Security & Compliance Quiz - 2015

1. Jennifer and Cindy are both from the Finance Department and both belong to the "ConfidentialAccts" Email Distribution List. Jennifer accidentally shares a file on Google Drive with the "ConfidentialAccts" Distribution List. The file contained billing details of the clients Jennifer exclusively works with. Realizing what happened, what should Cindy do?

Ignore the shared file. She has the same security clearance level so no harm was done.

Try to remove the share. Jennifer doesn’t need to be bothered with a simple mistake like this.

Ask Jennifer to remove the share. Let her revisit how and with whom the file should be shared.

Ask Jennifer to remove the share and report the incident to [email protected].

Cindy should ask Jennifer to remove the share and report the incident to [email protected]. Even though they both have the same security clearance level, the file contained confidential information that should not have been shared with the entire distribution list. It is important to take immediate action to rectify the mistake and report it to the appropriate authorities to ensure that the incident is properly addressed and any potential security risks are mitigated.

Explanation

Cindy should ask Jennifer to remove the share and report the incident to [email protected]. Even though they both have the same security clearance level, the file contained confidential information that should not have been shared with the entire distribution list. It is important to take immediate action to rectify the mistake and report it to the appropriate authorities to ensure that the incident is properly addressed and any potential security risks are mitigated.

2. Not all client information should be secured. Only data classified as protected information should be secured.

True

False

This statement is incorrect. In order to maintain the privacy and security of client information, all client information should be secured, not just the data classified as protected information. Failure to secure any client information could result in breaches of privacy and potential legal consequences. Therefore, the correct answer is False.

Explanation

This statement is incorrect. In order to maintain the privacy and security of client information, all client information should be secured, not just the data classified as protected information. Failure to secure any client information could result in breaches of privacy and potential legal consequences. Therefore, the correct answer is False.

3. You are working on data for your customer that is not covered in the list of Protected Information, can you share that with others?

Yes, it is not considered Protected Information so I'm safe.

No, because Cloud Sherpas considers ALL customer data to be confidential

Yes, as long as I don't copy-and-paste, print screen, or print the data

No, because I need to first submit a form to Security & Compliance about sharing information

The correct answer is "No, because Cloud Sherpas considers ALL customer data to be confidential." This means that regardless of whether the data is listed as Protected Information or not, it is still considered confidential by Cloud Sherpas. Therefore, sharing the data with others without proper authorization would not be allowed.

Explanation

The correct answer is "No, because Cloud Sherpas considers ALL customer data to be confidential." This means that regardless of whether the data is listed as Protected Information or not, it is still considered confidential by Cloud Sherpas. Therefore, sharing the data with others without proper authorization would not be allowed.

4. Who conducts the Risk Assessment for clients of Cloud Sherpas and assigns corresponding Security Tiers for them?

Myself, as a Cloud Sherpas Consultant and Security & Compliance

Security & Compliance and Legal

My managers and Legal

Myself, as a Cloud Sherpas Consultant and Legal

The Risk Assessment for clients of Cloud Sherpas is conducted by the Security & Compliance and Legal teams. These teams work together to assess the potential risks associated with each client and assign them corresponding Security Tiers. This ensures that the clients' security needs are properly evaluated and addressed, while also ensuring compliance with legal requirements.

Explanation

The Risk Assessment for clients of Cloud Sherpas is conducted by the Security & Compliance and Legal teams. These teams work together to assess the potential risks associated with each client and assign them corresponding Security Tiers. This ensures that the clients' security needs are properly evaluated and addressed, while also ensuring compliance with legal requirements.

5. What should you do when you recognize that a protected information is being handled by Cloud Sherpas but is only classified as Security Tier 1?

Change the Security Standard to Tier 2

Nothing, that's not my problem

Contact [email protected] and change the Security Standard to Tier 2

Tell my customer that they are classified as Security Tier 1 and contact [email protected] to change it to Tier 2

When you recognize that a protected information is being handled by Cloud Sherpas but is only classified as Security Tier 1, the appropriate action to take is to contact [email protected] and change the Security Standard to Tier 2. This ensures that the protected information is being handled with a higher level of security and meets the necessary requirements.

Explanation

When you recognize that a protected information is being handled by Cloud Sherpas but is only classified as Security Tier 1, the appropriate action to take is to contact [email protected] and change the Security Standard to Tier 2. This ensures that the protected information is being handled with a higher level of security and meets the necessary requirements.

6. In the videos that you watched, what is considered protected information?(SELECT ALL THAT APPLY)

Customer Contact Numbers (Fax, Telephone, Mobile)

Birth dates, admission dates, discharge dates, dates of death

Email addresses

Account information numbers (Social Security, Health record, licenses)

The videos consider the following information as protected: Customer Contact Numbers (Fax, Telephone, Mobile), Birth dates, admission dates, discharge dates, dates of death, Email addresses, and Account information numbers (Social Security, Health record, licenses).

Explanation

The videos consider the following information as protected: Customer Contact Numbers (Fax, Telephone, Mobile), Birth dates, admission dates, discharge dates, dates of death, Email addresses, and Account information numbers (Social Security, Health record, licenses).

Submit

7. On the training video, Customer Information, Personally Identifiable Information and Personal Data are other terms for:

Protected information

Private information

Confidential information

Transactional information

Customer Information, Personally Identifiable Information, and Personal Data are all terms used interchangeably to refer to protected information. This type of information includes any data that can be used to identify an individual, such as their name, address, social security number, or financial information. It is important to handle this information with care and ensure that it is kept secure and confidential to protect the privacy and security of individuals.

Explanation

Customer Information, Personally Identifiable Information, and Personal Data are all terms used interchangeably to refer to protected information. This type of information includes any data that can be used to identify an individual, such as their name, address, social security number, or financial information. It is important to handle this information with care and ensure that it is kept secure and confidential to protect the privacy and security of individuals.

8. If the company "Sta. Ana Holdings Group" requires additional security measures for their data on top of the protections required by applicable regulations, it will be classified as:

Security Tier 1

Security Tier 2

Security Tier 3

Security Tier 4

If the company "Sta. Ana Holdings Group" requires additional security measures for their data on top of the protections required by applicable regulations, it will be classified as Security Tier 3. This tier indicates that the company has implemented advanced security measures beyond the basic requirements, ensuring a higher level of protection for their data.

Explanation

If the company "Sta. Ana Holdings Group" requires additional security measures for their data on top of the protections required by applicable regulations, it will be classified as Security Tier 3. This tier indicates that the company has implemented advanced security measures beyond the basic requirements, ensuring a higher level of protection for their data.

9. Armand and Jill are working on separate projects for the same client, "Acme Explosives". Jeremy, an "Acme Explosives" representative, needed Jill to analyze a stack of invoice printouts for Jill's project. With Jill on PTO, Jeremy asked Armand to hold-on to the printouts with instructions to forward them to Jill when she gets back.By agreeing with Jeremy, Armand's actions fall under:

A breach in security. He should have declined taking responsibility for documents outside his project.

A security protocol exception. He can receive the documents as long as Jill was informed.

A non-issue. He works with the same client as Jill and so has the same security access.

A breach in security. He should have asked Jeremy to sign a receipt before accepting the documents.

Armand's actions can be considered a breach in security because he agreed to hold onto the invoice printouts that were meant for Jill's project while she was on PTO. As someone working on a separate project, it is not his responsibility to handle documents outside of his own project. He should have declined taking the responsibility and asked Jeremy to find an alternative solution for forwarding the printouts to Jill.

Explanation

Armand's actions can be considered a breach in security because he agreed to hold onto the invoice printouts that were meant for Jill's project while she was on PTO. As someone working on a separate project, it is not his responsibility to handle documents outside of his own project. He should have declined taking the responsibility and asked Jeremy to find an alternative solution for forwarding the printouts to Jill.

10. Where do I find the Security Standard for my Customers in Summit?

Under a section on the Customers' Account Record

Under the Tab Risk Assessment

Beside the Account Name labelled (1, 2 or 3)

Nowhere, it can be found in quality.cloudsherpas.com not Summit

The security standard for customers can be found under a section on the customers' account record. This implies that within the Summit platform, there is a specific section in the customers' account record where the security standard information is located.

Explanation

The security standard for customers can be found under a section on the customers' account record. This implies that within the Summit platform, there is a specific section in the customers' account record where the security standard information is located.

11. As the Project Manager, Joan should create a plan to secure the client's protected information that should include:(SELECT 3)

Where the information will be stored

How files should be named

Who can access the information

Which encoding should be used for files

How the access list can be formatted

How the data should be destroyed

As the project manager, Joan is responsible for ensuring the security of the client's protected information. To do this, she should create a plan that addresses three key aspects: where the information will be stored, who can access the information, and how the data should be destroyed. By determining where the information will be stored, Joan can ensure that it is kept in a secure location. By specifying who can access the information, she can control and limit access to authorized personnel only. Finally, by defining how the data should be destroyed, Joan can ensure that any sensitive information is properly disposed of to prevent unauthorized access.

Explanation

As the project manager, Joan is responsible for ensuring the security of the client's protected information. To do this, she should create a plan that addresses three key aspects: where the information will be stored, who can access the information, and how the data should be destroyed. By determining where the information will be stored, Joan can ensure that it is kept in a secure location. By specifying who can access the information, she can control and limit access to authorized personnel only. Finally, by defining how the data should be destroyed, Joan can ensure that any sensitive information is properly disposed of to prevent unauthorized access.

Submit

12. Francis and Jarred are working on the same project. Jarred was given a copy of a few records from Production to simulate a possible issue experienced by an end-user. Separately, Francis had just finished his implementation and needs to have it tested.Could Francis ask Jarred for a copy of the records to conduct his tests?

Yes, he should have the same security clearance as Jarred.

No, he should create his own data to conduct his tests.

Yes, as long as they both inform their manager first.

No, he has to wait for Jarred to finish his tests first.

Francis should create his own data to conduct his tests because Jarred's records were given to him to simulate a possible issue experienced by an end-user, not for general testing purposes. It is important for each developer to have their own set of data to work with to ensure accurate and independent testing. Sharing data between developers can lead to confusion, dependencies, and potential issues in the testing process. Therefore, it is best practice for Francis to create his own data for testing purposes.

Explanation

Francis should create his own data to conduct his tests because Jarred's records were given to him to simulate a possible issue experienced by an end-user, not for general testing purposes. It is important for each developer to have their own set of data to work with to ensure accurate and independent testing. Sharing data between developers can lead to confusion, dependencies, and potential issues in the testing process. Therefore, it is best practice for Francis to create his own data for testing purposes.

13. Michi was provided with an access to the client's Production environment to deploy updates to the application. Another member of her team, Kevin, was asked to reconfigure a module of the application on Production. The access given to Michi was the last license available and the client informed Kevin that it will take at least 2 weeks to acquire new licenses.Kevin was told to reconfigure the module before the end of the week. How should he proceed?

Ask Michi to share the access to Production with him.

Request from his manager to allow Michi to share the access to Production with him.

Request an exemption from IT Security & Compliance to allow Michi to share the access with him.

Defer the update to the module until a license becomes available.

Escalate the situation to his manager to work it out with the client.

not-available-via-ai

Explanation

not-available-via-ai

14. Who creates the plan for security the protected information of our customer?

The Project Manager

The customer

Myself, as a Cloud Sherpas consultant

Security & Compliance and Legal

The Project Manager creates the plan for securing the protected information of our customers. As the person overseeing the project, the Project Manager is responsible for ensuring that all aspects of the project, including security measures, are properly planned and implemented. They work closely with the Security & Compliance and Legal teams to develop a comprehensive plan that addresses the specific security needs of the customer's information. This includes identifying potential risks and vulnerabilities, implementing appropriate security controls, and regularly monitoring and updating the plan as needed.

Explanation

The Project Manager creates the plan for securing the protected information of our customers. As the person overseeing the project, the Project Manager is responsible for ensuring that all aspects of the project, including security measures, are properly planned and implemented. They work closely with the Security & Compliance and Legal teams to develop a comprehensive plan that addresses the specific security needs of the customer's information. This includes identifying potential risks and vulnerabilities, implementing appropriate security controls, and regularly monitoring and updating the plan as needed.

15. Select 3 examples that on their own, are considered as protected information:

Age

Criminal Record

Country of Residence

Full Name

Gender

Photograph

School Attended

Social Security Number

Workplace

Full Name, Photograph, and Social Security Number are considered as protected information because they are personal identifiers that can be used to uniquely identify individuals. Full Name and Photograph can be used to identify someone visually, while Social Security Number is a unique identifier issued by the government for tax and employment purposes. Revealing these pieces of information without consent can lead to identity theft, fraud, or invasion of privacy.

Explanation

Full Name, Photograph, and Social Security Number are considered as protected information because they are personal identifiers that can be used to uniquely identify individuals. Full Name and Photograph can be used to identify someone visually, while Social Security Number is a unique identifier issued by the government for tax and employment purposes. Revealing these pieces of information without consent can lead to identity theft, fraud, or invasion of privacy.

Submit