Created
July 3, 2026 11:26
-
-
Save sinansh/9b4390a9205a6fa21a9ef0d768ea26ed to your computer and use it in GitHub Desktop.
CISM Domain 3 mobil tekrar uygulamasi
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <!DOCTYPE html> | |
| <html lang="tr"> | |
| <head> | |
| <meta charset="utf-8"> | |
| <meta name="viewport" content="width=device-width, initial-scale=1, viewport-fit=cover"> | |
| <meta name="apple-mobile-web-app-capable" content="yes"> | |
| <meta name="apple-mobile-web-app-status-bar-style" content="black-translucent"> | |
| <title>CISM D3 — Otobüs Tekrarı</title> | |
| <style> | |
| :root{ | |
| --bg:#0f1419; --panel:#1a212b; --panel2:#222c38; --line:#2d3a49; | |
| --txt:#e6edf3; --muted:#8b98a8; --accent:#4d9fff; --accent2:#2f6fd0; | |
| --ok:#2ea043; --bad:#e5534b; --warn:#d29922; --chip:#283543; --tr:#1e3147; | |
| } | |
| *{box-sizing:border-box; -webkit-tap-highlight-color:transparent} | |
| html,body{margin:0;background:var(--bg);color:var(--txt);font-family:-apple-system,"SF Pro Text",Segoe UI,Roboto,Helvetica,Arial,sans-serif;line-height:1.5; | |
| padding-top:env(safe-area-inset-top); padding-bottom:env(safe-area-inset-bottom);} | |
| .wrap{max-width:720px;margin:0 auto;padding:16px} | |
| header{margin-bottom:12px} | |
| h1{font-size:19px;margin:0 0 2px} | |
| .sub{color:var(--muted);font-size:12.5px} | |
| .bar{height:7px;background:var(--panel);border-radius:6px;overflow:hidden;margin:10px 0} | |
| .bar>div{height:100%;background:linear-gradient(90deg,var(--accent2),var(--accent));width:0%;transition:width .25s} | |
| .card{background:var(--panel);border:1px solid var(--line);border-radius:14px;padding:18px;margin-bottom:14px} | |
| .banner{background:linear-gradient(135deg,#1e3147,#182233);border:1px solid var(--accent2);border-radius:14px;padding:14px 16px;margin-bottom:14px;font-size:13.5px} | |
| .banner b{color:#7cc0ff} | |
| .lesson{font-size:13px;color:#cdd9e5;margin-top:6px} | |
| .meta{display:flex;gap:8px;flex-wrap:wrap;margin-bottom:12px} | |
| .chip{background:var(--chip);color:var(--muted);font-size:11.5px;padding:4px 10px;border-radius:20px;border:1px solid var(--line);white-space:nowrap} | |
| .chip.wrongtag{color:#ffb4ae;border-color:#5c2b28;background:#301a1a} | |
| .qtext{font-size:16.5px;font-weight:600;margin:6px 0 16px} | |
| .opt{display:flex;gap:12px;align-items:flex-start;background:var(--panel2);border:1px solid var(--line);border-radius:12px;padding:14px 15px;margin-bottom:10px;cursor:pointer;transition:.12s;-webkit-user-select:none;user-select:none} | |
| .opt:active{border-color:var(--accent2)} | |
| .opt.sel{border-color:var(--accent);background:#1e3147} | |
| .opt .lab{font-weight:700;color:var(--accent);min-width:20px} | |
| .opt.correct{border-color:var(--ok);background:#15311d} | |
| .opt.wrong{border-color:var(--bad);background:#36181a} | |
| .opt .lab.correct{color:var(--ok)} .opt .lab.wrong{color:var(--bad)} | |
| .opt .txt{font-size:15px} | |
| .btnrow{display:flex;gap:10px;flex-wrap:wrap;margin-top:8px} | |
| button{font-family:inherit;font-size:14.5px;border:1px solid var(--line);background:var(--panel2);color:var(--txt);padding:11px 18px;border-radius:10px;cursor:pointer;transition:.12s;flex:1 1 auto;min-width:44px} | |
| button:active{border-color:var(--accent)} | |
| button.primary{background:var(--accent2);border-color:var(--accent2);color:#fff;font-weight:600} | |
| button.primary:active{background:var(--accent)} | |
| button:disabled{opacity:.35;cursor:not-allowed} | |
| button.ghost{background:transparent} | |
| button.big{padding:16px;font-size:15.5px;font-weight:600} | |
| .explain{margin-top:14px;padding:14px 15px;background:#10171f;border:1px solid var(--line);border-radius:12px;font-size:14px} | |
| .verdict{font-weight:700;margin-bottom:8px;font-size:15px} | |
| .verdict.ok{color:var(--ok)} .verdict.bad{color:var(--bad)} | |
| .tr-box{border-left:3px solid var(--accent);padding:10px 12px;background:var(--tr);border-radius:8px;margin:8px 0;white-space:pre-wrap} | |
| .tr-box .lbl{color:#7cc0ff;font-weight:700;font-size:11.5px;letter-spacing:.03em;text-transform:uppercase;display:block;margin-bottom:4px} | |
| .en-toggle{font-size:12.5px;color:var(--accent);margin-top:10px;cursor:pointer;display:inline-block;-webkit-user-select:none;user-select:none} | |
| .en-box{margin-top:8px;padding:10px 12px;background:#0b1117;border:1px dashed var(--line);border-radius:8px;font-size:13px;color:#b9c6d3;white-space:pre-wrap;display:none} | |
| .en-box.show{display:block} | |
| .stat{display:grid;grid-template-columns:repeat(auto-fit,minmax(90px,1fr));gap:10px;margin:14px 0} | |
| .stat .b{background:var(--panel2);border:1px solid var(--line);border-radius:10px;padding:12px;text-align:center} | |
| .stat .b .n{font-size:22px;font-weight:700} .stat .b .l{font-size:11.5px;color:var(--muted)} | |
| .grid{display:grid;grid-template-columns:repeat(auto-fill,minmax(38px,1fr));gap:6px;margin-top:10px} | |
| .gcell{aspect-ratio:1;border-radius:7px;display:flex;align-items:center;justify-content:center;font-size:11.5px;font-weight:600;border:1px solid var(--line);cursor:pointer;background:var(--panel2)} | |
| .gcell.ok{background:#15311d;border-color:var(--ok)} .gcell.bad{background:#36181a;border-color:var(--bad)} | |
| .hidden{display:none} | |
| .modebtn{display:block;width:100%;text-align:left;background:var(--panel2);border:1px solid var(--line);border-radius:12px;padding:16px;margin-bottom:10px;color:var(--txt);cursor:pointer} | |
| .modebtn .t{font-weight:700;font-size:15px} | |
| .modebtn .d{font-size:12.5px;color:var(--muted);margin-top:3px} | |
| .modebtn.rec{border-color:var(--accent2)} | |
| .catlist{max-height:50vh;overflow:auto;margin-top:6px} | |
| .catrow{display:flex;justify-content:space-between;align-items:center;background:var(--panel2);border:1px solid var(--line);border-radius:10px;padding:12px 14px;margin-bottom:8px;cursor:pointer;font-size:13.5px} | |
| .catrow .n{color:var(--muted);font-size:12px} | |
| .controls{display:flex;gap:14px;flex-wrap:wrap;font-size:12.5px;color:var(--muted);margin-top:6px} | |
| label.tog{display:flex;gap:6px;align-items:center;cursor:pointer} | |
| footer.nav{position:sticky;bottom:0;background:var(--bg);padding-top:8px} | |
| </style> | |
| </head> | |
| <body> | |
| <div class="wrap"> | |
| <header> | |
| <h1>CISM Domain 3 — Otobüs Tekrarı</h1> | |
| <div class="sub">Information Security Program · 98 soru (2 set) · tamamen offline</div> | |
| </header> | |
| <!-- START --> | |
| <div id="start"> | |
| <div class="banner"> | |
| <b>41 / 98 yanlış</b> — son deneme %58.2 (önceki denemeden +11 puan). | |
| <div class="lesson">Ana ders: “align with organizational/business objectives” diyen kökte cevap İŞ hedefidir (legal/gap değil); “multinational + hangi kontrol” diyen kökte cevap LEGAL/yerelleştirme; “yeni durum + ilk adım” diyen kökte cevap RİSK DEĞERLENDİRMESİ. Şıklardan birini seçmeden önce kökteki bu üç kancayı ara.</div> | |
| </div> | |
| <div class="modebtn rec" id="modeWrong"> | |
| <div class="t">🎯 Sadece yanlışlarım (41)</div> | |
| <div class="d">Türkçe kişisel açıklamalı, kategoriye göre gruplu. Bindirmeden önce en verimli 20-30 dk.</div> | |
| </div> | |
| <div class="modebtn" id="modeAll"> | |
| <div class="t">📚 Domain 3'ün tamamı (98)</div> | |
| <div class="d">Doğru yaptıkların dahil tüm sorular, İngilizce (Udemy) açıklamalı.</div> | |
| </div> | |
| <div class="modebtn" id="modeCat"> | |
| <div class="t">🗂️ Kategoriye göre çalış</div> | |
| <div class="d">11 zayıf nokta kümesinden birini seç (örn. Business ↔ Legal ↔ Assess).</div> | |
| </div> | |
| <div class="modebtn" id="modeResume"> | |
| <div class="t">↩️ Kayıttan devam et</div> | |
| <div class="d" id="resumeInfo">Kayıt yok.</div> | |
| </div> | |
| <div id="catPicker" class="card hidden"> | |
| <div class="qtext" style="font-size:14px;margin-bottom:8px">Kategori seç</div> | |
| <div class="catlist" id="catList"></div> | |
| <button class="ghost" id="catBack">← Geri</button> | |
| </div> | |
| <div class="controls"> | |
| <label class="tog"><input type="checkbox" id="shufO" checked> Şıkları karıştır</label> | |
| <label class="tog"><input type="checkbox" id="autoEn"> İngilizceyi otomatik aç</label> | |
| </div> | |
| </div> | |
| <!-- QUIZ --> | |
| <div id="quiz" class="hidden"> | |
| <div class="bar"><div id="prog"></div></div> | |
| <div class="card"> | |
| <div class="meta" id="meta"></div> | |
| <div class="qtext" id="q"></div> | |
| <div id="opts"></div> | |
| <div id="explainBox"></div> | |
| </div> | |
| <footer class="nav"> | |
| <div class="btnrow"> | |
| <button class="ghost" id="prev">← Önceki</button> | |
| <button class="primary" id="next">Sonraki →</button> | |
| </div> | |
| <div class="btnrow"> | |
| <button class="ghost" id="toStart">Menüye dön</button> | |
| <button class="ghost" id="finish">Bitir & özet</button> | |
| </div> | |
| </footer> | |
| </div> | |
| <!-- RESULT --> | |
| <div id="result" class="card hidden"> | |
| <h1 style="font-size:18px">Bu turun özeti</h1> | |
| <div class="stat" id="stat"></div> | |
| <div class="grid" id="resultGrid"></div> | |
| <div class="btnrow" style="margin-top:14px"> | |
| <button class="primary" id="toStart2">Menüye dön</button> | |
| <button class="ghost" id="reviewWrong2">Bu turdaki yanlışları tekrar gör</button> | |
| </div> | |
| </div> | |
| </div> | |
| <script> | |
| const QUESTIONS = [{"id":"s1-q3","set":1,"number":3,"q":"When preparing a new cybersecurity strategy, which factor should be considered most critical in aligning security initiatives with business objectives?","options":[{"l":"A","text":"Impact on user productivity and business processes","correct":true},{"l":"B","text":"Scalability and adaptability of the security measures","correct":false},{"l":"C","text":"Alignment with industry best practices and frameworks","correct":false},{"l":"D","text":"Cost-effectiveness of implemented security solutions","correct":false}],"correct":"A","userPrev":"C","wrongPrev":true,"en":"The Correct Answer:\nImpact on user productivity and business processes: Aligning security initiatives with business objectives requires ensuring that security measures do not hinder overall business productivity and processes. A strategy that disrupts operations is likely to face resistance or fail. Security must be integrated seamlessly to support and enable business functions.\nThe Incorrect Answers:\nCost-effectiveness of implemented security solutions: While budget considerations are important, they should not override the importance of ensuring security measures support business processes effectively.\nAlignment with industry best practices and frameworks: These provide guidance, yet strict adherence may not always align with unique business needs or objectives, which could compromise effectiveness.\nScalability and adaptability of the security measures: Critical for long-term planning, but immediate alignment with current business objectives and practices is more crucial for initial strategy preparations.","tr":"Kök açıkça “aligning security with BUSINESS OBJECTIVES” diyor → cevap iş süreçlerine/üretkenliğe etki. “Industry best practices” her soruda kulağa doğru gelen genel klişedir; soru iş-hizası isterken kazanmaz.","tag":"Business align","catIndex":0},{"id":"s1-q4","set":1,"number":4,"q":"A multinational corporation experienced a data breach affecting customer information and is now revising its security strategy. What is the essential initial step to ensure an improved security posture?","options":[{"l":"A","text":"Implement enhanced technical security controls","correct":false},{"l":"B","text":"Re-evaluate and update incident response procedures","correct":false},{"l":"C","text":"Engage senior management to emphasize the importance of security","correct":false},{"l":"D","text":"Perform a comprehensive root cause analysis of the breach","correct":true}],"correct":"D","userPrev":"D","wrongPrev":false,"en":"The Correct Answer:\nPerform a comprehensive root cause analysis of the breach: Understanding the specific causes and vectors of the data breach is essential to appropriately address vulnerabilities and prevent future incidents. By identifying root causes, the organization can take targeted actions, optimize its resources, and revise its security strategy more effectively, ensuring any new risks are adequately mitigated.\nThe Incorrect Answers:\nRe-evaluate and update incident response procedures: While important, revising response procedures without first understanding the root cause may not address underlying issues effectively.\nA root cause analysis is critical to informing these updates.\nEngage senior management to emphasize the importance of security: Senior management involvement is vital, but it should be framed around data derived from understanding the breach's causes.\nOrganizational support can be better informed post-analysis.\nImplement enhanced technical security controls: Enhanced controls are part of the solution but should be a result of the root cause analysis.\nImplementing controls prematurely may not address specific vulnerabilities that led to the breach.","tr":"","tag":"","catIndex":99},{"id":"s1-q5","set":1,"number":5,"q":"Which strategic consideration is most critical when selecting corrective controls for mitigating identified vulnerabilities?","options":[{"l":"A","text":"Ensuring alignment with the organization's risk tolerance and incident response capabilities","correct":true},{"l":"B","text":"Selecting controls that can be implemented with the least disruption to current operations","correct":false},{"l":"C","text":"Maximizing the cost-effectiveness and efficiency of control implementation","correct":false},{"l":"D","text":"Prioritizing controls that offer the quickest path to compliance with regulatory requirements","correct":false}],"correct":"A","userPrev":"B","wrongPrev":true,"en":"The Correct Answer:\nEnsuring alignment with the organization's risk tolerance and incident response capabilities: Corrective controls must align with the organization's risk tolerance and ability to handle incidents effectively, ensuring that they address vulnerabilities without exceeding resource capacities.\nThe Incorrect Answers:\nMaximizing the cost-effectiveness and efficiency of control implementation: While cost-efficiency is important, it should not override the strategic alignment with risk management priorities.\nPrioritizing controls that offer the quickest path to compliance with regulatory requirements: Meeting compliance is important, but corrective controls should be chosen based on their ability to manage risks, not solely on regulatory timelines.\nSelecting controls that can be implemented with the least disruption to current operations: Minimizing disruption is beneficial but should not compromise the effectiveness and strategic fit of the controls in mitigating key vulnerabilities.","tr":"Düzeltici kontrol seçiminde stratejik kriter → risk TOLERANSI + IR kapasitesiyle hizalama. “En az kesinti” (senin şıkkın) bir konfor tercihidir, stratejik ölçüt değil.","tag":"Control/risk-tolerance","catIndex":7},{"id":"s1-q7","set":1,"number":7,"q":"When aiming to improve an organization's security maturity, what should be the primary focus for an information security manager?","options":[{"l":"A","text":"Enhancing compliance with existing regulatory frameworks","correct":false},{"l":"B","text":"Integrating security requirements into the software development lifecycle","correct":true},{"l":"C","text":"Developing a comprehensive security awareness program","correct":false},{"l":"D","text":"Establishing metrics for advanced incident response capabilities","correct":false}],"correct":"B","userPrev":"B","wrongPrev":false,"en":"The Correct Answer:\nIntegrating security requirements into the software development lifecycle: Embedding security within development processes indicates maturity by proactively addressing risks and aligning security with core business functions.\nThe Incorrect Answers:\nEnhancing compliance with existing regulatory frameworks: Compliance is important but merely meeting regulatory requirements does not ensure security maturity.\nDeveloping a comprehensive security awareness program: While vital for reducing human-related risks, awareness programs alone do not signify advanced maturity.\nEstablishing metrics for advanced incident response capabilities: Although important, focusing solely on incident response metrics does not provide a holistic view of maturity.","tr":"","tag":"","catIndex":99},{"id":"s1-q9","set":1,"number":9,"q":"What is the MOST critical factor to consider when establishing a reporting structure for an information security program within a large, decentralized organization?","options":[{"l":"A","text":"Alignment with corporate governance models to ensure oversight","correct":true},{"l":"B","text":"Flexibility to adapt to organizational and regulatory changes","correct":false},{"l":"C","text":"Integration with existing communication channels to enhance efficiency","correct":false},{"l":"D","text":"Direct reporting to senior management to guarantee strategic alignment","correct":false}],"correct":"A","userPrev":"A","wrongPrev":false,"en":"The Correct Answer:\nAlignment with corporate governance models to ensure oversight: In a large, decentralized organization, ensuring that the information security program is aligned with corporate governance models is critical. This alignment guarantees that there is proper oversight, accountability, and strategic direction, which are essential for maintaining consistency in security policies and practices across all branches of the organization. It ensures that the security program is not operating in isolation but as an integral part of the organization's governance framework, addressing business goals and compliance needs.\nThe Incorrect Answers:\nDirect reporting to senior management to guarantee strategic alignment: While direct reporting to senior management can facilitate strategic alignment, it does not ensure the necessary checks, balances, and accountability mechanisms that come with alignment to corporate governance. It's important, but not as comprehensive as governing models that ensure overall alignment.\nIntegration with existing communication channels to enhance efficiency: While integrating with existing communication channels can improve operational efficiency, it does not address the broader need for oversight and strategic alignment that corporate governance models provide. Efficiency is important, but without strategic alignment and oversight, the program's efficacy could be limited.\nFlexibility to adapt to organizational and regulatory changes: Although flexibility is important, especially in a dynamic regulatory environment, it is not as critical as foundational alignment with corporate governance. Without such alignment, the ability to adapt may lead to inconsistent application of security measures across different parts of the organization.","tr":"","tag":"","catIndex":99},{"id":"s1-q10","set":1,"number":10,"q":"How should an information security manager prioritize control objectives to ensure alignment with organizational risk appetite and strategic goals?","options":[{"l":"A","text":"Evaluate the control objectives based on the likelihood and impact of relevant threats and vulnerabilities","correct":true},{"l":"B","text":"Prioritize control objectives that fulfill all regulatory compliance mandates first","correct":false},{"l":"C","text":"Focus on control objectives that are cost-effective and offer the best return on security investment","correct":false},{"l":"D","text":"Select control objectives that provide the greatest reduction in risk across multiple business functions","correct":false}],"correct":"A","userPrev":"A","wrongPrev":false,"en":"The Correct Answer:\nEvaluate the control objectives based on the likelihood and impact of relevant threats and vulnerabilities: Prioritizing control objectives by evaluating the likelihood and impact of threats and vulnerabilities ensures alignment with the organization's risk management goals. This method considers both potential threats and the organization's risk appetite, allowing for informed decision-making that supports strategic organizational objectives. By assessing and addressing the most significant risks, security measures can be more effectively tailored to safeguard assets in a way that aligns with the overall organizational strategy and risk appetite.\nThe Incorrect Answers:\nPrioritize control objectives that fulfill all regulatory compliance mandates first: While regulatory compliance is crucial and necessary to avoid legal consequences, solely focusing on compliance might overlook other critical threats that could have a severe impact. This approach does not directly consider the organization's risk appetite or strategic goals, which are essential for a well-rounded security strategy.\nSelect control objectives that provide the greatest reduction in risk across multiple business functions: Although reducing risk across various business functions is valuable, this option lacks focus on how these risks align with the organization's specific risk appetite and strategic goals. The potential for risk reduction should be considered, but it should be within the context of the likelihood and impact of threats, and not in isolation from the organization's broader objectives.\nFocus on control objectives that are cost-effective and offer the best return on security investment: Even though cost-effectiveness and a good return on investment are important considerations, prioritizing solely on these factors might sideline more critical security needs that are necessary to address based on risk assessments. Control objectives should ensure adequate protection based on the underlying risk profile rather than just financial considerations.","tr":"","tag":"","catIndex":99},{"id":"s1-q15","set":1,"number":15,"q":"What is the most effective method for integrating security risk management into an agile development process?","options":[{"l":"A","text":"Integrate security testing into the continuous integration/continuous delivery (CI/CD) pipeline","correct":true},{"l":"B","text":"Conduct security risk assessments at the end of each sprint review","correct":false},{"l":"C","text":"Train development teams annually on the latest security practices","correct":false},{"l":"D","text":"Require security approval before releasing any new feature","correct":false}],"correct":"A","userPrev":"A","wrongPrev":false,"en":"The Correct Answer:\nIntegrate security testing into the continuous integration/continuous delivery (CI/CD) pipeline: Integrating security testing into CI/CD ensures that vulnerabilities are detected and managed throughout the development lifecycle, fostering early identification and resolution. This approach aligns with agile's emphasis on frequent iterations and continuous delivery, ensuring security is a consistent part of the process rather than a final hurdle. Continuous testing evolves with the code, keeping risks manageable and maintaining the pace of development.\nThe Incorrect Answers:\nConduct security risk assessments at the end of each sprint review: While regular risk assessments are beneficial, conducting them only at the end of sprints could lead to delayed identification of security issues, impacting the agility and responsiveness of the development process.\nIntegrating security considerations throughout, rather than just at sprint reviews, is more effective.\nRequire security approval before releasing any new feature: This approach could introduce bottlenecks and reduce agility, as it places security as a gatekeeper rather than a part of the integrated development process.\nAgile seeks to embed security within development governance to manage risks continuously, rather than as an afterthought or a distinct phase.\nTrain development teams annually on the latest security practices: While training is important, annual sessions are not timely enough for agile environments.\nSecurity knowledge and practices should evolve alongside development practices, necessitating ongoing and embedded training, rather than sporadic, annual updates.","tr":"","tag":"","catIndex":99},{"id":"s1-q18","set":1,"number":18,"q":"A company discovers a significant security vulnerability in one of its legacy systems. What is the most urgent action the Information Security Manager should take?","options":[{"l":"A","text":"Schedule a complete system upgrade","correct":false},{"l":"B","text":"Initiate a full-scale audit of all legacy systems","correct":false},{"l":"C","text":"Immediately apply an interim fix or workaround","correct":true},{"l":"D","text":"Notify upper management about the vulnerability","correct":false}],"correct":"C","userPrev":"C","wrongPrev":false,"en":"The Correct Answer:\nImmediately apply an interim fix or workaround: This option addresses the immediate risk posed by the significant security vulnerability. Applying an interim fix or workaround serves as a preventative measure to mitigate potential exploitation of the vulnerability while a more comprehensive solution is developed. This aligns with risk management principles by providing an immediate response to reduce the immediate threat and protect the organization's assets.\nThe Incorrect Answers:\nNotify upper management about the vulnerability: While it is crucial to keep upper management informed about significant security issues, this action alone does not address or mitigate the vulnerability. Notifying management is part of the communication process but does not contribute immediate operational security improvements.\nSchedule a complete system upgrade: Although upgrading the system might resolve the vulnerability in the long term, it is not an immediate solution. Scheduling a complete upgrade can be time-consuming and may leave the system exposed in the interim, potentially leading to an exploitation of the existing vulnerability.\nInitiate a full-scale audit of all legacy systems: Conducting a full-scale audit can identify additional vulnerabilities and improve overall security posture but is not the most urgent action. This option does not immediately address or mitigate the specific vulnerability recently discovered, leading to continuous exposure and increased risk.","tr":"","tag":"","catIndex":99},{"id":"s1-q23","set":1,"number":23,"q":"Which of the following steps is most critical to ensure the effective integration of information security into the organization's business objectives?","options":[{"l":"A","text":"Involving senior management in security project reviews","correct":false},{"l":"B","text":"Including security metrics in business performance evaluations","correct":false},{"l":"C","text":"Developing a security-aware organizational culture","correct":true},{"l":"D","text":"Aligning security goals with IT capabilities","correct":false}],"correct":"C","userPrev":"B","wrongPrev":true,"en":"The Correct Answer:\nDeveloping a security-aware organizational culture: Creating a culture that values and prioritizes security within the organization is the most critical step to ensuring the effective integration of information security into business objectives. A security-aware culture involves all employees understanding the importance of security and their roles in protecting the organization's assets. This approach establishes a foundational mindset that supports and enhances all other security initiatives, thereby aligning them with business goals and fostering proactive engagement across all levels of the organization.\nThe Incorrect Answers:\nAligning security goals with IT capabilities: While aligning security goals with IT capabilities is important, it primarily focuses on ensuring technological feasibility rather than fostering organization-wide integration. Without a supportive culture, efforts to align these goals may lack the necessary buy-in from stakeholders beyond the IT department.\nIncluding security metrics in business performance evaluations: Incorporating security metrics into performance evaluations can drive accountability and demonstrate security's impact. However, metrics alone do not guarantee integration with business objectives, as they may be seen as isolated technical indicators instead of an organizational priority.\nInvolving senior management in security project reviews: Engaging senior management is essential for gaining support and resources but does not automatically lead to integration with business objectives. A security-aware culture ensures that management's involvement is part of a broader understanding and commitment to security across the organization.","tr":"Güvenliği iş hedefleriyle ENTEGRE etmenin en kritik adımı → güvenlik-bilinçli kültür (kalıcı, davranışsal). Metriği performansa koymak ölçer ama entegrasyonu sağlamaz. Not: S1Q88’de metrik kazanıyordu — orada soru ‘durum İLETİŞİMİ’, burada ‘ENTEGRASYON’; ayrımı kökten oku.","tag":"Business/Culture","catIndex":0},{"id":"s1-q24","set":1,"number":24,"q":"What is the most effective approach for integrating business objectives with an organization's information security program?","options":[{"l":"A","text":"Developing a risk management framework aligned with business objectives","correct":true},{"l":"B","text":"Aligning information security policies with broader business goals","correct":false},{"l":"C","text":"Conducting regular security awareness training for all employees","correct":false},{"l":"D","text":"Implementing a robust set of security controls across the organization","correct":false}],"correct":"A","userPrev":"D","wrongPrev":true,"en":"The Correct Answer:\nDeveloping a risk management framework aligned with business objectives: This approach ensures that security efforts are directly tied to the organization's strategic priorities and risk appetite. By focusing on risk, the organization can identify and manage threats and vulnerabilities that specifically impact business goals. This allows security measures to support, rather than impede, business operations and objectives.\nThe Incorrect Answers:\nAligning information security policies with broader business goals: While aligning policies with business goals is important, policies alone may not adequately address the dynamic nature of business risks or priorities.\nA risk management framework aligns security efforts with risk and business strategy, offering a more comprehensive approach.\nImplementing a robust set of security controls across the organization: Implementing strong controls is essential for security; however, it does not ensure that security efforts are prioritized according to business objectives or changing risk landscapes.\nEffective integration requires a nuanced approach to aligning controls with specific business risks.\nConducting regular security awareness training for all employees: While training is vital for maintaining vigilance and ensuring compliance, it does not directly integrate business objectives with security measures.\nAwareness initiatives support overall security culture, but on their own, they do not align strategic security tasks with business goals.","tr":"“İş hedeflerini güvenlik programıyla ENTEGRE et” → iş hedefleriyle hizalı risk yönetimi ÇERÇEVESİ. Kontrol uygulamak (senin şıkkın) çerçeve değil, operasyonel adımdır; entegrasyon çerçeve düzeyinde olur.","tag":"Business align","catIndex":0},{"id":"s1-q26","set":1,"number":26,"q":"Which action should take priority when an organization is defining confidentiality levels for its information assets?","options":[{"l":"A","text":"Aligning them with existing security policies to ensure consistency","correct":false},{"l":"B","text":"Identifying the information lifecycle to establish appropriate controls","correct":true},{"l":"C","text":"Engaging IT personnel to ensure alignment with technical controls","correct":false},{"l":"D","text":"Analyzing how data supports strategic objectives and influences decisions","correct":false}],"correct":"B","userPrev":"A","wrongPrev":true,"en":"The Correct Answer:\nIdentifying the information lifecycle to establish appropriate controls: Understanding the lifecycle allows for tailored confidentiality measures that address each phase, ensuring comprehensive protection.\nThe Incorrect Answers:\nAligning them with existing security policies to ensure consistency: Policies should support confidentiality definitions, not constrain them, as specific asset needs can vary.\nEngaging IT personnel to ensure alignment with technical controls: Technical controls follow from confidentiality needs, rather than serving as the defining criteria.\nAnalyzing how data supports strategic objectives and influences decisions: Strategic alignment is critical, but lifecycle analysis directly informs effective confidentiality controls.","tr":"Gizlilik seviyesi tanımlamada ÖNCE → bilgi YAŞAM DÖNGÜSÜ (verinin nasıl oluştuğu-işlendiği-silindiği kontrolleri belirler). “Mevcut politikayla hizala” döngüsel ve ikincildir.","tag":"Classification","catIndex":4},{"id":"s1-q29","set":1,"number":29,"q":"In ensuring ongoing relevance and accuracy in asset classification, what is the MOST significant factor to consider?","options":[{"l":"A","text":"Stakeholder involvement in regularly updating classification criteria","correct":true},{"l":"B","text":"Scalability of classification schema to accommodate future expansion","correct":false},{"l":"C","text":"Ability to integrate classification with incident response processes","correct":false},{"l":"D","text":"Compliance with industry-standard classification frameworks","correct":false}],"correct":"A","userPrev":"A","wrongPrev":false,"en":"The Correct Answer:\nStakeholder involvement in regularly updating classification criteria: Engaging stakeholders ensures that classification reflects current business priorities, risks, and operational realities, resulting in more accurate and relevant classifications.\nThe Incorrect Answers:\nScalability of classification schema to accommodate future expansion: While scalability is important for growth, it does not necessarily ensure the classification remains contextually accurate or relevant in the present.\nCompliance with industry-standard classification frameworks: Standards provide a baseline but may not be tailored to the organization's specific needs or current risk landscape, limiting relevance and precision.\nAbility to integrate classification with incident response processes: Integration is beneficial, but without stakeholder updates, classifications may not accurately represent evolving business risks or priorities.","tr":"","tag":"","catIndex":99},{"id":"s1-q32","set":1,"number":32,"q":"In ensuring due care for third-party service management, which is the most effective way to manage security risks associated with fourth parties?","options":[{"l":"A","text":"Implementing a governance framework that includes fourth-party oversight","correct":true},{"l":"B","text":"Establishing direct communication channels with critical fourth parties","correct":false},{"l":"C","text":"Requesting regular compliance reports from fourth parties through third-party intermediaries","correct":false},{"l":"D","text":"Conducting detailed risk assessments of third-party providers","correct":false}],"correct":"A","userPrev":"A","wrongPrev":false,"en":"The Correct Answer:\nImplementing a governance framework that includes fourth-party oversight: A governance framework ensures that there is a structured approach to managing and mitigating risks associated with fourth parties, providing comprehensive oversight and accountability.\nThe Incorrect Answers:\nConducting detailed risk assessments of third-party providers: This focuses on the third party and may overlook specific risks introduced by fourth parties.\nRequesting regular compliance reports from fourth parties through third-party intermediaries: While useful, this reactive approach may not provide timely insights compared to a structured governance framework.\nEstablishing direct communication channels with critical fourth parties: Direct communication is beneficial, but without oversight mechanisms, it may not effectively manage broader security risks.","tr":"","tag":"","catIndex":99},{"id":"s1-q36","set":1,"number":36,"q":"What is the most strategic consideration when selecting vulnerability metrics for an information security program?","options":[{"l":"A","text":"Selecting metrics that effectively communicate risk to stakeholders","correct":true},{"l":"B","text":"Ensuring they demonstrate compliance with regulatory requirements","correct":false},{"l":"C","text":"Focusing on metrics that highlight resource efficiencies","correct":false},{"l":"D","text":"Aligning with industry best practices and benchmarks","correct":false}],"correct":"A","userPrev":"A","wrongPrev":false,"en":"The Correct Answer:\nSelecting metrics that effectively communicate risk to stakeholders: This choice ensures vulnerability metrics are aligned with the strategic goal of effectively informing decision-makers about risk exposure, thereby enabling them to make informed decisions.\nThe Incorrect Answers:\nAligning with industry best practices and benchmarks: While useful, industry best practices may not capture the unique risk posture or priorities of the organization.\nFocusing on metrics that highlight resource efficiencies: Resource efficiency is important, but not as critical as clearly communicating risk levels to enhance decision-making.\nEnsuring they demonstrate compliance with regulatory requirements: Compliance metrics may not reflect actual organizational risk levels or priorities, focusing more on adherence than strategic insight.","tr":"","tag":"","catIndex":99},{"id":"s1-q38","set":1,"number":38,"q":"An organization is preparing to expand its operations into a region with stringent data protection regulations. As the Chief Information Security Officer (CISO), what should be your first course of action to ensure compliance?","options":[{"l":"A","text":"Initiate a data protection impact assessment of current processes.","correct":false},{"l":"B","text":"Integrate compliance monitoring tools into the existing IT infrastructure.","correct":false},{"l":"C","text":"Develop a comprehensive training program for employees on new regulations.","correct":false},{"l":"D","text":"Conduct a gap analysis to identify existing compliance deficiencies.","correct":true}],"correct":"D","userPrev":"D","wrongPrev":false,"en":"The Correct Answer:\nConduct a gap analysis to identify existing compliance deficiencies: Conducting a gap analysis is the best initial step because it provides a clear understanding of current compliance status and identifies areas that need improvement. This step aligns with governance and risk management by ensuring that the organization understands its current position relative to the requirements of the new regulations. It addresses the root cause by highlighting deficiencies that must be rectified to achieve compliance.\nThe Incorrect Answers:\nInitiate a data protection impact assessment of current processes: While a data protection impact assessment is important, it should occur after understanding compliance deficiencies. The gap analysis will reveal areas where the impact assessment should focus. Starting with a gap analysis provides a broader understanding necessary before diving into specific assessments.\nDevelop a comprehensive training program for employees on new regulations: Training is crucial, but without knowing the specific deficiencies through a gap analysis, training may not be targeted or effective. It’s important to first identify gaps, which will help tailor the training program to address specific compliance needs.\nIntegrate compliance monitoring tools into the existing IT infrastructure: Implementing monitoring tools is a later step in the compliance process. First, the organization must understand the gaps and requirements before choosing appropriate tools. Without the insights from a gap analysis, tools might be improperly selected or configured, leading to suboptimal compliance monitoring.","tr":"","tag":"","catIndex":99},{"id":"s1-q39","set":1,"number":39,"q":"In the event of an early-stage merger between two companies, what should be the highest priority for the information security manager to address?","options":[{"l":"A","text":"Ensuring that security policies of both companies are consistent and compatible","correct":false},{"l":"B","text":"Establishing a unified incident response plan across both entities","correct":false},{"l":"C","text":"Performing a risk assessment to identify potential security threats","correct":true},{"l":"D","text":"Conducting a comprehensive vulnerability assessment of both companies","correct":false}],"correct":"C","userPrev":"D","wrongPrev":true,"en":"The Correct Answer:\nPerforming a risk assessment to identify potential security threats: At the early stage of a merger, there is a great deal of uncertainty, and conducting a risk assessment is crucial to identify potential threats and vulnerabilities that could arise from the integration or differences between the two companies. This prioritizes mitigation efforts and informs subsequent security planning, ensuring that both entities’ security postures can be effectively aligned and fortified.\nThe Incorrect Answers:\nConducting a comprehensive vulnerability assessment of both companies: Although vulnerability assessments are important, conducting them before understanding the broader risk landscape could miss priorities specific to the merger, leading to inefficient resource allocation.\nEstablishing a unified incident response plan across both entities: Integrating incident response plans is important, but doing so before understanding the shared risks might lead to inadequately addressing distinct challenges or postpone more immediate necessary actions.\nEnsuring that security policies of both companies are consistent and compatible: While policy consistency is ultimately necessary, attempting to synchronize policies before identifying the merged entities' risk profiles may lead to gaps or inefficiencies in addressing core security needs.","tr":"Erken birleşme → RISK assessment (tehdit+olasılık+etki, stratejik ve geniş). Sen ‘VULNERABILITY assessment’ seçtin — o sadece teknik açıkları tarar. İki terim FARKLI; birleşmede iş/stratejik risk gerekir. (Terminoloji bölümüne dön.)","tag":"Terminoloji!","catIndex":2},{"id":"s1-q42","set":1,"number":42,"q":"During a merger, the Chief Information Officer (CIO) is tasked with ensuring both companies' information security policies align. What is the first step they should take?","options":[{"l":"A","text":"Harmonize the existing security policies of both companies","correct":false},{"l":"B","text":"Establish a joint security task force comprised of members from both companies","correct":false},{"l":"C","text":"Train employees on the new security policies","correct":false},{"l":"D","text":"Perform a comprehensive risk assessment for the merged entity","correct":true}],"correct":"D","userPrev":"D","wrongPrev":false,"en":"The Correct Answer:\nPerform a comprehensive risk assessment for the merged entity: Identifying and evaluating new risks introduced by the merger is critical before aligning any policies. A risk assessment provides insight into areas where security policies may require adjustments and ensures that any specific vulnerabilities or threats are addressed.\nThe Incorrect Answers:\nHarmonize the existing security policies of both companies: Harmonization should follow an understanding of risks.\nAligning policies without first assessing risks may overlook critical vulnerabilities or areas of conflict between the two original environments.\nTrain employees on the new security policies: Training is necessary for policy adoption but is premature before understanding what the merged company's security landscape and policies entail.\nEstablish a joint security task force comprised of members from both companies: While a collaborative approach is beneficial, this step should follow the risk assessment to focus efforts and create task force priorities based on the identified risks.","tr":"","tag":"","catIndex":99},{"id":"s1-q43","set":1,"number":43,"q":"In implementing a new information security policy across a multinational organization, what factor should be prioritized to ensure global compliance and effectiveness?","options":[{"l":"A","text":"Standardizing security controls across all offices","correct":false},{"l":"B","text":"Implementing centralized policy management","correct":false},{"l":"C","text":"Conducting global security awareness campaigns","correct":false},{"l":"D","text":"Tailoring policy language to local legal requirements","correct":true}],"correct":"D","userPrev":"C","wrongPrev":true,"en":"The Correct Answer:\nTailoring policy language to local legal requirements: Ensuring that the policy complies with local laws and regulations is critical for global effectiveness. Non-compliance can result in legal liabilities and undermine policy adoption. This prioritization helps gain acceptance and enforceability in different regions, considering legal and cultural variations.\nThe Incorrect Answers:\nStandardizing security controls across all offices: While standardization aids in consistency, it might not address specific legal requirements or cultural differences, risking non-compliance or resistance.\nCustomization for local contexts can be more effective.\nImplementing centralized policy management: Centralized management promotes oversight but might lack local adaptability.\nWithout accommodating local legal nuances, it risks ineffective policy deployment and weaker compliance.\nConducting global security awareness campaigns: Awareness campaigns support policy adoption but cannot compensate for non-compliance with local laws.\nLegal-tailored policy lays a solid foundation to build awareness upon.","tr":"Çok-uluslu politika + “global compliance” → politika dilini YEREL HUKUKA uyarla. “Global awareness kampanyası” çift tuzak: hem eğitim çeldiricisi hem mutlak-‘global’ dili.","tag":"Legal (multinational)","catIndex":1},{"id":"s1-q46","set":1,"number":46,"q":"In an organization undergoing rapid digital transformation, what is the best method to manage security-related risks effectively?","options":[{"l":"A","text":"Implementing advanced technology solutions to detect threats","correct":false},{"l":"B","text":"Outsourcing security management to a third-party provider","correct":false},{"l":"C","text":"Integrating risk management into the business's core processes","correct":true},{"l":"D","text":"Conducting regular security awareness training for employees","correct":false}],"correct":"C","userPrev":"C","wrongPrev":false,"en":"The Correct Answer:\nIntegrating risk management into the business's core processes: To effectively manage security-related risks during digital transformation, it's vital to integrate risk management into the business's core processes. This ensures that risk considerations are part of every business decision and that security is embedded throughout all transformation activities. It allows for proactive identification and mitigation of risks before they can negatively impact business operations, ensuring that security efforts align with organizational goals.\nThe Incorrect Answers:\nOutsourcing security management to a third-party provider: While outsourcing can provide expertise, handing over all security management to a third party without integration into core processes might lead to misalignment with the organization's specific risk profile and objectives, making it less effective.\nConducting regular security awareness training for employees: While important, training alone is not sufficient to manage security-related risks comprehensively.\nTraining ensures that employees are aware of security best practices but doesn't address the broader requirement to integrate risk management.\nImplementing advanced technology solutions to detect threats: Technology can help detect threats, but without a comprehensive risk management strategy, relying solely on technology may lead to a reactive rather than proactive approach, making it an incomplete solution.","tr":"","tag":"","catIndex":99},{"id":"s1-q56","set":1,"number":56,"q":"A Cloud Service Provider (CSP) is developing a new data storage service for clients across various industries, including financial and healthcare sectors. What is the most critical initial step the CSP should undertake to ensure compliance with relevant regulations?","options":[{"l":"A","text":"Conduct a comprehensive risk assessment across all potential jurisdictions","correct":false},{"l":"B","text":"Engage with stakeholders to understand the specific compliance requirements","correct":true},{"l":"C","text":"Investigate similar services to benchmark regulatory compliance strategies","correct":false},{"l":"D","text":"Develop and implement a standardized security framework","correct":false}],"correct":"B","userPrev":"D","wrongPrev":true,"en":"The Correct Answer:\nEngage with stakeholders to understand the specific compliance requirements: Engaging with stakeholders such as clients, legal counsel, and regulatory experts ensures that the CSP fully understands the specific compliance obligations for each industry and jurisdiction. This understanding forms the foundation for developing a compliant product. Prioritizing stakeholder engagement helps align the service with both business needs and regulatory demands, which is essential for compliance and business success.\nThe Incorrect Answers:\nConduct a comprehensive risk assessment across all potential jurisdictions: While risk assessments are crucial, they should follow an understanding of specific compliance requirements.\nThe assessment will be more effective when informed by direct input from stakeholders about relevant regulations.\nDevelop and implement a standardized security framework: A security framework is essential but must be tailored based on specific compliance requirements of the industries served.\nWithout stakeholder input, a standardized framework might not address all necessary regulatory aspects.\nInvestigate similar services to benchmark regulatory compliance strategies: Benchmarking can offer insights but might not reflect the unique regulatory landscape applicable to the new service.\nEngaging with stakeholders provides direct, focused guidance specific to the service's compliance obligations.","tr":"Farklı ülkelere hizmet veren CSP → önce paydaşlarla her ülkenin SPESİFİK uyum gereksinimini anla. “Standart güvenlik çerçevesi” mutlak-tuzak; her yargı bölgesi farklı olduğundan tek çerçeve yetmez.","tag":"Legal/Stakeholder","catIndex":1},{"id":"s1-q60","set":1,"number":60,"q":"A company is planning to develop a new cloud-based service and is concerned about potential data breaches. What should be the first step to ensure data security?","options":[{"l":"A","text":"Developing a comprehensive incident response plan","correct":false},{"l":"B","text":"Implementing encryption for all data stored in the cloud","correct":false},{"l":"C","text":"Training employees on data security best practices","correct":false},{"l":"D","text":"Conducting a risk assessment to identify potential threats","correct":true}],"correct":"D","userPrev":"D","wrongPrev":false,"en":"The Correct Answer:\nConducting a risk assessment to identify potential threats: The first step in ensuring data security for a new service is to understand the specific risks and threats that it faces. A risk assessment helps to identify vulnerabilities, assess the potential impact of various threats, and prioritize the areas that need attention. This process provides a foundation for making informed decisions about implementing appropriate security measures, including encryption and training programs.\nThe Incorrect Answers:\nImplementing encryption for all data stored in the cloud: While encryption is an important security measure, it should be implemented based on the results of a risk assessment.\nNot all data may require encryption, and its implementation might not address all identified risks without first understanding the potential threats.\nDeveloping a comprehensive incident response plan: An incident response plan is critical for addressing security breaches but should be based on identified risks and organizational needs.\nDeveloping such a plan without a prior risk assessment might result in overlooking specific threats or vulnerabilities.\nTraining employees on data security best practices: Employee training is crucial but should be tailored to address the specific threats identified during a risk assessment.\nWithout understanding the risks, the training might not be targeted enough to mitigate potential data breaches effectively.","tr":"","tag":"","catIndex":99},{"id":"s1-q61","set":1,"number":61,"q":"When architecting technical controls within an organization undergoing rapid digital transformation, what should be prioritized to ensure scalability and future resilience?","options":[{"l":"A","text":"Interoperability with future technologies and platforms","correct":true},{"l":"B","text":"Compliance with current regulatory requirements","correct":false},{"l":"C","text":"Minimal disruption to existing workflows and processes","correct":false},{"l":"D","text":"Immediate cost savings and resource optimization","correct":false}],"correct":"A","userPrev":"B","wrongPrev":true,"en":"The Correct Answer:\nInteroperability with future technologies and platforms: Prioritizing interoperability ensures that the technical controls remain effective as new technologies are adopted, supporting scalability and resilience in a dynamic environment.\nThe Incorrect Answers:\nCompliance with current regulatory requirements: While essential, regulatory compliance might require updates; long-term interoperability is a higher priority for future-proofing.\nMinimal disruption to existing workflows and processes: Minimizing disruptions is important, but the need for scalable and adaptable controls is more crucial in a rapidly transforming organization.\nImmediate cost savings and resource optimization: While cost savings are beneficial, the focus on future scalability and interoperability is of greater importance for lasting resilience.","tr":"“Ölçeklenebilirlik ve gelecek dayanıklılığı” → gelecek teknolojilerle INTEROPERABILITY. Mevcut regülasyona uyum (senin şıkkın) bugünü çözer; soru açıkça GELECEĞİ soruyor.","tag":"Architecture","catIndex":7},{"id":"s1-q68","set":1,"number":68,"q":"What approach should an information security manager take to justify the investment in a new security technology to senior management?","options":[{"l":"A","text":"Comparing the technology with competitors' implementations","correct":false},{"l":"B","text":"Demonstrating the technology's return on investment (ROI) through cost savings","correct":false},{"l":"C","text":"Linking the technology to compliance with legal requirements","correct":true},{"l":"D","text":"Highlighting the potential reputational damage from not investing","correct":false}],"correct":"C","userPrev":"C","wrongPrev":false,"en":"The Correct Answer:\nLinking the technology to compliance with legal requirements: This is the best choice because compliance and legal obligations are a top priority. By linking the technology investment to legal requirements, an information security manager can emphasize mandatory compliance, reducing legal and financial risk to the organization. This aligns with the guidelines prioritizing compliance and demonstrates a clear, enforced necessity to senior management, making the investment non-negotiable.\nThe Incorrect Answers:\nDemonstrating the technology's return on investment (ROI) through cost savings: While ROI is important, it may not be as compelling to senior management as compliance issues. Cost savings, while beneficial, are not as urgent or legally binding as meeting compliance requirements.\nHighlighting the potential reputational damage from not investing: Although reputational risk is significant, it is often speculative and harder to quantify than compliance-related consequences. Senior management might find direct links to legal requirements more persuasive.\nComparing the technology with competitors' implementations: While benchmarking against competitors is useful, it does not address the organization's specific legal and compliance needs as directly as the chosen answer. Senior management requires justification that directly affects the organization's legal standing and obligations.","tr":"","tag":"","catIndex":99},{"id":"s1-q73","set":1,"number":73,"q":"In a strategic assessment of compliance requirements, how should an information security manager prioritize the integration of security standards with existing organizational processes?","options":[{"l":"A","text":"Develop new organizational processes to fully comply with all standards","correct":false},{"l":"B","text":"Implement the security standard that aligns most closely with industry practices","correct":false},{"l":"C","text":"Evaluate existing processes against security standards for alignment","correct":true},{"l":"D","text":"Prioritize business needs over compliance when conflicts arise","correct":false}],"correct":"C","userPrev":"C","wrongPrev":false,"en":"The Correct Answer:\nEvaluate existing processes against security standards for alignment: Evaluating existing processes helps identify areas of alignment and misalignment, allowing for efficient integration of security standards without unnecessary overhaul of current practices.\nThe Incorrect Answers:\nImplement the security standard that aligns most closely with industry practices: While aligning with industry practices is important, it does not necessarily ensure seamless integration with existing processes.\nDevelop new organizational processes to fully comply with all standards: Developing entirely new processes may lead to inefficiencies and unnecessary disruptions if existing processes can be aligned effectively.\nPrioritize business needs over compliance when conflicts arise: Balancing business needs with compliance is critical, but prioritizing business needs without evaluating alignment could lead to compliance risks.","tr":"","tag":"","catIndex":99},{"id":"s1-q74","set":1,"number":74,"q":"During an annual security review, a multinational corporation finds significant inconsistencies in its security policies across different regions. What is the best approach to address this issue?","options":[{"l":"A","text":"Mandating the adoption of a single global policy suite","correct":false},{"l":"B","text":"Establishing a cross-regional task force to align policies","correct":true},{"l":"C","text":"Centralizing policy creation to ensure uniformity","correct":false},{"l":"D","text":"Conducting a regional needs assessment for tailored policies","correct":false}],"correct":"B","userPrev":"D","wrongPrev":true,"en":"The Correct Answer:\nEstablishing a cross-regional task force to align policies: A cross-regional task force enables collaboration among different regional representatives, balancing global standards with localized needs. This approach leverages the insights and expertise of stakeholders from all regions, ensuring policies are not only aligned but also pragmatic and compliant with local regulations. The task force can address unique regional challenges while maintaining consistency with the corporation's global security framework.\nThe Incorrect Answers:\nCentralizing policy creation to ensure uniformity: While centralization can ensure uniformity, it risks overlooking regional compliance requirements and specific security threats.\nA one-size-fits-all approach may not be effective in diverse regulatory environments.\nConducting a regional needs assessment for tailored policies: Though understanding regional needs is important, it must be part of a broader strategy that considers both global consistency and local requirements.\nThis option alone doesn't ensure alignment across all regions.\nMandating the adoption of a single global policy suite: Enforcing strict adherence to a global policy without considering regional contexts might lead to compliance issues and challenges in practical application due to local regulations and threats.","tr":"Çok-uluslu politika TUTARSIZLIĞI → bölgeler-arası ORTAK GÖREV GÜCÜ (yapı ile tutarlılık). Bölgesel ihtiyaç değerlendirmesi (senin şıkkın) farkı ölçer ama hizalamayı sağlamaz.","tag":"Governance structure","catIndex":10},{"id":"s1-q75","set":1,"number":75,"q":"What is the primary consideration for an information security manager when initiating the development of new security policies?","options":[{"l":"A","text":"Conducting a gap analysis of current security practices","correct":false},{"l":"B","text":"Benchmarking against industry standards and practices","correct":false},{"l":"C","text":"Assessing the existing business strategy and objectives","correct":true},{"l":"D","text":"Reviewing the current regulatory environment to ensure compliance","correct":false}],"correct":"C","userPrev":"A","wrongPrev":true,"en":"The Correct Answer:\nAssessing the existing business strategy and objectives: This ensures the policies support and are aligned with higher-level business goals, making them more effective and relevant.\nThe Incorrect Answers:\nReviewing the current regulatory environment to ensure compliance: Compliance is necessary but secondary to ensuring policies are strategically aligned with business goals.\nBenchmarking against industry standards and practices: While useful for context, standards should guide rather than dictate organizational policy priorities.\nConducting a gap analysis of current security practices: Identifies deficiencies but does not ensure alignment with overall business strategy.","tr":"Program geliştirmeye BAŞLARKEN önce mevcut iş stratejisi ve hedeflerini anla — program onlara hizmet edecek. Gap analizi (senin şıkkın) standartlara karşı yapılır ve daha sonra gelir.","tag":"Business/Assess","catIndex":0},{"id":"s1-q79","set":1,"number":79,"q":"What is the most strategic approach when integrating security architecture into an organization's existing infrastructure to ensure adequate scalability and flexibility?","options":[{"l":"A","text":"Implement vendor-specific solutions to streamline compatibility","correct":false},{"l":"B","text":"Integrate ad-hoc solutions to address immediate security gaps","correct":false},{"l":"C","text":"Select a modular architecture that supports incremental upgrades","correct":true},{"l":"D","text":"Adopt a comprehensive, unified security management system","correct":false}],"correct":"C","userPrev":"B","wrongPrev":true,"en":"The Correct Answer:\nSelect a modular architecture that supports incremental upgrades: A modular approach allows for scalability and flexibility, enabling the organization to adapt and expand as needed without significant disruptions.\nThe Incorrect Answers:\nImplement vendor-specific solutions to streamline compatibility: Vendor-specific solutions may limit flexibility and scalability due to potential lock-in issues.\nAdopt a comprehensive, unified security management system: While unified systems seem advantageous, they may not provide the scalability and flexibility required over time.\nIntegrate ad-hoc solutions to address immediate security gaps: Ad-hoc solutions might solve short-term problems but do not contribute to long-term strategic scaling or adaptability.","tr":"Mimariyi entegre etmede stratejik yaklaşım → MODÜLER, kademeli yükseltilebilir mimari. “Ad-hoc çözümler” (senin şıkkın) mutlak-tuzak: kısa vadeli, teknik borç üretir, stratejik değil.","tag":"Architecture","catIndex":7},{"id":"s1-q80","set":1,"number":80,"q":"What is the most effective way for an organization to ensure that information asset classification aligns with business objectives?","options":[{"l":"A","text":"Conduct regular training sessions for employees on asset classification.","correct":false},{"l":"B","text":"Integrate classification efforts with the business impact analysis process.","correct":true},{"l":"C","text":"Use a data classification tool to automate classification tasks.","correct":false},{"l":"D","text":"Develop detailed classification policies and procedures.","correct":false}],"correct":"B","userPrev":"B","wrongPrev":false,"en":"The Correct Answer:\nIntegrate classification efforts with the business impact analysis process: By linking asset classification with the business impact analysis, an organization ensures that classification is based on actual business needs and objectives. This approach helps prioritize resources and protection levels according to the potential impact on the organization's operations, aligning classification efforts with strategic business goals.\nThe Incorrect Answers:\nDevelop detailed classification policies and procedures: While necessary, having detailed policies does not guarantee alignment with business objectives.\nPolicies provide the framework, but the integration into business processes ensures that classification activities are relevant and practical.\nConduct regular training sessions for employees on asset classification: Training enhances awareness and adherence to classification policies but does not inherently ensure alignment with business objectives.\nIt focuses on proper execution rather than strategic alignment.\nUse a data classification tool to automate classification tasks: Automation can improve efficiency and consistency but may not reflect business priorities or nuances unless properly configured.\nA tool alone cannot ensure alignment with business objectives without strategic input and oversight.","tr":"","tag":"","catIndex":99},{"id":"s1-q86","set":1,"number":86,"q":"When assigning confidentiality levels to information assets, which element should an information security manager consider first to align with emerging threats?","options":[{"l":"A","text":"Industry-specific threat intelligence and assessments","correct":true},{"l":"B","text":"Technological trends influencing data exposure","correct":false},{"l":"C","text":"Current business operations and adaptability","correct":false},{"l":"D","text":"Historical incident reports within the organization","correct":false}],"correct":"A","userPrev":"C","wrongPrev":true,"en":"The Correct Answer:\nIndustry-specific threat intelligence and assessments: This provides relevant and timely insights into potential threats specific to the industry, enabling proactive classification and protection measures.\nThe Incorrect Answers:\nHistorical incident reports within the organization: While useful for understanding past vulnerabilities, they may not reflect the current or emerging threat landscape.\nTechnological trends influencing data exposure: These trends provide context but should be assessed within the broader threat landscape rather than as an initial focus.\nCurrent business operations and adaptability: Important for implementation, these factors are secondary to understanding the nature and sophistication of emerging threats.","tr":"Gizlilik seviyesi + “emerging threats” anahtarı → sektörel TEHDİT İSTİHBARATI. “Mevcut iş operasyonları” statiktir; ‘emerging/threat’ kelimesi tehdit-odaklı cevabı işaret eder.","tag":"Classification","catIndex":4},{"id":"s1-q88","set":1,"number":88,"q":"How should an organization most effectively communicate the status of its information security program to key stakeholders to ensure transparency and continuous improvement?","options":[{"l":"A","text":"Develop a dashboard with detailed security metrics and share it quarterly","correct":true},{"l":"B","text":"Share urgent security updates through instant messaging channels","correct":false},{"l":"C","text":"Conduct regular briefings with stakeholders focused on strategic objectives","correct":false},{"l":"D","text":"Distribute comprehensive annual reports summarizing security activities","correct":false}],"correct":"A","userPrev":"C","wrongPrev":true,"en":"The Correct Answer:\nDevelop a dashboard with detailed security metrics and share it quarterly: Developing a dashboard that provides detailed security metrics and sharing it on a quarterly basis is the most effective way to communicate the status of an information security program to key stakeholders. This approach ensures transparency by consistently providing up-to-date, relevant information. Dashboards allow stakeholders to quickly understand the security posture, trends over time, and areas needing improvement, fostering continuous improvement efforts. Such a dashboard aligns with strategic objectives by focusing on metrics that matter to governance, risk management, and compliance.\nThe Incorrect Answers:\nDistribute comprehensive annual reports summarizing security activities: While distributing annual reports can provide an overview and meet regulatory documentation requirements, they lack the timeliness needed for effective decision-making and continuous improvement. Annual summaries may not capture ongoing issues dynamically enough to inform stakeholders for proactive measures.\nConduct regular briefings with stakeholders focused on strategic objectives: Although regular briefings can facilitate strategic alignment and provide personalized engagement, they may not offer the granularity of real-time data needed for transparency regarding the actual security status. Briefings are useful but should supplement rather than fully replace ongoing, detailed reporting like dashboards.\nShare urgent security updates through instant messaging channels: Instant messaging channels are useful for delivering urgent and immediate updates, but they are not suitable for providing a comprehensive and ongoing view of the information security program. This method focuses on reactive, immediate issues rather than a structured, continuous improvement approach.","tr":"Program DURUMUNU şeffaf ve sürekli iletmek → ölçülebilir METRİK dashboard (çeyreklik). Brifing (senin şıkkın) anlatır ama ölçülebilir/sürekli şeffaflık sağlamaz. (Burada metrik kazanır — S1Q23’ün tersi; ayrımı kökten oku.)","tag":"Metrik","catIndex":5},{"id":"s1-q100","set":1,"number":100,"q":"When aligning vendor management with strategic business objectives, what is the MOST IMPORTANT factor an information security manager should prioritize?","options":[{"l":"A","text":"Vendor reputation and industry standing","correct":false},{"l":"B","text":"Cost-effectiveness of vendor services","correct":false},{"l":"C","text":"Regulatory compliance of vendor contracts","correct":false},{"l":"D","text":"Security alignment with organizational risk appetite","correct":true}],"correct":"D","userPrev":"D","wrongPrev":false,"en":"The Correct Answer:\nSecurity alignment with organizational risk appetite: Ensuring that vendor practices align with the organization's risk appetite helps maintain acceptable risk levels while supporting business objectives.\nThe Incorrect Answers:\nCost-effectiveness of vendor services: While cost is important, prioritizing budget over security can lead to increased risks that are misaligned with strategic objectives.\nRegulatory compliance of vendor contracts: Compliance is critical, but focusing solely on compliance may overlook broader strategic risks and security needs.\nVendor reputation and industry standing: Reputation is valuable but does not guarantee alignment with specific security and risk management needs of the organization.","tr":"","tag":"","catIndex":99},{"id":"s1-q104","set":1,"number":104,"q":"Which consideration should an information security manager prioritize when evaluating the integration of new security technologies into an existing program?","options":[{"l":"A","text":"Alignment with current security policies and frameworks","correct":true},{"l":"B","text":"Compatibility with existing systems and infrastructure","correct":false},{"l":"C","text":"The technology's cost-effectiveness relative to its features","correct":false},{"l":"D","text":"Potential for scalability and future-proofing","correct":false}],"correct":"A","userPrev":"A","wrongPrev":false,"en":"The Correct Answer:\nAlignment with current security policies and frameworks: The importance of this option lies in the need to ensure that any new security technology is in harmony with the organization's existing security policies and frameworks. As these policies are the foundation of an organization's security posture, ensuring alignment prevents conflicts and helps maintain compliance with established guidelines and practices. This approach also supports the organization's governance and risk management strategies by making sure that new technologies enhance, rather than disrupt, existing security measures. By doing this, organizations will also be able to look at existing security controls and ensure they still meet the same standards that new technology being implemented has to meet.\nThe Incorrect Answers:\nCompatibility with existing systems and infrastructure: While it is essential for new technology to work with current systems, this consideration is more tactical and technical. It should not overshadow strategic considerations like policy alignment. Focusing solely on compatibility may lead to overlooking critical governance and policy-related issues.\nPotential for scalability and future-proofing: Although scalability is important for the longevity and adaptability of a security technology, prioritizing it without ensuring alignment with security policies could introduce risks. Scalability does not address the holistic integration of the new technology into the current governance framework.\nThe technology's cost-effectiveness relative to its features: Cost-effectiveness is a significant concern, yet it should not be prioritized at the expense of governance and policy alignment. A technology might be cost-effective, but if it does not align with an organization's security framework, it may lead to increased risks and challenges in maintaining regulatory compliance.","tr":"","tag":"","catIndex":99},{"id":"s1-q107","set":1,"number":107,"q":"Which consideration is most critical when developing a framework for identifying information assets within an enterprise?","options":[{"l":"A","text":"Ensuring scalability to accommodate future technological advancements","correct":false},{"l":"B","text":"Developing automated tools for real-time asset monitoring and identification","correct":false},{"l":"C","text":"Establishing a central repository for asset visibility and control","correct":false},{"l":"D","text":"Incorporating stakeholder input to understand asset valuation","correct":true}],"correct":"D","userPrev":"D","wrongPrev":false,"en":"The Correct Answer:\nIncorporating stakeholder input to understand asset valuation: Stakeholder input is pivotal to understanding the true value and criticality of information assets to business operations.\nThe Incorrect Answers:\nEstablishing a central repository for asset visibility and control: Though important for management, it doesn’t directly assess asset valuation.\nEnsuring scalability to accommodate future technological advancements: Scalability impacts framework design but not immediate asset valuation and identification.\nDeveloping automated tools for real-time asset monitoring and identification: While beneficial for ongoing management, the initial critical factor is understanding the business value of assets.","tr":"","tag":"","catIndex":99},{"id":"s1-q108","set":1,"number":108,"q":"What is the MOST important criterion to consider when selecting security controls for a global organization with diverse regulatory requirements?","options":[{"l":"A","text":"Alignment with the organization's existing infrastructure","correct":false},{"l":"B","text":"Comprehensive coverage of all identified threats and vulnerabilities","correct":false},{"l":"C","text":"Compliance with local and international legal obligations","correct":true},{"l":"D","text":"Cost-effectiveness in terms of implementation and maintenance","correct":false}],"correct":"C","userPrev":"C","wrongPrev":false,"en":"The Correct Answer:\nCompliance with local and international legal obligations: Ensuring that security controls meet regulatory requirements is crucial to avoid legal penalties and maintain operations in different jurisdictions.\nThe Incorrect Answers:\nAlignment with the organization's existing infrastructure: While compatibility is important, it should not override legal compliance, which is mandatory.\nComprehensive coverage of all identified threats and vulnerabilities: Comprehensive threat coverage is necessary, but without legal compliance, the organization risks legal repercussions.\nCost-effectiveness in terms of implementation and maintenance: Cost considerations are significant, but they should not compromise adherence to legal obligations.","tr":"","tag":"","catIndex":99},{"id":"s1-q112","set":1,"number":112,"q":"What is the primary consideration for information security management when structuring compliance reporting within an organization?","options":[{"l":"A","text":"Aligning reporting metrics with executive-level decision-making and business objectives","correct":true},{"l":"B","text":"Ensuring that reports are formatted to meet both internal standards and auditor preferences","correct":false},{"l":"C","text":"Prioritizing the integration of industry-standard benchmarks and guidelines in reports","correct":false},{"l":"D","text":"Focusing on enhancing the detail and frequency of reporting to cover all security aspects","correct":false}],"correct":"A","userPrev":"A","wrongPrev":false,"en":"The Correct Answer:\nAligning reporting metrics with executive-level decision-making and business objectives: Effective compliance reporting should support executive management in making informed decisions and ensure alignment with the organization's strategic goals. With effective compliance reporting, organizations will also understand where they may be failing and what risks could be most important to the business specifically.\nThe Incorrect Answers:\nEnsuring that reports are formatted to meet both internal standards and auditor preferences: While important, formatting to meet external standards does not directly impact the strategic alignment or decision-making needs of the organization.\nPrioritizing the integration of industry-standard benchmarks and guidelines in reports: Although industry benchmarks can guide compliance, the primary focus should be on how reports support the organization's strategic objectives.\nFocusing on enhancing the detail and frequency of reporting to cover all security aspects: Overly detailed reports may overwhelm stakeholders, detracting from key insights needed for decision-making.","tr":"","tag":"","catIndex":99},{"id":"s1-q113","set":1,"number":113,"q":"In the context of a risk assessment, what is the most important characteristic of a risk that a security manager should prioritize?","options":[{"l":"A","text":"Ease of mitigation","correct":false},{"l":"B","text":"Likelihood of occurrence","correct":false},{"l":"C","text":"Cost of mitigation","correct":false},{"l":"D","text":"Impact on business objectives","correct":true}],"correct":"D","userPrev":"D","wrongPrev":false,"en":"The Correct Answer:\nImpact on business objectives: Prioritizing risks based on their potential impact on business objectives is crucial, as risks that significantly hinder business goals can have severe repercussions. Even if a risk has a lower likelihood, its high impact warrants prioritizing measures to address it. Focusing on business objectives ensures that risk management aligns with organizational priorities and strategic goals.\nThe Incorrect Answers:\nLikelihood of occurrence: While likelihood is an important factor, it should be evaluated alongside impact.\nRisks with low likelihood but high impact can still be top priorities.\nSolely focusing on likelihood might lead to overlooking severe risks.\nEase of mitigation: While ease of mitigation is relevant, prioritizing based solely on it could lead to addressing low-impact risks at the expense of more critical ones.\nComplex but impactful risks should often be prioritized over easily mitigated low-impact risks.\nCost of mitigation: Although cost management is vital, basing prioritization primarily on cost can lead to neglecting high-impact threats that require resource-intensive solutions.\nCost should be balanced with impact to ensure effective risk management within fiscal constraints.","tr":"","tag":"","catIndex":99},{"id":"s1-q115","set":1,"number":115,"q":"When a multinational organization is evaluating Cloud Service Providers (CSPs), what should be the key consideration to ensure compliance with international data protection regulations?","options":[{"l":"A","text":"Assessing the provider's capability to support data localization requirements","correct":false},{"l":"B","text":"Ensuring the provider has a globally distributed data center network","correct":false},{"l":"C","text":"Verifying the provider’s certifications and compliance with international standards","correct":true},{"l":"D","text":"Selecting a provider with a comprehensive service level agreement (SLA)","correct":false}],"correct":"C","userPrev":"C","wrongPrev":false,"en":"The Correct Answer:\nVerifying the provider’s certifications and compliance with international standards: Verifying that the cloud service provider is certified and in compliance with international standards (like ISO 27001, SOC 2, etc.) is crucial. This ensures that their security practices are recognized globally and align with international data protection regulations. Certifications provide assurance that the provider adheres to industry best practices and can effectively manage the security and privacy of data across different jurisdictions.\nThe Incorrect Answers:\nSelecting a provider with a comprehensive service level agreement (SLA): While a detailed SLA is important for defining service quality and performance expectations, it does not inherently guarantee compliance with international data protection regulations. An SLA focuses on service metrics rather than regulatory compliance.\nEnsuring the provider has a globally distributed data center network: Although a globally distributed network can support performance and redundancy, it doesn't address compliance. In fact, having data in multiple locations could complicate compliance with certain regional data protection laws if those locations are not appropriately regulated.\nAssessing the provider's capability to support data localization requirements: While data localization is important for compliance with specific regional laws, focusing solely on localization does not ensure compliance with all international data protection regulations. Comprehensive compliance involves more than just data localization; it also encompasses data handling practices and protection measures.","tr":"","tag":"","catIndex":99},{"id":"s1-q116","set":1,"number":116,"q":"How can security architecture best support compliance with emerging regulatory requirements?","options":[{"l":"A","text":"Embedding compliance into the architectural design process","correct":true},{"l":"B","text":"Establishing a responsive team for incident management","correct":false},{"l":"C","text":"Focusing on continuous integration of security updates","correct":false},{"l":"D","text":"Implementing a proactive monitoring and alerting system","correct":false}],"correct":"A","userPrev":"B","wrongPrev":true,"en":"The Correct Answer:\nEmbedding compliance into the architectural design process: Incorporating regulatory requirements at the design stage ensures the architecture remains compliant despite evolving regulations.\nThe Incorrect Answers:\nFocusing on continuous integration of security updates: This ensures current threats are mitigated but doesn’t inherently address compliance requirements.\nEstablishing a responsive team for incident management: Essential for incident response, but not directly linked to compliance with ongoing regulatory changes.\nImplementing a proactive monitoring and alerting system: While it aids in detecting issues, it does not ensure architectural compliance with new regulations.","tr":"Mimari uyumu nasıl DESTEKLER → uyumu tasarıma GÖM (compliance-by-design). IR ekibi (senin şıkkın) olaydan SONRA devreye girer; mimarinin regülasyonla uyumunu sağlamaz.","tag":"Architecture","catIndex":7},{"id":"s1-q118","set":1,"number":118,"q":"In the context of ensuring compliance with regulatory standards, what should be the primary focus of an information security manager when establishing a compliance governance framework?","options":[{"l":"A","text":"Integrating compliance governance into existing risk management processes","correct":true},{"l":"B","text":"Creating a dedicated compliance team within information security","correct":false},{"l":"C","text":"Prioritizing compliance reminders to all staff through regular communications","correct":false},{"l":"D","text":"Allocating resources to compliance-related tools and technologies","correct":false}],"correct":"A","userPrev":"A","wrongPrev":false,"en":"The Correct Answer:\nIntegrating compliance governance into existing risk management processes: This ensures that compliance efforts are aligned with risk management, facilitating a cohesive approach to both risk and compliance.\nThe Incorrect Answers:\nAllocating resources to compliance-related tools and technologies: While useful, resources are best allocated once an integrated process framework is established.\nCreating a dedicated compliance team within information security: A team may be beneficial but should not take precedence over integrated governance frameworks.\nPrioritizing compliance reminders to all staff through regular communications: Communication is important, but integrating compliance into risk management processes is more critical.","tr":"","tag":"","catIndex":99},{"id":"s1-q123","set":1,"number":123,"q":"In managing external service relationships, what is the most crucial action to demonstrate due care in ongoing operations?","options":[{"l":"A","text":"Establishing real-time monitoring for data access and transfers","correct":false},{"l":"B","text":"Implementing comprehensive non-disclosure agreements with all parties","correct":false},{"l":"C","text":"Conducting regular security reviews and audits of third-party services","correct":true},{"l":"D","text":"Mandating annual financial audits of the service provider","correct":false}],"correct":"C","userPrev":"C","wrongPrev":false,"en":"The Correct Answer:\nConducting regular security reviews and audits of third-party services: Regular reviews and audits ensure that the third-party services continually meet security requirements, demonstrating due care in managing external risks.\nThe Incorrect Answers:\nMandating annual financial audits of the service provider: Financial audits focus on financial viability, not directly on security issues or threats related to due care.\nEstablishing real-time monitoring for data access and transfers: Real-time monitoring is important but is a step within broader security oversight and not solely adequate for demonstrating due care.\nImplementing comprehensive non-disclosure agreements with all parties: While essential for confidentiality, NDAs do not encompass the full scope of due care required to manage third-party risks.","tr":"","tag":"","catIndex":99},{"id":"s1-q124","set":1,"number":124,"q":"When integrating regulatory compliance into the information security governance framework, what should be the primary focus for a security manager?","options":[{"l":"A","text":"Embedding compliance controls into the security risk assessment process","correct":true},{"l":"B","text":"Ensuring compliance metrics are reflected in executive reporting","correct":false},{"l":"C","text":"Designing an incident response process tailored to regulatory breaches","correct":false},{"l":"D","text":"Aligning security metrics with organizational business goals","correct":false}],"correct":"A","userPrev":"D","wrongPrev":true,"en":"The Correct Answer:\nEmbedding compliance controls into the security risk assessment process: Integrating compliance into risk assessments ensures that compliance requirements are considered during the evaluation of security risks.\nThe Incorrect Answers:\nAligning security metrics with organizational business goals: While important for overall governance, this does not directly incorporate compliance into security practices.\nEnsuring compliance metrics are reflected in executive reporting: While reporting is necessary, it does not integrate compliance directly into the security processes.\nDesigning an incident response process tailored to regulatory breaches: Although critical, this action does not incorporate compliance into the overall governance structure.","tr":"Regülasyonu yönetişime GÖMME → uyum kontrollerini RİSK DEĞERLENDİRME sürecine göm (uyum böylece sürekli yönetilir). Metriği hedeflerle hizalamak (senin şıkkın) ayrı bir konudur.","tag":"Compliance","catIndex":8},{"id":"s1-q131","set":1,"number":131,"q":"When implementing a Bring Your Own Device (BYOD) policy, what is the most crucial risk mitigation step that should be taken first?","options":[{"l":"A","text":"Defining a clear BYOD policy with acceptable use guidelines","correct":true},{"l":"B","text":"Conducting an employee awareness and training program","correct":false},{"l":"C","text":"Establishing a procedure for incident response specific to BYOD","correct":false},{"l":"D","text":"Deploying mobile device management (MDM) software","correct":false}],"correct":"A","userPrev":"A","wrongPrev":false,"en":"The Correct Answer:\nDefining a clear BYOD policy with acceptable use guidelines: The first step in mitigating risks associated with a BYOD policy is to define clear policies that include guidelines for acceptable use, security requirements, and privacy expectations. A well-documented policy serves as the foundation for further technological and procedural controls.\nThe Incorrect Answers:\nDeploying mobile device management (MDM) software: While MDM solutions are essential for managing mobile security, they should be implemented after the policy is established.\nThe policy informs the configuration and management of MDM solutions.\nConducting an employee awareness and training program: Training is important and should follow once policies are established.\nIt ensures employees understand and adhere to the BYOD policy but cannot exist without an underlying policy framework.\nEstablishing a procedure for incident response specific to BYOD: Incident response procedures are critical; however, they need to be built upon the baseline of established policies and usage guidelines.\nWithout specific policies, incident response may lack clear direction.","tr":"","tag":"","catIndex":99},{"id":"s1-q135","set":1,"number":135,"q":"Which consideration should be MOST prioritized when developing incident response procedures for a global organization?","options":[{"l":"A","text":"Clearly defining jurisdictional legal requirements across different regions","correct":true},{"l":"B","text":"Incorporating lessons learned from past incidents into the procedure design","correct":false},{"l":"C","text":"Ensuring alignment with the organization's strategic objectives","correct":false},{"l":"D","text":"Designing procedures flexible enough to adapt to various incident types","correct":false}],"correct":"A","userPrev":"A","wrongPrev":false,"en":"The Correct Answer:\nClearly defining jurisdictional legal requirements across different regions: This is the best choice when developing incident response procedures for a global organization. Legal and regulatory compliance is crucial in maintaining a company's operations without facing legal penalties. Different regions have diverse laws concerning data protection, breach notification, and privacy, and failing to comply with these can lead to severe consequences. Therefore, clearly understanding and defining the various jurisdictional legal requirements ensures that the organization remains compliant and can effectively manage incidents on a global scale. While the other options are important when creating an incident response plan, legal requirements must be met to avoid being penalized and should serve as guidance towards fulfilling the needs of the other options while creating a plan. Legal requirements should take the greatest precedence and is the only option that when met, can incorporate the other options with it.\nThe Incorrect Answers:\nEnsuring alignment with the organization's strategic objectives: While alignment with strategic objectives is important, it should not be the primary focus when developing incident response procedures. Strategic alignment enhances cohesion and direction, but without adhering to jurisdictional legal requirements, the organization might incur legal penalties and operational setbacks.\nIncorporating lessons learned from past incidents into the procedure design: Learning from past incidents is a beneficial practice that contributes to continuous improvement of incident response processes. However, it should not take precedence over understanding legal requirements which dictate mandatory compliance and are foundational for effective incident management across multiple regions.\nDesigning procedures flexible enough to adapt to various incident types: Flexibility in incident response procedures is valuable for addressing various threats efficiently. However, this consideration should be secondary to ensuring they comply with legal requirements which can have more significant repercussions if neglected, especially in a global context where laws can vary widely.","tr":"","tag":"","catIndex":99},{"id":"s1-q136","set":1,"number":136,"q":"To improve the accuracy of an organization's asset inventory, information security managers should prioritize which action?","options":[{"l":"A","text":"Updating the inventory based on the frequency of asset utilization audits","correct":false},{"l":"B","text":"Classifying assets based on potential impact to operational continuity","correct":false},{"l":"C","text":"Implementing automated discovery tools to monitor network-connected assets","correct":false},{"l":"D","text":"Involving stakeholders from all business units in the inventory process","correct":true}],"correct":"D","userPrev":"D","wrongPrev":false,"en":"The Correct Answer:\nInvolving stakeholders from all business units in the inventory process: Including diverse stakeholders ensures comprehensive identification and classification of assets based on their unique business contexts and impacts.\nThe Incorrect Answers:\nUpdating the inventory based on the frequency of asset utilization audits: While ensuring updates are regular is good practice, stakeholder involvement captures a more complete asset base.\nImplementing automated discovery tools to monitor network-connected assets: Automation aids in accuracy, but human insights from diverse departments are crucial for comprehensive coverage.\nClassifying assets based on potential impact to operational continuity: Important for classification, but it does not capture all necessary data for inventory accuracy without stakeholder engagement.","tr":"","tag":"","catIndex":99},{"id":"s1-q141","set":1,"number":141,"q":"Which consideration is most crucial when developing a framework for identifying and classifying information assets in a global organization?","options":[{"l":"A","text":"Allocating sufficient resources for continuous monitoring and updating of asset lists","correct":false},{"l":"B","text":"Implementing a standardized classification schema across all departments","correct":false},{"l":"C","text":"Integrating business impact analysis to determine asset criticality and value","correct":false},{"l":"D","text":"Ensuring alignment with local data protection regulations in every relevant jurisdiction","correct":true}],"correct":"D","userPrev":"C","wrongPrev":true,"en":"The Correct Answer:\nEnsuring alignment with local data protection regulations in every relevant jurisdiction: This is the most crucial consideration because data protection regulations can vary significantly across different countries and regions. Compliance with local laws is essential to avoid legal penalties and ensure proper handling of data. Aligning with local regulations helps manage global compliance risks effectively, which is a priority for an IT Security Manager or CISO. It addresses legal obligations, which take precedence over other considerations when they conflict, according to the ruleset.\nThe Incorrect Answers:\nIntegrating business impact analysis to determine asset criticality and value: While understanding the criticality and value of information assets through business impact analysis is important, it is not as immediately crucial as legal compliance. Business impact analysis offers valuable insights for prioritizing security efforts but does not directly address legal and regulatory obligations, which are more pressing in a global context.\nImplementing a standardized classification schema across all departments: A standardized classification schema helps in maintaining consistency but may not address jurisdiction-specific requirements and legal compliance issues. While beneficial for organizational alignment and efficiency, it lacks the critical focus on adhering to diverse local data protection laws which could result in significant legal risk if neglected.\nAllocating sufficient resources for continuous monitoring and updating of asset lists: Continuously monitoring and updating asset lists is vital for maintaining an accurate understanding of assets over time. However, it does not inherently address the legal complexities involved with differing regulatory requirements across jurisdictions. While resource allocation is beneficial for operational effectiveness, it does not hold the same immediate criticality as ensuring compliance with local data protection regulations in a global organization context.","tr":"Global org’da varlık sınıflama ÇERÇEVESİ → her yargı bölgesinde yerel veri koruma regülasyonu. BIA (senin şıkkın) kritikliği ölçer ama global sınıflamada yasal uyum önce gelir. ‘global/every jurisdiction’ kancası = legal.","tag":"Legal (multinational)","catIndex":1},{"id":"s1-q143","set":1,"number":143,"q":"When an organization experiences repeated security breaches, what should be the immediate focus of the information security manager?","options":[{"l":"A","text":"Conducting a comprehensive risk assessment","correct":true},{"l":"B","text":"Implementing advanced monitoring solutions","correct":false},{"l":"C","text":"Revising incident response procedures","correct":false},{"l":"D","text":"Improving employee security training","correct":false}],"correct":"A","userPrev":"C","wrongPrev":true,"en":"The Correct Answer:\nConducting a comprehensive risk assessment: Identifying underlying risk factors in security breaches is crucial. The assessment helps determine vulnerabilities, threat vectors, and current control weaknesses. This thorough understanding enables effective resolution strategies, highlighting missing or malfunctioning controls, and directly addressing the root causes of breach incidents.\nThe Incorrect Answers:\nRevising incident response procedures: While important, revising response protocols doesn’t address the root causes of breaches.\nIt’s more important to first identify these causes through risk assessments, ensuring the response framework can address them effectively.\nImplementing advanced monitoring solutions: Improved monitoring might detect incidents sooner but doesn’t proactively prevent breaches.\nMonitoring should build on insights from a risk assessment, which guides where to focus additional resources and defines what to monitor.\nImproving employee security training: Training addresses some risks, specifically human errors, but might not significantly mitigate technical vulnerabilities or systemic flaws causing repeated breaches.\nRisk assessments inform which areas to prioritize in training based on identified vulnerabilities and risks.","tr":"TEKRARLAYAN ihlaller → önce kapsamlı risk değerlendirmesi (neden tekrarlıyor?). IR prosedürünü revize etmek (senin şıkkın) kök nedeni bulmadan yapılan yamadır; tekrar = kök neden ara.","tag":"Assess-first","catIndex":2},{"id":"s1-q144","set":1,"number":144,"q":"Which action should a security manager prioritize to ensure that an information security program aligns with regulatory compliance requirements?","options":[{"l":"A","text":"Regularly updating security policies to reflect best practices regardless of compliance mandates","correct":false},{"l":"B","text":"Conducting a comprehensive gap analysis between existing controls and regulatory requirements","correct":true},{"l":"C","text":"Establishing a communication plan that includes compliance training for all employees","correct":false},{"l":"D","text":"Implementing encryption for all organizational data irrespective of regulatory stipulations","correct":false}],"correct":"B","userPrev":"B","wrongPrev":false,"en":"The Correct Answer:\nConducting a comprehensive gap analysis between existing controls and regulatory requirements: Identifying gaps ensures that all compliance requirements are understood and addressed, aligning the security program with legal mandates.\nThe Incorrect Answers:\nRegularly updating security policies to reflect best practices regardless of compliance mandates: Best practices enhance security but may not fully address specific compliance requirements.\nEstablishing a communication plan that includes compliance training for all employees: While important, training alone does not ensure compliance unless it addresses identified gaps.\nImplementing encryption for all organizational data irrespective of regulatory stipulations: Encryption is beneficial but must be contextually appropriate to the specific regulatory requirements faced by the organization.","tr":"","tag":"","catIndex":99},{"id":"s1-q145","set":1,"number":145,"q":"An organization is preparing to launch a new customer-facing application. To manage the risks associated with this launch, what should the security manager prioritize?","options":[{"l":"A","text":"Implementing robust encryption mechanisms for sensitive data","correct":false},{"l":"B","text":"Assigning responsibility for security to the application developers","correct":false},{"l":"C","text":"Creating a detailed incident response plan for potential breaches","correct":false},{"l":"D","text":"Conducting a threat modeling exercise during the development phase","correct":true}],"correct":"D","userPrev":"D","wrongPrev":false,"en":"The Correct Answer:\nConducting a threat modeling exercise during the development phase: Threat modeling helps identify potential security threats and vulnerabilities early in the application development process. This proactive measure allows the organization to address security issues before they manifest, effectively reducing the risk surface. By prioritizing threat modeling, the security manager ensures that the application's design considers and mitigates potential security issues well before they reach the production environment.\nThe Incorrect Answers:\nImplementing robust encryption mechanisms for sensitive data: While encryption is critical for protecting sensitive data, it is just one component of a comprehensive security approach.\nIt should be identified and implemented as part of a wider process informed by threat modeling, not prioritized on its own without context.\nAssigning responsibility for security to the application developers: Developers play a crucial role in ensuring security, but just assigning responsibility without structured guidance, such as threat modeling and regular oversight, may lead to inconsistent security practices.\nCreating a detailed incident response plan for potential breaches: Incident response planning is necessary for addressing breaches, but it is a reactive measure.\nPrioritizing proactive controls like threat modeling provides a foundation for the incident response plan to be more targeted.","tr":"","tag":"","catIndex":99},{"id":"s1-q148","set":1,"number":148,"q":"When establishing guidelines for data protection, what should an information security manager prioritize to best support the organization's overarching policy framework?","options":[{"l":"A","text":"Focus on core principles rather than detailed procedures","correct":true},{"l":"B","text":"Inclusion of specific vendor-based technology solutions","correct":false},{"l":"C","text":"Emphasis on rigid enforcement mechanisms","correct":false},{"l":"D","text":"Flexibility to accommodate frequent technology updates","correct":false}],"correct":"A","userPrev":"D","wrongPrev":true,"en":"The Correct Answer:\nFocus on core principles rather than detailed procedures: Guidelines should concentrate on overarching principles to provide consistent direction while allowing flexibility for adaptation within policies and procedures.\nThe Incorrect Answers:\nFlexibility to accommodate frequent technology updates: While adaptation is important, guidelines should prioritize principle consistency over reacting to every technology change.\nInclusion of specific vendor-based technology solutions: Guidelines should remain vendor-neutral, focusing on strategic objectives rather than specific technologies.\nEmphasis on rigid enforcement mechanisms: Guidelines are intended to guide decision-making and behaviors, not dictate enforcement, which is more a function of policies and procedures.","tr":"Veri koruma KILAVUZUNDA → detaylı prosedür yerine TEMEL İLKELERE odaklan (kalıcı, teknolojiden bağımsız). “Teknoloji güncellemelerine esneklik” (senin şıkkın) prosedür-odaklı düşünmenin tuzağı; ilkeler eskimez.","tag":"Policy design","catIndex":10},{"id":"s2-q3","set":2,"number":3,"q":"In implementing security controls within a multinational corporation, what factor is MOST IMPORTANT to ensure the controls are effective across all geographical regions?","options":[{"l":"A","text":"Guaranteeing that controls are technologically advanced and cutting-edge","correct":false},{"l":"B","text":"Implementing uniform controls with centralized oversight","correct":false},{"l":"C","text":"Adhering to the strictest regulatory standards globally","correct":false},{"l":"D","text":"Customizing controls to meet local legal and cultural differences","correct":true}],"correct":"D","userPrev":"D","wrongPrev":false,"en":"The Correct Answer:\nCustomizing controls to meet local legal and cultural differences: Ensuring controls are tailored to address local variations is crucial for effectiveness, acknowledging that regulatory and cultural differences can significantly impact security control implementation.\nThe Incorrect Answers:\nAdhering to the strictest regulatory standards globally: Applying the strictest standards may result in over-complex controls that do not address local nuances effectively.\nImplementing uniform controls with centralized oversight: Centralized controls may overlook regional needs and specific challenges unique to each location.\nGuaranteeing that controls are technologically advanced and cutting-edge: While technology is key, focusing solely on advanced solutions may not adapt to regulatory and cultural requirements effectively.","tr":"","tag":"","catIndex":99},{"id":"s2-q4","set":2,"number":4,"q":"How should an information security manager best address the conflict between organizational security policies and emerging business needs?","options":[{"l":"A","text":"Review and update the policies to integrate a flexible framework for future business needs","correct":true},{"l":"B","text":"Prioritize adapting the security policies to accommodate new business requirements","correct":false},{"l":"C","text":"Enforce existing policies strictly to maintain a uniform security standard","correct":false},{"l":"D","text":"Balance policy enforcement with exceptions for business-critical activities","correct":false}],"correct":"A","userPrev":"D","wrongPrev":true,"en":"The Correct Answer:\nReview and update the policies to integrate a flexible framework for future business needs: Updating policies to create a balance between security controls and business agility ensures long-term compatibility with organizational growth.\nThe Incorrect Answers:\nPrioritize adapting the security policies to accommodate new business requirements: Adapting for immediate needs may overlook important security risks or strategic goals.\nEnforce existing policies strictly to maintain a uniform security standard: Rigid enforcement might impede essential business growth or innovation.\nBalance policy enforcement with exceptions for business-critical activities: While pragmatic, frequent exceptions may lead to inconsistencies and weaken security standards.","tr":"Politika-iş ihtiyacı ÇATIŞMASI → esnek, geleceğe dönük ÇERÇEVE kur (kalıcı çözüm). “İstisnalarla dengele” (senin şıkkın) anlık yamadır; çatışma tekrar eder.","tag":"Policy","catIndex":8},{"id":"s2-q5","set":2,"number":5,"q":"In establishing new information handling rules, what is the principal factor to prioritize to mitigate risk effectively?","options":[{"l":"A","text":"Educating employees on potential threats","correct":false},{"l":"B","text":"Streamlining procedures for operational efficiency","correct":false},{"l":"C","text":"Ensuring alignment with industry best practices","correct":false},{"l":"D","text":"Assessing the organization's unique risk environment","correct":true}],"correct":"D","userPrev":"A","wrongPrev":true,"en":"The Correct Answer:\nAssessing the organization's unique risk environment: Understanding the specific risks faced by the organization allows for tailored handling rules that effectively mitigate potential threats.\nThe Incorrect Answers:\nEnsuring alignment with industry best practices: While best practices are useful, they may not address specific organizational risks adequately.\nStreamlining procedures for operational efficiency: Efficiency is important, but it should not compromise risk management effectiveness.\nEducating employees on potential threats: Education is critical, but it should be based on the organization's specific risk environment to be most effective.","tr":"Yeni bilgi işleme kuralları + “riski etkili azalt” → önce kurumun kendine özgü RİSK ORTAMINI değerlendir. “Çalışanları eğit” hem eğitim çeldiricisi hem de risk bilinmeden verilemez.","tag":"Assess-first/Training","catIndex":2},{"id":"s2-q6","set":2,"number":6,"q":"When faced with overlapping regulatory requirements, which strategy should an information security manager prioritize to ensure efficient compliance management?","options":[{"l":"A","text":"Focusing on compliance with industry-specific regulations first","correct":false},{"l":"B","text":"Designing a flexible control framework adaptable to multiple regulations","correct":true},{"l":"C","text":"Prioritizing the most stringent regulation as the baseline for compliance","correct":false},{"l":"D","text":"Implementing a centralized system for managing all regulatory requirements","correct":false}],"correct":"B","userPrev":"A","wrongPrev":true,"en":"The Correct Answer:\nDesigning a flexible control framework adaptable to multiple regulations: This approach allows the organization to efficiently manage overlapping regulations by using a unified set of controls, avoiding duplication of efforts.\nThe Incorrect Answers:\nImplementing a centralized system for managing all regulatory requirements: Centralization aids in management but does not inherently ensure efficient or effective compliance across differing regulations.\nPrioritizing the most stringent regulation as the baseline for compliance: While this ensures coverage, it may lead to unnecessary strictness where not required, potentially increasing costs without added benefit.\nFocusing on compliance with industry-specific regulations first: This can be essential but may overlook broader regulations applicable across industries, causing gaps in compliance.","tr":"ÇAKIŞAN regülasyonlar → esnek, çoklu-regülasyona uyarlanır kontrol çerçevesi (bir kez kur, hepsini karşıla). Tek sektöre öncelik (senin şıkkın) dağınıklık ve boşluk yaratır.","tag":"Compliance","catIndex":8},{"id":"s2-q8","set":2,"number":8,"q":"Which factor must an information security manager prioritize first during a data categorization initiative to align with the strategic objectives of the organization?","options":[{"l":"A","text":"Evaluating the cost of data categorization initiatives against their benefits","correct":false},{"l":"B","text":"Ensuring compliance with industry-specific data protection standards","correct":true},{"l":"C","text":"Understanding the data flows within the organization's processes","correct":false},{"l":"D","text":"Assessing the impact of data loss on organizational reputation","correct":false}],"correct":"B","userPrev":"B","wrongPrev":false,"en":"The Correct Answer:\nEnsuring compliance with industry-specific data protection standards: Compliance is often the top priority as it directly impacts strategic objectives, helping maintain legal and industry requirements which can have costly repercussions if not adhered to.\nThe Incorrect Answers:\nAssessing the impact of data loss on organizational reputation: While reputation is important, it is an indirect consideration compared to the direct legal mandates of compliance.\nUnderstanding the data flows within the organization's processes: This is an operational concerns addressing how data is used, typically explored during later stages of process optimization rather than initial categorization.\nEvaluating the cost of data categorization initiatives against their benefits: Cost-benefit analysis is a strategic consideration but is typically secondary to ensuring compliance with mandatory data protection standards.","tr":"","tag":"","catIndex":99},{"id":"s2-q9","set":2,"number":9,"q":"When evaluating fourth-party risk, what is the most important consideration for an organization reliant on third-party services?","options":[{"l":"A","text":"The contractual obligations between the third party and fourth-party providers","correct":false},{"l":"B","text":"The alignment of fourth-party providers with the organization's security policies","correct":true},{"l":"C","text":"The cost efficiency of fourth-party services to the third party","correct":false},{"l":"D","text":"The ability of third-party vendors to evaluate their subcontractors","correct":false}],"correct":"B","userPrev":"B","wrongPrev":false,"en":"The Correct Answer:\nThe alignment of fourth-party providers with the organization's security policies: Ensuring that fourth-party providers align with the organization's security policies helps maintain a consistent security posture across the entire supply chain.\nThe Incorrect Answers:\nThe cost efficiency of fourth-party services to the third party: Cost efficiency is less important than ensuring security requirements are met.\nThe ability of third-party vendors to evaluate their subcontractors: While necessary, this relies heavily on the vendors’ own processes, which may not align with the organization's priorities.\nThe contractual obligations between the third party and fourth-party providers: Such obligations do not guarantee the fourth-party providers meet all security needs unless they specifically enforce alignment with your security policies.","tr":"","tag":"","catIndex":99},{"id":"s2-q10","set":2,"number":10,"q":"How should an information security manager prioritize applying security standards across a multinational organization?","options":[{"l":"A","text":"Ensure all regions comply uniformly with the strictest standard","correct":false},{"l":"B","text":"Tailor implementation to each region based on local regulations and risks","correct":true},{"l":"C","text":"Adopt a unified global approach based on headquarters' requirements","correct":false},{"l":"D","text":"Focus on high-risk regions first, applying standards incrementally","correct":false}],"correct":"B","userPrev":"B","wrongPrev":false,"en":"The Correct Answer:\nTailor implementation to each region based on local regulations and risks: This approach allows the organization to address specific legal requirements and risk landscapes effectively, ensuring compliance and realistic risk management.\nThe Incorrect Answers:\nEnsure all regions comply uniformly with the strictest standard: This may lead to unnecessary costs and complications, as different regions have unique compliance needs.\nAdopt a unified global approach based on headquarters' requirements: While simplifying management, it might overlook crucial regional legal mandates and specific risk factors.\nFocus on high-risk regions first, applying standards incrementally: While addressing immediate risks, it may delay comprehensive policy effectiveness and lead to compliance gaps in other regions.","tr":"","tag":"","catIndex":99},{"id":"s2-q19","set":2,"number":19,"q":"When designing a control implementation strategy, which approach ensures alignment with an organization's dynamic risk profile?","options":[{"l":"A","text":"Implement controls based on historical incidents and traditional risk assessments","correct":false},{"l":"B","text":"Adopt standardized controls mandated by industry regulations","correct":false},{"l":"C","text":"Select controls solely on cost-effectiveness and resource availability","correct":false},{"l":"D","text":"Design agile controls adaptable to real-time threat intelligence","correct":true}],"correct":"D","userPrev":"D","wrongPrev":false,"en":"The Correct Answer:\nDesign agile controls adaptable to real-time threat intelligence: This approach enables an organization to respond effectively to evolving threats, ensuring that controls are relevant to the current risk landscape.\nThe Incorrect Answers:\nImplement controls based on historical incidents and traditional risk assessments: This may leave the organization vulnerable to new threats not considered in past scenarios.\nAdopt standardized controls mandated by industry regulations: While important, regulatory controls may not address unique aspects of the organization's risk profile.\nSelect controls solely on cost-effectiveness and resource availability: This can lead to underestimating risks if crucial controls are deemed too costly and not implemented.","tr":"","tag":"","catIndex":99},{"id":"s2-q23","set":2,"number":23,"q":"Your organization is undergoing a digital transformation initiative, including the migration of critical systems to a cloud platform. As the information security manager, what is the most critical factor to consider to ensure data protection during this transition?","options":[{"l":"A","text":"Ensuring that the service-level agreements (SLAs) with the cloud provider include data protection clauses","correct":false},{"l":"B","text":"Training employees on the proper use of cloud resources","correct":false},{"l":"C","text":"Conducting a comprehensive risk assessment of the cloud platform's environment","correct":true},{"l":"D","text":"Implementing advanced encryption techniques for data stored in the cloud","correct":false}],"correct":"C","userPrev":"A","wrongPrev":true,"en":"The Correct Answer:\nConducting a comprehensive risk assessment of the cloud platform's environment: A risk assessment is essential to understand the specific threats and vulnerabilities associated with migrating to a cloud platform. It helps in identifying potential risks to data protection, such as unauthorized access, data breaches, and compliance issues. By conducting a thorough analysis, an organization can implement appropriate controls tailored to the identified risks, ensuring a more secure transition.\nThe Incorrect Answers:\nEnsuring that the service-level agreements (SLAs) with the cloud provider include data protection clauses: While including data protection clauses in SLAs is important, it addresses only contractual obligations and not the actual assessment of risk.\nWithout understanding the risks, SLAs may be inadequate in covering all data protection issues.\nImplementing advanced encryption techniques for data stored in the cloud: Although encryption is a crucial security control, it is just one part of a comprehensive data protection strategy.\nWithout a proper risk assessment, encryption alone may not address all potential security concerns, like access controls or the cloud provider's security posture.\nTraining employees on the proper use of cloud resources: Employee training is important for reducing human errors but does not directly address data protection during the transition to a cloud platform.\nWithout a risk assessment, training efforts may overlook specific threat vectors unique to the new environment.","tr":"Kritik sistemlerin buluta göçü + “most critical factor for data protection” → önce bulut ortamının kapsamlı risk değerlendirmesi. SLA maddesi (senin şıkkın) bir kontroldür; HANGİ kontrolün gerektiğini risk assessment belirler.","tag":"Assess-first (cloud)","catIndex":2},{"id":"s2-q29","set":2,"number":29,"q":"In a strategic context, what should be considered FIRST when developing a framework for control validation in an evolving threat landscape?","options":[{"l":"A","text":"Evaluating resource availability for implementing advanced validation techniques","correct":false},{"l":"B","text":"Incorporating historical incident data to identify recurring vulnerabilities","correct":false},{"l":"C","text":"Assessing compatibility with current security policies and procedures","correct":false},{"l":"D","text":"Aligning validation processes with the organization's risk tolerance and objectives","correct":true}],"correct":"D","userPrev":"B","wrongPrev":true,"en":"The Correct Answer:\nAligning validation processes with the organization's risk tolerance and objectives: Aligning validation with risk tolerance and organizational goals ensures that efforts focus on the most relevant threats and vulnerabilities, addressing strategic priorities.\nThe Incorrect Answers:\nIncorporating historical incident data to identify recurring vulnerabilities: While useful for context, historical data must be aligned with an overall strategic approach oriented by current risk tolerance and objectives.\nAssessing compatibility with current security policies and procedures: Compatibility is important, but the priority should be alignment with broader organizational strategy and risk appetite.\nEvaluating resource availability for implementing advanced validation techniques: Resource considerations are critical; however, the foundational alignment with strategic objectives and risk management principles takes precedence.","tr":"“Stratejik bağlam + FIRST” kontrol doğrulama çerçevesi → risk toleransı/hedeflerle hizalama. Geçmiş olay verisi (senin şıkkın) bir GİRDİdir; stratejik çerçeve önce hedefe göre kurulur.","tag":"Control/risk-tolerance","catIndex":7},{"id":"s2-q32","set":2,"number":32,"q":"To ensure that information security practices are aligned with both organizational objectives and regulatory compliance, which approach should be evaluated first?","options":[{"l":"A","text":"Harmonizing security objectives with business goals through stakeholder engagement","correct":true},{"l":"B","text":"Performing a comprehensive gap analysis between current practices and regulations","correct":false},{"l":"C","text":"Implementing security controls primarily driven by regulatory standards","correct":false},{"l":"D","text":"Continuously monitoring regulatory updates and adapting policies accordingly","correct":false}],"correct":"A","userPrev":"B","wrongPrev":true,"en":"The Correct Answer:\nHarmonizing security objectives with business goals through stakeholder engagement: Aligning security objectives with business goals ensures regulatory compliance efforts are in sync with organizational priorities, promoting both compliance and business success.\nThe Incorrect Answers:\nContinuously monitoring regulatory updates and adapting policies accordingly: This maintains compliance over time but does not guarantee alignment with organizational objectives.\nImplementing security controls primarily driven by regulatory standards: Focusing only on controls for compliance can neglect broader organizational security needs beyond regulatory requirements.\nPerforming a comprehensive gap analysis between current practices and regulations: While crucial, this step addresses specific controls gaps rather than broader alignment with business objectives.","tr":"Kök “hem org hedefleri HEM regülasyon ile hizalı, hangisi FIRST” → önce paydaşlarla hedefleri harmanla. Gap analizi (senin şıkkın) teknik bir sonraki adımdır; ‘first’ insan/hedef hizasıyla başlar.","tag":"Business align","catIndex":0},{"id":"s2-q38","set":2,"number":38,"q":"What critical factor should an information security manager consider when developing a corporate incident response plan?","options":[{"l":"A","text":"The selection of appropriate security technologies","correct":false},{"l":"B","text":"Alignment with the organization’s business objectives","correct":true},{"l":"C","text":"Comprehensive training for all technical staff","correct":false},{"l":"D","text":"Outsourcing incident response to external experts","correct":false}],"correct":"B","userPrev":"D","wrongPrev":true,"en":"The Correct Answer:\nAlignment with the organization’s business objectives: An effective incident response plan must align with the overarching goals and risk appetite of the organization. This ensures that the response efforts support the protection of critical business functions and processes. By aligning the incident response plan with business objectives, security initiatives remain relevant and prioritized according to their potential impact on business operations.\nThe Incorrect Answers:\nThe selection of appropriate security technologies: While selecting appropriate technologies is part of supporting an incident response plan, it is not the critical factor.\nTechnology choices should be informed by a strategic alignment with business goals and risk management priorities, not the other way around.\nComprehensive training for all technical staff: Training is important for operational readiness, but the incident response plan's strategic effectiveness relies more on aligning with business objectives than solely on comprehensive training.\nWhile necessary, training is a component of operationalizing the plan, not its guiding principle.\nOutsourcing incident response to external experts: Outsourcing can provide expertise, but it is not a critical factor in plan development.\nThe decision to outsource should follow the strategic determination of the organization's goals and capacities in incident response management.\nThe plan should primarily reflect internal objectives and needs before considering external options.","tr":"Kurumsal IR planında KRİTİK FAKTÖR → planın iş hedeflerini koruması (business objectives). “Dış kaynağa ver” sadece bir uygulama tercihidir, kritik faktör değil; üstelik sorumluluğu dışarı atmak yönetici refleksi değildir.","tag":"Business align","catIndex":0},{"id":"s2-q44","set":2,"number":44,"q":"When evaluating potential vendors for implementing an Intrusion Detection System (IDS), which aspect should be prioritized FIRST to ensure effective incident response capabilities?","options":[{"l":"A","text":"The vendor's service level agreements (SLAs) for support and updates","correct":true},{"l":"B","text":"The interoperability of the IDS with the organization's existing tools","correct":false},{"l":"C","text":"The speed of deployment offered by the vendor's solution","correct":false},{"l":"D","text":"The vendor's experience with organizations of a similar size","correct":false}],"correct":"A","userPrev":"A","wrongPrev":false,"en":"The Correct Answer:\nThe vendor's service level agreements (SLAs) for support and updates: Prioritizing SLAs ensures consistent support and timely updates, which are crucial for maintaining effective incident response capabilities.\nThe Incorrect Answers:\nThe speed of deployment offered by the vendor's solution: Rapid deployment is beneficial but not the most important factor for ensuring effective incident response.\nThe vendor's experience with organizations of a similar size: While relevant for understanding context, it does not directly impact incident response capabilities.\nThe interoperability of the IDS with the organization's existing tools: Interoperability is important but secondary to ensuring that support and updates are provided effectively for incident response.","tr":"","tag":"","catIndex":99},{"id":"s2-q45","set":2,"number":45,"q":"When classifying information assets, what factor should be considered first to ensure assets align with organizational security objectives?","options":[{"l":"A","text":"Existing technical vulnerabilities associated with the asset","correct":false},{"l":"B","text":"Alignment to strategic business goals and operations","correct":true},{"l":"C","text":"Compliance with relevant legal and regulatory requirements","correct":false},{"l":"D","text":"Potential financial impact of asset loss","correct":false}],"correct":"B","userPrev":"C","wrongPrev":true,"en":"The Correct Answer:\nAlignment to strategic business goals and operations: Classifying assets based on their relevance to strategic objectives ensures the security practices support and protect critical business functions.\nThe Incorrect Answers:\nPotential financial impact of asset loss: Financial impact is crucial but should follow the determination of strategic relevance, which is foundational to security priorities.\nCompliance with relevant legal and regulatory requirements: Compliance is critical; however, aligning assets to strategic goals ensures a broader and integrated security approach beyond regulatory needs.\nExisting technical vulnerabilities associated with the asset: Vulnerability assessment is important for risk management, but it should be conducted once the asset's strategic importance is established.","tr":"Soru kökü “align with organizational SECURITY OBJECTIVES” diyor — burada çok-uluslu/regülasyon kancası YOK. Kök “objectives” dediğinde cevap iş hedefleriyle hizalayan şıktır. Legal seçmen tam aşırı-düzeltme örneği: “multinational” görmeden legal’a atladın.","tag":"Business vs Legal","catIndex":0},{"id":"s2-q49","set":2,"number":49,"q":"To enhance the effectiveness of vendor management practices, an information security manager wants to implement proactive measures. Which measure would BEST address potential risks associated with external service providers?","options":[{"l":"A","text":"Requiring continuous security training for vendor personnel","correct":false},{"l":"B","text":"Establishing a predefined incident response plan for vendor-related breaches","correct":false},{"l":"C","text":"Conducting regular security audits and assessments on all vendors","correct":true},{"l":"D","text":"Implementing strict access controls and monitoring vendor access","correct":false}],"correct":"C","userPrev":"C","wrongPrev":false,"en":"The Correct Answer:\nConducting regular security audits and assessments on all vendors: Regular audits and assessments help identify and mitigate potential risks before they materialize, ensuring ongoing vendor security alignment.\nThe Incorrect Answers:\nEstablishing a predefined incident response plan for vendor-related breaches: While important, incident response plans are reactive measures and do not proactively address or prevent risks.\nImplementing strict access controls and monitoring vendor access: Access controls are vital but must be part of a broader risk-based framework informed by regular assessments to be effective.\nRequiring continuous security training for vendor personnel: Training is beneficial for awareness, but it doesn't directly address specific vendor risks; it should complement regular audits and assessments.","tr":"","tag":"","catIndex":99},{"id":"s2-q50","set":2,"number":50,"q":"When faced with a security incident involving data exfiltration, what is the most critical immediate action to take?","options":[{"l":"A","text":"Improve security controls to prevent future incidents","correct":false},{"l":"B","text":"Conduct a forensic analysis to understand the breach","correct":false},{"l":"C","text":"Notify affected stakeholders and data subjects","correct":false},{"l":"D","text":"Contain the breach to prevent further data loss","correct":true}],"correct":"D","userPrev":"D","wrongPrev":false,"en":"The Correct Answer:\nContain the breach to prevent further data loss: The immediate priority during a data exfiltration incident is to contain the breach to minimize its impact and prevent any additional data loss. This step is crucial as it aims to isolate the affected systems and stop the exfiltration process, limiting the breach's scope before addressing other aspects such as notification and analysis. Containment efforts may include disconnecting affected systems from the network or implementing network segmentation.\nThe Incorrect Answers:\nNotify affected stakeholders and data subjects: While notifying stakeholders is essential, it is not the first immediate action during an incident.\nThe primary focus should be on containment to prevent further damage.\nNotification should follow once the breach is under control and its impact assessed, ensuring that the information communicated is accurate and complete.\nConduct a forensic analysis to understand the breach: Forensic analysis is crucial for identifying the root causes and affected data, but it should occur after or concurrently with containment.\nImmediate efforts must focus on preventing further losses rather than understanding the breach details, which can be deduced once the threat is neutralized.\nImprove security controls to prevent future incidents: While implementing stronger security controls is a critical part of post-incident management to prevent recurrence, it is not an immediate action.\nIt should follow containment, investigation, and recovery efforts.\nThe priority during an active incident is to mitigate ongoing risks rather than making changes that could disrupt the response efforts.","tr":"","tag":"","catIndex":99},{"id":"s2-q55","set":2,"number":55,"q":"What approach should a security manager take FIRST to ensure ongoing adherence to updated regulatory compliance requirements within a security program?","options":[{"l":"A","text":"Performing continuous regulation-specific threat assessments and adjustments","correct":false},{"l":"B","text":"Developing new compliance policies that emphasize penalties for non-compliance","correct":false},{"l":"C","text":"Coordinating with legal advisors to interpret regulatory changes accurately","correct":true},{"l":"D","text":"Implementing a compliance audit schedule based on the criticality of controls","correct":false}],"correct":"C","userPrev":"C","wrongPrev":false,"en":"The Correct Answer:\nCoordinating with legal advisors to interpret regulatory changes accurately: Legal experts provide the necessary understanding of regulatory changes, ensuring the security program updates comply with legal requirements.\nThe Incorrect Answers:\nDeveloping new compliance policies that emphasize penalties for non-compliance: Policies should be more about guidance and prevention rather than just penalties, and understanding the requirements first is essential.\nPerforming continuous regulation-specific threat assessments and adjustments: While important, conducting threat assessments without understanding regulatory changes first may result in misalignment.\nImplementing a compliance audit schedule based on the criticality of controls: Establishing audit schedules is important, but interpreting and understanding regulatory changes should come first to guide audit focus.","tr":"","tag":"","catIndex":99},{"id":"s2-q57","set":2,"number":57,"q":"A financial institution is introducing a new mobile application for its customers. Which action should be prioritized during the early stages of app development to ensure data protection?","options":[{"l":"A","text":"Develop a customer data retention policy","correct":false},{"l":"B","text":"Conduct a privacy impact assessment","correct":true},{"l":"C","text":"Incorporate end-to-end encryption for all data transmissions","correct":false},{"l":"D","text":"Ensure compliance with data protection regulations","correct":false}],"correct":"B","userPrev":"D","wrongPrev":true,"en":"The Correct Answer:\nConduct a privacy impact assessment: Performing a privacy impact assessment (PIA) early in the development phase ensures that privacy risks are identified and mitigated from the outset. This process helps to shape app design and development in a way that prioritizes data protection and addresses regulatory requirements, ultimately reducing the risk of later costly modifications or non-compliance issues.\nThe Incorrect Answers:\nIncorporate end-to-end encryption for all data transmissions: While important for securing data in transit, encryption is a specific technical solution that should be informed by a comprehensive understanding of privacy impacts.\nA PIA would identify precisely when and how encryption should be used.\nEnsure compliance with data protection regulations: While ensuring regulatory compliance is crucial, the PIA informs the compliance strategy by highlighting data protection issues specific to the app.\nCompliance efforts can then be appropriately tailored.\nDevelop a customer data retention policy: Creating a data retention policy is necessary, but should be based on insights gained from a PIA, which informs how data should be handled throughout the app lifecycle to meet privacy and protection standards.","tr":"Yeni mobil uygulama + müşteri verisi, ERKEN aşama → gizlilik risklerini ortaya çıkarmak için Privacy Impact Assessment. “Regülasyona uyum sağla” bir SONUÇTUR; hangi gizlilik risklerinin olduğunu önce PIA belirler. PIA, compliance’ın aracıdır.","tag":"PIA","catIndex":3},{"id":"s2-q58","set":2,"number":58,"q":"What is the most strategic consideration when classifying information assets based on confidentiality levels in a multi-national corporation?","options":[{"l":"A","text":"Sensitivity of data concerning the global threat landscape","correct":false},{"l":"B","text":"Consistency across all regional offices to ensure uniformity","correct":false},{"l":"C","text":"Alignment with the corporation's global data protection policy","correct":false},{"l":"D","text":"Variation in local legal requirements and cultural sensitivities","correct":true}],"correct":"D","userPrev":"B","wrongPrev":true,"en":"The Correct Answer:\nVariation in local legal requirements and cultural sensitivities: This option highlights the need to respect and comply with different local laws and cultural norms that may affect how information is classified regarding confidentiality. In a multinational corporation, legal and regulatory compliance is crucial because discrepancies can lead to legal challenges, fines, or reputational damage. Considering local variations ensures the corporation adheres to all applicable laws while respecting the cultural context, which is a strategic priority.\nThe Incorrect Answers:\nConsistency across all regional offices to ensure uniformity: While uniformity is valuable, it may be unrealistic and legally perilous in a multinational context where regional offices must comply with specific local laws. Prioritizing uniformity over compliance could lead to violations of local regulations, which are more pressing in this context.\nSensitivity of data concerning the global threat landscape: While understanding the global threat landscape is essential for data protection, it doesn't address the strategic need to classify data in line with distinct legal obligations and cultural considerations across different regions, which could have more immediate legal repercussions.\nAlignment with the corporation's global data protection policy: While aligning with a global data protection policy is vital, such a policy must be flexible enough to accommodate local legal and cultural differences. Giving precedence to local variation over a rigid global policy is more strategically sound.","tr":"Çok-uluslu gizlilik sınıflaması → yerel yasal + kültürel FARKLILIK. Senin seçtiğin ‘consistency/uniformity’ mutlak-dil tuzağıdır (Kural 6): tek-tip yaklaşım yerel hukuku ihlal eder.","tag":"Legal (multinational)","catIndex":1},{"id":"s2-q64","set":2,"number":64,"q":"When integrating a newly acquired company, what should be the information security manager's first priority to secure the new IT environment?","options":[{"l":"A","text":"Conducting a thorough security audit of the acquired company","correct":true},{"l":"B","text":"Deploying immediate security controls on critical assets","correct":false},{"l":"C","text":"Training the acquired company’s employees on security best practices","correct":false},{"l":"D","text":"Aligning security policies and procedures with the parent company","correct":false}],"correct":"A","userPrev":"A","wrongPrev":false,"en":"The Correct Answer:\nConducting a thorough security audit of the acquired company: The first step in securing a newly acquired IT environment is a comprehensive security audit. This audit identifies current security postures, vulnerabilities, and compliance gaps. The insights gained are essential for developing an integration plan that aligns security measures with organizational standards and objectives, ensuring seamless and secure integration.\nThe Incorrect Answers:\nAligning security policies and procedures with the parent company: While alignment is crucial, it should occur after assessing the acquired company’s current security posture.\nAn audit provides the necessary information to adjust and implement aligned policies effectively.\nDeploying immediate security controls on critical assets: Deploying controls without first understanding the current security state might overlook existing vulnerabilities or create redundancies.\nAn initial audit ensures that controls are both appropriate and strategic.\nTraining the acquired company’s employees on security best practices: Training is essential for long-term security, but initial efforts should focus on understanding and addressing current vulnerabilities to establish a solid foundation for secure operations.","tr":"","tag":"","catIndex":99},{"id":"s2-q66","set":2,"number":66,"q":"What should be the primary focus for an information security manager when integrating cloud services into a traditional IT environment?","options":[{"l":"A","text":"Developing a comprehensive cloud exit strategy in case of vendor failure","correct":false},{"l":"B","text":"Assessing and managing the configurations of cloud security controls","correct":false},{"l":"C","text":"Evaluating the legal and regulatory implications of cloud data storage","correct":false},{"l":"D","text":"Ensuring that cloud service providers adhere to organizational security policies","correct":true}],"correct":"D","userPrev":"D","wrongPrev":false,"en":"The correct answer: Ensuring that cloud service providers adhere to organizational security policies. When integrating cloud services into a traditional IT environment, the primary focus should be maintaining consistent security standards across both environments. The information security manager must ensure that the cloud provider’s controls, processes, and technologies meet the organization’s existing security policies and governance framework. This alignment minimizes gaps, prevents inconsistent protections, and maintains compliance with internal security requirements during integration. The incorrect answers: Evaluating the legal and regulatory implications of cloud data storage: Important, but this evaluation typically happens before integration begins. At the integration stage, the focus shifts to enforcing internal security requirements rather than identifying external legal obligations. Developing a comprehensive cloud exit strategy in case of vendor failure: Necessary for long-term risk management, but not the immediate focus during integration. It addresses potential future risks rather than ensuring secure implementation in the present. Assessing and managing the configurations of cloud security controls: A vital technical step that follows policy alignment. Cloud configurations should be based on established organizational policies and standards, which must first be verified and enforced with the provider.","tr":"","tag":"","catIndex":99},{"id":"s2-q67","set":2,"number":67,"q":"What is the most effective way to ensure continuous alignment of the information security program with business objectives?","options":[{"l":"A","text":"Schedule annual reviews of security policies and procedures","correct":false},{"l":"B","text":"Implement key performance indicators tied to business goals","correct":true},{"l":"C","text":"Conduct regular risk assessments to identify new threats","correct":false},{"l":"D","text":"Establish a dedicated team for information security governance","correct":false}],"correct":"B","userPrev":"B","wrongPrev":false,"en":"The Correct Answer:\nImplement key performance indicators tied to business goals: The most effective way to ensure continuous alignment with business objectives is to establish key performance indicators (KPIs) that directly relate to those objectives. This approach allows organizations to continuously measure the effectiveness of their information security program in terms of its contribution to business goals. By tying security metrics to business outcomes, organizations can ensure that resources are allocated effectively and that security efforts support overall business success.\nThe Incorrect Answers:\nConduct regular risk assessments to identify new threats: While important for maintaining security posture, regular risk assessments focus primarily on identifying and mitigating threats rather than aligning security efforts with business objectives.\nWithout the context of business goals, risk assessments alone may not ensure alignment.\nEstablish a dedicated team for information security governance: Having a dedicated team can help manage security governance but does not necessarily ensure alignment with business objectives.\nThe team must incorporate business goals into their processes, which having KPIs can directly facilitate.\nSchedule annual reviews of security policies and procedures: Annual reviews are essential for keeping policies up-to-date, but they are not frequent or detailed enough to ensure continuous alignment with evolving business objectives.\nMore dynamic and consistent alignment mechanisms, like KPIs, better support ongoing alignment throughout the year.","tr":"","tag":"","catIndex":99},{"id":"s2-q70","set":2,"number":70,"q":"What is the most critical consideration when aligning an organization's information security program with industry standards to ensure compliance with regulatory requirements?","options":[{"l":"A","text":"Ensuring that information security policies are updated to reflect the latest industry standards","correct":false},{"l":"B","text":"Maintaining a balance between security measures and operational efficiency","correct":false},{"l":"C","text":"Establishing robust documentation and auditing processes to verify compliance","correct":true},{"l":"D","text":"Developing a comprehensive risk assessment strategy tailored to specific industry threats","correct":false}],"correct":"C","userPrev":"A","wrongPrev":true,"en":"The Correct Answer:\nEstablishing robust documentation and auditing processes to verify compliance: Regulatory compliance requires clear evidence of adherence to standards, making documentation and auditing vital for proving compliance and identifying gaps.\nThe Incorrect Answers:\nDeveloping a comprehensive risk assessment strategy tailored to specific industry threats: While crucial for understanding risks, risk assessments do not directly ensure compliance with regulatory requirements.\nEnsuring that information security policies are updated to reflect the latest industry standards: Although important, policy updates alone do not provide documentation or proof of regulatory compliance.\nMaintaining a balance between security measures and operational efficiency: This is important for overall security effectiveness, but it does not directly address regulatory compliance mandates.","tr":"Uyumu DOĞRULAMAK → sağlam dokümantasyon + denetim süreçleri (kanıt üretir). Politikayı en son standartlara güncellemek (senin şıkkın) uyumu doğrulamaz, sadece hedefler.","tag":"Compliance","catIndex":8},{"id":"s2-q74","set":2,"number":74,"q":"When updating security architecture, what is the MOST important factor for ensuring its effectiveness in the face of evolving threats?","options":[{"l":"A","text":"Investing in cutting-edge cybersecurity tools","correct":false},{"l":"B","text":"Regularly reviewing and updating architectural principles","correct":true},{"l":"C","text":"Conducting quarterly vulnerability assessments","correct":false},{"l":"D","text":"Enhancing perimeter defenses beyond industry standards","correct":false}],"correct":"B","userPrev":"B","wrongPrev":false,"en":"The Correct Answer:\nRegularly reviewing and updating architectural principles: The continuous evolution of security architecture principles ensures adaptability and effectiveness against evolving threats.\nThe Incorrect Answers:\nInvesting in cutting-edge cybersecurity tools: These tools help but without updated principles guiding their integration, they may not offer optimum effectiveness.\nConducting quarterly vulnerability assessments: Valuable for pinpointing vulnerabilities, but not as comprehensive as addressing architectural principles.\nEnhancing perimeter defenses beyond industry standards: While beneficial, perimeter defenses alone do not ensure overall architectural effectiveness against all threat vectors.","tr":"","tag":"","catIndex":99},{"id":"s2-q84","set":2,"number":84,"q":"An organization is planning a significant shift to cloud-based services to enhance scalability and flexibility. As part of this transition, what is the most critical initial step to ensure effective information security management?","options":[{"l":"A","text":"Conducting a comprehensive risk assessment aligned with cloud migration","correct":true},{"l":"B","text":"Negotiating strong service level agreements (SLAs) with cloud providers","correct":false},{"l":"C","text":"Developing a cloud-specific incident response plan","correct":false},{"l":"D","text":"Implementing encryption for all data stored in the cloud","correct":false}],"correct":"A","userPrev":"A","wrongPrev":false,"en":"The Correct Answer:\nConducting a comprehensive risk assessment aligned with cloud migration: The most critical initial step in transitioning to cloud-based services is understanding the risks associated with this move. A risk assessment helps identify potential vulnerabilities and threats unique to the cloud environment. It provides insight into areas that require enhanced security measures and influences decisions such as choosing a cloud provider and determining appropriate controls. Without this foundational step, other actions like developing incident response plans or negotiating SLAs may not address the right risks.\nThe Incorrect Answers:\nDeveloping a cloud-specific incident response plan: While necessary, creating an incident response plan specific to cloud environments is secondary.\nIt should be based on risks identified in the initial assessment.\nRisk assessment informs the incidents most likely to occur and the response strategies that will be effective in a cloud setting.\nImplementing encryption for all data stored in the cloud: Encrypting data is an important security control, but it should be dictated by the risks identified in the assessment.\nEncryption alone does not guarantee comprehensive security; understanding and mitigating the broader landscape of risks is crucial before selecting specific controls.\nNegotiating strong service level agreements (SLAs) with cloud providers: SLAs ensure that expectations concerning performance and security are clear, but they depend on a thorough understanding of organizational needs and risks.\nA risk assessment informs these needs and ensures SLA terms effectively mitigate potential risks involved in cloud services.","tr":"","tag":"","catIndex":99},{"id":"s2-q86","set":2,"number":86,"q":"What is the most critical consideration for an information security manager when deploying new security controls in a multinational organization?","options":[{"l":"A","text":"Cultural differences in security perceptions across different regions","correct":false},{"l":"B","text":"Alignment of controls with the organization’s strategic objectives","correct":false},{"l":"C","text":"Technical compatibility of new controls with existing systems","correct":false},{"l":"D","text":"Ensuring the controls meet global regulatory requirements","correct":true}],"correct":"D","userPrev":"A","wrongPrev":true,"en":"The Correct Answer:\nEnsuring the controls meet global regulatory requirements: In a multinational organization, compliance with global regulatory requirements is critical. Different regions can have varying laws and regulations concerning data protection, privacy, and information security. An information security manager must ensure that new controls meet these diverse legislative requirements to avoid penalties and legal issues. This approach aligns with your roles priorities around compliance and mitigating legal liabilities.\nThe Incorrect Answers:\nCultural differences in security perceptions across different regions: While considering cultural differences can aid in the implementation and adoption of security controls, it is not the primary concern when deploying them. The primary focus should be on compliance and regulations, as failing to meet these can have more immediate and severe consequences than cultural misalignments.\nAlignment of controls with the organization’s strategic objectives: Aligning controls with strategic objectives is important for ensuring that security initiatives support broader business goals. However, regulatory compliance typically takes precedence over strategic alignment since non-compliance can lead to significant legal challenges and financial penalties, outweighing strategic considerations.\nTechnical compatibility of new controls with existing systems: Ensuring technical compatibility is necessary to achieve seamless integration and functionality, but it is secondary to meeting regulatory requirements. Compliance remains a higher priority due to the potential risks and ramifications of regulatory violations, which can impact the organization at a global level.","tr":"Çok-uluslu KONTROL dağıtımında en kritik → global regülatif gereklilikler. Kültürel farklar (senin şıkkın) ilginç ama yasal zorunluluk her zaman kazanır; regülasyona uymayan kontrol geçersizdir.","tag":"Legal (multinational)","catIndex":1},{"id":"s2-q90","set":2,"number":90,"q":"How can an information security manager best utilize COBIT to align IT processes with organizational objectives?","options":[{"l":"A","text":"Utilize COBIT to evaluate the efficiency of existing security technologies","correct":false},{"l":"B","text":"Employ COBIT to benchmark against industry-specific practices","correct":false},{"l":"C","text":"Define key performance indicators based on COBIT’s maturity models","correct":true},{"l":"D","text":"Map COBIT processes directly to regulatory requirements","correct":false}],"correct":"C","userPrev":"C","wrongPrev":false,"en":"The Correct Answer:\nDefine key performance indicators based on COBIT’s maturity models: COBIT provides a framework for aligning IT processes with organizational goals through maturity models, which help in setting and measuring performance indicators effectively.\nThe Incorrect Answers:\nMap COBIT processes directly to regulatory requirements: Although COBIT can aid in aligning IT with compliance needs, directly mapping processes might overlook alignment with broader organizational objectives.\nUtilize COBIT to evaluate the efficiency of existing security technologies: Evaluating technology efficiency with COBIT is possible, but the framework is primarily for governance and alignment.\nEmploy COBIT to benchmark against industry-specific practices: While useful, COBIT’s main advantage is not industry-specific benchmarking but alignment with organizational strategy and goals.","tr":"","tag":"","catIndex":99},{"id":"s2-q91","set":2,"number":91,"q":"An organization is developing a new information security policy to address emerging threats. What should be the primary consideration to ensure effective policy implementation?","options":[{"l":"A","text":"Comprehensive employee training programs","correct":false},{"l":"B","text":"Incorporation of the latest security technologies","correct":false},{"l":"C","text":"Benchmarking against industry standards","correct":false},{"l":"D","text":"Alignment with existing business objectives","correct":true}],"correct":"D","userPrev":"D","wrongPrev":false,"en":"The Correct Answer:\nAlignment with existing business objectives: The primary consideration for effective policy implementation is ensuring that the policy aligns with the organization’s business objectives. This alignment ensures that the policy is relevant and supported by senior management, increasing the likelihood of successful implementation. When policies are seen as supporting business goals, they are more likely to receive the necessary resources and buy-in from all levels of the organization.\nThe Incorrect Answers:\nIncorporation of the latest security technologies: While using the latest technologies can enhance security, it is not the primary consideration for policy implementation.\nTechnology should support the policy, but successful implementation depends more on strategic alignment with business objectives.\nComprehensive employee training programs: Training is crucial for policy effectiveness, but it is a supporting activity rather than the primary consideration.\nTraining ensures that employees understand and can comply with policies, but the policy itself must first be aligned with business objectives.\nBenchmarking against industry standards: Although benchmarking is useful for ensuring best practices, it should not be the primary consideration for implementation.\nThese standards may not fully address the unique objectives and risk landscape of an organization, whereas alignment with business goals ensures that policies are directly relevant.","tr":"","tag":"","catIndex":99},{"id":"s2-q92","set":2,"number":92,"q":"When planning for incident response, what is the most critical factor for ensuring timely and effective response to security incidents?","options":[{"l":"A","text":"Well-documented incident response procedures","correct":false},{"l":"B","text":"Clear communication protocols within the incident response team","correct":false},{"l":"C","text":"Real-time monitoring and alerting systems","correct":false},{"l":"D","text":"Regular testing and exercising of the incident response plan","correct":true}],"correct":"D","userPrev":"B","wrongPrev":true,"en":"The Correct Answer:\nRegular testing and exercising of the incident response plan: Testing and exercises are crucial for ensuring an incident response plan's effectiveness. They identify gaps or weaknesses in procedures, familiarize the response team with their roles, and improve coordination. Regular testing ensures readiness and resilience during actual incidents by refining the plan based on lessons learned.\nThe Incorrect Answers:\nWell-documented incident response procedures: While vital for setting the framework and guidelines, documentation alone does not guarantee readiness.\nWithout practical application and testing, procedures may become outdated or impractical during a real incident.\nReal-time monitoring and alerting systems: These systems are crucial for detecting incidents promptly, but without an effective response plan that has been tested and honed, identifying issues quickly is of limited value.\nClear communication protocols within the incident response team: Clear communication is essential, but it relies heavily on established procedures and regular exercises for effectiveness during an incident.\nWithout testing and practice, communication protocols might not function as intended under pressure.","tr":"“Zamanında ve etkili müdahale” → planın DÜZENLİ TEST/tatbikatı. İletişim protokolü (senin şıkkın) planın parçasıdır ama test edilmemiş plan gerçek olayda çöker.","tag":"IR","catIndex":6},{"id":"s2-q96","set":2,"number":96,"q":"An organization recently experienced a data breach exposing sensitive customer information. To restore stakeholder confidence, what should be the information security manager’s first priority?","options":[{"l":"A","text":"Communicate the breach and ongoing efforts to stakeholders","correct":false},{"l":"B","text":"Evaluate and update data protection policies and procedures","correct":false},{"l":"C","text":"Enhance the incident response plan to prevent future breaches","correct":false},{"l":"D","text":"Conduct a comprehensive impact analysis of the data breach","correct":true}],"correct":"D","userPrev":"D","wrongPrev":false,"en":"The Correct Answer:\nConduct a comprehensive impact analysis of the data breach: To effectively manage a data breach, the information security manager must first understand the extent and impact of the breach. This involves assessing the scale of the compromise, identifying affected assets, and evaluating the potential damage to the business and stakeholders. Performing an impact analysis is critical as it provides the necessary context for developing a response strategy, informing stakeholders accurately, and prioritizing subsequent actions like policy updates or incident response enhancements.\nThe Incorrect Answers:\nEnhance the incident response plan to prevent future breaches: While improving the incident response plan is important, it should not be the immediate focus post-breach.\nWithout understanding the breach's impact, any enhancements may lack relevance or effectiveness.\nThe initial data from the impact analysis will guide how the incident response plan should be modified.\nCommunicate the breach and ongoing efforts to stakeholders: Transparent communication is crucial but should be informed by a thorough understanding of the breach's impact.\nPremature communication without complete information could lead to misinformation or a lack of confidence in the organization's management of the situation.\nAn impact analysis helps ensure that the communications are accurate and comprehensive.\nEvaluate and update data protection policies and procedures: Reviewing and updating data protection practices can help prevent future incidents, but like enhancing the incident response plan, these actions should be informed by the impact analysis.\nWithout understanding what went wrong and the scope of the breach, updates to policies and procedures may be misguided or insufficient.","tr":"","tag":"","catIndex":99},{"id":"s2-q101","set":2,"number":101,"q":"A company is in the process of implementing a new data classification scheme to enhance information security. What is the most critical factor to consider during this implementation to ensure its success and effectiveness?","options":[{"l":"A","text":"Integrating classification with existing technical controls","correct":false},{"l":"B","text":"Training employees on data handling practices","correct":false},{"l":"C","text":"Engaging business units in the classification process","correct":true},{"l":"D","text":"Identifying the sensitivity levels for data categories","correct":false}],"correct":"C","userPrev":"C","wrongPrev":false,"en":"The Correct Answer:\nEngaging business units in the classification process: To ensure the effectiveness of a data classification scheme, active participation from business units is crucial. Business units are directly involved with the data and understand its criticality and business impact. Their input is essential for correctly identifying data sensitivity, relevance, and appropriate handling requirements. By engaging them, the classification scheme is more likely to be comprehensive and accurately reflect the organization's information management needs.\nThe Incorrect Answers:\nIdentifying the sensitivity levels for data categories: While identifying sensitivity levels is important, it is a step within the classification process.\nWithout engaging business units, the sensitivity levels might not be aligned with actual business needs or risk expectations, potentially leading to ineffective classification.\nTraining employees on data handling practices: Training is crucial but comes after establishing a successful classification scheme.\nTraining on an improperly developed classification will be ineffective.\nFirst, the classification process must reflect accurate business requirements.\nIntegrating classification with existing technical controls: Integration is key for operationalizing classification, but if the classification does not accurately reflect the data's business value and sensitivity, integration efforts may not yield effective security benefits.\nBusiness unit involvement ensures that data is classified accurately before integration occurs.","tr":"","tag":"","catIndex":99},{"id":"s2-q102","set":2,"number":102,"q":"What is the MOST IMPORTANT consideration when selecting a security standard for a multinational organization?","options":[{"l":"A","text":"Alignment with global regulatory requirements","correct":true},{"l":"B","text":"Support from industry peers and competitors","correct":false},{"l":"C","text":"Comprehensive security control coverage","correct":false},{"l":"D","text":"Compatibility with existing internal processes","correct":false}],"correct":"A","userPrev":"A","wrongPrev":false,"en":"The Correct Answer:\nAlignment with global regulatory requirements: Ensuring compliance with international regulations is crucial for avoiding legal penalties and maintaining operations across multiple jurisdictions.\nThe Incorrect Answers:\nCompatibility with existing internal processes: While beneficial, it is secondary to ensuring regulatory compliance, which often dictates the selection of security frameworks.\nComprehensive security control coverage: Having extensive coverage is valuable, but aligning with legal and regulatory requirements takes precedence in a global context.\nSupport from industry peers and competitors: While beneficial for collaboration and influence, peer adoption should not overshadow the need for regulatory compliance.","tr":"","tag":"","catIndex":99},{"id":"s2-q104","set":2,"number":104,"q":"When developing an incident response plan, what is the most critical component to ensure rapid recovery from security incidents?","options":[{"l":"A","text":"Conducting penetration testing to evaluate vulnerabilities","correct":false},{"l":"B","text":"Defining roles and responsibilities within the response team","correct":true},{"l":"C","text":"Establishing a clear communication protocol","correct":false},{"l":"D","text":"Implementing automated logging and monitoring systems","correct":false}],"correct":"B","userPrev":"B","wrongPrev":false,"en":"The Correct Answer:\nDefining roles and responsibilities within the response team: Defining clear roles and responsibilities is crucial for efficient and effective incident response. It ensures that each team member knows their specific tasks and areas of responsibility during an incident, minimizing confusion and delays. This organizational clarity facilitates coordinated efforts, enabling rapid recovery and keeping the response process streamlined. Ultimately, having well-defined roles contributes to a more structured and effective incident response, addressing the incident quickly and minimizing impact.\nThe Incorrect Answers:\nEstablishing a clear communication protocol: While communication is essential during incident response, it is a component of an effective response plan rather than the most critical element. Without clearly defined roles, even well-structured communication can lead to confusion and misallocation of efforts. Prioritizing roles and responsibilities ensures that relevant and timely communication can flow appropriately in the context of coordinated response actions.\nConducting penetration testing to evaluate vulnerabilities: Penetration testing is a proactive security measure meant to identify and address vulnerabilities before an incident occurs. While valuable for preventing incidents, it does not directly contribute to recovery from active security incidents. The primary focus during an incident should be on effective response and management, not on testing defenses.\nImplementing automated logging and monitoring systems: Although logging and monitoring are crucial for detecting and understanding incidents, they do not directly contribute to the recovery process. Their role is more in the detection, analysis, and post-incident review phases. Recovery requires organized response efforts which are best facilitated by a well-structured team with defined roles and responsibilities.","tr":"","tag":"","catIndex":99},{"id":"s2-q105","set":2,"number":105,"q":"To effectively implement an advanced information security program, which factor is the most critical for ensuring the program aligns with organizational objectives?","options":[{"l":"A","text":"Fostering a continuous learning environment for security teams","correct":true},{"l":"B","text":"Developing detailed technical specifications for monitoring tools","correct":false},{"l":"C","text":"Establishing strict adherence to regulatory frameworks","correct":false},{"l":"D","text":"Ensuring adequate budget allocation for new technology initiatives","correct":false}],"correct":"A","userPrev":"C","wrongPrev":true,"en":"The Correct Answer:\nFostering a continuous learning environment for security teams: Continuous learning allows security experts to keep up with evolving threats and technologies, ensuring the program remains effective and aligned with organizational objectives.\nThe Incorrect Answers:\nEnsuring adequate budget allocation for new technology initiatives: While budget allocation is important, without the expertise to leverage these technologies, alignment with organizational objectives is not guaranteed.\nDeveloping detailed technical specifications for monitoring tools: Detailed specifications are useful, but without skilled personnel to interpret and act on data, they do not ensure alignment with broader goals.\nEstablishing strict adherence to regulatory frameworks: Compliance is necessary but does not guarantee alignment with internal objectives; expertise ensures both compliance and strategic alignment.","tr":"Kök “program organizasyonel hedeflerle hizalı” + ‘advanced program’ → sürekli öğrenen kültür (insan tarafı kalıcı hizayı sağlar). “Katı regülasyon uyumu” senin aşırı-düzeltme tuzağın; regülasyon programın amacı değil, sınırıdır.","tag":"Business/Culture","catIndex":0},{"id":"s2-q111","set":2,"number":111,"q":"A global retail company is planning to expand its online presence significantly. What should be the first step in developing a robust information security program to support this expansion?","options":[{"l":"A","text":"Implement advanced authentication mechanisms for user access","correct":false},{"l":"B","text":"Assess the cyber threat landscape specific to the retail sector","correct":false},{"l":"C","text":"Identify and categorize sensitive customer data collected online","correct":false},{"l":"D","text":"Align the information security program with business objectives","correct":true}],"correct":"D","userPrev":"C","wrongPrev":true,"en":"The Correct Answer:\nAlign the information security program with business objectives: Aligning the information security program with the company's business objectives ensures that security initiatives support the organization's growth and strategic goals. This alignment helps prioritize resources and focuses on security measures that enable business activities while managing risks effectively. It is crucial for developing a security program that complements the expansion efforts and secures the online presence in a manner that supports business growth.\nThe Incorrect Answers:\nIdentify and categorize sensitive customer data collected online: This is an important task for protecting customer data but should be done once the security program goals are aligned with business objectives.\nData classification can be guided more effectively when there is a clear understanding of what security must achieve from a business perspective.\nAssess the cyber threat landscape specific to the retail sector: Understanding the threat landscape is necessary to build a robust security posture, but it should be done after aligning the security program with business goals.\nThreat assessment helps tailor controls but must be prioritized by business-driven security objectives.\nImplement advanced authentication mechanisms for user access: Implementing authentication controls is a tactical decision that should follow strategic planning, where the security program's alignment with business objectives will guide the choice and implementation of such mechanisms.","tr":"Online genişleme + “ne önceliklendirilmeli” → programı iş hedefleriyle hizala (genişleme bir İŞ kararıdır). Veriyi kategorize etmek (senin şıkkın) doğru ama sonraki operasyonel adım; öncelik hizalama.","tag":"Business align","catIndex":0},{"id":"s2-q113","set":2,"number":113,"q":"A company wants to improve its incident detection capabilities. What is the most effective method to achieve this?","options":[{"l":"A","text":"Increasing the frequency of security audits and assessments","correct":false},{"l":"B","text":"Implementing a Security Information and Event Management (SIEM) system","correct":true},{"l":"C","text":"Conducting regular penetration testing exercises","correct":false},{"l":"D","text":"Hiring additional security analysts for 24/7 surveillance","correct":false}],"correct":"B","userPrev":"B","wrongPrev":false,"en":"The Correct Answer:\nImplementing a Security Information and Event Management (SIEM) system: A SIEM system enhances incident detection by aggregating data from various sources and using advanced analytics to identify potential threats in real time. It provides centralized visibility across the environment, enabling faster detection and prioritization of incidents, which is critical in improving overall incident response capabilities.\nThe Incorrect Answers:\nIncreasing the frequency of security audits and assessments: While useful for evaluating controls and identifying vulnerabilities, audits are periodic and not designed for real-time incident detection.\nA SIEM system provides ongoing monitoring, which is essential for timely detection.\nHiring additional security analysts for 24/7 surveillance: Although beneficial, manual monitoring is less efficient than automated systems like SIEM, which can process vast amounts of data rapidly and highlight patterns that might be missed by human analysts alone.\nConducting regular penetration testing exercises: Penetration testing identifies vulnerabilities but does not focus on detection capabilities.\nWhile testing improves security posture, it is not a continuous process and doesn't directly enhance real-time detection abilities.","tr":"","tag":"","catIndex":99},{"id":"s2-q114","set":2,"number":114,"q":"Considering the challenge of aligning information security policies with organizational goals, what should be the primary focus of an information security manager when revising the information security policy framework?","options":[{"l":"A","text":"Incorporating recent security incidents and lessons learned","correct":false},{"l":"B","text":"Gaining executive buy-in and approval for the policy changes","correct":true},{"l":"C","text":"Ensuring alignment with current industry best practices and standards","correct":false},{"l":"D","text":"Evaluating the impact of policy changes on business operations","correct":false}],"correct":"B","userPrev":"B","wrongPrev":false,"en":"The Correct Answer:\nGaining executive buy-in and approval for the policy changes: The primary focus should be on securing executive buy-in and approval for policy changes when revising the information security policy framework. Executive support is crucial for successful implementation since it ensures that the policies align with the organization's strategic goals and receive the necessary resources and attention. As IT security initiatives often require cross-departmental collaboration and budget allocations, having the backing of executive leadership is essential to resolve conflicts and prioritize security in line with business objectives. Moreover, executive buy-in plays a pivotal role in fostering an organizational culture that values security, thereby enhancing compliance and overall security posture.\nThe Incorrect Answers:\nEnsuring alignment with current industry best practices and standards: While it's important to align policies with industry standards, focusing solely on this aspect without executive support might jeopardize the implementation. Standards and best practices should guide the framework, but executive buy-in ensures resources and organizational alignment necessary for practical adoption.\nIncorporating recent security incidents and lessons learned: Although incorporating lessons from recent incidents enhances security policies by addressing specific vulnerabilities, it should not be the primary focus. Without executive approval and support, these insights may not translate into actionable policies or garner the necessary importance at the organizational level.\nEvaluating the impact of policy changes on business operations: Understanding the operational impact is essential to prevent disruptions; however, it should follow once executive buy-in is secured. Policies with executive backing will more likely receive comprehensive evaluation and adjustment to align with business operations, ensuring that security does not hinder productivity excessively.","tr":"","tag":"","catIndex":99},{"id":"s2-q117","set":2,"number":117,"q":"What is the primary challenge an information security manager faces when implementing an information security framework to achieve regulatory compliance?","options":[{"l":"A","text":"Aligning organizational objectives with security framework goals","correct":true},{"l":"B","text":"Integrating legacy systems into the new security framework","correct":false},{"l":"C","text":"Achieving stakeholder buy-in for security investments","correct":false},{"l":"D","text":"Balancing between framework flexibility and regulatory strictness","correct":false}],"correct":"A","userPrev":"D","wrongPrev":true,"en":"The Correct Answer:\nAligning organizational objectives with security framework goals: Aligning organizational objectives with security framework goals is the primary challenge because it involves ensuring that the framework not only complies with regulatory requirements but also supports the strategic objectives and culture of the organization. This requires a nuanced understanding of both the business goals and the security landscape, emphasizing governance and strategic alignment, which are core concepts for an IT Security Manager or CISO.\nThe Incorrect Answers:\nBalancing between framework flexibility and regulatory strictness: While maintaining flexibility within a regulatory framework is important, it is more of a technical challenge rather than a strategic one. The objective is to comply with regulations while adapting to business needs, but this doesn't encompass the broader challenge of aligning security goals with business objectives.\nAchieving stakeholder buy-in for security investments: Gaining stakeholder buy-in is crucial for implementing an information security framework, but it is not as fundamental as aligning the framework with organizational objectives. Without alignment, even with stakeholder support, the framework may not truly benefit the organization.\nIntegrating legacy systems into the new security framework: Integrating legacy systems is a significant technical challenge, often seen in implementing new frameworks. However, this is a tactical concern rather than a strategic challenge. The core issue remains ensuring that the security framework aligns with and supports the broader organizational goals.","tr":"Çerçeve uygulamada ASIL ZORLUK teknik değil, org hedeflerini çerçeve hedefleriyle hizalamaktır. Sen “regülatif katılık vs esneklik”e takıldın — bu da aşırı-düzeltme: soru ‘challenge’ diyor, cevap hizalama.","tag":"Business align","catIndex":0},{"id":"s2-q118","set":2,"number":118,"q":"Your organization is transitioning to a cloud-based infrastructure and is concerned about maintaining security. What is the best initial step to ensure compliance with regulatory requirements?","options":[{"l":"A","text":"Negotiate and establish a clear service level agreement (SLA) with the cloud provider","correct":false},{"l":"B","text":"Audit the cloud provider’s security controls annually","correct":false},{"l":"C","text":"Conduct a risk assessment to identify potential security gaps","correct":true},{"l":"D","text":"Train staff on the use and management of the new cloud environment","correct":false}],"correct":"C","userPrev":"B","wrongPrev":true,"en":"The Correct Answer:\nConduct a risk assessment to identify potential security gaps: Conducting a risk assessment is the best initial step when transitioning to a cloud-based infrastructure. It allows the organization to identify and understand potential security gaps and regulatory compliance issues relevant to the new environment. This assessment provides the foundational understanding necessary to make informed decisions about mitigating risks and ensuring compliance with regulatory requirements.\nThe Incorrect Answers:\nNegotiate and establish a clear service level agreement (SLA) with the cloud provider: While essential, this is better done after understanding the specific security needs and risks.\nAn SLA should reflect the outcomes of a risk assessment rather than precede it.\nTrain staff on the use and management of the new cloud environment: Staff training is crucial but comes after understanding security requirements and risks related to the cloud environment.\nWithout a risk assessment, training may not focus on the most pertinent security issues.\nAudit the cloud provider’s security controls annually: Auditing is a valuable ongoing process but does not serve as the initial step for ensuring compliance.\nIt’s based on an understanding of specific security requirements and risks identified in the risk assessment.","tr":"Buluta geçiş + “best INITIAL step” → risk değerlendirmesiyle güvenlik boşluklarını belirle. Yıllık audit (senin şıkkın) sürekli bir kontroldür, başlangıç adımı değil — daha neyi denetleyeceğini risk assessment söyler.","tag":"Assess-first (cloud)","catIndex":2},{"id":"s2-q119","set":2,"number":119,"q":"An information security manager needs to develop guidelines to address the risk of insider threats. Which consideration should take precedence to ensure effective implementation and adherence across the organization?","options":[{"l":"A","text":"Balancing comprehensive coverage with usability","correct":true},{"l":"B","text":"Providing detailed step-by-step processes for mitigation","correct":false},{"l":"C","text":"Incorporating the latest detection and monitoring technologies","correct":false},{"l":"D","text":"Ensuring alignment with competitive business strategies","correct":false}],"correct":"A","userPrev":"C","wrongPrev":true,"en":"The Correct Answer:\nBalancing comprehensive coverage with usability: Effective guidelines need to be thorough yet practical, ensuring they are adhered to without overwhelming users with complexity.\nThe Incorrect Answers:\nEnsuring alignment with competitive business strategies: While aligning with business goals is critical, guidelines should primarily address security concerns rather than competitive strategies.\nIncorporating the latest detection and monitoring technologies: Technology specifics should be covered in procedures; guidelines should focus on strategic risk management approaches, not technology specifics.\nProviding detailed step-by-step processes for mitigation: Such details belong to procedures, whereas guidelines should focus on high-level direction and principles.","tr":"İçeriden tehdit KILAVUZU + “benimsenme/adherence” → kapsam-KULLANILABİLİRLİK dengesi (kullanılmayan kılavuz işe yaramaz). En yeni tespit teknolojisi (senin şıkkın) kılavuzun konusu bile değil.","tag":"Adoption","catIndex":10},{"id":"s2-q122","set":2,"number":122,"q":"In prioritizing actions to fulfill due care requirements when utilizing external service providers, what should be considered most important for an information security manager?","options":[{"l":"A","text":"Regularly updating contracts to include new security clauses","correct":false},{"l":"B","text":"Implementing a mutual incident response plan with the provider","correct":false},{"l":"C","text":"Continuously monitoring the provider’s compliance with security policies","correct":true},{"l":"D","text":"Ensuring the external service provider aligns with the organization's culture","correct":false}],"correct":"C","userPrev":"C","wrongPrev":false,"en":"The Correct Answer:\nContinuously monitoring the provider’s compliance with security policies: Ongoing compliance monitoring ensures that the service provider maintains security standards and fulfills due care requirements over time.\nThe Incorrect Answers:\nRegularly updating contracts to include new security clauses: Contractual clauses are important but do not ensure ongoing compliance or security practice adherence.\nEnsuring the external service provider aligns with the organization's culture: Cultural alignment is secondary to ensuring that security policies and standards are consistently followed.\nImplementing a mutual incident response plan with the provider: An incident response plan is necessary but should be part of a broader, ongoing compliance strategy.","tr":"","tag":"","catIndex":99},{"id":"s2-q125","set":2,"number":125,"q":"Which factor should an information security manager prioritize FIRST when redesigning the security architecture to accommodate a new business initiative focusing on rapid digital transformation?","options":[{"l":"A","text":"Establishing a robust incident response plan for any digital disruptions","correct":false},{"l":"B","text":"Aligning security measures with business objectives from the outset","correct":true},{"l":"C","text":"Ensuring all tools are compatible with current legacy systems","correct":false},{"l":"D","text":"Evaluating how resiliency and redundancy will support business continuity","correct":false}],"correct":"B","userPrev":"B","wrongPrev":false,"en":"The Correct Answer:\nAligning security measures with business objectives from the outset: Ensuring that security measures are in harmony with business objectives from the start facilitates a smoother integration and supports strategic alignment.\nThe Incorrect Answers:\nEnsuring all tools are compatible with current legacy systems: Compatibility with legacy systems is important, but strategic alignment with business goals takes precedence to ensure overall success.\nEstablishing a robust incident response plan for any digital disruptions: While important, this is a reactive measure and does not align security with proactive security architecture redesign.\nEvaluating how resiliency and redundancy will support business continuity: This is crucial for long-term planning, but initial alignment with business objectives sets the foundation for architecture redesign.","tr":"","tag":"","catIndex":99},{"id":"s2-q126","set":2,"number":126,"q":"What is the most strategic method for an information security manager to ensure third-party compliance with new data protection regulations?","options":[{"l":"A","text":"Relying on external data protection assessments for validation","correct":false},{"l":"B","text":"Updating third-party service level agreements to reflect changes","correct":true},{"l":"C","text":"Mandating comprehensive self-assessments from third parties","correct":false},{"l":"D","text":"Implementing a shared compliance dashboard with third parties","correct":false}],"correct":"B","userPrev":"D","wrongPrev":true,"en":"The Correct Answer:\nUpdating third-party service level agreements to reflect changes: Reassessing and revising service level agreements to incorporate new data protection measures ensures that third parties are contractually obligated to adhere to updated compliance requirements.\nThe Incorrect Answers:\nMandating comprehensive self-assessments from third parties: While useful, self-assessments alone do not have legal binding power or accountability without updated contractual terms.\nRelying on external data protection assessments for validation: External validations can inform compliance status but do not replace the need for clear contractual specifications that bind third parties to compliance.\nImplementing a shared compliance dashboard with third parties: Although it can facilitate ongoing oversight, without formal contractual changes, a dashboard lacks enforceability concerning new regulatory obligations.","tr":"Yeni regülasyona 3. taraf uyumu için EN STRATEJİK → SLA’yı güncelle (sözleşmesel bağlayıcılık). Paylaşımlı dashboard (senin şıkkın) görünürlük verir ama uyumu ZORUNLU kılmaz.","tag":"3rd party","catIndex":9},{"id":"s2-q127","set":2,"number":127,"q":"To verify the effectiveness of implemented security controls, which method provides the most comprehensive assessment?","options":[{"l":"A","text":"Conducting regular internal audits with predefined checklists","correct":false},{"l":"B","text":"Automated security scanning tools","correct":false},{"l":"C","text":"Reviewing audit logs for past security incidents","correct":false},{"l":"D","text":"Penetration testing simulating advanced threat scenarios","correct":true}],"correct":"D","userPrev":"D","wrongPrev":false,"en":"The Correct Answer:\nPenetration testing simulating advanced threat scenarios: This approach provides a thorough examination of controls under real-world conditions, highlighting potential vulnerabilities and ensuring that controls are effective against skilled attackers.\nThe Incorrect Answers:\nAutomated security scanning tools: While useful for identifying known vulnerabilities, they do not emulate the creativity and persistence of human attackers.\nReviewing audit logs for past security incidents: This retrospective method identifies past issues but does not test current control effectiveness proactively.\nConducting regular internal audits with predefined checklists: Although systematic, this method may overlook novel or complex threats due to its structured nature and lack of adaptability to new threat landscapes.","tr":"","tag":"","catIndex":99},{"id":"s2-q128","set":2,"number":128,"q":"How should an information security manager prioritize investment in security architecture to align with an evolving threat landscape?","options":[{"l":"A","text":"Allocate resources to enhance the adaptability of current systems based on recent threats","correct":true},{"l":"B","text":"Invest in technologies that offer the broadest coverage against known threats","correct":false},{"l":"C","text":"Direct efforts towards integrating systems that demonstrate the highest performance in threat detection","correct":false},{"l":"D","text":"Focus on acquiring the latest security frameworks with comprehensive industry compliance capabilities","correct":false}],"correct":"A","userPrev":"C","wrongPrev":true,"en":"The Correct Answer:\nAllocate resources to enhance the adaptability of current systems based on recent threats: Prioritizing adaptability ensures that the security architecture can continually respond to new and evolving threats, maintaining resilience over time.\nThe Incorrect Answers:\nInvest in technologies that offer the broadest coverage against known threats: While broad coverage is beneficial, it may not directly address the adaptability required to respond to new and unforeseen threats.\nFocus on acquiring the latest security frameworks with comprehensive industry compliance capabilities: Compliance frameworks do not necessarily address adaptability to rapidly evolving threats.\nDirect efforts towards integrating systems that demonstrate the highest performance in threat detection: High-performance systems in detection do not ensure adaptability or preparedness for future, unknown threats.","tr":"“Değişen tehdit ortamı” → mevcut sistemlerin ADAPTASYON yeteneğini artır. En yüksek performanslı tek araç (senin şıkkın) statik kalır; evrilen tehdide uyum yeteneği daha stratejiktir.","tag":"Architecture","catIndex":7},{"id":"s2-q132","set":2,"number":132,"q":"When integrating ITIL's service management approach, what should be prioritized FIRST to enhance an organization's security posture?","options":[{"l":"A","text":"Establishing clear communication channels between IT and business units","correct":false},{"l":"B","text":"Defining security roles and responsibilities within the ITIL framework","correct":true},{"l":"C","text":"Aligning security processes with the service strategy stage","correct":false},{"l":"D","text":"Creating comprehensive documentation for ITIL processes","correct":false}],"correct":"B","userPrev":"C","wrongPrev":true,"en":"The Correct Answer:\nDefining security roles and responsibilities within the ITIL framework: Establishing clear security roles and responsibilities is crucial in enhancing an organization's security posture. By integrating these roles within the ITIL framework, it ensures that security is embedded at every stage of the IT service lifecycle. This approach aligns with the emphasis on governance and strategic decision-making, as it provides a foundation for accountability and clear delineation of duties, thereby reducing the risk of security incidents due to role ambiguity or conflicts.\nThe Incorrect Answers:\nEstablishing clear communication channels between IT and business units: While communication between IT and business units is important, without defined security roles and responsibilities, communication may lack direction and effectiveness. Role clarity ensures that communication is relevant and purposeful, rather than just procedural.\nAligning security processes with the service strategy stage: Although aligning security processes with the service strategy is vital for integrating security into the organization's long-term plans, it presupposes that security roles and responsibilities are already established. Without clear roles, alignment efforts might be superficial and lack actionable implementation.\nCreating comprehensive documentation for ITIL processes: Comprehensive documentation is important for clarity and consistency in process implementation. However, it should come after defining security roles and responsibilities, as it relies on the clear understanding of who is accountable for each process. Documentation without defined roles might result in ambiguity and inefficiency in applying security within ITIL processes.","tr":"ITIL entegrasyonunda FIRST → güvenlik ROL ve SORUMLULUKLARINI tanımla (yönetişim temeli). Servis stratejisi aşamasıyla hizalama (senin şıkkın) sonraki adımdır; önce kim-ne-yapar netleşir.","tag":"ITIL/Roles","catIndex":10},{"id":"s2-q133","set":2,"number":133,"q":"An organization has implemented new technologies to enhance data protection. What is the most critical action the Information Security Manager should take to ensure the technologies align with the organization's security policies?","options":[{"l":"A","text":"Conduct an immediate audit of the new technologies to ensure compliance.","correct":false},{"l":"B","text":"Assess the risk associated with the new technologies and their integration.","correct":true},{"l":"C","text":"Review and update the organization's security policies based on the new technologies.","correct":false},{"l":"D","text":"Ensure comprehensive training for all employees on the new technologies.","correct":false}],"correct":"B","userPrev":"B","wrongPrev":false,"en":"The Correct Answer:\nAssess the risk associated with the new technologies and their integration: The most critical action for the Information Security Manager is to assess the risk associated with the new technologies and their integration into the existing environment. Risk assessment helps identify any potential threats or vulnerabilities introduced by the new technologies, ensuring they align with the organization's security policies and risk appetite. This step is crucial before updating policies, conducting audits, or providing training, as it provides a baseline understanding of the security impact.\nThe Incorrect Answers:\nConduct an immediate audit of the new technologies to ensure compliance: While auditing is an important step, it is premature without first understanding the risk associated with the new technologies.\nAn audit should follow rather than precede risk assessment and policy alignment to ensure that compliance evaluations are based on a full understanding of potential risks.\nEnsure comprehensive training for all employees on the new technologies: Training is important for user awareness and adoption, but it should not be prioritized until the technologies are assessed for risk and properly aligned with security policies.\nTraining without understanding risks could lead to false confidence and potential security gaps.\nReview and update the organization's security policies based on the new technologies: Updating security policies is necessary, but it should be based on a comprehensive risk assessment.\nPolicies must be informed by the risks identified and understood through assessment to ensure they are relevant and effective in mitigating identified threats.","tr":"","tag":"","catIndex":99},{"id":"s2-q141","set":2,"number":141,"q":"Which metric provides the most strategic insight when evaluating the effectiveness of an organization's incident tracking system?","options":[{"l":"A","text":"Percentage of incidents resolved within SLA requirements","correct":false},{"l":"B","text":"Number of incidents detected over a specified period","correct":false},{"l":"C","text":"Average time taken to resolve each incident","correct":false},{"l":"D","text":"Trend analysis of incident recurrence rates over time","correct":true}],"correct":"D","userPrev":"A","wrongPrev":true,"en":"The Correct Answer:\nTrend analysis of incident recurrence rates over time: This metric provides strategic insight by revealing patterns and persistent vulnerabilities, enabling management to address underlying issues and improve long-term security posture.\nThe Incorrect Answers:\nNumber of incidents detected over a specified period: While informative, it does not provide strategic insight into the effectiveness of resolution processes or recurring issues.\nAverage time taken to resolve each incident: This can reflect efficiency but lacks a strategic perspective on long-term improvement.\nPercentage of incidents resolved within SLA requirements: Although important, meeting SLAs does not necessarily indicate resolution of root causes or strategic improvements.","tr":"“En STRATEJİK içgörü” → zaman içinde tekrarlama TREND analizi (kök sorun düzeliyor mu?). SLA içinde çözülen % (senin şıkkın) anlık/operasyoneldir; strateji trend ister.","tag":"Metrik","catIndex":5},{"id":"s2-q143","set":2,"number":143,"q":"An organization is considering transitioning its IT infrastructure to a cloud service provider. What is the most critical information security activity that must be undertaken before making this transition?","options":[{"l":"A","text":"Performing a risk assessment of the cloud service provider","correct":true},{"l":"B","text":"Conducting a vulnerability assessment of the current infrastructure","correct":false},{"l":"C","text":"Obtaining legal approval from the organization's counsel","correct":false},{"l":"D","text":"Developing a comprehensive incident response plan","correct":false}],"correct":"A","userPrev":"A","wrongPrev":false,"en":"The Correct Answer:\nPerforming a risk assessment of the cloud service provider: Before transitioning to a cloud service provider, it is crucial to perform a risk assessment to evaluate the security risks associated with the provider and their services. This assessment helps identify potential vulnerabilities and ensures that the provider's security measures align with the organization's risk tolerance and compliance requirements. Understanding these risks enables informed decision-making and helps ensure data protection once the transition is complete.\nThe Incorrect Answers:\nConducting a vulnerability assessment of the current infrastructure: While assessing the current infrastructure is important, it does not address the potential risks associated with transitioning to the cloud environment.\nA risk assessment of the cloud service provider is more critical at this stage.\nObtaining legal approval from the organization's counsel: Legal approval is important, but it does not directly assess the security risks related to the cloud transition.\nLegal counsel can provide advice on compliance and contractual matters, but a risk assessment ensures the provider's security posture is suitable.\nDeveloping a comprehensive incident response plan: An incident response plan is necessary, but it should be tailored to the environment being used.\nDeveloping this plan should follow the risk assessment, ensuring it addresses the identified risks of the cloud service provider specifically.","tr":"","tag":"","catIndex":99}]; | |
| const CATS = [{"title":"1 · Ana kavşak: Business ↔ Legal ↔ Assess (en çok buradan kaybediyorsun)","ids":["s2-q45","s1-q3","s2-q38","s1-q24","s2-q117","s2-q32","s2-q105","s2-q111","s1-q75","s1-q23"]},{"title":"2 · Legal / çok-uluslu (burada yasal kazanır)","ids":["s1-q43","s1-q141","s2-q86","s2-q58","s1-q56"]},{"title":"3 · Assess-first (önce değerlendir)","ids":["s2-q118","s2-q23","s1-q143","s1-q39","s2-q5"]},{"title":"4 · PIA & gizlilik","ids":["s2-q57"]},{"title":"5 · Varlık sınıflama","ids":["s1-q86","s1-q26"]},{"title":"6 · Metrik & raporlama","ids":["s2-q141","s1-q88"]},{"title":"7 · Olay müdahale (IR)","ids":["s2-q92"]},{"title":"8 · Mimari & kontrol seçimi","ids":["s1-q116","s1-q61","s2-q128","s1-q79","s1-q5","s2-q29"]},{"title":"9 · Uyum programı & çerçeve","ids":["s2-q70","s1-q124","s2-q6","s2-q4"]},{"title":"10 · Üçüncü / dördüncü taraf","ids":["s2-q126"]},{"title":"11 · Yönetişim yapısı & politika tasarımı","ids":["s1-q74","s2-q132","s1-q148","s2-q119"]}]; | |
| const SUMMARY = {"set":"domain3","source":"domain3_practice.html","total":98,"right":57,"wrong":41,"pct":58.2,"generatedAt":"2026-07-01T19:35:22.605Z"}; | |
| const LSKEY = "cism_d3_mobile_review_v1"; | |
| let activeSet = []; // array of indices into QUESTIONS for current session | |
| let optOrder = {}; // qIndex -> display order (array of original option idx) | |
| let answers = {}; // qIndex -> chosen label | |
| let revealed = {}; // qIndex -> bool | |
| let enOpen = {}; // qIndex -> bool | |
| let pos = 0; | |
| let curLabel = ""; // label of current session, for resume info | |
| const $ = id => document.getElementById(id); | |
| const shuffle = a => { for(let i=a.length-1;i>0;i--){const j=Math.floor(Math.random()*(i+1));[a[i],a[j]]=[a[j],a[i]];} return a; }; | |
| const esc = s => { const d=document.createElement('div'); d.textContent=s||""; return d.innerHTML; }; | |
| function saveState(){ | |
| localStorage.setItem(LSKEY, JSON.stringify({activeSet,optOrder,answers,pos,revealed,enOpen,curLabel, | |
| opts:{shufO:$("shufO").checked, autoEn:$("autoEn").checked}, ts:Date.now()})); | |
| } | |
| function loadState(){ try{return JSON.parse(localStorage.getItem(LSKEY));}catch(e){return null;} } | |
| function buildSession(indices, label){ | |
| curLabel = label; | |
| activeSet = indices.slice(); | |
| optOrder = {}; answers = {}; revealed = {}; enOpen = {}; pos = 0; | |
| activeSet.forEach(qi=>{ | |
| let oo = QUESTIONS[qi].options.map((_,i)=>i); | |
| if($("shufO").checked) shuffle(oo); | |
| optOrder[qi] = oo; | |
| }); | |
| saveState(); | |
| } | |
| function showScreen(id){ | |
| ["start","quiz","result"].forEach(s=>$(s).classList.toggle("hidden", s!==id)); | |
| } | |
| function startSession(indices, label){ | |
| buildSession(indices, label); | |
| showScreen("quiz"); | |
| render(); | |
| } | |
| // ---- mode wiring ---- | |
| $("modeWrong").onclick = ()=>{ | |
| const idx = QUESTIONS.map((q,i)=>i).filter(i=>QUESTIONS[i].wrongPrev) | |
| .sort((a,b)=> QUESTIONS[a].catIndex - QUESTIONS[b].catIndex); | |
| startSession(idx, "Yanlışlarım"); | |
| }; | |
| $("modeAll").onclick = ()=>{ | |
| const idx = QUESTIONS.map((q,i)=>i); | |
| startSession(idx, "Tümü"); | |
| }; | |
| $("modeCat").onclick = ()=>{ | |
| $("catPicker").classList.remove("hidden"); | |
| const box = $("catList"); box.innerHTML=""; | |
| CATS.forEach((c,ci)=>{ | |
| const n = QUESTIONS.filter(q=>q.catIndex===ci).length; | |
| if(!n) return; | |
| const row = document.createElement("div"); | |
| row.className="catrow"; | |
| row.innerHTML = `<span>${esc(c.title)}</span><span class="n">${n}</span>`; | |
| row.onclick = ()=>{ | |
| const idx = QUESTIONS.map((q,i)=>i).filter(i=>QUESTIONS[i].catIndex===ci); | |
| startSession(idx, c.title); | |
| }; | |
| box.appendChild(row); | |
| }); | |
| }; | |
| $("catBack").onclick = ()=> $("catPicker").classList.add("hidden"); | |
| $("modeResume").onclick = ()=>{ | |
| const s = loadState(); | |
| if(!s || !s.activeSet || !s.activeSet.length){ alert("Kayıtlı oturum yok."); return; } | |
| activeSet=s.activeSet; optOrder=s.optOrder; answers=s.answers; pos=s.pos||0; | |
| revealed=s.revealed||{}; enOpen=s.enOpen||{}; curLabel=s.curLabel||""; | |
| if(s.opts){ $("shufO").checked=s.opts.shufO; $("autoEn").checked=s.opts.autoEn; } | |
| showScreen("quiz"); render(); | |
| }; | |
| function render(){ | |
| const qi = activeSet[pos]; | |
| const Q = QUESTIONS[qi]; | |
| const chips = [`<span class="chip">${pos+1} / ${activeSet.length}</span>`, | |
| `<span class="chip">Set ${Q.set} · Soru ${Q.number}</span>`]; | |
| if(Q.tag) chips.push(`<span class="chip${Q.wrongPrev?' wrongtag':''}">${esc(Q.tag)}</span>`); | |
| $("meta").innerHTML = chips.join(""); | |
| $("q").textContent = Q.q; | |
| const oo = optOrder[qi]; | |
| const chosen = answers[qi]; | |
| const showAns = !!revealed[qi]; | |
| const optsEl = $("opts"); optsEl.innerHTML = ""; | |
| oo.forEach((origIdx,dispIdx)=>{ | |
| const o = Q.options[origIdx]; | |
| const dispLab = String.fromCharCode(65+dispIdx); | |
| const div = document.createElement("div"); | |
| div.className = "opt"; | |
| let labCls = "lab"; | |
| if(chosen===o.l) div.classList.add("sel"); | |
| if(showAns){ | |
| if(o.correct){ div.classList.add("correct"); labCls+=" correct"; } | |
| else if(chosen===o.l){ div.classList.add("wrong"); labCls+=" wrong"; } | |
| } | |
| div.innerHTML = `<span class="${labCls}">${dispLab}</span><span class="txt">${esc(o.text)}</span>`; | |
| div.onclick = ()=>{ | |
| if(revealed[qi]) return; | |
| answers[qi]=o.l; revealed[qi]=true; | |
| if($("autoEn").checked) enOpen[qi]=true; | |
| saveState(); render(); | |
| }; | |
| optsEl.appendChild(div); | |
| }); | |
| const eb = $("explainBox"); | |
| if(showAns){ | |
| const correct = Q.options.find(o=>o.correct); | |
| const ok = chosen===correct.l; | |
| let html = `<div class="explain"><div class="verdict ${ok?'ok':'bad'}">${ok?'✓ Doğru':'✗ Yanlış'} — Doğru cevap: ${correct.l}) ${esc(correct.text)}</div>`; | |
| if(Q.tr){ | |
| html += `<div class="tr-box"><span class="lbl">Türkçe — kişisel not</span>${esc(Q.tr)}</div>`; | |
| } | |
| if(Q.en){ | |
| const open = !!enOpen[qi]; | |
| html += `<div class="en-toggle" id="enToggle">${open?'▾':'▸'} İngilizce (Udemy) açıklamayı ${open?'gizle':'göster'}</div>`; | |
| html += `<div class="en-box${open?' show':''}" id="enBox">${esc(Q.en)}</div>`; | |
| } | |
| html += `</div>`; | |
| eb.innerHTML = html; | |
| if(Q.en){ | |
| $("enToggle").onclick = ()=>{ enOpen[qi]=!enOpen[qi]; saveState(); render(); }; | |
| } | |
| } else { | |
| eb.innerHTML = ""; | |
| } | |
| $("prev").disabled = pos===0; | |
| $("next").textContent = pos===activeSet.length-1 ? "Bitir & özet" : "Sonraki →"; | |
| $("prog").style.width = (Object.keys(answers).length/activeSet.length*100)+"%"; | |
| } | |
| function go(d){ | |
| if(d>0 && pos===activeSet.length-1){ finish(); return; } | |
| pos=Math.max(0,Math.min(activeSet.length-1,pos+d)); | |
| render(); saveState(); | |
| } | |
| function finish(){ | |
| showScreen("result"); | |
| let right=0, ans=0; | |
| activeSet.forEach(qi=>{ | |
| const ch=answers[qi]; if(ch!=null) ans++; | |
| const c=QUESTIONS[qi].options.find(o=>o.correct); | |
| if(ch===c.l) right++; | |
| }); | |
| $("stat").innerHTML = | |
| `<div class="b"><div class="n">${right}</div><div class="l">Doğru</div></div>`+ | |
| `<div class="b"><div class="n">${ans-right}</div><div class="l">Yanlış</div></div>`+ | |
| `<div class="b"><div class="n">${activeSet.length-ans}</div><div class="l">Boş</div></div>`+ | |
| `<div class="b"><div class="n">%${ans?Math.round(right/activeSet.length*100):0}</div><div class="l">Skor</div></div>`; | |
| const grid = $("resultGrid"); grid.innerHTML=""; | |
| activeSet.forEach((qi,i)=>{ | |
| const ch=answers[qi]; | |
| const c=QUESTIONS[qi].options.find(o=>o.correct); | |
| const cell=document.createElement("div"); | |
| cell.className="gcell "+(ch==null?"":(ch===c.l?"ok":"bad")); | |
| cell.textContent=i+1; | |
| cell.onclick=()=>{ pos=i; revealed[qi]=true; showScreen("quiz"); render(); }; | |
| grid.appendChild(cell); | |
| }); | |
| saveState(); | |
| } | |
| $("prev").onclick=()=>go(-1); | |
| $("next").onclick=()=>go(1); | |
| $("finish").onclick=finish; | |
| $("toStart").onclick=()=>showScreen("start"); | |
| $("toStart2").onclick=()=>showScreen("start"); | |
| $("reviewWrong2").onclick=()=>{ | |
| const wrong = activeSet.filter(qi=>{ | |
| const c=QUESTIONS[qi].options.find(o=>o.correct).l; | |
| return answers[qi] && answers[qi]!==c; | |
| }); | |
| if(!wrong.length){ alert("Bu turda yanlış yok 🎉"); return; } | |
| activeSet = wrong; pos = 0; | |
| wrong.forEach(qi=>revealed[qi]=true); | |
| showScreen("quiz"); render(); | |
| }; | |
| // resume info on load | |
| (function(){ | |
| const s = loadState(); | |
| if(s && s.activeSet && s.activeSet.length){ | |
| const done = Object.keys(s.answers||{}).length; | |
| $("resumeInfo").textContent = `${s.curLabel||'Oturum'}: ${done}/${s.activeSet.length} cevaplanmış (${new Date(s.ts).toLocaleString('tr-TR')}).`; | |
| } | |
| })(); | |
| </script> | |
| </body> | |
| </html> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment