
ISMP Online Practice Questions and Answers

Questions 4

Security monitoring is an important control measure to make sure that the required security level is maintained. In order to realize 24/7 availability of the service, this service is outsourced to a partner in the cloud.

What should be an important control in the contract?

A. The network communication channel is secured by using encryption.

B. The third party is certified against ISO/IEC 27001.

C. The third party is certified for adhering to privacy protection controls.

D. Your IT auditor has the right to audit the external party's service management processes.

Questions 5

Who should be asked to check compliance with the information security policy throughout the company?

A. Internal audit department

B. External forensics investigators

C. The same company that checks the yearly financial statement

Questions 6

An experienced security manager is well aware of the risks related to communication over the internet. She also knows that Public Key Infrastructure (PKI) can be used to keep e-mails between employees confidential.

Which is the main risk of PKI?

A. The Certificate Authority (CA) is hacked.

B. The certificate is invalid because it is on a Certificate Revocation List.

C. The users lose their public keys.

D. The HR department wants to be a Registration Authority (RA).

Questions 7

A protocol to investigate fraud by employees is being designed. Which measure can be part of this protocol?

A. Seize and investigate the private laptop of the employee

B. Investigate the contents of the workstation of the employee

C. Investigate the private mailbox of the employee

D. Put a phone tap on the employee's business phone

Questions 8

Zoning is a security control to separate physical areas with different security levels. Zones with higher security levels can be secured by more controls. The facility manager of a conference center is responsible for security.

What combination of business functions should be combined into one security zone?

A. Boardroom and general office space

B. Computer room and storage facility

C. Lobby and public restaurant

D. Meeting rooms and Human Resource rooms

Questions 9

The Board of Directors of an organization is accountable for obtaining adequate assurance. Who should be responsible for coordinating the information security awareness campaigns?

A. The Board of Directors

B. The operational manager

C. The security manager

D. The user

Questions 10

What is a risk treatment strategy?

A. Mobile updates

B. Risk acceptance

C. Risk exclusion

D. Software installation

Questions 11

In a company a personalized smart card is used for both physical and logical access control. What is the main purpose of the person's picture on the smart card?

A. To authenticate the owner of the card

B. To authorize the owner of the card

C. To identify the role of the card owner

D. To verify the iris of the card owner

Questions 12

The information security manager is writing the Information Security Management System (ISMS) documentation. The controls that are to be implemented must be described in one of the phases of the Plan-Do-Check-Act (PDCA) cycle of the ISMS.

In which phase should these controls be described?

A. Plan

B. Do

C. Check

D. Act

Questions 13

A security manager for a large company is tasked with achieving physical protection for corporate data stores.

Through which control can physical protection be achieved?

A. Having visitors sign in and out of the corporate datacenter

B. Using a firewall to prevent access to the network infrastructure

C. Using access control lists to prevent logical access to organizational infrastructure

D. Using key access controls for employees needing access

Questions 14

The handling of security incidents is done by the incident management process under guidelines of information security management. These guidelines call for several types of mitigation plans.

Which mitigation plan covers short-term recovery after a security incident has occurred?

A. The Business Continuity Plan (BCP)

B. The disaster recovery plan

C. The incident response plan

D. The risk treatment plan

Questions 15

A security architect argues with the internal fire prevention team about the statement in the information security policy that doors to confidential areas should be locked at all times.

The emergency response team wants access to those areas in case of fire.

What is the best solution to this dilemma?

A. The security architect will be informed when there is a fire.

B. The doors should stay closed in case of fire to prevent access to confidential areas.

C. The doors will automatically open in case of fire.

Questions 16

A security manager just finished the final copy of a risk assessment. This assessment contains a list of identified risks and she has to determine how to treat these risks.

What is the best option for the treatment of risks?

A. Begin risk remediation immediately as the organization is currently at risk

B. Decide the criteria for determining if the risk can be accepted

C. Design appropriate controls to reduce the risk

D. Remediate the risk regardless of cost

Questions 17

A risk manager is asked to perform a complete risk assessment for a company. What is the best method to identify most of the threats to the company?

A. Have a brainstorm with representatives of all stakeholders

B. Interview top management

C. Send a checklist for threat identification to all staff involved in information security

Questions 18

When should information security controls be considered?

A. After the risk assessment

B. As part of the scoping meeting

C. At the kick-off meeting

D. During the risk assessment work

Exam Code: ISMP
Exam Name: Information Security Management Professional based on ISO/IEC 27001
Last Update: Apr 23, 2024
Questions: 30 Q&As