1. Which areas of a company are recovery plans recommended for?
a. The areas that house the critical systems
b. The most important operational and financial areas
c. The areas that the company cannot survive without
d. All areas
2. If an employee is suspected of wrongdoing in a computer crime, what department must be involved? (Answer: Human Resources)
a. Legal Department
b. HR Department
c. ISMS Audit and Compliance
d. Security Department
3. Which of the following actions is least important when quantifying risks associated with a potential
disaster?
a. Identifying critical systems that support the company’s operations
b. Gathering information from agencies that report the probability of certain natural disasters
taking place in that area
c. Identifying the company’s key functions and business requirements
d. Estimating the potential loss and impact the company would face based on how long the outage
lasted
4. What document guarantees the quality of a service to a subscriber by a network service provider,
setting standards on response times, available bandwidth, and system up times?
a. Business continuity agreement
b. Service agreement
c. Business provider agreement
d. Service-level agreement
5. Which best describes a hot-site facility versus a warm or cold-site facility?
a. A site that has wiring, central air-conditioning, and raised flooring
b. A site that has all necessary PCs, servers, and telecommunications
c. A site that has disk drives, controllers, and tape drives
d. A mobile site that can be brought to the company’s parking lot
6. Risk assessment should be carried out in:
a. only high-risk workplaces
b. some workplaces
c. all workplaces
d. only large workplaces
7. BMG has a distinctive and advanced disaster recovery solution for its business. What would be the primary concern of BMG prior to the design of the disaster recovery site?
a. Cryptographic mechanism
b. Virtualization technology
c. Physical location
d. Load balancing
8. Cloud computing corresponds to which business resumption strategy?
a. Hot site
b. Warm site
c. Hybrid DRP
d. Cold site
9. What are the objectives of emergency actions taken at the beginning stage of a disaster?
Specifically, preventing injuries and loss of life.
a. determining damage
b. relocating operations
c. protecting evidence
d. mitigating damage
10. What is Contingency Planning?
a. Developing responses in advance for various situations that might impact a business.
b. Describing the impact of economic changes on a company, and defines how they should react to
a decrease in sales.
c. A plan local governments create that explains what they will do if a business declares
bankruptcy.
d. A plan that describes features a customer may wish to order, and how they impact the price of
the purchase.
11. Which of the following would be the first step in establishing an information security program?
a. Development and implementation of an information security standards manual
b. Development of a security awareness-training program
c. Adoption of a corporate information security policy statement
d. Purchase of security access control software
12. When should the BCP be reviewed?
a. Whenever encountering a disaster
b. At least annually or whenever significant changes occur
c. Whenever the company gets audited
d. Whenever the legal department declares it is time
13. What is the end goal of Disaster Recovery Planning?
a. Preventing business interruption
b. Setting up temporary business operations
c. Restoring normal business activity
d. Minimizing the impact of a disaster
14. When is it acceptable to not take action on an identified risk?
a. When the necessary countermeasure is complex.
b. When political issues prevent this type of risk from being addressed.
c. When the cost of the countermeasure outweighs the value of the asset and potential loss
d. Never. Good security addresses and reduces all risks.
15. Which of the following best describes remote journaling?
a. Send daily tapes containing transactions off-site
b. Real-time capture of transactions to multiple storage devices
c. The electronic forwarding of transactions to an off-site facility
d. Send hourly tapes containing transactions off-site.
16. Most computer attacks result in violation of which of the following security properties?
a. Availability
b. All of the choices
c. Integrity and control
d. Confidentiality
17. Data checks and validity checks are examples of what type of application controls?
a. Preventive
b. Constructive
c. Detective
d. Corrective
18. Which of the following describes elements that create reliability and stability in networks and systems, and assures that connectivity is accessible when needed?
a. Integrity
b. Availability
c. Confidentiality
d. Auditability
19. Which security concept does the Biba model address?
a. Authenticity
b. Availability
c. Integrity
d. Confidentiality
20. Which of the following security models focuses on mitigating the threat to confidentiality?
a. Clark-Wilson model
b. Chinese Wall model
c. Biba
d. Bell-LaPadula
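Added example for questions 19 and 20 (my illustration, not code from the quiz or its source): a toy reference monitor that encodes the Bell-LaPadula mandatory rules (no read up, no write down) beside the Biba rules (no read down, no write up). Seeing both decision functions side by side makes the point of the two questions concrete: Biba is the exact dual of Bell-LaPadula, protecting integrity where Bell-LaPadula protects confidentiality. The level lattice, the subject and object labels and the scenario in the `__main__` block are constructed for illustration; a real system would carry separate clearance and integrity labels rather than reusing one lattice.

```python
"""Bell-LaPadula (confidentiality) vs Biba (integrity) access decisions.

Added example, not part of the original quiz. The Level lattice and all
subject/object labels below are constructed for illustration only.
"""

from enum import IntEnum


class Level(IntEnum):
    """A single ordered lattice, reused for both models for brevity.
    (Real systems keep clearance labels and integrity labels separate.)"""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def blp_allows(subject: Level, obj: Level, op: str) -> bool:
    """Bell-LaPadula mandatory rules for confidentiality.

    simple security property ("no read up"):  read  only if subject >= object
    *-property            ("no write down"): write only if subject <= object
    """
    if op == "read":
        return subject >= obj
    if op == "write":
        return subject <= obj
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: Level, obj: Level, op: str) -> bool:
    """Biba mandatory rules for integrity, the dual of Bell-LaPadula.

    simple integrity property ("no read down"): read  only if subject <= object
    *-integrity property      ("no write up"):  write only if subject >= object
    """
    if op == "read":
        return subject <= obj
    if op == "write":
        return subject >= obj
    raise ValueError(f"unknown operation {op!r}")


def compare(subject: Level, obj: Level) -> dict:
    """Decision table for one subject/object pair under both models."""
    return {
        "blp_read": blp_allows(subject, obj, "read"),
        "blp_write": blp_allows(subject, obj, "write"),
        "biba_read": biba_allows(subject, obj, "read"),
        "biba_write": biba_allows(subject, obj, "write"),
    }


if __name__ == "__main__":
    # Constructed scenario: a SECRET-level process touching a CONFIDENTIAL object.
    # BLP lets it read (no leak) but not write (would push secrets down).
    # Biba refuses the read (low-integrity input) but allows the write.
    for rule, allowed in compare(Level.SECRET, Level.CONFIDENTIAL).items():
        print(f"{rule:10s} {'allow' if allowed else 'deny'}")
```

The point to take from the output is the mirror image: every case Bell-LaPadula allows for the higher-level subject, Biba denies, and vice versa. Neither model says anything about authenticity or availability, which is why those options are distractors in both questions.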
21. Which of the following is the best way to ensure that the company's backup tapes can be restored
and used at a warm site?
a. Retrieve the tapes from the offsite facility, and verify that the equipment at the original site
can read them.
b. Ask the offsite vendor to test them, and label the ones that were properly read.
c. Test them on the vendor's machine, which won't be used during an emergency.
d. Inventory each tape kept at the vendor's site twice a month.
22. In security terminology, which factor of e-business ensures that all data and electronic transactions are authentic and trustworthy?
a. Availability
b. Integrity
c. Authenticity
d. Confidentiality
23. Which of the following is most likely to detect DoS attacks?
a. Host-based IDS
b. Network-based IDS
c. Vulnerability scanner
d. Penetration testing
24. At what height and form will a fence deter determined intruders?
a. 3- to 4-foot-high chain link
b. 6- to 7-foot-high wood
c. 8 feet high with three strands of barbed wire
d. 4- to 5-foot-high concrete
25. A VPN can be established over which of the following?
a. Wireless LAN connection
b. Remote access dial-up connection
c. WAN link
d. All of the above
26. Which of the following is considered a denial of service attack?
a. Pretending to be a technical manager over the phone and asking a receptionist to change their
password
b. While surfing the Web, sending to a web server a malformed URL that causes the system to use
100 percent of the CPU to process an endless loop
c. Intercepting network traffic by copying the packets as they pass through a specific subnet
d. Sending message packets to a recipient who did not request them simply to be annoying
27. E-mail is the most common delivery vehicle for which of the following?
a. Viruses
b. Worms
c. Malicious code
d. All of the above
28. During which stage of the software development life cycle should security be implemented?
a. Development
b. Project initiation
c. Deployment
d. Installation
29. George receives an email that did not come from the individual listed in the email. What is the process of changing email message names to look as though they came from someone else?
a. Spoofing
b. Masquerading
c. Relaying
d. Redirecting
30. Cyclic redundancy checks, structured walk-throughs, and hash totals are examples of what type of application controls?
a. Detective
b. Preventive
c. Error checking
d. Parity
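Added example for question 30 (my illustration, not code from the quiz or its source): a sender builds a batch trailer carrying a hash total, a control total and a CRC-32, and the receiver recomputes all three and reports which ones disagree. This is what makes these checks detective rather than preventive controls: nothing stops a bad record from being submitted, the discrepancy is surfaced after the data arrives. The batch records, the trailer layout and the field separators are constructed for illustration.

```python
"""Hash totals, control totals and CRC-32 as detective application controls.

Added example, not part of the original quiz. BATCH and the trailer format
are constructed for illustration only.
"""

import zlib

# Constructed sample batch: (record_id, account, amount_in_cents)
BATCH = [
    (1001, "ACC-17", 12500),
    (1002, "ACC-42", 98000),
    (1003, "ACC-17", 3400),
]


def hash_total(records) -> int:
    """Hash total: the sum of a field with no business meaning (record ids).
    The number itself is useless, but it changes if a record is dropped,
    duplicated or has its id altered."""
    return sum(rid for rid, _, _ in records)


def control_total(records) -> int:
    """Control total: the sum of a meaningful field (amounts), recomputed by
    the receiver and compared with the sender's figure."""
    return sum(amount for _, _, amount in records)


def batch_crc(records) -> int:
    """CRC-32 over a canonical serialization of the whole batch. Catches any
    bit change or reordering in transit. It is an error-detection code, not a
    MAC: an attacker who can rewrite the trailer can simply recompute it."""
    payload = "\n".join(f"{rid}|{acct}|{amount}" for rid, acct, amount in records)
    return zlib.crc32(payload.encode("utf-8"))


def make_trailer(records) -> dict:
    """Sender side: the batch trailer that travels with the records."""
    return {
        "count": len(records),
        "hash_total": hash_total(records),
        "control_total": control_total(records),
        "crc32": batch_crc(records),
    }


def verify_batch(records, trailer) -> list:
    """Receiver side: recompute every check and return the names of those that
    failed. Detective control: it reports a discrepancy after the fact rather
    than preventing the bad input from arriving."""
    recomputed = make_trailer(records)
    return [name for name in ("count", "hash_total", "control_total", "crc32")
            if recomputed[name] != trailer[name]]


if __name__ == "__main__":
    trailer = make_trailer(BATCH)
    print("clean batch       ->", verify_batch(BATCH, trailer))
    # Constructed tampering: one amount changed; count and hash total still match.
    tampered = [BATCH[0], (1002, "ACC-42", 99000), BATCH[2]]
    print("amount changed    ->", verify_batch(tampered, trailer))
    # Constructed reordering: every total still matches; only the CRC notices.
    reordered = [BATCH[1], BATCH[0], BATCH[2]]
    print("records reordered ->", verify_batch(reordered, trailer))
```

Two things worth noticing when running it: the totals are blind to reordering and to compensating changes (an amount raised on one record and lowered on another by the same sum), while the CRC catches both; and none of the three resists a deliberate attacker who controls the trailer, which is why integrity against tampering needs a keyed MAC or signature rather than a CRC.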
31. What is Contingency Planning (CP)?
a. Planning for expected events.
b. Planning for future events.
c. Planning for unexpected events.
d. Planning for the enterprise.
32. Integrity is protection of data from all of the following EXCEPT:
a. Unauthorized changes
b. Accidental changes
c. Data analysis
d. Intentional manipulation
33. What are the three dimensions of the McCumber Cube?
a. Desired goals, information states and security measures
b. Storage, transmission and processing
c. Confidentiality, integrity and availability
d. Technology, policies, people
34. What should management consider the most when classifying data?
a. The type of employees, contractors, and customers who will be accessing the data
b. Assessing the risk level and disabling countermeasures
c. Availability, integrity, and confidentiality
d. The access controls that will be protecting the data
35. Which factor is the most important item when it comes to ensuring security is successful in an
organization?
a. Effective controls and implementation methods
b. Senior management support
c. Security awareness by all employees
d. Updated and relevant security policies and procedures
36. Sam needs to get senior management to assign the responsibility of protecting specific data sets to
the individual business unit managers, thus making them data owners. Which of the following
would be the most important in the criteria the managers would follow in the process of actually
classifying data once this responsibility has been assigned to them?
a. Value of the data
b. Compliance requirements of the data
c. Usefulness of the data
d. Age of the data
37. Who has the primary responsibility of determining the classification level for information?
a. Senior management
b. The owner
c. The user
d. The functional manager
38. It is MOST important that the INFOSEC architecture be aligned with which of the following?
a. INFOSEC best practices
b. Business objectives and goals
c. IT plans
d. Industrial best practices
39. Scams and phishing are common methods of credential theft that attackers use to gain access to your personal or corporate identity. What is the best method an organisation can use to counter these attacks?
a. Firing employees who have been compromised
b. Conducting an impact analysis
c. Employee education
d. Installing a firewall and antivirus to prevent threats
40. Spoofing is primarily used to perform what activity?
a. Send large amounts of data to a victim.
b. Cause a buffer overflow.
c. Hide the identity of an attacker through misdirection.
d. Steal user accounts and passwords.
41. Which of the following is not a valid measure to take to improve protection against brute force and
dictionary attacks?
a. Enforce strong passwords through a security policy.
b. Maintain strict control over physical access.
c. Require all users to log in remotely.
d. Use two-factor authentication.
42. Which of the following is true for a host-based IDS?
a. It monitors an entire network.
b. It monitors a single system.
c. It’s invisible to attackers and authorized users.
d. It’s ineffective on switched networks.
43. In the corporate structure of an organisation, who is held accountable for information security planning?
a. CEO (Chief Executive Officer)
b. CISO (Chief Information Security Officer)
c. CTO (Chief Technology Officer)
d. CIO (Chief Information Officer)
44. In the feasibility analysis phase, which of the following plays the most important part in decision making from a senior management point of view?
a. Practical feasibility
b. Manpower feasibility
c. Technology feasibility
d. Economic feasibility
45. In the absence of the CISO or CEO, who has decision-making authority for corporate security policies?
a. Vendors
b. Human Resource Director
c. Department Managers
d. Senior Finance Officers
46. Who authorises the Information Security Governance initiative program in a corporate organisation?
a. CIO - Chief Information Officer
b. CEO - Chief Executive Officer
c. CISO - Chief Information Security Officer
d. CTO - Chief Technology Officer
47. To what time-frame do strategic plans relate?
a. Long-term
b. Medium-term
c. Short-term
d. Unspecified time it takes to achieve an aim
