Set D Digital Ecosystem and Controls Key & Notes - Mcqs
PAPER-4: DIGITAL ECOSYSTEM AND CONTROLS
KEY NOTES & MCQS
Prepared by:
Pradeep Kumar M
LinkedIn: https://www.linkedin.com/in/pradeepkumar-m12
SET – D PAPER-4: DIGITAL ECOSYSTEM AND CONTROLS
INDEX
Sl No. Contents Page number
1. Key Notes 2 – 19
3. Mock Test – 1 55 – 71
5. Mock Test – 2 73 – 88
• Focuses on aligning IT strategy with enterprise strategy, ensuring IT contributes to value generation.
1.5 Business and IT Strategy
Objective of IT Strategy
• Provides a comprehensive view of the IT landscape and aligns IT with business strategies.
IT Steering Committee
• Composed of senior management to oversee IT deployment, resolve conflicts, and align IT with business goals.
IT Strategic Planning
• Must remain dynamic, aligning long- and short-term plans with enterprise strategies.
Classification of Strategic Planning
1. Enterprise Strategic Plan: Defines long-term goals.
2. Information Systems Strategic Plan: Optimizes IT opportunities and addresses business requirements.
3. Information Systems Requirements Plan: Focuses on information architecture.
4. Information Systems Applications and Facilities Plan: Specifies application systems, hardware, and infrastructure.
Key Management Practices for Aligning IT Strategy with Enterprise Strategy
1. Understanding enterprise direction.
2. Assessing current IT capabilities.
3. Defining target IT capabilities.
4. Conducting gap analysis.
Business Value from Use of IT
• Optimizes IT investments and aligns them with enterprise goals to deliver value.
1.6 Frameworks to Support Effective IT Governance
COBIT as an IT Governance Framework
• COBIT defines processes and objectives for IT management and governance.
COBIT Principles
1. Stakeholder value delivery.
2. Holistic governance approach.
3. Distinction between governance and management.
4. End-to-end enterprise focus.
Governance and Management Objectives
• COBIT 2019 organizes 40 objectives into five domains:
o EDM (Evaluate, Direct, Monitor).
o APO (Align, Plan, Organize).
o BAI (Build, Acquire, Implement).
o DSS (Deliver, Service, Support).
o MEA (Monitor, Evaluate, Assess).
Components of the Governance System
1. Processes.
2. Organizational structures.
3. Principles, policies, and procedures.
• Procurement Options:
o In-House Development: Tailored to meet specific organizational needs but requires significant resources.
o Procurement from External Sources: Ready-made software solutions that reduce development time.
o Hybrid Approach: Combines internal and external solutions to balance customization and efficiency.
• Evaluation of Proposals:
o Functional and non-functional requirements.
o Vendor reputation, technical capabilities, and financial stability.
o Cost-benefit analysis and alignment with organizational goals.
7.3 Information System Development Methodologies
• Waterfall Model:
o Sequential development process with distinct phases: Analysis, Design, Implementation, Testing, Deployment, Maintenance.
o Advantages: Simple and structured.
o Disadvantages: Rigid and unsuitable for dynamic requirements.
• Prototyping Model:
o Development of a working model for iterative refinement based on user feedback.
o Advantages: Enhances user involvement and satisfaction.
o Disadvantages: Risk of scope creep and incomplete analysis.
• Agile Methodology:
o Emphasizes iterative progress through small, incremental sprints with customer collaboration.
o Advantages: Highly flexible and adaptive.
o Disadvantages: Requires skilled teams and close communication.
• V-Model:
o Extends the Waterfall Model with a parallel emphasis on verification and validation.
o Advantages: Focuses on quality assurance.
o Disadvantages: Rigid and less flexible.
• RAD (Rapid Application Development):
o Prioritizes quick delivery using prototyping and iterative refinement.
o Advantages: Accelerates development and improves user involvement.
o Disadvantages: High dependency on user feedback and skilled developers.
11.1 Introduction
1. Business Intelligence (BI) transforms raw data into actionable insights for decision-making.
2. BI uses tools, software, or services to create dashboards, graphs, charts, and reports that guide organizations in making informed choices.
3. Modern BI tools enable businesses to identify market trends, monitor financial performance, understand customer behaviour, and capitalize on opportunities.
1. Analytics: Uses techniques like seasonal analysis, "what-if" scenarios, and data modelling to identify trends.
2. Dashboards: Provides visual collections of KPIs, metrics, and data for quick insights.
3. Data Mining: Leverages machine learning and statistical methods to uncover patterns in datasets.
4. ETL (Extract, Transform, Load): Extracts data, cleans it, and loads it into data warehouses for analysis.
5. Model Visualization: Converts raw data into visual formats like charts and histograms for better understanding.
6. OLAP (Online Analytical Processing): Performs multidimensional analyses for CRM, forecasting, and budgeting.
10. Real-Time Monitoring: Enables immediate decision-making by analysing operational data in real-time.
11. Collaborative BI: Shares insights with stakeholders inside and outside the organization.
12. Mobile BI: Allows access to BI tools on mobile devices for convenience.
1. Analyse Business Requirements: Identify the business goals and necessary analysis.
2. Design Data Model: Develop logical models that showcase relationships in the data.
3. Design Physical Schema: Structure the data warehouse by building schemas based on models.
4. Build the Data Warehouse: Populate the warehouse with data from source systems.
5. Create BI Project Structure: Define metadata and organize the project for data mapping.
6. Develop BI Objects: Create reports, dashboards, metrics, and charts for analysis.
7. Administer and Maintain: Regularly monitor and update the BI system to ensure functionality and security.
1. Popular Tools:
o Microsoft Power BI: Offers real-time analytics, AI-driven insights, and integration with multiple data sources.
2. Additional BI Tools: Zoho Analytics, Oracle BI, SAS Visual Analytics, and others.
3. Key Benefits:
2. Bar Charts: Represent absolute values, including positive and negative data.
5. Funnel Charts: Show data progression through stages (e.g., recruitment processes).
2. Data Analytics:
12.1 Introduction
1. FinTech leverages technology to revolutionize financial services, including lending, payments, insurance, and asset management.
2. Categories:
o B2C (Business-to-Consumer): Direct solutions like mobile payments and digital banking.
3. Core Technologies: Artificial Intelligence (AI), Blockchain, Cloud Computing, and Big Data (ABCD).
o Classification:
▪ Capabilities:
▪ Functionalities:
2. Blockchain:
3. Cloud Computing:
4. Big Data:
o Drives insights for fraud detection, customer behaviour analysis, and real-time decision-making.
1. Trends:
2. Benefits:
1. Mobile Payments: Secure transactions through apps like Apple Pay and Google Pay.
3. Blockchain and Cryptocurrency: Enables secure, decentralized financial platforms (e.g., Bitcoin).
1. Importance of data protection laws (e.g., India’s IT Act Sections 43A and 72A).
Illustrations
2. Starbucks: Employs predictive analytics for personalized recommendations and seamless ordering.
• Emerging technologies are innovations that have the potential to significantly impact industries and redefine business processes.
• They are often disruptive and create new opportunities and challenges.
• Definition: IoT refers to a network of interconnected devices that communicate and exchange data in real-time.
• Key Features:
o Automation of processes.
• Applications:
2. Industrial Automation:
3. Healthcare:
• Definition: Quantum computing leverages quantum mechanics principles like superposition and entanglement to perform computations at unprecedented speeds.
• Key Features:
• Applications:
1. Drug Discovery:
2. Optimization Problems:
3. Cryptography:
13.2.3 Regtech
• Definition: Regtech, or Regulatory Technology, involves the use of technology to simplify regulatory compliance.
• Key Features:
• Applications:
1. Compliance Reporting:
2. Fraud Detection:
▪ Ensures compliance with laws like GDPR (General Data Protection Regulation) and DPDP (Digital Personal Data Protection Act).
• Efficiency:
• Real-time Insights:
• Cost Reduction:
o Deployment of technologies like IoT and quantum computing requires significant upfront costs.
• Skill Gaps:
o Compliance with data protection laws and ethical implications of automation and AI.
• Growth of Regtech:
o Increased reliance on technology for regulatory adherence in fintech and healthcare sectors.
• Sustainability Focus:
MCQs
Chapter 1: Concepts of Governance and IT Strategy
d) BAI
Answer: a) MEA
10. Which COBIT domain deals with solution acquisition and implementation?
a) DSS
b) BAI
c) APO
d) EDM
Answer: b) BAI
d) End-to-end governance
Answer: c) IT-centric framework only
b) Risk Analysis
c) Risk Identification
d) Risk Communication
Answer: c) Risk Identification
10. Which term refers to the rules for how risks are handled?
a) Risk Analysis
b) Risk Mitigation
c) Risk Policy
d) Risk Scoring
Answer: c) Risk Policy
b) ISO 9001
c) ITIL
d) PCI-DSS
Answer: a) COSO ERM
14. Which element of ERM involves reviewing the effectiveness of risk measures?
a) Risk Identification
b) Risk Monitoring
c) Risk Response
d) Risk Appetite
Answer: b) Risk Monitoring
17. Which principle of ERM emphasizes aligning risks with the organization's strategy?
a) Risk Identification
b) Strategic Integration
c) Performance Management
d) Compliance Alignment
Answer: b) Strategic Integration
20. Which role is primarily responsible for ensuring ERM is implemented effectively?
a) IT Administrator
b) Risk Manager
c) Financial Analyst
d) HR Manager
Answer: b) Risk Manager
13. Which type of security ensures that data is accurate and complete?
a) Integrity
b) Confidentiality
c) Availability
d) Accessibility
Answer: a) Integrity
2. Which of the following is NOT a phase in the Business Continuity Management (BCM) process?
a) Risk Assessment
b) Incident Response
c) Financial Reporting
d) Testing and Maintenance
Answer: c) Financial Reporting
4. Which backup type ensures a copy of all data is made, regardless of previous backups?
a) Differential Backup
b) Full Backup
c) Incremental Backup
d) Selective Backup
Answer: b) Full Backup
6. Which type of site is fully equipped and ready to take over operations immediately in case of a disaster?
a) Cold Site
b) Hot Site
c) Warm Site
d) Hybrid Site
Answer: b) Hot Site
8. Which document outlines how to handle unexpected incidents that disrupt operations?
a) Financial Report
b) Incident Management Plan
c) Compliance Audit Report
d) Employee Handbook
Answer: b) Incident Management Plan
11. Which phase in BCM involves testing the effectiveness of the BCP?
a) Development
b) Implementation
c) Maintenance and Testing
d) Risk Assessment
Answer: c) Maintenance and Testing
12. What does the term 'Recovery Point Objective' (RPO) signify?
a) The maximum amount of data loss acceptable
b) The time taken to create a backup
c) The cost of implementing disaster recovery solutions
d) The time to achieve compliance certification
Answer: a) The maximum amount of data loss acceptable
15. Which type of backup only stores changes made since the last backup?
a) Differential Backup
b) Incremental Backup
c) Full Backup
d) Selective Backup
Answer: b) Incremental Backup
17. Which of the following is a key benefit of having a Business Continuity Plan?
a) Increased compliance fines
b) Reduction in IT investments
c) Improved organizational resilience
d) Enhanced marketing capabilities
Answer: c) Improved organizational resilience
1. What is the primary objective of the System Development Life Cycle (SDLC)?
a) To optimize business processes
b) To manage financial risks
c) To guide the development and maintenance of information systems
d) To create organizational policies
Answer: c) To guide the development and maintenance of information systems
4. Which phase in SDLC involves creating detailed specifications for system components?
a) Implementation
b) Testing
c) System Design
d) Maintenance
Answer: c) System Design
8. Which SDLC model is best suited for projects with clear and unchanging requirements?
a) Waterfall
b) Agile
c) Spiral
d) Prototype
Answer: a) Waterfall
11. Which SDLC phase involves training users and deploying the system into production?
a) Implementation
b) Requirement Analysis
c) Testing
d) Feasibility Study
Answer: a) Implementation
18. Which model is best suited for projects with evolving requirements?
a) Agile
b) Waterfall
c) V-Model
d) Prototype Model
Answer: a) Agile
8. What type of software is used to verify the integrity of data during audits?
a) Compression Software
b) Data Validation Tools
c) Network Monitors
d) File Sharing Systems
Answer: b) Data Validation Tools
15. Which IT audit tool compares expected vs. actual outcomes of transactions?
a) Integrated Test Facility
b) Re-performance
c) Control Flowchart
d) Audit Hook
Answer: b) Re-performance
15. Which term describes the process of cleaning and organizing raw data?
a) Data Preprocessing
b) Data Mining
c) Data Encryption
d) Data Archiving
Answer: a) Data Preprocessing
a) Financial Technology
b) Financial Terminal
c) Financial Transactions
d) Financial Test
a) Artificial Intelligence
b) Blockchain
c) Big Data
d) All of the above
a) P2P Lending
b) Robo Advisors
c) Fixed Deposits
d) Distributed Ledger Technology
a) Decentralization
b) Central Authority Control
c) High Latency Transactions
d) Absence of Cryptography
Answer: a) Decentralization
a) Blockchain
b) Crowd Funding
c) Robo Advisors
d) UPI
Answer: a) Blockchain
a) Reactive AI
b) Deep Learning
c) General AI
d) Blockchain
a) Restricted access
b) Open participation with native tokens
c) Limited scalability
d) Higher fees for transactions
17. Which financial tool allows digital transactions without government intermediaries?
Answer: b) Cryptocurrency
a) Data accessibility
b) Dependence on Internet connectivity
c) Cost-efficiency
d) Broad network access
a) Insurance
b) Supply Chain Management
c) Mobile Payments
d) Real Estate
a) Blockchain verification
b) Automated algorithms
c) Crowd-based insights
d) Human interaction
(b) USSD
(c) Mobile Wallet
(d) IMPS
Answer: (b) USSD
4. What is the primary purpose of the AEPS (Aadhaar Enabled Payment System)?
(a) Fund Transfer
(b) Cash Withdrawal
(c) Cash Deposit
(d) All of the above
Answer: (d) All of the above
7. Which IoT application assists in monitoring customer visits and queue times in banks?
(a) Fraud prevention
(b) Capacity building
(c) Personalized rewards
(d) Remote monitoring
Answer: (b) Capacity building
14. What is the primary risk associated with quantum computing in finance?
(a) Speed of transactions
(b) Breaking cryptographic algorithms
(c) Increased processing power
(d) Operational inefficiency
Answer: (b) Breaking cryptographic algorithms
15. Which type of digital payment allows bill sharing among friends?
(a) UPI
(b) AEPS
(c) Mobile Wallet
(d) BHIM
Answer: (a) UPI
19. What factor is crucial for IoT success in the financial industry?
(a) Legacy system usage
(b) Accurate problem statements
(c) High sensor costs
MOCK MCQ -1
SET D: PAPER-4: DIGITAL ECOSYSTEM AND CONTROLS
(Mixed 1-mark and 2-mark questions)
2. Case-based Question:
A logistics company uses IoT devices to monitor the temperature of goods in transit. Recently, several temperature sensors malfunctioned, leading to product spoilage. As part of its risk management framework, what immediate action should the company take?
a) Ignore the issue and compensate customers
b) Conduct a root cause analysis and replace faulty sensors
c) Stop using IoT devices entirely
d) Focus only on maintaining customer relationships
(2 marks)
4. Case-based Question:
A retail chain implemented a disaster recovery plan but failed to restore its systems within the agreed recovery time
after a cyberattack. What critical aspect might the company have overlooked in its disaster recovery planning?
a) Implementation of incident response measures
b) Regular testing of recovery procedures
c) Automation of backup systems
d) Hiring more IT staff
(2 marks)
6. Case-based Question:
A bank’s IT steering committee has identified a need to align IT initiatives with business objectives. However, the
committee lacks clarity on prioritizing investments. What is the most effective approach they should adopt?
a) Focus solely on cost reduction
b) Develop a portfolio management process
c) Use trial-and-error for decision-making
d) Allocate resources equally to all projects
(2 marks)
8. Case-based Question:
An e-commerce company collects personal data from users for customized marketing campaigns. However, during
an audit, it was flagged for non-compliance with the Digital Personal Data Protection Act, 2023. What should the
company immediately implement to avoid legal penalties?
a) Discontinue all marketing campaigns
b) Ensure consent is obtained before using personal data
c) Reduce the volume of customer data collected
d) Focus only on anonymized data
(2 marks)
11. Which of the following is NOT a stage in the System Development Life Cycle (SDLC)?
a) System Design
b) Implementation
c) Maintenance
d) Resource Redistribution
(1 mark)
16. Which of the following is NOT an emerging technology discussed in the Digital Ecosystem?
a) Artificial Intelligence
b) Blockchain
c) Vacuum Tubes
d) Quantum Computing
(1 mark)
18. What is the purpose of the Digital Personal Data Protection Act, 2023?
a) To promote data sharing between businesses
b) To ensure accountability in processing personal data
c) To eliminate all data collection activities
d) To restrict the use of encryption
(1 mark)
22. Which of the following is NOT a component of an Enterprise Risk Management (ERM) framework?
a) Risk Identification
b) Risk Monitoring
c) Risk Elimination
d) Risk Mitigation
(1 mark)
24. What does the "A" in the ABCD of Fintech stand for?
a) Accountability
b) Artificial Intelligence
c) Automation
d) Authorization
(1 mark)
28. What does a Governance, Risk, and Compliance (GRC) framework primarily focus on?
a) Improving operational efficiency
b) Managing governance, risks, and regulatory compliance
c) Automating business processes
d) Increasing employee productivity
(1 mark)
35. What is the purpose of COBIT’s Evaluate, Direct, and Monitor (EDM) domain?
a) To manage day-to-day IT operations
b) To provide strategic direction and monitor performance
c) To automate IT processes
d) To develop technical solutions for business issues
(1 mark)
47. Which of the following best describes the purpose of a risk classification system?
a) To prioritize risks based on their impact and likelihood
b) To eliminate all risks in an organization
c) To focus solely on financial risks
d) To increase the complexity of risk management
(1 mark)
60. What is the main focus of the GRC (Governance, Risk, and Compliance) framework?
a) Reducing operational costs
b) Managing enterprise governance, risks, and compliance obligations
(1 mark)
62. What does the term “Digital Economy” primarily refer to?
a) The use of digital technologies to enhance traditional business models
b) A fully automated economy
c) An economy based solely on cryptocurrency
d) A system where no human intervention is required
(1 mark)
64. What is the key objective of the Digital Personal Data Protection Act, 2023?
a) To protect and regulate the processing of personal data
b) To enable unrestricted access to personal data for businesses
c) To enforce mandatory cloud storage for data
d) To replace all other privacy laws globally
(1 mark)
66. What does “Big Data” primarily refer to in the context of fintech?
a) Large datasets that require specialized tools for analysis
b) Data used only for financial transactions
c) Manual methods of analyzing business information
d) Small datasets with minimal complexity
(1 mark)
72. Which of the following is a key feature of the System Development Life Cycle (SDLC)?
a) It provides a phased approach to system development
b) It eliminates the need for user involvement
c) It focuses solely on software coding
d) It replaces all manual processes
(1 mark)
74. What is the purpose of the Digital Data Protection Act, 2023?
a) To regulate the collection and processing of personal data
b) To enforce mandatory use of blockchain for data storage
c) To remove data protection requirements for businesses
d) To allow unrestricted sharing of user data
(1 mark)
76. What is the main benefit of aligning IT strategy with business objectives?
a) Improved IT resource utilization and business value delivery
b) Complete elimination of IT-related risks
c) Increased IT budgets for all departments
d) Independent operation of IT from business units
(1 mark)
Answer Key (Mock MCQ-1)
Q   Ans   Q   Ans   Q   Ans   Q   Ans
1   b     21  a     41  a     61  a
2   b     22  c     42  a     62  a
3   b     23  a     43  a     63  a
4   b     24  b     44  a     64  a
5   d     25  a     45  d     65  a
6   b     26  b     46  a     66  a
7   b     27  a     47  a     67  a
8   b     28  b     48  a     68  b
9   a     29  b     49  a     69  a
10  b     30  b     50  c     70  b
11  d     31  b     51  a     71  a
12  b     32  a     52  b     72  a
13  b     33  b     53  a     73  a
14  b     34  a     54  b     74  a
15  b     35  b     55  a     75  a
16  c     36  a     56  b     76  a
17  a     37  b     57  a     77  a
18  b     38  a     58  d     78  a
19  b     39  b     59  a     79  a
20  a     40  a     60  b     80  a
a) COBIT
b) ITIL
c) NIST
d) ISO 27001
(1 mark)
2. Case-based Question:
A financial institution implemented multi-factor authentication (MFA) to enhance security. However, many users bypass MFA by using weak recovery questions. What should the institution implement to mitigate this risk?
a) Enforce biometric authentication
b) Implement hardware-based authentication tokens
c) Disable account recovery features
d) Use CAPTCHA to verify user identity
(2 marks)
3. Which phase in the System Development Life Cycle (SDLC) ensures the system meets business needs
before deployment?
a) Implementation
b) Testing
c) Planning
d) Maintenance
(1 mark)
5. Case-based Question:
A manufacturing company faced a ransomware attack where attackers encrypted all customer orders. The company lacked a structured incident response plan. What should be the first response to such an attack?
a) Pay the ransom to recover data
b) Shut down affected systems and notify cybersecurity teams
(2 marks)
a) Symmetric Encryption
b) Hashing
c) Digital Signatures
d) Tokenization
(1 mark)
a) Hashing
b) Proof of Work (PoW)
c) Digital Certificate
d) Cryptanalysis
(1 mark)
8. Case-based Question:
An e-commerce platform suffered a data breach due to weak API security, exposing customer payment details.
What action should be taken immediately?
a) Disable the API service
b) Implement OAuth authentication and secure API endpoints
c) Inform customers after fixing the vulnerability
d) Ignore minor breaches if no financial loss occurs
(2 marks)
A healthcare provider uses cloud storage for patient records. Due to poor access controls, unauthorized employees
accessed confidential patient data. What security measure should be implemented?
a) Role-based access control (RBAC)
b) Disable cloud storage for patient records
c) Allow access to all employees for operational efficiency
d) Use open Wi-Fi networks for secure access
(2 marks)
12. Which cloud model offers complete control over infrastructure but requires in-house maintenance?
a) Public Cloud
b) Private Cloud
c) Hybrid Cloud
d) Community Cloud
(1 mark)
A global consulting firm stores sensitive client data in multiple locations. During a recent audit, it was flagged for
non-compliance with regional data privacy laws. What should the firm prioritize to address this issue?
a) Implement a centralized data governance framework
b) Avoid storing client data digitally
c) Focus only on data protection for high-value clients
d) Reduce the number of locations storing client data
(2 marks)
a) Phishing
b) DDoS
c) Ransomware
d) Man-in-the-Middle
(1 mark)
A bank was fined for not detecting insider threats despite having a robust IT security policy. What additional measure should the bank adopt to prevent such incidents?
a) Implement continuous monitoring and user behavior analytics
b) Outsource all IT security activities
c) Stop granting high-level system access to employees
d) Focus only on external threat prevention
(2 marks)
a) Bell-LaPadula Model
b) Biba Model
c) Clark-Wilson Model
d) Brewer-Nash Model
(1 mark)
A fintech company is integrating blockchain technology to improve security in financial transactions. However,
transactions are taking longer to validate due to high processing power requirements. What should the company
consider implementing?
a) Shift from Proof of Work (PoW) to Proof of Stake (PoS)
b) Increase block size to include more transactions
c) Remove cryptographic hashing to speed up processing
d) Use centralized ledger instead of blockchain
(2 marks)
An organization using cloud services experienced a data breach due to an employee mistakenly sharing an access
key in a public forum. What security control should be strengthened to prevent such incidents?
a) Implement Key Management System (KMS) with automatic rotation
b) Reduce cloud usage to essential employees only
c) Avoid using access keys for authentication
d) Disable cloud-based authentication services
(2 marks)
a) Holistic approach
b) End-to-end coverage
c) Strict manual control requirements
d) Governance distinct from management
(1 mark)
A multinational corporation faced challenges in meeting GDPR compliance due to data stored across multiple cloud
providers. What should the company do to ensure data protection compliance?
a) Implement a unified data governance framework
b) Encrypt all data and disable compliance monitoring
c) Store data only in high-security countries
d) Reduce data collection activities
(2 marks)
a) Budgeting
b) Blockchain
c) Benchmarking
d) Business Intelligence
(1 mark)
A retail company adopted AI-powered chatbots for customer service. However, customers reported incorrect responses to their queries. What should the company prioritize to improve chatbot accuracy?
a) Train AI models using diverse datasets
b) Restrict chatbots to predefined queries only
c) Reduce chatbot availability during peak hours
d) Remove AI-based automation from customer service
(2 marks)
25. Which attack involves attackers modifying ARP cache entries to redirect network traffic?
a) SQL Injection
b) ARP Spoofing
c) DNS Tunneling
d) Cross-site Scripting
(1 mark)
A smart home device manufacturer is facing security concerns as its IoT devices are vulnerable to unauthorized
remote access. What action should the company take to secure its devices?
a) Implement strong authentication and encryption protocols
(2 marks)
27. Which of the following cloud deployment models allows multiple organizations to share a cloud infrastructure?
a) Private Cloud
b) Public Cloud
c) Hybrid Cloud
d) Community Cloud
(1 mark)
An IT firm noticed that employees were frequently using unauthorized USB drives, leading to potential malware infections. What security measure should be enforced to mitigate this risk?
a) Implement endpoint security solutions with device control
b) Block all USB ports on employee computers
c) Ban employees from using any external devices
d) Allow only company-approved USB drives without encryption
(2 marks)
A large e-commerce company suffered a major DDoS attack during its Black Friday sale. What solution should the
company implement to prevent such attacks in the future?
a) Deploy Web Application Firewall (WAF) and traffic filtering
b) Shut down website access during high-traffic periods
c) Avoid promotional campaigns to reduce attack incentives
d) Rely solely on antivirus software for security
(2 marks)
31. Which type of attack involves an attacker intercepting and modifying communications between two parties without their knowledge?
a) Phishing
b) Man-in-the-Middle (MITM)
c) SQL Injection
d) Brute Force
(1 mark)
A global company recently faced a major data breach due to an insider threat where an employee leaked confidential customer data. What should the company implement to prevent such incidents?
a) Deploy User Behavior Analytics (UBA) for anomaly detection
b) Remove employee access to sensitive data entirely
c) Implement a zero-password policy
d) Outsource data security to third parties
(2 marks)
a) ISO 31000
b) ISO 27001
c) GDPR
d) NIST 800-53
(1 mark)
A financial institution wants to improve its risk assessment strategy for IT governance. Which framework should it
primarily adopt?
a) COBIT
b) ITIL
c) Six Sigma
d) Agile
(2 marks)
An organization is experiencing frequent phishing attacks leading to compromised employee credentials. What
should be the first step in mitigating this issue?
a) Conduct cybersecurity awareness training for employees
b) Remove email access for all employees
(2 marks)
37. What is the main purpose of a Security Information and Event Management (SIEM) system?
(1 mark)
A hospital recently migrated patient records to a cloud-based storage system but is now facing compliance challenges under HIPAA regulations. What should the hospital prioritize?
a) Implement strict access controls and encryption mechanisms
b) Store all records in a physical format instead
c) Disable all cloud services
d) Remove patient records older than five years
(2 marks)
39. Which of the following techniques is used in digital forensics to recover deleted files?
a) Data masking
b) Disk imaging
c) Tokenization
d) Firewall logging
(1 mark)
A manufacturing company relies on Industrial IoT (IIoT) devices for production monitoring. Recently, several devices were compromised due to weak passwords. What should be the best approach to securing IIoT devices?
a) Enforce strong authentication and regular firmware updates
b) Disconnect IIoT devices from the internet
c) Replace IIoT devices with manual monitoring systems
d) Use the same password for all devices for easy management
(2 marks)
A company offering cloud-based digital payment solutions faced a significant outage during peak hours. Which
cloud strategy should be adopted to ensure high availability?
a) Deploying multi-region redundancy and load balancing
b) Restricting transactions during peak hours
c) Reducing server capacity to cut costs
d) Using a single data center for all transactions
(2 marks)
43. What is the primary function of an Endpoint Detection and Response (EDR) solution?
(1 mark)
An e-commerce company uses AI-driven recommendation engines for customer purchases. However, the AI model
has started showing biases against certain demographics. What should the company do?
a) Improve dataset diversity and retrain the AI model
b) Remove AI from the recommendation system
c) Stop collecting customer preference data
d) Use only rule-based recommendations
(2 marks)
(1 mark)
46. A law firm handling highly confidential client documents wants to implement a secure collaboration system. What is the most effective security measure?
a) Implementing end-to-end encryption with role-based access
b) Using personal email accounts for communication
c) Allowing employees to access files without authentication
d) Storing all documents in local hard drives without backups
(2 marks)
47. Which of the following security principles ensures that system actions are traceable to a specific user?
a) Integrity
b) Non-repudiation
c) Confidentiality
d) Availability
(1 mark)
48. A bank suffered credential stuffing attacks in which attackers used previously leaked passwords to access user accounts. What measure should the bank implement to mitigate this risk?
a) Enforce Multi-Factor Authentication (MFA)
b) Disable password expiry policies
c) Encourage users to use weak passwords for easy recall
d) Remove login restrictions to allow smoother access
(2 marks)
49. What is the purpose of Identity and Access Management (IAM) in cybersecurity?
(1 mark)
50. A logistics company uses GPS tracking in its fleet management system. Recently, attackers tampered with location data, causing operational disruptions. What countermeasure should be implemented?
a) Use encrypted GPS signals and anomaly detection
b) Remove GPS tracking from vehicles
c) Allow drivers to manually update locations
d) Store location data without security controls
(2 marks)
51. Which attack exploits vulnerabilities in poorly sanitized user input fields?
(1 mark)
52. A multinational company is concerned about unauthorized data transfers via removable media. What security control should be implemented?
a) Restrict USB access with endpoint security controls
b) Ban employees from using computers
c) Use external hard drives for data storage instead
d) Allow unrestricted use of removable devices
(2 marks)
(1 mark)
54. A social media platform noticed increased account takeovers due to phishing attacks. What security measure should be prioritized?
a) Implement domain-based email authentication (DMARC)
b) Disable user logins temporarily
c) Remove two-factor authentication (2FA)
d) Allow users to share login credentials
(2 marks)
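The DMARC option in the question above is effective because it lets the platform state, in DNS, what receivers should do with mail that claims to come from its domain but fails SPF or DKIM with an aligned identifier. The evaluator below is an added worked example written for these notes, not code from the original page; the record, domain names and message outcomes are constructed, and organisational-domain lookup is simplified to the last two labels (a real implementation consults the Public Suffix List).

```python
# Hypothetical record and messages (assumptions for this example, not from the page).
DMARC_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@social.example"


def parse_dmarc(record):
    """Split a _dmarc TXT record into its tag=value pairs (tag names are case-insensitive)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags


def org_domain(domain):
    """Organisational domain, simplified to the last two labels (assumption: a real
    evaluator uses the Public Suffix List so that example.co.uk is handled correctly)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return 'pass', or the disposition the record asks for ('none', 'quarantine', 'reject').
    The pct= and sp= tags are ignored in this simplified evaluator."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    policy = tags.get("p", "none")
    return policy if policy in ("none", "quarantine", "reject") else "none"


def demo():
    """Four constructed messages, all with a visible From: header of social.example."""
    cases = {
        # Platform's own mail server: SPF passes on a subdomain; relaxed aspf aligns it.
        "legit_spf": ("pass", "mail.social.example", "none", ""),
        # DKIM-signed with d=social.example, so strict adkim is satisfied.
        "legit_dkim": ("fail", "bulk-sender.example", "pass", "social.example"),
        # Phisher's own server: SPF passes for attacker.example, but that does not align.
        "spoof_unaligned_spf": ("pass", "attacker.example", "none", ""),
        # Signature from a subdomain is not enough under strict adkim.
        "subdomain_dkim_strict": ("fail", "attacker.example", "pass", "mail.social.example"),
    }
    return {name: evaluate_dmarc(DMARC_RECORD, "social.example", *args)
            for name, args in cases.items()}


if __name__ == "__main__":
    print(demo())
```

Note that DMARC protects the platform's own domain from being impersonated; it does nothing for phishing mail sent from look-alike domains, which is why it is paired with user-facing controls such as MFA rather than replacing them.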
(1 mark)
56. A healthcare provider handling sensitive patient records wants to comply with HIPAA regulations. What security measure is essential?
a) Implement strong encryption and audit controls
b) Store patient data on personal devices
c) Allow public access to patient records
d) Use third-party cloud storage without access control
(2 marks)
57. Which security mechanism ensures that only authorized users can modify data?
a) Availability
b) Authentication
c) Integrity
d) Non-repudiation
(1 mark)
58. A company using Software-as-a-Service (SaaS) platforms is worried about unauthorized API access. What security approach should be taken?
a) Use API gateway with strong authentication controls
b) Disable API usage completely
c) Avoid using encryption for API requests
d) Share API keys publicly for easier access
(2 marks)
(1 mark)
60. A digital payment company is expanding to multiple countries, but different regions have varied data privacy laws. What should the company do to ensure compliance?
a) Implement a global data protection framework based on regulatory requirements
b) Store all customer data in a single country
c) Avoid implementing data privacy policies
d) Use the same data handling approach for all regions
(2 marks)
a) RSA
b) AES
c) ECC
d) SHA-256
(1 mark)
62. A government agency wants to implement a secure voting system using blockchain. What advantage does blockchain provide in this case?
a) Immutable audit trail and transparent transactions
(2 marks)
(1 mark)
64. A company deployed a new AI-driven threat detection system but is facing too many false positives. What should be done to improve accuracy?
a) Retrain the AI model with diverse datasets
b) Disable threat detection for non-critical events
c) Allow employees to manually review every alert
d) Reduce logging to avoid processing large datasets
(2 marks)
(1 mark)
a) Retina scanning
b) SQL injection
c) Packet filtering
d) DDoS mitigation
(1 mark)
67. A multinational bank recently suffered a data breach when an employee unintentionally sent confidential customer records via an unsecured email. What security control should the bank implement to prevent such incidents?
a) Data Loss Prevention (DLP) with content filtering
b) Use only printed copies for confidential data
c) Allow employees unrestricted access to all files
d) Remove encryption for easier access
(2 marks)
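The "DLP with content filtering" answer above is only meaningful if the filter can recognise the sensitive content in the outbound message. The scanner below is an added example written for these notes, not code from the original page: it looks for card numbers that pass the Luhn check (so order IDs and phone numbers are not flagged), checks for a confidentiality marker, and decides per message whether to allow, quarantine or block. The internal domain, the sample email and the thresholds are constructed assumptions.

```python
import re

# Hypothetical organisation setup (assumptions for this example, not from the page).
INTERNAL_DOMAINS = {"bank.example"}
CONFIDENTIAL_MARKER = re.compile(r"\b(confidential|internal only|restricted)\b", re.IGNORECASE)
# Candidate card numbers: 13 to 19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed outbound email body (not real data).
SAMPLE_BODY = (
    "Hi Mark, as discussed the customer's card is 4111 1111 1111 1111 (exp 09/27).\n"
    "Order ref 1234567890123456, ticket 4532-0151. Please treat as CONFIDENTIAL."
)


def luhn_valid(digits):
    """Luhn mod-10 check; weeds out most random digit runs such as order IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return (start, end, digits) for every Luhn-valid card number in text."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append((m.start(), m.end(), digits))
    return hits


def redact(text, hits):
    """Mask all but the last four digits of each hit; work right to left so offsets stay valid."""
    for start, end, digits in sorted(hits, reverse=True):
        text = text[:start] + "*" * (len(digits) - 4) + digits[-4:] + text[end:]
    return text


def inspect_outbound(sender, recipients, subject, body):
    """Policy decision for one outbound message: 'allow', 'quarantine' or 'block'."""
    external = [r for r in recipients
                if r.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]
    pans = find_pans(body)
    marker = bool(CONFIDENTIAL_MARKER.search(subject) or CONFIDENTIAL_MARKER.search(body))
    if not external:
        decision = "allow"          # message stays inside the organisation
    elif pans:
        decision = "block"          # card data must not leave in clear text
    elif marker:
        decision = "quarantine"     # labelled content: hold for human review
    else:
        decision = "allow"
    return {"sender": sender, "decision": decision, "external": external,
            "pan_count": len(pans), "marker": marker, "redacted_body": redact(body, pans)}


def demo():
    """Same body sent externally, internally, and a labelled-only message sent externally."""
    external = inspect_outbound("alice@bank.example", ["partner@other.example"],
                                "Card details", SAMPLE_BODY)
    internal = inspect_outbound("alice@bank.example", ["fraud-team@bank.example"],
                                "Card details", SAMPLE_BODY)
    labelled = inspect_outbound("alice@bank.example", ["partner@other.example"],
                                "Q3 plan", "Attached is the internal only roadmap.")
    return external["decision"], internal["decision"], labelled["decision"]


if __name__ == "__main__":
    print(demo())
```

A production filter would add more detectors (account numbers, national IDs, document fingerprints) and scan attachments, but the structure stays the same: detect, classify by recipient, decide, and log the redacted evidence rather than the secret itself.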
68. Which cybersecurity concept ensures that users are granted the minimum level of access needed to
perform their tasks?
(1 mark)
69. A hospital adopted cloud-based medical records but faced regulatory issues regarding patient data storage across multiple locations. What should the hospital do to ensure compliance?
a) Implement geo-fencing to restrict data storage locations
b) Store patient records on personal devices
c) Disable encryption to improve processing speed
d) Allow unrestricted access to all employees
(2 marks)
(1 mark)
71. A retail company's website was frequently targeted by credential stuffing attacks, where attackers used stolen username-password combinations. What should the company implement to prevent such attacks?
a) Implement login throttling and Multi-Factor Authentication (MFA)
b) Remove password authentication entirely
c) Allow unlimited login attempts
d) Use the same passwords for all users
(2 marks)
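Both credential-stuffing questions in this set (the bank earlier and the retail website here) point to the same pair of controls: throttle login attempts and require a second factor. The code below is an added example written for these notes, not code from the original page. It combines a sliding-window throttle keyed by account and by source IP with an RFC 6238 TOTP check and a PBKDF2 password hash, then replays a constructed list of leaked passwords against one account. The thresholds, the account, the IP addresses and the leaked list are all assumptions; the TOTP secret is the RFC 6238 test secret and is for illustration only.

```python
import hashlib
import hmac
import struct
import time
from collections import defaultdict, deque

# Hypothetical thresholds (assumptions for this example, not from the page).
MAX_FAILS_PER_ACCOUNT = 5   # failed logins tolerated per account per window
MAX_ATTEMPTS_PER_IP = 50    # total attempts tolerated per source IP per window
WINDOW_SECONDS = 300        # sliding-window length in seconds
TOTP_STEP = 30              # RFC 6238 time step in seconds


class LoginThrottle:
    """Sliding-window login throttling keyed by account and by source IP."""

    def __init__(self, now=time.time):
        self.now = now                          # injectable clock, so runs are deterministic
        self.account_fails = defaultdict(deque)
        self.ip_attempts = defaultdict(deque)

    @staticmethod
    def _prune(events, now):
        while events and now - events[0] > WINDOW_SECONDS:
            events.popleft()

    def allowed(self, username, ip):
        now = self.now()
        self._prune(self.account_fails[username], now)
        self._prune(self.ip_attempts[ip], now)
        return (len(self.account_fails[username]) < MAX_FAILS_PER_ACCOUNT
                and len(self.ip_attempts[ip]) < MAX_ATTEMPTS_PER_IP)

    def record(self, username, ip, success):
        now = self.now()
        self.ip_attempts[ip].append(now)
        if success:
            self.account_fails[username].clear()
        else:
            self.account_fails[username].append(now)


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret, code, at, drift=1):
    """RFC 6238 TOTP check, tolerating +/- `drift` time steps of clock skew."""
    counter = int(at) // TOTP_STEP
    return any(hmac.compare_digest(hotp(secret, c), code)
               for c in range(counter - drift, counter + drift + 1))


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def login(throttle, users, username, password, totp_code, ip, at):
    """Return 'throttled', 'denied' or 'ok'; never reveal which factor failed."""
    if not throttle.allowed(username, ip):
        return "throttled"
    user = users.get(username)
    # Both factors are always evaluated, so a wrong password and a wrong code take similar time.
    pw_ok = user is not None and hmac.compare_digest(
        hash_password(password, user["salt"]), user["pw_hash"])
    mfa_ok = user is not None and verify_totp(user["totp_secret"], totp_code, at)
    success = pw_ok and mfa_ok
    throttle.record(username, ip, success)
    return "ok" if success else "denied"


def simulate_credential_stuffing():
    """Constructed scenario: leaked passwords replayed against one account from one IP."""
    clock = [1_700_000_000]                       # fake time so the run is repeatable
    throttle = LoginThrottle(now=lambda: clock[0])
    secret = b"12345678901234567890"              # RFC 6238 test secret, illustration only
    salt = b"constructed-salt"
    users = {"alice": {"salt": salt, "totp_secret": secret,
                       "pw_hash": hash_password("Correct-Horse-42", salt)}}
    results = []
    # The fifth guess is the real password, but the attacker has no TOTP device (empty code).
    leaked = ["password1", "letmein", "qwerty", "alice2019", "Correct-Horse-42", "summer24"]
    for guess in leaked:
        results.append(login(throttle, users, "alice", guess, "", "198.51.100.7", clock[0]))
        clock[0] += 1
    # Once the window has slid past the failures, the real user with both factors gets in.
    clock[0] += WINDOW_SECONDS + 1
    results.append(login(throttle, users, "alice", "Correct-Horse-42",
                         hotp(secret, clock[0] // TOTP_STEP), "203.0.113.5", clock[0]))
    return results


if __name__ == "__main__":
    print(simulate_credential_stuffing())
```

One caveat the exam answer glosses over: a per-account counter lets an attacker lock real users out by deliberately failing their logins, so in practice the account limit is set generously, the IP and device limits carry most of the weight, and the breached-password list itself is screened at password-set time.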
72. What is the primary advantage of using a Security Information and Event Management (SIEM) system?
(1 mark)
73. An e-commerce company noticed an increase in fake product reviews being submitted automatically by bots. What is the best security measure to prevent this issue?
a) Implement CAPTCHA and bot detection techniques
b) Allow only verified users to submit reviews
c) Disable product reviews entirely
d) Require every user to submit a security deposit
(2 marks)
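CAPTCHA raises the cost of each submission, but the "bot detection techniques" half of the answer above is usually behavioural: scripted review farms give themselves away by volume, by cadence, and by reusing the same text across throwaway accounts. The detector below is an added example written for these notes, not code from the original page. It runs three such rules over a constructed review-submission log (burst rate per IP, near-duplicate text across different accounts, and machine-like regular timing); the log, the thresholds and the log format are all assumptions.

```python
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Hypothetical thresholds (assumptions for this example, not from the page).
BURST_LIMIT = 5           # submissions from one IP inside BURST_WINDOW seconds
BURST_WINDOW = 60
SIMILARITY_MIN = 0.5      # Jaccard similarity of word bigrams to call two reviews near-duplicates
TIMING_MIN_COUNT = 4      # need this many submissions before judging cadence
TIMING_CV_MAX = 0.1       # coefficient of variation of inter-arrival gaps below this is machine-like

# Constructed review-submission log (not real data). Fields: ts,ip,account,product,text
SAMPLE_LOG = "\n".join([
    "ts,ip,account,product,text",
    '2024-05-01T10:00:00Z,203.0.113.9,u101,P1,"Great product, highly recommend!!"',
    '2024-05-01T10:00:05Z,203.0.113.9,u102,P1,"Great product!! Highly recommend."',
    '2024-05-01T10:00:10Z,203.0.113.9,u103,P1,"Great product highly recommend five stars"',
    '2024-05-01T10:00:15Z,203.0.113.9,u104,P1,"Great product, highly recommend"',
    '2024-05-01T10:00:20Z,203.0.113.9,u105,P1,"Great product highly recommend!"',
    '2024-05-01T10:03:40Z,198.51.100.4,u777,P1,"Battery died after two weeks, support was slow to respond."',
    '2024-05-01T11:12:03Z,198.51.100.23,u812,P2,"Fits well, the strap is a bit stiff at first."',
])


def shingles(text):
    """Word bigrams of the lower-cased, punctuation-stripped text (single word if too short)."""
    words = "".join(c.lower() if c.isalnum() else " " for c in text).split()
    return set(zip(words, words[1:])) if len(words) > 1 else set(words)


def jaccard(a, b):
    return len(a & b) / len(a | b) if (a or b) else 0.0


def parse_log(text):
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        rows.append({"t": ts.timestamp(), "ip": row["ip"],
                     "account": row["account"], "text": row["text"]})
    return rows


def detect_bots(rows):
    """Return {ip: sorted list of reasons} for every source that trips at least one rule."""
    by_ip = defaultdict(list)
    for r in rows:
        by_ip[r["ip"]].append(r)
    flagged = {}
    for ip, subs in by_ip.items():
        subs.sort(key=lambda r: r["t"])
        reasons = set()
        # Rule 1: too many submissions inside any BURST_WINDOW-second window.
        for i in range(len(subs)):
            j = i
            while j < len(subs) and subs[j]["t"] - subs[i]["t"] <= BURST_WINDOW:
                j += 1
            if j - i >= BURST_LIMIT:
                reasons.add("burst")
                break
        # Rule 2: near-identical text posted under different accounts from the same IP.
        sh = [shingles(r["text"]) for r in subs]
        for i in range(len(subs)):
            for j in range(i + 1, len(subs)):
                if (subs[i]["account"] != subs[j]["account"]
                        and jaccard(sh[i], sh[j]) >= SIMILARITY_MIN):
                    reasons.add("near_duplicate_across_accounts")
        # Rule 3: inter-arrival gaps that are too regular for a human.
        if len(subs) >= TIMING_MIN_COUNT:
            gaps = [b["t"] - a["t"] for a, b in zip(subs, subs[1:])]
            mean = statistics.mean(gaps)
            if mean > 0 and statistics.pstdev(gaps) / mean < TIMING_CV_MAX:
                reasons.add("metronomic_timing")
        if reasons:
            flagged[ip] = sorted(reasons)
    return flagged


if __name__ == "__main__":
    print(detect_bots(parse_log(SAMPLE_LOG)))
```

Flagged sources are the ones to challenge with a CAPTCHA or hold for moderation; applying the challenge to everyone costs conversions, which is why detection and CAPTCHA are used together rather than either alone.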
(1 mark)
75. A government agency is concerned about securing classified data from unauthorized external access. What cybersecurity measure should be prioritized?
a) Air-gapped networks with controlled physical access
b) Use cloud storage for classified data without encryption
c) Allow open internet access to all classified systems
d) Implement shared passwords for convenience
(2 marks)
76. What does the principle of "Segregation of Duties" in IT security aim to prevent?
(1 mark)
77. A cryptocurrency exchange suffered a major breach when attackers exploited weak API security controls. What should the exchange do to mitigate such risks?
a) Implement strong authentication and API access controls
b) Remove API security to allow faster transactions
c) Allow anonymous access to all transactions
d) Store API keys in publicly accessible locations
(2 marks)
(1 mark)
79. A financial services company detected an ongoing ransomware attack encrypting files on multiple systems. What should the company do immediately?
a) Isolate affected systems and activate the incident response plan
b) Pay the ransom to recover the encrypted files
c) Shut down all IT systems to prevent further encryption
d) Wait for the attackers to stop the attack on their own
(2 marks)
(1 mark)
Answers
1 b 2 b 3 b 4 b
5 b 6 c 7 b 8 b
9 b 10 c 11 a 12 b
13 b 14 b 15 a 16 a
17 a 18 a 19 c 20 a
21 c 22 a 23 b 24 a
25 b 26 a 27 d 28 a
29 b 30 a 31 b 32 a
33 a 34 a 35 b 36 a
37 a 38 a 39 b 40 a
41 a 42 a 43 a 44 a
45 a 46 a 47 b 48 a
49 a 50 a 51 a 52 a
53 b 54 a 55 a 56 a
57 c 58 a 59 a 60 a
61 b 62 a 63 a 64 a
65 a 66 a 67 a 68 a
69 a 70 a 71 a 72 a
73 a 74 a 75 a 76 a
77 a 78 a 79 a 80 a