New Year Special 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: save70

Free and Premium BCS CISMP-V9 Dumps Questions Answers

Page: 1 / 8
Total 100 questions

BCS Foundation Certificate in Information Security Management Principles V9.0 Questions and Answers

Question 1

What type of diagram used in application threat modeling includes malicious users as well as descriptions like mitigates and threatens?

Options:

A.

Threat trees.

B.

STRIDE charts.

C.

Misuse case diagrams.

D.

DREAD diagrams.

Buy Now
Question 2

Why might the reporting of security incidents that involve personal data differ from other types of security incident?

Options:

A.

Personal data is not highly transient so its 1 investigation rarely involves the preservation of volatile memory and full forensic digital investigation.

B.

Personal data is normally handled on both IT and non-IT systems so such incidents need to be managed in two streams.

C.

Data Protection legislation normally requires the reporting of incidents involving personal data to a Supervisory Authority.

D.

Data Protection legislation is process-oriented and focuses on quality assurance of procedures and governance rather than data-focused event investigation

Question 3

Which of the following uses are NOT usual ways that attackers have of leveraging botnets?

Options:

A.

Generating and distributing spam messages.

B.

Conducting DDOS attacks.

C.

Scanning for system & application vulnerabilities.

D.

Undertaking vishing attacks

Question 4

What term refers to the shared set of values within an organisation that determine how people are expected to behave in regard to information security?

Options:

A.

Code of Ethics.

B.

Security Culture.

C.

System Operating Procedures.

D.

Security Policy Framework.

Question 5

One traditional use of a SIEM appliance is to monitor for exceptions received via syslog.

What system from the following does NOT natively support syslog events?

Options:

A.

Enterprise Wireless Access Point.

B.

Windows Desktop Systems.

C.

Linux Web Server Appliances.

D.

Enterprise Stateful Firewall.

Question 6

James is working with a software programme that completely obfuscates the entire source code, often in the form of a binary executable making it difficult to inspect, manipulate or reverse engineer the original source code.

What type of software programme is this?

Options:

A.

Free Source.

B.

Proprietary Source.

C.

Interpreted Source.

D.

Open Source.

Question 7

How might the effectiveness of a security awareness program be effectively measured?

1) Employees are required to take an online multiple choice exam on security principles.

2) Employees are tested with social engineering techniques by an approved penetration tester.

3) Employees practice ethical hacking techniques on organisation systems.

4) No security vulnerabilities are reported during an audit.

5) Open source intelligence gathering is undertaken on staff social media profiles.

Options:

A.

3, 4 and 5.

B.

2, 4 and 5.

C.

1, 2 and 3.

D.

1, 2 and 5.

Question 8

Which of the following compliance legal requirements are covered by the ISO/IEC 27000 series?

1. Intellectual Property Rights.

2. Protection of Organisational Records

3. Forensic recovery of data.

4. Data Deduplication.

5. Data Protection & Privacy.

Options:

A.

1, 2 and 3

B.

3, 4 and 5

C.

2, 3 and 4

D.

1, 2 and 5

Question 9

What type of attack attempts to exploit the trust relationship between a user client based browser and server based websites forcing the submission of an authenticated request to a third party site?

Options:

A.

XSS.

B.

Parameter Tampering

C.

SQL Injection.

D.

CSRF.

Question 10

What type of attack could directly affect the confidentiality of an unencrypted VoIP network?

Options:

A.

Packet Sniffing.

B.

Brute Force Attack.

C.

Ransomware.

D.

Vishing Attack

Question 11

When considering outsourcing the processing of data, which two legal "duty of care" considerations SHOULD the original data owner make?

1 Third party is competent to process the data securely.

2. Observes the same high standards as data owner.

3. Processes the data wherever the data can be transferred.

4. Archive the data for long term third party's own usage.

Options:

A.

2 and 3.

B.

3 and 4.

C.

1 and 4.

D.

1 and 2.

Question 12

In a virtualised cloud environment, what component is responsible for the secure separation between guest machines?

Options:

A.

Guest Manager

B.

Hypervisor.

C.

Security Engine.

D.

OS Kernal

Question 13

When an organisation decides to operate on the public cloud, what does it lose?

Options:

A.

The right to audit and monitor access to its information.

B.

Control over Intellectual Property Rights relating to its applications.

C.

Physical access to the servers hosting its information.

D.

The ability to determine in which geographies the information is stored.

Question 14

For which security-related reason SHOULD staff monitoring critical CCTV systems be rotated regularly during each work session?

Options:

A.

To reduce the chance of collusion between security staff and those being monitored.

B.

To give experience to monitoring staff across a range of activities for training purposes.

C.

Health and Safety regulations demand that staff are rotated to prevent posture and vision related harm.

D.

The human attention span during intense monitoring sessions is about 20 minutes.

Question 15

When undertaking disaster recovery planning, which of the following would NEVER be considered a "natural" disaster?

Options:

A.

Arson.

B.

Electromagnetic pulse

C.

Tsunami.

D.

Lightning Strike

Question 16

When calculating the risk associated with a vulnerability being exploited, how is this risk calculated?

Options:

A.

Risk = Likelihood * Impact.

B.

Risk = Likelihood / Impact.

C.

Risk = Vulnerability / Threat.

D.

Risk = Threat * Likelihood.

Question 17

What is the name of the method used to illicitly target a senior person in an organisation so as to try to coerce them Into taking an unwanted action such as a misdirected high-value payment?

Options:

A.

Whaling.

B.

Spear-phishing.

C.

C-suite spamming.

D.

Trawling.

Question 18

When seeking third party digital forensics services, what two attributes should one seek when making a choice of service provider?

Options:

A.

Appropriate company accreditation and staff certification.

B.

Formal certification to ISO/IEC 27001 and alignment with ISO 17025.

C.

Affiliation with local law enforcement bodies and local government regulations.

D.

Clean credit references as well as international experience.

Question 19

Which three of the following characteristics form the AAA Triad in Information Security?

1. Authentication

2. Availability

3. Accounting

4. Asymmetry

5. Authorisation

Options:

A.

1, 2 and 3.

B.

2, 4, and 5.

C.

1, 3 and 4.

D.

1, 3 and 5.

Question 20

Which term describes a vulnerability that is unknown and therefore has no mitigating control which is immediately and generally available?

Options:

A.

Advanced Persistent Threat.

B.

Trojan.

C.

Stealthware.

D.

Zero-day.

Question 21

Geoff wants to ensure the application of consistent security settings to devices used throughout his organisation whether as part of a mobile computing or a BYOD approach.

What technology would be MOST beneficial to his organisation?

Options:

A.

VPN.

B.

IDS.

C.

MDM.

D.

SIEM.

Question 22

Which type of facility is enabled by a contract with an alternative data processing facility which will provide HVAC, power and communications infrastructure as well computing hardware and a duplication of organisations existing "live" data?

Options:

A.

Cold site.

B.

Warm site.

C.

Hot site.

D.

Spare site

Question 23

Which of the following statements relating to digital signatures is TRUE?

Options:

A.

Digital signatures are rarely legally enforceable even if the signers know they are signing a legal document.

B.

Digital signatures are valid and enforceable in law in most countries in the world.

C.

Digital signatures are legal unless there is a statutory requirement that predates the digital age.

D.

A digital signature that uses a signer’s private key is illegal.

Question 24

Why have MOST European countries developed specific legislation that permits police and security services to monitor communications traffic for specific purposes, such as the detection of crime?

Options:

A.

Under the European Convention of Human Rights, the interception of telecommunications represents an interference with the right to privacy.

B.

GDPR overrides all previous legislation on information handling, so new laws were needed to ensure authorities did not inadvertently break the law.

C.

Police could previously intercept without lawful authority any communications in the course of transmission through a public post or telecoms system.

D.

Surveillance of a conversation or an online message by law enforcement agents was previously illegal due to the 1950 version of the Human Rights Convention.

Question 25

What form of risk assessment is MOST LIKELY to provide objective support for a security Return on Investment case?

Options:

A.

ISO/IEC 27001.

B.

Qualitative.

C.

CPNI.

D.

Quantitative

Question 26

Which of the following is NOT an information security specific vulnerability?

Options:

A.

Use of HTTP based Apache web server.

B.

Unpatched Windows operating system.

C.

Confidential data stored in a fire safe.

D.

Use of an unlocked filing cabinet.

Question 27

Which of the following international standards deals with the retention of records?

Options:

A.

PCI DSS.

B.

RFC1918.

C.

IS015489.

D.

ISO/IEC 27002.

Question 28

In business continuity (BC) terms, what is the name of the individual responsible for recording all pertinent information associated with a BC exercise or real plan invocation?

Options:

A.

Recorder.

B.

Desk secretary.

C.

Scribe.

D.

Scrum Master.

Question 29

What Is the PRIMARY reason for organisations obtaining outsourced managed security services?

Options:

A.

Managed security services permit organisations to absolve themselves of responsibility for security.

B.

Managed security services are a de facto requirement for certification to core security standards such as ISG/IEC 27001

C.

Managed security services provide access to specialist security tools and expertise on a shared, cost-effective basis.

D.

Managed security services are a powerful defence against litigation in the event of a security breach or incident

Question 30

Which types of organisations are likely to be the target of DDoS attacks?

Options:

A.

Cloud service providers.

B.

Any financial sector organisations.

C.

Online retail based organisations.

D.

Any organisation with an online presence.

Page: 1 / 8
Total 100 questions