You are the owner of the courier company SpeeDelivery. You employ a few people who, while waiting to make a delivery, can carry out other tasks. You notice, however, that they use this time to send and read their private mail and surf the Internet. In legal terms, in which way can the use of the Internet and e-mail facilities be best regulated?

A. Installing an application that makes certain websites no longer accessible and that filters attachments in e-mails

B. Drafting a code of conduct for the use of the Internet and e-mail in which the rights and obligations of both the employer and staff are set down

C. Implementing privacy regulations

D. Installing a virus scanner

Who is authorized to change the classification of a document?

A. The author of the document

B. The administrator of the document

C. The owner of the document

D. The manager of the owner of the document

Why do organizations have an information security policy?

A. In order to demonstrate the operation of the Plan-Do-Check-Act cycle within an organization.

B. In order to ensure that staff do not break any laws.

C. In order to give direction to how information security is set up within an organization.

D. In order to ensure that everyone knows who is responsible for carrying out the backup procedures.

Which of the following measures is a preventive measure?

A. Installing a logging system that enables changes in a system to be recognized

B. Shutting down all internet traffic after a hacker has gained access to the company systems

C. Putting sensitive information in a safe

D. Classifying a risk as acceptable because the cost of addressing the threat is higher than the value of the information at risk

What is a risk analysis used for?

A. A risk analysis is used to express the value of information for an organization in monetary terms.

B. A risk analysis is used to clarify to management their responsibilities.

C. A risk analysis is used in conjunction with security measures to reduce risks to an acceptable level.

D. A risk analysis is used to ensure that security measures are deployed in a cost-effective and timely fashion.

What do employees need to know to report a security incident?

A. How to report an incident and to whom.

B. Whether the incident has occurred before and what was the resulting damage.

C. The measures that should have been taken to prevent the incident in the first place.

D. Who is responsible for the incident and whether it was intentional.

What is the relationship between data and information?

A. Data is structured information.

B. Information is the meaning and value assigned to a collection of data.

There was a fire in a branch of the company Midwest Insurance. The fire department quickly arrived at the scene and could extinguish the fire before it spread and burned down the entire premises. The server, however, was destroyed in the fire. The backup tapes kept in another room had melted and many other documents were lost for good. What is an example of the indirect damage caused by this fire?

A. Melted backup tapes

B. Burned computer systems

C. Burned documents

D. Water damage due to the fire extinguishers

You are the owner of a growing company, SpeeDelivery, which provides courier services. You decide that it is time to draw up a risk analysis for your information system. This includes an inventory of the threats and risks. What is the relation between a threat, risk and risk analysis?

A. A risk analysis identifies threats from the known risks.

B. A risk analysis is used to clarify which threats are relevant and what risks they involve.

C. A risk analysis is used to remove the risk of a threat.

D. Risk analyses help to find a balance between threats and risks.

Which is a legislative or regulatory act related to information security that can be imposed upon all organizations?

A. ISO/IEC 27001:2005

B. Intellectual Property Rights

C. ISO/IEC 27002:2005

D. Personal data protection legislation