Scenario 2: Beauty is a cosmetics company that has recently switched to an e-commerce model, leaving the traditional retail. The top management has decided to build their own custom platform in-house and outsource the payment process to an external provider operating online payments systems that support online money transfers.
Due to this transformation of the business model, a number of security controls were implemented based on the identified threats and vulnerabilities associated to critical assets. To protect customers ' information. Beauty ' s employees had to sign a confidentiality agreement. In addition, the company reviewed all user access rights so that only authorized personnel can have access to sensitive files and drafted a new segregation of duties chart.
However, the transition was difficult for the IT team, who had to deal with a security incident not long after transitioning to the e commerce model. After investigating the incident, the team concluded that due to the out-of-date anti-malware software, an attacker gamed access to their files and exposed customers ' information, including their names and home addresses.
The IT team decided to stop using the old anti-malware software and install a new one which would automatically remove malicious code in case of similar incidents. The new software was installed in every workstation within the company. After installing the new software, the team updated it with the latest malware definitions and enabled the automatic update feature to keep it up to date at all times. Additionally, they established an authentication process that requires a user identification and password when accessing sensitive information.
In addition, Beauty conducted a number of information security awareness sessions for the IT team and other employees that have access to confidential information in order to raise awareness on the importance of system and network security.
Which statement below suggests that Beauty has implemented a managerial control that helps avoid the occurrence of incidents? Refer to scenario 2.
Scenario 5: Bytes iS a dynamic and innovative Company specializing in the design, manufacturing. and distribution Of hardware and software, with a focus On providing comprehensive network and supporting
services. It is headquartered in the vibrant tech hub of Lagos, Nigeria. It has a diverse and dedicated team, boasting a workforce of over 800 employees who are passionate about delivering cutting-edge solutions
to their Clients. Given the nati-jte Of its business. Bytes frequently handles sensitive data both internally and When collaborating With Clients and partners.
Recognizing the Challenges inherent in securely sharing data with clients. partners, and within its own internal operations. Bytes has implemented robust information security measures, They utilize a defined risk
assessment process, which enables them to assess and address potential threats and information security risks. This process ensures compliance with ISOflEC 27001 requirements, a critical aspect of Bytes '
operations.
Initially. Bytes identified both external and internal issues that are relevant to its purpose and that impact its ability to achieve the intended information security management System Outcomes, External issues
beyond the company ' S control include factors Such as social and Cultural dynamics, political. legal. normative, and regulatory environments, financial and macroeconomic conditions. technological developments,
natural factors, and competitive pressures. Internal issues, which are within the organization ' s control, encompass aspects like the company ' s culture. its policies, objectives, and strategies; govetnance structures.
roles, and responsibilities: adopted standards and guidelines; contractual relationships that influence processes within the ISMS scope: processes and procedures resources and knowledge capabilities; physical
infrastructure information systems. information flows. and decisiorwnaking processes; as well as the results of previous audits and risk assessments. Bytes also focused on identifying the interested parties
relevant to the ISMS understanding their requirements, and determining which Of those requirements will be addressed by the ISMS
In pursuing a secure digital environment, Bytes leverages the latest technology, utilizing automated vulnerability scanning tools to identify known vulnerable services in their ICT systems. This proactive approach
ensures that potential weaknesses are swiftly addressed. bolstering their overall information security posture. In their comprehensive approach to information security, Bytes has identified and assessed various
risks. During this process, despite implementing the security controls, Bytes ' expert team identified unacceptable residual risks, and the team Currently faces uncertainty regarding which specific options to for
addressing these identified and unacceptable residual risks.
According to Scenario 5, which type of policy did Bytes formulate?
TradeB communicated the information security processes and procedures to employees. Which principle of efficient communication strategy did they use?
Upon the risk assessment outcomes. Socket Inc. decided to:
• Require the use of passwords with at least 12 characters containing uppercase and lowercase letters, symbols, and numbers
• Require the change of passwords at least once every 60 days
• Keep backup copies of files on IT-provided network drives
• Assign users to a separate network when they have access to cloud storage files storing customers ' personal data.
What is the most important asset to Socket Inc. associated with the use of cloud storage? Refer to scenario 5.
Scenario 9: OpenTech provides IT and communications services. It helps data communication enterprises and network operators become multi-service providers During an internal audit, its internal auditor, Tim, has identified nonconformities related to the monitoring procedures He identified and evaluated several system Invulnerabilities.
Tim found out that user IDs for systems and services that process sensitive information have been reused and the access control policy has not been followed After analyzing the root causes of this nonconformity, the ISMS project manager developed a list of possible actions to resolve the nonconformity. Then, the ISMS project manager analyzed the list and selected the activities that would allow the elimination of the root cause and the prevention of a similar situation in the future. These activities were included in an action plan The action plan, approved by the top management, was written as follows:
A new version of the access control policy will be established and new restrictions will be created to ensure that network access is effectively managed and monitored by the Information and Communication Technology (ICT) Department
The approved action plan was implemented and all actions described in the plan were documented.
Based on this scenario, answer the following question:
OpenTech has decided to establish a new version of its access control policy. What should the company do when such changes occur?
Scenario 9: CoreBit Systems
CoreBit Systems, with its headquarters m San Francisco, specializes in information and communication technology (ICT) solutions, its clientele primarily includes data communication enterprises and network operators. The company ' s core objective is to enable its clients a smooth transition into multi-service providers, aligning their operations with the complex demands of the digital landscape.
Recently. John, the internal auditor of CoreBit Systems, conducted an internal audit which uncovered nonconformities related to their monitoring procedures and system vulnerabilities, in response to the identified nonconformities. CoreBit Systems decided to employ a comprehensive problem-solving approach to solve these issues systematically. The method encompasses a team-oriented approach, aiming to identify, correct, and eliminate the root causes of issues. This approach involves several steps. First, establish a group of experts with deep knowledge of processes and controls. Next, break down the nonconformity into measurable components and implement interim containment measures. Then, identify potential root causes and select and verify permanent corrective actions. Finally, put those actions into practice, validate them, take steps to prevent recurrence, and recognize and acknowledge the team ' s efforts.
Following the analysis of the root cause of the nonconformities, CoreBit Systems ' s ISMS project manager. Julia, developed a list of potential actions to address the identified nonconformities. Julia carefully evaluated the list to ensure that each action would effectively eliminate the root cause of the respective nonconformity. While assessing potential corrective action for addressing a nonconformity, Julia identified the issue as significant and assessed a high likelihood of its reoccurrence Consequently, she chose to implement temporary corrective actions. Afterward. Julia combined all the nonconformities Into a single action plan and sought approval from the top management.
The submitted action plan was written as follows:
A new version of the access control policy will be established and new restrictions will be created to ensure that network access is effectively managed and monitored by the Information and Communication Technology (ICT) Department.
However. Julia ' s submitted action plan was not approved by top management The reason cited was that a general action plan meant to address all nonconformities was deemed unacceptable. Consequently, Julia revised the action plan and submitted separate ones for approval Unfortunately, Julia did not adhere to the organization ' s specified deadline for submission, resulting in a delay in the corrective action process, and notably, the revised action plans lacked a defined schedule for execution.
Julia, the ISMS project manager, developed a combined action plan for all nonconformities. However, it was rejected, revised, and resubmitted late—without defined execution schedules.
Question:
Did CoreBit Systems have a plan in place to implement permanent corrective action to address the identified nonconformities?
Scenario 2:
Beauty is a well-established cosmetics company in the beauty industry. The company was founded several decades ago with a passion for creating high-quality skincare, makeup, and personal care products that enhance natural beauty. Over the years, Beauty has built a strong reputation for its innovative product offerings, commitment to customer satisfaction, and dedication to ethical and sustainable business practices.
In response to the rapidly evolving landscape of consumer shopping habits, Beauty transitioned from traditional retail to an e-commerce model. To initiate this strategy, Beauty conducted a comprehensive information security risk assessment, analyzing potential threats and vulnerabilities associated with its new e-commerce venture, aligned with its business strategy and objectives.
Concerning the identified risks, the company implemented several information security controls. All employees were required to sign confidentiality agreements to emphasize the importance of protecting sensitive customer data. The company thoroughly reviewed user access rights, ensuring only authorized personnel could access sensitive information. In addition, since the company stores valuable products and unique formulas in the warehouse, it installed alarm systems and surveillance cameras with real-time alerts to prevent any potential act of vandalism.
After a while, the information security team analyzed the audit logs to monitor and track activities across the newly implemented security controls. Upon investigating and analyzing the audit logs, it was discovered that an attacker had accessed the system due to out-of-date anti-malware software, exposing customers ' sensitive information, including names and home addresses. Following this, the IT team replaced the anti-malware software with a new one capable of automatically removing malicious code in case of similar incidents. The new software was installed on all workstations and regularly updated with the latest malware definitions, with an automatic update feature enabled. An authentication process requiring user identification and a password was also implemented to access sensitive information.
During the investigation, Maya, the information security manager of Beauty, found that information security responsibilities in job descriptions were not clearly defined, for which the company took immediate action. Recognizing that their e-commerce operations would have a global reach, Beauty diligently researched and complied with the industry ' s legal, statutory, regulatory, and contractual requirements. It considered international and local regulations, including data privacy laws, consumer protection acts, and global trade agreements.
To meet these requirements, Beauty invested in legal counsel and compliance experts who continuously monitored and ensured the company ' s compliance with legal standards in every market they operated in. Additionally, Beauty conducted multiple information security awareness sessions for the IT team and other employees with access to confidential information, emphasizing the importance of system and network security.
What type of assets were compromised in Beauty’s incident?
Which factor should be considered when estimating the consequences of a security event?
What risk treatment option has Company A implemented if it has required from its employees the change of email passwords at least once every 60 days?
The IRT has been notified of a potential compromise in the organization’s network. Which type of services would be most appropriate for the IRT to provide in this situation?
