ITILSC-OSA Latest Exam Braindumps
Question 3: ScenarioNEB is a financial management company that specializes in lendingmoney for substantial property
investments.
They have a large ITdepartment that is currently using the following ITSM processes:
------
Service Level Management
Availability Management
IT Service Continuity Management
Information Security Management
Incident Management
Problem Management.
Each of these processes have been implemented within the plannedtarget time and are working
effectively and efficiently. Staff haveadapted to the changes in a very positive manner and see
thebenefits of using the ITIL framework.
Last Saturday, there was a security breach. A previous member ofstaff, who has left the company and
joined a competitor organization,has been able to gain access to several client lending files.
Afterinitial investigation, it was found that access was not terminated whenthe staff member left the
company - this has highlighted that thereare insufficient processes in place to ensure access rights
areterminated when staff leave the company, change roles etc and thereis ongoing investigation to
see how many other previous staff stillhave access to the system.
The business has requested immediate recommendations from the ITManager, as to what can be
done to ensure this situation does nothappen again and how best to inform clients, with reference to
thesecurity breach.
Refer to the scenario.
Which of the following options is most suitable to deal with thissituation?
A. Your first recommendation is to implement the AccessManagement process as soon as possible.
You suggestthat as the IT organization has already effectively andefficiently implemented six
processes, they will be able tomanage a well executed and fast implementation. Thisprocess will
ensure that access is provided to those whoare authorized to have it and will ensure access
isrestricted to those who are not. With regards to informing clients, you recommend thatclients are
not told of the situation as you feel it will be toodamaging to the NEB reputation and will result in
acatastrophic loss of clientele. You suggest that if clientsare contacted by the competitor
organization, theycannotprove that any information has been obtained via NEB filesand (as there is
now a plan to implement AccessManagement) NEB can confidently reassure clients thatthere is
ample security and access management in placeto ensure this situation could never arise.
B. Your first recommendation is to implement the AccessManagement process as soon as possible.
You suggestthat as the IT organization has already effectively andefficiently implemented six
processes, they will be able tomanage a well executed and fast implementation. AsAccess
Management is the execution of the policies laidout within the Availability and Information
SecurityProcesses, the foundations are already laid. This processwill ensure that access is provided to
those who areauthorized to have it and will ensure access is restricted tothose who are not. To
ensure alignment between theBusiness and IT, there will need to be integration with theHuman
Resources department to ensure there areconsistent communications with regards to staff
identity,start and end dates etc.With regards to informing clients of the breach, yousuggest that the
clients affected by the breach must beinformed ASAP. You recommend a formal letter is sentfrom
senior management to reassure clients that thesituation is being taken seriously and what actions
aretaking place to ensure this never happens again. You areaware that this could damage the
company's reputation,as security is a critical success factor, but feel that thespecific clients must be
informed by NEB ASAP, as thereis a high risk they will be approached by the competitororganization.
C. Your first recommendation is to implement the AccessManagement process as soon as possible.
This processwill ensure that access is provided to those who areauthorized to have it and will ensure
access is restricted tothose who are not. With regards to informing clients of the breach, yousuggest
that only the specifically affected clients areinformed of the breach, via a formal letter sent from
seniormanagement to reassure clients that the situation is beingtaken seriously. You suggest that the
tone and focus ofthe letter should emphasize the following points: There has been a 'minor' security
breach fault of memberof staff, who's employment has now been terminated No data has been 'lost
or changed' Sufficient action has been taken to ensure this situationdoes not happen again and NEB
would like to assure theirclients that there security and continued confidence is ofthe highest
importance.
D. Your first recommendation is to implement the AccessManagement process as soon as possible.
You suggestthat as the IT organization has already effectively andefficiently implemented six
processes, they will be able tomanage a well executed and fast implementation. Thisprocess will
ensure that access is provided to those whoare authorized to have it and will ensure access
isrestricted to those who are not. With regards to informing clients of the breach, yousuggest that all
clients need to be informed of the breachand the action being taken to ensure this does not
happenagain. You are aware that this could damage thecompany's reputation, but are concerned
that if only thespecificallyaffected clients are informed, word will spreadand the entire client base
will feel they have beenkept outof the loop on such an important issue and further damageto NEB's
reputation will befelt.
Correct Answer: B
