
1. Primary role of the Information Security Manager in the process of Information Classification
denotes which of the following?
a. Deciding the classification levels applied to the organization's information assets
b. Checking if Information Assets have been classified properly
c. Defining and ratifying the classification structure of information assets
d. Securing Information assets in accordance with their classification


2. Security of an automated information system is most effective and economical if the system is...
a. Optimized prior to addition of security.
b. Designed originally to meet the information protection needs.
c. Subjected to intense security testing.
d. Customized to meet the specific security threat.


3. In the security terminology, which factor of ebusiness ensures all data and electronic are focused
on authenticity and trustworthiness?
a. Availability
b. Integrity
c. Authenticity
d. Confidentiality
4. What is the definition of a pre-engaged service for possible operational risk?
a. Operational Agreement
b. Reciprocal Agreement
c. Security Agreement
d. Service Level Management


5. In the corporate structure of organisations, who is held accountable for General Security Planning?
a. CEO Chief Executive Officer
b. CTO Chief Technology Officer
c. CISO Chief Information Security Officer
d. CIO Chief Information Officer

Page 1 of 11
FCNS FORESEC For Review

6. What are the objectives of emergency actions taken at the beginning stage of a disaster?
Specifically Preventing injuries and loss of life.
a. relocating operations
b. protecting evidence
c. mitigating damage
d. determining damage
7. Which of the following is the least important information to record when logging a security
violation?
a. Types of Violation
b. User Name
c. User Id
d. Date and time of Violation


8. Corporate Security Laws are generally described as a company law and wouldn't be applicable to
the country law. What is the legal ground that would allow an officer of the law to eavesdrop on
company phone calls without violating the Privacy Act?
a. Patriot Act
b. GLBA Gramm-Leach-Bliley Act
c. Eavesdropping Act
d. GAK Government Access to Keys


9. Which of the policies below are directed for a dedicated "Unix Host Security" on ACL security
issue?
a. HSSP Host Specific Policies
b. ESP Enterprise Security Policies
c. SSSP System Specific Policies
d. ISSP Issue Specific Policies

10. Which of the following is a policy that would force all users to organize their areas as well as help
reducing the risk of possible data theft?
a. Password Behaviours
b. Data Disposal
c. Data Handling
d. Clean Desk Policy


11. The deliberate planting of apparent flaws in a system for the purpose of detecting attempted
penetrations or confusing an intruder about which flaws to exploit is called?
a. Redirection.
b. Cracking.
c. Enticement.
d. Alteration.
12. When disposing magnetic storage media, all of the following methods ensure that data is
unreadable, EXCEPT:
a. removing the volume header information
b. degaussing the disk or tape
c. writing random data over the old file
d. physical alteration of media


13. Risk "ALE" Annual Loss Expectancy is best represented in which of the following below?
a. Gross loss expectancy x loss frequency
b. Single loss expectancy x annualized rate of occurrence x Gross loss expectancy
c. Single loss expectancy x annualized rate of occurrence
d. Asset value x loss expectancy


14. In the absence of CISO or CEO, who has the authority of decision making for corporate security
policies?
a. Vendors
b. Department Managers
c. Human Resource Director
d. Senior Finance Officers


15. Security controls that refer to agency facilities (e.g., physical access controls such as locks and
guards, environmental controls for temperature, humidity, lighting, fire, and power) will be
applicable only to those sections of the facilities that directly provide protection to, support for, or
are related to the information system (including its information technology assets such as
electronic mail or web servers, server farms, data centers, networking nodes, controlled interface
equipment, and communications equipment). What are the key consideration factors that best
describe this?
a. Technology Related Consideration
b. Common Security Control Consideration


c. Infrastructure Related Concerns
d. Public Access Related Information Systems Related Consideration


16. In the Feasibility Analysis Phase, which of the following plays the most important part of decision
making from a senior management point of view?
a. Economic Feasibility
b. Practical Feasibility
c. Technology Feasibility
d. Manpower Feasibility
17. In the corporate structure of organisations, who is held accountable for Information Security
Planning?
a. CEO Chief Executive Officer
b. CISO Chief Information Security Officer
c. CTO Chief Technology Officer
d. CIO Chief Information Officer


18. From the context of Cyber Security Cost, which among the below are best suited as "Spill Over
Effect"?
a. Capital Investment
b. Hidden Cost
c. Additional Cost
d. Cost Benefit
19. What type of access control is one where the security clearance of a subject must match the security
classification of an object?
a. Relational
b. Mandatory
c. Administrative
d. Discretionary
20. As a part of Security Compliance, companies are advised to conduct Security Risk Assessment
and Review on a regular basis. Which of the following is the MAIN reason for performing Risk
Assessment on a continuous basis?
a. Management needs to be continually informed about the emerging risk
b. The risk environment is constantly changing


c. New Vulnerabilities are discovered every day
d. Justification of the security budget must be continually made aware to Board of investments
21. Who is ultimately responsible for ensuring that information is categorized and that specific
protective measures are taken?
a. Data Manager
b. Data Owner
c. Data Custodian
d. Data Administrator
22. It is MOST important that INFOSEC architecture be aligned with which of the following?
a. Industrial Best Practices
b. IT Plans
c. INFOSEC Best Practices
d. Business Objectives and Goals

23. Cisco's lawsuit against Huawei has been a common talk among IT companies. Which of the
following is Cisco's lawsuit primarily filed against?
a. Intellectual Property
b. Copyright Issue
c. Trademark Issue
d. Patent
24. Which of the following attacks manifests as an embedded HTML image object or Javascript
TAG in an email?
a. Cross Site Scripting
b. Adware
c. Exceptional Handling
d. Cross Site Request Forgery


25. Alan has been deployed to conduct a Risk Assessment of the Department of Defence VPN
networks. While doing so Alan discovered a severe Risk Area in the IT Processing which the
management has no knowledge about. Which of the following should an Information Security
Manager use to BEST convey a sense of urgency to the management?
a. Business Impact Analysis
b. Risk Assessment Report


c. ROSI Return of Security Investment Report
d. Security Metrics Report


26. It has been discovered that a former member of the IT department who switched to the
development team still has administrative access to many major network infrastructure devices
and servers. Which of the following mitigation techniques should be implemented to help reduce
the risk of this event recurring?
a. Incident management and response policy
b. Change management notifications
c. Regular user permission and rights reviews
d. DLP
27. The answers below depict the mitigation strategies of RISK. Which of the answers BEST
suits the RISK TRANSFER category?
a. DRP Disaster Recovery Plan
b. Total Avoidance
c. Insurance Purchase
d. Outsourcing
28. It is important that information about an ongoing computer crime investigation be: (Select the
appropriate answer)
a. Destroyed as soon after trial as possible.
b. Replicated to a backup system to ensure availability.
c. Reviewed by upper management before being released.
d. Limited to as few people as possible.

29. Downloading pirated Blu-ray movies from torrent sites is a direct violation of which legal
clause?
a. FBI Copyright ACT Disclaimer
b. DMCA Digital Millennium Copyright Act
c. USC 1030 Computer Crimes Act
d. USC 1029 Fraud Related


30. Scamming and phishing are common methods of credential theft which attackers could use to
gain access to your personal or corporate identity. What would be the best method which
organisations could utilise to circumvent these attacks?
a. Installing Firewall & Antivirus could prevent threats


b. Conducting Impact Analysis
c. Firing Employees who have been compromised
d. Employee Education

31. The chart below explains the common reasons of Data Loss Risk. From your understanding, what
are the major agents threatening the Hardware Malfunction risk area?
Image 1
a. Non Compliance
b. Lack of Failover
c. Poor Maintenance Practice
d. Poorly Trained Vendor


32. Match the appropriate B1, B2, B3 and B4 in the context of the Business Resumption Process.
Image 1
a. B1 Business Continuity B2 Disaster Recovery B3 Incident Response B4 Contingency Planning
b. B1 Incident Response B2 Contingency Planning B3 Business Continuity B4 Disaster Recovery
c. B1 Contingency Planning B2 Incident Response B3 Disaster Recovery B4 Business Continuity
d. B1 Disaster Recovery B2 Business Continuity B3 Incident Response B4 Contingency Planning
33. What is the most effective method of identifying new vendor vulnerabilities?
a. Intrusion Prevention Software
b. Periodic Assessment conducted by consultants
c. HoneyPots located at DMZ
d. External Vulnerability Reporting Sources

34. Cloud Computing describes which of the Business Resumption Strategies?
Image 1
a. Warm Site
b. Hot Site
c. Hybrid DRP


d. Cold Site
35. Risk Identification is a vital step towards the Risk Assessment and Treatment plan. Which of the
activities below could help an IT organization to detect potential risk before its escalation to
exposure? (Select the BEST answer that applies)
a. Gap Analysis
b. Impact Analysis
c. Forensic Investigation
d. Penetration Testing

36. Which of the following Security models focuses on mitigation of the threat to the
"Confidentiality" risk?
a. CLARK WILSON MODEL
b. BIBA
c. BELL LA PADULA
d. CHINESE FIREWALL MODEL


37. Risk Assessment should be carried out in?
a. Some workplaces
b. Only high risk workplaces
c. Only large workplaces
d. All workplaces

38. BMG has a distinctive and advanced Disaster Recovery Solution for its Business. What would be
the primary concern of BMG prior to the design of the Disaster Recovery Site?
Image 1
a. Virtualization Technology
b. Cryptographic Mechanism
c. Load Balancing
d. Physical Location

39. Making sure that the data is accessible when and where it is needed is which of the following?
a. Confidentiality
b. Integrity
c. Accountability


d. Availability

40. Centrally authenticating multiple systems and applications against a federated user database is
an example of?
a. Smart Card
b. Access Control List
c. Common Access Card
d. Single Sign On

41. The typical POSDC planning phase focuses on the 3 important phases of planning. Select the best
suited answer based on the actual POSDC order?
a. Organizing > Leading > Controlling > Planning
b. Planning > Organizing > Leading > Controlling
c. Do > Check > Plan > Act
d. Plan > Do > Check > Act


42. A timely review of system access records would be an example of what type of basic security
function?
a. System
b. Mandatory
c. Supplemental
d. Discretionary

43. Protecting customers' credit card details and other personal information in a public portal is
crucial to the major services provided online. Which of the following would be the best compliance
regulation that discusses this factor?
a. PCIDSS
b. TIA942
c. ISO 9001
d. ISO 27001
44. Which choice below most accurately describes a business continuity?
a. A program that implements the mission, vision, and strategic goals of the organization
b. A standard that allows for rapid recovery during system interruption and data loss
c. Ongoing process to ensure that the necessary steps are taken to identify the impact of
potential losses and maintain viable recovery


d. A determination of the effects of a disaster on human, physical, economic, and natural
resources
45. You have implemented a backup plan for your critical file servers, including proper media rotation,
backup frequency, and offsite storage. Which of the following must be performed on a regular
basis to ensure the validity and integrity of your backup system?
a. Multiple monthly backup media
b. Updating the backup application software
c. Periodic testing of restores
d. Purchasing of new media


46. What is the common Risk Management Framework used by typical IT organisations to mitigate
the risk?
a. Cobit 5
b. Sarbanes Oxley
c. Gramm-Leach-Bliley Act
d. Val IT

47. Who authorises the Information Security Governance initiative program in a corporate
organisation?
a. CEO Chief Executive Officer
b. CTO Chief Technology Officer
c. CIO Chief Information Officer
d. CISO Chief Information Security Officer


48. Choose the appropriate answers for A1, A2 and A3 based on the SDLC lifecycle.
Image 1
a. A1 Planning A2 Verification A3 Audit
b. A1 Technology Feasibility A2 Capacity Planning A3 Service Level Agreement
c. A1 Scoping A2 Feasibility Analysis A3 Support
d. A1 Design A2 Implementation A3 Maintenance

49. What are the greater threats to Internal Security of an Organisation?
a. USB Flash Disk
b. File Sharing


c. Mobile Phone
d. Email
50. Which of the security concepts does BIBA complement?
a. Availability
b. Authenticity
c. Integrity
d. Confidentiality
