Free PECB ISO-IEC-27001-Lead-Implementer Practice Exam with Questions & Answers | Set: 9

Scenario 2: Beauty is a cosmetics company that has recently switched to an e-commerce model, leaving the traditional retail. The top management has decided to build their own custom platform in-house and outsource the payment process to an external provider operating online payments systems that support online money transfers.

Due to this transformation of the business model, a number of security controls were implemented based on the identified threats and vulnerabilities associated to critical assets. To protect customers' information. Beauty's employees had to sign a confidentiality agreement. In addition, the company reviewed all user access rights so that only authorized personnel can have access to sensitive files and drafted a new segregation of duties chart.

However, the transition was difficult for the IT team, who had to deal with a security incident not long after transitioning to the e commerce model. After investigating the incident, the team concluded that due to the out-of-date anti-malware software, an attacker gamed access to their files and exposed customers' information, including their names and home addresses.

The IT team decided to stop using the old anti-malware software and install a new one which would automatically remove malicious code in case of similar incidents. The new software was installed in every workstation within the company. After installing the new software, the team updated it with the latest malware definitions and enabled the automatic update feature to keep it up to date at all times. Additionally, they established an authentication process that requires a user identification and password when accessing sensitive information.

In addition, Beauty conducted a number of information security awareness sessions for the IT team and other employees that have access to confidential information in order to raise awareness on the importance of system and network security.

Based on scenario 2, Beauty should have implemented (1)_____________________________ to detect (2)_________________________.

What is the main difference between an audit program and an audit plan?

Scenario 2: NyvMarketing is a marketing firm that provides different services to clients across various industries. With expertise in digital marketing. branding, and market research, NyvMarketing has built a solid

reputation for delivering innovative and impactful marketing campaigns. With the growing Significance Of data Security and information protection within the marketing landscape, the company decided to

implement an ISMS based on 27001.

While implementing its ISMS NyvMarketing encountered a significant challenge; the threat of insufficient resources, This challenge posed a risk to effectively executing its ISMS objectives and could potentially

undermine the company'S efforts to safeguard Sensitive information. TO address this threat, NyvMarketing adopted a proactive approach by appointing Michael to manage the risks related to resource Constraints.

Michael was pivotal in identifying and addressing resource gaps. strategizing risk mitigation. and allocating resources effectively for ISMS implementation at NyvMarket•ng, strengthening the company's resilience

against resource challenges.

Furthermore, NyvMarketing prioritized industry standards and best practices in information security, diligently following ISOfIEC 27002 guidelines. This commitment, driven by excellence and ISO/IEC 27001

requirements, underscored NyvMafketinq•s dedication to upholding the h•ghest Standards Of information security governance.

While working on the ISMS implementation, NyvMarketing opted to exclude one Of the requirements related to competence (as stipulated in ISO/IEC 27001, Clause 7.2). The company believed that its existing

workforce possessed the necessary competence to fulfill ISMS•telated tasks_ However, it did not provide a valid justification for this omission. Moreover. when specific controls from Annex A Of ISO/IEC 27001

were not implemented. NyvMarketing neglected to provide an acceptable justification for these exclusions.

During the ISMS implementation, NFMarketing thoroughly assessed vulnerabilities that could affect its information Security These vulnerabilities included insufficient maintenance and faulty installation Of

storage media, insufficient periodic replacement schemes for equipment, Inadequate software testing. and unprotected communication lines. Recognizing that these vulnerabilities could pose risks to its data

security. NBMarketing took steps to address these specific weaknesses by implementing the necessary controls and countermeasures-

Based on the scenario above, answer the following question.

In the scenario 2. NyvMarketing faced the threat of insufficient resources during the ISMS implementation. In which of the following categories does this threat fall?

Which of the following categories of vulnerabilities did NyvMarketing address during its ISMS implementation? Refer to scenario 2.

Scenario 1: HealthGenic is a pediatric clinic that monitors the health and growth of individuals from infancy to early adulthood using a web-based medical software. The software is also used to schedule appointments, create customized medical reports, store patients' data and medical history, and communicate with all the [^involved parties, including parents, other physicians, and the medical laboratory staff.

Last month, HealthGenic experienced a number of service interruptions due to the increased number of users accessing the software Another issue the company faced while using the software was the complicated user interface, which the untrained personnel found challenging to use.

The top management of HealthGenic immediately informed the company that had developed the software about the issue. The software company fixed the issue; however, in the process of doing so, it modified some files that comprised sensitive information related to HealthGenic's patients. The modifications that were made resulted in incomplete and incorrect medical reports and, more importantly, invaded the patients' privacy.

Based on the scenario above, answer the following question:

According to scenario 1. to detect (1)____________________________, Antiques should have implemented (2)

FinanceX, a well-known financial institution, uses an online banking platform that enables clients to easily and securely access their bank accounts. To log in, clients are required to enter the one-lime authorization code sent to their smartphone. What can be concluded from this scenario?

Scenario 1: HealthGenic is a pediatric clinic that monitors the health and growth of individuals from infancy to early adulthood using a web-based medical software. The software is also used to schedule appointments, create customized medical reports, store patients' data and medical history, and communicate with all the [^involved parties, including parents, other physicians, and the medical laboratory staff.

Last month, HealthGenic experienced a number of service interruptions due to the increased number of users accessing the software Another issue the company faced while using the software was the complicated user interface, which the untrained personnel found challenging to use.

The top management of HealthGenic immediately informed the company that had developed the software about the issue. The software company fixed the issue; however, in the process of doing so, it modified some files that comprised sensitive information related to HealthGenic's patients. The modifications that were made resulted in incomplete and incorrect medical reports and, more importantly, invaded the patients' privacy.

Based on scenario 1. what is a potential impact of the loss of integrity of information in HealthGenic?

An organization that has an ISMS in place conducts management reviews at planned intervals, but does not retain documented information on the results. Is this in accordance with the requirements of ISO/IEC 27001?