What is the main purpose of an information security policy?
To set management direction and support for security.
Why is security awareness training important?
Reduces human error and insider risks.
Name one basic physical control for information security.
Locking doors, visitor badges, CCTV.
Why are strong passwords or MFA important?
Prevent unauthorized access to systems.
Name one way an organization can show top management commitment to the ISMS.
By providing resources, setting objectives, or communicating the importance of the ISMS.
Give an example of a common human-related security risk.
Weak passwords, phishing, negligence.
Why is secure disposal of paper records important?
To prevent data leakage from discarded documents.
Give one example of logging and monitoring in an ISMS.
Collecting admin login logs in SIEM.
Why must roles and responsibilities for information security be clearly defined?
To avoid gaps or overlaps in accountability.
What should be done when an employee leaves the organization?
Access rights must be revoked immediately.
Give an example of protecting equipment against environmental threats.
Fire suppression, climate control, surge protectors.
Why should software be patched regularly?
To close known vulnerabilities.
What is the benefit of including security in supplier contracts?
Ensures outsourced services meet the same security standards.
Why should disciplinary processes be linked to information security breaches?
To enforce accountability and discourage negligence.
Why is a clear desk and clear screen policy important?
Prevents unauthorized access to sensitive data.
What is the role of backup and restore procedures in an ISMS?
Ensure data availability after incidents.
Give an example of a positive issue (opportunity) that can strengthen ISMS.
Strong customer trust / growing cloud adoption in Indonesia.
How can organizations measure the effectiveness of awareness programs?
By testing staff (quizzes, phishing simulations, KPI tracking).
How would you protect a data center against tailgating?
Mantraps, access cards, security guards.
How can organizations reduce the risk of misconfiguration in cloud services?
Apply secure baselines, automated compliance checks, IaC security.