cyb155
Root cause analysis is the coherent application of methodical investigatory techniques to present evidence of crimes in a court or similar setting. False True
False
The disaster recovery preparation team (DRPT) is the team responsible for designing and managing the DR plan by specifying the organization's preparation, response, and recovery from disasters. _____ True False
False
The total time needed to place the business function back in service must be longer than the maximum tolerable downtime. False True
False
The work response time (WRT) is the amount of effort (expressed as elapsed time) needed to make business functions work again after the technology element is recovered. _____ True False
False
The detailed documentation of the collection, storage, transfer, and ownership of evidentiary material from the crime scene through its presentation in court and its eventual disposition is called a(n) _____. search warrant chain of evidence audit trail evidence affidavit
chain of evidence
The CPMT should include a _____ who is a high-level manager to support, promote, and endorse the findings of the project and could be the COO or (ideally) the CEO/president. champion executive-in-charge project instigator project manager
champion
Ideally, the _____, systems administrators, the chief information security officer (CISO), and key IT and business managers should be actively involved during the creation and development of all CP components. chief executive officer (CEO) senior auditor chief information officer (CIO) chief financial officer (CFO)
chief information officer (CIO)
The transfer of large batches of data to an off-site facility, usually through leased lines or services, is called ____. off-site storage database shadowing remote journaling electronic vaulting
electronic vaulting
A fundamental difference between a BIA and risk management is that risk management focuses on identifying threats, vulnerabilities, and attacks to determine which controls can protect information, while the BIA assumes _____. controls have failed All of the above controls have been bypassed controls have proven ineffective
All of the above
The CPMT conducts the BIA in three stages. Which of the following is NOT one of those stages? Identify recovery priorities for system resources Determine mission/business processes and recovery criticality All of these are BIA stages Identify resource requirements
All of these are BIA stages
_____ is the rapid determination of the scope of the breach in the confidentiality, integrity, and availability of information and information assets during or just following an incident. Incident response Damage assessment Containment development Disaster assessment
Damage assessment
A business influence analysis (BIA) is an investigation and assessment of adverse events that can affect the organization. False True
False
A business policy is a task performed by an organization or one of its units in support of the organization's overall mission and operations. _____ False True
False
A cold site provides many of the same services and options of a hot site, but at a lower cost. False True
False
A disaster recovery plan shows the organization's intended efforts to establish operations at an alternate site in the aftermath of a disaster. True False
False
A planning check is a testing strategy in which copies of the appropriate plans are distributed to all individuals who will be assigned roles during an actual incident or disaster. _____ True False
False
A rapid-onset disaster is one that gradually degrades the capacity of an organization to withstand their effects. False True
False
A recovery time objective (RTO) is the total amount of time the system owner or authorizing official is willing to accept for a business process outage or disruption. False True
False
A(n) DR plan ensures that critical business functions continue if a catastrophic incident or disaster occurs. _____ True False
False
A(n) alarming event is an event with negative consequences that could threaten the organization's information assets or operations. _____ True False
False
An affidavit is permission to search for evidentiary material at a specified location or to seize items to return to an investigator's lab for examination. True False
False
An after-action re-assessment is an opportunity for everyone who was involved in an incident or disaster to sit down and discuss what happened. _____ True False
False
An after-action review is an opportunity for everyone who was involved in planning for an incident or disaster to sit down and discuss what will happen when the plan is implemented. True False
False
An external event is an event with negative consequences that could threaten the organization's information assets or operations; also referred to as an incident candidate. False True
False
An incident is an adverse event that could result in a loss of information assets and threatens the viability of the entire organization. False True
False
Changes to systems logs are a possible indicator of an actual incident. True False
False
Crisis response is an organization's set of planning and preparation efforts for dealing with potential human injury, emotional trauma, or loss of life as a result of a disaster. False True
False
Database shadowing duplicates data in real-time data storage, but does not back up the databases at the remote site. False True
False
Incident detail assessment is used to determine the impact from a breach of confidentiality, integrity, and availability on information and information assets. _____ True False
False
Procedures are planned for each identified incident scenario with incident handling procedures established for before and during the incident. True False
False
Reported attacks are a definite indicator of an actual incident. _____ False True
False
Two ways to activate an alert roster are simultaneously and in parallel. False True
False
Each of the following is a role for the crisis management response team EXCEPT: Keeping the public informed about the event Informing local emergency services to respond to the crisis Supporting personnel and their loved ones during the crisis Communicating with major customers and other stakeholders
Informing local emergency services to respond to the crisis
Which type of organizations should prepare for the unexpected? Only those without good insurance. Organizations of every size and purpose should also prepare for the unexpected. Large organizations which have many assets at risk. Small organizations that can easily recover.
Organizations of every size and purpose should also prepare for the unexpected.
____ uses a number of hard drives to store information across multiple drive units. Virtualization RAID Continuous database protection Legacy backup
RAID
Which of these is the primary reason contingency response teams should not have overlapping membership with one person on multiple teams? To spread the work out among more people. To avoid cross-division rivalries. So individuals don't find themselves with different responsibilities in different locations at the same time. To allow people to specialize in one area.
So individuals don't find themselves with different responsibilities in different locations at the same time.
A business process is a task performed by an organization or one of its units in support of the organization's overall mission and operations. False True
True
A business process is a task performed by an organization or one of its units in support of the organization's overall mission and operations. True False
True
A service bureau is an agency that provides a service for a fee. _____ True False
True
An affidavit is a sworn testimony that certain facts are in the possession of an investigating officer and that they warrant the examination of specific items located at a specific place. True False
True
Prior to the development of each of the types of contingency planning documents, the CP team should work to develop the policy environment. _____ False True
True
Prior to the development of each of the types of contingency planning documents, the CP team should work to develop the policy environment. True False
True
Reported attacks are a probable indicator of an actual incident. False True
True
The business impact analysis is a preparatory activity common to both CP and risk management. True False
True
The business impact analysis is a preparatory activity common to both CP and risk management. True False
True
The organization must choose one of two philosophies that will affect its approach to IR and DR as well as subsequent involvement of digital forensics and law enforcement: protect and forget or apprehend and prosecute. _____ False True
True
The organization must choose one of two philosophies that will affect its approach to IR and DR as well as subsequent involvement of digital forensics and law enforcement: the two approaches are protect and forget, and apprehend and prosecute. False True
True
The process of examining an incident candidate and determining whether it constitutes an actual incident is called incident classification. _____ False True
True
The recovery point objective (RPO) is the point in time prior to a disruption or system outage to which mission/business process data can be recovered after an outage. _____ True False
True
The work recovery time (WRT) is the amount of effort (expressed as elapsed time) needed to make business functions work again after the technology element is recovered. True False
True
A(n) _____ is a document containing contact information for the people to be notified in the event of an incident. phone list call registry alert roster emergency notification system
alert roster
Most common data backup schemes involve ______. both a and/or b RAID disk-to-disk-to-cloud neither a nor b
both a and/or b
A ____ site provides only rudimentary services and facilities. hot cold commercial warm
cold
The most common schedule for tape-based backup is a _____ backup, either incremental or differential, with a weekly off-site full backup. hourly off-site 12-hour on-site daily on-site daily off-site
daily on-site
The storage of duplicate online transaction data, along with the duplication of the databases, at a remote site on a redundant server is called _____. application recovery electronic vaulting remote journaling database shadowing
database shadowing
A crime involving digital media, computer technology, or related components may best be called an act of _____. digital malfeasance computer trespass digital abuse computer theft
digital malfeasance
The process of examining an adverse event or incident and determining whether it constitutes an actual disaster is known as _____. incident review disaster classification event escalation disaster indication
disaster classification
An organization aggregates all local backups to a central repository and then backs up that repository to an online vendor with a ____ backup strategy. RAID disk-to-disk-to-cloud differential disk-to-disk-to-tape
disk-to-disk-to-cloud
A resumption location known as a ____ is a fully configured computer facility capable of establishing operations at a moment's notice. mobile site service bureau hot site cold site
hot site
The total amount of time the system owner or authorizing official is willing to accept for a business process outage or disruption is _____. recovery point objective (RPO) maximum tolerable downtime (MTD) work recovery time (WRT) recovery time objective (RTO)
maximum tolerable downtime (MTD)
A potential disadvantage of a timeshare site-resumption strategy is: more expensive than other options all of the above requires additional investment in time and technology to get up to speed in the event of a disaster more than one organization might need the facility
more than one organization might need the facility
Digital forensics involves the _____, identification, extraction, documentation, and interpretation of digital media. preservation determination investigation confiscation
preservation
The point in time before a disruption or system outage to which business process data can be recovered after an outage is ____. work recovery time (WRT) maximum tolerable downtime (MTD) recovery point objective (RPO) recovery time objective (RTO)
recovery point objective (RPO)
Data backup should be based on a(n) ____ policy that specifies how long log data should be maintained. incident response replication business resumption retention
retention
A ____ is a contractual document guaranteeing certain minimal levels of service provided by a vendor. time-share agreement mutual agreement memorandum of understanding service agreement
service agreement
A(n) disaster is any adverse event that could result in loss of an information asset or assets, but does not currently threaten the viability of the entire organization. _____ True False
False
A(n) disaster recovery plan includes the steps necessary to ensure the continuation of the organization when a disaster's scope or scale exceeds the ability of the organization to restore operations, usually through relocation of critical business functions to an alternate location. _____ True False
False
A(n) sequential roster is activated as the first person calls a few people on the roster, who in turn call a few other people. _____ True False
False
The computer security incident response team is composed solely of technical IT professionals who are prepared to detect, react to, and recover from an incident. True False
False
The continuity planning management team (CPMT) is the group of senior managers and project members organized to conduct and lead all contingency planning efforts. True False
False
Use of dormant accounts is a probable indicator of an actual incident. True False
False
An attack, breach of policy, or other incident always constitutes a violation of law, requiring notification of law enforcement. True False
False
An alert message is a description of the incident or disaster that usually contains just enough information so that each person knows what portion of the IR or DR plan to implement without slowing down the notification process. False True
True
Disaster classification is the process of examining an adverse event or incident and determining whether it constitutes an actual disaster. True False
True
Evidentiary material is any information that could potentially support an organization's legal or policy-based case against a suspect. True False
True
Forensics can provide a determination of the source or origin of an event, problem, or issue like an incident. False True
True
Incident classification is the process of examining an adverse event or incident candidate and determining whether it constitutes an actual incident. False True
True
Incident damage assessment is used to determine the impact from a breach of confidentiality, integrity, and availability on information and information assets. True False
True
Incident response is an organization's set of planning and preparation efforts for detecting, reacting to, and recovering from an incident. True False
True
The chain of evidence is the detailed documentation of the collection, storage, transfer, and ownership of evidentiary material from the crime scene through its presentation in court and its eventual disposition. True False
True
The disaster recovery planning team (DRPT) is the team responsible for designing and managing the DR plan by specifying the organization's preparation, response, and recovery from disasters. False True
True
Using a service bureau is a BC strategy in which an organization contracts with a service agency to provide a facility for a fee. False True
True
The sworn testimony that certain facts are in the possession of an investigating officer and that they warrant the examination of specific items located at a specific place is called a(n) _____. writ of habeas corpus affidavit search warrant sworn warrant
affidavit
The maximum amount of time that a system resource can remain unavailable before there is an unacceptable impact on other system resources is ____. recovery time objective (RTO) recovery point objective (RPO) maximum tolerable downtime (MTD) work recovery time (WRT)
recovery time objective (RTO)
The transfer of transaction data in real time to an off-site facility is called ____. electronic vaulting database shadowing remote journaling off-site storage
remote journaling
A ____ is an agency that provides physical facilities in the event of a disaster for a fee. cold site time-share mobile site service bureau
service bureau