CIST 1602 Module 5
If operations at the primary site cannot be quickly restored, the ____________________ occurs concurrently with the DR plan, enabling the business to continue at an alternate site.
BCP business continuity plan BC plan
The four components of contingency planning are the ____________________, the incident response plan, the disaster recovery plan, and the business continuity plan.
BIA Business Impact Analysis
____________________ planning ensures that critical business functions can continue if a disaster occurs.
Business continuity
what is database shadowing?
Data backup technique in which an identical copy of a firm's database is maintained on a local (onsite) and/or a remote (offsite) computer. The primary database and its shadow are so linked via cable, telephone line, or wireless that any change in the former is instantly reflected in the latter.
A company deemed to be using 'best security practices' establishes high-quality security in every area of their security program.
False
Attaining certification in security management is a long and difficult process, but once attained, an organization remains certified for the life of the organization.
False
In a warm site, all services and communications links are fully configured and the site can be fully functional within minutes.
False
In most organizations, the COO is responsible for creating the IR plan.
False
The first phase in the NIST performance measurement process is to identify and document InfoSec performance goals and objectives.
False
Training should be as specialized as possible; personnel who are responsible for one duty should not be trained on other duties to avoid confusion during a disaster.
False
Using a practice called benchmarking, you are able to develop an acceptable use policy based on the typical practices of the industry in which you are working.
False
When an incident takes place, the disaster recovery (DR) plan is invoked before the incident response (IR) plan.
False
what is electronic vaulting?
It typically fits between tape backup and disk mirroring as part of an overall data protection plan. It can be a service offering, a product, a feature of a product, or some combination of these.
One question you should ask when choosing among recommended practices is "Can your organization afford to implement the recommended practice?"
True
When performing parallel testing, normal operations of the business are not impacted.
True
what is internal benchmarking?
An effort to improve information security practices by comparing an organizations current efforts against it's past efforts, or a desired Target value, to identify Trends and performance , areas of excellence, and areas in need of improvement.
In security management, which of the following is issued by a management official and serves as a means of assuring that systems are of adequate quality? a. accreditation b. certification c. performance measurement d. testimonial
a accreditation
Which of the following is the last phase in the NIST process for performance measures implementation? a. Apply corrective actions b. Obtain resources c. Document the process d. Develop the business case
a apply corrective actions
According to NIST SP 800-37, which of the following is the first step in the security controls selection process? a. categorize the information system and the information processed b. select an initial set of baseline security controls c. assess the security controls using appropriate assessment procedures d. authorize information system operation based on risk determination
a assess the security controls using appropriate assessment procedures
Creating a blueprint by looking at the paths taken by organizations similar to the one whose plan you are developing is known as which of the following? a. benchmarking b. best practices c. baselining d. due diligence
a benchmarking
In which type of site are no computer hardware or peripherals provided? a. cold site b. warm site c. timeshare d. hot site
a cold site
what is certifications?
a comprehensive assessment of a cyst of Technical and non-technical protection strategies, as specified by a particular set of requirements.
Which of the following is an example of a rapid-onset disaster? a. Flood b. Pest infestation c. Famine d. Environmental degradation
a flood
Which of the following is a part of the incident recovery process? a. Identifying the vulnerabilities that allowed the incident to occur and spread b. Determining the event's impact on normal business operations and, if necessary, making a disaster declaration c. Supporting personnel and their loved ones during the crisis d. Keeping the public informed about the event and the actions being taken to ensure the recovery of personnel and the enterprise
a identifying the vulnerabilites that allowed the incident to occur and spread.
Which of the following is NOT a question to be used as a self-assessment for recommended security practices in the category of people? a. Do you perform background checks on all employees with access to sensitive data, areas, or access points? b. Are the user accounts of former employees immediately removed on termination? c. Would the typical employee recognize a security issue? d. Would the typical employee know how to report a security issue to the right people?
b are the user accounts of former employees immediately removed on termination
In the event of an incident or disaster, which team sets up and starts off-site operations? a. project management b. business continuity c. disaster recovery d. incident response
b business continuity
When a disaster renders the current business location unusable, which plan is put into action? a. crisis management b. business continuity c. incident response d. disaster recovery
b business continuity
After an incident, but before returning to its normal duties, the CSIRT must do which of the following? a. create the incident damage assessment b. conduct an after-action review c. restore data from backups d. restore services and processes in use
b conduct an after-action review
Which of the following has the main goal of restoring normal modes of operation with minimal cost and disruption to normal business activities after an event? a. risk management b. contingency planning c. business response d. disaster readiness
b contingency planning
Which of the following InfoSec measurement specifications makes it possible to define success in the security program? a. development approach b. establishing targets c. prioritization and selection d. measurements templates
b establishing targets
Which of the following is NOT a factor critical to the success of an information security performance program? a. Strong upper level management support b. High level of employee buy-in to performance measurements c. Quantifiable performance measurements d. Results oriented measurement analysis
b high level of employee buy-in to performance measurements
Which of the following determines the scope of the breach of confidentiality, integrity, and availability of information and information assets? a. incident report b. incident damage assessment c. information loss assessment d. damage report
b incident damage assessment
Which of the following is Tier 3 (indicating tactical risk) of the tiered risk management approach? a. mission/business process b. information system c. accounting/logistics d. organization
b information system
Which of the following is a possible result of failure to establish and maintain standards of due care and due diligence? a. criminal proceedings b. legal liability c. chapter 11 filings d. certification revocation
b legal liability
InfoSec measurements collected from production statistics depend greatly on which of the following factors? a. types of performance measures developed b. number of systems and users of those systems c. number of monitored threats and attacks d. activities and goals implemented by the business unit
b number of systems and users of those systems
Which of the following is a tool that can be useful in resolving the issue of what business function is the most critical? a. BIA questionnaire b. weighted analysis tool c. recovery time organizer d. MTD comparison
b weighted analysis tool
At what point in the incident lifecycle is the IR plan initiated? a. before an incident takes place b. when an incident is detected c. once the DRP is activated d. once the BCP is activated
b when an incident is detected
A practice related to benchmarking is ____________, which is a measurement against a prior assessment or an internal goal.
baselining, baseline
Which of the following is a responsibility of the crisis management team? a. Restoring the data from backups b. Evaluating monitoring capabilities c. Activating the alert roster d. Restoring the services and processes in use
c activating the alert roster
The Authorize step of the NIST six-step approach to the risk management framework involves all but which of the following tasks? a. prepare the plan of action and develop milestones b. assemble the security authorization package c. determine if the cost/benefit ratio is acceptable d. determine the risk to organizational operations
c determine if the cost/benefit ratio is acceptable
Which of the following is true about a hot site? a. It is an empty room with standard heating, air conditioning, and electrical service. b. It includes computing equipment and peripherals with servers but not client workstations. c. It duplicates computing resources, peripherals, phone systems, applications, and workstations. d. All communications services must be installed after the site is occupied.
c it duplicates computing resources, peripherals, phone systems, applications and workstations
Two examples of security best practices include: "Decision paper on use of screen warning banner", and "Sample warning banner from the NLRB". Under which best security practice area do these two examples fall? a. policy and procedures b. personnel security c. logical access controls d. identification and authentication
c logical access controls
Which of the following is the first phase in the NIST process for performance measurement implementation? a. Develop the business case b. Obtain resources c. Prepare for data collection d. Identify corrective actions
c prepare for data collection
Which of the following is NOT one of the three types of performance measures used by organizations? a. Those that determine the effectiveness of the execution of InfoSec policy b. Those that determine the effectiveness and/or efficiency of the delivery of InfoSec services c. Those that evaluate the compliance of non-security personnel in adhering to InfoSec policy d. Those that assess the impact of an incident or other security event on the organization or its mission
c those that evaluate the compliance of non-security personnel in adhering to infosec policy
Which of the following is NOT a question a CISO should be prepared to answer, about a performance measures program, according to Kovacich? a. Why should these measurements be collected? b. Where will these measurements be collected? c. What affect will measurement collection have on efficiency? d. Who will collect these measurements?
c what effect will measurement collection have on efficiency?
The last phase in the NIST performance measures implementation process is to apply ______________ actions which closes the gap found in Phase 2.
corrective
Problems with benchmarking include all but which of the following? a. Organizations don't often share information on successful attacks b. Organizations being benchmarked are seldom identical c. Recommended practices change and evolve, thus past performance is no indicator of future success d. Benchmarking doesn't help in determining the desired outcome of the security process
d benchmarking doesn't help in determining the desired outcome of the security process
Which is the first step in the contingency planning process? a. business continuity training b. disaster recovery planning c. incident response planning d. business impact analysis
d business impact analysis
Which of the following is usually conducted via leased lines or secure Internet connections whereby the receiving server archives the data as it is received?. a. Database shadowing b. Timesharing c. Traditional backups d. Electronic vaulting
d electric vaulting
Organizations must consider all but which of the following during development and implementation of an InfoSec measurement program? a. Measurements must yield quantifiable information b. Data that supports the measures needs to be readily obtainable c. Only repeatable InfoSec processes should be considered for measurement d. Measurements must be useful for tracking non-compliance by internal personnel
d measurements must be useful for tracking non-compliance by internal personnel
In which contingency plan strategy do individuals act as if an actual incident occurred, and begin performing their required tasks and executing the necessary procedures, without interfering with the normal operations of the business? a. a desk check b. a simulation c. a structured walk-through d. parallel testing
d parallel testing
What is the last stage of the business impact analysis? a. identify resource requirements b. analysis and prioritization of business processes c. collect critical information about each business unit d. prioritize resources associated with the business processes
d prioritize resources associated with the business processes
Which of the following is NOT a consideration when selecting recommended best practices? a. threat environment is similar b. resource expenditures are practical c. organization structure is similar d. product or service is the same
d product or service is the same
Which of the following is a definite indicator of an actual incident? a. Unusual system crashes b. Reported attack c. Presence of new accounts d. Use of dormant accounts
d use of dormant accoutns
what is performance measurement?
data or the trends in data that may indicate the effectiveness of security countermeasures or controls Technical and managerial implemented in the organization.
____________________ encompasses a requirement that the implemented standards continue to provide the required level of protection.
due diligence
The bulk batch-transfer of data to an off-site facility is known as ____________________.
electronic vaulting
In ____________________ testing of contingency plans, the individuals follow each and every procedure, including the interruption of service, restoration of data from backups, and notification of appropriate individuals.
full-interruption
what is standard of due care?
illegal standard that requires an organization and its employees to act as a reasonable and prudent individual or organization would under similar circumstances.
A(n) ____________________ occurs when an attack affects information resources and/or assets, causing actual damage or other disruptions.
incident
The ____________________ plan is a detailed set of processes and procedures that anticipate, detect, and mitigate the effects of an unexpected event that might compromise information resources and assets.
incident response IR
what is Crisis management plan (CMPT)?
is a document that outlines the processes an organization will use to respond to a critical situation that would negatively affect its profitability, reputation or ability to operate.
what is a business impact analysis (BIA)?
is a systematic process to determine and evaluate the potential effects of an interruption to critical business operations as a result of a disaster, accident or emergency.
what is disaster recovery planning team (DRPT)?
is an important process that organisations of all sizes implement to ensure the rapid recovery of applications, data and hardware that are critical to business operations in the event of a natural disaster, network or hardware failure or human error.
what is recovery time objective (RTO)?
is the targeted duration of time and a service level within which a business process must be restored after a disaster (or disruption) in order to avoid unacceptable consequences associated with a break in business continuity.
what is maximum tolerable downtime (MTD)?
is the time after which the process being unavailable creates irreversible consequences generally, exceeding this results with severe damage to the viability of the business.
what is due diligence?
reasonable steps taken by a person in order to satisfy a legal requirement, especially in buying or selling something.
what is best security practices (BSPs)?
security efforts that are considered among the best in the industry.
what are recommended practices?
security efforts that seek to provide a superior level of performance and the protection of information.
A(n) ____________________ is an agency that provides, in the case of DR/BC planning, physical facilities for a fee.
service bureau
A goal of 100 percent employee InfoSec training as an objective for the training program is an example of a performance __________.
target
what is accreditation?
the authorization bad oversight authority of an IT system to process store or transmit information.
what is baselining?
the process of conducting a Baseline.
Which of the following is the process of examining a possible incident and determining whether it constitutes an actual incident? a. Incident classification b. Incident identification c. Incident registration d. Incident verification
a incident classification
Which of the following terms is described as the process of designing, implementing, and managing the use of the collected data elements to determine the effectiveness of the overall security program? a. performance management b. baselining c. best practices d. standards of due care/diligence
a performance management
what is infosec Performance Management?
a process of Designing, implementing, and managing the use of specific measurements to determine the effectiveness of the overall security program.
Which of the following is the transfer of live transactions to an off-site facility? a. Remote journaling b. Electronic vaulting c. Database shadowing d. Timesharing
a remote journaling
what is a metric?
a term traditionally used to describe any detailed statistical analysis technique on performance, but now commonly synonymous with performance measurements
Which of the following is a possible indicator of an actual incident? a. Unusual consumption of computing resources b. Activities at unexpected times c. Presence of hacker tools d. Reported attacks
a unusual consumption of computing resources
Best security practices balance the need for user _____________ to information with the need for adequate protection while simultaneously demonstrating fiscal responsibility.
access
When dealing with an incident, the incident response team must conduct a(n) ____________________, which entails a detailed examination of the events that occurred from first detection to final recovery.
after action review
A(n) ____________________ is a document containing contact information of the individuals to notify in the event of an actual incident.
alert roster
what is a baseline?
an assessment of the performance of some action or process against which future performance is assessed; the first measurement Benchmark in benchmarking.
what is benchmarking?
an attempt to improve information security practices by comparing an organization's efforts against practices of a similar organization or an industry develop standard to produce results it would like to duplicate.
In which phase of the NIST performance measures development process will the organization identify and document the InfoSec performance goals and objectives? a. Phase 1 b. Phase 2 c. Phase 3 d. Phase 4
b Phase 2
Which contingency plan strategy do individuals work on their own tasks and are responsible for identifying the faults in their own procedures? a. A desk check b. A simulation c. A structured walk-through d. Parallel testing
b a simulation