BCS Level 4 Certificate in Governance, Organisation, Law, Regulation and Standards
QAN 603/0855/2
Specimen Paper

Record your surname/last/family name and initials on the Answer Sheet.

Specimen paper only. 20 multiple-choice questions. 1 mark awarded to each question. Mark only one answer for each question. There are no trick questions.

A number of possible answers are given for each question, indicated by either ... or ... . Your answers should be clearly indicated on the Answer Sheet.

The pass mark is 13/20.

This is a specimen examination paper only. The full paper will contain 40 questions with a pass mark for the full paper of 26/40.

Copying of this paper is expressly forbidden without the direct approval of BCS, The Chartered Institute for IT.

Copyright BCS 2016 Page 1 of 8
1. Who are the responsible officers within the HMG Information Governance Framework?
   a) Chief Executive.
   b) Accounting Officer.
   c) Accreditor.
   d) Senior Information Risk Owner.

   A. a, c and d only.
   B. a, b and c only.
   C. b, c and d only.
   D. a, b and d only.

2. The Microsoft Corporation versus United States of America (2013) case, colloquially known as the Microsoft Ireland case, was concerned with which matter of international law?
   A. The applicability of data disclosure warrants served on the US parent of an EU company for access to personal data stored in the EU.
   B. The application of anti-trust provisions in US law to a US company's activities in the European Union.
   C. The responsibility of a US company to inform EU citizens of the disclosure of their personal information when demanded by a US warrant.
   D. Microsoft's circumvention of privacy features built in to common browsers to allow the continued use of directed advertising.

3. Which of the following certifications are specifically concerned with Data Centre security?
   a) SOC 2.
   b) ANSI/TIA 942-A.
   c) BS EN 50600-2-5.
   d) ISO/IEC 20648 (it's a standard for Data Storage devices in general).

   A. a and d only.
   B. b and d only.
   C. a only.
   D. c only.
4. Who is accountable for information security within an ISO27001 certified organisation?
   A. The Information Security Manager.
   B. Everybody.
   C. The Board.
   D. The Data Protection Officer.

5. PCI-DSS forbids the storage of what sort of data?
   A. Card Holder Data (CHD).
   B. Personally Identifiable Information (PII).
   C. Primary Account Number (PAN).
   D. Sensitive Authentication Data (SAD).

6. Which of the following activities is core to a Security Operations Centre?
   A. Resetting a user's password.
   B. Reviewing a rejected attempt to access a sensitive document.
   C. Provisioning a new user's access.
   D. Allowing a user exceptional access to another user's online calendar.

7. A resident of a nursing home is being treated for a serious, but not life-threatening, condition in hospital. Prior to discharge, the consultant wishes to share information about the resident's condition with the nursing home. Which is the MOST appropriate answer?
   A. The consultant can share relevant information on the resident's condition and ongoing treatment with medical staff who are employed by the nursing home.
   B. The consultant must first get the explicit and informed consent of the patient, then relevant information may be shared with the nursing home.
   C. The consultant can only give information regarding ongoing treatment that the patient cannot share themselves.
   D. The consultant can share relevant information if it is covered by a Data Sharing Agreement between the hospital and the nursing home.
8. An employee has been accused of running their own business in work time and using work IT. The organisation, which is NOT a law enforcement body, wishes to investigate in accordance with their disciplinary policy. Which law or regulatory guidance is MOST pertinent?
   A. Police and Criminal Evidence Act 1984.
   B. Information Commissioner's Employment Practices Code.
   C. Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000.
   D. Regulation of Investigatory Powers Act 2000.

9. Which of the following types of devices would USUALLY be certified under the CESG Assisted Product Scheme (CAPS)?
   A. Firewalls.
   B. Cryptographic Link Encryptors.
   C. Intrusion Detection Systems.
   D. Intrusion Protection Systems.

10. Which new offence under the Computer Misuse Act was created by the Serious Crime Act 2015?
   A. Unauthorised acts causing, or creating risk of, serious damage.
   B. Unlawful obtaining etc. of personal data.
   C. Making, supplying or obtaining articles for use in offence under sections 1 or 3.
   D. Unauthorised access with intent to commit or facilitate commission of further offences.
11. What is the name of the replacement scheme for the EU / US Safe Harbour Agreement?
   A. Safe Harbour 2.
   B. Privacy Guard.
   C. Safe Guard.
   D. Privacy Shield.

12. Which is the BEST order for implementing an ISO27001 compliant ISMS?
   a) Risk assessment.
   b) Executive sponsorship.
   c) Controls selection.
   d) Scoping.

   A. a, b, c, d.
   B. a, c, d, b.
   C. b, d, a, c.
   D. d, b, c, a.

13. What is the name of the international agreement which is similar to the US ITAR regulations?
   A. London.
   B. Vienna.
   C. Chicago.
   D. Wassenaar.
14. Which of the following are significant aspects introduced by the General Data Protection Regulation?
   a) Changes to the meaning of consent.
   b) The accountability principle.
   c) The right to be forgotten.
   d) Mandatory breach reporting.

   A. a, b and c only.
   B. a, b and d only.
   C. a, c and d only.
   D. b, c and d only.

15. The Data Protection Act 1998 s29 exemption, for notifying data subjects about data disclosures, applies to which of the following?
   A. National Security.
   B. Health, Education and Social Work.
   C. Crime and Taxation.
   D. Transfers to parent organisations.

16. The project officer, in charge of an organisation's ISO27001 compliance programme, has been asked to advise a small customer finance office that is currently struggling to achieve PCI-DSS certification. What might the project officer suggest as the BEST way forward?
   A. The finance office should carry on with PCI-DSS as that will be sufficient for ISO27001 compliance.
   B. The finance office should stop PCI-DSS certification as ISO27001 compliance will be sufficient.
   C. The finance office should be removed from the ISO27001 scope until they have achieved PCI-DSS as the standards are significantly different.
   D. The finance office should continue with both ISO27001 and PCI-DSS compliance efforts as the standards are very similar.
17. Which ISO/IEC standard specifically covers cloud services?
   A. ISO/IEC 27002.
   B. ISO/IEC 27015.
   C. ISO/IEC 27017.
   D. ISO/IEC 25999.

18. The Information Commissioner COULD issue a monetary penalty under s55 of the Data Protection Act 1998 for which of the following breaches of the Act?
   A. Failure to notify the Commissioner that the organisation is processing personal data.
   B. Unlawfully obtaining personal data.
   C. A significant data loss uncovered as a result of a s41 assessment notice.
   D. A negligent breach of Principle 1 that might cause substantial distress.

19. Who does an expert witness act on behalf of?
   a) The prosecuting legal team.
   b) The defence legal team.
   c) The court.
   d) The Crown Prosecution Service.

   A. a and b.
   B. c only.
   C. a and d.
   D. d only.

20. Which of the following is NOT an example of the principle of least privilege?
   A. A personal assistant having delegate access to their boss's calendar.
   B. A web-server instance running within a chroot environment.
   C. A system administrator being required to log in as a normal user and then use sudo or Run As.
   D. An SNMP daemon running with local system administration privileges.
-End of Paper-