Scenario 8: SunDee is an American biopharmaceutical company, headquartered in California, the US. It specializes in developing novel human therapeutics, with a focus on cardiovascular diseases, oncology, bone health, and inflammation. The company has had an information security management system (ISMS) based on SO/IEC 27001 in place for the past two years. However, it has not monitored or measured the performance and effectiveness of its ISMS and conducted management reviews regularly Just before the recertification audit, the company decided to conduct an internal audit. It also asked most of their staff to compile the written individual reports of the past two years for their departments. This left the Production Department with less than the optimum workforce, which decreased the company's stock. Tessa was SunDee's internal auditor. With multiple reports written by 50 different employees, the internal audit process took much longer than planned, was very inconsistent, and had no qualitative measures whatsoever Tessa concluded that SunDee must evaluate the performance of the ISMS adequately. She defined SunDee's negligence of ISMS performance evaluation as a major nonconformity, so she wrote a nonconformity report including the description of the nonconformity, the audit findings, and recommendations. Additionally, Tessa created a new plan which would enable SunDee to resolve these issues and presented it to the top management Based on scenario 8. does SunDee comply with ISO/IEC 27001 requirements regarding the monitoring and measurement process?

Scenario 8: SunDee is a biopharmaceutical firm headquartered in California, US. Renowned for its pioneering

work in the field of human therapeutics, SunDee places a strong emphasis on addressing critical healthcare

concerns, particularly in the domains of cardiovascular diseases, oncology, bone health, and inflammation.

SunDee has demonstrated its commitment to data security and integrity by maintaining an effective

information security management system (ISMS) based on ISO/IEC 27001 for the past two years.

In preparation for the recertification audit, SunDee conducted an internal audit. The company's top

management appointed Alex, who has actively managed the Compliance Department's day-to-day operations  for the last six months, as the internal auditor. With this dual role assignment, Alex is tasked with conducting

an audit that ensures compliance and provides valuable recommendations to improve operational efficiency.

During the internal audit, a few nonconformities were identified. To address them comprehensively, the

company created action plans for each nonconformity, working closely with the audit team leader.

SunDee's senior management conducted a comprehensive review of the ISMS to evaluate its appropriateness,

sufficiency, and efficiency. This was integrated into their regular management meetings. Essential documents,

including audit reports, action plans, and review outcomes, were distributed to all members before the

meeting. The agenda covered the status of previous review actions, changes affecting the ISMS, feedback,

stakeholder inputs, and opportunities for improvement. Decisions and actions targeting ISMS improvements

were made, with a significant role played by the ISMS coordinator and the internal audit team in preparing

follow-up action plans, which were then approved by top management.

In response to the review outcomes, SunDee promptly implemented corrective actions, strengthening its

information security measures. Additionally, dashboard tools were introduced to provide a high-level

overview of key performance indicators essential for monitoring the organization's information security

management. These indicators included metrics on security incidents, their costs, system vulnerability tests,

nonconformity detection, and resolution times, facilitating effective recording, reporting, and tracking of

monitoring activities. Furthermore, SunDee embarked on a comprehensive measurement process to assess the

progress and outcomes of ongoing projects, implementing extensive measures across all processes. The top

management determined that the individual responsible for the information, aside from owning the data that

contributes to the measures, would also be designated accountable for executing these measurement activities.

Based on the scenario above, answer the following question:

Based on scenario 8, which of the following dashboards did SunDee utilize?

You are the owner of the courier company SpeeDelivery. You have carried out a risk analysis and now want to determine your risk strategy. You decide to take measures for the large risks but not for the small risks. What is this risk strategy called?

Scenario 2: Beauty is a cosmetics company that has recently switched to an e-commerce model, leaving the traditional retail. The top management has decided to build their own custom platform in-house and outsource the payment process to an external provider operating online payments systems that support online money transfers. Due to this transformation of the business model, a number of security controls were implemented based on the identified threats and vulnerabilities associated to critical assets. To protect customers' information.Beauty's employees had to sign a confidentiality agreement. In addition, the company reviewed all user access rights so that only authorized personnel can have access to sensitive files and drafted a new segregation of duties chart. However, the transition was difficult for the IT team, who had to deal with a security incident not long after transitioning to the e commerce model. After investigating the incident, the team concluded that due to the out-of-date anti-malware software, an attacker gamed access to their files and exposed customers' information, including their names and home addresses. The IT team decided to stop using the old anti-malware software and install a new one which would automatically remove malicious code in case of similar incidents. The new software was installed in every workstation within the company. After installing the new software, the team updated it with the latest malware definitions and enabled the automatic update feature to keep it up to date at all times. Additionally, they established an authentication process that requires a user identification and password when accessing sensitive information. In addition, Beauty conducted a number of information security awareness sessions for the IT team and other employees that have access to confidential information in order to raise awareness on the importance of system and network security. Based on scenario 2, which information security principle is the IT team aiming to ensure by establishing a user authentication process that requires user identification and password when accessing sensitive information?

What is an example of a non-human threat to the physical environment?