PECB Lead Implementer (ISO/IEC 27001) — Question 98
Scenario 11: Antiques is the biggest online antique shop in Scotland. Their products include jewelry, clothing, furniture, and technology. They decided to build their own custom platform in-house and outsource the payment process to PayPal, a company operating online payment systems that supports online money transfers.
Due to this transformation of the business model, a number of security controls were implemented based on the identified threats and vulnerabilities associated with critical assets. To protect customers' information, employees of Antiques had to sign a confidentiality agreement. In addition, the company reviewed all user access rights so that only authorized personnel can access sensitive files, and drafted a new segregation of duties chart.
However, the transition was difficult for the IT team, who had to deal with a security incident not long after transitioning to the e-commerce model. After investigating the incident, the team concluded that due to the out-of-date anti-malware software, an attacker gained access to their files and exposed customers' information, including their names and home addresses.
The IT team decided to stop using the old anti-malware software and install a new one that would automatically remove malicious code in case of similar incidents. The new software was installed on every workstation within the company. After installing the new software, the team updated it with the latest malware definitions and enabled the automatic update feature to keep it up to date at all times. Additionally, they established an authentication process that requires a user identification and password when accessing sensitive information.
In addition, Antiques conducted a number of information security awareness sessions for the IT team and other employees who have access to confidential information, in order to raise awareness of the importance of system and network security.
Based on this scenario, answer the following question:
Which of the following statements indicates that Antiques has implemented a managerial control to help avoid the occurrence of incidents?
Answer options
- A. Antiques' employees signed a confidentiality agreement
- B. Antiques updated the segregation of duties chart
- C. Antiques conducted a number of information security awareness sessions
Correct answer: C
Explanation
The correct answer is C: conducting information security awareness sessions is a managerial control aimed at educating employees about security risks and best practices, which helps prevent incidents. Options A and B, while important, are about establishing policies and roles rather than actively addressing employee awareness of security.