BCS Foundation Certificate in Information Security Management Principles V9.0 CISMP-V9 Exam Practice Test

Page: 1 / 14
Total 100 questions

Want more questions? Get Premium Access.
()

Question 1

When considering outsourcing the processing of data, which two legal "duty of care" considerations SHOULD the original data owner make?

1 Third party is competent to process the data securely.

2. Observes the same high standards as data owner.

3. Processes the data wherever the data can be transferred.

4. Archive the data for long term third party's own usage.

A2 and 3.

B3 and 4.

C1 and 4.

D1 and 2.

Answer : D

When outsourcing data processing, the original data owner has a legal duty of care to ensure that the third party is competent to process the data securely (1) and observes the same high standards as the data owner (2). This means that the third party must have the necessary skills, knowledge, and security measures in place to protect the data, and they must adhere to the same level of data protection and privacy standards as the original owner. Processing the data wherever it can be transferred (3) and archiving the data for the third party's own long-term usage (4) are not primary legal considerations and may, in fact, contravene data protection laws if done without proper safeguards and compliance with regulations.

Question 2

How does the use of a "single sign-on" access control policy improve the security for an organisation implementing the policy?

APassword is better encrypted for system authentication.

BAccess control logs are centrally located.

CHelps prevent the likelihood of users writing down passwords.

DDecreases the complexity of passwords users have to remember.

Answer : C

Single sign-on (SSO) is an access control policy that allows users to authenticate with multiple applications and services by logging in only once. This approach improves security by reducing the number of credentials users must manage, which in turn decreases the likelihood of users writing down passwords. When users have to remember multiple complex passwords, they are more likely to write them down, use simple passwords, or repeat the same password across different services, all of which are security risks. SSO simplifies the login process, which can lead to stronger, unique passwords and reduce the risk of password-related breaches.

Question 3

Which of the following is often the final stage in the information management lifecycle?

ADisposal.

BCreation.

CUse.

DPublication.

Answer : A

The final stage in the information management lifecycle is often disposal. This stage involves the secure deletion or destruction of information that is no longer needed or has reached the end of its retention period. Proper disposal is crucial to prevent unauthorized access or recovery of sensitive data. It ensures compliance with data protection regulations and organizational policies regarding the retention and destruction of data.

Question 4

Why is it prudent for Third Parties to be contracted to meet specific security standards?

AVulnerabilities in Third Party networks can be malevolently leveraged to gain illicit access into client environments.

BIt is a legal requirement for Third Party support companies to meet client security standards.

CAll access to corporate systems must be controlled via a single set of rules if they are to be enforceable.

DThird Parties cannot connect to other sites and networks without a contract of similar legal agreement.

Answer : A

Contracting third parties to meet specific security standards is prudent because vulnerabilities within their networks can be exploited to gain unauthorized access to a client's environment. Third-party vendors often have access to an organization's sensitive data and systems, which can become a potential entry point for cyber attackers. By ensuring that third parties adhere to stringent security standards, an organization can better protect itself against the risk of data breaches and cyber attacks that may originate from less secure third-party networks. This proactive approach to third-party security helps maintain the integrity and confidentiality of the organization's data and systems.

Question 5

When handling and investigating digital evidence to be used in a criminal cybercrime investigation, which of the following principles is considered BEST practice?

ADigital evidence must not be altered unless absolutely necessary.

BAcquiring digital evidence cart only be carried on digital devices which have been turned off.

CDigital evidence can only be handled by a member of law enforcement.

DDigital devices must be forensically 'clean' before investigation.

Answer : D

The best practice when handling and investigating digital evidence for use in a criminal cybercrime investigation is to ensure that digital devices are forensically ''clean'' before any investigation takes place. This means that the devices should be free from any potential contamination that could compromise the integrity of the evidence. It's crucial to maintain the original state of digital evidence as much as possible to ensure its admissibility in court. Altering digital evidence should be avoided unless it's absolutely necessary for the investigation, and even then, it should be done following strict protocols to document the changes made. While law enforcement often handles digital evidence, the principle of maintaining a forensically clean state applies universally to ensure the evidence remains untainted and reliable.

Question 6

In a security governance framework, which of the following publications would be at the HIGHEST level?

AProcedures.

BStandards

CPolicy.

DGuidelines

Answer : C

In a security governance framework, the policy is typically at the highest level because it defines the overall direction and principles that govern the security posture of an organization. Policies are high-level statements that provide guidance to all members of an organization and form the foundation upon which standards, procedures, and guidelines are built. They are approved by the highest levels of management and are meant to be more stable over time, providing a consistent framework for security across the organization.

Question 7

Which of the following is NOT an information security specific vulnerability?

AUse of HTTP based Apache web server.

BUnpatched Windows operating system.

CConfidential data stored in a fire safe.

DUse of an unlocked filing cabinet.

Answer : C

In the context of information security vulnerabilities, we are typically referring to weaknesses that can be exploited by threats to compromise the confidentiality, integrity, or availability of an information system. Options A, B, and D all represent potential vulnerabilities:

A: Use of HTTP for an Apache web server could allow for interception of data due to lack of encryption.

B: An unpatched Windows operating system could have known security flaws that can be exploited.

D: An unlocked filing cabinet could lead to unauthorized physical access to sensitive documents.

Option C, however, refers to the storage of confidential data in a fire safe, which is a protective measure rather than a vulnerability. A fire safe is designed to protect physical assets from damage or destruction, particularly in the event of a fire, and does not inherently contain a weakness that could be exploited by a cyber threat. Therefore, it is not considered an information security specific vulnerability.

Question 8

Which algorithm is a current specification for the encryption of electronic data established by NIST?

ARSA.

BAES.

CDES.

DPGP.

Answer : B

The Advanced Encryption Standard (AES) is the current specification for the encryption of electronic data established by the National Institute of Standards and Technology (NIST). AES is a symmetric block cipher that can encrypt (encipher) and decrypt (decipher) information, converting data to an unintelligible form called ciphertext and back to its original form, plaintext. The AES algorithm is capable of using cryptographic keys of 128, 192, and 256 bits to encrypt and decrypt data in blocks of 128 bits.It was selected by NIST as a Federal Information Processing Standard (FIPS) to protect electronic data and is widely recognized and used for secure data encryption1.

Question 9

Which security concept provides redundancy in the event a security control failure or the exploitation of a vulnerability?

ASystem Integrity.

BSandboxing.

CIntrusion Prevention System.

DDefence in depth.

Answer : D

Defence in depth is a security concept that involves implementing multiple layers of security controls throughout an information system. The idea is that if one control fails or a vulnerability is exploited, other controls will provide redundancy and continue to protect the system. This approach is analogous to a physical fortress with multiple walls; if an attacker breaches one wall, additional barriers exist to stop them from progressing further. In the context of information security, this could include a combination of firewalls, intrusion detection systems, antivirus software, and strict access controls, among others. Defence in depth is designed to address security vulnerabilities not only in technology but also in processes and people, acknowledging that human error or negligence can often lead to security breaches.

Online retailers are the most at risk for the theft of electronic-based credit card data due to the nature of their business, which involves processing a large volume of transactions over the internet. This exposes them to various cyber threats, including hacking, phishing, and other forms of cyber-attacks that can compromise credit card information. Traditional market traders, mail delivery businesses, and agricultural producers typically do not handle credit card transactions to the same extent or in the same electronic manner as online retailers, making them less likely targets for this specific type of data theft.

The principles of Information Security Management emphasize the importance of protecting sensitive data, such as credit card information, through technical security controls and risk management practices.Online retailers must implement robust security measures, including encryption, secure payment gateways, and regular security audits, to mitigate the risks associated with electronic transactions12.

BCS Information Security Management Principles, particularly the sections on Technical Security Controls and Information Risk, provide guidance on protecting electronic data and managing the associated risks1.

Additional insights can be found in the Information Security Management Principles, 3rd Edition by Andy Taylor, David Alexander, Amanda Finch, David Sutton2.

Question 10

What are the different methods that can be used as access controls?

1. Detective.

2. Physical.

3. Reactive.

4. Virtual.

5. Preventive.

A1, 2 and 4.

B1, 2 and 3.

C1, 2 and 5.

D3, 4 and 5.

Answer : C

Access controls are essential in information security for ensuring that resources are available to authorized users and protected from unauthorized access. The methods of access control can be categorized as follows:

Detective: These controls are designed to identify and record unauthorized access attempts. They do not prevent access but are useful for auditing and monitoring purposes.

Physical: Physical controls are tangible measures taken to protect assets, such as locks, fences, and security guards.

Preventive: Preventive controls are designed to stop unauthorized access before it happens. This includes mechanisms like passwords, biometric scans, and encryption.

The combination of detective, physical, and preventive controls provides a robust framework for managing access to sensitive information and systems. Reactive controls are not typically classified as access controls since they deal with responding to incidents after they occur, and virtual controls are not a recognized category in this context.

Question 11

Which of the following describes a qualitative risk assessment approach?

AA subjective assessment of risk occurrence likelihood against the potential impact that determines the overall severity of a risk.

BThe use of verifiable data to predict the risk occurrence likelihood and the potential impact so as to determine the overall severity of a risk.

CThe use of Monte-Carlo Analysis and Layers of Protection Analysis (LOPA) to determine the overall severity of a risk.

DThe use of Risk Tolerance and Risk Appetite values to determine the overall severity of a risk

Answer : A

A qualitative risk assessment approach is characterized by the subjective analysis of the likelihood of a risk occurring and its potential impact. This method relies on the judgment and experience of the assessor to estimate the severity of a risk. It does not use numerical data or statistical methods, which are typical of quantitative assessments. Instead, it may use descriptors like 'low', 'medium', or 'high' to rate both the likelihood of occurrence and the potential impact. This approach is useful when precise data is unavailable or when assessing complex, multifaceted risks where human insight is valuable.

Question 12

Once data has been created In a standard information lifecycle, what step TYPICALLY happens next?

AData Deletion.

BData Archiving.

CData Storage.

DData Publication

Answer : C

After data creation, the typical next step in the standard information lifecycle is data storage. This phase involves securing the data in a storage solution where it can be accessed, managed, and protected effectively. Proper data storage ensures that data remains intact and available for future processing and analysis.It is a critical step before data can be used for any operational or analytical purposes, and precedes other stages such as archiving or deletion, which occur later in the lifecycle123.

Question 13

Which of the following statutory requirements are likely to be of relevance to all organisations no matter which sector nor geographical location they operate in?

ASarbanes-Oxley.

BGDPR.

CHIPAA.

DFSA.

Answer : B

The General Data Protection Regulation (GDPR) is a regulation that applies to all organizations operating within the EU and also to organizations outside of the EU that offer goods or services to, or monitor the behavior of, EU data subjects. It is designed to harmonize data privacy laws across Europe and to protect and empower all EU citizens' data privacy. The GDPR's relevance extends beyond geographical and sector-specific boundaries because it applies to any organization that processes the personal data of individuals within the EU, making it a global standard for data protection.

While other options like Sarbanes-Oxley (SOX) and the Health Insurance Portability and Accountability Act (HIPAA) have significant impacts on specific sectors or regions, GDPR's broad scope makes it relevant to a wide range of organizations worldwide. It sets a precedent for data protection laws globally, influencing other regulations and becoming a de facto standard for many companies, even in countries without similar laws.

Question 14

Which of the following is MOST LIKELY to be described as a consequential loss?

AReputation damage.

BMonetary theft.

CService disruption.

DProcessing errors.

Answer : A

Consequential loss in the context of information security refers to secondary or indirect damage that occurs as a result of a primary event or incident. It is not the immediate direct loss, such as theft of money or service disruption, but rather the subsequent impact that may not be immediately apparent. Reputation damage is a prime example of consequential loss because it is a secondary effect that can occur after a security breach or incident. The loss of trust by customers, partners, and stakeholders can have long-term negative effects on a business's financial health and market position. This type of loss is often more significant and lasting than the immediate direct costs associated with an incident.

Question 15

James is working with a software programme that completely obfuscates the entire source code, often in the form of a binary executable making it difficult to inspect, manipulate or reverse engineer the original source code.

What type of software programme is this?

AFree Source.

BProprietary Source.

CInterpreted Source.

DOpen Source.

Answer : B

The software program described is one that obfuscates the source code, making it difficult to inspect, manipulate, or reverse engineer. This is characteristic of proprietary source software, where the source code is not openly shared or available for public viewing or modification. Proprietary software companies often obfuscate their code to protect intellectual property and prevent unauthorized use or reproduction of their software. Unlike open-source software, where the source code is available for anyone to view, modify, and distribute, proprietary software keeps its source code a secret to maintain control over the software's functions and distribution.

Question 16

What is the name of the method used to illicitly target a senior person in an organisation so as to try to coerce them Into taking an unwanted action such as a misdirected high-value payment?

AWhaling.

BSpear-phishing.

CC-suite spamming.

DTrawling.

Answer : A

The method used to target senior individuals in an organization for coercing them into actions like misdirected high-value payments is known as awhaling attack. This type of attack is a more targeted version of phishing, aimed specifically at high-ranking executives or important individuals within an organization. The attackers masquerade as a senior player at the organization and use social engineering techniques to trick the target into performing actions such as transferring money or revealing sensitive information. Whaling attacks are highly personalized and often involve extensive research on the target to make the fraudulent requests seem legitimate and convincing.The term ''whaling'' is used because it refers to going after the ''big fish'' or ''whales'' of an organization, such as CEOs or CFOs, who have access to significant resources and sensitive information.Reference: Based on the information provided by Kaspersky's resource center on whaling attacks1.

Question 17

What type of attack attempts to exploit the trust relationship between a user client based browser and server based websites forcing the submission of an authenticated request to a third party site?

AXSS.

BParameter Tampering

CSQL Injection.

DCSRF.

Answer : D

Cross-Site Request Forgery (CSRF) is an attack that exploits the trust relationship between a user's browser and a server-based website. In a CSRF attack, the attacker tricks the authenticated user's browser into sending a request to a third-party site, which the browser is already authenticated with, without the user's knowledge or consent. This can lead to unauthorized actions being performed on the user's behalf, such as changing user settings, posting content, or even initiating financial transactions.The attack leverages the fact that the browser automatically includes credentials like cookies, session tokens, or other authentication information with each request to a site123.

Reflectoring's 'Complete Guide to CSRF/XSRF (Cross-Site Request Forgery)'1.

OWASP Foundation's ''Anti CSRF Tokens ASP.NET'' article2.

Threat Intelligence's blog on 'Cross-Site Request Forgery (CSRF) - What Is It, How to Prevent It'3.

Question 18

What form of training SHOULD developers be undertaking to understand the security of the code they have written and how it can improve security defence whilst being attacked?

ARed Team Training.

BBlue Team Training.

CBlack Hat Training.

DAwareness Training.

Answer : D

Developers should undergo Awareness Training to understand the security of the code they have written and how it can improve security defense while being attacked. This type of training educates developers on the importance of security considerations throughout the software development lifecycle (SDLC). It covers best practices for secure coding, common vulnerabilities and how to avoid them, and the impact of code security on the overall security posture of an application. By being aware of security principles and the potential threats, developers can write more secure code, which is crucial for defending against attacks.

Question 19

Which of the following is an asymmetric encryption algorithm?

ADES.

BAES.

CATM.

DRSA.

Answer : D

RSA (Rivest-Shamir-Adleman) is a widely accepted asymmetric encryption algorithm. Unlike symmetric algorithms, which use the same key for both encryption and decryption, asymmetric algorithms use a pair of keys -- a public key for encryption and a private key for decryption. This method allows for secure key exchange over an insecure channel without the need to share the private key. RSA operates on the principle that it is easy to multiply large prime numbers together to create a product, but it is hard to reverse the process, i.e., to factorize the product back into the original primes. This one-way function underpins the security of RSA.

Question 20

Which of the following uses are NOT usual ways that attackers have of leveraging botnets?

AGenerating and distributing spam messages.

BConducting DDOS attacks.

CScanning for system & application vulnerabilities.

DUndertaking vishing attacks

Answer : D

Botnets are typically used by attackers for a variety of malicious activities, most commonly for:

Generating and distributing spam messages: Botnets can send out large volumes of spam emails to promote products or services, or to distribute malware.

Conducting DDoS attacks: Distributed Denial of Service (DDoS) attacks are often carried out using botnets to overwhelm a target's servers with traffic.

Scanning for system & application vulnerabilities: Botnets can be used to scan a large number of systems for vulnerabilities that can be exploited in further attacks.

However,vishing attacks, which involve voice phishing through phone calls, are not commonly associated with the use of botnets.Vishing typically involves direct voice communication to trick individuals into divulging sensitive information and does not leverage the distributed computing power of botnets, which is central to their usual applications such as spam distribution, DDoS attacks, and vulnerability scanning123.

Question 21

Which of the following is a framework and methodology for Enterprise Security Architecture and Service Management?

ATOGAF

BSABSA

CPCI DSS.

DOWASP.

Answer : B

SABSA (Sherwood Applied Business Security Architecture) is a framework and methodology specifically designed for Enterprise Security Architecture and Service Management. It provides a layered approach to security architecture, ensuring that security is aligned with business goals and is driven by risk management principles.SABSA's methodology integrates with business and IT management processes, focusing on the design, delivery, and support of security services within the enterprise environment1.

TOGAF (The Open Group Architecture Framework) is also used in the context of enterprise architecture but is not solely focused on security.It provides a comprehensive approach to the design, planning, implementation, and governance of an enterprise information architecture2.

PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment2.

OWASP (Open Web Application Security Project) is an online community that produces freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security2.

Question 22

How might the effectiveness of a security awareness program be effectively measured?

1) Employees are required to take an online multiple choice exam on security principles.

2) Employees are tested with social engineering techniques by an approved penetration tester.

3) Employees practice ethical hacking techniques on organisation systems.

4) No security vulnerabilities are reported during an audit.

5) Open source intelligence gathering is undertaken on staff social media profiles.

A3, 4 and 5.

B2, 4 and 5.

C1, 2 and 3.

D1, 2 and 5.

Answer : D

The effectiveness of a security awareness program can be measured through various methods that assess both the knowledge and behavior of employees regarding security practices.

Online multiple choice exam on security principles: This method evaluates the employees' understanding of the security principles they have been taught. It's a direct measure of their knowledge and retention.

Testing with social engineering techniques by an approved penetration tester: This practical approach tests employees' reactions to real-life security threats, such as phishing or pretexting, which can indicate the effectiveness of the training in changing behavior.

Open source intelligence gathering on staff social media profiles: This method can reveal whether employees are adhering to security policies by not disclosing sensitive information publicly.

Option 3 is not a direct measure of a security awareness program's effectiveness, as practicing ethical hacking techniques is more about skills development rather than assessing awareness. Option 4, while important, does not directly measure the effectiveness of the security awareness program but rather the overall security posture of the organization.

Question 23

Which of the following acronyms covers the real-time analysis of security alerts generated by applications and network hardware?

ACERT

BSIEM.

CCISM.

DDDoS.

Answer : B

SIEM, which stands for Security Information and Event Management, is the correct acronym that covers the real-time analysis of security alerts generated by applications and network hardware. SIEM systems aggregate and analyze activity data from various resources across the IT infrastructure, such as network devices, servers, and domain controllers. They operate on rules-based and statistical correlation algorithms to establish relationships between log entries, providing reports on security-related incidents and events, and sending alerts if the analysis indicates a potential security issue.This enables organizations to gain insights into their security posture, identify trends, and detect threats or anomalies that could indicate a security incident1.

Question 24

When handling and investigating digital evidence to be used in a criminal cybercrime investigation, which of the following principles is considered BEST practice?

ADigital evidence must not be altered unless absolutely necessary.

BAcquiring digital evidence cart only be carried on digital devices which have been turned off.

CDigital evidence can only be handled by a member of law enforcement.

DDigital devices must be forensically 'clean' before investigation.

Answer : D

Question 25

Which of the following describes a qualitative risk assessment approach?

AA subjective assessment of risk occurrence likelihood against the potential impact that determines the overall severity of a risk.

BThe use of verifiable data to predict the risk occurrence likelihood and the potential impact so as to determine the overall severity of a risk.

CThe use of Monte-Carlo Analysis and Layers of Protection Analysis (LOPA) to determine the overall severity of a risk.

DThe use of Risk Tolerance and Risk Appetite values to determine the overall severity of a risk

Answer : A

Question 26

Which of the following statements relating to digital signatures is TRUE?

ADigital signatures are rarely legally enforceable even if the signers know they are signing a legal document.

BDigital signatures are valid and enforceable in law in most countries in the world.

CDigital signatures are legal unless there is a statutory requirement that predates the digital age.

DA digital signature that uses a signer's private key is illegal.

Answer : B

Digital signatures are a form of electronic signature that uses cryptographic techniques to provide secure and verifiable means of signing electronic documents. They are widely recognized and accepted as legally binding in many jurisdictions around the world. The enforceability of digital signatures is backed by various laws and regulations that recognize electronic signatures as equivalent to handwritten signatures, provided they meet certain criteria for authenticity and integrity.For instance, in the United States, the ESIGN Act establishes the legal validity of electronic signatures, including digital signatures1.Similarly, the eIDAS regulation in the European Union provides a legal framework for electronic signatures and trust services, including digital signatures2.

Question 27

Why might the reporting of security incidents that involve personal data differ from other types of security incident?

APersonal data is not highly transient so its 1 investigation rarely involves the preservation of volatile memory and full forensic digital investigation.

BPersonal data is normally handled on both IT and non-IT systems so such incidents need to be managed in two streams.

CData Protection legislation normally requires the reporting of incidents involving personal data to a Supervisory Authority.

DData Protection legislation is process-oriented and focuses on quality assurance of procedures and governance rather than data-focused event investigation

Answer : C

The reporting of security incidents involving personal data is distinct from other types of incidents primarily due to the legal obligations imposed by data protection legislation. Such laws typically mandate that organizations report certain types of breaches involving personal data to a Supervisory Authority within a specified timeframe. This requirement is in place to ensure prompt and appropriate response to potential privacy risks affecting individuals' rights and freedoms. Failure to comply can result in significant penalties for the organization.The reporting process also often includes notifying affected individuals, especially if there is a high risk of adverse effects on their rights and freedoms12.

The UK GDPR and the Data Protection Act 2018 outline the duty of organizations to report certain personal data breaches to the relevant supervisory authority, such as the ICO, within 72 hours of becoming aware of the breach1.

The ICO's guide on personal data breaches provides detailed instructions on how to recognize a breach, the reporting process, and the importance of having robust breach detection, investigation, and internal reporting procedures12.

Question 28

What term is used to describe the act of checking out a privileged account password in a manner that bypasses normal access controls procedures during a critical emergency situation?

APrivileged User Gateway

BEnterprise Security Management

CMulti Factor Authentication.

DBreak Glass

Answer : D

The term ''Break Glass'' refers to an emergency access procedure that allows users to bypass normal security controls to gain access to a system or service during a critical situation. This method is analogous to breaking the glass of a fire alarm to handle an emergency. In the context of information security management, it is a controlled process that is typically documented, monitored, and audited to ensure it is used only during genuine emergencies.It is a part of an organization's disaster recovery and business continuity planning, ensuring that critical systems can still be accessed when standard authentication methods fail or are unavailable due to various reasons such as service outages, DDoS attacks, or loss of access by the primary administrator12.

Microsoft Entra ID documentation on managing emergency access admin accounts3.

StrongDM's blog explaining the need for ''Break Glass'' accounts for privileged access1.

SSH Academy's definition of ''Break Glass'' access2.

Question 29

Which of the following is NOT a valid statement to include in an organisation's security policy?

AThe policy has the support of Board and the Chief Executive.

BThe policy has been agreed and amended to suit all third party contractors.

CHow the organisation will manage information assurance.

DThe compliance with legal and regulatory obligations.

Answer : B

An organization's security policy should be a reflection of its own security stance and principles, not tailored to third parties. While it may be informed by third-party requirements, the policy itself should not be amended to suit all third-party contractors. This is because the security policy is meant to establish a clear set of rules and expectations for the organization's members to maintain the confidentiality, integrity, and availability of its data. It should be defined, approved by management, and communicated to employees and relevant external parties. Amending the policy to suit all third-party contractors could lead to a dilution of the security standards and potentially compromise the organization's security posture.

Question 30

As well as being permitted to access, create, modify and delete information, what right does an Information Owner NORMALLY have in regard to their information?

ATo assign access privileges to others.

BTo modify associated information that may lead to inappropriate disclosure.

CTo access information held in the same format and file structure.

DTo delete all indexed data in the dataset.

Answer : A

An Information Owner is typically responsible for determining the classification of the information and for ensuring that it is handled and protected in accordance with its classification. This includes the right to assign access privileges to others, which allows the Information Owner to control who can access the information and what level of access they have. This right is essential for maintaining the confidentiality, integrity, and availability of the information, which are core principles of information security management.The Information Owner's role is to ensure that only authorized individuals have access to the information and that they have the appropriate level of access based on their role and need to know.Reference: BCS Foundation Certificate in Information Security Management Principles1.

Question 31

Which of the following statutory requirements are likely to be of relevance to all organisations no matter which sector nor geographical location they operate in?

ASarbanes-Oxley.

BGDPR.

CHIPAA.

DFSA.

Answer : B

Question 32

Which membership based organisation produces international standards, which cover good practice for information assurance?

ABSI.

BIETF.

COWASP.

DISF.

Answer : A

The British Standards Institution (BSI) is known for producing standards that cover good practices in various domains, including information assurance. BSI is the UK's national standards body and a founding member of the International Organization for Standardization (ISO). It contributes to the development of international standards through ISO, which provides frameworks and best practices for information security management systems (ISMS), such as the ISO/IEC 27000 series. These standards are designed to help organizations manage the security of assets such as financial information, intellectual property, employee details, and information entrusted by third parties.

Question 33

A system administrator has created the following "array" as an access control for an organisation.

Developers: create files, update files.

Reviewers: upload files, update files.

Administrators: upload files, delete fifes, update files.

What type of access-control has just been created?

ATask based access control.

BRole based access control.

CRule based access control.

DMandatory access control.

Answer : B

The access control method described is Role-Based Access Control (RBAC). In RBAC, access permissions are based on the roles within an organization, and users are assigned to these roles based on their responsibilities and qualifications. Each role has a defined set of access permissions to perform certain operations. This method simplifies management and ensures that only authorized users can perform actions relevant to their role. For instance, 'Developers' can create and update files, 'Reviewers' can upload and update files, and 'Administrators' have the rights to upload, delete, and update files. This aligns with the RBAC model where permissions are grouped by role rather than by individual user, making it easier to manage and audit.

Question 34

Which of the following is LEASTLIKELY to be the result of a global pandemic impacting on information security?

AA large increase in remote workers operating in insecure premises.

BAdditional physical security requirements at data centres and corporate headquarters.

CIncreased demand on service desks as users need additional tools such as VPNs.

DAn upsurge in activity by attackers seeking vulnerabilities caused by operational changes.

Answer : B

The global pandemic has accelerated the trend of remote work, which inherently increases the risk of information security breaches due to insecure premises (A) and the need for additional tools like VPNs . There's also a higher likelihood of attackers exploiting vulnerabilities during such operational changes (D). However, the need for additional physical security at data centres and corporate headquarters (B) is less likely to be a direct result of a pandemic since the focus shifts to remote work and digital security rather than physical premises that are less occupied.

Question 35

In a security governance framework, which of the following publications would be at the HIGHEST level?

AProcedures.

BStandards

CPolicy.

DGuidelines

Answer : C

Question 36

What term refers to the shared set of values within an organisation that determine how people are expected to behave in regard to information security?

ACode of Ethics.

BSecurity Culture.

CSystem Operating Procedures.

DSecurity Policy Framework.

Answer : B

The term that refers to the shared set of values within an organization that determines how people are expected to behave in regard to information security is known asSecurity Culture. This encompasses the attitudes, beliefs, and behaviors of individuals within the organization towards the protection of data and information assets. A strong security culture is vital for the effective implementation of security policies and controls, as it influences how employees interact with the organization's information systems and handle sensitive information.It's the collective mindset that prioritizes security as a fundamental aspect of all business operations and decisions1.

ACode of Ethicstypically outlines the principles and moral values that guide the behavior of individuals within an organization but does not specifically address information security behaviors.

System Operating Proceduresare detailed written instructions to achieve uniformity of the performance of a specific function, which is more about the operational aspect rather than the underlying values or behaviors.

ASecurity Policy Frameworkprovides a structured set of policies that dictate the security measures and controls that are to be applied across the organization.While it sets the formal requirements for security, it does not inherently define the cultural aspect of how individuals within the organization value and engage with these requirements1.

Question 37

When considering outsourcing the processing of data, which two legal "duty of care" considerations SHOULD the original data owner make?

1 Third party is competent to process the data securely.

2. Observes the same high standards as data owner.

3. Processes the data wherever the data can be transferred.

4. Archive the data for long term third party's own usage.

A2 and 3.

B3 and 4.

C1 and 4.

D1 and 2.

Answer : D

Question 38

Which of the following is a framework and methodology for Enterprise Security Architecture and Service Management?

ATOGAF

BSABSA

CPCI DSS.

DOWASP.

Answer : B

Question 39

When handling and investigating digital evidence to be used in a criminal cybercrime investigation, which of the following principles is considered BEST practice?

ADigital evidence must not be altered unless absolutely necessary.

BAcquiring digital evidence cart only be carried on digital devices which have been turned off.

CDigital evidence can only be handled by a member of law enforcement.

DDigital devices must be forensically 'clean' before investigation.

Answer : D

Question 40

Which three of the following characteristics form the AAA Triad in Information Security?

1. Authentication

2. Availability

3. Accounting

4. Asymmetry

5. Authorisation

A1, 2 and 3.

B2, 4, and 5.

C1, 3 and 4.

D1, 3 and 5.

Answer : D

The AAA Triad in Information Security stands for Authentication, Authorization (also known as Authorisation), and Accounting. These three components are fundamental to ensuring that access to systems is controlled and monitored:

Authenticationis the process of verifying the identity of a user or entity. It ensures that individuals are who they claim to be. This can involve methods such as passwords, biometrics, or tokens.

Authorizationdetermines what an authenticated user is allowed to do. It involves granting or denying rights to access resources and perform actions within a system based on the user's identity.

Accountingkeeps track of user activities. This includes logging when users log in and out, what actions they perform, and what resources they access. It's essential for auditing purposes and can also be used for billing or analyzing resource usage.

These principles are designed to protect information by managing potential risks and controlling access to data. They are part of a broader framework that includes physical, technical, and procedural controls to safeguard information assets.

Question 41

In order to better improve the security culture within an organisation with a top down approach, which of the following actions at board level is the MOST effective?

AAppointment of a Chief Information Security Officer (CISO).

BPurchasing all senior executives personal firewalls.

CAdopting an organisation wide 'clear desk' policy.

DDeveloping a security awareness e-learning course.

Answer : A

Appointing a Chief Information Security Officer (CISO) is the most effective action at the board level to improve the security culture within an organization using a top-down approach. The CISO plays a critical role in establishing and maintaining the enterprise vision, strategy, and program to ensure information assets and technologies are adequately protected. The CISO is responsible for leading the development and implementation of a security program across all aspects of the organization, which includes aligning security initiatives with business objectives, managing risk, and ensuring compliance with relevant laws and regulations. This strategic role not only helps in creating a robust security posture but also promotes a culture of security awareness throughout the organization. By having a dedicated executive responsible for security, it sends a clear message that the organization prioritizes information security and is committed to protecting its assets and stakeholders.

Question 42

Which of the following is the MOST important reason for undertaking Continual Professional Development (CPD) within the Information Security sphere?

AProfessional qualification bodies demand CPD.

BInformation Security changes constantly and at speed.

CIT certifications require CPD and Security needs to remain credible.

DCPD is a prerequisite of any Chartered Institution qualification.

Answer : B

The field of Information Security is dynamic and evolves rapidly, with new threats and technologies emerging regularly. Continual Professional Development (CPD) is crucial in this sphere to ensure that professionals stay up-to-date with the latest security trends, practices, and technologies. CPD enables information security professionals to maintain and enhance their knowledge and skills, which is vital for effectively protecting organizations against the ever-changing threat landscape. This ongoing learning process is not just about retaining credibility or meeting the requirements of professional bodies; it's about ensuring that professionals can respond to new challenges and remain effective in their roles.

Question 43

Which of the following is an accepted strategic option for dealing with risk?

ACorrection.

BDetection.

CForbearance.

DAcceptance

Answer : D

In the context of Information Security Management Principles, risk acceptance is a strategic option where an organization decides to accept the potential cost of a risk without taking any actions to mitigate it. This decision is typically made when the cost of mitigating the risk exceeds the cost of the risk's potential impact. Acceptance is part of the risk management process, which also includes risk identification, assessment, and treatment. When accepting a risk, it is crucial to document the decision and the rationale behind it, ensuring that it aligns with the organization's risk appetite and overall security policy.

Question 44

A security analyst has been asked to provide a triple A service (AAA) for both wireless and remote access network services in an organization and must avoid using proprietary solutions.

What technology SHOULD they adapt?

ATACACS+

BRADIUS.

COauth.

DMS Access Database.

Answer : B

The AAA service, which stands for Authentication, Authorization, and Accounting, is essential for managing user access to network resources. When it comes to providing AAA services for both wireless and remote access network services in a non-proprietary manner, RADIUS (Remote Authentication Dial-In User Service) is the most suitable technology.

RADIUS is an open standard protocol widely used for network access authentication and accounting. It is supported by a variety of network vendors and devices, making it a non-proprietary solution that can be easily integrated into different network environments.RADIUS provides a centralized way to authenticate users, authorize their access levels, and keep track of their activity on the network1.

TACACS+is a Cisco proprietary protocol and therefore does not meet the requirement of avoiding proprietary solutions.

OAuthis a framework for authorization and is not typically used for network access control in the same way that RADIUS is.

MS Access Databaseis not a network authentication protocol and would not provide the necessary AAA services for network security.

Question 45

According to ISO/IEC 27000, which of the following is the definition of a vulnerability?

AA weakness of an asset or group of assets that can be exploited by one or more threats.

BThe impact of a cyber attack on an asset or group of assets.

CThe threat that an asset or group of assets may be damaged by an exploit.

DThe damage that has been caused by a weakness iin a system.

Answer : A

The term 'vulnerability' within the context of ISO/IEC 27000 refers to any weakness present in an asset or group of assets that could potentially be exploited by one or more threats. This definition aligns with the concept of vulnerability as a gap in protection efforts that, if not addressed, could allow a threat to compromise the confidentiality, integrity, or availability of an asset. It is important to note that vulnerabilities can be identified in various components of an organization's infrastructure, including hardware, software, processes, and even personnel. Effective information security management involves identifying these vulnerabilities through risk assessments and implementing appropriate controls to mitigate the risk of exploitation.

Question 46

What is the name of the method used to illicitly target a senior person in an organisation so as to try to coerce them Into taking an unwanted action such as a misdirected high-value payment?

AWhaling.

BSpear-phishing.

CC-suite spamming.

DTrawling.

Answer : A

Question 47

Which of the following statements relating to digital signatures is TRUE?

ADigital signatures are rarely legally enforceable even if the signers know they are signing a legal document.

BDigital signatures are valid and enforceable in law in most countries in the world.

CDigital signatures are legal unless there is a statutory requirement that predates the digital age.

DA digital signature that uses a signer's private key is illegal.

Answer : B

Question 48

Select the document that is MOST LIKELY to contain direction covering the security and utilisation of all an organisation's information and IT equipment, as well as email, internet and telephony.

ACryptographic Statement.

BSecurity Policy Framework.

CAcceptable Usage Policy.

DBusiness Continuity Plan.

Answer : C

The Acceptable Usage Policy (AUP) is the document most likely to contain directives on the security and utilization of an organization's information and IT equipment, including email, internet, and telephony. An AUP outlines the acceptable and unacceptable behaviors for users of the organization's IT systems and services. It typically includes rules and guidelines on the proper use of IT resources, security practices, and the consequences of non-compliance.The AUP is designed to protect both the organization and its users by mitigating risks associated with the misuse of IT resources and ensuring that the use of these resources aligns with the organization's security policies and objectives123.

Question 49

Which of the following is considered to be the GREATEST risk to information systems that results from deploying end-to-end Internet of Things (IoT) solutions?

AUse of 'cheap' microcontroller based sensors.

BMuch larger attack surface than traditional IT systems.

CUse of proprietary networking protocols between nodes.

DUse of cloud based systems to collect loT data.

Answer : B

The deployment of end-to-end Internet of Things (IoT) solutions significantly increases the attack surface compared to traditional IT systems. This is due to the vast number of connected devices, each potentially introducing new vulnerabilities. The heterogeneity of these devices, often with varying levels of security, can lead to more entry points for cyberattacks. Additionally, the complexity of managing and securing these numerous devices, especially when they use different communication protocols and standards, exacerbates the risk. Therefore, the expansion of the attack surface is considered the greatest risk because it amplifies the potential for unauthorized access and compromises the integrity, availability, and confidentiality of information systems.

Question 50

When seeking third party digital forensics services, what two attributes should one seek when making a choice of service provider?

AAppropriate company accreditation and staff certification.

BFormal certification to ISO/IEC 27001 and alignment with ISO 17025.

CAffiliation with local law enforcement bodies and local government regulations.

DClean credit references as well as international experience.

Answer : A

When selecting a third-party digital forensics service provider, it is crucial to ensure that the company has the appropriate accreditations and the staff hold relevant certifications. This ensures that the service provider adheres to recognized standards and best practices in digital forensics, which is essential for the integrity and admissibility of evidence. Company accreditation provides assurance that the organization follows industry-recognized quality standards, while staff certification demonstrates that the individuals handling the forensic process are qualified and competent. This combination is vital for maintaining the credibility of the forensic investigation and the security of the data handled.

Question 51

Which algorithm is a current specification for the encryption of electronic data established by NIST?

ARSA.

BAES.

CDES.

DPGP.

Answer : B

Question 52

How does the use of a "single sign-on" access control policy improve the security for an organisation implementing the policy?

APassword is better encrypted for system authentication.

BAccess control logs are centrally located.

CHelps prevent the likelihood of users writing down passwords.

DDecreases the complexity of passwords users have to remember.

Answer : C

Question 53

Which of the following is NOT an information security specific vulnerability?

AUse of HTTP based Apache web server.

BUnpatched Windows operating system.

CConfidential data stored in a fire safe.

DUse of an unlocked filing cabinet.

Answer : C

A: Use of HTTP for an Apache web server could allow for interception of data due to lack of encryption.

B: An unpatched Windows operating system could have known security flaws that can be exploited.

D: An unlocked filing cabinet could lead to unauthorized physical access to sensitive documents.

Question 54

Which of the following is MOST LIKELY to be described as a consequential loss?

AReputation damage.

BMonetary theft.

CService disruption.

DProcessing errors.

Answer : A

Question 55

What Is the KEY purpose of appending security classification labels to information?

ATo provide guidance and instruction on implementing appropriate security controls to protect the information.

BTo comply with whatever mandatory security policy framework is in place within the geographical location in question.

CTo ensure that should the information be lost in transit, it can be returned to the originator using the correct protocols.

DTo make sure the correct colour-coding system is used when the information is ready for archive.

Answer : A

The primary purpose of appending security classification labels to information is to guide the implementation of appropriate security controls. These labels indicate the level of sensitivity of the information and determine the extent and nature of the controls that need to be applied to protect it. For example, information classified as 'Confidential' will require stricter access controls compared to information classified as 'Public'. The classification labels help in ensuring that information is handled and protected in accordance with its importance to the organization, and in compliance with relevant legal and regulatory requirements.

Question 56

Which of the following is an asymmetric encryption algorithm?

ADES.

BAES.

CATM.

DRSA.

Answer : D

Question 57

What are the different methods that can be used as access controls?

1. Detective.

2. Physical.

3. Reactive.

4. Virtual.

5. Preventive.

A1, 2 and 4.

B1, 2 and 3.

C1, 2 and 5.

D3, 4 and 5.

Answer : C

Detective: These controls are designed to identify and record unauthorized access attempts. They do not prevent access but are useful for auditing and monitoring purposes.

Physical: Physical controls are tangible measures taken to protect assets, such as locks, fences, and security guards.

Preventive: Preventive controls are designed to stop unauthorized access before it happens. This includes mechanisms like passwords, biometric scans, and encryption.

Question 58

What form of training SHOULD developers be undertaking to understand the security of the code they have written and how it can improve security defence whilst being attacked?

ARed Team Training.

BBlue Team Training.

CBlack Hat Training.

DAwareness Training.

Answer : D

Question 59

In a security governance framework, which of the following publications would be at the HIGHEST level?

AProcedures.

BStandards

CPolicy.

DGuidelines

Answer : C

Question 60

What Is the PRIMARY difference between DevOps and DevSecOps?

AWithin DevSecOps security is introduced at the end of development immediately prior to deployment.

BDevSecOps focuses solely on iterative development cycles.

CDevSecOps includes security on the same level as continuous integration and delivery.

DDevOps mandates that security is integrated at the beginning of the development lifecycle.

Answer : C

The primary difference between DevOps and DevSecOps lies in the integration of security practices. DevOps is a methodology that emphasizes collaboration between development and operations teams to automate the software development process, including continuous integration (CI) and continuous delivery (CD). However, DevOps does not inherently prioritize security as part of the development process.

DevSecOps, on the other hand, extends the DevOps principles by integrating security into every aspect of the software development lifecycle. This approach is often summarized by the term ''shift-left,'' which means incorporating security from the beginning and throughout the development process, rather than treating it as an afterthought or a final step before deployment. In DevSecOps, security is considered a shared responsibility among all team members, and it is addressed through continuous security processes that are as integral as CI/CD in the DevOps culture.

Question 61

What form of attack against an employee has the MOST impact on their compliance with the organisation's "code of conduct"?

ABrute Force Attack.

BSocial Engineering.

CRansomware.

DDenial of Service.

Answer : B

Social engineering attacks are designed to exploit human psychology and manipulate individuals into breaking normal security procedures and best practices. These attacks have the most impact on an employee's compliance with an organization's code of conduct because they directly target the employee's behavior and decision-making process. By using deception, persuasion, or influence, attackers can coerce employees into divulging confidential information, providing access to restricted areas, or performing actions that go against the company's policies and ethical standards. This form of attack can lead to violations of the code of conduct, as employees may unknowingly or unwillingly engage in activities that compromise the organization's values and principles.

Question 62

Which of the following statutory requirements are likely to be of relevance to all organisations no matter which sector nor geographical location they operate in?

ASarbanes-Oxley.

BGDPR.

CHIPAA.

DFSA.

Answer : B

Question 63

Which of the following describes a qualitative risk assessment approach?

AA subjective assessment of risk occurrence likelihood against the potential impact that determines the overall severity of a risk.

BThe use of verifiable data to predict the risk occurrence likelihood and the potential impact so as to determine the overall severity of a risk.

CThe use of Monte-Carlo Analysis and Layers of Protection Analysis (LOPA) to determine the overall severity of a risk.

DThe use of Risk Tolerance and Risk Appetite values to determine the overall severity of a risk

Answer : A

Question 64

In terms of security culture, what needs to be carried out as an integral part of security by all members of an organisation and is an essential component to any security regime?

AThe 'need to known principle.

BVerification of visitor's ID

CAppropriate behaviours.

DAccess denial measures

Answer : C

The concept of a security culture within an organization emphasizes that security is not solely a technical issue but also a behavioral one. Appropriate behaviors are essential because they embody the organization's values and beliefs about security. These behaviors ensure that all members of the organization understand and adhere to security policies and procedures, thereby reducing risk and reinforcing the security regime. This includes following the 'need to know' principle, verifying IDs, and implementing access denial measures, but it is the appropriate behaviors that integrate these actions into a coherent and effective security culture.

Question 65

Which of the following is MOST LIKELY to be described as a consequential loss?

AReputation damage.

BMonetary theft.

CService disruption.

DProcessing errors.

Answer : A

Question 66

What term is used to describe the act of checking out a privileged account password in a manner that bypasses normal access controls procedures during a critical emergency situation?

APrivileged User Gateway

BEnterprise Security Management

CMulti Factor Authentication.

DBreak Glass

Answer : D

Microsoft Entra ID documentation on managing emergency access admin accounts3.

StrongDM's blog explaining the need for ''Break Glass'' accounts for privileged access1.

SSH Academy's definition of ''Break Glass'' access2.

Question 67

Which of the following is an accepted strategic option for dealing with risk?

ACorrection.

BDetection.

CForbearance.

DAcceptance

Answer : D

Question 68

Which of the following compliance legal requirements are covered by the ISO/IEC 27000 series?

1. Intellectual Property Rights.

2. Protection of Organisational Records

3. Forensic recovery of data.

4. Data Deduplication.

5. Data Protection & Privacy.

A1, 2 and 3

B3, 4 and 5

C2, 3 and 4

D1, 2 and 5

Answer : D

The ISO/IEC 27000 series, particularly ISO/IEC 27001, provides a framework for information security management systems (ISMS) that helps organizations secure their information assets. This series covers various aspects of information security, including the protection of organizational records and data protection & privacy, which are legal compliance requirements in many jurisdictions. Intellectual Property Rights (IPR) are also considered within the scope of information security as they pertain to the protection of proprietary information and assets. Forensic recovery of data and data deduplication are technical and operational considerations but are not directly addressed as compliance legal requirements within the ISO/IEC 27000 series.

Question 69

Which cryptographic protocol preceded Transport Layer Security (TLS)?

APublic Key Infrastructure (PKI).

BSimple Network Management Protocol (SNMP).

CSecure Sockets Layer (SSL).

DHypertext Transfer Protocol Secure (HTTPS)

Answer : C

The cryptographic protocol that preceded Transport Layer Security (TLS) is Secure Sockets Layer (SSL). SSL was the standard security protocol designed to provide communications security over a computer network before TLS was introduced. TLS evolved from SSL, with the first version of TLS (1.0) being developed as SSL version 3.1.However, the name was changed to TLS to indicate that it was no longer associated with Netscape, the company that developed SSL123.

SSL was used from 1994 until it was deprecated in 2015 by the Internet Engineering Task Force (IETF) due to security vulnerabilities.Before its deprecation, TLS was already being used as a backup protocol for SSL 3.0 and quickly became the successor to SSL3. This transition highlights the continuous effort to improve cryptographic protocols to ensure secure communications over the internet.

Question 70

Which of the following is a framework and methodology for Enterprise Security Architecture and Service Management?

ATOGAF

BSABSA

CPCI DSS.

DOWASP.

Answer : B

Question 71

Which of the following describes a qualitative risk assessment approach?

AA subjective assessment of risk occurrence likelihood against the potential impact that determines the overall severity of a risk.

BThe use of verifiable data to predict the risk occurrence likelihood and the potential impact so as to determine the overall severity of a risk.

CThe use of Monte-Carlo Analysis and Layers of Protection Analysis (LOPA) to determine the overall severity of a risk.

DThe use of Risk Tolerance and Risk Appetite values to determine the overall severity of a risk

Answer : A

Question 72

The policies, processes, practices, and tools used to align the business value of information with the most appropriate and cost-effective infrastructure from the time information is conceived through its final disposition.

Which of the below business practices does this statement define?

AInformation Lifecycle Management.

BInformation Quality Management.

CTotal Quality Management.

DBusiness Continuity Management.

Answer : A

The statement defines Information Lifecycle Management (ILM), which is a set of policies, processes, practices, and tools that manage the flow of an organization's information throughout its life cycle. ILM is concerned with aligning the business value of information with the most appropriate and cost-effective infrastructure from the moment the information is created until its final disposition. This includes how information is created, stored, used, archived, and eventually disposed of. An effective ILM strategy helps organizations manage their data in compliance with business requirements, regulatory obligations, and cost constraints.

Question 73

Why have MOST European countries developed specific legislation that permits police and security services to monitor communications traffic for specific purposes, such as the detection of crime?

AUnder the European Convention of Human Rights, the interception of telecommunications represents an interference with the right to privacy.

BGDPR overrides all previous legislation on information handling, so new laws were needed to ensure authorities did not inadvertently break the law.

CPolice could previously intercept without lawful authority any communications in the course of transmission through a public post or telecoms system.

DSurveillance of a conversation or an online message by law enforcement agents was previously illegal due to the 1950 version of the Human Rights Convention.

Answer : A

The European Convention on Human Rights (ECHR) protects the right to privacy, which includes the security of personal data and protection against surveillance1. This right is not absolute and can be limited under certain conditions, such as for the protection of national security or public safety. Most European countries have developed specific legislation that allows police and security services to monitor communications traffic, but this must be done within the boundaries set by the ECHR and subsequent legislation like the GDPR.The GDPR itself does not override the ECHR but complements it by providing detailed regulations on the processing of personal data, including provisions for law enforcement authorities to process data for criminal investigations in a way that respects fundamental rights23.

Question 74

Which of the following uses are NOT usual ways that attackers have of leveraging botnets?

AGenerating and distributing spam messages.

BConducting DDOS attacks.

CScanning for system & application vulnerabilities.

DUndertaking vishing attacks

Answer : D

Botnets are typically used by attackers for a variety of malicious activities, most commonly for:

Generating and distributing spam messages: Botnets can send out large volumes of spam emails to promote products or services, or to distribute malware.

Conducting DDoS attacks: Distributed Denial of Service (DDoS) attacks are often carried out using botnets to overwhelm a target's servers with traffic.

Scanning for system & application vulnerabilities: Botnets can be used to scan a large number of systems for vulnerabilities that can be exploited in further attacks.

Question 75

Which algorithm is a current specification for the encryption of electronic data established by NIST?

ARSA.

BAES.

CDES.

DPGP.

Answer : B

Question 76

How does the use of a "single sign-on" access control policy improve the security for an organisation implementing the policy?

APassword is better encrypted for system authentication.

BAccess control logs are centrally located.

CHelps prevent the likelihood of users writing down passwords.

DDecreases the complexity of passwords users have to remember.

Answer : C

Question 77

What term refers to the shared set of values within an organisation that determine how people are expected to behave in regard to information security?

ACode of Ethics.

BSecurity Culture.

CSystem Operating Procedures.

DSecurity Policy Framework.

Answer : B

ACode of Ethicstypically outlines the principles and moral values that guide the behavior of individuals within an organization but does not specifically address information security behaviors.

Question 78

Which of the following is NOT an accepted classification of security controls?

ANominative.

BPreventive.

CDetective.

DCorrective.

Answer : A

Security controls are measures taken to safeguard an information system from attacks or to mitigate the impact of a breach. They are commonly classified into three main categories: preventive, detective, and corrective. Preventive controls aim to prevent incidents before they occur, detective controls are designed to discover and detect security events, and corrective controls are intended to restore systems to normal operation after an incident. The term ''nominative'' is not recognized as a standard classification of security controls within the principles of information security management.Instead, the accepted classifications align with the objectives of protecting the confidentiality, integrity, and availability of information.Reference: The BCS Foundation Certificate in Information Security Management Principles outlines the categorization, operation, and effectiveness of controls of different types and characteristics, which does not include ''nominative'' as a classification1.

Question 79

How might the effectiveness of a security awareness program be effectively measured?

1) Employees are required to take an online multiple choice exam on security principles.

2) Employees are tested with social engineering techniques by an approved penetration tester.

3) Employees practice ethical hacking techniques on organisation systems.

4) No security vulnerabilities are reported during an audit.

5) Open source intelligence gathering is undertaken on staff social media profiles.

A3, 4 and 5.

B2, 4 and 5.

C1, 2 and 3.

D1, 2 and 5.

Answer : D

The effectiveness of a security awareness program can be measured through various methods that assess both the knowledge and behavior of employees regarding security practices.

Open source intelligence gathering on staff social media profiles: This method can reveal whether employees are adhering to security policies by not disclosing sensitive information publicly.

Question 80

Which term is used to describe the set of processes that analyses code to ensure defined coding practices are being followed?

AQuality Assurance and Control

BDynamic verification.

CStatic verification.

DSource code analysis.

Answer : C

Static verification refers to the set of processes that analyze code without executing it to ensure that defined coding practices are being followed. This method involves reviewing the code to detect errors, enforce coding standards, and identify security vulnerabilities. It is a crucial part of the software development lifecycle and helps maintain code quality and reliability. Static verification can be performed manually through code reviews or automatically using static analysis tools.

Question 81

What aspect of an employee's contract of employment Is designed to prevent the unauthorised release of confidential data to third parties even after an employee has left their employment?

ASegregation of Duties.

BNon-disclosure.

CAcceptable use policy.

DSecurity clearance.

Answer : B

Non-disclosure agreements (NDAs) are legal contracts that are designed to protect sensitive information. They are a critical part of an employee's contract of employment to ensure that confidential data is not released to unauthorized third parties. NDAs are specifically intended to prevent the disclosure of confidential information both during the period of employment and after the employee has left the organization. This is essential for maintaining the integrity and confidentiality of proprietary information which could include trade secrets, client data, and other types of sensitive information.

Question 82

What Is the KEY purpose of appending security classification labels to information?

ATo provide guidance and instruction on implementing appropriate security controls to protect the information.

BTo comply with whatever mandatory security policy framework is in place within the geographical location in question.

CTo ensure that should the information be lost in transit, it can be returned to the originator using the correct protocols.

DTo make sure the correct colour-coding system is used when the information is ready for archive.

Answer : A

Question 83

Select the document that is MOST LIKELY to contain direction covering the security and utilisation of all an organisation's information and IT equipment, as well as email, internet and telephony.

ACryptographic Statement.

BSecurity Policy Framework.

CAcceptable Usage Policy.

DBusiness Continuity Plan.

Answer : C

Question 84

A system administrator has created the following "array" as an access control for an organisation.

Developers: create files, update files.

Reviewers: upload files, update files.

Administrators: upload files, delete fifes, update files.

What type of access-control has just been created?

ATask based access control.

BRole based access control.

CRule based access control.

DMandatory access control.

Answer : B

Question 85

Which of the following statements relating to digital signatures is TRUE?

ADigital signatures are rarely legally enforceable even if the signers know they are signing a legal document.

BDigital signatures are valid and enforceable in law in most countries in the world.

CDigital signatures are legal unless there is a statutory requirement that predates the digital age.

DA digital signature that uses a signer's private key is illegal.

Answer : B

Question 86

Why might the reporting of security incidents that involve personal data differ from other types of security incident?

APersonal data is not highly transient so its 1 investigation rarely involves the preservation of volatile memory and full forensic digital investigation.

BPersonal data is normally handled on both IT and non-IT systems so such incidents need to be managed in two streams.

CData Protection legislation normally requires the reporting of incidents involving personal data to a Supervisory Authority.

DData Protection legislation is process-oriented and focuses on quality assurance of procedures and governance rather than data-focused event investigation

Answer : C

Question 87

What does a penetration test do that a Vulnerability Scan does NOT?

AA penetration test seeks to actively exploit any known or discovered vulnerabilities.

BA penetration test looks for known vulnerabilities and reports them without further action.

CA penetration test is always an automated process - a vulnerability scan never is.

DA penetration test never uses common tools such as Nrnap, Nessus and Metasploit.

Answer : A

A penetration test, unlike a vulnerability scan, is an in-depth process where security professionals actively attempt to exploit vulnerabilities in a system. The goal is to simulate a real-world attack to understand how an attacker could exploit vulnerabilities and to determine the potential impact. This involves not just identifying vulnerabilities, as a scan does, but also attempting to exploit them to understand the full extent of the risk. Penetration tests are typically manual or semi-automated and involve a variety of tools and techniques to uncover and exploit security weaknesses, which can include common tools like Nmap, Nessus, and Metasploit.

Question 88

What form of training SHOULD developers be undertaking to understand the security of the code they have written and how it can improve security defence whilst being attacked?

ARed Team Training.

BBlue Team Training.

CBlack Hat Training.

DAwareness Training.

Answer : D

Question 89

What Is the PRIMARY security concern associated with the practice known as Bring Your Own Device (BYOD) that might affect a large organisation?

AMost BYOD involves the use of non-Windows hardware which is intrinsically insecure and open to abuse.

BThe organisation has significantly less control over the device than over a corporately provided and managed device.

CPrivately owned end user devices are not provided with the same volume nor frequency of security patch updates as a corporation.

DUnder GDPR it is illegal for an individual to use a personal device when handling personal information under corporate control.

Answer : B

The primary security concern with BYOD is the reduced level of control an organization has over employees' personal devices compared to corporately owned and managed devices. This lack of control can lead to inconsistent security practices, such as irregular updates, lack of standardized security software, and potential for data leakage if the device is lost or compromised.BYOD policies must address these challenges by implementing security measures that protect corporate data while respecting users' privacy on their personal devices123.

The BCS Foundation Certificate in Information Security Management Principles outlines the importance of managing information risk and implementing comprehensive security controls, which are particularly relevant for BYOD policies1.

Literature on BYOD security risks and mitigation strategies provides insights into the challenges and best practices for managing personal devices in a corporate environment2.

Reviews of security access control policies and techniques based on privacy requirements in a BYOD environment offer a systematic approach to addressing BYOD security concerns3.

Question 90

Which of the following is a framework and methodology for Enterprise Security Architecture and Service Management?

ATOGAF

BSABSA

CPCI DSS.

DOWASP.

Answer : B

Question 91

Which of the following statutory requirements are likely to be of relevance to all organisations no matter which sector nor geographical location they operate in?

ASarbanes-Oxley.

BGDPR.

CHIPAA.

DFSA.

Answer : B

Question 92

Which term describes the acknowledgement and acceptance of ownership of actions, decisions, policies and deliverables?

AAccountability.

BResponsibility.

CCredibility.

DConfidentiality.

Answer : A

Accountability is the term that describes the acknowledgement and acceptance of ownership of actions, decisions, policies, and deliverables. It implies that an individual or organization is willing to take responsibility for their actions and the outcomes of those actions, and is answerable to the relevant stakeholders. This concept is fundamental in information security management, as it ensures that individuals and teams are aware of their roles and the expectations placed upon them, particularly in relation to the protection of information assets. Accountability cannot be delegated; while tasks can be assigned to others, the ultimate ownership and obligation to report and justify the outcomes remain with the accountable party.

Question 93

What is the name of the method used to illicitly target a senior person in an organisation so as to try to coerce them Into taking an unwanted action such as a misdirected high-value payment?

AWhaling.

BSpear-phishing.

CC-suite spamming.

DTrawling.

Answer : A

Question 94

Which three of the following characteristics form the AAA Triad in Information Security?

1. Authentication

2. Availability

3. Accounting

4. Asymmetry

5. Authorisation

A1, 2 and 3.

B2, 4, and 5.

C1, 3 and 4.

D1, 3 and 5.

Answer : D

Authenticationis the process of verifying the identity of a user or entity. It ensures that individuals are who they claim to be. This can involve methods such as passwords, biometrics, or tokens.

Authorizationdetermines what an authenticated user is allowed to do. It involves granting or denying rights to access resources and perform actions within a system based on the user's identity.

Question 95

Which of the following compliance legal requirements are covered by the ISO/IEC 27000 series?

1. Intellectual Property Rights.

2. Protection of Organisational Records

3. Forensic recovery of data.

4. Data Deduplication.

5. Data Protection & Privacy.

A1, 2 and 3

B3, 4 and 5

C2, 3 and 4

D1, 2 and 5

Answer : D

Question 96

Which of the below business practices does this statement define?

AInformation Lifecycle Management.

BInformation Quality Management.

CTotal Quality Management.

DBusiness Continuity Management.

Answer : A

Question 97

Which standards framework offers a set of IT Service Management best practices to assist organisations in aligning IT service delivery with business goals - including security goals?

AITIL.

BSABSA.

CCOBIT

DISAGA.

Answer : A

ITIL (Information Technology Infrastructure Library) is a widely recognized framework that offers a comprehensive set of best practices for IT Service Management (ITSM). It assists organizations in aligning IT services with business goals, including security objectives. ITIL provides guidance on the entire service lifecycle, from service strategy and design to service transition, operation, and continual service improvement. By following ITIL's structured approach, organizations can enhance the quality of IT services, manage risk effectively, improve customer satisfaction, and ensure that IT and business strategies are in sync.

Question 98

Which of the following is considered to be the GREATEST risk to information systems that results from deploying end-to-end Internet of Things (IoT) solutions?

AUse of 'cheap' microcontroller based sensors.

BMuch larger attack surface than traditional IT systems.

CUse of proprietary networking protocols between nodes.

DUse of cloud based systems to collect loT data.

Answer : B

Question 99

Which of the following describes a qualitative risk assessment approach?

AA subjective assessment of risk occurrence likelihood against the potential impact that determines the overall severity of a risk.

BThe use of verifiable data to predict the risk occurrence likelihood and the potential impact so as to determine the overall severity of a risk.

CThe use of Monte-Carlo Analysis and Layers of Protection Analysis (LOPA) to determine the overall severity of a risk.

DThe use of Risk Tolerance and Risk Appetite values to determine the overall severity of a risk

Answer : A

Question 100

Which standard deals with the implementation of business continuity?

AISO/IEC 27001

BCOBIT

CIS0223G1.

DBS5750.

Answer : C

The standard that deals specifically with the implementation of business continuity is ISO 22301, which is internationally recognized. It outlines the requirements for a business continuity management system (BCMS), which provides a framework for organizations to update, control, and deploy an effective BCMS that helps them to be prepared and respond effectively to disruptions. ISO/IEC 27001 is related to information security management systems (ISMS) and while it includes aspects of business continuity, it is not solely focused on it. COBIT is a framework for developing, implementing, monitoring, and improving IT governance and management practices, and BS5750 is a standard for quality management systems, now superseded by ISO 9000 series.

Question 101

Which of the following is MOST LIKELY to be described as a consequential loss?

AReputation damage.

BMonetary theft.

CService disruption.

DProcessing errors.

Answer : A

Question 102

In a security governance framework, which of the following publications would be at the HIGHEST level?

AProcedures.

BStandards

CPolicy.

DGuidelines

Answer : C

Question 103

Which of the following is often the final stage in the information management lifecycle?

ADisposal.

BCreation.

CUse.

DPublication.

Answer : A

Question 104

What term refers to the shared set of values within an organisation that determine how people are expected to behave in regard to information security?

ACode of Ethics.

BSecurity Culture.

CSystem Operating Procedures.

DSecurity Policy Framework.

Answer : B

ACode of Ethicstypically outlines the principles and moral values that guide the behavior of individuals within an organization but does not specifically address information security behaviors.

Question 105

Which of the following is a framework and methodology for Enterprise Security Architecture and Service Management?

ATOGAF

BSABSA

CPCI DSS.

DOWASP.

Answer : B

Question 106

Which of the following is an accepted strategic option for dealing with risk?

ACorrection.

BDetection.

CForbearance.

DAcceptance

Answer : D

Question 107

Which term is used to describe the set of processes that analyses code to ensure defined coding practices are being followed?

AQuality Assurance and Control

BDynamic verification.

CStatic verification.

DSource code analysis.

Answer : C

Question 108

When considering outsourcing the processing of data, which two legal "duty of care" considerations SHOULD the original data owner make?

1 Third party is competent to process the data securely.

2. Observes the same high standards as data owner.

3. Processes the data wherever the data can be transferred.

4. Archive the data for long term third party's own usage.

A2 and 3.

B3 and 4.

C1 and 4.

D1 and 2.

Answer : D

Question 109

A system administrator has created the following "array" as an access control for an organisation.

Developers: create files, update files.

Reviewers: upload files, update files.

Administrators: upload files, delete fifes, update files.

What type of access-control has just been created?

ATask based access control.

BRole based access control.

CRule based access control.

DMandatory access control.

Answer : B

Question 110

You are undertaking a qualitative risk assessment of a likely security threat to an information system.

What is the MAIN issue with this type of risk assessment?

AThese risk assessments are largely subjective and require agreement on rankings beforehand.

BDealing with statistical and other numeric data can often be hard to interpret.

CThere needs to be a large amount of previous data to 'train' a qualitative risk methodology.

DIt requires the use of complex software tools to undertake this risk assessment.

Answer : A

The main issue with qualitative risk assessments is their inherent subjectivity. Unlike quantitative assessments that use numerical data, qualitative assessments rely on the judgment and experience of the assessors to estimate risks. This can lead to inconsistencies if the criteria for ranking and categorizing risks are not clearly defined and agreed upon by all stakeholders involved in the assessment process. The subjective nature of this method can also influence the prioritization of risks, potentially affecting the decision-making process regarding which security controls to implement.

Question 111

What term is used to describe the act of checking out a privileged account password in a manner that bypasses normal access controls procedures during a critical emergency situation?

APrivileged User Gateway

BEnterprise Security Management

CMulti Factor Authentication.

DBreak Glass

Answer : D

Microsoft Entra ID documentation on managing emergency access admin accounts3.

StrongDM's blog explaining the need for ''Break Glass'' accounts for privileged access1.

SSH Academy's definition of ''Break Glass'' access2.

Question 112

Which of the following is NOT considered to be a form of computer misuse?

AIllegal retention of personal data.

BIllegal interception of information.

CIllegal access to computer systems.

DDownloading of pirated software.

Answer : A

The term 'computer misuse' typically refers to activities that are illegal or unauthorized and involve a computer system. This includes illegal interception of information, illegal access to computer systems, and downloading of pirated software, as these actions are unauthorized and often involve breaching security measures. However, the illegal retention of personal data, while a serious privacy concern and potentially a legal issue, is not typically classified under the scope of 'computer misuse'. Instead, it falls under data protection and privacy regulations, which deal with the proper handling and storage of personal information.

Question 113

Which of the following types of organisation could be considered the MOST at risk from the theft of electronic based credit card data?

AOnline retailer.

BTraditional market trader.

CMail delivery business.

DAgricultural producer.

Answer : A

Additional insights can be found in the Information Security Management Principles, 3rd Edition by Andy Taylor, David Alexander, Amanda Finch, David Sutton2.

Question 114

Which of the following is NOT a valid statement to include in an organisation's security policy?

AThe policy has the support of Board and the Chief Executive.

BThe policy has been agreed and amended to suit all third party contractors.

CHow the organisation will manage information assurance.

DThe compliance with legal and regulatory obligations.

Answer : B

Question 115

What are the different methods that can be used as access controls?

1. Detective.

2. Physical.

3. Reactive.

4. Virtual.

5. Preventive.

A1, 2 and 4.

B1, 2 and 3.

C1, 2 and 5.

D3, 4 and 5.

Answer : C

Detective: These controls are designed to identify and record unauthorized access attempts. They do not prevent access but are useful for auditing and monitoring purposes.

Physical: Physical controls are tangible measures taken to protect assets, such as locks, fences, and security guards.

Preventive: Preventive controls are designed to stop unauthorized access before it happens. This includes mechanisms like passwords, biometric scans, and encryption.

Question 116

Which security concept provides redundancy in the event a security control failure or the exploitation of a vulnerability?

ASystem Integrity.

BSandboxing.

CIntrusion Prevention System.

DDefence in depth.

Answer : D

Additional insights can be found in the Information Security Management Principles, 3rd Edition by Andy Taylor, David Alexander, Amanda Finch, David Sutton2.

Question 117

In order to better improve the security culture within an organisation with a top down approach, which of the following actions at board level is the MOST effective?

AAppointment of a Chief Information Security Officer (CISO).

BPurchasing all senior executives personal firewalls.

CAdopting an organisation wide 'clear desk' policy.

DDeveloping a security awareness e-learning course.

Answer : A

Question 118

According to ISO/IEC 27000, which of the following is the definition of a vulnerability?

AA weakness of an asset or group of assets that can be exploited by one or more threats.

BThe impact of a cyber attack on an asset or group of assets.

CThe threat that an asset or group of assets may be damaged by an exploit.

DThe damage that has been caused by a weakness iin a system.

Answer : A

Question 119

What term refers to the shared set of values within an organisation that determine how people are expected to behave in regard to information security?

ACode of Ethics.

BSecurity Culture.

CSystem Operating Procedures.

DSecurity Policy Framework.

Answer : B

ACode of Ethicstypically outlines the principles and moral values that guide the behavior of individuals within an organization but does not specifically address information security behaviors.

Question 120

Which three of the following characteristics form the AAA Triad in Information Security?

1. Authentication

2. Availability

3. Accounting

4. Asymmetry

5. Authorisation

A1, 2 and 3.

B2, 4, and 5.

C1, 3 and 4.

D1, 3 and 5.

Answer : D

Authenticationis the process of verifying the identity of a user or entity. It ensures that individuals are who they claim to be. This can involve methods such as passwords, biometrics, or tokens.

Authorizationdetermines what an authenticated user is allowed to do. It involves granting or denying rights to access resources and perform actions within a system based on the user's identity.

Question 121

Which of the following is LEASTLIKELY to be the result of a global pandemic impacting on information security?

AA large increase in remote workers operating in insecure premises.

BAdditional physical security requirements at data centres and corporate headquarters.

CIncreased demand on service desks as users need additional tools such as VPNs.

DAn upsurge in activity by attackers seeking vulnerabilities caused by operational changes.

Answer : B

Question 122

Which of the following statutory requirements are likely to be of relevance to all organisations no matter which sector nor geographical location they operate in?

ASarbanes-Oxley.

BGDPR.

CHIPAA.

DFSA.

Answer : B

Question 123

In terms of security culture, what needs to be carried out as an integral part of security by all members of an organisation and is an essential component to any security regime?

AThe 'need to known principle.

BVerification of visitor's ID

CAppropriate behaviours.

DAccess denial measures

Answer : C

Question 124

In software engineering, what does 'Security by Design'' mean?

ALow Level and High Level Security Designs are restricted in distribution.

BAll security software artefacts are subject to a code-checking regime.

CThe software has been designed from its inception to be secure.

DAll code meets the technical requirements of GDPR.

Answer : C

Security by Design' in software engineering refers to the practice of integrating security measures into the software development process from the very beginning. This approach ensures that security is not an afterthought but a fundamental component of the system's architecture and design.It involves continuous testing, authentication safeguards, and adherence to best programming practices to make systems as free of vulnerabilities and impervious to attack as possible1.By incorporating security early in the design process, potential flaws can be identified and mitigated early on, significantly reducing the cost and complexity of addressing security issues later in the development lifecycle23.

Question 125

Which of the following is NOT considered to be a form of computer misuse?

AIllegal retention of personal data.

BIllegal interception of information.

CIllegal access to computer systems.

DDownloading of pirated software.

Answer : A

Question 126

What form of training SHOULD developers be undertaking to understand the security of the code they have written and how it can improve security defence whilst being attacked?

ARed Team Training.

BBlue Team Training.

CBlack Hat Training.

DAwareness Training.

Answer : D

Question 127

What are the different methods that can be used as access controls?

1. Detective.

2. Physical.

3. Reactive.

4. Virtual.

5. Preventive.

A1, 2 and 4.

B1, 2 and 3.

C1, 2 and 5.

D3, 4 and 5.

Answer : C

Detective: These controls are designed to identify and record unauthorized access attempts. They do not prevent access but are useful for auditing and monitoring purposes.

Physical: Physical controls are tangible measures taken to protect assets, such as locks, fences, and security guards.

Preventive: Preventive controls are designed to stop unauthorized access before it happens. This includes mechanisms like passwords, biometric scans, and encryption.

Question 128

Which of the following compliance legal requirements are covered by the ISO/IEC 27000 series?

1. Intellectual Property Rights.

2. Protection of Organisational Records

3. Forensic recovery of data.

4. Data Deduplication.

5. Data Protection & Privacy.

A1, 2 and 3

B3, 4 and 5

C2, 3 and 4

D1, 2 and 5

Answer : D

Question 129

Why might the reporting of security incidents that involve personal data differ from other types of security incident?

APersonal data is not highly transient so its 1 investigation rarely involves the preservation of volatile memory and full forensic digital investigation.

BPersonal data is normally handled on both IT and non-IT systems so such incidents need to be managed in two streams.

CData Protection legislation normally requires the reporting of incidents involving personal data to a Supervisory Authority.

DData Protection legislation is process-oriented and focuses on quality assurance of procedures and governance rather than data-focused event investigation

Answer : C

Question 130

Which of the following is NOT a valid statement to include in an organisation's security policy?

AThe policy has the support of Board and the Chief Executive.

BThe policy has been agreed and amended to suit all third party contractors.

CHow the organisation will manage information assurance.

DThe compliance with legal and regulatory obligations.

Answer : B

Question 131

Select the document that is MOST LIKELY to contain direction covering the security and utilisation of all an organisation's information and IT equipment, as well as email, internet and telephony.

ACryptographic Statement.

BSecurity Policy Framework.

CAcceptable Usage Policy.

DBusiness Continuity Plan.

Answer : C

Question 132

As well as being permitted to access, create, modify and delete information, what right does an Information Owner NORMALLY have in regard to their information?

ATo assign access privileges to others.

BTo modify associated information that may lead to inappropriate disclosure.

CTo access information held in the same format and file structure.

DTo delete all indexed data in the dataset.

Answer : A

Question 133

What aspect of an employee's contract of employment Is designed to prevent the unauthorised release of confidential data to third parties even after an employee has left their employment?

ASegregation of Duties.

BNon-disclosure.

CAcceptable use policy.

DSecurity clearance.

Answer : B

Question 134

Which membership based organisation produces international standards, which cover good practice for information assurance?

ABSI.

BIETF.

COWASP.

DISF.

Answer : A

Question 135

What Is the KEY purpose of appending security classification labels to information?

ATo provide guidance and instruction on implementing appropriate security controls to protect the information.

BTo comply with whatever mandatory security policy framework is in place within the geographical location in question.

CTo ensure that should the information be lost in transit, it can be returned to the originator using the correct protocols.

DTo make sure the correct colour-coding system is used when the information is ready for archive.

Answer : A

Question 136

What Is the PRIMARY security concern associated with the practice known as Bring Your Own Device (BYOD) that might affect a large organisation?

AMost BYOD involves the use of non-Windows hardware which is intrinsically insecure and open to abuse.

BThe organisation has significantly less control over the device than over a corporately provided and managed device.

CPrivately owned end user devices are not provided with the same volume nor frequency of security patch updates as a corporation.

DUnder GDPR it is illegal for an individual to use a personal device when handling personal information under corporate control.

Answer : B

Literature on BYOD security risks and mitigation strategies provides insights into the challenges and best practices for managing personal devices in a corporate environment2.

Reviews of security access control policies and techniques based on privacy requirements in a BYOD environment offer a systematic approach to addressing BYOD security concerns3.

Question 137

Which of the following is an asymmetric encryption algorithm?

ADES.

BAES.

CATM.

DRSA.

Answer : D

Question 138

In terms of security culture, what needs to be carried out as an integral part of security by all members of an organisation and is an essential component to any security regime?

AThe 'need to known principle.

BVerification of visitor's ID

CAppropriate behaviours.

DAccess denial measures

Answer : C

Question 139

When securing a wireless network, which of the following is NOT best practice?

AUsing WPA encryption on the wireless network.

BUse MAC tittering on a SOHO network with a smart group of clients.

CDedicating an access point on a dedicated VLAN connected to a firewall.

DTurning on SSID broadcasts to advertise security levels.

Answer : D

Turning on SSID broadcasts is not considered a best practice for securing a wireless network. SSID broadcasts make the network name publicly visible, which can be an invitation for unauthorized users to attempt to access the network. Best practices suggest disabling SSID broadcasts to make the network less visible and thus less likely to be targeted by malicious actors.While using WPA encryption, MAC filtering, and dedicating an access point on a VLAN connected to a firewall are all recommended security measures, advertising the network's presence via SSID broadcasts does not enhance security and could potentially compromise it12.

Question 140

According to ISO/IEC 27000, which of the following is the definition of a vulnerability?

AA weakness of an asset or group of assets that can be exploited by one or more threats.

BThe impact of a cyber attack on an asset or group of assets.

CThe threat that an asset or group of assets may be damaged by an exploit.

DThe damage that has been caused by a weakness iin a system.

Answer : A

Question 141

A security analyst has been asked to provide a triple A service (AAA) for both wireless and remote access network services in an organization and must avoid using proprietary solutions.

What technology SHOULD they adapt?

ATACACS+

BRADIUS.

COauth.

DMS Access Database.

Answer : B

TACACS+is a Cisco proprietary protocol and therefore does not meet the requirement of avoiding proprietary solutions.

OAuthis a framework for authorization and is not typically used for network access control in the same way that RADIUS is.

MS Access Databaseis not a network authentication protocol and would not provide the necessary AAA services for network security.

Question 142

As well as being permitted to access, create, modify and delete information, what right does an Information Owner NORMALLY have in regard to their information?

ATo assign access privileges to others.

BTo modify associated information that may lead to inappropriate disclosure.

CTo access information held in the same format and file structure.

DTo delete all indexed data in the dataset.

Answer : A

Question 143

What is the name of the method used to illicitly target a senior person in an organisation so as to try to coerce them Into taking an unwanted action such as a misdirected high-value payment?

AWhaling.

BSpear-phishing.

CC-suite spamming.

DTrawling.

Answer : A

Question 144

Select the document that is MOST LIKELY to contain direction covering the security and utilisation of all an organisation's information and IT equipment, as well as email, internet and telephony.

ACryptographic Statement.

BSecurity Policy Framework.

CAcceptable Usage Policy.

DBusiness Continuity Plan.

Answer : C

Question 145

Which of the following is LEASTLIKELY to be the result of a global pandemic impacting on information security?

AA large increase in remote workers operating in insecure premises.

BAdditional physical security requirements at data centres and corporate headquarters.

CIncreased demand on service desks as users need additional tools such as VPNs.

DAn upsurge in activity by attackers seeking vulnerabilities caused by operational changes.

Answer : B

Question 146

Which of the following statements relating to digital signatures is TRUE?

ADigital signatures are rarely legally enforceable even if the signers know they are signing a legal document.

BDigital signatures are valid and enforceable in law in most countries in the world.

CDigital signatures are legal unless there is a statutory requirement that predates the digital age.

DA digital signature that uses a signer's private key is illegal.

Answer : B

Question 147

When seeking third party digital forensics services, what two attributes should one seek when making a choice of service provider?

AAppropriate company accreditation and staff certification.

BFormal certification to ISO/IEC 27001 and alignment with ISO 17025.

CAffiliation with local law enforcement bodies and local government regulations.

DClean credit references as well as international experience.

Answer : A

Question 148

Which of the following statutory requirements are likely to be of relevance to all organisations no matter which sector nor geographical location they operate in?

ASarbanes-Oxley.

BGDPR.

CHIPAA.

DFSA.

Answer : B

Question 149

What form of attack against an employee has the MOST impact on their compliance with the organisation's "code of conduct"?

ABrute Force Attack.

BSocial Engineering.

CRansomware.

DDenial of Service.

Answer : B

Question 150

Which three of the following characteristics form the AAA Triad in Information Security?

1. Authentication

2. Availability

3. Accounting

4. Asymmetry

5. Authorisation

A1, 2 and 3.

B2, 4, and 5.

C1, 3 and 4.

D1, 3 and 5.

Answer : D

Authenticationis the process of verifying the identity of a user or entity. It ensures that individuals are who they claim to be. This can involve methods such as passwords, biometrics, or tokens.

Authorizationdetermines what an authenticated user is allowed to do. It involves granting or denying rights to access resources and perform actions within a system based on the user's identity.

Question 151

A system administrator has created the following "array" as an access control for an organisation.

Developers: create files, update files.

Reviewers: upload files, update files.

Administrators: upload files, delete fifes, update files.

What type of access-control has just been created?

ATask based access control.

BRole based access control.

CRule based access control.

DMandatory access control.

Answer : B

Question 152

What are the different methods that can be used as access controls?

1. Detective.

2. Physical.

3. Reactive.

4. Virtual.

5. Preventive.

A1, 2 and 4.

B1, 2 and 3.

C1, 2 and 5.

D3, 4 and 5.

Answer : C

Detective: These controls are designed to identify and record unauthorized access attempts. They do not prevent access but are useful for auditing and monitoring purposes.

Physical: Physical controls are tangible measures taken to protect assets, such as locks, fences, and security guards.

Preventive: Preventive controls are designed to stop unauthorized access before it happens. This includes mechanisms like passwords, biometric scans, and encryption.

Question 153

Which of the below business practices does this statement define?

AInformation Lifecycle Management.

BInformation Quality Management.

CTotal Quality Management.

DBusiness Continuity Management.

Answer : A

Question 154

Which standards framework offers a set of IT Service Management best practices to assist organisations in aligning IT service delivery with business goals - including security goals?

AITIL.

BSABSA.

CCOBIT

DISAGA.

Answer : A

Question 155

What form of risk assessment is MOST LIKELY to provide objective support for a security Return on Investment case?

AISO/IEC 27001.

BQualitative.

CCPNI.

DQuantitative

Answer : D

Quantitative risk assessment is the process of objectively measuring risk by assigning numerical values to the probability of an event occurring and its potential impact. This method is most likely to provide objective support for a security Return on Investment (ROI) case because it allows for the calculation of potential losses in monetary terms, which can be directly compared to the cost of implementing security measures. By quantifying risks and their financial implications, organizations can make informed decisions about where to allocate resources and how to prioritize security investments to maximize ROI. This approach is particularly useful when making a business case to stakeholders who require clear, financial justification for security expenditures.

Question 156

In terms of security culture, what needs to be carried out as an integral part of security by all members of an organisation and is an essential component to any security regime?

AThe 'need to known principle.

BVerification of visitor's ID

CAppropriate behaviours.

DAccess denial measures

Answer : C

Question 157

A security analyst has been asked to provide a triple A service (AAA) for both wireless and remote access network services in an organization and must avoid using proprietary solutions.

What technology SHOULD they adapt?

ATACACS+

BRADIUS.

COauth.

DMS Access Database.

Answer : B

TACACS+is a Cisco proprietary protocol and therefore does not meet the requirement of avoiding proprietary solutions.

OAuthis a framework for authorization and is not typically used for network access control in the same way that RADIUS is.

MS Access Databaseis not a network authentication protocol and would not provide the necessary AAA services for network security.

Question 158

Select the document that is MOST LIKELY to contain direction covering the security and utilisation of all an organisation's information and IT equipment, as well as email, internet and telephony.

ACryptographic Statement.

BSecurity Policy Framework.

CAcceptable Usage Policy.

DBusiness Continuity Plan.

Answer : C

Question 159

What does a penetration test do that a Vulnerability Scan does NOT?

AA penetration test seeks to actively exploit any known or discovered vulnerabilities.

BA penetration test looks for known vulnerabilities and reports them without further action.

CA penetration test is always an automated process - a vulnerability scan never is.

DA penetration test never uses common tools such as Nrnap, Nessus and Metasploit.

Answer : A

Question 160

What term refers to the shared set of values within an organisation that determine how people are expected to behave in regard to information security?

ACode of Ethics.

BSecurity Culture.

CSystem Operating Procedures.

DSecurity Policy Framework.

Answer : B

ACode of Ethicstypically outlines the principles and moral values that guide the behavior of individuals within an organization but does not specifically address information security behaviors.

Question 161

When calculating the risk associated with a vulnerability being exploited, how is this risk calculated?

ARisk = Likelihood * Impact.

BRisk = Likelihood / Impact.

CRisk = Vulnerability / Threat.

DRisk = Threat * Likelihood.

Answer : A

In the context of information security, risk is typically calculated as the product of likelihood and impact. This formula encapsulates the probability of a vulnerability being exploited (likelihood) and the potential damage or loss that could result from such an event (impact). The goal is to quantify the level of risk in order to prioritize mitigation efforts effectively. Options B, C, and D do not represent standard risk calculation formulas in information security management.

Question 162

What term is used to describe the act of checking out a privileged account password in a manner that bypasses normal access controls procedures during a critical emergency situation?

APrivileged User Gateway

BEnterprise Security Management

CMulti Factor Authentication.

DBreak Glass

Answer : D

Microsoft Entra ID documentation on managing emergency access admin accounts3.

StrongDM's blog explaining the need for ''Break Glass'' accounts for privileged access1.

SSH Academy's definition of ''Break Glass'' access2.

Question 163

Which three of the following characteristics form the AAA Triad in Information Security?

1. Authentication

2. Availability

3. Accounting

4. Asymmetry

5. Authorisation

A1, 2 and 3.

B2, 4, and 5.

C1, 3 and 4.

D1, 3 and 5.

Answer : D

Authenticationis the process of verifying the identity of a user or entity. It ensures that individuals are who they claim to be. This can involve methods such as passwords, biometrics, or tokens.

Authorizationdetermines what an authenticated user is allowed to do. It involves granting or denying rights to access resources and perform actions within a system based on the user's identity.

Question 164

Why might the reporting of security incidents that involve personal data differ from other types of security incident?

APersonal data is not highly transient so its 1 investigation rarely involves the preservation of volatile memory and full forensic digital investigation.

BPersonal data is normally handled on both IT and non-IT systems so such incidents need to be managed in two streams.

CData Protection legislation normally requires the reporting of incidents involving personal data to a Supervisory Authority.

DData Protection legislation is process-oriented and focuses on quality assurance of procedures and governance rather than data-focused event investigation

Answer : C

Question 165

When securing a wireless network, which of the following is NOT best practice?

AUsing WPA encryption on the wireless network.

BUse MAC tittering on a SOHO network with a smart group of clients.

CDedicating an access point on a dedicated VLAN connected to a firewall.

DTurning on SSID broadcasts to advertise security levels.

Answer : D

Question 166

Which of the following is NOT an information security specific vulnerability?

AUse of HTTP based Apache web server.

BUnpatched Windows operating system.

CConfidential data stored in a fire safe.

DUse of an unlocked filing cabinet.

Answer : C

A: Use of HTTP for an Apache web server could allow for interception of data due to lack of encryption.

B: An unpatched Windows operating system could have known security flaws that can be exploited.

D: An unlocked filing cabinet could lead to unauthorized physical access to sensitive documents.

Question 167

What Is the PRIMARY difference between DevOps and DevSecOps?

AWithin DevSecOps security is introduced at the end of development immediately prior to deployment.

BDevSecOps focuses solely on iterative development cycles.

CDevSecOps includes security on the same level as continuous integration and delivery.

DDevOps mandates that security is integrated at the beginning of the development lifecycle.

Answer : C

Question 168

How does the use of a "single sign-on" access control policy improve the security for an organisation implementing the policy?

APassword is better encrypted for system authentication.

BAccess control logs are centrally located.

CHelps prevent the likelihood of users writing down passwords.

DDecreases the complexity of passwords users have to remember.

Answer : C

Question 169

Why have MOST European countries developed specific legislation that permits police and security services to monitor communications traffic for specific purposes, such as the detection of crime?

AUnder the European Convention of Human Rights, the interception of telecommunications represents an interference with the right to privacy.

BGDPR overrides all previous legislation on information handling, so new laws were needed to ensure authorities did not inadvertently break the law.

CPolice could previously intercept without lawful authority any communications in the course of transmission through a public post or telecoms system.

DSurveillance of a conversation or an online message by law enforcement agents was previously illegal due to the 1950 version of the Human Rights Convention.

Answer : A

Question 170

What Is the PRIMARY security concern associated with the practice known as Bring Your Own Device (BYOD) that might affect a large organisation?

AMost BYOD involves the use of non-Windows hardware which is intrinsically insecure and open to abuse.

BThe organisation has significantly less control over the device than over a corporately provided and managed device.

CPrivately owned end user devices are not provided with the same volume nor frequency of security patch updates as a corporation.

DUnder GDPR it is illegal for an individual to use a personal device when handling personal information under corporate control.

Answer : B

Literature on BYOD security risks and mitigation strategies provides insights into the challenges and best practices for managing personal devices in a corporate environment2.

Reviews of security access control policies and techniques based on privacy requirements in a BYOD environment offer a systematic approach to addressing BYOD security concerns3.

Question 171

Which of the following acronyms covers the real-time analysis of security alerts generated by applications and network hardware?

ACERT

BSIEM.

CCISM.

DDDoS.

Answer : B

Question 172

In terms of security culture, what needs to be carried out as an integral part of security by all members of an organisation and is an essential component to any security regime?

AThe 'need to known principle.

BVerification of visitor's ID

CAppropriate behaviours.

DAccess denial measures

Answer : C

Question 173

Which of the following compliance legal requirements are covered by the ISO/IEC 27000 series?

1. Intellectual Property Rights.

2. Protection of Organisational Records

3. Forensic recovery of data.

4. Data Deduplication.

5. Data Protection & Privacy.

A1, 2 and 3

B3, 4 and 5

C2, 3 and 4

D1, 2 and 5

Answer : D

Question 174

What is the name of the method used to illicitly target a senior person in an organisation so as to try to coerce them Into taking an unwanted action such as a misdirected high-value payment?

AWhaling.

BSpear-phishing.

CC-suite spamming.

DTrawling.

Answer : A

Question 175

When considering outsourcing the processing of data, which two legal "duty of care" considerations SHOULD the original data owner make?

1 Third party is competent to process the data securely.

2. Observes the same high standards as data owner.

3. Processes the data wherever the data can be transferred.

4. Archive the data for long term third party's own usage.

A2 and 3.

B3 and 4.

C1 and 4.

D1 and 2.

Answer : D

Question 176

How might the effectiveness of a security awareness program be effectively measured?

1) Employees are required to take an online multiple choice exam on security principles.

2) Employees are tested with social engineering techniques by an approved penetration tester.

3) Employees practice ethical hacking techniques on organisation systems.

4) No security vulnerabilities are reported during an audit.

5) Open source intelligence gathering is undertaken on staff social media profiles.

A3, 4 and 5.

B2, 4 and 5.

C1, 2 and 3.

D1, 2 and 5.

Answer : D

The effectiveness of a security awareness program can be measured through various methods that assess both the knowledge and behavior of employees regarding security practices.

Open source intelligence gathering on staff social media profiles: This method can reveal whether employees are adhering to security policies by not disclosing sensitive information publicly.

Question 177

Which of the following is an asymmetric encryption algorithm?

ADES.

BAES.

CATM.

DRSA.

Answer : D

Question 178

Select the document that is MOST LIKELY to contain direction covering the security and utilisation of all an organisation's information and IT equipment, as well as email, internet and telephony.

ACryptographic Statement.

BSecurity Policy Framework.

CAcceptable Usage Policy.

DBusiness Continuity Plan.

Answer : C

Question 179

Which of the following is NOT an information security specific vulnerability?

AUse of HTTP based Apache web server.

BUnpatched Windows operating system.

CConfidential data stored in a fire safe.

DUse of an unlocked filing cabinet.

Answer : C

A: Use of HTTP for an Apache web server could allow for interception of data due to lack of encryption.

B: An unpatched Windows operating system could have known security flaws that can be exploited.

D: An unlocked filing cabinet could lead to unauthorized physical access to sensitive documents.

Question 180

You are undertaking a qualitative risk assessment of a likely security threat to an information system.

What is the MAIN issue with this type of risk assessment?

AThese risk assessments are largely subjective and require agreement on rankings beforehand.

BDealing with statistical and other numeric data can often be hard to interpret.

CThere needs to be a large amount of previous data to 'train' a qualitative risk methodology.

DIt requires the use of complex software tools to undertake this risk assessment.

Answer : A

Question 181

What term refers to the shared set of values within an organisation that determine how people are expected to behave in regard to information security?

ACode of Ethics.

BSecurity Culture.

CSystem Operating Procedures.

DSecurity Policy Framework.

Answer : B

ACode of Ethicstypically outlines the principles and moral values that guide the behavior of individuals within an organization but does not specifically address information security behaviors.

Question 182

Which standards framework offers a set of IT Service Management best practices to assist organisations in aligning IT service delivery with business goals - including security goals?

AITIL.

BSABSA.

CCOBIT

DISAGA.

Answer : A

Question 183

What aspect of an employee's contract of employment Is designed to prevent the unauthorised release of confidential data to third parties even after an employee has left their employment?

ASegregation of Duties.

BNon-disclosure.

CAcceptable use policy.

DSecurity clearance.

Answer : B

Question 184

Which of the following is NOT considered to be a form of computer misuse?

AIllegal retention of personal data.

BIllegal interception of information.

CIllegal access to computer systems.

DDownloading of pirated software.

Answer : A

Question 185

Which of the following is LEASTLIKELY to be the result of a global pandemic impacting on information security?

AA large increase in remote workers operating in insecure premises.

BAdditional physical security requirements at data centres and corporate headquarters.

CIncreased demand on service desks as users need additional tools such as VPNs.

DAn upsurge in activity by attackers seeking vulnerabilities caused by operational changes.

Answer : B

Question 186

In software engineering, what does 'Security by Design'' mean?

ALow Level and High Level Security Designs are restricted in distribution.

BAll security software artefacts are subject to a code-checking regime.

CThe software has been designed from its inception to be secure.

DAll code meets the technical requirements of GDPR.

Answer : C

Question 187

What term is used to describe the act of checking out a privileged account password in a manner that bypasses normal access controls procedures during a critical emergency situation?

APrivileged User Gateway

BEnterprise Security Management

CMulti Factor Authentication.

DBreak Glass

Answer : D

Microsoft Entra ID documentation on managing emergency access admin accounts3.

StrongDM's blog explaining the need for ''Break Glass'' accounts for privileged access1.

SSH Academy's definition of ''Break Glass'' access2.

Question 188

Which of the following acronyms covers the real-time analysis of security alerts generated by applications and network hardware?

ACERT

BSIEM.

CCISM.

DDDoS.

Answer : B

Question 189

Which of the following statements relating to digital signatures is TRUE?

ADigital signatures are rarely legally enforceable even if the signers know they are signing a legal document.

BDigital signatures are valid and enforceable in law in most countries in the world.

CDigital signatures are legal unless there is a statutory requirement that predates the digital age.

DA digital signature that uses a signer's private key is illegal.

Answer : B

Question 190

Which standards framework offers a set of IT Service Management best practices to assist organisations in aligning IT service delivery with business goals - including security goals?

AITIL.

BSABSA.

CCOBIT

DISAGA.

Answer : A

Question 191

Which algorithm is a current specification for the encryption of electronic data established by NIST?

ARSA.

BAES.

CDES.

DPGP.

Answer : B

Question 192

Which of the following is considered to be the GREATEST risk to information systems that results from deploying end-to-end Internet of Things (IoT) solutions?

AUse of 'cheap' microcontroller based sensors.

BMuch larger attack surface than traditional IT systems.

CUse of proprietary networking protocols between nodes.

DUse of cloud based systems to collect loT data.

Answer : B

Question 193

What form of attack against an employee has the MOST impact on their compliance with the organisation's "code of conduct"?

ABrute Force Attack.

BSocial Engineering.

CRansomware.

DDenial of Service.

Answer : B

Question 194

What form of training SHOULD developers be undertaking to understand the security of the code they have written and how it can improve security defence whilst being attacked?

ARed Team Training.

BBlue Team Training.

CBlack Hat Training.

DAwareness Training.

Answer : D

Question 195

Which of the following is an accepted strategic option for dealing with risk?

ACorrection.

BDetection.

CForbearance.

DAcceptance

Answer : D

Question 196

Which of the following is a framework and methodology for Enterprise Security Architecture and Service Management?

ATOGAF

BSABSA

CPCI DSS.

DOWASP.

Answer : B

Question 197

What form of risk assessment is MOST LIKELY to provide objective support for a security Return on Investment case?

AISO/IEC 27001.

BQualitative.

CCPNI.

DQuantitative

Answer : D

Question 198

Which of the following is often the final stage in the information management lifecycle?

ADisposal.

BCreation.

CUse.

DPublication.

Answer : A

Question 199

Which three of the following characteristics form the AAA Triad in Information Security?

1. Authentication

2. Availability

3. Accounting

4. Asymmetry

5. Authorisation

A1, 2 and 3.

B2, 4, and 5.

C1, 3 and 4.

D1, 3 and 5.

Answer : D

Authenticationis the process of verifying the identity of a user or entity. It ensures that individuals are who they claim to be. This can involve methods such as passwords, biometrics, or tokens.

Authorizationdetermines what an authenticated user is allowed to do. It involves granting or denying rights to access resources and perform actions within a system based on the user's identity.

Question 200

Which types of organisations are likely to be the target of DDoS attacks?

ACloud service providers.

BAny financial sector organisations.

COnline retail based organisations.

DAny organisation with an online presence.

Answer : D

Distributed Denial of Service (DDoS) attacks are a threat to any organization that maintains an online presence. This is because DDoS attacks are designed to overwhelm an organization's network with traffic, rendering it inaccessible to legitimate users. While cloud service providers, financial sector organizations, and online retail companies can be attractive targets due to their high-profile nature and the critical nature of their services, the reality is that any organization with an online presence can be targeted. This includes small businesses, educational institutions, government agencies, and non-profits. The motivation behind such attacks can vary from financial gain, to disruption of service, to political statements. Therefore, it's crucial for all organizations to implement robust security measures to mitigate the risk of DDoS attacks.

Question 201

When calculating the risk associated with a vulnerability being exploited, how is this risk calculated?

ARisk = Likelihood * Impact.

BRisk = Likelihood / Impact.

CRisk = Vulnerability / Threat.

DRisk = Threat * Likelihood.

Answer : A

Question 202

In order to better improve the security culture within an organisation with a top down approach, which of the following actions at board level is the MOST effective?

AAppointment of a Chief Information Security Officer (CISO).

BPurchasing all senior executives personal firewalls.

CAdopting an organisation wide 'clear desk' policy.

DDeveloping a security awareness e-learning course.

Answer : A

Question 203

Which standard deals with the implementation of business continuity?

AISO/IEC 27001

BCOBIT

CIS0223G1.

DBS5750.

Answer : C

Question 204

When considering outsourcing the processing of data, which two legal "duty of care" considerations SHOULD the original data owner make?

1 Third party is competent to process the data securely.

2. Observes the same high standards as data owner.

3. Processes the data wherever the data can be transferred.

4. Archive the data for long term third party's own usage.

A2 and 3.

B3 and 4.

C1 and 4.

D1 and 2.

Answer : D

Question 205

What is the name of the method used to illicitly target a senior person in an organisation so as to try to coerce them Into taking an unwanted action such as a misdirected high-value payment?

AWhaling.

BSpear-phishing.

CC-suite spamming.

DTrawling.

Answer : A

Question 206

In terms of security culture, what needs to be carried out as an integral part of security by all members of an organisation and is an essential component to any security regime?

AThe 'need to known principle.

BVerification of visitor's ID

CAppropriate behaviours.

DAccess denial measures

Answer : C

Question 207

Which of the following is NOT a valid statement to include in an organisation's security policy?

AThe policy has the support of Board and the Chief Executive.

BThe policy has been agreed and amended to suit all third party contractors.

CHow the organisation will manage information assurance.

DThe compliance with legal and regulatory obligations.

Answer : B

Question 208

A system administrator has created the following "array" as an access control for an organisation.

Developers: create files, update files.

Reviewers: upload files, update files.

Administrators: upload files, delete fifes, update files.

What type of access-control has just been created?

ATask based access control.

BRole based access control.

CRule based access control.

DMandatory access control.

Answer : B

Question 209

Which membership based organisation produces international standards, which cover good practice for information assurance?

ABSI.

BIETF.

COWASP.

DISF.

Answer : A

Question 210

Why have MOST European countries developed specific legislation that permits police and security services to monitor communications traffic for specific purposes, such as the detection of crime?

AUnder the European Convention of Human Rights, the interception of telecommunications represents an interference with the right to privacy.

BGDPR overrides all previous legislation on information handling, so new laws were needed to ensure authorities did not inadvertently break the law.

CPolice could previously intercept without lawful authority any communications in the course of transmission through a public post or telecoms system.

DSurveillance of a conversation or an online message by law enforcement agents was previously illegal due to the 1950 version of the Human Rights Convention.

Answer : A

Question 211

What term is used to describe the act of checking out a privileged account password in a manner that bypasses normal access controls procedures during a critical emergency situation?

APrivileged User Gateway

BEnterprise Security Management

CMulti Factor Authentication.

DBreak Glass

Answer : D

Microsoft Entra ID documentation on managing emergency access admin accounts3.

StrongDM's blog explaining the need for ''Break Glass'' accounts for privileged access1.

SSH Academy's definition of ''Break Glass'' access2.

Question 212

What form of risk assessment is MOST LIKELY to provide objective support for a security Return on Investment case?

AISO/IEC 27001.

BQualitative.

CCPNI.

DQuantitative

Answer : D

Question 213

Select the document that is MOST LIKELY to contain direction covering the security and utilisation of all an organisation's information and IT equipment, as well as email, internet and telephony.

ACryptographic Statement.

BSecurity Policy Framework.

CAcceptable Usage Policy.

DBusiness Continuity Plan.

Answer : C

Question 214

Which algorithm is a current specification for the encryption of electronic data established by NIST?

ARSA.

BAES.

CDES.

DPGP.

Answer : B

Question 215

Which types of organisations are likely to be the target of DDoS attacks?

ACloud service providers.

BAny financial sector organisations.

COnline retail based organisations.

DAny organisation with an online presence.

Answer : D

Question 216

Which of the following is LEASTLIKELY to be the result of a global pandemic impacting on information security?

AA large increase in remote workers operating in insecure premises.

BAdditional physical security requirements at data centres and corporate headquarters.

CIncreased demand on service desks as users need additional tools such as VPNs.

DAn upsurge in activity by attackers seeking vulnerabilities caused by operational changes.

Answer : B

Question 217

Which three of the following characteristics form the AAA Triad in Information Security?

1. Authentication

2. Availability

3. Accounting

4. Asymmetry

5. Authorisation

A1, 2 and 3.

B2, 4, and 5.

C1, 3 and 4.

D1, 3 and 5.

Answer : D

Authenticationis the process of verifying the identity of a user or entity. It ensures that individuals are who they claim to be. This can involve methods such as passwords, biometrics, or tokens.

Authorizationdetermines what an authenticated user is allowed to do. It involves granting or denying rights to access resources and perform actions within a system based on the user's identity.

Question 218

What form of attack against an employee has the MOST impact on their compliance with the organisation's "code of conduct"?

ABrute Force Attack.

BSocial Engineering.

CRansomware.

DDenial of Service.

Answer : B

Question 219

Once data has been created In a standard information lifecycle, what step TYPICALLY happens next?

AData Deletion.

BData Archiving.

CData Storage.

DData Publication

Answer : C

Question 220

When seeking third party digital forensics services, what two attributes should one seek when making a choice of service provider?

AAppropriate company accreditation and staff certification.

BFormal certification to ISO/IEC 27001 and alignment with ISO 17025.

CAffiliation with local law enforcement bodies and local government regulations.

DClean credit references as well as international experience.

Answer : A

Question 221

What form of training SHOULD developers be undertaking to understand the security of the code they have written and how it can improve security defence whilst being attacked?

ARed Team Training.

BBlue Team Training.

CBlack Hat Training.

DAwareness Training.

Answer : D

Question 222

Which of the following is NOT considered to be a form of computer misuse?

AIllegal retention of personal data.

BIllegal interception of information.

CIllegal access to computer systems.

DDownloading of pirated software.

Answer : A

Question 223

In order to better improve the security culture within an organisation with a top down approach, which of the following actions at board level is the MOST effective?

AAppointment of a Chief Information Security Officer (CISO).

BPurchasing all senior executives personal firewalls.

CAdopting an organisation wide 'clear desk' policy.

DDeveloping a security awareness e-learning course.

Answer : A

Question 224

Why might the reporting of security incidents that involve personal data differ from other types of security incident?

APersonal data is not highly transient so its 1 investigation rarely involves the preservation of volatile memory and full forensic digital investigation.

BPersonal data is normally handled on both IT and non-IT systems so such incidents need to be managed in two streams.

CData Protection legislation normally requires the reporting of incidents involving personal data to a Supervisory Authority.

DData Protection legislation is process-oriented and focuses on quality assurance of procedures and governance rather than data-focused event investigation

Answer : C

Question 225

When considering outsourcing the processing of data, which two legal "duty of care" considerations SHOULD the original data owner make?

1 Third party is competent to process the data securely.

2. Observes the same high standards as data owner.

3. Processes the data wherever the data can be transferred.

4. Archive the data for long term third party's own usage.

A2 and 3.

B3 and 4.

C1 and 4.

D1 and 2.

Answer : D

Question 226

When securing a wireless network, which of the following is NOT best practice?

AUsing WPA encryption on the wireless network.

BUse MAC tittering on a SOHO network with a smart group of clients.

CDedicating an access point on a dedicated VLAN connected to a firewall.

DTurning on SSID broadcasts to advertise security levels.

Answer : D

Question 227

Which of the following types of organisation could be considered the MOST at risk from the theft of electronic based credit card data?

AOnline retailer.

BTraditional market trader.

CMail delivery business.

DAgricultural producer.

Answer : A

Additional insights can be found in the Information Security Management Principles, 3rd Edition by Andy Taylor, David Alexander, Amanda Finch, David Sutton2.

Question 228

Which term is used to describe the set of processes that analyses code to ensure defined coding practices are being followed?

AQuality Assurance and Control

BDynamic verification.

CStatic verification.

DSource code analysis.

Answer : C

Question 229

Which security concept provides redundancy in the event a security control failure or the exploitation of a vulnerability?

ASystem Integrity.

BSandboxing.

CIntrusion Prevention System.

DDefence in depth.

Answer : D

Additional insights can be found in the Information Security Management Principles, 3rd Edition by Andy Taylor, David Alexander, Amanda Finch, David Sutton2.

Question 230

What type of software programme is this?

AFree Source.

BProprietary Source.

CInterpreted Source.

DOpen Source.

Answer : B

Question 231

Which of the following acronyms covers the real-time analysis of security alerts generated by applications and network hardware?

ACERT

BSIEM.

CCISM.

DDDoS.

Answer : B

Question 232

A system administrator has created the following "array" as an access control for an organisation.

Developers: create files, update files.

Reviewers: upload files, update files.

Administrators: upload files, delete fifes, update files.

What type of access-control has just been created?

ATask based access control.

BRole based access control.

CRule based access control.

DMandatory access control.

Answer : B

Question 233

As well as being permitted to access, create, modify and delete information, what right does an Information Owner NORMALLY have in regard to their information?

ATo assign access privileges to others.

BTo modify associated information that may lead to inappropriate disclosure.

CTo access information held in the same format and file structure.

DTo delete all indexed data in the dataset.

Answer : A

Question 234

What term is used to describe the act of checking out a privileged account password in a manner that bypasses normal access controls procedures during a critical emergency situation?

APrivileged User Gateway

BEnterprise Security Management

CMulti Factor Authentication.

DBreak Glass

Answer : D

Microsoft Entra ID documentation on managing emergency access admin accounts3.

StrongDM's blog explaining the need for ''Break Glass'' accounts for privileged access1.

SSH Academy's definition of ''Break Glass'' access2.

Question 235

What are the different methods that can be used as access controls?

1. Detective.

2. Physical.

3. Reactive.

4. Virtual.

5. Preventive.

A1, 2 and 4.

B1, 2 and 3.

C1, 2 and 5.

D3, 4 and 5.

Answer : C

Detective: These controls are designed to identify and record unauthorized access attempts. They do not prevent access but are useful for auditing and monitoring purposes.

Physical: Physical controls are tangible measures taken to protect assets, such as locks, fences, and security guards.

Preventive: Preventive controls are designed to stop unauthorized access before it happens. This includes mechanisms like passwords, biometric scans, and encryption.

Question 236

How does the use of a "single sign-on" access control policy improve the security for an organisation implementing the policy?

APassword is better encrypted for system authentication.

BAccess control logs are centrally located.

CHelps prevent the likelihood of users writing down passwords.

DDecreases the complexity of passwords users have to remember.

Answer : C

Question 237

When handling and investigating digital evidence to be used in a criminal cybercrime investigation, which of the following principles is considered BEST practice?

ADigital evidence must not be altered unless absolutely necessary.

BAcquiring digital evidence cart only be carried on digital devices which have been turned off.

CDigital evidence can only be handled by a member of law enforcement.

DDigital devices must be forensically 'clean' before investigation.

Answer : D

Question 238

Once data has been created In a standard information lifecycle, what step TYPICALLY happens next?

AData Deletion.

BData Archiving.

CData Storage.

DData Publication

Answer : C

Question 239

In order to better improve the security culture within an organisation with a top down approach, which of the following actions at board level is the MOST effective?

AAppointment of a Chief Information Security Officer (CISO).

BPurchasing all senior executives personal firewalls.

CAdopting an organisation wide 'clear desk' policy.

DDeveloping a security awareness e-learning course.

Answer : A

Question 240

Which of the following statutory requirements are likely to be of relevance to all organisations no matter which sector nor geographical location they operate in?

ASarbanes-Oxley.

BGDPR.

CHIPAA.

DFSA.

Answer : B

Question 241

Why have MOST European countries developed specific legislation that permits police and security services to monitor communications traffic for specific purposes, such as the detection of crime?

AUnder the European Convention of Human Rights, the interception of telecommunications represents an interference with the right to privacy.

BGDPR overrides all previous legislation on information handling, so new laws were needed to ensure authorities did not inadvertently break the law.

CPolice could previously intercept without lawful authority any communications in the course of transmission through a public post or telecoms system.

DSurveillance of a conversation or an online message by law enforcement agents was previously illegal due to the 1950 version of the Human Rights Convention.

Answer : A

Question 242

Which of the following is MOST LIKELY to be described as a consequential loss?

AReputation damage.

BMonetary theft.

CService disruption.

DProcessing errors.

Answer : A

Question 243

In terms of security culture, what needs to be carried out as an integral part of security by all members of an organisation and is an essential component to any security regime?

AThe 'need to known principle.

BVerification of visitor's ID

CAppropriate behaviours.

DAccess denial measures

Answer : C

Question 244

Which of the following uses are NOT usual ways that attackers have of leveraging botnets?

AGenerating and distributing spam messages.

BConducting DDOS attacks.

CScanning for system & application vulnerabilities.

DUndertaking vishing attacks

Answer : D

Botnets are typically used by attackers for a variety of malicious activities, most commonly for:

Generating and distributing spam messages: Botnets can send out large volumes of spam emails to promote products or services, or to distribute malware.

Conducting DDoS attacks: Distributed Denial of Service (DDoS) attacks are often carried out using botnets to overwhelm a target's servers with traffic.

Scanning for system & application vulnerabilities: Botnets can be used to scan a large number of systems for vulnerabilities that can be exploited in further attacks.

Question 245

According to ISO/IEC 27000, which of the following is the definition of a vulnerability?

AA weakness of an asset or group of assets that can be exploited by one or more threats.

BThe impact of a cyber attack on an asset or group of assets.

CThe threat that an asset or group of assets may be damaged by an exploit.

DThe damage that has been caused by a weakness iin a system.

Answer : A

Question 246

What term is used to describe the act of checking out a privileged account password in a manner that bypasses normal access controls procedures during a critical emergency situation?

APrivileged User Gateway

BEnterprise Security Management

CMulti Factor Authentication.

DBreak Glass

Answer : D

Microsoft Entra ID documentation on managing emergency access admin accounts3.

StrongDM's blog explaining the need for ''Break Glass'' accounts for privileged access1.

SSH Academy's definition of ''Break Glass'' access2.

Question 247

Which of the following is an asymmetric encryption algorithm?

ADES.

BAES.

CATM.

DRSA.

Answer : D

Question 248

What term refers to the shared set of values within an organisation that determine how people are expected to behave in regard to information security?

ACode of Ethics.

BSecurity Culture.

CSystem Operating Procedures.

DSecurity Policy Framework.

Answer : B

ACode of Ethicstypically outlines the principles and moral values that guide the behavior of individuals within an organization but does not specifically address information security behaviors.

Question 249

Which of the following is NOT considered to be a form of computer misuse?

AIllegal retention of personal data.

BIllegal interception of information.

CIllegal access to computer systems.

DDownloading of pirated software.

Answer : A

Question 250

What is the name of the method used to illicitly target a senior person in an organisation so as to try to coerce them Into taking an unwanted action such as a misdirected high-value payment?

AWhaling.

BSpear-phishing.

CC-suite spamming.

DTrawling.

Answer : A

Question 251

When handling and investigating digital evidence to be used in a criminal cybercrime investigation, which of the following principles is considered BEST practice?

ADigital evidence must not be altered unless absolutely necessary.

BAcquiring digital evidence cart only be carried on digital devices which have been turned off.

CDigital evidence can only be handled by a member of law enforcement.

DDigital devices must be forensically 'clean' before investigation.

Answer : D

Question 252

What Is the PRIMARY difference between DevOps and DevSecOps?

AWithin DevSecOps security is introduced at the end of development immediately prior to deployment.

BDevSecOps focuses solely on iterative development cycles.

CDevSecOps includes security on the same level as continuous integration and delivery.

DDevOps mandates that security is integrated at the beginning of the development lifecycle.

Answer : C

Question 253

Which standard deals with the implementation of business continuity?

AISO/IEC 27001

BCOBIT

CIS0223G1.

DBS5750.

Answer : C

Question 254

Which types of organisations are likely to be the target of DDoS attacks?

ACloud service providers.

BAny financial sector organisations.

COnline retail based organisations.

DAny organisation with an online presence.

Answer : D

Question 255

Which algorithm is a current specification for the encryption of electronic data established by NIST?

ARSA.

BAES.

CDES.

DPGP.

Answer : B

Question 256

A system administrator has created the following "array" as an access control for an organisation.

Developers: create files, update files.

Reviewers: upload files, update files.

Administrators: upload files, delete fifes, update files.

What type of access-control has just been created?

ATask based access control.

BRole based access control.

CRule based access control.

DMandatory access control.

Answer : B

Question 257

You are undertaking a qualitative risk assessment of a likely security threat to an information system.

What is the MAIN issue with this type of risk assessment?

AThese risk assessments are largely subjective and require agreement on rankings beforehand.

BDealing with statistical and other numeric data can often be hard to interpret.

CThere needs to be a large amount of previous data to 'train' a qualitative risk methodology.

DIt requires the use of complex software tools to undertake this risk assessment.

Answer : A

Question 258

Which of the following compliance legal requirements are covered by the ISO/IEC 27000 series?

1. Intellectual Property Rights.

2. Protection of Organisational Records

3. Forensic recovery of data.

4. Data Deduplication.

5. Data Protection & Privacy.

A1, 2 and 3

B3, 4 and 5

C2, 3 and 4

D1, 2 and 5

Answer : D

Question 259

Which cryptographic protocol preceded Transport Layer Security (TLS)?

APublic Key Infrastructure (PKI).

BSimple Network Management Protocol (SNMP).

CSecure Sockets Layer (SSL).

DHypertext Transfer Protocol Secure (HTTPS)

Answer : C

Question 260

When securing a wireless network, which of the following is NOT best practice?

AUsing WPA encryption on the wireless network.

BUse MAC tittering on a SOHO network with a smart group of clients.

CDedicating an access point on a dedicated VLAN connected to a firewall.

DTurning on SSID broadcasts to advertise security levels.

Answer : D

Question 261

Which standards framework offers a set of IT Service Management best practices to assist organisations in aligning IT service delivery with business goals - including security goals?

AITIL.

BSABSA.

CCOBIT

DISAGA.

Answer : A

Question 262

Which of the following is considered to be the GREATEST risk to information systems that results from deploying end-to-end Internet of Things (IoT) solutions?

AUse of 'cheap' microcontroller based sensors.

BMuch larger attack surface than traditional IT systems.

CUse of proprietary networking protocols between nodes.

DUse of cloud based systems to collect loT data.

Answer : B

Question 263

As well as being permitted to access, create, modify and delete information, what right does an Information Owner NORMALLY have in regard to their information?

ATo assign access privileges to others.

BTo modify associated information that may lead to inappropriate disclosure.

CTo access information held in the same format and file structure.

DTo delete all indexed data in the dataset.

Answer : A

Question 264

Which of the following uses are NOT usual ways that attackers have of leveraging botnets?

AGenerating and distributing spam messages.

BConducting DDOS attacks.

CScanning for system & application vulnerabilities.

DUndertaking vishing attacks

Answer : D

Botnets are typically used by attackers for a variety of malicious activities, most commonly for:

Generating and distributing spam messages: Botnets can send out large volumes of spam emails to promote products or services, or to distribute malware.

Conducting DDoS attacks: Distributed Denial of Service (DDoS) attacks are often carried out using botnets to overwhelm a target's servers with traffic.

Scanning for system & application vulnerabilities: Botnets can be used to scan a large number of systems for vulnerabilities that can be exploited in further attacks.

Question 265

Which of the following is an asymmetric encryption algorithm?

ADES.

BAES.

CATM.

DRSA.

Answer : D

Question 266

Which of the following types of organisation could be considered the MOST at risk from the theft of electronic based credit card data?

AOnline retailer.

BTraditional market trader.

CMail delivery business.

DAgricultural producer.

Answer : A

Additional insights can be found in the Information Security Management Principles, 3rd Edition by Andy Taylor, David Alexander, Amanda Finch, David Sutton2.

Question 267

When seeking third party digital forensics services, what two attributes should one seek when making a choice of service provider?

AAppropriate company accreditation and staff certification.

BFormal certification to ISO/IEC 27001 and alignment with ISO 17025.

CAffiliation with local law enforcement bodies and local government regulations.

DClean credit references as well as international experience.

Answer : A

Question 268

Which of the following acronyms covers the real-time analysis of security alerts generated by applications and network hardware?

ACERT

BSIEM.

CCISM.

DDDoS.

Answer : B

Question 269

How might the effectiveness of a security awareness program be effectively measured?

1) Employees are required to take an online multiple choice exam on security principles.

2) Employees are tested with social engineering techniques by an approved penetration tester.

3) Employees practice ethical hacking techniques on organisation systems.

4) No security vulnerabilities are reported during an audit.

5) Open source intelligence gathering is undertaken on staff social media profiles.

A3, 4 and 5.

B2, 4 and 5.

C1, 2 and 3.

D1, 2 and 5.

Answer : D

The effectiveness of a security awareness program can be measured through various methods that assess both the knowledge and behavior of employees regarding security practices.

Open source intelligence gathering on staff social media profiles: This method can reveal whether employees are adhering to security policies by not disclosing sensitive information publicly.

Question 270

Which of the following is NOT a valid statement to include in an organisation's security policy?

AThe policy has the support of Board and the Chief Executive.

BThe policy has been agreed and amended to suit all third party contractors.

CHow the organisation will manage information assurance.

DThe compliance with legal and regulatory obligations.

Answer : B

Question 271

What is the name of the method used to illicitly target a senior person in an organisation so as to try to coerce them Into taking an unwanted action such as a misdirected high-value payment?

AWhaling.

BSpear-phishing.

CC-suite spamming.

DTrawling.

Answer : A

Question 272

What form of training SHOULD developers be undertaking to understand the security of the code they have written and how it can improve security defence whilst being attacked?

ARed Team Training.

BBlue Team Training.

CBlack Hat Training.

DAwareness Training.

Answer : D

Question 273

Which of the following is MOST LIKELY to be described as a consequential loss?

AReputation damage.

BMonetary theft.

CService disruption.

DProcessing errors.

Answer : A

Question 274

Which of the following compliance legal requirements are covered by the ISO/IEC 27000 series?

1. Intellectual Property Rights.

2. Protection of Organisational Records

3. Forensic recovery of data.

4. Data Deduplication.

5. Data Protection & Privacy.

A1, 2 and 3

B3, 4 and 5

C2, 3 and 4

D1, 2 and 5

Answer : D

Question 275

Which of the following uses are NOT usual ways that attackers have of leveraging botnets?

AGenerating and distributing spam messages.

BConducting DDOS attacks.

CScanning for system & application vulnerabilities.

DUndertaking vishing attacks

Answer : D

Botnets are typically used by attackers for a variety of malicious activities, most commonly for:

Generating and distributing spam messages: Botnets can send out large volumes of spam emails to promote products or services, or to distribute malware.

Conducting DDoS attacks: Distributed Denial of Service (DDoS) attacks are often carried out using botnets to overwhelm a target's servers with traffic.

Scanning for system & application vulnerabilities: Botnets can be used to scan a large number of systems for vulnerabilities that can be exploited in further attacks.

Question 276

Which standard deals with the implementation of business continuity?

AISO/IEC 27001

BCOBIT

CIS0223G1.

DBS5750.

Answer : C

Question 277

How does the use of a "single sign-on" access control policy improve the security for an organisation implementing the policy?

APassword is better encrypted for system authentication.

BAccess control logs are centrally located.

CHelps prevent the likelihood of users writing down passwords.

DDecreases the complexity of passwords users have to remember.

Answer : C

Question 278

When securing a wireless network, which of the following is NOT best practice?

AUsing WPA encryption on the wireless network.

BUse MAC tittering on a SOHO network with a smart group of clients.

CDedicating an access point on a dedicated VLAN connected to a firewall.

DTurning on SSID broadcasts to advertise security levels.

Answer : D

Question 279

What term refers to the shared set of values within an organisation that determine how people are expected to behave in regard to information security?

ACode of Ethics.

BSecurity Culture.

CSystem Operating Procedures.

DSecurity Policy Framework.

Answer : B

ACode of Ethicstypically outlines the principles and moral values that guide the behavior of individuals within an organization but does not specifically address information security behaviors.

Question 280

Which membership based organisation produces international standards, which cover good practice for information assurance?

ABSI.

BIETF.

COWASP.

DISF.

Answer : A

Question 281

Which of the following is NOT an information security specific vulnerability?

AUse of HTTP based Apache web server.

BUnpatched Windows operating system.

CConfidential data stored in a fire safe.

DUse of an unlocked filing cabinet.

Answer : C

A: Use of HTTP for an Apache web server could allow for interception of data due to lack of encryption.

B: An unpatched Windows operating system could have known security flaws that can be exploited.

D: An unlocked filing cabinet could lead to unauthorized physical access to sensitive documents.

Question 282

In software engineering, what does 'Security by Design'' mean?

ALow Level and High Level Security Designs are restricted in distribution.

BAll security software artefacts are subject to a code-checking regime.

CThe software has been designed from its inception to be secure.

DAll code meets the technical requirements of GDPR.

Answer : C

Question 283

Which of the following is the MOST important reason for undertaking Continual Professional Development (CPD) within the Information Security sphere?

AProfessional qualification bodies demand CPD.

BInformation Security changes constantly and at speed.

CIT certifications require CPD and Security needs to remain credible.

DCPD is a prerequisite of any Chartered Institution qualification.

Answer : B

Question 284

Which of the following statements relating to digital signatures is TRUE?

ADigital signatures are rarely legally enforceable even if the signers know they are signing a legal document.

BDigital signatures are valid and enforceable in law in most countries in the world.

CDigital signatures are legal unless there is a statutory requirement that predates the digital age.

DA digital signature that uses a signer's private key is illegal.

Answer : B

Question 285

What Is the KEY purpose of appending security classification labels to information?

ATo provide guidance and instruction on implementing appropriate security controls to protect the information.

BTo comply with whatever mandatory security policy framework is in place within the geographical location in question.

CTo ensure that should the information be lost in transit, it can be returned to the originator using the correct protocols.

DTo make sure the correct colour-coding system is used when the information is ready for archive.

Answer : A

Question 286

What are the different methods that can be used as access controls?

1. Detective.

2. Physical.

3. Reactive.

4. Virtual.

5. Preventive.

A1, 2 and 4.

B1, 2 and 3.

C1, 2 and 5.

D3, 4 and 5.

Answer : C

Detective: These controls are designed to identify and record unauthorized access attempts. They do not prevent access but are useful for auditing and monitoring purposes.

Physical: Physical controls are tangible measures taken to protect assets, such as locks, fences, and security guards.

Preventive: Preventive controls are designed to stop unauthorized access before it happens. This includes mechanisms like passwords, biometric scans, and encryption.

Question 287

What aspect of an employee's contract of employment Is designed to prevent the unauthorised release of confidential data to third parties even after an employee has left their employment?

ASegregation of Duties.

BNon-disclosure.

CAcceptable use policy.

DSecurity clearance.

Answer : B

Question 288

Which term describes the acknowledgement and acceptance of ownership of actions, decisions, policies and deliverables?

AAccountability.

BResponsibility.

CCredibility.

DConfidentiality.

Answer : A

Question 289

When considering outsourcing the processing of data, which two legal "duty of care" considerations SHOULD the original data owner make?

1 Third party is competent to process the data securely.

2. Observes the same high standards as data owner.

3. Processes the data wherever the data can be transferred.

4. Archive the data for long term third party's own usage.

A2 and 3.

B3 and 4.

C1 and 4.

D1 and 2.

Answer : D

Question 290

Which algorithm is a current specification for the encryption of electronic data established by NIST?

ARSA.

BAES.

CDES.

DPGP.

Answer : B

Question 291

What form of attack against an employee has the MOST impact on their compliance with the organisation's "code of conduct"?

ABrute Force Attack.

BSocial Engineering.

CRansomware.

DDenial of Service.

Answer : B

Question 292

When calculating the risk associated with a vulnerability being exploited, how is this risk calculated?

ARisk = Likelihood * Impact.

BRisk = Likelihood / Impact.

CRisk = Vulnerability / Threat.

DRisk = Threat * Likelihood.

Answer : A

Question 293

Which of the following is a framework and methodology for Enterprise Security Architecture and Service Management?

ATOGAF

BSABSA

CPCI DSS.

DOWASP.

Answer : B

Question 294

When seeking third party digital forensics services, what two attributes should one seek when making a choice of service provider?

AAppropriate company accreditation and staff certification.

BFormal certification to ISO/IEC 27001 and alignment with ISO 17025.

CAffiliation with local law enforcement bodies and local government regulations.

DClean credit references as well as international experience.

Answer : A

Question 295

Which of the following is often the final stage in the information management lifecycle?

ADisposal.

BCreation.

CUse.

DPublication.

Answer : A

Question 296

Once data has been created In a standard information lifecycle, what step TYPICALLY happens next?

AData Deletion.

BData Archiving.

CData Storage.

DData Publication

Answer : C

Question 297

As well as being permitted to access, create, modify and delete information, what right does an Information Owner NORMALLY have in regard to their information?

ATo assign access privileges to others.

BTo modify associated information that may lead to inappropriate disclosure.

CTo access information held in the same format and file structure.

DTo delete all indexed data in the dataset.

Answer : A

Question 298

What Is the PRIMARY difference between DevOps and DevSecOps?

AWithin DevSecOps security is introduced at the end of development immediately prior to deployment.

BDevSecOps focuses solely on iterative development cycles.

CDevSecOps includes security on the same level as continuous integration and delivery.

DDevOps mandates that security is integrated at the beginning of the development lifecycle.

Answer : C

Question 299

Which standards framework offers a set of IT Service Management best practices to assist organisations in aligning IT service delivery with business goals - including security goals?

AITIL.

BSABSA.

CCOBIT

DISAGA.

Answer : A

Question 300

Which of the following is an asymmetric encryption algorithm?

ADES.

BAES.

CATM.

DRSA.

Answer : D

Question 301

What is the name of the method used to illicitly target a senior person in an organisation so as to try to coerce them Into taking an unwanted action such as a misdirected high-value payment?

AWhaling.

BSpear-phishing.

CC-suite spamming.

DTrawling.

Answer : A

Question 302

Which of the following acronyms covers the real-time analysis of security alerts generated by applications and network hardware?

ACERT

BSIEM.

CCISM.

DDDoS.

Answer : B

Question 303

Which of the following is the MOST important reason for undertaking Continual Professional Development (CPD) within the Information Security sphere?

AProfessional qualification bodies demand CPD.

BInformation Security changes constantly and at speed.

CIT certifications require CPD and Security needs to remain credible.

DCPD is a prerequisite of any Chartered Institution qualification.

Answer : B

Question 304

In software engineering, what does 'Security by Design'' mean?

ALow Level and High Level Security Designs are restricted in distribution.

BAll security software artefacts are subject to a code-checking regime.

CThe software has been designed from its inception to be secure.

DAll code meets the technical requirements of GDPR.

Answer : C

Question 305

Which of the following is considered to be the GREATEST risk to information systems that results from deploying end-to-end Internet of Things (IoT) solutions?

AUse of 'cheap' microcontroller based sensors.

BMuch larger attack surface than traditional IT systems.

CUse of proprietary networking protocols between nodes.

DUse of cloud based systems to collect loT data.

Answer : B

Question 306

Which types of organisations are likely to be the target of DDoS attacks?

ACloud service providers.

BAny financial sector organisations.

COnline retail based organisations.

DAny organisation with an online presence.

Answer : D

Question 307

Why is it prudent for Third Parties to be contracted to meet specific security standards?

AVulnerabilities in Third Party networks can be malevolently leveraged to gain illicit access into client environments.

BIt is a legal requirement for Third Party support companies to meet client security standards.

CAll access to corporate systems must be controlled via a single set of rules if they are to be enforceable.

DThird Parties cannot connect to other sites and networks without a contract of similar legal agreement.

Answer : A

Question 308

You are undertaking a qualitative risk assessment of a likely security threat to an information system.

What is the MAIN issue with this type of risk assessment?

AThese risk assessments are largely subjective and require agreement on rankings beforehand.

BDealing with statistical and other numeric data can often be hard to interpret.

CThere needs to be a large amount of previous data to 'train' a qualitative risk methodology.

DIt requires the use of complex software tools to undertake this risk assessment.

Answer : A

Question 309

Which standard deals with the implementation of business continuity?

AISO/IEC 27001

BCOBIT

CIS0223G1.

DBS5750.

Answer : C

Question 310

Which of the following statements relating to digital signatures is TRUE?

ADigital signatures are rarely legally enforceable even if the signers know they are signing a legal document.

BDigital signatures are valid and enforceable in law in most countries in the world.

CDigital signatures are legal unless there is a statutory requirement that predates the digital age.

DA digital signature that uses a signer's private key is illegal.

Answer : B

Question 311

Which of the following describes a qualitative risk assessment approach?

AA subjective assessment of risk occurrence likelihood against the potential impact that determines the overall severity of a risk.

BThe use of verifiable data to predict the risk occurrence likelihood and the potential impact so as to determine the overall severity of a risk.

CThe use of Monte-Carlo Analysis and Layers of Protection Analysis (LOPA) to determine the overall severity of a risk.

DThe use of Risk Tolerance and Risk Appetite values to determine the overall severity of a risk

Answer : A

Question 312

According to ISO/IEC 27000, which of the following is the definition of a vulnerability?

AA weakness of an asset or group of assets that can be exploited by one or more threats.

BThe impact of a cyber attack on an asset or group of assets.

CThe threat that an asset or group of assets may be damaged by an exploit.

DThe damage that has been caused by a weakness iin a system.

Answer : A

Question 313

As well as being permitted to access, create, modify and delete information, what right does an Information Owner NORMALLY have in regard to their information?

ATo assign access privileges to others.

BTo modify associated information that may lead to inappropriate disclosure.

CTo access information held in the same format and file structure.

DTo delete all indexed data in the dataset.

Answer : A

Question 314

What does a penetration test do that a Vulnerability Scan does NOT?

AA penetration test seeks to actively exploit any known or discovered vulnerabilities.

BA penetration test looks for known vulnerabilities and reports them without further action.

CA penetration test is always an automated process - a vulnerability scan never is.

DA penetration test never uses common tools such as Nrnap, Nessus and Metasploit.

Answer : A

Question 315

When considering outsourcing the processing of data, which two legal "duty of care" considerations SHOULD the original data owner make?

1 Third party is competent to process the data securely.

2. Observes the same high standards as data owner.

3. Processes the data wherever the data can be transferred.

4. Archive the data for long term third party's own usage.

A2 and 3.

B3 and 4.

C1 and 4.

D1 and 2.

Answer : D

Question 316

A system administrator has created the following "array" as an access control for an organisation.

Developers: create files, update files.

Reviewers: upload files, update files.

Administrators: upload files, delete fifes, update files.

What type of access-control has just been created?

ATask based access control.

BRole based access control.

CRule based access control.

DMandatory access control.

Answer : B

Question 317

You are undertaking a qualitative risk assessment of a likely security threat to an information system.

What is the MAIN issue with this type of risk assessment?

AThese risk assessments are largely subjective and require agreement on rankings beforehand.

BDealing with statistical and other numeric data can often be hard to interpret.

CThere needs to be a large amount of previous data to 'train' a qualitative risk methodology.

DIt requires the use of complex software tools to undertake this risk assessment.

Answer : A

Question 318

In order to better improve the security culture within an organisation with a top down approach, which of the following actions at board level is the MOST effective?

AAppointment of a Chief Information Security Officer (CISO).

BPurchasing all senior executives personal firewalls.

CAdopting an organisation wide 'clear desk' policy.

DDeveloping a security awareness e-learning course.

Answer : A

Question 319

What form of risk assessment is MOST LIKELY to provide objective support for a security Return on Investment case?

AISO/IEC 27001.

BQualitative.

CCPNI.

DQuantitative

Answer : D

Question 320

In terms of security culture, what needs to be carried out as an integral part of security by all members of an organisation and is an essential component to any security regime?

AThe 'need to known principle.

BVerification of visitor's ID

CAppropriate behaviours.

DAccess denial measures

Answer : C

Question 321

Which of the following is a framework and methodology for Enterprise Security Architecture and Service Management?

ATOGAF

BSABSA

CPCI DSS.

DOWASP.

Answer : B

Question 322

Which of the following is LEASTLIKELY to be the result of a global pandemic impacting on information security?

AA large increase in remote workers operating in insecure premises.

BAdditional physical security requirements at data centres and corporate headquarters.

CIncreased demand on service desks as users need additional tools such as VPNs.

DAn upsurge in activity by attackers seeking vulnerabilities caused by operational changes.

Answer : B

Question 323

How might the effectiveness of a security awareness program be effectively measured?

1) Employees are required to take an online multiple choice exam on security principles.

2) Employees are tested with social engineering techniques by an approved penetration tester.

3) Employees practice ethical hacking techniques on organisation systems.

4) No security vulnerabilities are reported during an audit.

5) Open source intelligence gathering is undertaken on staff social media profiles.

A3, 4 and 5.

B2, 4 and 5.

C1, 2 and 3.

D1, 2 and 5.

Answer : D

The effectiveness of a security awareness program can be measured through various methods that assess both the knowledge and behavior of employees regarding security practices.

Open source intelligence gathering on staff social media profiles: This method can reveal whether employees are adhering to security policies by not disclosing sensitive information publicly.

Question 324

Which of the following describes a qualitative risk assessment approach?

AA subjective assessment of risk occurrence likelihood against the potential impact that determines the overall severity of a risk.

BThe use of verifiable data to predict the risk occurrence likelihood and the potential impact so as to determine the overall severity of a risk.

CThe use of Monte-Carlo Analysis and Layers of Protection Analysis (LOPA) to determine the overall severity of a risk.

DThe use of Risk Tolerance and Risk Appetite values to determine the overall severity of a risk

Answer : A

Question 325

What is the name of the method used to illicitly target a senior person in an organisation so as to try to coerce them Into taking an unwanted action such as a misdirected high-value payment?

AWhaling.

BSpear-phishing.

CC-suite spamming.

DTrawling.

Answer : A

Question 326

What term refers to the shared set of values within an organisation that determine how people are expected to behave in regard to information security?

ACode of Ethics.

BSecurity Culture.

CSystem Operating Procedures.

DSecurity Policy Framework.

Answer : B

ACode of Ethicstypically outlines the principles and moral values that guide the behavior of individuals within an organization but does not specifically address information security behaviors.

Question 327

Which three of the following characteristics form the AAA Triad in Information Security?

1. Authentication

2. Availability

3. Accounting

4. Asymmetry

5. Authorisation

A1, 2 and 3.

B2, 4, and 5.

C1, 3 and 4.

D1, 3 and 5.

Answer : D

Authenticationis the process of verifying the identity of a user or entity. It ensures that individuals are who they claim to be. This can involve methods such as passwords, biometrics, or tokens.

Authorizationdetermines what an authenticated user is allowed to do. It involves granting or denying rights to access resources and perform actions within a system based on the user's identity.

Question 328

Which of the following is an accepted strategic option for dealing with risk?

ACorrection.

BDetection.

CForbearance.

DAcceptance

Answer : D

Question 329

Which of the following is NOT a valid statement to include in an organisation's security policy?

AThe policy has the support of Board and the Chief Executive.

BThe policy has been agreed and amended to suit all third party contractors.

CHow the organisation will manage information assurance.

DThe compliance with legal and regulatory obligations.

Answer : B

Question 330

Select the document that is MOST LIKELY to contain direction covering the security and utilisation of all an organisation's information and IT equipment, as well as email, internet and telephony.

ACryptographic Statement.

BSecurity Policy Framework.

CAcceptable Usage Policy.

DBusiness Continuity Plan.

Answer : C

Question 331

Which of the following is NOT an information security specific vulnerability?

AUse of HTTP based Apache web server.

BUnpatched Windows operating system.

CConfidential data stored in a fire safe.

DUse of an unlocked filing cabinet.

Answer : C

A: Use of HTTP for an Apache web server could allow for interception of data due to lack of encryption.

B: An unpatched Windows operating system could have known security flaws that can be exploited.

D: An unlocked filing cabinet could lead to unauthorized physical access to sensitive documents.

Question 332

According to ISO/IEC 27000, which of the following is the definition of a vulnerability?

AA weakness of an asset or group of assets that can be exploited by one or more threats.

BThe impact of a cyber attack on an asset or group of assets.

CThe threat that an asset or group of assets may be damaged by an exploit.

DThe damage that has been caused by a weakness iin a system.

Answer : A

Question 333

When securing a wireless network, which of the following is NOT best practice?

AUsing WPA encryption on the wireless network.

BUse MAC tittering on a SOHO network with a smart group of clients.

CDedicating an access point on a dedicated VLAN connected to a firewall.

DTurning on SSID broadcasts to advertise security levels.

Answer : D

Question 334

Which of the below business practices does this statement define?

AInformation Lifecycle Management.

BInformation Quality Management.

CTotal Quality Management.

DBusiness Continuity Management.

Answer : A

Question 335

What aspect of an employee's contract of employment Is designed to prevent the unauthorised release of confidential data to third parties even after an employee has left their employment?

ASegregation of Duties.

BNon-disclosure.

CAcceptable use policy.

DSecurity clearance.

Answer : B

Question 336

What Is the KEY purpose of appending security classification labels to information?

ATo provide guidance and instruction on implementing appropriate security controls to protect the information.

BTo comply with whatever mandatory security policy framework is in place within the geographical location in question.

CTo ensure that should the information be lost in transit, it can be returned to the originator using the correct protocols.

DTo make sure the correct colour-coding system is used when the information is ready for archive.

Answer : A

Question 337

In software engineering, what does 'Security by Design'' mean?

ALow Level and High Level Security Designs are restricted in distribution.

BAll security software artefacts are subject to a code-checking regime.

CThe software has been designed from its inception to be secure.

DAll code meets the technical requirements of GDPR.

Answer : C

Question 338

Which term is used to describe the set of processes that analyses code to ensure defined coding practices are being followed?

AQuality Assurance and Control

BDynamic verification.

CStatic verification.

DSource code analysis.

Answer : C

Question 339

When calculating the risk associated with a vulnerability being exploited, how is this risk calculated?

ARisk = Likelihood * Impact.

BRisk = Likelihood / Impact.

CRisk = Vulnerability / Threat.

DRisk = Threat * Likelihood.

Answer : A

Question 340

In terms of security culture, what needs to be carried out as an integral part of security by all members of an organisation and is an essential component to any security regime?

AThe 'need to known principle.

BVerification of visitor's ID

CAppropriate behaviours.

DAccess denial measures

Answer : C

Question 341

Which three of the following characteristics form the AAA Triad in Information Security?

1. Authentication

2. Availability

3. Accounting

4. Asymmetry

5. Authorisation

A1, 2 and 3.

B2, 4, and 5.

C1, 3 and 4.

D1, 3 and 5.

Answer : D

Authenticationis the process of verifying the identity of a user or entity. It ensures that individuals are who they claim to be. This can involve methods such as passwords, biometrics, or tokens.

Authorizationdetermines what an authenticated user is allowed to do. It involves granting or denying rights to access resources and perform actions within a system based on the user's identity.

Question 342

Once data has been created In a standard information lifecycle, what step TYPICALLY happens next?

AData Deletion.

BData Archiving.

CData Storage.

DData Publication

Answer : C

Question 343

In order to better improve the security culture within an organisation with a top down approach, which of the following actions at board level is the MOST effective?

AAppointment of a Chief Information Security Officer (CISO).

BPurchasing all senior executives personal firewalls.

CAdopting an organisation wide 'clear desk' policy.

DDeveloping a security awareness e-learning course.

Answer : A

Question 344

Why have MOST European countries developed specific legislation that permits police and security services to monitor communications traffic for specific purposes, such as the detection of crime?

AUnder the European Convention of Human Rights, the interception of telecommunications represents an interference with the right to privacy.

BGDPR overrides all previous legislation on information handling, so new laws were needed to ensure authorities did not inadvertently break the law.

CPolice could previously intercept without lawful authority any communications in the course of transmission through a public post or telecoms system.

DSurveillance of a conversation or an online message by law enforcement agents was previously illegal due to the 1950 version of the Human Rights Convention.

Answer : A

Question 345

What are the different methods that can be used as access controls?

1. Detective.

2. Physical.

3. Reactive.

4. Virtual.

5. Preventive.

A1, 2 and 4.

B1, 2 and 3.

C1, 2 and 5.

D3, 4 and 5.

Answer : C

Detective: These controls are designed to identify and record unauthorized access attempts. They do not prevent access but are useful for auditing and monitoring purposes.

Physical: Physical controls are tangible measures taken to protect assets, such as locks, fences, and security guards.

Preventive: Preventive controls are designed to stop unauthorized access before it happens. This includes mechanisms like passwords, biometric scans, and encryption.

Question 346

Which of the following types of organisation could be considered the MOST at risk from the theft of electronic based credit card data?

AOnline retailer.

BTraditional market trader.

CMail delivery business.

DAgricultural producer.

Answer : A

Additional insights can be found in the Information Security Management Principles, 3rd Edition by Andy Taylor, David Alexander, Amanda Finch, David Sutton2.

Question 347

How might the effectiveness of a security awareness program be effectively measured?

1) Employees are required to take an online multiple choice exam on security principles.

2) Employees are tested with social engineering techniques by an approved penetration tester.

3) Employees practice ethical hacking techniques on organisation systems.

4) No security vulnerabilities are reported during an audit.

5) Open source intelligence gathering is undertaken on staff social media profiles.

A3, 4 and 5.

B2, 4 and 5.

C1, 2 and 3.

D1, 2 and 5.

Answer : D

The effectiveness of a security awareness program can be measured through various methods that assess both the knowledge and behavior of employees regarding security practices.

Open source intelligence gathering on staff social media profiles: This method can reveal whether employees are adhering to security policies by not disclosing sensitive information publicly.

Question 348

Which standards framework offers a set of IT Service Management best practices to assist organisations in aligning IT service delivery with business goals - including security goals?

AITIL.

BSABSA.

CCOBIT

DISAGA.

Answer : A

Question 349

Which cryptographic protocol preceded Transport Layer Security (TLS)?

APublic Key Infrastructure (PKI).

BSimple Network Management Protocol (SNMP).

CSecure Sockets Layer (SSL).

DHypertext Transfer Protocol Secure (HTTPS)

Answer : C

Question 350

Which of the following uses are NOT usual ways that attackers have of leveraging botnets?

AGenerating and distributing spam messages.

BConducting DDOS attacks.

CScanning for system & application vulnerabilities.

DUndertaking vishing attacks

Answer : D

Botnets are typically used by attackers for a variety of malicious activities, most commonly for:

Generating and distributing spam messages: Botnets can send out large volumes of spam emails to promote products or services, or to distribute malware.

Conducting DDoS attacks: Distributed Denial of Service (DDoS) attacks are often carried out using botnets to overwhelm a target's servers with traffic.

Scanning for system & application vulnerabilities: Botnets can be used to scan a large number of systems for vulnerabilities that can be exploited in further attacks.

Question 351

When securing a wireless network, which of the following is NOT best practice?

AUsing WPA encryption on the wireless network.

BUse MAC tittering on a SOHO network with a smart group of clients.

CDedicating an access point on a dedicated VLAN connected to a firewall.

DTurning on SSID broadcasts to advertise security levels.

Answer : D

Question 352

In software engineering, what does 'Security by Design'' mean?

ALow Level and High Level Security Designs are restricted in distribution.

BAll security software artefacts are subject to a code-checking regime.

CThe software has been designed from its inception to be secure.

DAll code meets the technical requirements of GDPR.

Answer : C

Question 353

Why might the reporting of security incidents that involve personal data differ from other types of security incident?

APersonal data is not highly transient so its 1 investigation rarely involves the preservation of volatile memory and full forensic digital investigation.

BPersonal data is normally handled on both IT and non-IT systems so such incidents need to be managed in two streams.

CData Protection legislation normally requires the reporting of incidents involving personal data to a Supervisory Authority.

DData Protection legislation is process-oriented and focuses on quality assurance of procedures and governance rather than data-focused event investigation

Answer : C

Question 354

Which of the following is NOT a valid statement to include in an organisation's security policy?

AThe policy has the support of Board and the Chief Executive.

BThe policy has been agreed and amended to suit all third party contractors.

CHow the organisation will manage information assurance.

DThe compliance with legal and regulatory obligations.

Answer : B

Question 355

As well as being permitted to access, create, modify and delete information, what right does an Information Owner NORMALLY have in regard to their information?

ATo assign access privileges to others.

BTo modify associated information that may lead to inappropriate disclosure.

CTo access information held in the same format and file structure.

DTo delete all indexed data in the dataset.

Answer : A

Question 356

Which of the following is MOST LIKELY to be described as a consequential loss?

AReputation damage.

BMonetary theft.

CService disruption.

DProcessing errors.

Answer : A

Question 357

What Is the KEY purpose of appending security classification labels to information?

ATo provide guidance and instruction on implementing appropriate security controls to protect the information.

BTo comply with whatever mandatory security policy framework is in place within the geographical location in question.

CTo ensure that should the information be lost in transit, it can be returned to the originator using the correct protocols.

DTo make sure the correct colour-coding system is used when the information is ready for archive.

Answer : A

Question 358

What form of training SHOULD developers be undertaking to understand the security of the code they have written and how it can improve security defence whilst being attacked?

ARed Team Training.

BBlue Team Training.

CBlack Hat Training.

DAwareness Training.

Answer : D

Question 359

In a security governance framework, which of the following publications would be at the HIGHEST level?

AProcedures.

BStandards

CPolicy.

DGuidelines

Answer : C

Question 360

You are undertaking a qualitative risk assessment of a likely security threat to an information system.

What is the MAIN issue with this type of risk assessment?

AThese risk assessments are largely subjective and require agreement on rankings beforehand.

BDealing with statistical and other numeric data can often be hard to interpret.

CThere needs to be a large amount of previous data to 'train' a qualitative risk methodology.

DIt requires the use of complex software tools to undertake this risk assessment.

Answer : A

Question 361

When considering outsourcing the processing of data, which two legal "duty of care" considerations SHOULD the original data owner make?

1 Third party is competent to process the data securely.

2. Observes the same high standards as data owner.

3. Processes the data wherever the data can be transferred.

4. Archive the data for long term third party's own usage.

A2 and 3.

B3 and 4.

C1 and 4.

D1 and 2.

Answer : D

Question 362

Which types of organisations are likely to be the target of DDoS attacks?

ACloud service providers.

BAny financial sector organisations.

COnline retail based organisations.

DAny organisation with an online presence.

Answer : D

Question 363

What form of risk assessment is MOST LIKELY to provide objective support for a security Return on Investment case?

AISO/IEC 27001.

BQualitative.

CCPNI.

DQuantitative

Answer : D

Question 364

Which of the following is NOT considered to be a form of computer misuse?

AIllegal retention of personal data.

BIllegal interception of information.

CIllegal access to computer systems.

DDownloading of pirated software.

Answer : A

Question 365

When calculating the risk associated with a vulnerability being exploited, how is this risk calculated?

ARisk = Likelihood * Impact.

BRisk = Likelihood / Impact.

CRisk = Vulnerability / Threat.

DRisk = Threat * Likelihood.

Answer : A

Question 366

Which of the following is NOT an information security specific vulnerability?

AUse of HTTP based Apache web server.

BUnpatched Windows operating system.

CConfidential data stored in a fire safe.

DUse of an unlocked filing cabinet.

Answer : C

A: Use of HTTP for an Apache web server could allow for interception of data due to lack of encryption.

B: An unpatched Windows operating system could have known security flaws that can be exploited.

D: An unlocked filing cabinet could lead to unauthorized physical access to sensitive documents.

Question 367

Which of the following uses are NOT usual ways that attackers have of leveraging botnets?

AGenerating and distributing spam messages.

BConducting DDOS attacks.

CScanning for system & application vulnerabilities.

DUndertaking vishing attacks

Answer : D

Botnets are typically used by attackers for a variety of malicious activities, most commonly for:

Generating and distributing spam messages: Botnets can send out large volumes of spam emails to promote products or services, or to distribute malware.

Conducting DDoS attacks: Distributed Denial of Service (DDoS) attacks are often carried out using botnets to overwhelm a target's servers with traffic.

Scanning for system & application vulnerabilities: Botnets can be used to scan a large number of systems for vulnerabilities that can be exploited in further attacks.

Question 368

Which of the following describes a qualitative risk assessment approach?

AA subjective assessment of risk occurrence likelihood against the potential impact that determines the overall severity of a risk.

BThe use of verifiable data to predict the risk occurrence likelihood and the potential impact so as to determine the overall severity of a risk.

CThe use of Monte-Carlo Analysis and Layers of Protection Analysis (LOPA) to determine the overall severity of a risk.

DThe use of Risk Tolerance and Risk Appetite values to determine the overall severity of a risk

Answer : A

Question 369

When securing a wireless network, which of the following is NOT best practice?

AUsing WPA encryption on the wireless network.

BUse MAC tittering on a SOHO network with a smart group of clients.

CDedicating an access point on a dedicated VLAN connected to a firewall.

DTurning on SSID broadcasts to advertise security levels.

Answer : D

Question 370

Which of the following statutory requirements are likely to be of relevance to all organisations no matter which sector nor geographical location they operate in?

ASarbanes-Oxley.

BGDPR.

CHIPAA.

DFSA.

Answer : B

Question 371

What does a penetration test do that a Vulnerability Scan does NOT?

AA penetration test seeks to actively exploit any known or discovered vulnerabilities.

BA penetration test looks for known vulnerabilities and reports them without further action.

CA penetration test is always an automated process - a vulnerability scan never is.

DA penetration test never uses common tools such as Nrnap, Nessus and Metasploit.

Answer : A

Question 372

Which membership based organisation produces international standards, which cover good practice for information assurance?

ABSI.

BIETF.

COWASP.

DISF.

Answer : A

Question 373

When handling and investigating digital evidence to be used in a criminal cybercrime investigation, which of the following principles is considered BEST practice?

ADigital evidence must not be altered unless absolutely necessary.

BAcquiring digital evidence cart only be carried on digital devices which have been turned off.

CDigital evidence can only be handled by a member of law enforcement.

DDigital devices must be forensically 'clean' before investigation.

Answer : D

Question 374

What form of training SHOULD developers be undertaking to understand the security of the code they have written and how it can improve security defence whilst being attacked?

ARed Team Training.

BBlue Team Training.

CBlack Hat Training.

DAwareness Training.

Answer : D

Question 375

As well as being permitted to access, create, modify and delete information, what right does an Information Owner NORMALLY have in regard to their information?

ATo assign access privileges to others.

BTo modify associated information that may lead to inappropriate disclosure.

CTo access information held in the same format and file structure.

DTo delete all indexed data in the dataset.

Answer : A

Question 376

Which types of organisations are likely to be the target of DDoS attacks?

ACloud service providers.

BAny financial sector organisations.

COnline retail based organisations.

DAny organisation with an online presence.

Answer : D

Question 377

Once data has been created In a standard information lifecycle, what step TYPICALLY happens next?

AData Deletion.

BData Archiving.

CData Storage.

DData Publication

Answer : C

Question 378

What Is the PRIMARY security concern associated with the practice known as Bring Your Own Device (BYOD) that might affect a large organisation?

AMost BYOD involves the use of non-Windows hardware which is intrinsically insecure and open to abuse.

BThe organisation has significantly less control over the device than over a corporately provided and managed device.

CPrivately owned end user devices are not provided with the same volume nor frequency of security patch updates as a corporation.

DUnder GDPR it is illegal for an individual to use a personal device when handling personal information under corporate control.

Answer : B

Literature on BYOD security risks and mitigation strategies provides insights into the challenges and best practices for managing personal devices in a corporate environment2.

Reviews of security access control policies and techniques based on privacy requirements in a BYOD environment offer a systematic approach to addressing BYOD security concerns3.

Question 379

Which standard deals with the implementation of business continuity?

AISO/IEC 27001

BCOBIT

CIS0223G1.

DBS5750.

Answer : C

Question 380

Which security concept provides redundancy in the event a security control failure or the exploitation of a vulnerability?

ASystem Integrity.

BSandboxing.

CIntrusion Prevention System.

DDefence in depth.

Answer : D

Additional insights can be found in the Information Security Management Principles, 3rd Edition by Andy Taylor, David Alexander, Amanda Finch, David Sutton2.

Question 381

Which of the following is an accepted strategic option for dealing with risk?

ACorrection.

BDetection.

CForbearance.

DAcceptance

Answer : D

Question 382

Which of the following is NOT an accepted classification of security controls?

ANominative.

BPreventive.

CDetective.

DCorrective.

Answer : A

Question 383

Which of the following is often the final stage in the information management lifecycle?

ADisposal.

BCreation.

CUse.

DPublication.

Answer : A

Question 384

What form of attack against an employee has the MOST impact on their compliance with the organisation's "code of conduct"?

ABrute Force Attack.

BSocial Engineering.

CRansomware.

DDenial of Service.

Answer : B

Question 385

Which of the following is NOT considered to be a form of computer misuse?

AIllegal retention of personal data.

BIllegal interception of information.

CIllegal access to computer systems.

DDownloading of pirated software.

Answer : A

Question 386

Which standards framework offers a set of IT Service Management best practices to assist organisations in aligning IT service delivery with business goals - including security goals?

AITIL.

BSABSA.

CCOBIT

DISAGA.

Answer : A

Question 387

What form of training SHOULD developers be undertaking to understand the security of the code they have written and how it can improve security defence whilst being attacked?

ARed Team Training.

BBlue Team Training.

CBlack Hat Training.

DAwareness Training.

Answer : D

Question 388

In a security governance framework, which of the following publications would be at the HIGHEST level?

AProcedures.

BStandards

CPolicy.

DGuidelines

Answer : C

Question 389

Which types of organisations are likely to be the target of DDoS attacks?

ACloud service providers.

BAny financial sector organisations.

COnline retail based organisations.

DAny organisation with an online presence.

Answer : D

Question 390

According to ISO/IEC 27000, which of the following is the definition of a vulnerability?

AA weakness of an asset or group of assets that can be exploited by one or more threats.

BThe impact of a cyber attack on an asset or group of assets.

CThe threat that an asset or group of assets may be damaged by an exploit.

DThe damage that has been caused by a weakness iin a system.

Answer : A

Question 391

Why might the reporting of security incidents that involve personal data differ from other types of security incident?

APersonal data is not highly transient so its 1 investigation rarely involves the preservation of volatile memory and full forensic digital investigation.

BPersonal data is normally handled on both IT and non-IT systems so such incidents need to be managed in two streams.

CData Protection legislation normally requires the reporting of incidents involving personal data to a Supervisory Authority.

DData Protection legislation is process-oriented and focuses on quality assurance of procedures and governance rather than data-focused event investigation

Answer : C

Question 392

What Is the PRIMARY difference between DevOps and DevSecOps?

AWithin DevSecOps security is introduced at the end of development immediately prior to deployment.

BDevSecOps focuses solely on iterative development cycles.

CDevSecOps includes security on the same level as continuous integration and delivery.

DDevOps mandates that security is integrated at the beginning of the development lifecycle.

Answer : C

Question 393

Which of the following is considered to be the GREATEST risk to information systems that results from deploying end-to-end Internet of Things (IoT) solutions?

AUse of 'cheap' microcontroller based sensors.

BMuch larger attack surface than traditional IT systems.

CUse of proprietary networking protocols between nodes.

DUse of cloud based systems to collect loT data.

Answer : B

Question 394

Which membership based organisation produces international standards, which cover good practice for information assurance?

ABSI.

BIETF.

COWASP.

DISF.

Answer : A

Question 395

What aspect of an employee's contract of employment Is designed to prevent the unauthorised release of confidential data to third parties even after an employee has left their employment?

ASegregation of Duties.

BNon-disclosure.

CAcceptable use policy.

DSecurity clearance.

Answer : B

Question 396

What is the name of the method used to illicitly target a senior person in an organisation so as to try to coerce them Into taking an unwanted action such as a misdirected high-value payment?

AWhaling.

BSpear-phishing.

CC-suite spamming.

DTrawling.

Answer : A

Question 397

Which of the following statutory requirements are likely to be of relevance to all organisations no matter which sector nor geographical location they operate in?

ASarbanes-Oxley.

BGDPR.

CHIPAA.

DFSA.

Answer : B

Question 398

Which of the following is often the final stage in the information management lifecycle?

ADisposal.

BCreation.

CUse.

DPublication.

Answer : A

Question 399

Which standard deals with the implementation of business continuity?

AISO/IEC 27001

BCOBIT

CIS0223G1.

DBS5750.

Answer : C

Question 400

Why have MOST European countries developed specific legislation that permits police and security services to monitor communications traffic for specific purposes, such as the detection of crime?

AUnder the European Convention of Human Rights, the interception of telecommunications represents an interference with the right to privacy.

BGDPR overrides all previous legislation on information handling, so new laws were needed to ensure authorities did not inadvertently break the law.

CPolice could previously intercept without lawful authority any communications in the course of transmission through a public post or telecoms system.

DSurveillance of a conversation or an online message by law enforcement agents was previously illegal due to the 1950 version of the Human Rights Convention.

Answer : A

Question 401

Once data has been created In a standard information lifecycle, what step TYPICALLY happens next?

AData Deletion.

BData Archiving.

CData Storage.

DData Publication

Answer : C

Question 402

In software engineering, what does 'Security by Design'' mean?

ALow Level and High Level Security Designs are restricted in distribution.

BAll security software artefacts are subject to a code-checking regime.

CThe software has been designed from its inception to be secure.

DAll code meets the technical requirements of GDPR.

Answer : C

Question 403

Select the document that is MOST LIKELY to contain direction covering the security and utilisation of all an organisation's information and IT equipment, as well as email, internet and telephony.

ACryptographic Statement.

BSecurity Policy Framework.

CAcceptable Usage Policy.

DBusiness Continuity Plan.

Answer : C

Question 404

Which of the following types of organisation could be considered the MOST at risk from the theft of electronic based credit card data?

AOnline retailer.

BTraditional market trader.

CMail delivery business.

DAgricultural producer.

Answer : A

Additional insights can be found in the Information Security Management Principles, 3rd Edition by Andy Taylor, David Alexander, Amanda Finch, David Sutton2.

Question 405

What type of attack attempts to exploit the trust relationship between a user client based browser and server based websites forcing the submission of an authenticated request to a third party site?

AXSS.

BParameter Tampering

CSQL Injection.

DCSRF.

Answer : D

Reflectoring's 'Complete Guide to CSRF/XSRF (Cross-Site Request Forgery)'1.

OWASP Foundation's ''Anti CSRF Tokens ASP.NET'' article2.

Threat Intelligence's blog on 'Cross-Site Request Forgery (CSRF) - What Is It, How to Prevent It'3.

Question 406

Which of the following is the MOST important reason for undertaking Continual Professional Development (CPD) within the Information Security sphere?

AProfessional qualification bodies demand CPD.

BInformation Security changes constantly and at speed.

CIT certifications require CPD and Security needs to remain credible.

DCPD is a prerequisite of any Chartered Institution qualification.

Answer : B

Question 407

What are the different methods that can be used as access controls?

1. Detective.

2. Physical.

3. Reactive.

4. Virtual.

5. Preventive.

A1, 2 and 4.

B1, 2 and 3.

C1, 2 and 5.

D3, 4 and 5.

Answer : C

Detective: These controls are designed to identify and record unauthorized access attempts. They do not prevent access but are useful for auditing and monitoring purposes.

Physical: Physical controls are tangible measures taken to protect assets, such as locks, fences, and security guards.

Preventive: Preventive controls are designed to stop unauthorized access before it happens. This includes mechanisms like passwords, biometric scans, and encryption.

Question 408

Which of the following statements relating to digital signatures is TRUE?

ADigital signatures are rarely legally enforceable even if the signers know they are signing a legal document.

BDigital signatures are valid and enforceable in law in most countries in the world.

CDigital signatures are legal unless there is a statutory requirement that predates the digital age.

DA digital signature that uses a signer's private key is illegal.

Answer : B

Question 409

According to ISO/IEC 27000, which of the following is the definition of a vulnerability?

AA weakness of an asset or group of assets that can be exploited by one or more threats.

BThe impact of a cyber attack on an asset or group of assets.

CThe threat that an asset or group of assets may be damaged by an exploit.

DThe damage that has been caused by a weakness iin a system.

Answer : A

Question 410

Which of the following statutory requirements are likely to be of relevance to all organisations no matter which sector nor geographical location they operate in?

ASarbanes-Oxley.

BGDPR.

CHIPAA.

DFSA.

Answer : B

Question 411

Which of the following is an asymmetric encryption algorithm?

ADES.

BAES.

CATM.

DRSA.

Answer : D

Question 412

What advantage does the delivery of online security training material have over the distribution of printed media?

AUpdating online material requires a single edit. Printed material needs to be distributed physically.

BOnline training material is intrinsically more accurate than printed material.

CPrinted material is a 'discoverable record' and could expose the organisation to litigation in the event of an incident.

DOnline material is protected by international digital copyright legislation across most territories.

Answer : A

The delivery of online security training material offers several advantages over printed media. One of the key benefits is the ease of updating content. When updates are required, online materials can be edited quickly and efficiently, with changes being immediately available to all users.This contrasts with printed materials, which would require a new physical version to be produced and distributed, a process that is both time-consuming and resource-intensive1.

Furthermore, online training materials can be accessed from anywhere at any time, providing flexibility and convenience for learners.They also allow for interactive elements, such as quizzes and simulations, which can enhance the learning experience1.Additionally, online materials can be tracked for usage and completion, enabling organizations to monitor compliance with training requirements2.

While option C mentions a 'discoverable record,' this refers to the legal concept that materials may be used as evidence in litigation. However, this is not an advantage of online over printed media, as both can be discoverable. Option B's claim that online materials are intrinsically more accurate is not necessarily true, as accuracy depends on the content's quality, not the delivery method. Option D is incorrect because while online materials are protected by copyright laws, this is not an exclusive benefit over printed materials, which are also protected.

Question 413

Which of the following is LEASTLIKELY to be the result of a global pandemic impacting on information security?

AA large increase in remote workers operating in insecure premises.

BAdditional physical security requirements at data centres and corporate headquarters.

CIncreased demand on service desks as users need additional tools such as VPNs.

DAn upsurge in activity by attackers seeking vulnerabilities caused by operational changes.

Answer : B