
FORESEC
FORENSIC AND E-BUSINESS SECURITY
REVIEWER FCNS FOR STMIK ATMA LUHUR
FOR AY 2014-2015

1. Security controls that refer to agency facilities (e.g., physical access controls such as locks and
guards, environmental controls for temperature, humidity, lighting, fire, and power) will be
applicable only to those sections of the facilities that directly provide protection to, support for, or
are related to the information system (including its information technology assets such as electronic
mail or web servers, server farms, data centers, networking nodes, controlled interface equipment,
and communications equipment). Which of the key consideration factors best describes this?
a. Technology Related Consideration
b. Infrastructure Related Concerns
c. Common Security Control Consideration
d. Public Access Related Information Systems Related Consideration

2. In the absence of the CISO or CEO, who has the decision-making authority for corporate security
policies?
a. Human Resource Director
b. Senior Finance Officers
c. Department Managers
d. Vendors

3. What is the most effective method of identifying new vendor vulnerabilities?
a. Honeypots located in the DMZ
b. Intrusion Prevention Software
c. External Vulnerability Reporting Sources
d. Periodic Assessment conducted by consultants

4. Which choice below most accurately describes business continuity?
a. An ongoing process to ensure that the necessary steps are taken to identify the impact of potential losses and maintain viable recovery
b. A determination of the effects of a disaster on human, physical, economic, and natural resources
c. A standard that allows for rapid recovery during system interruption and data loss
d. A program that implements the mission, vision, and strategic goals of the organization
5. In the corporate structure of organisations, who is held accountable for Information Security
Planning?
a. CIO - Chief Information Officer
b. CTO - Chief Technology Officer
c. CISO - Chief Information Security Officer
d. CEO - Chief Executive Officer

6. Match the appropriate B1, B2, B3 and B4 in the context of the Business Resumption Process.
a. B1 - Contingency Planning, B2 - Incident Response, B3 - Disaster Recovery, B4 - Business Continuity
b. B1 - Incident Response, B2 - Contingency Planning, B3 - Business Continuity, B4 - Disaster Recovery
c. B1 - Disaster Recovery, B2 - Business Continuity, B3 - Incident Response, B4 - Contingency Planning
d. B1 - Business Continuity, B2 - Disaster Recovery, B3 - Incident Response, B4 - Contingency Planning
Reviewer FCNS AY 2014 - 2015
7. Alan has been deployed to conduct a Risk Assessment of the Department of Defense VPN networks.
While doing so, Alan discovered a severe risk area in IT processing of which management has
no knowledge. Which of the following should an Information Security manager use to BEST
convey a sense of urgency to management?
a. Business Impact Analysis
b. ROSI - Return on Security Investment Report
c. Risk Assessment Report
d. Security Metrics Report

8. Risk Identification is a vital step towards Risk Assessment and the Treatment Plan. Which of the activities
below could help an IT organization detect a potential risk before it escalates into an exposure? (Select
the BEST answer that applies.)
a. Gap Analysis
b. Forensic Investigation
c. Penetration Testing
d. Impact Analysis

9. BMG has a distinctive and advanced Disaster Recovery Solution for its business. What would be the
primary concern of BMG prior to the design of the Disaster Recovery Site?
a. Virtualization Technology
b. Physical Location
c. Cryptographic Mechanism
d. Load Balancing

10. The primary role of the Information Security Manager in the process of Information Classification is
which of the following?
a. Defining and ratifying the classification structure of information assets
b. Checking whether information assets have been classified properly
c. Securing information assets in accordance with their classification
d. Deciding the classification levels applied to the organization's information assets
11. Protecting customers' credit card details and other personal information in a public portal is crucial
to the major services provided online. Which of the following would be the best compliance regulation
that addresses this factor?
a. PCI-DSS
b. TIA942
c. ISO 9001
d. ISO 27001

12. What is the objective of emergency actions taken at the beginning stage of a disaster, in addition to
preventing injuries and loss of life?
a. mitigating damage
b. relocating operations
c. determining damage
d. protecting evidence
13. In the corporate structure of organisations, who is held accountable for General Security Planning?
a. CIO - Chief Information Officer
b. CISO - Chief Information Security Officer
c. CTO - Chief Technology Officer
d. CEO - Chief Executive Officer

14. Making sure that the data is accessible when and where it is needed is which of the following?
a. Accountability
b. Integrity
c. Confidentiality
d. Availability

15. Who is ultimately responsible for ensuring that information is categorized and that specific
protective measures are taken?
a. Data Custodian
b. Data Owner
c. Data Manager
d. Data Administrator

16. What is the term for a pre-engaged service covering a possible operational risk?
a. Service Level Management
b. Reciprocal Agreement
c. Operational Agreement
d. Security Agreement
17. Risk assessment should be carried out in:
a. some workplaces
b. all workplaces
c. only large workplaces
d. only high-risk workplaces

18. Which of the following is a policy that would force all users to organize their work areas and also help
reduce the risk of possible data theft?
a. Clean Desk Policy
b. Password Behaviors
c. Data Handling
d. Data Disposal
19. Centrally authenticating multiple systems and applications against a federated user database is an
example of?
a. Access Control List
b. Single Sign On
c. Smart Card
d. Common Access Card
20. In the context of cyber security cost, which of the following best describes the "Spillover Effect"?
a. Additional Cost
b. Hidden Cost
c. Capital Investment
d. Cost Benefit
21. The deliberate planting of apparent flaws in a system for the purpose of detecting attempted
penetrations or confusing an intruder about which flaws to exploit is called?
a. enticement
b. cracking
c. alteration
d. re-direction
22. It has been discovered that a former member of the IT department who switched to the
development team still has administrative access to many major network infrastructure devices
and servers. Which of the following mitigation techniques should be implemented to help reduce
the risk of this event recurring?
a. DLP
b. Change management notifications
c. Regular user permission and rights reviews
d. Incident management and response policy

23. Which of the following security models focuses on mitigating the threat to "Confidentiality"?
a. Clark-Wilson Model
b. Chinese Firewall Model
c. Biba
d. Bell-LaPadula
24. Which of the security concepts does Biba complement?
a. Availability
b. Integrity
c. Authenticity
d. Confidentiality
25. When disposing of magnetic storage media, all of the following methods ensure that data is
unreadable, EXCEPT:
a. removing the volume header information
b. writing random data over the old file
c. physical alteration of media
d. degaussing the disk or tape
26. The following answers depict risk mitigation strategies. Which of the answers BEST fits
the RISK TRANSFER category?
a. DRP - Disaster Recovery Plan
b. Total Avoidance
c. Insurance Purchase
d. Outsourcing
27. Who authorises the Information Security Governance initiative program in a corporate
organization?
a. CISO - Chief Information Security Officer
b. CIO - Chief Information Officer
c. CTO - Chief Technology Officer
d. CEO - Chief Executive Officer
28. It is MOST important that the INFOSEC architecture be aligned with which of the following?
a. IT Plans
b. INFOSEC Best Practices
c. Business Objectives and Goals
d. Industrial Best Practices
29. It is important that information about an ongoing computer crime investigation be: (Select the
appropriate answer.)
a. Replicated to a backup system to ensure availability.
b. Limited to as few people as possible.
c. Destroyed as soon after trial as possible.
d. Reviewed by upper management before being released.
30. Risk ALE (Annual Loss Expectancy) is best represented by which of the following?
a. Gross loss expectancy x loss frequency
b. Single loss expectancy x annualized rate of occurrence
c. Asset value x loss expectancy
d. Single loss expectancy x annualized rate of occurrence x gross loss expectancy
