BCS CISMP-V9 BCS Foundation Certificate in Information Security Management Principles V9.0 Exam Practice Test

Demo: 30 questions
Total 100 questions

BCS Foundation Certificate in Information Security Management Principles V9.0 Questions and Answers

Question 1

As well as being permitted to access, create, modify and delete information, what right does an Information Owner NORMALLY have in regard to their information?

Options:

A.

To assign access privileges to others.

B.

To modify associated information that may lead to inappropriate disclosure.

C.

To access information held in the same format and file structure.

D.

To delete all indexed data in the dataset.

Question 2

How might the effectiveness of a security awareness program be effectively measured?

1) Employees are required to take an online multiple choice exam on security principles.

2) Employees are tested with social engineering techniques by an approved penetration tester.

3) Employees practice ethical hacking techniques on organisation systems.

4) No security vulnerabilities are reported during an audit.

5) Open source intelligence gathering is undertaken on staff social media profiles.

Options:

A.

3, 4 and 5.

B.

2, 4 and 5.

C.

1, 2 and 3.

D.

1, 2 and 5.

Question 3

Ensuring the correctness of data inputted to a system is an example of which facet of information security?

Options:

A.

Confidentiality.

B.

Integrity.

C.

Availability.

D.

Authenticity.

Question 4

Why might the reporting of security incidents that involve personal data differ from other types of security incident?

Options:

A.

Personal data is not highly transient, so its investigation rarely involves the preservation of volatile memory and a full forensic digital investigation.

B.

Personal data is normally handled on both IT and non-IT systems so such incidents need to be managed in two streams.

C.

Data Protection legislation normally requires the reporting of incidents involving personal data to a Supervisory Authority.

D.

Data Protection legislation is process-oriented and focuses on quality assurance of procedures and governance rather than data-focused event investigation.

Question 5

When considering the disposal of confidential data, equipment and storage devices, what social engineering technique SHOULD always be taken into consideration?

Options:

A.

Spear Phishing.

B.

Shoulder Surfing.

C.

Dumpster Diving.

D.

Tailgating.

Question 6

What type of attack attempts to exploit the trust relationship between a user's client-based browser and server-based websites, forcing the submission of an authenticated request to a third-party site?

Options:

A.

XSS.

B.

Parameter Tampering.

C.

SQL Injection.

D.

CSRF.

Question 7

Why should a loading bay NEVER be used as a staff entrance?

Options:

A.

Loading bays are intrinsically vulnerable, so minimising the people traffic makes securing the areas easier and more effective.

B.

Loading bays are often dirty places, and staff could find their clothing damaged or made less appropriate for the office.

C.

Most countries have specific legislation covering loading bays and breaching this could impact on insurance status.

D.

Staff should always enter a facility via a dedicated entrance to ensure smooth access and egress.

Question 8

Which term is used to describe the set of processes that analyses code to ensure defined coding practices are being followed?

Options:

A.

Quality Assurance and Control.

B.

Dynamic verification.

C.

Static verification.

D.

Source code analysis.

Question 9

When a digital forensics investigator is conducting an investigation and handling the original data, what KEY principle must they adhere to?

Options:

A.

Ensure they are competent to be able to do so and be able to justify their actions.

B.

Ensure they are being observed by a senior investigator in all actions.

C.

Ensure they do not handle the evidence as that must be done by law enforcement officers.

D.

Ensure the data has been adjusted to meet the investigation requirements.

Question 10

When calculating the risk associated with a vulnerability being exploited, how is this risk calculated?

Options:

A.

Risk = Likelihood * Impact.

B.

Risk = Likelihood / Impact.

C.

Risk = Vulnerability / Threat.

D.

Risk = Threat * Likelihood.

Question 11

What is the root cause as to why SMS messages are open to attackers and abuse?

Options:

A.

The store and forward nature of SMS means it is considered a 'fire and forget service'.

B.

SMS technology was never intended to be used to transmit high risk content such as One-time payment codes.

C.

The vast majority of mobile phones globally support the SMS protocol inexpensively.

D.

There are only two mobile phone platforms - Android and iOS - reducing the number of target environments.

Question 12

A security analyst has been asked to provide a triple A service (AAA) for both wireless and remote access network services in an organization and must avoid using proprietary solutions.

What technology SHOULD they adopt?

Options:

A.

TACACS+

B.

RADIUS.

C.

OAuth.

D.

MS Access Database.

Question 13

Which of the following is an asymmetric encryption algorithm?

Options:

A.

DES.

B.

AES.

C.

ATM.

D.

RSA.

Question 14

What are the different methods that can be used as access controls?

1. Detective.

2. Physical.

3. Reactive.

4. Virtual.

5. Preventive.

Options:

A.

1, 2 and 4.

B.

1, 2 and 3.

C.

1, 2 and 5.

D.

3, 4 and 5.

Question 15

Which of the following describes a qualitative risk assessment approach?

Options:

A.

A subjective assessment of risk occurrence likelihood against the potential impact that determines the overall severity of a risk.

B.

The use of verifiable data to predict the risk occurrence likelihood and the potential impact so as to determine the overall severity of a risk.

C.

The use of Monte-Carlo Analysis and Layers of Protection Analysis (LOPA) to determine the overall severity of a risk.

D.

The use of Risk Tolerance and Risk Appetite values to determine the overall severity of a risk.

Question 16

Select the document that is MOST LIKELY to contain direction covering the security and utilisation of all an organisation's information and IT equipment, as well as email, internet and telephony.

Options:

A.

Cryptographic Statement.

B.

Security Policy Framework.

C.

Acceptable Usage Policy.

D.

Business Continuity Plan.

Question 17

Which security framework impacts on organisations that accept credit cards, process credit card transactions, store relevant data or transmit credit card data?

Options:

A.

PCI DSS.

B.

TOGAF.

C.

ENISA NIS.

D.

Sarbanes-Oxley.

Question 18

Which three of the following characteristics form the AAA Triad in Information Security?

1. Authentication

2. Availability

3. Accounting

4. Asymmetry

5. Authorisation

Options:

A.

1, 2 and 3.

B.

2, 4, and 5.

C.

1, 3 and 4.

D.

1, 3 and 5.

Question 19

When considering outsourcing the processing of data, which two legal "duty of care" considerations SHOULD the original data owner make?

1. Third party is competent to process the data securely.

2. Observes the same high standards as data owner.

3. Processes the data wherever the data can be transferred.

4. Archive the data for long term third party's own usage.

Options:

A.

2 and 3.

B.

3 and 4.

C.

1 and 4.

D.

1 and 2.

Question 20

Why is it prudent for Third Parties to be contracted to meet specific security standards?

Options:

A.

Vulnerabilities in Third Party networks can be malevolently leveraged to gain illicit access into client environments.

B.

It is a legal requirement for Third Party support companies to meet client security standards.

C.

All access to corporate systems must be controlled via a single set of rules if they are to be enforceable.

D.

Third Parties cannot connect to other sites and networks without a contract or similar legal agreement.

Question 21

Which of the following international standards deals with the retention of records?

Options:

A.

PCI DSS.

B.

RFC1918.

C.

ISO 15489.

D.

ISO/IEC 27002.

Question 22

Which of the following is NOT an information security specific vulnerability?

Options:

A.

Use of HTTP based Apache web server.

B.

Unpatched Windows operating system.

C.

Confidential data stored in a fire safe.

D.

Use of an unlocked filing cabinet.

Question 23

Which of the following statements relating to digital signatures is TRUE?

Options:

A.

Digital signatures are rarely legally enforceable even if the signers know they are signing a legal document.

B.

Digital signatures are valid and enforceable in law in most countries in the world.

C.

Digital signatures are legal unless there is a statutory requirement that predates the digital age.

D.

A digital signature that uses a signer’s private key is illegal.

Question 24

Which of the following is a framework and methodology for Enterprise Security Architecture and Service Management?

Options:

A.

TOGAF.

B.

SABSA.

C.

PCI DSS.

D.

OWASP.

Question 25

Which standards framework offers a set of IT Service Management best practices to assist organisations in aligning IT service delivery with business goals - including security goals?

Options:

A.

ITIL.

B.

SABSA.

C.

COBIT.

D.

ISACA.

Question 26

Which of the following testing methodologies TYPICALLY involves code analysis in an offline environment without ever actually executing the code?

Options:

A.

Dynamic Testing.

B.

Static Testing.

C.

User Testing.

D.

Penetration Testing.

Question 27

What aspect of an employee's contract of employment is designed to prevent the unauthorised release of confidential data to third parties even after an employee has left their employment?

Options:

A.

Segregation of Duties.

B.

Non-disclosure.

C.

Acceptable use policy.

D.

Security clearance.

Question 28

Which of the following is NOT considered to be a form of computer misuse?

Options:

A.

Illegal retention of personal data.

B.

Illegal interception of information.

C.

Illegal access to computer systems.

D.

Downloading of pirated software.

Question 29

Which term describes a vulnerability that is unknown and therefore has no mitigating control which is immediately and generally available?

Options:

A.

Advanced Persistent Threat.

B.

Trojan.

C.

Stealthware.

D.

Zero-day.

Question 30

What type of attack could directly affect the confidentiality of an unencrypted VoIP network?

Options:

A.

Packet Sniffing.

B.

Brute Force Attack.

C.

Ransomware.

D.

Vishing Attack.
