ITM 350 chapter 4 study guide


what is Business continuity plan (BCP)?

- a written plan for a structured response to any events that result in an interruption to critical business activities or functions

what is Business impact analysis (BIA)?

- analysis of an organization's functions and activities that classifies them as critical or noncritical
- identifies the impact to the business if one or more IT functions fails
- identifies the priority of different critical systems

what is a cold site?

- facility with basic environmental utilities but no infrastructure components
- least expensive option, but at the cost of the longest switchover time because all hardware, software, and data must be loaded at the new site

what is a warm site?

- facility with environmental utilities and basic computer hardware
- less expensive than a hot site but requires more time to load operating systems, software, data, and configurations

what is a hot site?

- facility, with environmental utilities, hardware, software, and data, that closely mirrors the original data center
- this is the most expensive option
- has the least switchover time

what is a DRP?

- it directs the actions necessary to recover resources after a disaster
- extends and supports the BCP by identifying events that could cause damage to resources that are necessary to support critical business functions

what are some authentication controls?

- passwords and personal identification numbers (PINs)
- smart cards and tokens
- biometric devices
- digital certificates
- challenge-response handshakes
- Kerberos authentication
- one-time passwords

what does a DRP consider when assessing what could happen to each resource?

- threat analysis
- impact scenarios
- recovery requirement documentation
- disaster recovery

what is a mobile site?

- trailer with necessary environmental utilities that can operate as a warm or cold site
- very flexible, fairly short switchover time, and widely varying costs based on size and capacity

what is Challenge-response handshake (CHAP)?

- is a challenge-and-response authentication method that Point-to-Point Protocol (PPP) servers use to verify the identity of a remote user
- begins after the remote user initiates a PPP link

The Children's Online Privacy Protection Act (COPPA) restricts the collection of information online from children. What is the cutoff age for COPPA regulation?

13

Which of the following is not true of gap analysis?

A gap analysis can be performed only through a formal investigation.

Tom is the IT manager for an organization that experienced a server failure that affected a single business function. What type of plan should guide the organization's recovery effort?

Business continuity plan (BCP)

what is Bring your own device (BYOD)?

Business policy that permits employees to use their own mobile devices to access company computing resources and applications

What compliance regulation is similar to the European Union (EU) General Data Protection Regulation (GDPR) of 2016 and focuses on individual privacy and rights of data owners?

California Consumer Privacy Act (CCPA) of 2018

Which regulation requires schools to receive written permission from a parent or an eligible student before releasing any information contained in a student's education record?

Children's Online Privacy Protection Act (COPPA)

Rodrigo is a security professional. He is creating a policy that gives his organization control over mobile devices used by employees while giving them some options as to the type of device they will use. Which approach to mobile devices is Rodrigo focusing on in the policy?

Choose Your Own Device (CYOD)

What is the first priority when responding to a disaster recovery effort?

Ensuring that everyone is safe

Aditya recently assumed an information security role for a financial institution located in the United States. He is tasked with assessing the institution's risk profile and cybersecurity maturity level. What compliance regulation applies specifically to Aditya's institution?

FFIEC

Which one of the following is an example of a direct cost that might result from a business disruption?

Facility Repair

True/False: The first step in creating a comprehensive disaster recovery plan (DRP) is to document likely impact scenarios.

False

True/False: Continuity of critical business functions and operations is the first priority in a well-balanced business continuity plan (BCP).

False. The order of priorities for a well-balanced BCP should be as follows:

- Safety and well-being of people
- Continuity of critical business functions and operations, whether onsite or offsite, manual, or dependent upon IT systems
- Continuity of IT infrastructure components within the seven domains of an IT infrastructure

True/False: The first step in creating a comprehensive disaster recovery plan (DRP) is to document likely impact scenarios.

False. Ensure everyone's safety first: no other resource is as important as people.

What compliance regulation applies specifically to the educational records maintained by schools about students?

Family Education Rights and Privacy Act (FERPA)

What compliance regulation applies specifically to the educational records maintained by schools about students? Family Education Rights and Privacy Act (FERPA) Health Insurance Portability and Accountability Act (HIPAA) Federal Information Security Management Act (FISMA) Gramm-Leach-Bliley Act (GLBA)

Family Education Rights and Privacy Act (FERPA)

A hospital is planning to introduce a new point-of-sale system in the cafeteria that will handle credit card transactions. Which one of the following governs the privacy of information handled by those point-of-sale terminals?

Payment Card Industry Data Security Standard (PCI DSS)

Hajar is developing a business impact assessment for her organization. She is working with business units to determine the target state of recovered data that allows the organization to continue normal processing after a major interruption. Which of the following is Hajar determining?

Recovery point objective (RPO)

Which is the typical risk equation?

Risk = Threat x Vulnerability

As a follow-up to her annual testing, Isabella would like to conduct quarterly disaster recovery tests. These tests should include role-playing and introduce as much realism as possible without affecting live operations. What type of test should Isabella conduct?

Simulation test

What is the main purpose of risk identification in an organization?

To make the organization's personnel aware of existing risk

True/False: A disaster recovery plan (DRP) directs the actions necessary to recover resources after a disaster.

True

True/False: In a Bring Your Own Device (BYOD) policy, the user acceptance component may include separation of private data from business data.

True

True/False: Remote wiping is a device security control that allows an organization to remotely erase data or email in the event of loss or theft of the device.

True

True/False: The business impact analysis (BIA) identifies the resources for which a business continuity plan (BCP) is necessary.

True

What level of technology infrastructure should you expect to find in a cold site alternative data center facility?

No technology infrastructure

Which of the following is an example of an authorization control?

Access control list

Isabella is in charge of the disaster recovery plan (DRP) team. She needs to ensure that data center operations will transfer smoothly to an alternate site in the event of a major interruption. She plans to run a complete test that will interrupt the primary data center and transfer processing capability to a hot site. What option is described in this scenario?

Full-interruption test

What compliance regulation focuses on management and evaluation of the security of unclassified and national security systems?

Government Information Security Reform Act (Security Reform Act) of 2000

Betsy recently assumed an information security role for a hospital located in the United States. What compliance regulation applies specifically to health care providers?

HIPAA

Betsy recently assumed an information security role for a hospital located in the United States. What compliance regulation applies specifically to health care providers? FFIEC FISMA HIPAA PCI DSS

HIPAA

Dawn is selecting an alternative processing facility for her organization's primary data center. She needs a facility with the least switchover time, even if it's the most expensive option. What is the most appropriate option in this situation?

Hot site

what are the types of Disaster recovery Plan (DRP) testing?

- Hot site
- warm site
- cold site
- mobile site

Which of the following is an example of a reactive disaster recovery plan?

Moving to a warm site

What is not a commonly used endpoint security technique?

Network firewall

what is Kerberos authentication?

computer-network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.

What is the first step in a disaster recovery effort? Respond to the disaster. Follow the disaster recovery plan (DRP). Communicate with all affected parties. Ensure that everyone is safe.

ensure that everyone is safe

True/False: The term risk methodology refers to a list of identified risks that results from the risk-identification process.

False. A risk methodology is a description of how you will manage overall risk. It includes the approach, required information, and techniques to address each risk.

True/False: A security policy is a comparison of the security controls you have in place and the controls you need in order to address all identified threats.

False. A security policy is a set of policies that establish how an organization secures its facilities and IT infrastructure. It can also address how the organization meets regulatory requirements.

who, what and why is the Health Insurance Portability and Accountability Act (HIPAA)?

a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge

who, what and why is the Federal Financial Institutions Examination Council (FFIEC)?

a formal interagency body comprising five banking regulators that are responsible for US federal government examinations of financial institutions in the United States

who, what and why is the Payment Card Industry Data Security Standard (PCI DSS)?

an information security standard used to handle credit cards from major card brands; the standard is administered by the Payment Card Industry Security Standards Council and its use is mandated by the card brands

Which one of the following is an example of a reactive disaster recovery control?

moving to a warm site

what is mobile device management (MDM)?

an approach that requires a software agent to be installed on all mobile devices

what is choose your own device (CYOD)?

an approach in which the company provides employees with a few options from which to choose a device

True or False? A business continuity plan (BCP) directs all activities required to ensure that an organization's critical business functions continue when an interruption occurs that affects the organization's viability.

true

true/false: Authentication controls include passwords and personal identification numbers (PINs).

true

Dawn is selecting an alternative processing facility for her organization's primary data center. She would like to have a facility that balances cost and switchover time. What would be the best option in this situation?

warm site

Dawn is selecting an alternative processing facility for her organization's primary data center. She would like to have a facility that balances cost and switchover time. What would be the best option in this situation? Hot site Warm site Cold site Primary site

warm site
