ISFS (Information Security Foundation based on ISO/IEC 27002)


1. Against which ISO security standard do organizations seek certification?
2. At Midwest Insurance, all information is classified. What is the goal of this classification of information?
3. You are the owner of a growing company, SpeeDelivery, which provides courier services. You decide that it is time to draw up a risk analysis for your information system. This includes an inventory of the threats and risks. What is the relation between a threat, risk and risk analysis?
4. The Information Security Officer (ISO) of insurance company Euregio wishes to have a list of security measures put together.
What does she first have to do before security measures can be selected?
5. Which important statutory norm in the area of information security does the government have to meet?
6. In the incident cycle there are four successive steps. What is the order of these steps?
7. Which statement about risk analysis is correct?
8. In most organizations, access to the computer or the network is granted only after the user has entered a correct username and password. This process consists of 3 steps: identification, authentication and authorization. What is the purpose of the second step, authentication?
9. Why is compliance important for the reliability of the information?
10. Our access to information is becoming increasingly easy. Still, information has to be reliable in order to be usable.
What is not a reliability aspect of information?
11. Your organization has an office with space for 25 workstations. These workstations are all fully equipped and in use. Due to a reorganization 10 extra workstations are added, 5 of which are used for a call centre 24 hours per day. Five workstations must always be available. What physical security measures must be taken in order to ensure this?
12. The code of conduct for e-business is based on a number of principles. Which of the following principles does NOT belong?
13. Your company is in the news as a result of an unfortunate action by one of your employees. The phones are ringing off the hook with customers wanting to cancel their contracts. What do we call this type of damage?
14. Which type of malware builds a network of contaminated computers?
15. Some threats are caused directly by people, others have a natural cause. What is an example of an intentional human threat?
16. "Completeness" is part of which aspect of reliability of information?
17. A non-human threat for computer systems is a flood. In which situation is a flood always a relevant threat?
18. An employee in the administrative department of Smiths Consultants Inc. finds out that the expiry date of a contract with one of the clients is earlier than the start date. What type of measure could prevent this error?
19. Which of the following measures is a preventive measure?
20. Four staff members of the IT department share one pass for the computer room.
What risk does this lead to?
21. The Code for Information Security (ISO/IEC 27002) only applies to large companies. Is this statement correct?
22. Which of the technologies below is malicious?
23. Under which condition is an employer permitted to check if Internet and email services in the workplace are being used for private purposes?
24. Peter works at the company Midwest Insurance. His manager, Linda, asks him to send the terms and conditions for a life insurance policy to Rachel, a client. Who determines the value of the information in the insurance terms and conditions document?
25. What is a human threat to the reliability of the information on your company website?
26. Some security measures are optional. Other security measures must always be implemented.
Which measure(s) must always be implemented?
27. Which of these is not malicious software?
28. You apply for a position in another company and get the job. Along with your contract, you are asked to sign a code of conduct. What is a code of conduct?
29. Midwest Insurance grades the monthly report of all claimed losses per insured as confidential.
What is accomplished if all other reports from this insurance office are also assigned the appropriate grading/classification level?
30. In the organization where you work, information of a very sensitive nature is processed. Management is legally obliged to implement the highest-level (strictest) security measures. What is this kind of risk strategy called?
31. There is a network printer in the hallway of the company where you work. Many employees don't pick up their printouts immediately and leave them in the printer. What are the consequences of this for the reliability of the information?
32. A well executed risk analysis provides a great deal of useful information. A risk analysis has four main objectives. What is NOT one of the four main objectives of a risk analysis?
33. You are a consultant and are regularly hired by the Ministry of Defense to perform analysis.
Since the assignments are irregular, you outsource the administration of your business to temporary workers. You don't want the temporary workers to have access to your reports. Which reliability aspect of the information in your reports must you protect?
34. What is an example of a security incident?
35. What is an example of a non-human threat to the physical environment?
36. Access to the computer room is closed off using a pass reader. Only the System Management department has a pass.
What type of security measure is this?
37. What is the greatest risk for an organization if no information security policy has been defined?
38. What is the objective of classifying information?
39. What is the purpose of classifying information?
40. A worker from insurance company Euregio discovers that the expiration date of a policy has been changed without her knowledge. She is the only person authorized to do this. She reports this security incident to the Helpdesk. The Helpdesk worker records the following information
regarding this incident:
• date and time
• description of the incident
• possible consequences of the incident
What important information about the incident is missing here?