Who should be involved, among others, in the draft, review, and validation of information security procedures?
An organization has implemented a control that enables the company to manage storage media through their life cycle of use, acquisition, transportation and disposal. Which control category does this control belong to?
Scenario 4: TradeB, a commercial bank that has just entered the market, accepts deposits from its clients and offers basic financial services and loans for investments. TradeB has decided to implement an information security management system (ISMS) based on ISO/IEC 27001. Having no experience of a management system implementation, TradeB’s top management contracted two experts to direct and manage the ISMS implementation project.First, the project team analyzed the 93 controls of ISO/IEC 27001 Annex A and listed only the security controls deemed applicable to the company and their objectives. Based on this analysis, they drafted the Statement of Applicability Afterward, they conducted a risk assessment, during which they identified assets, such as hardware, software, and networks, as well as threats and vulnerabilities, assessed potential consequences and likelihood, and determined the level of risks based on three nonnumerical categories (low, medium, and high). They evaluated the risks based on the risk evaluation criteria and decided to treat only the high-risk category. They also decided to focus primarily on the unauthorized use of administrator rights and system interruptions due to several hardware failures by establishing a new version of the access control policy, implementing controls to manage and control user access, and implementing a control for ICT readiness for business continuity.Lastly, they drafted a risk assessment report, in which they wrote that if after the implementation of these security controls the level of risk is below the acceptable level, the risks will be accepted.Based on the scenario above, answer the following question:The decision to treat only risks that were classified as high indicates that TradeB has:
Based on scenario 4, the fact that TradeB defined the level of risk based on three nonnumerical categories indicates that:
Based on scenario 4, what type of assets were identified during risk assessment?
Scenario 1: HealthGenic is a pediatric clinic that monitors the health and growth of individuals from infancy to early adulthood using a web-based medical software. The software is also used to schedule appointments, create customized medical reports, store patients’ data and medical history, and communicate with all the involved parties, including parents, other physicians, and the medical laboratory staff.Last month, HealthGenic experienced a number of service interruptions due to the increased number of users accessing the software. Another issue the company faced while using the software was the complicated user interface, which the untrained personnel found challenging to use.The top management of HealthGenic immediately informed the company that had developed the software about the issue. The software company fixed the issue; however, in the process of doing so, it modified some files that comprised sensitive information related to HealthGenic’s patients. The modifications that were made resulted in incomplete and incorrect medical reports and, more importantly, invaded the patients’ privacy.Based on the scenario above, answer the following question:Which of the following indicates that the confidentiality of information was compromised?
