
ISMP Online Practice Questions and Answers

Question 4

The security manager of a global company has decided that a risk assessment needs to be completed across the company.

What is the primary objective of the risk assessment?

A. Identify, quantify and prioritize each of the business-critical assets residing on the corporate infrastructure

B. Identify, quantify and prioritize risks against criteria for risk acceptance

C. Identify, quantify and prioritize the scope of this risk assessment

D. Identify, quantify and prioritize which controls are going to be used to mitigate risk

Browse 30 Q&As
Question 5

Security monitoring is an important control measure to make sure that the required security level is maintained. To realize 24/7 availability of this service, it is outsourced to a partner in the cloud.

What should be an important control in the contract?

A. The network communication channel is secured by using encryption.

B. The third party is certified against ISO/IEC 27001.

C. The third party is certified for adhering to privacy protection controls.

D. Your IT auditor has the right to audit the external party's service management processes.

Question 6

Who should be asked to check compliance with the information security policy throughout the company?

A. Internal audit department

B. External forensics investigators

C. The same company that checks the yearly financial statement

Question 7

In a company, the IT strategy is migrating towards a Service Oriented Architecture (SOA) so that a future migration to the cloud becomes more feasible. The security architect is asked to make a first draft of the security architecture.

Which elements should the security architect draft?

A. Management and control of the security services

B. The information security policy, the risk assessment and the controls in the security services

C. Which security services are provided and in which supporting architectures are they defined

Question 8

The information security manager is writing the Information Security Management System (ISMS) documentation. The controls that are to be implemented must be described in one of the phases of the Plan-Do-Check-Act (PDCA) cycle of the ISMS.

In which phase should these controls be described?

A. Plan

B. Do

C. Check

D. Act

Question 9

The information security architect of a large service provider advocates an open design of the security architecture, as opposed to a secret design.

What is her main argument for this choice?

A. Open designs are easily configured.

B. Open designs have more functionality.

C. Open designs are tested extensively.

Question 10

When should information security controls be considered?

A. After the risk assessment

B. As part of the scoping meeting

C. At the kick-off meeting

D. During the risk assessment work

Question 11

What is a key item that must be kept in mind when designing an enterprise-wide information security program?

A. When defining controls follow an approach and framework that is consistent with organizational culture

B. Determine controls in the light of specific risks an organization is facing

C. Put enterprise-wide Network-Based and Host-Based Intrusion Detection and Prevention Systems (IDPS) into place as soon as possible

D. Put an incident management and log file analysis program in place immediately

Question 12

Which security item is designed to take collections of data from multiple computers?

A. Firewall

B. Host-Based Intrusion Detection and Prevention System (Host-Based IDPS)

C. Network-Based Intrusion Detection and Prevention System (Network-Based IDPS)

D. Virtual Private Network (VPN)

Question 13

The ambition of the security manager is to certify the organization against ISO/IEC 27001.

What is an activity in the certification program?

A. Formulate the security requirements in the outsourcing contracts

B. Implement the security baselines in Secure Systems Development Life Cycle (SecSDLC)

C. Perform a risk assessment of the secure internet connectivity architecture of the datacenter

D. Produce a Statement of Applicability based on risk assessments

Exam Code: ISMP
Exam Name: Information Security Management Professional based on ISO/IEC 27001
Last Update: May 10, 2024
Questions: 30 Q&As
