer viruses, Trojan horse programs, worms, exploit scripts, and toolkits.

A.  Artifacts

B.  Vulnerabilities

C.  CSIRT

D.  Constituencies

12.  A capability set up for the purpose of assisting in responding to computer security-related incidents that involve sites within a defined constituency is called a ______.

A.  CIRT

B.  CIRC

C.  CSIRT

D.  all of the above

13.  ___________ scan critical system files, directories, and services to ensure they have not been changed without proper authorization.

A.  Intrusion prevention systems

B.  System integrity verification tools

C.  Log analysis tools

D.  Network and host intrusion detection systems
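Question 13 describes what a system integrity verification tool does. The following is an added example, not part of the original chapter or test bank, showing the core of such a tool in Python: record a baseline of SHA-256 digest, size and permission bits for every regular file under a directory, then rescan later and report files that were modified, removed or added. The directory layout, file names and the simulated tampering in `demo()` are all constructed for the demonstration and do not refer to any real system.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Attributes compared between baseline and current scan, in reporting order.
FIELDS = ("sha256", "size", "mode")


def _digest(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _record(path: Path) -> dict:
    """The attributes we care about for one file: content hash, size, permission bits."""
    st = path.lstat()
    return {"sha256": _digest(path), "size": st.st_size, "mode": stat.S_IMODE(st.st_mode)}


def build_baseline(root: str) -> dict:
    """Record every regular file under root, keyed by POSIX-style relative path.

    Symlinks are skipped rather than followed: following them would let an
    attacker point a 'critical file' at content that still matches the baseline.
    """
    rootp = Path(root)
    baseline = {}
    for p in sorted(rootp.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        baseline[p.relative_to(rootp).as_posix()] = _record(p)
    return baseline


def verify(root: str, baseline: dict) -> dict:
    """Rescan root and report every difference from the stored baseline."""
    current = build_baseline(root)
    modified = {}
    for rel in sorted(set(baseline) & set(current)):
        changed = [f for f in FIELDS if baseline[rel][f] != current[rel][f]]
        if changed:
            modified[rel] = changed
    return {
        "modified": modified,                                # path -> which attributes changed
        "missing": sorted(set(baseline) - set(current)),     # in baseline, gone now
        "added": sorted(set(current) - set(baseline)),       # new since the baseline
    }


def demo() -> dict:
    """Build a constructed miniature 'system', baseline it, tamper with it, verify."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF constructed stand-in for a binary")
        os.chmod(root / "etc" / "hosts", 0o644)

        baseline = build_baseline(d)   # in practice stored off-host or on read-only media

        # Simulated unauthorized changes (constructed for the example):
        (root / "etc" / "passwd").write_text(
            "root:x:0:0:root:/root:/bin/bash\nsvc:x:0:0::/:/bin/sh\n")  # extra UID-0 account
        os.chmod(root / "etc" / "hosts", 0o666)                 # permissions loosened, content same
        (root / "bin" / "ls").rename(root / "bin" / "ls.orig")  # binary moved aside

        return verify(d, baseline)


if __name__ == "__main__":
    for kind, entries in demo().items():
        print(kind, entries)
```

Two things the question's wording implies but a toy like this does not solve: the baseline and the verifier itself must be stored where whoever altered the files cannot also alter them (otherwise the attacker simply re-baselines), and permission bits are checked separately from content because a file whose contents are unchanged but is now world-writable is still a security-relevant change. Production tools such as AIDE and Tripwire extend the per-file record with ownership, timestamps and extended attributes and sign the database.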

14.  A _______ policy states that the company may access, monitor, intercept, block access, inspect, copy, disclose, use, destroy, or recover using computer forensics any data covered by this policy.

A.  standard of conduct

B.  unlawful activity prohibited

C.  company rights

D.  business use only

15.  A _______ policy states that violation of this policy may result in immediate termination of employment or other discipline deemed appropriate by the company.

A.  disciplinary action

B.  company rights

C.  policy scope

D.  business use only

SHORT ANSWER QUESTIONS:

1.  The principal problems associated with employee behavior are errors and omissions, _______, and actions by disgruntled employees.

2.  There is a need for a continuum of learning programs that starts with _______, builds to training, and evolves into education.

3.  The four layers of the learning continuum as summarized by NIST SP 800-16 are:  security awareness, security basics and literacy, roles and responsibilities relative to IT systems, and the _________ level.

4.  After security basics and literacy, training becomes focused on providing the knowledge, skills, and abilities specific to an individual’s _______ relative to IT systems.

5.  In general, a(n) ________ program seeks to inform and focus an employee’s attention on issues related to security within the organization.

6.  The principles that should be followed for personnel security are:  limited reliance on key employees, separation of duties, and _______.

7.  In large and medium-sized organizations, a(n) _________ is responsible for rapidly detecting incidents, minimizing loss and destruction, mitigating the weaknesses that were exploited, and restoring computing services.

8.  Any action that threatens one or more of the classic security services of confidentiality, integrity, availability, accountability, authenticity, and reliability in a system constitutes a(n) ________.

9.  ________ lists the following security objective with respect to current employees:  “to ensure that employees, contractors, and third-party users are aware of information security threats and concerns and their responsibilities and liabilities with regard to information security and are equipped to support organizational security policy in the course of their normal work and to reduce the risk of human error”.

10.  A(n) _______ is a characteristic of a piece of technology that can be exploited to perpetrate a security incident.
