Module Data Cyber

The document discusses data governance policies and processes at a bank. It covers topics like data governance council structure, data classification, roles and responsibilities of data management staff, data quality monitoring, and data security. Master data management includes the four basic CRUD operations of create, read, update and delete. Data governance policies apply to all bank employees and third parties with network access.

Uploaded by Vivek Kumar

LESSON 1

Circle Data Governance Council (C-DGC) is headed by


DGM & CFO
GM NETWORK
DGM AND CDO
CIRCLE CGM

Data Governance Policy is applicable to


All employees of the Bank
All employees at Audit departments
All employees at Data Management Office
All employees at Corporate Centre

Master Data Management Process Includes ______


Create
Read
Modify & Delete
All of the Above

Which one of the following does NOT come under the People factor in Data Management practices?
Data Architects
Data Owners
Data Trainers
Data Stewards

Which activities are considered under Data Management?

Handling complete Data of Organisation
Boost up Organisation Performance
Assure Data quality
All of the above

Data Governance Policy is applicable to third parties having access to SBI network and Data.
As per Vendors agreement
FALSE
TRUE
Not declared in policy

Data Protection officer reports to …..


CGM (R&DB Ops)
GM & Chief Data Management Officer
CGM (Compliance)
Chief Vigilance Officer

Which among the following may be held accountable for quality of data?
People
Processes
Practices
Technology

Data Management with lack of easy access to information for important stakeholders may result in just _________
Data Governance Strategy
Big Data Strategy
Narrow Data Strategy
None of the Above

Apex level Data Governance Council (ADGC) is headed by

DMD COO
CHAIRMAN
CDMO
MD (R&DB)

The word “Data” shall collectively refer to the following descriptions:


Data that are stored or held in servers in SBI, Data storage devices and backup media
Data owned by the Bank which are securely stored/ managed by the third party.
Data owned by the Bank which is shared with the third party
All of the above

Inconsistent Data in Annual Income fields vis-à-vis customer profile may primarily result in ________
Incorrect AML/CFT compliance
Inefficient Cross-selling
Improper KYC
None of the Above

____ is DGO of Circle


DGM & CCO
DGM (Vigilance)
DGM & CFO
DGM & CRO

Poor Data Quality may result in ______


Inorganic Growth in Business
Increased Customer stickiness
Incorrect Regulatory Reporting
All of the Above

Capturing of incorrect / incomplete Data adversely affects:


Data Quality
Analytical Models
Both 1 & 2
Neither 1 nor 2

Prime objective of Data governance framework is to ensure-


Compliance with relevant legislation, regulatory requirements, policies, procedures and standards.
To define the roles and responsibilities for Data stakeholders, and to establish clear lines of accountability.
Effective assurance and control of Data management processes.
All of the above

What is the frequency of the meeting for Apex level Data Governance Council (ADGC)?
Monthly
Quarterly
Half yearly
Bi monthly

Data processes must also put in place ______


Analytical Processes
Co-ordination Processes
Monitoring Processes
All of the Above

Data Management Office reports to which of the DMDs?


DMD & Group Compliance Officer
DMD & Chief Information Officer
DMD & Chief Risk Officer
DMD & Chief Operating Officer

Providing training to staff is one of the responsibilities of Data Privacy Officer


FALSE
TRUE

Administrative office Data Governance Council (A-DGC) is headed by

RM
DGM (B&O)
AGM/CM GB
GM NETWORK

Data processes must Include ____________


Definitions of how data will be stored
Definitions of how data will be analysed
Definitions of how data will be interpreted
All of the Above

Where does Data come from?


External Parties
Magically
Logs and devices
People, Process and Technology

Data processes must Include ____________


Definitions of how data will be reported
Definitions of how data will be accessed
Definitions of how data will be interpreted
All of the Above

Data Governance Policy is formulated by which Department:


Data Management Office
Data Protection Office
Information Security Department
Compliance Department

Who would be held responsible for not feeding all the customer details in CBS, given by the customer in the AOF?
BM
1 & 2
Checker
Maker

Which of the below helps in monitoring Data Governance Activities?


Data Process
Data Quality
Note
Dashboard

Data Governance can NOT be achieved by Technology alone.


TRUE
FALSE

What is the frequency of the meeting for Data Governance Council-Business Unit/ Vertical (DGC-BU/V)?
Bi monthly
Quarterly
Half yearly
Monthly

Data Governance process includes activities as:


Establish Data Governance Organisation
Define and Enforce Data Standard and Policies
Audit, Monitor & Control of Data Governance activities
All of the above

LESSON 2

Which of the following is not a type of Data leak


Improper categorization of sensitive Data
Submission of monthly P-report to controller in hard copy
Unauthorized transfer of Data to USB devices
Loss or theft of laptops and mobile devices

Non-sensitive Information includes:


Public Information
Routine Business information
Both 1 & 2
None of the above

Capturing of incorrect interest rate in loan accounts may result in _____________.


Income leakage
Excess Income
Customer Complaints
All of the above

In _______ Processing, a small group of transactions is processed on demand

Virtual Time
System
Batch
Real Time

Which one is NOT an approved way of sharing granular Data/access Data under normal
circumstances:
E-mail
Single Sign On (SSO)
Secured File Transfer Protocol (SFTP)
Active Directory login (ADS)
Project Ganga Dashboard includes divergences related to:
Key Risk Indicators (KRI) Only
Neither DQ nor KRI
Data Quality (DQ) Only
Both DQ & KRI

What are the different categories of Data Classification?

SECRET, CONFIDENTIAL, INTERNAL, GENERAL
SENSITIVE, CONFIDENTIAL, INTERNAL, PUBLIC
SENSITIVE, CONFIDENTIAL, INTERNAL, GENERAL
SENSITIVE, CONFIDENTIAL, INTERNAL, EXTERNAL

Data quality is necessary to fulfil the needs of an organization in terms of


Operations
Planning
Decision-making
All of the above

Scope of Customer Sensitive Granular Data Sharing & Access Framework covers:
All the domestic & foreign offices
All SBI employees
All the third parties having access to SBI network and granular Data
All of the above

Business Leads from Analytics come under Customer Sensitive Granular Data
TRUE
FALSE

Some of the key Data Privacy initiatives include:


Wi-Fi encryption
Secure Cloud Data Storage system
Secured Network Access
All of the above

In an Account Opening Form, if Data has been provided by the customer in a non-mandatory field (like mobile number / email ID), what should be done while inputting it in CBS?
Leave the field in CBS blank since it is non-mandatory in CBS also
Input the Data exactly as given by the customer
Input partial / any similar Data without matching exactly as it is non-mandatory in nature
All of the above

Non-capturing of PAN in CIF, even if furnished in the AOF, may result in ________.
Deduction of Excess TDS
Non-reflection of TDS in Form 26 AS
Both 1 & 2
Neither 1 nor 2

Which portal is to be accessed for Data Loss Prevention (DLP) incidents?

Data Infringement Portal
Project Ganga Dashboard
DQI Dashboard
MIS Online

“Customer PII Data” is classified as ____________ Data
SENSITIVE
INTERNAL
CONFIDENTIAL
PUBLIC

A staff can be held accountable for Data quality errors.


TRUE
FALSE

What does GDPR stand for?

General Data Priority Regulation
Gross Data Protection Regulation
General Data Privacy Regulation
General Data Protection Regulation

Which of the following is true:


Data Governance is about rules how to build the content
Data Privacy is about the rules how to protect and use the contents
Data Loss Prevention (DLP) tool helps in ensuring Data Privacy
All of the above

A customer has submitted a Voter Card as OVD, along with the AOF. During scrutiny, it was found that the age of the customer is less than 18.
OVD has to be accepted, as it is a govt. document
OVD can be accepted
If one can vote, he is not a minor. OVD should be accepted
DOB on OVD and AOF, if same, then only account may be opened

If a car dealer asks us for a list of customers having existing car loans, to market loans for new cars for us, shall we share the list?
May be shared by the Field Officer
May be shared by the Branch Manager
Either 1 or 2
Cannot be shared

Incorrect classification of values like Gender or Customer Type comes under which one of the following Data Quality Dimensions?
Accuracy
Validity
Consistency
Completeness

“Internal audit reports” is classified as ____________ Data


SENSITIVE
PUBLIC
CONFIDENTIAL
INTERNAL

“SBI telephone directory” is classified as ____________ Data


SENSITIVE
INTERNAL
PUBLIC
CONFIDENTIAL

Capturing of incorrect CRA rating / ECR in a loan account may result in ______.
Incorrect Interest Rate
Incorrect Risk weight
Both 1 & 2
Neither 1 nor 2

The best principles for improving Data Quality include(s)


Doing the things right at very first instance
Doing the right things every time
Either 1 or 2
Both 1 & 2 above

What are the impacts of feeding an incorrect date of birth of a customer in CBS?
Incorrect Customer profile
Customer would not be able to reset his INB password
1 & 2
No Impact

Sharing of Data with external agencies is governed by

SOP on Data Loss Prevention
SOP on Data Sharing with External agencies/third parties
SOP on Data Infringement
SOP on Customer Sensitive Granular Data Sharing

What are the two important pillars of the SOP on ‘Customer Sensitive Granular Data Sharing and Access – Within Bank’s Environment’:
Regulated & Limited access
Restricted & Registered access
Free & Uncontrolled access
None of the above

In case of demand for customer Data by a Regulatory Authority, it is to be shared as per DG Policy.
FALSE
TRUE

Salient features of Project Ganga include:


Customer One view
Business Unit wise error classification
Circle-wise error classification
All of the above

LESSON 3

What is a Denial of Service Attack?
A type of attack whereby malicious commands are sent to a system/application through unauthorized channels.
It is a malicious attempt to disrupt the normal traffic of a targeted server, service or network with a flood of Internet traffic from multiple computers at the same time
It is an attack meant to shut down a machine or network, making it inaccessible to its intended users
An attack used to monitor and potentially modify communications between two users.

Which one of the following is a precaution to be taken while operating the ATM?
Taking help from unknown persons if there is a problem with the ATM
Allowing another person to watch while entering the PIN
Handing over the card to another person who offered help to operate the ATM
Check if any extra suspicious device is attached to the ATM machine.

Which of the following is not a stage in SIM swapping?

After customer verification, the mobile operator deactivates the old SIM card in customer possession and issues a new SIM card to the fraudster. With the new SIM, fraudsters can receive authentication codes or OTP for banking transactions.
Fraudsters obtain customer’s personal data through phishing or social engineering.
Under the pretext of having lost the phone, fraudsters contact the Mobile operator and create a fake ID.
All the options above are stages of SIM Swapping

Select the correct statement about the impact of Cyber Risks.


The impact on the services or the potential of the attack infecting our customers’ systems.
Loss of Intellectual Property
financial cost in managing a cyber-attack
All are true

__________ malware is a warning-like popup or reminder in a Laptop/PC/Mobile?


Keylogger
Scareware
Fileless
Spyware

Which of the following principles of the first of the CIA Triad Confidentiality is/are Correct?
a. Confidentiality is the concept of the measures used to ensure the protection of the secrecy of data, objects, or resources.
b. The goal of confidentiality protection is to prevent unauthorized access to the information.
c. Confidentiality focuses security measures on ensuring that none other than the sender of a message is able to read it.
d. Secure encryption of the information ensures Confidentiality.
Only a and b
a, b and c
a, c and d
a, b and d

What is not true about SIM Swapping?


SIM Swapping is a fraud that occurs when the fraudsters manage to get a new SIM card issued for a specific registered mobile number.
Phishing or social engineering techniques are used to obtain personal information of the customers/users.
Fraudsters get access to the root of the mobile phone through SIM Swapping
Option b & c

With the enhanced sharing of information over a global network for almost all life functions, which one of the following has become the latest addition to the essential objectives of Information Security after the CIA Triad?
Authentication
Non-repudiation
Authorization
Non-refutation

What is not true about myths associated with Cyber Risk?
Cyber threat always starts externally
IT team is alone not responsible for Cyber Security
Compliance and security are the same
Cyber security is an issue which is related with technology

How does the use of Virtual keyboard protect the customer?


It is a useless feature
It protects against Keylogger malware
It protects against computer Viruses
It protects against computer Worms.

Which one of the following is the leading illicit dark web marketplace which was taken down by the FBI in what was considered then as a significant action on the Dark web market?
Silk Road 2.0
DisrupTor
Tor
Dark Market

The technique for sending SMS that appears to be initiated from the organization for KYC updation, Account credit, Account suspension, winning lottery, SIM block, eKYC updates etc. is known as ________.
Vishing
Spoofing
Steganography
Identity theft

The technique used to send the emails to all the employees of the Bank is known as ____________.
Smishing
Vishing
Phishing
Spear Phishing

Cyber-attacks that originate through a third-party vendor are also called ________?
Service provider attacks
Supplier attacks
Supply chain attacks
Vendor attacks

What makes SolarWinds attack an unusual hack?


The hackers through one malicious code in the application of SolarWinds vendor’s application gained access to Orion software
The hackers targeted a government agency like the Pentagon
The hackers seriously damaged the energy supply
The hackers through one malicious code in SolarWinds Orion software gained access to thousands of other companies.

Your friend fears that he has shared the user credentials of OnlineSBI with a stranger. It is a Sunday and the Bank is closed. What immediate steps would you NOT advise him?
Change the password
Lock User access using the relevant link
Contact the Branch on Monday to deactivate INB facility
Type an incorrect login password 4 times so that the username gets locked for a day

Even if a user compromises his/her login credentials of OnlineSBI, no one can login using this credential. What is the new security feature in OnlineSBI?
Audio Captcha in the login screen.
Virtual keyboard in the login screen
OTP has been made mandatory at the time of login
Image based Captcha in the login screen

Which one of the following is NOT a type of MITM attack?


DNS Spoofing
Logic Bomb
IP Spoofing
Wi-fi eavesdropping

Which of the following principles of the second of CIA Triad Integrity is/are Correct?
a. Integrity is the concept of protecting the accuracy and completeness of information and processing methods.
b. Integrity protection prevents any kind of alteration of the information.
c. Properly implemented integrity protection provides a means for authorized changes while protecting against intended a
d. Use of a secure Hashing algorithm for the information ensures Integrity.
Only a and b
a, b and c
a, c and d
a, b and d

Which of the following browsers allows access to the Network which is popular for implementing encrypted routing te
Chrome
Edge
Tor
Firefox

The fraudster gets the personal details of the people through the _______ technique.
Spoofing
Keylogger malware
Vishing
Social engineering

Which of the following is not an example of data?


Employees information
Customer Information
Official conversation over phone
All are examples of data

Which one is not an option for disabling UPI services?


YONO Main Screen UPI Enable/Disable UPI
CBS App menu UPI Disable/Re-enable UPI
Contact Centre: 1800112211/18004253800
Branch Interface (Maker-Checker Concept):

Ajit is doing a merchant transaction to pay the mobile bill. He selects net banking of SBI for making online payment. He
It should start with https://www.retail.onlinesbi.com
It should start with https://www.merchant.onlinesbi.sbi
It should start with https://www.onlinesbi.com
It should start with https://www.retailmerchant.sbi

If you want to change the username and password for your SBI Internet banking, which of the following statements is c
You cannot change the Username but you can change the password at any time
You can change the Username but not the password
You can only interchange the username by the password and vice versa
You can change both the Username and password at any time

Which one of the following statements is false?


Organizations use Bulk SMS service for marketing and communications.
Bulk SMS simply means sending a large volume or quantity of SMS
Bulk SMS is sending SMS from mobile to many people.
The user’s response to bulk SMS can compromise their identities.

A Cyber-Attack
is not limited to, stealing, altering or destroying the systems/network, disrupting operations and causing information or id
is a targeted assault on the Bank’s cyberspace and its underlying infrastructure systems
option a or b
option a & b

_____________is used for obtaining unauthorized access to mobile phones via Bluetooth connection. Once such a conn
Man in the Middle attack
Bluesnarfing
Steganography
Spoofing

Which one of the following statements is FALSE about APT attacks?


A type of cyberattack where an unauthorized attacker code enters a system and remains there.
APT attacks may help the attacker in stealing information
APT attacks may be identified immediately as it shuts down the whole system
In APT attacks, attacker code may spread into other machines in the victim’s network and compromise them.

SBI internet banking site provides a facility to bypass such keylogger malware. Identify the feature.
Audio Captcha
Image Captcha
Online Virtual Keyboard
Biometric access

What is Denial of Service Attacks?


A type of attack whereby malicious commands are sent to a system/application through
unauthorized channels.
It is a malicious attempt to disrupt the normal traffic of a targeted server, service or network
with a flood of Internet traffic from multiple computers at the same time
It is an attack meant to shut down a machine or network, making it inaccessible to its
intended users
An attack used to monitor and potentially modify communications between two users.

Which one of the following is a precautions to be taken while operating the ATM?
Taking help from unknown persons if there is a problem with the ATM
Allow another person to watch while entering PIN
Handing of card to other person who offered help to operate ATM
Check if any extra suspicious device is attached to the ATM machine.
Which of the following is not a stage in SIM swapping?
After customer verification, the mobile operator deactivates the old SIM card in customer
possession and issues a new SIM card to the fraudster. With the new SIM, fraudsters can
receive authentication codes or OTP for banking transactions.
Fraudsters obtain customer’s personal data through phishing or social engineering.
Under the pretext of having lost the phone, fraudsters contact the Mobile operator and
create a fake ID.
All the options above are stages of SIM Swapping

Select the correct statement about the impact of Cyber Risks.


The impact on the services or the potential of the attack infecting our customers’ systems.
Loss of Intellectual Property
financial cost in managing a cyber-attack
All are true

__________ malware is a warning-like popup or reminder in a Laptop/PC/Mobile?


Keylogger
Scareware
Fileless
Spyware

Which of the following principles of the first of the CIA Triad Confidentiality is/are Correct?
a.Confidentiality is the concept of the measures used to ensure the protection of the
secrecy of data, objects, or resources.
b.The goal of confidentiality protection is to prevent unauthorized access to the
information.
c.Confidentiality focuses security measures on ensuring that none other than the sender of
a message is able to read it.
d.Secure encryption of the information ensures Confidentiality.
Only a and b
a, b and c
a, c and d
a, b and d

What is not true about SIM Swapping?


SIM Swapping is a fraud that occurs when the fraudsters manage to get a new SIM card
issued for a specific registered mobile number.
Phishing or social engineering techniques are used to obtain personal information of the
customers/users.
Fraudsters get access to the root of the mobile phone through SIM Swapping
Option b & c

With the enhanced sharing of information over a global network for almost all life
functions , which one of the following has become the latest addition to the essential
objectives of Information Security after the CIA Triad?
Authentication
Non-repudiation
Authorization
Non-refutation

What is not true about myths associated with Cyber Risk?


Cyber threat always starts externally
IT team is alone not responsible for Cyber Security
Compliance and security are the same
Cyber security is an issue which is related with technology

How does the use of Virtual keyboard protect the customer?


It is a useless feature
It protects against Keylogger malware
It protects against computer Viruses
It protects against computer Worms.

Which one of the following is the leading illicit dark web marketplace that was taken
down by the FBI, in what was then considered a significant action against the Dark web
market?
Silk Road 2.0
DisrupTor
Tor
Dark Market

The technique of sending SMS that appear to be initiated from the organization for KYC
update, Account credit, Account suspension, winning lottery, SIM block, eKYC updates
etc., is known as ________.
Vishing
Spoofing
Steganography
Identity theft

The technique used to send the emails to all the employees of the Bank is known as
____________.
Smishing
Vishing
Phishing
Spear Phishing

Cyber-attacks that originate through a third-party vendor are also called ________.
Service provider attacks
Supplier attacks
Supply chain attacks
Vendor attacks

What makes the SolarWinds attack an unusual hack?
The hackers, through one piece of malicious code in the SolarWinds vendor’s application,
gained access to the Orion software
The hackers targeted a government agency like the Pentagon
The hackers seriously damaged the energy supply
The hackers through one malicious code in SolarWinds Orion software gained access to
thousands of other companies.

Your friend fears that he has shared the user credentials of OnlineSBI with a stranger. It is
a Sunday and the Bank is closed. Which immediate step would you NOT advise him to take?
Change the password
Lock User access using the relevant link
Contact the Branch on Monday to deactivate INB facility
Type an incorrect login password 4 times so that the username gets locked for a day

Even if a user compromises his/her login credentials of OnlineSBI, no one can log in using
these credentials. What is the new security feature in OnlineSBI?
Audio Captcha in the login screen.
Virtual keyboard in the login screen
OTP has been made mandatory at the time of login
Image based Captcha in the login screen

Which one of the following is NOT a type of MITM attack?
DNS Spoofing
Logic Bomb
IP Spoofing
Wi-Fi eavesdropping

Which of the following statements about Integrity, the second element of the CIA Triad,
is/are correct?
a. Integrity is the concept of protecting the accuracy and completeness of information and
processing methods.
b. Integrity protection prevents any kind of alteration of the information.
c. Properly implemented integrity protection provides a means for authorized changes while
protecting against intended and malicious unauthorized activities (such as viruses and
intrusions) as well as mistakes made by authorized users (by commission or
omission).
d. Use of a secure Hashing algorithm for the information ensures Integrity.
Only a and b
a, b and c
a, c and d
a, b and d
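Statement d above deserves a practitioner's caveat, and it is easy to check in code. The following Python example is added here as an illustration and is not part of the original module; it uses only the standard hashlib and hmac libraries and a constructed payment record. It shows that an unkeyed hash detects a change to the data when the digest itself is safe, that an attacker who can rewrite both the data and its digest defeats an unkeyed hash, and that a keyed HMAC (key held only by the verifier) rejects the same tampering.

```python
import hashlib
import hmac
import secrets

# Constructed sample record for this example (not taken from the page).
RECORD = b"DEBIT acct=000123456789 amount=25000.00 to=acct-987654321"


def sha256_hex(data: bytes) -> str:
    """Unkeyed digest: anyone, including an attacker, can recompute it."""
    return hashlib.sha256(data).hexdigest()


def hmac_tag(key: bytes, data: bytes) -> str:
    """Keyed digest (HMAC-SHA256): only a holder of `key` can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_hash(data: bytes, digest: str) -> bool:
    # compare_digest avoids leaking the position of a mismatch through timing.
    return hmac.compare_digest(sha256_hex(data), digest)


def verify_hmac(key: bytes, data: bytes, tag: str) -> bool:
    return hmac.compare_digest(hmac_tag(key, data), tag)


def integrity_demo() -> dict:
    """Run the four checks and return the outcome of each."""
    key = secrets.token_bytes(32)  # verifier's secret, never sent with the data
    tampered = RECORD.replace(b"25000.00", b"250000.00")

    # 1. A stored digest catches a change made to the data alone.
    digest = sha256_hex(RECORD)
    hash_detects_blind_tamper = not verify_hash(tampered, digest)

    # 2. If the attacker can also replace the digest, the unkeyed hash passes.
    forged_digest = sha256_hex(tampered)
    hash_accepts_forged_pair = verify_hash(tampered, forged_digest)

    # 3. HMAC over the original: tampered data fails against the genuine tag.
    tag = hmac_tag(key, RECORD)
    hmac_detects_tamper = not verify_hmac(key, tampered, tag)

    # 4. Without the key the attacker cannot mint a tag the verifier accepts.
    attacker_tag = hmac_tag(b"attacker-guess", tampered)
    hmac_rejects_forged_tag = not verify_hmac(key, tampered, attacker_tag)

    return {
        "hash_detects_blind_tamper": hash_detects_blind_tamper,
        "hash_accepts_forged_pair": hash_accepts_forged_pair,
        "hmac_detects_tamper": hmac_detects_tamper,
        "hmac_rejects_forged_tag": hmac_rejects_forged_tag,
    }


if __name__ == "__main__":
    for name, outcome in integrity_demo().items():
        print(f"{name}: {outcome}")
```

Run it directly to print the four outcomes. The point for statement d: a hash ensures integrity only while the digest itself is protected, for example published out of band or signed; where data and digest travel together, an HMAC or digital signature whose key the attacker does not hold is what actually prevents undetected alteration.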

Which of the following browsers gives access to the network that is popular for its
encrypted routing technology and for preventing user tracking?
Chrome
Edge
Tor
Firefox

The fraudster gets the personal details of the people through _______technique.
Spoofing
Keylogger malware
Vishing
Social engineering

Which of the following is not an example of data?
Employees information
Customer Information
Official conversation over phone
All are examples of data

Which one is not an option for disabling UPI services?
YONO > Main Screen > UPI > Enable/Disable UPI
CBS > App menu > UPI > Disable/Re-enable UPI
Contact Centre: 1800112211 / 18004253800
Branch Interface (Maker-Checker Concept)

Ajit is doing a merchant transaction to pay his mobile bill. He selects SBI net banking for
making the online payment and is redirected to an SBI site. Before he logs in, what should
be the website address on the screen?
It should start with https://www.retail.onlinesbi.com
It should start with https://www.merchant.onlinesbi.sbi
It should start with https://www.onlinesbi.com
It should start with https://www.retailmerchant.sbi
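Checking that an address "starts with" the expected text is weaker than checking the host the browser actually connects to, which is what phishing pages exploit. The following Python example is added here as an illustration and is not part of the original module. Its allowlist of registrable domains (onlinesbi.com and onlinesbi.sbi) is an assumption made for the example, not an official SBI list, and the lookalike URLs are constructed. It parses the URL with the standard library, requires https, extracts the host and accepts it only if it is, or is a subdomain of, an allowlisted domain, so lookalikes that pass a naive prefix test are rejected.

```python
from urllib.parse import urlsplit

# Assumed allowlist for this example only: registrable domains whose hosts are
# trusted for login. Not an official SBI list.
TRUSTED_DOMAINS = ("onlinesbi.com", "onlinesbi.sbi")


def naive_prefix_check(url: str) -> bool:
    """The 'should start with' rule taken literally. Kept to show why it is weak."""
    return url.startswith("https://www.onlinesbi.com")


def host_is_trusted(url: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True only for an https URL whose host is an allowlisted domain or a subdomain of one."""
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 brackets
        return False
    if parts.scheme != "https":  # urlsplit lower-cases the scheme
        return False
    host = parts.hostname  # drops userinfo, port and brackets; lower-cased
    if not host:
        return False
    host = host.rstrip(".")  # "www.onlinesbi.com." names the same host
    return any(host == d or host.endswith("." + d) for d in trusted)


# Constructed URLs: legitimate-looking addresses and lookalikes of the kinds
# used on phishing pages. None of these point at real attacker sites.
SAMPLE_URLS = {
    "https://www.onlinesbi.com/": True,
    "https://retail.onlinesbi.com/retail/login.htm": True,
    "HTTPS://WWW.ONLINESBI.COM/": True,
    "http://www.onlinesbi.com/": False,                        # no TLS
    "https://www.onlinesbi.com.secure-login.example/": False,  # trusted name used as a prefix
    "https://www.onlinesbi.com@evil.example/": False,          # userinfo trick: real host is evil.example
    "https://www.onlinesbi.com-verify.example/": False,        # hyphenated lookalike
    "https://onlinesbi-com.example/": False,
}


def evaluate(urls=SAMPLE_URLS) -> dict:
    """Return, per URL, what the naive prefix check and the host check decide."""
    return {u: (naive_prefix_check(u), host_is_trusted(u)) for u in urls}


if __name__ == "__main__":
    for url, (naive, strict) in evaluate().items():
        print(f"host_ok={strict!s:5} naive_ok={naive!s:5} {url}")
```

Three of the constructed lookalikes pass the naive prefix check and fail the host check; the mixed-case legitimate URL does the reverse. In a browser, the equivalent of host_is_trusted is reading the host shown in the address bar (not the start of the text) and confirming the padlock before typing credentials.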

If you want to change the username and password for your SBI Internet banking, which of
the following statements is correct?
You cannot change the Username, but you can change the password at any time
You can change the Username but not the password
You can only interchange the username by the password and vice versa
You can change both the Username and password at any time

Which one of the following statements is false?
Organizations use Bulk SMS service for marketing and communications.
Bulk SMS simply means sending a large volume or quantity of SMS
Bulk SMS is sending SMS from mobile to many people.
The user’s response to bulk SMS can compromise their identities.

A Cyber-Attack
is not limited to stealing, altering or destroying the systems/network, disrupting operations
and causing information or identity theft.
is a targeted assault on the Bank’s cyberspace and its underlying infrastructure systems
option a or b
option a & b

_____________is used for obtaining unauthorized access to mobile phones via Bluetooth
connection. Once such a connection is established then the attacker will be able to steal
photos, messages and contacts etc.
Man in the Middle attack
Bluesnarfing
Steganography
Spoofing

Which one of the following statements is FALSE about APT attacks?
A type of cyberattack where an unauthorized attacker code enters a system and remains
there.
APT attacks may help the attacker in stealing information
APT attacks may be identified immediately as it shuts down the whole system
In APT attacks, attacker code may spread into other machines in the victim’s network and
compromise them.

SBI internet banking site provides a facility to bypass such keylogger malware. Identify the
feature.
Audio Captcha
Image Captcha
Online Virtual Keyboard
Biometric access

LESSON 4

1
Which one of the following is the most important aspect for an organization as big and
global as SBI to protect itself from cyber security attacks and subsequent loss of brand
image?
A training program for all the vendors to underscore secure coding practices.
A training and awareness program for all the employees in the Information Security
department.
An awareness program among all the customers to provide education and guidance on a
range of topics, including email, cloud and mobile security.
A training awareness program that would provide education and guidance on a range of
information security topics to all the internal users of its systems and applications.

2
Who is primarily responsible for reporting cyber security incidents?
Deputy General Manager (AC) at LHO
ATM Channel Manager
Branch Manager
Regional Manager (RBO)

3
Which one of the following options does not substantiate the Acceptable Usage Policy of
our Bank?
We need to protect the data by following acceptable usage policy guidelines of our bank.
All the workstations / devices should be protected by strong passwords.
However, Mobile and laptop given to the staff for personal holding have exceptions to the
policy.
Always lock your desktop while leaving your seat.

4
Which of the following statements is NOT correct in the WannaCry case?
A Windows vulnerability discovered by the United States National Security Agency (NSA).
After systems got affected by WannaCry, Microsoft released the patch that updated their
security.
The attacker collective is called The Lazarus Group.
This was only one month after Microsoft released patches for the exploit, meaning that
computers that had yet to update were still left vulnerable.

5
Identify some of the risks involved in using public free WiFi.
All of the above statements are correct
It can expose the users to Man-in-the-middle attacks
The free WiFi could be a rogue network, harvesting the internet user’s data.
Hackers may be misusing the free Wi-Fi to distribute malware

6
Websites use CAPTCHA to stop automated tools from guessing passwords, i.e. to prevent a
_______.
Shoulder surfing
Dictionary Attack
Brute-force Attack
Guessing

7
Which one of the following options is not a concern for password security?
In case of any breach in a Social Media Handle, delete your Social Media Account instead
of changing the password.
Password is required to be sufficiently long and secret
Users are responsible for all activities originated from their User credentials
Password should be treated like signature

8
Which of the following incident(s) should be reported to RBI, CERT-In & NCIIPC?
All cyber incidents irrespective of amount of loss
Phishing / Vishing attacks on customers resulting in a cumulative loss for the customer(s)
exceeding ₹ 50 lakh
All incidents which lead to customer service disruptions due to non-availability of IT
systems
All of the above

9
If a Bank allows some of its employees to bring their own laptops, smart phones, tablets
etc. to the office for office work, this policy is called BYOD. What does BYOD stand for?
Bring Your Own Desktop
Bring Your Own Device
Buy Your Own Device
Budget Your Own Device

10
Can we create the password in other regional language (Other than English and Hindi) in
Retail Internet Banking?
You can use the multilingual image based virtual keyboard in Hindi or English only.
The multilingual image based virtual keyboard is available in 13 languages.
You can use the multilingual image based virtual keyboard in Hindi or Tamil only
The multilingual image based virtual keyboard is available in Hindi , Tamil, Oriya or Marathi
only

11
Pick the odd one.
Passwords should be complex, sufficiently long and secret.
Passwords must be created using small & upper case, when own name or short form of
own name and own initials are used.
Users are responsible for all activities originating from their user credentials.
Passwords should not be treated like signatures.

12
Select the wrong statement about the Acceptable usage policy (IS Policy) of our Bank.
Users should not install any software that is not authorized for the Bank’s business.
Users on whose PC / Server such software runs shall be solely responsible for
Copyrights / IPR violation, Legal and Penal actions as per IT Act
Successful backup of critical applications or data should be ensured yearly and to be kept
offsite.
All are true

13
Which of the following statements is not true about Acceptable usage policy (IS Policy) of
our Bank?
Employees, to whom State Bank owned laptops or any other Portable devices are issued,
are responsible for its safe custody
Employees who are authorized to access emails and Bank’s data on mobile devices
should ensure that MDM application software is installed on those mobile devices.
Employee’s mobile devices need not have Antivirus software
Loss of portable devices should be reported immediately to the local police and to the
appropriate authority.

14
What action will you take, when you are defrauded?
Change the username immediately
Lock the user access immediately
Send a written letter to the branch immediately
Write a letter to the RBI immediately

15
The company asked their employees to use their own devices and internet access while
working from home. List some precautions that they could have exercised even under
these conditions: (i) Ensuring that authorized antivirus is installed in the devices of the
employees (ii) Ensuring that appropriate software patches are updated in the
devices of the employees (iii) Asking the employees to use enterprise VPN
Options (i) and (ii) are sufficient
Option (i) alone is sufficient
Options (i) , (ii) and (iii) are necessary
Option (ii) alone is sufficient

16
Which of the following options is NOT a password security best practice?
Enable two-factor authentication
Never completely trust service providers
Change your password, only if you suspect it may have been exposed
Never reuse a password

17
Which one of the following options is not considered as incident for reporting to RBI,
NCIIPC and CERT-In?
Frauds/ Customer complaints related to frauds.
Accounting/clerical errors (incorrect ledger posting – cr/dr) that are rectified subsequently.
DoS/DDoS attack not lasting beyond 30 minutes contiguously, or not impacting the
customer service/digital channels even if it lasts beyond 30 minutes.
All of the above

18
Which of the following statements is correct regarding creation of Profile password using
the Multilingual Image based Virtual keyboard?
The Profile password should be a combination of alphabets in two of the languages
chosen
The Profile password should be a combination of alphabets (in the language chosen), and
numerals and special characters
The Profile password should be a combination of alphabets (in the language chosen), and
numerals and images
The Profile password should be a combination of alphabets (in the language chosen) and
numerals

19
Which one of the following applications is not a threat to compromise confidentiality of the
data of portable devices?
Facebook
AirWatch agent
WhatsApp
Truecaller

20
What are the ways you can report an unauthorised transaction (ATM) without visiting the
branch?
Call the dedicated number 1800 1111 09, or raise a complaint through https://crcf.sbi.co.in
Call the Branch
Call ATM Channel Manager OR ATM Channel Manager Facilitator linked to the ATM
Option a or c

21
Which of the following steps would not be a part of the planning for Work from home?
Ensuring the physical access to the systems room is restricted and monitored
Providing connectivity through a reputed service provider
Installing Anti-Virus in these systems
Arranging official laptops with proper configuration for the employees

22
Which of the following will not be considered as cyber incidents for reporting to RBI?
Incorrect accounting entries that are rectified subsequently
All the options will not be considered
Customer complaints related to frauds.
Physical tampering of ATMs

23
Select the correct statement in this case.
Ransomware Malware uses simple encryption codes to encrypt a victim’s files.
The patches could not stop the spreading malware
The motive for this Ransomware attack is always monetary
Ransomware Malware affects more devices in less time.

24
Which one of the following options is NOT a violation of acceptable usage policy?
The laptop was not protected by password
The laptop was kept open, and the desktop was not locked
There was a breach of critical and confidential data.
There was a data vulnerability due to lack of Anti-virus

25
What are the timelines for reporting cyber incidents to RBI and the other Statutory
Authorities, CERT-In & NCIIPC? Who should report the incident?
All cyber security incidents should be reported within 24 hours by Incident Response &
Management Team
All cyber security incidents should be reported within 12 hours by Incident Response &
Management Team
All cyber security incidents should be reported within 2 to 6 hours by Incident Response &
Management Team
All cyber security incidents should be reported within 24 to 48 hours by Incident Response
& Management Team

26
Which of the following options is an example of inappropriate use of the e-mail service?
Use of other officers' user ids or using a false identity.
Authorized exchange of proprietary information or confidential information
Use the accounts of others with their permission
Creation and exchange of e-mails information or content for official purpose.

27
Cyber security incidents can be reported
by any employee or public
by home branch only
by public
by any employee

28
Which method is NOT suggested to prevent new account fraud?
Ensure ATM Card connected to operational SB Account is blocked
Contact the bank immediately and ensure all the operating accounts are closed
Ensure to lock the internet banking user ID.
Applying the use of end-to-end encryption to protect online transactions.

29
What should be the minimum and maximum length of the login password in Retail Internet
Banking?
Minimum length should be 6 characters and maximum length 15 characters
Minimum length should be 8 characters and maximum length 20 characters
Minimum length should be 6 characters and maximum length 20 characters
Minimum length should be 8 characters and maximum length 15 characters

30
Select the wrong statement.
For online meetings, Manage screen sharing options. Change screen sharing to “Host
Only.” Avoid file sharing
Do not play online games on company devices as they may download trojans.
Secure your Wi-Fi router connections by enabling WPA2 + AES security
For web security, verify full URL by clicking the link, but do not give any
personal/confidential information
