ISO Beingcert ISO/IEC 20000 Lead Implementer 認定 ISOIEC20000LI 試験問題:

1. Upon the risk assessment outcomes. Socket Inc. decided to:
* Require the use of passwords with at least 12 characters containing uppercase and lowercase letters, symbols, and numbers
* Require the change of passwords at least once every 60 days
* Keep backup copies of files on IT-provided network drives
* Assign users to a separate network when they have access to cloud storage files storing customers' personal data.
Based on the scenario above, answer the following question:
Which of the following options indicate that Socket Inc. used risk modification to treat risks?

A) Requiring the change of passwords at least once every 60 days
B) Storing customers' personal data in a cloud-based storage
C) Conducting a risk assessment before deciding to use third-party services

2. Scenario 5: Operaze is a small software development company that develops applications for various companies around the world. Recently, the company conducted a risk assessment to assess the information security risks that could arise from operating in a digital landscape. Using different testing methods, including penetration Resting and code review, the company identified some issues in its ICT systems, including improper user permissions, misconfigured security settings, and insecure network configurations. To resolve these issues and enhance information security, Operaze decided to implement an information security management system (ISMS) based on ISO/IEC 27001.
Considering that Operaze is a small company, the entire IT team was involved in the ISMS implementation project. Initially, the company analyzed the business requirements and the internal and external environment, identified its key processes and activities, and identified and analyzed the interested parties In addition, the top management of Operaze decided to Include most of the company's departments within the ISMS scope.
The defined scope included the organizational and physical boundaries. The IT team drafted an information security policy and communicated it to all relevant interested parties In addition, other specific policies were developed to elaborate on security issues and the roles and responsibilities were assigned to all interested parties.
Following that, the HR manager claimed that the paperwork created by ISMS does not justify its value and the implementation of the ISMS should be canceled However, the top management determined that this claim was invalid and organized an awareness session to explain the benefits of the ISMS to all interested parties.
Operaze decided to migrate Its physical servers to their virtual servers on third-party infrastructure. The new cloud computing solution brought additional changes to the company Operaze's top management, on the other hand, aimed to not only implement an effective ISMS but also ensure the smooth running of the ISMS operations. In this situation, Operaze's top management concluded that the services of external experts were required to implement their information security strategies. The IT team, on the other hand, decided to initiate a change in the ISMS scope and implemented the required modifications to the processes of the company.
Based on scenario 5. after migrating to cloud. Operaze's IT team changed the ISMS scope and implemented all the required modifications Is this acceptable?

A) No, because any change in ISMS scope should be accepted by the management
B) No, because the company has already defined the ISMS scope
C) Yes, because the ISMS scope should be changed when there are changes to the external environment

3. Who should be involved, among others, in the draft, review, and validation of information security procedures?

A) An external expert
B) The information security committee
C) The employees in charge of ISMS operation

4. Org Y. a well-known bank, uses an online banking platform that enables clients to easily and securely access their bank accounts.
To log in. clients are required to enter the one-time authorization code sent to their smartphone.
What can be concluded from this scenario?

A) Org Y has implemented a security control that ensures the confidentiality of information
B) Org Y has incorrectly implemented a security control that could become a vulnerability
C) Org Y has implemented an integrity control that avoids the involuntary corruption of data

5. An organization has decided to conduct information security awareness and training sessions on a monthly basis for all employees. Only 45% of employees who attended these sessions were able to pass the exam.
What does the percentage represent?

A) Performance indicator
B) Attribute
C) Measurement objective

質問と回答：