<p>ISO-IEC-27005 Risk Manager PECB Certified ISO/IEC 27005 Risk Manager</p><p>exam dumps questions are the best material for you to test all the related PECB</p><p>exam topics. By using the ISO-IEC-27005 Risk Manager exam dumps questions</p><p>and practicing your skills, you can increase your confidence and chances of</p><p>passing the ISO-IEC-27005 Risk Manager exam.</p><p>Features of Dumpsinfo’s products</p><p>Instant Download</p><p>Free Update in 3 Months</p><p>Money back guarantee</p><p>PDF and Software</p><p>24/7 Customer Support</p><p>Besides, Dumpsinfo also provides unlimited access. You can get all</p><p>Dumpsinfo files at lowest price.</p><p>PECB Certified ISO/IEC 27005 Risk Manager ISO-IEC-27005 Risk Manager</p><p>exam free dumps questions are available below for you to study.</p><p>Full version: ISO-IEC-27005 Risk Manager Exam Dumps Questions</p><p>1. A cyber attacker exploits a security misconfiguration vulnerability of Productscape’s website to</p><p>launch an attack, which, in turn, could make the website unavailable to users.</p><p>2. An internal employee clicks on a link embedded in an email that redirects them to an unsecured</p><p>website, installing a malware on the device.</p><p>The likelihood of occurrence for the first risk scenario was determined as “medium.” One of the main</p><p>reasons that such a risk could occur was the usage of default accounts and password. Attackers</p><p>could exploit this vulnerability and launch a brute-force attack. Therefore, Productscape decided to</p><p>start using an automated “build and deploy” process which would test the software on deploy and</p><p>minimize the likelihood of such an incident from happening. However, the team made it clear that the</p><p>implementation of this process would not eliminate the risk completely and that there was still a low</p><p>possibility for this risk to occur. 
Productscape documented the remaining risk and decided to monitor</p><p>1 / 11</p><p>https://www.dumpsinfo.com/unlimited-access/</p><p>https://www.dumpsinfo.com/exam/iso-iec-27005-risk-manager</p><p>it for changes.</p><p>The likelihood of occurrence for the second risk scenario was determined as “medium.”</p><p>Productscape decided to contract an IT company that would provide technical assistance and monitor</p><p>the company’s systems and networks in order to prevent such incidents from happening. The</p><p>likelihood of occurrence for the third risk scenario was determined as “high.” Thus, Productscape</p><p>decided to include phishing as a topic on their information security training sessions. In addition, Alex</p><p>reviewed the controls of Annex A of ISO/IEC 27001 in order to determine the necessary controls for</p><p>treating this risk. Alex decided to implement control A.8.23 Web filtering which would help the</p><p>company to reduce the risk of accessing unsecure websites. Although security controls were</p><p>implemented to treat the risk, the level of the residual risk still did not meet the risk acceptance criteria</p><p>defined in the beginning of the risk assessment process. Since the cost of implementing additional</p><p>controls was too high for the company, Productscape decided to accept the residual risk. Therefore,</p><p>risk owners were assigned the responsibility of managing the residual risk.</p><p>Based on scenario 6, Alex reviewed the controls of Annex A of ISO/IEC 27001 to determine the</p><p>necessary controls for treating the risk described in the third risk scenario.</p><p>According to the guidelines of ISO/IEC 27005, is this acceptable?</p><p>A. No, Annex A controls should be used as a control set only if the organization seeks compliance to</p><p>ISO/IEC 27001</p><p>B. No, organizations should define custom controls that accurately reflect the selected information</p><p>security risk treatment options</p><p>C. Yes. 
organizations should select all controls from a chosen control set that are necessary for</p><p>treating the risks</p><p>Answer: C</p><p>Explanation:</p><p>According to ISO/IEC 27005, organizations can use any set of controls to treat identified risks as long</p><p>as they are appropriate and necessary for managing those risks. Annex A of ISO/IEC 27001 provides</p><p>a comprehensive set of controls that can be used to mitigate various information security risks. In this</p><p>scenario, Alex reviewed the controls from Annex A of ISO/IEC 27001 and selected control A.8.23</p><p>(Web filtering) to treat the risk associated with phishing and accessing unsecured websites. This</p><p>approach aligns with ISO/IEC 27005, which allows selecting relevant controls from any set to</p><p>effectively manage risks. Therefore, option C is the correct answer.</p><p>Reference: ISO/IEC 27005:2018, Clause 8.6, "Risk Treatment," which allows for selecting controls</p><p>from a set, such as Annex A of ISO/IEC 27001, to treat risks appropriately.</p><p>4 1. Scenario 6: Productscape is a market research company headquartered in Brussels, Belgium. It</p><p>helps organizations understand the needs and expectations of their customers and identify new</p><p>business opportunities. Productscape’s teams have extensive experience in marketing and business</p><p>strategy and work with some of the best-known organizations in Europe. The industry in which</p><p>Productscape operates requires effective risk management. Considering that Productscape has</p><p>access to clients’ confidential information, it is responsible for ensuring its security. As such, the</p><p>company conducts regular risk assessments. The top management appointed Alex as the risk</p><p>manager, who is responsible for monitoring the risk management process and treating information</p><p>security risks. The last risk assessment conducted was focused on information assets. 
The purpose</p><p>of this risk assessment was to identify information security risks, understand their level, and take</p><p>appropriate action to treat them in order to ensure the security of their systems. Alex established a</p><p>team of three members to perform the risk assessment activities. Each team member was</p><p>responsible for specific departments included in the risk assessment scope. The risk assessment</p><p>provided valuable information to identify, understand, and mitigate the risks that Productscape faces.</p><p>Initially, the team identified potential risks based on the risk identification results. Prior to analyzing</p><p>the identified risks, the risk acceptance criteria were established. The criteria for accepting the risks</p><p>were determined based on Productscape’s objectives, operations, and technology. The team created</p><p>various risk scenarios and determined the likelihood of occurrence as “low,” “medium,” or “high.”</p><p>2 / 11</p><p>https://www.dumpsinfo.com/</p><p>They decided that if the likelihood of occurrence for a risk scenario is determined as “low,” no further</p><p>action would be taken. On the other hand, if the likelihood of occurrence for a risk scenario is</p><p>determined as “high” or “medium,” additional controls will be implemented.</p><p>Some information security risk scenarios defined by Productscape’s team were as follows:</p><p>3. Activity area 3: The organization identifies the areas of concern which initiates the risk identification</p><p>process. In addition, the organization analyzes and determines the probability of the occurrence of</p><p>possible threat scenarios.</p><p>4. According to ISO/IEC 27005, what is the output of the documentation of risk management</p><p>processes?</p><p>A. Knowledge on the information security risk assessment and treatment processes in accordance</p><p>with clauses 7 and 8 of the standard</p><p>B. 
Documented information about the information security risk assessment and treatment results</p><p>C. Documented information that is necessary for the effectiveness of the information security risk</p><p>assessment or risk treatment processes</p><p>Answer: B</p><p>Explanation:</p><p>According to ISO/IEC 27005, the output of the documentation of risk management processes should</p><p>include detailed information about the results of the risk assessment and the chosen risk treatment</p><p>options. This ensures transparency and provides a clear record of the decision-making process</p><p>related to information security risk management. Therefore, option B is the correct answer.</p><p>5. Scenario 1</p><p>The risk assessment process was led by Henry, Bontton’s risk manager. The first step that Henry</p><p>took was identifying the company’s assets. Afterward, Henry created</p><p>various potential incident</p><p>scenarios. One of the main concerns regarding the use of the application was the possibility of being</p><p>targeted by cyber attackers, as a great number of organizations were experiencing cyberattacks</p><p>during that time. After analyzing the identified risks, Henry evaluated them and concluded that new</p><p>controls must be implemented if the company wants to use the application. Among others, he stated</p><p>that training should be provided to personnel regarding the use of the application and that awareness</p><p>sessions should be conducted regarding the importance of protecting customers’ personal data.</p><p>Lastly, Henry communicated the risk assessment results to the top management. They decided that</p><p>the application will be used only after treating the identified risks. Based on the scenario above,</p><p>answer the following question:</p><p>Bontton established a risk management process based on ISO/IEC 27005, to systematically manage</p><p>information security threats.</p><p>Is this a good practice?</p><p>A. 
Yes, ISO/IEC 27005 provides guidelines for information security risk management that enable</p><p>organizations to systematically manage information security threats</p><p>B. Yes, ISO/IEC 27005 provides guidelines to systematically manage all types of threats that</p><p>organizations may face</p><p>C. No, ISO/IEC 27005 cannot be used to manage information security threats in the food sector</p><p>Answer: A</p><p>Explanation:</p><p>ISO/IEC 27005 is the standard that provides guidelines for information security risk management,</p><p>which supports the requirements of an Information Security Management System (ISMS) as specified</p><p>in ISO/IEC 2700 1. In the scenario provided, Bontton established a risk management process to</p><p>3 / 11</p><p>https://www.dumpsinfo.com/</p><p>identify, analyze, evaluate, and treat information security risks, which is in alignment with the</p><p>guidelines set out in ISO/IEC 27005. The standard emphasizes a systematic approach to identifying</p><p>assets, identifying threats and vulnerabilities, assessing risks, and implementing appropriate risk</p><p>treatment measures, such as training and awareness sessions. Thus, option A is correct, as it</p><p>accurately reflects the purpose and application of ISO/IEC 27005 in managing information security</p><p>threats. Option B is incorrect because ISO/IEC 27005 specifically addresses information security</p><p>threats, not all types of threats, and option C is incorrect because ISO/IEC 27005 is applicable to any</p><p>sector, including the food industry, as long as it concerns information security risks.</p><p>6. An internal employee clicks on a link embedded in an email that redirects them to an unsecured</p><p>website, installing a malware on the device.</p><p>The likelihood of occurrence for the first risk scenario was determined as “medium.” One of the main</p><p>reasons that such a risk could occur was the usage of default accounts and password. 
Attackers</p><p>could exploit this vulnerability and launch a brute-force attack. Therefore, Productscape decided to</p><p>start using an automated “build and deploy” process which would test the software on deploy and</p><p>minimize the likelihood of such an incident from happening. However, the team made it clear that the</p><p>implementation of this process would not eliminate the risk completely and that there was still a low</p><p>possibility for this risk to occur. Productscape documented the remaining risk and decided to monitor</p><p>it for changes.</p><p>The likelihood of occurrence for the second risk scenario was determined as “medium.”</p><p>Productscape decided to contract an IT company that would provide technical assistance and monitor</p><p>the company’s systems and networks in order to prevent such incidents from happening. The</p><p>likelihood of occurrence for the third risk scenario was determined as “high.” Thus, Productscape</p><p>decided to include phishing as a topic on their information security training sessions. In addition, Alex</p><p>reviewed the controls of Annex A of ISO/IEC 27001 in order to determine the necessary controls for</p><p>treating this risk. Alex decided to implement control A.8.23 Web filtering which would help the</p><p>company to reduce the risk of accessing unsecure websites. Although security controls were</p><p>implemented to treat the risk, the level of the residual risk still did not meet the risk acceptance criteria</p><p>defined in the beginning of the risk assessment process. Since the cost of implementing additional</p><p>controls was too high for the company, Productscape decided to accept the residual risk. Therefore,</p><p>risk owners were assigned the responsibility of managing the residual risk.</p><p>Based on scenario 6, Productscape decided to monitor the remaining risk after risk treatment. Is this</p><p>necessary?</p><p>A. 
No, there is no need to monitor risks that meet the risk acceptance criteria</p><p>B. No, unless the risk has a severe impact if it occurs, there is no need to monitor the risk</p><p>C. Yes, the remaining risk after risk treatment should be monitored and reviewed</p><p>Answer: C</p><p>Explanation:</p><p>ISO/IEC 27005 advises that even after risks have been treated, any residual risks should be</p><p>continuously monitored and reviewed. This is necessary to ensure that they remain within acceptable</p><p>levels and that any changes in the internal or external environment do not escalate the risk beyond</p><p>acceptable thresholds. Monitoring also ensures that the effectiveness of the controls remains</p><p>adequate over time. Option A is incorrect because all risks, including those meeting the risk</p><p>acceptance criteria, should be monitored. Option B is incorrect because monitoring is necessary</p><p>regardless of the perceived severity if it occurs, to detect changes early.</p><p>7. Activity area 3: The organization identifies the areas of concern which initiates the risk identification</p><p>process. In addition, the organization analyzes and determines the probability of the occurrence of</p><p>possible threat scenarios.</p><p>4 / 11</p><p>https://www.dumpsinfo.com/</p><p>8. Scenario 3: Printary is an American company that offers digital printing services. Creating cost-</p><p>effective and creative products, the company has been part of the printing industry for more than 30</p><p>years. Three years ago, the company started to operate online, providing greater flexibility for its</p><p>clients. Through the website, clients could find information about all services offered by Printary and</p><p>order personalized products. However, operating online increased the risk of cyber threats,</p><p>consequently, impacting the business functions of the company. 
Thus, along with the decision of</p><p>creating an online business, the company focused on managing information security risks. Their risk</p><p>management program was established based on ISO/IEC 27005 guidelines and industry best</p><p>practices.</p><p>Last year, the company considered the integration of an online payment system on its website in</p><p>order to provide more flexibility and transparency to customers. Printary analyzed various available</p><p>solutions and selected Pay0, a payment processing solution that allows any company to easily collect</p><p>payments on their website. Before making the decision, Printary conducted a risk assessment to</p><p>identify and analyze information security risks associated with the software. The risk assessment</p><p>process involved three phases: identification, analysis, and evaluation. During risk identification, the</p><p>company inspected assets, threats, and vulnerabilities. In addition, to identify the information security</p><p>risks, Printary used a list of the identified events that could negatively affect the achievement of</p><p>information security objectives. The risk identification phase highlighted two main threats associated</p><p>with the online payment system: error in use and data corruption After conducting a gap analysis, the</p><p>company concluded that the existing security controls were sufficient to mitigate the threat of data</p><p>corruption. However, the user interface of the payment solution was complicated, which could</p><p>increase the risk associated with user errors, and, as a result, impact data integrity and confidentiality.</p><p>Subsequently, the risk identification results were analyzed. The company</p><p>conducted risk analysis in</p><p>order to understand the nature of the identified risks. They decided to use a quantitative risk analysis</p><p>methodology because it would provide more detailed information. 
The selected risk analysis</p><p>methodology was consistent with the risk evaluation criteria. Firstly, they used a list of potential</p><p>incident scenarios to assess their potential impact. In addition, the likelihood of incident scenarios was</p><p>defined and assessed. Finally, the level of risk was defined as low.</p><p>In the end, the level of risk was compared to the risk evaluation and acceptance criteria and was</p><p>prioritized accordingly.</p><p>Based on scenario 3, Printary used a list of identified events that could negatively influence the</p><p>achievement of its information security objectives to identify information security risks.</p><p>Is this in compliance with the guidelines of ISO/IEC 27005?</p><p>A. No, a list of risk scenarios with their consequences related to assets or events and their likelihood</p><p>should be used to identity information security risks</p><p>B. Yes, a list of events that can negatively influence the achievement of information security</p><p>objectives in the company should be used to identity information security risks</p><p>C. No. a list of risk sources, business processes. and business objectives should be used to identify</p><p>information security risks</p><p>Answer: B</p><p>Explanation:</p><p>According to ISO/IEC 27005, identifying risks to information security involves recognizing events that</p><p>could adversely affect the achievement of information security objectives. Using a list of events that</p><p>could negatively impact these objectives is consistent with the risk identification process as outlined in</p><p>ISO/IEC 27005. This approach focuses on identifying specific incidents or events that could result in</p><p>security breaches or compromises, providing a clear understanding of the potential risks to the</p><p>organization. 
Thus, Printary's use of a list of such events to identify information security risks complies</p><p>with the standard's guidelines, making option B the correct answer.</p><p>Reference: ISO/IEC 27005:2018, Clause 8.2, "Risk Identification," which states that the organization</p><p>should identify the events that could compromise information security objectives.</p><p>5 / 11</p><p>https://www.dumpsinfo.com/</p><p>9. Scenario 1</p><p>The risk assessment process was led by Henry, Bontton’s risk manager. The first step that Henry</p><p>took was identifying the company’s assets. Afterward, Henry created various potential incident</p><p>scenarios. One of the main concerns regarding the use of the application was the possibility of being</p><p>targeted by cyber attackers, as a great number of organizations were experiencing cyberattacks</p><p>during that time. After analyzing the identified risks, Henry evaluated them and concluded that new</p><p>controls must be implemented if the company wants to use the application. Among others, he stated</p><p>that training should be provided to personnel regarding the use of the application and that awareness</p><p>sessions should be conducted regarding the importance of protecting customers’ personal data.</p><p>Lastly, Henry communicated the risk assessment results to the top management. They decided that</p><p>the application will be used only after treating the identified risks.</p><p>According to scenario 1, Bontton wanted to use an application that ensures only authorized users</p><p>have access to customers’ personal data .</p><p>Which information security principle does Bontton want to ensure in this case?</p><p>A. Integrity</p><p>B. Availability</p><p>C. Confidentiality</p><p>Answer: C</p><p>Explanation:</p><p>In the context of information security, confidentiality refers to ensuring that information is accessible</p><p>only to those who are authorized to have access. 
According to scenario 1, Bontton wanted to use an</p><p>application that ensures only authorized users have access to customers' personal data. This directly</p><p>aligns with the principle of confidentiality, as Bontton aims to protect personal data from unauthorized</p><p>access or disclosure. This focus on restricting access to sensitive data to authorized personnel clearly</p><p>indicates that the confidentiality of information is the primary concern in this case. Thus, the correct</p><p>answer is C.</p><p>10. A cyber attacker gains access to confidential information of clients and may threaten to make the</p><p>information publicly available unless a ransom is paid.</p><p>11. Activity area 4: The organization identifies and evaluates the risks. In addition, the criteria</p><p>specified in activity area 1 is reviewed and the consequences of the areas of concerns are evaluated.</p><p>Lastly, the level of identified risks is determined.</p><p>The table below provides an example of how Biotide assesses the risks related to its information</p><p>assets following this methodology:</p><p>Based on the scenario above, answer the following question:</p><p>6 / 11</p><p>https://www.dumpsinfo.com/</p><p>Which risk assessment methodology does Biotide use?</p><p>A. OCTAVE Allegro</p><p>B. OCTAVE-S</p><p>C. MEHARI</p><p>Answer: A</p><p>Explanation:</p><p>Biotide uses the OCTAVE Allegro methodology for risk assessment. This is determined based on the</p><p>description of the activities mentioned in the scenario. OCTAVE Allegro is a streamlined approach</p><p>specifically designed to help organizations perform risk assessments that are efficient and effective,</p><p>particularly when handling information assets. 
The methodology focuses on a thorough examination</p><p>of information assets, the threats they face, and the impact of those threats.</p><p>Activity Area 1: OCTAVE Allegro defines the criteria for evaluating the impact of risks, which is</p><p>consistent with determining the risk effects' evaluation criteria in the scenario.</p><p>Activity Area 2: In OCTAVE Allegro, a critical step is creating profiles for information assets,</p><p>identifying their owners, and determining security requirements. This aligns with the activity in which</p><p>Biotide identifies critical assets, their owners, and their security needs.</p><p>Activity Area 3: Identifying areas of concern that initiate risk identification and analyzing threat</p><p>scenarios is central to OCTAVE Allegro. This is reflected in the activity of identifying areas of concern</p><p>and determining the likelihood of threats.</p><p>Activity Area 4: Evaluating the risks, reviewing criteria, and determining risk levels corresponds to the</p><p>latter stages of OCTAVE Allegro, where risks are prioritized based on the likelihood and impact, and</p><p>risk management strategies are formulated accordingly.</p><p>The steps outlined align with the OCTAVE Allegro approach, which focuses on understanding and</p><p>addressing information security risks comprehensively and in line with organizational objectives.</p><p>Hence, option A, OCTAVE Allegro, is the correct answer.</p><p>ISO/IEC 27005:2018 emphasizes the importance of using structured methodologies for information</p><p>security risk management, like OCTAVE Allegro, to ensure that risks are consistently identified,</p><p>assessed, and managed in accordance with organizational risk tolerance and objectives.</p><p>5 1. Scenario 8: Biotide is a pharmaceutical company that produces medication for treating different</p><p>kinds of diseases. 
The company was founded in 1997, and since then it has contributed in solving</p><p>7 / 11</p><p>https://www.dumpsinfo.com/</p><p>some of the most challenging healthcare issues.</p><p>As a pharmaceutical company, Biotide operates in an environment associated with complex risks. As</p><p>such, the company focuses on risk management strategies that ensure the effective management of</p><p>risks to develop high-quality medication. With the large amount of sensitive information generated</p><p>from the company, managing information security risks is certainly an important part of the overall risk</p><p>management process. Biotide utilizes a publicly available methodology for conducting risk</p><p>assessment related to information assets. This methodology helps Biotide to perform risk assessment</p><p>by taking into account its objectives and mission.</p><p>Following this method, the risk management process is organized into four activity areas, each of</p><p>them involving a set of activities, as provided below.</p><p>12. Scenario 2: Travivve is a travel agency that operates in more than 100 countries. Headquartered</p><p>in San Francisco, the US, the agency is known for its personalized vacation packages and travel</p><p>services. Travivve aims to deliver reliable services that meet its clients’ needs. Considering the</p><p>impact of information security in its reputation, Travivve decided to implement an information security</p><p>management system (ISMS) based on ISO/IEC 2700 1. In addition, they decided to establish and</p><p>implement an information security risk management program. Based on the priority of specific</p><p>departments in Travivve, the top management decided to initially apply the risk management process</p><p>only in the Sales Management Department. 
The process would be applicable for other departments</p><p>only when introducing new technology.</p><p>Travivve’s top management wanted to make sure that the risk management program is established</p><p>based on the industry best practices. Therefore, they created a team of three members that would be</p><p>responsible for establishing and implementing it. One of the team members was Travivve’s risk</p><p>manager who was responsible for supervising the team and planning all risk management activities.</p><p>In addition, the risk manager was responsible for monitoring the program and reporting the monitoring</p><p>results to the top management.</p><p>Initially, the team decided to analyze the internal and external context of Travivve. As part of the</p><p>process of understanding the organization and its context, the team identified key processes and</p><p>activities. Then, the team identified the interested parties and their basic requirements and</p><p>determined the status of compliance with these requirements. In addition, the team identified all the</p><p>reference documents that applied to the defined scope of the risk management process, which mainly</p><p>included the Annex A of ISO/IEC 27001 and the internal security rules established by Travivve.</p><p>Lastly, the team analyzed both reference documents and justified a few noncompliances with those</p><p>requirements.</p><p>The risk manager selected the information security risk management method which was aligned with</p><p>other approaches used by the company to manage other risks. The team also communicated the risk</p><p>management process to all interested parties through previously established communication</p><p>mechanisms. In addition, they made sure to inform all interested parties about their roles and</p><p>responsibilities regarding risk management. 
Travivve also decided to involve interested parties in its</p><p>risk management activities since, according to the top management, this process required their active</p><p>participation.</p><p>Lastly, Travivve’s risk management team decided to conduct the initial information security risk</p><p>assessment process. As such, the team established the criteria for performing the information</p><p>security risk assessment which included the consequence criteria and likelihood criteria.</p><p>Based on scenario 2, the team decided to involve interested parties in risk management activities. Is</p><p>this a good practice?</p><p>A. No. only internal interested parties should be involved in risk management activities</p><p>B. Yes, relevant interested parties should be involved in risk management activities to ensure the</p><p>successful completion of the risk assessment</p><p>C. No, only the risk management team should be involved in risk management activities</p><p>Answer: B</p><p>Explanation:</p><p>8 / 11</p><p>https://www.dumpsinfo.com/</p><p>According to ISO/IEC 27005, involving relevant interested parties in the risk management process is</p><p>considered a best practice. This approach ensures that all perspectives are considered, and relevant</p><p>knowledge is leveraged, which helps in comprehensively identifying, analyzing, and managing risks.</p><p>Interested parties, such as stakeholders, can provide valuable insights and information regarding the</p><p>organization's assets, processes, threats, and vulnerabilities, contributing to a more accurate and</p><p>effective risk assessment. Therefore, option B is correct because it supports the principle that</p><p>involving relevant parties leads to a more successful risk assessment process. Options A and C are</p><p>incorrect because excluding either external interested parties or restricting involvement only to the</p><p>risk management team would limit the effectiveness of the risk management process.</p><p>13. 
A cyber attacker gains access to confidential information of clients and may threaten to make the</p><p>information publicly available unless a ransom is paid.</p><p>14. Scenario 4: In 2017, seeing that millions of people turned to online shopping, Ed and James</p><p>Cordon founded the online marketplace for footwear called Poshoe. In the past, purchasing pre-</p><p>owned designer shoes online was not a pleasant experience because of unattractive pictures and an</p><p>inability to ascertain the products’ authenticity. However, after Poshoe’s establishment, each product</p><p>was well advertised and certified as authentic before being offered to clients. This increased the</p><p>customers’ confidence and trust in Poshoe’s products and services. Poshoe has approximately four</p><p>million users and its mission is to dominate the second-hand sneaker market and become a multi-</p><p>billion dollar company.</p><p>Due to the significant increase of daily online buyers, Poshoe’s top management decided to adopt a</p><p>big data analytics tool that could help the company effectively handle, store, and analyze data. Before</p><p>initiating the implementation process, they decided to conduct a risk assessment. Initially, the</p><p>company identified its assets, threats, and vulnerabilities associated with its information systems. In</p><p>terms of assets, the company identified the information that was vital to the achievement of the</p><p>organization’s mission and objectives. During this phase, the company also detected a rootkit in their</p><p>software, through which an attacker could remotely access Poshoe’s systems and acquire sensitive</p><p>data.</p><p>The company discovered that the rootkit had been installed by an attacker who had gained</p><p>administrator access. As a result, the attacker was able to obtain the customers’ personal data after</p><p>they purchased a product from Poshoe. 
Luckily, the company was able to execute some scans from the target device and gain greater visibility into its software’s settings in order to identify the vulnerability of the system.</p><p>The company initially used the qualitative risk analysis technique to assess the consequences and the likelihood and to determine the level of risk. The company defined the likelihood of the risk as “a few times in two years with the probability of 1 to 3 times per year.” Later, it was decided that they would use a quantitative risk analysis methodology, since it would provide additional information on this major risk. Lastly, top management decided to treat the risk immediately, as it could expose the company to other issues. In addition, employees were instructed to update, secure, and back up Poshoe’s software in order to protect customers’ personal information and prevent unauthorized access by attackers.</p><p>Based on scenario 4, which scanning tool did Poshoe use to detect the vulnerability in its software?</p><p>A. Network-based scanning tool</p><p>B. Host-based scanning tool</p><p>C. Penetration testing tool</p><p>Answer: B</p><p>Explanation:</p><p>Poshoe ran scans from the target device itself to gain visibility into its software’s settings, which indicates a host-based scanning tool. A host-based scanner runs on (or with privileged access to) the system being assessed and examines its internal state, such as installed software, configuration, files, and running processes, to detect vulnerabilities or malicious software such as rootkits. Option A (Network-based scanning tool) would probe the system from the network to identify exposed services and vulnerabilities in network devices, which does not match the context. 
Option C (Penetration testing tool) involves simulating an attack to test the system’s defenses, which is more intrusive than the scanning described in the scenario. A caveat for practitioners: a rootkit installed with administrator privileges can subvert the operating system’s own interfaces to hide its files and processes, so results from a scanner running on the compromised host should be corroborated with out-of-band analysis, for example an offline scan of the disk image from a trusted system.</p><p>31. Scenario 4: In 2017, seeing that millions of people had turned to online shopping, Ed and James Cordon founded the online marketplace for footwear called Poshoe. In the past, purchasing pre-owned designer shoes online was not a pleasant experience because of unattractive pictures and an inability to ascertain the products’ authenticity. After Poshoe’s establishment, however, each product was well advertised and certified as authentic before being offered to clients. This increased customers’ confidence and trust in Poshoe’s products and services. Poshoe has approximately four million users, and its mission is to dominate the second-hand sneaker market and become a multi-billion dollar company.</p><p>Due to the significant increase in daily online buyers, Poshoe’s top management decided to adopt a big data analytics tool that could help the company effectively handle, store, and analyze data. Before initiating the implementation process, they decided to conduct a risk assessment. Initially, the company identified its assets, threats, and vulnerabilities associated with its information systems. In terms of assets, the company identified the information that was vital to the achievement of the organization’s mission and objectives. During this phase, the company also detected a rootkit in its software, through which an attacker could remotely access Poshoe’s systems and acquire sensitive data.</p><p>The company discovered that the rootkit had been installed by an attacker who had gained administrator access. As a result, the attacker was able to obtain customers’ personal data after they purchased a product from Poshoe. 
Luckily, the company was able to execute some scans from the target device and gain greater visibility into its software’s settings in order to identify the vulnerability of the system.</p><p>The company initially used the qualitative risk analysis technique to assess the consequences and the likelihood and to determine the level of risk. The company defined the likelihood of the risk as “a few times in two years with the probability of 1 to 3 times per year.” Later, it was decided that they would use a quantitative risk analysis methodology, since it would provide additional information on this major risk. Lastly, top management decided to treat the risk immediately, as it could expose the company to other issues. In addition, employees were instructed to update, secure, and back up Poshoe’s software in order to protect customers’ personal information and prevent unauthorized access by attackers.</p><p>According to scenario 4, the top management of Poshoe decided to treat the risk immediately after conducting the risk analysis.</p><p>Is this in compliance with risk management best practices?</p><p>A. No, risk evaluation should be performed before making any decision regarding risk treatment</p><p>B. Yes, risk treatment options should be implemented immediately after analyzing the risk, as the risk could expose the company to other security threats</p><p>C. No, the risk should be communicated to all the interested parties before making any decision regarding risk treatment</p><p>Answer: A</p><p>Explanation:</p><p>According to ISO/IEC 27005, the step that follows risk analysis in the risk assessment process is risk evaluation. 
Risk evaluation compares the level of risk estimated during analysis against the risk evaluation and risk acceptance criteria that the organization established when setting the context, in order to determine the significance of the risk and decide whether it is acceptable or requires treatment, and with what priority relative to the other assessed risks. Only after this evaluation should an organization select risk treatment options. In the scenario, deciding to treat the risk immediately after risk analysis, without first performing risk evaluation, is therefore not in line with the ISO/IEC 27005 process, and option A is correct. The urgency of the risk does not remove the need for evaluation: it is the evaluation step that ranks the risk against the acceptance criteria and justifies the priority given to its treatment.</p><p>Reference: ISO/IEC 27005, risk evaluation (Clause 8.4, “Risk evaluation”, in the 2018 edition; Clause 7.4, “Evaluating the information security risks”, in the 2022 edition), which describes evaluating risks after analysis to determine whether they require treatment.</p>