INFORMATION SYSTEMS SECURITY DECEMBER 2022 PAST PAPER

TUESDAY: 6 December 2022. Afternoon Paper. Time Allowed: 2 hours.

Answer ALL questions by indicating the letter (A, B, C or D) that represents the correct answer. The paper is made up of fifty (50) multiple choice questions. Each question is allocated two (2) marks.

1. The type of approach based information technology audit where the auditor is provided with detailed information regarding the organisation that is to be audited is referred to as?

A. Black box audit
B. White box audit
C. Grey box audit
D. Blue box audit

2. IT security audit is important for the following reasons EXCEPT?

A. To keep the organisation updated with security measures
B. To identify physical security vulnerabilities.
C. To identify security opportunities before the hackers
D. To help in formulating new security policies for the organisation

3. Which of the following is the second phase in the penetration testing process of the Information System audit?

A. Gaining system access
B. Scanning
C. Planning and Reconnaissance
D. Persistent Access

4. The type of auditing technique where the auditor verifies accounting transactions with documentary evidence is referred to as?

A. Vouching
B. Confirmation
C. Reconciliation
D. Testing

5. The motivation of internal threat that involves stealing information for another organisation is referred to as?

A. Fraud
B. Sabotage
C. Espionage
D. Revenge

6. The physical control that requires employees to tap their ID pass on a reader that will unlock the gate and allow them to pass through is referred to as?

A. Turnstiles
B. Electronic Doors
C. Mantraps
D. Security Guards

7. Which of the following is NOT a penetration testing method?

A. External testing
B. Triple blind testing
C. Internal testing
D. Blind testing

8. A cyber security attack that involves the creation of a false stream or modification of the data stream is referred to as?

A. Active attack
B. Passive attack
C. Cryptographic attack
D. Encryption

9. A cyber security methodology that combines best practices and technology to prevent the exposure of sensitive information outside of an organisation is referred to as?

A. Email security
B. Sandboxing
C. Intrusion prevention system
D. Data loss prevention

10. Robust network security will protect against all of the following EXCEPT?

A. Worms
B. Viruses
C. Intrusion
D. Spyware

11. A social engineering attack technique where the attacker uses a false promise to lure users into a trap that steals their personal information is referred to as?

A. Baiting
B. Scareware
C. Pretexting
D. Phishing

12. During network security penetration testing, the results of the penetration test are compiled into a report detailing all of the following EXCEPT?

A. None sensitive data that was accessed
B. Specific vulnerabilities that were exploited
C. Sensitive data that was accessed
D. The amount of time the pen tester was able to remain in the system undetected

13. The type of audit report which shows that the company is not compliant with any of the GAAP’s guidelines for financial reporting and thus portrays gross misstatements on their assets and liabilities is referred to as?

A. Disclaimer report
B. Adverse audit report
C. Qualified report
D. Clean report

14. In the structure of the auditor’s report, the auditor’s opinion section will include the following details EXCEPT?

A. Auditing timespan
B. Financial records
C. A statement on the company’s compliance with GAAP guidelines
D. Auditing cost

15. Which of the following is the step that involves prioritizing the incident and providing initial support to incident management?

A. Incident detection
B. Incident starter
C. Prioritisation and support
D. Investigation and diagnosis

16. The area of IT service management where the IT team returns a service to normalcy after disruption as fast as possible is referred to as?

A. IT incident plan
B. IT incident management
C. IT incident control
D. IT incident monitor

17. The information systems security goal which ensures the accuracy and reliability of the information stored on the computer systems is referred to as?

A. Integrity
B. Confidentiality
C. Availability
D. Conformity

18. With reference to the organizational information assets and classification, when the loss of confidentiality, integrity or availability is be expected to have a limited adverse effect on organizational operations, the impact is considered to be?

A. Low
B. Moderate
C. High
D. Average

19. The process of organising data into categories that ensure easy retrieval, sorting and storage of data is referred to as?

A. Data cleansing
B. Data classification
C. Data modification
D. Data preprocessing

20. In order to keep customer dissatisfaction at bay and reduce recovery timescales, every business needs to incorporate the following EXCEPT?

A. Plan an effective response
B. Ensure effective communication
C. Identify potential risks and vulnerabilities
D. Build a data processing structure

21. Which of the following is NOT one of the four P’s of business continuity planning?

A. Providers
B. Plans
C. People
D. Premises

22. Which of the following is the second step in the development of an effective business continuity plan?

A. Identification of threats
B. Adoption of controls for prevention and mitigation
C. Conducting a business impact analysis
D. Identification of risks

23. Which type of backup subscription service will allow a business to recover quickest?

A. A cold site
B. A warm site
C. A hot site
D. A mobile or rolling backup service

24. An activity that can help to examine the impact of different disasters on an organisation’s safety, finances, marketing, business reputation, legal compliance and quality assurance is referred to as?

A. Business impact analysis
B. Risk analysis
C. Business process
D. Disaster recovery

25. Which of the following CANNOT be classified as a component of disaster recovery plan?

A. Policy statement
B. Key personnel and disaster recovery team
C. Directions on how to reach the recovery site
D. A list of hardware and systems that staff will use in the recovery

26. A location that can be used by an organisation to recover and restore its data, technology infrastructure and operations when the primary data centre is unavailable is referred to as?

A. Disaster recovery point
B. Disaster recovery home
C. Disaster recovery site
D. Disaster recovery lab

27. Which of the following is NOT a reason why an organisation should implement a security policy?

A. To set clear expectations
B. To guide in the implementation of user controls
C. To help in meeting the regulatory requirements
D. To improve organisational efficiency and help in meeting business objectives

28. Which of the following can be classified as an issue specific security policy?

A. Bring-your-own-device (BYOD) policy
B. Multimedia policy
C. Software policy
D. Technical policy

29. Which of the following can be classified as controls that include software or hardware mechanisms to protect data?

A. Administrative controls
B. Logical controls
C. Physical controls
D. Environmental controls

30. Which of the following CANNOT be classified as a control function?

A. Detective controls
B. Preventive controls
C. Corrective controls
D. Administrative controls

31. A security function that involves the application of a method of measurement to one or more entities of a system which incorporates an assessable security property to obtain a measured value is referred to as

A. Security measure
B. Security metric
C. Security value
D. Security plan

32. Which of the following describes an intentional and malicious effort by an individual to breach the systems of another individual or organisation over the internet?

A. Cyberattack
B. Cybersecurity
C. Cyber vulnerability
D. Cyberwarfare

33. Which of the following is a type of cybercrime attack initiated by cybercriminals to masquerade as a senior player at an organisation and directly target senior or other important individuals of a given organisation?

A. Whaling
B. Smishing
C. Spear phishing
D. Vishing

34. Which one of the following access controls entails users assigning access rights based on rules user specify?

A. Mandatory access control (MAC)
B. Attribute Based Access Control (ABAC)
C. Role based Access Control (RBAC)
D. Discretionary access control (DAC)

35. Which one of the following does not fall in the category of digital crime?

A. Fraud and identity theft
B. Information warfare
C. Phishing scams
D. Cyber reconnaissance

36. What is the term that relates to a weakness exhibited in a system or a network?

A. Threat
B. Attack
C. Vulnerability
D. Exploit

37. What is the name of a hacking approach used by Cybercriminals to design fake websites purposely meant to manipulate traffic?

A. Pharming
B. Spamming
C. Clone phishing
D. Cross site scripting

38. What is the mechanism of transforming messages to make them secure and immune to attacks?

A. Stenography
B. Obfuscation
C. Cryptography
D. Cryptonalysis

39. Which of the following tricks a web user into clicking on something different from what the user perceives they are clicking on.

A. Likejacking
B. Clickjacking
C. Cursorjacking
D. Filejacking

40. Which of the following is NOT a type of intrusion detection system?

A. Network intrusion detection system
B. DM-based intrusion detection system
C. Host-based intrusion detection system
D. Perimeter intrusion detection system

41. Which of the following is NOT a detection method of intrusion prevention systems?

A. Signature-based
B. Statistical anomaly-based
C. Stateful protocol analysis
D. Stateless protocol analysis

42. Information systems security laws and regulations will govern the following EXCEPT?

A. Acquisition of information
B. Transmission of information
C. Conversion of information
D. Storage of information

43. Which of the following is NOT a guideline for data confidentiality?

A. Encrypt sensitive files
B. Manage data access
C. Logically secure devices and paper documents
D. Securely dispose of data, devices, and paper records

44. The following are key parts of security governance EXCEPT?

A. Organisational structure
B. Organisational culture
C. Roles and responsibilities
D. Strategic planning

45. An information security governance framework helps in the preparation for risks or events before they occur by forcing users to continually reevaluate critical IT and business functions through all of the following EXCEPT?

A. Threat and vulnerability analysis
B. Data governance and threat protection
C. Aligning corporate strategy and IT strategy
D. Integrated risk management functions

46. Which of the following BEST defines the controls over the information technology (IT) environment, computer operations, program development and program changes.

A. IT general controls
B. IT application controls
C. IT environmental controls
D. IT input controls

47. With reference to information system security, which of the following best describes the consequences that a business will face if there is a successful attack?

A. Mitigation
B. Impact
C. Vulnerability
D. Risk

48. Which of the following is the fourth stage of the security risk assessment methodology?

A. Application characterisation
B. Threat analysis
C. Risk likelihood determination
D. Architectural vulnerability assessment

49. Which of the following is NOT a management control?

A. Cybernetic controls
B. Stochastic controls
C. Reward and compensation controls
D. Planning controls

50. Which of the following is NOT a type of Secure Sockets Layer (SSL) certificate?

A. Single domain
B. Wildcard
C. Multi-domain
D. Domain validation

(Visited 76 times, 1 visits today)
Share this:

Written by