
LET’S PLAY

Written Information Security Plan

(not quite) Jeopardy!!!

Rev. 25 May 2010

Instructions

1. Open another browser tab or window and locate the Wiki references for “Written Information Security Plan.” Refer to it as you play the game.

2. Keep track of your scores on a scrap of paper or an open copy of Notepad on your computer. This will not be tracked, but it may earn you bragging rights with your coworkers!

A. For correct answers you earn the designated amount for that question.

B. For incorrect answers you lose the amount for that question. So yes, you could have a negative score!

3. Answer as many questions correctly as you can!

4. After seeing your results for each question, click the green home icon to return to the game board.

5. When you are ready, click the green home icon to begin.

Written Information Security Plan

(not quite) Jeopardy

Click on any amount below to begin . . .

True/False    WISP    Requirements    Etcetera

$100    $100    $100    $100

$200    $200    $200    $200

$300    $300    $300    $300

$400    $400    $400    $400

$500    $500    $500    $500

Final Question


$100 Question: True / False

True False

If you have re-usable electronic media that has been erased, you don’t need to worry about risk of recovering data from the media. After all, it’s been erased!

Click your answer below.

$100 Answer: True / False

If you have re-usable electronic media that has been erased, you don’t need to worry about risk of recovering data from the media. After all, it’s been erased!

FALSE

There are some powerful tools that can recover data from erased media. You should overwrite or re-format the media, or check with an IT professional to dispose of it properly.

TRUE is incorrect. Deduct $100 from your score.

$100 Answer: True / False

If you have re-usable electronic media that has been erased, you don’t need to worry about risk of recovering data from the media. After all, it’s been erased!

FALSE

There are some powerful tools that can recover data from erased media. You should overwrite or re-format the media, or check with an IT professional to dispose of it properly.

FALSE is correct. Add $100 to your score.


$200 Question: True / False

True False

Employees may transmit personal information via unencrypted email.

Click your answer below.

$200 Answer: True / False

Employees may transmit personal information via unencrypted email.

FALSE

Personal information must always be encrypted, no matter where or how it is transmitted or stored.

TRUE is incorrect. Deduct $200 from your score.

$200 Answer: True / False

Employees may transmit personal information via unencrypted email.

FALSE

Personal information must always be encrypted, no matter where or how it is transmitted or stored.

FALSE is correct. Add $200 to your score.


$300 Question: True / False

True False

Transmitted electronic files containing personal information do not need to be encrypted as long as access is password-protected.

Click your answer below.

$300 Answer: True / False

Transmitted electronic files containing personal information do not need to be encrypted as long as access is password-protected.

FALSE

All transmitted files containing personal information that will travel across public networks (i.e., the internet) must be encrypted.

TRUE is incorrect. Deduct $300 from your score.

$300 Answer: True / False

Transmitted electronic files containing personal information do not need to be encrypted as long as access is password-protected.

FALSE

All transmitted files containing personal information that will travel across public networks (i.e., the internet) must be encrypted.

FALSE is correct. Add $300 to your score.

$400 Question: True / False (Daily Double!)

True False

If email with personal information cannot be encrypted, a secure web site with password protection is an acceptable alternative.

Click your answer below.

Daily Double means that you may wager as much or as little as you have already earned. For example, if you have earned $1000 already, you may wager up to $1000, or as little as $1.

You may also play for the set amount of $400 for this question.

After you have decided on an amount, click this box for your question.

$400 Answer: True / False

If email with personal information cannot be encrypted, a secure web site with password protection is an acceptable alternative.

TRUE

A secure website that requires safeguards including username and password when conducting transactions is an acceptable alternative to using encrypted email.

TRUE is correct. Add $400 or double the amount of your wager to your score.

$400 Answer: True / False

If email with personal information cannot be encrypted, a secure web site with password protection is an acceptable alternative.

TRUE

A secure website that requires safeguards including username and password when conducting transactions is an acceptable alternative to using encrypted email.

FALSE is incorrect. Deduct $400 or the amount of your wager from your score.


$500 Question: True / False

True False

There is a specific, maximum period of time for which we are required to keep records containing personal information.

Click your answer below.

$500 Answer: True / False

There is a specific, maximum period of time for which we are required to keep records containing personal information.

FALSE

There is no specific time limit. As a good business practice, we should limit the time we retain personal information to no longer than what is necessary to meet ongoing business requirements.

TRUE is incorrect. Deduct $500 from your score.

$500 Answer: True / False

There is a specific, maximum period of time for which we are required to keep records containing personal information.

FALSE

There is no specific time limit. As a good business practice, we should limit the time we retain personal information to no longer than what is necessary to meet ongoing business requirements.

FALSE is correct. Add $500 to your score.

$100 Question: WISP

WISP is an acronym for:

Click your choice

1) Witness Information Security Platform

2) Written Implementation Security Process

3) Written Improvement Security Program

4) Witness Information Security Process

5) Written Information Security Program


$100 Answer: WISP

WISP is an acronym for:

5) Written Information Security Program

Your answer is incorrect.

Deduct $100 from your score.


$100 Answer: WISP

WISP is an acronym for:

5) Written Information Security Program

Your answer is correct.

Add $100 to your score.

$200 Question: WISP

Security and confidentiality of personal information in the WISP applies to:

Click your choice

1) Corporate and business information

2) Employee and corporate information

3) Consumer and corporate information

4) Consumer and employee information

5) Industry and corporate information


$200 Answer: WISP

Security and confidentiality of personal information in the WISP applies to:

4) Consumer and employee information

Your answer is incorrect.

Deduct $200 from your score.


$200 Answer: WISP

Security and confidentiality of personal information in the WISP applies to:

4) Consumer and employee information

Your answer is correct. Add $200 to your score.

$300 Question: WISP

According to WISP, if a security breach is discovered, we must:

Click your choice

1) flicker our servers and send a public alert to all customers

2) conduct and document a post-incident review of the events and actions taken

3) run a complete virus-scan and diagnostic of every computer in our contact centers

4) remove all laptop/notebook computers from service and run offline virus-scans on them

5) create and execute a corrective action plan that includes all EIG servers and computers


$300 Answer: WISP

According to WISP, if a security breach is discovered, we must:

2) conduct and document a post-incident review of the events and actions taken

Your answer is incorrect.

Deduct $300 from your score.


$300 Answer: WISP

According to WISP, if a security breach is discovered, we must:

2) conduct and document a post-incident review of the events and actions taken

Your answer is correct.

Add $300 to your score.

$400 Question: WISP

Which of the following does NOT apply? According to WISP, when we’ve identified paper records that contain personal information we must:

Click your choice

1) restrict access only to those employees who need the information to perform their employment responsibilities

2) require that terminated employees return copies of any documents containing personal information

3) store it in locked facilities, storage areas or containers

4) develop a security policy for storage, access, and transportation of such records outside of business premises

5) contract with a licensed, external firm to dispose of them properly by both shredding then burning them

$400 Answer: WISP

Which of the following does NOT apply? According to WISP, when we’ve identified paper records that contain personal information we must:

5) contract with a licensed, external firm to dispose of them properly by both shredding then burning them

Your answer is incorrect. Deduct $400 from your score.

$400 Answer: WISP

Which of the following does NOT apply? According to WISP, when we’ve identified paper records that contain personal information we must:

5) contract with a licensed, external firm to dispose of them properly by both shredding then burning them

Your answer is correct. Add $400 to your score.

$500 Question: WISP

WISP guidelines state that we ensure security of our computer systems by implementing all but one of the following. Which one does NOT apply?

Click your choice

1) Firewall protection

2) Security system agent software

3) Ban use of portable disk drives

4) Operating system patches

5) Virus and malware protection

$500 Answer: WISP

WISP guidelines state that we ensure security of our computer systems by implementing all but one of the following. Which one does NOT apply?

3) Ban use of portable disk drives

Your answer is incorrect. Deduct $500 from your score.

$500 Answer: WISP

WISP guidelines state that we ensure security of our computer systems by implementing all but one of the following. Which one does NOT apply?

3) Ban use of portable disk drives

Your answer is correct. Add $500 to your score.

$100 Question: Requirements (Daily Double!)

In this context, “personal information” is defined as the first and last name, or first initial and last name of an individual, together with any one of the following EXCEPT:

Click your choice

1) Social Security number

2) Vehicle license number

3) Driver’s license or state-issued identification number

4) Financial account number

5) Credit card number

Daily Double means that you may wager as much or as little as you have already earned. For example, if you have earned $1000 already, you may wager up to $1000, or as little as $1.

You may also play for the set amount of $100 for this question.

After you have decided on an amount, click this box for your question.

$100 Answer: Requirements

In this context, “personal information” is defined as the first and last name, or first initial and last name of an individual, together with any one of the following EXCEPT:

2) Vehicle license number

Your answer is incorrect. Deduct $100 or the amount of your wager from your score.

$100 Answer: Requirements

In this context, “personal information” is defined as the first and last name, or first initial and last name of an individual, together with any one of the following EXCEPT:

2) Vehicle license number

Your answer is correct. Add $100 or double the amount of your wager to your score.

$200 Question: Requirements

It is acceptable to store personal information on:

Click your choice

1) Laptop computers

2) A Personal Digital Assistant (PDA)

3) Mobile telephones

4) Endurance computer systems

5) Portable media: flash drives, CDs, etc.


$200 Answer: Requirements

It is acceptable to store personal information on:

4) Endurance computer systems

Your answer is incorrect.

Deduct $200 from your score.


$200 Answer: Requirements

It is acceptable to store personal information on:

4) Endurance computer systems

Your answer is correct.

Add $200 to your score.

$300 Question: Requirements

To what extent is Endurance International Group obligated to monitor access to personal information?

Click your choice

1) Such that it is reasonably likely to reveal unauthorized access or use

2) Every access to personal information must be monitored every day

3) Access to personal information is routinely and randomly monitored

4) Select days are scheduled when access to personal information will be monitored

5) Monitors are only performed during times of high contact volume

$300 Answer: Requirements

To what extent is Endurance International Group obligated to monitor access to personal information?

1) Such that it is reasonably likely to reveal unauthorized access or use

Your answer is incorrect.

Deduct $300 from your score.

$300 Answer: Requirements

To what extent is Endurance International Group obligated to monitor access to personal information?

1) Such that it is reasonably likely to reveal unauthorized access or use

Your answer is correct.

Add $300 to your score.

$400 Question: Requirements

If data needs to be encrypted, it must bring about a . . .

Click your choice

1) prevention of access to either personal information or public data

2) transformation of data into a form in which meaning cannot be assigned

3) transition of information such that using a specific password is the only way to unlock it

4) barrier to the transmission of personal data across a network

5) conversion of personal information into a format that can only be read with a PIN


$400 Answer: Requirements

If data needs to be encrypted, it must bring about a . . .

2) transformation of data into a form in which meaning cannot be assigned

Your answer is incorrect.

Deduct $400 from your score.


$400 Answer: Requirements

If data needs to be encrypted, it must bring about a . . .

2) transformation of data into a form in which meaning cannot be assigned

Your answer is correct.

Add $400 to your score.

$500 Question: Requirements

For purposes of this information security plan, which of the following is considered “personal information” if combined with a person’s first and last name (surname)?

Click your choice

1) A “nick-name”

2) Billing or residential address

3) An affiliate tax identification number

4) The name of this person’s mother, father, or spouse

5) Vehicle license plate number

$500 Answer: Requirements

For purposes of this information security plan, which of the following is considered “personal information” if combined with a person’s first and last name (surname)?

3) An affiliate tax identification number

Your answer is incorrect.

Deduct $500 from your score.

$500 Answer: Requirements

For purposes of this information security plan, which of the following is considered “personal information” if combined with a person’s first and last name (surname)?

3) An affiliate tax identification number

Your answer is correct.

Add $500 to your score.

$100 Question: Etcetera

The scope of our security measures must be reviewed:

Click your choice

1) Daily

2) Weekly

3) Monthly

4) Quarterly

5) Annually


$100 Answer: Etcetera

The scope of our security measures must be reviewed:

5) Annually

Your answer is incorrect.

Deduct $100 from your score.


$100 Answer: Etcetera

The scope of our security measures must be reviewed:

5) Annually

Your answer is correct.

Add $100 to your score.

$200 Question: Etcetera (Daily Double!)

The scope of our security measures must be reviewed more often than the minimum if:

Click your choice

1) business practices change which place access to personal information at risk

2) we hire then terminate anyone who lied during the recruiting process

3) one of our servers goes down for longer than one week

4) a virus or worm infiltrates one customer’s web site

5) the computers used in the training room are replaced or upgraded

Daily Double means that you may wager as much or as little as you have already earned. For example, if you have earned $1000 already, you may wager up to $1000, or as little as $1.

You may also play for the set amount of $200 for this question.

After you have decided on an amount, click this box for your question.

$200 Answer: Etcetera

The scope of our security measures must be reviewed more often than the minimum if:

1) business practices change which place access to personal information at risk

Your answer is incorrect.

Deduct $200 or the amount of your wager from your score.

$200 Answer: Etcetera

The scope of our security measures must be reviewed more often than the minimum if:

1) business practices change which place access to personal information at risk

Your answer is correct.

Add $200 or double the amount of your wager to your score.

$300 Question: Etcetera

If an employee is found violating information security policies and procedures, he or she will be:

Click your choice

1) immediately terminated

2) removed from the position and retrained for a different job

3) subject to disciplinary measures

4) fined for the equivalent cost of a server virus-scan

5) sent home for the remainder of the scheduled work-shift

$300 Answer: Etcetera

If an employee is found violating information security policies and procedures, he or she will be:

3) Subject to disciplinary measures

Your answer is incorrect.

Deduct $300 from your score.


$300 Answer: Etcetera

If an employee is found violating information security policies and procedures, he or she will be:

3) Subject to disciplinary measures

Your answer is correct.

Add $300 to your score.

$400 Question: Etcetera

Which of the following does NOT apply? When destroying paper documents containing personal information, they must be:

Click your choice

1) Redacted

2) Irradiated

3) Burned

4) Pulverized

5) Shredded

$400 Answer: Etcetera

Which of the following does not apply? When destroying paper documents containing personal information, they must be:

2) Irradiated

Your answer is incorrect.

Deduct $400 from your score.

$400 Answer: Etcetera

Which of the following does not apply? When destroying paper documents containing personal information, they must be:

2) Irradiated

Your answer is correct.

Add $400 to your score.


$500 Question: Etcetera

Access to personal information will be:

Click your choice

1) on a need to know basis only

2) available to every employee of Endurance International Group and its affiliates

3) only available to Human Resources personnel

4) only available to Billing specialists

5) accessible by management staff and select personnel


$500 Answer: Etcetera

Access to personal information will be:

1) on a need to know basis only

Your answer is incorrect.

Deduct $500 from your score.

$500 Answer: Etcetera

Access to personal information will be:

1) on a need to know basis only

Your answer is correct.

Add $500 to your score.


Final Question

For $1000, what is your favorite color?

Click your choice

1) Red

2) Yellow

3) Blue

4) A combination of 2 of the above colors

5) Whatever I happen to be wearing at the moment


Final Answer

Any of the above!

• You might have hesitated, but if you answered honestly, your answer is correct! Add $1,000 to your score!

• Alright, that last one was a silly question, but the subject matter of this game is anything but silly.

• Now that you’ve completed this activity you should be familiar with the resource documentation in the Wiki and ready for the post-test.


Next Steps

• Take some time to review the Wiki again if you wish

• Complete the post-test listed in the Endurance University menu for this module

Thank you!