Free PECB ISO-IEC-27005-Risk-Manager Exam Questions

Scenario 4: In 2017, seeing that millions of people turned to online shopping, Ed and James Cordon foundedthe online marketplace for footwear called Poshoe. In the past, purchasing pre-owned designer shoes onlinewas not a pleasant experience because of unattractive pictures and an inability to ascertain the products’authenticity. However, after Poshoe’s establishment, each product was well advertised and certified asauthentic before being offered to clients. This increased the customers’ confidence and trust in Poshoe’sproducts and services. Poshoe has approximately four million users and its mission is to dominate the secondhand sneaker market and become a multi-billion dollar company.Due to the significant increase of daily online buyers, Poshoe’s top management decided to adopt a big dataanalytics tool that could help the company effectively handle, store, and analyze data. Before initiating the implementation process, they decided to conduct a risk assessment. Initially, the company identified its assets,threats, and vulnerabilities associated with its information systems. In terms of assets, the company identifiedthe information that was vital to the achievement of the organization’s mission and objectives. During thisphase, the company also detected a rootkit in their software, through which an attacker could remotely accessPoshoe’s systems and acquire sensitive data.The company discovered that the rootkit had been installed by an attacker who had gained administratoraccess. As a result, the attacker was able to obtain the customers’ personal data after they purchased a productfrom Poshoe. Luckily, the company was able to execute some scans from the target device and gain greatervisibility into their software’s settings in order to identify the vulnerability of the system.The company initially used the qualitative risk analysis technique to assess the consequences and thelikelihood and to determine the level of risk. The company defined the likelihood of risk as “a few times intwo years with the probability of 1 to 3 times per year.” Later, it was decided that they would use aquantitative risk analysis methodology since it would provide additional information on this major risk.Lastly, the top management decided to treat the risk immediately as it could expose the company to otherissues. In addition, it was communicated to their employees that they should update, secure, and back upPoshoe’s software in order to protect customers’ personal information and prevent unauthorized access fromattackers.According to scenario 4, which type of assets was identified during the risk identification process?

Scenario 7: Adstry is a business growth agency that specializes in digital marketing strategies. Adstry helpsorganizations redefine the relationships with their customers through innovative solutions. Adstry isheadquartered in San Francisco and recently opened two new offices in New York. The structure of thecompany is organized into teams which are led by project managers. The project manager has the full powerin any decision related to projects. The team members, on the other hand, report the project’s progress toproject managers.Considering that data breaches and ad fraud are common threats in the current business environment,managing risks is essential for Adstry. When planning new projects, each project manager is responsible forensuring that risks related to a particular project have been identified, assessed, and mitigated. This means thatproject managers have also the role of the risk manager in Adstry. Taking into account that Adstry heavilyrelies on technology to complete their projects, their risk assessment certainly involves identification of risksassociated with the use of information technology. At the earliest stages of each project, the project managercommunicates the risk assessment results to its team members.Adstry uses a risk management software which helps the project team to detect new potential risks duringeach phase of the project. This way, team members are informed in a timely manner for the new potentialrisks and are able to respond to them accordingly. The project managers are responsible forensuring that theinformation provided to the team members is communicated using an appropriate language so it can beunderstood by all of them.In addition, the project manager may include external interested parties affected by the project in the riskcommunication. If the project manager decides to include interested parties, the risk communication isthoroughly prepared. The project manager firstly identifies the interested parties that should be informed andtakes into account their concerns and possible conflicts that may arise due to risk communication. The risksare communicated to the identified interested parties while taking into consideration the confidentiality ofAdstry’s information and determining the level of detail that should be included in the risk communication.The project managers use the same risk management software for risk communication with external interestedparties since it provides a consistent view of risks. For each project, the project manager arranges regularmeetings with relevant interested parties of the project, they discuss the detected risks, their prioritization, anddetermine appropriate treatment solutions. The information taken from the risk management software and theresults of these meetings are documented and are used for decision-making processes. In addition, thecompany uses a computerized documented information management system for the acquisition, classification,storage, and archiving of its documents.Based on scenario 7, which principle of efficient communication strategy Adstry’s project managers followwhen communicating risks to team members?

Scenario 4: In 2017, seeing that millions of people turned to online shopping, Ed and James Cordon foundedthe online marketplace for footwear called Poshoe. In the past, purchasing pre-owned designer shoes onlinewas not a pleasant experience because of unattractive pictures and an inability to ascertain the products’authenticity. However, after Poshoe’s establishment, each product was well advertised and certified asauthentic before being offered to clients. This increased the customers’ confidence and trust in Poshoe’sproducts and services. Poshoe has approximately four million users and its mission is to dominate the secondhand sneaker market and become a multi-billion dollar company.Due to the significant increase of daily online buyers, Poshoe’s top management decided to adopt a big dataanalytics tool that could help the company effectively handle, store, and analyze data. Before initiating the implementation process, they decided to conduct a risk assessment. Initially, the company identified its assets,threats, and vulnerabilities associated with its information systems. In terms of assets, the company identifiedthe information that was vital to the achievement of the organization’s mission and objectives. During thisphase, the company also detected a rootkit in their software, through which an attacker could remotely accessPoshoe’s systems and acquire sensitive data.The company discovered that the rootkit had been installed by an attacker who had gained administratoraccess. As a result, the attacker was able to obtain the customers’ personal data after they purchased a productfrom Poshoe. Luckily, the company was able to execute some scans from the target device and gain greatervisibility into their software’s settings in order to identify the vulnerability of the system.The company initially used the qualitative risk analysis technique to assess the consequences and thelikelihood and to determine the level of risk. The company defined the likelihood of risk as “a few times intwo years with the probability of 1 to 3 times per year.” Later, it was decided that they would use aquantitative risk analysis methodology since it would provide additional information on this major risk.Lastly, the top management decided to treat the risk immediately as it could expose the company to otherissues. In addition, it was communicated to their employees that they should update, secure, and back upPoshoe’s software in order to protect customers’ personal information and prevent unauthorized access fromattackers.According to scenario 4, which type of assets was identified during the risk identification process?

Scenario 7: Adstry is a business growth agency that specializes in digital marketing strategies. Adstry helpsorganizations redefine the relationships with their customers through innovative solutions. Adstry isheadquartered in San Francisco and recently opened two new offices in New York. The structure of thecompany is organized into teams which are led by project managers. The project manager has the full powerin any decision related to projects. The team members, on the other hand, report the project’s progress toproject managers.Considering that data breaches and ad fraud are common threats in the current business environment,managing risks is essential for Adstry. When planning new projects, each project manager is responsible forensuring that risks related to a particular project have been identified, assessed, and mitigated. This means thatproject managers have also the role of the risk manager in Adstry. Taking into account that Adstry heavilyrelies on technology to complete their projects, their risk assessment certainly involves identification of risksassociated with the use of information technology. At the earliest stages of each project, the project managercommunicates the risk assessment results to its team members.Adstry uses a risk management software which helps the project team to detect new potential risks duringeach phase of the project. This way, team members are informed in a timely manner for the new potentialrisks and are able to respond to them accordingly. The project managers are responsible forensuring that theinformation provided to the team members is communicated using an appropriate language so it can beunderstood by all of them.In addition, the project manager may include external interested parties affected by the project in the riskcommunication. If the project manager decides to include interested parties, the risk communication isthoroughly prepared. The project manager firstly identifies the interested parties that should be informed andtakes into account their concerns and possible conflicts that may arise due to risk communication. The risksare communicated to the identified interested parties while taking into consideration the confidentiality ofAdstry’s information and determining the level of detail that should be included in the risk communication.The project managers use the same risk management software for risk communication with external interestedparties since it provides a consistent view of risks. For each project, the project manager arranges regularmeetings with relevant interested parties of the project, they discuss the detected risks, their prioritization, anddetermine appropriate treatment solutions. The information taken from the risk management software and theresults of these meetings are documented and are used for decision-making processes. In addition, thecompany uses a computerized documented information management system for the acquisition, classification,storage, and archiving of its documents.Based on scenario 7, which principle of efficient communication strategy Adstry’s project managers followwhen communicating risks to team members?

Which activity below is NOT included in the information security risk assessment process?