You are performing an ISMS audit at a residential nursing home that provides healthcare services.

PECB ISO-IEC-27001-Lead-Auditor Full Course Access

PECB ISO-IEC-27001-Lead-Auditor View All Questions

PECB ISO-IEC-27001-Lead-Auditor Question Answer

You are performing an ISMS audit at a residential nursing home that provides healthcare services. The next step in your audit plan is to verify that the Statement of Applicability (SoA) contains the necessary controls. You review the latest SoA (version 5) document, sampling the access control to the source code (A.8.4), and want to know how the organisation secures ABC's healthcare mobile app source code received from an outsourced software developer.

The IT Security Manager explains the received source code will be checked into the SCM system to make sure of its integrity and security. Only authorised users will be able to check out the software to update it. Both check-in and check-out activities will be logged by the system automatically. The version control is managed by the system automatically.

You found a total of 10 user accounts on the SCM. All of them are from the IT department. You further check with the Human Resource manager and confirm that one of the users, Scott, resigned 9 months ago. The SCM System Administrator confirmed Scott's last check-out of the source code was found 1 month ago. He was using one of the authorised desktops from the local network in a secure area.

You check the user de-registration procedure which states "Managers have to make sure of deregistration of the user account and authorisation immediately from the relevant ICT system and/or equipment after resignation approval." There was no deregistration record for user Scott.

The IT Security Manager explains that Scott is a very good software engineer, an ex-colleague, and a friend. He still comes back to the office every month after he resigned to provide support on source code maintenance. That's why his account on SCM still exists. "We know Scott well and he passed all our background checks when he joined us. As such we didn't feel it necessary to agree any further information security requirements with him just because he is now an external provider".

You prepare the audit findings. Select the three correct options.

There is a nonconformity (NC). Scott should have been advised of applicable information security requirements relevant to his new relationship (external provider) with the nursing home. The IT security manager has however confirmed that this did not take place. This does not conform with control A.5.20.

There is a nonconformity (NC). The organisation's access control arrangements are not operating effectively as an individual who is no longer employed by the organisation is being permitted to access the nursing home's ICT systems. This does not conform with control A.5.15.

There is a nonconformity (NC). The operating procedures are not well documented. This prevented the SCM System Administrator from being able to remove a user account immediately. This does not conform with clause 9.1 and control A.5.37.

There is a nonconformity (NC). The organisation does not have a documented procedure setting out the use of systematic tools to provide access and version control of the source code. This does not conform with clause 9.1 and control A.8.4.

There is a nonconformity (NC). The organisation has failed to identify the security risks associated with leaving Scott's account open when he was only re-engaged for a short period monthly. This does not conform with clause 8.2.

There is a nonconformity (NC). The SCM is open-source system software. It is not secured and cannot be used for access and version control of the source code. This does not conform with clause 9.1 and control A.8.4.

Explanation:

The correct options are:

There is a nonconformity (NC). The organisation’s access control arrangements are not operating effectively as an individual who is no longer employed by the organisation is being permitted to access the nursing home’s ICT systems. This does not conform with control A.5.15. (B): This option is correct because control A.5.15 requires the organization to implement secure log-on procedures and manage user access rights. The organization should ensure that only authorized users can access the ICT systems and that the access rights are revoked or modified when the user status changes. The fact that Scott, who resigned 9 months ago, still has an active account on the SCM and can check out the source code, indicates a failure of the access control arrangements and a nonconformity with the control A.5.15.

There is a nonconformity (NC). The IT Security manager did not make sure the user account for Scott was removed from the SCM and did not complete the user deregistration process after the resignation. This does not conform with clause 9.1 and control A.5.15. ©: This option is correct because clause 9.1 requires the organization to monitor, measure, analyze, and evaluate the performance and effectiveness of the ISMS. The organization should have processes and indicators to verify that the ISMS requirements and objectives are met and that the ISMS is continually improved. The organization should also ensure that the results of the monitoring and measurement are documented and communicated. The fact that the IT Security manager did not follow the user de-registration procedure and did not document or communicate the exception for Scott, indicates a failure of the monitoring and measurement processes and a nonconformity with clause 9.1 and control A.5.15.

There is a nonconformity (NC). The organisation has failed to identify the security risks associated with leaving Scott’s account open when he was only re-engaged for a short period monthly. This does not conform with clause 8.2. (F): This option is correct because clause 8.2 requires the organization to establish and maintain an information security risk management process. The organization should identify the information security risks, analyze and evaluate the risks, and treat the risks according to the risk criteria and the risk treatment options. The organization should also monitor and review the risks and the risk treatment plan periodically and document the results. The fact that the organization did not identify the security risks associated with Scott’s access to the SCM and the source code, such as unauthorized disclosure, modification, or deletion of the information, indicates a failure of the risk management process and a nonconformity with clause 8.2.

ISO-IEC-27001-Lead-Auditor PDF/Engine

Printable Format
Value of Money
100% Pass Assurance
Verified Answers
Researched by Industry Experts
Based on Real Exams Scenarios
100% Real Questions

Get 60% Discount on All Products, Use Coupon: "8w52ceb345"

You are an experienced ISMS audit team leader providing instruction to an auditor in training.

Scenario 5: Data Grid Inc.

Summer Special Limited Time 60% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 8w52ceb345

You are performing an ISMS audit at a residential nursing home that provides healthcare services.

The Answer Is:

Explanation:

Quick Links