The purpose of the Cyber Awareness Challenge is to influence behavior, focusing on actions that authorized users can engage to mitigate threats and vulnerabilities to DoD Information Systems. This training is current, designed to be engaging, and relevant to the user. The Cyber Awareness Challenge is the DoD baseline standard for end user awareness training by providing awareness content that addresses evolving requirements issued by Congress, the Office of Management and Budget (OMB), the Office of the Secretary of Defense, and Component input from the DoD CIO chaired Cyber Workforce Advisory Group (CWAG). This course provides an overview of current cybersecurity threats and best practices to keep information and information systems secure at home and at work. The training also reinforces best practices to protect classified, controlled unclassified information (CUI), and personally identifiable information (PII). A Knowledge Check option is available for users who have successfully completed the previous version of the course. After each selection on the incident board, users are presented one or more questions derived from the previous Cyber Awareness Challenge. If all questions are answered correctly, users will skip to the end of the incident. If any questions are answered incorrectly, users must review and complete all activities contained within the incident. Show
Overview: The Cyber Awareness Challenge serves as an annual refresher of security requirements, security best practices, and your security responsibilities. The answers here are current and are contained within three (3) incidents: spillage, Controlled Unclassified Information (CUI), and malicious codes. Whether you have successfully completed the previous version or starting from scratch, these test answers are for you. SpillageWhich of the following does NOT constitute spillage? NOTE: Spillage occurs when information is “spilled” from a higher classification or protection level to a lower classification or protection level. Spillage can be either inadvertent or intentional. Which of the following is NOT an appropriate way to protect against inadvertent spillage? NOTE: Being cognizant of classification markings and labeling practices are good strategies to avoid inadvertent spillage. While it may seem safer, you should NOT use a classified network for unclassified work. Which of the following should you NOT do if you find classified information on the internet? NOTE: Remember that leaked classified or controlled information is still classified or controlled even if it has already been compromised. Do NOT download it or you may create a new case of spillage. Classified data[Incident]: What level of damage to national security can you reasonably expect Top Secret information to cause if disclosed? NOTE: Top Secret information could be expected to cause exceptionally grave damage to national security if disclosed. [Scene]: Which of the following is true about telework? NOTE: You must have permission from your organization to telework. When teleworking, you should always use authorized equipment and software. Insider threat[Alex’s statement]: In addition to avoiding the temptation of greed to betray his country, what should Alex do differently? NOTE: Don’t talk about work outside of your workspace unless it is a specifically designated public meeting environment and is controlled by the event planners. Be careful not to discuss details of your work with people who do not have a need-to-know. [Ellen’s statement]: How many insider threat indicators does Alex demonstrate? NOTE: Alex demonstrates a lot of potential insider threat indicators, including difficult life circumstances, unexplained affluence, and unusual interest in classified information [Mark’s statement]: What should Alex’s colleagues do? NOTE: By reporting Alex’s potential risk indicators, Alex’s colleagues can protect their organization and potentially get Alex the help he needs to navigate his personal problems. Controlled Unclassified Information (CUI)Which of the following is NOT an example of CUI? NOTE: CUI includes, but is not limited to, Controlled Technical Information (CUI), Personally Identifiable Information (PII), Protected Health Information (PHI), financial information, personal or payroll information, proprietary data, and operational information. Which of the following is NOT a correct way to protect CUI? NOTE: CUI may be stored only on authorized systems or approved devices. Physical security[Incident #1]: What should the employee do differently? NOTE: Always remove your CAC and lock your computer before leaving your workstation. [Incident #2]: What should the employee do differently? NOTE: Don’t allow others access or piggyback into secure areas. Always challenge people without proper badges and report suspicious activity. Identity Management✅ Always take your Common Access Card (CAC) when you leave your workstation. Sensitive Compartmented Information (SCI)[Incident #1]: When is it appropriate to have your security badge visible? NOTE: Badges must be visible and displayed above the waist at all times when in the facility. Badges must be removed when leaving the facility. [Incident #2]: What should the owner of this printed SCI do differently? NOTE: Always mark classified information appropriately and retrieve classified documents promptly from the printer. [Incident #3]: What should the participants in this conversation involving SCI do differently? NOTE: Even within SCIF, you cannot assume that everyone present is cleared and has a need-to-know. Assess your surroundings to be sure no one overhears anything they shouldn’t. Removable Media in a SCIF[Evidence]: What portable electronic devices (PEDs) are permitted in a SCIF? NOTE: No personal PEDs are allowed in a SCIF. Government-owned PEDs must be expressly authorized by your agency. [Incident]: What is the response to an incident such as opening an uncontrolled DVD on a computer in a SCIF? NOTE: Classified DVD distribution should be controlled just like any other classified media. If an incident occurs, you must notify your security POC immediately. Malicious code[Prevalence]: Which of the following is an example of malicious code? NOTE: Malicious code can mask itself as a harmless email attachment, downloadable file, or website. In reality, once you select one of these, it typically installs itself without your knowledge. [Damage]: How can malicious code cause damage? NOTE: Malicious code can cause damage by corrupting files, erasing your hard drive, and/or allowing hackers access. [Spread]: How can you avoid downloading malicious code? NOTE: To avoid downloading malicious code, you should avoid accessing website links, buttons, or graphics in email messages or popups. Website use✅ Cookies may pose a security threat, particularly when they save unencrypted personal information. Travel[Incident]: What should Sara do when using publicly available Internet, such as hotel Wi-Fi? NOTE: Use caution when connecting laptops to hotel Internet connections. Use public for free Wi-Fi only with the Government VPN. [Incident]: What is the danger of using public Wi-Fi connections? NOTE: If you are directed to a login page before you can connect by VPN, the risk of malware loading of data compromise is substantially increased. Mobile devices[Incident]: When is it okay to charge a personal mobile device using government-furnished equipment (GFE)? NOTE: Never charge personal mobile devices using GFE nor connect any other USB devices (like a coffer warmer) to GFE. Which of the following actions is appropriate after finding classified information on the Internet?Which of the following actions is appropriate after finding classified Government information on the internet? Which of the following may help to prevent inadvertent spillage? Label all files, removable media, and subject headers with appropriate classification markings.
Which is a good practice to protect classified information?Which is good practice to protect classified information? Ensure proper labeling by appropriately marking all classified material.
What action should you take if you become aware that sensitive compartmented information SCI has been compromised?Compromised SCI
A compromise occurs when a person who does not have the required clearance or access caveats comes into possession of SCI in any manner (i.e., physically, verbally, electronically, etc.). You are required to contact your security Point of Contact (POC) to report the incident.
Which of the following is a security best practice for protecting personally identifiable information PII )?Secure Sensitive PII in a locked desk drawer, file cabinet, or similar locked enclosure when not in use. When using Sensitive PII, keep it in an area where access is controlled and limited to persons with an official need to know. Avoid faxing Sensitive PII, if at all possible.
|