alla

Question 1

1) What is defined as ”a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization’s information security to achieve business objectives”?

Answer 1

ISMS

Question 2

2) Which of the following is not one of the ”fundamental principles” that ”also contribute to the successful implementation of an ISMS”?

Answer 2

d) active prevention and detection of stakeholder deviations

Question 3

3) Information can be stored in many forms. Which forms are mentioned in ISO/IEC 27000?

Answer 3

digital, material and knowledge of the employee

Question 4

4) Which term means ”informed decision to take a particular risk”?

Answer 4

risk acceptance

Question 5

5) The standard ISO/IEC 27003 is concerned with what?

Answer 5

It provides guidance on the requirements of ISO/IEC 27001

Question 6

6) According to ISO/IEC 27001, the management review shall include consideration of feedback on the information security performance, including trends in what?

Answer 6

alla

Question 7

7) Is there a requirement in ISO/IEC 27001 that the information security policy shall be available as documented information?

Answer 7

d) Yes, no matter what

Question 8

8) What is false regarding information security controls according to ISO/IEC 27001?

Answer 8

c) It is mandatory to select at least all the controls listed in the Annex A

Question 9

9) ISO/IEC 27001 mentions a document called a ”statement of applicability”. Why is it called that?

Answer 9

d) The document contains applicable security controls

Question 10

10) Needs and expectations of interested parties may include for example:

Answer 10

legal, regularoty and contract

Question 11

11) What is the relation between ISO/IEC 27001 and ISO/IEC 27002?

Answer 11

27001 refers to the controls in 27002

Question 12

12) What is true regarding ”control objectives” according to ISO/IEC 27002?

Answer 12

They state what should be achieved by one or more controls

Question 13

13) “Segregation of duties” is a method for reducing the risk of accidental or deliberate
misuse of an organization’s assets. What does it mean?

Answer 13

Segregated responsibilities to reduce opportunities to breach security

Question 14

14) Who is responsible for that information assets are appropriately inventoried, classified and protected?

Answer 14

asset owners

Question 15

15) What is the point of “information classification”?

Answer 15

d) To ensure that information receives an appropriate level of protection

Question 16

16) What is true in relation to “tribal governments” use of FIPS 199 security categorization scheme?

Answer 16

Tribal governments may use the scheme

Question 17

17) FIPS 199 establishes security categories for both information and information systems. The security categories are based on the potential … ?

Answer 17

impact on an organization in case of security breach

Question 18

18) Categorise historic public information about Swedish kings in a royal archive, in accordance with the security categorization scheme?

Answer 18

b) SC archive = {(confidentiality, NA), (integrity, HIGH), (availability, LOW)}

Question 19

19) You have found both “contract” and “administrative” information in the same information system, categorised as SC contract information = {(confidentiality, MODERATE), (integrity, MODERATE), (availability, LOW)} and SC administrative information = {(confidentiality, LOW), (integrity, LOW), (availability, LOW)}. Categorise the information system where both information types reside to ensure proper protection?

Answer 19

a) {(confidentiality, MODERATE), (integrity, MODERATE), (availability, LOW)}.

Question 20

20) Is potential impact of a security breach on individuals considered in FIPS 199?

Answer 20

d) Yes, this is explicitly stated in the text

Question 21

21) What is a low-impact information system according to FIPS 200?

Answer 21

CIA = alla low

Question 22

22) In using FIPS 199 and FIPS 200, which should be done first – determination of information system impact levels or the selection of appropriate security controls?

Question 23

23) How shall organisations meet the stated “minimum security requirements” according to FIPS 200?

Answer 23

) They shall select appropriate controls in another document

Question 24

24) Which term in FIPS 200 means “The official management decision given by a senior agency official to authorize operation of an information system” and to explicitly accept the residual risk?

Answer 24

b) Accreditation

Question 25

25) What is a high-impact system in FIPS 200? It is an information system in which …

Answer 25

a) at least one security objective (i.e., confidentiality, integrity, or availability) is
assigned a FIPS 199 potential impact value of high

Question 26

26) According to SP 800-30, preparing for a risk assessment includes all of the following tasks, except which one?:

Answer 26

d) Identify the requirements and risks associated with the assessment

Question 27

27) SP 800-30 asks us to consider predisposing conditions. What does it mean?

Answer 27

a) Condition that contributes to the likelihood that a threat materialises

Question 28

28) “Tier 1”, “tier 2” and “tier 3” are used to signify what in SP 800-30?

Answer 28

bio

Question 29

29) Adversarial, accidental and environmental are examples of what?

Answer 29

threat sources

Question 30

30) Risk is a ”measure of the extent to which an entity is threatened by a potential circumstance or event”, and is typically a function of …. (what)?:

Answer 30

likelihood and impact

Question 31

31) What is supposed to be able to “continuously deliver its intended outcome despite adverse cyber events”, in a cyber resilience context?

Answer 31

allt (land, info system och business process)

Question 32

32) What is an “adverse cyber event”?

Answer 32

All events that negatively impact the availability, integrity or confidentiality

Question 33

33) What is the general objective of cyber resilience?

Answer 33

ensuring business delivery

Question 34

34) It is said that resilient systems should be designed to be able to fail in a controlled way, rather than being designed to solely protect against failure. What is this design feature called?

Answer 34

safe to fail

Question 35

35) Which of the following is most likely an “unintentional act of man”?

Answer 35

webben down pga failed updated

Question 36

36) Which of these terms refers to “a set of interrelated or interacting elements of an organization to establish policies and objectives and processes to achieve those objectives” is?

Answer 36

mangment system

Question 37

37) Which document makes the ISMS visible?

Answer 37

a)Policy
b) Procedures
c) Guidelines

Question 38

38) In which industry sector is the new regulation GDPR applicable?

Answer 38

alla

Question 39

39) What is the main drawback with letting information classification for a given asset completely determine the selection of information security controls?

Answer 39

d) Important factors, e.g. risks, are overlooked

Question 40

40) What does APT stand for?

Answer 40

advanced persitent threath

Question 41

41) Which of the following may be an example of an adversarial threat source?

Answer 41

insider, hacking group, competitors

Question 42

42) How can we ensure that all potentially relevant risks are analysed in our risk
assessment?

Answer 42

we can not

Question 43

43) What is one major difference between the definitions of ”risk” in ISO/IEC 27001 and NIST SP 800-30?

Answer 43

nist = negative, iso = postiv and negative

Question 44

44) In ISO/IEC 27002, chapter 10 is on “Cryptography”. It contains only two controls, one is about “key management” and the other is about (what)?

Answer 44

policy

Question 45

45) Is network security management covered in ISO/IEC 27002?

Answer 45

yes some controls

Question 46

47) The different classes in the information classification model discussed in the lectures was mainly based on what?

Answer 46

impact

Question 47

48) What is the “gap” in a “GAP-analysis”?

Answer 47

where we are now vs where we want to be

Question 48

49) Which of the following is an example of a tool that can be used for technical vulnerability analysis?

Answer 48

a)Nessus
b) Qualys (QualysGuard)
c) OpenVAS

Question 49

50) Managing information security in organisations is difficult mainly because of (what)? a)

Answer 49

people

Question 50

51) Which of the following is a potential benefit of measuring information security?

Answer 50

a) To prove progress in the work
b) Evidence of meeting requirements
c) To prove to external actors that external requirements are met

Question 51

52) What is usually the meaning of “Asset Management” in information security?

Answer 51

b) It refers to identifying and protecting information- and IT-related assets

Question 52

53) When managing information security in organisations, people should be viewed as (what)?

Answer 52

a)Being assets
b) Being potential threat sources
c) Being part of the Security controls

Question 53

54) Is the ISMS described in ISO/IEC 27001 also intended to be useful in small organisations?

Answer 53

yes

Question 54

54) Which publication, used as reference literature in the course, provides a catalog of security and privacy controls for information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse

Answer 54

NIST 800-53

Question 55

55) Which federal US act (law) requires each federal agency to develop, document, and implement an agency-wide program to provide information security for information and information systems?

Answer 55

fisma

Question 56

56) Why are we interested in business objectives and business strategy when managing information security?

Answer 56

Because information security efforts need to be aligned with business objectives and strategy to support it

Question 57

57) Which publication in the ISO/IEC 27000-series does specifically address the needs and responsibilities of governing bodies, such as board or directors?

Answer 57

d) 27014

Question 58

35) A Data Protection Impact Assessment (DPIA) assesses the impact on what?

Answer 58

freedom

Question 59

38) In which industry sector is HIPAA used?

Answer 59

healthcare

Question 60

40) Which of the following do you need to take into account when selecting appropriate technical and organisational measures to protect personal data in accordance with GDPR (EU General Data Protection Regulation)?

Answer 60

allt