Uploaded by alyazya.m.f

CA

1. "least privilege" means
a. That a user has at least the same privileges as the owner of the information
b. That a user is given full access rights to all information in an organization
c. That a user is given special privilege to view highly confidential information
d. That a user is given the minimum amount of access rights required to do their job
2. The component that must exist in any contingency plan is:
a. Incident response
b. Crisis management
c. Business continuity
d. None of the above
3. To do a business impact analysis (that is focusing on IT systems) one of the major tasks is
a. To work out how to recover from any incident
b. To list all critical systems and interview the stakeholders of those systems
c. To work out an alert roster in case of problems
d. To work out the replacement cost of all systems
4. According to ISO, the ISO 27001 standard should be implemented using a Plan-Do-Check-Act cycle. Act means
a. When an issue is noticed corrective action should be taken
b. That every act involving a breach of security should be recorded.
c. Every person in the organization should be involved in implementing the controls of
ISO27001
d. Every person in an organization should provide input to the managers of information
security on how to best plan for security.
5. The security awareness component of a SETA program is usually delivered by
a. Posters
b. Workshop sessions
c. Background reading
d. Classroom lectures
6. In incident response which of the following is an example of escalation?
a. An incident such as email disruption affects not only users but top management as
well
b. An incident affects not just our organization but our customers as well
c. An incident increases in severity so it is declared a disaster
d. An incident is taking too long to resolve so users complain to their bosses.
7. Access control lists and configuration rules are found in
a. Enterprise policies
b. Technical control policies
c. System specific policies
d. Issue specific policies
8. All of the following are activities performed by the crisis management team, except
a. Contacting the media and authorities
b. Providing support for employee families
c. Keeping the public informed
d. Containment of malware
9. Which of the following is the most effective delivery method for a training session on an
intrusion detection system (IDS)?
a. The trainer, using distance learning, explains the way the IDS works
b. The trainer, in a classroom, focuses on the background knowledge of the IDS
c. The trainer, in a lab equipped with servers running the IDS, guides the audience on
using the IDS
d. The audience, at their own time, runs a hands-on tutorial teaching the IDS
10. Which of the following is a type of information security policy that establishes the
foundation for an organization's overall approach to security…
a. System-specific security policy
b. Company-wide security policy
c. Issue-specific security policy
d. Enterprise information security policy
11. Companies use risk management techniques to differentiate ___ from ____?
a. Costs, benefits
b. Vulnerabilities, threats
c. Vulnerabilities, weaknesses
d. Severe risks, minor risks
12. As an IT security training manager you have been asked by your CIO to give her reasons
why you chose the formal class training method. Choose 2 answers.
a. Interaction with trainer is possible
b. Synchronous communication mode
c. Self-paced learning method (not sure)
d. Can be scheduled to fit the needs of the trainee
13. Internal and external stakeholders of Zayed University, such as students, staff,
management and suppliers, who interact with information in support of their organization's
planning and operation, are known as __________.
a. Data custodians
b. Data generators
c. Data owners
d. Data users
14. Clause A.6.1.2 in ISO 27001 refers to "segregation of duties". This concerns
a. Ensuring that tasks are split by function area. For example, there should not be an
overlap between finance tasks and human resources tasks
b. Ensuring that information security tasks in an organization are done only by IT and IT
security professionals
c. Ensuring that important tasks are split in such a way that more than one person is
responsible for their completion
d. Ensuring that information security duties are segregated from all other duties and
employees doing information security should not do other work
15. ITIL has five books that provide processes and procedures for IT service management. Under
which domain does this activity fall? "The IT service manager decides that every minor IT
issue or complaint must be resolved within 30 minutes"
a. Continual service improvements
b. Service transition
c. Service strategy
d. Service operation
16. While working in the IT department of a medium-sized organization in the UAE, you have
been asked to select the two most cost-effective methods for disseminating security information
and news to employees. Your choice will be… (select two)
a. Employee seminars
b. E-mailed security newsletter
c. Security-themed web site
d. Security poster
17. You have been working in a government organization for the last 3 years as an IT
manager. You currently hold no certifications; noting your skills and competency in
IT security, your manager has asked you to obtain a relevant strategic perspective from an
industry-accepted worldwide professional organization/association. Your two choices
would be….
a. CISSP from (ISC)²
b. CRISC from ISACA
c. CISM from ISACA
d. CEH from EC Council
18. What is necessary for a top-down approach to the implementation of infosec to
succeed? (select the three correct answers)
a. For any top-down approach to succeed, high-level management must buy into the
effort and provide its full support to all.
b. The champion will ensure that the InfoSec project is properly managed, and push for
its acceptance throughout the organization
c. The champion will ensure that all grassroots employees have the final say in the final
decision-making process of the InfoSec project
d. Such an initiative will have a champion who is an executive with sufficient influence
to move the infosec project forward.
19. COBIT has four domains. Please select the correct domain for this activity: "the IT staff
configured the newly installed firewall of the LAN"
a. Acquire and implement
b. Deliver and support
c. Plan and organize
d. Monitor and evaluate
20. Organizations like DEWA, ADDC, Dubai Airports and Abu Dhabi Airports are recommended
to have a _____ site for disaster recovery and business continuity
a. Hot site
b. Cloud storage
c. Warm site
d. Cold site
21. The purpose of SETA is to enhance security in which of the following ways? (select all
three methods)
a. By building in-depth knowledge
b. By improving awareness
c. By developing skills
d. By adding barriers (security in depth)
22. Laws, policies, and their associated penalties only provide deterrence if three conditions
are present. Which are these? (select all three conditions)
a. Fear of the penalty
b. Probability of being apprehended
c. Probability of the penalty being applied
d. Probability of going unnoticed.
23. An organization wants to ensure the backup of data to an off-site facility in close to real
time, based on transactions as they occur. Which backup strategy would you
recommend?
a. Remote journaling
b. Timesharing
c. Database shadowing
d. Electronic vaulting
24. You are the IT consultant for a large private organization. They want to know in which phase
of the development of an infosec policy a plan to distribute it must be developed, AND why
this is important. Select one correct answer.
a. During the analysis phase. Members of the organization must explicitly acknowledge
that they have received and read the policy. Otherwise, an employee … to have
seen a policy, and unless the manager can produce strong evidence to the contrary,
any enforcement action, such as dismissal for inappropriate internet use, can
be overturned
b. During the implementation phase. Members of the organization must explicitly
acknowledge that they have received and read the policy. Otherwise, an employee
… to have seen a policy, and unless the manager can produce strong evidence to the
contrary, any enforcement action, such as dismissal for inappropriate internet use,
can be overturned
c. During the investigation phase. Members of the organization must explicitly
acknowledge that they have received and read the policy. Otherwise, an employee
… to have seen a policy, and unless the manager can produce strong evidence to the
contrary, any enforcement action, such as dismissal for inappropriate internet use,
can be overturned
d. During the implementation phase. Members of the organization must explicitly
acknowledge that they have received and read the policy. Otherwise, an employee
… to have seen a policy, and unless the manager can produce strong evidence to the
contrary, any enforcement action, such as dismissal for inappropriate internet use,
can be overturned
25. During the interview for the job of an IT security training manager at a government
organization you have been asked to state the advantages of a security awareness program to an
organization. Your choices will be… (select three correct answers)
a. Awareness serves to instill a sense of responsibility and purpose in employees who
handle and manage information
b. It helps employees to configure the firewall of the company's server correctly
c. A security awareness program keeps infosec at the forefront of users' minds
on a daily basis.
d. SETA leads employees to care more about their work environment especially when
using company workstations
26. The InfoSec needs of an organization are unique to it according to all of the following
organizational characteristics (select the three correct responses)
a. Market (industry sector)
b. Culture
c. Budget
d. Size
27. The total amount of time the system owner or authorizing official is willing to accept for
a business process outage or disruption, including .. impact considerations, is known as
___________.
a. Recovery point objective (RPO)
b. Maximum tolerable downtime (MTD)
c. Work recovery time (WRT)
d. Recovery time objective (RTO)
28. The basic outcome of infosec governance should include all but which of the following?
a. Value delivery by optimizing infosec investments in support of organizational
objectives
b. Resource management by utilizing information security knowledge and
infrastructure efficiently and effectively
c. Time management by aligning resource with personnel schedules and organizational
objectives
d. Performance measurement by measuring, monitoring, and reporting information
security governance metrics to ensure objectives are achieved.
29. Access controls are built on three key principles. Select all three.
a. The principle by which members of the organization can access the minimum
amount of information for the minimum amount of time necessary to perform their
required duties
b. Limits a user's access to the specific information required to perform the currently
assigned task, and not merely to the category of data required for a general work
function
c. A control requiring that the CIO/IT manager is held accountable for tasks relating to
data breaches in the organization as per the RA…
d. A control requiring that significant tasks be split up in such way that more than one
individual is responsible for their completion
30. Lattice-based access controls use a two-dimensional matrix to assign authorization.
Which of the following statements is correct about lattice-based access controls?
a. Lattice-based access controls specify the level of access each subject has to each
object, if any. With this type of control, the column of attributes associated with a
particular object (such as a printer) is referred to as an access control list (ACL). The row
associated with a particular subject (such as a user) is referred to as a capabilities table.
b. Lattice-based access controls specify the level of access each subject has to each
object, if any. With this type of control, the column of attributes associated with a
particular object (such as a printer) is referred to as a read-write-execute list (rwx). The
row associated with a particular subject (such as a user) is referred to as a capabilities
table.
c. .
d. .
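Questions 29 and 30 describe the access matrix behind lattice-based access control: each column (one object) read off as an ACL, each row (one subject) read off as a capabilities table, and separation of duties enforced as a rule over the matrix. The following is an added example and not material from the question sheet; the subjects, objects and rights are constructed, and the submit/approve pair is an assumed example of conflicting duties.

```python
"""Access matrix with ACL (column) and capability (row) views, plus a
separation-of-duties check. Subjects, objects and rights below are
constructed sample data, not taken from any real system."""

# Rights held per (subject, object). A missing pair means no access at all.
MATRIX = {
    ("alice", "printer"):    {"write"},
    ("alice", "payroll.db"): {"read", "submit"},
    ("bob",   "printer"):    {"write"},
    ("bob",   "payroll.db"): {"read", "approve"},
    ("carol", "payroll.db"): {"read", "submit", "approve"},
}


def acl(obj):
    """Column of the matrix: every subject that holds rights on one object."""
    return {s: set(r) for (s, o), r in MATRIX.items() if o == obj}


def capabilities(subject):
    """Row of the matrix: every object one subject may touch, and how."""
    return {o: set(r) for (s, o), r in MATRIX.items() if s == subject}


def permits(subject, obj, right):
    """Reference-monitor style check; an absent entry is a deny."""
    return right in MATRIX.get((subject, obj), set())


def sod_violations(conflicting=("submit", "approve")):
    """Separation of duties: report subjects holding both conflicting
    rights on the same object (the submit/approve pair is an assumption)."""
    a, b = conflicting
    return sorted((s, o) for (s, o), r in MATRIX.items() if a in r and b in r)


def grant(subject, obj, right, conflicting=("submit", "approve")):
    """Add a right, refusing any grant that would give one subject both
    conflicting rights on the same object. Returns the updated right set."""
    a, b = conflicting
    held = MATRIX.setdefault((subject, obj), set())
    other = b if right == a else a if right == b else None
    if other is not None and other in held:
        raise PermissionError(
            f"{subject} already holds {other!r} on {obj}; "
            f"granting {right!r} would break separation of duties")
    held.add(right)
    return held


if __name__ == "__main__":
    print("ACL for printer:", acl("printer"))
    print("capabilities of bob:", capabilities("bob"))
    print("alice may approve payroll?", permits("alice", "payroll.db", "approve"))
    print("SoD violations:", sod_violations())
```

Reading the same matrix by column gives the ACL a file server or printer queue would store; reading it by row gives the capability list a ticket or token would carry. The separation-of-duties check is what an auditor runs over the whole matrix rather than over any one row or column.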
31. Which type of security policy is intended to provide a common understanding of the
purpose for which an employee can and cannot use a resource?
a. User-specific
b. Issue-specific
c. System-specific
d. Enterprise information
32. You are working as a trainee IT manager and have been asked to create a list of the
major components of an ISSP (select three)
a. Violation policy
b. Limitation of liability
c. Prohibited uses
d. Proprietary uses
33. During your internship at an organization, you have been asked to conduct a customized
SETA training for a group of employees. In the … you need to know the two most
relevant profiles of the target group to prepare your training materials; these are ____
(select two)
a. Employee rank
b. Functional background
c. Employee salary
d. Skill level
34. According to NIST SP 800-34, Rev. 1, which three of the following are the stages of a
business impact analysis?
a. Calculate asset valuation and combine with the likelihood and impact of potential
attacks in a TVA worksheet
b. Determine mission/business processes and recovery criticality
c. Identify resource requirements
d. Identify recovery priorities for system resources.
35. Select the significant guidelines used in the formulation of an effective information security
policy. (select the correct three guidelines)
a. Applied and customized to functional departments
b. Developed using industry-accepted practices
c. Distributed or disseminated using all appropriate methods
d. Reviewed, read, understood and agreed to by all employees.
36. The crisis management team performs three roles. (select all three roles)
a. Keeping the public informed about the event and the actions being taken to ensure
the recovery of personnel and the enterprise.
b. Keeping the data breach secret from the public, but communicating to the public
regarding the actions being taken to ensure the recovery of personnel and the
enterprise
c. Communicating with major customers, suppliers, partners, regulatory agencies,
industry organizations, the media, and other interested parties.
d. Supporting personnel and their loved ones during the crisis.
37. Which one of the following is the most effective delivery method for a security
education session for senior management?
a. One trainer to one senior manager
b. The senior management is given access to an online tutorial
c. A group of senior managers meet with the trainer over a video call
d. A group of senior managers takes a formal class
38. Which of the following tasks must be completed in the policy investigation phase?
a. Utilizing similar policies
b. Ensuring policy readability
c. Receiving support from senior management
d. Reviewing previous lawsuits
39. When dealing with an incident, the last action the IR team takes is to _________.
a. Create the incident damage assessment
b. Conduct an after-action review
c. Restore services and processes in use
d. Restore data from backups
40. To do a business impact analysis (that is focusing on IT systems) one of the major tasks is
a. To work out how to recover from any incident
b. To list all critical systems and interview the stakeholders of those systems
c. To work out an alert roster in case of problems
d. To work out the replacement cost of all systems
41. The business continuity plan of an internet service provider would definitely require:
a. A cool site
b. A hot site
c. A cold site
d. A warm site
42. A policy that contains sections that provide details on the proper use of email, the
proper use of the web and the proper use of company laptops is
a. A company specific security policy
b. An issue specific security policy
c. A system specific security policy
d. An enterprise specific security policy
43. One section of ISO 27001 deals with compliance. This section is concerned with
a. Ensuring that all employees are familiar with the ISO 27001 standard
b. Ensuring that the company complies with other ISO standards such as ISO 9000
c. Ensuring, for example, that all legal requirements for information security are met
d. Ensuring that the company's management is committed to information security
44. "best practices" in SETA means that
a. An organization should conduct a number of practice runs of SETA to determine the
best way of doing it
b. An organization should practice the best way of conducting SETA before
implementing it
c. An organization conducts SETA in accordance with instruction from the management
d. An organization conducts SETA in accordance with what is considered the best way
in their industry
45. The recovery time objective is
a. The point in time, prior to a disruption, to which data must be recovered
b. The maximum length of time to complete a mission-critical task
c. The maximum length of time a resource can remain unavailable before the impact is
unacceptable
d. The time to recover data from backups
46. A measure or metric is
a. A question that we can ask ourselves about the quality of our infosec program
b. Something that we use to measure the amount of work that needs to be done to
comply with ISO 27001
c. Something that can be measured and given a numeric value
d. A best practice that we should strive to follow
47. As a top-level executive at your own company, you are worried that your employees
may steal confidential data too easily by downloading and taking some data away on
thumb drives. What is the best way to prevent this from happening?
a. Instruct higher-level employees to inform employees that the use of thumb drives is a
fireable offence
b. Install a technical control to prevent the use of thumb drives.
c. Hold a seminar that explains to employees why the use of thumb drives in the
workplace is a security hazard.
d. Create and enforce a written company policy against the use of thumb drives,
and install a technical control on the computers that will prevent the use of thumb
drives.
48. Classification of information means that information is divided into categories.
a. According to whether it can be modified or deleted by users
b. According to different departments in an organization
c. According to the type of information, e.g. financial, technical, etc.
d. According to who should have access to it
49. "A company wants to try to indemnify itself against liability for an information security
breach." The words in this sentence mean that
a. The company wants to disclaim all liability by not taking responsibility for
information security breaches
b. The company wants to pass liability to a third party
c. The company wants to implement an information security program
d. The company wants to secure itself against being sued in a legal action
50. A new company starts up but does not have a lot of revenue for the first year. Purchasing
and installing anti-virus software on all the company's computers would be very costly in
the first year of the business. In which domain of a typical IT infrastructure is a
vulnerability created?
a. Workstation domain
b. LAN domain
c. Malware domain
d. WAN domain