BCS CISMP-V9 Exam Practice Test Instant Access

Question 1

According to ISO/IEC 27000, which of the following is the definition of a vulnerability?

AA weakness of an asset or group of assets that can be exploited by one or more threats.

BThe impact of a cyber attack on an asset or group of assets.

CThe threat that an asset or group of assets may be damaged by an exploit.

DThe damage that has been caused by a weakness iin a system.

Answer : A

The term 'vulnerability' within the context of ISO/IEC 27000 refers to any weakness present in an asset or group of assets that could potentially be exploited by one or more threats. This definition aligns with the concept of vulnerability as a gap in protection efforts that, if not addressed, could allow a threat to compromise the confidentiality, integrity, or availability of an asset. It is important to note that vulnerabilities can be identified in various components of an organization's infrastructure, including hardware, software, processes, and even personnel. Effective information security management involves identifying these vulnerabilities through risk assessments and implementing appropriate controls to mitigate the risk of exploitation.

Question 2

What type of attack attempts to exploit the trust relationship between a user client based browser and server based websites forcing the submission of an authenticated request to a third party site?

AXSS.

BParameter Tampering

CSQL Injection.

DCSRF.

Answer : D

Cross-Site Request Forgery (CSRF) is an attack that exploits the trust relationship between a user's browser and a server-based website. In a CSRF attack, the attacker tricks the authenticated user's browser into sending a request to a third-party site, which the browser is already authenticated with, without the user's knowledge or consent. This can lead to unauthorized actions being performed on the user's behalf, such as changing user settings, posting content, or even initiating financial transactions.The attack leverages the fact that the browser automatically includes credentials like cookies, session tokens, or other authentication information with each request to a site123.

Reflectoring's 'Complete Guide to CSRF/XSRF (Cross-Site Request Forgery)'1.

OWASP Foundation's ''Anti CSRF Tokens ASP.NET'' article2.

Threat Intelligence's blog on 'Cross-Site Request Forgery (CSRF) - What Is It, How to Prevent It'3.

Question 3

Which of the following statements relating to digital signatures is TRUE?

ADigital signatures are rarely legally enforceable even if the signers know they are signing a legal document.

BDigital signatures are valid and enforceable in law in most countries in the world.

CDigital signatures are legal unless there is a statutory requirement that predates the digital age.

DA digital signature that uses a signer's private key is illegal.

Answer : B

Digital signatures are a form of electronic signature that uses cryptographic techniques to provide secure and verifiable means of signing electronic documents. They are widely recognized and accepted as legally binding in many jurisdictions around the world. The enforceability of digital signatures is backed by various laws and regulations that recognize electronic signatures as equivalent to handwritten signatures, provided they meet certain criteria for authenticity and integrity.For instance, in the United States, the ESIGN Act establishes the legal validity of electronic signatures, including digital signatures1.Similarly, the eIDAS regulation in the European Union provides a legal framework for electronic signatures and trust services, including digital signatures2.

Question 4

What aspect of an employee's contract of employment Is designed to prevent the unauthorised release of confidential data to third parties even after an employee has left their employment?

ASegregation of Duties.

BNon-disclosure.

CAcceptable use policy.

DSecurity clearance.

Answer : B

Non-disclosure agreements (NDAs) are legal contracts that are designed to protect sensitive information. They are a critical part of an employee's contract of employment to ensure that confidential data is not released to unauthorized third parties. NDAs are specifically intended to prevent the disclosure of confidential information both during the period of employment and after the employee has left the organization. This is essential for maintaining the integrity and confidentiality of proprietary information which could include trade secrets, client data, and other types of sensitive information.

Question 5

What does a penetration test do that a Vulnerability Scan does NOT?

AA penetration test seeks to actively exploit any known or discovered vulnerabilities.

BA penetration test looks for known vulnerabilities and reports them without further action.

CA penetration test is always an automated process - a vulnerability scan never is.

DA penetration test never uses common tools such as Nrnap, Nessus and Metasploit.

Answer : A

A penetration test, unlike a vulnerability scan, is an in-depth process where security professionals actively attempt to exploit vulnerabilities in a system. The goal is to simulate a real-world attack to understand how an attacker could exploit vulnerabilities and to determine the potential impact. This involves not just identifying vulnerabilities, as a scan does, but also attempting to exploit them to understand the full extent of the risk. Penetration tests are typically manual or semi-automated and involve a variety of tools and techniques to uncover and exploit security weaknesses, which can include common tools like Nmap, Nessus, and Metasploit.

Question 6

What Is the KEY purpose of appending security classification labels to information?

ATo provide guidance and instruction on implementing appropriate security controls to protect the information.

BTo comply with whatever mandatory security policy framework is in place within the geographical location in question.

CTo ensure that should the information be lost in transit, it can be returned to the originator using the correct protocols.

DTo make sure the correct colour-coding system is used when the information is ready for archive.

Answer : A

The primary purpose of appending security classification labels to information is to guide the implementation of appropriate security controls. These labels indicate the level of sensitivity of the information and determine the extent and nature of the controls that need to be applied to protect it. For example, information classified as 'Confidential' will require stricter access controls compared to information classified as 'Public'. The classification labels help in ensuring that information is handled and protected in accordance with its importance to the organization, and in compliance with relevant legal and regulatory requirements.

Question 7

Which term describes the acknowledgement and acceptance of ownership of actions, decisions, policies and deliverables?

AAccountability.

BResponsibility.

CCredibility.

DConfidentiality.

Answer : A

Accountability is the term that describes the acknowledgement and acceptance of ownership of actions, decisions, policies, and deliverables. It implies that an individual or organization is willing to take responsibility for their actions and the outcomes of those actions, and is answerable to the relevant stakeholders. This concept is fundamental in information security management, as it ensures that individuals and teams are aware of their roles and the expectations placed upon them, particularly in relation to the protection of information assets. Accountability cannot be delegated; while tasks can be assigned to others, the ultimate ownership and obligation to report and justify the outcomes remain with the accountable party.

BCS Foundation Certificate in Information Security Management Principles V9.0 CISMP-V9 Exam Practice Test