Scenario 3: Socket Inc is a telecommunications company offering mainly wireless products and services. It uses MongoDB. a document model database that offers high availability, scalability, and flexibility.
Last month, Socket Inc. reported an information security incident. A group of hackers compromised its MongoDB database, because the database administrators did not change its default settings, leaving it without a password and publicly accessible.
Fortunately. Socket Inc. performed regular information backups in their MongoDB database, so no information was lost during the incident. In addition, a syslog server allowed Socket Inc. to centralize all logs in one server. The company found out that no persistent backdoor was placed and that the attack was not initiated from an employee inside the company by reviewing the event logs that record user faults and exceptions.
To prevent similar incidents in the future, Socket Inc. decided to use an access control system that grants access to authorized personnel only. The company also implemented a control in order to define and implement rules for the effective use of cryptography, including cryptographic key management, to protect the database from unauthorized access The implementation was based on all relevantagreements, legislation, and regulations, and the information classification scheme. To improve security and reduce the administrative efforts, network segregation using VPNs was proposed.
Lastly, Socket Inc. implemented a new system to maintain, collect, and analyze information related to information security threats, and integrate information security into project management.
Based on scenario 3. which information security control of Annex A of ISO/IEC 27001 did Socket Inc.
implement by establishing a new system to maintain, collect, and analyze information related to information security threats?
A. Annex A 5.5 Contact with authorities
B. Annex A 5.13 Labeling of information
C. Annex A 5 7 Threat Intelligence
正解:C
解説: (Pass4Test メンバーにのみ表示されます)
質問 2:
Org Y. a well-known bank, uses an online banking platform that enables clients to easily and securely access their bank accounts.
To log in. clients are required to enter the one-time authorization code sent to their smartphone.
What can be concluded from this scenario?
A. Org Y has incorrectly implemented a security control that could become a vulnerability
B. Org Y has implemented an integrity control that avoids the involuntary corruption of data
C. Org Y has implemented a security control that ensures the confidentiality of information
正解:C
質問 3:
Which of the following is NOT part of the steps required by ISO/IEC 27001 that an organization must take when a nonconformity is detected?
A. Evaluate the need for action to eliminate the causes of the nonconformity so that it does not recur or occur elsewhere
B. Communicate the details of the nonconformity to every employee of the organization and suspend the employee that caused the nonconformity
C. React to the nonconformity, take action to control and correct it. and deal with its consequences
正解:B
解説: (Pass4Test メンバーにのみ表示されます)
質問 4:
Scenario 10: NetworkFuse develops, manufactures, and sells network hardware. The company has had an operational information security management system (ISMS) based on ISO/IEC 27001 requirements and a quality management system (QMS) based on ISO 9001 for approximately two years. Recently, it has applied for a j^ombined certification audit in order to obtain certification against ISO/IEC 27001 and ISO 9001.
After selecting the certification body, NetworkFuse prepared the employees for the audit The company decided to not conduct a self-evaluation before the audit since, according to the top management, it was not necessary. In addition, it ensured the availability of documented information, including internal audit reports and management reviews, technologies in place, and the general operations of the ISMS and the QMS.
However, the company requested from the certification body that the documentation could not be carried off- site However, the audit was not performed within the scheduled days because NetworkFuse rejected the audit team leader assigned and requested their replacement The company asserted that the same audit team leader issued a recommendation for certification to its main competitor, which, for the company's top management, was a potential conflict of interest. The request was not accepted by the certification body According to scenario 10, NetworkFuse requested from the certification body to review all the documentation only on-site. Is this acceptable?
A. Yes, only if a confidentiality agreement is formerly signed by the audit team
B. Yes, the auditee may request that the review of the documentation takes place on-site
C. No, the certification body decides whether the documentation review takes place on-site or off-site
正解:C
解説: (Pass4Test メンバーにのみ表示されます)
質問 5:
What supports the continual improvement of an ISMS?
A. The update of action plans
B. The update of eternal audit reports
C. The update of documented information
正解:C
解説: (Pass4Test メンバーにのみ表示されます)
質問 6:
Who should verily the effectiveness of the corrective actions taken by the auditee after an internal audit?
A. The information security manager
B. An Independent auditor should be contracted to perform this evaluation
C. The internal auditor
正解:C
質問 7:
Which approach should organizations use to implement an ISMS based on ISO/IEC 27001?
A. Only the approach provided by the standard
B. An approach that is suitable for organization's scope
C. Any approach that enables the ISMS implementation within the 12month period
正解:B
解説: (Pass4Test メンバーにのみ表示されます)
776 お客様のコメント





浅田** -
友達勧めたISOIEC20000LI学習教材が素晴らしいです。そして、ISO会社のサービスもいいです!本当にありがとうございました。