What is the primary purpose of an audit checklist?
a) To assign monetary value to information.
b) To ensure a systematic and consistent review process.
c) To analyze external market opportunities.
d) To securely destroy data.
b) To ensure a systematic and consistent review process.
An Information Asset Register (IAR) is essentially a(n) ________ of an organization's information.
a) usage policy
b) security protocol
c) inventory
d) backup plan
c) inventory
In a SWOT analysis, what does the 'W' stand for?
a) Workflow
b) Weaknesses
c) Worldwide
d) Warning
b) Weaknesses
Which of the following is an example of an external factor in a SWOT analysis?
a) Company culture
b) Employee skill level
c) New government regulations
d) Outdated internal software
c) New government regulations
The final stage of the information lifecycle is typically:
a) Creation
b) Use
c) Archiving
d) Disposition
d) Disposition
Assigning an "owner" in an IAR helps to establish:
a) Monetary value
b) Responsibility and accountability
c) The physical location of the asset
d) The format of the information
b) Responsibility and accountability
A "server failure" is an example of a potential:
a) Risk
b) Asset
c) Opportunity
d) Strength
a) Risk
What is the first stage in the information lifecycle?
a) Sharing
b) Archiving
c) Creation/Capture
d) Storage
c) Creation/Capture
Which tool is best suited for identifying and listing all of an organization's databases and their locations?
a) SWOT Analysis
b) Risk Assessment Matrix
c) Information Asset Register
d) Audit Checklist
c) Information Asset Register
A 'phishing attack' is best described as a(n):
a) Threat
b) Vulnerability
c) Asset
d) Opportunity
a) Threat
An auditor notes that "Staff have not received data protection training." In a risk assessment, this would be classified as a:
a) Threat
b) Vulnerability
c) Impact
d) Risk control
b) Vulnerability
A company identifies that a new cloud technology could significantly reduce its data storage costs. In a SWOT analysis, this should be listed as a(n):
a) Strength
b) Weakness
c) Opportunity
d) Threat
c) Opportunity
An invoice that is no longer needed for daily operations but must be kept for tax purposes should be moved to which stage of the information lifecycle?
a) Use
b) Create
c) Archive
d) Dispose
c) Archive
A hospital's patient records database is extremely valuable and frequently targeted by cyberattacks. Using the formula Risk = Threat x Vulnerability x Asset Value, if the asset value is very high, the resulting risk will be:
a) Always low, regardless of other factors.
b) High, even if threats and vulnerabilities are low.
c) Negligible.
d) Dependent on the combination of threat and vulnerability levels.
d) Dependent on the combination of threat and vulnerability levels.
An audit checklist for PDPA compliance reveals that there is no process for handling 'right to be forgotten' requests. This finding directly points to a failure in:
a) Information asset valuation.
b) The 'Dispose' phase of the information lifecycle.
c) Adherence to legal and regulatory requirements.
d) Leveraging an external opportunity.
c) Adherence to legal and regulatory requirements.
A company decides to purchase cybersecurity insurance to cover potential losses from a data breach. This is an example of which risk treatment strategy?
a) Risk Mitigation
b) Risk Avoidance
c) Risk Acceptance
d) Risk Transfer
d) Risk Transfer - Purchasing cybersecurity insurance does not reduce or eliminate the risk itself, but it transfers the financial impact of the risk to the insurance provider.
When conducting an Information Lifecycle Analysis for employee contracts, the 'Dispose' stage would be dictated primarily by:
a) The employee's preference.
b) The cost of storage.
c) Labor laws and statutory retention periods.
d) The company's internal IT policy.
c) Labor laws and statutory retention periods.
You are creating an Information Asset Register. The entry 'Chief Financial Officer' would most likely appear in which column for the "Annual Financial Report" asset?
a) Asset Name
b) Owner
c) Location
d) Format
b) Owner
A SWOT analysis reveals that your company's main competitor just suffered a major data breach, damaging its reputation. For your company, this situation is best classified as a(n):
a) Strength
b) Threat
c) Weakness
d) Opportunity
d) Opportunity
An audit checklist item asks, "Is data encrypted during transit?" This item is primarily concerned with the ________ of information.
a) valuation
b) ownership
c) security
d) destruction
c) security
A company has a comprehensive, well-maintained Information Asset Register but fails to use it as an input for its risk assessment process. What is the most likely consequence?
a) The company will overestimate its strengths in a SWOT analysis.
b) The risk assessment will be incomplete, as critical assets and their values are not systematically considered.
c) The information lifecycle for all assets will be shortened.
d) The audit checklist will become redundant.
b) The risk assessment will be incomplete, as critical assets and their values are not systematically considered.
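The two preceding questions (the Risk = Threat x Vulnerability x Asset Value formula, and the IAR as an input to risk assessment) can be tied together in a short script. This is an added example, not part of the quiz: it feeds a small Information Asset Register into a scoring pass, ranks assets by the formula, and flags any IAR asset the assessment team never rated. The asset names, owners, locations, and 1-5 ratings are constructed for illustration; the `assess` function and `RiskEntry` class are names chosen here, not from any standard or tool.

```python
"""Added example: use the Information Asset Register (IAR) as the input
to a quantitative risk assessment, scoring each asset with
Risk = Threat x Vulnerability x Asset Value and reporting IAR assets
that were never assessed. All data below is constructed for illustration."""

from dataclasses import dataclass

# Constructed IAR extract. 'value' is the asset value on a 1-5 scale,
# as a governance team might rate it; owner and location are IAR columns.
IAR = [
    {"asset": "Patient records database", "owner": "Chief Medical Information Officer",
     "location": "DC-1 SQL cluster", "value": 5},
    {"asset": "Annual Financial Report", "owner": "Chief Financial Officer",
     "location": "Finance file share", "value": 4},
    {"asset": "Cafeteria menu", "owner": "Facilities Manager",
     "location": "Intranet", "value": 1},
    {"asset": "Employee contracts", "owner": "HR Director",
     "location": "HRIS", "value": 4},
]

# Constructed threat and vulnerability ratings (1-5) from the assessment
# workshop. Deliberately missing "Employee contracts": the workshop did
# not work from the IAR, so a high-value asset was never considered.
ASSESSMENT = {
    "Patient records database": {"threat": 5, "vulnerability": 2},
    "Annual Financial Report": {"threat": 2, "vulnerability": 2},
    "Cafeteria menu": {"threat": 3, "vulnerability": 5},
}


@dataclass(frozen=True)
class RiskEntry:
    """One scored line of the risk register (name chosen for this example)."""
    asset: str
    owner: str
    threat: int
    vulnerability: int
    value: int

    @property
    def score(self) -> int:
        # The page's formula: Risk = Threat x Vulnerability x Asset Value.
        return self.threat * self.vulnerability * self.value


def assess(iar, assessment):
    """Score every IAR asset that has ratings; collect those that do not.

    Returns (entries sorted by descending risk score, names of unassessed assets).
    The second list is the gap the quiz question warns about: assets in the
    register that the risk assessment never systematically considered."""
    scored, unassessed = [], []
    for row in iar:
        ratings = assessment.get(row["asset"])
        if ratings is None:
            unassessed.append(row["asset"])
            continue
        scored.append(RiskEntry(row["asset"], row["owner"],
                                ratings["threat"], ratings["vulnerability"],
                                row["value"]))
    scored.sort(key=lambda e: e.score, reverse=True)
    return scored, unassessed


if __name__ == "__main__":
    entries, missing = assess(IAR, ASSESSMENT)
    for e in entries:
        print(f"{e.score:4d}  {e.asset} (owner: {e.owner})")
    for name in missing:
        owner = next(r["owner"] for r in IAR if r["asset"] == name)
        print(f"UNASSESSED: {name} (owner: {owner}) - raise with the asset owner")
```

Two things the run shows that the quiz questions only state. First, the highest-value asset does not automatically top the register: a patient database rated threat 1, vulnerability 1, value 5 scores 5, below a trivial asset with weak controls and an active threat. Second, walking the IAR rather than the workshop notes is what surfaces "Employee contracts" as unassessed; the owner column then tells you who must supply the missing ratings.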
A SWOT analysis identifies a key 'Weakness' as having no formal information retention policy. Which other tool would be most directly impacted and difficult to implement correctly because of this weakness?
a) Risk Assessment, as the impact of data loss cannot be calculated.
b) Audit Checklist, as there is no standard to audit against.
c) Information Asset Register, specifically the 'retention period' field.
d) All of the above.
c) Information Asset Register, specifically the 'retention period' field.
A risk assessment identifies a high-impact, low-likelihood risk. The organization has a limited budget. What is the most prudent course of action?
a) Ignore the risk because it is unlikely to happen.
b) Implement expensive controls immediately to mitigate the risk to zero.
c) Formally accept the risk and create a contingency plan in case it occurs.
d) Avoid the activity that gives rise to the risk, even if it is a core business function.
c) Formally accept the risk and create a contingency plan in case it occurs.
Two departments are audited. Department A uses a formal audit checklist. Department B uses unstructured interviews. Department A's audit is more likely to be:
a) Faster but less detailed.
b) More creative and flexible.
c) More consistent, repeatable, and easily compared to future audits.
d) Less effective at identifying systemic issues.
c) More consistent, repeatable, and easily compared to future audits.
The concept of an "Information Asset Register" is most fundamentally linked to the principle that:
a) All information must be destroyed after 7 years.
b) Information is a valuable business asset that must be managed and protected.
c) All risks can be completely eliminated with technology.
d) SWOT analysis is only useful for financial planning.
b) Information is a valuable business asset that must be managed and protected.