Full-interruption testing does interrupt normal business operations (service is actually taken down and restored from backups); it is simulation testing, question 4 below, in which normal operations of the business are not impacted.

test bank MANAGEMENT of INFORMATION SECURITY, Fifth Edition

Name: Class: Date: Chapter 10: Planning for Contingencies. Copyright Cengage Learning. Powered by Cognero.

1. When an incident takes place, the disaster recovery (DR) plan is invoked before the incident response (IR) plan. a. True b. False ANSWER: False
2. In most organizations, the COO is responsible for creating the IR plan. a. True b. False ANSWER: False
3. In a warm site, all services and communications links are fully configured and the site can be fully functional within minutes. a. True b. False ANSWER: False
4. When performing simulation testing, normal operations of the business are not impacted. a. True b. False ANSWER: True
5. Training should be as specialized as possible; personnel who are responsible for one duty should not be trained on other duties to avoid confusion during a disaster. a. True b. False ANSWER: False
6. An item does not become evidence until it is formally admitted to evidence by a judge or other ruling official. a. True b. False ANSWER: True
7. Using standard digital forensics methodology, the first step is to analyze the EM data without risking modification or unauthorized access. a. True b. False ANSWER: False
8. A slow-onset disaster is a disaster that occurs over time and gradually degrades the capacity of an organization to withstand its effects. ____________ ANSWER: True
9. Disaster classification is the process of examining an adverse event or incident and determining whether it constitutes an actual disaster. ____________ ANSWER: True
10. A(n) wrap-up review is a detailed examination and discussion of the events that occurred during an incident or disaster, from first detection to final recovery. ____________ ANSWER: False - after action, after-action
11. Patch and proceed is an organizational CP philosophy that focuses on the defense of information assets and preventing reoccurrence rather than the attacker’s identification and prosecution. ____________ ANSWER: True
12. An alert digest is a description of the incident or disaster that usually contains just enough information so that each person knows what portion of the IR or DR plan to implement without slowing down the notification process. ____________ ANSWER: False - message
13. Which of the following has the main goal of restoring normal modes of operation with minimal cost and disruption to normal business activities after an adverse event? a. Risk management b. Contingency planning c. Business response d. Disaster readiness ANSWER: b
14. In the event of an incident or disaster, which planning element is used to guide off-site operations? a. Project management b. Business continuity c. Disaster recovery d. Incident response ANSWER: b
15. Which is the first step in the contingency planning process among the options listed here? a. Business continuity training b. Disaster recovery planning c. Business impact analysis d. Incident response planning ANSWER: c
16. Which of the following is a mathematical tool that can be useful in assessing relative importance while resolving the issue of what business function is the most critical? a. Weighted analysis b. BIA questionnaire c. Recovery time organizer d. MTD comparison ANSWER: a
17. What is the final stage of the business impact analysis when using the NIST SP 800-34 approach? a. Identify resource requirements b. Identify business processes c. Determine mission/business processes and recovery criticality d. Identify recovery priorities for system resources ANSWER: d
18. At what point in the incident lifecycle is the IR plan initiated? a. Before an incident takes place b. Once the DRP is activated c. When an incident is detected that affects it d. Once the BCP is activated ANSWER: c
19. Which of the following is the process of examining a possible incident and determining whether it constitutes an actual incident? a. Incident classification b. Incident identification c. Incident registration d. Incident verification ANSWER: a
20. Which of the following is a possible indicator of an actual incident? a. Unusual consumption of computing resources b. Activities at unexpected times c. Presence of hacker tools d. Reported attacks ANSWER: a
21. Which of the following is a definite indicator of an actual incident? a. Unusual system crashes b. Reported attack c. Presence of new accounts d. Use of dormant accounts ANSWER: d
22. Which of the following determines the scope of the breach of confidentiality, integrity, and availability of information and information assets? a. Incident report b. Incident damage assessment c. Information loss assessment d. Damage report ANSWER: b
23. After an incident, but before returning to its normal duties, the CSIRT must do which of the following? a. Create the incident damage assessment b. Conduct an after-action review c. Restore data from backups d. Restore services and processes in use ANSWER: b
24. Which of the following is a part of the incident recovery process? a. Identifying the vulnerabilities that allowed the incident to occur and spread b. Determining the event’s impact on normal business operations and, if necessary, making a disaster declaration c. Supporting personnel and their loved ones during the crisis d. Keeping the public informed about the event and the actions being taken to ensure the recovery of personnel and the enterprise ANSWER: a
25. Which of the following is the best example of a rapid-onset disaster? a. Flood b. Pest infestation c. Famine d. Environmental degradation ANSWER: a
26. Which of the following is usually conducted via leased lines or secure Internet connections whereby the receiving server archives the data as it is received? a. Database shadowing b. Timesharing c. Traditional backups d. Electronic vaulting ANSWER: d
27. Which of the following is the transfer of live transactions to an off-site facility? a. Remote journaling b. Electronic vaulting c. Database shadowing d. Timesharing ANSWER: a
28. When a disaster renders the current business location unusable, which plan is put into action? a. Business continuity b. Crisis management c. Incident response d. Business impact analysis ANSWER: a
29. Which of the following is true about a hot site? a. It is an empty room with standard heating, air conditioning, and electrical service. b. It includes computing equipment and peripherals with servers but not client workstations. c. It duplicates computing resources, peripherals, phone systems, applications, and workstations. d. All communications services must be installed after the site is occupied. ANSWER: c
30. In which type of site are no computer hardware or peripherals provided? a. Cold site b. Warm site c. Timeshare d. Hot site ANSWER: a
31. Which of the following is a responsibility of the crisis management team? a. Restoring the data from backups b. Evaluating monitoring capabilities c. Keeping the public informed about the event and the actions being taken d. Restoring the services and processes in use ANSWER: c
32. In which contingency plan testing strategy do individuals follow each and every IR/DR/BC procedure, including the interruption of service, restoration of data from backups, and notification of appropriate individuals? a. Desk check b. Simulation c. Structured walk-through d. Full-interruption ANSWER: d
33. In which contingency plan testing strategy do individuals participate in a role-playing exercise in which the CP team is presented with a scenario of an actual incident or disaster and expected to react as if it had occurred? a. Desk check b. Simulation c. Structured walk-through d. Parallel testing ANSWER: b
34. Which of the following allows investigators to determine what happened by examining the results of an event, whether criminal, natural, intentional, or accidental? a. Digital malfeasance b. E-discovery c. Forensics d. Evidentiary procedures ANSWER: c
35. Which document must be changed when evidence changes hands or is stored? a. Chain of custody b. Search warrant c. Affidavit d. Evidentiary material ANSWER: a
36. Which type of document grants formal permission for an investigation to occur? a. Affidavit b. Search warrant c. Evidentiary report d. Forensic concurrence ANSWER: b
37. Which of the following is an approach available to an organization as an overall philosophy for contingency planning reactions? a. Protect and forget b. After-action review c. Transfer to local/state/federal law enforcement d. Track, hack and prosecute ANSWER: a
38. In digital forensics, all investigations follow the same basic methodology. Which of the following should be performed first in a digital forensics investigation? a. Report the findings to the proper authority b. Acquire (seize) the evidence without alteration or damage c. Identify relevant items of evidentiary value (EM) d. Analyze the data without risking modification or unauthorized access ANSWER: c
39. The four components of contingency planning are the ____________________, the incident response plan, the disaster recovery plan, and the business continuity plan. ANSWER: BIA, Business Impact Analysis
40. If operations at the primary site cannot be quickly restored, the ____________________ occurs concurrently with the DR plan, enabling the business to continue at an alternate site. ANSWER: BCP, business continuity plan, BC plan
41. The ____________________ plan is a detailed set of processes and procedures that anticipate, detect, and mitigate the effects of an unexpected event that might compromise information resources and assets. ANSWER: incident response, IR, IR plan
42. A(n) ____________________ occurs when an attack affects information resources and/or assets, causing actual damage or other disruptions. ANSWER: incident
43. A(n) ____________________ is a document containing contact information of the individuals to notify in the event of an actual incident. ANSWER: alert roster
44. When dealing with an incident, the incident response team must conduct a(n) ____________________, which entails a detailed examination of the events that occurred from first detection to final recovery. ANSWER: after action review, after-action review, AAR
45. ____________________ planning ensures that critical business functions can continue if a disaster occurs. ANSWER: Business continuity, BC, business continuity
46. A(n) ____________________ is an agency that provides, in the case of DR/BC planning, physical facilities for a fee. ANSWER: service bureau
47. The bulk batch-transfer of data to an off-site facility is known as ____________________. ANSWER: electronic vaulting
48. In ____________________ testing of contingency plans, the individuals follow each and every procedure, including the interruption of service, restoration of data from backups, and notification of appropriate individuals. ANSWER: full-interruption, full interruption
49. The first component of the analysis phase of a digital forensic investigation is ___________, which allows the investigator to quickly and easily search for a specific type of file. ANSWER: indexing
50. What are the major components of contingency planning? ANSWER: Business impact analysis (BIA); Incident response plan (IR plan); Disaster recovery plan (DR plan); Business continuity plan (BC plan)
51. What teams are involved in contingency planning and contingency operations? ANSWER: contingency planning management team; incident response team; disaster recovery team; business continuity team
52. Explain the difference between a business impact analysis and the risk management process. ANSWER: One of the fundamental differences between a BIA and the risk management process is that risk management focuses on identifying the threats, vulnerabilities, and attacks to determine which controls can protect the information. The BIA assumes that these controls have been bypassed, have failed, or have otherwise proved ineffective, that the attack succeeded, and that the adversity that was being defended against has come to fruition.
53. When undertaking the BIA, what should the organization consider? ANSWER: Scope; Plan; Balance; Objective; Follow-up
54. List four of the eight key components of a typical IR policy. ANSWER: The key components of a typical IR policy are:
- Statement of management commitment
- Purpose and objectives of the policy
- Scope of the policy
- Definition of InfoSec incidents and related items
- Organizational structure and delineation of roles, responsibilities, and levels of authority
- Prioritization of severity ratings of incidents
- Performance measures
- Reporting and contact forms
55. There are six key elements that the CP team must build into the DR plan. What are three of them? ANSWER: The key elements that the CP team must build into the DRP are:
- Clear delegation of roles and responsibilities
- Execution of the alert roster and notification of key personnel
- Clear establishment of priorities
- Procedures for documentation of the disaster
- Action steps to mitigate the impact of the disaster on the operations of the organization
- Alternative implementations for the various system components, should primary versions be unavailable
56. List the seven steps of the incident recovery process according to Donald Pipkin. ANSWER: The incident recovery process involves the following steps:
- Identify the vulnerabilities that allowed the incident to occur and spread. Resolve them.
- Address the safeguards that failed to stop or limit the incident, or were missing from the system in the first place. Install, replace, or upgrade them.
- Evaluate monitoring capabilities (if present). Improve detection and reporting methods, or install new monitoring capabilities.
- Restore the data from backups.
- Restore the services and processes in use.
- Continuously monitor the system.
- Restore the confidence of the members of the organization’s communities of interest.
57. Compare and contrast a hot site, a warm site, and a cold site. ANSWER: Hot site: a hot site is a fully configured computer facility, with all services, communications links, and physical plant operations. It duplicates computing resources, peripherals, phone systems, applications, and workstations. Essentially, this duplicate facility needs only the latest data backups and the personnel to function. If the organization uses one of the off-site data services (electronic vaulting, remote journaling, or database shadowing), a hot site can be fully functional within minutes. Warm site: a warm site provides many of the same services and options as the hot site, but typically software applications are not included or are not installed and configured. A warm site frequently includes computing equipment and peripherals with servers but not client workstations. Overall, it offers many of the advantages of a hot site at a lower cost. The disadvantage is that several hours, or days, are required to make a warm site fully functional. Cold site: a cold site provides only rudimentary services and facilities. No computer hardware or peripherals are provided. All communications services must be installed after the site is occupied. A cold site is an empty room with standard heating, air conditioning, and electrical service. Everything else is an added-cost option. Despite these disadvantages, a cold site may be better than nothing. Its primary advantage is its low cost.
58. What are the three roles performed by the crisis management team? ANSWER: Supporting personnel and their loved ones during the crisis; Keeping the public informed about the event and the actions being taken to ensure the recovery of personnel and the enterprise; Communicating with major customers, suppliers, partners, regulatory agencies, industry organizations, the media, and other interested parties
59. Discuss three of the five strategies that can be used to test contingency strategies. ANSWER: Desk check: the CP testing strategy in which copies of the appropriate plans are distributed to all individuals who will be assigned roles during an actual incident or disaster; each individual reviews the plan and validates its components. Full-interruption testing: the CP testing strategy in which all team members follow each IR/DR/BC procedure, including those for interruption of service, restoration of data from backups, and notification of appropriate individuals. Simulation: the CP testing strategy in which the organization conducts a role-playing exercise as if an actual incident or disaster had occurred. The CP team is presented with a scenario in which all members must specify how they would react and communicate their efforts. Structured walk-through: the CP testing strategy in which all involved individuals walk through a site and discuss the steps they would take during an actual CP event. A walk-through can also be conducted as a conference room talk-through. Talk-through: a form of structured walk-through in which individuals meet in a conference room and discuss a CP plan rather than walking around the organization.
60. Describe the methodology an organization should follow in an investigation. ANSWER: In digital forensics, all investigations follow the same basic five-stage methodology:
1. Identify relevant items of evidentiary value (EM)
2. Acquire (seize) the evidence without alteration or damage
3. Take steps to assure that the evidence is verifiably authentic at every step and is unchanged from the time it was seized
4. Analyze the data without risking modification or unauthorized access
5. Report the findings to the proper authority
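Questions 35 and 60 describe the chain-of-custody record and the requirement that seized evidentiary material be verifiably unchanged at every hand-off, but the test bank never shows what "verifiably" means in practice. The following is an added example, not code from the test bank or from Cengage: it hashes a seized item at acquisition, appends a chain-of-custody entry every time the item changes hands or is stored, and re-checks the hash on each hand-off so that a modified image is caught at the transfer rather than in court. The item identifier, handler names and the "disk image" bytes are constructed for the demonstration; in a real acquisition the image would be read through a write blocker and analysis would be performed on a verified working copy.

```python
"""Evidence integrity and chain-of-custody logging (added example).

Demonstrates stage 3 of the five-stage forensic methodology (evidence
verifiably authentic and unchanged at every step) and the rule that the
chain-of-custody record is updated whenever evidence changes hands or
is stored. All identifiers and data below are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timezone


def evidence_hash(data: bytes) -> str:
    """SHA-256 fingerprint taken at seizure and re-checked at every hand-off."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    timestamp: str
    handler: str
    action: str   # "seized", "transferred", "stored", "analyzed", ...
    sha256: str   # hash of the item as observed by this handler


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    seizure_hash: str
    custody: list[CustodyEntry] = field(default_factory=list)

    def record(self, handler: str, action: str, data: bytes) -> CustodyEntry:
        """Append a chain-of-custody entry, recomputing the hash on hand-off.

        The entry is written before the check so that a failed verification
        is itself part of the record. Raises ValueError on mismatch.
        """
        current = evidence_hash(data)
        entry = CustodyEntry(
            timestamp=datetime.now(timezone.utc).isoformat(),
            handler=handler,
            action=action,
            sha256=current,
        )
        self.custody.append(entry)
        if not hmac.compare_digest(current, self.seizure_hash):
            raise ValueError(f"{self.item_id}: hash mismatch at '{action}' by {handler}")
        return entry

    def is_intact(self) -> bool:
        """True only if every recorded hash equals the hash taken at seizure."""
        return all(hmac.compare_digest(e.sha256, self.seizure_hash) for e in self.custody)


def seize(item_id: str, description: str, handler: str, data: bytes) -> EvidenceItem:
    """Stage 2: acquire the evidence and fingerprint it immediately."""
    item = EvidenceItem(item_id, description, evidence_hash(data))
    item.record(handler, "seized", data)
    return item


def demo_custody_chain() -> tuple[bool, bool]:
    """Walk one constructed item through a clean chain, then a tampered hand-off.

    Returns (intact_after_clean_chain, tamper_detected).
    """
    # Constructed stand-in for a disk image (hypothetical; not real evidence).
    image = b"EXAMPLE-DISK-IMAGE\x00" * 64
    item = seize("EM-001", "laptop disk image (constructed)", "analyst A", image)
    item.record("evidence custodian", "stored", image)
    item.record("analyst B", "analyzed", image)   # analysis on a verified copy
    clean = item.is_intact()

    tampered = image[:-1] + b"\x01"               # one byte altered after seizure
    try:
        item.record("analyst C", "transferred", tampered)
        detected = False
    except ValueError:
        detected = True
    return clean, detected


if __name__ == "__main__":
    print(demo_custody_chain())   # (True, True)
```

The failing hand-off is deliberately kept in the custody list: an investigator needs the record to show who held the item when its hash stopped matching, not just that it stopped matching.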

What is the amount of effort, expressed as elapsed time, needed to make business functions work again after the technology element is recovered?

That is the work recovery time (WRT), not the RTO. The recovery time objective (RTO) covers restoring the technology element itself; the WRT is the additional elapsed time needed to get the business function working again once the technology is back. The MTD includes all impact considerations, so MTD = RTO + WRT.

What is the total amount of time the system owner or authorizing official is willing to accept for a business process outage or disruption?

According to NIST SP 800-34 Rev. 1, the Maximum Tolerable Downtime (MTD) represents the total amount of time the system owner/authorizing official is willing to accept for a mission/business process outage or disruption and includes all impact considerations.

What is the information security principle that requires significant tasks to be split up so that more than one individual is required to complete them?

Separation of duties. It requires that a significant task be divided so that no single person can complete it alone, which forces collusion for fraud or sabotage. It should not be confused with least privilege, the principle by which members of the organization can access only the minimum amount of information for the minimum amount of time necessary to perform their required duties.