1. Which of the following is an appropriate description concerning biometric
authentication?
a) If margin for error in matching with the authentication data is made larger, both the
possibility of rejecting an authorized person and the possibility of accepting an
unauthorized person become smaller.
b) It eliminates the need to remember IDs and passwords for authentication, and the
need to carry keys or cards.
c) It cannot be used with other authentication methods such as passwords or tokens.
d) The effective period in which retina pattern and finger vein pattern can be used for
authentication is short because they change greatly over years.
2. Which of the following is an explanation of spyware?
a) It is a scam where money is demanded just by viewing a web site or clicking an
image on it.
b) It is a mechanism where an attacker packages attack tools such as log removal or a
back door and hides them in a PC so that the attacker can use them after intrusion.
c) It is a program that infects a large number of PCs and performs actions such as
simultaneous attacks by illegitimately operating the PCs as instructed over a
network.
d) It is a program that is installed without the user knowing and collects information
such as the user’s personal information and access history.
3. Which of the following is an appropriate disposal method for media that stores
confidential information to ensure that information leakage does not occur?
a) CDs and DVDs are destroyed and then are disposed of.
b) A PC is disposed of with its CPU being destroyed.
c) USB memory is disposed of with its files and folders being deleted.
d) Paper documentation is not reused as memo paper and is sealed in a confidential
envelope and then is disposed of together with general trash.
4. Among confidentiality, integrity, and availability, which of the following is the list
that contains all and only the properties that are lost in the information security
incident below?
All of the files on a server in the workplace were encrypted and saved. However, the
server was infected by a virus, and a number of the files were deleted. Elimination of
the virus and recovery of the files required several hours. During the hours, work
could not be performed, and users were inconvenienced. Some files were unable to be
recovered.
a) Confidentiality b) Confidentiality, integrity
c) Integrity, availability d) Availability
5. A document file that is stored on a file server is directly edited on a PC and then an
attempt is made to overwrite the file, but the message “You do not have permission,
so the file cannot be saved” is displayed. Which of the following is the appropriate
combination of permissions that were set for the document file and the folder that it is
stored in?
6. During the use of a PC in the workplace, a message was displayed stating that antivirus
software had detected a virus. Which of the following is an appropriate action that
should be taken immediately?
a) Reboot of the PC
b) Notification to the workplace by e-mail from the PC
c) Disconnection of the PC from networks
d) Backup of files on the PC
7. Among the threats and vulnerabilities in information security, which of the following
is a vulnerability?
a) Computer virus b) Social engineering
c) Tapping of communications data d) Inappropriate password management
8. Which of the following is an appropriate description concerning a scheme for
authenticating a user of a system?
a) A scheme where authentication is accomplished by utilizing a password that can be
used only once is called a single sign-on.
b) A scheme where the use of multiple servers or applications is authorized by being
authenticated once is called a one time password.
c) A scheme where a sequence of numbers or characters that are placed on positions
that the user remembers within a table on the screen is entered as a password is called a
matrix authentication.
d) A scheme where authentication of the user is accomplished by using fingerprints,
voiceprint, or other physical characteristics is called a challenge-response
authentication.
9. Which of the following is the list that contains all appropriate features of chain mail?
A: It is used for the purposes of communication and information sharing within a
group.
B: It places a wasteful load on network servers.
C: The same e-mail is repeatedly replied to.
D: The text of the e-mail encourages forwarding of the e-mail to many people.
a) A, C b) A, D c) B, C d) B, D
10. Which of the following is the appropriate combination of terms or phrases to be
inserted into blanks A and B in the description below concerning authentication
accuracy in biometric authentication?
In biometric authentication, the probability of incorrectly rejecting the relevant
person is called the false rejection rate, and the probability of incorrectly accepting
another person is called the false acceptance rate. The rate that an authentication
device or algorithm cannot recognize biometric information is called the unsupported
rate.
In the settings for authentication accuracy, setting A lower increases
convenience, and setting B lower increases security.
11. In ISMS risk assessment, which of the following is performed first?
a) Risk treatment b) Risk identification
c) Risk evaluation d) Risk analysis
12. When information security management is based on the PDCA cycle, which of the
following corresponds to C?
a) The objectives, processes, and procedures for information security are established.
b) Improvement is made through corrective and preventive actions on the basis of an
evaluation.
c) Processes and procedures are introduced and operated.
d) Effectiveness of the processes is measured and evaluated.
13. Which of the following contains all and only the authentication methods where the
information required for the authentication does not have to be changed or updated
regularly?
A Iris recognition
B Authentication with a digital certificate
C Password authentication
a) A b) B c) C d) A, B
14. Concerning information security, which of the following is an event where
availability is compromised?
a) A USB memory that stores a copy of confidential information was stolen.
b) A customer information management system has been operated with incorrect
customer information.
c) An in-house server was hacked and confidential information was leaked.
d) An electronic payment system for business partners suffered a DoS attack and
became unable to perform processing.
15. Which of the following is the name given to a file that is provided to fix a software
problem?
a) Pattern file b) Backup file
c) Batch file d) Patch file
16. One advantage of an application-level firewall is the ability to
A. filter packets at the network level.
B. filter specific commands, such as http:post.
C. retain state information for each packet.
D. monitor tcp handshaking.
17. Which of the following is an example of two factor authentication?
A. PIN Number and Birth Date
B. Username and Password
C. Digital Certificate and Hardware Token
D. Fingerprint and Smartcard ID
18. What is a successful method for protecting a router from potential smurf attacks?
A. Placing the router in broadcast mode
B. Enabling port forwarding on the router
C. Installing the router outside of the network's firewall
D. Disabling the router from accepting broadcast ping messages
19. Which of the following is an example of IP spoofing?
A. SQL injections
B. Man-in-the-middle
C. Cross-site scripting
D. ARP poisoning
20. How can a policy help improve an employee's security awareness?
A. By implementing written security procedures, enabling employee security training,
and promoting the benefits of security
B. By using informal networks of communication, establishing secret passing
procedures, and immediately terminating employees
C. By sharing security secrets with employees, enabling employees to share secrets,
and establishing a consultative help line
D. By decreasing an employee's vacation time, addressing ad-hoc employment
clauses, and ensuring that managers know employee strengths
21. Which of the following is the most appropriate explanation of the operation that
spyware is meant to perform?
a) To destabilize the operation of the OS and software
b) To delete files from the file system without user consent
c) To hijack the browser and forcefully execute a particular operation
d) To collect personal information without being noticed by users
22. Which of the following can be made possible by using a digital signature in
e-commerce?
a) Preventing an unintended third party from accessing any confidential file
b) Checking that a file is not infected with a virus or other malicious software
c) Protecting the content of a transaction from being leaked through wiretapping
d) Confirming the identity of a partner and the correctness of the details of a
transaction
23. Which of the following is an appropriate purpose of using HTTPS for accessing a
Web page?
a) To receive all data of one screen effectively through a single connection
b) To secure communications by authenticating the server and encrypting data
c) To shorten the communication time by compressing data
d) To use a dynamically generated Web page in communications
24. Which type of security document is written with specific step-by-step details?
A. Process
B. Procedure
C. Policy
D. Paradigm
25. It is a kind of malware (malicious software) that criminals install on your computer so
they can lock it from a remote location. This malware generates a pop-up window,
webpage, or email warning from what looks like an official authority. It explains that
your computer has been locked because of possible illegal activities on it and
demands payment before you can access your files and programs again.
Which of the following terms best matches the definition?
A. Ransomware
B. Adware
C. Spyware
D. Riskware
26. Which of the following is the threat that can be prevented by encrypting data?
a) Deletion of data because of an operational error
b) Social engineering
c) Tapping of communication content
d) DoS attack on the server in which data is stored
27. Which of the following is an appropriate operation example of a server room where
security should be maintained?
a) In order to simplify management, an ID card for entry and exit is issued to each
department, not to individuals.
b) In order to make it possible for all employees and visitors to see where the server
room is, a room name sign is posted at the entrance.
c) In order to prevent leakage of entry and exit information, entry and exit records are
not collected.
d) In order to prevent unauthorized activities, working in a server room is not allowed
when a supervisor is absent.
28. What is the best description of SQL Injection?
A. It is an attack used to gain unauthorized access to a database.
B. It is an attack used to modify code in an application.
C. It is a Man-in-the-Middle attack between your SQL Server and Web App Server.
D. It is a Denial of Service Attack.
29. Which of the following is a low-tech way of gaining unauthorized access to systems?
A. Social Engineering
B. Sniffing
C. Eavesdropping
D. Scanning
30. Which method of password cracking takes the most time and effort?
A. Brute force
B. Rainbow tables
C. Dictionary attack
D. Shoulder surfing