Feb 28 2021
This exam paper is a mock exam for EXIN Information Security Foundation based on ISO/IEC 27001 (ISFS.CH). The EXIN examination regulations apply to this exam.
Copyright © EXIN Holding B.V. 2021. All rights reserved.
EXIN® is a registered trademark.
1 of 40
In order to take out a fire insurance, an organization must determine the value of the data that it manages.
Which factor is
important for determining the value of data for an organization?
The amount of storage required for the data
The degree to which missing data can be recovered
The indispensability of data for the business processes
The importance of the processes that use the data
2 of 40
Besides integrity and confidentiality, what is the third reliability aspect of information?
3 of 40
An organization has a network printer in the hallway of the company. Many employees do not pick up their printouts immediately and leave them on the printer.
What is the consequence of this to the reliability of the information?
The availability of the information is no longer guaranteed.
The confidentiality of the information is no longer guaranteed.
The integrity of the information is no longer guaranteed.
4 of 40
A database contains a few million transactions of a phone company. An invoice for a customer has been generated and sent.
What does this invoice contain for the customer?
Data and information
5 of 40
What is the
description of the focus of information management?
Allowing business activities and processes to continue without interruption
Ensuring that the value of information is identified and exploited
Preventing unauthorized persons from having access to automated systems
Understanding how information flows through an organization
6 of 40
A database system has not had the latest security patches applied to it and was hacked. The hackers were able to access the data and delete it.
What information security concept describes the lack of security patching?
7 of 40
An administration office is determining the dangers to which it is exposed.
What is a possible event that can have a disruptive effect on the reliability of information called?
8 of 40
What is a purpose of risk management?
To determine the probability that a certain risk will occur
To direct and control an organization with regard to risk
To investigate the damage caused by possible security incidents
To outline the threats to which IT resources are exposed
9 of 40
Which is a human threat?
A leak causes a failure of the electricity supply.
A USB stick passes on a virus to a network.
There is too much dust in the server room.
10 of 40
A well-executed risk analysis provides a great deal of useful information. A risk analysis has four main objectives.
one of the four main objectives of a risk analysis?
Determine relevant vulnerabilities and threats
Establish a balance between the costs of an incident and the costs of a measure
Identify assets and their value
Implement measures and controls
11 of 40
There was a fire in a branch of the company Midwest Insurance. The fire department quickly arrived at the scene and could extinguish the fire before it spread and burned down the entire premises. The server, however, was destroyed in the fire. The backup tapes kept in another room had melted and many other documents were lost.
damage is caused by this fire?
Burned computer systems
Melted back-up tapes
12 of 40
An office is situated in an industrial area. The company next to the office works with flammable materials.
What is the relationship between the threat of fire and the risk of fire?
The threat of fire comes from the company next to the office, which poses a risk of fire by working with flammable materials in a vulnerable industrial area.
The threat of fire comes from the flammable materials, which poses a risk of fire to the office if the office has the vulnerability of not being fire-proof.
The threat of fire comes from the probability that the office will suffer damage because of the risk of fire the flammable materials pose.
The threat of fire comes from the vulnerable office in the industrial area, which is working close to a company that poses a risk of fire.
13 of 40
A fire breaks out in a branch office of a health insurance company. The employees are transferred to neighboring branches to continue their work.
Where in the incident cycle is moving to a stand-by arrangement found?
Between the damage and recovery stages
Between the incident and damage stages
Between the recovery and threat stages
Between the threat and incident stages
14 of 40
How is the purpose of information security policy
An information security policy documents the analysis of risks and the search for countermeasures.
An information security policy gives direction and support to the organization regarding information security.
An information security policy makes the security plan concrete by providing it with the necessary details.
An information security policy provides insight into threats and the possible consequences.
15 of 40
An employee from an insurance company discovers that the expiration date of a policy has been changed without his knowledge. He is the only person authorized to do this. He reports this security incident to the helpdesk. The helpdesk worker records the following information regarding this incident:
- date and time
- description of the incident
- possible consequences of the incident
What important information about the incident is missing here?
The name of the person reporting the incident
The name of the software package
The names of the informed people
The PC number
16 of 40
Juliana is the owner of a courier company. She employs a few people who, while waiting to make a delivery, can carry out other tasks. She notices, however, that they use this time to send and read their private e-mail and surf the internet.
In legal terms, in which way can the use of the internet and e-mail
By blocking all websites
By drafting a code of conduct
By implementing privacy regulations
By installing a virus scanner
17 of 40
Which system guarantees the coherence of information security in the organization?
Information Security Management System (ISMS)
Intrusion detection system (IDS)
Security regulations for special information
18 of 40
A security incident regarding a webserver is reported to a help desk employee. His colleague has more experience with webservers, so he transfers the case to her.
Which term describes this transfer?
19 of 40
Who is responsible for the translation of the business strategy and objectives to security strategy and objectives?
Chief information security officer (CISO)
Information security officer (ISO)
Information security policy officer
20 of 40
What is a repressive measure in case of a fire?
Putting out a fire after it has been detected
Repairing damage caused by the fire
Taking out a fire insurance
21 of 40
What is the goal of classification of information?
Applying labels to make the information easier to recognize
Creating a manual on how to handle mobile devices
Structuring information according to its sensitivity
22 of 40
Which threat can occur as a result of the absence of a physical measure?
A confidential document is left in the printer.
A server shuts down because of overheating.
A user can view the files belonging to another user.
Hackers can freely enter the computer network.
23 of 40
A computer room is protected by a pass reader. Only the system management department has a pass.
What type of security measure is this?
A corrective security measure
A physical security measure
A logical security measure
A repressive security measure
24 of 40
The back-ups of the central server are kept in the same locked room as the server.
What risk does the organization
If the server crashes, it will take a long time before the server is operational again.
In the event of a fire, it is impossible to get the system back to its former state.
No one is responsible for these back-ups.
Unauthorized persons have easy access to the back-ups.
25 of 40
What is 'establishing whether someone’s identity is correct' called?
26 of 40
What sort of security does a public key infrastructure (PKI) offer?
A PKI verifies which person or system belongs to a specific public key.
A PKI ensures that backups of company data are made on a regular basis.
A PKI shows customers that a web-based business is secure.
27 of 40
In the IT department of a medium-sized company, confidential information has come into the wrong hands several times. This has hurt the image of the company. Therefore, the company is looking into organizational security measures to protect laptops at the company.
What is the
step that should be taken?
Appoint additional security employees
Encrypt storage devices and hard disks of laptops
Formulate a policy regarding mobile devices
Set up an access control policy
28 of 40
What is the
important reason for applying segregation of duties?
To create joint responsibility by all employees for the mistakes they make
To ensure that employees do the same work at the same time
To make clear who is responsible for what tasks and activities
To minimize the misuse of business assets or the chance of unauthorized or unintended changes
29 of 40
Which measure is a preventive measure?
Installing a logging system that enables changes in a system to be recognized
Putting all sensitive information in a safe after working hours
Shutting down all internet traffic after a hacker has gained access to the company systems
30 of 40
Which type of malware builds a network of contaminated computers?
31 of 40
Within an organization the security officer detects that a workstation of an employee is infected with malicious software. The malicious software was installed due to a targeted phishing attack.
Which action is the
beneficial to prevent such incidents in the future?
Implement mandatory access control (MAC) technology
Start a security awareness program
Update the firewall rules
Update the signatures of the spam filter
32 of 40
What is the purpose of a disaster recovery plan (DRP)?
To identify the vulnerability underlying a disaster
To minimize the consequences in case of a disaster
To reduce the possibility of a disaster occurring
To restore the situation back to how this was before the disaster
33 of 40
In physical security, multiple protection rings can be applied in which different measures can be taken.
a protection ring?
34 of 40
Measures taken to safeguard an information system from attacks.
Of which concept is this the definition?
35 of 40
What is a characteristic of a security measure?
It describes a process for handling incidents.
It exposes an organization to possible damage.
It is put in place to mitigate against a potential risk.
It indicates the effect of uncertainty on objectives.
36 of 40
A data center uses an uninterruptible power supply (UPS) but has no power generator.
What is the risk associated with this setup for the availability of the data center?
The main power may not come up again automatically when restored, because this needs a power generator.
The main power outage may last for longer than a few minutes or hours, which will cause unavailability of power.
The UPS may run out of diesel and stop functioning after a couple of days, so its lifespan is limited.
The UPS must be powered by the power generator after a few hours, so only provides limited protection.
37 of 40
Under which condition is an employer permitted to check if internet and e-mail services in the workplace are being used for private purposes?
If a firewall is also installed
If the employee is informed after each instance of checking
If the employee is aware that this could happen
38 of 40
Which standard or regulation is also known as the 'code of practice for information security controls'?
Payment Card Industry (PCI) compliance
39 of 40
Legislation and regulations are important for the reliability of the information used within the organization.
What is the
step that an organization must take to become compliant?
Conducting a risk analysis to find out which legislation and regulations apply
Creating an acceptable use policy to make personnel aware of what they must do
Planning the compliance audits in advance in accordance with the PDCA cycle
Writing a policy that indicates which local laws and regulations must be followed
40 of 40
Which legislation may have an impact on information security requirements for all companies dealing with European Union (EU) residents?
European Convention on Human Rights (ECHR)
NIST Cybersecurity Framework
Payment Card Industry Data Security Standard (PCI-DSS)