CISMP Questions Flashcards
Which of the following provides an incorrect characteristic of a memory leak?
A. Common programming error
B. Common when languages that have no built-in automatic garbage collection are used
C. Common in applications written in Java
D. Common in applications written in C++
Option C provides an incorrect characteristic of a memory leak.
Memory leaks are common programming errors that occur when dynamic memory allocation is not managed properly, especially in languages that have no built-in automatic garbage collection, such as C and C++. Java, on the other hand, has built-in automatic garbage collection, which can help prevent memory leaks. Therefore, Option C is incorrect.
Which of the following is the best description of the security kernel and the reference monitor?
A. The reference monitor is a piece of software that runs on top of the security kernel. The reference monitor is accessed by every security call of the security kernel. The security kernel is too large to test and verify.
B. The reference monitor concept is a small program that is not related to the security kernel. It will enforce access rules upon subjects who attempt to access specific objects. This program is regularly used with modern operating systems.
C. The reference monitor concept is used strictly for database access control and is one of the key components in maintaining referential integrity within the system. It is impossible for the user to circumvent the reference monitor.
D. The reference monitor and security kernel are core components of modern operating systems. They work together to mediate all access between subjects and objects. They should not be able to be circumvented and must be called upon for every access attempt.
D. The reference monitor and security kernel are core components of modern operating systems. They work together to mediate all access between subjects and objects. They should not be able to be circumvented and must be called upon for every access attempt.
Which of the following statements describes the concept of non-repudiation?
A The ability to prove that an event occurred.
B The use of public key cryptography to prevent the republishing of keys.
C A technology-based non-disclosure agreement.
D Cyber security insurance to help reduce reputational harm.
A The ability to prove that an event occurred.
Non-repudiation is the concept in cybersecurity that ensures that the parties involved in a transaction or communication cannot deny their involvement in the exchange and cannot refute the authenticity of the message or action. It provides a way to prove the integrity of the transaction or communication and that it occurred as intended, without the possibility of one party later denying their involvement. This is typically achieved through the use of digital signatures or other cryptographic methods to create a tamper-evident record of the exchange. Option A, “the ability to prove that an event occurred,” accurately describes the concept of non-repudiation.
Which term describes the concept used in information security in which multiple layers of security controls are placed within a system?
A Defence in depth.
B Honeypot.
C Fail safe.
D Anti-malware.
A. Defence in depth
Defence in depth is a concept used in information security in which multiple layers of security controls are placed throughout an information technology system.
Which two terms are used in combination to define levels of risk?
A Threat and Impact.
B Threat and Vulnerability.
C Impact and Likelihood.
D Likelihood and Vulnerability.
C Impact and Likelihood.
The level of risk is determined by evaluating the potential impact of a threat and the likelihood of that threat occurring. Impact refers to the potential harm that could result from a threat, while likelihood refers to the probability of that threat occurring. By considering both factors together, an organization can determine the level of risk associated with a particular threat and take appropriate measures to manage or mitigate that risk.
Which of the following is NOT a principle of information security management?
a) Confidentiality
b) Integrity
c) Availability
d) Accountability
D. Accountability
The CIA principles consist of:
Confidentiality
Integrity
Availability
Ursula recently discovered that a group of developers are sharing information over a messaging tool provided by a cloud vendor but not sanctioned by her organisation. What term best describes this use of technology?
A) Shadow IT
B) System integration
C) Vendor management
D) Data exfiltration
A) Shadow IT
The term that best describes this use of technology is “Shadow IT.” Shadow IT refers to the use of technology, such as applications or services, by employees within an organization without the knowledge, approval, or oversight of the IT department or organization’s management. In this case, the developers are using a messaging tool provided by a cloud vendor that is not sanctioned or approved by Ursula’s organization. This unauthorized use of technology falls under the category of Shadow IT.
Adam is conducting software testing by reviewing the source code of the application. What type of code testing is Adam conducting?
A) Mutation testing
B) Static code analysis
C) Dynamic code analysis
D) Fuzzing
B) Static Code Analysis
The type of code testing that Adam is conducting by reviewing the source code of the application is “Static code analysis.” Static code analysis is a type of code testing that involves analysing the source code without actually executing it. It aims to identify potential coding issues, security vulnerabilities, coding standards violations, and other defects in the codebase. By reviewing the source code, Adam is performing a static analysis to identify any potential issues or areas that require improvement in the code.
Which of the following code testing techniques involves analysing the behaviour of a software application during its execution?
A) Mutation testing
B) Static code analysis
C) Dynamic code analysis
D) Fuzzing
C) Dynamic code analysis
Explanation: Dynamic code analysis, also known as runtime analysis, focuses on analysing the behaviour of a software application during its execution. It involves monitoring the application’s runtime characteristics, such as input data, function calls, and interactions with external systems, to detect runtime errors, performance issues, and security vulnerabilities. This technique provides insights into the application’s behaviour that may not be apparent from static code analysis or other testing techniques.
Which of the following best describes the purpose of fuzzing in software testing?
A) Verifying code syntax and formatting.
B) Assessing the performance and scalability of an application.
C) Identifying vulnerabilities and defects through unexpected input.
D) Evaluating user experience and interface design.
C) Identifying vulnerabilities and defects through unexpected input.
Fuzzing is a software testing technique that involves sending random or malformed data as input to an application to discover potential vulnerabilities or weaknesses in its handling of such input. By subjecting the application to unexpected or invalid input, fuzzing helps identify bugs, crashes, or security vulnerabilities that may not have been discovered through traditional testing methods.
What is the primary objective of mutation testing?
A) To identify defects in the source code
B) To generate random test cases for the application
C) To evaluate the effectiveness of the test suite
D) To measure the performance of the application
C) To evaluate the effectiveness of the test suite.
Mutation testing is specifically designed to assess the quality of the test suite by introducing small changes or mutations to the code and checking if the existing test cases can detect these mutations. It helps identify weaknesses in the test suite and improve its ability to catch potential defects in the code.
Wendy is scanning cloud-based repositories for sensitive information. Which one of the following should concern her most if discovered in a public repository?
A) Product manuals
B) Secure code
C) API keys
D) Open source data
C) API (application programming interface) keys
If Wendy discovers API keys in a public repository, it should be a significant concern. API keys are sensitive credentials that provide access to various services and resources in an application or system. If exposed to the public, malicious actors could potentially misuse these API keys to gain unauthorized access, manipulate data, or launch attacks.
API keys are typically used for authentication and authorization purposes, allowing applications to interact securely with APIs and services. Exposing API keys in a public repository increases the risk of unauthorized access and potential data breaches.
It is important to protect API keys and keep them confidential. Best practices include storing them securely, using encryption, and restricting access to authorized individuals or systems.
What is a repository in the context of software development?
A) A secure storage facility for physical documents
B) A web-based platform for hosting and sharing code
C) A tool for tracking and managing project tasks
D) A programming language used for software development
B) A web-based platform for hosting and sharing code.
A repository in software development is a centralized location where developers can store, manage, and collaborate on code, making it easier to track changes, review code, and ensure version control. Examples of popular repositories include GitHub, Bitbucket, and GitLab.
What type of malware connects to a command and control system allowing attackers to manage, control and update it remotely?
A) Bot
B) Drone
C) Vampire
D) Worm
A) Bot.
A bot is a type of malware that connects to a command and control (C&C) system, allowing attackers to remotely manage, control, and update the infected device or network of devices. Bots can be used for various malicious activities, such as launching distributed denial-of-service (DDoS) attacks, stealing sensitive information, or spreading malware to other systems.
Which of the following metrics describes the type of information disclosure that might occur if an attacker successfully exploits the vulnerability?
A) Integrity
B) Availability
C) Scope
D) Confidentiality
D) Confidentiality
Confidentiality, in the context of information security, refers to the property of ensuring that data is accessible only to authorized individuals or entities. It involves protecting sensitive or classified information from unauthorized disclosure or access.
When an attacker successfully exploits a vulnerability, the type of information disclosure that occurs typically relates to confidentiality. It means that the attacker gains unauthorized access to sensitive information, such as personal data, financial records, intellectual property, or any other confidential information that should be protected.
Maintaining confidentiality is crucial to prevent unauthorized disclosure and protect the privacy and confidentiality of sensitive information. Organizations implement various security measures such as encryption, access controls, data classification, and secure communication protocols to ensure the confidentiality of their data.
Which of the following is a malicious program that self-copies and self-replicates?
A) Spyware
B) Bot
C) Virus
D) Rootkit
C) Virus
A virus is a type of malicious program that has the ability to self-copy and self-replicate by inserting its code into other legitimate programs or files. It spreads from one system to another by attaching itself to executable files, documents, or other data files. When the infected file is executed, the virus code is activated, allowing it to reproduce and infect other files or systems.
Viruses can cause various types of harm, such as data corruption, system instability, unauthorized access, and spreading to other connected devices or networks. They often have malicious payloads that can perform actions like deleting files, stealing information, or disrupting system operations.
To prevent virus infections, it is important to have up-to-date antivirus software, regularly scan systems and files for viruses, avoid downloading files from untrusted sources, and exercise caution when opening email attachments or clicking on suspicious links.
Renee is configuring her vulnerability management solution to perform credentialed scans of servers on her network. What type of account should she provide to the scanner?
A) Domain administrator
B) Local administrator
C) Root
D) Read-only
D) Read-only
Credentialed scans only require read-only access to target servers. Renee should follow the principle of least privilege and limit the access available to the scanner by using a read-only account. Using a domain administrator account would provide far more privileges than necessary, allowing the scanner to potentially disrupt almost any device on the network. Using a local administrator account would have similar issues, but the problems caused by the scanner would be limited to the local system. The root account is just another name for the local administrator account.
Which role in the organisational structure is responsible for developing and implementing an information security program and providing guidance on cyber strategy at a strategic level?
A) CFO (Chief Financial Officer)
B) CIO (Chief Information Officer)
C) COO (Chief Operating Officer)
D) CISO (Chief Information Security Officer)
D) CISO (Chief Information Security Officer).
The CISO is responsible for developing and implementing an information security program and providing guidance on cyber strategy at a strategic level. This role ensures that information assurance is prioritized and accounted for within the organization’s structure.
Which senior leadership role is responsible for managing the finances and records of the company, ensuring financial reporting, and making business decisions based on sound financial criteria?
A) CEO (Chief Executive Officer)
B) CFO (Chief Financial Officer)
C) CIO (Chief Information Officer)
D) COO (Chief Operating Officer)
B) CFO (Chief Financial Officer)
The senior leadership role responsible for managing the finances and records of the company, ensuring financial reporting, and making business decisions based on sound financial criteria is the CFO (Chief Financial Officer).
In an organizational structure, which senior leadership role is responsible for managing the day-to-day operations of the company?
a) CEO (Chief Executive Officer)
b) CFO (Chief Financial Officer)
c) COO (Chief Operating Officer)
d) CISO (Chief Information Security Officer)
C) COO (Chief Operating Officer)
The senior leadership role responsible for managing the day-to-day operations of the company is the COO (Chief Operating Officer).
Which roles in the organizational structure are typically responsible for information security at a strategic level? Select two.
A) CEO (Chief Executive Officer)
B) CIO (Chief Information Officer)
C) CISO (Chief Information Security Officer)
D) CFO (Chief Financial Officer)
B and C
The roles of CIO (Chief Information Officer) and CISO (Chief Information Security Officer) are typically responsible for information security at a strategic level.
Which roles are responsible for managing the financial aspects of a company? Select two options.
A) CEO (Chief Executive Officer)
B) CFO (Chief Financial Officer)
C) CIO (Chief Information Officer)
D) CISO (Chief Information Security Officer)
A) CEO (Chief Executive Officer)
B) CFO (Chief Financial Officer)
- CEO (Chief Executive Officer): The CEO is the head of the company or organization and is responsible for overall management and decision-making. While the CEO may not directly handle financial matters on a day-to-day basis, they have the ultimate responsibility for financial performance and strategic financial decision-making.
- CFO (Chief Financial Officer): The CFO is specifically responsible for managing the financial aspects of the company. This includes overseeing financial planning, budgeting, financial reporting, and ensuring compliance with financial regulations. The CFO plays a key role in making financial decisions that impact the organization’s operations and long-term financial health.
Both the CEO and CFO have important roles in managing the financial aspects of a company, with the CFO specifically focusing on financial management and reporting while the CEO holds the overall responsibility for the organization’s financial performance.
Which of the following responsibilities is typically assigned to an Information Security Manager (ISM)? (Select 2 possible answers)
A) Developing business strategies and financial planning
B) Conducting vulnerability assessments and penetration testing
C) Managing the organization’s human resources and personnel
D) Establishing and maintaining physical security controls
B) Conducting vulnerability assessments and penetration testing.
D) Establishing and maintaining physical security controls
The responsibility of an Information Security Manager typically involves overseeing the implementation of security controls and practices, including conducting assessments to identify vulnerabilities and performing penetration testing to assess the effectiveness of security measures. This helps ensure the organization’s systems and data are adequately protected against potential threats.
Establishing and maintaining physical security controls (option D) may fall under the responsibility of a different role, such as a Facilities Manager or a Physical Security Manager.
Which of the following responsibilities is typically associated with an Information Security Manager?
A) Designing network architectures and infrastructure
B) Developing and implementing security policies and procedures
C) Managing software development projects
D) Conducting forensic investigations
B) Developing and implementing security policies and procedures.
An Information Security Manager is primarily responsible for overseeing the development and implementation of security policies and procedures within an organization. This includes creating and enforcing security standards, guidelines, and best practices to protect the organization’s information assets. While network architecture and infrastructure (option A) may fall under the purview of an IT or network specialist, managing software development projects (option C) typically belongs to a software development or project management role. Conducting forensic investigations (option D) is often handled by a dedicated forensic analyst or incident response team.
Who typically chairs the Security Steering Committee within an organization?
A) Chief Executive Officer (CEO)
B) Chief Information Security Officer (CISO)
C) Chief Financial Officer (CFO)
D) Chief Operating Officer (COO)
Answer: B
The Security Steering Committee is usually chaired by the Chief Information Security Officer (CISO). This committee serves as a high-level forum to discuss security matters and support the security function within the organization. While other roles such as CEO, CFO, and COO may have involvement or participation in security-related decisions, the CISO is typically responsible for leading the Security Steering Committee.
What is one of the main functions of a Security Steering Committee within an organization?
A) Managing day-to-day security operations
B) Developing information security policies
C) Conducting security awareness training for employees
D) Implementing technical security controls
Answer: B
One of the main functions of a Security Steering Committee is to develop information security policies. This committee serves as a forum to discuss and approve documentation such as policies, standards, and procedures related to information security. While the committee may have oversight and involvement in various security-related activities, its primary role is to ensure the development and approval of effective policies that guide security practices within the organization.
Which of the following statements best describes the role of a Security Steering Committee in the context of information security governance?
A) The committee is responsible for performing daily security operations and incident response.
B) The committee serves as a centralized authority for approving and overseeing security projects and initiatives.
C) The committee is tasked with conducting vulnerability assessments and penetration testing.
D) The committee focuses on providing technical support for implementing security controls.
Answer: B
The role of a Security Steering Committee in information security governance is primarily focused on serving as a centralized authority for approving and overseeing security projects and initiatives. This committee ensures that security efforts align with the organization’s objectives, reviews and approves security-related documentation, and provides guidance and direction for security initiatives. While the committee may have oversight and involvement in other security-related activities, its primary responsibility lies in strategic decision-making and governance rather than daily operational tasks or technical support.
Which of the following is an essential element of a security awareness training program?
A) Limited to specific job roles within the organization
B) Outdated and irrelevant content
C) Tailored to senior management only
D) Promotes a security culture and behaviour change
D) Promotes a security culture and behaviour change.
Explanation: A security awareness training program should aim to create a security culture within the organization. It should not be limited to specific job roles but should be organization-wide. The content should be up to date, relevant, and tailored to the audience, including all staff members. The main objective of the program is to promote a change in behaviour, encouraging individuals to think before they act and to be more vigilant about security risks. By promoting a security culture, organizations can create a collective responsibility for security and improve their overall security posture.
What is an important aspect of a security awareness training program?
A) It should only be mandatory for employees in high-risk roles.
B) It should be a one-time event without any follow-up sessions.
C) It should be tailored to the specific needs and roles of individuals.
D) It should focus solely on compliance requirements.
C) It should be tailored to the specific needs and roles of individuals.
Explanation: Security awareness training programs should be designed to address the unique needs and roles of individuals within an organization. Different employees have varying levels of access to information assets and face different security risks based on their job responsibilities. Tailoring the training ensures that employees receive relevant and applicable knowledge to their specific roles, increasing the effectiveness of the program. It helps employees understand their personal responsibilities, recognize security threats relevant to their work, and adopt appropriate security behaviours.
Which of the following are important considerations when implementing a security awareness training program? (Select two.)
A) Making the training mandatory for all employees
B) Customizing the training content for different departments
C) Conducting periodic assessments to measure training effectiveness
D) Providing rewards and incentives for completing the training
E) Including technical jargon and complex concepts in the training materials
A) Making the training mandatory for all employees
C) Conducting periodic assessments to measure training effectiveness
When implementing a security awareness training program, it is important to make the training mandatory for all employees to ensure widespread participation and consistent knowledge. Additionally, conducting periodic assessments helps measure the effectiveness of the training program and identifies areas that may require further attention or improvement. Customizing the training content for different departments can also be beneficial, but it is not one of the required considerations mentioned in the question. Providing rewards and incentives can be helpful in motivating employees to complete the training, but it is not a universal requirement. Including technical jargon and complex concepts in the training materials may hinder understanding and should be avoided to ensure clear communication.
Which of the following best describes statutory requirements in information security?
A) Voluntary guidelines recommended for good security practices.
B) Best practices issued by industry associations.
C) Mandatory requirements imposed by governments or the legal system.
D) Standards developed by international organizations.
C) Mandatory requirements imposed by governments or the legal system.
Statutory requirements in information security refer to legal obligations that organizations must adhere to as prescribed by laws or regulations set by governments or the legal system. These requirements are not voluntary or optional, but rather mandatory for compliance.
Which of the following is an example of a statutory requirement in information security?
A) Best practice guidelines suggested by industry associations.
B) Recommendations from cybersecurity experts.
C) Data protection laws imposed by the government.
D) Internal policies and procedures developed by the organization.
C) Data protection laws imposed by the government.
Statutory requirements in information security refer to legal obligations imposed by government entities or the legal system. Data protection laws, such as the General Data Protection Regulation (GDPR), mandate how organizations should handle and protect personal data. Compliance with these laws is necessary to ensure the organization operates within the legal framework and protects individuals’ privacy rights.
Which of the following is an example of a jurisdictional statutory requirement in information security?
A) ISO 27001 certification
B) Payment Card Industry Data Security Standard (PCI DSS)
C) Health Insurance Portability and Accountability Act (HIPAA)
D) International Organization for Standardization (ISO) guidelines
C) Health Insurance Portability and Accountability Act (HIPAA).
HIPAA is a statutory requirement in the United States that sets standards for the protection of sensitive patient health information. It specifically applies to the healthcare industry and mandates the secure handling and storage of protected health information (PHI). Compliance with HIPAA is legally required for healthcare organizations and their business associates to ensure the privacy and security of patient data.
The other options listed in the question are not jurisdictional statutory requirements. Therefore, the correct answer is C) Health Insurance Portability and Accountability Act (HIPAA) as it represents a jurisdictional statutory requirement in information security.
(In the context of information security, jurisdictional statutory requirements may include laws, regulations, or acts that organizations must comply with to ensure the security and protection of data within a specific region. These requirements are legally enforceable and may cover various aspects such as data privacy, data protection, incident reporting, or specific industry regulations.)
Which of the following regulatory standards is specifically designed to govern the handling of payment card transactions?
A) HIPAA
B) FCA
C) GDPR
D) PCI-DSS
D) PCI-DSS
PCI-DSS specifically focuses on the security measures for handling payment card transactions.
Which regulatory standard is primarily concerned with safeguarding the privacy and security of individuals’ healthcare information in the United States?
A) FCA
B) PCI-DSS
C) GDPR
D) HIPAA
D) HIPAA
HIPAA is the regulatory standard that governs the protection of healthcare records and ensures the privacy and security of individuals’ health information in the United States.
Which of the following is true about Advisory Requirements?
A) They are legally binding and enforceable by regulatory bodies.
B) They offer advice and suggested practices but are not legally binding.
C) They are issued by the government to penalize non-compliant companies.
D) They provide mandatory guidelines that businesses must adhere to.
B) They offer advice and suggested practices but are not legally binding.
Advisory Requirements provide recommendations and guidance to businesses but do not carry legal obligations or enforceability. They serve as valuable sources of information and best practices for organizations to enhance their security measures.
Which organization is known for providing advisory requirements and guidance on cybersecurity best practices in the United Kingdom?
A) National Cyber Security Centre (NCSC)
B) International Organization for Standardization (ISO)
C) Federal Trade Commission (FTC)
D) Health Insurance Portability and Accountability Act (HIPAA)
A) National Cyber Security Centre (NCSC).
The NCSC is known for providing advisory requirements and guidance on cybersecurity best practices in the United Kingdom. It acts as a computer security incident response team (CSIRT) and provides support to businesses, disseminates information, conducts threat assessments, and offers general technical support in the field of cybersecurity.
Which of the following bodies serves as a computer security incident response team (CSIRT) and provides early warnings of threats, threat assessments, and technical support to various entities?
A) National Cyber Security Centre (NCSC)
B) Payment Card Industry Security Standards Council (PCI SSC)
C) Financial Conduct Authority (FCA)
D) International Organization for Standardization (ISO)
A) National Cyber Security Centre (NCSC)
The National Cyber Security Centre (NCSC) serves as a CSIRT and provides early warnings of threats, threat assessments, and technical support, making it the most suitable answer.
Which source provides guidance on best practices for implementing security measures and supports businesses in dealing with certain events?
A) Government agencies
B) Industry trade bodies
C) Vendors
D) All of the above
D) All of the above
Government agencies, industry trade bodies, and vendors frequently issue guidance and advice on implementing security measures and dealing with specific events, making all the options correct.
Which professional body is known for its focus on IT governance and offers certifications in audit, risk management, privacy, and information security?
A) ISSA
B) ISACA
C) ISC2
D) IISP
B) ISACA.
ISACA stands for Information Systems Audit and Control Association.
ISACA is an international professional association focused on IT governance and offers certifications in various areas including audit, risk management, privacy, and information security.
Which professional organization specializes in training and certification for cybersecurity professionals, and is best known for the CISSP certification?
A) ISSA - International Systems Security Association
B) ISACA - Information Systems Audit and Control Association
C) ISC2 - International Information Systems Security Certification Consortium
D) IISP - Institute of Information Security Professionals
C) ISC2 - International Information Systems Security Certification Consortium.
ISC2 specializes in training and certification for cybersecurity professionals, and it is best known for offering the CISSP (Certified Information Systems Security Professional) certification.
Which document provides step-by-step instructions for performing specific tasks related to information security?
A) Policies
B) Standards
C) Procedures
D) Guidelines
C) Procedures
Procedures are the documents that outline detailed instructions or steps to be followed when carrying out specific tasks related to information security. They provide specific guidance on how to perform actions in a consistent and secure manner.
Which document sets the overarching principles and expectations for information security within an organization?
A) Policies
B) Standards
C) Procedures
D) Guidelines
A) Policies
Policies are high-level documents that establish the overall principles, rules, and expectations for information security within an organization. They outline the goals, objectives, and acceptable behaviours related to information security and serve as a foundation for developing more detailed standards, procedures, and guidelines.
Which of the following characteristics should an Information Security Policy possess?
A) Detailed instructions on implementing security controls
B) A statement of intent and high-level guidance
C) Technical specifications for network infrastructure
D) Guidelines for incident response procedures
B) A statement of intent and high-level guidance.
The Information Security Policy is designed to provide a broad overview and direction for information security within an organization, outlining the business objectives and demonstrating senior management commitment to security. It provides high-level guidance rather than detailed instructions or technical specifications.
Which type of policy specifically outlines the rules and guidelines for the appropriate use of organization’s computer systems and networks?
A) Information Security Policy
B) Acceptable Use Policy
C) Password Policy
D) Privacy Policy
B) Acceptable Use Policy.
It specifically focuses on defining the acceptable and unacceptable use of an organization’s computer systems and networks by its employees and other authorized users. Well done!
Which of the following statements about standards is true?
A) Internal standards are derived from external organizations.
B) External standards require internal audits for verification.
C) ISO 27001 is an example of an internal standard.
D) Compliance with external standards promotes information security commitment.
D) Compliance with external standards promotes information security commitment.
External standards, such as ISO 27001, provide a recognized framework for information security management and demonstrate a commitment to maintaining a robust security posture.
Which of the following statements is true regarding procedures in an organization’s information security framework?
A) Procedures are optional and can be bypassed if needed.
B) Procedures provide high-level guidance and are not mandatory.
C) Procedures outline step-by-step instructions for carrying out processes.
D) Procedures are only applicable to technical aspects of information security.
C) Procedures outline step-by-step instructions for carrying out processes.
Procedures provide detailed instructions on how to perform specific tasks or processes within an organization, ensuring that they are carried out consistently and in the correct manner.
Which of the following characteristics best describes guidelines in the context of information security documentation?
A) Mandatory and must be followed strictly.
B) Prescriptive controls derived from industry best practice.
C) Step-by-step instructions for carrying out processes.
D) Discretionary information on how something could be achieved.
D) Discretionary information on how something could be achieved.
Guidelines in the context of information security documentation provide recommendations or suggestions on how to achieve certain goals or objectives, but they are not mandatory like policies, standards, and procedures.
Which of the following statements accurately describes the role of guidelines in information security documentation?
A) Guidelines are mandatory documents that must be followed by all employees.
B) Guidelines provide step-by-step instructions on how to carry out specific processes.
C) Guidelines are prescriptive controls that must be implemented to ensure compliance.
D) Guidelines offer discretionary information on how something could be achieved.
D) Guidelines offer discretionary information on how something could be achieved.
Guidelines provide suggestions, recommendations, or best practices on how to accomplish a task or objective, but they are not mandatory and allow for flexibility in implementation. Well done!
Which of the following best describes the purpose of an end user code of practice and acceptable use policy?
A) To establish guidelines for senior management’s ethical behaviour.
B) To outline the responsibilities of employees in managing company resources.
C) To define the requirements for network infrastructure and security measures.
D) To provide training programs for end users on IT best practices.
B) To outline the responsibilities of employees in managing company resources.
The end user code of practice and acceptable use policy define the expected behaviour and guidelines for employees, contractors, and visitors when using company assets and resources. It helps ensure responsible and secure use of these resources. Well done!
Which of the following is a key purpose of an Acceptable Use Policy (AUP)?
A) Providing guidelines for senior management’s ethical behaviour
B) Defining the acceptable standards of conduct for end users
C) Outlining the technical specifications for company resources
D) Establishing the network infrastructure for remote access
B) Defining the acceptable standards of conduct for end users
An Acceptable Use Policy (AUP) is a document that defines the acceptable standards of conduct for end users when using company assets and resources. It outlines the rules and guidelines for appropriate and responsible use of technology within the organization. Well done!
What is an essential aspect of handling policy violations in an organization?
A) Granting exceptions to employees based on their position within the organization.
B) Consistently enforcing policies regardless of an employee’s position.
C) Ignoring policy violations if they occur at the C-level executive level.
D) Dealing with policy violations informally without involving legal and HR departments.
B) Consistently enforcing policies regardless of an employee’s position.
Policies should apply to all members of staff, regardless of their position within the organization, and the process for dealing with policy violations should be applied equally across the board.
What are some important considerations when dealing with policy violations within an organization?
A) Granting exceptions based on employee seniority
B) Applying consistent enforcement regardless of employee position
C) Ignoring minor policy violations to maintain employee morale
D) Allowing policy violations for employees with high performance
B) Applying consistent enforcement regardless of employee position.
It is essential to ensure that policy violations are dealt with consistently and fairly across all levels of the organization, from C-level executives to regular employees. This helps maintain a strong culture of compliance and reinforces the importance of adhering to organizational policies.
When should policies be reviewed?
A) Only when there are changes to systems and technologies.
B) After a defined time through periodic reviews.
C) Only in response to audits or incidents/breaches.
D) When there is a lack of compliance with policies.
B) After a defined time through periodic reviews.
Policies should be reviewed after a defined time through periodic reviews to ensure they remain current, relevant, and effective. Well done!
When should policies be reviewed in response to changes in working processes, systems, or legal requirements?
A) Only after a defined time through periodic reviews.
B) Only when there is a notification of new threats and vulnerabilities.
C) Only as a result of an incident or breach.
D) When there are changes to working processes, systems, or legal requirements.
D) When there are changes to working processes, systems, or legal requirements.
Policies should be reviewed and updated to reflect any changes that may impact their effectiveness or compliance. Well done!
What is the main purpose of security governance in an organization?
A) Enforcing compliance with internal policies
B) Reviewing and updating security documentation
C) Monitoring and responding to security incidents
D) Ensuring alignment with government regulations
D) Ensuring alignment with government regulations.
Security governance involves ensuring that the organization follows all relevant government regulations, in addition to compliance with internal policies and standards. It includes monitoring and oversight to validate compliance and may involve external accreditation bodies to verify the organization’s adherence to security measures.
Which of the following is a key aspect of security governance that ensures compliance with legal and regulatory requirements?
A) Incident response planning
B) Security awareness training
C) Risk assessment and management
D) Monitoring and oversight
D) Monitoring and oversight.
Monitoring and oversight are essential components of security governance to ensure compliance with legal and regulatory requirements.
Which of the following statements accurately describes the purpose of an audit in the context of governance and information security?
A) Audits ensure that policies and standards are created and documented.
B) Audits focus primarily on technology infrastructure and hardware.
C) Audits are conducted solely by internal personnel to maintain confidentiality.
D) Audits assess the compliance, effectiveness, and efficiency of security activities and processes.
D) Audits assess the compliance, effectiveness, and efficiency of security activities and processes.
Which of the following is a key characteristic of an effective audit process?
A) Conducted by internal stakeholders only
B) Biased towards specific departments or individuals
C) Limited to technological aspects of security
D) Independent and impartial evaluation of all aspects including technology, processes, and people
D) Independent and impartial evaluation of all aspects including technology, processes, and people.
An effective audit process should be conducted by an independent entity and cover all relevant aspects of security, including technology, processes, and people, without bias or favouritism.
Which of the following standards specifically focuses on privacy and the transfer of privacy data to third parties or other jurisdictions?
A) ISO 27000 series
B) GDPR
C) PCI-DSS
D) SOX
B) GDPR.
GDPR stands for General Data Protection Regulation and it specifically addresses privacy and the transfer of personal data to third parties or other jurisdictions. Well done!
Which industry standard deals with the financial oversight of publicly listed corporations?
A) ISO 27001
B) GDPR
C) PCI-DSS
D) SOX
D) SOX.
Sarbanes-Oxley (SOX) is an industry standard that deals with the financial oversight of publicly listed corporations. It focuses on ensuring the accuracy and reliability of financial reporting and includes provisions for internal controls and audit requirements.
Which step of the PDCA cycle involves studying the results and comparing them with the expected outcomes?
A) Plan
B) Do
C) Check
D) Act
C) Check.
In the PDCA cycle, the Check step involves studying the results and comparing them with the expected outcomes to assess whether the objectives and processes are being achieved as planned. Well done!
Which step of the PDCA cycle involves establishing the objectives and processes necessary to deliver the expected results?
A) Plan
B) Do
C) Check
D) Act
A) Plan.
In the PDCA cycle, the “Plan” step involves establishing the objectives and processes necessary to deliver the expected results. Well done!
Which of the following is a key step in implementing an information security framework?
A) Conducting a one-time risk assessment
B) Implementing security controls without monitoring their effectiveness
C) Setting short-term goals for immediate results
D) Periodically re-evaluating risk and continually improving the process
D) Periodically re-evaluating risk and continually improving the process
Periodically re-evaluating risk and continually improving the process is a key step in implementing an information security framework. It ensures that the framework remains effective and aligned with the changing risk landscape and business requirements.
Which of the following is an important step in implementing an information security framework?
A) Conducting a one-time risk assessment and control implementation.
B) Developing a short-term tactical plan without considering long-term goals.
C) Implementing security controls without monitoring their effectiveness.
D) Identifying controls for reducing risk to acceptable levels.
D) Identifying controls for reducing risk to acceptable levels.
Implementing an information security framework involves identifying and implementing appropriate controls to mitigate risks and ensure the security of the organization’s information assets.
What is the purpose of conducting a gap analysis during the implementation of an information security framework?
A) To analyse the gaps between the current state and the desired state.
B) To identify the stakeholders involved in the project.
C) To evaluate the effectiveness of the implemented framework.
D) To determine the budget required for implementation.
A) To analyse the gaps between the current state and the desired state.
During the gap analysis stage of implementation, the focus is on identifying the gaps or discrepancies between the current state of the organization’s security practices and the desired state as defined by the information security framework. This analysis helps in understanding what needs to be done to bridge those gaps and align the organization with the desired security objectives.
What are the characteristics of a successful plan for information assurance?
A) Rigid and inflexible, focusing solely on immediate objectives.
B) Ignores the needs of the business and stakeholders.
C) Provides no return on investment or value for money.
D) Realistic and achievable, addresses business needs, reaches objectives within agreed timescales, and provides a return on investment.
D) Realistic and achievable, addresses business needs, reaches objectives within agreed timescales, and provides a return on investment.
A successful plan for information assurance is realistic and achievable, addresses the needs of the business, reaches its objectives within agreed timescales, and provides a return on investment. Well done!
Which of the following is an important factor when selling the benefits of a security program to stakeholders?
A) Technical jargon and complex terminology
B) Tailoring benefits to individual stakeholder requirements
C) Focusing solely on the security function
D) Ignoring the negative aspects of the program
B) Tailoring benefits to individual stakeholder requirements.
When selling the benefits of a security program, it is important to understand the needs and expectations of different stakeholders and communicate the advantages of the program in a way that resonates with them individually. This approach increases the chances of gaining their support and buy-in.
Which of the following best describes an incident in the context of information security?
A) A planned event that enhances business operations.
B) A routine occurrence with no adverse impact on the business.
C) An event that disrupts the normal functioning of the business.
D) A proactive measure to prevent security breaches.
C) An event that disrupts the normal functioning of the business.
In the context of information security, an incident refers to an event that has an adverse impact on the operation of the business, such as a security breach, data breach, physical security breach, or denial of service attack. These incidents disrupt the normal functioning of the business and require appropriate management and response.
Which of the following is an essential component of incident management in an information security framework?
A) Preventing all incidents from occurring
B) Ignoring minor incidents and focusing only on major ones
C) Planning and preparing for incidents in advance
D) Reacting to incidents without any predefined procedures
C) Planning and preparing for incidents in advance.
Incident management involves having predefined procedures, protocols, and plans in place to effectively respond to and manage incidents when they occur. By planning and preparing in advance, organizations can minimize the impact of incidents and mitigate risks effectively.
Which of the following is NOT a step in the incident management process according to the BCS?
A) Reporting
B) Investigation
C) Containment
D) Resolution
C) Containment
The BCS (British Computer Society) highlights the following steps: Reporting, Investigation, Assessment, Corrective Action, and Review.
During the incident management process, what is the purpose of the “Review” stage?
A) To identify the root cause of the incident
B) To implement corrective actions and resolve the incident
C) To gather evidence for potential legal proceedings
D) To evaluate the effectiveness of the incident response and identify areas for improvement
D) To evaluate the effectiveness of the incident response and identify areas for improvement
The purpose of the “Review” stage in the incident management process is to evaluate the effectiveness of the incident response and identify areas for improvement. It involves analysing the incident, assessing the response actions taken, and determining if any changes or enhancements are needed to prevent similar incidents in the future.
Which of the following issues may vary according to jurisdiction when it comes to maintaining legal compliance in information security?
A) Employee training requirements
B) Incident response procedures
C) Privacy issues with personal data
D) Password complexity requirements
C) Privacy issues with personal data.
Privacy regulations and requirements can vary from one jurisdiction to another, so organizations need to ensure they comply with the specific privacy laws and regulations applicable in the regions where they operate. Well done!
Which of the following is an example of intellectual property governed by legal frameworks?
A) Employee rights
B) Retention of data
C) Collection of forensic evidence
D) Trademarks and patents
D) Trademarks and patents.
Intellectual property refers to creations of the mind, such as inventions, artistic works, designs, symbols, and names used in commerce. Trademarks and patents are specific types of intellectual property that are protected by legal frameworks to prevent unauthorized use or copying.
Which legal system is predominantly jury-based and based on the law of precedent?
A) Civil law
B) Regulatory law
C) Common law
D) Codified law
C) Common law
In the context of UK and international law, common law refers to a legal system based on the law of precedent. It is predominantly a jury-based system, where decisions and interpretations of the law are influenced by previous court rulings. Under common law, judges have the authority to make legal decisions and set legal precedents that other courts can follow in similar cases.
Which regulation governs data protection in the European Union?
A) HIPAA (Health Insurance Portability and Accountability Act)
B) CCPA (California Consumer Privacy Act)
C) GDPR (General Data Protection Regulation)
D) FERPA (Family Educational Rights and Privacy Act)
C) GDPR (General Data Protection Regulation).
GDPR is a regulation that was implemented by the European Union to protect the personal data and privacy of individuals within the EU. It establishes guidelines for the collection, processing, and storage of personal data by organizations. GDPR imposes strict requirements on organizations, including the need to obtain explicit consent for data processing, the right to access and delete personal data, and the obligation to implement appropriate security measures. It applies to all EU member states and has extraterritorial reach, meaning that it also applies to organizations outside the EU that handle the personal data of EU citizens.
Which of the following regulations is specifically designed to protect medical information and ensure its privacy and security in the United States?
A) GDPR (General Data Protection Regulation)
B) HIPAA (Health Insurance Portability and Accountability Act)
C) CCPA (California Consumer Privacy Act)
D) FISMA (Federal Information Security Management Act)
B) HIPAA (Health Insurance Portability and Accountability Act).
HIPAA is a regulation in the United States that sets standards for protecting sensitive patient health information, ensuring its privacy and security. It applies to entities such as healthcare providers, health plans, and healthcare clearinghouses, as well as their business associates. The primary goal of HIPAA is to safeguard the confidentiality, integrity, and availability of protected health information (PHI) while allowing for the necessary exchange of healthcare data.
Which principle of privacy states that personal data should be processed in a manner that ensures its integrity and confidentiality?
A) Security
B) Data minimization
C) Purpose limitation
D) Accountability
A) Security.
The principle of security states that personal data should be processed in a manner that ensures appropriate security, integrity, and confidentiality of the data. This means implementing measures to protect the data from unauthorized access, disclosure, alteration, or destruction. Security measures may include encryption, access controls, secure storage, and regular security assessments.
Which principle of privacy ensures that personal data should be collected for a specific and legitimate purpose and not further processed in a manner that is incompatible with those purposes?
A) Lawfulness, fairness, and transparency
B) Purpose limitation
C) Data minimization
D) Accountability
B) Purpose limitation.
The principle of purpose limitation states that personal data should be collected for a specific and legitimate purpose and should not be further processed in a manner that is incompatible with those purposes. Data minimization (option C) refers to collecting only the necessary and relevant data, while purpose limitation specifically focuses on the purposes of data processing.
Which principle of privacy emphasizes the importance of handling personal data securely and implementing appropriate technical measures?
A) Lawfulness, fairness, and transparency
B) Data minimization
C) Security
D) Accountability
C) Security
The principle that emphasizes the importance of handling personal data securely and implementing appropriate technical measures is the principle of “Security.” Well done!
Which of the following actions would be considered a violation of the Computer Misuse Act 1990 in the UK?
A) Using authorized credentials to access a company database for work-related tasks.
B) Installing security patches and updates on a computer system to enhance its protection.
C) Gaining unauthorized access to a computer system with the intention to steal sensitive data.
D) Modifying computer material to correct errors and improve data accuracy.
C) Gaining unauthorized access to a computer system with the intention to steal sensitive data.
Gaining unauthorized access to a computer system with the intention to steal sensitive data is considered a violation of the Computer Misuse Act 1990 in the UK. This act prohibits unauthorized access, hacking, and misuse of computer systems without authority.
Which of the following is an example of computer-based crime covered by computer misuse legislation?
A) Identity theft
B) Embezzlement
C) Money laundering
D) Insider trading
A) Identity theft
Which of the following is considered an offense under computer misuse legislation?
A) Unauthorized access to a computer system
B) Installing software updates
C) Creating a strong password
D) Conducting regular data backups
A) Unauthorized access to a computer system.
This is considered an offense under computer misuse legislation, as it involves accessing a computer system without proper authorization or permission.
Which of the following factors should be considered when defining a data retention policy?
A) The company’s financial performance
B) The preferences of individual employees
C) Legal requirements and industry regulations
D) Current market trends
C) Legal requirements and industry regulations.
When defining a data retention policy, it is crucial to consider the legal requirements and regulations specific to the industry in which the company operates. Compliance with applicable laws ensures that the company retains data for the required duration and avoids any legal consequences.
Which of the following is an important consideration when implementing a data retention policy?
A) The color-coding system for organizing data.
B) The number of employees in the company.
C) The storage capacity of the server.
D) The sensitivity and classification of the data.
D) The sensitivity and classification of the data.
When implementing a data retention policy, it is important to consider the sensitivity and classification of the data. Different types of data may have different retention requirements based on their sensitivity and the legal or regulatory obligations associated with them. By considering the sensitivity and classification of the data, organizations can ensure that appropriate retention periods and security measures are applied to protect the data effectively.
Which form of intellectual property protects confidential information that provides a competitive advantage to a business?
A) Copyright
B) Trademark
C) Trade secrets
D) Patents
C) Trade secrets.
Trade secrets protect confidential information that gives a business a competitive edge, such as formulas, processes, customer lists, or other valuable proprietary information. Well done!
Which form of intellectual property protection is specifically designed to protect the visual identification of a product or organization?
A) Copyright
B) Trademark
C) Trade secrets
D) Patents
B) Trademark.
Trademarks are specifically designed to protect the visual identification of a product or organization, such as logos, symbols, or specific designs that help distinguish a brand from others in the market.
Which of the following elements is typically included in a robust Service Level Agreement (SLA) between a customer and a supplier?
A) Job description and responsibilities of the supplier’s employees.
B) Duration of the contract and payment terms.
C) Background checks and vetting requirements for customer staff.
D) Procedures for handling disputes and conflict resolution.
B) Duration of the contract and payment terms.
What is the purpose of including a confidentiality clause in a contract?
A) To specify the payment terms between the parties.
B) To outline the legal jurisdiction governing the contract.
C) To ensure that sensitive information shared between the parties remains confidential.
D) To establish the duration of the contract.
C) To ensure that sensitive information shared between the parties remains confidential.
Including a confidentiality clause in a contract helps protect the sensitive information exchanged between the parties involved. It establishes the obligation for both parties to maintain the confidentiality of any proprietary or confidential information disclosed during the course of their business relationship. This clause helps safeguard trade secrets, customer data, intellectual property, and other confidential information from unauthorized disclosure or misuse.
Which international organization is responsible for developing a wide range of standards, including ISO 27001 for Information Security Management System?
A) IEC (International Electrotechnical Commission)
B) IEEE (Institute of Electrical and Electronics Engineers)
C) ISO (International Organisation for Standardisation)
D) ITU (International Telecommunication Union)
C) ISO (International Organisation for Standardisation).
ISO is responsible for developing a wide range of standards, including ISO 27001 for Information Security Management System.
Which international organization provides a standard on good practice for information security and risk management?
A) ISF (Information Security Forum)
B) ITIL (Information Technology Infrastructure Library)
C) COBIT (Control Objectives for Information and Related Technologies)
D) ISO (International Organisation for Standardisation)
D) ISO (International Organisation for Standardisation)
ISO, specifically ISO/IEC 27001 and ISO/IEC 27002, provides internationally recognized standards and guidelines for information security management systems (ISMS) and best practices for information security and risk management. These standards provide organizations with a framework to establish, implement, maintain, and continually improve their information security controls and processes. ISO/IEC 27001 is focused on the requirements for establishing an ISMS, while ISO/IEC 27002 provides guidance on implementing specific information security controls.
Which of the following represents the highest level of evaluation in the Common Criteria for product certification?
A) EAL 7
B) EAL 1
C) EAL 4
D) ISO 15408
A) EAL 7.
EAL 7 represents the highest level of evaluation in the Common Criteria for product certification. It involves formal design review and testing, indicating a more thorough evaluation process. EAL 1 represents the lowest level, focusing on pure functionality, while EAL 4 is a commonly accredited level for modern operating systems and firewalls. ISO 15408 is the standard that embodies the Common Criteria.
Which EAL level involves formal design verification and testing?
A) EAL 1
B) EAL 3
C) EAL 5
D) EAL 7
D) EAL 7.
EAL 7 involves formally verified design and testing.
Which EAL level involves methodical design, testing, and review?
A) EAL 1
B) EAL 3
C) EAL 5
D) EAL 4
D) EAL 4
EAL 4 involves methodical design, testing, and review of the product. EAL 1 is functionally tested, EAL 3 is methodically tested and checked, and EAL 5 is semi-formally designed and tested. EAL 4 is a higher level that includes comprehensive design, testing, and review processes.
Which EAL level is described as methodically tested and checked?
A) EAL 1
B) EAL 3
C) EAL 5
D) EAL 4
B) EAL 3
EAL 3: Methodically tested and checked.
Which international body is responsible for developing and promoting standards for the Internet?
A) IETF (Internet Engineering Task Force)
B) ITU (International Telecommunications Union)
C) NIST (National Institute of Standards and Technology)
D) ENISA (European Union Agency for Network and Information Security)
A) IETF (Internet Engineering Task Force)
IETF (Internet Engineering Task Force): Develops and promotes standards for the Internet. The standards are documented in RFCs (Request for Comments), which cover various aspects of Internet protocols and technologies.
Which organization is responsible for providing technical specifications within information and communications technologies?
A) ITU (International Telecommunications Union)
B) NIST (National Institute of Standards and Technology)
C) IETF (Internet Engineering Task Force)
D) ENISA (European Union Agency for Network and Information Security)
A) ITU (International Telecommunications Union)
ITU (International Telecommunications Union): Responsible for technical specifications in information and communications technologies. ITU-T deals with telecommunications and defines standards using numerical titles, such as X.500 for Directory Services and X.509 for Digital Certificates.
Which organization is known for providing guidance and best practices for American commercial organizations?
A) IETF
B) ITU
C) NIST
D) ENISA
C) NIST.
The National Institute of Standards and Technology (NIST) is a non-regulatory agency of the US Department of Commerce. Its publications (for example the SP 800 series) provide guidance and best practice that American commercial organisations adopt voluntarily.
Alyssa is responsible for her organization’s security awareness program. She is concerned that changes in technology may make the content outdated. What control can she put in place to protect against this risk?
A. Gamification
B. Computer-based training
C. Content reviews
D. Live training
C. Content reviews
Alyssa can put in place content reviews (option C) as a control to protect against the risk of outdated security awareness program content. Content reviews involve regularly evaluating and updating the program’s materials, resources, and training materials to ensure they remain relevant and aligned with current technology trends and security practices. This control allows Alyssa to identify any outdated or inaccurate information and make necessary updates to keep the security awareness program up to date.
While options A, B, and D (gamification, computer-based training, and live training) are methods or approaches that can be used within a security awareness program, they do not directly address the specific risk of content becoming outdated. Content reviews are specifically focused on evaluating and updating the content itself to ensure its accuracy and relevance.
Gavin is creating a report to management on his most recent risk assessment results. In his report, he would like to identify the remaining level of risk to the organization after adopting security controls. What term best describes this current level of risk?
A. Inherent risk
B. Residual risk
C. Control risk
D. Mitigated risk
B. Residual risk
Residual risk is the risk that remains after controls and process improvements have been applied. It contrasts with inherent risk, the level of risk before any controls are in place. Residual risk is the figure management must either accept or treat further, which is why it is the level a risk assessment report should state.
When choosing a technical product to protect classified information it is BEST to select one which has been
A. Fully guaranteed
B. Highly rated by industry journals
C. Certified against ISO27000 standards
D. Recommended by IT
E. Evaluated against the Common Criteria
E. Evaluated against the Common Criteria
When choosing a technical product to protect classified information, it is best to select one that has been evaluated against the Common Criteria. The Common Criteria is an internationally recognized standard for evaluating the security capabilities of information technology products. It provides a framework for assessing the security features and assurance levels of these products.
While the other options may also be relevant considerations (industry ratings, ISO 27000 certification of the supplier, recommendations from IT, or guarantees), a Common Criteria evaluation holds particular significance for products protecting classified information. It provides independent evidence that the product was tested and evaluated against a defined set of security requirements to a stated assurance level (EAL).
A Hash may be defined as
A. A message digest calculated from a set of data
B. An encryption technique
C. A type of malicious software
D. A digital signature
E. An encrypted image
A. A message digest calculated from a set of data
A hash function is a mathematical algorithm that takes an input of any length and produces a fixed-size output, referred to as a "hash" or "message digest". A cryptographic hash is one-way (the input cannot be recovered from the digest) and collision-resistant (it is infeasible to find two inputs with the same digest), so the digest serves as a compact fingerprint of the data. Even a one-bit change in the input produces a completely different digest. Hash functions are used for data integrity checks, password storage, digital signatures and data indexing.
Bob needs to send an email to Alice and be confident that it will arrive unaltered. Alice needs to ensure that the email has come from Bob. Which would be used?
A. Bobs Private Key
B. Alice’s Public Key
C. Alice’s Private Key and Public Key
D. Bobs Public Key
E. Pre Shared Key
A. Bobs Private Key
Bob signs the email with his private key: the message is hashed and the digest is signed, producing a digital signature that only the holder of Bob's private key could have created. Alice verifies the signature with Bob's public key. Any modification to the email changes its hash and invalidates the signature, which gives integrity; the fact that only Bob's private key could have produced it gives Alice assurance of origin (and non-repudiation).
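The two flashcards above (the message digest, and signing with a private key then verifying with the public key) in working code. This is an added example, not part of the original flashcards. The signature part uses textbook RSA with two fixed, small, well-known primes so that it runs on the Python standard library alone; that is an assumption made purely for illustration, and a real system would use a vetted library, a proper key size and a padding scheme such as RSASSA-PSS.

```python
"""Added example: SHA-256 message digest, its avalanche behaviour, and a
sign/verify round trip with textbook RSA on fixed demo parameters."""
import hashlib


def digest(data: bytes) -> bytes:
    """Fixed-size (32-byte) SHA-256 message digest of arbitrary-length input."""
    return hashlib.sha256(data).digest()


def differing_bits(a: bytes, b: bytes) -> int:
    """Number of bit positions in which two equal-length byte strings differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


# --- textbook RSA on fixed demo primes (assumed values, illustration only) ----
P = 2305843009213693951           # 2**61 - 1, a Mersenne prime
Q = 2147483647                    # 2**31 - 1, a Mersenne prime
N = P * Q                         # public modulus (~92 bits: far too small for real use)
E = 65537                         # public exponent
D = pow(E, -1, (P - 1) * (Q - 1)) # private exponent (modular inverse, Python 3.8+)


def sign(message: bytes, private_exponent: int = D) -> int:
    """Bob signs: hash the message, then apply the private key to the digest.
    Reducing the 256-bit digest mod N is a shortcut for this tiny demo modulus."""
    h = int.from_bytes(digest(message), "big") % N
    return pow(h, private_exponent, N)


def verify(message: bytes, signature: int, public_exponent: int = E) -> bool:
    """Alice verifies with Bob's public key: undo the signature and compare digests."""
    h = int.from_bytes(digest(message), "big") % N
    return pow(signature, public_exponent, N) == h


if __name__ == "__main__":
    msg = b"Pay Alice 100 GBP"                # constructed sample message
    d1 = digest(msg)
    d2 = digest(b"Pay Alice 101 GBP")         # one character changed
    print(d1.hex())
    print(f"{differing_bits(d1, d2)} of 256 bits differ")
    s = sign(msg)
    print("signature valid:", verify(msg, s))
    print("tampered message:", verify(b"Pay Alice 1000 GBP", s))
```

Roughly half of the 256 digest bits change between the two near-identical messages, and the signature that validated the original message fails on the tampered one because the digest no longer matches.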
A Trojan Horse is
A. A boot sector virus
B. Code which is maliciously introduced into executable code
C. Code triggered by certain times or events
D. A virus which moves autonomously across a system
E. A backdoor into a system
B) Code which is maliciously introduced into executable code.
A Trojan Horse refers to malicious software that appears to be legitimate or harmless but contains hidden malicious code or functionality. It is named after the ancient Greek story of the Trojan Horse, where a deceptive wooden horse was used to gain access to the city of Troy.
Trojans are typically disguised as legitimate files or programs and are often spread through social engineering techniques, such as email attachments, software downloads, or deceptive links. Once the Trojan is executed, it can perform various malicious activities, such as stealing sensitive information, modifying or deleting files, providing unauthorized access to the system, or facilitating further attacks.
Option B accurately describes the nature of a Trojan Horse, as it involves the malicious introduction of code into executable files or programs. The other options, such as a boot sector virus (A), code triggered by certain times or events (C), a virus that moves autonomously across a system (D), or a backdoor into a system (E), do not specifically capture the characteristics of a Trojan Horse.
Which of the following would be a principal element of the BCP process?
A. Locating a hot site
B. Testing the BCP
C. Documenting agreed procedures
D. Identification and Prioritisation of critical business processes
E. Configuring redundancy
D) Identification and Prioritization of critical business processes.
In the BCP (Business continuity planning) process, it is crucial to identify and prioritize the critical business processes within an organization. This involves analysing and understanding the dependencies, interconnections, and impact of each process on the overall functioning of the business. By identifying critical processes, organizations can allocate appropriate resources, develop strategies for their continuity, and prioritize recovery efforts in case of disruptions or disasters.
When implementing Information Security Standards, it is crucial to gain support from:
A) External accreditors
B) Customers
C) Senior Executives
D) Heads of Department
E) Shop floor staff
C) Senior Executives.
Gaining support from senior executives is essential for the successful implementation of Information Security Standards within an organization. Senior executives hold the authority and influence to allocate resources, set priorities, and make decisions that impact the organization as a whole. Their support is vital in establishing a culture of security, ensuring the necessary budget and resources are allocated, and driving the implementation of security standards throughout the organization.
When would there be a requirement to report a security incident to law enforcement agencies?
A) When local legislation determines it as a requirement
B) When approved by senior management
C) Only when child pornography is discovered
D) When the CISO has considered all other options
E) When the press or media get involved
A) When local legislation determines it as a requirement.
The reporting of security incidents to law enforcement agencies is typically determined by local legislation and regulations. Many countries have laws that mandate the reporting of certain types of security incidents, especially those involving significant breaches, data theft, cyberattacks, or illegal activities.
It is important for organizations to be aware of and comply with applicable laws and regulations regarding incident reporting. Failure to report incidents as required by law may result in legal consequences, penalties, or other adverse outcomes.
In the given scenario, where Bob, an employee, has developed an application during company working hours that is relevant to the business but not directly related to Bob’s employment, the question is: Who owns the intellectual property rights?
A) Bob
B) The Employer
C) They both have equal rights
D) Neither
E) Bob’s Line Manager
B) The Employer.
In general, when an employee develops an application during company working hours, even if it is relevant to the business but not directly related to their employment, the intellectual property rights are often assigned to the employer. This is because the work was created within the scope of employment and is considered a “work made for hire.” As such, the employer typically holds the rights to any intellectual property created by employees as part of their job responsibilities or during company time.
It’s important to note that intellectual property laws and employment agreements can vary, so it is always advisable for employees and employers to refer to specific contracts, policies, and local laws to determine the ownership of intellectual property rights in such situations. Consulting with legal professionals is recommended to ensure a clear understanding of rights and obligations related to intellectual property ownership.
Which of the following is most likely to cause a threat to be treated with a higher priority?
A) Lack of Security Department funding
B) Availability of controls to reduce the risk
C) Cost of implementing controls
D) Business Impact Analysis
E) Effect it has had on other companies
D) Business Impact Analysis.
A Business Impact Analysis (BIA) assesses the potential impact of a threat or incident on critical business operations, processes, and objectives. By evaluating the potential consequences, such as financial losses, operational disruptions, reputational damage, regulatory non-compliance, or harm to human safety, a BIA helps prioritize threats based on their potential impact.
The severity of the threat’s potential impact on the organization’s ability to function and achieve its goals will often determine the priority given to addressing it. Threats that pose a higher risk to critical business functions or have the potential for significant negative consequences will typically be treated with a higher priority.
In order to gain access to a computer operating system, the computer system must:
A) End the active session if unacceptable activity is encountered.
B) Request a User ID and Password to enable logon rights.
C) Require the user to confirm that they are authorized to access the system.
D) Audit logon events and alert the system administrator of each event.
E) Terminate the user account if 3 failed attempts occur.
B) Request a User ID and Password to enable logon rights.
Requiring a user to provide a valid User ID and password is the common method of authenticating users before granting access to an operating system. The user enters a unique User ID (username) and the password that corresponds to it. The system does not hold the password itself but a salted hash of it; it hashes what the user typed in the same way and grants access only if the result matches the stored value.
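An added example, not part of the original flashcards, of the logon check described above: the credential store holds a salt and a PBKDF2 hash rather than the password, the comparison is constant-time, and a failed-attempt counter (the lockout idea from option E) acts as a supporting control. The user record, iteration count and lockout threshold are assumed values for the demonstration.

```python
"""Added example: User ID / password logon against a store of salted hashes."""
import hashlib
import hmac
import os

ITERATIONS = 100_000      # PBKDF2 work factor (assumed demo value)
MAX_FAILURES = 3          # lockout threshold (assumed demo value)


def new_record(password: str) -> dict:
    """Create a credential record: random salt plus PBKDF2-HMAC-SHA256 of the password."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS),
        "failures": 0,
        "locked": False,
    }


# Constructed sample credential store: the password itself is never kept.
USERS = {"alyssa": new_record("correct horse battery staple")}
_DUMMY = new_record("unused")   # hashed against for unknown users to keep timing uniform


def logon(user_id: str, password: str, users: dict = USERS) -> bool:
    """Return True only if the User ID exists, is not locked, and the password matches."""
    rec = users.get(user_id, _DUMMY)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], ITERATIONS)
    ok = hmac.compare_digest(candidate, rec["hash"])   # constant-time comparison
    if rec is _DUMMY or rec["locked"]:
        return False
    if ok:
        rec["failures"] = 0
        return True
    rec["failures"] += 1
    if rec["failures"] >= MAX_FAILURES:
        rec["locked"] = True
    return False


def simulate(passwords: list, correct: str = "pw") -> list:
    """Run a sequence of logon attempts against a fresh single-user store."""
    users = {"t": new_record(correct)}
    return [logon("t", p, users) for p in passwords]


if __name__ == "__main__":
    print(logon("alyssa", "correct horse battery staple"))   # True
    print(logon("alyssa", "wrong"))                          # False
    print(simulate(["bad", "bad", "bad", "pw"]))             # locked before the right password
```

Hashing even for an unknown User ID, and comparing with hmac.compare_digest, removes two timing side channels (username enumeration and byte-by-byte hash guessing) that a naive string comparison against a looked-up record would expose.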
System Security Test and Evaluation Plans SHOULD be set out by:
A) The system developers
B) An external accreditation test team
C) The operational authority
D) Chief Information Security Officer
E) Information Security Team, System Developers, and relevant Operational Staff
E) Information Security Team, System Developers, and relevant Operational Staff.
The development of System Security Test and Evaluation Plans typically involves collaboration between multiple stakeholders to ensure comprehensive coverage and effective evaluation of the system’s security. The Information Security Team, System Developers, and relevant Operational Staff all play important roles in this process.
The Information Security Team is responsible for assessing and managing the security risks associated with the system. They have the expertise to identify the necessary security controls, define testing requirements, and ensure that the system meets the desired security objectives.
The System Developers are responsible for designing and implementing the system. They have in-depth knowledge of the system architecture, functionality, and potential vulnerabilities. Their input is crucial in identifying the areas that require testing and evaluation.
The relevant Operational Staff, such as system administrators or end-users, have operational insights and understand the practical aspects of using the system. Their involvement ensures that the test and evaluation plans align with the system’s operational requirements and real-world scenarios.
Why would a document be classified as Top Secret? (Select 3 Answers)
A) So that users understand the level of Confidentiality
B) So that users understand how to use the document
C) So that users understand how to dispose of the document
D) So that users understand the worth of the document
E) So that users understand the contents of the document
A) So that users understand the level of Confidentiality
C) So that users understand how to dispose of the document
E) So that users understand the contents of the document
Which concept describes the amount of confidence that an organization has that its controls satisfy the necessary security requirements?
A) Assurance
B) Governance
C) Non-repudiation
D) Trust
A) Assurance.
Assurance is the concept that describes the amount of confidence an organization has in the effectiveness and adequacy of its security controls to meet the necessary security requirements. It is about having trust and belief that the implemented controls are operating as intended and providing the desired level of security.
Assurance is achieved through various activities such as security testing, audits, assessments, and evaluations. These processes help evaluate the effectiveness of controls, identify any vulnerabilities or weaknesses, and ensure that the organization’s security requirements are being met.
By having assurance in the security controls, organizations can have greater confidence in the protection of their assets, data, and systems, reducing the risk of security breaches and maintaining the desired security posture.
Which information security principle requires that an organization SHOULD implement overlapping security controls wherever feasibly possible?
A) Separation of Duties
B) Fail Safe Configuration
C) Defence in Depth
D) Web of Trust
C) Defence in Depth.
Defence in Depth is the information security principle that requires an organization to implement overlapping security controls wherever feasibly possible. This principle emphasizes the use of multiple layers of security controls to provide a more robust and effective defence against potential threats and attacks.
By implementing overlapping security controls, an organization adds redundancy and diversity to its security measures. This approach ensures that even if one control fails or is bypassed, there are additional layers of defence in place to mitigate risks and protect the organization’s assets and information.
Defence in Depth helps to minimize the likelihood of a single point of failure and provides a comprehensive security strategy that addresses various attack vectors and vulnerabilities. It involves a combination of technical controls, policies, procedures, and awareness programs to create a layered defence approach.
Overall, implementing overlapping security controls based on the principle of Defence in Depth enhances the organization’s overall security posture and increases the difficulty for adversaries to breach the system or gain unauthorized access.
With the increasing global operation of many corporate organizations, which of the following is LIKELY to be the more important consideration with respect to information security?
A) Understanding that different countries have differing legislation with respect to how information can be handled
B) Ensuring that for all countries that an organization has an office in, they all operate in the same time zone
C) Ensuring that regional preferences for security-related hardware and software are adhered to
D) Storing all corporate data only in one country where an organization’s central office is located
A) Understanding that different countries have differing legislation with respect to how information can be handled
With the increasing global operation of corporate organizations, understanding the differing legislation in different countries regarding information handling is likely to be the more important consideration for information security. This is because each country may have its own specific laws and regulations regarding data protection, privacy, and security.
By understanding and complying with the applicable legislation in each country of operation, organizations can ensure that they handle information in a manner that is legally compliant and aligned with the specific requirements of each jurisdiction. This may include considerations such as data storage, data transfer, consent requirements, breach notification, and other relevant aspects.
Failure to comply with the applicable legislation in any country can lead to legal and regulatory consequences, reputational damage, and loss of customer trust. Therefore, understanding and adhering to different countries’ legislation is crucial for maintaining strong information security practices and ensuring compliance in the global operating environment of corporate organizations.
Whilst drafting a company’s information security policy, what would be an important consideration?
A) The policy should be a standalone document
B) The policy must be integral to all areas of an organization
C) The policy should only be visible to senior management
D) The policy only applies to staff handling confidential information
B) The policy must be integral to all areas of an organization
When drafting a company’s information security policy, an important consideration is that the policy should be integral to all areas of the organization. Information security is a collective responsibility that involves all employees, departments, and functions within the organization. Therefore, the policy should reflect this by being inclusive and applicable to everyone.
Having the information security policy integrated throughout the organization helps to create a culture of security awareness and promotes consistent implementation of security practices. It ensures that all employees understand their roles and responsibilities in protecting the organization’s information assets and helps to establish a strong security posture across the board.
By making the policy integral to all areas of the organization, it becomes a guiding framework for decision-making, risk management, and day-to-day operations related to information security. This helps to minimize security vulnerabilities, maintain compliance with relevant standards and regulations, and protect the organization’s valuable data and resources.
Why could an organization’s “clear desk” policy be seen as a good example of “security as an enabler”?
A) Clear desks allow staff to “hot desk,” making them less likely static “sitting” targets for cyber-attacks.
B) Conformance to data protection laws will be enhanced by not using paper files.
C) Staff no longer need physical desks as they can work remotely, and data theft is no longer a problem.
D) The removal of confidential information from desks reduces the chances of opportunistic theft and keeps it available to the business.
D) The removal of confidential information from desks reduces the chances of opportunistic theft and keeps it available to the business.
An organization’s “clear desk” policy can be seen as a good example of “security as an enabler” because it enhances security while enabling the smooth functioning of the business. By implementing a clear desk policy, confidential information and sensitive documents are removed from desks when not in use, reducing the chances of opportunistic theft.
This security measure ensures that sensitive information remains protected and confidential, mitigating the risk of unauthorized access and data breaches. It also contributes to maintaining compliance with data protection regulations and standards.
Furthermore, by keeping desks clear of confidential information, it becomes readily available to the business and authorized individuals who require access to it. This promotes efficiency, productivity, and collaboration within the organization.
Overall, the “clear desk” policy not only improves security but also enables the organization to maintain a well-organized work environment, enhances compliance with data protection laws, and supports the smooth operation of day-to-day activities.
Legislation in individual countries, such as the Sarbanes-Oxley Act in the USA and the Companies Act in the UK, has had the effect of strengthening corporate responsibility for risk management. The question is: Who now has this ultimate responsibility?
A) IT Manager
B) IT Security Team
C) All Supervisory Roles
D) Corporate Board
D) Corporate Board
The ultimate responsibility for risk management, as strengthened by legislation such as the Sarbanes-Oxley Act and the Companies Act, lies with the Corporate Board. The board of directors of an organization holds the highest level of responsibility for overseeing and managing risk-related matters within the company. They are accountable for establishing risk management strategies, setting risk appetite, ensuring compliance with applicable laws and regulations, and making critical decisions regarding risk mitigation and governance.
While other roles, such as IT managers, IT security teams, and supervisors, may play important roles in implementing and supporting risk management initiatives, the ultimate responsibility rests with the Corporate Board as they have the authority and fiduciary duty to protect the organization’s interests and ensure sound risk management practices are in place.
Within any organization, from both an information assurance and “security culture” perspective, whose responsibility is information security?
A) All staff
B) IT Department
C) Chief Executive Officer
D) Data Protection Officer
A) All staff
From an information assurance perspective, ensuring the security of information is not solely the responsibility of a specific department or role. It is a collective responsibility that extends to all staff members within the organization. Every individual, regardless of their position or role, has a role to play in protecting information assets, following security policies and procedures, and being vigilant against potential security risks.
Regarding the “security culture” perspective, fostering a culture of security within the organization is a shared responsibility among all staff members. This involves promoting security awareness, training employees on security best practices, encouraging reporting of security incidents, and actively participating in maintaining a secure work environment.
While roles such as the IT department, Chief Executive Officer (CEO), and Data Protection Officer (DPO) may have specific responsibilities related to information security, the overall responsibility for information security is shared by all staff members to ensure a comprehensive and effective security posture throughout the organization.
Which of the following is NOT considered an “accidental threat” to information systems?
A) An unexpected flood due to abnormal rainfall
B) A building fire in Corporate Data Centre
C) A person clicking the wrong button
D) A disgruntled employee destroying backup files
D) A disgruntled employee destroying backup files
Deliberate destruction of property or data is never an accident: a disgruntled employee destroying backups is a malicious insider threat, whereas floods, fires and mis-clicks are accidental (environmental or human-error) threats.
Which of the following relationships BEST describes how a risk is determined?
A) Risk = Threat * Vulnerability
B) Risk = Asset * Vulnerability
C) Risk = Impact * Likelihood
D) Risk = Exploit * Likelihood
C) Risk = Impact * Likelihood
The relationship that best describes how a risk is determined is that the risk is equal to the impact multiplied by the likelihood. In risk assessment and management, the impact refers to the potential harm or damage that could result from a threat exploiting a vulnerability, while the likelihood represents the probability or chance of the threat actually occurring. Multiplying these two factors together provides a measure of the overall risk associated with a specific threat scenario. By considering both the potential impact and the likelihood, organizations can prioritize and allocate resources to effectively manage and mitigate risks.
Which of the following can be considered an “internal threat”?
A) Cybercriminal blackmailing a service provider with a denial of service attack
B) Compromised supplier connected to an organization’s order system
C) Employee’s laptop compromised by a malicious drive-by infection from a website
D) Theft of login credentials from a restaurant’s free Wi-Fi hotspot
B) Compromised supplier connected to an organization’s order system
When customer PII (Personal Identifiable Information) has been stolen from an organization’s online store using SQL Injection, where can the vulnerability that led to this exploit usually be found?
A) In the organization’s firewall rules
B) In an employee’s laptop connected to Wi-Fi
C) In the database connected to the organization’s ecommerce website
D) In the organization’s internal email server
C) In the database connected to the organization’s ecommerce website
When customer PII has been stolen from an online store using SQL Injection, the vulnerability is found in the database layer behind the ecommerce website: specifically, in the application code that builds the SQL queries sent to that database. SQL Injection exploits the way user input is handled when a query is constructed. If input is concatenated into the query text rather than passed as a bound parameter, an attacker can supply input that changes the structure of the query and makes the database execute commands the developer never intended, such as returning every row of the customer table. Firewall rules, an employee laptop or the email server do not take part in this exchange, so the flaw cannot be found there.
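The flaw described above shown both ways, as an added example that is not part of the original flashcards: the same customer lookup written with string concatenation and with a bound parameter, run against an in-memory SQLite table. The table, rows and malicious input are constructed here for the demonstration.

```python
"""Added example: SQL Injection in a customer lookup, vulnerable and fixed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample customer table standing in for the ecommerce database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, name TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [("alice@example.com", "Alice", "1234"),
         ("bob@example.com", "Bob", "9876")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Untrusted input pasted into the query text: this is where the flaw lives."""
    query = f"SELECT email, name, card_last4 FROM customers WHERE email = '{email}'"
    return conn.execute(query).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, email: str) -> list:
    """Same query with a bound parameter: input is data and cannot alter the SQL."""
    query = "SELECT email, name, card_last4 FROM customers WHERE email = ?"
    return conn.execute(query, (email,)).fetchall()


# Classic tautology payload: closes the quoted literal and appends OR '1'='1'
MALICIOUS = "x' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print(lookup_vulnerable(conn, MALICIOUS))       # every customer row leaks
    print(lookup_parameterised(conn, MALICIOUS))    # [] : no customer has that email
```

The vulnerable query becomes WHERE email = 'x' OR '1'='1', which is true for every row, so the whole customer table (the PII) comes back. With the parameterised version the database receives the payload as a plain string to compare against the email column, and no row matches.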
When a financial institution has been the victim of a sophisticated cyberattack, which of the following is the MOST LIKELY outcome of an impact assessment of typical realized threats?
A) Loss of confidence by financial investors
B) Increased business opportunity for attracting more investment
C) New intrusion detection software purchased
D) Increased bonus for the financial institution’s CEO
A) Loss of confidence by financial investors
When a financial institution experiences a cyberattack, it can result in a loss of confidence by financial investors. Cyberattacks can undermine trust in the institution’s security and ability to protect sensitive financial information. Investors may become concerned about the potential risks and vulnerabilities associated with the institution’s systems and operations. This loss of confidence can have significant impacts on the institution’s reputation, financial stability, and future investment prospects.
What are the four main components of a risk management process used in the CORRECT life-cycle order?
A) Identify, Analyse, Treat, and Monitor
B) Assess, Verify, Treat, and Maintain
C) Identify, Quantify, Validate, and Monitor
D) Monitor, Analyse, Assess, and Treat
A) Identify, Analyse, Treat, and Monitor
The four main components of a risk management process, in the correct life-cycle order, are:
Identify: This involves identifying and recognizing potential risks and threats to the organization.
Analyse: Once risks are identified, they need to be analysed to understand their likelihood, potential impacts, and vulnerabilities.
Treat: After analysis, appropriate risk treatment strategies are implemented to mitigate or manage the identified risks.
Monitor: The risk management process should include ongoing monitoring and evaluation of the effectiveness of the implemented risk treatments, as well as the identification of new risks that may emerge.
This life-cycle order ensures a systematic and proactive approach to risk management, starting from risk identification, moving to analysis and treatment, and finally incorporating continuous monitoring to adapt and respond to changing risk landscapes.
When undertaking a quantitative risk assessment of an ongoing denial of service threat to an information system, what type of evidence is LIKELY to form part of that assessment?
A) Descriptive analysis of the system’s capabilities
B) Closed questionnaire for the system administrator
C) Statistical chance of another attack recurring
D) Firewall rule documentation protecting the information system
C) Statistical chance of another attack recurring
In a quantitative risk assessment, various factors are considered to determine the likelihood and impact of a denial of service threat to an information system. One of the important pieces of evidence in this assessment is the statistical chance of another attack recurring. This involves analysing historical data and trends related to denial of service attacks to assess the probability of a similar attack happening again. By examining past occurrences and patterns, organizations can gain insights into the likelihood of future attacks and incorporate this information into their risk assessment process.
A financial institution is concerned that it may be at risk of cybercriminals stealing PII (personal Identifiable Information) stored on the organisation’s web server. To address this issue they have adopted a risk mitigation strategy.
Which of the following would support this strategy?
A) Delete the Data
B) Do Nothing
C) Encrypting the data
D) Remove Cyber insurance
C) Encrypting the data
Encrypting the data does not stop it being copied, but with a strong algorithm and properly protected keys an attacker who exfiltrates the stored data cannot read it. The likelihood of theft is unchanged; the impact is reduced, which is what a mitigation control is meant to do. Deleting the data is avoidance, doing nothing is acceptance, and removing cyber insurance removes a transfer control.
(Risk Mitigation: The act of applying controls to reduce risk, sometimes called modification or risk reduction.)
Which risk assessment approach uses a risk matrix that maps risk likelihood against impact, and is usually represented as a 2x2, 3x3, or up to 5x5 sectors representing low, medium, or high risk levels?
A) Quantitative
B) Qualitative
C) Survey-based
D) Cost-based
B) Qualitative
The risk assessment approach that uses a risk matrix mapping risk likelihood against impact, typically represented as a 2x2, 3x3, or up to 5x5 sectors representing low, medium, or high risk levels, is the qualitative risk assessment. In qualitative risk assessment, risks are assessed based on subjective judgments rather than precise numerical values. The risk matrix provides a visual representation of the risk levels, allowing for a quick and intuitive understanding of the overall risk profile. The likelihood and impact of each risk are typically categorized into qualitative descriptors, such as low, medium, or high, and are then mapped onto the risk matrix to determine the risk level. This approach is useful for organizations that prioritize risk management based on general risk levels and do not require precise quantitative measurements.
Qualitative Risk Assessment: A subjective form of risk assessment that does not use specific values. May use words such as low, medium, high.
Quantitative Risk Assessment: an objective form of risk assessment based upon numerical values.
A qualitative risk assessment is being undertaken for an organization.
The two most important risk elements, which should form the major part of the risk analysis, are likelihood and which other element?
A) Threat
B) Vulnerability
C) Impact
D) Cost
C) Impact
When conducting a qualitative risk assessment, the two most important risk elements that should form a major part of the analysis are likelihood and impact. Likelihood refers to the probability or chance of a risk event occurring, while impact refers to the potential consequences or severity of that event if it were to occur.
Assessing the likelihood and impact of risks allows organizations to prioritize and focus their efforts on addressing the most significant and potentially harmful risks. By understanding the likelihood of a risk event happening and the potential impact it could have on the organization, appropriate risk management strategies can be developed to mitigate or minimize the negative effects.
What is one of the key reasons for appointing a Chief Information Security Officer (CISO) at Boardroom level?
A) Single Point of Responsibility for Information Assurance
B) A typical CIO cannot be trusted with security
C) To ensure a bottom-up security culture
D) To ensure compliance with data protection regulations
A) Single Point of Responsibility for Information Assurance
One of the key reasons for appointing a Chief Information Security Officer (CISO) at the Boardroom level is to establish a single point of responsibility for information assurance. The CISO is responsible for overseeing the organization’s information security program, including the development and implementation of policies, procedures, and controls to protect the organization’s information assets. By having a dedicated CISO at the Boardroom level, there is clear accountability and authority for information security matters. This helps ensure that information security is given the necessary attention and priority at the highest level of the organization and that it is integrated into strategic decision-making processes. The CISO’s role is crucial in managing and mitigating information security risks and aligning security initiatives with business objectives.
An e-commerce company has been the victim of a data breach on its credit card payment systems and will need to report on its regulatory compliance.
Which of the following standards or laws would the company be auditing against as a first priority?
A) PCI-DSS
B) GDPR
C) Sarbanes Oxley
D) NIS Directive
A) PCI-DSS
In the given scenario, where the e-commerce company has experienced a data breach on its credit card payment systems, the first priority for the company’s compliance audit would likely be the Payment Card Industry Data Security Standard (PCI-DSS). PCI-DSS is a set of security standards established by major credit card companies to ensure the protection of cardholder data. It outlines specific requirements for organizations that handle credit card transactions, including measures for securing payment systems, protecting customer data, and maintaining a secure network infrastructure. Given the nature of the data breach in the scenario, ensuring compliance with PCI-DSS would be crucial to address any vulnerabilities, protect customer information, and demonstrate adherence to industry security standards.
For an organization looking to develop an information assurance strategy, which of the following is the main difference between a security policy and a standard?
A) A standard only offers guidance while a policy is obligatory
B) A policy contains implementation-specific detail and a standard offers only generic detail
C) A policy sets out what needs to be done - a standard sets out how the policy should be implemented
D) A policy details specific work instructions and a standard offers only high-level objectives
C) A policy sets out what needs to be done - a standard sets out how the policy should be implemented
The main difference between a security policy and a standard is that a policy outlines the objectives, goals, and requirements for information security within an organization, specifying what needs to be done to achieve a secure environment. On the other hand, a standard provides more specific and detailed guidance on how the policy should be implemented. Standards define the specific technical and operational measures, procedures, and controls that need to be followed to meet the requirements outlined in the policy. In summary, the policy sets the “what” of information security, while the standard defines the “how.”
In order to prevent the reoccurrence of a previous incident, which phase of an incident response process would involve a security administrator designing new security controls?
A) Reporting
B) Responding
C) Investigation
D) Corrective Action
D) Corrective Action
In the incident response process, the phase that involves designing new security controls to prevent the reoccurrence of a previous incident is the Corrective Action phase. This phase focuses on addressing the root causes and vulnerabilities that led to the incident. The security administrator, along with relevant stakeholders, will analyse the incident, identify the weaknesses in the existing security measures, and develop and implement corrective actions to mitigate those vulnerabilities. This may involve designing and implementing new security controls, updating policies and procedures, enhancing training programs, or implementing technical solutions to strengthen the overall security posture of the organization. The goal is to prevent similar incidents from happening in the future by addressing the underlying issues and improving the organization’s overall security resilience.
When developing an information security strategy, which of the following would NOT be a consideration?
A) Expected developments in software and hardware
B) Legal, compliance and audit requirements
C) Trends in threats and vulnerabilities
D) Log of recent security incidents
D) Log of recent security incidents
When developing an information security strategy, a log of recent security incidents would not typically be a direct consideration. While the organization can learn from past incidents to improve security measures, the focus of developing a strategy is on proactive planning and prevention rather than reacting to specific incidents. The strategy would typically address preventive measures, risk assessment, compliance requirements, emerging threats, and other proactive considerations rather than being solely based on the log of recent security incidents.
From a legal perspective, which of the following is considered to be misuse of a computer?
A) Theft of a computer laptop from the boot of a car
B) Illegal interception of information
C) Use of one’s own computer for cryptomining
D) Using a computer to access the Dark Web
B) Illegal interception of information
From a legal perspective, illegal interception of information is considered to be a misuse of a computer. This refers to unauthorized access to someone else’s data or communications without their consent or lawful authority. It is a violation of privacy and often a criminal offense, as it involves unauthorized access and potential misuse of sensitive information. The specific laws and regulations regarding illegal interception may vary by jurisdiction.
Under what circumstances might it be legal for an employer to monitor an employee’s online communication?
A) When a statement is included in the organisation’s information assurance policy or employee’s contract of employment
B) An employer can monitor communications whenever or however they want without ever informing the employee
C) The use of Data Protection (e.g., GDPR) laws allows the employer to monitor communications whenever they like
D) When an employee is using online communications outside of normal office hours
A) When a statement is included in the organization’s information assurance policy or employee’s contract of employment
Under certain circumstances, it may be legal for an employer to monitor an employee’s online communication if there is a clear statement in the organization’s information assurance policy or the employee’s contract of employment explicitly stating that such monitoring may occur. This ensures that employees are aware of the possibility of monitoring and provides a legal basis for the employer to conduct such monitoring. It is important for organizations to follow applicable laws and regulations regarding employee privacy and data protection when implementing monitoring practices.
When collecting digital evidence that may be required for use in a court of law, which of the following principles is considered best practice?
A) Digital evidence can only be handled by a member of law enforcement
B) Any digital forensics investigator handling digital evidence must be competent to do so
C) Digital evidence may be altered under supervision by another investigator
D) Acquiring digital evidence can only be carried out on digital devices that have been turned off
B) Any digital forensics investigator handling digital evidence must be competent to do so
The principle that any digital forensics investigator handling digital evidence must be competent to do so is considered best practice for several reasons:
Preservation of integrity: Digital evidence is often fragile and susceptible to alteration or damage. Competent investigators are trained to handle and preserve digital evidence without compromising its integrity. They understand the proper procedures for acquiring, documenting, and analysing digital evidence while minimizing the risk of unintentional changes or tampering.
Admissibility in court: In legal proceedings, digital evidence must meet certain standards of admissibility. Courts require that evidence is collected and handled by qualified individuals who can demonstrate their expertise and adherence to recognized forensic practices. Having competent investigators ensures that the evidence can withstand scrutiny in court and increases the likelihood of its acceptance as valid and reliable.
Accuracy and reliability: Competent investigators possess the necessary knowledge and skills to perform thorough and accurate examinations of digital evidence. They understand the technical aspects involved in data recovery, analysis, and interpretation. Their expertise helps ensure that the evidence is properly understood, evaluated, and presented, enhancing its reliability and credibility.
Chain of custody: Competent investigators are well-versed in maintaining a proper chain of custody for digital evidence. They document each step of the handling process, including its collection, storage, and transportation, to ensure its integrity and prevent any claims of tampering or mishandling. A reliable chain of custody strengthens the evidentiary value of the digital evidence and maintains its credibility in court.
By adhering to the principle that only competent digital forensics investigators should handle digital evidence, organizations and legal authorities can ensure the preservation, reliability, and admissibility of the evidence in legal proceedings.
When transferring encrypted information or cryptography-based tools between legal jurisdictions, according to the ISO/IEC 27000 series, which of the following is NOT a factor that should be considered?
A) Restrictions on import and export of computer hardware and software for performing cryptographic functions
B) Restrictions on the transmission of symmetric and/or asymmetric keys over communication networks
C) Restrictions on import and export of computer hardware and software that is designed to have cryptographic functions added to it
D) Mandatory or discretionary methods of access by the countries’ authorities to information encrypted by computer hardware or software to provide confidentiality of content
B) Restrictions on the transmission of symmetric and/or asymmetric keys over communication networks
When transferring encrypted information or cryptography-based tools between legal jurisdictions, it is essential to consider various factors to ensure compliance with regulations and legal requirements. Restrictions on the transmission of encryption keys over communication networks are a critical factor to be considered.
Encryption keys are crucial for decrypting encrypted information, and their transmission can pose security risks if not properly regulated. Many countries have specific laws and regulations governing the transmission of encryption keys to prevent unauthorized access to sensitive information. Therefore, understanding and complying with the restrictions related to the transmission of encryption keys is an important consideration during the transfer process.
By adhering to these regulations, organizations can ensure the secure transfer of encrypted information and cryptography-based tools while complying with the legal requirements of different jurisdictions.
When attempting to safeguard the source code of information security-related software from piracy, which of the following legal protections would be most effective?
A) Data Protection law
B) Computer Misuse law
C) Copyright law
D) Patents
C) Copyright law.
Copyright law grants exclusive rights to the creator or owner of the software, including the right to reproduce, distribute, and control derivative works. By obtaining copyright protection, the software’s source code is legally protected, and unauthorized copying or use can be addressed through legal action.
Which of the following standards bodies produces international standards that cover information security management systems?
A) BSI
B) ETSI
C) ISO
D) PCI
C) ISO.
ISO (International Organization for Standardization) is a standards body that develops and publishes international standards. ISO 27001 is the standard specifically related to information security management systems (ISMS).
Which body is responsible for publishing technical standards for interoperability of internet protocols and applications?
A) IEEE
B) ENISA
C) ISO
D) IETF
D) IETF (Internet Engineering Task Force)
The Internet Engineering Task Force produces standards called RFCs covering IP and associated applications.
The Internet Engineering Task Force (IETF) is responsible for publishing technical standards and protocols that ensure interoperability of internet protocols and applications. It is a global community of network designers, operators, vendors, and researchers who work together to develop and evolve internet standards. The standards produced by the IETF play a crucial role in enabling different devices, networks, and applications to communicate and function effectively on the internet. These standards are open and freely available, allowing for widespread adoption and implementation across various platforms and systems.
Which internationally recognized standard was created to evaluate if security functions of IT products are appropriately designed and implemented in order to sufficiently counter threats?
A) ISO27001
B) ISO15408
C) PCIDSS
D) ENISA NIS
B) ISO15408
ISO15408 in its entirety is meant to be used as the basis for evaluation of security properties of IT products.
ISO15408, commonly referred to as Common Criteria, is an internationally recognized standard for evaluating the security functions of IT products. It provides a framework for assessing the security features and capabilities of various software and hardware components. The goal of Common Criteria is to ensure that IT products meet specific security requirements and offer sufficient protection against potential threats.
Common Criteria employs a rigorous evaluation process that involves testing and analysis to determine if the security mechanisms implemented in the product are reliable and effective. It considers various aspects such as access control, authentication, data protection, and secure communication. The evaluation is performed by independent and accredited evaluation laboratories.
By adhering to the Common Criteria standard, organizations can have confidence in the security of the IT products they procure. It helps ensure that the products meet specific security requirements and can be trusted to handle sensitive information securely. Common Criteria provides a consistent and internationally recognized approach to assessing the security of IT products, making it an essential framework for evaluating the design and implementation of security functions.
Which international standard deals with the management of IT security, focusing on the technical security control measures?
A) ISO/22301:2019
B) ISO/IEC13335
C) BS 7799 Part 2
D) EIA-232
B) ISO/IEC13335
ISO/IEC 13335 covers the concepts and models fundamental to a basic understanding of IT security, and addresses the general management issues that are essential to the successful planning, implementation and operation of IT security.
ISO/IEC 13335 is an international standard that specifically deals with the management of IT security, focusing on the technical security control measures. It provides guidance on the implementation of security controls, risk assessment, and security incident management. This standard helps organizations establish and maintain effective security practices to protect their information assets. It covers a wide range of topics related to IT security, including network security, system security, application security, and security operations. ISO/IEC 13335 is widely recognized and used by organizations worldwide as a reference for implementing effective IT security measures.
Which of the following frameworks focuses on IT Service Management (including areas such as configuration management, change control, and service level agreements)?
A) ITIL
B) PCIDSS
C) TOGAF
D) ISO27002
A) ITIL
ITIL, formerly an acronym for Information Technology Infrastructure Library, is a set of detailed practices for IT service management (ITSM) that focuses on aligning IT services with the needs of the business.
ITIL (Information Technology Infrastructure Library) is a widely recognized framework for IT Service Management. It provides guidance and best practices for managing IT services, including processes such as configuration management, change control, and service level agreements.
The TYPICAL stages of an information lifecycle are:
A) Create, Clone, Copy, Print, File
B) Create, Store, Retrieve, Use, Remove
C) Create, Use, Store, Retrieve, Delete
D) Copy, Store, Use, Print, Delete
B) Create, Store, Retrieve, Use, Remove
The life span of data/information is expressed in five phases: creation, storage, retrieval, use and final disposition.
CSUSAD:
Create – just another word for acquisition
Store – stored upon a disk or other persistent medium
Use – we use it, process it as part of our job
Share – we may share it with others, securely
Archive – a separate stage: at the end of its working life we may need to retain the data, so we store it in an archive from which we can retrieve it when necessary
Destroy – this can be at end of life, or after the retention period in the archive has expired
Which of the following is NOT a legitimate form of generating or acquiring information as part of the information lifecycle?
A) Typed Letter in the Post
B) Phone call
C) Through an email
D) Printing a document
D) Printing a document
To print a document, the information must already have been created.
Printing a document is not a form of generating or acquiring information as part of the information lifecycle. It is a process of producing a physical copy of existing digital or physical information. In the context of the information lifecycle, the stages typically involve creating or generating information, storing or capturing it, retrieving or accessing it, and using or processing it. Printing a document is a means of output or dissemination rather than a method of generating or acquiring new information.
Which of the following actions occurs within the “publishing” or use of information stage of the information lifecycle?
A) Locking an “actioned” letter in a filing cabinet
B) Moving an email to a folder
C) Sending a tweet advertising an event
D) Deleting a voicemail
C) Sending a tweet advertising an event
Tweeting information is publishing the data to a wider audience.
Which of the following options BEST represents the main components of the DevOps model?
A) Software Development, Quality Assurance, and Operations
B) Hardware Development, Product Management, and Operations
C) Brand Development, Testing, and Security Operations
D) Software Development, Change Management, and Security Operations
A) Software Development, Quality Assurance, and Operations
The DevOps model emphasizes collaboration and integration between software development teams, quality assurance teams, and operations teams.
Software Development involves the creation and coding of software applications and systems.
Quality Assurance (QA) focuses on testing and ensuring the quality and functionality of the software.
Operations involve the deployment, monitoring, and maintenance of the software in production environments.
By combining these three components, the DevOps model aims to streamline the software development lifecycle, improve communication and collaboration, and enhance the overall efficiency and reliability of software delivery.
Which four architecture domains are commonly accepted as the subsets of an overall enterprise architecture supported by TOGAF?
A) Business, information, technology, and application
B) Application, data, infrastructure, and business
C) Technology, application, integration, and business
D) Technology, data, application, and business
D) Technology, data, application, and business
The Open Group Architecture Framework (TOGAF) is a framework for enterprise architecture that provides an approach for designing, planning, implementing, and governing an enterprise information technology architecture. It is typically modelled at four levels: Business, Application, Data, and Technology.
The four architecture domains commonly accepted in the overall enterprise architecture supported by TOGAF are:
Technology: This domain focuses on the hardware, software, and technology infrastructure required to support the organization’s operations. It includes defining technology standards, platforms, and infrastructure components.
Data: This domain deals with the management and governance of data within the organization. It includes data modelling, data architecture, data governance, and data management practices.
Application: This domain addresses the design, development, and management of software applications that support the organization’s business processes. It includes application architecture, application portfolio management, and application integration.
Business: This domain focuses on understanding the organization’s business strategy, goals, processes, and organizational structure. It includes defining business functions, business capabilities, and business processes.
These four domains provide a holistic approach to enterprise architecture, covering technology, data, applications, and business aspects. They help organizations align their IT systems with business objectives, ensure efficient data management, enable effective application development, and support overall business operations.
The security team at a cloud service provider is continually updating the rules on the Internet-facing firewall to meet customer demands, but each new set of rules causes additional access problems for different customers.
What process SHOULD the organisation adopt to ensure that the firewall rules are thoroughly tested before deployment on a production system?
A) Configuration Management
B) Change Control
C) Unit Testing
D) Release Control
B) Change Control
Change control is a process used to manage and control changes to a system or environment. In the given scenario, the organization should adopt the change control process to ensure that the firewall rules are thoroughly tested before deployment on a production system.
Change control involves a systematic approach to reviewing, approving, and implementing changes. It typically includes steps such as documenting the proposed changes, assessing the potential impact of the changes, obtaining approvals from relevant stakeholders, testing the changes in a controlled environment, and implementing the changes in a controlled manner.
By following the change control process, the organization can ensure that any new firewall rules are properly tested before being deployed in a production system. This helps identify and address any access problems or compatibility issues that may arise due to the changes. It also helps maintain the stability and security of the system by ensuring that changes are properly reviewed and controlled.
When a network administrator needs insight into remote console connection events occurring on switches and routers within an organization’s infrastructure, which of the following logging forms is the most appropriate to use?
A) Audit Logging
B) Flow Logging
C) Route Logging
D) Trace Logging
A) Audit Logging
Audit logging is a logging mechanism that captures and records security-related events and actions, providing a detailed record of activities for review and analysis. It helps track and monitor user activities, system changes, and access attempts, allowing administrators to investigate and analyse events related to remote console connections.
By enabling audit logging, the administrator can track and review information such as who accessed the console, when the access occurred, and any actions performed during the session. This information can be crucial for security analysis, troubleshooting, compliance, and forensic purposes.
Other logging forms mentioned in the options, such as flow logging, route logging, and trace logging, are more focused on specific network operations or data flow analysis and may not provide the detailed information required for monitoring remote console connections. Audit logging, on the other hand, is specifically designed for capturing security-related events and is well-suited for monitoring and analysing console connection activities.
What type of software program makes the entire source code available to any person who wishes to inspect, manipulate, or otherwise redistribute for no cost?
A) Open source
B) Proprietary source
C) Closed source
D) Free source
A) Open source
Open source software refers to software programs that provide the complete source code to the public, allowing anyone to view, modify, and distribute it freely. Open source software is typically developed in a collaborative manner by a community of developers who contribute to its improvement. This openness encourages transparency, innovation, and collaboration among developers. Users have the freedom to inspect, modify, and distribute the software according to their needs. Examples of popular open source software include the Linux operating system, the Apache web server, and the Firefox web browser.
Which of the following testing methodologies TYPICALLY involves conducting tests without any knowledge of the underlying source code or the vulnerabilities it may contain?
A) Static Testing
B) User Testing
C) Dynamic Testing
D) Code Review
C) Dynamic Testing
Dynamic Testing is a methodology that involves testing an application or system by executing it and observing its behaviour in real-time. It focuses on evaluating the system’s response to inputs and interactions, without requiring knowledge of the underlying source code or vulnerabilities. This type of testing simulates real-world usage scenarios to identify issues such as functional errors, performance bottlenecks, security vulnerabilities, and other behaviour-related problems. It is particularly effective in uncovering runtime issues that may not be apparent during static analysis or code review.
Which of the following risks is NOT associated with using third-party libraries when developing software applications?
A) Risk that malware toolkits can be written into untrusted libraries
B) Risk that common cryptographic routines may reveal secure data
C) Risk that software libraries have not been tested by the user community
D) Risk that in-house development routines have not been patched
D) Risk that in-house development routines have not been patched
When using third-party libraries in software development, there are several risks associated with them. Let’s analyse each option:
A) Risk that malware toolkits can be written into untrusted libraries: Third-party libraries may contain malicious code or vulnerabilities that can introduce malware into the application.
B) Risk that common cryptographic routines may reveal secure data: Third-party libraries may implement cryptographic algorithms incorrectly, leading to security vulnerabilities that could compromise the confidentiality of sensitive data.
C) Risk that software libraries have not been tested by the user community: Third-party libraries may lack proper testing and validation, increasing the likelihood of undiscovered bugs or vulnerabilities.
D) Risk that in-house development routines have not been patched: This option does not directly relate to the use of third-party libraries. It refers to the organization’s internal development routines and the need to keep them up to date with necessary patches and updates.
Therefore, option D is the one that is NOT specifically associated with using third-party libraries.
What process SHOULD be adopted when an employer wants a high degree of confidence in the trust for an individual who will be handling confidential data?
A) Security clearance and vetting
B) Psychometric testing
C) DNA testing
D) Personal reference checking
A) Security clearance and vetting.
Explanation: When an employer wants a high degree of confidence in the trustworthiness of an individual who will be handling confidential data, the process of security clearance and vetting is typically adopted. This involves conducting background checks, verifying credentials, and assessing the individual’s trustworthiness, integrity, and reliability. Security clearance may involve various levels depending on the sensitivity of the data being handled. By implementing security clearance and vetting procedures, employers can mitigate the risk of unauthorized access, data breaches, and insider threats.
When considering an employee’s personal responsibility for information security, which legal document should be the final arbitrator?
A) Contract of Employment
B) Annual Tax Return
C) Service Level Agreement
D) Acceptable Use Policy
A) Contract of Employment.
The contract of employment is a legal document that outlines the terms and conditions of employment between the employer and the employee. It typically includes clauses related to the employee’s responsibilities, including their responsibilities regarding information security. The contract of employment sets the expectations and obligations of both parties and serves as a legally binding agreement. Therefore, it is the document that should be the final arbitrator when considering an employee’s personal responsibility for information security. The other options, such as the annual tax return, service level agreement, and acceptable use policy, may be relevant in certain contexts but do not have the same legal weight and authority as the contract of employment.
What type of internal control is achieved by disseminating common IT administrative tasks/processes and associated privileges amongst multiple system administrators?
A) Task Independence
B) Segregation of Duties
C) Role Redundancy
D) Fail Safe Operation
B) Segregation of Duties.
Segregation of Duties is a principle in information security and internal control that aims to prevent conflicts of interest and ensure accountability. It involves distributing tasks and associated privileges among multiple individuals to create a system of checks and balances. By separating key administrative tasks and responsibilities, no single individual has complete control or authority over critical functions, reducing the risk of fraud, errors, and unauthorized activities. This helps to ensure that no single person can abuse their privileges or manipulate systems for malicious purposes.
Which of the following topics is NOT suitable for inclusion in an organization’s End User Code of Practice?
A) When work computers can be used for browsing the web
B) The use of personal devices such as smartphones within the organization
C) An employee’s individual contractual hours
D) The need to report all security-based incidents
C) An employee’s individual contractual hours.
The End User Code of Practice typically focuses on guidelines and expectations related to the use of technology, security practices, and acceptable behaviour within the organization. It is not directly related to an employee’s contractual hours, which are usually governed by employment contracts or policies separate from the code of practice. The other options (A, B, and D) are all relevant topics for inclusion in an End User Code of Practice as they pertain to the appropriate use of technology resources, security measures, and reporting obligations.
Which of the following factors should a business consider when managing the risks of third-party suppliers’ information security?
A) Ability to audit a third-party supplier complying with contractual security requirements
B) Ability to undertake a random vulnerability assessment of third-party systems
C) Ability to undertake the security vetting of key employees
D) Ability to demand the declaration of third-party suppliers’ private keys
A) Ability to audit a third-party supplier complying with contractual security requirements.
When managing the risks associated with third-party suppliers’ information security, it is important for a business to have the ability to audit the supplier’s compliance with contractual security requirements. This ensures that the supplier is adhering to the agreed-upon security measures and protocols, reducing the risk of data breaches or other security incidents. By conducting audits, the business can assess the supplier’s security practices and identify any potential vulnerabilities or areas for improvement. This helps in maintaining a higher level of information security within the business’s supply chain.
Which of the following multi-factor authentication techniques provides a combination of both flexibility and low management overhead?
A) Synchronous Hardware Tokens.
B) Biometrics.
C) Asynchronous Hardware Tokens.
D) Software Tokens.
D) Software Tokens.
Software tokens are a type of multi-factor authentication technique that provides a combination of flexibility and low management overhead. Software tokens are typically implemented as mobile apps or software applications installed on a user’s device. They generate one-time passwords (OTPs) that can be used for authentication.
Compared to other options listed, such as synchronous and asynchronous hardware tokens or biometrics, software tokens offer greater flexibility as they can be easily deployed and managed without the need for physical tokens or specialized hardware. They can be installed on a wide range of devices, including smartphones and computers, making them convenient for users. Additionally, software tokens can be easily updated or revoked by the administrator, reducing management overhead.
Overall, software tokens strike a balance between security and convenience, making them a suitable choice for organizations seeking multi-factor authentication with flexibility and minimal management requirements.
For an organisation with a set of dispersed international offices and poor Internet connectivity between the offices, what choice of access control system would allow the MOST flexibility?
A) Mandatory access control
B) Centralised access control
C) Decentralised access control
D) Role-based access control
C) Decentralised access control.
Decentralised access control refers to a model where access control decisions and enforcement are distributed across multiple locations or entities. In this system, each office or location has its own access control mechanisms and is responsible for managing access to its resources independently. This approach allows each office to have more control over its own access control policies and decisions, making it suitable for organizations with dispersed offices and limited connectivity between them.
Decentralised access control offers flexibility because it allows local administrators or office managers to adapt access control policies to their specific needs and requirements. It does not rely heavily on centralized infrastructure or constant connectivity between offices, which can be challenging in situations with poor Internet connectivity.
By implementing decentralised access control, each office can independently manage access to its resources, reducing dependence on central systems and providing greater flexibility in adapting to local conditions and requirements.
What do the different combinations of “rwx” represent when displayed as attributes on a Linux file system during a directory listing?
A) Identification Profiles
B) Authorization Permissions
C) Authentication Identities
D) Accounting Settings
B) Authorization Permissions.
In the context of a Linux file system, the combinations of “rwx” represent the authorization permissions associated with each file and directory. Each character in the combination represents a specific permission:
- “r” stands for read permission, allowing the user to view the contents of a file or list the contents of a directory.
- “w” stands for write permission, allowing the user to modify or delete a file or create, delete, or rename files within a directory.
- “x” stands for execute permission, allowing the user to execute a file (if it is a program or script) or access a directory and its contents.
These permissions can be assigned to three categories of users: the owner of the file, the group that the file belongs to, and others (all users not falling into the previous two categories). The combinations of “rwx” are displayed in sequence for each category, indicating the respective permissions for each.
For example, “rwxr-xr--” indicates that the owner has read, write, and execute permissions, the group has read and execute permissions, and others have only read permission.
By examining these permission combinations, users can determine who has what level of access to a particular file or directory and can manage access control accordingly.
Which of the following should NOT be considered best practice for employee passwords when determining an organization’s password policy?
A) Use password managers to manage complex passwords
B) Use additional forms of authentication alongside passwords
C) Use well-remembered names or phrases from a social media profile
D) Use three random words to form a password
C) Use well-remembered names or phrases from a social media profile.
Using well-remembered names or phrases from a social media profile can make passwords more vulnerable to guessing or dictionary attacks. It is generally recommended to use complex and unique passwords that are not easily guessable or associated with personal information.
When an organization labels its media based on the classification of the data it contains, which of the following typical rules is applied to those labels?
A) Data is labelled as to the integrity of the information it contains
B) Media is labelled at the highest level of classification of the information it contains
C) Media is labelled at the lowest level of classification of the information it contains
D) Data is labelled with all levels that apply to the information it contains
B) Media is labelled at the highest level of classification of the information it contains.
Media might contain many different data objects, so it must be treated at the highest classification of any of them.
When an organization labels its media based on the classification of the data it contains, the typical practice is to assign the label at the highest level of classification. This ensures that the media is appropriately marked with the highest level of sensitivity associated with the information it holds. By labelling at the highest level, it helps enforce access controls and security measures that are appropriate for handling and protecting the classified information.
Which type of penetration testing technique can be used to help inform an organization about its security training and awareness response?
A) Enumeration
B) Reconnaissance
C) Social Engineering
D) Vulnerability Scanning
C) Social Engineering.
Penetration Testing: The process of evaluating the security footprint of computer systems by simulating the methods of a hacker.
Social engineering is a penetration testing technique that involves manipulating individuals through psychological manipulation or deception to gain unauthorized access to information systems. In the context of security training and awareness, social engineering tests the organization’s employees’ ability to identify and respond appropriately to social engineering attacks, such as phishing emails, phone scams, or impersonation attempts. By simulating these attacks, an organization can assess the effectiveness of its security training programs and identify areas for improvement in employee awareness and response to potential threats.