Scenario 4: TradeB. a commercial bank that has just entered the market, accepts deposits from its clients and offers basic financial services and loans for investments. TradeB has decided to implement an information security management system (ISMS) based on ISO/IEC 27001 Having no experience of a management [^system implementation, TradeB's top management contracted two experts to direct and manage the ISMS implementation project.
First, the project team analyzed the 93 controls of ISO/IEC 27001 Annex A and listed only the security controls deemed applicable to the company and their objectives Based on this analysis, they drafted the Statement of Applicability. Afterward, they conducted a risk assessment, during which they identified assets, such as hardware, software, and networks, as well as threats and vulnerabilities, assessed potential consequences and likelihood, and determined the level of risks based on three nonnumerical categories (low, medium, and high). They evaluated the risks based on the risk evaluation criteria and decided to treat only the high risk category They also decided to focus primarily on the unauthorized use of administrator rights and system interruptions due to several hardware failures by establishing a new version of the access control policy, implementing controls to manage and control user access, and implementing a control for ICT readiness for business continuity
Lastly, they drafted a risk assessment report, in which they wrote that if after the implementation of these security controls the level of risk is below the acceptable level, the risks will be accepted
Based on scenario 4, what type of assets were identified during risk assessment?
Infralink is a medium-sized IT consultancy firm headquartered in Dublin, Ireland. It specializes in secure cloud infrastructure, software integration, and data analytics, serving a diverse client base in the healthcare, financial services, and legal sectors, including hospitals, insurance providers, and law firms. To safeguard sensitive client data and support business continuity, Infralink has implemented an information security management system (ISMS) aligned with the requirements of ISO/IEC 27001.
In developing its security architecture, the company adopted services to support centralized user identification and shared authentication mechanisms across its departments. These services also governed the creation and management of credentials within the company. Additionally, Infralink deployed solutions to protect sensitive data in transit and at rest, maintaining confidentiality and integrity across its systems.
In preparation for implementing information security controls, the company ensured the availability of necessary resources, personnel competence, and structured planning. It conducted a cost-benefit analysis, scheduled implementation phases, and prepared documentation and activity checklists for each phase. The intended outcomes were clearly defined to align security controls with business objectives.
Infralink started by implementing several controls from Annex A of ISO/IEC 27001. These included regulating physical and logical access to information and assets in accordance with business and information security requirements, managing the identity life cycle, and establishing procedures for providing, reviewing, modifying, and revoking access rights. However, controls related to the secure allocation and management of authentication information, as well as the establishment of rules or agreements for secure information transfer, have not yet been implemented. During the documentation process, the company ensured that all ISMS-related documents supported traceability by including titles, creation or update dates, author names, and unique reference numbers. Based on the scenario above, answer the following question.
Based on scenario -1. which methodology did AegisCure use to implement its ISMS?
Upon the risk assessment outcomes. Socket Inc. decided to:
• Require the use of passwords with at least 12 characters containing uppercase and lowercase letters, symbols, and numbers
• Require the change of passwords at least once every 60 days
• Keep backup copies of files on IT-provided network drives
• Assign users to a separate network when they have access to cloud storage files storing customers' personal data.
Based on scenario 5. Socket Inc. decided to use cloud storage to store customers' personal data considering that the identified risks have low likelihood and high impact, is this acceptable?
During a security audit, security analysts discover that an attacker has been repeatedly querying a black-box machine learning model to infer whether certain sensitive data points were part of the training dataset. By doing so, the attacker was able to determine if a specific individual's data was used in training. What threat does this attack represent?
Copyright © 2021-2026 CertsTopics. All Rights Reserved
