What does the strategic scenario represent?
Answer(s): A
A strategic scenario represents the set of plausible attack paths that a risk origin could use to achieve its objective against a business asset. It captures the attacker's overall strategy and possible approaches at a high level, without detailing the technical execution steps.
SCENARIO - ManageSysManageSys is an outsourcing company that carries out systems administration and maintenance on behalf of its customers. ManageSys' commercial outsourcing offering includes a range of services such as installation, administration, supervision and maintenance of systems and application services. ManageSys does not have its own hosting infrastructure and has a hosting contract with HostServ.ManageSys customers include a number of major international accounts and small and medium-sized enterprises in all sectors of activity in several European countries. ManageSys is ITIL-certified (Information Technology Infrastructure Library) and has technical staff certified by solution providers and security product suppliers.Its main partner, HostServ, is a systems hosting company with a presence at 2 sites (one in France and another one in Germany), providing its infrastructure with a standard level of security. HostServ also uses subcontractors to ensure the smooth running of the various sites, in accordance with established specifications and regular monitoring of services. A security policy is in place and serves as an operating framework for all stakeholdersHostServ is organized as follows:General services are provided directly by the host for the air conditioning, electricity, fire extinguishing and smoke detection systems, etc., as well as for the management of electrical power and back-up power (battery, generator).The management of security services (access control, intrusion, video surveillance, human security) is also handled by HostServ, even though the hardware (cameras and access control equipment) is maintained by suppliers.Guarding (physical security) is provided for each site. These are different guarding companies for each site, subcontracted by the hosting provider.Relations between ManageSys staff and HostServ staff are rather difficult: HostServ's general services management staff refuse to receive orders from customers like ManageSys.Access conditions to HostServ's hosting sites change regularly, often depending on who is on duty on site, making it difficult for ManageSys staff to access the sites.The working conditions of ManageSys staff are sometimes difficult to ensure a good quality of service to its own customers, particularly when maintenance operations are carried out by HostServ staff without notifying ManageSys (which regularly causes power cuts or other malfunctions affecting the servers).Recently, a ManageSys customer wanted to audit all its suppliers, including ManageSys. During this audit, the customer's auditors wanted to check the equipment on HostServ's premises. HostServ refused to carry out this part of the audit, arguing that the audit clause did not apply to it.Under which category of the risk treatment plan does HostServ or ManageSys train staff on the procedures to be applied?
Answer(s): B
Training staff on procedures is part of governance because it concerns defining, communicating, and ensuring the proper application of organizational rules, responsibilities, and processes. In EBIOS Risk Manager, governance measures aim to structure how people act and coordinate, particularly across organizational boundaries such as those between ManageSys and HostServ.
Does an organizations security baseline depend on the level of compliance?
In EBIOS Risk Manager, the security baseline is influenced by the level of compliance with legal, regulatory, and contractual obligations, but it is not determined by compliance alone. It also depends on the organization's available means, resources, and budget, which condition the realistic implementation and maintenance of security measures.
What is the purpose of having business managers define the level of severity for each feared event?
Having business managers define the severity of feared events ensures that impacts are assessed from a business perspective using quantified criteria. This makes the consequences of feared events comparable and allows risks to be prioritized objectively according to their potential impact on the organization's activities.
Does the identification of the threat level only concern external stakeholders?
In EBIOS Risk Manager, the identification of threat levels applies to all stakeholders, whether internal or external. Both categories can represent potential risk origins depending on their position, access, capabilities, and intent within the ecosystem, and must therefore be assessed consistently.
At the end of Workshop 2, what type of mapping is carried out based on the results of the feared events obtained by business managers?
Answer(s): C
At the end of Workshop 2, the method establishes a mapping of risk origins and their associated target objectives. Based on the feared events identified by business managers, this mapping links potential attackers or threat sources to the business assets they may target, preparing the development of strategic scenarios.
With regard to the results of Workshop 4, what factors should be taken into account to protect business assets?
Following Workshop 4, protection priorities focus on vulnerabilities that are most exploitable by an attacker.Those with a high probability of success or low technical difficulty represent the easiest and most realistic attack opportunities, so addressing them first most effectively reduces the risk to business assets.
What is the best practice recommended by the EBIOS Risk Manager method for analyzing the results of feared events?
EBIOS Risk Manager recommends prioritizing the analysis of feared events by starting with those that have the highest severity. Addressing the most severe impacts first ensures that the most critical business consequences are treated as a priority, enabling efficient allocation of resources to what threatens the organization the most.
Share your comments for PECB EBIOS Risk Manager exam with other users:
examination questions seem to be relevant.
planning to take psm test
please allow to download
please provide dumps
is the answer to question 15 correct ? i feel like the answer should be b
its getting more technical
i think these questions are what i need.
helpful assessment
i am confused about the answers to the questions. do you know if the answers are correct?
hi, please make the dumps available for my upcoming examination.
good practice
so far it is really informative
hi i want it please please upload it
am preparing for exam ,just nice questions
please upload c_tadm_23 exam
can we get tdvan4 vantage data engineering pdf?
want to clear the exam.
could you please upload the dumps of sap c_sac_2302
asm management configuration is about storage
kool thumb up
just passed the az-500 exam this last friday. most of the questions in this exam dumps are in the exam. i bought the full version and noticed some of the questions which were answered wrong in the free version are all corrected in the full version. this site is good but i wish the had it in an interactive version like a test engine simulator.
i can practice for exam
please i need this exam.
i need the dump
i want it bad, even if cs6 maybe retired, i want to learn cs6
i hate comptia with all my heart with their "choose the best" answer format as an argument could be made on every question. they say "the "comptia way", lmao no this right here boys is the comptia way 100%. take it from someone whos failed this exam twice but can configure an entire complex network that these are the questions that are on the test 100% no questions asked. the pbqs are dead on! nice work
very good materials
thanks for your support.
iam impressed with the quality of these dumps. they questions and answers were easy to understand and the xengine app was very helpful to use.
not bad but you question database from isaca
awesome contents
answer to 134 is casb. while data loss prevention is the goal, in order to implement dlp in cloud applications you need to deploy a casb.
are these brain dumps sufficient enough to go write exam after practicing them? or does one need more material this wont be enough?
i did attend the required cources and i need to be sure that i am ready to take the exam, i would ask you please to share the questions, to be sure that i am fit to proceed with taking the exam.