Page 837 - StudyBook.pdf

Self Test Appendix • Appendix  821

14. You have identified a number of risks to which your company's assets are exposed, and want to implement policies, procedures and various security measures. In doing so, what will be your objective?
   A. Eliminate every threat that may affect the business.
   B. Manage the risks so that the problems resulting from them will be minimized.
   C. Implement as many security measures as possible to address every risk that an asset may be exposed to.
   D. Ignore as many risks as possible to keep costs down.

Answer B. Manage the risks so that the problems resulting from them will be minimized. Since there is no way to eliminate every risk from a company, the goal is to keep risks and their impact minimized. This involves finding cost-effective measures of protecting assets. This may involve installing security software, implementing policies and procedures, or adding additional security measures to protect the asset.
Answers A and C are incorrect, because there is no way to eliminate every threat that may affect your business, and there is no way to implement enough security measures to address every risk that an asset is exposed to. There is no such thing as absolute security. To make a facility absolutely secure would be excessive in price, and would be so secure that no one would be able to enter and do any work. The goal is to manage risks, so that the problems resulting from them will be minimized. Answer D is incorrect, because ignoring risks doesn't make them go away. You need to find cost-effective measures of protecting assets, not keep costs down by doing nothing.


Chapter 12: Operational and Organizational Security: Policies and Disaster Recovery


1. An organization has just installed a new T1 Internet connection, which employees may use to research issues related to their jobs and send e-mail. Upon reviewing firewall logs, you see that several users have visited inappropriate sites and downloaded illegal software. Finding this information, you contact senior management to have the policy relating to this problem enforced. Which of the following policies would you recommend as applicable to this situation?
   A. Privacy policy
   B. Acceptable use policy
   C. HR Policy
   D. SLAs

Answer B. Acceptable use policy. An acceptable use policy establishes guidelines on the appropriate use of technology. It is used to outline what activities are permissible when using a computer or network, and what an organization considers proper behavior. Acceptable use policies not only protect an organization from liability, but also provide employees with an understanding of what they can and cannot do when using technology.




                                                                              www.syngress.com