SC0-502 Security Certified Program (SCP) Exam Questions

Demo Question 9.

You got the router configured just as you wish, and it is time to get the team together for a meeting. You have the advantage of knowing several of these people for quite some time through your contracting, but this will be your first full meeting with them. The next day, you sit down with the CEO, HR Director, and other management people in EliteCertify. You wish for the meeting to be as short as possible, so in this initial meeting, you open with a short summary and project what you feel is a serious problem with the company. "Thanks for coming. I will try to keep this as brief as possible. As you all know, Purple was let go under difficult circumstances, and for the last week I have been working non-stop to get the network and security under control here. Very good progress has been made, but we are missing a fundamental component. There is no security policy here at EliteCertify." To this, you see some heads nod in agreement, others have no reaction whatsoever, and a few people let go disappointing sighs. "I agree that we need a security policy," adds the HR Director, "as long as it doesn't become too restrictive." "Policies are only used to document the posture of the organization, and to provide some guidance in the direction of the network and, in this case, the security of the network." You add, "Without a written policy, how is any employee supposed to know what is acceptable, what is not acceptable, and so on." "Our employees have common sense, we do not want the company to become overly regulated," says a middle manager who you have not spoken with before. "Common sense is great, the more the employees have, and the easier it is to implement the policies. But, there is no guarantee for the human element. A simple review of what just took place with Purple is a quick reminder of this." With that comment, the middle manager relaxed a bit, and hesitantly agreed. "So, what I would like to do is to lead the development of the policy here, and work with each of you to get it implemented. In the next few days, I will be requesting a bit of your time, so we can talk one on one about your needs and issues surrounding the policy." The next week, you meet with the management team, and you have a list of questions for them, designed to help you in drafting the security policy. You have decided to break up the creation of the policy into pieces, spending shorter blocks of time on the policy. This allows the management to be able to keep most of their days open for running the company. During the meeting, you focus solely on the Acceptable Use statement for the users of the network. You ask the following questions to the group, and the consensus answer (after taking your suggestions into account) is listed after each question. 1. Are users allowed to share user accounts? No. 2. Are users allowed to install software without approval? No. Approval must come through you, or the current Chief Security Officer (CSO). 3. Are users allowed to copy software for archive or other purpose? No, archives can only be made by the network administration staff. 4. Are users allowed to read and\or copy files that they do not own, but have access to? Yes. 5. Are users allowed to make copies of any operating system files (such as the Windows directory or the SAM file)? No. 6. Are users allowed to modify files they do not own, but for which they have write abilities? Yes, if they have write abilities, they are allowed to modify the file. Using the provided information from the meeting, you draft the Acceptable Use Statement. The statement reads as follows: This Acceptable Use Statement document covers EliteCertify , networks, computers, and computing resources. Network, computer, and computing resources are defined as physical personal computers, server systems, routers, switches, and network cabling. Also included in the definition are software (media) elements such as floppy disks, CD. ROMs (including writeable and re-writeable), DVD. ROMs, and tape backup systems. A user is defined as the individual account with authorization to access EliteCertify , resources. All users of the EliteCertify network are expected to conduct themselves in a respectful and legal manner. * The EliteCertify , general computing systems are unclassified systems. As such, top-level secret information is not to be processed or stored on any general unclassified computer system. * Individual users are responsible for the proper storage of their personal data on their workstations. For assistance on proper storage, users are instructed to contact the Security staff of EliteCertify. * In the event that a user has identified a security breech, weakness, or system misuse in a EliteCertify , system, they are required to contact the on-duty Security staff immediately. Users are to use a completed EliteCertify -TPS Report for their notice to the Security staff. Initial contact with the Security staff about the incident might be conducted via email or telephone. * Individual users are not granted access to systems and resources they have not been given explicit authority to access. In the event access to a resource is required, and access has not been granted, the user is to make a request to the on-duty Security staff. * Individual users shall not make unauthorized copies of copyrighted software, except as permitted by law or by the owner of the copyright. * Individual users are not permitted to make copies of system configuration files for their own, unauthorized personal use or to provide to other people or users for unauthorized uses. * Individual users are not permitted to share, loan, or otherwise allow access to a EliteCertify resource via the user's assigned account. * Individual users are not permitted to engage in any online or offline activity with the intent or harass other users; degrade the performance of any EliteCertify,system or resource;impede the ability of an authorized user to acess an authorized resource;or attempt to gain access to an unauthorized resource. * Electronic mail resources are for authorized use only. Messages that might be deemed fraudulent, harassing, or obscene shall not be sent from, to, or stored on EliteCertify , systems. * Individual users are not permitted to download, install, or run any unauthorized programs or utilities, including those which reveal weaknesses in the security of a system. This includes, but is not limited to network sniffing tools and password cracking utilities. Users who are found to be in violation of this policy will be reported to the on-duty Security staff and the EliteCertify CEO. The CEO will determine if the violation will result in the loss of EliteCertify , network privileges. In he event the violation warrants, the CEO may press civil or criminal charges against the user. I have read and understand the EliteCertify , Acceptable Use Statement, and agree to abide by it. With this information, and your knowledge of EliteCertify , choose the answer that will provide the best solution for implementing the Acceptable Use statement policy needs of EliteCertify :}

A. Once the meeting ends, you make the changes that were discussed during the meeting. They are not too extensive, but you make them and present the document to the team again on Friday. Now that you have made the changes, the policy is accepted, and the discussion moves towards getting every employee to sign and agree to the policy. "Well, it's Friday afternoon. Everyone needs their paychecks today." Comments the HR director. "Good point, let's just print out 100 of these, and tell everyone to sign them in order to get their check." Agrees one of the managers. After some discussion, it is agreed that this will be the fastest way to get all the employees to sign the policy document. The meeting wraps up around 2:00, and the printing and stapling of the policy documents ends around 4:00. Over the next hour, the HD director, with the help of the manager, hand our checks, making all the employees sign the document in order to get their check. You think to yourself that the efficiency of a small operation like this is nice to see in action. You go to get your check, sign your document, and are actually able to end your day at 5:00pm on a Friday.
B. You present the draft statement to the team at the next meeting. There is some discussion as to the wording in the clause regarding the internal TPS Report. Some in the group feel the TPS Report will be to tedious to use, others think with a distributed memo about the Report, everything will be fine. After further discussion all agree on the wording of the policy. The employees meet with the HR director over the next week, and are all presented with a copy of the policy and discuss how to it is to be implemented. There is some resistance, some of the employees are not happy about having a new procedure to follow. While walking back to your office, you see the CEO, and motion that you have a quick question, "How does the new policy seem to be going with HR?" you ask. "So far so good, there are a few folks not that happy, but I think we'll be fine." "I've got to get over there tomorrow to sign mine, when are you meeting with HR?" "Me? I've got too much going on right now.I have to oversee everything;whatever happens and goes on here has to go through me anyway. I don't have time to bother with that myself, I just wanted to be sure we had something legally binding to protect us and to assist the employees." "Fair enough. Listen, I need to talk with you soon about our firewall situation," you reply. "OK, stop by anytime. You know my door is always open." You walk away, and are pretty happy with how things are going here. You know you have more work to do, but so far your suggestions are being taken well and appreciated.
C. You present the draft statement to the team at the next meeting. There is some discussion as to the wording in the clause regarding the internal TPS Report. Some in the group feel the TPS Report will be to tedious to use, others think with a distributed memo about the Report, everything will be fine. After further discussion all agree on the wording of the policy. The team finishes the discussion, and the meeting ends with approval of the document. Once the document is approved, you move the discussion towards getting everyone in the company aware of and agreeing to it. "I suggest that we tie it into our paychecks, and have the document go through HR." "We could do that, I guess. I can present the document to all the employees over the rest of the month." the HR Director responds. Following that, the CEO brings up that there is going to be a company dinner next month, and that at the dinner the CEO will declare the policy in place, and that "As all of us become comfortable with this, we all should appreciate this step forward for our company." The next day, you post the policy on the company intranet site, so everyone has an electronic copy to go with their copy from the HR meeting. Once that is done, you move on to your next project.
D. You present the current draft to the team at the next meeting. There is some discussion now on the language of the different clauses, and it seems that no one can agree on the points. What you thought was close to being done, now seems to be at risk of never getting done. As the meeting escalates, and opinions start to get louder, the CEO interrupts the group, "Enough. We are a small group, we have enough in common, we know what we need out of this. We will bring in three contractors who specialize in policy writing. We'll give them our thoughts, they will work with our tireless Security Guru, and get this thing done." You are not all that thrilled about three consultants coming down on your territory, but realize the frustration of the CEO. You agree, "That's fine by me. I'll meet with them, and we will draft the document." There is other business on the agenda for the meeting, but it is not related to you, so you excuse yourself and go back to your office. After working with the three consultants for a month, you have the document, approved by EliteCertify. You organize a company wide meeting, where the consultants describe the policy and what it is for to all the employees. The employees are told where they can find the policy to review for themselves, and after a question and answer session everyone gets back to their work.
E. After the review of the policy it is decided that some of the bullet points in the document need to be changed. You make the requested changes, and the team reviews the document once more. "It all looks good to me now," says a manager in the meeting. "OK, how should we present this to the employees?" you ask. "I could take a copy to each employee and discuss it with them," offers the HR director. "No, that would be too time-consuming. That's not a good use of your time," responds the CEO. "We need to get this done, obviously. What is our most cost-effective way of doing this?" "Well, I could post the policy on our intranet site, and we could have the employees go and download it themselves. During lunch, perhaps?" you suggest. "That sounds good, let's take that approach," the CEO answers. Later that day, you create a quick intranet site, called EliteCertify policy and documents. You draft a quick email, which will be sent to all the employees in the company: "Dear _____, At EliteCertify we have just finished work on a security policy that will clearly define the use of the computers and other issues. This document will answer the questions that many of you have had recently on what you are allowed to do with the computer and when online. At your earliest convenience, please connect to the new site I have linked here, to download and read the new policy. Thanks and have a great day. - EliteCertify Security Staff." You verify the site is working, send the email out to all the employees, and go home for the day.


Display Answer

Answer: C

Explanation: