Scenario 3: Socket Inc. is a telecommunications company offering mainly wireless products
and services. It uses MongoDB, a document model database that offers high availability,
scalability, and flexibility.
Last month, Socket Inc. reported an information security incident. A group of hackers
compromised its MongoDB database, because the database administrators did not change
its default settings, leaving it without a password and publicly accessible.
Fortunately, Socket Inc. performed regular information backups of its MongoDB
database, so no information was lost during the incident. In addition, a syslog server
allowed Socket Inc. to centralize all logs on one server. By reviewing the event logs that
record user faults and exceptions, the company found out that no persistent backdoor
had been placed and that the attack was not initiated by an employee inside the company.
To prevent similar incidents in the future, Socket Inc. decided to use an access control
system that grants access to authorized personnel only. The company also implemented a
control in order to define and implement rules for the effective use of cryptography,
including cryptographic key management, to protect the database from unauthorized
access. The implementation was based on all relevant agreements, legislation, and
regulations, and on the information classification scheme. To improve security and reduce
administrative effort, network segregation using VPNs was proposed.
Lastly, Socket Inc. implemented a new system to maintain, collect, and analyze information
related to information security threats, and integrate information security into project
management.
Based on the scenario above, answer the following question:
Which security control does NOT prevent information security incidents from recurring?
A. Segregation of networks
B. Privileged access rights
C. Information backup
Explanation: Information backup is a corrective control that aims to restore the information in case of data loss, corruption, or deletion. It does not prevent information security incidents from recurring, but rather mitigates their impact. The other options are preventive controls that reduce the likelihood of information security incidents by limiting the access to authorized personnel, segregating the networks, and using cryptography. These controls can help Socket Inc. avoid future attacks on its MongoDB database by addressing the vulnerabilities that were exploited by the hackers.
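The two default settings the scenario names (no access control and a listener reachable from the public network) are both visible in a plain mongod.conf, so the preventive controls the explanation refers to can be checked before deployment. The following audit script is an added example, not part of the original question set and not MongoDB's own tooling; the two configuration files are constructed samples, and the parser only handles the two-level `section:` / `  key: value` subset that mongod.conf uses (it is not a general YAML parser).

```python
"""
Audit a mongod.conf for the two weaknesses from the Socket Inc. scenario:
  1. access control off  (security.authorization is not 'enabled')
  2. listener reachable from outside the host (net.bindIp / net.bindIpAll)
Added example; the config texts below are constructed, not from a real host.
"""

# Constructed sample: the state the scenario describes, no 'security' section
# and a listener bound to every interface.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: access control on, listener restricted to loopback.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

# Addresses that keep the listener on the host itself.
LOCAL_ONLY = {"127.0.0.1", "localhost", "::1"}


def parse_conf(text):
    """Parse the 'section:\\n  key: value' subset of YAML used by mongod.conf.
    Comments ('#') and blank lines are ignored; returns {section: {key: value}}."""
    conf = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line.startswith(" "):
            # top-level section header such as 'net:' or 'security:'
            section = line.rstrip(":").strip()
            conf[section] = {}
        elif section is not None:
            key, _, value = line.strip().partition(":")
            conf[section][key.strip()] = value.strip()
    return conf


def audit(text):
    """Return a list of human-readable findings; an empty list means both
    scenario weaknesses are absent from the configuration."""
    conf = parse_conf(text)
    findings = []

    auth = conf.get("security", {}).get("authorization", "")
    if auth != "enabled":
        findings.append(
            "security.authorization is not 'enabled': any client that can reach "
            "the port has unrestricted access (the scenario's 'no password')")

    net = conf.get("net", {})
    if net.get("bindIpAll", "").lower() == "true":
        findings.append("net.bindIpAll=true: listener bound to all interfaces")
    elif "bindIp" not in net:
        findings.append(
            "net.bindIp is not set explicitly: the effective listener depends on "
            "the mongod version; pin it to loopback or an internal address")
    else:
        addrs = {a.strip() for a in net["bindIp"].split(",")}
        if not addrs <= LOCAL_ONLY:
            findings.append(
                f"net.bindIp={net['bindIp']}: listener reachable from non-local "
                "interfaces (the scenario's 'publicly accessible')")
    return findings


if __name__ == "__main__":
    for name, conf_text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{name}]")
        for finding in audit(conf_text) or ["no findings"]:
            print("  -", finding)
```

Run on the weak sample the script reports two findings, one per scenario weakness; on the hardened sample it reports none. A database that also needs to be reached from application hosts would bind to a specific internal address rather than loopback, which the check still accepts only if that address is listed in `LOCAL_ONLY`, so extend that set deliberately rather than widening the rule.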
An employee of the organization accidentally deleted customers' data stored in the database. What is the impact of this action?
A. Information is not accessible when required
B. Information is modified in transit
C. Information is not available to only authorized users
Explanation: According to ISO/IEC 27001:2022, availability is one of the three principles of information security, along with confidentiality and integrity. Availability means that information is accessible and usable by authorized persons whenever it is needed. If an employee of the organization accidentally deleted customers' data stored in the database, this would affect the availability of the information, as it would not be accessible when required by the authorized persons, such as the customers themselves, the organization's staff, or other stakeholders. This could result in loss of trust, reputation, or business opportunities for the organization, as well as dissatisfaction or inconvenience for the customers.
A company decided to use an algorithm that analyzes various attributes of customer behavior, such as browsing patterns and demographics, and groups customers based on their similar characteristics. This way, the company will be able to identify frequent buyers and trend-followers, among others. What type of machine learning is the company using?
A. Decision tree machine learning
B. Supervised machine learning
C. Unsupervised machine learning
Explanation: According to the ISO/IEC 27001:2022 Lead Implementer course, one of the objectives of information security incident management is to collect and preserve records that can be used as evidence for disciplinary and legal action, as well as for learning and improvement purposes. Therefore, Anna should be aware of the collection and preservation of records when gathering data for the forensics team. She should follow the guidelines and procedures specified in the information security incident management policy of InfoSec, which defines the type, format, content, and location of the records to be created and maintained. The records should be accurate, complete, consistent, and reliable, and should be protected from unauthorized access, modification, or deletion.
Scenario 4: TradeB, a commercial bank that has just entered the market, accepts deposits
from its clients and offers basic financial services and loans for investments. TradeB has
decided to implement an information security management system (ISMS) based on
ISO/IEC 27001. Having no experience of a management system implementation,
TradeB's top management contracted two experts to direct and manage the ISMS
implementation project.
First, the project team analyzed the 93 controls of ISO/IEC 27001 Annex A and listed only
the security controls deemed applicable to the company and their objectives. Based on this
analysis, they drafted the Statement of Applicability. Afterward, they conducted a risk
assessment, during which they identified assets, such as hardware, software, and
networks, as well as threats and vulnerabilities, assessed potential consequences and
likelihood, and determined the level of risks based on three nonnumerical categories (low,
medium, and high). They evaluated the risks based on the risk evaluation criteria and
decided to treat only the high risk category. They also decided to focus primarily on the
unauthorized use of administrator rights and system interruptions due to several hardware
failures by establishing a new version of the access control policy, implementing controls to
manage and control user access, and implementing a control for ICT readiness for
business continuity. Lastly, they drafted a risk assessment report, in which they wrote that if, after the
implementation of these security controls, the level of risk is below the acceptable level, the
risks will be accepted.
Based on the scenario above, answer the following question:
The decision to treat only risks that were classified as high indicates that TradeB has:
A. Evaluated other risk categories based on risk treatment criteria
B. Accepted other risk categories based on risk acceptance criteria
C. Modified other risk categories based on risk evaluation criteria
Explanation: According to ISO/IEC 27001:2022, risk acceptance criteria are the criteria used to decide whether a risk can be accepted or not. Risk acceptance criteria are often based on a maximum level of acceptable risk, on cost-benefit considerations, or on consequences for the organization. In the scenario, TradeB decided to treat only the high risk category, which implies that.
Scenario 6: Skyver offers worldwide shipping of electronic products, including gaming
consoles, flat-screen TVs, computers, and printers. In order to ensure information security,
the company has decided to implement an information security management system
(ISMS) based on the requirements of ISO/IEC 27001.
Colin, the company's best information security expert, decided to hold a training and
awareness session for the personnel of the company regarding the information security
challenges and other information security-related controls. The session included topics
such as Skyver's information security approaches and techniques for mitigating phishing
and malware.
One of the participants in the session is Lisa, who works in the HR Department. Although
Colin explains Skyver's existing information security policies and procedures in an
honest and fair manner, she finds some of the issues being discussed too technical and
does not fully understand the session. Therefore, in many cases, she requests additional
help from the trainer and her colleagues.
What is the difference between training and awareness? Refer to scenario 6.
A. Training helps acquire certain skills, whereas awareness develops certain habits and behaviors.
B. Training helps acquire a skill, whereas awareness helps apply it in practice
C. Training helps transfer a message with the intent of informing, whereas awareness helps change the behavior toward the message
Explanation: According to ISO/IEC 27001, training and awareness are two different but
complementary activities that aim to enhance the information security competence and
performance of the organization’s personnel. Training is the process of providing instruction
and guidance to help individuals acquire certain skills, knowledge, or abilities related to
information security. Awareness is the process of raising the level of consciousness and
understanding of the importance and benefits of information security, and developing
certain habits and behaviors that support the information security objectives and
requirements.
In scenario 6, Colin is holding a training and awareness session for the personnel of
Skyver, which means he is combining both activities to achieve a more effective and
comprehensive information security education. The training part of the session covers
topics such as Skyver’s information security policies and procedures, and techniques for
mitigating phishing and malware. The awareness part of the session covers topics such as
Skyver’s information security approaches and challenges, and the benefits of information
security for the organization and its customers. The purpose of the session is to help the
personnel acquire the necessary skills to perform their information security roles and
responsibilities, and to develop the appropriate habits and behaviors to protect the
information assets of the organization.