nominated/designated at -
Data Processes especially for compliance reasons does NOT include which one of the following?
Interpretation Processes
What is/are the responsibility(ies) of the Apex level Data Governance Council (ADGC)?
Intended
Data Custodians are responsible for the safe custody, transport, storage of the data and implementation of business rules. Which of the following is a Data Custodian?
Respective IT Department
Robust Data Management practices do NOT involve which one of the following?
Punishment
Customer sensitive Granular Data can be copied and stored without any approval
FALSE
Both 1 & 2
FALSE
Which of the following may not be the signs that the Mobile Phone (Android/iOS) is hacked?
The objective of setting up a wide network of ATMs across the country resembles which of the following triad of CIA?
Availability
Which of the following best describes the Supply chain attack?
Supply chain attack occurs when hackers infiltrate systems through an outside partner or provider who has access to the target systems and data
While doing an ATM transaction, a customer is required to use a physical card provided to him by the Bank and also a PIN code to authenticate the transaction. This practice ensures which of the following triad of Information Security?
Confidentiality
Option a & b
Browse the Internet on company devices using system admin credentials only
The time at which the cyber incident is brought to the knowledge of any official of __________ shall be treated as time of detection of incident.
What are the parameters on which compensation to customer will depend for resolution of unauthorised transactions complaints?
Data Governance Policy is applicable to all the domestic offices of SBI including:
Good Data Governance practices are also applicable to third parties having access to SBI network and Data.
TRUE
While creating new CIF, customer has given marital status, but as it is not mandatory in CBS:
As the customer has given the details in AOF, teller should fill the same in CBS
Where does Data come from?
FALSE
Consistent
DMD
(i) Data Governance is about the rules how to manage the data
(ii) Data Privacy is about the rules how to protect and use the data
GM & CDMO
As per the Bank's Data Governance structure, presently which is the Apex body for Data Governance?
Who would be held responsible for not feeding all the customer details in CBS, given by customer in AOF?
1 & 2
Data Quality
Which among the following play major role in support of company-wide Data quality initiatives?
Regulators
Data processes must also put in place ______
_________________ is ultimately accountable with regard to Data quality and value of Data in a given subject area.
DMO
Capturing of correct & complete data at the ____ time and ____ time should be the Mantra for quality data
first, every
FALSE
Data Quality Tools and Applications come under which one of the following factors of Data Management Practices?
Process
As per its objective, minimizing data errors through Data governance brings in overall _______ in the organization
CGM (ESS)
Who can be called Data Stakeholders?
CIRCLE CGM
Structured
Data Governance Council (DGC) as per the approved interim arrangement is headed by:
Consistent
What is the frequency of the meeting for Apex level Data Governance Council (ADGC) as per the interim arrangement?
Quarterly
TRUE
Data-driven business decisions are possible when _____ is involved in the Data Governance.
Business Unit
FALSE
Select the wrong statement in case of transaction through Retail Internet Banking.
Bank sends SMS after every transaction, when the Profile section is accessed, a third party / beneficiary is added
It is an attack which is a malicious attempt to disrupt the normal traffic of a targeted server, service or network with a flood of Internet traffic from multiple computers at the same time
An unauthorized attacker code enters a system and remains there for an extended period of time
Sending SMS messages to many people with bad intentions may be termed as __________.
Smishing
Which of the following channels is not available for blocking the UPI services for unauthorized transactions?
YONO
_______ is a type of attack in which malicious scripts are injected into websites and web applications for the purpose of running on the end user's device.
After completion of a Cash withdrawal transaction at an ATM, the system ensures to update the customer's balance with the withdrawal transaction before displaying it on the screen or printing the receipt. This process is similar to which of the following triad of CIA?
Confidentiality
"You need special software to access this part of the Web because a lot of it is encrypted, and most of the pages are hosted anonymously". Which of the following does the statement refer to?
Dark Web
Steganography
Customer has given a written standing instruction to debit ₹ 20,000 every month from his salary account as EMI payment to his Home loan account. To cover the property insurance amount, the Loan officer has changed the amount to ₹ 20,500. Which one of the following is violated?
Integrity
For online meetings, share a link to a meeting on an unrestricted publicly available social media post, only with password
If a customer reports an unauthorised transaction of Rs.6000/- (ATM) on the 5th working day and it is a case of third party negligence, what will be the liability of the customer as per Limiting Liability of customer?
Rs.6000/-
Which of the following incident(s) should be reported to RBI, CERT-In & NCIIPC?
It is not necessary to inform your organization always, if you come across any discrepancies.
Which of the following options is not the best password security practice?
Do not share passwords with anyone other than IT staff and only at the time of troubleshooting/maintenance of systems/software.
How many times can you change the username in Retail Internet Banking?
After how many days of customer complaint is shadow reversal given to customer account in our Bank?
If a Bank always allows some of the employees to bring their own laptops, smart phones, tablets etc. to office for office work, this policy is called BYOD. What does BYOD stand for?
Ransomware
Anyone
Which one of the following options is not a violation of acceptable usage policy?
Which one of the following applications is not a threat to compromise confidentiality of the data of portable devices?
If you have a Facebook account and you came to know about a breach in the Facebook server, what will be your action?
Change the password of Facebook and all the services/apps offered by Facebook.
As part of IS awareness and commemoration of Computer Security Day, SBI did NOT organize which one of the following activities?
Apex level Data Governance Council (ADGC) as per the approved interim arrangement is headed by ____
MD (R&DB)
MODULE 1
QUESTIONS | ANSWER
(i) Data Governance is about the rules how to build the content. (ii) Data Privacy is about the rules how to protect and use the content. | Both (i) & (ii) are incorrect
_________________ is ultimately accountable with regard to the definition, Data quality and value of Data in a given subject area. | Data Custodian
________ shall ensure that there is commensurate adherence, management and periodic upkeep/review for Data in their respective custodies, as prescribed by Data Governance Policy | Data Owners
Administrative office Data Governance Council (A-DGC) is headed by | DGM (B&O)
Against availability of sizeable number of eligible customers only few confirmed leads could be generated for an Analytics based product. What could be the underlying reason? | Poor Data Quality
Incorrect handling of data may result in exposing an organization to significant liabilities. | TRUE
What is the frequency of the meeting for Apex level Data Governance Council (ADGC)? | Quarterly
What is the frequency of the meeting for Data Governance Council-Business Unit/ Vertical (DGC-BU/V)? | Quarterly
What is/are the responsibility(ies) of the Data Governance Council (DGC)? | All of the above
Where does Data come from? | People, Process and Technology
Which among the following may be held accountable for quality of data? | Practices
Which among the following play major role in support of company-wide Data quality initiatives? | People
Which among the following play major role in support of company-wide Data quality initiatives? | Procedures
Which of the below helps in monitoring Data Governance Activities? | Data Quality
Which of the below helps in monitoring Data Governance Activities? | Data Process
Which of the following is/are a Key Data Quality Dimension? | Accuracy
Which one of the following does NOT come under People factor in Data Management practices? | Data Trainers
While creating new CIF, customer has given marital status, but as it is not mandatory in CBS: | As the customer has given the details in AOF, teller should fill the same in CBS
While creating new CIF, customer has given marital status, but as it is not mandatory in CBS: | As it is non-mandatory, teller should not fill in the details in CBS
Who among the following has a role to ensure that data governance initiatives are aligned with business needs? | Business Units
Who provides directions in Data Governance Organisation? | Apex Data Governance Council / Data Governance Executive Council
MODULE 2
QUESTIONS | ANSWER
"Card Holder Details, CIF, Account Information (credentials, balance, transactions, premiums, dividends, etc.)" are classified as | SENSITIVE
"Internal audit reports" is classified as ____________ Data | CONFIDENTIAL
"SBI telephone directory" is classified as ____________ Data | PUBLIC
"SOP on Data Sharing with External agencies/ Third Parties" rests on four pillars, which one of the following is NOT one of these four pillars: |
"Training materials and manuals" are classified as ____________ Data | INTERNAL
A customer has submitted Driving License as OVD, along with AOF. During the scrutiny, it was found that the age of customer is less than 18 | DOB on OVD and AOF to be checked, even then he is less than 18 yrs, OVD not to be accepted
A customer has submitted Voter Card as OVD, along with AOF. During the scrutiny, it was found that the age of customer is less than 18 | DOB on OVD and AOF, if same, then only account may be opened
A staff can be held accountable for Data quality errors. | TRUE
An SBI Card employee sitting in a branch asks for list of high value customers along with Mobile numbers for telecalling to sell SBI cards for the Branch. Branch may share the list with SBI Card employee. | TRUE
As per Data Protection Bill (Draft) PII stands for | Personally Identifiable Information
Branch has sanctioned a Car loan to one of his staff, but the loan instalment was not fed in HRMS. The staff paid the instalment through his account and informed the BM that a SI has been registered for the same. | Recovery to staff loan should be through HRMS only, so recovery details in HRMS need to be updated
Can we store customer data on our Desktop? | NO
Capturing of incorrect security in secured loan accounts may result in _____________. | Both 1 & 2
Customer Sensitive Granular Data made available through SSO to ensure an audit trail comes under which one of the following? | Need to Know
Data Quality Index (DQI) dashboard measures the Data Quality for- | CIFs & Loans
Data quality is necessary to fulfil the needs of an organization in terms of | All of the above
DQI dashboard displays errors | All of the above
DQI Index has been included as one of the Key Responsibility Areas (KRAs) in Career Development System (CDS) | TRUE
Error categories in DQI for CIF related errors are: A. Risk categorization B. Personal Profile C. PAN Related D. Gender Related E. Age Related | A, B, C, D & E
For official communication, we can use our personal email IDs | TRUE
For personal communication, we can use our official email IDs | FALSE
If a car dealer asks us for a list of customers having existing car loans, to market loans for new cars for us, shall we share the list? | Cannot be shared
Impact of poor Data Quality on a Branch include ____ | Both 1 & 2 above
In ________________ Processing, small group of transactions are processed on demand | Batch
In an Account Opening Form, if Data has been provided by customer in non mandatory field (like mobile number /email ID), what should be done while inputting in CBS? | Input the Data exactly as given by the customer
In the Data Infringement portal, unattended infringements on Data Loss Prevention (DLP) may result in _____ | Penal Score (1 to 4 marks) in RFIA of the Branch
Incorrect spelling of Customer name comes under which one of the following Data Quality Dimension? | Accuracy
Non capturing of PAN in CIF, even if furnished in the AOF, may result in ________. | Both 1 & 2
Non-sensitive Information includes: | Public Information
Restricted access to Data means: | Both 1 & 2
Scope of Customer Sensitive Granular Data Sharing & Access Framework covers: | All of the above
Sharing of customer sensitive granular Data is governed by which Policy: | Data Governance Policy
Sharing of Data with external agencies is governed by | SOP on Data Sharing with External agencies/third parties
Some of the key Data Privacy initiatives include: | All of the above
Some of the key Data Privacy initiatives include: | Secure Cloud Data Storage system
The access to Customer Sensitive Granular Data to the users should be made strictly on the basis of- | Both 1 & 2
To boost the housing loan business of the branch, list of HNIs can be shared with HLCs through: | Not to be shared
What are the different categories of Data Classification? | SENSITIVE, CONFIDENTIAL, INTERNAL, PUBLIC
What are the impacts of feeding incorrect date of birth of a customer in CBS? | 1 & 2
What are the impacts of not verifying the pop-up name of PAN holder, while fetching PAN details? | 1 & 2
What are the possible means by which Customer Sensitive Granular Data can get divulged or leaked to any unrelated person / third party like vendors, dealers etc: | All of the above
What does GDPR stand for- | General Data Protection Regulation
What is needed to create Data Quality Index? | Dashboards and scorecards.
What is/are the possible consequences of Data Leakage: | All the above
Which of the following is NOT a type of Customer Sensitive Data? | List of Top Management of the Bank
Which of the following is not a type of Data leak? | Improper categorization of sensitive Data
Which of the following is true: | All of the above
Which one is NOT an approved way of sharing granular Data/access Data under normal circumstances: | E-mail
Which Portal is to be accessed for Data Loss Prevention (DLP) incidents? | Data Infringement Portal
While inputting temporary address of a customer in CBS, it should be taken care that | "From & To" date in the temporary screen needs to be filled in as declared by the customer
While verifying the pop-up name of PAN holder in CIF creation screen | 1&3
MODULE 3
QUESTIONS | ANSWER
__________ malware is a warning-like popup or reminder in a Laptop/PC/Mobile? | Scareware
_____________ is a technique used by the fraudsters, wherein they penetrate a system where the program/script/files will be hidden within another file. | Steganography
_____________ is used for obtaining unauthorized access to mobile phones via Bluetooth connection. Once such a connection is established then the attacker will be able to steal photos, messages and contacts etc. | Bluesnarfing
"You need special software to access this part of the Web because a lot of it is encrypted, and most of the pages are hosted anonymously". Which of the following does the statement refer to? | Dark Web
A fraudster may use Social engineering techniques to steal critical information of a user. Which of the following options is not true in case of social engineering? | Social engineering uses Human traits, Curiosity, Concern around and technical hacking techniques
After completion of a Cash withdrawal transaction at an ATM, the system ensures to update the customer's balance with the withdrawal transaction before displaying it on the screen or printing the receipt. This process is similar to which of the following triad of CIA? | Availability
Ajit is doing a merchant transaction to pay the mobile bill. He selects net banking of SBI for making online payment. He is redirected to a site of SBI. Before he logs in, what should be the website address on the screen? | It should start with https://www.onlinesbi.com
Even if a user compromises his/her login credentials of OnlineSBI, no one can login using this credential. What is the new security feature in OnlineSBI? | OTP has been made mandatory at the time of login
If a Cyber attack is carried out by sending to SBI's customers an email that claims to be from SBI but it's not, then what kind of cyber attack technique is it? | Phishing Attack
If a hacker manages to exploit the vulnerability before software developers can find a fix, that exploit becomes known as a _______. | Zero day attack
If you click on the padlock sign in the Address bar, which of the following information will be available to you? | You will get information on who owns the site and who has verified the site
In Social engineering attacks, the fraudsters lure/appeal the potential victims to gain confidence to reveal confidential information and use the same for fraud and system access. | APT attacks may be identified immediately as it shuts down the whole system
Mr. Ajay had tried to login to Mr. Deepak's SBI net banking. He tried thrice but failed. Now when Mr. Deepak tries to login with his correct password will he be able to do so? | After 3 invalid attempts, the user id is automatically locked for one day. Thereafter Mr. Deepak can login.
Non-repudiation is carried out through the services of authentication, authorization, confidentiality, and integrity. Confidentiality ensures which one of the following? | Secure encryption of the information
Pretending to be an Airtel customer service executive and contacting the victim is called ____________. | Vishing
Select the correct statement about the impact of Cyber Risks. | All are true
Select the incorrect option. | Deep Web - Research Papers & Medical Records
Select the wrong statement. | Option a & b
Select the wrong statement. | Cyber Security primarily focuses on protecting employees information on computers
Sending SMS messages to many people with bad intentions may be termed as __________. | Smishing
Social Engineering Attacks do not include ________________. | Denial of Service attack
The data loss or compromise while charging the mobile is called ________. | Juice Jacking
The fraudster gets the personal details of the people through _______ technique. | Social engineering
The malware, which can record the keystrokes on a keyboard in order to gain access to sensitive information, is known as ________________ malware. | Keylogger
The objective of setting up a wide network of ATMs across the country resembles which of the following triad of CIA? | Availability
The technique used to send the emails to all the employees of the Bank is known as ____________. | Spear Phishing
Third party attacks are attractive to hackers, because ____________. | Third party systems have less robust security controls
What is a "Collect Request" in a UPI transaction? | It is a feature available in BHIM SBI Pay
What is a keylogger? | It is a surveillance software that records every keystroke made in the system, creates a file and sends it to a specified server.
What is a Denial of Service Attack? | It is a malicious attempt to disrupt the normal traffic of a targeted server, service or network with a flood of Internet traffic from multiple computers at the same time
What is a Distributed Denial of Service Attack? | It is an attack which is a malicious attempt to disrupt the normal traffic of a targeted server, service or network with a flood of Internet traffic from multiple computers at the same time
What is not true about Juice-jacking? | Disabling data transfer mode in Settings will not help in this case
What is not true about myths associated with Cyber Risk? | Cyber threat always starts externally
What is not true about SIM Swapping? | SIM Swapping is also known as SIM cloning
What is not true about SIM Swapping? | Fraudsters get access to the root of the mobile phone through SIM Swapping
What makes SolarWinds attack an unusual hack? | The hackers through one malicious code in SolarWinds Orion software gained access to thousands of other companies.
What makes SolarWinds hack one of the biggest and the most dangerous Cyber attacks? | This attack was designed to impact one vendor and subsequently all their clients
Where is the option to lock user access in SBI Retail Internet Banking? | Lock User access option is available in the login page of Retail INB
Which of the following attacks is not categorised under Exploit based attacks? | Distributed Denial of Service attacks
Which of the following best describes the Supply chain attack? | Supply chain attack occurs when hackers infiltrate systems through an outside partner or provider who has access to the target systems and data
Which of the following browsers allows access to the Network which is popular for implementing encrypted routing technology and preventing user tracking? | Tor
Which of the following channels is NOT available for blocking the UPI services for unauthorized transactions? | YONO
Which of the following is NOT an objective of Non-repudiation? | It offers a high level of assurance that the information, objects and resources are accessible to authorized subjects within the promised timeframe.
Which of the following is not an example of data? | All are examples of data
Which of the following may not be the signs that the Mobile Phone (Android/iOS) is hacked? | All statements are signs that the Mobile phone is hacked
Which of the following Mobile Apps may be suggested to resolve the issues related to non-receipt of OTP (Through SMS) for their transaction? | SBI Secure OTP
Which of the following options is not to protect yourself from keyloggers? | Check your physical hardware, keep your system locked and protect from unauthorised access.
Which of the following principles of the second of CIA Triad, Integrity, is/are correct? a. Integrity is the concept of protecting the accuracy and completeness of information and processing methods. b. Integrity protection prevents any kind of alteration of the information. c. Properly implemented integrity protection provides a means for authorized changes while protecting against intended and malicious unauthorized activities (such as viruses and intrusions) as well as mistakes made by authorized users (by commission or omission). d. Use of a secure Hashing algorithm for the information ensures Integrity. | a, c and d
Which one is not an option for disabling UPI services? | YONO Main Screen UPI Enable/Disable UPI
Which one of the following is a good safety measure, while using www.onlinesbi.com? | The website address should start with https and there should be a padlock sign
Which one of the following is a precaution to be taken while operating the ATM? | Check if any extra suspicious device is attached to the ATM machine
Which one of the following is a unique feature of APT attacks? | An unauthorized attacker code enters a system and remains there for an extended period of time
Which one of the following is the leading illicit dark web marketplace which was taken down by the FBI in what was considered then as a significant action on the Dark web market? | Silk Road 2.0
Which one of the following risks is not considered while evaluating a third party vendor for risk assessment? | Market Risk
Which one of the following statements is FALSE about APT attacks? | A type of cyberattack where an unauthorized attacker code enters a system and remains there.
Which one of the following statements is false? | The user's response to bulk SMS can compromise their identities.
Which one of the following statements is more appropriate in terms of Vendor risk assessment? | Continuous assessment of Vendor security practices need to be done throughout the Contract life cycle.
With the enhanced sharing of information over a global network for almost all life functions, which one of the following has become the latest addition to the essential objectives of Information Security after the CIA Triad? | Non-repudiation
Your friend fears that he has shared the user credentials of OnlineSBI with a stranger. It is a Sunday and Bank is closed. What immediate steps would you NOT advise him? | Contact the Branch on Monday to deactivate INB facility
MODULE 4
QUESTIONS ANSWER
“Ransomware” can be spread through_____________? Option 1 and 2
After how many days of customer complaint, shadow reversal given to customer account in On 8th working day from date of customer
our Bank? complaint
As part of IS awareness and commemoration of Computer Security Day, SBI did NOT
Cold calling all the employees
organize which one of the following activities?
As part of IS awareness, SBI observes Computer Security Day on which of the following
30th November
day?
Creating IS awareness is important at all levels in the Bank. But the initiation should start
Branch staff
from _______________.
Customer reported an unauthorised UPI transaction of Rs.72,000/- in his account. He
reported the incident on the same day to the bank. The bank is not able to establish
customer negligence even after completion of 90 days from the date of complaint. As per Rs.72,000/-
Limiting Liability of customer guidelines, how much amount does the Bank needs to pay to
the customer in this situation?
The free WiFi could be a rouge network,
Identify some of the risks involved in using public free WiFi.
harvesting the internet user’s data.
If a Bank always allow some of the employees to bring their own laptops, smart phones,
Bring Your Own Device
tablets etc. to office for office work. This policy is called BYOD. What does BYOD stand for?
If a customer reports an unauthorised transaction of Rs.6000/- (ATM) on the 5th working
day. It is a case of third party negligence. As per Limiting Liability of customer, what will be Nil
the liability of customer in this case?
If ATM Skimming happens at an ATM, who can report to IT Team? Anyone
If you have a Facebook account and you came to know about a breach in the Facebook Change the password of Facebook and all
server, what will be your action? the services/apps offered by Facebook.
Impact of Cyber risks are_________________. All of the above
Many websites use CAPTCHA to avoid password guessing by automated tools called
Dictionary Attack
____________.
Passwords must be created using small &
Pick the odd one. upper case, when own name or short form of
own name and own initials are used.
Anti-virus is crucial for safety of data. While
Select the correct statement about Desktop / Laptops /Workstations Usage? leaving the room user is supposed to put the
laptop for scanning.
The motive for this Ransomware attack is
Select the correct statement in this case always monetary
Unauthorized personnel can access and
Select the wrong statement about Desktop / Laptops /Workstations Usage?
exploit your system
Create a shortcut of a document/file instead
Select the wrong statement about Desktop / Laptops /Workstations Usage?
of copying it on the desktop
Select the wrong statement about the Acceptable usage policy (IS Policy) of our Bank? All are true
Select the wrong statement from the below statements.(i) Lock your phone with mPIN or
password OR biometric when not in use. Always keep your mobile device in a safe
location.(ii) Download the Mobile Banking application only from the Bank’s site –
www.sbi.co.in. For using Mobile Banking service over insecure Wi-Fi, never click on any
links. Always type the URL http://mobile.prepaidsbi.com/sbiwap/ in your mobile browser(iii) All are correct
Check your linked accounts on a regular basis. Once your transaction is over, logout of the
mobile banking website and then close the browser. (iv) Delete any SMS from the Bank
that might contain your personal information like user Id, mPIN received at the time of
registration, or details sent to you. Do not part with your ATM card and PIN as this may be
misused for Mobile banking registration.
Password need not be necessarily be
Select the wrong statement.
complex but easy to remember.
You can restrict the use of ATM card details
Select the wrong statement. for online transactions in Corporate Internet
banking
For web security, verify full URL by clicking
Select the wrong statement. the link, but do not give any
personal/confidential information
It is not necessary to inform your
Select the wrong statement. organization always, if you come across any
discrepancies.
For online meetings, share a link to a
Select the wrong statement. meeting on an unrestricted publicly available
social media post, only with password
The company asked their employees to use their own devices and internet access while
working from home. List some precautions that they could have exercised even under
these conditions: (i) Ensuring that authorized antivirus is installed in the devices of the Options (i) , (ii) and (iii) are necessary
employees (ii) Ensuring that appropriate software patches are updated in the devices of
the employees (iii) Asking the employees to use enterprise VPN
WannaCry was ____________ attack. Ransomware
Negligence that causes the unauthorized
What are the parameters on which compensation to customer will depend for resolution of
transaction & Reporting time about
unauthorised transactions complaints?
unauthorized transaction to his/her Bank/FIs
What are the ways you can report an unauthorised transaction (ATM) without visiting the Call dedicated number 1800 1111 09 also
branch? Can raise through https://crcf.sbi.co.in
What is the "Time of detection of incident" for the purpose of reporting a cyber incident to RBI, CERT-In & NCIIPC?
Time at which the incident is brought to the knowledge of any official of ISD, including CGM & Group CISO

What is the meaning of Shadow Reversal?
Reversal of loss amount to customer account if Bank fails to establish customer negligence within 10 days, but it is allowed to withdraw by customer

What is the timeline for reporting of cyber incidents to RBI and other Statutory Authorities CERT-In & NCIIPC? Who should report the incident?
All cyber security incidents should be reported within 2 to 6 hours by Incident Response & Management Team

What should be the minimum and maximum length of the login password in Retail Internet Banking?
Minimum length should be 8 characters and maximum length 20 characters

Where is the option to change the Login password in Retail Internet Banking?
Option to change login password is in the Profile section, post login

Which of the following incident(s) should be reported to RBI, CERT-In & NCIIPC?
Phishing / Vishing attacks on customers resulting in cumulative loss for the customer(s) exceeding ₹ 50 lakh

Which of the following is NOT inappropriate content of email?
Confidential or secret information with password protection when transmitted over email.

Which of the following is NOT one of the best practices to maintain your password?
Only difficult dictionary words should be used

Which of the following options is an example of inappropriate use of the e-mail service?
Use of other officers' user ids or using a false identity.

Which of the following options is crucial in any UPI fraud related to Collect request?
option a & b

Which of the following options is NOT a good wi-fi security practice?
You can use unsecure or open Wi-Fi for official purposes in case of emergency

Which of the following options is not a violation of acceptable usage policy?
The User is responsible for any e-mail that is transmitted using the e-mail

Which of the following statements is correct regarding creation of Profile password using the Multilingual Image based Virtual keyboard?
The Profile password should be a combination of alphabets (in the language chosen), and numerals and images

Which of the following statements is not true about Acceptable usage policy (IS Policy) of our Bank?
Employee's mobile devices need not have Antivirus software

Which of the following steps would not be a part of the planning for Work from home?
Ensuring the physical access to the systems room is restricted and monitored

Which of the following will not be considered as cyber incidents for reporting to RBI?
All the options will not be considered

Which one of the following is the most important aspect for an organization as big and global as SBI to protect itself from cyber security attacks and subsequent loss of brand image?
A training awareness program that would provide education and guidance on a range of information security topics to all the internal users of its systems and applications.

Which one of the following options does not substantiate the Acceptable Usage Policy of our Bank?
However, Mobile and laptop given to the staff for personal holding have exceptions to the policy.

Which one of the following options is not a concern for password security?
Users are responsible for all activities originated from their User credentials

Which one of the following options is not a violation of acceptable usage policy?
Receiving mails from his batchmate

Which one of the following options is not doable as per user acceptance policy?

Which one of the following statements is not a threat to mobile and portable devices?
The updates in the operating systems (say Android, iOS etc.) and installed applications might compromise the security of these devices.

Who can report cyber incidents to Information Security Department (ISD)?
Anyone who knows about cyber incidents including general public

Who is primarily responsible for reporting cyber security incidents?
Deputy General Manager (AC) at LHO

With every data breach or phishing attack, cybercriminals gain access to more data. Users should ___________________ after knowing about such attacks.
Change the password
LESSON 1
Which one of the following does NOT come under People factor in Data Management practices?
Data Architects
Data Owners
Data Trainers
Data Stewards
Data Governance Policy is applicable to third parties having access to SBI network and Data.
As per Vendors agreement
FALSE
TRUE
Not declared in policy
Which among the following may be held accountable for quality of data?
People
Processes
Practices
Technology
Data Management with lack of easy access to information for important stakeholders may result in just _________
Data Governance Strategy
Big Data Strategy
Narrow Data Strategy
None of the Above
Inconsistent Data in Annual Income fields vis a vis customer profile may primarily result in ________
Incorrect AML/CFT compliance
In-efficient Cross-selling
Improper KYC
None of the Above
What is the frequency of the meeting for Apex level Data Governance Council (ADGC)?
Monthly
Quarterly
Half yearly
Bi monthly
Who would be held responsible for not feeding all the customer details in CBS, given by customer in AOF?
BM
1 & 2
Checker
Maker
What is the frequency of the meeting for Data Governance Council-Business Unit/ Vertical (DGC-BU/V)?
Bi monthly
Quarterly
Half yearly
Monthly
Capturing of incorrect CRA rating / ECR in a loan account may result in ______.
Incorrect Interest Rate
Incorrect Risk weight
Both 1 & 2
Neither 1 nor 2
Sharing of Data with external agencies is governed by
SOP on Data Loss Prevention
SOP on Data Sharing with External agencies/third parties
SOP on Data Infringement
SOP on Customer Sensitive Granular Data Sharing
In case of demand for customer Data by Regulatory Authority, it is to be shared as per DG Policy
FALSE
TRUE
Which one is NOT an approved way of sharing granular Data/access Data under normal
circumstances:
E-mail
Single Sign On (SSO)
Secured File Transfer Protocol (SFTP)
Active Directory login (ADS)
Project Ganga Dashboard include divergences related to:
Key Risk Indicators (KRI) Only
Neither DQ nor KRI
Data Quality (DQ) Only
Both DQ & KRI
Scope of Customer Sensitive Granular Data Sharing & Access Framework covers:
All the domestic & foreign offices
All SBI employees
All the third parties having access to SBI network and granular Data
All of the above
Business Leads from Analytics comes under Customer Sensitive Granular Data
TRUE
FALSE
In an Account Opening Form, if Data has been provided by customer in non mandatory
field ( like mobile number /email ID ), what should be done while inputting in CBS?
Leave the field in CBS blank since it is non mandatory in CBS also
Input the Data exactly as given by the customer
Input partial / any similar Data without matching exactly as it is non mandatory in nature
All of the above
Non capturing of PAN in CIF, even if furnished in the AOF, may result in ________.
Deduction of Excess TDS
Non-reflection of TDS in Form 26 AS
Both 1 & 2
Neither 1 nor 2
A customer has submitted Voter Card as OVD, along with AOF. During the scrutiny, it was
found that the age of customer is less than 18
OVD has to be accepted, as it is a govt. document
OVD can be accepted
if one can vote, he is not a minor. OVD should be accepted
DOB on OVD and AOF, if same, then only account may be opened
If a car dealer asks us for a list of customers having existing car loans, to market loans for
new cars for us, shall we share the list?
May be shared by the Field Officer
May be shared by the Branch Manager
Either 1 or 2
Cannot be shared
Incorrect classification of values like Gender or Customer Type comes under which one of
the following Data Quality Dimension?
Accuracy
Validity
Consistency
Completeness
What are the impacts of feeding incorrect date of birth of a customer in CBS?
Incorrect Customer profile
Customer would not be able to reset his INB password
1 & 2
No Impact
What are the two important pillars of the SOP on ‘Customer Sensitive Granular Data
Sharing and Access – Within Bank’s Environment’:
Regulated & Limited access
Restricted & Registered access
Free & Uncontrolled access
None of the above
What is not true about myths associated with Cyber Risk?
Cyber threat always starts externally
IT team is alone not responsible for Cyber Security
Compliance and security are the same
Cyber security is an issue which is related with technology
Ajit is doing a merchant transaction to pay the mobile bill. He selects net banking of SBI for making online payment. He
It should start with https://www.retail.onlinesbi.com
It should start with https://www.merchant.onlinesbi.sbi
It should start with https://www.onlinesbi.com
It should start with https://www.retailmerchant.sbi
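Every option above phrases the check as "it should start with ...". Read literally as a string-prefix test, that rule also passes https://www.onlinesbi.com.evil.in/, which is exactly the shape a phishing link takes. The example below is added here and is not part of the original quiz material: it contrasts the naive prefix test with an exact hostname comparison after proper URL parsing. The allow-list holding www.onlinesbi.com is an assumption taken from the options for illustration; in practice it must contain exactly the hostname(s) the bank publishes.

```python
from urllib.parse import urlsplit

# Assumed allow-list for this example (one hostname taken from the quiz options).
# Substitute the hostname(s) the bank actually publishes.
TRUSTED_HOSTS = frozenset({"www.onlinesbi.com"})


def naive_prefix_check(url: str) -> bool:
    """The 'should start with https://www.onlinesbi.com' rule read literally."""
    return url.startswith("https://www.onlinesbi.com")


def is_trusted_banking_url(url: str, trusted_hosts=TRUSTED_HOSTS) -> bool:
    """Exact-host check: https only, host must equal an allow-listed name,
    explicit port (if any) must be 443, host must be plain ASCII."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname          # lower-cased; userinfo and port stripped
        if parts.scheme.lower() != "https" or not host:
            return False
        host.encode("ascii")           # rejects Unicode look-alike domains
        port = parts.port              # raises ValueError on a garbage port
    except (UnicodeEncodeError, ValueError):
        return False
    if port not in (None, 443):
        return False
    return host in trusted_hosts


def classify(urls):
    """Return {url: (naive_result, strict_result)} for a batch of URLs."""
    return {u: (naive_prefix_check(u), is_trusted_banking_url(u)) for u in urls}


# Constructed sample: the allow-listed address plus look-alikes a phisher might use.
SAMPLE_URLS = [
    "https://www.onlinesbi.com/",
    "https://www.onlinesbi.com:443/retail/login.htm",
    "https://www.onlinesbi.com.evil.in/login",   # prefix test passes this
    "https://www.onlinesbi.com@evil.in/",        # userinfo trick; real host is evil.in
    "http://www.onlinesbi.com/",                 # plaintext http
    "https://www.\u03bfnlinesbi.com/",           # Greek omicron in place of 'o'
]

if __name__ == "__main__":
    for url, (naive, strict) in classify(SAMPLE_URLS).items():
        print(f"naive={naive!s:<6} strict={strict!s:<6} {url}")
```

The strict check deliberately compares the whole hostname rather than a prefix or a substring, because a registrant of evil.in controls every label to the left of it. Parsing the URL first also defeats the user@host and explicit-port tricks that a text-prefix test never sees.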
Which one of the following is a precautions to be taken while operating the ATM?
Taking help from unknown persons if there is a problem with the ATM
Allow another person to watch while entering PIN
Handing of card to other person who offered help to operate ATM
Check if any extra suspicious device is attached to the ATM machine.
Which of the following is not a stage in SIM swapping?
After customer verification, the mobile operator deactivates the old SIM card in customer
possession and issues a new SIM card to the fraudster. With the new SIM, fraudsters can
receive authentication codes or OTP for banking transactions.
Fraudsters obtain customer’s personal data through phishing or social engineering.
Under the pretext of having lost the phone, fraudsters contact the Mobile operator and
create a fake ID.
All the options above are stages of SIM Swapping
Which of the following principles of the first of the CIA Triad Confidentiality is/are Correct?
a.Confidentiality is the concept of the measures used to ensure the protection of the
secrecy of data, objects, or resources.
b.The goal of confidentiality protection is to prevent unauthorized access to the
information.
c.Confidentiality focuses security measures on ensuring that none other than the sender of
a message is able to read it.
d.Secure encryption of the information ensures Confidentiality.
Only a and b
a, b and c
a, c and d
a, b and d
With the enhanced sharing of information over a global network for almost all life
functions , which one of the following has become the latest addition to the essential
objectives of Information Security after the CIA Triad?
Authentication
Non-repudiation
Authorization
Non-refutation
Which one of the following is the leading illicit dark web marketplace which was taken
down by the FBI in what was considered then as a significant action on the Dark web
market?
Silk Road 2.0
DisrupTor
Tor
Dark Market
The technique for sending SMS that appears to be initiated from the organization for KYC
updation, Account credit, Account suspension, winning lottery, SIM block, eKYC updates
etc. is known as________.
Vishing
Spoofing
Steganography
Identity theft
The technique used to send the emails to all the employees of the Bank is known as
____________.
Smishing
Vishing
Phishing
Spear Phishing
The Cyber-attacks originate through a third party vendor are also called ________?
Service provider attacks
Supplier attacks
Supply chain attacks
Vendor attacks
Your friend fears that he has shared the user credentials of OnlineSBI with a stranger. It is
a Sunday and Bank is closed. What immediate steps would you NOT advise him?
Change the password
Lock User access using the relevant link
Contact the Branch on Monday to deactivate INB facility
Type an incorrect login password 4 times so that the username gets locked for a day
Even if a user compromises his/her login credentials of OnlineSBI, no one can login using
this credential. What is the new security feature in OnlineSBI?
Audio Captcha in the login screen.
Virtual keyboard in the login screen
OTP has been made mandatory at the time of login
Image based Captcha in the login screen
Which of the following principles of the second of CIA Triad Integrity is/are Correct?
a.Integrity is the concept of protecting the accuracy and completeness of information and
processing methods.
b.Integrity protection prevents any kind of alteration of the information.
c.Properly implemented integrity protection provides a means for authorized changes while
protecting against intended and malicious unauthorized activities (such as viruses and
intrusions) as well as mistakes made by authorized users (by commission or
omission).
d.Use of a secure Hashing algorithm for the information ensures Integrity.
Only a and b
a, b and c
a, c and d
a, b and d
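Statement d says a secure hashing algorithm "ensures" integrity. That holds only against accidental corruption: an attacker who can change the data can also recompute a bare hash, so integrity against deliberate tampering needs a keyed check (an HMAC, or a digital signature) whose key the attacker does not hold. The example below is added here and is not part of the original material; the record text and the key are constructed for illustration only.

```python
import hashlib
import hmac
import secrets
from typing import Optional


def sha256_hex(data: bytes) -> str:
    """Unkeyed digest: anyone can recompute it for any data."""
    return hashlib.sha256(data).hexdigest()


def hmac_sha256_hex(key: bytes, data: bytes) -> str:
    """Keyed digest: only holders of `key` can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def hash_verifies(data: bytes, stored_digest: str) -> bool:
    return hmac.compare_digest(sha256_hex(data), stored_digest)


def hmac_verifies(key: bytes, data: bytes, stored_tag: str) -> bool:
    return hmac.compare_digest(hmac_sha256_hex(key, data), stored_tag)


def integrity_demo(key: Optional[bytes] = None) -> dict:
    """Run both checks against accidental corruption and a deliberate forgery.

    Returns, per scenario, whether the mechanism detected the change (True = caught).
    """
    if key is None:
        key = secrets.token_bytes(32)   # constructed key; a real key lives outside the data store

    # Constructed sample record (not real customer data).
    record = b"CIF=0001234567;annual_income=450000;pan_captured=Y"
    stored_digest = sha256_hex(record)           # what a hash-only scheme keeps beside the record
    stored_tag = hmac_sha256_hex(key, record)    # what a keyed scheme keeps beside the record

    # Scenario 1: accidental corruption, e.g. one flipped bit in transit.
    corrupted = bytearray(record)
    corrupted[20] ^= 0x01
    corrupted = bytes(corrupted)

    # Scenario 2: an attacker edits the income field AND recomputes the unkeyed hash.
    forged = record.replace(b"450000", b"4500000")
    forged_digest = sha256_hex(forged)           # needs no secret, so the attacker can do it

    return {
        "corruption_caught_by_hash": not hash_verifies(corrupted, stored_digest),
        "corruption_caught_by_hmac": not hmac_verifies(key, corrupted, stored_tag),
        "forgery_caught_by_hash": not hash_verifies(forged, forged_digest),
        "forgery_caught_by_hmac": not hmac_verifies(key, forged, stored_tag),
    }


if __name__ == "__main__":
    for scenario, caught in integrity_demo().items():
        print(f"{scenario:<28} {'detected' if caught else 'MISSED'}")
```

The bare hash catches the bit flip but not the forgery, because the forger simply stores a fresh digest next to the altered record. The HMAC catches both, since producing a matching tag for the altered record requires the key. The same reasoning is why download pages that publish only a checksum on the same server as the file give no protection against a server compromise.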
Which of the following browsers allows access to the Network which is popular for
implementing encrypted routing technology and preventing user tracking?
Chrome
Edge
Tor
Firefox
The fraudster gets the personal details of the people through _______technique.
Spoofing
Keylogger malware
Vishing
Social engineering
If you want to change the username and password for your SBI Internet banking, which of
the following statements is correct?
You cannot change the Username but he/she can change the password at any time
You can change the Username but not the password
You can only interchange the username by the password and vice versa
You can change both the Username and password at any time
A Cyber-Attack
is not limited to, stealing, altering or destroying the systems/network, disrupting operations
and causing information or identity theft.
is a targeted assault on the Bank’s cyberspace and its underlying infrastructure systems
option a or b
option a & b
_____________is used for obtaining unauthorized access to mobile phones via Bluetooth
connection. Once such a connection is established then the attacker will be able to steal
photos, messages and contacts etc.
Man in the Middle attack
Bluesnarfing
Steganography
Spoofing
SBI internet banking site provides a facility to bypass such keylogger malware. Identify the
feature.
Audio Captcha
Image Captcha
Online Virtual Keyboard
Biometric access
LESSON 4
1
Which one of the following is the most important aspect for an organization as big and global as SBI to protect itself from cyber security attacks and subsequent loss of brand image?
A training program for all the vendors to underscore secure coding practices.
A training and awareness program for all the employees in the Information Security department.
An awareness program among all the customers to provide education and guidance on a range of topics, including email, cloud and mobile security.
A training awareness program that would provide education and guidance on a range of information security topics to all the internal users of its systems and applications.
2
Who is primarily responsible for reporting cyber security incidents ?
Deputy General Manager (AC) at LHO
ATM Channel Manager
Branch Manager
Regional Manager (RBO)
3
Which one of the following options does not substantiate the Acceptable Usage Policy of our Bank?
We need to protect the data by following acceptable usage policy guidelines of our bank.
All the workstations / devices should be protected by strong passwords.
However, Mobile and laptop given to the staff for personal holding have exceptions to the policy.
Always lock your desktop while leaving your seat.
4
Which of the following statements is NOT correct in the WannaCry case?
A Windows vulnerability discovered by the United States National Security Agency (NSA).
After the system got affected by WannaCry, Microsoft released the patch for the system which has updated security.
The attackers collective called The Lazarus Group.
This was only one month after Windows released patches for the exploit, meaning that computers that had yet to update were still left vulnerable.
5
Identify some of the risks involved in using public free WiFi.
All of the above statements are correct
It can expose the users to Man-in-the-middle attacks
The free WiFi could be a rogue network, harvesting the internet user's data.
Hackers may be misusing the free Wi-Fi to distribute malware
6
Websites use CAPTCHA to avoid password guessing by automated tools to prevent from _______.
Shoulder surfing
Dictionary Attack
Brute-force Attack
Guessing
7
Which one of the following options is not a concern for password security?
In case of any breach in a Social Media Handle, delete your Social Media Account instead of changing the password.
Password is required to be sufficiently long and secret
Users are responsible for all activities originated from their User credentials
Password should be treated like signature
8
Which of the following incident(s) should be reported to RBI, CERT-In & NCIIPC?
All cyber incidents irrespective of amount of loss
Phishing / Vishing attacks on customers resulting cumulative loss for the customer(s) exceeding ₹ 50 lakh
All incidents which lead to customer service disruptions due to non-availability of IT systems
All of the above
9
If a Bank always allows some of the employees to bring their own laptops, smart phones, tablets etc. to office for office work, this policy is called BYOD. What does BYOD stand for?
Bring Your Own Desktop
Bring Your Own Device
Buy Your Own Device
Budget Your Own Device
10
Can we create the password in other regional language (Other than English and Hindi) in Retail Internet Banking?
You can use the multilingual image based virtual keyboard in Hindi or English only.
The multilingual image based virtual keyboard is available in 13 languages.
You can use the multilingual image based virtual keyboard in Hindi or Tamil only
The multilingual image based virtual keyboard is available in Hindi , Tamil, Oriya or Marathi only
11
Pick the odd one.
Passwords should be complex, sufficiently long and secret.
Passwords must be created using small & upper case, when own name or short form of own name and own initials are used.
Users are responsible for all activities originating from their user credentials.
Passwords should not be treated like signatures.
12
Select the wrong statement about the Acceptable usage policy (IS Policy) of our Bank?
Users should not install any software that is not authorized for the Bank’s business.
Users on whose PC / Server such software runs shall be solely responsible for Copyrights / IPR violation, Legal and Penal actions as per IT Act
Successful backup of critical applications or data should be ensured yearly and to be kept offsite.
All are true
13
Which of the following statements is not true about Acceptable usage policy (IS Policy) of our Bank?
Employees, to whom State Bank owned laptops or any other Portable devices are issued, are responsible for its safe custody
Employees who are authorized to access emails and Bank’s data on mobile devices should ensure that MDM application s
Employee’s mobile devices need not have Antivirus software
Loss of portable devices should be reported immediately to the local police and to the appropriate authority.
14
What action will you take, when you are defrauded?
Change the username immediately
Lock the user access immediately
Send a written letter to the branch immediately
Write a letter to the RBI immediately
15
The company asked their employees to use their own devices and internet access while working from home. List some
that authorized antivirus is installed in the devices of the employees (ii) Ensuring that appropriate software patches are
enterprise VPN
Options (i) and (ii) are sufficient
Options (i) alone is sufficient
Options (i) , (ii) and (iii) are necessary
Option (ii) alone is sufficient
16
Which of the following options is NOT the best password security practices?
Enable two-factor authentication
Never completely trust service providers
Change your password, only if you suspect it may have been exposed
Never reuse a password
17
Which one of the following options is not considered as incident for reporting to RBI, NCIIPC and CERT-In?
Frauds/ Customer complaints related to frauds.
Accounting/clerical errors (incorrect ledger posting – cr/dr) that are rectified subsequently.
DoS/DDoS attack not lasting beyond 30 minutes contiguously or not impacting the customer service/digital channels even
All of the above
18
Which of the following statements is correct regarding creation of Profile password using the Multilingual Image based Virtual keyboard?
The Profile password should be a combination of alphabets in two of the languages chosen
The Profile password should be a combination of alphabets (in the language chosen), and numerals and special characters
The Profile password should be a combination of alphabets (in the language chosen), and numerals and images
The Profile password should be a combination of alphabets (in the language chosen) and numerals
19
Which one of the following applications is not a threat to compromise confidentiality of the data of portable devices?
Facebook
AirWatch agent
WhatsApp
Truecaller
20
What are the ways you can report an unauthorised transaction (ATM) without visiting the branch?
Call dedicated number 1800 1111 09 also Can raise through https://crcf.sbi.co.in
Call the Branch
Call ATM Channel Manager OR ATM Channel Manager Facilitator linked to the ATM
Option a or c
21
Which of the following steps would not be a part of the planning for Work from home?
Ensuring the physical access to the systems room is restricted and monitored
Providing connectivity through a reputed service provider
Installing Anti-Virus in these systems
Arranging official laptops with proper configuration for the employees
22
Which of the following will not be considered as cyber incidents for reporting to RBI?
Incorrect accounting entries that are rectified subsequently
All the options will not be considered
Customer complaints related to frauds.
Physical tampering of ATMs
23
Select the correct statement in this case.
Ransomware Malware uses simple encryption codes to encrypt a victim’s files.
The patches could not stop the spreading malware
The motive for this Ransomware attack is always monetary
Ransomware Malware affects more devices in less time.
24
Which one of the following options is NOT a violation of acceptable usage policy?
The laptop was not protected by password
The laptop was kept open, and the desktop was not locked
There was a breach of critical and confidential data.
There was a data vulnerability due to lack of Anti-virus
25
What is the timeline for reporting of cyber incidents to RBI and other Statutory Authorities CERT-In & NCIIPC? Who should report the incident?
All cyber security incidents should be reported within 24 hours by Incident Response & Management Team
All cyber security incidents should be reported within 12 hours by Incident Response & Management Team
All cyber security incidents should be reported within 2 to 6 hours by Incident Response & Management Team
All cyber security incidents should be reported within 24 to 48 hours by Incident Response & Management Team
26
Which of the following options is an example of inappropriate use of the e-mail service?
Use of other officers' user ids or using a false identity.
Authorized exchange of proprietary information or confidential information
Use the accounts of others with their permission
Creation and exchange of e-mails information or content for official purpose.
27
Cyber security incidents can be reported
by any employee or public
by home branch only
by public
by any employee
28
Method that is NOT suggested to prevent new account fraud.
Ensure ATM Card connected to operational SB Account is blocked
Contact the bank immediately and ensure all the operating accounts are closed
Ensure to lock the internet banking user ID.
Applying the use of end-to-end encryption to protect online transactions.
29
What should be the minimum and maximum length of the login password in Retail Internet Banking?
Minimum length should be 6 characters and maximum length 15 characters
Minimum length should be 8 characters and maximum length 20 characters
Minimum length should be 6 characters and maximum length 20 characters
Minimum length should be 8 characters and maximum length 15 characters
30
Select the wrong statement.
For online meetings, Manage screen sharing options. Change screen sharing to “Host Only.” Avoid file sharing
Do not play online games on company devices as they may download trojans.
Secure your Wi-Fi router connections by enabling WPA2 + AES security
For web security, verify full URL by clicking the link, but do not give any personal/confidential information
Which one of the following is the most important aspect for an organization as big and
global as SBI to protect itself from cyber security attacks and subsequent loss of brand
image?
A training program for all the vendors to underscore secure coding practices.
A training and awareness program for all the employees in the Information Security
department.
An awareness program among all the customers to provide education and guidance on a
range of topics, including email, cloud and mobile security.
A training awareness program that would provide education and guidance on a range of
information security topics to all the internal users of its systems and applications.
2
Who is primarily responsible for reporting cyber security incidents ?
Deputy General Manager (AC) at LHO
ATM Channel Manager
Branch Manager
Regional Manager (RBO)
3
Which one of the following options does not substantiate the Acceptable Usage Policy of
our Bank?
We need to protect the data by following acceptable usage policy guidelines of our bank.
All the workstations / devices should be protected by strong passwords.
However, Mobile and laptop given to the staff for personal holding have exceptions to the
policy.
Always lock your desktop while leaving your seat.
4
Which of the following statements is NOT correct in the WannaCry case?
A Windows vulnerability discovered by the United States National Security Agency (NSA).
After the system got affected by WannaCry, Microsoft released the patch for the system
which has updated security.
The attackers collective called The Lazarus Group.
This was only one month after Windows released patches for the exploit, meaning that
computers that had yet to update were still left vulnerable.
5
Identify some of the risks involved in using public free WiFi.
All of the above statements are correct
It can expose the users to Man-in-the-middle attacks
The free WiFi could be a rouge network, harvesting the internet user’s data.
Hackers may be misusing the free Wi-Fi to distribute malware
6
Websites use CAPTCHA to avoid password guessing by automated tools to prevent from
_______.
Shoulder surfing
Dictionary Attack
Bruetforce Attack
Guessing
7
Which one of the following options is not a concern for password security?
In case of any breach in a Social Media Handle, delete your Social Media Account instead
of changing the password.
Password is required to be sufficiently long and secret
Users are responsible for all activities originated from their User credentials
Password should be treated like signature
8
Which of the following incident(s) should be reported to RBI, CERT-In & NCIIPC?
All cyber incidents irrespective of amount of loss
Phishing / Vishing attacks on customers resulting in cumulative loss for the customer(s)
exceeding ₹ 50 lakh
All incidents which lead to customer service disruptions due to non-availability of IT
systems
All of the above
9
If a Bank always allows some of its employees to bring their own laptops, smartphones,
tablets etc. to the office for office work, this policy is called BYOD. What does BYOD stand
for?
Bring Your Own Desktop
Bring Your Own Device
Buy Your Own Device
Budget Your Own Device
10
Can we create the password in other regional language (Other than English and Hindi) in
Retail Internet Banking?
You can use the multilingual image based virtual keyboard in Hindi or English only.
The multilingual image based virtual keyboard is available in 13 languages.
You can use the multilingual image based virtual keyboard in Hindi or Tamil only
The multilingual image based virtual keyboard is available in Hindi, Tamil, Oriya or Marathi
only
11
Pick the odd one.
Passwords should be complex, sufficiently long and secret.
Passwords must be created using small & upper case, when own name or short form of
own name and own initials are used.
Users are responsible for all activities originating from their user credentials.
Passwords should not be treated like signatures.
12
Select the wrong statement about the Acceptable usage policy (IS Policy) of our Bank.
Users should not install any software that is not authorized for the Bank’s business.
Users on whose PC / Server such software runs shall be solely responsible for
Copyrights / IPR violation, Legal and Penal actions as per IT Act
Successful backup of critical applications or data should be ensured yearly and to be kept
offsite.
All are true
13
Which of the following statements is not true about Acceptable usage policy (IS Policy) of
our Bank?
Employees, to whom State Bank owned laptops or any other Portable devices are issued,
are responsible for its safe custody
Employees who are authorized to access emails and Bank’s data on mobile devices
should ensure that MDM application software is installed on those mobile devices.
Employee’s mobile devices need not have Antivirus software
Loss of portable devices should be reported immediately to the local police and to the
appropriate authority.
14
What action will you take, when you are defrauded?
Change the username immediately
Lock the user access immediately
Send a written letter to the branch immediately
Write a letter to the RBI immediately
15
The company asked their employees to use their own devices and internet access while
working from home. List some precautions that they could have exercised even under
these conditions: (i) Ensuring that authorized antivirus is installed in the devices of the
employees (ii) Ensuring that appropriate software patches are updated in the
devices of the employees (iii) Asking the employees to use enterprise VPN
Options (i) and (ii) are sufficient
Options (i) alone is sufficient
Options (i) , (ii) and (iii) are necessary
Option (ii) alone is sufficient
16
Which of the following options is NOT a best password security practice?
Enable two-factor authentication
Never completely trust service providers
Change your password, only if you suspect it may have been exposed
Never reuse a password
17
Which one of the following options is not considered an incident for reporting to RBI,
NCIIPC and CERT-In?
Frauds/ Customer complaints related to frauds.
Accounting/clerical errors (incorrect ledger posting – cr/dr) that are rectified subsequently.
DoS/DDoS attack not lasting beyond 30 minutes contiguously, or not impacting the
customer service/digital channels even if lasting beyond 30 minutes.
All of the above
18
Which of the following statements is correct regarding creation of Profile password using
the Multilingual Image based Virtual keyboard?
The Profile password should be a combination of alphabets in two of the languages
chosen
The Profile password should be a combination of alphabets (in the language chosen), and
numerals and special characters
The Profile password should be a combination of alphabets (in the language chosen), and
numerals and images
The Profile password should be a combination of alphabets (in the language chosen) and
numerals
19
Which one of the following applications is not a threat to compromise confidentiality of the
data of portable devices?
Facebook
Air watch agent
WhatsApp
True caller
20
What are the ways you can report an unauthorised transaction (ATM) without visiting the
branch?
Call the dedicated number 1800 1111 09; the complaint can also be raised through https://crcf.sbi.co.in
Call the Branch
Call ATM Channel Manager OR ATM Channel Manager Facilitator linked to the ATM
Option a or c
21
Which of the following steps would not be a part of the planning for Work from home?
Ensuring the physical access to the systems room is restricted and monitored
Providing connectivity through a reputed service provider
Installing Anti-Virus in these systems
Arranging official laptops with proper configuration for the employees
22
Which of the following will not be considered as cyber incidents for reporting to RBI?
Incorrect accounting entries that are rectified subsequently
All the options will not be considered
Customer complaints related to frauds.
Physical tampering of ATMs
24
Which one of the following options is NOT a violation of acceptable usage policy?
The laptop was not protected by password
The laptop was kept open, and the desktop was not locked
There was a breach of critical and confidential data.
There was a data vulnerability due to lack of Anti-virus
25
What are the timelines for reporting of cyber incidents to RBI and other Statutory Authorities
CERT-In & NCIIPC? Who should report the incident?
All cyber security incidents should be reported within 24 hours by Incident Response &
Management Team
All cyber security incidents should be reported within 12 hours by Incident Response &
Management Team
All cyber security incidents should be reported within 2 to 6 hours by Incident Response &
Management Team
All cyber security incidents should be reported within 24 to 48 hours by Incident Response
& Management Team
26
Which of the following options is an example of inappropriate use of the e-mail service?
Use of other officers' user ids or using a false identity.
Authorized exchange of proprietary information or confidential information
Use the accounts of others with their permission
Creation and exchange of e-mails information or content for official purpose.
27
Cyber security incidents can be reported
by any employee or public
by home branch only
by public
by any employee
28
Which method is NOT suggested to prevent new account fraud?
Ensure ATM Card connected to operational SB Account is blocked
Contact the bank immediately and ensure all the operating accounts are closed
Ensure to lock the internet banking user ID.
Applying the use of end-to-end encryption to protect online transactions.
29
What should be the minimum and maximum length of the login password in Retail Internet
Banking?
Minimum length should be 6 characters and maximum length 15 characters
Minimum length should be 8 characters and maximum length 20 characters
Minimum length should be 6 characters and maximum length 20 characters
Minimum length should be 8 characters and maximum length 15 characters
30
Select the wrong statement.
For online meetings, Manage screen sharing options. Change screen sharing to “Host
Only.” Avoid file sharing
Do not play online games on company devices as they may download trojans.
Secure your Wi-Fi router connections by enabling WPA2 + AES security
For web security, verify full URL by clicking the link, but do not give any
personal/confidential information
LESSON 1
Which one of the following does NOT come under the People factor in Data Management practices?
Data Trainers
Data Governance Policy is applicable to third parties having access to SBI network and Data.
As per Vendors agreement
Which among the following may be held accountable for quality of data?
People
Data Management with lack of easy access to information for important stakeholders may result in just _________
Data Governance Strategy
Inconsistent Data in Annual Income fields vis-à-vis customer profile may primarily result in ________
Incorrect AML/CFT compliance
What is the frequency of the meeting for Apex level Data Governance Council (ADGC)?
Quarterly
Who would be held responsible for not feeding all the customer details in CBS, given by the customer in AOF?
Maker
What is the frequency of the meeting for Data Governance Council-Business Unit/ Vertical (DGC-BU/V)?
Monthly
Data Protection officer reports to …..
CGM (R&DB Ops)
GM & Chief Data Management Officer
Q: Data Governance Policy is applicable to all the domestic offices of SBI including:
A: All of the above
Q: What is the frequency of the meeting for Data Governance Council-Business Unit/
Vertical (DGC-BU/V)?
A: Monthly
Q: At the time of account opening, it was found that Educational Qualification was not
mentioned by the customer in AOF, but it is a mandatory field in CBS
A: Teller should contact the customer and get the required details and then fill in CBS
Q: Data Management Officer is accountable for all Data Governance related activities of
their respective department
A: FALSE
Q: Data Governance Policy is applicable to third parties having access to SBI network
and Data
A: TRUE
Q: Which among the following play major role in support of company-wide Data quality
initiatives?
A: People
Q: (i) Data Governance is about the rules how to build the content.
(ii) Data Privacy is about the rules how to protect and use the content.
A: Only (ii) is correct
Q: Against availability of sizeable number of eligible customers only few confirmed leads
could be generated for an Analytics based product. What could be the underlying
reason?
A: Poor Data Quality
Q: What is the frequency of the meeting for Data Governance Council-Business Unit/
Vertical (DGC-BU/V)?
A: Quarterly
Q: Who among the following has a role to ensure that data governance initiatives are
aligned with business needs
A: Data Team
Q: Inconsistent Data in Annual Income fields vis-à-vis customer profile may primarily result
in ________
A: Incorrect AML/CFT compliance
Q: As per the Bank's Data Governance structure, presently which is the Apex body for
Data Governance?
A: Apex level Data Governance Council (ADGC)
Q: Which among the following play major role in support of company-wide Data quality
initiatives?
A: Regulators
Q: Data-driven business decisions are possible when _____ is involved in the Data
Governance.
A: Business Unit
Which one is NOT an approved way of sharing granular Data/access Data under normal circumstances:
E-mail
Scope of Customer Sensitive Granular Data Sharing & Access Framework covers:
All of the above
Business Leads from Analytics comes under Customer Sensitive Granular Data
TRUE
In an Account Opening Form, if Data has been provided by the customer in a non-mandatory field
(like mobile number / email ID), what should be done while inputting in CBS?
Input the Data exactly as given by the customer
Non capturing of PAN in CIF, even if furnished in the AOF, may result in ________.
Both 1 & 2
A customer has submitted Voter Card as OVD, along with AOF. During the scrutiny, it was found that the
age of customer is less than 18
DOB on OVD and AOF, if same, then only account may be opened
If a car dealer asks us for a list of customers having existing car loans, to market loans for new cars for us,
shall we share the list?
Cannot be shared
Incorrect classification of values like Gender or Customer Type comes under which one of the following Data
Quality Dimension?
Validity
Capturing of incorrect CRA rating / ECR in a loan account may result in ______.
Both 1 & 2
What are the impacts of feeding incorrect date of birth of a customer in CBS?
Incorrect Customer profile
What are the two important pillars of the SOP on ‘Customer Sensitive Granular Data Sharing and Access – Within Bank’s Environment’:
Restricted & Registered access
In case of demand for customer Data by a Regulatory Authority, it is to be shared as per DG Policy
TRUE
“Internal audit reports” is classified as ____________ Data
CONFIDENTIAL
Q: An SBI Card employee sitting in a branch asks for a list of high value customers
along with Mobile numbers for telecalling to sell SBI cards for the Branch. Branch
may share the list with the SBI Card employee.
A: FALSE
Q: While verifying the pop-up name of PAN holder in CIF creation screen
A: 1 & 3
Q: To boost the housing loan business of the branch, list of HNIs can be shared with
HLCs through:
A: Not to be shared
Q: India is coming with its own Bill on Data Protection which is called ___
A: Personal Data Protection Bill
Q: Branch has sanctioned a Car loan to one of his staff, but the loan instalment was
not fed in HRMS. The staff paid the instalment through his account and informed the
BM that a SI has been registered for the same.
A: Recovery of staff loan should be through HRMS only, so recovery details in
HRMS need to be updated
Q: What are the impacts of feeding incorrect date of birth of a customer in CBS
A: 1 & 2
Q: DQI Index has been included as one of the Key Responsibility Areas (KRAs) in
Career Development System (CDS)
A: TRUE
Q: As per the Bank’s approved “SOP on Data Sharing with External Agencies/ Third
Parties” which of the following is to be considered as “Third Party”
A: All the above are to be treated as Third Parties
Q: Data Quality Index (DQI) dashboard measures the Data Quality for?
A: CIFs & Loans
Q: Customer sensitive Granular Data can be copied and stored without any approval
A: FALSE
Q: What are the two important pillars of the SOP on ‘Customer Sensitive Granular
Data Sharing and Access – Within Bank’s Environment’:
A: Regulated & Limited access
Q: Which of the following is not one of the functions of an effective Data Loss
Prevention (DLP) program
A: Follow-up with Data users for Data Quality enhancement
Q: For official purpose, if we are required to share customer sensitive data, then we
should:
A: Delete the data after use
Q: Which one is NOT an approved way of sharing granular Data/access Data under
normal circumstances:
A: E-mail
Q: What are the impacts of not verifying the pop-up name of PAN holder, while
fetching PAN details
A: 1 & 2
Q: Incorrect spelling of Customer name comes under which one of the following Data
Quality Dimension?
A: Accuracy
Q: What is needed to create Data Quality Index?
A: Data quality rule and profiling results.
Q: A customer has submitted Voter Card as OVD, along with AOF. During the
scrutiny, it was found that the age of customer is less than 18
A: DOB on OVD and AOF, if same, then only account may be opened
Q: Capturing of incorrect CRA rating / ECR in a loan account may result in _____
A: Both 1 & 2
Q: Non capturing of PAN in CIF, even if furnished in the AOF, may result in ___
A: Both 1 & 2
Q: If a car dealer asks us for a list of customers having existing car loans, to market
loans for new cars for us, shall we share the list?
A: Cannot be shared
Q: The access to Customer Sensitive Granular Data to the users should be made
strictly on the basis of:
A: Both 1 & 2
Q: What are the possible means by which Customer Sensitive Granular Data can get
divulged or leaked to any unrelated person / third party like vendors, dealers etc:
A: All of the above
LESSON 3
What is a Denial of Service attack?
It is an attack meant to shut down a machine or network, making it inaccessible to its intended users
Which one of the following is a precaution to be taken while operating the ATM?
Check if any extra suspicious device is attached to the ATM machine.
Which of the following principles of the first of the CIA Triad Confidentiality is/are Correct?
a. Confidentiality is the concept of the measures used to ensure the protection of the secrecy of data, objects,
or resources.
b. The goal of confidentiality protection is to prevent unauthorized access to the information.
c. Confidentiality focuses security measures on ensuring that none other than the sender of a message is able to read it.
d. Secure encryption of the information ensures Confidentiality.
a, b and d
With the enhanced sharing of information over a global network for almost all life functions, which one of the
following has become the latest addition to the essential objectives of Information Security after the CIA Triad?
Non-repudiation
Which one of the following is the leading illicit dark web marketplace which was taken down by the FBI in what
was considered then as a significant action on the Dark web market?
Silk Road 2.0
The technique for sending SMS that appears to be initiated from the organization for KYC updation, Account credit,
Account suspension, winning lottery, SIM block, eKYC updates etc. is known as________.
Spoofing
The technique used to send the emails to all the employees of the Bank is known as ____________.
Spear Phishing
Cyber-attacks that originate through a third-party vendor are also called ________?
Supply chain attacks
What makes the SolarWinds attack an unusual hack?
The hackers, through one piece of malicious code in the SolarWinds vendor’s application, gained access to
the Orion software
Your friend fears that he has shared the user credentials of OnlineSBI with a stranger.
It is a Sunday and Bank is closed. What immediate steps would you NOT advise him?
Change the password
Even if a user compromises his/her login credentials of OnlineSBI, no one can login using this credential.
What is the new security feature in OnlineSBI?
OTP has been made mandatory at the time of login
Which of the following principles of the second of CIA Triad Integrity is/are Correct?
a. Integrity is the concept of protecting the accuracy and completeness of information and processing methods.
b. Integrity protection prevents any kind of alteration of the information.
c. Properly implemented integrity protection provides a means for authorized changes while protecting against
intended and malicious unauthorized activities (such as viruses and intrusions) as well as mistakes made by
authorized users (by commission or omission).
d. Use of a secure Hashing algorithm for the information ensures Integrity.
a, c and d
Which of the following browsers allows access to the Network which is popular for implementing encrypted
routing technology and preventing user tracking?
Tor
The fraudster gets the personal details of the people through the _______ technique.
Social engineering
Ajit is doing a merchant transaction to pay the mobile bill. He selects net banking of SBI for making online payment.
He is redirected to a site of SBI. Before he logs in, what should be the website address on the screen?
It should start with https://www.onlinesbi.com
If you want to change the username and password for your SBI Internet banking,
which of the following statements is correct?
You cannot change the Username but you can change the password at any time
A Cyber-Attack
option a & b
_____________is used for obtaining unauthorized access to mobile phones via Bluetooth connection.
Once such a connection is established then the attacker will be able to steal photos, messages and contacts etc.
Bluesnarfing
Which one of the following statements is FALSE about APT attacks?
APT attacks may be identified immediately as they shut down the whole system
SBI internet banking site provides a facility to bypass such keylogger malware. Identify the feature.
Online Virtual Keyboard
Q: Which one of the following risks is not considered while evaluating a third party
vendor for risk assessment?
A: Market Risk
Q: Which one of the following best describes a Man in the Middle (MITM) attack?
A: An attack used to monitor and potentially modify communications between two users
Q: Which of the following principles of the first of the CIA Triad Confidentiality is/are
Correct?
A: a, c and d
Q: Which of the following attacks is not categorised under Exploit based attacks?
A: Email hijacking
Q: If you click on the padlock sign in the address bar, which of the following information
will be available to you?
A: You will get information on who owns the site and who has verified the site
Q: Which one of the following statements is more appropriate in terms of Vendor risk
assessment?
A: Continuous assessment of Vendor security practices needs to be done throughout the
Contract life cycle.
Q: Cyber-attacks that originate through a third-party vendor are also called ________?
A: Supply chain attacks
Q: Which of the following may not be the signs that the Mobile Phone (Android/iOS) is
hacked?
A: All statements are signs that the Mobile phone is hacked
Q: Even if a user compromises his/her login credentials of OnlineSBI, no one can login
using this credential. What is the new security feature in OnlineSBI?
A: OTP has been made mandatory at the time of login
Q: Which of the following principles of the second of CIA Triad Integrity is/are Correct?
A: Use of a secure Hashing algorithm for the information ensures Integrity.
Q: Which one of the following is a precaution to be taken while operating the ATM?
A: Check if any extra suspicious device is attached to the ATM machine.
Q: Which of the following principles of the first of the CIA Triad Confidentiality is/are
Correct?
A: a, b and d
Q: With the enhanced sharing of information over a global network for almost all life
functions, which one of the following has become the latest addition to the essential
objectives of Information Security after the CIA Triad?
A: Non-repudiation
Q: The technique for sending SMS that appears to be initiated from the organization for
KYC updation, Account credit, Account suspension, winning lottery, SIM block, eKYC
updates etc. is known as ________.
A: Spoofing
Q: The technique used to send the emails to all the employees of the Bank is known as
____________.
A: Spear Phishing
Q: What makes SolarWinds attack an unusual hack?
A: The hackers, through one piece of malicious code in the SolarWinds vendor’s
application, gained access to the Orion software
Q: Your friend fears that he has shared the user credentials of OnlineSBI with a stranger. It
is a Sunday and Bank is closed. What immediate steps would you NOT advise him?
A: Change the password
Q: Which of the following principles of the second of CIA Triad Integrity is/are Correct?
A: a, c and d
Q: Which of the following browsers allows access to the Network which is popular for
implementing encrypted routing technology and preventing user tracking?
A: Tor
Q: The fraudster gets the personal details of the people through the _______ technique.
A: Social engineering
Q: Ajit is doing a merchant transaction to pay the mobile bill. He selects net banking of SBI
for making online payment. He is redirected to a site of SBI. Before he logs in, what should
be the website address on the screen?
A: It should start with https://www.onlinesbi.com
Q: If you want to change the username and password for your SBI Internet banking, which
of the following statements is correct?
A: You cannot change the Username but you can change the password at any time
Q: SBI internet banking site provides a facility to bypass such keylogger malware. Identify
the feature.
A: Online Virtual Keyboard
LESSON 4
1
Which one of the following is the most important aspect for an organization as big and global as SBI to
protect itself from cyber security attacks and subsequent loss of brand image?
A training awareness program that would provide education and guidance on a range of information security topics
to all the internal users of its systems and applications.
2
Who is primarily responsible for reporting cyber security incidents ?
Deputy General Manager (AC) at LHO
3
Which one of the following options does not substantiate the Acceptable Usage Policy of our Bank?
However, Mobile and laptop given to the staff for personal holding have exceptions to the policy.
4
Which of the following statements is NOT correct in the WannaCry case?
The attackers collective called The Lazarus Group.
5
Identify some of the risks involved in using public free WiFi.
All of the above statements are correct
6
Websites use CAPTCHA to stop password guessing by automated tools, protecting against _______.
Dictionary Attack
7
Which one of the following options is not a concern for password security?
In case of any breach in a Social Media Handle, delete your Social Media Account instead of changing the password.
8
Which of the following incident(s) should be reported to RBI, CERT-In & NCIIPC?
All of the above
9
If a Bank always allows some of its employees to bring their own laptops, smartphones, tablets etc. to the office for office
work, this policy is called BYOD. What does BYOD stand for?
Bring Your Own Device
10
Can we create the password in other regional language (Other than English and Hindi) in Retail Internet Banking?
You can use the multilingual image based virtual keyboard in Hindi or English only.
11
Pick the odd one.
Passwords should not be treated like signatures.
12
Select the wrong statement about the Acceptable usage policy (IS Policy) of our Bank.
All are true
13
Which of the following statements is not true about Acceptable usage policy (IS Policy) of our Bank?
Employee’s mobile devices need not have Antivirus software
14
What action will you take, when you are defrauded?
Lock the user access immediately
15
The company asked their employees to use their own devices and internet access while working from home.
List some precautions that they could have exercised even under these conditions: (i) Ensuring that authorized
antivirus is installed in the devices of the employees (ii) Ensuring that appropriate software patches are updated
in the devices of the employees (iii) Asking the employees to use enterprise VPN
Options (i) , (ii) and (iii) are necessary
16
Which of the following options is NOT a best password security practice?
Change your password, only if you suspect it may have been exposed
17
Which one of the following options is not considered an incident for reporting to RBI, NCIIPC and CERT-In?
All of the above
18
Which of the following statements is correct regarding creation of Profile password using the Multilingual Image
based Virtual keyboard?
The Profile password should be a combination of alphabets (in the language chosen), and numerals and special
characters
19
Which one of the following applications is not a threat to compromise confidentiality of the data of portable devices?
Air watch agent
20
What are the ways you can report an unauthorised transaction (ATM) without visiting the branch?
Call dedicated number 1800 1111 09 also Can raise through https://crcf.sbi.co.in
21
Which of the following steps would not be a part of the planning for Work from home?
Ensuring the physical access to the systems room is restricted and monitored
22
Which of the following will not be considered as cyber incidents for reporting to RBI?
All the options will not be considered
23
Select the correct statement in this case.
Ransomware Malware uses simple encryption codes to encrypt a victim’s files.
24
Which one of the following options is NOT a violation of acceptable usage policy?
There was a data vulnerability due to lack of Anti-virus
25
What are the timelines for reporting of cyber incidents to RBI and other Statutory Authorities CERT-In & NCIIPC? Who should report the incident?
All cyber security incidents should be reported within 2 to 6 hours by Incident Response & Management Team
26
Which of the following options is an example of inappropriate use of the e-mail service?
Use of other officers' user ids or using a false identity.
27
Cyber security incidents can be reported
by any employee or public
28
Method that is NOT suggested to prevent new account fraud.
Contact the bank immediately and ensure all the operating accounts are closed
29
What should be the minimum and maximum length of the login password in Retail Internet Banking?
Minimum length should be 8 characters and maximum length 20 characters
30
Select the wrong statement.
For web security, verify full URL by clicking the link, but do not give any personal/confidential information
Which one of the following is the most important aspect for an organization as big and
global as SBI to protect itself from cyber security attacks and subsequent loss of brand
image?
A training awareness program that would provide education and guidance on a range of
information security topics to all the internal users of its systems and applications.
2
Who is primarily responsible for reporting cyber security incidents ?
Deputy General Manager (AC) at LHO
3
Which one of the following options does not substantiate the Acceptable Usage Policy of
our Bank?
However, Mobile and laptop given to the staff for personal holding have exceptions to the
policy.
4
Which of the following statements is NOT correct in the WannaCry case?
Q: Which one of the following options is not a violation of acceptable usage policy?
A: Receiving mails from his batchmate
Q: What is the “Time of detection of incident” for reporting the purpose of a cyber
incident to RBI, CERT-In & NCIIPC?
A: Time at which, the incident is brought to the knowledge of any official of AO,
including DGM & Module CISO
Q: Which of the following is NOT one of the best practices to maintain your
password?
A: Only difficult dictionary words should be used
Q: Select the wrong statement about the Acceptable usage policy (IS Policy) of our
Bank?
A: Successful backup of critical applications or data should be ensured yearly and to
be kept offsite.
Q: The time at which the cyber incident is brought to the knowledge of any official of
__________ shall be treated as time of detection of incident.
A: Information Security Dept. CC Mumbai
Q: Which of the following options is crucial in any UPI fraud related to Collect
request?
A: option a & b
2|Page
42. Despite the availability of a sizeable number of eligible customers, only a few
confirmed leads could be generated for an Analytics based product. What
could be the underlying reason? Poor Data Quality
43.Data Governance process includes activities as: Audit, Monitor & Control
of Data Governance activities: All of the above
44.Data Governance Policy is applicable to: All employees of the Bank
45.Prime objective of Data governance framework is to ensure- All of the
above
46.Data Management Office reports to which of the DMDs: DMD & Chief
Information Officer
47.Data Governance can NOT be achieved by Technology alone: TRUE
48.As per the Bank's Data Governance structure, presently which is the Apex
body for Data Governance?: Apex level Data Governance Council (ADGC)
49.Which of the following is/are a Key Data Quality Dimension? All of the
above
50.The primary priority of Data Processes must be _____ Business Needs
51.________shall ensure that there is commensurate adherence,
management and periodic upkeep/review for Data in their respective
custodies, as prescribed by Data Governance Policy: Data custodians
52.Which among the following play major role in support of company-wide
Data quality initiatives? Regulators
53.Data Governance Policy is formulated by which Department: Data
Management Office
54.Data-driven business decisions are possible when _____ is involved in the
Data Governance.: Business Unit
55.____ is DGO of Circle: DGM & CRO
56.Data governance processes primarily must focus on __________: Business
Needs
57.Data processes must Include ____________: Definitions of how data will
be moved and changed
58.Data processes must also put in place ______: All of the Above
59.The word “Data” shall collectively refer to the following descriptions: All
of the above
60.Analytics refers to the process of using Data in order to: All of the above
Module 2:
Data Quality and Data Divergence (Score 29/30)
1. India is coming with its own Bill on Data Protection which is called ___:
Personal Data Protection Bill
2. In case of demand for customer Data by Regulatory Authority, it be shared
as per DG Policy: True
3. Sharing of customer sensitive granular Data is governed by which Policy :
Data Governance Policy
4. A staff can be held accountable for Data quality errors.: True
5. Capturing of incorrect security in secured loan accounts may result in
_____________.: Both 1 and 2
6. While inputting temporary address of a customer in CBS, it should be
taken care that: "From & To" date in the temp screen needs to be filled as
declared by the customer.
7. In an Account Opening Form, if Data has been provided by customer in
non mandatory field ( like mobile number /email ID ), what should be
done while inputting in CBS?: input the data exactly as entered by the
customer
8. Which of the following is not a type of Data leak: Submission of P report
in Hard copy to controller.
9. Business Leads from Analytics comes under Customer Sensitive Granular
Data: True
10.What are the impacts of not verifying the pop-up name of PAN holder,
while fetching PAN details: Both 1 & 2
11.If a car dealer asks us for a list of customers having existing car loans, to
market loans for new cars for us, shall we share the list?: Cannot be shared
12.Salient features of Project Ganga include: All of the above
13.Which of the following is not one of the functions of an effective Data Loss
Prevention (DLP) program: Follow up with data users
14.What is/are the possible consequences of Data Leakage: All of the above
15.Project Ganga Dashboard include divergences related to:: Both DQ and
KRI
16.Which of the following documents should be referred for operational
details while handling requests for sharing Customer Sensitive Granular
Data within Bank’s environment: SOP on Customer
17.A customer has submitted Voter Card as OVD, along with AOF. During the
scrutiny, it was found that the age of customer is less than 18: DOB on
OVD and AOF
18.Objectives of Data Quality are:
i. Accuracy, validity
ii.timeliness, completeness
iii.uniqueness, consistency
None of the above
19.Main Pillars of Data Quality Management are
A) Data Profiling
B) Defining Data Quality
C) Data Reporting
D) Data Repair
A, B,C,D
20.DQI dashboard displays errors: All of the above
21.As per Data Protection Bill (Draft) PII stands for: Personally Identifiable
Information
22.“Internal audit reports” is classified as ____________ Data: Confidential
23.A customer has submitted Driving License as OVD, along with AOF. During
the scrutiny, it was found that the age of customer is less than 18: DOB
and AOF to be checked… to be accepted.
24.Government provided IDs (PAN, License, Passport, etc.), Customer age,
Customer's gender, Customer phone number, Customer address,
Customer occupation are classified as: Sensitive
25.Which of the following are examples of Sensitive Information:: All of the
above
26.“Training materials and manuals” are classified as ____________ Data:
Internal
27.While verifying the pop-up name of PAN holder in CIF creation screen: 1 & 3
28.Capturing of incorrect interest rate in loan accounts may result in
_____________.: All of the above
29.Non-sensitive Information includes: Both 1 and 2
30.An SBI Card employee sitting in a branch asks for list of high value
customers along with Mobile numbers for telecalling to sell SBI cards for
the Branch. Branch may share the list with SBI Card employee.: False
31.Which of the following is not one of the functions of an effective Data Loss
Prevention (DLP) program
Follow-up with Data users for Data Quality enhancement
32.As per Data Protection Bill (Draft) PII stands for: Personally Identifiable
Information
33.Branch has sanctioned a Car loan to one of his staff, but the loan
instalment was not fed in HRMS. The staff paid the instalment through his
account and informed the BM that a SI has been registered for the same:
Recovery to staff loan should be through HRMS only, so recovery details
in HRMS needs to be updated
34.Customer Sensitive Granular Data made available through SSO to ensure
an audit trail comes under which one of the following? Need to Access
35.In ________________ Processing, small group of transactions are
processed on demand: Batch
36.Updated policies or SOPs on Data Governance can be accessed through?
>>SBI Times>>MIS Online >>SOPs>>Data Analytics
37.“Card Holder Details, CIF, Account Information (credentials, balance,
transactions, premiums, dividends, etc.)” are classified as: SENSITIVE
38.Salient features of Project Ganga include: All of the above
39.Impact of poor Data Quality on a Branch include ____: Both 1 & 2 above
40.Data quality is necessary to fulfil the needs of an organization in terms of
: All of the above
41.While inputting temporary address of a customer in CBS, it should be
taken care that:
"From & To" date in the temporary screen needs to be filled in as declared
by the customer
42.If, there is slight mis-match in Customer name in OVD and AOF, customer
name as in AOF has to be fed in CBS, as it is declared by the customer:
Customer needs to be advised for rectification of name in OVD, and then
open account
43.A customer has submitted Driving License as OVD, along with AOF. During
the scrutiny, it was found that the age of customer is less than 18: DOB on
OVD and AOF to be checked, even then he is less than 18 yrs, OVD not to
be accepted
44.A staff can be held accountable for Data quality errors. : TRUE
45.What does GDPR stand for- General Data Protection Regulation
46.Responsibilities of the Customer Sensitive Granular Data User include the
following, except: Customer Sensitive Granular Data can be copied, stored,
processed or altered by the user and no specific approval required.
47.Customer sensitive Granular Data can be copied and stored without any
approval: FALSE
48.Some of the key Data Privacy initiatives include: All of the above
49.As per the Bank’s approved “SOP on Data Sharing with External Agencies/
Third Parties” which of the following is NOT to be considered as “Third
Party”: Internal Auditors
50.“Customer PII Data” is classified as ____________ Data: SENSITIVE
51.Which of the following is not a type of Data leak: Submission of monthly
P-report to controller in hard copy
Module 3 (23/30)
1. What is a keylogger?
a) It is a facility that saves the user's password so that he need not enter it
every time.
b) It is a software that facilitates the user to discontinue the use of the
mouse.
c) It is a facility to the user so that he need not type the same keys every time.
d) It is a surveillance software that records every keystroke made in the
system, creates a file and sends it to a specified server
2. Which one of the following statements is more appropriate in terms of
Vendor risk assessment?
a) Vendor risk assessment is not required when the sourced service does not
directly impact company's core operations
b) Vendor security practices need to be assessed before awarding the
contract
c) Vendor software coding practices need not be assessed
d) Continuous assessment of Vendor security practices need to be done
throughout the Contract life cycle.
3. The Cyber-attacks that originate through a third party vendor are also called
a) Vendor attacks
b) Supply chain attacks
c) Supplier attacks
d) Service provider attacks
4. How does the use of Virtual keyboard protect the customer?
a) It protects against computer Worms.
b) It protects against computer Viruses
c) It is a useless feature
d) It protects against Keylogger malware
5 What is not true about SIM Swapping?
a) SIM Swapping is a fraud that occurs when the fraudsters manage to get a
new SIM card issued for a specific registered mobile number
b) Phishing or social engineering techniques are used to obtain personal
information of the customers/users.
c) Fraudsters get access to the root of the mobile phone through SIM
Swapping
d) Option b & c
6 The fraudster gets the personal details of the people through
a) Social engineering
b) Spoofing
c) Keylogger malware
d) Vishing
a) In APT attacks, attacker code may spread into other machines in the
victim's network and compromise then.
b) A type of cyberattack where an unauthorized attacker code enters a
system and remains there.
c) APT attacks may help the attacker in stealing information
d) APT attacks may be identified immediately as it shuts down the whole
system
12 If you click on the padlock sign in the Address bar. Which of the following
information will be available to you?
a) You will get information on who has created the site
b) You will get information on the IT company that maintains the site
c) You will get information on who owns the site and who has verified the
site
d) You will get information on Reserve Bank of India
13 What makes SolarWinds attack an unusual hack?
a) The hackers seriously damaged the energy supply
b) The hackers through one malicious code in the application of SolarWinds
vendor's application gained access to Orion software.
c) The hackers targeted a government agency like Pentagon
d) The hackers through one malicious code in SolarWinds Orion software
gained access to thousands of other companies.
14 What is a Denial of Service Attack?
a) It is a malicious attempt to disrupt the normal traffic of a targeted server,
service or network with a flood of Internet traffic from multiple computers
at the same time
b) It is an attack meant to shut down a machine or network, making it
inaccessible to its intended users
c) A type of attack whereby malicious commands are sent to a
system/application through unauthorized channels.
d) An attack used to monitor and potentially modify communications
between two users.
15 Pretending to be an Airtel customer service executive and contacting the
victim is called
a) Phishing
b) Spoofing
c) Smishing
d) Vishing
16 A Cyber-Attack
a) is not limited to, stealing, altering or destroying the systems/network,
disrupting operations and causing information or identity theft
b) is a targeted assault on the Bank's cyberspace and its underlying
infrastructure systems
c) option a or b
d) option a & b
17. SBI internet banking site provides a facility to bypass such keylogger
malware. Identify the feature.
a) Image Captcha
b) Online Virtual Keyboard
c) Audio Captcha
d) Biometric access
18 Which of the following Mobile Apps may be suggested to resolve the issues
related to non-receipt of OTP (Through SMS) for their transaction?
a) SBI Secure OTP
b) SBI Quick
c) YONO Lite
d) BHIM SBI Pay
19 A fraudster may use Social engineering techniques to steal critical
information of a user. Which of the following options is not true in case of social
engineering?
a) Utilizing manipulative methods to obtain (confidential) information
through unauthorized methods
b) Social engineering uses Human traits, Curiosity, Concern around and
technical hacking techniques
c) In Social engineering attacks, the fraudsters lure/appeal the potential
victims to gain confidence to reveal confidential information and use the
same for fraud and system access.
d) Social engineering is to gain access to sensitive information, systems or
data by using human psychology
20 Which of the following options is not to protect yourself from keyloggers?
a) Check your physical hardware, keep your system locked
b) Antivirus and protect from unauthorised access. Companies keep their
records of the most common malware keyloggers and will flag them as
dangerous.
c) Use a reputable antivirus software to scan your computer on a regular
basis.
d) Regularly inspect your computer and the surrounding area to make sure
you know each piece of hardware.
21 Select the incorrect option.
a) Dark Web - Illegal Information & Private forums
b) Deep Web - Internet Banking & Hidden wiki
c) Surface Web - Facebook & Wikipedia
d) Deep Web - Research Papers & Medical Records
22 What is not true about SIM Swapping?
a) SIM Swapping is also known as SIM Jacking
b) SIM Swapping is also known as SIM cloning
c) SIM Swapping is also known as port out scamming
d) All are true
23 The malware, which can record the keystrokes on a keyboard in order to gain
access to sensitive information is known as ________ malware.
a) Keylogger
b) Scareware
c) Spyware
d) Fileless
24 Even if a user compromises his/her login credentials of OnlineSBI, no one can
login using this credential. What is the new security feature in OnlineSBI?
a) Audio Captcha in the login screen.
b) Virtual keyboard in the login screen
c) OTP has been made mandatory at the time of login
d) Image based Captcha in the login screen
25 ________ is a technique used by the fraudsters, wherein they penetrate a system where
the program/script/files will be hidden within another file.
a) Man in the Middle attack
b) Steganography
c) Phishing
d) Spoofing
26. If a Cyber attack is carried out by sending to SBI's customers an email that
claims to be from SBI but it's not, then what kind of cyber attack technique is it?
a) DOS Attack
b) State Sponsored attacks
c) Phishing Attack
d) Web defacing
27 Which of the following principles of the first of the CIA Triad Confidentiality
is/are Correct?
a. Confidentiality is the concept of the measures used to ensure the
protection of the secrecy of data, objects, or resources.
b. The goal of confidentiality protection is to prevent unauthorized access
to the information.
c. Confidentiality focuses security measures on ensuring that none other
than the sender of a message is able to read it.
d. Secure encryption of the information ensures Confidentiality.
a) Only a and b
b) a, b and c
c) a, c and d
d) a, b and d
28 Your friend fears that he has shared the user credentials of OnlineSBI with a
stranger. It is a Sunday and Bank is closed. What immediate steps would you
NOT advise him?
a) Type an incorrect login password 4 times so that the username gets
locked for a day
b) Change the password
c) Contact the Branch on Monday to deactivate INB facility
d) Lock User access using the relevant link
29 Which of the following principles of the second of CIA Triad Integrity is/are
Correct?
a. Integrity is the concept of protecting the accuracy and completeness of
information and processing methods.
b. Integrity protection prevents any kind of alteration of the information.
c. Properly implemented integrity protection provides a means for authorized
changes while protecting against intended and malicious unauthorized activities
(such as viruses and intrusions) as well as mistakes made by authorized users (by
commission or omission).
d. Use of a secure Hashing algorithm for the information ensures Integrity.
a) Only a and b
b) a, b and c
c) a, c and d
d) a, b and d
30. Which one is not an option for disabling UPI services?
a) YONO Main Screen UPI Enable/Disable UPI
b) CBS App menu UPI Disable/Re-enable UPI
c) Branch Interface (Maker-Checker Concept)
d) Contact Centre: 1800112211/18004253800
31.What is not true about Juice-jacking? Disabling data transfer mode in
Settings will not help in this case
32.The data loss or compromise while charging the mobile is
called________.: Juice Jacking
33.Even if a user compromises his/her login credentials of OnlineSBI, no one
can login using this credential. What is the new security feature in
OnlineSBI?: OTP has been made mandatory at the time of login
34._____________is used for obtaining unauthorized access to mobile
phones via Bluetooth connection. Once such a connection is established
then the attacker will be able to steal photos, messages and contacts etc.
: Bluesnarfing
35.Your friend fears that he has shared the user credentials of OnlineSBI with
a stranger. It is a Sunday and Bank is closed. What immediate steps would
you NOT advise him?
Contact the Branch on Monday to deactivate INB facility
36.Which of the following is NOT an objective of Non-repudiation?
It offers a high level of assurance that the information, objects and
resources are accessible to authorized subjects within the promised
timeframe.
37.Which of the following is not the examples of data?
All are examples of data
38.Which one of the following statements is more appropriate in terms of
Vendor risk assessment? Continuous assessment of Vendor security
practices need to be done throughout the Contract life cycle.
39.What makes SolarWinds attack an unusual hack?
The hackers through one malicious code in the application of SolarWinds
vendor’s application gained access to Orion software
40.Non-repudiation is carried out through the services of authentication,
authorization, confidentiality, and integrity. Confidentiality ensures which
one of the following?
Secure encryption of the information
41.Select the wrong statement.: Option a & b
42.Pretending to be an Airtel customer service executive and contacting the
victim is called____________.: Vishing
43.Which one of the following is the leading illicit dark web marketplace
which was taken down by the FBI in what was considered then as a
significant action on the Dark web market?
Silk Road 2.0
44.A fraudster may use Social engineering techniques to steal critical
information of a user. Which of the following options is not true in case of
social engineering?
Social engineering uses Human traits, Curiosity, Concern around and
technical hacking techniques
45.Which one of the following statements is false?
Bulk SMS is sending SMS from mobile to many people.
46.What is not true about SIM Swapping?
SIM Swapping is also known as SIM cloning
47.Which of the following attacks is not categorised under Exploit based
attacks?
Distributed Denial of Service attacks
48.If a Cyber attack is carried out by sending to SBI's customers an email that
claims to be from SBI but it's not, then what kind of cyber attack technique
is it?
Phishing Attack
49.Mr. Ajay had tried to login to Mr. Deepak's SBI net banking. He tried thrice
but failed. Now when Mr. Deepak tries to login with his correct password
will he be able to do so?
After 3 invalid attempts, the user id is automatically locked for one day.
Thereafter Mr. Deepak can login.
50.What is a “Collect Request” in a UPI transaction?
It is a feature available in BHIM SBI Pay
51.If you want to change the username and password for your SBI Internet
banking, which of the following statements is correct?
You cannot change the Username but he/she can change the password at
any time
52._____________ is a technique used by the fraudsters, wherein they
penetrate a system where the program/script/files will be hidden within
another file.
Steganography
53.The technique used to send the emails to all the employees of the Bank is
known as ____________.
Spear Phishing
54.If a hacker manages to exploit the vulnerability before software
developers can find a fix, that exploit becomes known as a _______.
Zero day attack
55.Third party attacks are attractive to hackers, because ____________.
Third party systems have less robust security controls
56.What makes SolarWinds hack one of the biggest and the most dangerous
Cyber attack?
This attack was designed to impact one vendor and subsequently all their
clients
57.Where is the option to lock user access in SBI Retail Internet Banking?
Lock User access option is available in the login page of Retail INB
16 | P a g e
58.__________ malware is a warning-like popup or reminder in a
Laptop/PC/Mobile?
Scareware
59.Social Engineering Attacks does not include ________________.
Denial of Service attack
60.Which one of the following statements is FALSE about APT attacks?
APT attacks may be identified immediately as it shuts down the whole
system Submit
17 | P a g e
DGCS: Module 4 (24/30)
1. Which of the following steps would not be a part of the planning for Work
from home?
a) Arranging official laptops with proper configuration for the employees
b) Providing connectivity through a reputed service provider
c) Ensuring the physical access to the systems room is restricted and
monitored
d) Installing Anti-Virus in these systems
5. Which of the following options is crucial in any UPI fraud related to Collect
request?
a) QR Code of your Virtual Payment Address
b) Your Virtual Payment Address
c) Your Account no.
d) option a & b
6. As part of IS awareness, SBI observes Computer Security Day on which of the
following day?
a) 01st April
b) 01st October
c) 30th November
d) 30th September
7. What is the meaning of Shadow Reversal?
a) Reversal of loss amount to customer account if Bank fails to resolve the
customer complaint within 90 days and it is allowed to withdraw by
customer
b) Reversal of loss amount to customer account if Bank fails to establish
customer negligence within 10 days, but it is not allowed to withdraw by
customer
c) Reversal of loss amount to customer account if Bank fails to resolve the
customer complaint within 90 days, but it is not allowed to withdraw by
customer
d) Reversal of loss amount to customer account if Bank fails to establish
customer negligence within 10 days, but it is allowed to withdraw by
customer
8. What action will you take, when you are defrauded?
a) Change the username immediately
b) Write a letter to the RBI immediately
c) Lock the user access immediately
d) Send a written letter to the branch immediately
9. Select the wrong statement about the Acceptable usage policy (IS Policy) of
our Bank?
a) Users should not install any software that is not authorized for the Bank’s
business.
b) Users on whose PC / Server such software runs shall be solely responsible
for Copyrights / IPR violation, Legal and Penal actions as per IT Act
c) Successful backup of critical applications or data should be ensured yearly
and to be kept offsite.
d) All are true
10. Which of the following options is an example of inappropriate use of the e-mail service?
a) Use the accounts of others with their permission
b) Authorized exchange of proprietary information or confidential
information
c) Use of other officers' user ids or using a false identity.
d) Creation and exchange of e-mails information or content for official
purpose.
11. Select the wrong statement about Desktop / Laptops /Workstations Usage?
a) Lock your PC by pressing Windows key + L
b) There is nothing important on my computer is a myth
c) Create a shortcut of a document/file instead of copying it on the desktop
d) Always lock your desktop, when you are away from it.
12. Which one of the following options does not substantiate the Acceptable
Usage Policy of our Bank?
a) Always lock your desktop while leaving your seat.
b) We need to protect the data by following acceptable usage policy
guidelines of our bank.
c) However, Mobile and laptop given to the staff for personal holding have
exceptions to the policy.
d) All the workstations / devices should be protected by strong passwords.
13. Which of the following options is not a violation of acceptable usage policy?
a) Users shall be responsible for the activities carried out on their client
systems, using the accounts assigned to them.
b) The User is responsible for any e-mail that is transmitted using the e-mail
c) Use of personal mail of Bank’s official for his personal purposes is
acceptable.
d) All e-mails sent through the mail server are the sole responsibility of the
user owning the account
14. Which of the following is NOT inappropriate content of email?
a) Sending absence unsolicited emails and links.
b) Sending mail that damages the reputation of the Bank, contains viruses,
worms, or malware
c) Confidential or secret information with a password protection when
transmitted over email.
d) Using email systems to copy and transmit any document, software or
other information protected by copyright or any other law.
15. If ATM Skimming happens at an ATM, who can report to IT Team?
a) ATM Channel Manager
b) Anyone
c) Branch Manager
d) option a & b
16. Select the correct statement about Desktop / Laptops /Workstations Usage?
a) Creation of email shortcut on the home screen of desktop
b) Anti-virus is crucial for safety of data. While leaving the room user is
supposed to put the laptop for scanning.
c) Locking by pressing Windows key and L key simultaneously.
d) Shutting down the laptop
17. Which one of the following options is not a concern for password security?
a) Password should be treated like signature
b) Users are responsible for all activities originated from their User
credentials
c) In case of any breach in a Social Media Handle, delete your Social Media
Account instead of changing the password.
d) Password is required to be sufficiently long and secret
18. Cyber security incidents can be reported
a) by home branch only
b) by any employee
c) by public
d) by any employee or public
24. Pick the odd one.
a) Passwords should be complex, sufficiently long and secret.
b) Passwords should not be treated like signatures.
c) Passwords must be created using small & upper case, when own name or
short form of own name and own initials are used.
d) Users are responsible for all activities originating from their user
credentials.
25. Which of the following options is NOT a good wi-fi security practice?
a) Secure your Wi-Fi router connections by enabling WPA2 + AES security
b) Change the default network name and password of your router used for
login
c) Connect to office network strictly through company provided means
d) You can use unsecure or open Wi-Fi for official purposes in case of
emergency
26. Which one of the following is the most important aspect for an organization
as big and global as SBI to protect itself from cyber security attacks and
subsequent loss of brand image?
a) An awareness program among all the customers to provide education and
guidance on a range of topics, including email, cloud and mobile security.
b) A training and awareness program for all the employees in the
Information Security department.
c) A training awareness program that would provide education and guidance
on a range of information security topics to all the internal users of its
systems and applications.
d) A training program for all the vendors to underscore secure coding
practices.
27. Select the wrong statement.
a) EMV chip cards are vulnerable to Skimming
b) Using EMV chip cards rather than Magstripe cards in ATM is more secure
c) End-to-End encryption in the communication between the 'ATM
Terminal' and the 'ATM Switch' may prevent breaches
d) Using Tamper proof keypads and anti-skimming devices in the ATM
28. In order to report an incident, if you are asked to forward the SMS received from the Bank to a certain mobile number given in the SMS, which of the following SMSs is to be forwarded?
a) SMS containing the OTP for the transaction
b) SMS alert received after the transaction containing the details of the
transaction
c) either of the above
d) Neither of the above.
29. Creating IS awareness is important at all levels in the Bank. But the initiation
should start from _______________.
a) Circle Management
b) Board of Directors
c) Middle Management
d) Branch staff
30. Which of the following options is not related to ATM fraud?
a) Phishing, Vishing
b) ATM hacking, password stealing
c) Card swapping, ATM Jackpotting
d) Skimming, Cloning
Profile password should be a combination of alphabets (in the language
chosen), and numerals and special characters
Passwords must be created using small & upper case, when own name or
short form of own name and own initials are used.
37. In order to report an incident, if you are asked to forward the SMS received from the Bank to a certain mobile number given in the SMS, which of the following SMSs is to be forwarded?
SMS alert received after the transaction containing the details of the
transaction
The updates in the operating systems (say Android, iOS etc.) and installed
applications might compromise the security of these devices.
All of the above statements are correct
44. Which one of the following options does not substantiate the Acceptable Usage Policy of our Bank?
However, Mobile and laptop given to the staff for personal holding have
exceptions to the policy.
45. Which of the following statements is not true about Acceptable usage policy (IS Policy) of our Bank?
Employee’s mobile devices need not have Antivirus software
46. What are the timelines for reporting of cyber incidents to RBI and other Statutory Authorities CERT-In & NCIIPC? Who should report the incident?
All cyber security incidents should be reported within 24 hours by Incident
Response & Management Team
52. Many websites use CAPTCHA to avoid password guessing by automated tools called ____________.
Dictionary Attack
53. What should be the minimum and maximum length of the login password in Retail Internet Banking?
Minimum length should be 8 characters and maximum length 20 characters
54. Which one of the following options is not a concern for password security?
Password is required to be sufficiently long and secret
55. Which of the following options is not related to ATM fraud?
Phishing, Vishing
56. Which of the following is NOT one of the best practices to maintain your password?
Only difficult dictionary words should be used
57. Which one of the following options is not considered as incident for reporting to RBI, NCIIPC and CERT-In?
Accounting/clerical errors (incorrect ledger posting – cr/dr) that are rectified subsequently.
58. Which of the following steps would not be a part of the planning for Work from home?
Providing connectivity through a reputed service provider
59. Which one of the following is the most important aspect for an organization as big and global as SBI to protect itself from cyber security attacks and subsequent loss of brand image?
An awareness program among all the customers to provide education and guidance on a range of topics, including email, cloud and mobile security.
60. “Ransomware” can be spread through _____________?
Option 1 and 2
********
LESSON 1
Which one of the following does NOT come under People factor in Data Management practices?
Data Architects
Data Owners
Data Trainers
Data Stewards
Data Governance Policy is applicable to third parties having access to SBI network and Data.
As per Vendors agreement
FALSE
TRUE
Not declared in policy
Which among the following may be held accountable for quality of data?
People
Processes
Practices
Technology
Data Management with lack of easy access to information for important stakeholders may result in just _________
Data Governance Strategy
Big Data Strategy
Narrow Data Strategy
None of the Above
Inconsistent Data in Annual Income fields vis-à-vis customer profile may primarily result in ________
Incorrect AML/CFT compliance
In-efficient Cross-selling
Improper KYC
None of the Above
What is the frequency of the meeting for Apex level Data Governance Council (ADGC)?
Monthly
Quarterly
Half yearly
Bi monthly
Who would be held responsible for not feeding all the customer details in CBS, given by customer in AOF?
BM
1& 2
Checker
Maker
What is the frequency of the meeting for Data Governance Council-Business Unit/ Vertical (DGC-BU/V)?
Bi monthly
Quarterly
Half yearly
Monthly
LESSON 2
Scope of Customer Sensitive Granular Data Sharing & Access Framework covers:
All the domestic & foreign offices
All SBI employees
All the third parties having access to SBI network and granular Data
All of the above
Business Leads from Analytics come under Customer Sensitive Granular Data
TRUE
FALSE
In an Account Opening Form, if Data has been provided by customer in non mandatory field ( like mobile number /em
Leave the field in CBS blank since it is non mandatory in CBS also
Input the Data exactly as given by the customer
Input partial / any similar Data without matching exactly as it is non mandatory in nature
All of the above
Non capturing of PAN in CIF, even if furnished in the AOF, may result in ________.
Deduction of Excess TDS
Non-reflection of TDS in Form 26 AS
Both 1 & 2
Neither 1 nor 2
A customer has submitted Voter Card as OVD, along with AOF. During the scrutiny, it was found that the age of custo
OVD has to be accepted, as it is a govt. document
OVD can be accepted
If one can vote, he is not a minor. OVD should be accepted
DOB on OVD and AOF, if same, then only account may be opened
If a car dealer asks us for a list of customers having existing car loans, to market loans for new cars for us, shall we sh
May be shared by the Field Officer
May be shared by the Branch Manager
Either 1 or 2
Cannot be shared
Incorrect classification of values like Gender or Customer Type comes under which one of the following Data Quality
Accuracy
Validity
Consistency
Completeness
Capturing of incorrect CRA rating / ECR in a loan account may result in ______.
Incorrect Interest Rate
Incorrect Risk weight
Both 1 & 2
Neither 1 nor 2
What are the impacts of feeding incorrect date of birth of a customer in CBS?
Incorrect Customer profile
Customer could not be able to reset his INB password
1& 2
No Impact
Sharing of Data with external agencies is governed by
SOP on Data Loss Prevention
SOP on Data Sharing with External agencies/third parties
SOP on Data Infringement
SOP on Customer Sensitive Granular Data Sharing
What are the two important pillars of the SOP on ‘Customer Sensitive Granular Data Sharing and Access – Within Ban
Regulated & Limited access
Restricted & Registered access
Free & Uncontrolled access
None of the above
In case of demand for customer Data by Regulatory Authority, it be shared as per DG Policy
FALSE
TRUE
LESSON 3
Which of the following principles of Confidentiality, the first element of the CIA Triad, is/are correct?
a.Confidentiality is the concept of the measures used to ensure the protection of the secrecy of data, objects, or resour
b.The goal of confidentiality protection is to prevent unauthorized access to the information.
c.Confidentiality focuses security measures on ensuring that none other than the sender of a message is able to read it.
d.Secure encryption of the information ensures Confidentiality.
Only a and b
a, b and c
a, c and d
a, b and d
With the enhanced sharing of information over a global network for almost all life functions , which one of the follow
Authentication
Non-repudiation
Authorization
Non-refutation
Which one of the following is the leading illicit dark web marketplace which was taken down by the FBI in what was
Silk Road 2.0
DisrupTor
Tor
Dark Market
The technique for sending SMS that appears to be initiated from the organization for KYC updation, Account credit, A
Vishing
Spoofing
Steganography
Identity theft
The technique used to send the emails to all the employees of the Bank is known as ____________.
Smishing
Vishing
Phishing
Spear Phishing
The Cyber-attacks originate through a third party vendor are also called ________?
Service provider attacks
Supplier attacks
Supply chain attacks
Vendor attacks
Your friend fears that he has shared the user credentials of OnlineSBI with a stranger. It is a Sunday and Bank is close
Change the password
Lock User access using the relevant link
Contact the Branch on Monday to deactivate INB facility
Type an incorrect login password 4 times so that the username gets locked for a day
Even if a user compromises his/her login credentials of OnlineSBI, no one can login using this credential. What is the
Audio Captcha in the login screen.
Virtual keyboard in the login screen
OTP has been made mandatory at the time of login
Image based Captcha in the login screen
Which of the following principles of Integrity, the second element of the CIA Triad, is/are correct?
a.Integrity is the concept of protecting the accuracy and completeness of information and processing methods.
b.Integrity protection prevents any kind of alteration of the information.
c.Properly implemented integrity protection provides a means for authorized changes while protecting against intende
omission).
d.Use of a secure Hashing algorithm for the information ensures Integrity.
Only a and b
a, b and c
a, c and d
a, b and d
Which of the following browsers allows access to the Network which is popular for implementing encrypted routing
Chrome
Edge
Tor
Firefox
The fraudster gets the personal details of the people through _______technique.
Spoofing
Keylogger malware
Vishing
Social engineering
Which of the following is not an example of data?
Employees information
Customer Information
Official conversation over phone
All are examples of data
Ajit is doing a merchant transaction to pay the mobile bill. He selects net banking of SBI for making online payment. H
It should start with https://www.retail.onlinesbi.com
It should start with https://www.merchant.onlinesbi.sbi
It should start with https://www.onlinesbi.com
It should start with https://www.retailmerchant.sbi
If you want to change the username and password for your SBI Internet banking, which of the following statements i
You cannot change the Username but he/she can change the password at any time
You can change the Username but not the password
You can only interchange the username by the password and vice versa
You can change both the Username and password at any time
A Cyber-Attack
is not limited to, stealing, altering or destroying the systems/network, disrupting operations and causing information or
is a targeted assault on the Bank’s cyberspace and its underlying infrastructure systems
option a or b
option a & b
_____________is used for obtaining unauthorized access to mobile phones via Bluetooth connection. Once such a co
Man in the Middle attack
Bluesnarfing
Steganography
Spoofing
Which one of the following statements is FALSE about APT attacks?
A type of cyberattack where an unauthorized attacker code enters a system and remains there.
APT attacks may help the attacker in stealing information
APT attacks may be identified immediately as it shuts down the whole system
In APT attacks, attacker code may spread into other machines in the victim’s network and compromise them.
SBI internet banking site provides a facility to bypass such keylogger malware. Identify the feature.
Audio Captcha
Image Captcha
Online Virtual Keyboard
Biometric access
LESSON 4
1
Which one of the following is the most important aspect for an organization as big and global as SBI to protect itself f
A training program for all the vendors to underscore secure coding practices.
A training and awareness program for all the employees in the Information Security department.
An awareness program among all the customers to provide education and guidance on a range of topics, including ema
A training awareness program that would provide education and guidance on a range of information security topics to a
2
Who is primarily responsible for reporting cyber security incidents?
Deputy General Manager (AC) at LHO
ATM Channel Manager
Branch Manager
Regional Manager (RBO)
3
Which one of the following options does not substantiate the Acceptable Usage Policy of our Bank?
We need to protect the data by following acceptable usage policy guidelines of our bank.
All the workstations / devices should be protected by strong passwords.
However, Mobile and laptop given to the staff for personal holding have exceptions to the policy.
Always lock your desktop while leaving your seat.
4
Which of the following statements is NOT correct in the WannaCry case?
A Windows vulnerability discovered by the United States National Security Agency (NSA).
After the system got affected by WannaCry, Microsoft released the patch for the system which has updated security.
The attackers collective called The Lazarus Group.
This was only one month after Windows released patches for the exploit, meaning that computers that had yet to upda
5
Identify some of the risks involved in using public free WiFi.
All of the above statements are correct
It can expose the users to Man-in-the-middle attacks
The free WiFi could be a rogue network, harvesting the internet user’s data.
Hackers may be misusing the free Wi-Fi to distribute malware
6
Websites use CAPTCHA to avoid password guessing by automated tools to prevent from _______.
Shoulder surfing
Dictionary Attack
Brute force Attack
Guessing
7
Which one of the following options is not a concern for password security?
In case of any breach in a Social Media Handle, delete your Social Media Account instead of changing the password.
Password is required to be sufficiently long and secret
Users are responsible for all activities originated from their User credentials
Password should be treated like signature
8
Which of the following incident(s) should be reported to RBI, CERT-In & NCIIPC?
All cyber incidents irrespective of amount of loss
Phishing / Vishing attacks on customers resulting cumulative loss for the customer(s) exceeding ₹ 50 lakh
All incidents which lead to customer service disruptions due to non-availability of IT systems
All of the above
9
If a Bank always allows some of the employees to bring their own laptops, smart phones, tablets etc. to office for offic
Bring Your Own Desktop
Bring Your Own Device
Buy Your Own Device
Budget Your Own Device
10
Can we create the password in other regional language (Other than English and Hindi) in Retail Internet Banking?
You can use the multilingual image based virtual keyboard in Hindi or English only.
The multilingual image based virtual keyboard is available in 13 languages.
You can use the multilingual image based virtual keyboard in Hindi or Tamil only
The multilingual image based virtual keyboard is available in Hindi , Tamil, Oriya or Marathi only
11
Pick the odd one.
Passwords should be complex, sufficiently long and secret.
Passwords must be created using small & upper case, when own name or short form of own name and own initials are
Users are responsible for all activities originating from their user credentials.
Passwords should not be treated like signatures.
12
Select the wrong statement about the Acceptable usage policy (IS Policy) of our Bank?
Users should not install any software that is not authorized for the Bank’s business.
Users on whose PC / Server such software runs shall be solely responsible for Copyrights / IPR violation, Legal and Pena
Successful backup of critical applications or data should be ensured yearly and to be kept offsite.
All are true
13
Which of the following statements is not true about Acceptable usage policy (IS Policy) of our Bank?
Employees, to whom State Bank owned laptops or any other Portable devices are issued, are responsible for its safe cu
Employees who are authorized to access emails and Bank’s data on mobile devices should ensure that MDM application
Employee’s mobile devices need not have Antivirus software
Loss of portable devices should be reported immediately to the local police and to the appropriate authority.
14
What action will you take, when you are defrauded?
Change the username immediately
Lock the user access immediately
Send a written letter to the branch immediately
Write a letter to the RBI immediately
15
The company asked their employees to use their own devices and internet access while working from home. List som
devices of the employees (iii) Asking the employees to use enterprise VPN
Options (i) and (ii) are sufficient
Options (i) alone is sufficient
Options (i) , (ii) and (iii) are necessary
Option (ii) alone is sufficient
16
Which of the following options is NOT one of the best password security practices?
Enable two-factor authentication
Never completely trust service providers
Change your password, only if you suspect it may have been exposed
Never reuse a password
17
Which one of the following options is not considered as incident for reporting to RBI, NCIIPC and CERT-In?
Frauds/ Customer complaints related to frauds.
Accounting/clerical errors (incorrect ledger posting – cr/dr) that are rectified subsequently.
DoS/DDoS attack not lasting beyond 30 minutes contiguously or not impacting the customer service/digital channels ev
All of the above
18
Which of the following statements is correct regarding creation of Profile password using the Multilingual Image bas
The Profile password should be a combination of alphabets in two of the languages chosen
The Profile password should be a combination of alphabets (in the language chosen), and numerals and special charact
The Profile password should be a combination of alphabets (in the language chosen), and numerals and images
The Profile password should be a combination of alphabets (in the language chosen) and numerals
19
Which one of the following applications is not a threat to compromise confidentiality of the data of portable devices
Facebook
Air watch agent
WhatsApp
True caller
20
What are the ways you can report an unauthorised transaction (ATM) without visiting the branch?
Call dedicated number 1800 1111 09 also Can raise through https://crcf.sbi.co.in
Call the Branch
Call ATM Channel Manager OR ATM Channel Manager Facilitator linked to the ATM
Option a or c
21
Which of the following steps would not be a part of the planning for Work from home?
Ensuring the physical access to the systems room is restricted and monitored
Providing connectivity through a reputed service provider
Installing Anti-Virus in these systems
Arranging official laptops with proper configuration for the employees
22
Which of the following will not be considered as cyber incidents for reporting to RBI?
Incorrect accounting entries that are rectified subsequently
All the options will not be considered
Customer complaints related to frauds.
Physical tampering of ATMs
23
Select the correct statement in this case.
Ransomware Malware uses simple encryption codes to encrypt a victim’s files.
The patches could not stop the spreading malware
The motive for this Ransomware attack is always monetary
Ransomware Malware affects more devices in less time.
24
Which one of the following options is NOT a violation of acceptable usage policy?
The laptop was not protected by password
The laptop was kept open, and the desktop was not locked
There was a breach of critical and confidential data.
There was a data vulnerability due to lack of Anti-virus
25
What are the timelines for reporting of cyber incidents to RBI and other Statutory Authorities CERT-In & NCIIPC? Who
All cyber security incidents should be reported within 24 hours by Incident Response & Management Team
All cyber security incidents should be reported within 12 hours by Incident Response & Management Team
All cyber security incidents should be reported within 2 to 6 hours by Incident Response & Management Team
All cyber security incidents should be reported within 24 to 48 hours by Incident Response & Management Team
26
Which of the following options is an example of inappropriate use of the e-mail service?
Use of other officers' user ids or using a false identity.
Authorized exchange of proprietary information or confidential information
Use the accounts of others with their permission
Creation and exchange of e-mails information or content for official purpose.
27
Cyber security incidents can be reported
by any employee or public
by home branch only
by public
by any employee
28
Which method is NOT suggested to prevent new account fraud?
Ensure ATM Card connected to operational SB Account is blocked
Contact the bank immediately and ensure all the operating accounts are closed
Ensure to lock the internet banking user ID.
Applying the use of end-to-end encryption to protect online transactions.
29
What should be the minimum and maximum length of the login password in Retail Internet Banking?
Minimum length should be 6 characters and maximum length 15 characters
Minimum length should be 8 characters and maximum length 20 characters
Minimum length should be 6 characters and maximum length 20 characters
Minimum length should be 8 characters and maximum length 15 characters
30
Select the wrong statement.
For online meetings, Manage screen sharing options. Change screen sharing to “Host Only.” Avoid file sharing
Do not play online games on company devices as they may download trojans.
Secure your Wi-Fi router connections by enabling WPA2 + AES security
For web security, verify full URL by clicking the link, but do not give any personal/confidential information
DATA GOVERNANCE AND CYBER SECURITY MODULE 1
Q: Data Governance Policy is applicable to all the domestic offices of SBI including:
A: All of the above
Q: What is the frequency of the meeting for Data Governance Council-Business Unit/
Vertical (DGC-BU/V)?
A: Monthly
Q: At the time of account opening, it was found that Educational Qualification was not
mentioned by the customer in AOF, but it is a mandatory field in CBS
A: Teller should contact the customer and get the required details and then fill in CBS
Q: Data Management Officer is accountable for all Data Governance related activities of
their respective department
A: FALSE
Q: Which one of the following does NOT come under People factor in Data
Management practices?
A: Data Trainers
Q: Data Governance Policy is applicable to third parties having access to SBI network
and Data
A: TRUE
Q: Which among the following play major role in support of company-wide Data quality
initiatives?
A: People
Q: (i) Data Governance is about the rules how to build the content.
(ii) Data Privacy is about the rules how to protect and use the content.
A: Only (ii) is correct
Q: Against availability of sizeable number of eligible customers only few confirmed leads
could be generated for an Analytics based product. What could be the underlying
reason?
A: Poor Data Quality
Q: While creating new CIF, customer has given marital status, but as it is not mandatory
in CBS:
A: As the customer has given the details in AOF, teller should fill the same in CBS
Q: What is the frequency of the meeting for Data Governance Council-Business Unit/
Vertical (DGC-BU/V)?
A: Quarterly
Q: Inconsistent Data in Annual Income fields vis a vis customer profile may primarily result
in ________
A: Incorrect AML/CFT compliance
Q: Data Governance Policy is applicable to third parties having access to SBI network and
Data.
A: TRUE
Q: Against availability of sizeable number of eligible customers only few confirmed leads
could be generated for an Analytics based product. What could be the underlying reason?
A: Poor Data Quality
Q: Data Governance process includes activities as:
A: All of the above
Q: Which among the following play major role in support of company-wide Data quality
initiatives?
A: Regulators
Q: Data-driven business decisions are possible when _____ is involved in the Data
Governance.
A: Business Unit
Q: An SBI Card employee sitting in a branch asks for list of high value customers
along with Mobile numbers for telecalling to sell SBI cards for the Branch. Branch
may share the list with SBI Card employee.
A: FALSE
Q: While verifying the pop-up name of PAN holder in CIF creation screen
A: 1 & 3
Q: To boost the housing loan business of the branch, list of HNIs can be shared with
HLCs through:
A: Not to be shared
Q: India is coming with its own Bill on Data Protection which is called ___
A: Personal Data Protection Bill
Q: Branch has sanctioned a Car loan to one of its staff, but the loan instalment was
not fed in HRMS. The staff paid the instalment through his account and informed the
BM that a SI has been registered for the same.
A: Recovery of staff loan should be through HRMS only, so recovery details in
HRMS need to be updated
Q: What are the impacts of feeding incorrect date of birth of a customer in CBS
A: 1 & 2
Q: If a car dealer asks us for a list of customers having existing car loans, to market
loans for new cars for us, shall we share the list?
A: Cannot be shared
Q: DQI Index has been included as one of the Key Responsibility Areas (KRAs) in
Career Development System (CDS)
A: TRUE
Q: As per the Bank's approved "SOP on Data Sharing with External Agencies/ Third
Parties" which of the following is to be considered as "Third Party"
A: All the above are to be treated as Third Parties
DATA GOVERNANCE & CYBER SECURITY MODULE -2
Q: Data Quality Index (DQI) dashboard measures the Data Quality for-
A: CIFs & Loans
Q: As per the Bank's approved "SOP on Data Sharing with External Agencies/ Third
Parties" which of the following is NOT to be considered as "Third Party"
A: Internal Auditors
Q: Customer sensitive Granular Data can be copied and stored without any approval
A: FALSE
Q: What are the two important pillars of the SOP on 'Customer Sensitive Granular
Data Sharing and Access – Within Bank's Environment':
A: Regulated & Limited access
Q: Which of the following is not one of the functions of an effective Data Loss
Prevention (DLP) program
A: Follow-up with Data users for Data Quality enhancement
Q: For official purpose, if we are required to share customer sensitive data, then we
should:
A: Delete the data after use
Q: Which one is NOT an approved way of sharing granular Data/access Data under
normal circumstances:
A: E-mail
Q: What are the impacts of not verifying the pop-up name of PAN holder, while
fetching PAN details
A: 1 & 2
Q: Incorrect spelling of Customer name comes under which one of the following Data
Quality Dimension?
A: Accuracy
Q: A customer has submitted Voter Card as OVD, along with AOF. During the
scrutiny, it was found that the age of customer is less than 18
A: DOB on OVD and AOF, if same, then only account may be opened
Q: Capturing of incorrect CRA rating / ECR in a loan account may result in _____
A: Both 1 & 2
Q: Non capturing of PAN in CIF, even if furnished in the AOF, may result in ___
A: Both 1 & 2
Q: The access to Customer Sensitive Granular Data to the users should be made
strictly on the basis of-
A: Both 1 & 2
Q: What are the possible means by which Customer Sensitive Granular Data can get
divulged or leaked to any unrelated person / third party like vendors, dealers etc:
A: All of the above
DATA GOVERNANCE & CYBER SECURITY MODULE 3
Q: Which one of the following risks is not considered while evaluating a third party
vendor for risk assessment?
A: Market Risk
Q: Which one of the following is the leading illicit dark web marketplace which was
taken down by the FBI in what was considered then as a significant action on the Dark
web market?
A: Silk Road 2.0
Q: Which one of the following best describes a Man in the Middle (MITM) attack?
A: An attack used to monitor and potentially modify communications between two users
Q: Which of the following principles of the first of the CIA Triad Confidentiality is/are
Correct?
A: a, c and d
Q: Which of the following attacks is not categorised under Exploit based attacks?
A: Email hijacking
Q: If you click on the padlock sign in the Address bar. Which of the following information
will be available to you?
A: You will get information on who owns the site and who has verified the site
Q: Which one of the following statements is more appropriate in terms of Vendor risk
assessment?
A: Continuous assessment of Vendor security practices needs to be done throughout the
Contract life cycle.
Q: Cyber-attacks that originate through a third-party vendor are also called ________?
A: Supply chain attacks
Q: Which of the following may not be the signs that the Mobile Phone (Android/iOS) is
hacked?
A: All statements are signs that the Mobile phone is hacked
Q: Even if a user compromises his/her login credentials of OnlineSBI, no one can login
using this credential. What is the new security feature in OnlineSBI?
A: OTP has been made mandatory at the time of login
Q: Which of the following principles of the second of CIA Triad Integrity is/are Correct?
A: Use of a secure Hashing algorithm for the information ensures Integrity.
Q: Which one of the following is a precaution to be taken while operating the ATM?
A: Check if any extra suspicious device is attached to the ATM machine.
Q: Which of the following principles of the first of the CIA Triad Confidentiality is/are Correct?
A: a, b and d
Q: With the enhanced sharing of information over a global network for almost all life functions,
which one of the following
A: Non-repudiation
Q: The technique for sending SMS that appears to be initiated from the organization for KYC
updation, Account credit, Account
A: Spoofing
Q: The technique used to send the emails to all the employees of the Bank is known as
____________.
A: Spear Phishing
Q: Your friend fears that he has shared the user credentials of OnlineSBI with a stranger. It is a
Sunday and Bank is closed.
A: Change the password
Q: Which of the following principles of the second of CIA Triad Integrity is/are Correct?
A: a, c and d
Q: Which of the following browsers allows access to the Network which is popular for implementing encrypted
routing
A: Tor
Q: The fraudster gets the personal details of the people through _______technique.
A: Social engineering
Q: Ajit is doing a merchant transaction to pay the mobile bill. He selects net banking of SBI for making online
payment. He
A: It should start with https://www.onlinesbi.com
Q: If you want to change the username and password for your SBI Internet banking, which of the following
statements is
A: You cannot change the Username but he/she can change the password at any time
Q: A Cyber-Attack
A: option a & b
Q: _____________is used for obtaining unauthorized access to mobile phones via Bluetooth connection. Once
such a connection
A: Bluesnarfing
Q: SBI internet banking site provides a facility to bypass such keylogger malware. Identify the feature.
A: Online Virtual Keyboard
DATA GOVERNANCE & CYBER SECURITY MODULE 4
Q: Can we create the password in other regional language (Other than English and
Hindi) in Retail Internet Banking?
A: You can use the multilingual image based virtual keyboard in Hindi or English
only.
Q: Which one of the following options is not a violation of acceptable usage policy?
A: Receiving mails from his batchmate
Q: What is the "Time of detection of incident" for the purpose of reporting a cyber
incident to RBI, CERT-In & NCIIPC?
A: Time at which, the incident is brought to the knowledge of any official of AO,
including DGM & Module CISO
Q: Which of the following is NOT one of the best practices to maintain your
password?
A: Only difficult dictionary words should be used
Q: Select the wrong statement about the Acceptable usage policy (IS Policy) of our
Bank?
A: Successful backup of critical applications or data should be ensured yearly and to
be kept offsite.
Q: The time at which the cyber incident is brought to the knowledge of any official of
__________ shall be treated as time of detection of incident.
A: Information Security Dept. CC Mumbai
Q: Which of the following options is crucial in any UPI fraud related to Collect
request?
A: option a & b
Q: Which of the following options is NOT a best password security practice?
A: Change your password, only if you suspect it may have been exposed
Q: Which one of the following is the most important aspect for an organization as big
and global as SBI to protect itself from cyber security attacks and subsequent loss of
brand image?
A: A training awareness program that would provide education and guidance on a
range of information security topics to all the internal users of its systems and
applications.
Q: Which one of the following options does not substantiate the Acceptable Usage Policy of our Bank?
A: However, Mobile and laptop given to the staff for personal holding have exceptions to the policy.
Q: Websites use CAPTCHA to avoid password guessing by automated tools to prevent from
_______.
A: Dictionary Attack
Q: Which one of the following options is not a concern for password security?
A: In case of any breach in a Social Media Handle, delete your Social Media Account instead of
changing the password.
Q: Which of the following incident(s) should be reported to RBI, CERT-In & NCIIPC?
A: All of the above
Q: If a Bank always allows some of the employees to bring their own laptops, smart phones, tablets
etc. to office for office use
A: Bring Your Own Device
Q: Select the wrong statement about the Acceptable usage policy (IS Policy) of our Bank?
A: All are true
Q: Which of the following statements is not true about Acceptable usage policy (IS Policy) of our
Bank?
A: Employee’s mobile devices need not have Antivirus software
Q: The company asked their employees to use their own devices and internet access while
working from home. List some devices of the employees (iii) Asking the employees to use
enterprise VPN
A: Options (i) , (ii) and (iii) are necessary
Q: Which one of the following options is not considered as incident for reporting to RBI, NCIIPC
and CERT-In?
A: All of the above
Q: Which of the following statements is correct regarding creation of Profile password using the
Multilingual Image based
A: The Profile password should be a combination of alphabets (in the language chosen), and
numerals and special characters
Q: Which one of the following applications is not a threat to compromise confidentiality of the
data of portable devices?
A: Air watch agent
Q: What are the ways you can report an unauthorised transaction (ATM) without visiting the
branch?
A: Call dedicated number 1800 1111 09 also Can raise through https://crcf.sbi.co.in
Q: Which of the following steps would not be a part of the planning for Work from home?
A: Ensuring the physical access to the systems room is restricted and monitored
Q: Which one of the following options is NOT a violation of acceptable usage policy?
A: There was a data vulnerability due to lack of Anti-virus
Q: What are the timelines for reporting of cyber incidents to RBI and other Statutory Authorities
CERT-In & NCIIPC? Who
A: All cyber security incidents should be reported within 2 to 6 hours by Incident Response &
Management Team
Q: Which of the following options is an example of inappropriate use of the e-mail service?
A: Use of other officers' user ids or using a false identity.
b. false
b. CONFIDENTIAL
c. INTERNAL
d. PUBLIC
c. Both 1 & 2
d. Neither 1 nor 2
b. CONFIDENTIAL
c. INTERNAL
d. PUBLIC
b. Need-To-Access
c. Both 1 & 2
d. Neither 1 nor 2
b. CGM (DMO)
c. GM & CDMO
b. FALSE
b. Analytical Models
c. Both 1 & 2
d. Neither 1 nor 2
10. What are the impacts of not verifying the pop-up name of PAN
holder, while fetching PAN details
a. PAN of any other person could be fed in the system
b. Feeding incorrect PAN details could lead to mis-match of TDS details of the customer
c. 1 & 2
d. No impact of not verifying the pop-up name of PAN holder, while fetching PAN details
b. Reputational damage
c. Regulatory strictures
12. A customer has submitted Voter Card as OVD, along with AOF.
During the scrutiny, it was found that the age of customer is less than 18
a. OVD can be accepted
b. DOB on OVD and AOF, if same, then only account may be opened
13. DQI Index has been included as one of the Key Responsibility Areas
(KRAs) in Career Development System (CDS)
a. TRUE
b. FALSE
c. Both 1 & 2
d. Neither 1 nor 2
15. As per the Data Governance Policy, Data Governance Officer (DGO)
needs to be nominated/designated at -
a. Circle
b. Administrative Office
c. RBO
b. CGM (Compliance)
b. To define the roles and responsibilities for Data stakeholders, and to establish clear lines of
accountability.
18. To boost the housing loan business of the branch, list of HNIs can be
shared with HLCs through:
a. Email
b. Physical copy
c. Not to be shared
d. Pen drive
c. Either 1 or 2
c. Either 1 or 2
b. 2 DAYS
c. 5 DAYS
d. 7 DAYS
b. Real Time
c. Virtual Time
d. System
24. What are the main sources for low Data Quality?
a. Initial Data Conversion
b. Manual Data Entry
c. Batch Feed
b. CONFIDENTIAL
c. INTERNAL
d. PUBLIC
c. i only
d. None of above
b. CONFIDENTIAL
c. INTERNAL
d. PUBLIC