ISFS (Information Security Foundation based on ISO/IEC 27002) practice questions

1. What is the relationship between data and information?
a) Data is the digital representation of information.
b) They are two words for the same reality.
c) Data is structured information.
d) Information is the meaning and value assigned to a collection of data.

2. A non-human threat to computer systems is a flood. In which situation is a flood always a relevant threat?
a) When the computer systems are not insured.
b) When the computer systems are kept in a cellar below ground level.
c) When the organization is located near a river.
d) If the risk analysis has not been carried out.

3. A couple of years ago you started your company, which has now grown from 1 to 20 employees. Your company's information is worth more and more, and gone are the days when you could keep it all in hand yourself. You are aware that you have to take measures, but what should they be? You hire a consultant who advises you to start with a qualitative risk analysis. What is a qualitative risk analysis?
a) This analysis is based on scenarios and situations and produces a subjective view of the possible threats.
b) This analysis follows a precise statistical probability calculation in order to calculate the exact loss caused by damage.

4. Peter works at the company Midwest Insurance. His manager, Linda, asks him to send the terms and conditions for a life insurance policy to Rachel, a client. Who determines the value of the information in the insurance terms and conditions document?
a) The sender, Peter
b) The manager, Linda
c) The person who drafted the insurance terms and conditions
d) The recipient, Rachel

5. What is an example of a non-human threat to the physical environment?
a) Fraudulent transaction
b) Corrupted file
c) Virus
d) Storm

6. Identification is establishing whether someone's identity is correct. Is this statement correct?
a) No
b) Yes

7. A well-executed risk analysis provides a great deal of useful information. A risk analysis has four main objectives. What is NOT one of the four main objectives of a risk analysis?
a) Determining relevant vulnerabilities and threats
b) Determining the costs of threats
c) Establishing a balance between the costs of an incident and the costs of a security measure
d) Identifying assets and their value

8. You have just started working at a large organization. You have been asked to sign a code of conduct as well as a contract. What does the organization wish to achieve with this?
a) A code of conduct helps to prevent the misuse of IT facilities.
b) A code of conduct gives staff guidance on how to report suspected misuse of IT facilities.
c) A code of conduct is a legal obligation that organizations have to meet.
d) A code of conduct prevents a virus outbreak.

9. Under which condition is an employer permitted to check whether Internet and email services in the workplace are being used for private purposes?
a) The employer is permitted to check this if a firewall is also installed.
b) The employer is permitted to check this if the employees are aware that this could happen.
c) The employer is permitted to check this if the employee is informed after each instance of checking.
d) The employer is in no way permitted to check the use of IT services by employees.

10. The company XYZ seeks certification for its information security management system (ISMS). After carrying out the asset inventory and a risk analysis, the information security officer prepares to issue a list of security measures/controls from good practice, best suited to respond to the identified risks. Which standard would she probably use?
a) COBIT framework
b) ISO 27005
c) NIST SP 800-37
d) ISO 27002

11. What is the most important reason for applying Segregation of Duties (SoD)?
a) Segregation of duties ensures that, when a person is absent, it can be investigated whether he or she has been committing fraud.
b) Segregation of duties makes it easier for a person who has finished his or her part of the work to take time off or to take over the work of another person.
c) Segregation of duties makes it clear who is responsible for what.
d) Tasks and responsibilities must be separated in order to minimize the opportunities for business assets to be misused or changed, whether the change is unauthorized or unintentional.

12. What is the purpose of the ISO/IEC 27002 security code of practice (previously BS 7799-1)?
a) Managing risk in a consistent manner
b) Providing measurement and metrics of a security program
c) Establishing guidelines and general principles for initiating, implementing, maintaining and improving information security management within an organization
d) Providing requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS)

13. Some security measures are optional. Other security measures must always be implemented. Which measure(s) must always be implemented?
a) Physical security measures
b) Internal audit recommendations
c) Measures required by laws and regulations
d) Organizational security measures

14. In most organizations, access to the computer or the network is granted only after the user has entered a correct username and password. This process consists of three steps: identification, authentication and authorization. What is the purpose of the second step, authentication?
a) The authentication step checks the username against a list of users who have access to the system.
b) The system determines whether access may be granted by determining whether the token used is authentic.
c) During the authentication step, the system gives you the rights that you need, such as being able to read the data in the system.
d) In the second step, you make your identity known, which means you are given access to the system.

15. You work for a flexible employer who doesn't mind if you work from home or on the road. You regularly take copies of documents with you on a USB memory stick that is not secured. What are the consequences for the reliability of the information if you leave your USB memory stick behind on the train?
a) The confidentiality of the data on the USB memory stick is no longer guaranteed.
b) The integrity of the data on the USB memory stick is no longer guaranteed.
c) The availability of the data on the USB memory stick is no longer guaranteed.

16. Information has a number of reliability aspects. Reliability is constantly being threatened. Examples of threats are: a cable becomes loose, someone alters information by accident, data is used privately or is falsified. Which of these examples is the BEST example of a threat to confidentiality?
a) Accidental deletion of data
b) Falsifying data
c) Private use of data
d) A loose cable

17. What physical security measure is necessary to control access to company information?
a) Username and password
b) Air-conditioning
c) Prohibiting the use of USB sticks
d) The use of break-resistant glass and doors with the right locks, frames and hinges

18. Which measure does not help against malicious software?
a) A password
b) An active patch policy
c) A spam filter
d) An anti-spyware program

19. What is a human threat to the reliability of the information on your company website?
a) The computer hosting your website is overloaded and crashes. Your website is offline, with no one to answer the phone for disgruntled customers.
b) Because of a lack of maintenance, a fire hydrant springs a leak and floods the premises. Your employees cannot come into the office and therefore cannot keep the information on the website up to date.
c) One of your employees makes an error in the price of a product on your website.

20. You are the owner of the SpeeDelivery courier service. Last year you had a firewall installed. You now discover that no maintenance has been performed since the installation. What is the biggest risk because of this?
a) The risk that fire may break out in the server room
b) The risk of a virus outbreak
c) The risk that hackers can do as they wish on the network without detection
d) The risk of undesired e-mails

21. Against which ISO security standard do organizations seek certification?
a) ISO 27001
b) ISO 27015
c) ISO 27002
d) ISO 27000

22. What is the best description of a risk analysis?
a) A risk analysis helps to estimate the risks and develop the appropriate security measures.
b) A risk analysis estimates the maximum impact of business disruption.
c) A risk analysis calculates the exact financial consequences of damages.
d) A risk analysis is a method of mapping risks without looking at company processes.

23. An administration office is going to determine the dangers to which it is exposed. What do we call a possible event that can have a disruptive effect on the reliability of information?
a) Dependency
b) Vulnerability
c) Threat
d) Risk

24. In the organization where you work, information of a very sensitive nature is processed. Management is legally obliged to implement the highest-level (strictest) security measures. What is this kind of risk strategy called?
a) Risk bearing/taking
b) Risk avoiding/averse
c) Risk neutral

25. Why is it necessary to keep a disaster recovery plan up to date and to test it regularly?
a) Because otherwise, in the event of a far-reaching disruption, the measures taken and the incident procedures planned may not be adequate or may be outdated.
b) In order to be able to cope with faults that occur daily.
c) Because this is required by the Personal Data Protection Act.
d) In order always to have access to recent backups that are located outside the office.

26. Logging in to a computer system is an access-granting process consisting of three steps: identification, authentication and authorization. What occurs during the first step of this process, identification?
a) The first step consists of comparing the password with the registered password.
b) The first step consists of checking whether the user is using the correct certificate.
c) The first step consists of granting access to the information to which the user is authorized.
d) The first step consists of checking whether the user is known and appears on the list of authorized users.

27. We can acquire and supply information in various ways. The value of the information depends on whether it is reliable. What are the reliability aspects of information?
a) Timeliness, Accuracy and Completeness
b) Availability, Integrity and Completeness
c) Availability, Information Value and Confidentiality
d) Availability, Integrity and Confidentiality

28. An airline company employee notices that she has access to one of the company's applications that she has not used before. Is this an information security incident?
a) No
b) Yes

29. Which important statutory norm in the area of information security does the government have to meet?
a) ISO/IEC 27002
b) National information security legislation or regulations
c) ISO/IEC 20000
d) Dependency and vulnerability analysis

30. The company Midwest Insurance has taken many measures to protect its information. It uses an Information Security Management System, the input and output of data in applications is validated, confidential documents are sent in encrypted form and staff use tokens to access information systems. Which of these is not a technical measure?
a) Encryption of information
b) Validation of input and output data in applications
c) The use of tokens to gain access to information systems
d) Information Security Management Program

31. In order to take out a fire insurance policy, an administration office must determine the value of the data that it manages. Which factor is not important for determining the value of data for an organization?
a) The content of the data.
b) The indispensability of the data for the business processes.
c) The importance of the business processes that make use of the data.
d) The degree to which missing, incomplete or incorrect data can be recovered.

32. In order to reduce risks, a company decides to opt for a strategy of a mix of measures. One of the measures is that a stand-by arrangement is organized for the company. To which category of measures does a stand-by arrangement belong?
a) Repressive measures
b) Preventive measures
c) Corrective measures
d) Detective measures

33. Which of these is not malicious software?
a) Virus
b) Phishing
c) Trojan
d) Worm

34. What sort of security does a Public Key Infrastructure (PKI) offer?
a) By providing agreements, procedures and an organization structure, a PKI defines which person or which system belongs to which specific public key.
b) A PKI ensures that backups of company data are made on a regular basis.
c) It provides digital certificates which can be used to digitally sign documents. Such signatures irrefutably determine from whom a document was sent.
d) Having a PKI shows customers that a web-based business is secure.

35. How is the purpose of an information security policy best described?
a) Policy provides insight into threats and the possible consequences.
b) Policy makes the security plan concrete by providing it with the necessary details.
c) Policy documents the analysis of risks and the search for countermeasures.
d) Policy provides direction and support to the management regarding information security.

36. A company experiences the following incidents. Which of these incidents is NOT a security incident?
a) The network is hacked into.
b) A file on the computer cannot be converted into a PDF file.
c) A smoke alarm does not work.
d) Someone pretends to be a member of staff.

37. What is the purpose of risk management?
a) To outline the threats to which IT resources are exposed.
b) To determine the probability that a certain risk will occur.
c) To determine the damage caused by possible security incidents.
d) To use measures to reduce risks to an acceptable level.

38. You are the owner of the SpeeDelivery courier service. Because of your company's growth you have to think about information security. You know that you have to start by creating a policy. Why is it so important to have an information security policy as a starting point?
a) The information security policy gives direction to the information security efforts and investment.
b) The information security policy establishes who is responsible for which area of information security.
c) The information security policy establishes which devices will be protected.
d) The information security policy supplies instructions for the daily practice of information security.

39. Which is a legislative or regulatory act related to information security that can be imposed upon all organizations?
a) Personal data protection legislation
b) ISO/IEC 27001
c) PCI DSS
d) Intellectual property rights

40. The backups of the central server are kept locked in the same enclosed room as the server. What risk does the organization face?
a) In the event of fire it is impossible to get the system back to its former state.
b) No one is responsible for the backups.
c) If the server crashes, it will take a long time before the server is again operational.
d) Unauthorized persons have easy access to the backups.
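Questions 14 and 26 both turn on the order and the job of the three login steps: identification (is the username a known user?), authentication (does the presented secret match?), and authorization (what may this user do?). The following Python program, an added worked example that is not part of the ISFS material, implements the three steps as separate functions so the distinction is visible in code. The user store, the two usernames (borrowed from question 4), their passwords and the role-to-permission table are all constructed for the example; the PBKDF2 work factor is an assumption.

```python
"""Three-step login check: identification, authentication, authorization.

Added worked example for questions 14 and 26; it is not part of the ISFS
material. The user store, roles and passwords below are constructed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

PBKDF2_ITERATIONS = 100_000  # assumed work factor for this demo

# Role-to-permission table (constructed for the example).
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "reader": frozenset({"read"}),
    "editor": frozenset({"read", "write"}),
}


@dataclass(frozen=True)
class User:
    username: str
    salt: bytes
    password_hash: bytes
    roles: FrozenSet[str]


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a salted PBKDF2-HMAC-SHA256 hash; only the hash is stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


def build_store() -> Dict[str, User]:
    """Constructed user store: names from question 4, passwords and roles assumed."""
    store: Dict[str, User] = {}
    for name, pw, roles in (("rachel", "client-pass", {"reader"}),
                            ("linda", "manager-pass", {"editor"})):
        salt = os.urandom(16)
        store[name] = User(name, salt, hash_password(pw, salt), frozenset(roles))
    return store


DEMO_STORE = build_store()
# Salt used to burn the same CPU time for unknown usernames (see access()).
_DUMMY_SALT = os.urandom(16)


def identify(store: Dict[str, User], username: str) -> Optional[User]:
    """Step 1, identification: is this username a known user?"""
    return store.get(username)


def authenticate(user: User, password: str) -> bool:
    """Step 2, authentication: does the presented secret match the stored hash?
    compare_digest keeps the comparison time independent of where the hashes differ."""
    return hmac.compare_digest(hash_password(password, user.salt), user.password_hash)


def authorize(user: User, action: str) -> bool:
    """Step 3, authorization: do the user's roles grant this action?"""
    permissions = set()
    for role in user.roles:
        permissions |= ROLE_PERMISSIONS.get(role, frozenset())
    return action in permissions


def access(store: Dict[str, User], username: str, password: str,
           action: str) -> Tuple[bool, str]:
    """Run the three steps in order and return (granted, reason).

    Identification and authentication failures return the same generic
    reason, and an unknown username still costs one hash computation, so a
    caller cannot tell which of the two steps failed (that would leak valid
    usernames).
    """
    user = identify(store, username)
    if user is None:
        hash_password(password, _DUMMY_SALT)
        return False, "invalid credentials"
    if not authenticate(user, password):
        return False, "invalid credentials"
    if not authorize(user, action):
        return False, "not authorized for " + action
    return True, "ok"


if __name__ == "__main__":
    for args in (("rachel", "client-pass", "read"),
                 ("rachel", "client-pass", "write"),
                 ("rachel", "wrong", "read"),
                 ("nobody", "client-pass", "read")):
        print(args, "->", access(DEMO_STORE, *args))
```

The point the exam questions make is visible in `access()`: authentication never grants anything by itself, and authorization is only evaluated after identification and authentication have both succeeded. The two failure branches before authorization deliberately return the same message, since distinguishing "unknown user" from "wrong password" would tell an attacker which usernames exist.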