The security manager of a global company has decided that a risk assessment needs to be completed across the company.

What is the primary objective of the risk assessment?

A. Identify, quantify and prioritize each of the business-critical assets residing on the corporate infrastructure

B. Identify, quantify and prioritize risks against criteria for risk acceptance

C. Identify, quantify and prioritize the scope of this risk assessment

D. Identify, quantify and prioritize which controls are going to be used to mitigate risk

Who should be asked to check compliance with the information security policy throughout the company?

A. Internal audit department

B. External forensics investigators

C. The same company that checks the yearly financial statement

A company's webshop offers prospects and customers the possibility to search the catalog and place orders around the clock. In order to satisfy the needs of both customer and business several requirements have to be met. One of the criteria is data classification.

What is the most important classification aspect of the unit price of an object in a 24h webshop?

A. Confidentiality

B. Integrity

C. Availability

An experienced security manager is well aware of the risks related to communication over the internet. She also knows that Public Key Infrastructure (PKI) can be used to keep e- mails between employees confidential.

Which is the main risk of PKI?

A. The Certificate Authority (CA) is hacked.

B. The certificate is invalid because it is on a Certificate Revocation List.

C. The users lose their public keys.

D. The HR department wants to be a Registration Authority (RA).

The information security manager is writing the Information Security Management System (ISMS) documentation. The controls that are to be implemented must be described in one of the phases of the Plan-Do-Check-Act (PDCA) cycle of the ISMS.

In which phase should these controls be described?

A. Plan

B. Do

C. Check

D. Act

The handling of security incidents is done by the incident management process under guidelines of information security management. These guidelines call for several types of mitigation plans.

Which mitigation plan covers short-term recovery after a security incident has occurred?

A. The Business Continuity Plan (BCP)

B. The disaster recovery plan

C. The incident response plan

D. The risk treatment plan

Recovery Time Objective (RTO) and Recovery Point Objective (RPO) are key terms in business continuity management (BCM). Reducing loss of data is one of the focus areas of a BCM policy.

What requirement is in the data recovery policy to realize minimal data loss?

A. Maximize RPO

B. Reduce RPO

C. Reduce RTO

D. Reduce the time between RTO and RPO

What is a key item that must be kept in mind when designing an enterprise-wide information security program?

A. When defining controls follow an approach and framework that is consistent with organizational culture

B. Determine controls in the light of specific risks an organization is facing

C. Put an enterprise-wide network and Host-Based Intrusion Detection and Prevention System (Host-Based IDPS) into place as soon as possible

D. Put an incident management and log file analysis program in place immediately

The ambition of the security manager is to certify the organization against ISO/IEC 27001. What is an activity in the certification program?

A. Formulate the security requirements in the outsourcing contracts

B. Implement the security baselines in Secure Systems Development Life Cycle (SecSDLC)

C. Perform a risk assessment of the secure internet connectivity architecture of the datacenter

D. Produce a Statement of Applicability based on risk assessments

It is important that an organization is able to prove compliance with information standards and legislation. One of the most important areas is documentation concerning access management. This process contains a number of activities including granting rights, monitoring identity status, logging, tracking access and removing rights. Part of these controls are audit trail records which may be used as evidence for both internal and external audits.

What component of the audit trail is the most important for an external auditor?

A. Access criteria and access control mechanisms

B. Log review, consolidation and management

C. System-specific policies for business systems