1. What should you do to the user accounts as soon as employment is terminated?
Disable the user accounts and have the data kept for a specified period of time.
Explanation: A record of user logins with time and date stamps must be kept to ensure that any unauthorized access that occurs can be detected (although possibly after the fact). User accounts shall be disabled and data kept for a specified period of time as soon as employment is terminated.
2. A type of attack that could be the most successful when the security technology is properly implemented and configured is social engineering.
Explanation: Social Engineering attacks - In computer security systems, this type of attack is usually the most successful, especially when the security technology is properly implemented and configured. Usually, these attacks rely on the faults in human beings. An example of a social engineering attack is a hacker impersonating a network service technician. The serviceman approaches a low-level employee and requests their password for network servicing purposes.
3. In order to avoid mishandling of media or information, you should consider using labeling.
Explanation: In order to avoid mishandling of media or information, proper labeling must be used.
- All tape, floppy disks, and other computer storage media containing sensitive information must be externally marked with the appropriate sensitivity classification.
- All tape, floppy disks, and other computer storage media containing unrestricted information must be externally marked as such.
- All printed copies, printouts, etc., from a computer system must be clearly labeled with the proper classification.
Labeling is a physical measure which can prevent accidental misuse of media, which could occur if the media does not carry a specific indication of its nature.
4. A countermeasure to data aggregation is separation of duties.
Explanation: Data Aggregation occurs when smaller pieces of information are assembled together to provide the "big picture". The risk is that through data collection techniques, a person who is authorized to have some or much of the information may be able to discern more than they should from the information. A good countermeasure is to maintain strong separation of duties and a "need to know" approach. Job rotation can also be beneficial.
5. A high-level statement of belief, goals and objectives and the general means for their attainment for a specific subject area is called a policy.
Explanation: A Policy is a high-level statement of belief, goals and objectives with the general means for their attainment for a specific subject area. A Procedure spells out the specific steps of how the policy and its supporting standards and guidelines will be implemented. A procedure is a description of tasks that must be executed in a specific order. A Standard is a mandatory activity, action, rule or regulation designed to provide policies with the support structure and specific direction they require to be effective. They are often expensive to administer and therefore should be used judiciously. A Guideline is a more general statement of how to achieve the policy's objectives by providing a framework within which to implement procedures. Where standards are mandatory, guidelines are recommendations.