PECB Lead Implementer (ISO/IEC 27001) — Question 103

Scenario 15: Texas H&H Inc. is a multinational corporation headquartered in Boston, MA, which provides professional electronics, gaming, and entertainment services. The company decided to utilize cloud storage services which best suited its needs, due to the large amount of data that the company processes daily. Recently, Texas H&H Inc. learned that the cloud storage provider that it uses has been publicly compromised.

Being aware of the high risk of data exposure, the security administrators of Texas H&H Inc. decided to undertake actions that could prevent a potential attack. In the absence of an information security incident management policy, their response was based on their knowledge gained from previous incidents. They tested their systems for any malicious activity or violation and checked if the cloud-based email settings were changed. By quickly responding to the exploited vulnerability that was found, the team was able to prevent the attack.

Once they made sure that the attackers do not have access in their system, the security administrators decided to proceed with the forensic analysis. They concluded that their access security system was not designed for threat detection, including the detection of malicious files which could be the cause of possible future attacks

Based on these findings, Texas H&H Inc. decided to modify its access security system to avoid future incidents and integrate an incident management policy in their information security policy that could serve as guidance for employees on how to respond to similar incidents.

Based on the scenario above, answer the following question:

Texas H&H Inc. decided to integrate the incident management policy to the existent information security policy. How do you define this situation?

Answer options

• A. Acceptable, the incident management policy may be integrated into the overall information security policy of the organization
• B. Acceptable, but only if the incident management policy addresses environmental, or health and safety issues
• C. Unacceptable, the incident management policy should be drafted as a separate document in order to be clear and effective

Correct answer: A

Explanation

The correct answer is A because integrating the incident management policy into the existing information security policy is a common practice that can streamline processes and ensure that all security protocols are cohesive. Option B is incorrect as it unnecessarily restricts the integration based on unrelated issues. Option C is also wrong since a separate document is not required for effectiveness if the policies are well-defined and understood within the existing framework.