HIPS Series > Basics of Being Secure > Quiz + Answers
The questions, answers and explanations are provided below. If
you disagree with our answer, or have additional questions,
please send email to pdpp@miami.edu.
Include the text of the quiz question(s) with which you disagree
in your correspondence.
• • • • •
1. You have been appointed the new Director of Information
Security for the Big State University - Better Samaritan Hospital
(BSU-BSH) medical campus. Congratulations! Which of these
physical security problems needs your attention?
A. Workers don't always remember to wear their ID badges,
making it difficult for security personnel to identify outsiders.
B. Workers don't always remember to lock doors and turn
on alarm systems when closing up facilities at the end of
the work day.
C. Workers don't always remember to keep sensitive office
equipment secure. Computers, printers, photocopiers, fax machines
and cabinets full of paper records are often in unsecured
areas.
D. Workers don't always remember to monitor visitors, to
be sure unauthorized persons are kept out of restricted areas.
Actually, all of these require your attention. It
would be hard to pick where to begin.
• • • • •
2. Workers are continually leaving paper copies of sensitive
material -- including portions of patients' medical records
-- in public places. The chief executive officer of the BSU-BSH
campus asks you for a solution. You recommend...
A. ... that all workers be trained about the importance
of shredding -- or putting in a secure container for future
shredding -- any sensitive paper documents that they no longer
need.
B. ... that all workers be trained not to leave sensitive
paper documents in public areas, nor on unattended computer
printers, fax machines or photocopiers.
C. ... that all workers be trained to keep an eye out for
documents that have been left in the wrong places by others.
D. ... that some workers are just stupid and lazy, so there's
not much you can do about this sort of thing.
All of these are correct except D. And D is correct
too, if you'd like to start collecting unemployment right
away.
• • • • •
3. Most of the workers at BSU-BSH have access to a computer/workstation.
What do you tell the CEO about security training for those?
A. That all workers should be trained to keep secure their
user-IDs, passwords, and anything else they use to access
computers.
B. That workers should be trained not to worry about physical
security, because computers are inside buildings that have
locks, alarms and guards.
C. That workers should be trained in how to practice "safe
computing" when they use email or surf the web.
D. That security for computer storage media like CDs, floppies,
flash memories -- and secure disposal of them when no longer
needed -- is as critical as security for the computer itself.
Everything here is correct except B.
• • • • •
4. Many of the workers at BSU-BSH now use laptops, notebooks,
palmtops, PDAs and even very smart cell phones that have access
to sensitive information. What should security training for
these devices include?
A. ... that these devices are the tool of the devil, and
should never be used.
B. ... to keep as little sensitive information as possible
on these devices, because they are easily lost or stolen.
C. ... to keep these devices physically secure, especially
if they decide to keep sensitive information on them anyway.
D. ... to make sure any wireless communications capabilities
on these devices are configured in a secure way -- and that
if they don't know how to do that, they need to ask someone.
Everything here is correct except A. We realize some
people may think A is correct too, but we're not encouraging
that kind of attitude.
• • • • •
5. Faxes are still one of the most common ways to exchange
information at BSU-BSH. What do you suspect is the biggest
security problem with faxes?
A. Getting the fax number wrong -- and thus sending documents
to the wrong place.
B. Leaving fax documents on unattended fax machines for
long periods after they are sent or received.
C. Interception of faxes by listening devices ("bugs")
on telephone lines.
D. There are probably no serious security problems with
faxes.
A is probably the biggest problem, because the consequences
of a mis-directed fax are potentially large. B could be a
problem too. C is generally not true. If you answered D, you
should repeat the course.
• • • • •
6. Telephones are also commonly used to exchange information,
some of it very sensitive. What do you suspect is the biggest
security problem with telephones?
A. Getting the number wrong -- or failing to confirm the
identity of the person that answers the phone -- and thus
leaving information with the wrong person.
B. Leaving too much information on answering machines and
voice mail systems -- which are sometimes heard by the wrong
person.
C. Having phone conversations in places where they can be
overheard.
D. Interception of conversations by listening devices ("bugs")
on telephone lines.
A is probably the biggest problem, because the consequences
of a mis-directed telephone call are potentially large. B
and C are likely to be problems too. D is generally not an
issue, though you can't rule it out entirely.
• • • • •
7. Electronic mail is an increasingly common method to exchange
information, replacing faxes and telephone calls. What do
you suspect is the biggest security problem with email?
A. Getting the address wrong -- and thus sending information
to the wrong person.
B. Putting more sensitive information in an email than is
necessary.
C. Interception of email containing sensitive information.
D. There are probably no security problems with email.
A is probably the biggest problem, because the consequences
of a mis-directed email are potentially large. B is very likely
to be a problem too. C is generally not an issue, though you
can't rule it out entirely with unencrypted email. If you
answered D, you should repeat the course.
• • • • •
8. Talking remains a common habit for most BSU-BSH
workers. What about security problems with that?
A. Having conversations about sensitive subjects in public
places, when "quiet areas" are available.
B. When quiet areas aren't possible, having conversations
that include more sensitive information than necessary (like
patients' names).
C. Talking too darn loud when having conversations that
include sensitive information.
D. This is probably the one thing we don't need to worry
about.
A, B and C all describe common problems. If you answered
D, you should repeat the course.
• • • • •
9. Now that computers are networked together,
the problems of computer security are...
A. The same. Having computers connected together over a
network doesn't change anything.
B. Better. Computer networks have lots of security features,
that protect all the computers on them.
C. Worse. Computer networks can be vulnerable even if only
a single computer on them is compromised.
Most experts think the answer is C. Security has
improved, but it's tough to keep pace with the vulnerabilities
of a networked world.
• • • • •
10. As part of your new job, you go to various
BSU-BSH departments to talk about security. At the end of
your presentations, you tell the audience ...
A. ... that good security only happens with good training
-- for example, on preventing damage from viruses and other
malware, and on safe emailing and web surfing techniques.
B. ... that even with good training, questions will still
come up -- and that they should rely on knowledgeable co-workers
and the IT department to get answers rather than risking a
critical mistake.
C. ... that they should resist the temptation to take shortcuts
with security, just to save time -- because that's when
critical mistakes are made too.
D. ... that some of their co-workers are just stupid and
lazy, so there's not much you can do about that.
A, B and C are all true, and good wrap-ups for a
presentation. D may be tempting as an answer, but it's probably
wrong. And in any case, it's probably not something you should
say unless you want to change jobs.