EX0-105 - Information Security Foundation based on ISO/IEC 27002
A couple of years ago you started your company which has now grown from 1 to 20 employees. Your company's information is worth more and more and gone are the days when you could keep it all in hand yourself. You are aware that you have to take measures, but what should they be? You hire a consultant who advises you to start with a qualitative risk analysis. What is a qualitative risk analysis?
This analysis is based on scenarios and situations and produces a subjective view of the possible threats.
Peter works at the company Midwest Insurance. His manager, Linda, asks him to send the terms and conditions for a life insurance policy to Rachel, a client. Who determines the value of the information in the insurance terms and conditions document?
The recipient, Rachel
What is the objective of classifying information?
Defining different levels of sensitivity into which information may be arranged
Which approach does/did the United States take with regard to privacy legislation?
Create legislation as it is needed
Under which condition is an employer permitted to check if Internet and email services in the workplace are being used for private purposes?
The employer is permitted to check this if the employees are aware that this could happen.
What is an example of a security incident?
A member of staff loses a laptop.
You own a store, and money keeps disappearing from the cash register. You want to put an end to this by means of a detective measure. What is an example of a detective measure?
Set up a hidden camera.
The Information Security Manager (ISM) at Smith Consultants Inc. introduces the following measures to assure information security:
- The security requirements for the network are specified.
- A test environment is set up for the purpose of testing reports coming from the database.
- The various employee functions are assigned corresponding access rights.
- RFID access passes are introduced for the building.
Which one of these measures is not a technical measure?
Introducing RFID access passes
You are the owner of the courier company SpeeDelivery. You have carried out a risk analysis and now want to determine your risk strategy. You decide to take measures for the large risks but not for the small risks. What is this risk strategy called?
What is "a potential cause of an unwanted incident, which may result in harm to a system or organization" called?
A well executed risk analysis provides a great deal of useful information. A risk analysis has four main objectives. What is not one of the four main objectives of a risk analysis?
Determining the costs of threats
Why is compliance important for the reliability of the information?
By meeting the legislative requirements and the regulations of both the government and internal management, an organization shows that it manages its information in a sound manner.
There are three types of "human threats". The threat that a user accidentally deletes a document belongs to which category?
Unintentional human threats
Your company has to ensure that it meets the requirements set down in personal data protection legislation. What is the first thing you should do?
Which of the following measures is a preventive measure?
Putting sensitive information in a safe
A non-human threat for computer systems is a flood. In which situation is a flood always a relevant threat?
When computer systems are kept in a cellar below ground level.
What is the goal of an organization's security policy?
To provide direction and support to information security
Which security measure is not an organizational level security measure?
Implementing Role Based Access Control
You work for a flexible employer who doesn't mind if you work from home or on the road. You regularly take copies of documents with you on a USB memory stick that is not secure. What are the consequences for the reliability of the information if you leave your USB memory stick behind on the train?
The confidentiality of the data on the USB memory stick is no longer guaranteed.
You have just started working at a large organization. You have been asked to sign a code of conduct as well as a contract. What does the organization wish to achieve with this?
A code of conduct helps to prevent the misuse of IT facilities.
You work for a large organization. You notice that you have access to confidential information that you should not be able to access in your position. You report this security incident to the helpdesk. The incident cycle is initiated. What are the stages of the security incident cycle?
Threat, Incident, Damage, Recovery
During a risk analysis a system administrator mentions that due to the lack of communication between Human Resources Management (HRM) and system administrators, employees can still access the company server from home even if they are no longer employed by the company. Which characteristic of a risk is missing here?
You are the first to arrive at work in the morning and notice that the CD ROM on which you saved contracts yesterday has disappeared. You were the last to leave yesterday. When should you report this information security incident?
This incident should be reported immediately.
Physical security must protect a company from anyone easily accessing the company assets. This is illustrated by thinking in terms of a series of protection rings. Which protection ring deals with the asset that is to be protected?
You are the owner of the courier company SpeeDelivery. On the basis of your risk analysis you have decided to take a number of measures. You have daily backups made of the server, keep the server room locked and install an intrusion alarm system and a sprinkler system. Which of these measures is a detective measure?
Your organization has an office with space for 25 workstations. These workstations are all fully equipped and in use. Due to a reorganization 10 extra workstations are added, 5 of which are used for a call centre 24 hours per day. Five workstations must always be available. What physical security measures must be taken in order to ensure this?
Obtain an extra office and connect all 10 new workstations to an emergency power supply and UPS (Uninterruptible Power Supply). Adjust the access control system to the working hours of the new staff. Inform the building security personnel that work will also be carried out in the evenings and at night.
What physical security measure is necessary to control access to company information?
The use of break-resistant glass and doors with the right locks, frames and hinges
Why is sensitive information graded?
To determine how the information should be processed
What is a human threat to the reliability of the information on your company website?
One of your employees commits an error in the price of a product on your website.
Two friends want to exchange a confidential document by e-mail. They decide to use cryptography to protect the confidentiality of the document. To be able to encrypt and decrypt the document they first exchange, by phone, the key that is used for both encryption and decryption. What type of encryption system is used by the two friends?
Logging in to a computer system is an access-granting process consisting of three steps: identification, authentication and authorization. What occurs during the first step of this process: identification?
The first step consists of checking if the user appears on the list of authorized users.
What is the definition of the Annual Loss Expectancy?
The Annual Loss Expectancy is the amount of damage that can occur as a result of an incident during the year.
What is the relationship between data and information?
Information is the meaning and value assigned to a collection of data.
Someone sends an e-mail. The sender wants the recipient to be able to verify who wrote and sent the email. What does the sender attach to the email?
A digital signature
A company moves into a new building. A few weeks after the move, a visitor appears unannounced in the office of the director. An investigation shows that visitors' passes grant the same access as the passes of the company's staff. Which kind of security measure could have prevented this?
A physical security measure
What do employees need to know to report a security incident?
How to report an incident and to whom.
There is a network printer in the hallway of the company where you work. Many employees don't pick up their printouts immediately and leave them in the printer. What are the consequences of this to the reliability of the information?
The confidentiality of the information is no longer guaranteed.
Why is air-conditioning placed in the server room?
In the server room the air has to be cooled and the heat produced by the equipment has to be extracted. The air in the room is also dehumidified and filtered.
Which of the following measures is a corrective measure?
Restoring a backup of the correct database after a corrupt copy of the database was written over the original
You work in the office of a large company. You receive a call from a person claiming to be from the Helpdesk. He asks you for your password. What kind of threat is this?
You are the owner of SpeeDelivery courier service. Because of your company's growth you have to think about information security. You know that you have to start creating a policy. Why is it so important to have an information security policy as a starting point?
The information security policy gives direction to the information security efforts.
An employee detects abnormal behavior of her desktop computer. After reporting to the system administrator and a first investigation, the system administrators decide to get some help from the Computer Emergency Response Team (CERT). Which type of escalation is described above?
Which regulation is only applicable for United States public companies (e.g. listed on the New York Stock Exchange)?
When we are at our desk, we want the information system and the necessary information to be available. We want to be able to work with the computer and access the network and our files. What is the correct definition of availability?
The degree to which an information system is available for the users
There was a fire in a branch of the company Midwest Insurance. The fire department quickly arrived at the scene and could extinguish the fire before it spread and burned down the entire premises. The server, however, was destroyed in the fire. The backup tapes kept in another room had melted and many other documents were lost for good. What is an example of the indirect damage caused by this fire?
Water damage due to the fire extinguishers
Which threat can materialize as a result of the absence of physical security?
Systems malfunction due to spikes in the power supply.
You have an office that designs corporate logos. You have been working on a draft for a large client. Just as you are going to press the <save> button, the screen goes blank. The hard disk is damaged and cannot be repaired. You find an early version of the design in your mail folder and you reproduce the draft for the customer. What is such a measure called?
What sort of security does a Public Key Infrastructure (PKI) offer?
By providing agreements, procedures and an organization structure, a PKI defines which person or which system belongs to which specific public key.
What is the best way to comply with legislation and regulations for personal data protection?
Appointing the responsibility to someone
Some threats are caused directly by people, others have a natural cause. What is an example of an intentional human threat?