Keys-Data Gov and Cyber Security-Converted (1) 20211106133424


MODULE 1

Q: (i) Data Governance is about the rules how to build the content. (ii) Data Privacy is about the rules how to protect and use the content.
A: Both (i) & (ii) are incorrect

Q: _________________ is ultimately accountable with regard to the definition, Data quality and value of Data in a given subject area.
A: Data Custodian

Q: ________ shall ensure that there is commensurate adherence, management and periodic upkeep/review for Data in their respective custodies, as prescribed by Data Governance Policy.
A: Data Owners

Q: Administrative office Data Governance Council (A-DGC), is headed by
A: DGM (B&O)

Q: Against availability of sizeable number of eligible customers only few confirmed leads could be generated for an Analytics based product. What could be the underlying reason?
A: Poor Data Quality

Q: Apex level Data Governance Council (ADGC), is headed by
A: CHAIRMAN

Q: As per the Bank's Data Governance structure, presently which is the Apex body for Data Governance?
A: Apex level Data Governance Council (ADGC)

Q: As per the Data Governance Policy, which of the following is the Data Custodian
A: Respective Business Unit

Q: Capturing of correct & complete Data at the ____________ should be the Mantra
A: first time and every time

Q: Capturing of incorrect / incomplete Data adversely affects:
A: Both 1 & 2

Q: Circle Data Governance Council (C-DGC) is headed by
A: CIRCLE CGM

Q: Data Governance can NOT be achieved by Technology alone.
A: TRUE

Q: Data Governance Council (DGC) is presently being headed by
A: CHAIRMAN

Q: Data Governance does NOT refer to which one of the following term?
A: Practices

Q: Data Governance includes
A: All of the above

Q: Data Governance is aligned with which one of the following departments?
A: Business Unit

Q: Data Governance Organisation involves a multi-tiered combination of business and technology roles which include(s)
A: All of the above

Q: Data Governance Policy is applicable to
A: All employees of the Bank

Q: Data Governance Policy is applicable to all the domestic offices of SBI including:
A: All of the above

Q: Data Governance Policy is applicable to third parties having access to SBI network and Data.
A: TRUE

Q: Data Governance Policy is formulated by which Department:
A: Data Management Office

Q: Data Governance process includes activities as:
A: All of the above

Q: Data governance processes primarily must focus on __________
A: MIS Needs of Top Mgmt.

Q: Data Management Office (DMO) is headed by
A: GM & CDMO

Q: Data Management Office reports to which of the DMDs
A: DMD & Chief Information Officer

Q: Data Processes especially for compliance reasons does NOT include which one of the following?
A: Interpretation Processes

Q: Data processes must Include ____________
A: Definitions of how data will be accessed

Q: Data Protection officer reports to …..
A: GM & Chief Data Management Officer

Q: Data Quality Tools and Applications come under which one of the following factors of Data Management Practices?
A: Technology

Q: Data-driven business decisions are possible when _____ is involved in the Data Governance.
A: Business Unit

Q: DBAs are NOT part of Data Stakeholders
A: FALSE

Q: Design of better Analytics based products mainly depends on ________
A: Data Quality

Q: In Data Management, CDE refers to-
A: Correct Data Entry

Q: Incorrect handling of data may result in exposing an organization to significant liabilities.
A: TRUE

Q: Master Data Management Process Includes ______
A: All of the Above

Q: Poor Data Quality may result in ______
A: Incorrect Regulatory Reporting

Q: Prime objective of Data governance framework is to ensure-
A: All of the above

Q: Process for submission and handling of the Data request is mentioned in
A: Data Governance Policy

Q: Providing training to staff is one of the responsibilities of Data Privacy Officer
A: TRUE

Q: Robust Data Management practices does NOT involve which one of the following?
A: Punishment

Q: The primary priority of Data Processes must be _____
A: MIS Needs

Q: The word "Data" shall collectively refer to the following descriptions:
A: All of the above

Q: What is the frequency of the meeting for Apex level Data Governance Council (ADGC)?
A: Quarterly

Q: What is the frequency of the meeting for Data Governance Council-Business Unit/ Vertical (DGC-BU/V)?
A: Quarterly

Q: What is/are the responsibility(ies) of the Data Governance Council (DGC)
A: All of the above

Q: Where does Data come from?
A: People, Process and Technology

Q: Which among the following may be held accountable for quality of data?
A: Practices

Q: Which among the following play major role in support of company-wide Data quality initiatives?
A: People

Q: Which among the following play major role in support of company-wide Data quality initiatives?
A: Procedures

Q: Which of the below helps in monitoring Data Governance Activities?
A: Data Quality

Q: Which of the below helps in monitoring Data Governance Activities?
A: Data Process

Q: Which of the following is/are a Key Data Quality Dimension?
A: Accuracy

Q: Which one of the following does NOT come under People factor in Data Management practices?
A: Data Trainers

Q: While creating new CIF, customer has given marital status, but as it is not mandatory in CBS:
A: As the customer has given the details in AOF, teller should fill the same in CBS

Q: While creating new CIF, customer has given marital status, but as it is not mandatory in CBS:
A: As it is non-mandatory, teller should not fill in the details in CBS

Q: Who among the following has a role to ensure that data governance initiatives are aligned with business needs
A: Business Units

Q: Who Provides directions in Data Governance Organisation
A: Apex Data Governance Council / Data Governance Executive Council

MODULE 2

Q: "Card Holder Details, CIF, Account Information (credentials, balance, transactions, premiums, dividends, etc.)" are classified as
A: SENSITIVE

Q: "Internal audit reports" is classified as ____________ Data
A: CONFIDENTIAL

Q: "SBI telephone directory" is classified as ____________ Data
A: PUBLIC

Q: "SOP on Data Sharing with External agencies/ Third Parties" rests on four pillars, which one of the following is NOT one of these four pillars:

Q: "Training materials and manuals" are classified as ____________ Data
A: INTERNAL

Q: A customer has submitted Driving License as OVD, along with AOF. During the scrutiny, it was found that the age of customer is less than 18
A: DOB on OVD and AOF to be checked, even then he is less than 18 yrs, OVD not to be accepted

Q: A customer has submitted Voter Card as OVD, along with AOF. During the scrutiny, it was found that the age of customer is less than 18
A: DOB on OVD and AOF, if same, then only account may be opened

Q: A staff can be held accountable for Data quality errors.
A: TRUE

Q: An SBI Card employee sitting in a branch asks for list of high value customers along with Mobile numbers for telecalling to sell SBI cards for the Branch. Branch may share the list with SBI Card employee.
A: TRUE

Q: As per Data Protection Bill (Draft) PII stands for
A: Personally Identifiable Information

Q: Branch has sanctioned a Car loan to one of his staff, but the loan instalment was not fed in HRMS. The staff paid the instalment through his account and informed the BM that a SI has been registered for the same.
A: Recovery to staff loan should be through HRMS only, so recovery details in HRMS needs to be updated

Q: Can we store customer data on our Desktop?
A: NO

Q: Capturing of incorrect security in secured loan accounts may result in _____________.
A: Both 1 & 2

Q: Customer Sensitive Granular Data made available through SSO to ensure an audit trail comes under which one of the following?
A: Need to Know

Q: Data Quality Index (DQI) dashboard measures the Data Quality for-
A: CIFs & Loans

Q: Data quality is necessary to fulfil the needs of an organization in terms of
A: All of the above

Q: DQI dashboard displays errors
A: All of the above

Q: DQI Index has been included as one of the Key Responsibility Areas (KRAs) in Career Development System (CDS)
A: TRUE

Q: Error categories in DQI for CIF related errors are: A. Risk categorization B. Personal Profile C. PAN Related D. Gender Related E. Age Related
A: A, B, C, D & E

Q: For official communication, we can use our personal email IDs
A: TRUE

Q: For personal communication, we can use our official email IDs
A: FALSE

Q: If a car dealer asks us for a list of customers having existing car loans, to market loans for new cars for us, shall we share the list?
A: Cannot be shared

Q: Impact of poor Data Quality on a Branch include ____
A: Both 1 & 2 above

Q: In ________________ Processing, small group of transactions are processed on demand
A: Batch

Q: In an Account Opening Form, if Data has been provided by customer in non mandatory field (like mobile number / email ID), what should be done while inputting in CBS?
A: Input the Data exactly as given by the customer

Q: In the Data Infringement portal, unattended infringements on Data Loss Prevention (DLP) may result in _____
A: Penal Score (1 to 4 marks) in RFIA of the Branch

Q: Incorrect spelling of Customer name comes under which one of the following Data Quality Dimension?
A: Accuracy

Q: Non capturing of PAN in CIF, even if furnished in the AOF, may result in ________.
A: Both 1 & 2

Q: Non-sensitive Information includes:
A: Public Information

Q: Restricted access to Data means:
A: Both 1 & 2

Q: Scope of Customer Sensitive Granular Data Sharing & Access Framework covers:
A: All of the above

Q: Sharing of customer sensitive granular Data is governed by which Policy:
A: Data Governance Policy

Q: Sharing of Data with external agencies is governed by
A: SOP on Data Sharing with External agencies/third parties

Q: Some of the key Data Privacy initiatives include:
A: All of the above

Q: Some of the key Data Privacy initiatives include:
A: Secure Cloud Data Storage system

Q: The access to Customer Sensitive Granular Data to the users should be made strictly on the basis of-
A: Both 1 & 2

Q: To boost the housing loan business of the branch, list of HNIs can be shared with HLCs through:
A: Not to be shared

Q: What are the different categories of Data Classification
A: SENSITIVE, CONFIDENTIAL, INTERNAL, PUBLIC

Q: What are the impacts of feeding incorrect date of birth of a customer in CBS
A: 1 & 2

Q: What are the impacts of not verifying the pop-up name of PAN holder, while fetching PAN details
A: 1 & 2

Q: What are the possible means by which Customer Sensitive Granular Data can get divulged or leaked to any unrelated person / third party like vendors, dealers etc:
A: All of the above

Q: What does GDPR stand for-
A: General Data Protection Regulation

Q: What is needed to create Data Quality Index?
A: Dashboards and scorecards.

Q: What is/are the possible consequences of Data Leakage:
A: All the above

Q: Which of the following is NOT a type of Customer Sensitive Data
A: List of Top Management of the Bank

Q: Which of the following is not a type of Data leak
A: Improper categorization of sensitive Data

Q: Which of the following is true:
A: All of the above

Q: Which one is NOT an approved way of sharing granular Data/access Data under normal circumstances:
A: E-mail

Q: Which Portal to be accessed for Data Loss Prevention (DLP) incidents
A: Data Infringement Portal

Q: While inputting temporary address of a customer in CBS, it should be taken care that
A: "From & To" date in the temporary screen needs to be filled in as declared by the customer

Q: While verifying the pop-up name of PAN holder in CIF creation screen
A: 1 & 3

MODULE 3

Q: __________ malware is a warning-like popup or reminder in a Laptop/PC/Mobile?
A: Scareware

Q: _____________ is a technique used by the fraudsters, wherein they penetrate a system where the program/script/files will be hidden within another file.
A: Steganography

Q: _____________ is used for obtaining unauthorized access to mobile phones via Bluetooth connection. Once such a connection is established then the attacker will be able to steal photos, messages and contacts etc.
A: Bluesnarfing

Q: "You need special software to access this part of the Web because a lot of it is encrypted, and most of the pages are hosted anonymously". Which of the following does the statement refer to?
A: Dark Web

Q: A fraudster may use Social engineering techniques to steal critical information of a user. Which of the following options is not true in case of social engineering?
A: Social engineering uses Human traits, Curiosity, Concern around and technical hacking techniques

Q: After completion of a Cash withdrawal transaction at an ATM, the system ensures to update the customer's balance with the withdrawal transaction before displaying it on the screen or printing the receipt. This process is similar to which of the following triad of CIA?
A: Availability

Q: Ajit is doing a merchant transaction to pay the mobile bill. He selects net banking of SBI for making online payment. He is redirected to a site of SBI. Before he logs in, what should be the website address on the screen?
A: It should start with https://www.onlinesbi.com

Q: Even if a user compromises his/her login credentials of OnlineSBI, no one can login using this credential. What is the new security feature in OnlineSBI?
A: OTP has been made mandatory at the time of login

Q: If a Cyber attack is carried out by sending to SBI's customers an email that claims to be from SBI but it's not, then what kind of cyber attack technique is it?
A: Phishing Attack

Q: If a hacker manages to exploit the vulnerability before software developers can find a fix, that exploit becomes known as a _______.
A: Zero day attack

Q: If you click on the padlock sign in the Address bar, which of the following information will be available to you?
A: You will get information on who owns the site and who has verified the site

Q: In Social engineering attacks, the fraudsters lure/appeal the potential victims to gain confidence to reveal confidential information and use the same for fraud and system access.
A: APT attacks may be identified immediately as it shuts down the whole system

Q: Mr. Ajay had tried to login to Mr. Deepak's SBI net banking. He tried thrice but failed. Now when Mr. Deepak tries to login with his correct password, will he be able to do so?
A: After 3 invalid attempts, the user id is automatically locked for one day. Thereafter Mr. Deepak can login.

Q: Non-repudiation is carried out through the services of authentication, authorization, confidentiality, and integrity. Confidentiality ensures which one of the following?
A: Secure encryption of the information

Q: Pretending to be an Airtel customer service executive and contacting the victim is called ____________.
A: Vishing

Q: Select the correct statement about the impact of Cyber Risks.
A: All are true

Q: Select the incorrect option.
A: Deep Web - Research Papers & Medical Records

Q: Select the wrong statement.
A: Option a & b

Q: Select the wrong statement.
A: Cyber Security primarily focuses on protecting employees information on computers

Q: Sending SMS messages to many people with bad intentions may be termed as __________.
A: Smishing

Q: Social Engineering Attacks does not include ________________.
A: Denial of Service attack

Q: The data loss or compromise while charging the mobile is called ________.
A: Juice Jacking

Q: The fraudster gets the personal details of the people through _______ technique.
A: Social engineering

Q: The malware, which can record the keystrokes on a keyboard in order to gain access to sensitive information, is known as ________________ malware.
A: Keylogger

Q: The objective of setting up a wide network of ATMs across the country resembles which of the following triad of CIA?
A: Availability

Q: The technique used to send the emails to all the employees of the Bank is known as ____________.
A: Spear Phishing

Q: Third party attacks are attractive to hackers, because ____________.
A: Third party systems have less robust security controls

Q: What is a "Collect Request" in a UPI transaction?
A: It is a feature available in BHIM SBI Pay

Q: What is a keylogger?
A: It is a surveillance software that records every keystroke made in the system, creates a file and sends it to a specified server.

Q: What is Denial of Service Attacks?
A: It is a malicious attempt to disrupt the normal traffic of a targeted server, service or network with a flood of Internet traffic from multiple computers at the same time

Q: What is Distributed Denial of Service Attacks?
A: It is an attack which is a malicious attempt to disrupt the normal traffic of a targeted server, service or network with a flood of Internet traffic from multiple computers at the same time

Q: What is not true about Juice-jacking?
A: Disabling data transfer mode in Settings will not help in this case

Q: What is not true about myths associated with Cyber Risk?
A: Cyber threat always starts externally

Q: What is not true about SIM Swapping?
A: SIM Swapping is also known as SIM cloning

Q: What is not true about SIM Swapping?
A: Fraudsters get access to the root of the mobile phone through SIM Swapping

Q: What makes SolarWinds attack an unusual hack?
A: The hackers through one malicious code in SolarWinds Orion software gained access to thousands of other companies.

Q: What makes SolarWinds hack one of the biggest and the most dangerous Cyber attack?
A: This attack was designed to impact one vendor and subsequently all their clients

Q: Where is the option to lock user access in SBI Retail Internet Banking?
A: Lock User access option is available in the login page of Retail INB

Q: Which of the following attacks is not categorised under Exploit based attacks?
A: Distributed Denial of Service attacks

Q: Which of the following best describes the Supply chain attack?
A: Supply chain attack occurs when hackers infiltrate systems through an outside partner or provider who has access to the target systems and data

Q: Which of the following browsers allows access to the Network which is popular for implementing encrypted routing technology and preventing user tracking?
A: Tor

Q: Which of the following channels is NOT available for blocking the UPI services for unauthorized transactions?
A: YONO

Q: Which of the following is NOT an objective of Non-repudiation?
A: It offers a high level of assurance that the information, objects and resources are accessible to authorized subjects within the promised timeframe.

Q: Which of the following is not the examples of data?
A: All are examples of data

Q: Which of the following may not be the signs that the Mobile Phone (Android/iOS) is hacked?
A: All statements are signs that the Mobile phone is hacked

Q: Which of the following Mobile Apps may be suggested to resolve the issues related to non-receipt of OTP (Through SMS) for their transaction?
A: SBI Secure OTP

Q: Which of the following options is not to protect yourself from keyloggers?
A: Check your physical hardware, keep your system locked and protect from unauthorised access.

Q: Which of the following principles of the second of CIA Triad Integrity is/are Correct? a. Integrity is the concept of protecting the accuracy and completeness of information and processing methods. b. Integrity protection prevents any kind of alteration of the information. c. Properly implemented integrity protection provides a means for authorized changes while protecting against intended and malicious unauthorized activities (such as viruses and intrusions) as well as mistakes made by authorized users (by commission or omission). d. Use of a secure Hashing algorithm for the information ensures Integrity.
A: a, c and d

Q: Which one is not an option for disabling UPI services?
A: YONO Main Screen UPI Enable/Disable UPI

Q: Which one of the following is a good safety measure, while using www.onlinesbi.com?
A: The website address should start with https and there should be a padlock sign

Q: Which one of the following is a precaution to be taken while operating the ATM?
A: Check if any extra suspicious device is attached to the ATM machine

Q: Which one of the following is a unique feature of APT attacks?
A: An unauthorized attacker code enters a system and remains there for an extended period of time

Q: Which one of the following is the leading illicit dark web marketplace which was taken down by the FBI in what was considered then as a significant action on the Dark web market?
A: Silk Road 2.0

Q: Which one of the following risks is not considered while evaluating a third party vendor for risk assessment?
A: Market Risk

Q: Which one of the following statements is FALSE about APT attacks?
A: A type of cyberattack where an unauthorized attacker code enters a system and remains there.

Q: Which one of the following statements is false?
A: The user's response to bulk SMS can compromise their identities.

Q: Which one of the following statements is more appropriate in terms of Vendor risk assessment?
A: Continuous assessment of Vendor security practices need to be done throughout the Contract life cycle.

Q: With the enhanced sharing of information over a global network for almost all life functions, which one of the following has become the latest addition to the essential objectives of Information Security after the CIA Triad?
A: Non-repudiation

Q: Your friend fears that he has shared the user credentials of OnlineSBI with a stranger. It is a Sunday and Bank is closed. What immediate steps would you NOT advise him?
A: Contact the Branch on Monday to deactivate INB facility

MODULE 4

Q: "Ransomware" can be spread through _____________?
A: Option 1 and 2

Q: After how many days of customer complaint is shadow reversal given to customer account in our Bank?
A: On 8th working day from date of customer complaint

Q: As part of IS awareness and commemoration of Computer Security Day, SBI did NOT organize which one of the following activities?
A: Cold calling all the employees

Q: As part of IS awareness, SBI observes Computer Security Day on which of the following day?
A: 30th November

Q: Creating IS awareness is important at all levels in the Bank. But the initiation should start from _______________.
A: Branch staff

Q: Customer reported an unauthorised UPI transaction of Rs.72,000/- in his account. He reported the incident on the same day to the bank. The bank is not able to establish customer negligence even after completion of 90 days from the date of complaint. As per Limiting Liability of customer guidelines, how much amount does the Bank need to pay to the customer in this situation?
A: Rs.72,000/-

Q: Identify some of the risks involved in using public free WiFi.
A: The free WiFi could be a rogue network, harvesting the internet user's data.

Q: If a Bank always allows some of the employees to bring their own laptops, smart phones, tablets etc. to office for office work, this policy is called BYOD. What does BYOD stand for?
A: Bring Your Own Device

Q: If a customer reports an unauthorised transaction of Rs.6000/- (ATM) on the 5th working day and it is a case of third party negligence, as per Limiting Liability of customer, what will be the liability of customer in this case?
A: Nil

Q: If ATM Skimming happens at an ATM, who can report to IT Team?
A: Anyone

Q: If you have a Facebook account and you came to know about a breach in the Facebook server, what will be your action?
A: Change the password of Facebook and all the services/apps offered by Facebook.

Q: Impact of Cyber risks are _________________.
A: All of the above

Q: Many websites use CAPTCHA to avoid password guessing by automated tools called ____________.
A: Dictionary Attack

Q: Pick the odd one.
A: Passwords must be created using small & upper case, when own name or short form of own name and own initials are used.

Q: Select the correct statement about Desktop / Laptops / Workstations Usage?
A: Anti-virus is crucial for safety of data. While leaving the room user is supposed to put the laptop for scanning.

Q: Select the correct statement in this case
A: The motive for this Ransomware attack is always monetary

Q: Select the wrong statement about Desktop / Laptops / Workstations Usage?
A: Unauthorized personnel can access and exploit your system

Q: Select the wrong statement about Desktop / Laptops / Workstations Usage?
A: Create a shortcut of a document/file instead of copying it on the desktop

Q: Select the wrong statement about the Acceptable usage policy (IS Policy) of our Bank?
A: All are true

Q: Select the wrong statement from the below statements. (i) Lock your phone with mPIN or password OR biometric when not in use. Always keep your mobile device in a safe location. (ii) Download the Mobile Banking application only from the Bank's site – www.sbi.co.in. For using Mobile Banking service over insecure Wi-Fi, never click on any links. Always type the URL http://mobile.prepaidsbi.com/sbiwap/ in your mobile browser. (iii) Check your linked accounts on a regular basis. Once your transaction is over, logout of the mobile banking website and then close the browser. (iv) Delete any SMS from the Bank that might contain your personal information like user Id, mPIN received at the time of registration, or details sent to you. Do not part with your ATM card and PIN as this may be misused for Mobile banking registration.
A: All are correct

Q: Select the wrong statement.
A: Password need not necessarily be complex but easy to remember.

Q: Select the wrong statement.
A: You can restrict the use of ATM card details for online transactions in Corporate Internet banking

Q: Select the wrong statement.
A: For web security, verify full URL by clicking the link, but do not give any personal/confidential information

Q: Select the wrong statement.
A: It is not necessary to inform your organization always, if you come across any discrepancies.

Q: Select the wrong statement.
A: For online meetings, share a link to a meeting on an unrestricted publicly available social media post, only with password

Q: The company asked their employees to use their own devices and internet access while working from home. List some precautions that they could have exercised even under these conditions: (i) Ensuring that authorized antivirus is installed in the devices of the employees (ii) Ensuring that appropriate software patches are updated in the devices of the employees (iii) Asking the employees to use enterprise VPN
A: Options (i), (ii) and (iii) are necessary

Q: WannaCry was ____________ attack.
A: Ransomware

Q: What are the parameters on which compensation to customer will depend for resolution of unauthorised transactions complaints?
A: Negligence that causes the unauthorized transaction & Reporting time about unauthorized transaction to his/her Bank/FIs

Q: What are the ways you can report an unauthorised transaction (ATM) without visiting the branch?
A: Call dedicated number 1800 1111 09; also can raise through https://crcf.sbi.co.in

Q: What is the "Time of detection of incident" for the purpose of reporting a cyber incident to RBI, CERT-In & NCIIPC?
A: Time at which the incident is brought to the knowledge of any official of ISD, including CGM & Group CISO

Q: What is the meaning of Shadow Reversal?
A: Reversal of loss amount to customer account if Bank fails to establish customer negligence within 10 days, but it is allowed to withdraw by customer

Q: What are the timelines for reporting of cyber incidents to RBI and other Statutory Authorities CERT-In & NCIIPC? Who should report the incident?
A: All cyber security incidents should be reported within 2 to 6 hours by Incident Response & Management Team

Q: What should be the minimum and maximum length of the login password in Retail Internet Banking?
A: Minimum length should be 8 characters and maximum length 20 characters

Q: Where is the option to change the Login password in Retail Internet Banking?
A: Option to change login password is in the Profile section, post login

Q: Which of the following incident(s) should be reported to RBI, CERT-In & NCIIPC?
A: Phishing / Vishing attacks on customers resulting in cumulative loss for the customer(s) exceeding ₹ 50 lakh

Q: Which of the following is NOT inappropriate content of email?
A: Confidential or secret information with a password protection when transmitted over email.

Q: Which of the following is NOT one of the best practices to maintain your password?
A: Only difficult dictionary words should be used

Q: Which of the following options is an example of inappropriate use of the e-mail service?
A: Use of other officers' user ids or using a false identity.

Q: Which of the following options is crucial in any UPI fraud related to Collect request?
A: option a & b

Q: Which of the following options is NOT a good wi-fi security practice?
A: You can use unsecure or open Wi-Fi for official purposes in case of emergency

Q: Which of the following options is not a violation of acceptable usage policy?
A: The User is responsible for any e-mail that is transmitted using the e-mail

Q: Which of the following statements is correct regarding creation of Profile password using the Multilingual Image based Virtual keyboard?
A: The Profile password should be a combination of alphabets (in the language chosen), and numerals and images

Q: Which of the following statements is not true about Acceptable usage policy (IS Policy) of our Bank?
A: Employee's mobile devices need not have Antivirus software

Q: Which of the following steps would not be a part of the planning for Work from home?
A: Ensuring the physical access to the systems room is restricted and monitored

Q: Which of the following will not be considered as cyber incidents for reporting to RBI?
A: All the options will not be considered

Q: Which one of the following is the most important aspect for an organization as big and global as SBI to protect itself from cyber security attacks and subsequent loss of brand image?
A: A training awareness program that would provide education and guidance on a range of information security topics to all the internal users of its systems and applications.

Q: Which one of the following options does not substantiate the Acceptable Usage Policy of our Bank?
A: However, Mobile and laptop given to the staff for personal holding have exceptions to the policy.

Q: Which one of the following options is not a concern for password security?
A: Users are responsible for all activities originated from their User credentials

Q: Which one of the following options is not a violation of acceptable usage policy?
A: Receiving mails from his batchmate

Q: Which one of the following options is not doable as per user acceptance policy?

Q: Which one of the following statements is not a threat to mobile and portable devices?
A: The updates in the operating systems (say Android, iOS etc.) and installed applications might compromise the security of these devices.

Q: Who can report cyber incidents to Information Security Department (ISD)?
A: Anyone who knows about cyber incidents including general public

Q: Who is primarily responsible for reporting cyber security incidents?
A: Deputy General Manager (AC) at LHO

Q: With every data breach or phishing attack, cybercriminals gain access to more data. Users should ___________________ after knowing about such attacks.
A: Change the password
