
Sample Exam

Information Security Foundation Sample Exam


SECO-Institute issues the official Information Security courseware to accredited training centres where
students are trained by accredited instructors. Students can take their exams at an accredited exam
centre or directly at the SECO-Institute. Attending an official certification course is not a prerequisite
for taking an exam. Upon successful completion of a foundation exam (with a passing score of 60%),
students can claim their digital badge at the SECO-Institute.

This document provides a sample exam for you to familiarise yourself with the structure and topic
areas of the current Data Protection Foundation examination. We strongly recommend that you test
your knowledge before taking the actual assessment. The results of this test do not count towards your
certification assessment.

Examination type

• Computer-based
• 40 multiple-choice questions: 2.5 points per question

Time allotted for examination

• 60 minutes

Examination details

• Pass mark: 60% (out of 100)
• Open book/notes: no
• Electronic equipment permitted: no
• The Rules and Regulations for SECO-Institute examinations apply to this exam


Questions

Question 1

What type of system ensures a coherent Information Security organisation?

A. Federal Information Security Management Act (FISMA)
B. Information Technology Service Management System (ITSM)
C. Information Security Management System (ISMS)

Question 2

Security organisations strive to be compliant with published requirements. For which type of model
can non-compliance lead to legal consequences?

A. Information security standard
B. Information security framework
C. Information security code of conduct

Question 3

In which order is an Information Security Management System set up?

A. Implementation, operation, maintenance, establishment
B. Implementation, operation, improvement, maintenance
C. Establishment, implementation, operation, maintenance
D. Establishment, operation, monitoring, improvement

Question 4

The DIKW model is often used to talk about information management and knowledge management.
During which stage of this model do we ask ourselves 'What'?

A. Data
B. Wisdom
C. Information
D. Knowledge


Question 5

How are data and information related?

A. Data is a collection of structured and unstructured information
B. Information consists of facts and statistics collected together for reference or analysis
C. When meaning and value are assigned to data, it becomes information

Question 6

Which of the following factors does NOT contribute to the value of data for an organisation?

A. The correctness of data
B. The indispensability of data
C. The importance of data for processes
D. The content of data

Question 7

A hacker gains access to a web server and reads the credit card numbers stored on that server.
Which security principle is violated?

A. Availability
B. Confidentiality
C. Integrity
D. Authenticity

Question 8

Often, people do not pick up their prints from a shared printer. How can this affect the
confidentiality of information?

A. Confidentiality cannot be guaranteed
B. Integrity cannot be guaranteed
C. Authenticity cannot be guaranteed
D. Availability cannot be guaranteed

Question 9

Which reliability aspect of information is compromised when a staff member denies having sent a
message?

A. Confidentiality
B. Integrity
C. Availability
D. Correctness


Question 10

Which of the following is a possible event that can have a disruptive effect on the reliability of
information?

A. Threat
B. Risk
C. Vulnerability
D. Dependency

Question 11

What is the purpose of risk management?

A. To outline the threats to which IT resources are exposed
B. To determine the damage caused by possible security incidents
C. To implement measures to reduce risks to an acceptable level
D. To determine the probability that a certain risk will occur

Question 12

What is a correct description of qualitative risk analysis?

A. Use of a set of methods, principles, or rules for assessing risks based on the use of numbers
B. Use of a set of methods, principles, or rules for assessing risk based on categories or levels
C. A risk assessment process, together with a risk model, assessment approach, and analysis
approach

Question 13

Backup media is kept in the same secure area as the servers. What risk may the organisation be
exposed to?

A. Unauthorised persons will have access to both the servers and backups
B. Responsibility for the backups is not defined well
C. After a fire, the information systems cannot be restored
D. After a server crash, it will take extra time to bring it back up again

Question 14

Which of the following is a human threat?

A. Use of a jump-drive causes a virus infection
B. The server room contains too much dust
C. Lightning strikes the data centre
D. New legislation means that from now on personal data is compromised


Question 15

Someone from a large tech company calls you on behalf of your company to check the health of your
PC, and therefore needs your user-id and password. What type of threat is this?

A. Social engineering threat
B. Organisational threat
C. Technical threat
D. Malware threat

Question 16

What type of malware results in a network of contaminated internet-connected devices?

A. Worm
B. Trojan
C. Spyware
D. Botnet

Question 17

Which of the following is an example of indirect damage caused by fire?

A. Damage caused by the sprinkler installation
B. Burnt computer network equipment
C. Melted backup media
D. Damage caused by the heat of the fire

Question 18

After carrying out risk analysis, you now want to determine your risk strategy. You decide to take
measures for the large risks but not for the small risks. What is this risk strategy called?

A. Risk neutral
B. Risk bearing
C. Risk hungry
D. Risk avoiding


Question 19

What is the purpose of an Information Security policy?

A. An information security policy makes the security plan concrete by providing the necessary
details
B. An information security policy provides insight into threats and the possible consequences
C. An information security policy provides direction and support to the management regarding
information security
D. An information security policy documents the analysis of risks and the search for
countermeasures

Question 20

A security officer finds a virus-infected workstation. The infection was caused by a targeted phishing
mail. How can this type of threat best be avoided in the future?

A. By installing MAC-proofing measures on the network
B. By updating the firewall software
C. By introducing a new risk strategy
D. By starting an awareness campaign

Question 21

A manager discovers that staff regularly use the corporate email system to send personal messages.
How can this type of use best be regulated?

A. Implementing a code of practice
B. Implementing privacy regulations
C. Installing a monitoring system
D. Drafting a code of conduct

Question 22

After a devastating office fire, all staff are moved to other branches of the company. At what
moment in the incident management process is this measure effectuated?

A. Between incident and damage
B. Between detection and classification
C. Between recovery and normal operations
D. Between classification and escalation


Question 23

A member of staff discovers that unauthorised changes were made to her work. She calls the
helpdesk, and is asked to provide the following information: date/time, description of the event,
consequences of the event.
What essential piece of information is still missing to help solve the incident?

A. Name and position
B. Name of caller
C. PC identification tag
D. List of informed people

Question 24

What type of measure involves the stopping of possible consequences of security incidents?

A. Corrective
B. Detective
C. Repressive
D. Preventive

Question 25

What is a reason for the classification of information?

A. To provide clear identification tags
B. To structure the information according to its sensitivity
C. Creating a manual describing the BYOD policy

Question 26

Which role is authorised to change the classification of a document?

A. Author
B. Manager
C. Owner
D. Administrator

Question 27

Which of the following is a preventive security measure?

A. Installing logging and monitoring software
B. Shutting down the Internet connection after an attack
C. Storing sensitive information in a data safe


Question 28

After a fire has occurred, what repressive measure can be taken?

A. Extinguishing the fire after the fire alarm sounds
B. Buying in a proper fire insurance policy
C. Repairing all systems after the fire

Question 29

A computer room is protected by a biometric identity system in which only system administrators are
registered. What type of security measure is this?

A. Organisational threat
B. Physical
C. Technical
D. Repressive

Question 30

In physical security, protection rings with dedicated measures (different levels, etc.) can be applied.
Within which ring are the working spaces situated?

A. Internal
B. Public
C. Object
D. Sensitive

Question 31

As a new member of the IT department you have noticed that confidential information has been
leaked several times. This may damage the reputation of the company. You have been asked to
propose an organisational measure to protect laptop computers.
What is the first step in a structured approach to come up with this measure?

A. Appoint security staff
B. Encrypt all sensitive information
C. Formulate a policy
D. Set up an access control procedure

Question 32

Which of the following is a technical security measure?

A. Encryption
B. Security policy
C. Safe storage of backups
D. User role profiles


Question 33

Which threat could occur if no physical measures are taken?

A. Unauthorised persons viewing sensitive files
B. Confidential prints being left on the printer
C. A server shutting down because of overheating
D. Hackers entering the corporate network

Question 34

In what part of the process to grant access to a system does the user present a token?

A. Authorisation
B. Verification
C. Authentication
D. Identification

Question 35

What is the security management term for establishing whether someone's identity is correct?

A. Identification
B. Authentication
C. Authorisation
D. Verification

Question 36

Why do we need to test a disaster recovery plan regularly, and keep it up to date?

A. Otherwise the measures taken and the incident procedures planned may not be adequate
B. Otherwise it is no longer up to date with the registration of daily occurring faults
C. Otherwise remotely stored backups may no longer be available to the security team

Question 37

What type of compliance standard, regulation or legislation provides a code of practice for
information security?

A. ISO/IEC 27002
B. Personal data protection act
C. Computer criminality act
D. IT Service Management


Question 38

On the basis of which type of legislation can someone request to inspect the data that has been
registered about them?

A. Public records act
B. Computer criminality act
C. Personal data protection act
D. Intellectual property act

Question 39

What is a definition of compliance?

A. Laws, considered collectively or the process of making or enacting laws
B. The state or fact of according with or meeting rules or standards
C. An official or authoritative instruction
D. A rule or directive made and maintained by an authority

Question 40

What type of legislation requires a proper controlled purchase process?

A. Personal data protection act
B. Computer criminality act
C. Government information act
D. Intellectual property rights act


Answers

Question  Answer  Explanation
--------  ------  -----------
1         C       The ISMS is described in ISO/IEC 27001. (Chapter 3)
2         A       A standard formulates formal requirements which are sometimes enforced by laws.
3         C       ISMS: establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS within the context of the overall business risks to the organization.
4         C       Information: who, what, when, where.
5         C       Information is data that has a meaning (within a certain context) for its receiver.
6         D       The content of data does not determine its value.
7         B       The hacker was able to read the file (confidentiality).
8         A       The information can be read by non-authorised persons, which means that the confidentiality is compromised.
9         B       Denial of sending a message concerns non-repudiation; this is a threat to integrity.
10        A       A threat is a possible event that can have a disruptive effect on the reliability of information.
11        C       The purpose of risk management is to reduce risks to an acceptable level.
12        B       The qualitative approach is non-numerical.
13        C       The tapes are secure, but can be lost together with the systems, leaving no backup at all.
14        A       Using the jump-drive is a human threat.
15        A
16        D       The devices become net-enabled robots, hence botnet.
17        A       The sprinkler installation going off is a side effect of the fire.
18        B       Certain risks are accepted as a fact of life.
19        C
20        D       This problem needs an organisational measure.
21        D       A code of conduct is how this can be regulated, e.g. permitting use during lunch breaks, or completely banning this type of use.
22        A       This measure, a stand-by arrangement, is taken to mitigate further damage to the organisation. Staff can now continue their work.
23        A       Without logging the caller, no follow-up actions can be taken. The name is connected to other essential information like position, department, authorisations, etc.
24        C       Repressive.
25        B       Classification is used to define different levels within the group.
26        C       Only the owner (asset owner) is allowed to do this.
27        C       The other two are detective and repressive respectively.
28        A       This repressive measure minimizes the damage caused by the fire.
29        B       This is a physical security measure.
30        D       Working spaces are situated within the sensitive ring.
31        C       Formulating a policy on the correct use of company computer assets is the first step.
32        A       Encryption is a technical measure.
33        C       Physical security includes the protection of equipment through climate control.
34        D       Identification is the first step in the process to grant access. In identification, the person or system presents a token, for example a key, username or password.
35        B       Authentication is the process of establishing confidence of authenticity.
36        A       Major disruptions need an up-to-date and proven plan to be effective.
37        A       ISO/IEC 27002; Information technology -- Security techniques -- Code of practice for information security controls.
38        C       Personal data protection act(s).
39        B       See: ISF module 06, Section 'Legislation and Regulations'.
40        D       IPR controls include: policies; a controlled purchase process; creating and maintaining awareness; asset registers which include IPR information; etc.


How to book your exam

All our exams are delivered through an online examination system called ProctorU. To enrol for an
exam, go to: https://www.seco-institute.org/certification-exams/how-to-book-exam/

Make sure you are fully prepared. Use the ProctorU Preparation checklist to assess whether you are
ready to take the exam.

Review the examination rules at
https://www.seco-institute.org/html/filesystem/storeFolder/10/Rules-and-Regulations-for-SECO-Institute-Examinations-2017-11.pdf

Digital badges

SECO-Institute and digital badge provider Acclaim have partnered to provide certification holders
with a digital badge of their SECO-Institute certification. Digital badges can be used in email
signatures as well as on personal websites, social media sites such as LinkedIn and Twitter, and
electronic copies of resumes. Digital badges help certification holders convey to employers, potential
employers and interested parties the skills they have acquired to earn and maintain a specialised
certification.

SECO-Institute doesn't issue certification titles for Foundation courses. However, upon successful
completion of your Foundation exam, you can claim your digital badge free of charge at the
SECO-Institute: https://www.seco-institute.org/claim-your-foundation-badge


ISF-Sample Exam-EN-v1.0
