Domain 4 - Incident Management 30%
Which of the following BEST contributes to the design of data restoration plans? A. Transaction turnaround time B. Mean time between failures C. Service delivery objectives D. The duration of the data restoration job
Service delivery objectives Justification Transaction turnaround time may be a concern when the effectiveness of an application system is evaluated. Normally it is not the main agenda in the restoration stage. Mean time between failures (MTBF) is the predicted elapsed time between inherent failures of a system during operation. MTBF is not a factor in determining restoration of data. The service delivery objective (SDO) relates directly to the business needs; SDO is the level of services to be reached during the alternate process mode until the normal situation is restored. The duration of a data restoration job may be of secondary importance. The strategic importance of data should be considered first.
To determine how a security breach occurred on the corporate network, a security manager looks at the logs of various devices. Which of the following BEST facilitates the correlation and review of these logs? A. Database server B. Domain name server C. Time server D. Proxy server
Time server Justification The database server would not assist in the correlation and review of the logs. The domain name server would not assist in the correlation and review of the logs. To accurately reconstruct the course of events, a time reference is needed, and that is provided by the time server. The proxy server would not assist in the correlation and review of the logs.
A newly hired information security manager examines the 10-year-old business continuity plan and notes that the maximum tolerable outage (MTO) is much shorter than the allowable interruption window (AIW). What action should be taken as a result of this information? A. Reassess the MTO. B. Conduct a business impact analysis and update the plan. C. Increase the service delivery objective. D. Take no action; MTO is not related to AIW.
Conduct a business impact analysis and update the plan. Justification Performing a business impact analysis (BIA) will include reassessment of the maximum tolerable outage (MTO); until that time, there is no way to determine whether it is the MTO or the allowable interruption window (AIW) that is incorrect. The first issue is to determine whether the plan is current and then update requirements as necessary. The BIA will most likely be a collaborative effort with the business process owners. The service delivery objective will need to be updated by performing a BIA. The MTO should always be at least equal to the AIW and is generally longer.
Evidence from a compromised server must be acquired for a forensic investigation. What would be the BEST source? A. A bit-level copy of the hard drive B. The last verified backup stored offsite C. Data from volatile memory D. Backup servers
A bit-level copy of the hard drive Justification The bit-level copy image file ensures forensic quality evidence that is admissible in a court of law. The last verified backup will not copy everything and will not provide a forensic quality image for investigative work. Dumping memory runs the risk that swap files or other disk activities will alter disk-based evidence. Standard advice from law enforcement is to pull the power plug on the compromised server to maximize preservation of evidence. Backup servers may not have been compromised.
An enterprise's chief information security officer would like to ensure that operations are prioritized correctly for recovery in case of a disaster. Which of the following would be the BEST to use? A. A business impact analysis B. An enterprise risk assessment C. A business process map D. A threat statement
A business impact analysis Justification A business impact analysis (BIA) ensures that operations are prioritized correctly for recovery in case of a disaster. An enterprise risk assessment would not support prioritization of system recovery. A business process map would not support prioritization of system recovery. A threat statement would not support prioritization of system recovery.
Which of the following should be the PRIMARY basis for making a decision to establish an alternate site for disaster recovery? A. A business impact analysis, which identifies the requirements for availability of critical business processes B. Adequate distance between the primary site and the alternate site so that the same disaster does not simultaneously impact both sites C. A benchmarking analysis of similarly situated enterprises in the same geographic region to demonstrate due diligence D. Differences between the regulatory requirements applicable at the primary site and those at the alternate site
A business impact analysis, which identifies the requirements for availability of critical business processes Justification The business impact analysis will help determine the recovery time objective and recovery point objective for the enterprise. This information will drive the decision on the requirements for an alternate site. Natural disasters are just one of many factors that an enterprise must consider when it decides whether to pursue an alternate site for disaster recovery. While a benchmark could provide useful information, the decision should be based on a BIA, which considers factors specific to the enterprise. Regulatory requirements are just one of many factors that an enterprise must consider when it decides whether to pursue an alternate site for disaster recovery.
If an enterprise has a requirement for continuous operations, which of the following approaches would be BEST to test response and recovery? A. A full interruption test B. A simulation test C. A parallel test D. A structured walk-through
A parallel test Justification A full interruption test, in which operations are shut down at the primary site and shifted to the recovery site, is the most stringent form of response and recovery testing, but it is potentially disruptive. Even though the enterprise in this scenario might accept the cost of such a test, the need for continuous operations makes it inappropriate. Simulation testing addresses people and processes but does not address startup recovery-site operations; therefore, it provides a lower level of assurance than a parallel test would provide. The enterprise in this scenario requires continuous operations. A parallel test, in which operations are brought online at the recovery site alongside primary-site operations, is the closest an enterprise can come to full testing without risking a business impact; therefore, it is the best fit for the requirement. Structured walk-throughs are pen-and-paper activities. A walk-through may help identify constraints, deficiencies and opportunities for enhancement, but the level of assurance it provides is low relative to a parallel test.
Which of the following is the BEST indicator that operational risk is effectively managed in an enterprise? A. A tested business continuity plan/disaster recovery plan B. An increase in timely reporting of incidents by employees C. Extent of risk management education D. Regular review of risk by senior management
A tested business continuity plan/disaster recovery plan Justification A tested business continuity plan/disaster recovery plan is the best indicator that operational risk is managed effectively in the enterprise. Reporting incidents by employees is an indicator but not the best choice, because it is dependent upon the knowledge of the employees. Extent of risk management education is not correct, because it may not necessarily indicate that risk is effectively managed in the enterprise. A high level of risk management education would help but would not necessarily mean that risk is managed effectively. Regular review of risk by senior management is not correct because it may not necessarily indicate that risk is effectively managed in the enterprise. Top management involvement would greatly help but would not necessarily mean that risk is managed effectively.
What is the MOST appropriate IT incident response management approach for an enterprise that has outsourced its IT and incident management function? A. A tested plan and a team to provide oversight B. An individual to serve as the liaison between the parties C. Clear notification and reporting channels D. A periodic audit of the provider's capabilities
A tested plan and a team to provide oversight Justification An approved and tested plan will provide assurance of the provider's ability to address incidents within an acceptable recovery time, and an internal team's ability to provide oversight and liaison functions that ensure the response is executed according to plan. Identifying a liaison is not sufficient by itself to provide assurance of adequate incident response performance. Notification and reporting is not a sufficient assurance of suitable response activities and provides no capability for input, participation or addressing related issues in a timely manner. Audits provide a periodic snapshot of the sufficiency of the provider's plans and capabilities but are not adequate to manage collateral and consequential issues in the event of a significant incident.
Which of the following choices is the MOST important incident response resource for timely identification of an information security incident? A. A fully updated intrusion detection system B. Multiple channels for distribution of information C. A well-defined and structured communication plan D. A regular schedule for review of network device logs
A well-defined and structured communication plan Justification Not all information security incidents originate from the network; an intrusion detection system will provide no detection value for a variety of incident types. Diversifying the means of communication increases the odds that information reaches the people to whom it is sent, but it does nothing to ensure that the correct people receive the correct information at the correct time. An incident is not identified within an enterprise until it is declared, which is a business responsibility beyond the scope of the technical staff. A well-defined and structured communication plan ensures that information flows from the technical staff to decision makers in a timely fashion, allowing incidents to be recognized, declared and appropriately addressed. Reviewing logs provides an opportunity to identify irregular traffic patterns that may indicate an information security incident, but these logs provide insight into only a subset of attack vectors (e.g., external penetration would generally be covered, but insider threats may not). Additionally, if analysts who identify potentially revealing information do not have mechanisms in place to share those revelations with others in the enterprise, an effective response is less likely.
While a disaster recovery exercise in the enterprise's hot site successfully restored all essential services, the test was deemed a failure. Which of the following circumstances would be the MOST likely cause? A. The maximum tolerable outage exceeded the acceptable interruption window (AIW). B. The recovery plans specified outdated operating system versions. C. Some restored systems exceeded service delivery objectives. D. Aggregate recovery activities exceeded the AIW.
Aggregate recovery activities exceeded the AIW. Justification The maximum tolerable outage, the amount of time the enterprise can operate in alternate mode, would normally exceed the acceptable interruption window (AIW). While a difference in operating system versions might cause a delay, it would probably be minor. Service delivery objectives (SDOs) are directly related to the business needs. The SDO is the level of services to be reached during the alternate process mode until the normal situation is restored. Not meeting SDOs on some systems might be a concern but would not necessarily lead to the conclusion that the test was a failure. Exceeding the AIW would cause the enterprise significant damage and must be avoided. The acceptable interruption window is the maximum period of time that a system can be unavailable before compromising the achievement of the enterprise's business objectives.
What is the PRIMARY factor that should be taken into consideration when designing the technical solution for a disaster recovery site? A. Service delivery objective B. Recovery time objective C. Allowable interruption window D. Maximum tolerable outage
Allowable interruption window Justification The service delivery objective is the required level of functionality that must be supported during the alternate process mode until the normal situation is restored, which is directly related to business needs. The recovery time objective (RTO) is commonly agreed to be the time frame between a disaster and the return to normal or acceptable operations defined by the service level objective. The RTO must be shorter than the allowable interruption window (AIW). The length of the AIW is defined by business management and determines the acceptable time frame between a disaster and the restoration of critical services and applications. AIW is generally based on the downtime before the enterprise suffers major financial damage. The technical implementation of the disaster recovery site will be based on this constraint, especially the choice between a mirrored, hot, warm or cold site. Maximum tolerable outage is the amount of time the enterprise can operate in alternate mode based on various factors such as accessibility and performance levels.
Which of the following choices includes the activity of evaluating the computing infrastructure by performing proactive security assessment and evaluation? A. A disaster recovery plan B. A business continuity plan C. An incident management plan D. A continuity of operations plan
An incident management plan Justification A disaster recovery plan is a set of human, physical, technical and procedural resources to recover, within a defined time and cost, an activity interrupted by an emergency. A business continuity plan is a plan used by an enterprise to respond to disruption of critical business processes. It depends on the contingency plan for restoration of critical systems. This activity is part of the protect phase of the incident management planning process flow. A continuity of operations plan is an effort within individual executive departments and agencies to ensure that primary mission-essential functions continue to be performed during a wide range of emergencies, including localized acts of nature, accidents and technological or attack-related emergencies.
A security operations center detected an attempted structured query language injection but could not determine if it was successful. Which of the following resources should the information security manager approach to assess the possible impact? A. Application support team B. Business process owner C. Network management team D. System administrator
Application support team Justification Structured query language (SQL) injection is an application-based attack. Because the security operations center has detected an attempt of SQL injection and could not determine if it was successful, the information security manager should approach the application support group that has access to data in order to identify the impact. The business process owner may help the application support group determine the overall impact, after it has been determined if the attack has been successful. Because SQL injection is an application-based attack, the network management team is not the best resource to assess the possible impact. The system administrator is not the best resource to assess the possible impact but may assist the application support team and assist with incident response activities, should the attack have been successful.
Which of the following activities is performed during the detection and analysis phase of the incident response life cycle? A. Assist in managing communication to news media B. Assign a category based on the impact of the incident. C. Determine accountability for the root cause D. Notify the concerned stakeholders
Assign a category based on the impact of the incident. Justification Assisting in proactively managing news media, social media, regulators, vendors and other third parties is part of the containment, eradication and recovery phase. During the detection and analysis phase, the financial, legal, regulatory, operational and reputational impacts are determined. From this analysis, the incident can be assigned a category. Identifying accountable parties for the incident root cause and assigning ownership of remedies is part of the post-incident activity phase. Notifying concerned stakeholders is part of the response activities in the incident response plan.
Which of the following activities is MOST likely to increase the difficulty of totally eradicating malicious code that is not immediately detected? A. Applying patches B. Changing access rules C. Upgrading hardware D. Backing up files
Backing up files Justification Applying patches does not significantly increase the level of difficulty. Changing access rules has no effect on eradication of malicious code. Upgrading hardware does not significantly increase the level of difficulty. If malicious code is not immediately detected, it will most likely be backed up as part of the normal tape backup process. When later discovered, the code may be eradicated from the device but still remain undetected on a backup tape. Any subsequent restores using that tape may reintroduce the malicious code.
The recovery point objective requires which of the following? A. Disaster declaration B. Before-image restoration C. System restoration D. After-image processing
Before-image restoration Justification Disaster declaration is independent of this processing checkpoint. The recovery point objective is the point in the processing flow at which system recovery should occur. This is the predetermined state of the application processing and data used to restore the system and to continue the processing flow. Restoration of the system can occur at a later date. After-image processing can occur at a later date.
Which of the following MOST effectively reduces false-positive alerts generated by a security information and event management process? A. Building use cases B. Conducting a network traffic analysis C. Performing an asset-based risk assessment D. The quality of the logs
Building use cases Justification Implementing a security information and event management (SIEM) process helps ensure that incidents are correctly identified and handled appropriately. Because an SIEM process depends on log analysis based on predefined rules, the most effective way to reduce false-positive alerts is to develop use cases for known threats to identified critical systems. The use cases would then inform development of appropriate rules for the SIEM solution. Although security monitoring requires traffic analysis, only properly defined use cases can ensure that the rules are accurately defined and that events are properly identified, thereby reducing false-positive alerts. A risk assessment will not reduce false positive alerts. The quality of the logs can affect alerts but is usually a minor consideration.
An enterprise is primarily concerned with the financial impact of downtime associated with an information security incident. Which of the following items would be the MOST appropriate compensating control to have in place? A. An offsite media storage contract B. Business interruption insurance C. A real-time failover architecture D. A disaster recovery plan
Business interruption insurance Justification Storing backup media offsite improves the odds that they will be available to use for recovery activities, but it also increases the amount of time needed to complete the recovery. In a situation in which the primary concern is the financial impact of downtime, an offsite media storage contract is not helpful. Business interruption insurance does not help restore operations, but it does compensate a business for the financial impact associated with interruption. In this scenario, the financial impact of downtime is the primary concern; therefore, insurance is an appropriate compensating control. An architecture that provides for real-time failover prevents financial impact from downtime, but it does so at significant cost. An enterprise that is primarily concerned with financial impact (rather than operational efficiency or other concerns) is unlikely to accept this higher cost because the other benefits associated with real-time failover are not seen as justified. A disaster recovery plan aids an enterprise in performing the steps needed to return to normal operations after a disaster, but even a clearly drafted and tested plan does not compensate for the financial impact of downtime, and many information security incidents have impacts that do not meet the disaster threshold.
What is the PRIMARY consideration when defining recovery time objectives for information assets? A. Regulatory requirements B. Business requirements C. Financial value D. IT resource availability
Business requirements Justification Regulatory requirements may not be consistent with business requirements. The criticality to business should always drive the decision. The financial value of an asset may not correspond to its business value and is irrelevant. While a consideration, IT resource availability is not a primary factor.
Which of the following actions should be taken when an information security manager discovers that a hacker is footprinting the network perimeter? A. Reboot the border router connected to the firewall. B. Check intrusion detection system logs and monitor for any active attacks. C. Update IDS software to the latest available version. D. Enable server trace routing on the demilitarized zone segment.
Check intrusion detection system logs and monitor for any active attacks. Justification Rebooting the router would not be relevant. Information security should check the intrusion detection system (IDS) logs and continue to monitor the situation. It would be inappropriate to take any action beyond that. Updating the IDS could create a temporary exposure until the new version can be properly tuned. Enabling server trace routing is of no use.
Which of the following is the MOST important consideration when conducting a forensic investigation of a cybersecurity incident? A. Identify the threat actors that caused the incident. B. Collect and preserve evidence in its original form. C. Analyze the evidence to understand the root cause. D. Determine if law enforcement should be notified.
Collect and preserve evidence in its original form. Justification Identifying the threat actors may be the outcome of the investigation, but it is not the main objective of forensics. Forensic investigation focuses on collecting uncontaminated evidence that can be presented in its original form. Determining the root cause of a cybersecurity incident is important; however, forensic investigation may come after determining the root cause. Whether to notify law enforcement is senior management's decision, depending on various factors identified during a forensic investigation.
Which of the following should be performed FIRST in the aftermath of a denial-of-service (DoS) attack? A. Restore servers from backup media stored offsite. B. Conduct an assessment to determine system status. C. Perform an impact analysis of the outage. D. Isolate the screened subnet.
Conduct an assessment to determine system status. Justification Servers may not have been affected, so it is not necessary at this point to rebuild any servers. An assessment should be conducted to determine the overall system status and whether any permanent damage occurred. An impact analysis of the outage will not provide any immediate benefit. Isolating the screened subnet is after the fact and will not provide any benefit.
Which of the following activities MUST a financial services enterprise do with regard to a web-based service that is gaining popularity among its customers? A. Perform annual vulnerability mitigation. B. Maintain third-party liability insurance. C. Conduct periodic business impact analysis. D. Architect a real-time failover capability.
Conduct periodic business impact analysis Justification Vulnerability management is an important part of managing any system, not only a web-based service, but mitigation decisions are made on the basis of risk and are not isolated to an annual activity. The decision of whether to carry liability insurance is a business decision made on the basis of quantified risk. A service that is gaining popularity will increase in value to the enterprise as it grows, leading to corresponding growth in the magnitude of potential loss should the service be interrupted. Periodic business impact analyses (BIAs) quantify this magnitude and ensure that adequate recovery capabilities can be put in place. Real-time failover capabilities may be warranted, but the decision to design and deploy such capabilities is a business decision based in large part on an accurate BIA quantifying the magnitude of potential loss should the service be interrupted.
What task should be performed after a security incident has been verified? A. Identify the incident. B. Contain the incident. C. Determine the root cause of the incident. D. Perform a vulnerability assessment.
Contain the incident. Justification Identifying the incident means verifying whether an incident has occurred and finding out more details about the incident. After an incident has been confirmed (identified), the incident management team should limit further exposure. Determining the root cause takes place after the incident has been contained. Performing a vulnerability assessment takes place after the root cause of an incident has been determined to check if the vulnerability has been addressed.
An information security manager is in the process of investigating a network intrusion. One of the enterprise's employees is a suspect. The manager has just obtained the suspect's computer and hard drive. Which of the following is the BEST next step? A. Create an image of the hard drive. B. Encrypt the data on the hard drive. C. Examine the original hard drive. D. Create a logical copy of the hard drive.
Create an image of the hard drive. Justification One of the first steps in an investigation is to create an image of the original hard drive. A physical copy will copy the data, block by block, including any hidden data blocks and hidden partitions that can be used to conceal evidence. Encryption is not required. Examining the hard drive is not good practice because it risks destroying or corrupting evidence. A logical copy will only copy the files and folders and may not copy other necessary data to properly examine the hard drive for forensic evidence.
Which of the following is MOST important in determining whether a disaster recovery test is successful? A. Only business data files from offsite storage are used. B. IT staff fully recovers the processing infrastructure. C. Critical business processes are duplicated. D. All systems are restored within recovery time objectives.
Critical business processes are duplicated. Justification Although ensuring that only materials taken from offsite storage are used in the test is important, it is not as critical in determining a test's success. While full recovery of the processing infrastructure is a key recovery milestone, it does not ensure the success of a test. To ensure that a disaster recovery test is successful, it is most important to determine whether all critical business functions were successfully recovered and duplicated. Achieving recovery time objectives is an important milestone, but it does not necessarily prove that the critical business functions can be conducted, due to interdependencies with other applications and key elements such as data, staff, manual processes, materials and accessories, etc.
There is a concern that lack of detail in the recovery plan may prevent an enterprise from meeting its required time objectives when a security incident strikes. Which of the following is MOST likely to ensure the recovery time objectives would be met? A. Establishment of distributed operation centers B. Delegation of authority in recovery execution C. Outsourcing of the business restoration process D. Incremental backup of voluminous databases
Delegation of authority in recovery execution Justification Establishment of distributed operation centers does not compensate for a lack of detail in the recovery plan. When recovery is underway in response to an incident, there are many cases in which decisions need to be made at each management level. This may take up considerable time due to escalation procedures. Therefore, it is desirable that delegation of authority becomes effective during the recovery process. Scope of delegation of authority in recovery execution may be assessed and documented in business continuity policies and procedures. Outsourcing will not resolve any failure to meet recovery time objectives, unless the recovery strategy includes a clear line of authority and adequate detail in the plan. Incremental backup of voluminous databases may be recommended to expedite the data backup process. However, it generally increases the time needed to recover.
Which of the following is the MOST important element to ensure the successful recovery of a business during a disaster? A. Detailed technical recovery plans are maintained offsite. B. Network redundancy is maintained through separate providers. C. Hot site equipment needs are recertified on a regular basis. D. Appropriate declaration criteria have been established.
Detailed technical recovery plans are maintained offsite. Justification In a major disaster, staff can be injured or can be prevented from traveling to the hot site, so technical skills and business knowledge can be lost. It is, therefore, critical to maintain an updated copy of the detailed recovery plan at an offsite location. In a disaster situation, without the detailed technical plan, business recovery will be seriously impaired. Continuity of the business requires adequate network redundancy. Ideally, the business continuity program addresses this satisfactorily. Continuity of the business requires hot site infrastructure that is certified as compatible, along with clear criteria. Ideally, the business continuity program addresses these needs satisfactorily. Continuity of the business requires clear criteria for declaring a disaster. Ideally, the business continuity program addresses this satisfactorily.
Which of the following actions is the BEST to ensure that incident response activities are consistent with the requirements of business continuity? A. Develop a scenario and perform a structured walk-through. B. Draft and publish a clear practice for enterprise-level incident response. C. Establish a cross-departmental working group to share perspectives. D. Develop a project plan for end-to-end testing of disaster recovery.
Develop a scenario and perform a structured walk-through. Justification A structured walk-through including both incident response and business continuity personnel provides the best opportunity to identify gaps or misalignments between the plans. Publishing an enterprise-level incident response plan would be effective only if business continuity aligned itself to incident response. Incident response supports business continuity, not the other way around. Sharing perspectives is valuable, but a working group does not necessarily lead to action ensuring that the interface between plans is workable. A project plan developed for disaster recovery will not necessarily address deficiencies in business continuity or incident response.
For global enterprises, which of the following is MOST essential to the continuity of operations in an emergency situation? A. A documented succession plan B. Distribution of key process documents C. A reciprocal agreement with an alternate site D. Strong senior management leadership
Distribution of key process documents Justification During contingency situations, contact with one or more senior managers may be lost. In such cases, a documented succession plan is important as a means of establishing who is empowered to make decisions on behalf of the enterprise. However, if an enterprise experiencing a contingency situation has only a succession plan and no distributed key process documentation, the effectiveness of the empowered decision maker will be limited. A succession plan is, therefore, worthwhile but less important than process documentation. Many factors come into play during contingency situations, but continuity is possible only when personnel who are able to resume key processes have the knowledge to do so. When key process documentation is distributed to contingency locations, it is available for the use of any staff who report to these locations during contingencies, and so long as that documentation is up to date, it may be used even by those who may not typically be involved in performing those functions. Reciprocal agreements are established when contingency sites are shared among multiple business partners. There are business justifications for establishing these relationships, but having them established is generally not going to ensure continuity of operations. Strong leadership by senior management drives the preparation that goes into continuity of operations planning before a contingency situation arises. Assuming that this preparation has been adequate, however, the continuity functions should be carried out by enterprise personnel even if leadership during the contingency is interrupted or lacking in strength.
What action should the security manager take FIRST when incident reports from different organizational units are inconsistent and highly inaccurate? A. Ensure that a clear organizational incident definition and severity hierarchy exists. B. Initiate a company-wide incident identification training and awareness program. C. Escalate the issue to the security steering committee for appropriate action. D. Involve human resources in implementing a reporting enforcement program.
Ensure that a clear organizational incident definition and severity hierarchy exists. Justification The first action is to validate that clear incident definition and severity criteria are established and communicated throughout the enterprise. A training program will not be effective until clear incident identification and severity criteria have been established. The steering committee may become involved after incident criteria have been clearly established and communicated. Enforcement activities will not be effective unless incident criteria have been clearly established and communicated.
Which of the following is MOST important when collecting evidence for forensic analysis? A. Ensure the assignment of qualified personnel. B. Request the IT department do an image copy. C. Disconnect from the network and isolate the affected devices. D. Ensure law enforcement personnel are present before the forensic analysis commences.
Ensure the assignment of qualified personnel. Justification Without the initial assignment of forensic expertise, the required levels of evidence may not be preserved properly. The IT department is unlikely to have the necessary level of expertise and should, therefore, be prevented from taking action. Disconnecting from the network may be a prudent step prior to collecting evidence but does not eliminate the requirement for properly qualified forensic personnel. Notifying law enforcement will likely occur after the forensic analysis has been completed.
Addressing the root cause of an incident is one aspect of which of the following incident management processes? A. Eradication B. Recovery C. Lessons learned D. Containment
Eradication Justification Determining the root cause of an incident and eliminating it are key activities that occur as part of the eradication process. Recovery focuses on restoring systems or services to conditions specified in service delivery objectives (SDOs) or business continuity plans (BCPs). Lessons learned are documented at the end of the incident response process, after the root cause has been identified and remediated. Containment focuses on preventing the spread of damage associated with an incident, typically while the root cause either is still unknown or is known but cannot yet be remediated.
What action should an incident response team take if the investigation of an incident response event cannot be completed in the time allocated? A. Continue to work the current action. B. Escalate to the next level for resolution. C. Skip to the next action in the plan. D. Declare a disaster.
Escalate to the next level for resolution. Justification Every unsuccessful action simply wastes time; escalate and move on. Because the investigation process must have time constraints, if the initial team cannot find resolution in the plan time allotted, it should escalate the resolution to the next level and move on to system recovery. The activity in an incident response event should not stop until the root cause has been determined, but other teams may need to be called in to divide the work and complete the response plan. A disaster should not be declared until the event root cause has been determined or senior management has determined that the resolution will take longer than acceptable for a system outage.
Which of the following benefits that the enterprise receives from employing a systematic incident management program with a formal methodology is MOST important? A. A formal methodology makes incident management more flexible. B. A formal methodology is more reliant on business continuity activities. C. Each incident responder is able to get broad-based experience. D. Evidence of due diligence supports legal and liability claims.
Evidence of due diligence supports legal and liability claims. Justification The more formalized that something becomes, the less flexible it is. A formal methodology is actually able to more easily operate as a stand-alone function, with less reliance on business continuity activities. Having a formal methodology means that duties are generally assigned based on competence and availability of time. Legal and liability claims are most credible when the mechanisms used to collect them are formally documented, repeatable and regularly practiced.
In a forensic investigation, which of the following would be the MOST important factor? A. Operation of a robust incident management process B. Identification of areas of responsibility C. Involvement of law enforcement D. Expertise of resources
Expertise of resources Justification Operation of a robust incident management process should occur prior to an investigation. The identification of areas of responsibility should occur prior to an investigation. Involvement of law enforcement is dependent upon the nature of the investigation. The most important factor in a forensic investigation is the expertise of the resources participating in the project, due to the inherent complexity.
Which of the following gives the MOST assurance of the effectiveness of an enterprise's disaster recovery plan? A. Checklist test B. Table-top exercise C. Full interruption test D. Simulation test
Full interruption test Justification A checklist test does not provide more assurance than a full interruption test. Checklist tests are a preliminary step to a real test. Recovery checklists are distributed to all members of a recovery team to review and ensure that the checklist is current. A table-top exercise does not provide more assurance than a full interruption test. Table-top exercises may consist of virtual walk-throughs of the disaster recovery plan (DRP), or they may involve virtual walk-throughs of the DRP based on different scenarios. A full interruption test gives the enterprise the best assurance because it is the closest test to an actual disaster. It generally involves shutting down operations at the primary site and shifting them to the recovery site in accordance with the recovery plan; this is the most rigorous form of testing. A simulation test does not provide more assurance than a full interruption test. During simulation testing, the recovery team role-plays a prepared disaster scenario without activating processing at the recovery site.
Which of the following is the BEST solution for addressing the time lag in incident identification when detection relies mainly on event log review? A. Introduce impact analysis to the log event review process. B. Increase the headcount to review events captured in the logs. C. Reduce the number of security events recorded in the logs. D. Have log events associated with a security information and event management system.
Have log events associated with a security information and event management system. Justification Impact analysis may help to assess the damage to the business. It may somewhat enhance the quality of log analysis; however, it would not support the accomplishment of the timely detection of an incident. Increasing the number of employees is a costly approach that requires additional workload. There is still a risk that significant events could be overlooked, even if the log is reviewed with an increased headcount. Reducing the number of security events to be recorded may not directly contribute to the timely detection of an incident. Reducing the number of events reported in the logs may increase the risk of unidentified events. A monitoring system, such as a security information and event management system (SIEM), would interface with production systems. Therefore, log events would be sent to the agent layer of the security management system, followed by the analysis and escalation steps. This approach would compensate for the disadvantages involved in the periodic review of log events.
The post-incident review of a security incident revealed that there was a process that was not monitored. As a result, monitoring functionality has been implemented. Which of the following may BEST be expected from this remediation? A. Reduction in total incident duration B. Increase in risk tolerance C. Improvement in identification D. Facilitation of escalation
Improvement in identification Justification Monitoring may cause incident duration to become longer, as each event is investigated and possibly escalated for further remediation. Risk tolerance is a determination made by senior management based on the results of a risk analysis and the amount of risk senior management believes the enterprise can manage effectively. Risk tolerance will not change from implementation of a monitoring process. When a key process is not monitored, that lack of monitoring may lead to a security vulnerability or threat going undiscovered, resulting in a security incident. Once consistent monitoring is implemented, identification of vulnerabilities and threats will improve. Monitoring itself is simply an identification and reporting tool; it has little bearing on how information is escalated to other staff members for investigation and resolution.
An enterprise determined that in a worst-case situation it was not feasible to recreate all the data lost in a system crash in the time available. Various constraints prevent increasing the frequency of backups. What other solutions to this issue could the information security manager suggest? A. Increase the recovery time objective B. Decrease the service delivery objective C. Adjust the maximum tolerable outage D. Increase the allowable interruption window
Increase the recovery time objective Justification Because the original recovery time objective (RTO) cannot be met due to the time required to restore data, the RTO could be increased. Decreasing the service delivery objective (SDO) would increase the problem and is not a solution. Adjusting the maximum tolerable outage (MTO) would not have any effect on the situation. Increasing the allowable interruption window (AIW) is based on the maximum time the enterprise can be down before major financial impacts occur.
Which of the following functions is responsible for determining the members of the enterprise's response teams? A. Governance B. Risk management C. Compliance D. Information security
Information security Justification The governance function will determine the strategy and policies that will set the scope and charter for incident management and response capabilities. While response is a component of managing risk, the basis for risk management is determined by governance and strategy requirements. Compliance would not be directly related to this activity, although this function may have representation on the incident response team. The information security manager, or designated manager for incident response, should select the team members to ensure that all required disciplines are represented on the team.
Which action should the information security manager first take when alerted to a possible cybersecurity incident by the security operations center team? A. Contain and eradicate the incident B. Initiate incident analysis C. Gather and handle evidence D. Perform incident eradication and recovery
Initiate incident analysis Justification Containing and eradicating the incident would occur only after the incident is validated. The first step in incident response is to confirm the incident is valid. This would be done through incident analysis. Evidence gathering, eradication and containment occur after the incident is confirmed. Recovery, evidence gathering, eradication and containment occur after the incident is confirmed.
An enterprise has been experiencing a number of network-based security attacks that all appear to originate internally. What is the BEST course of action? A. Require the use of strong passwords. B. Assign static Internet Protocol addresses. C. Implement centralized logging software. D. Install an intrusion detection system.
Install an intrusion detection system. Justification Requiring the use of strong passwords will not be sufficiently effective against an internal network-based attack. Assigning Internet Protocol (IP) addresses would not be effective since these can be spoofed. Implementing centralized logging software will not necessarily provide information on the source of the attack. Installing an intrusion detection system (IDS) will allow the information security manager to better pinpoint the source of the attack so that countermeasures may then be taken. An IDS is not limited to detection of attacks originating externally. Proper placement of agents on the internal network can be effectively used to detect an internally based attack.
Which of the following choices is MOST useful to an incident response team determining the severity level of reported security incidents? A. Reviewing past incidents to determine impact B. Integrating incident management with business continuity C. Maintaining an inventory of assets and resources D. Involving managers from affected operational areas
Involving managers from affected operational areas Justification Past incidents can be a useful guide to the types and severity of incidents but will not necessarily provide any information on a current incident. Integrating incident management with business continuity facilitates response to high-severity incidents, but severity level must be determined prior to invoking the business continuity plan. Maintaining an inventory of assets and resources may be helpful when determining the severity of incidents but is not a requirement. The incident response team is likely not as well-informed regarding each operational area impacted by a security incident as the managers from those areas, so it makes sense to consult with the managers to get their estimates.
What is the PRIMARY benefit of having an updated communication plan when an incident occurs? A. It provides guidance on how and what to communicate to regulatory authorities. B. It guides the staff on when to invoke the business continuity plan. C. It enables the staff to know what should be communicated to stakeholders. D. It provides the necessary templates for incident communication.
It enables the staff to know what should be communicated to stakeholders. Justification Detailed guidance on communicating to regulatory authorities is just one of the many relevant types of information documented in the communication plan. If it is unclear who should communicate what to whom and how, the plan is inefficient. Whether to invoke the enterprise's business continuity plan (BCP) may or may not be documented in the communication plan. One of the primary objectives of a communication plan is to inform staff members about their roles and responsibilities, including whom to contact and how to communicate with them during an incident. Keeping the communication plan updated will ensure that this information is current should an incident occur. Templates for incident communication are just one of the many relevant pieces of information documented in the communication plan. However, they are not of use if it is unclear who should use the templates and when.
Which of the following is likely to be the MOST significant challenge when developing an incident management plan? A. Misalignment between plan and organizational goals B. Implementation of log centralization, correlation and event tracking C. Development of incident metrics D. Lack of management support and organizational consensus
Lack of management support and organizational consensus Justification The incident management plan is a subset of the security strategy, which already aligns with organizational goals and, therefore, does not represent a major challenge. Implementation of log centralization, correlation and event tracking is required, but it is not the most significant challenge. Incident metrics must be developed, but they are straightforward and not a significant challenge. Getting senior management buy-in is often difficult, but it is the necessary first step to move forward with any incident management plan.
When electronically stored information is requested during a fraud investigation, which of the following should be the FIRST priority? A. Assigning responsibility for acquiring the data B. Locating the data and preserving the integrity of the data C. Creating a forensically sound image D. Issuing a litigation hold to all affected parties
Locating the data and preserving the integrity of the data Justification While assigning responsibility for acquiring the data is a step that should be taken, it is not the first step or the highest priority. Locating the data and preserving data integrity are the first priorities. Creating a forensically sound image may or may not be a necessary step, depending on the type of investigation, but it would never be the first priority. Issuing a litigation hold to all affected parties might be a necessary step early in an investigation of certain types, but not the first priority.
Which of the following is MOST important when deciding whether to build an alternate facility or subscribe to a hot site operated by a third party? A. Cost to rebuild information processing facilities B. Incremental daily cost of losing different systems C. Location and cost of commercial recovery facilities D. Estimated annual loss expectancy from key risk
Location and cost of commercial recovery facilities Justification The cost of rebuilding the primary processing facility is not a factor in choosing an alternate recovery site. The daily cost of losing systems is the same whether the alternate site is built or rented. The decision whether to build an alternate facility or rent hot site facilities from a third party should be based entirely on business decisions of cost and ensuring the location is not susceptible to the same environmental risk as the primary facility. Annual loss expectancy is not a factor in choosing to build or rent an alternate site.
When a large enterprise discovers that it is the subject of a network probe, which of the following actions should be taken? A. Reboot the router connecting the demilitarized zone (DMZ) to the firewall. B. Power down all servers located on the DMZ segment. C. Monitor the probe and isolate the affected segment. D. Enable server trace logging on the affected segment.
Monitor the probe and isolate the affected segment. Justification Rebooting the router is not warranted. Powering down the demilitarized zone servers is not warranted. In the case of a probe, the situation should be monitored and the affected network segment isolated. Enabling server trace routing is not warranted.
Which of the following needs to be MOST seriously considered when designing a risk-based incident response management program? A. The chance of collusion among staff B. Degradation of investigation quality C. Minimization of false-positive alerts D. Monitoring repeated low-risk events
Monitoring repeated low-risk events Justification In general, any control practice is vulnerable to collusion, and if an incident is carefully crafted among a number of staff, it is hard to detect. However, successful collusion is not common. As long as it is well-defined, it is unlikely that the quality of incident investigation will fall short. A risk-based approach may not guarantee the minimization of false-positive alerts. A risk-based approach focuses on high-risk items. Those attempting to commit fraud may take advantage of its weaknesses. When risk-based monitoring is in place, there is a higher chance of overlooking low-risk activities. Even though the impact of a low-risk event is small, it may not be possible to ignore the accumulated damage from its repeated occurrence. Therefore, it is essential to review the chance of the repeated occurrence of low-risk events.
Which of the following is the MOST effective method to ensure that a business continuity plan (BCP) meets an enterprise's needs? A. Require quarterly updating of the BCP. B. Automate the survey of plan owners to obtain input to the plan. C. Periodically test the cross-departmental plan with varied scenarios. D. Conduct face-to-face meetings with management for discussion and analysis.
Periodically test the cross-departmental plan with varied scenarios. Justification Quarterly updates do not establish that a plan meets the enterprise's needs. Automated surveys are a method that could be used during testing but, on its own, is not sufficient. Cross-departmental testing of a plan with varied scenarios is most effective in determining the validity of a business continuity plan (BCP). Face-to-face meetings is a method that could be used during testing but, on its own, is not sufficient.
What is the FIRST step in investigating an information security incident for which the enterprise may want to file criminal charges? A. Notify law enforcement and senior management B. Prevent contamination of evidence C. Activate the incident response team D. Contain the scope of impact
Prevent contamination of evidence Justification Notification to law enforcement or senior management may occur in tandem with other activities, but preventing contamination of evidence takes priority. In many enterprises, the decision to notify law enforcement is made by senior management. If criminal charges may be filed, preventing contamination of evidence is the foremost concern to facilitate prosecution. Activation of the incident response team must be delayed until after steps have been taken to prevent contamination of evidence in situations where criminal charges may be filed. Containment is part of an effective incident response strategy, but preventing contamination of evidence takes priority over containment in situation where criminal charges may be filed.
Malware has spread through multiple departments in an enterprise after an employee installed software from a universal serial bus (USB) drive. Which of the following is the MOST crucial to successful containment of the incident? A. Restoring servers B. Protecting evidence C. Training employees D. Updating management
Protecting evidence Justification Restoring servers is important; however, it is not related to containment and usually occurs after containment. There is a delicate balance between protecting evidence from an incident and containing an incident to prevent further impact. If evidence is destroyed, it may be difficult to determine the root cause and prosecute the attacker. Training employees is important; however, it is not related to containment and usually occurs as a protective measure. Updating management is important; however, it is not related to containment.
Which of the following would be MOST appropriate for collecting and preserving evidence? A. Encrypted hard drives B. Generic audit software C. Proven forensic processes D. Log correlation software
Proven forensic processes Justification Whether hard drives are encrypted is not relevant to collecting and preserving evidence. Audit software is not useful for collecting and preserving evidence. When collecting evidence about a security incident, it is very important to follow appropriate forensic procedures to handle electronic evidence using a method approved by local jurisdictions. Log correlation software may help when collecting data about an incident; however, these data might not be accepted as evidence in a court of law if they are not collected using a method approved by local jurisdictions.
What is the PRIMARY factor to be taken into account when designing a backup strategy that will be consistent with a disaster recovery strategy? A. Volume of sensitive data B. Recovery point objective C. Recovery time objective D. Interruption window
Recovery point objective Justification The volume of data will be used to determine the capacity of the backup solution. The recovery point objective defines the maximum loss of data acceptable by the business (i.e., age of data to be restored). It will directly determine the basic elements of the backup strategy— frequency of the backups and what kind of backup is the most appropriate (disk-to-disk, on tape, mirroring). The recovery time objective—the time between disaster and return to normal operation—will not have any impact on the backup strategy. The availability to restore backups in a time frame consistent with the interruption window will have to be checked and will influence the strategy (e.g., full backup versus incremental), but it will not be the primary factor.
Which of the following would a security manager establish to determine the target for restoration of normal processing? A. Recovery time objective B. Maximum tolerable outage C. Recovery point objectives D. Service delivery objectives
Recovery time objective Justification Recovery time objective is the length of time from the moment of an interruption until the time the process must be functioning at a service level sufficient to limit financial and operational impacts to an acceptable level. Maximum tolerable outage is the maximum time for which an enterprise can operate in alternate mode. Recovery point objectives relate to the age of the data required for recovery. Service delivery objectives are the levels of service required for acceptable operations.
Which of the following practices would BEST ensure the adequacy of a disaster recovery plan? A. Regular reviews of recovery plan information B. Tabletop walkthrough of disaster recovery plans C. Regular recovery exercises using expert personnel D. Regular audits of disaster recovery facilities
Regular reviews of recovery plan information Justification The most common failure of disaster recovery plans is lack of current essential operational information. Tabletop walkthroughs are useful only if the information about systems and versions is up-to-date. Recovery exercises are critical for testing plans and procedures. However, using expert personnel makes the recovery tests less useful because experts already have the knowledge to recover systems without using plans and written procedures, and there is no assurance that in a real disaster they would be available. Audits can be helpful, but they are typically infrequent and use sampling; therefore, they provide limited and only occasional assurance that information in recovery plans is up-to-date.
Which of the following is the BEST way to confirm that disaster recovery planning is current? A. Audits of the business process changes B. Maintenance of the latest configurations C. Regular testing of the disaster recovery plan D. Maintenance of the personnel contact list
Regular testing of the disaster recovery plan Justification Auditing business process changes will not necessarily enable maintenance of the disaster recovery plan (DRP). Maintenance of the latest configuration will not show how current the process is, which is vital for disaster recovery planning. When a DRP is properly tested, the results of the tests will reveal shortcomings and opportunities for improvement. The maintenance of the personnel contact list is an indication of the personnel to be involved in the DRP. Although indicative of how current the DRP is, the DRP also should include the suppliers, customers and vendors needed for its success.
Which of the following activities MOST increases the probability that an enterprise will be able to resume operations after a disaster? A. Restoration testing B. Establishment of a warm site C. Daily data backups D. An incident response plan
Restoration testing Justification A demonstrated ability to restore data is the best way to ensure that data can be restored after a disaster, and data drive the majority of business processes. If an enterprise is unable to restore its data, it will be of little value to have other considerations in place. On the other hand, if data can be restored, the enterprise can likely find workarounds for other challenges that it may face. Having a warm site speeds up the process of disaster recovery by providing the facilities and equipment where data can be restored and operations reconstituted. However, if the data themselves cannot be restored, having the facilities and equipment will not be nearly as useful. Performing data backups on a daily or other periodic basis is a good practice, but it is not until recovery is attempted that an enterprise gains knowledge of whether these backups are effective. Should the enterprise diligently perform backups for months or years and then discover that it cannot restore the data, all the time and expense of the backup program will have been wasted. Recovery procedures are documented in the disaster recovery plan rather than in the incident response plan.
Which of the following is the PRIMARY focus of incident response following a data breach? A. Root cause analysis B. Restore systems to production C. Identify changes to security D. Prevent reoccurrence of the breach
Root cause analysis Justification Following the eradication phase, the enterprise needs to understand the cause of the incident to ensure that it implements appropriate additional controls, fixes control lapses and is able to start the recovery process. Before systems are restored, the enterprise must first identify the cause. Before changes can be implemented, the cause of the incident must be understood. Preventing reoccurrence is an important part of the lessons learned phase. Analysis is needed before the enterprise can protect against future breaches.
Which of the following technologies is likely to be the MOST useful in countering advanced persistent threats? A. Anomaly-based intrusion detection system B. Security information and event management system C. Automated vulnerability scanning tools D. Integrated network management system
Security information and event management system Justification Intrusion detection systems can detect and notify of a potential attack but provide no information on subsequent breaches, making them less effective at identifying persistent threats than system information and event management (SIEM) systems. SIEM systems can identify incidents or potential incidents, prioritize according to potential impact, track incidents until they are closed, and provide substantial trend analysis over time. Vulnerability scanning tools identify weaknesses in systems and networks that correspond to known paradigms. In general, advanced persistent threats (APTs) involve exploits that are outside the scope of published vulnerabilities, making vulnerability scanning a limited countermeasure against APTs. Integrated network management typically provides a limited subset of the capabilities of fully implemented SIEM.
An enterprise decides its old recovery facility is no longer adequate because it is not capable of operation for an extended period. The enterprise decides to build a new facility in another location that would address the major shortcomings of the old site and provide more space for possible future expansion. Until the new facility is completed, which of the following objectives for recovery will have to be changed? A. Maximum tolerable outage B. Recovery point objective C. Service delivery objective D. Allowable interruption window
Service delivery objective Justification Although the current recovery facility cannot satisfy the maximum tolerable outage (MTO), that does not change the MTO. The enterprise should document an inability to meet the MTO and continue developing a new facility that will satisfy the objective. The recovery point objective (RPO) is not affected by the stated deficiencies in the current recovery facility. The service delivery objective (SDO) reflects a commitment to internal customers to meet certain performance standards. To be realistic, the objective must be changed to reflect the operating capabilities of the current recovery facility. The MTO must be at least as great as the allowable interruption window (AIW). Therefore, it is possible that exceeding the MTO will result in not being able to meet the AIW, which will result in unacceptable damage to the enterprise. However, as with the MTO, the inability to meet the AIW does not make the associated damage acceptable, so changing the AIW would not be appropriate.
Which of the following is the MOST important measure an enterprise should take to deal with the potential impacts of zero-day attacks? A. Set comprehensive prevention, detection and response mechanisms. B. Have an updated business impact analysis. C. Perform a zero-day scenario analysis. D. Perform a walkthrough test of the incident response plan.
Set comprehensive prevention, detection and response mechanisms. Justification To effectively detect and mitigate zero-day attacks, coordinated and optimized defense and tested response plans are needed. These should include the best prevention and detection technology, a plan for worst-case scenarios and a comprehensive response plan. The business impact analysis identifies and analyzes business processes, which drives the assignment of recovery objectives and prioritization. It can be used to help develop the incident response plan. A scenario analysis helps to assess risk qualitatively and is part of a risk assessment process. However, the incident response plan would be a more effective tool in dealing with zero-day attacks. A walkthrough tests the design and effectiveness of existing controls. However, existing controls typically do not defend against non-identified zero-day attacks.
What is the PRIMARY basis for a detailed business continuity plan? A. Consideration of different alternatives B. The solution that is least expensive C. Strategies that cover all applications D. Strategies validated by senior management
Strategies validated by senior management Justification Senior management should select the most appropriate strategy from the alternatives provided. All recovery strategies have associated costs, including costs of preparing for disruptions and putting them to use in the event of a disruption. The latter can be insured against, but not the former. The best recovery option need not be the least expensive. The selection of strategy depends on criticality of the business process and applications supporting the processes. It need not cover all applications. A recovery strategy identifies the best way to recover a system in case of disaster and provides guidance based on detailed recovery procedures that can be developed. Different strategies should be developed and all alternatives presented to senior management. Senior management should select the most appropriate strategy from the alternatives provided. The selected strategy should be used for further development of the detailed business continuity plan.
Different types of tests exist for testing the effectiveness of recovery plans. Which of the following choices would occur during a parallel test but not occur during a simulation test? A. The team members step through the individual recovery tasks. B. The primary site operations are interrupted. C. A fictitious scenario is used for the test. D. The recovery site is brought to operational readiness.
The recovery site is brought to operational readiness. Justification A walk-through of all necessary recovery tasks is part of both tests. Only a full interruption test includes interruption of primary site operations. Both parallel tests and simulation tests rely on fictitious scenarios. A parallel recovery test includes the test of the operational capabilities of the recovery site, while a simulation test focuses on role-playing.
How does a security information and event management solution MOST likely detect the existence of an advanced persistent threat in its infrastructure? A. Through analysis of the network traffic history B. Through stateful inspection of firewall packets C. Through identification of zero-day attacks D. Through vulnerability assessments
Through analysis of the network traffic history Justification Advanced persistent threat (APT) refers to stealthy attacks not easily discovered without detailed analysis of behavior and traffic flows. Security information and event management (SIEM) solutions analyze network traffic over long periods of time to identify variances in behavior that may reveal APTs. Stateful inspection is a function of some firewalls but is not part of a SIEM solution. A stateful inspection firewall keeps track of the destination Internet Protocol address of each packet that leaves the enterprise's internal network. Whenever the response to a packet is received, its record is referenced to ascertain and ensure that the incoming message is in response to the request that went out from the enterprise. Zero-day attacks are not APTs because they are unknown until they manifest for the first time and cannot be proactively detected by SIEM solutions. A vulnerability assessment identifies areas that may potentially be exploited, but does not detect attempts at exploitation, so it is not related to APT.
Which of the following would be the BEST indicator of the readiness of the incident response team in the context of the overall incident management program? A. Amount of time for incident detection B. Time between incident detection and severity determination C. Time between detection and response D. Amount of time between incident occurrence and its resolution
Time between detection and response Justification The time to detect is a measure of detection capability, which is typically provided by automated controls. Time between detection and determining severity is a part of response. Readiness is the time it takes from detection to initiate a response. The first time that the incident response team typically becomes aware of an event is when an alert is provided by monitoring mechanisms. Time between incident and resolution is a function of response capability.
Which of the following is the MOST important reason to develop a communication plan regarding security incidents as part of an incident management program? A. To increase security awareness B. To comply with regulatory requirements C. To identify communication flows to stakeholders D. To improve incident response
To improve incident response Justification Although a communication plan helps increase awareness, it is not the most important reason. Meeting compliance requirements may be a requirement in some cases, but it is not the most important reason for communication regarding incidents. Communication flows are part of the communication plan to improve the resolution of the incident. The overall goal of the communication plan is to improve incident response. Effective communication helps stakeholders respond to the incident.
Serious security incidents typically lead to renewed focus by management on information security that then usually fades over time. What opportunity should the information security manager seize to BEST use this renewed focus? A. To improve the integration of business and information security processes B. To increase information security budgets and staffing levels C. To develop tighter controls and stronger compliance efforts D. To acquire better supplemental technical security controls
To improve the integration of business and information security processes Justification Close integration of information security governance with overall enterprise governance is likely to provide better long-term information security by institutionalizing activities and increasing visibility in all organizational activities. Increased budgets and staff may improve information security but will not have the same beneficial impact as incorporating security into the strategic levels of the enterprise's operations. Control strength and compliance efforts must be balanced against business requirements, culture and other organizational factors and are best undertaken at the governance level. While technical security controls may improve some aspects of security, they will not address management issues or provide the enduring organizational changes needed for improved maturity levels.
Which of the following choices is the PRIMARY purpose of maintaining an information security incident history? A. To provide evidence for forensic analysis B. To record progress and document exceptions C. To determine a severity classification of incidents D. To track errors to assign accountability
To record progress and document exceptions Justification Recording incidents helps in providing evidence of forensic analysis in case legal action is required. Providing evidence for forensic analysis may or may not be the primary requirement for all incidents. Recording information security incidents helps in maintaining a record of events from detection of the incident to closure of the incident. This helps the incident management teams to ensure that all related aspects required for resolving, closing and preventing reocurrence of incidents are covered. Recording incidents helps in identifying all required parameters for determining a severity classification; however, incident management is focused on containment, prevention and recovery. Tracking errors to assign accountability is not the primary purpose for recording details of information security incidents. Process improvement is the primary purpose.
Which of the following is the PRIMARY function of an endpoint detection and response system? A. To analyze security alerts generated by network devices B. To review activity data and logs from end points and systems to indicate a threat C. To block and remove viruses from the end points D. To use forensics and analysis tools to research identified threats and suspicious activities
To use forensics and analysis tools to research identified threats and suspicious activities Justification A network monitoring system provides analysis of security alerts generated by network devices. A security information and event management system monitors activity data and log from endpoints and systems that could indicate a threat. Endpoint detection and response (EDR) not only includes antiviruses but also contains security tools like firewall, whitelisting tools, monitoring tools, etc., to provide comprehensive protection against digital threats. However, this is not its primary function. An EDR system, in addition to providing analysis and prevention, has forensic capabilities that facilitate post-incident investigation and security research.
An information security manager has been notified that a server that is used within the entire enterprise has been breached. What is the FIRST step to take? A. Inform management. B. Notify users. C. Isolate the server. D. Verify the information.
Verify the information. Justification The information security manager should inform management but not before verifying the information. Users should be notified after the information security manager has verified the information and informed management. Isolating the server is not the first step that the information security manager should take. Before any action is taken, the information security manager should verify that there has been a breach.
An employee has found a suspicious file on a server. The employee thinks the file is a virus and contacts the information security manager. What is the FIRST step to take? A. Contain the file. B. Delete the file. C. Verify whether the file is malicious. D. Report the suspicious file to management.
Verify whether the file is malicious. Justification Containment is the next step in the incident response cycle. Deleting the file could be part of the containment process after it has been determined that it is safe to do so. The first step in incident response is to verify whether the file is malicious. Reporting to management would be a later step in the incident handling cycle and will vary based on policy, but it would not come before verification or general containment.
When a computer hacking attack has been crafted carefully, perpetrators may not leave a trace in transaction logs. If such an attack is anticipated, which of the following will be the MOST vital information source from a forensic perspective? A. Reconciliation results against external statements B. Reviews of approval steps executed by business managers C. Interviews collected from operation staff D. Volatile data remaining in the computer resources
Volatile data remaining in the computer resources Justification When hacking is carefully completed, it can be difficult to find any observable trace evidence of the attack. Hence, reconciliation against external statements or logs may not be effective, as there may be no traces of the attack. Hacking most likely is conducted from the back end. Hence, business approval procedures may not provide vital information from a forensic perspective. Interviews are subjective and, therefore, are weak evidence from a forensic perspective. Attackers make sure to hide evidence of infiltration, such as erasing logs, editing control reports, etc. From a forensic perspective, it is equally important to capture volatile data, such as open ports, active processes, RAM data, etc., for further investigation.
Digital forensic analyses PRIMARILY focus on finding digital evidence: A. based on threat intelligence reports. B. after a security breach has occurred. C. immediately after a security incident is reported. D. when log files are inadequate for investigation.
after a security breach has occurred. Justification It will be a waste of resources if forensic analyses are based on threat intelligence reports. Forensics can be performed for actual and suspected breaches based on digital evidence. They primarily focus on finding digital evidence after a breach has occurred. Every security incident does not call for forensics. Initiating forensics would be more useful once a breach has occurred than after it is reported. Forensics will not be useful without logs. If files are not available as desired, the evidence will be insufficient.
The information security manager identifies a vulnerability in a publicly exposed business application during risk assessment activities. The NEXT step to take is: A. containment. B. eradication. C. analysis. D. recovery.
analysis. Justification Containment is necessary when an incident is found to have occurred. Prior to analysis, the information security manager has no way of knowing whether an incident may have occurred in the past or might even still be underway, so analysis should precede containment. Eradication is undertaken once an incident has been contained, which requires that it first be analyzed to determine its scope. Identification of a vulnerability does not necessarily mean that an incident has occurred, but reliance on automated detection mechanisms when a vulnerability has been identified may allow any compromises that have already occurred to continue unimpeded. Analysis is appropriate to determine whether a threat actor may have already exploited the vulnerability and, if so, to determine the scope of the compromise. Recovery is the last step taken before concluding an incident. At the time that a vulnerability is detected, there is no apparent impact, so recovery is not yet needed. Eradication and recovery will take place if an incident has occurred. However, it is important to first determine if an incident has taken place.
The PRIMARY factor determining maximum tolerable outage is: A. available resources. B. operational capabilities. C. long haul network diversity. D. last mile protection.
available resources. Justification The main variable affecting the ability to operate in the recovery site is adequate resource availability, such as diesel fuel to operate generators. Although resources would be taken into account during initial calculation of the maximum tolerable outage (MTO), circumstances associated with disaster recovery frequently have unexpected impacts on availability of resources. As a result, the expectations may not be met during real-world events. The operational capabilities of the recovery site would have been predetermined and factored into the MTO. Long haul diversity does not affect MTO. Last mile protection does not affect MTO.
A forensic team was commissioned to perform an analysis of unrecognized processes running on a desktop personal computer. The lead investigator advised the team against disconnecting the power in order to: A. prevent disk corruption. B. conduct a hot-swap of the main disk drive. C. avoid loss of data in server logs. D. avoid loss of data stored in volatile memory.
avoid loss of data stored in volatile memory. Justification Preventing disk corruption does not address capture of the data that exist in volatile memory. Conducing a hot-swap of the main disk drive does not address capture of the data that exist in volatile memory. Avoiding loss of data in server logs does not address capture of the data that exist in volatile memory. Disconnecting power from a system results in loss of data stored in volatile memory. Those data could be vital for the investigation and for understanding the extent of the impact of the event. Disconnecting power is not recommended if analysis of running processes or the content of volatile memory is required.
An enterprise determined that if its email system failed for three days, the cost to the enterprise would be eight times greater than if it could be recovered in one day. This determination MOST likely was the result of: A. disaster recovery planning. B. business impact analysis. C. site proximity analysis. D. full interruption testing.
business impact analysis. Justification A disaster recovery plan does not include impact of system loss. A business impact analysis must be completed prior to disaster recovery planning. A business impact analysis is used to establish the escalation of loss over time, in addition to other elements. Site proximity is a consideration during disaster recovery planning for locating a recovery site. Where the site is located does not indicate the business impact. Full interruption testing is used to validate disaster recovery plans. A business impact analysis must be completed prior to disaster recovery planning.
Prioritization of incident response activities is driven primarily by a: A. recovery point objective. B. quantitative risk assessment. C. business continuity plan. D. business impact analysis.
business impact analysis. Justification A recovery point objective identifies the maximum acceptable data loss associated with successful recovery. It does not prioritize the order of incident response. Risk assessment (both qualitative and quantitative) examines sources of threat, associated vulnerability and probability of occurrence. At the point that an incident occurs, the probability aspect of risk is no longer unknown, so the degree of impact drives the prioritization of incident response, captured in the specialized business impact analysis. Business continuity plans define procedures to follow when business functions are impacted. They do not prioritize the order of incident response. Business impact analysis is a systematic activity designed to assess the effect upon an enterprise associated with impairment or loss of a function. At the point that an incident occurs, its probability is no longer unknown, so it is the potential impact on the enterprise that determines prioritization of response activities.
During a business continuity plan test, one department discovered that its new software application was not going to be restored soon enough to meet the needs of the business. This situation can be avoided in the future by: A. conducting a periodic and event-driven business impact analysis to determine the needs of the business during a recovery. B. assigning new applications a higher degree of importance and scheduling them for recovery first. C. developing a help desk ticket process that allows departments to request recovery of software during a disaster. D. conducting a thorough risk assessment prior to purchasing the software.
conducting a periodic and event-driven business impact analysis to determine the needs of the business during a recovery. Justification A periodic business impact analysis (BIA) can help compensate for changes in the needs of the business for recovery during a disaster. Assigning new applications a higher degree of importance and scheduling them for recovery first reflects an incorrect assumption regarding the automatic importance of a new program. Developing a help desk ticket process that allows departments to request recovery of software during a disaster is not an appropriate recovery procedure because it allows individual business units to make unilateral decisions without consideration of broader implications. The risk assessment may not include the BIA.
While developing incident response procedures an information security manager must ensure that the procedure is PRIMARILY aimed at: A. containing incidents to minimize damage. B. identifying root causes of incidents. C. implementing solutions to prevent reocurrence. D. recording and closing incident tickets.
containing incidents to minimize damage. Justification Incident response procedures primarily focus on containing the incident and minimizing damage. Root cause analysis is a component of the overall incident management process rather than the incident response procedure. Implementing solutions is possible only after a cause has been determined. Recording and closing tickets is part of the subsequent documentation process but is not the primary focus of incident response.
The BEST time to determine who should notify external entities of an information security breach involving customer privacy data is: A. after the incident has been detected and confirmed. B. after the approval of the incident by senior management. C. during the development of the incident response plan. D. dependent on applicable laws and regulations.
during the development of the incident response plan. Justification Determining roles and responsibilities during an incident is counterproductive and causes confusion. Senior management does not approve incidents; incident response teams confirm them. Responsibilities, including who should communicate what and how, should be established when the incident response plan is developed. This ensures that teams know their roles and responsibilities prior to an incident occurring. Laws and regulations and requirements are part of the foundation of an incident response plan.
In a large enterprise, effective management of security incidents will be MOST dependent on: A. clear policies detailing incident severity levels. B. broadly dispersed intrusion detection capabilities. C. training employees to recognize security incidents. D. effective communication and reporting processes.
effective communication and reporting processes. Justification Understanding severity levels is important but, on its own, is not sufficient to ensure that the information security manager is able to manage the incident effectively. Intrusion detection is a useful tool for detecting potential network security incidents, but without robust communication and reporting processes, it is less effective. Conducting awareness training so individuals can recognize potential incidents is important, but it is not effective unless the information is communicated to the right people in a timely manner. Timely communication and reporting are most likely to ensure that the information security manager receives the information necessary to effectively manage a security incident. Effective communication will also help ensure that the correct resources are engaged at the appropriate time.
When collecting evidence for forensic analysis, it is MOST important to: A. perform a vulnerability assessment on the applications affected. B. use a digital rights management solution to access the data. C. follow data preservation procedures. D. perform a backup of the affected media to new media.
follow data preservation procedures. Justification Performing a vulnerability assessment takes place after the root cause of an incident has been determined to find new vulnerabilities, not to collect evidence. A digital rights management solution is not intended to support forensic analysis. The information security manager must follow procedures that preserve evidence, ensure a legally sufficient chain of custody and are appropriate to meet business objectives. The suspect media should never be used as the source for analysis. The source or original media should be secured and only used to create a bit-for-bit image.
The PRIMARY business objective of incident management is: A. containment. B. root-cause analysis. C. eradication. D. impact control.
impact control. Justification Containment is one of the steps of the standard incident management process, not the primary objective. Depending on the nature of the incident and its potential impact on the enterprise, containment may or may not be a priority. Root-cause analysis facilitates long-term remediation of vulnerabilities to prevent the recurrence of a given type of incident, but it is not the purpose of incident management. Eradication is one of the steps of the standard incident management process, not the primary objective. The purpose of incident management is to identify and respond to unexpected disruptive events with the objective of controlling impacts within acceptable levels.
After performing an asset classification, the information security manager is BEST able to determine the: A. level of risk to information resources. B. impact of a compromise. C. requirements for control strength. D. annual loss expectancy.
impact of a compromise. Justification The value of resources does not provide information on the risk to those resources. Knowledge of an information resource's value provides an understanding of the potential impact of the loss of the resource. Information regarding potential impact is not adequate to determine control strength requirements; risk levels must also be understood. The annual loss expectancy can only be calculated after determining the magnitude of the loss and frequency of occurrence.
To ensure the timely identification of security incidents, the BEST course of action is to: A.document a business impact analysis. B. review a risk analysis. C. implement incident detection. D. apply preventive and detective controls.
implement incident detection. Justification The business impact analysis identifies and analyzes business processes and activities with the objective of understanding the impact of downtime, which drives the assignment of recovery objectives and prioritization. Downtime is a variable bound with the availability requirement in the information security scope. Risk analysis does not ensure the timely identification of information security incidents. The incident process performance deals with timely operations. Risk analysis is mainly concerned with calculating the probability and impact of a potential risk. Incident detection provides timely notification of an incident and could ensure the timely triggering and identification of incidents. Subsequently, implementing incident detection ensures proper incident response, reducing impacts to within acceptable levels. Incident management is built on reactive controls because it must handle effects not manageable with preventive controls. Detective controls represent a wide range of countermeasures and do not ensure timely identification and handling of incidents.
When establishing effective incident escalation processes for the incident response team, it is PRIMARILY necessary to state how: A. long a member should wait for a response and what to do if no response occurs. B. critical the incident is and which business units are directly impacted. C. the incident is communicated to senior managers and other affected stakeholders. D. incident response team managers are informed quickly about high-risk incidents.
long a member should wait for a response and what to do if no response occurs. Justification When defining and establishing effective incident escalation processes, it is primarily relevant to state how long a team member should wait for an incident response and what to do if no response occurs. This is the necessary (initial) platform for all further steps of an effective escalation process. It is relevant to know how critical an incident is and which business units are impacted, but when establishing escalation processes, it is much more relevant to state how long a person should wait for a response and what to do if no response occurs. Communication to stakeholders is part of the incident response process, but it is more important to establish waiting times and alternative responses because time is of the essence. It is relevant to inform incident response team managers quickly, but initially it is more relevant to state how long a person should wait for a response and what to do if no response occurs.
While defining incident response procedures, an information security manager must PRIMARILY focus on: A. closing incident tickets in a predetermined time frame. B. reducing the number of incidents. C. minimizing operational interruptions. D. meeting service delivery objectives.
meeting service delivery objectives. Justification Closing tickets is not a priority of incident response. Reducing the number of incidents is the focus of overall incident management. Minimizing the impact on operations is not necessarily the primary focus. Some disruption in operations may be within acceptable limits. The primary focus of incident response is to ensure that business-defined service delivery objectives are met.
The typical requirement for security incidents to be resolved quickly and service restored is: A. always the best option for an enterprise. B. often in conflict with effective problem management. C. the basis for enterprise risk management activities. D. a component of forensics training.
often in conflict with effective problem management. Justification Quickly restoring service will not always be the best option, such as in cases of criminal activity, which require preservation of evidence precluding use of the systems involved. Problem management is focused on investigating and uncovering the root cause of incidents, which will often be a problem when restoring service compromises the evidence needed. Managing risk goes beyond the quick restoration of services (e.g., if doing so would increase some other risk disproportionately). Forensics is concerned with legally adequate collection and preservation of evidence, not with service continuity.
In a business impact analysis, the value of an information system should be based on the overall: A. cost of recovery. B. cost to recreate. C. opportunity cost. D. cost of emergency operations.
opportunity cost. Justification The cost of recovering the system is not the basis for determining the value of the system to the enterprise. The primary basis is loss of revenues or other costs. The cost to recreate is not a basis for valuing the system; the cost to the enterprise of the loss of the function is the basis. Opportunity cost reflects the cost to the enterprise resulting from the loss of a function. Cost of emergency operations is unrelated to the value of an information system.
The PRIMARY way in which incident management adds value to an enterprise is by: A. reducing the overall threat level. B. optimizing risk management efforts. C. eliminating redundant recovery plans. D. streamlining the reporting structure.
optimizing risk management efforts. Justification Incident management focuses on prevention, containment and restoration activities and does not reduce the threat level. Incident management is a component of risk management that can provide an optimal balance between prevention, containment and restoration. Recovery plans are created by business and process owners. Incident management should ideally be integrated with continuity and recovery plans, but an enterprise does not seek to evaluate these plans for redundancy. Reporting structures are typically created for business reasons. Incident management may play a role in clarifying or modifying the structures used for reporting incidents in particular, but streamlining the reporting structure is not the primary way in which incident management adds value to an enterprise.
The systems administrator forgot to immediately notify the security officer about a malicious attack. An information security manager could prevent this situation by: A. periodically testing the incident response plans. B. regularly testing the intrusion detection system. C. establishing mandatory training of all personnel. D. periodically reviewing incident response procedures.
periodically testing the incident response plans. Justification Security incident response plans should be tested to find any deficiencies and improve existing processes. Testing the intrusion detection system is a good practice but would not have prevented this situation. All personnel need to go through formal training to ensure they understand the process, tools and methodology involved in handling security incidents. However, testing of the actual plans is more effective in ensuring that the process works as intended. Reviewing the response procedures is not enough; the security response plan needs to be tested on a regular basis.
The PRIMARY purpose of creating a crisis communication plan related to handling major cybersecurity incidents is to: A. provide details on when and how to contact stakeholders. B. minimize the loss of information from a major cybersecurity incident. C. outline details and procedures for communicating with the cyberinsurance provider. D. address how and when to communicate with the media, including who is authorized to speak.
provide details on when and how to contact stakeholders. Justification Providing procedures on disseminating internal and external communications is the purpose of establishing a crisis communication plan. While a crisis communication plan may reduce the overall impact of a cybersecurity incident, such as reputational damage, it does not minimize the loss of information or data from a major cybersecurity incident, which is the objective of incident response. Details on how and when to contact cyberinsurance providers are typically included in a communication plan for all types of incidents. Communication with the media is only one part of the crisis communication plan.
The PRIMARY objective of measuring the cybersecurity incident response capability is to: A. reduce the overall number of incidents over time. B. reduce the mean time of detection, eradication and recovery from incidents. C. increase awareness of the effectiveness of the capabilities of senior management. D. increase accuracy of the detection of cybersecurity incidents.
reduce the mean time of detection, eradication and recovery from incidents. Justification The objective is to measure the effectiveness of the response to cybersecurity incidents, not reduce the number of incidents overall. Reducing the mean time to detect, respond and recover is aligned with the objective of cybersecurity incident response. While it is important to increase awareness, this is not the primary objective of incident response. Increasing the accuracy of detecting cybersecurity incidents is the objective of security monitoring, not incident response.
After measures have been applied to contain the escalation of a security incident, the NEXT step should be: A. updating the risk register. B. conducting a post-incident review. C. updating the incident response plan. D. restoring systems to their operational state.
restoring systems to their operational state. Justification Updating the risk register is important but should be done after restoring systems to their operational state. Conducting a post-incident review should be done after restoring the systems to their operational state. Updating the incident response plan should be done after restoring systems to their operational state. Once the containment has been completed, system operations must be restored to ensure business continuity.
The factor that is MOST likely to result in identification of security incidents is: A. effective communication and reporting processes. B. clear policies detailing incident severity levels. C. intrusion detection system capabilities. D. security awareness training.
security awareness training. Justification Timely communication and reporting is only useful after identification of an incident has occurred. Understanding how to establish severity levels is important, but it is not the essential element for ensuring that the information security manager is aware of anomalous events that might signal an incident. Intrusion detection systems are useful for detecting IT-related incidents but are not useful for identifying other types of incidents such as social engineering or physical intrusion. Ensuring that employees have the knowledge to recognize and report a suspected incident is most likely to result in identification of security incidents.
The acceptability of a partial system recovery after a security incident is MOST likely to be based on the: A. ability to resume normal operations. B. maximum tolerable outage. C. service delivery objective. D. acceptable interruption window.
service delivery objective. Justification The ability to resume normal operations is situational and would not be a standard for acceptability. While the maximum tolerable outage, in addition to many other factors, is part of a service delivery objective (SDO), it does not by itself address the acceptability of a specific level of operational recovery. A prior determination of acceptable levels of operation in the event of an outage is the SDO. The SDO may be set at operation levels that are less than normal but sufficient to sustain essential business functions. While the acceptable interruption window, in addition to many other factors, is part of an SDO, it does not by itself address the acceptability of a specific level of operational recovery.
The MOST effective way to test the incident response plan is to conduct a: A. red team test. B. penetration test. C. simulation test. D. vulnerability scan.
simulation test. Justification A red team test is a simulation of a real-life attack on the enterprise. It does not necessarily relate to testing the incident response plan. A penetration test is a simulated test to break into the enterprise's network infrastructure. It does not necessarily relate to testing the incident response plan. A simulation test will ensure that all personnel know exactly what to do when an incident occurs. Vulnerability scanning detects defects in the enterprise's infrastructure and applications. It does not necessarily relate to testing the incident response plan.
A password hacking tool was used to capture detailed bank account information and personal identification numbers. Upon confirming the incident, the NEXT step is to: A. notify law enforcement. B. start containment. C. make an image copy of the media. D. isolate affected servers.
start containment. Justification Notifying law enforcement should be performed after the containment plan has been executed. After an incident has been confirmed, containment is the first priority of incident response because it will generally mitigate further impact. Making an image copy of the media should be performed after the containment plan has been executed. Isolating affected servers is part of containment.
In order to contain an incident, which of the following would be the MOST effective to ensure that the proper tools, technologies and subject matter experts are engaged? A. process B. team C. plan D. strategy
strategy Justification Processes will be developed based on the strategy. Once processes are developed, teams are defined by the strategy. Unless a strategy is defined, a plan cannot be developed. A strategy is the most effective, as it defines the overall goal of the incident response.
Forensic investigators can determine what is currently happening on a system by examining: A. a bit-by-bit copy. B. isolated systems. C. volatile data. D. the original media.
volatile data. Justification A bit-by-bit copy of the data is an imaging activity, and imaging of the volatile memory is not possible using this method. Both isolated and live systems can be forensically analyzed. Volatile data are only present while the computer is running. During an investigation, volatile data can contain critical information that would be lost if not first collected. For example, many types of malware are designed to be present in the computer's memory when it is operating and to disappear when the computer is turned off, leaving no trace. Forensic analysis should never be done on original media and it will not provide information regarding volatile memory.
Which of the following choices is the BEST input for the definition of escalation guidelines? A. Risk management issues B. A risk and impact analysis C. Assurance review reports D. The effectiveness of resources
A risk and impact analysis Justification Risk management deals primarily with controls and is not a viable basis for the definition of escalation guidelines. A risk and impact analysis will be a basis for determining what authority levels are needed to respond to particular incidents. Assurance review reports and results, such as the description of reporting effectiveness, are primarily suited for the monitoring of stakeholder communications. The effectiveness of resources belongs to the description of reporting and communication and is not a viable basis for the definition of escalation guidelines.
After a service interruption of a critical system, the incident response team finds that it needs to activate the warm recovery site. Discovering that throughput is only half of the primary site, the team nevertheless notifies management that it has restored the critical system. This is MOST likely because it has achieved the: A. recovery point objective. B. recovery time objective. C. service delivery objective. D. maximum tolerable outage.
service delivery objective. Justification The recovery point objective (RPO) is determined based on the acceptable data loss in case of a disruption of operations. It indicates the earliest point in time that is acceptable to recover the data. The RPO effectively quantifies the permissible amount of data loss in case of interruption. The recovery time objective is the target time to restore services to either the service delivery objective (SDO) or normal operations. The SDO is the agreed-on level of service required to resume acceptable operations. Maximum tolerable outage is the maximum length of time that the enterprise can operate at the recovery site.