BCS CISMP-V9 Exam Practice Test Instant Access

Question 1

Which of the following is an accepted strategic option for dealing with risk?

ACorrection.

BDetection.

CForbearance.

DAcceptance

Answer : D

In the context of Information Security Management Principles, risk acceptance is a strategic option where an organization decides to accept the potential cost of a risk without taking any actions to mitigate it. This decision is typically made when the cost of mitigating the risk exceeds the cost of the risk's potential impact. Acceptance is part of the risk management process, which also includes risk identification, assessment, and treatment. When accepting a risk, it is crucial to document the decision and the rationale behind it, ensuring that it aligns with the organization's risk appetite and overall security policy.

Question 2

Which security framework impacts on organisations that accept credit cards, process credit card transactions, store relevant data or transmit credit card data?

APCI DSS.

BTOGAF.

CENISA NIS.

DSarbanes-Oxiey

Answer : A

The Payment Card Industry Data Security Standard (PCI DSS) is a security framework that impacts organizations involved with credit card transactions. It sets the requirements for ensuring the security of cardholder data, which is crucial for businesses that accept credit cards, process credit card transactions, store cardholder data, or transmit it. PCI DSS compliance is mandatory for these entities to help prevent credit card fraud, hacking, and various other security vulnerabilities. The standard requires organizations to maintain a secure network, protect cardholder data, manage vulnerabilities, implement strong access control measures, regularly monitor and test networks, and maintain an information security policy.

Question 3

What aspect of an employee's contract of employment Is designed to prevent the unauthorised release of confidential data to third parties even after an employee has left their employment?

ASegregation of Duties.

BNon-disclosure.

CAcceptable use policy.

DSecurity clearance.

Answer : B

Non-disclosure agreements (NDAs) are legal contracts that are designed to protect sensitive information. They are a critical part of an employee's contract of employment to ensure that confidential data is not released to unauthorized third parties. NDAs are specifically intended to prevent the disclosure of confidential information both during the period of employment and after the employee has left the organization. This is essential for maintaining the integrity and confidentiality of proprietary information which could include trade secrets, client data, and other types of sensitive information.

Question 4

In software engineering, what does 'Security by Design'' mean?

ALow Level and High Level Security Designs are restricted in distribution.

BAll security software artefacts are subject to a code-checking regime.

CThe software has been designed from its inception to be secure.

DAll code meets the technical requirements of GDPR.

Answer : C

Security by Design' in software engineering refers to the practice of integrating security measures into the software development process from the very beginning. This approach ensures that security is not an afterthought but a fundamental component of the system's architecture and design.It involves continuous testing, authentication safeguards, and adherence to best programming practices to make systems as free of vulnerabilities and impervious to attack as possible1.By incorporating security early in the design process, potential flaws can be identified and mitigated early on, significantly reducing the cost and complexity of addressing security issues later in the development lifecycle23.

Question 5

Which of the following is NOT considered to be a form of computer misuse?

AIllegal retention of personal data.

BIllegal interception of information.

CIllegal access to computer systems.

DDownloading of pirated software.

Answer : A

The term 'computer misuse' typically refers to activities that are illegal or unauthorized and involve a computer system. This includes illegal interception of information, illegal access to computer systems, and downloading of pirated software, as these actions are unauthorized and often involve breaching security measures. However, the illegal retention of personal data, while a serious privacy concern and potentially a legal issue, is not typically classified under the scope of 'computer misuse'. Instead, it falls under data protection and privacy regulations, which deal with the proper handling and storage of personal information.

Question 6

Which of the following describes a qualitative risk assessment approach?

AA subjective assessment of risk occurrence likelihood against the potential impact that determines the overall severity of a risk.

BThe use of verifiable data to predict the risk occurrence likelihood and the potential impact so as to determine the overall severity of a risk.

CThe use of Monte-Carlo Analysis and Layers of Protection Analysis (LOPA) to determine the overall severity of a risk.

DThe use of Risk Tolerance and Risk Appetite values to determine the overall severity of a risk

Answer : A

A qualitative risk assessment approach is characterized by the subjective analysis of the likelihood of a risk occurring and its potential impact. This method relies on the judgment and experience of the assessor to estimate the severity of a risk. It does not use numerical data or statistical methods, which are typical of quantitative assessments. Instead, it may use descriptors like 'low', 'medium', or 'high' to rate both the likelihood of occurrence and the potential impact. This approach is useful when precise data is unavailable or when assessing complex, multifaceted risks where human insight is valuable.

Question 7

What advantage does the delivery of online security training material have over the distribution of printed media?

AUpdating online material requires a single edit. Printed material needs to be distributed physically.

BOnline training material is intrinsically more accurate than printed material.

CPrinted material is a 'discoverable record' and could expose the organisation to litigation in the event of an incident.

DOnline material is protected by international digital copyright legislation across most territories.

Answer : A

The delivery of online security training material offers several advantages over printed media. One of the key benefits is the ease of updating content. When updates are required, online materials can be edited quickly and efficiently, with changes being immediately available to all users.This contrasts with printed materials, which would require a new physical version to be produced and distributed, a process that is both time-consuming and resource-intensive1.

Furthermore, online training materials can be accessed from anywhere at any time, providing flexibility and convenience for learners.They also allow for interactive elements, such as quizzes and simulations, which can enhance the learning experience1.Additionally, online materials can be tracked for usage and completion, enabling organizations to monitor compliance with training requirements2.

While option C mentions a 'discoverable record,' this refers to the legal concept that materials may be used as evidence in litigation. However, this is not an advantage of online over printed media, as both can be discoverable. Option B's claim that online materials are intrinsically more accurate is not necessarily true, as accuracy depends on the content's quality, not the delivery method. Option D is incorrect because while online materials are protected by copyright laws, this is not an exclusive benefit over printed materials, which are also protected.

BCS CISMP-V9 BCS Foundation Certificate in Information Security Management Principles V9.0 Exam Practice Test