dentify the functions and methods you usually use to enable looping when coding a generic enumerator.

You have not made any correct choices. The correct options are as follows foreach loop Current function MoveNext function return function Suppose you want to take a strongly typed collection and provide an abstract base class for it. Which class gives the required abstract base class? Incorrect. The correct option is as follows CollectionBase DictionaryBase ReadOnlyCollectionBase AbstractBaseClass Topic title: Generic Classes and Enumerators in C# 2005 You want to declare myList, a string type instance of the generic List collection class. Which code do you use to do this? Correct myList<string> List = null; List<string> myList = null; List<string> myList = new List<string>(); NEW myList List<string>; Suppose you declared and used an object called testing. You now want to remove all references to the object. Which code do you use to do this? Incorrect. The correct option is as follows testing.close(); testing.disable(); testing = null; testing = clear; How does the Queue class manage its data? Partially correct. The correct options are as follows

By allowing only certain objects to be part of a Queue By collecting and sorting value pairs By only allowing data that has been in the queue for the longest time to be taken out of the line By ordering data in a linear sequence from the oldest at the front to the most recent at the back Suppose you want to establish the characteristics and associated objects of a collection that is non-generic. Which System.Collections namespace do you use? Correct ICollection IComparer IEqualityComparer IList Topic title: Essential Interfaces in C# 2005 The System.Collections namespace includes classes and interfaces for manipulating data collections. Which interface enables you to call an enumerator for use against a non-generic data collection? Correct ICollection IComparer IEnumerable IEnumerator Suppose you want to declare a variable that is accessible only to code in the same class, module, and structure. Which access modifier do you use to do this? Correct private protected internal public Topic title: C# 2005 Overview

Which ASP.NET - or web form - events react when a user first accesses and runs an application? Correct End Init Start Unload Which features are new or have been enhanced in C# 2005? Partially correct. The correct options are as follows A common language runtime (CLR) environment A Component Object Model (COM) A Framework Class Library Object orientation title: Types and Classes in C# 2005 Suppose you are running an application and a security error is thrown. Which statement do you use to check the error? Correct catch (Exception myException) Public Function AddEmUp return Owner; Try Suppose you want to ensure that only data on the top of a stack can be removed. Which System.Collections namespace class do you use to do this? Correct ArrayList BitArray SortedList Stack Topic title: Types and Classes in C# 2005 Suppose you have already declared a self-defined object and an object of the DBNull type. Now you want to check whether the new objects - called newInteger and newNullValue respectively are functionally equivalent.

Which assignment or conditional statement do you use to do this? Correct int myOwnInteger = "This is my own integer"; if (myInt == NullVal) {} if (myInt == newNullValue) {} if (newInteger == newNullValue) { } Topic title: Generic Classes and Enumerators in C# 2005 Suppose you want to use a generic enumerator to enable looping in the Reservation class. Which code do you use? Correct Call IEnumerator(Reservation) : IEnumerator<Reservation> : Reservation.Enumerator public Reservation class : Enumerator What are the advantages of the Hashtable class? Partially correct. The correct options are as follows It allows quicker access to value pairs It organizes values by key without linear ordering It makes the values accessible to all collections It searches for and obtains information about values Suppose you want to declare a new instance of the generic Stack collection class named MyStack, with type Double. Which code do you use to declare the new collection? Correct NewStack<double> MyStack = null; Stack<double> MyStack = new Stack<double>(); Stack<T> MyStack = new Stack<T>(); MyStack<double> NewStack = null; Suppose you declared and used an object called testing. You now want to remove all references to the object. Which code do you use to do this?

Correct testing.close(); testing.disable(); testing = null; testing = clear; Suppose you're coding a List class, and you want to use the IDictionary interface. Which code do you use to do this? Correct : IDictionary < List> interface IDictionary < List> public : IDictionary < List> public interface IDictionary< List> Suppose you want to set a specified statement to execute only if a particular condition is met at runtime, and another statement to execute if the condition isn't met. Which type of statement do you use to do this in C# 2005? Correct do ..while For loop if..else while You want to create a new generic interface named IAverage. Which code do you use to do this? Correct : IAverage< T>{} private interface IAverage< T>{} public : IAverage < T>{} public interface IAverage< T>{} Suppose you want to create a generic File class in which the parameter is constrained to a new type. Which code do you use to do this? Correct

public class where Type : new() public class where File<Type> public class File<where new : Type> public class File<Type> where Type : new() Suppose you are running an application and a security error is thrown. Which statement do you use to check the error? Correct catch (Exception myException) Public Function AddEmUp return Owner; Try Suppose you want to characterize a generalized comparison method through which instances are ordered. You need to implement the generalized comparison method by a class or value type. Which interface in the System namespace do you use for the characterization to occur? Correct IComparable ICloneable IConvertible IFormattable Suppose you want to declare an Integer-type array called newIntArray and then set it to include three indices - 1, 2 and 3. Correct object[] newIntArray((int) 1, 2, 3); int[] newIntArray = {"Test 1", "Test 2", "Test 3"}; int[] newIntArray = {1, 2, 3}; int[] newIntArray = {"Word 1", "Word 2", "Word 3"}; What are the advantages of the Hashtable class? Partially correct. The correct options are as follows It allows quicker access to value pairs It organizes values by key without linear ordering

It makes the values accessible to all collections It searches for and obtains information about values Which method enables you to scan through a file stream? Correct FileMode.Open FileMode.OpenOrCreate Seek SeekOrigin.Begin You want to deserialize an object from an XML document. Which System.Xml.Serialization namespace class do you use to do this? Correct XmlAttributeAttribute XmlIgnoreAttribute XmlRootAttribute XmlSerializer Assuming its functions and properties are correctly implemented, what does the IFormatter interface allow for in C# 2005? Incorrect. The correct option is as follows It converts objects into a series of bytes It enables notification of a class when deserialization is complete It enables objects to control serialization and deserialization It enables the formatting of serialized objects Suppose you need to monitor your file system for changes to files or directories. Which class in the System.IO namespace can you use to do this? Incorrect. The correct option is as follows DirectoryInfo FileInfo FileSystemInfo FileSystemWatcher

Which steps occur during remoting from the client side? Partially correct. The correct options are as follows A client calls a method of a transparent proxy A formatter object serializes the information in a message A message is sent to a remote server A message sink decrypts the information in a message You need to open a file and read data from it. Which class in the System.IO namespace enables you to do this? Correct DirectoryInfo FileInfo FileSystemInfo FileSystemWatcher What do you use object serialization to do? Correct Access stored information Convert objects for storage Convert stored information into a replica of an existing object Release object memory Suppose you want to declare a class that will store the data needed to serialize and deserialize an object. Which line of code do you use to do this? Correct ObjectManager instance = null SerializationInfo instance = null public class ObjectManger public sealed class SerializationInfo Suppose you've created isolated storage for a file containing user details. Which classes do you use directly in order to read user details from the stored file? Correct

IsolatedStorage IsolatedStorageFile IsolatedStorageFileStream IsolatedStorageScope Which steps occur during remoting on the server side? Partially correct. The correct options are as follows A channel passes a message to a message sink A formatter object deserializes the information in the message A message sink decompresses message information A server calls the Initialize method of a proxy Suppose you want to serialize an object in binary format in C# 2005. Which line of code creates the required formatter? Correct Hashtable addresses = new Hashtable(); BinaryFormatter bformat = new BinaryFormatter(); : IRemotingFormatter, IFormatter public sealed class BinaryFormatter Suppose you want to enable an object to control its own serialization and deserialization. Which code do you use to do this? Incorrect. The correct option is as follows : System.Runtime.Serialization.IDeserializationCallback.OnDeserialization : IDeserializationCallback : IFormatter : ISerializable Which class supports the StreamWriter class? Correct BinaryWriter Stream StringWriter

TextWriter You want to create a list of derived types that can be arranged in a serialized order. Which System.Xml.Serialization namespace class do you use to do this? Incorrect. The correct option is as follows SoapAttributeAttribute XmlArrayItemAttribute XmlElementAttribute XmlSerializer Which StreamWriter method clears the buffer, as well as releasing file handles, network connections, and buffer memory? Incorrect. The correct option is as follows Close() Flush() Peek() SeekOrigin() Which code ensures that a class will be notified immediately once the deserialization process is complete, so that the original object can be replicated? Correct [Serializable()] : IDeserializationCallback, ISerializable public interface IDeserializationCallback : ISerializable Suppose you want to obtain serialization information about an object. Which line of code correctly begins the definition of the subroutine commonly used to do this? Incorrect. The correct option is as follows SerializationInfo info = new SerializationInfo(); private void GetObjectData() private void GetObjectData(SerializationInfo data) public class FirstClass Topic title: Input and Output Streams in C# 2005

Which class of the following only serves as a base class in the System.IO namespace? Incorrect. The correct option is as follows BinaryReader BufferedStream MemoryStream Stream Topic title: C# 2005: File Management and Isolated Storage Suppose you need to change a directory structure in the file system. Which class in the System.IO namespace enables you to do this directly? Incorrect. The correct option is as follows DirectoryInfo FileInfo FileSystemInfo Watcher You want to create a list of derived types that can be arranged in a serialized order. Which System.Xml.Serialization namespace class do you use to do this? Incorrect. The correct option is as follows SoapAttributeAttribute XmlArrayItemAttribute XmlElementAttribute XmlSerializer Topic title: C# 2005: File Management and Isolated Storage Suppose you need to change a directory structure in the file system. Which class in the System.IO namespace enables you to do this directly? Correct DirectoryInfo FileInfo FileSystemInfo Watcher

Which steps occur during remoting on the server side? Partially correct. The correct options are as follows A channel passes a message to a message sink A formatter object deserializes the information in the message A message sink decompresses message information A server calls the Initialize method of a proxy Assuming its functions and properties are correctly implemented, what does the IFormatter interface allow for in C# 2005? Correct It converts objects into a series of bytes It enables notification of a class when deserialization is complete It enables objects to control serialization and deserialization It enables the formatting of serialized objects Suppose you want to obtain serialization information about an object. Which line of code correctly begins the definition of the subroutine commonly used to do this? Correct SerializationInfo info = new SerializationInfo(); private void GetObjectData() private void GetObjectData(SerializationInfo data) public class FirstClass Which code ensures that a class will be notified immediately once the deserialization process is complete, so that the original object can be replicated? Correct [Serializable()] : IDeserializationCallback, ISerializable public interface IDeserializationCallback : ISerializable Suppose you want to deserialize an object in Simple Object Access Protocol (SOAP) format in C# 2005. Which line of code performs deserialization? Incorrect. The correct option is as follows

addresses = (Hashtable)(sformat.Deserialize(temp)); Console.WriteLine("Failed to deserialize."); Hashtable addresses = null; FileStream temp = new FileStream("C:\\Data.dat", FileMode.Open); Suppose you have loaded an image to the PictureBox1 control and you now want to flip the image. Identify the method you use to do this, without including parameter enumeration. Incorrect. The correct option is as follows this.CreateGraphics.Flip(); this.Image.RotateFlip(); PictureBox1.CreateGraphics.Flip(); PictureBox1.Image.RotateFlip(); Say you want to create a dynamic assembly at runtime. Which class of the System.Reflection.Emit namespace would you use to create an attribute for the type that will be held in the assembly? Incorrect. The correct option is as follows AssemblyFileVersionAttribute ConstructorInfo CustomAttributeBuilder MethodBody Topic title: Mailing Functionality in C# 2005 Suppose you have started configuring a function to send an e-mail message. You first want to specify an object called "EMobj" that you can configure with the e-mail properties. Which line of code do you use to do this? Incorrect. The correct option is as follows MailMessage EMobj = new MailMessage(); NetworkCredential EMobj = new NetworkCredential(); SmtpClient EMobj = new SmtpClient(); Suppose you want to use the Graphics Device Interface (GDI+) to draw a shape on a custom control. In the onPaint method for the control, you now need to create the required code. Which step do you perform first? Correct Call a method of the Graphics class

Call the control's CreateGraphics method Create a drawing tool using an object of the required class Pass required parameters to the method that will draw the shape Topic title: Interoperability and COM in C# 2005 Say you want to use the Type Library Importer to import the type libraries of the myAccounts.dll COM component into an interop assembly. Which code do you use to do this? Incorrect. The correct option is as follows COMException myAccounts.dll DllImportAttribute my Accounts.dll tlbimp myAccounts.dll TypeLibConverter myAccounts.dll Topic title: Interoperability and COM in C# 2005 Say you want to use the Type Library Importer to import the type libraries of the myAccounts.dll COM component into an interop assembly. Which code do you use to do this? Incorrect. The correct option is as follows COMException myAccounts.dll DllImportAttribute my Accounts.dll tlbimp myAccounts.dll TypeLibConverter myAccounts.dll Which mechanism should you use to automatically convert the type library of the AspNetMMCExt.dll COM component into an interop assembly? Correct Custom Wrappers The TypeLibConverter class The Type Library Importer Visual Studio .NET Suppose you want to call the unmanaged Beep function of the kernel32.dll Win API from your managed code using Platform invoke so that Platform invoke automatically determines the marshaling for the unmanaged function. Which piece of code enables you to do this? Correct [ComImport("kernel32.dll")] public object Beep()

[Guid("user32.dll")] public object Beep() [DllImport("user32.dll")] public object Beep() [DllImport("user32.dll")] <DispId(1)> public object Beep() Suppose you've initialized an AssemblyBuider object called dAss that you want to use to create a dynamic assembly. Which code should you use to create a dynamic assembly based on the current application domain, the method required to save the assembly, and the current executing assembly aName? Incorrect. The correct option is as follows dAss = AppDomain.CurrentDomain.Assembly(AssemblyBuilderAccess.Save, aName); dAss = AppDomain.CurrentDomain.ConstructorInfor(aName, [Save]); dAss = AppDomain.CurrentDomain.DefineDynamicAssembly(aName, AssemblyBuilderAccess.Save); dAss = AppDomain.CurrentDomain.DefineDynamicModule(aName, AssemblyBuilderAccess.Save); Say you have an unmanaged function called GetData that returns an array, and you want to specify that the array be marshaled as an LPArray data type by the interop marshaler. Which piece of code enables you to do this? Incorrect. The correct option is as follows public object GetData([MarshalAs(DllImportAttribute.LPArray)] public object GetData([MarshalAs(Marshal.LPArray)] public object GetData([MarshalAs(OutAttribute.LPArray)] public object GetData([MarshalAs(UnmanagedType.LPArray)] Say you want to load the contents of an assembly file called myObj.dll located in the D:\app directory. You've already declared an instance of the assembly file called myAss. Which code do you use to load the contents of the file? Partially correct. The correct options are as follows MyAss = Assembly.Load("D:\\app directory\myObj.dll"); MyAss = Assembly.LoadFile("D:\\app directory\myObj.dll"); MyAss = Assembly.LoadFrom("D:\\app directory\myObj.dll"); MyAss = Assembly.LoadModule("D:\\app directory\myObj.dll"); Suppose you want to create a new CultureInfo object called CSQ. The culture must represent Chinese speakers in Singapore, using the culture code zh-SQ. Which line of code do you use to create the required CultureInfo object? Incorrect. The correct option is as follows

CultureInfo CSQ = new CultureInfo("zh-SQ"); DateTimeFormatInfo CSQ = new DateTimeFormatInfo(); CultureInfo CZA = new CultureInfo("en-ZA"); Thread.CurrentThread.CurrentCulture = CSQ; Topic title: Globalization in C# 2005 Suppose you're creating a culture-specific application. You've already created a CultureInfo object called MyCult. Now you need to declare a NumberFormatInfo object called MyNumFI and initialize it so that you can update MyCult with new number formatting preferences. Which code will do this? Incorrect. The correct option is as follows NumberFormatInfo MyNumFI = null; DateTimeFormatInfo MyNumFI = MyCult.DateTimeFormat; NumberFormatInfo MyNumFI = MyCult.CurrentInfo; NumberFormatInfo MyNumFI = MyCult.NumberFormat; Which class in the System.Net.Mail namespace enables to configure properties such as Credentials, Host, Port, and EnableSsl? Correct Attachments MailAddress MailMessage SmtpClient Which System.Drawing namespace class do you use to draw an ellipse on a control? Correct Brush Image Path Pen You have already created an e-mail message and its associated properties using the MailMessage instance "myM". You now want to attach a file to the e-mail. What must you do before you attach the file? Correct

Create an instance of the Attachment class and pass it the file Create a second instance of the MailMessage class and pass it the file Provide the name and/or path of the file to be attached Specify the Simple Mail Transfer Protocol (SMTP) server and port number Topic title: Globalization in C# 2005 Suppose you wanted to create a culture specific application that was going to be in English in the US format. Which of the classes in the System.Globalization namespace would you use to specify these details? Incorrect. The correct option is as follows CultureInfo DateTimeFormatInfo NumberFormatInfo RegionInfo Topic title: Reflection in C# 2005 You have declared an Assembly object, but wish to initialize your object with another assembly that is neither currently loaded into memory, nor will be loaded into memory when the initialization is done. Which method could you use to best accomplish this? Correct Binder GetExecutingAssembly GetType MethodBase Suppose you want to use a regular expression to replace all instances of "the" with "a" in an existing array of strings. Which step is the most likely to help accomplish this task? Incorrect. The correct option is as follows Call the Regex.Escape method Call the Regex.Replace method Create a StringBuilder object Call the Regex.modifyArray method Topic title: Text Manipulation in C# 2005 Identify the code that uses the myMatch instance of the Regex class to verify whether the myReg substring contains a match in the myStr string.

Incorrect. The correct option is as follows StringBuilder myMatch = myMatch.IsMatch(myStr, myReg); string mystr = Match(myMatch, myReg); myMatch.IsMatch(myStr, myReg); myReg.IsMatch(myStr, myMatch); Topic title: Text Manipulation in C# 2005 Identify the correct code for retrieving a reference to the string object defined in the StringBuilder object named refr. Correct StringBuilder refr = new StringBuilder(str); string refr = str.ToString(); string str = refr.ToString(); refr.StringBuilder = ToString(str); Suppose you're configuring the RegionInfo class for a culture-specific application. You have created an instance of the class named MyReg2. You now want to display the English name of the region that was set up in the CultureInfo object. Which line of code do you use to do this? Incorrect. The correct option is as follows 1. Console.WriteLine(MyReg2.CurrencyEnglishName); 2. Console.WriteLine(MyReg2.CurrentRegion); 3. Console.WriteLine(MyReg2.EnglishName); 4. Console.WriteLine(MyReg2.IsMetric); Topic title: Drawing in C# 2005 Suppose you want to display a solid blue rectangular block on a control, with no space within its center region. The rectangle must have a width of 150 pixels and a height of 200 pixels, and its top left corner must be positioned at the coordinates (20, 20). Which method do you use to draw the rectangle on the control? Incorrect. The correct option is as follows this.CreateGraphics.DrawRectangle(Pens.Blue, 20, 20, 150, 200); this.CreateGraphics.DrawRectangle(Pens.Blue, 150, 200, 20, 20); this.CreateGraphics.FillRectangle(Brushes.Blue, 20, 20, 150, 200); this.CreateGraphics.FillRectangle(Brushes.Blue, 150, 200, 20, 20);

Suppose you're configuring a function to send an e-mail message. You now want to configure a property of the MailMessage instance named "myM" so that the e-mail will be sent to jcaruso@interswift.com. Which line of code do you use to do this? Incorrect. The correct option is as follows myM.Body = "jcaruso@interswift.com"; myM.Subject = "jcaruso@interswift.com"; myM.To.Add("jcaruso@interswift.com"); myM.To("jcaruso@interswift.com"); What does the following method return? result = Encoding.GetEncoding(str); Incorrect. The correct option is as follows The ASCII encoding for the result instance of the String class The encoded byte sequence for the result instance of the String class The Unicode encoding for the str instance of the String class The Windows Code Page character encoding for the str instance of the String class Which classes can you use to implement authentication for use in role-based security? You have not made any correct choices. The correct options are as follows IsAuthenticated GenericPrincipal Username WindowsPrincipal Topic title: Code Access Security in C# 2005 Suppose you want to view the permissions requested by the assembly user1.exe. Which command-line statement do you use to do this? Incorrect. The correct option is as follows caspol addfulltrust user1.exe caspol machine addfulltrust user1.exe FileIOPermissionAccess.Read permview user1.exe

Suppose you want to create a class that will call an exception if an authentication stream fails but can be re-authenticated in C# 2005. Which class do you use to do this? Correct AuthenticationException InvalidCredentialException MutexSecurity SemaphoreSecurity Suppose you've created a FileSecurity instance to store the full security descriptor for a text file. You now want to modify a setting in the descriptor in C# 2005. Which method do you use to do this? Incorrect. The correct option is as follows AccessControlSections GetSecurityDescriptorSddlForm SetAccessControl SetSecurityDescriptorSddlForm Suppose you're currently implementing role-based security in a C# 2005 application. Which code tests whether the principal object GenPrinc is authenticated successfully? Incorrect. The correct option is as follows blAuth = GenPrinc.Identity.AuthenticationType blAuth = GenPrinc.Identity.IsAuthenticated blAuth = GenPrinc.Identity.IsInRole blAuth = GenPrinc.Identity.Name Suppose you've created an instance of the Evidence class named myEvid. You now want to use this instance to store the evidence information from the assembly named myAssembly. Which line of code do you use to do this? Incorrect. The correct option is as follows Evidence myEvid = new Evidence(); myAssembly = [Assembly].GetAssembly(myEvid); myEvid = myAssembly.Evidence; You're implementing evidence-based security in an application. Which code retrieves the loaded view of the application's assembly containing the type or class of the myType object, storing it in

the myAssembly object? Incorrect. The correct option is as follows myAssembly = Assembly.GetAssembly(myType); myAssembly = myAssembly.myType; myType = myAssembly.GetEnumerator(); myType = Type.GetType("System.Object"); Suppose you want to use the FileIOPermission class to enable an object to read and write information to a specified file in an application. Which line of code do you use to do this? Incorrect. The correct option is as follows FileIOPermission filepermissions FileIOPermission fpermission = new FileIOPermission(FileIOPermissionAccess.Read, "e:\\applications\\test"); filepermissions.Demand fpermission.AddPathList(FileIOPermissionAccess.Write | FileIOPermissionAccess.Read, "e:\\applications\\test.txt"); Say you're creating a new principal for a generic end user. Which code creates a new principal gPrinc from the generic identity named gID and roles contained in the array named rArray? Incorrect. The correct option is as follows gPrinc = New GenericIdentity(gID, rArray); gPrinc = New GenericPrincipal(gID, rArray); gPrinc = New WindowsIdentity(gID, rArray); gPrinc = New WindowsPrincipal(gID, rArray); You want to retrieve evidence for the MyEvidence object, to enable evidence-based security. Which code do you use to access the number of evidence objects? Incorrect. The correct option is as follows MyEvidence.Count MyEvidence.GetEnumerator() MyEvidence.Evidence MyEvidence.ToString() Which namespace do you need to import before you use the GenericIdentity class to create an identity for a generic user?

Correct System.Security.Policy System.Security.Principal System.Security.Permissions Identify the method that enables you to use the DPAPI to encrypt information into a byte array. Correct DataProtection Protect ProtectedData Unprotect Suppose you have used a public key to sign a hashed file and have encrypted the file with a private key. Which class do you call when implementing the algorithm required for this type of encryption? Incorrect. The correct option is as follows The AsymmetricAlgorithm class The DESCryptoServiceProvider class The DSACryptoServiceProvider class The RSACryptoServiceProvider class Which class of the System.Security namespace serves as the base class for a permission to a resource? Incorrect. The correct option is as follows CodeAccessPermission NamedPermissionSet PermissionSet SecurityManager You're currently implementing evidence-based security for an application. Which namespace must you import to enable you to map permissions contained in the security policy to an assembly's evidence? Incorrect. The correct option is as follows

System.Reflection System.Security System.Security.Permissions System.Security.Policy You want to use a fast symmetric algorithm to encrypt a large file. You want to use 256-bit data blocks and a 192-bit key. Which symmetric algorithm should you use? Correct DES 3DES RC2 Rijndael Suppose you are using a Digital Signature Algorithm (DSA) and you need to implement a hash algorithm to compute a hash digest. Identify the code you use to create or initialize the object that will initiate the required algorithm. Incorrect. The correct option is as follows SHA1.ComputeHash(); SHA1.Create(); SHA1.Initialize(); SHA1.Protect(); Suppose you want to create an inheritable class to determine the level of access that should be allocated to objects. Which class do you use to do this in C# 2005? Correct AccessRule AuthorizationRule CommonAcl GenericAcl Which line of code writes client message bytes to an authentication stream in C# 2005? Incorrect. The correct option is as follows catch(AuthenticationException e) Console.WriteLine("Exception: {0}", e.Message); Console.WriteLine("Inner exception: {0}", e.InnerException.Message);

tcpstream.Write(message); Suppose you want to assign all users access to a specified folder in an application. Which line of code could you use to do this? Incorrect. The correct option is as follows FileIOPermission filepermissions= new FileIOPermission(FileIOPermissionAccess.AllAccess, "C:\Temp"); StringBuilder result = new StringBuilder(); filepermissions.Demand result.Append(se.Message) Suppose you want to assign a specific object permission to read information from the user folder. Which line of code do you use to do this? Correct FileIOPermission fpermission = new FileIOPermission(); FileIOPermissionAccess.Read, "e:\\applications\\user"; fpermission.AddPathList(FileIOPermissionAccess.Read, "e:\\applications\\user.txt"); fpermission.AddPathList(FileIOPermissionAccess.Write, "e:\\applications\\user.txt"); Say you are using the DPAPI to encrypt data. You have selected the LocalHost value in the DataProtectionScope enumeration. How does this affect the API? Correct The data is encrypted with an application-specific key The data is encrypted with a computer-specific key The data is encrypted with a network-specific key The data is encrypted with a user-specific key Suppose you are using DES to encrypt a file. Identify the line of code you use to create an object that will generate the encryption from the Key and IV field values in the DESCryptoServiceProvider object. Incorrect. The correct option is as follows AfterInput = myDES.Encrypt(mybyte, false); ICryptoTransform convert = D.CreateEncryptor(); DESCryptoServiceProvide myDES = new DESCryptoServiceProvider();

Encrypt(myDes, input, output); You've initialized the ServiceInstaller class. Now you want to set the password of the process installer to nothing. Which line of code do you use to do this in C# 2005? Correct this.myprocInstall.Password = null; this.myprocInstall.UserName = null; this.myservInstall.DisplayName = null; this.myservInstall.ServiceName = null; You've initialized the ServiceInstaller class. Now you want to set the password of the process installer to nothing. Which line of code do you use to do this in C# 2005? Correct this.myprocInstall.Password = null; this.myprocInstall.UserName = null; this.myservInstall.DisplayName = null; this.myservInstall.ServiceName = null; Suppose you are creating a Windows Service application and have just added an installer to the project. What should you do next? Incorrect. The correct option is as follows Build the project Create a control for the service Create a new project Define the properties of the installer Topic title: Advanced Service Processes in C# 2005 You want to identify the reason for the Terminal Services session change in C# 2005. What line of code begins the subroutine that will accomplish this? Incorrect. The correct option is as follows Console.WriteLine("SessionID " + myDesc.SessionId.ToString() + "has requested change"); SessionChangeReason myReason; : System.ServiceProcess.ServiceBase protected override void OnSessionChange(SessionChangeDescription myDesc) Topic title: Special Classes and Enumerations in C# 2005

Given the following code, what is the missing code that releases the semaphore from a thread? private Semaphore semaph = new Semaphore(2, 2); public void Semaphore_Example() { semaph.WaitOne(); MISSING CODE; } Correct semaph.Release semaph.Release() Release(semaph) Semaphore.Release() Which code gets a lock called myLock for the read process in a thread and holds it for two seconds? Incorrect. The correct option is as follows Acquire.myLock(ReaderLock)(2000); AcquireReaderLock(myLock).2000; myLock.AcquireLock(myLock).2000; myLock.AcquireReaderLock(2000); Suppose you have created an AppDomainSetup object called "myD1Setup". You now want to specify the name of the configuration file for your application as "Mine.Cfg". Which line of code would you use to do this? Incorrect. The correct option is as follows myD1Setup.ApplicationBase = "C:\Mine.Cfg"; myD1Setup.ConfigurationFile = "Mine.Cfg"; myD1setup.PrivateBinPath = "bin"; myDom1.SetupInformation = myD1Setup; Suppose you need to obtain the thread object of the thread being executed in the application domain. Which property enables you to do this? Correct Thread.CurrentThread

Thread.Name Thread.Priority Thread.State You want to declare a new object to help control the code access security permissions for a Windows Service you created in C# 2005. Which line of code do you use to do this? Correct Console.WriteLine("Insufficient Permissions: " + ex.Message); Console.WriteLine(serv.Status); ServiceControllerPermission perm = new ServiceControllerPermission(); public static void ServSwitch(serv As ServiceController) You want to specify the reason for a Terminal Service session change notice. What line of code declares the object necessary to contain this information? Incorrect. The correct option is as follows SessionChangeReason myReason; protected override void OnSessionChange(SessionChangeDescription myDesc) protected override void OnStart(string[] myA) System.ServiceProcess.ServiceBase.Run(Serv1); Which arguments would you pass to the EventWaitHandle class, in the following code, to set it as signaled and cause it to wait till you reset it manually? EventWaitHandle Event = new EventWaitHandle(MISSING CODE); Correct 0, EventResetMode. ManualReset 1, Reset false, EventResetMode.AutoReset true, EventResetMode.ManualReset Topic title: Basic Service Processes in C# 2005 Suppose you are creating a Windows Service application and have just created a timer control for the service. Which step do you take next? Correct Complete the code for the start and stop events of the service class Define the properties of the installer

Install the service Run the service Topic title: Advanced Service Processes in C# 2005 You've declared the ServiceProcessInstaller class in C# 2005. Now you want to initialize the ServiceProcessInstaller class. Which line of code do you use to do this? Incorrect. The correct option is as follows this.myprocInstall = new ServiceProcessInstaller(); this.myservInstall = new ServiceInstaller(); this.myservInstall.StartType = ServiceStartMode.Manual; private ServiceProcessInstaller myprocInstall Topic title: Introduction to Threading in C# 2005 The following code sets the priority of a thread, which is stored in the variable myThread. MISSING CODE.BelowNormal What is the missing code? Correct [MTAThread] myThread = new Thread myThread.Priority = ThreadPriority ThreadPool.SetMaxThreads Which code requests a lock on a reader? Incorrect. The correct option is as follows readwritelock.AcquireReaderLock(); readwritelock.AcquireReaderLock(timeOut); readwritelockAcquire.ReaderLock(timeOut); readwritelock.ReaderLock.Acquire(); Topic title: Introduction to Threading in C# 2005 What does the following code achieve? myThread = new Thread(new ThreadStart(Running)); Correct

It creates a thread at the address myThread and begins the Running method It creates the subroutine Running as a thread at the myThread address It initializes the object myThread as a thread that will execute the subroutine Running It uses the new Thread delegate to assign myThread to the Running subroutine Topic title: Basic Service Processes in C# 2005 Suppose you have created a Windows Service application in the .NET Framework. What is the correct sequence of steps you need to take to complete the application? Incorrect. The correct option is as follows Create a control, create a project, build the project, add an installer, install the service Create a control, install the service, create a project, build the project, add an installer Create a project, build the project, create a control, add an installer, install the service Create a project, create a control, add an installer, build the project, install the service Topic title: Application Domains in C# 2005 What are the advantages of using application domains? Partially correct. The correct options are as follows Enables code in one application to access code from another application Increases the scalability of a server Prevents code faults in one application domain from affecting other code Provides a more secure and versatile form of isolation Topic title: Application Domains in C# 2005 You have created an application domain called "myDom1", and configured it through the AppDomainSetup object called "myD1Setup". Now you need to shut it down gracefully so that no new threads can access it. Which line of code would you use? Correct AppDomain.Unload(myD1Setup); AppDomain.Unload(myDom1); myD1Setup.SetupInformation = myDom1; myDom1.SetupInformation = myD1Setup; Topic title: Thread Event Handling in C# 2005 Which of these processes are achieved via the WaitHandle class? Partially correct. The correct options are as follows

Adds synchronization functionality to methods via the WaitAll class Creates safely synchronized code by locking parts of the code Makes threads wait while many classes are signaled Treats a process like a single operation to protect from other threads Topic title: Basic Service Processes in C# 2005 Which of the System.ServiceProcess namespace classes enables you to create a new service class? Incorrect. The correct option is as follows ServiceBase ServiceProcessInstaller SessionChangeDescription SessionChangeReason Topic title: Introduction to Threading in C# 2005 What happens if you call Thread.Start twice or more in a program? Incorrect. The correct option is as follows A race condition will occur A ThreadStateException will be thrown There will be a deadlock Two or more threads will be started Suppose you want to create a new application domain to isolate some of the applications running on your machine. It is to be called "myDom1" and assigned the name "My Domain". Which line of code would you use to do this? Incorrect. The correct option is as follows AppDomain myDom1 = AppDomain.CreateDomain("My Domain"); AppDomainSetup myDom1 = New AppDomainSetup(); AppDomain MyDomain = AppDomain.CreateDomain("MyDom1"); AppDomainSetup MyDomain = New AppDomainSetup(); Youre building a new application and you want to create a new Windows Service for your application. Which line of code do you use to derive from the essential super class for your service? Incorrect. The correct option is as follows

CanStop = true; : System.ServiceProcess.ServiceBase protected override void OnStop() System.ServiceProcess.ServiceBase.Run(Serv1); What do the two values in the following code mean? Timer stateTimer = new Timer(timerDelegate, autoEvent, 500, 333); Incorrect. The correct option is as follows The timer will initially fire after 500 milliseconds, and then at intervals of 333 milliseconds The timer will initially fire after 333 milliseconds, then at intervals of 500 milliseconds The timer will fire 500 times in 333 milliseconds The timer will fire for 500 milliseconds after an interval of 333 milliseconds Topic title: Special Classes and Enumerations in C# 2005 The Monitor class maintains reference information about which of the following? Partially correct. The correct options are as follows Queue of threads ready to hold the lock Queue of threads waiting for the locked object to change state Queue of threads with the appropriate state to hold the lock Threads that have held and released the lock Suppose you want to control a debugger with a boolean switch. Identify the method you use to do this. Incorrect. The correct option is as follows Fail if...else Write WriteIf Suppose you are looking for configuration information about an application. In which .NET component can you find this information? Incorrect. The correct option is as follows The DEVPATH variable The Mscorcfg.msc tool

The .msi file The Web.config file Topic title: Configuration in C# 2005 Suppose you want to use the namespace that passes configuration data to the programming model that handles the configuration. What code do you use to do this? Incorrect. The correct option is as follows Class AppSettingsReader NameValueCollection arguments = new ConfigurationManager.AppSetting(); string[] keynames = ConfigurationManager.AppSettings.AllKeys; using System.Configuration; Topic title: Debugging and Tracing in C# 2005 You've added a trace listener to your application code, and written code to implement tracing. Now you want to write the tracing information to the listener at the same time as clearing the buffer. Identify the code you use to do this. Incorrect. The correct option is as follows Trace.Add Trace.Close Trace.Flush Trace.Write Suppose you are working with a given Configuration object and need to access the identity section of the XML schema with the file it represents. What code do you use to do this? Incorrect. The correct option is as follows Configuration config = WebConfigurationManager.OpenWebConfiguration(webconfigPath); IdentitySection targetsection = new IdentitySection(); targetsection = config.GetSection("system.web/identity"); string webconfigPath = "/RootFolder"; WebConfigurationManager.OpenWebConfiguration(webconfigPath); Suppose you want to use the DEVPATH environment variable to configure a .NET application because of its direct lead to the build output directory. What is the code that you use to do this? Correct

<configuration> <developmentMode developerInstallation="false"/> <developmentMode developerInstallation="true"/> <runtime> Topic title: Event Logs and System Processes in C# 2005 Identify the tasks you need to complete in order to start a process on your system. Partially correct. The correct options are as follows Call the Start method of the process component Declare a new process Enter the file name parameter as a string expression Specify the file name for the process Topic title: Embedding Management Information in C# 2005 Suppose you want to configure your application to subscribe to management events of the Windows Management Instrumentation (WMI) infrastructure so that it's alerted each time a process is created. Which class of the System.Management namespace do you use to subscribe to these events? Incorrect. The correct option is as follows ManagementBaseObject ManagementEventWatcher ManagementObjectSearcher ManagementScope Topic title: Embedding Management Information in C# 2005 Say you want to configure your application to retrieve information about all network connections. Which class of the Windows Management Instrumentation (WMI) infrastructure do you need to query to do this? Incorrect. The correct option is as follows Win32_NetworkAdapter-Configuration Win32_Process Win32_Service Topic title: Configuration in C# 2005

Which code allows you to access the collection of sections in a given configuration file? Correct col = con.Sections using System.Configuration; using ConfigurationManager; public void myDisplayedMapMachine() Topic title: Deployment and Installation in C# 2005 Suppose you want to implement the code that defines the methods that handle installer events. What is the second parameter type you pass into such a method? Incorrect. The correct option is as follows InstallEventArgs Install RunInstaller AddHandler Me Topic title: Embedding Management Information in C# 2005 Say you want your application to retrieve information about all paused services on the local system. You want to return a collection of information about the paused services using a ManagementObjectSearcher class instance and then pass this information to the ManagementObjectCollection instance named pArray. Which code do you use to do this? Incorrect. The correct option is as follows ManagementObjectCollection pArray = myMOS.DirectRead(); ManagementObjectCollection pArray = myMOS.Get(); ManagementObjectCollection pArray = myMOS.Query(); ManagementObjectCollection pArray = myMOS.Scope(); You want to add a new text writer trace listener to your application code. Which line of code do you use? Incorrect. The correct option is as follows new Trace.Listeners.Add(TextWriterTraceListener(Console.Out)); Trace.Listeners.Add(new TextWriterTraceListener(Console.Out)); Trace.Listeners.Add() new TextWriterTraceListener(Console.Out); Trace.Listeners.New(Add TextWriterTraceListener(Console.Out));

Topic title: Configuration in C# 2005 Which class provides access to classes and methods that you can use to configure files and sections? Incorrect. The correct option is as follows AppSettings ConfigurationManager configSections SectionInformation Topic title: Event Logs and System Processes in C# 2005 You want to start a process that opens the Calculator application. Identify the code that enables you to start the process by passing the FileName parameter. Correct Process myProcess = Process.GetProcess("Calculator.exe"); ProcessStartInfo myProcess = Process.GetProcessByName("Calculator.exe"); Process myProcess = Process.Start("Calculator.exe"); ProcessStartInfo myProcess = ProcessStartInfo.Start("Calculator.exe"); Topic title: Configuration in C# 2005 Which interface implements the general settings of application service providers? Incorrect. The correct option is as follows System.Configuration IApplicationSettingsProvider IConfigurationSystem IConfigurationSectionHandler Topic title: Debugging and Tracing in C# 2005 Suppose you're writing code for debugging purposes. Identify the method you use to ensure that the debugging output is easy to differentiate from other code. Correct Fail Flush Indent

Write Suppose you want to configure your application to enumerate disk drivers on your local computer. To provide the options that the ManagementObjectSearcher instance must use for enumeration, you decide to create an object named myOptions. Which code do you use to do this? Incorrect. The correct option is as follows EnumerationOptions myOptions = new EnumerationOptions(); EventQuery myOptions = new EventQuery(); Options myOptions = new Options(); Scope myOptions = new Scope (); Topic title: Event Logs and System Processes in C# 2005 Suppose you are writing an event log entry. You have created the EventLog component, registered the event source and log, and set the source properties. Identify the method you call to write the event log. Correct CreateEventSource ReadLog WriteEntry WriteLine Topic title: Deployment and Installation in C# 2005 Suppose you are loading an assembly and need to invoke the constructor that creates an instance of the assembly class. What code do you use to do this? Correct clo[0] = "/LogFile=demo.log"; AssemblyInstaller myassminstall = new AssemblyInstaller("test.exe",clo); using System.Configuration.Install; myassminstall.Install(savestate); Topic title: Event Logs and System Processes in C# 2005 Suppose you want to create an instance of the EventLog component. Identify the sequence of steps that will enable you to do so from the Toolbox. Partially correct. The correct options are as follows Add the component to the designer surface

Declare an instance of the EventLog class Select the event log Set the component properties

Corporate Security, and what it means to you

Learning Objective
After completing this topic, you should be able to

describe the role of the end user in maintaining information security

1. Organizational IT security
Organizations implement IT security plans by issuing policies and guidelines for safeguarding the valuable resources of the organization, its partners, and its customers against IT-related risks. Because the inappropriate actions of one user can affect all other system users, it's vital that you know where you fit into the security plan and how to help with its implementation. An organization uses many valuable resources to achieve its mission and objectives. Resources include data, hardware, and software, as well as physical and financial resources, the organization's reputation and legal position, its employees, and other tangible and intangible assets. The goal of information security is to support the organization by protecting the resources required to achieve its mission and objectives. Consider a company involved in the very competitive field of automotive manufacturing. To maintain a competitive advantage, it's crucial that new designs and upcoming developments are well protected. A new employee has written her login details, including her password, on a sheet of paper next to her computer. Anyone, authorized or not, who comes into this office can use the login details to access confidential information or to access the company systems for malicious purposes. Organizations can implement IT security in various ways:

by following international and government standards by maintaining the Confidentiality-Integrity-Availability triad, and The Confidentiality-Integrity-Availability triad is a triangle with one aspect at each point of the triangle. by implementing policies, procedures, standards, and guidelines

An important international standard for information security policies is the NIST Special Publication 800-50, Building an Information Technology Security Awareness and Training Program. This policy was created to provide guidance for Federal agencies and departments in meeting the requirements set out by the Federal Information Security Management Act, or FISMA, when creating and maintaining their awareness and training programs. Another important standard is the ISO/IEC 27001 standard published in 2005. Designed for government agencies, public corporations, and private businesses, this standard identifies the necessity for creating, implementing, operating, monitoring, and maintaining a structured Information Security Management System, or ISMS. The standard also emphasizes the importance of users understanding their role in the information security management scheme.

Note
The full title of the ISO/IEC 27001 standard is Information technology Security techniques Information security management systems Requirements. All information security plans need to include support and controls to achieve the three key objectives that make up the CIA triad, which are confidentiality, integrity, and availability. Click each objective to learn more about it. Confidentiality Confidentiality ensures that private information is not disclosed to unauthorized parties. This includes data or information that's processed, stored, or transferred, and can range from sensitive company data that could jeopardize business operations, to personal details of employees or customers, which can be used in identity theft. One method for maintaining confidentiality is to encrypt all important information. This ensures that only authorized users can view the contents of secured documents. Integrity Integrity has two facets data integrity and system integrity. Data integrity ensures that data is recorded accurately and prevents unauthorized parties from manipulating the data. System integrity means a system's processes are correct and that unauthorized parties cannot manipulate systems. Data integrity and system integrity can be maintained by preventing access to the system by unauthorized persons. Integrity can also be maintained by implementing a series of validation checks at different stages of a document's lifecycle. Availability Availability ensures that authorized users have access to data and systems whenever they require it. This is achieved by preventing unauthorized deletion of data, either accidentally or maliciously, and ensuring system and data access are maintained in the event of human or environmental events. Human events that affect availability include attacks by hackers, disgruntled employees,

and terrorists, and unintentional damage by users. Environmental events include service disruptions caused by natural events such as floods and lightning, and infrastructure deficiencies such as poor wiring or insufficient cooling. Preventing unauthorized access to information systems, implementation of backup and recovery policies, and business continuity planning all contribute to maintaining availability. It's very important that comprehensive information security policies are created in an organization. In addition, the policies have to be well supported by correctly implemented procedures, standards, and guidelines. You can think of policies as the structures created by management to ensure that all members of the organization can work together to achieve a common goal. Policies contain the acceptable limits users of the system should be aware of when they make decisions that affect the organization. In most instances, the security policies, guidelines, and procedures are created by information security professionals in your organization with the support of senior management. These professionals are responsible for identifying and preventing known security issues to lessen the impact of future threats. Security professionals need to be up to date with current government legislation, new ideas and trends in the security industry, and the best methods to implement security solutions within their organization. It is also very important that the policy can be easily understood by all users. It is no good implementing a policy that doesn't make sense to an organization's personnel. Therefore, care should be taken that the policies don't contain too many technical details that end users or non-security professionals can't decipher. The security professional should gather input for an organization-wide policy by involving members of other business units in the company. This approach often leads to a better, more focused policy and easier buy-in from all the affected parties. Once a policy has been accepted by senior management, a framework for all the system users is established. If necessary, additional control mechanisms such as standards or baselines can be created to support the policy. A final consideration is that the most current version of a policy document should always be accessible for any authorized user to view. One way to do this is to make it available in a shared folder on the company intranet.

Question
Your organization has recently started implementing the CIA triad to maintain information security. However, you suspect that your company information is already being accessed by an unauthorized third party. You therefore decide that all future documents generated by you or your team will be encrypted to safeguard them from unauthorized access. Identify the CIA objective that's supported by using encryption techniques. Options: 1. Confidentiality 2. Integrity 3. Availability

Answer
Option 1: Correct. Confidentiality is concerned with providing information only to authorized recipients. By encrypting documents, you can prevent unauthorized users from accessing sensitive information. Option 2: Incorrect. Integrity ensures that the information you are using is accurate and trustworthy. Encryption supports the confidentiality of the information rather than integrity. Option 3: Incorrect. Availability ensures that authorized users have access to data and systems whenever they require it. Encryption supports the confidentiality of the information rather than availability. Correct answer(s): 1. Confidentiality

2. The end-user role in IT security

For an organization to keep its operations running as smoothly as possible, it is necessary that information used to make important business decisions is valid, accurate, available when required, and safe from unauthorized access. The responsibility of safeguarding the information falls to the upper management of the organization. Even though they may not be the actual implementers of the security plans, the decisions they make can significantly enhance or degrade an organization's security. Even though upper management has overall responsibility for safeguarding the information of the organization, the entire policy could fail if end-users don't play their part in contributing to its proper enforcement.

You can help to maintain security by adhering to the company security policies, procedures, standards, and guidelines, understanding your role in the CIA triad, and reporting any information security incidents. Typically, you're responsible for safeguarding the data you work with in the organization. You can do this by strictly following data security policies and taking the precautions set out by your managers or network administrators.

Graphic
There is a computer network consisting of four computers connected to a server. For instance, you shouldn't download or install software that is not permitted, or abuse the e-mail system by clicking on links or opening attachments from unknown sources. You should also take care to only visit known, safe web sites that are not likely to cause any malware to infect your system. Information security policies provide employees with guidelines for protecting the availability, integrity, and confidentiality of company information and information systems. In addition, policies outline the standards for systems and procedures within the organization, and employee responsibilities for maintaining information system security. Therefore, it is important for employees to read and follow the specified guidelines. Information security policies may cover a specific area, for example encryption, antivirus processes, or passwords. Click each policy to learn more about it. Encryption Encryption policies define the standards for acceptable encryption algorithms used within an organization. They ensure that sensitive data is encrypted using only algorithms that have been proven to work effectively. For example, the policy could specify that only Federal Information Processing S+E16 Standard (FIPS) 140-2-compliant encryption should be used for portable and mobile devices, and handheld PCs. Antivirus process Antivirus process policies specify guidelines for reducing the threat of computer viruses on an organization's network. For example, the policy could stipulate that virus definitions must be updated on a daily basis and that antivirus software runs both signature-based and heuristic scans on all accessed files. Passwords

Password policies establish a standard for the creation of passwords, the protection of those passwords, and the frequency of change. They ensure employees create strong, unique passwords appropriate to the sensitivity of the information they access. For example, a password policy could require users to create a password of a minimum length containing a combination of uppercase and lowercase letters, numbers, and at least one special character. When you violate information security policies, unauthorized parties may gain access to classified information, or aggregate unclassified information to a level that constitutes a risk. All the information compiled and used in your organization has some level of sensitivity. Therefore a minimum set of security controls has to be applied for all information. There are types of information typically deemed more sensitive, requiring additional security controls. These include company information, commercial or financial information, legal information, and personally identifiable information. Click each information type to learn more about it. Company information Company information is predominantly internal and not normally shared with the public, or it can be exempt from disclosure by statute. Pre-decisional and deliberative process information may also require additional controls. Commercial or financial information Commercial or financial information includes trade secrets and other commercial information that's privileged or confidential. Legal information Legal information refers to legal records, whether criminal, civil, or administrative. Personal information Personally identifiable information, or PII, is information that can be used by itself or in combination with other data to exploit private information. It can be used to identity fraud and may be subject to legislation protecting individual privacy. Examples include a person's name, social security number, or fingerprints. You can also make a positive contribution to information security in your organization by paying attention to potential security breaches or incidents and reporting them to the person responsible for dealing with these threats. You should expect to be trained in how to recognize security incidents and be familiar with the process for reporting them. Timely reporting and escalation of suspected security incidents ensures that the potential damage and cost to the company and its information systems is minimized.

IT security incidents are often the result of actions performed by employees who are unaware of the company's security policies and procedures. For example, users may unwittingly introduce malicious software to the company's network by opening e-mail attachments from unknown senders, installing unlicensed or pirated software, using infected personal devices, and even downloading files from the Internet. Users can also increase the risk of unauthorized access by sharing system login information, or using weak passwords. Typical security incidents include the following:

violation of IT security policy execution or presence of malicious code attempted or successful break-in to a computer or network lost or stolen IT devices, and loss of personally identifiable information, or PII

Question
Select the methods you can use to enhance information security in your organization. Options: 1. Upon noticing that a new employee working in the cubicle next to you has written his password on a piece of paper stuck to his computer, you introduce yourself and explain that this is a serious breach of the company's security policy 2. You receive an e-mail from an unknown source, which promotes a new anti-spyware program and you decide to click on the link to the product's page 3. You decide to install a word-processing program from a friend's CD on your office computer as you think it will allow you to work more efficiently than the currently installed option 4. You discover that the organization's IT security guidelines and security policy documents are not available on the corporate intranet and ask a network administrator to locate them

Answer
Option 1: Correct. Passwords that are weak or not secured properly can cause a major security incident if discovered by malicious users. Option 2: Incorrect. Even though you may believe that you're improving the security of your system, you could expose your computer and your organization's internal network and systems to an attack from an outside source.

Option 3: Incorrect. To maintain information security, you should never install unauthorized, unlicensed, or illegal software on a computer in your organization. Option 4: Correct. It is vital for the implementation of a proper IT security plan that guidelines and policies are kept updated and are freely available to all authorized system users. Correct answer(s): 1. Upon noticing that a new employee working in the cubicle next to you has written his password on a piece of paper stuck to his computer, you introduce yourself and explain that this is a serious breach of the company's security policy 4. You discover that the organization's IT security guidelines and security policy documents are not available on the corporate intranet and ask a network administrator to locate them

Summary
Most organizations regard information as an asset that should be safeguarded. So it's very important that your organization implements and maintains a proper IT and information security plan. IT security can be implemented by following international and government standards, maintaining the CIA triad, and implementing and following internal guidelines, standards, and policies. Even though senior management is ultimately responsible for information security, the daily users of the information need to promote and support the information security plan. You can take responsibility by knowing your role in the system, following recognized procedures and guidelines, and reporting security incidents.

Policies for Securing Your Work Environment

Learning Objective
After completing this topic, you should be able to

recognize policies for creating a secure workspace environment

1. Work environment security policies

Because the weakest link in an organization's security is often the people it employs, companies are vulnerable to social engineering attacks. Social engineering is used to manipulate unsuspecting victims into supplying sensitive information that can be used to undermine an organization's information security, reputation, or competitive advantage. Companies put

policies in place to guard against such threats. All employees need to be aware of these policies and follow them when working on their company computer and when using mobile devices. Company policies on information security provide guidelines to maintaining and protecting the integrity, confidentiality, and availability of your company's information and information systems. It's important to strictly adhere to these policies as they're designed to protect both you and your company from malicious actions. Security policies are designed to maintain information security in your work area and on mobile devices such as laptops, smartphones and tablets, and they protect you from external threats that may come from the Internet, e-mail, and social networks. They also stipulate how passwords should be created and maintained. Select each security policy type to learn more about it. Computer and hardware Computer and hardware security policies are put in place to ensure responsible precautionary measures are taken within the physical environment of your workspace. This includes maintaining a clean desk policy, along with printer security, and restricting administrative access for example, allowing the installation of software on a company system to system administrators only. Mobile device Many people carry a smartphone or tablet, with at least some business data on it, such as contact lists or confidential e-mails. Mobile device security policies help reduce the risk of information being leaked by specifying when you should use your personal versus company phone, and how it should be used and secured, for example. Organizations should also include a policy for the wireless connection of personal devices to corporate networks. E-mail and Internet E-mail and Internet security policies are designed to prevent incursions from outside threats, such as viruses, which can infect your computer through e-mail and the Internet, and seriously disrupt computer systems. In addition to requiring the installation of antispam filters and anti-malware software, this policy should include vigilance training to educate end users on the common methods used to breach security. Phishing attacks, vishing attacks, and malware can greatly compromise business security. Social networking Many employees in today's workplace use social networking sites, which make it very easy for information to inadvertently pass to online social contacts. This creates risks to your organization's data and reputation. Social networking security policies, such as the restriction of posting company business on these sites, or even blocking social networking sites, are designed to minimize the damage that can potentially be caused. Password Password policies inform users on the need for password security, such as securing passwords, and the best methods to create strong passwords, such as avoiding obvious

dates or names, and using combinations of alphanumeric characters. Password policies should also have well-defined expiry mechanisms to ensure passwords are changed on a frequent basis. Computer and hardware security concerns the physical area where you work and the equipment in that space. It's your responsibility to exercise care with the information entrusted to you. Company documents should be secured at the end of each work day. A clean-desk policy ensures papers containing sensitive or confidential information aren't left where unauthorized persons, such as janitorial staff, can access them. You should lock your computer when you leave your desk, and lock your filing cabinet, desk drawers, and your door when you leave your office. Random checks should be carried out periodically to make sure this policy is being followed. Checks should also be done on documents flagged for destruction by shredding to ensure this process is in fact carried out. Sensitive information can be leaked if it's placed in the trash instead of being properly disposed of. There are shredding companies which can safely dispose of printed materials. Often, these companies have strict procedures in place to ensure that printed material is safely destroyed. For example, many reputable companies provide tamper-proof bins, require that all their employees are bonded, and implement stringent processes to ensure that there is no risk of information being compromised. Most organizations produce some data in printed form, such as company payroll information, or research data, for example. If compromised, this data can be used in identity theft crimes, or used by a competitor for financial advantage. Your department may use a shared printer located in a public place. Ensure you collect sensitive documents as soon as you print them. The longer a document lies in the printer, the more likely it is that an unauthorized person will access the information it contains. If possible, configure your printer to accept a numeric password so it only begins a print job when you enter the password at the machine. Alternatively, have an authorized person wait at the printer when a sensitive document needs to be printed. Modern printers contain computer memory, and that means that print buffers can sometimes be used to retrieve previous print jobs. Where applicable, system administrators should set up printer drivers to flush their buffers once documents have been printed. Line printers the type used in accounting applications like printing of spreadsheets are still in use today and use impact-based ribbons that may contain retrievable data. Also, print drums used by laser printers may contain residual images of recently printed documents. In such instances, spent ribbons and drums should be treated the same way as printed documents and securely destroyed.

Today's smartphones and PDAs can access and store much more data than just phone numbers. Because they're easily lost or stolen, organizations need specific procedures and policies on the acceptable use of these devices. This includes when and how you should use your personal versus company phone. Devices supplied by your organization for work activities, which contain sensitive information, should support password locking when not in use, be able to encrypt data, and have a remote wipe features. This should also apply to personal devices used in a work context. Due to the increased popularity of smartphones and tablets, a recent phenomenon known as BYOD, or bring your own device, has become a popular notion with many organizations. In the BYOD model, employees are allowed, and even encouraged, to bring their devices to work and connect them wirelessly to the corporate network. While there are several benefits to this practice, BYOD also poses an additional security threat to organizations, since mobile malware is on the rise. In instances where personal devices are allowed to connect to a corporate network, all necessary measures should be addressed by security policies, and properly enforced.

Question
Which policies should be followed for computer and hardware security to ensure sensitive information is secured in your work area? Options: 1. Clear your desk of documents at the end of each work day 2. Collect documents printed on a shared printer as soon as you print them 3. Schedule checks at the same time each week to ensure your company's policies are being followed 4. Make sure sensitive documents are placed in the trash once they're no longer needed

Answer
Option 1: Correct. A clean-desk policy ensures sensitive documents aren't left lying out in the open where unauthorized persons can access them. Option 2: Correct. By collecting documents from a shared printer as soon as they've been printed, information contained on them isn't left exposed where unauthorized persons can access them. Option 3: Incorrect. Having checks at the same time each week allows employees to ensure their work area has been tidied ahead of inspections. Random checks are more likely to turn up policy infringements should they occur.

Option 4: Incorrect. Sensitive documents that are no longer required should be properly disposed of by shredding. Such information can be collected and leaked if it's just thrown in a trash can. Correct answer(s): 1. Clear your desk of documents at the end of each work day 2. Collect documents printed on a shared printer as soon as you print them Internet access is an essential tool for many organizations, but often subject to intrusion. E-mail and Internet security policies are designed to combat outside threats that can infect your PC through e-mail and interaction on the Internet. Internet usage should be restricted to company work only. A virus is a common type of attack that can be easily launched through carelessness. You should never open e-mail attachments, or click links from unknown users. If they contain a virus or malware, private information, along with your company's computer system, can be compromised.

Note
Malicious software, or malware, are programs created to access and disrupt computer systems, and steal information. Web browsing should be closely monitored and at-risk sites should be blocked from the corporate network. Cookie policies should be implemented and strictly enforced. Also, a policy should be put in place to handle browser-based controls such as ActiveX and JavaScript. Furthermore, browsers should be frequently updated to ensure security holes are patched, and anti-spyware software should be present and frequently updated. Phishing attacks are used to trick you into revealing passwords, credit card information, or user names. You're usually diverted by an e-mail link to a web site that appears to be controlled by a legitimate organization, such as a bank or government agency. The e-mail may inform you that your account details have been compromised, and you need to supply details such as account numbers to verify the information on their system. This information is later used to make fraudulent purchases, or steal your money. To limit the risk of being compromised by phishing attacks, you should always be suspicious of any e-mails that request personal or sensitive information, or include forms that request this information. Most organizations today have policies in place that state you will never be contacted by e-mail and asked to divulge personal information such as usernames and passwords. The most successful way of avoiding phishing attacks is to ensure that you and your co-workers are aware of these policies, and that you never click a suspicious link.

Vishing is an attack method used in combination with social engineering, which exploits the trust people have in landline services. These services are often interconnected with Voice over Internet Protocol, or VoIP, systems, used to communicate telephonically over the Internet. Vishing can access confidential information by attempting to take control of VoIP servers. Fake caller IDs cause users to think that a phone call is coming from a trusted source. The user is then convinced to part with confidential information. As with phishing attacks, your best defense is awareness, and a natural suspicion of any caller requesting confidential or personal information. Mobile malware is becoming increasingly more common, particularly with the ever-increasing popularity of smartphones and tablets. Since people always carry these devices with them including to and from work they are more susceptible to malicious attacks, since people generally don't exercise the same level of vigilance associated with personal computers. Mobile applications, or apps, have become very popular and ubiquitous in the use of mobile devices. While providers of these apps try to ensure that the software is free of malicious content, the risk that a user's device could become infected is significant. As everyday use of these devices continues to grow, the risk associated with these devices will continue to increase. With the popularity of SMS texting, the number of texting attacks has increased significantly. Spear phishing very targeted phishing attacks directed at a specific person and mobile spam, both through SMS, are very real security risks that must be considered. Organizations should implement a social networking security policy to keep company business from being posted on personal social networking sites. Employees must be made aware that social networks are public forums, and can be subject to scrutiny by criminal elements. You should never post information about projects or business being conducted by your organization, or even discuss such things with colleagues on social media sites. The information can be passed to competitors, who can then duplicate your work or find ways to sabotage your efforts, for example. These situations can be considered to fall within the category of policies that deal with non-disclosure of corporate information. Aside from making ill-considered posts, indiscriminately clicking on all the links and requests sent to you on social networking sites, even those that appear legitimate, are best avoided on work computers. These actions may lead you to accidentally open a virus, or cause a piece of malware to be installed on your computer, which could also spread to the internal network. In extreme instances, you may want to block social networking sites altogether, however, this is a difficult proposition since many businesses today use social networking as a tool for keeping customers informed and generating new business.

Password policies are put in place to safeguard all areas of information safety in your organization. Passwords can be used to secure various data sources, such as physical archives, or information stored on your personal workstation, for example. It's important to use strong, unique, and difficult-to-guess passwords, and to use a different password for different situations. This prevents an unauthorized person from gaining access to all your data should they manage to get hold of one password. Passwords should never be shared with anyone, and be changed on a regular basis, at least every three months, for example. Password expiration policies can guarantee this and should be strictly enforced. You can use these guidelines when considering how to create a unique password:

A strong password should be at least 15 characters long, and contain a combination of at least three upper and lower case characters, punctuation, numbers, or symbols such as brackets, hash, or dollar signs. Avoid using words found in dictionaries, and commonly used words such as a pet's name, computer terms, or your company's name. This includes spelling the word backwards. Personal information, such as anniversaries, phone numbers, or social security numbers are not suitable as passwords. Simple patterns such as 54321, or abccba are easy to guess, and best avoided. So is merely adding a single number to a word, such as password1.

A password should be meaningless, but still easy enough for you to remember so you don't have to make a note of it anywhere. You can use the first letters of a unique phrase, song lyric, or saying, exchanging some of the letters for numbers or symbols, for example.

Graphic
The phrase, This Password Is Easy To Remember, is condensed into the possible password TP1E2R. Password enforcement can be implemented by system administrators to ensure that these best practices represent a strict requirement, thus mitigating the risk that some employees will ignore the policy.

Question
Which social networking policies should be implemented to maintain information security for your organization? Options:

1. Never post information on social networking sites about business being conducted by your organization 2. Don't click links or requests sent via social networking sites on work computers 3. Limit usage of social networking sites to lunch hours 4. Keep sensitive discussions about team projects in private discussion groups on social networking sites

Answer
Option 1: Correct. Social networking sites are public forums. Any information you post can be easily accessed by unscrupulous people monitoring profile pages of people who work for your organization. Option 2: Correct. It's best not to click on links and requests sent to you on social networking sites on the computer you use at work, as you could potentially infect your system with a virus or malware. Option 3: Incorrect. While limiting the amount of time employees spend on social networking sites may help productivity, it doesn't prevent the possibility of a virus or malware attack should they open a link to a piece of malicious software. Option 4: Incorrect. Discussion groups on social networking sites are easily joined and have limited security, so it's best to never discuss any of your organization's work on a social networking site. Correct answer(s): 1. Never post information on social networking sites about business being conducted by your organization 2. Don't click links or requests sent via social networking sites on work computers

Summary
Companies implement information security policies to protect themselves from social engineering and other threats to data integrity, as well as to protect their reputation. Computer and hardware security policies define measures applied to your physical work environment, and include printer security, and clean-desk policies. Mobile device security policies govern how and when personal and work devices, such as smartphones and tablets, are used. Such devices should be password lockable, include encryption utilities, and be able to be wiped by remote if lost or stolen. E-mail and Internet security policies are designed to minimize the damage caused by external threats that can attack your organization, such as viruses and malware, or come from phishing and vishing attacks. Social networking sites are also potential places for such threats, and additional policies should cover restrictions on either access to, or company information posted

to, such sites. Password policies help in securing information by informing employees on the most effective ways to create passwords, as well as basic use.

Table of Contents
| Print | Contents | Close |

Security Policies for Remote Users

Learning Objective
After completing this topic, you should be able to

recognize policies for remote users

1. Policies for remote users

Many employees today work from home or while traveling. Advances in technology have enabled employees to access the applications and data they require from locations outside of the office. This allows companies to offer flexible working conditions to talented employees and to connect their employees who are on the road as part of their job. Sales employees can interact with, for example, inventory systems using a smartphone while at the customer's premises. However, allowing employees to work remotely also exposes an organization to a number of security risks. For example, hardware is much more likely to go missing, get stolen or become lost outside of the office. Furthermore, employees should be aware that they need to follow corporate security policies as if they were in the office. If you work remotely from home or on the go, you should consider yourself to be on the job in terms of your company's security policies. The security policy applies equally to you as it does to employees who are actually in the office. You should always remember your duties as an employee regardless of whether you are in the office or not. These include not only performing your work but also protecting the company's interests. When a remote employee loses a piece of hardware such as a laptop or smartphone that is stolen, it can have devastating effects on the security of the entire organization. Losing your remote hardware can be likened to losing the keys to the office, as it poses a similar security threat. In addition, there may be specific regulations for remote employees in the security policy that you should be aware of and follow. If you're an employee who works outside of the office, you should familiarize yourself with the regulations that apply to you. A security policy for remote users should consider the use of company-provided mobile devices, such as laptops, smartphones, and tablets. While these devices are in wide use today and offer

benefits such as increased accessibility, productivity, and convenience, they also represent a significant threat to an organization's security because they can be easily misplaced, lost, or stolen. To ensure these devices can't compromise company information, they should always be protected using the same strong password policies implemented in the office. Passwords should differ from those used at the office and there should be a preset limit for the number of times typically three to five times that an incorrect password can be entered before the device is locked, and can then only be unlocked by an administrator. Public wireless networks, such as those found in airports, hotels, and restaurants, are commonplace and represent a severe security threat since wireless data can be intercepted by users with malicious intent. Whenever possible, mobile devices should only be connected to hotspots using secure wireless transfer protocols such as WPA2, and strong wireless data encryption methods such as AES or TKIP. In the event that a mobile device is lost or stolen, the issue should immediately be escalated to the company's network administrators. All network passwords relating to the devices should be changed and an incident report should be created to ensure that the device's identity, for example its IP or MAC address, has been flagged as unsafe. Mobile devices should be registered for tracing with the manufacturer or cellular provider upon activation, and whenever possible they should have tracking software installed. For example, smartphones have tracing functions that can be implemented using either their GPS function or SIM card. Whenever possible, mobile devices should also have the ability to be wiped remotely. When a device has been lost or stolen and can't be traced, or if the data it contains is of a highly sensitive nature, system administrators should perform a remote wipe immediately. A security policy for remote users should also consider the use of employees' own computers. Often when employees use their own hardware, the security precautions in place for the organization aren't properly deployed. This makes the employees personal equipment a risk to the entire organization's security. Also, remote users may not be aware of the latest security technologies. The easiest solution to this problem is for organizations to disallow the use of privately owned hardware for working remotely. This enables the organization to supply hardware that contains strong security measures that have been tested. It can also mean that you don't have to purchase or insure the equipment you use when you're out of the office. If personal equipment is allowed for work use, the security policy should clearly define the security requirements and procedures that employees should follow to keep the organization and its information safe. The organization should supply and install the security measures that should be used.

This could include installing the antivirus software and antispyware software used by the company, and ensuring secure networking by configuring the hardware. If not correctly configured, information being transmitted between the employee's remote computer and the company network might not be protected and weakly encrypted data might become intercepted and cracked. Precautions defined in a security policy should cover the storage of documents by remote employees, the transmission of documents by remote employees, and the verification of remote users' identities. The first security precaution is the encryption of data that is stored on the hardware used by remote employees. This helps protect sensitive information if the hardware falls into the wrong hands because only authorized users can perform the procedure required to decrypt the data. A security policy should define the encryption method, strong password enforcement, what data to encrypt, and it should define the procedure for implementing encryption. The organization should install the software required for encryption on the hardware used by the remote employees. A security policy should also consider the use of printed documents at a remote user's home. As printed documents are easy to lose and may not be properly disposed of, their use should be minimized. This is especially true of printed documents containing sensitive information. If paper records are going to be used by remote employees, the security policy should define handling procedures, such as securing the documents in a cabinet and destroying old records with a good shredder. The second important security measure is the encryption of data as it is transmitted to and from the remote employee. Data can be vulnerable to security risks when it's in transit from one device to another. This is of particular concern when wireless networks are used to transmit information. For example, a malicious user can use a tool called a packet sniffer to determine the structure and content of data that's being transmitted over a wireless network, such as at an Internet cafe or an airport. This information can help the malicious user to decrypt the sensitive data or provide security information about the organization, such as which security protocols it uses. A security policy should define the procedures for when and how to encrypt communication of sensitive data. And the organization should provide and install the necessary software on the hardware used by the remote employee. A tool that's commonly used for encrypting communications is a Virtual Private Network, or VPN. As a remote employee, you should familiarize yourself with the requirements and procedures for encrypted communications set out in the organization's security policy documents. Part of the protection required by organizations is the need to identify and verify the identities of its remote employees. This prevents someone from pretending to be you with the intent of accessing sensitive data on your computer or on the organization's network. Identities are established and verified in a process called authentication. Your login credentials your user

name and password are an important component in authentication. A security policy should define the procedures for authenticating remote users. Remote users can be authenticated on their own computers but this often requires that the organization's IT department has to be familiar with all commercially available devices. There are a number of methods for authenticating users:

username and password software tokens or one-time passwords hardware tokens, and biometric devices

A username and password is the most common way of authenticating users whether they're in the office or on the road. However, you shouldn't use the same password that you use in the office to access data remotely. You should use passwords that aren't easy to guess, and you should change your password regularly. A software token is a password issued as and when the authorized person needs it. Often it's sent to the authorized person's cell phone using a pre-determined and confirmed phone number. This ensures that a malicious user can't find and use an old password to gain access to sensitive data. A hardware token is a password saved on a piece of hardware such as a USB thumb drive. A biometric scanning device, on the other hand, checks your identity using a physical characteristic such as your fingerprint, your facial features, your voice, or your retina.

Question
Why should remote employees not use their own equipment when dealing with sensitive corporate data? Options: 1. The hardware may not have been correctly configured to encrypt data stored on the hard disk 2. The hardware may not have been correctly configured for encrypting communications of sensitive data 3. Remote users cannot be authenticated when they use their own computers 4. The hardware may not have been correctly configured to perform at optimum speeds

Answer

Option 1: Correct. Incorrectly configured hardware can compromise sensitive data that appears to be encrypted. Option 2: Correct. Incorrectly configured hardware might not properly protect information as it is being transmitted. Option 3: Incorrect. Remote users can be authenticated on their own computers but this often requires overhead for an organization's IT department to be familiar with all commercially available devices. Option 4: Incorrect. The performance of the home computer does not expose an organization to risks associated with sensitive data. Correct answer(s): 1. The hardware may not have been correctly configured to encrypt data stored on the hard disk 2. The hardware may not have been correctly configured for encrypting communications of sensitive data

Question
How should a security policy deal with printed documents at a remote user's home? Options: 1. It should define storage and destruction requirements for printed documents 2. It should prevent any documents from being printed and stored at home 3. It should ensure that sensitive data is printed to create a business record

Answer
Option 1: Correct. The policy should inform remote employees about how to deal with paper documents in a secure manner. Option 2: Incorrect. The policy should set out the requirements for sensitive documents to be printed at home. Option 3: Incorrect. The policy should ensure that, if documents are printed, they are stored and destroyed securely. Correct answer(s): 1. It should define storage and destruction requirements for printed documents

Question

What's the definition of authentication? Options: 1. The process through which a user's identity is established and verified 2. The process through which sensitive documents are encrypted 3. The process through which the transmission of sensitive information is protected

Answer
Option 1: Correct. Authentication verifies that the remote user is an authorized employee. Option 2: Incorrect. File encryption is the process with which sensitive documents are protected while stored on hardware. Option 3: Incorrect. Communications encryption protects sensitive information as it is being transmitted to or from a remote user. Correct answer(s): 1. The process through which a user's identity is established and verified

Question
Suppose a security policy for remote employees defines requirements for what data to encrypt and how to securely transmit it. It also requires that remote users keep a hard token on a USB device to use as a password key to gain access to the organization's network. What factors has this security policy failed to consider? Options: 1. Whether remote employees are allowed to use their own personal equipment in the course and scope of their employment 2. Whether documents containing sensitive data can be printed and what storage requirements exist for them 3. Whether the remote employee is required to use a tool to encrypt communications of sensitive data 4. Whether the mobile device's entire hard disk should be protected or just a particular folder

Answer
Option 1: Correct. The policy should indicate whether personal equipment can be used.

Option 2: Correct. The policy should define the requirements for storing sensitive documents that have been printed, and the procedure for destroying old records. Option 3: Incorrect. The policy includes information on how to securely transmit data using encryption. Option 4: Incorrect. The policy includes information on what data needs to be encrypted when it is stored on remote employees' computers. Correct answer(s): 1. Whether remote employees are allowed to use their own personal equipment in the course and scope of their employment 2. Whether documents containing sensitive data can be printed and what storage requirements exist for them

Summary
Advances in technology have enabled employees to access the applications and data they require from locations outside of the office. This can expose an organization to security risks. A security policy for remote users should consider the use of employees' own computers. When an employee uses his or her own computer, the security precautions for an organization might not be properly deployed. A security policy should also define procedures for secure storage of sensitive data at home, such as encryption and secure storage of printed documents. It should also provide a procedure for secure transmission of sensitive information. Finally, security policies should deal with how the identities of remote users are verified. | Print | Contents | Close |

Securing Your Environment in the Office and Remotely

Learning Objectives
After completing this topic, you should be able to

recognize your role in maintaining information security in the workplace differentiate between workplace and remote user security policies

Exercise overview
In this exercise you are required to answer questions about securing your environment in the office and remotely.

This involves the following tasks:

maintaining information security in the workplace and differentiating between workplace and remote-user security policies

Maintaining information security

You work in an organization where the protection of information and organizational resources is of paramount importance.

Question
You discover that one of your colleagues is downloading files from a torrent site on his office computer. He asks you not to tell anybody. As he's new to the company, you reluctantly agree. Which security guideline have you compromised as an end-user in the organization's security plan? Options: 1. Adhering to the organization's policies and guidelines on downloadable content 2. Reporting a security incident 3. The CIA triad objectives

Answer
Option 1: Incorrect. Since you haven't been doing the downloading, you haven't contravened any organizational policy on downloading content. However, you may have contravened another guideline by not reporting the incident as you should have. Option 2: Correct. By not reporting the incident to a responsible person in your organization, you may have contributed to a serious security issue in your organization. It is your duty as an end-user to promote information security by reporting any incidents. Option 3: Incorrect. You haven't violated any of the CIA objectives as, to the best of your knowledge, the confidentiality, integrity, and availability of the company's information and its resources haven't been affected. Correct answer(s): 2. Reporting a security incident

Question

You want to ensure that data is verified as correct before it is sent to your manager to be reviewed. Identify the objective of the CIA triad that's concerned with data and system verification and validation. Options: 1. Confidentiality 2. Integrity 3. Availability

Answer
Option 1: Incorrect. The confidentiality objective is achieved by preventing unauthorized users from accessing private or sensitive data. One way to do this is to encrypt data files. Option 2: Correct. The integrity objective is achieved by ensuring that the data is accurate and has not been tampered with. You can also ensure system integrity by preventing unauthorized parties from manipulating systems. Option 3: Incorrect. The availability objective is achieved by ensuring that users have access to the desired information. The accuracy or lack thereof is not the main consideration for this objective. Correct answer(s): 2. Integrity

Using security policies

As an employee in an organization that deals with large amounts of sensitive and confidential information, you should be aware of, and follow, a number of information security policies.

Question
Match each security policy example to the description of its scope. Options: 1. Employees should lock all drawers so janitorial staff cannot access information 2. Employees should collect sensitive documents printed on a shared printer as soon as they print them 3. When employees travel, they should log in using only the supplied cell phone device 4. Employees at home must keep any printed business records in a locked cabinet

Targets: 1. Policy for securing work environments 2. Policy for remote users

Answer
A policy for securing information in your work environment can cover how documents are secured, and how access to information is both protected and restricted. A policy for remote users might cover use of privately owned devices and handling procedures for printed records. Correct answer(s): Target 1 = Option A, Option B Target 2 = Option C, Option D Ways of maintaining workplace security, and workplace and remote user security policies have been examined.