PECB ISO-IEC-27005-Risk-Manager 問題集

質問 1：
Scenario 1
The risk assessment process was led by Henry, Bontton's risk manager. The first step that Henry took was identifying the company's assets. Afterward, Henry created various potential incident scenarios. One of the main concerns regarding the use of the application was the possibility of being targeted by cyber attackers, as a great number of organizations were experiencing cyberattacks during that time. After analyzing the identified risks, Henry evaluated them and concluded that new controls must be implemented if the company wants to use the application. Among others, he stated that training should be provided to personnel regarding the use of the application and that awareness sessions should be conducted regarding the importance of protecting customers' personal data.
Lastly, Henry communicated the risk assessment results to the top management. They decided that the application will be used only after treating the identified risks.
Based on the scenario above, answer the following question:
Bontton established a risk management process based on ISO/IEC 27005, to systematically manage information security threats. Is this a good practice?
A. No, ISO/IEC 27005 cannot be used to manage information security threats in the food sector
B. Yes, ISO/IEC 27005 provides guidelines for information security risk management that enable organizations to systematically manage information security threats
C. Yes, ISO/IEC 27005 provides guidelines to systematically manage all types of threats that organizations may face
正解：B
解説: (Topexam メンバーにのみ表示されます)

質問 2：
Which statement regarding risks and opportunities is correct?
A. There is no difference between opportunities and risks; these terms can be used interchangeably
B. Risks always have a positive outcome whereas opportunities have an unpredicted outcome
C. Opportunities might have a positive impact, whereas risks might have a negative impact
正解：C
解説: (Topexam メンバーにのみ表示されます)

質問 3：
Which of the following statements best defines information security risk?
A. Weakness of an asset or control that can be exploited by one or a group of threats
B. Potential cause of an unwanted incident related to information security that can cause harm to an organization
C. The potential that threats will exploit vulnerabilities of an information asset and cause harm to an organization
正解：C
解説: (Topexam メンバーにのみ表示されます)

質問 4：
After creating a plan for outsourcing to a cloud service provider to store their confidential information in cloud, OrgX decided to not pursue this business strategy since the risk of doing so was high. Which risk treatment option did OrgX use?
A. Risk avoidance
B. Risk modification
C. Risk sharing
正解：A
解説: (Topexam メンバーにのみ表示されます)

質問 5：
Scenario 7: Adstry is a business growth agency that specializes in digital marketing strategies. Adstry helps organizations redefine the relationships with their customers through innovative solutions. Adstry is headquartered in San Francisco and recently opened two new offices in New York. The structure of the company is organized into teams which are led by project managers. The project manager has the full power in any decision related to projects. The team members, on the other hand, report the project's progress to project managers.
Considering that data breaches and ad fraud are common threats in the current business environment, managing risks is essential for Adstry. When planning new projects, each project manager is responsible for ensuring that risks related to a particular project have been identified, assessed, and mitigated. This means that project managers have also the role of the risk manager in Adstry. Taking into account that Adstry heavily relies on technology to complete their projects, their risk assessment certainly involves identification of risks associated with the use of information technology. At the earliest stages of each project, the project manager communicates the risk assessment results to its team members.
Adstry uses a risk management software which helps the project team to detect new potential risks during each phase of the project. This way, team members are informed in a timely manner for the new potential risks and are able to respond to them accordingly. The project managers are responsible for ensuring that the information provided to the team members is communicated using an appropriate language so it can be understood by all of them.
In addition, the project manager may include external interested parties affected by the project in the risk communication. If the project manager decides to include interested parties, the risk communication is thoroughly prepared. The project manager firstly identifies the interested parties that should be informed and takes into account their concerns and possible conflicts that may arise due to risk communication. The risks are communicated to the identified interested parties while taking into consideration the confidentiality of Adstry's information and determining the level of detail that should be included in the risk communication. The project managers use the same risk management software for risk communication with external interested parties since it provides a consistent view of risks. For each project, the project manager arranges regular meetings with relevant interested parties of the project, they discuss the detected risks, their prioritization, and determine appropriate treatment solutions. The information taken from the risk management software and the results of these meetings are documented and are used for decision-making processes. In addition, the company uses a computerized documented information management system for the acquisition, classification, storage, and archiving of its documents.
Based on scenario 7, Adstry's project managers hold regular meetings with interested parties to discuss risks and risk treatment solutions. According to the guidelines of ISO/IEC 27005, is this in compliance with best practices?
A. Yes, risks can be communicated to and discussed with relevant interested parties only if the project manager decides that it is appropriate to do so
B. Yes, the coordination between project managers and relevant interested parties can be achieved by discussions upon risks and appropriate treatment solutions
C. No, risk owners should not communicate or discuss risk treatment options with external interested parties
正解：B
解説: (Topexam メンバーにのみ表示されます)

質問 6：
Scenario 3: Printary is an American company that offers digital printing services. Creating cost-effective and creative products, the company has been part of the printing industry for more than 30 years. Three years ago, the company started to operate online, providing greater flexibility for its clients. Through the website, clients could find information about all services offered by Printary and order personalized products. However, operating online increased the risk of cyber threats, consequently, impacting the business functions of the company. Thus, along with the decision of creating an online business, the company focused on managing information security risks. Their risk management program was established based on ISO/IEC 27005 guidelines and industry best practices.
Last year, the company considered the integration of an online payment system on its website in order to provide more flexibility and transparency to customers. Printary analyzed various available solutions and selected Pay0, a payment processing solution that allows any company to easily collect payments on their website. Before making the decision, Printary conducted a risk assessment to identify and analyze information security risks associated with the software. The risk assessment process involved three phases: identification, analysis, and evaluation. During risk identification, the company inspected assets, threats, and vulnerabilities. In addition, to identify the information security risks, Printary used a list of the identified events that could negatively affect the achievement of information security objectives. The risk identification phase highlighted two main threats associated with the online payment system: error in use and data corruption After conducting a gap analysis, the company concluded that the existing security controls were sufficient to mitigate the threat of data corruption. However, the user interface of the payment solution was complicated, which could increase the risk associated with user errors, and, as a result, impact data integrity and confidentiality.
Subsequently, the risk identification results were analyzed. The company conducted risk analysis in order to understand the nature of the identified risks. They decided to use a quantitative risk analysis methodology because it would provide more detailed information. The selected risk analysis methodology was consistent with the risk evaluation criteri a. Firstly, they used a list of potential incident scenarios to assess their potential impact. In addition, the likelihood of incident scenarios was defined and assessed. Finally, the level of risk was defined as low.
In the end, the level of risk was compared to the risk evaluation and acceptance criteria and was prioritized accordingly.
Did Primary perform risk analysis in accordance with the guidelines of ISO/IEC 27005? Refer to scenario 3.
A. No, the gap analysis should have been conducted during risk analysis, as suggested by ISO/IEC 27005
B. No. according to ISO/IEC 27005, the risk level should be determined during risk evaluation
C. Yes, according to ISO/IEC 27005. the consequences, likelihood, and the level of risk should be determined during risk analysis
正解：C
解説: (Topexam メンバーにのみ表示されます)