Which of the following is the BEST way to test awareness?

Following a recent network intrusion, a company wants to determine the current security awareness of all of its employees. Which of the following is the BEST way to test awareness?
A. Conduct a series of security training events with comprehensive tests at the end
B. Hire an external company to provide an independent audit of the network security posture
C. Review the social media of all employees to see how much proprietary information is shared
D. Send an email from a corporate account, requesting users to log onto a website with their enterprise account


6 thoughts on “Which of the following is the BEST way to test awareness?”

  1. I think D is the only answer that tests employees’ current security awareness. A provides training, so it’s not testing CURRENT awareness; B audits the network security posture, not employee security awareness; and C is just not realistic. Sending a simulated phishing email from a corporate account is the best option. Even if the email is validated, employees shouldn’t be receiving surprise emails asking for their credentials to be entered into a site.

  2. B.

    The question asks for current overall security awareness.

    A – This would be the awareness after all the training.
    B – This security assessment would test the whole security posture including staff awareness, not just any one part.
    C – Just wrong.
    D – Even if the question is referring to an internal white-hat phishing test, that is only one attack and not overall security awareness. (What if they want to know about other social engineering methods?)

    1. B cannot be, because the question states a company wants to determine the current security awareness of ALL of its employees. B only covers the network security posture and not ALL EMPLOYEES. Not in love with this question, but I would go with D.

  3. Question is asking about the BEST way to “determine the CURRENT security awareness”.
    A. Wrong. If you train before testing, it is not measuring your current status
    B. Correct.
    C. Not the best way; it may be intrusive, and you would not measure employees who are not on social media.
    D. If the company sends me a VALID and authenticated email, users are directed to follow instructions. I don’t think it could be a good measure of security awareness.

    1. D. If the company sends a VALID and authenticated email, users are normally directed to follow instructions. I don’t think it could be a good measure to evaluate security awareness.
