BCS Certificate in Information Security Management Principles
Sample Paper (Only 20 Questions)
2 Hour Examination

Record your surname/last/family name and initials on the Answer Sheet, writing in block capitals at the top and marking the relevant letter in each column.

Attempt all 100 multiple-choice questions; 1 mark is awarded to each question. Mark only one answer to each question. There are no trick questions.

A number of possible answers are given for each question, indicated by either A, B, C or D. Your answers should be indicated on the Answer Sheet by making a solid pencil mark inside the box representing your chosen answer. These can be found to the right of the question number on your Answer Sheet. If you make a mistake, erase your first mark, and put a mark in your new chosen answer column for that question.

Pass mark is 65/100.

Copying of this paper is expressly forbidden without the direct approval of BCS, The Chartered Institute for IT.

Copyright BCS 2012 Sample Paper Version 1.6 August 2012 Page 1 of 6
1 Quantitative risk assessment is
A. A mandatory audit requirement.
B. A numerical means to measure comparative risks.
C. Demanded by ISO/IEC 27001.
D. Only really possible with a computer-based analysis package.

2 The major purpose of information security in an organisation is
A. Implementing controls to reduce risks.
B. Ensuring that confidentiality of information is not breached.
C. Ensuring that computer systems are not hacked.
D. Supporting the effective and efficient achievement of the organisation's business objectives.

3 Most security breaches caused by employees are through
A. Errors.
B. Fraud.
C. Physical damage to equipment.
D. Malicious attacks.

4 Which of the following BEST describes business impact?
A. The effect on an organisation of a vulnerability being exploited.
B. The probability of a vulnerability being exploited against an organisation.
C. The effect on an organisation of the controls being adopted.
D. The number of vulnerabilities exploited in a given period.

5 Writing a security policy is important because
A. The ISO/IEC 27000 series requires it as part of its set of security documentation.
B. The organisation's Board of Directors knows the issues.
C. It sets out the organisation's formal stance on security for staff and contractors to see.
D. It ensures the security officer knows what they should be doing.
6 What is the name of the scheme that aims to ensure US companies abide by the European Union legislation on the privacy of personal data?
A. Safe Harbor.
B. Madrid Protocol.
C. Wassenaar Agreement.
D. WIPRO.

7 Information which can be proved true through observation, documents, records, or personal interview is called
A. Objective evidence.
B. Corrective action.
C. A non-conformity.
D. An opportunity for improvement.

8 The MOST common cause of many internal security incidents is
A. Poor recruitment processes.
B. Lack of security operating procedures.
C. Inadequate network protection measures.
D. Lack of awareness on the part of staff.

9 An example of a control which helps to protect against unintentional disclosure of information is
A. Regular incremental and full backups.
B. A formal disciplinary process.
C. Classification labelling of information.
D. Independent review of information security.

10 Useful additions to a security training programme for all staff members are
A. Links to vendor agnostic websites specific to information security.
B. White papers written by subject matter experts in information security.
C. Vendor brochures specific to information security.
D. Copies of textbooks specific to information security.
11 Computer viruses are
A. Only a problem with internet connected systems.
B. Potentially very serious.
C. A nuisance.
D. Easily detectable.

12 With respect to security, a third party connection contract should specify
A. All the agreed security requirements of each party.
B. Total compliance with ISO/IEC 27000 series.
C. ISO/IEC 27000 series certification.
D. A common security policy.

13 Non repudiation
A. Protects against the disclosure of information to unauthorised users.
B. Protects against a person denying later that a communication or transaction took place.
C. Assures that a person or system is who or what they claim to be.
D. Protects against unauthorised changes in data whether intentional or accidental.

14 Computer terminals in a stock, shares and bonds dealing room are set up to allow quick acceptance of trades. Which of the following would be the MOST sensible safeguard to limit loss through errors?
A. Thorough staff training in the need to be careful.
B. Separate authorisation of all trades.
C. Confirmation of all trades before committing.
D. Confirmation of trades which are over a set value.

15 Penetration testing is used primarily
A. By hackers.
B. To test physical security.
C. By computer operators.
D. By security specialists.
16 A trapdoor is
A. A structured programming technique.
B. A generally unknown exit out of or entry into a program.
C. A network programming technique.
D. A programming technique used in real-time systems.

17 What physical control system should be considered to prevent unauthorised access, damage and interference to IT services?
A. Closed Circuit TV cameras and alarm systems.
B. Defined security procedures.
C. A gate access control system requiring a security token.
D. A physical security policy.

18 An example of a record of Information Security Management System operation is
A. A clear desk policy.
B. A formal disciplinary process.
C. Business continuity plan test results.
D. The procedure for technical conformity checking.

19 Which of the following is a hashing algorithm used for?
A. Calculating random numbers.
B. Encrypting emails.
C. Mixing up user names.
D. Creating passwords.

20 When setting up a contract with a supplier for hosting cloud services, which of the following safeguards is most important?
1) The ability to recover all information from the cloud if the contract is terminated.
2) The confidentiality and integrity of downloading information from the cloud.
3) The make of hardware used by the hosting supplier.
4) The service level requirement for availability of the information.
A. 1, 2 and 4 only.
B. 2 and 3 only.
C. 1 and 4 only.
D. 1, 3 and 4 only.

-End of Paper-