CPIT (InfoSec) Sample Questions 1. When there is a breach of ...

CPIT (InfoSec) Sample Questions
1. When there is a breach of privacy it is necessary to inform the affected parties.
Which of the following methods is not the best choice to use:
A. Written notice
B. Telephone notice
C. Email notice
D. Posting in your web site
Answer: (C)
2. For most IDEAL situation, the Information Security Organisation should report
directly to:
A. CEO (Chief Executive Officer)
B. CIO (Chief Information Officer)
C. CFO (Chief Financial Officer)
D. Department head
Answer: (A)
3. The followings are mandatory elements in a Corporate Information Security
Policy except:
A. Define information as an asset of the business unit
B. Declare who are the owners of information
C. Establish Information Systems as the custodian of corporate information
D. Training requirements for new data owners
Answer: (D)
4. Which of the following issues is NOT a usual Information Classification Criteria?
A. Internal Use Only
B. External Use Only
C. Public
D. Company Confidential
Answer: (B)
5. The ISO standard titled Information technology - Security techniques - Code of
practice for information security management is:
A. ISO/IEC 27000
B. ISO/IEC 27001
C. ISO/IEC 27002
D. ISO/IEC 27003
Answer: (C)

6. Which of the following core principles of information security pertains to the
request that Data cannot be modified without proper authorization?
A. Integrity
B. Confidentiality
C. Non-repudiation
D. Data Protection
Answer: (A)
7. To perform a successful information system security audit, the following areas of
computer activity should be monitored on a regular basis except:
A. Virus Scanning
B. User Access Control
C. System Activities
D. Audit Trail
Answer: (A)
8. Which of the following steps is usually mandatory in the information system
security audit process?
A. Provide a system performance report
B. Provide an audit report
C. Provide a ROI (Return on Investment) report
D. Provide a security report
Answer: (B)
9. Computer "security" is a conceptual idea attained by the use of three processes,
but not including which of the followings?
A. Prevention
B. Dectection
C. Backup
D. Response
Answer: (C)
10. In the case of computer security audit on network vulnerabilities, the followings
are the three main areas of control except:
A. Interception Controls
B. Availability Controls
C. Access / entry point Controls
D. Encryption Controls
Answer: (D)

11. During the BCP process, which of the following parties is responsible for granting
final approval and providing ongoing support?
A. Functional Business Units
B. BCP Committee
C. Chief Information Officer
D. Executive Management
Answer: (D)
12. Which of the following is the top priority of disaster response?
A. Ensuring all personnel safety
B. Protecting all data
C. Resuming all business functions
D. Protecting all networking equipment
Answer: (A)
13. Which of the following areas of enterprise requires business continuity plan?
A. Marketing area of the enterprise.
B. Operating area of the enterprise
C. Financial area of the enterprise
D. All area of the enterprise
Answer: (D)
14. Which of the following is NOT identified by a Business Impact Analysis?
A. The name of individuals to be contacted during a disasters
B. Areas that would suffer the greatest financial or operational loss in
disasters
C. The outage time that can be tolerated as a result of disasters
D. Systems critical to the survival of the enterprise
Answer: (C)
15. Which of the following is a hot-site facility?
A. A site with pre-installed computers, raised floor, air conditioning,
telecommunications and networking equipment, and UPS
B. A site with ready made work space with telecommunication equipment,
LANs, PCs, and terminals for work groups.
C. A site in which space is reserved with pre-installed wiring and raised
floors
D. A site with raised floors, air conditioning, telecommunications and
networking equipment and UPS
Answer: (A)

16. Which one of the following represents transference of risk?
A. Reduce the probability of a risk occurring
B. Lower the impact of a risk if materialized
C. Purchase insurance coverage for the risk
D. Eliminate the threat completely
Answer: (C)
17. The annualized rate of occurrence (ARO) is a value that represents:
A. The estimated frequency of a specific threat taking place within a one-year
time frame
B. The estimated loss in dollar amount resulting from a specific threat within
a one-year time frame
C. The estimated costs in dollar amount incurred in protection from a specific
threat within a one-year time frame
D. The estimated probability of a specific threat taking place within a oneyear
time frame
Answer: (A)
18. An action to determine the sequence of events is known as:
A. Sequential Analysis
B. Timeline Analysis
C. Event Analysis
D. Priority Analysis
Answer: (B)
19. All of the followings are layers described in TCP/IP model except:
A. Application Layer
B. Internet Layer
C. Link Layer
D. Physical Layer
Answer: (D)
20. All of the following are valid form of announcement used in the computer
security incident response management except:
A. Testimony
B. Advisory
C. Alert
D. Heads-up Note
Answer: (A)