nerdexam
CompTIA

CAS-003 · Question #941

A company has experienced negative publicity associated with users giving out their credentials accidentally or sharing intellectual secrets that were not property defined. The company recently implem

The correct answer is B. A policy outlining what is and is not acceptable on social media. The existing controls address phishing (training reduced victims from 100 to 2), data exfiltration (DLP), and hardware-based leakage (USB and personal email blocked). The remaining gap is social media: employees could still inadvertently or deliberately share credentials or intel

Risk Management

Question

A company has experienced negative publicity associated with users giving out their credentials accidentally or sharing intellectual secrets that were not property defined. The company recently implemented some new process and is now testing their effectiveness. Over the last three months the number of phishing victims dropped from 100 to only two in the last test. The DLP solution that was implemented catches potential material leaks and the user responsible is retrained Personal email accounts and USB drives are restricted from the corporate network. Given the improvements which of the following would a security engineer identify as being needed n a gap analysis?

Options

  • AAdditional corporate-wide training on phishing
  • BA policy outlining what is and is not acceptable on social media
  • CNotifications when a user falls victim to a phishing attack
  • DPositive DLP preventions with stronger enforcement

How the community answered

(54 responses)
  • A
    4% (2)
  • B
    69% (37)
  • C
    20% (11)
  • D
    7% (4)

Explanation

The existing controls address phishing (training reduced victims from 100 to 2), data exfiltration (DLP), and hardware-based leakage (USB and personal email blocked). The remaining gap is social media: employees could still inadvertently or deliberately share credentials or intellectual property on platforms like LinkedIn, Twitter, or Facebook - none of which the described controls restrict. A formal social media policy would define what information is and is not acceptable to post publicly. Option A is unnecessary since phishing training is already highly effective. Option C (notifications after a phishing victim is identified) is reactive and does not address the gap. Option D suggests stronger DLP enforcement, but the DLP is already catching leaks and triggering retraining.

Topics

#social media policy#data loss prevention#security awareness#information disclosure

Community Discussion

No community discussion yet for this question.

Full CAS-003 Practice