TUESDAY: 6 December 2022. Afternoon Paper. Time Allowed: 2 hours.
Answer ALL questions by indicating the letter (A, B, C or D) that represents the correct answer. The paper is made up of fifty (50) multiple choice questions. Each question is allocated two (2) marks.
1. The type of approach based information technology audit where the auditor is provided with detailed information regarding the organisation that is to be audited is referred to as?
A. Black box audit
B. White box audit
C. Grey box audit
D. Blue box audit
2. IT security audit is important for the following reasons EXCEPT?
A. To keep the organisation updated with security measures
B. To identify physical security vulnerabilities.
C. To identify security opportunities before the hackers
D. To help in formulating new security policies for the organisation
3. Which of the following is the second phase in the penetration testing process of the Information System audit?
A. Gaining system access
B. Scanning
C. Planning and Reconnaissance
D. Persistent Access
4. The type of auditing technique where the auditor verifies accounting transactions with documentary evidence is referred to as?
A. Vouching
B. Confirmation
C. Reconciliation
D. Testing
5. The motivation of internal threat that involves stealing information for another organisation is referred to as?
A. Fraud
B. Sabotage
C. Espionage
D. Revenge
6. The physical control that requires employees to tap their ID pass on a reader that will unlock the gate and allow them to pass through is referred to as?
A. Turnstiles
B. Electronic Doors
C. Mantraps
D. Security Guards
7. Which of the following is NOT a penetration testing method?
A. External testing
B. Triple blind testing
C. Internal testing
D. Blind testing
8. A cyber security attack that involves the creation of a false stream or modification of the data stream is referred to as?
A. Active attack
B. Passive attack
C. Cryptographic attack
D. Encryption
9. A cyber security methodology that combines best practices and technology to prevent the exposure of sensitive information outside of an organisation is referred to as?
A. Email security
B. Sandboxing
C. Intrusion prevention system
D. Data loss prevention
10. Robust network security will protect against all of the following EXCEPT?
A. Worms
B. Viruses
C. Intrusion
D. Spyware
11. A social engineering attack technique where the attacker uses a false promise to lure users into a trap that steals their personal information is referred to as?
A. Baiting
B. Scareware
C. Pretexting
D. Phishing
12. During network security penetration testing, the results of the penetration test are compiled into a report detailing all of the following EXCEPT?
A. Non-sensitive data that was accessed
B. Specific vulnerabilities that were exploited
C. Sensitive data that was accessed
D. The amount of time the pen tester was able to remain in the system undetected
13. The type of audit report which shows that the company is not compliant with any of the GAAP’s guidelines for financial reporting and thus portrays gross misstatements on their assets and liabilities is referred to as?
A. Disclaimer report
B. Adverse audit report
C. Qualified report
D. Clean report
14. In the structure of the auditor’s report, the auditor’s opinion section will include the following details EXCEPT?
A. Auditing timespan
B. Financial records
C. A statement on the company’s compliance with GAAP guidelines
D. Auditing cost
15. Which of the following is the step that involves prioritizing the incident and providing initial support to incident management?
A. Incident detection
B. Incident starter
C. Prioritisation and support
D. Investigation and diagnosis
16. The area of IT service management where the IT team returns a service to normalcy after disruption as fast as possible is referred to as?
A. IT incident plan
B. IT incident management
C. IT incident control
D. IT incident monitor
17. The information systems security goal which ensures the accuracy and reliability of the information stored on the computer systems is referred to as?
A. Integrity
B. Confidentiality
C. Availability
D. Conformity
18. With reference to the organizational information assets and classification, when the loss of confidentiality, integrity or availability is expected to have a limited adverse effect on organizational operations, the impact is considered to be?
A. Low
B. Moderate
C. High
D. Average
19. The process of organising data into categories that ensure easy retrieval, sorting and storage of data is referred to as?
A. Data cleansing
B. Data classification
C. Data modification
D. Data preprocessing
20. In order to keep customer dissatisfaction at bay and reduce recovery timescales, every business needs to incorporate the following EXCEPT?
A. Plan an effective response
B. Ensure effective communication
C. Identify potential risks and vulnerabilities
D. Build a data processing structure
21. Which of the following is NOT one of the four P’s of business continuity planning?
A. Providers
B. Plans
C. People
D. Premises
22. Which of the following is the second step in the development of an effective business continuity plan?
A. Identification of threats
B. Adoption of controls for prevention and mitigation
C. Conducting a business impact analysis
D. Identification of risks
23. Which type of backup subscription service will allow a business to recover quickest?
A. A cold site
B. A warm site
C. A hot site
D. A mobile or rolling backup service
24. An activity that can help to examine the impact of different disasters on an organisation’s safety, finances, marketing, business reputation, legal compliance and quality assurance is referred to as?
A. Business impact analysis
B. Risk analysis
C. Business process
D. Disaster recovery
25. Which of the following CANNOT be classified as a component of disaster recovery plan?
A. Policy statement
B. Key personnel and disaster recovery team
C. Directions on how to reach the recovery site
D. A list of hardware and systems that staff will use in the recovery
26. A location that can be used by an organisation to recover and restore its data, technology infrastructure and operations when the primary data centre is unavailable is referred to as?
A. Disaster recovery point
B. Disaster recovery home
C. Disaster recovery site
D. Disaster recovery lab
27. Which of the following is NOT a reason why an organisation should implement a security policy?
A. To set clear expectations
B. To guide in the implementation of user controls
C. To help in meeting the regulatory requirements
D. To improve organisational efficiency and help in meeting business objectives
28. Which of the following can be classified as an issue specific security policy?
A. Bring-your-own-device (BYOD) policy
B. Multimedia policy
C. Software policy
D. Technical policy
29. Which of the following can be classified as controls that include software or hardware mechanisms to protect data?
A. Administrative controls
B. Logical controls
C. Physical controls
D. Environmental controls
30. Which of the following CANNOT be classified as a control function?
A. Detective controls
B. Preventive controls
C. Corrective controls
D. Administrative controls
31. A security function that involves the application of a method of measurement to one or more entities of a system which incorporates an assessable security property to obtain a measured value is referred to as?
A. Security measure
B. Security metric
C. Security value
D. Security plan
32. Which of the following describes an intentional and malicious effort by an individual to breach the systems of another individual or organisation over the internet?
A. Cyberattack
B. Cybersecurity
C. Cyber vulnerability
D. Cyberwarfare
33. Which of the following is a type of cybercrime attack initiated by cybercriminals to masquerade as a senior player at an organisation and directly target senior or other important individuals of a given organisation?
A. Whaling
B. Smishing
C. Spear phishing
D. Vishing
34. Which one of the following access controls entails users assigning access rights based on rules the users specify?
A. Mandatory access control (MAC)
B. Attribute Based Access Control (ABAC)
C. Role based Access Control (RBAC)
D. Discretionary access control (DAC)
35. Which one of the following does not fall in the category of digital crime?
A. Fraud and identity theft
B. Information warfare
C. Phishing scams
D. Cyber reconnaissance
36. What is the term that relates to a weakness exhibited in a system or a network?
A. Threat
B. Attack
C. Vulnerability
D. Exploit
37. What is the name of a hacking approach used by Cybercriminals to design fake websites purposely meant to manipulate traffic?
A. Pharming
B. Spamming
C. Clone phishing
D. Cross site scripting
38. What is the mechanism of transforming messages to make them secure and immune to attacks?
A. Steganography
B. Obfuscation
C. Cryptography
D. Cryptanalysis
39. Which of the following tricks a web user into clicking on something different from what the user perceives they are clicking on?
A. Likejacking
B. Clickjacking
C. Cursorjacking
D. Filejacking
40. Which of the following is NOT a type of intrusion detection system?
A. Network intrusion detection system
B. DM-based intrusion detection system
C. Host-based intrusion detection system
D. Perimeter intrusion detection system
41. Which of the following is NOT a detection method of intrusion prevention systems?
A. Signature-based
B. Statistical anomaly-based
C. Stateful protocol analysis
D. Stateless protocol analysis
42. Information systems security laws and regulations will govern the following EXCEPT?
A. Acquisition of information
B. Transmission of information
C. Conversion of information
D. Storage of information
43. Which of the following is NOT a guideline for data confidentiality?
A. Encrypt sensitive files
B. Manage data access
C. Logically secure devices and paper documents
D. Securely dispose of data, devices, and paper records
44. The following are key parts of security governance EXCEPT?
A. Organisational structure
B. Organisational culture
C. Roles and responsibilities
D. Strategic planning
45. An information security governance framework helps in the preparation for risks or events before they occur by forcing users to continually reevaluate critical IT and business functions through all of the following EXCEPT?
A. Threat and vulnerability analysis
B. Data governance and threat protection
C. Aligning corporate strategy and IT strategy
D. Integrated risk management functions
46. Which of the following BEST defines the controls over the information technology (IT) environment, computer operations, program development and program changes?
A. IT general controls
B. IT application controls
C. IT environmental controls
D. IT input controls
47. With reference to information system security, which of the following best describes the consequences that a business will face if there is a successful attack?
A. Mitigation
B. Impact
C. Vulnerability
D. Risk
48. Which of the following is the fourth stage of the security risk assessment methodology?
A. Application characterisation
B. Threat analysis
C. Risk likelihood determination
D. Architectural vulnerability assessment
49. Which of the following is NOT a management control?
A. Cybernetic controls
B. Stochastic controls
C. Reward and compensation controls
D. Planning controls
50. Which of the following is NOT a type of Secure Sockets Layer (SSL) certificate?
A. Single domain
B. Wildcard
C. Multi-domain
D. Domain validation