HIPS Series > Basics of Being Secure > Quiz
The questions are below. If you need to review, the course content is here.
The correct answers, and explanations for why we believe them to be correct, are provided here.
Please note that Better Samaritan Hospital (BSH) and Big State University (BSU) are fictional organizations. Any resemblance to existing institutions or persons is purely coincidental.
• • • • •
1. You have been appointed the new Director of Information
Security for the Big State University - Better Samaritan Hospital
(BSU-BSH) medical campus. Congratulations! Which of these
physical security problems needs your attention?
A. Workers don't always remember to wear their ID badges,
making it difficult for security personnel to identify outsiders.
B. Workers don't always remember to lock doors and turn
on alarm systems when closing up facilities at the end of
the work day.
C. Workers don't always remember to keep sensitive office
equipment secure. Computers, printers, photocopiers, fax machines
and cabinets full of paper records are often in unsecured
areas.
D. Workers don't always remember to monitor visitors, to
be sure unauthorized persons are kept out of restricted areas.
• • • • •
2. Workers are continually leaving paper copies of sensitive
material -- including portions of patients' medical records
-- in public places. The chief executive officer of the BSU-BSH
campus asks you for a solution. You recommend...
A. ... that all workers be trained about the importance
of shredding -- or putting in a secure container for future
shredding -- any sensitive paper documents that they no longer
need.
B. ... that all workers be trained not to leave sensitive
paper documents in public areas, nor on unattended computer
printers, fax machines or photocopiers.
C. ... that all workers be trained to keep an eye out for
documents that have been left in the wrong places by others.
D. ... that some workers are just stupid and lazy, so there's
not much you can do about this sort of thing.
• • • • •
3. Most of the workers at BSH-BSU have access to a computer/workstation.
What do you tell the CEO about security training for those?
A. That all workers should be trained to keep secure their
user-IDs, passwords, and anything else they use to access
computers.
B. That workers should be trained not to worry about physical
security, because computers are inside buildings that have
locks, alarms and guards.
C. That workers should be trained in how to practice "safe
computing" when they use email or surf the web.
D. That security for computer storage media like CDs, floppies,
flash memories -- and secure disposal of them when no longer
needed -- is as critical as security for the computer itself.
• • • • •
4. Many of the workers at BSU-BSH now use laptops, notebooks,
palmtops, PDAs and even very smart cell phones that have access
to sensitive information. What should security training for
these devices include?
A. ... that these devices are the tool of the devil, and
should never be used.
B. ... to keep as little sensitive information as possible
on these devices, because they are easily lost or stolen.
C. ... to keep these devices physically secure, especially
if they decide to keep sensitive information on them anyway.
D. ... to make sure any wireless communications capabilities
on these devices are configured in a secure way -- and that
if they don't know how to do that, they need to ask someone.
• • • • •
5. Faxes are still one of the most common ways to exchange
information at BSH-BSU. What do you suspect is the biggest
security problem with faxes?
A. Getting the fax number wrong -- and thus sending documents
to the wrong place.
B. Leaving fax documents on unattended fax machines for
long periods after they are sent or received.
C. Interception of faxes by listening devices ("bugs")
on telephone lines.
D. There are probably no serious security problems with
faxes.
• • • • •
6. Telephones are also commonly used to exchange information,
some of it very sensitive. What do you suspect is the biggest
security problem with telephones?
A. Getting the number wrong -- or failing to confirm the
identity of the person that answers the phone -- and thus
leaving information with the wrong person.
B. Leaving too much information on answering machines and
voice mail systems -- which are sometimes heard by the wrong
person.
C. Having phone conversations in places where they can be
overheard.
D. Interception of conversations by listening devices ("bugs")
on telephone lines.
• • • • •
7. Electronic mail is an increasingly common method to exchange
information, replacing faxes and telephone calls. What do
you suspect is the biggest security problem with email?
A. Getting the address wrong -- and thus sending information
to the wrong person.
B. Putting more sensitive information in an email than is
necessary.
C. Interception of email containing sensitive information.
D. There are probably no security problems with email.
• • • • •
8. Talking remains a common habit for most BSU-BSH
workers. What about security problems with that?
A. Having conversations about sensitive subjects in public
places, when "quiet areas" are available.
B. When quiet areas aren't possible, having conversations
that include more sensitive information than necessary (like
patients' names).
C. Talking too darn loud when having conversations that
include sensitive information.
D. This is probably the one thing we don't need to worry
about.
• • • • •
9. Now that computers are networked together,
the problems of computer security are...
A. The same. Having computers connected together over a
network doesn't change anything.
B. Better. Computer networks have lots of security features
that protect all the computers on them.
C. Worse. Computer networks can be vulnerable even if only
a single computer on them is compromised.
• • • • •
10. As part of your new job, you go to various
BSU-BSH departments to talk about security. At the end of
your presentations, you tell the audience ...
A. ... that good security only happens with good training
-- for example, on preventing damage from viruses and other
malware, and on safe emailing and web surfing techniques.
B. ... that even with good training, questions will still
come up -- and that they should rely on knowledgeable co-workers
and the IT department to get answers rather than risking a
critical mistake.
C. ... that they should resist the temptation to take shortcuts
with security, just to save time -- because that's when
critical mistakes are made too.
D. ... that some of their co-workers are just stupid and
lazy, so there's not much you can do about that.