PECB
LEAD-AUDITOR · Question #243
LEAD-AUDITOR Question #243: Real Exam Question with Answer & Explanation
Sign in or unlock LEAD-AUDITOR to reveal the answer and full explanation for question #243. The question stem and answer options stay visible for context.
Question
You are performing an ISMS audit at a residential nursing home called ABC that provides healthcare services. The next step in your audit plan is to verify the information security on ABC's healthcare mobile app development, support, and lifecycle process. During the audit, you learned the organization outsourced the mobile app development to a professional software development company with CMMI Level 5, ITSM (ISO/IEC 20000-1), BCMS (ISO 22301) and ISMS (ISO/IEC 27001) certified. The IT Manager presented the software security management procedure and summarised the process as follows: The mobile app development shall adopt "security-by-design" and "security-by-default" principles, as a minimum. The following security functions for personal data protection shall be available: Access control. Personal data encryption, i.e., Advanced Encryption Standard (AES) algorithm, key lengths: 256 bits; and Personal data pseudonymization. Vulnerability checked and no security backdoor You sample the latest Mobile App Test report - details as follows: You ask the IT Manager why the organisation still uses the mobile app while personal data encryption and pseudonymization tests failed. Also, whether the Service Manager is authorized to approve the test. The IT Manager explains the test results should be approved by him according to the software security management procedure. The reason why the encryption and pseudonymization functions failed is that these functions heavily slowed down the system and service performance. An extra 150% of resources are needed to cover this. The Service Manager agreed that access control is good enough and acceptable. That's why the Service Manager signed the approval. You sample one of the medical staff's mobile and found that ABC's healthcare mobile app, version 1.01 is installed. You found that version 1.01 has no test record. The IT Manager explains that because of frequent ransomware attacks, the outsourced mobile app development company gave a free minor update on the tested software, performed an emergency release of the updated software, and gave a verbal guarantee that there will be no impact on any security functions. Based on his 20 years of information security experience, there is no need to re-test. You are preparing the audit findings Select two options that are correct.
Exhibit
Options
- AThere is a nonconformity (NC). The IT. Manager does not comply with the software security
- BThere is a nonconformity (NC). The organisation does not control planned changes and review the
- CThere is an opportunity for improvement (OI). The IT Manager should make the decision to
- DThere is an opportunity for improvement (OI). The organisation selects an external service provider
- EThere is NO nonconformity (NC). The IT Manager demonstrates good leadership. (Relevant to
- FThere is NO nonconformity (NC). The IT Manager demonstrates he is fully competent. (Relevant to
Unlock LEAD-AUDITOR to see the answer
You've previewed enough free LEAD-AUDITOR questions. Unlock LEAD-AUDITOR for full answers, explanations, the timed quiz mode, progress tracking, and the master PDF. Question stem and options stay visible so you can still see what's on the exam.