Security Policies and Procedures

Correct Answer: Implement a Network Access Control (NAC) policy.

The optimal security policy the company should implement is a Network Access Control (NAC) policy. As the number of users and devices on the network grows, the risk of unauthorized access increases. A NAC policy restricts the availability of network resources to compliant and trusted devices, denying access to all others. While password expiration policies (second option) enhance security, they do not specifically prevent unauthorized devices from accessing the network. Setting up a guest network (third option) can isolate untrusted users to some degree, but this still doesn't prevent unauthorized devices from accessing the primary network. Lastly, a Bring Your Own Device (BYOD) policy (fourth option) can help manage employee devices, but it doesn't necessarily stop unauthorized devices from gaining access to the network.

Correct Answer: Educate employees on phishing techniques and provide examples

Educating employees on phishing techniques and providing examples is the correct practice for a small business concerned about protecting their sensitive data from phishing attacks. This empowers the employees to identify potential phishing attacks and respond appropriately, thus safeguarding the company's sensitive data. Disabling email filtering is incorrect because email filtering is a necessary security measure. It helps to screen out potential phishing emails, which can help protect the company's sensitive data. Sharing passwords among multiple employees is wrong. Instead of providing additional security, it increases the risk of unauthorized access and potentially data breaches. Installing outdated antivirus software also won't help, as newer threats may not be recognized and neutralized, leaving the company's sensitive data at risk.

Correct Answer: Create a hardware disposal policy with clear procedures and guidelines

The best approach to safely dispose of out-dated hardware containing sensitive data is to 'Create a hardware disposal policy with clear procedures and guidelines'. This policy would outline how to securely erase data from the hardware before disposal and how to dispose of the hardware in a way that prevents further data retrieval. The other options are not viable because simply discarding old hardware in regular trash bins or selling outdated hardware without sanitizing the data would risk exposure of the sensitive information. Also storing obsolete hardware indefinitely is impractical and does not mitigate the risk of data exposure in the long term. A comprehensive disposal policy is the only choice that securely addresses the issue.