nerdexam
CompTIA

CAS-002 · Question #42

The new security policy states that only authorized software will be allowed on the corporate network and all personally owned equipment needs to be configured by the IT security staff before being al

The correct answer is C. An employee using a corporate FTP application to transfer customer lists and other. The policy addresses unauthorized software (B), device hygiene/virus protection (D), and limits what can be installed (A). However, it does NOT address insider threats from employees misusing authorized corporate applications. Option C describes an employee deliberately using a l

Enterprise Security

Question

The new security policy states that only authorized software will be allowed on the corporate network and all personally owned equipment needs to be configured by the IT security staff before being allowed on the network. The security administrator creates standard images with all the required software and proper security controls. These images are required to be loaded on all personally owned equipment prior to connecting to the corporate network. These measures ensure compliance with the new security policy. Which of the following security risks still needs to be addressed in this scenario?

Options

  • AAn employee copying gigabytes of personal video files from the employee's personal laptop
  • BAn employee connecting their personal laptop to use a non-company endorsed accounting
  • CAn employee using a corporate FTP application to transfer customer lists and other
  • DAn employee accidentally infecting the network with a virus by connecting a USB drive to the

How the community answered

(30 responses)
  • A
    17% (5)
  • B
    30% (9)
  • C
    47% (14)
  • D
    7% (2)

Explanation

The policy addresses unauthorized software (B), device hygiene/virus protection (D), and limits what can be installed (A). However, it does NOT address insider threats from employees misusing authorized corporate applications. Option C describes an employee deliberately using a legitimate corporate FTP application to exfiltrate sensitive data such as customer lists. Standard images with approved software cannot prevent an authorized user from abusing those approved tools for malicious or unauthorized purposes. This represents a data loss/exfiltration risk that technical controls on the image alone cannot mitigate - it requires additional controls like DLP (Data Loss Prevention), user activity monitoring, or strict egress filtering.

Topics

#BYOD#data exfiltration#security policy#DLP

Community Discussion

No community discussion yet for this question.

Full CAS-002 Practice