Oct 28 2021 |
This is a sample exam for EXIN Information Security Management Professional based on ISO/IEC 27001 (ISMP.CH). The EXIN exam regulations apply to this exam.
Copyright © EXIN Holding B.V. 2021. All rights reserved.
EXIN® is a registered trademark.
1 of 30
Which is a
element of security strategy development?
Description of how the services are being supported
Policy should not conflict with the law of the country it is being implemented in
Relevant control objectives
Return on Investment (ROI)
2 of 30
One of the challenges of the IT security manager for a rather conservative organization is to teach IT management that in order to provide an effective information security program for the organization a change in thought as to what IT security is and what it encompasses is necessary.
What is the IT security manager trying to teach management?
By focusing on the protection of the IT infrastructure and not getting sidetracked, it can ensure that proper focus is given where it is most critical.
Information security increasingly requires attention from more than just IT as not only the technology matters but also public acceptance of the use of technology.
Information security needs to operate within the bounds of the organizational IT group and limit their interaction with other organizational groups.
3 of 30
One of the business managers is really concerned that any sort of IT security program is going to be too intrusive for the business to continue to thrive and be innovative.
describes what should be told to the manager?
Information security exists to serve the interests of the organization and only the level of security that is appropriate for the value of the information is implemented.
Information security is a means to safeguard information and mitigate all the data risks within the organization.
While information security can be a bit intrusive it is for the best of the organization and all corporate information needs to be locked down tight or dire consequences can be faced.
4 of 30
The security manager is responsible for defining the security controls for a company. The company is selecting a supplier to host the web-facing ordering system.
What should be the
important aspect the security manager looks for?
A standard for due care
A standard for due diligence
Best security practices
5 of 30
Security controls are defined based on the security classification of a data element.
Who is responsible for the security classification of a data element?
The board of directors, that runs the company
The data custodian, who manages the use of the data
The process owner, who governs the process
The system owner, who safeguards the information system
6 of 30
Which risk assessment approach uses categories instead of actual numbers to determine risks?
7 of 30
Information security management is currently being implemented in the company “Internet Booksellers”. The project leader for the information security project understands that the risk identification process requires him to list organizational assets arranged in order of importance and he is working with the financial manager to develop this list. The weight of importance is based on the following criteria: impact on revenue (30%), impact on profitability (40%) and impact on public image (30%).
The financial manager has come up with four important information assets:
- Supplier orders (outbound)
- Customer order via SSL (inbound)
- Supplier fulfillment advice (inbound)
- Customer service request via e-mail (inbound)
What asset ranks the highest based on the impact criteria?
Supplier orders (outbound)
Customer order via SSL (inbound)
Supplier fulfillment advice (inbound)
Customer service request via e-mail (inbound)
8 of 30
What needs to be decided prior to considering the treatment of risks?
How to apply appropriate controls to reduce the risks
Operational requirements and constraints
Requirements and constraints of national and international legislation and regulations
9 of 30
A large transportation company has adopted the standard for information security (ISO/IEC 27001:2013) and needs to set up controls for its software development department which they will outsource. An external consultant has been appointed to make sure that security controls consistent with the code of practice will be implemented over the complete supply chain for software development in the new outsourced situation.
What control should be put in place to guarantee availability of the source code should one of the partners in the supply chain go out of business?
10 of 30
The security manager for a company has just been tasked with leading the organization’s first ever risk assessment effort. The security manager is in the process of implementing controls to mitigate the identified risks. She has taken into account the organizational feasibility and the political feasibility using the organizational objectives and applicable legislation and regulations.
Which item also needs to be accounted for when taking into account the operational feasibility?
Prioritization of risks
Transfer of risks
11 of 30
The scope of risk management is not limited to the organizational processes alone. It should also be embedded in the project management methodology. An information security risk assessment, for example, should be conducted at an early stage of each project. When implementing project risk management, it is necessary to consider the scope of this project.
What should be included in the scope of project risk management for standard projects?
Because a project organization is only a small part of the organization, it is only necessary to include a simple identification and rating mechanism for the threats and risks specifically related to the project.
It should include processes necessary to assess, manage and reduce the impact of occurrences, as it would be with an information security project.
It is necessary to prepare for the maximum risk level and therefore implement important sub-processes like risk identification, quantification, response development and response control.
12 of 30
What is the popular name of the ISO/IEC 15408 about security architecture models?
Rainbow series – the “orange book”
13 of 30
An operations manager wants some advice about opening a second datacenter as a hot standby location.
What would the information security officer advise her to do?
Make sure that the location has a different physical risk profile than the primary location (airplanes, water)
Make sure that network and power supply are made redundant and, preferably, from different providers
Make sure that physical access is only granted to specific operators
Make sure that the company will not be a victim of the Patriot Act legislation
14 of 30
A security team has just finished an organizational risk assessment and is now discussing controls to mitigate the risks. As part of that effort, programs and technical controls have been considered.
What is the third category of access controls that needs to be considered?
15 of 30
After doing a risk assessment and establishing a proper set of controls that comply with an organization’s risk appetite, a consultant's job is just about complete. The consultant understands that the reality is that no set of controls can achieve complete security.
What needs to be completed in order to strengthen security even more?
An internal audit needs to take place in order to provide assurance that the right risk decisions have been made.
Management action should be implemented to monitor, evaluate and improve the effectiveness of the security policies and controls to support the organization’s aims.
The business units must continue to perform risk self-assessments annually.
Transference of the residual risks must take place.
16 of 30
The information security officer of the company has just been notified of a pending management review of the information security policy.
What is an input to this management review?
Improvement of control objectives and controls
Improvement of the management approach to information security
17 of 30
The information security officer for a global company has just received a management review of the information security policy.
What should this output include?
Feedback from interested parties
Improvement of control objectives and controls
Status of preventive and corrective actions
18 of 30
The maintenance of an information security program requires a continuous process. This requires inputs from the many different factors that will influence its success.
Which is an input influence that would require the process to change?
19 of 30
A large part of an information security team’s responsibility is to monitor and detect incidents.
What is the
indicator of an incident?
Activities at unexpected times
Activities by dormant accounts
Notification from Intrusion Detection System (IDS)
The presence of new accounts
20 of 30
Whose responsibility is it to coordinate an organization’s security awareness campaign?
Everyone in the organization
Information security management
The secretary of the chief information officer
21 of 30
Last year an organization became stricter regarding security controls for its employees. Before implementing additional controls, the information security officer wants to know the mindset of the employees towards information security controls.
How does she get an impression quickly?
She checks the internet data stream.
She checks to determine if there are viruses on the network.
She walks about the office after normal business hours.
22 of 30
What is the
advantage of using an open design of the security architecture?
Open designs are easy to set up.
Open designs are tested a lot.
Open designs have a lot of extra features.
23 of 30
Which security item is designed to take large collections of network-related traffic that can indicate a denial-of-service attack?
Host-Based Intrusion Detection and Prevention System (Host-Based IDPS)
Network-Based Intrusion Detection and Prevention System (Network-Based IDPS)
Virtual Private Network (VPN)
24 of 30
The CEO of a company started using her tablet PC and wants the security manager to facilitate her in using business mail and calendar on the tablet. The security manager understands this desire to allow the possibility to Bring Your Own Device (BYOD).
What controls (besides an awareness training) should the security manager propose to prevent data loss in case of theft or loss of the personal device?
Encrypt the local storage and network connections
Implement strong authentication using tokens with one-time passwords
Investigate her requirements and do not grant the wish until stable integration of business functions on private devices is possible
Install anti-malware and a firewall to prevent infection
25 of 30
Which statement about security architecture is
Security architecture follows strategy.
Security architecture is secondary.
Security architecture completely defines implementation rules.
26 of 30
Zoning is a security control to separate physical areas with different security levels. Zones with higher security levels can be secured by more controls. The security manager of a hotel is responsible for security and is considering different zones for the hotel.
What combination of business functions should be combined into one security zone?
Boardroom and general office space
Fitness area and storage facility
Hotel rooms and public bar
Public restaurant and lobby
27 of 30
Knowing that physical security controls are a very important part of an information security program, the information security team is asked to design and then implement a security perimeter for a department that is setting up some new data systems.
According to ISO/IEC 27001, which is the
important guideline that needs to be considered when establishing this perimeter?
A two-person support model
Cameras and alarms must be installed
System logging and monitoring
The strength of the perimeter should depend on the classification of the data being protected
28 of 30
The human resource manager for an organization asked what she could do as a quick win in the area of employment and hiring to help strengthen the organization’s data security program according to ISO/IEC 27001.
What should the advice be?
Do background checks
Implement security policy
Place revolving gates at the entrance
29 of 30
The business continuity manager asks for input for the contingency plan.
Which should be his
Define the scope
Identify critical business functions
Test the plan
30 of 30
One key component to integrate into an organization’s information security program is a robust business continuity program. In support of this, a security consultant has been asked to list out the key information security requirements for such a program.
What is his
concern in business continuity management (BCM) from an information security point of view?
Ensuring the safety of personnel and the protection of information processing facilities
Identifying events that can cause interruptions to the organization’s finances, followed by a risk assessment
Linking the different risk aspects together into a holistic plan to be endorsed by management to implement the strategy
Identifying the consequences of disasters, system down time, security failures, loss of service and inclusive risks to ensure that business systems are available