2015 Annual Security & Awareness Test

Approved & Edited by ProProfs Editorial Team
By Atigeo
Questions: 25 | Attempts: 106


Questions and Answers
  • 1. 

    Any comments for the scorer to take into account?

  • 2. 

    You receive work email on your phone, and you are getting ready to pay at a restaurant. You need to provide a promotion code that's on your phone. The waiter asks to take your phone to scan the information at his kiosk. Which action would keep your email safe? (choose all that apply)

    • A.

      Give the waiter your fully unlocked phone, so he can scan the information.

    • B.

      Ask the waiter to write down the human readable promotion code from your phone instead of scanning.

    • C.

      Ask the waiter to bring the scanner to you, keeping control of your phone.

    • D.

      You have separated access of the promotion code app from all parts of your phone that you don't want to be accessed. You give the waiter your phone with access to the promotion code app opened.

    • E.

      You have your work email automatically forwarded to your personal email account, so it's okay to give the phone to the waiter.

    Correct Answer(s)
    B. Ask the waiter to write down the human readable promotion code from your phone instead of scanning.
    C. Ask the waiter to bring the scanner to you, keeping control of your phone.
    D. You have separated access of the promotion code app from all parts of your phone that you don't want to be accessed. You give the waiter your phone with access to the promotion code app opened.
    Explanation
    To keep your email safe, you should ask the waiter to write down the human readable promotion code from your phone instead of scanning. This way, you maintain control of your phone and prevent any unauthorized access to your email. Additionally, you can ask the waiter to bring the scanner to you, allowing you to keep control of your phone throughout the process. Alternatively, if you have separated access to the promotion code app from other parts of your phone, you can give the waiter your phone with only the app opened, ensuring that your email and other sensitive information remains protected.

  • 3. 

    Someone outside the office says "Hi, I'm a new employee starting today.  Can you let me in since I don't have an access card yet?"  What action should you take?  (choose all that apply)

    • A.

      You let the person in, and point them in the direction of where their group sits.

    • B.

      You escort them to the receptionist.  If the receptionist isn't there, tell them to have a seat and you find someone to help them.

    • C.

      You let the person in, and let office manager know that the person needs an access card.

    • D.

      You don't let the person in, and tell them to wait outside the door for someone to come get them.

    Correct Answer(s)
    B. You escort them to the receptionist.  If the receptionist isn't there, tell them to have a seat and you find someone to help them.
    D. You don't let the person in, and tell them to wait outside the door for someone to come get them.
    Explanation
    The correct answers are to escort the person to the receptionist (and, if the receptionist isn't there, to have them take a seat while you find someone to help them), or not to let them in at all and have them wait outside the door for someone to come and get them. A new employee without an access card still needs to be checked in and assisted; the receptionist is responsible for welcoming and assisting visitors, so directing the person there ensures they receive the necessary support. If the receptionist is unavailable, asking the person to wait while you find someone else to help them ensures their needs are addressed promptly without leaving them to move through the office on their own.

  • 4. 

    You want to host an event in the office. It includes people that you don't know. What action should you take?

    • A.

      Contact the Office Manager to coordinate the event.

    • B.

      Make arrangements on your own. Don't let guests bring mobile phones since they have cameras.

    • C.

      Make arrangements on your own. Let people into the office.

    • D.

      Make arrangements on your own. Let people in the office, but keep a close watch on them.

    Correct Answer
    A. Contact the Office Manager to coordinate the event.
    Explanation
    When hosting an event in the office that includes people you don't know, it is best to contact the Office Manager to coordinate the event. The Office Manager will have the necessary knowledge and resources to ensure the event runs smoothly and safely. They can handle tasks such as organizing the space, managing security measures, and communicating with the attendees. This will help maintain a professional and controlled environment, ensuring the event is successful and all participants feel comfortable and secure.

  • 5. 

    Visitors have arrived, but it's after business hours or you can't find the receptionist. In these special cases, visitors don't need to write their names in the log.

    • A.

      True

    • B.

      False

    Correct Answer
    B. False
    Explanation
    The statement claims that when visitors arrive after business hours, or when the receptionist can't be found, they may skip signing the visitor log. The correct answer is False: visitors still need to write their names in the log in these cases. The absence of the receptionist or the time of day does not remove the requirement to record who has entered the office.

  • 6. 

    You need to access a system immediately to complete your work, but have not received approval, credentials, or other access set up yet. What action should you take?  (choose all that apply)

    • A.

      You wait for approval and for credentials to be provided.

    • B.

      Your supervisor gives you their credentials to access the system, and you use them to do your work.

    • C.

      You borrow a co-worker's credentials with their agreement. This ensures that you both have backup credentials, just in case of an emergency.

    • D.

      You let your supervisor know that you are delayed because you don't have system access.

    • E.

      You find a way to access the system without credentials. Since this increases productivity, you don't tell anyone about this easy way into the system.

    Correct Answer(s)
    A. You wait for approval and for credentials to be provided.
    D. You let your supervisor know that you are delayed because you don't have system access.
    Explanation
    The correct answer is to wait for approval and credentials to be provided because it is important to follow the proper protocols and obtain the necessary permissions before accessing a system. This ensures that you are authorized to use the system and protects the security and integrity of the system and its data. Additionally, letting your supervisor know about the delay shows transparency and accountability in your work.

  • 7. 

    You had your password reset, and were provided a temporary password. You were told to change it immediately. What do you do? 

    • A.

      You type the temporary password and immediately change the temporary password to meet password standards.

    • B.

      You write down the temporary password and continue to use it. No one will know.

    • C.

      You write down the password and post it for anyone that might need access to your computer.

    • D.

      You type the temporary password in the system and change it to the password you used last month.

    Correct Answer
    A. You type the temporary password and immediately change the temporary password to meet password standards.
    Explanation
    The correct answer is to type the temporary password and immediately change it to meet password standards. This is the recommended action because using a temporary password for an extended period of time can pose a security risk. Changing the password immediately ensures that the account is protected with a strong and unique password that meets the required standards.

  • 8. 

    You notice an unattended and unlocked work device. What do you do? (choose all that apply)

    • A.

      You play it off as insignificant and ignore the situation.

    • B.

      You have someone run an audit trail report to determine if any information was inappropriately accessed.

    • C.

      You get the owner of the device, and chastise them in front of their peers so everyone can see you take the incident seriously.

    • D.

      You don't know how to lock the device, and you can't leave the device unattended.  You have someone find the owner, so the device can be locked.

    • E.

      You're familiar with the device, and you lock the device immediately.

    Correct Answer(s)
    B. You have someone run an audit trail report to determine if any information was inappropriately accessed.
    D. You don't know how to lock the device, and you can't leave the device unattended.  You have someone find the owner, so the device can be locked.
    E. You're familiar with the device, and you lock the device immediately.
    Explanation
    If you notice an unattended and unlocked work device, the correct course of action is to have someone run an audit trail report to determine if any information was inappropriately accessed. This helps to ensure that any potential security breaches are identified and addressed. Additionally, if you don't know how to lock the device and can't leave it unattended, it is important to have someone find the owner so that the device can be locked. If you are familiar with the device, it is also appropriate to lock it immediately to prevent any unauthorized access.

  • 9. 

    You're upgrading to a new version of open source software, and the change will be better all around. Since the change makes things better and even fixes some of the bugs in a product, you can bypass the change request process.

    • A.

      True

    • B.

      False

    Correct Answer
    B. False
    Explanation
    The statement suggests that because the change will make things better and fix some bugs, one can bypass the change request process. However, this is not true. Even if the change is beneficial, it is still important to follow the change request process to ensure proper documentation, evaluation, and approval of the changes being made. Bypassing the process can lead to potential issues or conflicts in the future.

  • 10. 

    Only supervisors are responsible for knowing security incident or security breach response procedures.

    • A.

      True

    • B.

      False

    Correct Answer
    B. False
    Explanation
    This statement is false because it is not only supervisors who are responsible for knowing security incident or security breach response procedures. In any organization, all employees, regardless of their position or level of authority, should be familiar with these procedures. This ensures that everyone is prepared to respond appropriately in the event of a security incident or breach, promoting a culture of security and minimizing potential risks.

  • 11. 

    You have an unscheduled change that has to be implemented for a customer tonight. It's already past the customer's normal operating hours for the application, so you don't need to notify them.

    • A.

      True

    • B.

      False

    Correct Answer
    B. False
    Explanation
    The statement is false because even though it is past the customer's normal operating hours for the application, it is still necessary to notify them about the unscheduled change that will be implemented tonight. Keeping the customer informed about any changes or updates is important for maintaining a good relationship and ensuring their satisfaction.

  • 12. 

    You find confidential data that is not encrypted for storage. What action do you take? (choose all that apply)

    • A.

      You find out how to encrypt the data, or ensure someone will encrypt the data.

    • B.

      You notify your supervisor or a security champion that you had discovered unencrypted confidential data.

    • C.

      You copy the data to another location that is encrypted, and leave the original data untouched.

    • D.

      You re-classify the data as public.

    Correct Answer(s)
    A. You find out how to encrypt the data, or ensure someone will encrypt the data.
    B. You notify your supervisor or a security champion that you had discovered unencrypted confidential data.
    Explanation
    The given correct answers are to find out how to encrypt the data or ensure someone will encrypt it, and to notify your supervisor or a security champion about the discovery of unencrypted confidential data. Encrypting the data will help protect it from unauthorized access and ensure its confidentiality. Notifying a supervisor or security champion is important to report the issue and take appropriate actions to secure the data. The other options of copying the data to an encrypted location or reclassifying the data as public do not address the issue of data security and confidentiality.

  • 13. 

    From the list below, identify which items are considered PHI.

    • A.

      Name: Stuart Holmes

    • B.

      Occupation: Retired

    • C.

      Age: 94

    • D.

      Discharge Date: March 6, 2015

    • E.

      Born: May 9, 1920

    • F.

      Patient ID: 65446571

    • G.

      Lives at: 123 belle Ln Apt 2 Fairyland, WA

    • H.

      Marital Status: Married

    • I.

      Zipcode: 981 (Seattle, WA zip with population > 20,000)

    • J.

      Check Number (Not account number): 4838

    Correct Answer(s)
    A. Name: Stuart Holmes
    C. Age: 94
    D. Discharge Date: March 6, 2015
    E. Born: May 9, 1920
    F. Patient ID: 65446571
    G. Lives at: 123 belle Ln Apt 2 Fairyland, WA
    Explanation
    The items considered PHI (Protected Health Information) in this list are Name: Stuart Holmes, Age: 94, Discharge Date: March 6, 2015, Born: May 9, 1920, Patient ID: 65446571, and Lives at: 123 belle Ln Apt 2 Fairyland, WA. These items contain personal information related to the individual's health and can be used to identify the person.

  • 14. 

    You receive an email with PHI. What action do you take? (choose all that apply)

    • A.

      Do nothing

    • B.

      Contact Security Operations or your manager to find out what to do.

    • C.

      Forward the email to others, asking what you should do.

    • D.

      Delete the data, and don't tell anyone else.

    • E.

      Work with Security Operations or the project owner to ensure the incident is recorded, and the email is properly removed from our systems.

    Correct Answer(s)
    B. Contact Security Operations or your manager to find out what to do.
    E. Work with Security Operations or the project owner to ensure the incident is recorded, and the email is properly removed from our systems.
    Explanation
    If you receive an email with PHI (Protected Health Information), the correct actions to take are to contact Security Operations or your manager to find out what to do and to work with Security Operations or the project owner to ensure the incident is recorded and the email is properly removed from the systems. This is because PHI is sensitive information that needs to be handled carefully and in accordance with security protocols. It is important to seek guidance from the appropriate authorities and take necessary steps to protect the privacy and security of the PHI.

  • 15. 

    You and others on your team see some data that may be PHI or PII. None of you are sure if you should see or use the data. What action do you take? (choose all that apply)

    • A.

      Do nothing. Let someone else on the team figure it out.

    • B.

      Check with the project owner to see if the data is part of the project.

    • C.

      Ensure the data is encrypted at-rest and in-transit.

    • D.

      Delete the data, and don't tell anyone else.

    • E.

      Check with the project owner to find out whether the data is PHI or PII.

    Correct Answer(s)
    B. Check with the project owner to see if the data is part of the project.
    C. Ensure the data is encrypted at-rest and in-transit.
    E. Check with the project owner to find out whether the data is PHI or PII.
    Explanation
    The correct answer is to check with the project owner to see if the data is part of the project, ensure the data is encrypted at-rest and in-transit, and check with the project owner to find out whether the data is PHI or PII. These actions prioritize communication and clarification with the project owner to determine the appropriate course of action regarding the data. Additionally, ensuring that the data is encrypted both at-rest and in-transit helps to protect its confidentiality and integrity.

  • 16. 

    A server or hard drive with PHI isn't needed anymore. It can be retired or used for a low priority situation. (choose all that apply)

    • A.

      Take it to a recycling center, as-is. The recycling center will take care of it.

    • B.

      Leave it on the shelf in case someone needs an old server.

    • C.

      Delete the files, then recycle the hard drives in a bin that accepts metal.

    • D.

      Install a new OS, and it should wipe the hard drive. Then, it's ready to use.

    • E.

      Work with Security Operations to figure out next steps.

    Correct Answer
    E. Work with Security Operations to figure out next steps.
    Explanation
    Working with Security Operations is the correct answer because when dealing with a server or hard drive that contains PHI (Protected Health Information), it is important to follow proper protocols for data security and privacy. Security Operations can provide guidance on the appropriate steps to take, such as securely wiping the data, ensuring compliance with regulations, and determining the best course of action for retiring or repurposing the server or hard drive.

  • 17. 

    A customer asks for a report that contains patient information on it. The customer is okay with ePHI or paper format. What should you do?  (choose all that apply)

    • A.

      Reassure the customer that you're on it. Email the report right away before you forget. The customer is a top priority.

    • B.

      Determine if he has access to encrypted email and if not, request IT to set up an SFTP or other secured communication protocol to transfer the report.

    • C.

      Do not tell anyone, but go ahead and fax the report. Chances are slim anything will happen.

    • D.

      Encrypt the report and email the report to the customer. Provide the decryption key through a separate secured method such as SMS, Skype, or an email with a different subject and the key hidden in the body of the email.

    • E.

      You print the report with standard confidentiality cover sheet, and store it securely until your meeting with the customer tomorrow.

    Correct Answer(s)
    B. Determine if he has access to encrypted email and if not, request IT to set up an SFTP or other secured communication protocol to transfer the report.
    E. You print the report with standard confidentiality cover sheet, and store it securely until your meeting with the customer tomorrow.
    Explanation
    The correct answers are to determine if the customer has access to encrypted email and if not, request IT to set up a secure communication protocol, and to print the report with a confidentiality cover sheet and store it securely until the meeting with the customer tomorrow. These options prioritize the security and confidentiality of patient information, ensuring that it is transferred and stored in a secure manner.

  • 18. 

    Can I have PHI on my laptop or desktop? I'll have the data stored on an encrypted drive.

    • A.

      Though local machines are secured with passwords and drive encrypted, the policy is to never store PHI on them.

    • B.

      PHI can be on a laptop or desktop, even unencrypted, as long as the computer stays in the office.

    • C.

      The laptop is covered under our office insurance policy, so it's okay as long as I'm careful with it.

    Correct Answer
    A. Though local machines are secured with passwords and drive encrypted, the policy is to never store PHI on them.
    Explanation
    The correct answer is that the policy is to never store PHI on local machines, even if they are secured with passwords and drive encryption. This is because local machines are still vulnerable to physical theft, malware attacks, and other security breaches. Storing PHI on encrypted drives may provide an additional layer of protection, but it is still not recommended according to the policy. It is important to follow the policy and ensure that PHI is stored on secure servers or other approved platforms to minimize the risk of unauthorized access or data breaches.

  • 19. 

    Your laptop was stolen out of your car, and you don't think it was encrypted. You had temporarily decided to put PHI on the laptop to do some work at home. What do you do? (choose all that apply)

    • A.

      Report the issue to security operations, and work with them to provide the information needed to have the situation properly assessed.

    • B.

      Review internal procedures and training on handling of mobile devices.

    • C.

      Work with HR and Finance to be compensated for the damage to your car caused by the thieves.

    • D.

      Report the laptop stolen, but don't mention the PHI. That is SecOps' and IT's job to figure out what they need to do.

    • E.

      This will be classified as a data breach and the HITECH Breach Notification Rule will need to be followed. In addition to penalties, notifications would include: patients, media outlets, and the HHS Secretary.

    Correct Answer(s)
    A. Report the issue to security operations, and work with them to provide the information needed to have the situation properly assessed.
    B. Review internal procedures and training on handling of mobile devices.
    E. This will be classified as a data breach and the HITECH Breach Notification Rule will need to be followed. In addition to penalties, notifications would include: patients, media outlets, and the HHS Secretary.
    Explanation
    In this scenario, the correct answers are to report the issue to security operations and work with them to assess the situation, review internal procedures and training on handling mobile devices, and follow the HITECH Breach Notification Rule. By reporting the issue to security operations, they can take appropriate action to address the theft and potential data breach. Reviewing internal procedures and training can help prevent similar incidents in the future. Following the HITECH Breach Notification Rule is necessary to comply with regulations and ensure that affected parties are notified of the breach.

  • 20. 

    You have a new feature or application, and just need a few patient records to demo it.

    • A.

      You get a few records from a current customer's project to use.

    • B.

      You get a few records from a past customer's project to use.

    • C.

      You create random/fictitious test data to use.

    • D.

      You ask your peers for their records.

    • E.

      You know everything is perfect, and will bypass testing, and just release to production.

    Correct Answer
    C. You create random/fictitious test data to use.
    Explanation
    Creating random/fictitious test data is the best option in this scenario because it allows you to showcase the new feature or application without compromising the privacy or confidentiality of any real patient records. Using records from a current or past customer's project may violate data protection regulations and could potentially expose sensitive information. Asking peers for their records may also lead to privacy concerns. Bypassing testing and releasing directly to production is not recommended as it can lead to unforeseen issues and bugs. Therefore, creating random/fictitious test data ensures a safe and reliable demonstration of the new feature or application.

  • 21. 

    Your computer is at your desk, and you need to walk away from your computer for a few minutes. It's okay to leave your computer unlocked.

    • A.

      True

    • B.

      False

    Correct Answer
    B. False
    Explanation
    Leaving the computer unlocked while walking away from the desk is not okay because it poses a security risk. Unlocked computers can be accessed by unauthorized individuals who may tamper with or steal sensitive information. It is important to lock the computer or log out before leaving to ensure the security and privacy of the data on the device.

  • 22. 

    You accidentally left your building access card in a backpack that you loaned to a friend over the weekend.  You get your backpack back and find the building access card.  What do you do? (choose all that apply)

    • A.

      Do nothing because you trust your friend.

    • B.

      Report it to the Office Manager when you happen to see them next.

    • C.

      Your friend doesn't know where your office is, but you still report it to the Office Manager immediately.

    • D.

      Your access card doesn't have any identifiers on it, so don't mention it to anyone. And, if you're in an office that requires the card and a PIN, that's extra security, so you really don't have to report it.

    Correct Answer
    C. Your friend doesn't know where your office is, but you still report it to the Office Manager immediately.
    Explanation
    The correct answer is to report it to the Office Manager immediately. Although you trust your friend and they don't know where your office is, it is still important to inform the Office Manager about the situation. This ensures that they are aware of the potential security breach and can take appropriate measures to protect the building and its occupants. It is better to err on the side of caution and prioritize the security of the building.

  • 23. 

    A customer needs us to receive PHI to develop a custom solution.  What do you do?

    • A.

      Ensure there's a BAA.

    • B.

      Review requirements in the BAA.

    • C.

      Bypass getting a BAA because the solution needs to be done fast.

    • D.

      Take the customer's data right away because you know the BAA is coming soon.

    • E.

      The BAA requirements are going to cause the due date for the solution to be missed, so you skip some of the requirements.

    Correct Answer(s)
    A. Ensure there's a BAA.
    B. Review requirements in the BAA.
    Explanation
    The correct answer is to ensure there's a BAA and to review the requirements in the BAA. This is because PHI (Protected Health Information) is subject to strict regulations under HIPAA (Health Insurance Portability and Accountability Act), and it is essential to have a Business Associate Agreement (BAA) in place before receiving PHI. The BAA outlines the responsibilities and obligations of both parties regarding the handling and protection of PHI. Reviewing the requirements in the BAA ensures compliance with HIPAA regulations and helps to ensure the security and privacy of the customer's data.

  • 24. 

    You need to bring up an environment for PHI in AWS.  What will you ensure is done?

    • A.

      Only use dedicated instances.

    • B.

      Only use encrypted disks, ensuring root level encryption or that processes ensure there is no PHI at root level.

    • C.

      Make sure all data is encrypted at-rest.

    • D.

      You skip encryption in-transit because it's not an absolute requirement.

    Correct Answer(s)
    A. Only use dedicated instances.
    B. Only use encrypted disks, ensuring root level encryption or that processes ensure there is no PHI at root level.
    C. Make sure all data is encrypted at-rest.
    Explanation
    The correct answer is to ensure that only dedicated instances are used, encrypted disks are used with root level encryption or processes that ensure no PHI at root level, and all data is encrypted at-rest. This is because PHI (Protected Health Information) needs to be handled securely in accordance with privacy regulations. Using dedicated instances ensures that the resources are not shared with other customers, reducing the risk of unauthorized access. Encrypting disks with root level encryption or ensuring processes prevent PHI at root level adds an extra layer of protection. Encrypting data at-rest ensures that even if the storage is compromised, the data remains protected. Encryption in-transit is not an absolute requirement, but it is still recommended for comprehensive security.

  • 25. 

    If the customer has not provided any requirements or specifications for a secured environment in the BAA, you don't have to worry about encrypting at-rest or in-transit.

    • A.

      True

    • B.

      False

    Correct Answer
    B. False
    Explanation
    If the customer has not provided any requirements or specifications for a secured environment in the BAA, it does not mean that you don't have to worry about encrypting at-rest or in-transit. It is always important to prioritize the security of sensitive data, regardless of whether specific requirements are provided or not. Encrypting data at-rest and in-transit helps protect it from unauthorized access and ensures compliance with data protection regulations. Therefore, the statement is false.
