Chapter 4 & 5 - Risk Management and Incident Response
Summarize the strategies that can be chosen by an organization when planning for business continuity.
1. Empower your team. 2. Enhance your reporting. 3. Keep communication constant. 4. Automate as much as possible. 5. Provide the necessary tools.
A(n) _____ is a detailed examination of the events that occurred during an incident or disaster, from first detection to final recovery.
AAR (after-action review)
Risk _____ defines the quantity and nature of risk that organizations are willing to accept as they evaluate the tradeoffs between perfect security and unlimited accessibility.
Appetite
A threat _____ is an evaluation of the threats to information assets, including a determination of their likelihood of occurrence and potential impact of an attack.
Assessment
____ is the process of assigning financial value or worth to each information asset.
Asset valuation
Of the three types of mitigation plans, the _____ plan is the most strategic and long-term, as it focuses on the steps to ensure the continuation of the organization.
Business Continuity
The CPMT should include a _____, a high-level manager who supports, promotes, and endorses the findings of the project; this could be the COO or (ideally) the CEO/president.
Champion
Ideally, the _____, systems administrators, the chief information security officer (CISO), and key IT and business managers should be actively involved during the creation and development of all CP components.
Chief Information Officer
_____ are the fixed moral attitudes or customs of a particular group.
Cultural Mores
The most common schedule for tape-based backup is a _____ backup, either incremental or differential, with a weekly off-site full backup.
Daily on-site
Incident _____ assessment is used to determine the impact from a breach of confidentiality, integrity, and availability on information and information assets.
Damage
_____ is the rapid determination of the scope of the breach in the confidentiality, integrity, and availability of information and information assets during or just following an incident.
Damage Assessment
_____ use allows copyrighted materials to be used to support news reporting, teaching, scholarship, and similar activities, if the use is for educational or library purposes, is not for profit, and is not excessive.
Fair
A data classification scheme is a formal access control methodology used to assign a level of availability to an information asset and thus restrict the number of people who can access it.
False
A recovery time objective (RTO) is the total amount of time the system owner or authorizing official is willing to accept for a business process outage or disruption.
False
A security clearance is a component of a data classification scheme that assigns a status level to systems to designate the maximum level of classified data that may be stored on them.
False
A(n) DR plan ensures that critical business functions continue if a catastrophic incident or disaster occurs. _____
False
A(n) disaster recovery plan includes the steps necessary to ensure the continuation of the organization when a disaster's scope or scale exceeds the ability of the organization to restore operations, usually through relocation of critical business functions to an alternate location. ______________
False
An attack, breach of policy, or other incident always constitutes a violation of law, requiring notification of law enforcement.
False
Changes to system logs are a possible indicator of an actual incident.
False
Cost-benefit analyses (CBAs) cannot be calculated after controls have been functioning for a time, as observation over time prevents precision in evaluating the benefits of the safeguard and determining whether it is functioning as intended.
False
In a cost-benefit analysis, a single loss expectancy (SLE) is the calculated value associated with the most likely loss from an attack; the SLE is the product of the asset's value and the annualized loss expectancy.
False
Knowing yourself means identifying, examining, and understanding the threats facing the organization's information assets.
False
Risk acceptance defines the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility. _____
False
Risk perception is the assessment of the amount of risk an organization is willing to accept for a particular information asset, typically part of the risk appetite. _____
False
The computer security incident response team is composed solely of technical IT professionals who are prepared to detect, react to, and recover from an incident.
False
When an organization depends on IT-based systems to remain viable, InfoSec and the discipline of asset management must become an integral part of the economic basis for making business decisions. _____
False
Which of the following acts is also widely known as the Gramm-Leach-Bliley Act?
Financial Services Modernization Act
A resumption location known as a ____ is a fully configured computer facility capable of establishing operations at a moment's notice.
Hot site
Each of the following is a role for the crisis management response team EXCEPT:
Informing local emergency services to respond to the crisis
Understanding the _____ context means understanding elements that could impact or influence the RM process such as the organization's governance structure (or lack thereof), the organization's internal stakeholders, as well as the organization's culture.
Internal
The probability that a specific vulnerability within an organization will be attacked by a threat is known as _____
Likelihood
_____ is the probability that a specific vulnerability within an organization's assets will be successfully attacked.
Likelihood
The total amount of time the system owner or authorizing official is willing to accept for a business process outage or disruption is _____.
MTD ( Maximum tolerable downtime)
The _____ risk treatment strategy attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards.
Mitigation
When deciding which information assets to track, consider the following asset attributes: people, _____, data, software, and hardware.
Procedures
____ uses a number of hard drives to store information across multiple drive units
RAID
The maximum amount of time that a system resource can remain unavailable before there is an unacceptable impact on other system resources is ____.
Recovery Time Objective (RTO)
As each information asset is identified, categorized, and classified, a(n) _____ value must be assigned to it.
Relative
The transfer of transaction data in real-time to an off-site facility is called ____.
Remote journaling
Incident _____ is the set of activities taken to plan for, detect, and correct the impact of an incident on information assets.
Response
_____ equals the probability of a successful attack multiplied by the expected loss from a successful attack plus an element of uncertainty.
Risk
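A worked example of the arithmetic behind two groups of cards above: the cost-benefit cards (CBA, SLE, ALE) in the true/false block and the risk formula card just above this one. This is an added illustration for this study set, not code from the textbook. The asset names, likelihoods, impact scores, dollar figures and the reading of the "+ uncertainty" term as a percentage of the base rating are all constructed assumptions of this example.

```python
"""Risk rating, SLE/ALE and CBA arithmetic from the risk-management chapter.

Added illustration for this study set, not code from the textbook. Formulas:
  risk rating = likelihood * impact + uncertainty            (flashcard wording)
  SLE = asset value * exposure factor (EF)
  ALE = SLE * annualized rate of occurrence (ARO)
  CBA = ALE(prior) - ALE(post) - annual cost of safeguard (ACS)
Every asset, threat and dollar figure below is constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TVAEntry:
    """One asset/threat pairing from a TVA-style worksheet (constructed data)."""
    asset: str
    threat: str
    likelihood: float   # probability the vulnerability is successfully attacked (0-1)
    impact: float       # relative value of the asset, i.e. expected loss (0-100 scale)
    uncertainty: float  # fraction of the rating we are unsure about (0-1)

    def risk_rating(self) -> float:
        # Probability x expected loss, plus an uncertainty element. Treating the
        # uncertainty as a percentage of the base rating (10% unknown adds 10%)
        # is this example's assumption about how to apply the "+ uncertainty" term.
        base = self.likelihood * self.impact
        return round(base + base * self.uncertainty, 2)


def rank_by_risk(entries):
    """Highest rating first: the prioritised list a TVA worksheet is built from."""
    return sorted(entries, key=lambda e: e.risk_rating(), reverse=True)


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single loss expectancy: asset value times the fraction lost in one incident.
    It is NOT asset value times ALE; ALE is derived from SLE, not the reverse."""
    return asset_value * exposure_factor


def ale(single_loss: float, aro: float) -> float:
    """Annualized loss expectancy: expected loss per year."""
    return single_loss * aro


def cba(ale_prior: float, ale_post: float, acs: float) -> float:
    """Cost-benefit of a safeguard; positive means the control pays for itself."""
    return ale_prior - ale_post - acs


def evaluate_safeguard(asset_value, ef_prior, aro_prior, ef_post, aro_post, acs):
    """Compare ALE before and after a proposed control and return the CBA figures.

    The same call works after the control has been running for a while: pass the
    observed EF/ARO instead of the estimates to re-check the original decision.
    """
    ale_prior = ale(sle(asset_value, ef_prior), aro_prior)
    ale_post = ale(sle(asset_value, ef_post), aro_post)
    benefit = cba(ale_prior, ale_post, acs)
    return {
        "ale_prior": round(ale_prior, 2),
        "ale_post": round(ale_post, 2),
        "cba": round(benefit, 2),
        "justified": benefit > 0,
    }


# Constructed TVA worksheet rows for a hypothetical organisation.
SAMPLE_TVA = [
    TVAEntry("Customer DB", "SQL injection", likelihood=0.5, impact=80, uncertainty=0.10),
    TVAEntry("Web server", "DDoS", likelihood=0.8, impact=40, uncertainty=0.20),
    TVAEntry("Backup tapes", "Theft in transit", likelihood=0.1, impact=90, uncertainty=0.0),
    TVAEntry("Payroll system", "Insider fraud", likelihood=0.3, impact=70, uncertainty=0.25),
]

if __name__ == "__main__":
    for e in rank_by_risk(SAMPLE_TVA):
        print(f"{e.risk_rating():6.2f}  {e.asset} / {e.threat}")
    # Constructed figures: a $1M database losing 25% of its value per breach, one
    # breach every two years; a proposed control cuts exposure to 5% at $40k/year.
    print(evaluate_safeguard(1_000_000, 0.25, 0.5, 0.05, 0.5, 40_000))
```

Running it ranks the customer database ahead of the web server even though the web server is more likely to be attacked, because the rating weighs likelihood against impact rather than likelihood alone. The safeguard evaluation comes out positive (ALE falls from $125,000 to $25,000 against a $40,000 annual cost), so the control is justified on these constructed numbers.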
Risk _____ is a determination of the extent to which an organization's information assets are exposed to risk.
Assessment
A service bureau is an agency that provides a service for a fee. _____
True
Establishing a competitive business model, method, or technique enables an organization to provide a product or service that is superior and creates a(n) competitive advantage. _____
True
Incident classification is the process of examining an adverse event or incident candidate and determining whether it constitutes an actual incident.
True
Incident response is an organization's set of planning and preparation efforts for detecting, reacting to, and recovering from an incident.
True
Prior to the development of each of the types of contingency planning documents, the CP team should work to develop the policy environment. _____
True
Residual risk is the risk that organizations are willing to accept even after current controls have been applied.
True
Risk control, also known as risk treatment, is the application of controls that reduce the risks to an organization's information assets to an acceptable level.
True
The code of ethics put forth by (ISC)² focuses on four mandatory canons: "Protect society, the commonwealth, and the infrastructure; act honorably, honestly, justly, responsibly, and legally; provide diligent and competent service to principals; and advance and protect the profession." _____
True
The disaster recovery preparation team (DRPT) is the team responsible for designing and managing the DR plan by specifying the organization's preparation, response, and recovery from disasters.
True
The organization must choose one of two philosophies that will affect its approach to IR and DR as well as subsequent involvement of digital forensics and law enforcement: the two approaches are protect and forget, and apprehend and prosecute.
True
The threats-vulnerabilities-assets (TVA) worksheet is a document that shows a comparative ranking of prioritized assets against prioritized threats, with an indication of any vulnerabilities in the asset/threat pairings.
True
The upper management of an organization must structure the IT and information security functions to defend the organization's information assets.
True
The value of information to the organization's competition should influence the asset's valuation.
True
To determine if the risk to an information asset is acceptable or not, you estimate the expected loss the organization will incur if the risk is exploited.
True
Flaws or weaknesses in an information asset, security procedure, design, or control that can be exploited accidentally or on purpose to breach security are known as _____.
Vulnerabilities
A(n) _____ plan ensures that critical business functions continue if a catastrophic incident or disaster occurs.
business continuity
A fundamental difference between a BIA and risk management is that risk management focuses on identifying threats, vulnerabilities, and attacks to determine which controls can protect information, while the BIA assumes _____.
controls have proven ineffective; controls have failed; controls have been bypassed; all of the above
In 2002, Congress passed the Federal Information Security Management Act (FISMA), which mandates that all federal agencies _____
develop policies and procedures based on risk assessments; provide security awareness training; perform periodic assessments of risk; all of the other answers are correct
An organization aggregates all local backups to a central repository and then backs up that repository to an online vendor with a ____ backup strategy.
disk-to-disk-to-cloud
A potential disadvantage of a timeshare site-resumption strategy is:
more than one organization might need the facility