Higher Test Marks with Free Online ISO-IEC-27005-Risk-Manager Exam Practice

Which activity below is NOT included in the information security risk assessment process? 

Scenario 5: Detika is a private cardiology clinic in Pennsylvania, the US. Detika has one of the most advanced

healthcare systems for treating heart diseases. The clinic uses sophisticated apparatus that detects heart

diseases in early stages. Since 2010, medical information of Detika’s patients is stored on the organization’s

digital systems. Electronic health records (EHR), among others, include patients’ diagnosis, treatment plan,

and laboratory results.

Storing and accessing patient and other medical data digitally was a huge and a risky step for Detika.

Considering the sensitivity of information stored in their systems, Detika conducts regular risk assessments to

ensure that all information security risks are identified and managed. Last month, Detika conducted a risk

assessment which was focused on the EHR system. During risk identification, the IT team found out that

some employees were not updating the operating systems regularly. This could cause major problems such as

a data breach or loss of software compatibility. In addition, the IT team tested the software and detected a

flaw in one of the software modules used. Both issues were reported to the top management and they decided

to implement appropriate controls for treating the identified risks. They decided to organize training sessions

for all employees in order to make them aware of the importance of the system updates. In addition, the

manager of the IT Department was appointed as the person responsible for ensuring that the software is

regularly tested.

Another risk identified during the risk assessment was the risk of a potential ransomware attack. This risk was

defined as low because all their data was backed up daily. The IT team decided to accept the actual risk of

ransomware attacks and concluded that additional measures were not required. This decision was documented

in the risk treatment plan and communicated to the risk owner. The risk owner approved the risk treatment

plan and documented the risk assessment results.

Following that, Detika initiated the implementation of new controls. In addition, one of the employees of the

IT Department was assigned the responsibility for monitoring the implementation process and ensure the

effectiveness of the security controls. The IT team, on the other hand, was responsible for allocating the

resources needed to effectively implement the new controls.

How should Detika define which of the identified risks should be treated first? Refer to scenario 5

Scenario 4: In 2017, seeing that millions of people turned to online shopping, Ed and James Cordon founded

the online marketplace for footwear called Poshoe. In the past, purchasing pre-owned designer shoes online

was not a pleasant experience because of unattractive pictures and an inability to ascertain the products’

authenticity. However, after Poshoe’s establishment, each product was well advertised and certified as

authentic before being offered to clients. This increased the customers’ confidence and trust in Poshoe’s

products and services. Poshoe has approximately four million users and its mission is to dominate the secondhand sneaker market and become a multi-billion dollar company.

Due to the significant increase of daily online buyers, Poshoe’s top management decided to adopt a big data

analytics tool that could help the company effectively handle, store, and analyze data. Before initiating the implementation process, they decided to conduct a risk assessment. Initially, the company identified its assets,

threats, and vulnerabilities associated with its information systems. In terms of assets, the company identified

the information that was vital to the achievement of the organization’s mission and objectives. During this

phase, the company also detected a rootkit in their software, through which an attacker could remotely access

Poshoe’s systems and acquire sensitive data.

The company discovered that the rootkit had been installed by an attacker who had gained administrator

access. As a result, the attacker was able to obtain the customers’ personal data after they purchased a product

from Poshoe. Luckily, the company was able to execute some scans from the target device and gain greater

visibility into their software’s settings in order to identify the vulnerability of the system.

The company initially used the qualitative risk analysis technique to assess the consequences and the

likelihood and to determine the level of risk. The company defined the likelihood of risk as “a few times in

two years with the probability of 1 to 3 times per year.” Later, it was decided that they would use a

quantitative risk analysis methodology since it would provide additional information on this major risk.

Lastly, the top management decided to treat the risk immediately as it could expose the company to other

issues. In addition, it was communicated to their employees that they should update, secure, and back up

Poshoe’s software in order to protect customers’ personal information and prevent unauthorized access from

attackers.

According to scenario 4, which type of assets was identified during the risk identification process?

Scenario 7: Adstry is a business growth agency that specializes in digital marketing strategies. Adstry helps

organizations redefine the relationships with their customers through innovative solutions. Adstry is

headquartered in San Francisco and recently opened two new offices in New York. The structure of the

company is organized into teams which are led by project managers. The project manager has the full power

in any decision related to projects. The team members, on the other hand, report the project’s progress to

project managers.

Considering that data breaches and ad fraud are common threats in the current business environment,

managing risks is essential for Adstry. When planning new projects, each project manager is responsible for

ensuring that risks related to a particular project have been identified, assessed, and mitigated. This means that

project managers have also the role of the risk manager in Adstry. Taking into account that Adstry heavily

relies on technology to complete their projects, their risk assessment certainly involves identification of risks

associated with the use of information technology. At the earliest stages of each project, the project manager

communicates the risk assessment results to its team members.

Adstry uses a risk management software which helps the project team to detect new potential risks during

each phase of the project. This way, team members are informed in a timely manner for the new potential

risks and are able to respond to them accordingly. The project managers are responsible forensuring that the

information provided to the team members is communicated using an appropriate language so it can be

understood by all of them.

In addition, the project manager may include external interested parties affected by the project in the risk

communication. If the project manager decides to include interested parties, the risk communication is

thoroughly prepared. The project manager firstly identifies the interested parties that should be informed and

takes into account their concerns and possible conflicts that may arise due to risk communication. The risks

are communicated to the identified interested parties while taking into consideration the confidentiality of

Adstry’s information and determining the level of detail that should be included in the risk communication.

The project managers use the same risk management software for risk communication with external interested

parties since it provides a consistent view of risks. For each project, the project manager arranges regular

meetings with relevant interested parties of the project, they discuss the detected risks, their prioritization, and

determine appropriate treatment solutions. The information taken from the risk management software and the

results of these meetings are documented and are used for decision-making processes. In addition, the

company uses a computerized documented information management system for the acquisition, classification,

storage, and archiving of its documents.

Based on scenario 7, which principle of efficient communication strategy Adstry’s project managers follow

when communicating risks to team members?

Which statement regarding information gathering techniques is correct?