Cyber Security Exam 2022


1) What are the roles and responsibilities of the Board of Directors?
a) Ensuring that the ICT strategy is aligned with business strategy.
b) Approving ICT strategy and policy documents.
c) Ensuring that the management has placed an effective planning process.
√ d) All of the above

2) What are the roles and responsibilities of the ICT Steering Committee?
a) Ensure compliance to regulatory/statutory requirements
b) Consult and advise on selection of standard technology
c) Provide guidance related to risk, funding, or sourcing
√ d) All of the above
e) Monitor management methods to determine and achieve strategic goals

3) What are the roles and responsibilities of the ICT Security Committee?
a) Support to formulate ICT risk management framework.
b) Provide management support to the ICT security processes.
c) Ensure development and implementation of ICT security objectives, related policies and procedures.
d) Periodic review and approval for modification in ICT Security processes.
√ e) All of the above

4) Who will approve the ICT Security Guideline?
√ a) Board of Directors
b) Executive Committee
c) Risk Management Committee
d) Management Committee

5) What is the frequency of updating the policy?
√ a) Yearly
b) Half yearly
c) After any major changes
d) Ad hoc basis

6) Why do we need a separate ICT Security Team in the Bank?
√ a) Impartial dealing with security incidents and risk
b) Increase the size of IT

7) How can we take disposition on noncompliance issues?
√ a) Compliance Plan with specific timeline should be submitted to BB
b) Create a compliance plan for BB auditor

8) The organogram for the ICT function of the bank must be
√ a) Documented and Updated
b) Documented
c) Updated
d) None of the above

9) ICT personnel can be identified in the branch organogram by
a) Appointing IT officer by office order
√ b) Creating a section/unit in branch organogram

10) ICT personnel in the Bank should have a job description, which must be
a) Approved
b) Fallback resource is not required
c) Approval is not mandatory
√ d) Approved with fallback plan

11) What is segregation of duties?
a) Maker
√ b) Both maker and checker
c) Checker

12) The Bank should maintain design diagrams for
√ a) All Critical services
b) Data centre
c) Network
d) eIBS

13) Roster duties in ICT operations must be
a) Prescheduled for all regular tasks
√ b) Prescheduled and for sensitive tasks

14) The Bank should maintain SOP (Standard Operating Procedure) for
a) Database
b) eIBS
c) Operating System
d) Network
√ e) All Functional activities
15) Services can be obtained by
a) Mail
b) Verbal request
√ c) Approved Requisition Form
d) Office Note

16) The Bank should maintain a User Manual for
a) Bank employees
b) Online user
√ c) All Stakeholders
d) Customers

17) Who will conduct the internal information system audit?
√ a) Internal IS audit team
b) Risk Management Team
c) Information security team

18) The audit team should be comprised with knowledge of
a) Sufficient audit skill
b) Certified IS audit personnel
√ c) Sufficient expertise and skill of IS audit
d) Sufficient technical skill

19) What does CAAT mean?
√ a) Computer-Assisted-Auditing Tool
b) Confidential Accounting and Auditing Tool
c) Computer-And-Auditing Tool
d) Computer-Aided-Auditing Tool

20) The purpose of CAAT to perform IS audit is
a) To plan the Audit
√ b) To conduct the complete audit life cycle
c) To extract the Data for audit
d) To monitor the Audit

21) Annual IS Audit Plan scope should include
a) All Services of the Bank
b) The operational Branches only
√ c) Critical technology-based services and ICT infrastructure.
d) Critical processes of the Bank

23) IS audit issues should be
√ a) Properly Tracked
b) Properly rectified
c) Properly Recorded
d) Properly Followed up

24) Remediation measures of the observations in the Audit report should be
√ a) Documented and preserved with the report
b) Documented

25) The Bank may engage an external auditor for IS audit in line with their financial audit
a) False
√ b) True

26) The Internal IS audit report must be preserved for
a) Internal user only
√ b) Regulators

27) The Bank may obtain industry standard certification related to Information system security, BCP, Payment card Data security
√ a) True
b) False

28) Why do the stakeholders require proper technology training?
√ a) The technology evolved rapidly
b) To improve the current knowledge
c) As the business changes rapidly

29) What type of training is required for ICT Personnel of the Bank?
a) ICT Related Training
b) Business training
√ c) ICT with minimum business training

30) Security Awareness training is required for
a) Officials only
√ b) All employees of the Bank
c) Executives only
d) Sub staffs only

31) IS Audit Team need the following type of training
a) Training related to Existing Banking function
b) Training related to new technology
√ c) Training related to new and existing services and technology

32) Why does the Bank need a Risk Coverage Fund?
√ a) To meet the costs of mitigating loss/damage of the ICT assets.
b) To meet the regulatory compliance
c) To procure software for new services
d) To procure Hardware for new business
33) Who will maintain the Risk Coverage Fund?
a) ICTW as an emergency fund
b) Operation wing as an emergency fund
√ c) FAD to reflect in Accounting system

34) How will the risk coverage fund be used?
√ a) As per approved policy by management
b) As per approval of Managing Director
c) As and when required

35) How to design a fruitful Awareness program?
a) Needs identified
√ b) All of the above
c) Budget approved
d) Needs with priorities established

36) What are the contents of a customer awareness plan?
√ a) Activities with required resources with target
b) Remedial action only
c) Target only
d) Activities only

37) What are the common objectives of a customer awareness program?
a) Provide information about fraud only.
b) Create a weak security culture.
c) Motivate customer not to adopt recommended practices.
√ d) Help to identify vulnerable areas and make them aware of their responsibilities.

38) How can we ensure effective communication with the customer?
a) Select right audience
√ b) All of the above
c) Select proper communication channel
d) Prepare right content

39) How can IBBL create awareness-building collaterals for the customers?
a) SMS, Leaflet, brochure, newsletter etc.
√ b) All of the above
c) Security tips for Phone Banking customer during call
d) Receipt used in ATM/POS, A/C opening envelope, A/C statement

40) How can IBBL reach the customer related to security awareness?
a) Only Print, TV media and online platform
b) Bill Board and Festoon
c) None of the above
√ d) All of the above
e) SMS, Email, ATM Screenshot, IVR etc.

41) Why do we need a well-calibrated feedback strategy implemented for customer education?
√ a) Continuous improvement in service
b) To record the customer complaint
c) To comply with the regulatory requirement

42) Before appointment of a service provider, the bank should
√ a) Do Risk assessment
b) Carry out due diligence process
c) Take declaration from the vendor

43) How can the bank ensure that the vendor will be responsible?
a) Some verbal and some written
b) Verbal statement only
√ c) All are in a written document

44) How can IBBL evaluate the ICT outsourcing activities?
a) Considering Economic viability
√ b) All of the above
c) Considering objectives
d) Considering Risk and security

45) How can the bank ensure that outsourcing activities will not result in degradation of the bank's internal control?
√ a) Ensuring high standard of care and diligence by the vendor
b) Ensuring appropriate procedure
c) Ensuring appropriate policy

46) What security policy will be implemented by the third party?
a) IBBL policy should be at least as stringent as Vendor policy.
√ b) Vendor policy should be at least as stringent as IBBL policy.
c) Vendor security policies, procedures and controls
d) IBBL security policies, procedures and controls

47) How can the bank ensure the security adequacy of the vendor?
√ a) By regular monitoring and review
b) By engaging Auditor by IBBL
c) By taking confirmation from the vendor
48) What will ensure the disaster recovery contingency of the system provided by the vendor?
√ a) BCP of vendor
b) BCP of IBBL
c) Both a & b

49) What should the Bank do to ensure continuation of the services of the vendor?
√ a) Separate plan document developed by Bank
b) Separate plan developed by vendor
c) IBBL BCP
d) Vendor BCP document

50) What is the service catalogue of third party services?
a) Third party service list
√ b) Up-to-date detailed information of services rendered

51) What type of document is required to maintain with the vendor?
√ a) SLA and AMC
b) NDA
c) SLA
d) AMC

52) How can we ensure the confidentiality of the data during servicing/repairing?
√ a) Equipment should not contain live data
b) Equipment should be sent for servicing without any modification
c) Equipment should not be repaired outside the Bank

53) The Service contract with a third party must include, in addition to pricing, deliverables, roles and responsibilities,
√ a) Confidentiality and right to audit clause
b) Reward clause
c) Third party clause
d) Negotiation clause

54) The Bank shall only grant user access to ICT systems and networks based on ----------------?
a) Need-to-use basis
b) Within the period when the access is required
√ c) Both a & b
d) Based on Ranks & Designation
e) Based on the division the user is posted

55) The Bank shall closely monitor non-employees for access restrictions. Who are those?
a) Contractual
b) Outsourced
√ d) All of the above
e) Vendor staff

56) Each user of IBBL ICT System must have ---?
a) A unique User ID
b) A valid password
√ c) Both a & b
d) Fingerprint
e) An employee ID

57) To have access in the IBBL ICT System the following form with access privileges shall be duly approved by the appropriate authority?
a) Internet Request form
b) Change Management Form
c) Problem Management Form
d) Account Opening Form
√ e) User ID Maintenance form

58) User access shall be locked for --------------.
a) User login attempt
√ b) Unsuccessful login attempts
c) None of the above
d) Authenticated user only
e) Authorized user only

59) When a user’s job status gets changed, the user --------.
√ a) The user privileges must be updated
b) The user must get a new user ID
c) None of the above
d) Both b & c
e) The user must change password

60) The Bank shall ensure that records of user access are uniquely identified and logged for --------------
a) Change Management purpose
b) Audit Purpose
c) None of the above
√ d) Both b & c
e) Review Purpose
61) The Bank shall perform regular reviews of user access privileges to verify that ---------------.
a) User Update
b) Privilege escalation
c) None of the above
d) Both b & c
√ e) Privileges are granted appropriately

62) The Bank shall enforce -------------------------- controls over users’ access
√ a) Strong password control
b) Monitoring
c) Internal Control
d) None of the above
e) Both b & c

63) Password controls shall include a change of password upon first logon.
√ a) Upon first logon
b) After three attempts
c) None of the above
d) All of the above
e) As and when required

64) Minimum password length should be ----------
a) At least 5 characters
√ b) At least 6 characters
c) None of the above
d) At least 8 characters
e) At least 7 characters

65) Password shall be a combination of -------- of stated criteria like uppercase, lowercase, special characters and numbers?
a) Two
b) Three
√ c) At least three
d) At least two
e) Four

66) Password must not be valid for more than ---.
√ a) 90 days
b) 100 days
c) None of the above
d) Password must be changed regularly
e) 120 days

67) What is the maximum number of consecutive invalid login attempts allowed in the system of IBBL?
a) Five attempts in a row
b) Four attempts in a day
c) None of the above
√ d) Three
e) Three attempts in a day

68) Password history maintenance shall be enabled in the system to allow same passwords to be used again after ----------.
a) At least in three months
b) At least in same month
c) None of the above
d) All of the above
√ e) At least three (03) times

69) Administrative passwords of Operating System, Database and Business Applications shall be kept ----------------.
a) In the bank cash vault in plain text
√ b) In a safe custody with sealed envelope.
c) To CISO
d) To the head of ICTW
e) To the branch manager

70) Session time-out period for users shall be set --------------------.
√ a) In accordance with the Bank's Policy
b) In accordance with Manager discretion.
c) In accordance with BB circular.

71) Operating time schedule of users’ input for banking applications shall be implemented ------?
a) As per regulatory enforcement
b) As per approval from bank management
√ c) Both a & b
d) As decided by BCD
e) As decided by Branch Management

72) Audit trail with User ID and date-time stamp shall be maintained for data -------?
a) Insertion
b) Deletion
c) None of the above
√ d) All of the above
e) Modification

73) Software shall not allow the same user to be both maker and checker of the same transaction.
a) True
b) False
c) None of the above
d) All of the above
√ e) Unless otherwise permitted from appropriate authority.
74) Management ---------------- must be in place for delegation of authority.
a) Supervision
√ b) Approval
c) None of the above
d) Planning
e) Oversight

75) Sensitive data and fields of banking applications shall be restricted from ----------.
a) Being hacked
b) Both b & c
c) Being deleted
√ d) Being accessed
e) None of the above

76) The Bank shall apply ---------------------- when appointing staff to critical operations and security functions.
a) Stringent selection criteria
b) Thorough screening
c) Both a & c
√ d) Both a & b
e) Mental capacity

77) With privileged access, who can inflict severe damage on critical systems of the Bank?
a) System administrators
b) ICT security officers
√ c) All of the above
d) Employees performing critical operations
e) Programmers

78) Which of the following controls and security practices shall the Bank adopt for privileged users?
a) Implement strong controls over remote access
b) Grant privileged access on a “need-to-have” basis
√ c) All of the above
d) Restrict the number of privileged users
e) Disallow vendors from gaining privileged access to systems without close supervision and monitoring.

79) For an efficient project management framework, which of the following is required?
a) Project Risk Assessment & Classification
b) Critical Success Factors in each project phase
√ c) All of the above
d) Deliverables
e) Definition of project milestone

80) Project plans should be ----------------------?
a) Clearly Documented
b) Approved
c) Both a & c
√ d) Both a and b
e) As per market trend

81) Which of the following should be included in the project plans?
a) Functional requirement
b) Business Case
√ c) All of the above
d) Cost benefit analysis
e) Technical specifications

82) Which of the following should be established to ensure that milestones are reached and deliverables are realized in a timely manner?
a) Planning
b) Controlling
c) Both a & c
√ d) Management oversight
e) Financing

83) To select a vendor for the bank, an official from the following division is required?
a) ICTW
b) ICCW
√ c) Both a, b & c
d) FAD
e) Division related to the procured products

84) Vendor selection process must have conformity with the --------------------?
√ a) Procurement Policy of the Bank
b) Risk Management guideline of Central Bank
c) None of the above
d) IBBL ICT Security Policy
e) Procurement policy of Bangladesh Bank

85) Vendor selection criteria for application must address the following:
a) Market presence & Years in operation
b) Technology alliances
c) None of the above
√ d) All of the above
e) Extent of customization and work-around solutions
86) While outsourcing / procuring any product, detailed business requirements shall be documented and approved by
a) ICTW
b) ICCW
c) None of the above
d) All of the above
√ e) Competent Authority

87) What is required while procuring a service/application?
a) Design
b) Detailed technical requirements
√ c) All of the above
d) Availability
e) Application security

88) Functionality development in the application shall be according to?
√ a) Design specification
b) Approval from MANCOM
c) Work Order
d) BCP
e) BB Guideline

89) Software Development Life Cycle (SDL with User Acceptance Test (UAT) shall be followed and conducted in the ------------?
a) Development stage
b) Implementation stage
c) Organizing stage
d) Planning stage
√ e) Development and implementation stage

90) UVT stands for -------------- ?
a) User vulnerability test
b) Usage & viability stage
√ c) User Verification Test

91) Which of the following should be handed over to the concerned division regarding application development or acquisition?
a) System usage report
b) System documentation
√ c) Both b and c
d) All of the above
e) User Manual

92) Developed or procured software must be compliant with?
√ a) IBBL ICT Security Policy.
b) Business Continuity Plan
c) None of the above
d) All of the above
e) Disaster Recovery plan

93) Software documentation should include ----- ?
a) Functionality
b) Security features
c) None of the above
√ d) All of the above
e) Interface requirements with other systems

94) All the software used by IBBL shall be -------------?
a) Licensed
b) Legally acquired
√ c) Both a & b
d) From torrent
e) Not procured but modified by Bank

95) Which of the following is true?
√ a) Test environment and production environment must be separated
b) Test environment and production environment must be same for security reason

96) User Acceptance Test shall be carried out and signed-off by the relevant business units/division -----------?
a) Immediately after live operation starts.
b) After getting clients' feedback.
√ c) Before rolling out in LIVE operation.

97) Which of the following is required for development, acquisition and procurement of any ICT software, hardware or service?
a) Regulatory Compliance requirements
b) Banking procedures and practices
c) None of the above
√ d) All of the above
e) Relevant laws of Government of Bangladesh

98) Any bugs and/or defects found due to design flaws must be escalated to -------------- in time?
a) Higher levels in Software Vendors’ organization
b) Appropriate authority of IBBL
√ c) Both a & b
d) All of the above
e) Central Bank
99) Which of the following is required for the software and product that are in service?
a) Support agreement with the supplier.
b) Non Disclosure Agreement (NDA)
c) None of the above
√ d) All of the above
e) License

100) Who will govern the Bank's overall ICT risks and relevant mitigation measures?
√ a) ICT Risk Management Committee
b) Management Committee
c) Executive Committee of the Board of Directors
d) ICT Steering Committee

101) The amount of risk the Bank is prepared to accept to achieve its objectives, in terms of combinations of frequency and magnitude of a risk, to absorb loss (e.g., financial loss, reputation damage) is called what?
√ a) Risk Appetite
b) Risk Register
c) Risk Treatment
d) Risk Tolerance

102) What is called the tolerable deviation from the ICT Risk level set by the risk appetite definition?
√ a) Risk Tolerance
b) Risk Register
c) Risk Treatment
d) Risk Appetite

103) Which ICT Risk is required to have approval from the board/Risk Management Committee and be clearly communicated to all stakeholders?
√ a) Risk Tolerance
b) Risk Register
c) Risk Treatment
d) Risk Appetite

104) Which ICT Risks are required to be reviewed and approved as they change over time? (especially for new technology, structure, new business strategy and other factors that require the bank to reassess its risk portfolio at a regular interval)
√ a) Risk appetite and Risk tolerance
b) Risk Culture & Communication
c) Risk Responsibilities & Accountabilities
d) Risk Awareness & Communication

105) The Bank should define which Risk role to the individuals for ensuring successful completion of work?
√ a) Risk Responsibilities
b) Risk Culture
c) Risk Communication
d) Risk Awareness

106) Which Risk Attribute should be applied to individuals/officials who own the required resources and have the authority to approve the execution and/or accept the outcome of an activity within specific ICT Risk processes?
√ a) Risk Accountability
b) Risk Awareness
c) Risk Communication
d) Risk Responsibility

107) Ownership (whoever is in a better position to mitigate the identified risk for that specific ICT asset) of the ICT risk stays with whom?
√ a) Asset Owner or custodian
b) Chief Information Security Officer (CISO)
c) Chief Information Technology Officer (CITO)
d) Divisional Head of the Asset

108) The Bank should acknowledge all risks by which Risk Attribute? (so that those are well understood and known and recognized as the means to manage them)
√ a) Risk Awareness
b) Risk Responsibility
c) Risk Register
d) Risk Accountability

109) By which process should the Bank contribute to executive management’s understanding of the actual exposure to ICT risk? (so that enabling the definition of appropriate and informed risk responses)
a) Limited Communication
b) Email & Visual Communication
√ c) Open Communication
d) Secret Communication

110) The Bank should make whom aware of the importance of integrating risk and opportunity in their daily duties?
a) Only External Stakeholders
b) Only Divisional Heads
√ c) All internal stakeholders
d) Only ICT Employees
111) To what factors/attributes should the Bank be transparent to external stakeholders?
√ a) Actual level of risk and Risk management processes in use.
b) Vulnerabilities of Critical Assets
c) Risk Appetite & Tolerance Level of the Bank
d) Classified Data & Information of the Bank

112) The Bank should begin which Risk Attribute from the top with board and executives, who set direction, communicate risk-aware decision making and reward effective risk management behaviors?
√ a) Risk-aware Culture
b) Risk Appetite
c) Risk Treatment
d) Risk Register

113) The Bank's Risk-aware Culture should begin from which direction?
√ a) From the top with board and executives
b) From the bottom
c) From Divisional Heads to all employees of the Bank
d) From CITO & CISO

114) ICT security department/unit/cell should report status of identified ICT security risk periodically to whom?
√ a) ICT security committee and Risk Management Committee
b) Executive Committee of the Board of Directors
c) Audit Committee
d) Management Committee

115) Who should understand how ICT-related failures or events can impact Bank objectives and cause direct or indirect loss to the bank?
√ a) An ICT person
b) A Law & Shariah Person
c) A Marketing Person
d) A Business Person

116) Who should understand how ICT-related failures or events can affect key services and processes in the business?
√ a) A Business Person
b) A Law & Shariah Person
c) A Marketing Person
d) An ICT Person

117) The Bank should establish what process to understand the effects of adverse events as well as describe ICT risks in business terms?
√ a) Business Impact Analysis (BI
b) Patch Management Process
c) Gap-Analysis of ICT Security Policy & Guideline
d) IT Self-Assessment Analysis

118) The Bank should develop and use which technique (which can be used during risk analysis where frequency and impact of the scenario are assessed) to identify the important and relevant risks amongst all?
√ a) Risk Scenarios Techniques
b) Risk Awareness
c) Risk Treatment
d) Risk Appetite

119) The Bank should define which Risk Function that will influence the frequency and/or business impact of risk scenarios?
√ a) Risk Factors
b) Risk Register
c) Risk Treatment
d) Risk Appetite

120) The Bank should interpret what as causal factors of the scenario that is materializing, or as vulnerabilities or weaknesses?
√ a) Risk factors
b) Risk Register
c) Risk Treatment
d) Risk Appetite

121) ICT security department/unit/cell should conduct which periodic activity of ICT related assets (process and system) and provide recommendation to risk owners for mitigation?
√ a) ICT Risk Assessment
b) Patch Management
c) Set Risk Appetite & Tolerance Level of the Bank
d) ICT Risk Scenarios Analysis

122) Who should conduct periodic activity of ICT related assets (process and system) and provide recommendation to risk owners for mitigation?
√ a) ICT Security department/unit/cell
b) Branches & Zonal Offices
c) All Asset Owners
d) All Divisions & Departments

123) Indicators for risks with high business impact are most likely to be called what? (Which the Bank should develop as a set of metrics to serve)
√ a) Key Risk Indicators (KRI)
b) Risk Accountability
c) Risk Register
d) Risk Responsibility

124) The Bank should give effort to implement, measure and report to what that are equivalent in sensitivity?
√ a) Different Indicators
b) Different Risk Appetite
c) Different Risk Transfers
d) Different Risk factors

125) ICT Key Risk Indicators (KRIs) should be capable of providing an early warning for a high risk. Based on that, the bank can take which action?
√ a) Proactive action
b) Corrective action
c) Traditional action
d) Reactive action

126) In selection of the right set of ICT Key Risk Indicators (KRIs), a KRI should be capable of providing what kind of view on risk events that have occurred?
a) A Forward-looking view
√ b) A backward-looking view
c) Reputational loss view
d) Financial loss view

127) In selection of the right set of ICT Key Risk Indicators (KRIs), a KRI should be capable of enabling the documentation and analysis of what?
√ a) Analysis of Trends
b) Analysis of Return on Investment
c) Analysis of Business Impact
d) Analysis of Financial Loss

128) ICT Key Risk Indicators (KRI) should provide an indication of the risk’s appetite and tolerance through what setting?
√ a) Metric setting
b) Weightage Settings
c) Judgmental Settings
d) Qualitative Settings

129) Selection of the right set of ICT Key Risk Indicators (KRIs) should increase the likelihood of achieving which objectives?
√ a) The Strategic objectives
b) The Regulatory objectives
c) The Financial objectives
d) The Operational objectives

130) Selection of the right set of ICT Key Risk Indicators (KRIs) should assist in continually optimizing which factors?
√ a) Risk governance and management environment
b) Compliance & Regulatory environment
c) Risk Accountability & Financial environment
d) Risk ownership & business environment

131) The Bank should define what to bring risk in line with the defined risk appetite for the Bank after risk analysis?
√ a) Risk Response
b) Risk Accountability
c) Risk Responsibilities
d) Risk Governance

132) The Bank should strengthen overall ICT risk management practices with what processes?
√ a) Sufficient Risk Management Processes
b) Sufficient Classification of Data Processes
c) Sufficient Inventory Management Processes
d) Sufficient Risk Identification Processes

133) The Bank should introduce what measures intended to reduce either an adverse event and/or the business impact of an event?
√ a) Number of Control Measures
b) Number of Financial Measures
c) Number of Self-Assessment Measures
d) Number of Impact analysis Measures

134) The Bank should share or reduce risk frequency or impact by transferring or otherwise sharing a portion of the risk by what measures?
√ a) Insurance or outsourcing of services
b) Informing Regulatory Authority
c) Informing Bank Management
d) Acknowledgement by the Asset owner
135) ICT risk is associated with the use, ownership, operation, involvement, influence and adoption of ICT within the Bank. It consists of ICT related events and conditions that could potentially impact the business. ICT Risk is which type of Risk?
√ a) Business Risk
b) Environmental Risk
c) Credit Risk
d) Market risk

136) Failing to prevent or detect a material error would represent which type of risk?
√ a) Detection Risk
b) Overall Audit Risk
c) Control Risk
d) Inherent Risk

137) ICT Risk is expressed in terms of what factors?
√ a) Probability of occurrence and Impact.
b) Asset Classification & Recovery time objectives (RTO)
c) Vulnerabilities & Recovery Point objectives (RPO)
d) Probability of not occurrence & Maximum Tolerable Downtime (MT

138) ICT risk is a component of the overall risk universe of the Bank. ICT related risk is considered to be a component of which specific Risks?
a) Compliance & Reputational Risk
b) Investment Risk & Environmental Risk
c) Market Risk & Liquidity risk
√ d) Operational risk & Strategic risk

139) Effective Risk assessment should be conducted for what components?
√ a) Any new processes and systems as well as a post-launch review.
b) Specific processes and systems selected by Management
c) Only existing processes & systems
d) Any new processes & systems after launch

140) The Risk management function should ensure what?
a) Awareness of and compliance with the ICT security control policies
b) None of the above
√ c) Both A & B
d) Provide support for investigation of any ICT related frauds and incidents.

141) The risk management process should include what?
a) Identification of mitigation controls.
√ b) All of the above
c) Approval of the risk acknowledgement from the owner
d) Formulation of a remedial plan to reduce the risk.

142) The primary objective of which Risk Assessment is to leverage the internal audit function by shifting some of the control monitoring responsibilities to the functional areas (Branches & Head Office)?
a) Impact Analysis of ICT Risk
b) Scenario Assessment of ICT Risk
c) Risk Tolerance Assessment of ICT Risk
√ d) Self-Assessment of ICT Risk

143) Self-Assessment of ICT Risk should be implemented by whom?
√ a) The Management and staff of Head Office & Branch
b) Only ICTW officials
c) Only Divisional heads
d) CITO & CISO

144) Meaningful ICT risk assessments and risk-based decisions require what?
√ a) ICT risks to be expressed in unambiguous and clear, business-relevant terms.
b) ICT risks to be expressed in terms of reputational & regulatory loss only
c) ICT risks to be expressed in terms of Financial loss only
d) ICT risks to be expressed in terms of technical viewpoint only

145) What is ensured by mutual understanding between ICTW and the business over which risk needs to be managed?
√ a) Effective Risk management
b) Effective Compliance management
c) Effective Financial management
d) Effective Operational management

146) Who should have the ability to understand and express how adverse events on ICT may affect business objectives?
√ a) All stakeholders
b) CITO & CISO
c) Only ICTW officials
d) Only Divisional Heads

147) When a Risk analysis shows ICT risks deviating from the defined tolerance levels, what needs to be defined?
√ a) Risk Response
b) Risk Accountability
c) Risk Tolerance
d) Risk Appetite
148) Which is the component of the Risk Response function?
√ a) Risk Acceptance
b) Risk Accountability
c) Risk Identification
d) Risk Appetite

149) The Risk management process should include a description and assessment of the risk being considered and accepted for acknowledgement by whom?
√ a) Owner of the risk
b) Only CISO
c) Branch Head
d) Divisional Head

150) Which solution must be installed on ATM devices to detect the presence of unknown devices placed over or near a card entry slot?
√ a) Anti-Skimming Device
b) Security Guard
c) Firewall
d) Anti-Hacking Device

151) The Bank or NBFI shall ------ to appropriate staff for follow-up response and action.
a) Install detection mechanisms
√ b) Only A and B
c) Security Guard
d) Send alerts

152) The Bank or NBFI shall implement tamper-resistant keypads to ensure that customers’ PINs are encrypted during transmission. What measure should be taken while customers’ PINs are transmitting?
a) Green PIN
b) No need to take any extra measure.
√ c) Encrypting by tamper resistant keypad
d) Tamper-proof envelope

153) What will be the appropriate measures to prevent shoulder surfing of customers’ PINs?
√ a) Educate security guard to ensure only one person will be allowed for each ATM machine
b) None of the above
c) Close Circuit Camera
d) Anti-Hacking Device

154) Does IBBL implement biometric finger vein sensing technology to resist PIN compromise?
a) Yes
b) Don't know
c) May be
√ d) No

155) Does IBBL conduct video surveillance of activities for 24 hours at these machines and maintain the quality of CCTV footage and preserve it for at least one year?
√ a) Yes
b) Don't know
c) May be
d) No

156) Does IBBL have a centralized online monitoring system for Cash Balance, Loading-Unloading functions, Disorders of machine, etc.?
√ a) Yes
b) Don't know
c) May be
d) No

157) Does IBBL deploy security personnel for all ATM devices on a 24 hour basis?
√ a) Yes
b) Not Applicable
c) May be
d) No

158) Which physical security measures are implemented in ATM devices?
a) Close Circuit Camera
b) Security Guard
√ c) All of the above.
d) Anti-Skimming Devices

159) Does IBBL inspect all ATM/POS devices frequently to ensure standard practice is in place with necessary compliance?
√ a) Yes
b) Not Applicable
c) May be
d) No

160) Where shall the ATM Inspection log sheet be kept?
a) In ATM booth premises
√ b) Both a and b.
c) In Zonal Office and Centrally
d) In centrally.

161) Does IBBL monitor third party cash replenishment vendors’ activities constantly and visit third party cash sorting houses regularly?
a) Yes
√ b) Not Applicable
c) May be
d) No

b) Not Applicable
c) May be
d) No

167) Does IBBL ensure that information processed, stored or transmitted between the bank and its customers is accurate, reliable and complete?
√ a) Yes
b) Not Applicable
162) Does IBBL train and provide necessary c ) Sometimes
manual to its merchants about security practices d ) No
(e.g. signature verification, device 168) Does IBBL implement appropriate
tampering/replacement attempt, changing processing and transmission controls to protect
default password, etc.) to be followed for POS the integrity of systems and data, e.g. SSL, TLS?
device handling? √ a ) Yes
√ a ) Yes b ) Not Applicable
b ) Not Applicable c ) IBBL Implement TCP/IP to protect the integrity
c ) May be of systems and data.
d ) No d ) No

163) Does IBBL educate its customers on 169) Does IBBL implement 2-FA (two-factor
security measures that are put in place by IBBL authentication) for all types of online financial
and are to maintain by the customers for ATM transactions?
and POS transactions? √ a ) Yes
√ a ) Yes b ) Not Applicable
b ) Not Applicable c ) IBBL Implement TCP/IP to protect the integrity
c ) May be of systems and data.
d ) No d ) No

164) Does IBBL provide assurance to its 170) Which type of 2-FA are using by IBBL?
customers and users so that online access and √ a ) Hardware
transactions performed over the internet are b ) Both a and b
adequately protected and authenticated? c ) Not Applicable
√ a ) Yes d ) Software
b ) Not Applicable
c ) May be 171) In iBanking, does online session
d ) No automatically terminated after a fixed period of
time user inactivity?
165) Does IBBL properly evaluate security √ a ) Yes
requirements associated with its internet b ) Not Applicable
banking system and adopt mechanisms which c ) May be
are well-established international standards? d ) No
√ a ) Yes
b ) Not Applicable 172) Does IBBL implement monitoring or
c ) Not Frequently surveillance systems to follow-up and address
d ) No subsequently any abnormal system activities,
transmission errors or unusual online
166) Does IBBL formulate Internet Banking transactions?
Security policy considering technology security a ) No
aspects as well as operational issues? √ b ) Partial
√ a ) Yes c ) Not Applicable
d ) Yes 179) Does IBBL guarantees that sensitive card
data is encrypted to ensure the confidentiality
173) Does all system accesses, including messages and integrity of these data in storage and
received are logged, reported and followed up? transmission.
√ a ) Yes √ a ) Yes
b ) Not Applicable b ) Not Applicable
c ) May be c ) May be
d ) No d ) No

174) Does IBBL have tools for monitoring 180) Does IBBL ensure that the processing of
systems and networks against intrusions and sensitive or confidential information is done in a
attacks in real time? secure environment?
a ) Yes √ a ) Yes
b ) Not Applicable b ) Not Applicable
c ) May be c ) May be
√ d ) No d ) No

175) Does IBBL maintain high resiliency and 181) Does IBBL deploy secure chips with
availability of online systems and supporting multiple payment application supported to store
systems? sensitive payment card data?
√ a ) Yes √ a ) Yes
b ) Not Applicable b ) Not Applicable
c ) May be c ) May be
d ) No d ) No
176) Does IBBL take appropriate measures to
minimize exposure to other forms of attacks such 182) Does IBBL perform the authentication of
as middleman attack which is commonly known customers' sensitive static information, such as
as a man- in-the-middle attack (MITM, man-in- PINs or passwords?
the browser attack or man-in-the application √ a ) Yes
attack? b ) Not Applicable
√ a ) Yes c ) May be
b ) Not Applicable d ) No
c ) May be
d ) No 183) Does IBBL managed equipments used to
generate payment card PINs and keys in a
177) What are the activities performed by an secured manner?
information security office in a penetration √ a ) Yes
testing (not limited to)? b ) Not Applicable
a ) Checking middleman attacks c ) May be
√ b ) All of the above. d ) No
c ) Injecting malicious codes to application and
database servers 184) Does IBBL's Card personalization, PIN
d ) Attempting to guess passwords generation, Card distribution, PIN distribution,
Card activation groups are different from each
178) Does IBBL educate its customers on other?
security measures to protect them in an online a ) Yes
environment? √ b ) Not Applicable
√ a ) Yes c ) May be
b ) Not Applicable d ) No
c ) May be
d ) No
185) Does IBBL comply with the industry 191) Does IBBL follow Security standards
security standards, e.g. - Payment Card Industry appropriately to the complexity of services
Data Security Standard (PCI DSS) to ensure the offered?
security of cardholder's data? √ a ) Yes
a ) Yes b ) Not Applicable
b ) Not Applicable c ) Not frequently
c ) May be d ) No
√ d ) No
192) Does IBBL clearly identify risks associated
186) Does IBBL only activate new payment cards with the types of services being offered in the
upon obtaining the customer’s instruction? risk management process?
√ a ) Yes √ a ) Yes
b ) Not Applicable b ) Not Applicable
c ) Activate new payment cards automatically. c ) Not frequently
d ) No d ) No

187) Does IBBL implement a dynamic one-time- 193) Does IBBL take appropriate risk mitigation
password (“OTP”) as 2-FA for CNP (Card Not measures like transaction limit, transaction
Present) transactions via internet to reduce frequency limit, fraud checks, AML checks etc.
fraud risk associated with it? depending on the risk perception, unless
a ) Not Applicable otherwise mandated by the regulatory body?
b ) Not frequently √ a ) Yes
c ) No b ) Not Applicable
√ d ) Yes c ) Don't know
d ) No
188) Does IBBL promptly notify cardholders via
transaction alerts including source and amount 194) Does IBBL arrange an agreement with
for any transactions made on the customers’ Mobile Network Operator (MNOs) about SIM
payment cards? replacement process which includes sending
√ a ) Yes prior notification and getting confirmation to
b ) Not Applicable ensure appropriate measures of MFS account for
c ) Not frequently avoiding risk of unwanted transactions?
d ) No √ a ) Yes
b ) Not Applicable
189) Does IBBL set out risk management c ) Don't know
parameters according to risks posed by d ) No
cardholders, the nature of transactions or other
risk factors to enhance fraud detection 195) Does IBBL provided services through
capabilities? mobile comply with security principles and
√ a ) Yes practices for the authentication of transactions
b ) Not Applicable mandated by the regulatory body?
c ) Not frequently √ a ) Yes
d ) No b ) Not Applicable
c ) Don't know
190) Does IBBL implement solution to follow up d ) No
on transactions exhibiting behavior which
deviates significantly from a cardholder’s usual 196) Does IBBL conduct periodic risk
card usage patterns? management analysis and security assessment of
a ) Yes the MFS operation and take appropriate
b ) Not Applicable measures accordingly?
c ) Not frequently a ) Yes
√ d ) No b ) Not Applicable
√ c ) Partially d ) Disaster recovery site map.
d ) No e ) Grab list of items such as backup tapes, laptops,
flash drives, etc.
197) Does IBBL have conformity with
'Regulatory Compliance' requirements of the 204) When should the BCP be tested and
country? reviewed?
√ a ) Yes a ) at least quarterly
b ) Not Applicable b ) at least twice a year
c ) Don't know √ c ) at least once a year
d ) No d ) monthly

198) Does IBBL maintains and updated proper 205) The Bank shall consider which scenarios
documentation of security practices, guidelines, during formulating a rapid recovery plan?
methods and procedures used in such mobile a ) system faults
financial services? b ) hardware malfunction
√ a ) Yes √ c ) All of the above
b ) Not Applicable d ) Total incapacitation of the primary DC.
c ) Don't know e ) security incidents
d ) No
206) What is the geographical location criterion
199) Bank or NBFI must have an approved for setting up the DRS?
Business Continuity Plan addressing the a ) minimum 10 km radial distance from DC
recovery from disaster to continue its operation. √ b ) All of the above
a ) False c ) must be capable to restore critical systems
√ b ) True d ) Preferably different seismic zone.
200) Approved BCP shall be circulated to
______________. 207) If Disaster Recovery Site (DRS) is not in
a ) Top Management different seismic zone, what shall the bank do?
b ) All of the above a ) Bank may establish a third site in different
√ c ) All Relevant stakeholders. seismic zone.
d ) Executives of the bank. b ) none of the above
√ c ) both option a and b
201) Documents related to BCP must be kept d ) Establish a third site as Disaster Recovery Site
safe and no copy shall be stored in the office. (DRS)/Far DC
√ a ) False
b ) true 208) DRS and/or Near DC shall be equipped
with compatible hardware and
202) The BCP shall be coordinated with and telecommunication equipments to support which
supported by the Business Impact Analysis (BI services of the business?
and the Disaster Recovery Plan (DRP) √ a ) Critical
considering which of the following? b ) All
a ) system requirements c ) foreign exchange
√ b ) All of the above d ) investment
c ) interdependencies
d ) processes 209) _________ and ___________ security of the
DRS and/or Near DC shall be maintained.
203) BCP shall address which criteria? √ a ) Physical, environmental
a ) Action plan to restore business operations within b ) none of the above
the specified time frame c ) Option a and b
b ) Emergency contacts, addresses and phone d ) Hardware, software
numbers of employees, venders and agencies.
√ c ) All of the above
210) Which of the following specific recovery 217) DR Test report shall be communicated to all
objectives shall the Bank define for system the employee of the bank.
recovery and business resumption priorities? √ a ) False
a ) Recovery Time Objective (RTO) b ) true
b ) none of the above 218) Data backup strategy shall involve what
√ c ) Option a and b activities?
d ) Recovery Point Objective (RPO) a ) Making of online backups
√ b ) All of the above
211) The Bank shall consider inter-dependencies c ) transfer of backups to secure off-site storage
between critical systems in drawing up its d ) Making of offline backups
recovery plan and conducting contingency tests.
a ) False 219) What are the criteria that must be specified
√ b ) true in the plan of the backup schedule?
√ a ) Full
212) To enhance the recovery capability the b ) Real-time monitoring
Bank may explore recovery strategies and c ) Incremental
technologies such as ______________ d ) Partial
a ) On-site redundancy
b ) none of the above 220) The frequency of backups taken for
√ c ) Option a and b information for each business application must
d ) real time data replication be determined in line with which criteria?
a ) Classification of the information
213) _____________ security shall be maintained √ b ) Option a and c
properly throughout the recovery process. c ) Requirements of the business continuity plan
√ a ) Information d ) volume of the backup
b ) none of the above
c ) Software 221) The details of the planned backup schedule
d ) Hardware for each business application must include the
retention period that must be consistent with
214) An up-to-date and tested copy of the DR which requirements?
plan shall be securely held off-site. One copy a ) Local Legal Requirements
shall be stored in the office for ready reference. √ b ) Option a and b
√ a ) true c ) Business Requirements
b ) False d ) Local Regulatory Requirements
215) What is the frequency of the testing and
validation of the effectiveness of recovery 222) All media contained backed-up information
requirements and the ability of staff to execute must be labeled with which information?
the necessary emergency and recovery a ) content
procedures? √ b ) All of the above
a ) At least quarterly c ) Classification
b ) At least Half-yearly d ) backup cycle, serial, identifier and date
c ) At least monthly
√ d ) At least annually 223) Who shall sign, maintain and check the
backup inventory and log sheet?
216) The Bank or shall involve it’s a ) Managing Director (M
_______________ in the design and execution of √ b ) Supervisor
comprehensive test cases c ) Chief Information Security Officer (CISO)
√ a ) business users d ) Chief Information Technology Officer (CITO)
b ) Directors
c ) Power Supply Company
d ) Vendors
224) Sensitive or confidential backup 231) Which one is below mandatory in order to
information shall be __________ before identify/classify ICT asset?
transporting to offsite for storage. a ) IP Address
√ a ) Encrypted and kept in tapes or disks b ) both a & b
b ) none of the above √ c ) Labeling
c ) both option a and b d ) Diagram
d ) physically locked with key
232) Which one is below should be included in
225) At least one copy of backup shall be kept asset inventory details?
__________ for the time critical delivery. a ) Owner
a ) Off-site √ b ) All of above
b ) in a vault c ) None of above
c ) to a vendor d ) Purchase date
√ d ) On-site
233) ICT asset inventory should be reviewed __?
226) The process of restoring information from a ) Once a month
both on- and off-site backup storage must be b ) Whenever required
documented. √ c ) Periodically;
a ) False d ) Once a year
√ b ) true
234) To ensure security, all information assets
227) Which activities shall the Bank carry out shall be protected from_?
periodically? a ) Misuse
a ) testing and validation of the recovery capability b ) Fraudulent modification
of backup media c ) Disclosure
√ b ) All of the above √ d ) All of above
c ) c. assess whether recovery capability is
sufficiently effective to support the bank’s recovery 235) When any device/equipment is ready for
process disposal/re-use, what must be done?
d ) assess whether recovery capability is adequate a ) Take Backup
b ) Delete files
228) Prior to procuring any new ICT assets, c ) Inform ICTW
compatibility assessment (with existing system) √ d ) Destroyed or Overwritten
shall be performed by IBBL?
a ) False 236) IBBL shall not allow portable device usage
√ b ) True outside the organization.
√ a ) False
229) What policy should be followed while b ) True
procuring ICT asset?
a ) ICT Security Policy 237) When an employee leaves the organization,
√ b ) Bank's own procurement policy he/she can retain organizational asset(s).
c ) Gov Procurement Policy. √ a ) False
d ) BB ICT Security Guideline. b ) True

230) Who will perform development, 238) Which type of license can bank use
maintenance, usage & security of ICT asset? √ a ) Purchased
√ a ) Custodian b ) None of above
b ) ICTW c ) Illegally purchased
c ) AO to PO d ) Crack
d ) CISO
239) If IBBL use outsource software then which c ) All of above.
contract is mandatory before Go-Live? d ) Return back to your in-charge
a ) Purchase Contract with Bank
√ b ) Service/Support Level Agreement with Bank 247) The computers of the Bank may have open
c ) Selling contract with Bangladesh Bank access in USB port.
d ) Selling contract with BTRC √ a ) False
b ) True
240) Which software can be used in Bank/NBFI
computers? 248) Paper containing sensitive business
a ) Bangladesh Bank approved software information should be..?
b ) Any purchased software a ) kept on the table
c ) Open Source Software b ) None of above.
√ d ) Bank/NBFI's approved software c ) kept in box-file
√ d ) kept inside secure cabinet
241) How to use unauthorized or pirated
software within the bank? 249) How can the users install software by
√ a ) Use of pirated software is strictly prohibited by themselves?
Bangladesh Bank a ) General Users should have open internet access
b ) Both B & C. to download
c ) Take approval from Board of Directors b ) Both a & b
d ) Take approval from MC √ c ) User may download/install software by taking
approval from authority
242) Connecting desktop computers to UPS is d ) General users should have admin privilege to
optional. install
√ a ) False
b ) True 250) When virus infection is identified, what will
be the first task for user?
243) Before leaving the station unattended, an a ) Restart PC
employee should…? √ b ) Inform Br. IT/Zonal IT/ICTW
√ a ) Lock workstation c ) Unplug the device and send to ICTW for
b ) Disconnect from UPS. repairing.
c ) Request a colleague to look after the workstation d ) Shutdown PC.
d ) Shutdown workstation
251) If you identify any virus file by yourself,
244) Confidential information stored in portable what should you do first?
device (Laptop) must be…? a ) Delete
a ) Saved in Drive E b ) Shutdown PC.
√ b ) Encrypted within the device. √ c ) Take expert help to clean.
c ) Taken backup in Google Drive d ) Inform Br. Manager
d ) Taken backup in any pen drive
252) Who must consider the confidentiality and
245) What should an employee do to his/her sensitivity of all email content, before forwarding
workstation at the end of each business day? email or replying to external parties?
a ) Lock workstation a ) Bank
√ b ) Turn-off the devices after shutdown. b ) Customers
c ) Log-off workstation c ) Managers
d ) Shutdown workstation √ d ) Employees

246) What's the strategy to secure portable 253) Disciplinary action might be taken mails
device which contains sensitive data? contains______
a ) Take it to home after EOD a ) abusive material
√ b ) Keep it in Secure Location with lock-key √ b ) all of the above
c ) harmful to employee or customer d ) Penetration Testing
d ) damage the reputation of the bank
261) IBBL shall conduct penetration test s on
254) Bank email system is principally provided network infrastructure and internet-based
for___________ systems_______
a ) Personal use a ) periodically
b ) Only Management Can use √ b ) Both a & b
c ) Anyone can use c ) Quarterly
√ d ) Business use d ) need basis

255) Where Corporate email address must not 262) What should be performed before
be used deployment of security patches into the
a ) Social Networking production environment
√ b ) All of the above a ) researching
c ) Groups & Forums √ b ) Testing
d ) Blogs c ) Monitoring
d ) Change Management
256) Email transmissions from the Bank must
have a disclaimer stating about __________ of 263) IBBL shall establish appropriate security
the email content. monitoring systems and processes, to facilitate
√ a ) confidentiality prompt detection of unauthorized or malicious
b ) Reliability activities.
c ) Reachability a ) False
d ) Availability √ b ) True

257) Concerned department shall perform 264) Which network security device can be
regular _________and monitoring of email implemented for network surveillance and
services. security monitoring procedures?
a ) Change √ a ) Intrusion Detection & Prevention System
b ) Patching b ) Router
√ c ) review c ) Antimalware
d ) Vulnerability Assessment d ) Antivirus

258) IBBL shall conduct VAs regularly to 265) IBBL may implement security monitoring
detect____________ tools which enable the detection of changes to
a ) Error critical ICT resources
b ) Misconfiguration a ) False
√ c ) Vulnerability √ b ) True
d ) Changes
266) IBBL shall retained security logs of systems,
259) What method Bank shall deploy to perform applications and network devices for defined
VA period.
a ) Automated Tools a ) False
√ b ) Both a & b √ b ) True
c ) Any
d ) Manual Techniques

260) IBBL shall establish a process to remedy


issues identified in__________
√ a ) Vulnerability Assessment
b ) Risk Assessment
c ) Virus Scan
