ISFS (Information Security Foundation based on ISO/IEC 27002)


1. What is the relationship between data and information?
2. A non-human threat for computer systems is a flood. In which situation is a flood always a relevant threat?
3. A couple of years ago you started your company, which has now grown from 1 to 20 employees. Your company's information is worth more and more, and gone are the days when you could keep it all in hand yourself. You are aware that you have to take measures, but what should they be? You hire a consultant who advises you to start with a qualitative risk analysis. What is a qualitative risk analysis?
4. Peter works at the company Midwest Insurance. His manager, Linda, asks him to send the terms and conditions for a life insurance policy to Rachel, a client. Who determines the value of the information in the insurance terms and conditions document?
5. What is an example of a non-human threat to the physical environment?
6. Identification is establishing whether someone’s identity is correct. Is this statement correct?
7. A well executed risk analysis provides a great deal of useful information. A risk analysis has four main objectives. What is NOT one of the four main objectives of a risk analysis?
8. You have just started working at a large organization. You have been asked to sign a code of conduct as well as a contract. What does the organization wish to achieve with this?
9. Under which condition is an employer permitted to check if Internet and email services in the workplace are being used for private purposes?
10. The company XYZ seeks certification for its information security management system (ISMS). After carrying out the assets inventory and a risk analysis, the information security officer prepares to issue a list of security measures/controls from good practice, best suited to respond to identified risks. Which standard would she probably use?
11. What is the most important reason for applying Segregation of Duties (SoD)?
12. What is the purpose of the ISO/CEI 27002 security code of practice (previously BS7799-1)?
13. Some security measures are optional. Other security measures must always be implemented.
Which measure(s) must always be implemented?
14. In most organizations, access to the computer or the network is granted only after the user has entered a correct username and password. This process consists of 3 steps: identification, authentication and authorization. What is the purpose of the second step, authentication?
15. You work for a flexible employer who doesn't mind if you work from home or on the road. You regularly take copies of documents with you on a USB memory stick that is not secure. What are the consequences for the reliability of the information if you leave your USB memory stick behind on the train?
16. Information has a number of reliability aspects. Reliability is constantly being threatened. Examples of threats are: a cable becomes loose, someone alters information by accident, data is used privately or is falsified.
Which of these examples is the BEST example of a threat to confidentiality?
17. What physical security measure is necessary to control access to company information?
18. Which measure does not help against malicious software?
19. What is a human threat to the reliability of the information on your company website?
20. You are the owner of the SpeeDelivery courier service. Last year you had a firewall installed. You now discover that no maintenance has been performed since the installation. What is the biggest risk because of this?
21. Against which ISO security standard do organizations seek certification?
22. What is the best description of a risk analysis?
23. An administration office is going to determine the dangers to which it is exposed.
What do we call a possible event that can have a disruptive effect on the reliability of information?
24. In the organization where you work, information of a very sensitive nature is processed. Management is legally obliged to implement the highest-level (strictest) security measures. What is this kind of risk strategy called?
25. Why is it necessary to keep a disaster recovery plan up to date and to test it regularly?
26. Logging in to a computer system is an access-granting process consisting of three steps: identification, authentication and authorization.
What occurs during the first step of this process: identification?
27. We can acquire and supply information in various ways. The value of the information depends on whether it is reliable. What are the reliability aspects of information?
28. An airline company employee notices that she has access to one of the company's applications that she has not used before. Is this an information security incident?
29. Which important statutory norm in the area of information security does the government have to meet?
30. The company Midwest Insurance has taken many measures to protect its information. It uses an Information Security Management System, the input and output of data in applications is validated, confidential documents are sent in encrypted form and staff use tokens to access information systems. Which of these is not a technical measure?
31. In order to take out a fire insurance policy, an administration office must determine the value of the data that it manages.
Which factor is not important for determining the value of data for an organization?
32. In order to reduce risks, a company decides to opt for a strategy of a mix of measures. One of the measures is that a stand-by arrangement is organized for the company. To which category of measures does a stand-by arrangement belong?
33. Which of these is not malicious software?
34. What sort of security does a Public Key Infrastructure (PKI) offer?
35. How is the purpose of information security policy best described?
36. A company experiences the following incidents. Which of these incidents is NOT a security incident?
37. What is the purpose of risk management?
38. You are the owner of the SpeeDelivery courier service. Because of your company's growth you have to think about information security. You know that you have to start by creating a policy. Why is it so important to have an information security policy as a starting point?
39. Which is a legislative or regulatory act related to information security that can be imposed upon all organizations?
40. The backups of the central server are kept locked in the same enclosed room as the server.
What risk does the organization face?