9/5/23, 9:18 AM Content

Points: 2
1. Multiple Answer: Accountability: In the context of information securit...
Question: In the context of information security management systems, which (all) of the following best describe(s) the term ‘accountability’?
Answer:
a. Ensuring that access to assets is authorized and restricted based on business and security requirements
b. Assignment of actions and decisions to an entity
c. Assurance that a claimed characteristic of an entity is correct
d. Property that an entity is what it claims to be

Points: 2
2. Multiple Answer: Chance of materialization of threat: Which of the following terms best des...
Question: Which of the following terms best describes the chances that a threat to an information system will materialize?
Answer:
a. Threat
b. Vulnerability
c. Weakest link
d. Risk

Points: 2
3. Multiple Answer: Common criteria: Which of the following is/are NOT TRU...
Question: Which of the following is/are NOT TRUE about Common Criteria?
Answer:
a. it ensures that claims about the security attributes of the evaluated product were independently verified
b. it ensures that a minimal time is required to obtain certification
c. it ensures the security of the evaluated product
d. it ensures that the product can be sold in multiple countries

https://ntulearn.ntu.edu.sg/ultra/courses/_2646668_1/cl/outline 1/7

Points: 2
4. Multiple Answer: Corrective controls: Which of the following is/are correct...
Question: Which of the following is/are corrective controls?
Answer:
Intrusion detection
Audit
Disaster recovery
Re-training
Replacement

Points: 2
5. Multiple Answer: Defense in Depth: Which of the following is/are NOT dir...
Question: Which of the following is/are NOT directly addressed in the defence in depth doctrine for information security?
Answer:
a. Three mandatory activities of prevention, detection, and response should be present in a security system
b. Defense in depth should encompass people, technology and operations
c. The aspects of whether information is being stored, communicated or processed should be discerned when designing security.
d. Information access should be based on least privilege, and thus compartmentalization and need to know should be implemented.
e. Security system design should embrace ease of usage as the most important criterion

Incorrect Feedback: The following are NOT directly relevant:
• The aspects of whether information is being stored, communicated or processed should be discerned when designing security.
• Information access should be based on least privilege, and thus compartmentalization and need to know should be implemented.
• Security system design should embrace ease of usage as the most important criterion

Points: 2
6. Multiple Answer: IT security requirements: Which of the following best represent...
Question: Which of the following best represents the two types of IT security requirements?
Answer:
a. Functional and logical
b. Functional and assurance
c. Functional and physical
d. Logical and physical

Correct Feedback: Functional (what do we want to have?) and assurance (how do we validate that we indeed have what was intended?)

Incorrect Feedback: Functional (what do we want to have?) and assurance (how do we validate that we indeed have what was intended?)

Points: 2
7. Multiple Answer: Information security goals: Which of the following represents att...
Question: Which of the following represents attributes/goals of information security?
Answer:
a. Prevention, detection, and response
b. People controls, process controls, and technology controls
c. Network security, system security, and application security
d. Availability, Integrity, Authenticity

Points: 2
8. Multiple Answer: Need to know: The principle of ‘need to know’ in in...
Question: The principle of ‘need to know’ in information security advocates that each user should have access to only as much information as needed to carry out the tasks they are assigned, and no more (least privilege access). Which of the following is/are potential shortcomings or drawbacks of such an approach to security?
Answer:
a. It is not always obvious what might be adequate information to carry out a task
b. It may be difficult to assess and grant access in a timely manner not to disrupt functionality
c. It violates transparency, and organizations should always disclose all information to every employee
d. It is not feasible to carry out security audit if need to know is implemented

Points: 2
9. Multiple Answer: Policy: In the context of information securit...
Question: In the context of information security management systems, which of the following best describes the term ‘policy’?
Answer:
a. overall intention and direction as formally expressed by management
b. specification of the way to carry out an activity or a process
c. property of consistent intended behavior and results
d. activity undertaken to determine the adequacy and effectiveness of the subject matter to achieve established objectives

Points: 2
10. Multiple Answer: Purpose of a control: In the context of information securit...
Question: In the context of information security management systems, which of the following is/are NOT standard classification(s) of the purpose of a control:
Answer:
a. prevent
b. predict
c. audit
d. detect

Points: 2
11. Multiple Answer: Risk: In the context of information securit...
Question: In the context of information security management systems, which of the following best describe(s) the term ‘risk’?
Answer:
Financial implication of a security incident expressed in terms of the combination of consequences and their likelihood
chance of something happening
effect of uncertainty on objectives
non-fulfillment of a requirement

Points: 2
12. Multiple Answer: Security goal assurance: Which of the following terms best des...
Question: Which of the following terms best describes the assurance that data has not been changed unintentionally due to an accident or malice?
Answer:
a. Utility
b. Availability
c. Control
d. Integrity

Points: 2
13. Multiple Answer: Security requirements: Security functional requirements desc...
Question: Security functional requirements describe which of the following?
Answer:
a. How to implement the system
b. What controls a security system must implement
c. What a security system should do by design
d. How to test the system

Points: 2
14. Multiple Answer: Shortcomings of standards: Why might adherence to standards be i...
Question: Why might adherence to standards be inadequate to meet information security objectives?
Answer:
a. Standards take a long time to develop and ratify, and may not cover every issue. Thus only adherence to standards may lead to a false sense of safety (complacency) in an organization.
b. Compliance to standards is expensive, and creates too much bureaucracy.
c. There are too many standards, and one never knows which ones are to be complied with.
d. Standards provide actionable guideline on what to do, and are actually useful for meeting security objectives.
e. certification provides assurance and acceptability of the product in the global market

Points: 2
15. Multiple Answer: Weakness in a system: Which of the following terms best des...
Question: Which of the following terms best describes the weakness in a system that may possibly be exploited?
Answer:
a. Risk
b. Threat
c. Vulnerability
d. Weakest link