2019 Security Awareness Training Assessment

1. What is a phishing email?

An email with an embedded virus

An email that informs the sender when you have read it

An email attempting to trick you into sending the sender your confidential information

An email about jam bands

A phishing email is an email that is designed to deceive and trick the recipient into revealing their confidential information, such as passwords, credit card numbers, or social security numbers. The sender of the email pretends to be a trustworthy entity, such as a bank or a reputable company, in order to gain the recipient's trust and convince them to provide their sensitive information. This type of email is a common method used by cybercriminals to carry out identity theft and financial fraud.

Explanation

A phishing email is an email that is designed to deceive and trick the recipient into revealing their confidential information, such as passwords, credit card numbers, or social security numbers. The sender of the email pretends to be a trustworthy entity, such as a bank or a reputable company, in order to gain the recipient's trust and convince them to provide their sensitive information. This type of email is a common method used by cybercriminals to carry out identity theft and financial fraud.

2. What is an insider threat?

A virus residing on a Credly employee’s laptop

A malicious threat to an organization that comes from people within the organization, such as employees, former employees, contractors or business associates, who have inside information concerning the organization's security practices, data and computer systems

A bug in the Credly source code that creates a security vulnerability that a hacker can exploit

A phishing email sent to a Credly employee

The correct answer is the definition of an insider threat, which refers to a malicious threat that originates from individuals within an organization. These individuals, including employees, former employees, contractors, or business associates, possess insider knowledge about the organization's security practices, data, and computer systems. This type of threat can pose a significant risk to the organization's security and can lead to unauthorized access, data breaches, or other malicious activities.

Explanation

The correct answer is the definition of an insider threat, which refers to a malicious threat that originates from individuals within an organization. These individuals, including employees, former employees, contractors, or business associates, possess insider knowledge about the organization's security practices, data, and computer systems. This type of threat can pose a significant risk to the organization's security and can lead to unauthorized access, data breaches, or other malicious activities.

3. What is the most important aspect of a Company's security program?

The Security Officer

The General Counsel

The company’s firewall software

The company’s employees

The most important aspect of a company's security program is the company's employees. This is because employees are often the weakest link in a company's security system. They have access to sensitive information and systems, and can inadvertently or intentionally compromise security. Therefore, it is crucial for companies to educate and train their employees on security best practices, enforce strong password policies, and implement measures such as multi-factor authentication to ensure the security of their systems and data.

Explanation

The most important aspect of a company's security program is the company's employees. This is because employees are often the weakest link in a company's security system. They have access to sensitive information and systems, and can inadvertently or intentionally compromise security. Therefore, it is crucial for companies to educate and train their employees on security best practices, enforce strong password policies, and implement measures such as multi-factor authentication to ensure the security of their systems and data.

4. What is NOT a purpose of an Information Security Program

Confidentiality

Integrity

Chiasmus

Availability

not-available-via-ai

Explanation

not-available-via-ai

5. Which of the following is an acceptable password?

Credly1234

RamtinTaheri3

Fr33d0m89?

PY3%

The password "Fr33d0m89?" is an acceptable password because it meets the criteria for a strong password. It includes a combination of uppercase and lowercase letters, numbers, and special characters. The use of numbers and special characters adds complexity to the password, making it harder for hackers to guess or crack. Additionally, the password is at least 8 characters long, which is generally considered a minimum requirement for a secure password.

Explanation

The password "Fr33d0m89?" is an acceptable password because it meets the criteria for a strong password. It includes a combination of uppercase and lowercase letters, numbers, and special characters. The use of numbers and special characters adds complexity to the password, making it harder for hackers to guess or crack. Additionally, the password is at least 8 characters long, which is generally considered a minimum requirement for a secure password.

6. Which of the following security practices requires all Credly employees to take a screenshot when completed?

Locking your screen when stepping away from the computer

Deleting confidential information

Receiving phishing emails

Installing antivirus software

not-available-via-ai

Explanation

not-available-via-ai

7. What is the first thing you should do when receiving a phishing email to your Credly email address?

Contact the Federal Bureau of Investigation

Respond to the email to see what is going on

Forward the email to the Security Council

Ignore the email

When receiving a phishing email to your Credly email address, the first thing you should do is forward the email to the Security Council. This is because the Security Council is responsible for handling security-related issues, including phishing attempts. By forwarding the email to them, you are alerting the appropriate team who can investigate and take necessary actions to mitigate the threat.

Explanation

When receiving a phishing email to your Credly email address, the first thing you should do is forward the email to the Security Council. This is because the Security Council is responsible for handling security-related issues, including phishing attempts. By forwarding the email to them, you are alerting the appropriate team who can investigate and take necessary actions to mitigate the threat.

8. Which of the following statements about a password is TRUE?

It must be changed only when compromised

It cannot contain special character symbols.

It must be changed on a quarterly basis.

It must be registered with a system administrator.

A password must be changed on a quarterly basis to ensure security. Regularly changing passwords helps to prevent unauthorized access to accounts or systems. By changing passwords every three months, it reduces the risk of passwords being compromised and provides an additional layer of protection.

Explanation

A password must be changed on a quarterly basis to ensure security. Regularly changing passwords helps to prevent unauthorized access to accounts or systems. By changing passwords every three months, it reduces the risk of passwords being compromised and provides an additional layer of protection.

9. Which of the following constitutes confidential information? Select all that apply

Documents or other information that are marked confidential

Documents or other information that you reasonably believe to be confidential

Credly’s social media postings

Documents or other information that you are told are confidential

The correct answer is that confidential information includes documents or other information that are marked confidential, documents or other information that you reasonably believe to be confidential, and documents or other information that you are told are confidential. This means that any information or documents that are explicitly labeled as confidential, any information or documents that you have a reasonable belief are confidential, and any information or documents that someone explicitly tells you are confidential are considered confidential information.

Explanation

The correct answer is that confidential information includes documents or other information that are marked confidential, documents or other information that you reasonably believe to be confidential, and documents or other information that you are told are confidential. This means that any information or documents that are explicitly labeled as confidential, any information or documents that you have a reasonable belief are confidential, and any information or documents that someone explicitly tells you are confidential are considered confidential information.

Submit

10. Which of the following security laws do NOT apply to Credly?

Health Insurance Portability and Accountability Act (HIPPA)

Family Educational Rights and Privacy Act (FERPA)

Children's Online Privacy Protection Act (COPPA)

The European Union General Data Protection Regulation (GDPR)

The Health Insurance Portability and Accountability Act (HIPPA) does not apply to Credly. HIPPA is a US law that ensures the privacy and security of health information. However, Credly is a digital credentialing platform and does not deal with health information. Therefore, HIPPA does not apply to Credly.

Explanation

The Health Insurance Portability and Accountability Act (HIPPA) does not apply to Credly. HIPPA is a US law that ensures the privacy and security of health information. However, Credly is a digital credentialing platform and does not deal with health information. Therefore, HIPPA does not apply to Credly.

11. Which of the following is true about sensitive information?

No Credly employee should ever see sensitive information

Credly employees must follow the “minimum necessary” rule for disclosing sensitive information

Sensitive information does not include earner personal information

Sensitive information only includes data that is regulated by the GDPR

Credly employees must follow the "minimum necessary" rule for disclosing sensitive information means that employees should only access and disclose sensitive information when it is necessary for their job responsibilities. This ensures that sensitive information is protected and only accessed by authorized individuals who need it to perform their duties.

Explanation

Credly employees must follow the "minimum necessary" rule for disclosing sensitive information means that employees should only access and disclose sensitive information when it is necessary for their job responsibilities. This ensures that sensitive information is protected and only accessed by authorized individuals who need it to perform their duties.

12. Who manages the Credly security program?

The Development Team

The Legal Department

The Security Council

The Customer Success Team

The Security Council manages the Credly security program.

Explanation

The Security Council manages the Credly security program.

13. What are appropriate networks you can use when doing Credly work? (Select all that apply)

Your secure home WiFi

Public WiFi

The WeWork WiFi

Your friend’s WiFi network

Appropriate networks that can be used when doing Credly work include your secure home WiFi and The WeWork WiFi. These networks are considered suitable because they are secure and provide a stable internet connection, ensuring the safety and reliability of the work being done on Credly. Public WiFi and your friend's WiFi network may not be as secure or stable, making them less appropriate for Credly work.

Explanation

Appropriate networks that can be used when doing Credly work include your secure home WiFi and The WeWork WiFi. These networks are considered suitable because they are secure and provide a stable internet connection, ensuring the safety and reliability of the work being done on Credly. Public WiFi and your friend's WiFi network may not be as secure or stable, making them less appropriate for Credly work.

Submit

14. What is piggybacking?

Using another Credly employees username or login

Hacking the Credly production server and stealing earner information

Forgetting to unlock your laptop when walking away from your screen

Following a Credly employee into a restricted area after they have already used their badge to gain access

not-available-via-ai

Explanation

not-available-via-ai

15. What are the Credly Information Classification categories?

Public Information, Intellectual Property, Confidential Information

Confidential Information, Sensitive Information, Public Information

Confidential Information, Proprietary Information, Legal Documents

Customer Information, Source Code, Business Documents

The Credly Information Classification categories include Confidential Information, Sensitive Information, and Public Information. These categories help classify and protect different types of information based on their level of sensitivity and importance. Confidential Information refers to data that should only be accessed by authorized individuals, while Sensitive Information includes data that requires special handling and protection. Public Information is data that can be freely accessed and shared by anyone.

Explanation

The Credly Information Classification categories include Confidential Information, Sensitive Information, and Public Information. These categories help classify and protect different types of information based on their level of sensitivity and importance. Confidential Information refers to data that should only be accessed by authorized individuals, while Sensitive Information includes data that requires special handling and protection. Public Information is data that can be freely accessed and shared by anyone.

16. What policy governs emergencies at Credly?

Acceptable Use Policy

Business Continuity Plan

Access Control Policy

Risk Assessment Plan

The Business Continuity Plan governs emergencies at Credly. This plan outlines the procedures and protocols to be followed in the event of an emergency or disruption to normal business operations. It ensures that essential functions and services can continue to operate during and after an emergency, minimizing the impact on the organization. The Business Continuity Plan includes strategies for disaster recovery, communication, resource allocation, and coordination of response efforts.

Explanation

The Business Continuity Plan governs emergencies at Credly. This plan outlines the procedures and protocols to be followed in the event of an emergency or disruption to normal business operations. It ensures that essential functions and services can continue to operate during and after an emergency, minimizing the impact on the organization. The Business Continuity Plan includes strategies for disaster recovery, communication, resource allocation, and coordination of response efforts.

17. What policy governs workspace security?

Access Control Policy

Acceptable Use Policy

Business Continuity Plan

Clean Desk Policy

The Clean Desk Policy is a policy that governs workspace security by requiring employees to keep their work areas clean and free of sensitive or confidential information. This policy helps prevent unauthorized access to sensitive data and reduces the risk of information theft or loss. By implementing the Clean Desk Policy, organizations can ensure that employees properly secure and protect sensitive information when they are not at their desks, promoting a culture of security awareness and accountability.

Explanation

The Clean Desk Policy is a policy that governs workspace security by requiring employees to keep their work areas clean and free of sensitive or confidential information. This policy helps prevent unauthorized access to sensitive data and reduces the risk of information theft or loss. By implementing the Clean Desk Policy, organizations can ensure that employees properly secure and protect sensitive information when they are not at their desks, promoting a culture of security awareness and accountability.

18. What is the greatest security threat to Credly?

An accident triggered by a non-malicious workforce member

A failure of the AWS security apparatus

Hackers from overseas

Insider threats

An accident triggered by a non-malicious workforce member can be the greatest security threat to Credly because it is difficult to anticipate and prevent such incidents. While hackers from overseas and insider threats can pose significant risks, they are often intentional and can be detected and mitigated with proper security measures. On the other hand, accidents caused by non-malicious employees can lead to unintentional data breaches or system failures, potentially causing significant damage to Credly's security and operations. It is important for organizations to have robust training and protocols in place to minimize the risk of accidents caused by employees.

Explanation

An accident triggered by a non-malicious workforce member can be the greatest security threat to Credly because it is difficult to anticipate and prevent such incidents. While hackers from overseas and insider threats can pose significant risks, they are often intentional and can be detected and mitigated with proper security measures. On the other hand, accidents caused by non-malicious employees can lead to unintentional data breaches or system failures, potentially causing significant damage to Credly's security and operations. It is important for organizations to have robust training and protocols in place to minimize the risk of accidents caused by employees.

19. What is an example of information that is sensitive but NOT confidential?

A Credly employee’s birthday

A press release that has been authorized for release by the VP of marketing

Contract terms

Badges that have been shared by Earners on social media websites

Badges that have been shared by Earners on social media websites can be considered sensitive information because they may reveal someone's skills, achievements, or affiliations. However, they are not confidential because they have been willingly shared by the Earners on public platforms.

Explanation

Badges that have been shared by Earners on social media websites can be considered sensitive information because they may reveal someone's skills, achievements, or affiliations. However, they are not confidential because they have been willingly shared by the Earners on public platforms.

20. Where should Earner Information be stored?

Google Drive

Amazon Web Services production server

Your personal laptop

A and B

A, B, and C

Earner Information should be stored on the Amazon Web Services (AWS) production server. This is because AWS provides a secure and reliable platform for storing and managing sensitive data. Storing the information on a personal laptop or Google Drive may not provide the same level of security and accessibility as an AWS production server. Additionally, using both AWS and a personal laptop (option C) or using all three options (option D) would not be necessary if the AWS production server is already available.

Explanation

Earner Information should be stored on the Amazon Web Services (AWS) production server. This is because AWS provides a secure and reliable platform for storing and managing sensitive data. Storing the information on a personal laptop or Google Drive may not provide the same level of security and accessibility as an AWS production server. Additionally, using both AWS and a personal laptop (option C) or using all three options (option D) would not be necessary if the AWS production server is already available.