ISFS - Information Security Foundation based on ISO/IEC 27002 exam
Why is compliance important for the reliability of the information?
By meeting the legislative requirements and the regulations of both the government and internal management, an organization shows that it manages its information in a sound manner.
Logging in to a computer system is an access-granting process consisting of three steps: identification, authentication and authorization. What occurs during the first step of this process: identification?
The first step consists of checking if the user appears on the list of authorized users.
You work for a flexible employer who doesn't mind if you work from home or on the road. You regularly take copies of documents with you on a USB memory stick that is not secure. What are the consequences for the reliability of the information if you leave your USB memory stick behind on the train?
The confidentiality of the data on the USB memory stick is no longer guaranteed.
You have an office that designs corporate logos. You have been working on a draft for a large client. Just as you are going to press the <save> button, the screen goes blank. The hard disk is damaged and cannot be repaired. You find an early version of the design in your mail folder and you reproduce the draft for the customer. What is such a measure called?
You work for a large organization. You notice that you have access to confidential information that you should not be able to access in your position. You report this security incident to the helpdesk. The incident cycle is initiated. What are the stages of the security incident cycle?
Threat, Incident, Damage, Recovery
A non-human threat for computer systems is a flood. In which situation is a flood always a relevant threat?
When computer systems are kept in a cellar below ground level.
Why is air-conditioning placed in the server room?
In the server room the air has to be cooled and the heat produced by the equipment has to be extracted. The air in the room is also dehumidified and filtered.
What is the greatest risk for an organization if no information security policy has been defined?
It is not possible for an organization to implement information security in a consistent manner.
Midwest Insurance controls access to its offices with a passkey system. We call this a preventive measure. What are some other measures?
Detective, repressive and corrective measures
You are the owner of SpeeDelivery courier service. Because of your company's growth you have to think about information security. You know that you have to start creating a policy. Why is it so important to have an information security policy as a starting point?
The information security policy gives direction to the information security efforts.
You are the owner of the SpeeDelivery courier service. Last year you had a firewall installed. You now discover that no maintenance has been performed since the installation. What is the biggest risk because of this?
The risk that hackers can do as they wish on the network without detection
Which of the following measures is a corrective measure?
Restoring a backup of the correct database after a corrupt copy of the database was written over the original
What is an example of a physical security measure?
Special fire extinguishers with inert gas, such as Argon
What is the goal of an organization's security policy?
To provide direction and support to information security
There was a fire in a branch of the company Midwest Insurance. The fire department quickly arrived at the scene and could extinguish the fire before it spread and burned down the entire premises. The server, however, was destroyed in the fire. The backup tapes kept in another room had melted and many other documents were lost for good. What is an example of the indirect damage caused by this fire?
Water damage due to the fire extinguishers
At Midwest Insurance, all information is classified. What is the goal of this classification of information?
Structuring information according to its sensitivity
What is the most important reason for applying segregation of duties?
Tasks and responsibilities must be separated in order to minimize the opportunities for business assets to be misused or changed, whether the change be unauthorized or unintentional.
My user profile specifies which network drives I can read and write to. What is the name of the type of logical access management wherein my access and rights are determined centrally?
Mandatory Access Control (MAC)
The company Midwest Insurance has taken many measures to protect its information. It uses an Information Security Management System, the input and output of data in applications is validated, confidential documents are sent in encrypted form and staff use tokens to access information systems. Which of these is not a technical measure?
Information Security Management System
What is an example of a good physical security measure?
All employees and visitors carry an access pass.
Which is a legislative or regulatory act related to information security that can be imposed upon all organizations?
Personal data protection legislation
What physical security measure is necessary to control access to company information?
The use of break-resistant glass and doors with the right locks, frames and hinges
An employee in the administrative department of Smiths Consultants Inc. finds out that the expiry date of a contract with one of the clients is earlier than the start date. What type of measure could prevent this error?
A Dutch company requests to be listed on the American Stock Exchange. Which legislation within the scope of information security is relevant in this case?
You have just started working at a large organization. You have been asked to sign a code of conduct as well as a contract. What does the organization wish to achieve with this?
A code of conduct helps to prevent the misuse of IT facilities.
We can acquire and supply information in various ways. The value of the information depends on whether it is reliable. What are the reliability aspects of information?
Availability, Integrity and Confidentiality
What sort of security does a Public Key Infrastructure (PKI) offer?
By providing agreements, procedures and an organization structure, a PKI defines which person or which system belongs to which specific public key.
Susan sends an email to Paul. Who determines the meaning and the value of information in this email?
Paul, the recipient of the information.
What is an example of a non-human threat to the physical environment?
What is the best way to comply with legislation and regulations for personal data protection?
Appointing the responsibility to someone
What is a risk analysis used for?
A risk analysis is used to ensure that security measures are deployed in a cost-effective and timely fashion.
What is the relationship between data and information?
Information is the meaning and value assigned to a collection of data.
Some security measures are optional. Other security measures must always be implemented. Which measure(s) must always be implemented?
Measures required by laws and regulations
The Information Security Manager (ISM) at Smith Consultants Inc. introduces the following measures to assure information security: - The security requirements for the network are specified. - A test environment is set up for the purpose of testing reports coming from the database. - The various employee functions are assigned corresponding access rights. - RFID access passes are introduced for the building. Which one of these measures is not a technical measure?
Introducing RFID access passes
Three characteristics determine the reliability of information. Which characteristics are these?
Availability, Integrity and Confidentiality
You are the owner of the courier company SpeeDelivery. You have carried out a risk analysis and now want to determine your risk strategy. You decide to take measures for the large risks but not for the small risks. What is this risk strategy called?
A couple of years ago you started your company, which has now grown from 1 to 20 employees. Your company's information is worth more and more, and gone are the days when you could keep it all in hand yourself. You are aware that you have to take measures, but what should they be? You hire a consultant who advises you to start with a qualitative risk analysis. What is a qualitative risk analysis?
This analysis is based on scenarios and situations and produces a subjective view of the possible threats.
You own a small company in a remote industrial area. Lately, the alarm regularly goes off in the middle of the night. It takes quite a bit of time to respond to it and it seems to be a false alarm every time. You decide to set up a hidden camera. What is such a measure called?
You are the first to arrive at work in the morning and notice that the CD ROM on which you saved contracts yesterday has disappeared. You were the last to leave yesterday. When should you report this information security incident?
This incident should be reported immediately.
What is a human threat to the reliability of the information on your company website?
One of your employees commits an error in the price of a product on your website.
You work in the IT department of a medium-sized company. Confidential information has got into the wrong hands several times. This has hurt the image of the company. You have been asked to propose organizational security measures for laptops at your company. What is the first step that you should take?
Formulate a policy regarding mobile media (PDAs, laptops, smartphones, USB sticks)
There is a network printer in the hallway of the company where you work. Many employees don't pick up their printouts immediately and leave them in the printer. What are the consequences of this for the reliability of the information?
The confidentiality of the information is no longer guaranteed.
What is the objective of classifying information?
Defining different levels of sensitivity into which information may be arranged
An airline company employee notices that she has access to one of the company's applications that she has not used before. Is this an information security incident?
Some threats are caused directly by people, others have a natural cause. What is an example of an intentional human threat?
What do employees need to know to report a security incident?
How to report an incident and to whom.
Which type of malware builds a network of contaminated computers?
Storm Worm or Botnet
Which measure ensures that valuable information is not left out, available for the taking?
Clear desk policy
In most organizations, access to the computer or the network is granted only after the user has entered a correct username and password. This process consists of 3 steps: identification, authentication and authorization. What is the purpose of the second step, authentication?
The system determines whether access may be granted by determining whether the token used is authentic.
Who is authorized to change the classification of a document?
The owner of the document