MIS 515 week 4

T of F: In the 6-phase planning approach, governance oversees, reviews and approves policies while management establishes, ensures and assesses them.

True

T of F: In the Crisis Management phase of the 6-phase approach protocols are established to assess and limit damage

True

T of F: Qualitative metrics are subjective in nature

True

T or F: most information security frameworks are initiated out of an organization's risk assessment and the need to mitigate risk

True

T of F: a metric is a point-in-time view of specific factors generated from raw data whereas a measurement is the comparison of predetermined baselines of two or more factors taken over time.

False

T of F: business drivers are high-level concerns based on tactical goals and objectives of the organization

False

T of F: in the second phase of the 6-phase planning approach cycle, risks are identified and ranked

False

T of F: most planning approaches have 3 basic levels: strategic, tactical and disaster planning.

False

T of F: risk management and contingency planning are the same process

False

T of F: virtualization provides less flexibility in quickly deploying services to remote sites

False

T or F: A key risk indicator(KRI) is a measurement of how well something is doing

False

T or F: Metrics are really only useful to the CEO and top managers.

False

Why are business unit analysis important in the BIA process? -Helps identify what control measures are missing -Helps planners identify who should be involved in the planning teams -forces a business unit to inventory its hardware -helps planners identify and prioritize critical unit functions -is not important. it is an optional step in the BIA process

Helps planners identify and prioritize critical unit functions

T of F: A Business continuity plan is typically invoked or executed after a devastating attack or disaster that cripples an organization's primary site of business.

True

T of F: A Business impact analysis assumes all existing controls have been bypassed and a disruption was successful.

True

T of F: Full interruption testing of business continuity plans are not frequently (if at all) done by most organizations because they are expensive and disruptive to operations

True

T of F: If countermeasures are adequate to stop an attack, then the attack does not become an incident.

True

T of F: In DR planning, the purpose of examining existing countermeasures is to identify how well an organization is prepared for a disaster or if new or updated controls are necessary

True

T of F: Metrics enable an understanding of security controls and allow an organization to focus limited resources on that which most needs fixing

True

T of F: Most information security frameworks are initiated out of an organization's risk assessment and the need to mitigate risk

True

T of F: Orech's disaster recovery plan was to use their New Orleans site in the case of a disaster at Long Beach and Visa-versa.

True

T of F: Planning is a process that creates and implements strategies oriented towards the accomplishment or organizational objectives

True

T of F: Quantitative metrics are actual number values that are tracked over time

True

T of F: Top-down approaches to metric formation is often easier when identifying the metrics that should be in place

True

T of F: Top-down approaches to metric formation is often easier when identifying the metrics that should be in place.

True

T of F: Virtualized servers can easily backed up to remote virtual installations because the virtual server is encapsulated in it own snap-shot or save-set profile

True

T of F: balanced scorecards are used to show progress of strategy

True

T of F: business resumption focuses on the remaining unrestored functions or an organization after a disaster

True

T of F: contingency planning's goal is to restore normal modes of operation after unexpected events

True

T of F: crisis management is a series of focused steps that deal with the safety and state of employees and their families during and after a disaster

True

T of F: crisis management is a series of focused steps that deal with the safety and state of employees and their families during and after a disaster.

True

T of F: decreasing the RTO of a business continuity plan will more than likely increase the cost and complexity associated with backup procedures and alternatives

True

T of F: incident response is a reactive measure, not a preventive measure

True

T of F: incident response planning uses the BIA to focus in on what countermeasures, if any, exist and if they are adequate to mitigate an end-case scenario threat.

True

T of F: policies must have enforced consequences to be effective

True

T of F: tactical planning typically involves a scope of 1-5 years

True

T of F: the bottom-up approach to metrics yields the most easily obtainable metrics however many metrics collected in this approach may not be suitable for top-management

True

T or F: Operational planning is short term in nature

True

T or F: Planning is a process that creates and implements strategies oriented towards the accomplishment of organizational objectives

True

T or F: The goal of SecSDLC is to ensure information security is addressed throughout a project's life cycle

True

T of F: Disaster Recovery Plans only focus on natural disasters. Man-made disasters involving information system are covered in the Incident Response Plan

False

T of F: Information security policies only exist to avoid litigation

False

In what phase of the 6-phase planning cycle are countermeasures and controls deployed? -phase 1 -phase 2 -phase 3 -phase 4 -phase 5 -phase 6

-phase 4

T of F: Metrics are really only useful to the CEO and top managers

False

T of F: Oversimplification of a security metric, for the sake of clarity, is advisable.

False

T of F: The Oreck example shows that supplier and vendor relationships are not that important in times of disaster.

False

which two of the following best describes the difference between CP and Risk Management? -Risk management encompasses the broad range of activities to identify, control, and mitigate risk -CP does not concern itself with risk but rather with processes -CP assumes that controls have failed and seeks to recover from such failures -The results of the risk management process are not used in CP CP is used for qualitative assessment of risks

-Risk management encompasses the broad range of activities to identify, control, and mitigate risk -CP assumes that controls have failed and seeks to recover from such failures

Which of the following would not be a goal of disaster recovery planning? -eliminate or reduce the potential for injuries, damage to facilities or loss of assets -ensure an alternate site as adequate resources to facilitate operations -stabilize the effects of a disaster -implement the planned procedures to resume operations

-ensure an alternate site as adequate resources to facilitate operations

Why is an alert roster important in incident response? -it is required by regulations like Sarbanes-Oxley -it categorizes the alert levels -it allows the public to know what is going on -it allows the organization to alert the right people in the correct order

-it allows the organization to alert the right people in the correct order

What a threat becomes a valid attack, it is classified as an information security incident if: -it is directed against information assets -it threatens the confidentiality, integrity, or availability of information assets -it has a realistic chance of success -it is stopped by countermeasures

-it is directed against information assets -it threatens the confidentiality, integrity, or availability of information assets -it has a realistic chance of success

Why is a business impact analysis important to contingency planning? -it provides an assessment of the impact of various attacks on operations and ability to recovery from such attacks -it provides the necessary information for forming the disaster recovery team -it provides a return on investment for security implementation strategies -it provides operations with timelines for security incidents

-it provides an assessment of the impact of various attacks on operations and ability to recovery from such attacks

What is the difference between a recovery time objective and a recovery point objective?

An RTO deal with the amount of time until an operation or service is made available after a disaster while an RPO deals with how current data backups are

Which of the following is true regarding virtualization?

All of the above are true

Oreck took care of its employees all throughout the Katrina devastation. He provided shelter, food and essentials and never missed a payroll. in a contingency planning context, what does this fall under? -incident response -physical security planning -crisis management -business continuity

Crisis management

What is the difference between disaster recovery (DR) and business continuity(BC)? -BC is the next step in incident escalation -DR only focuses on restoring backups. BC focuses on personnel and getting the primary site back in shape -DR focuses on resuming at the primary site. BC focuses on an alternate site -there is no difference

DR focuses on resuming at the primary site. BC focuses on an alternate site

A policy describing the protection of privacy would be which type of policy? -Enterprise information security program policy -Issue-specific security policy -System-specific security policy -Technical Specifications

Issue-specific security policy

Which of the following would not be a strategic level management area? -Risk Analysis & Management -Policy Compliance -Security Program -Governance Model

Policy Compliance

which of the following best represents the order regarding security policy formation? -policy, standards, (practices, guidelines procedures) -policy, guidelines (standards, practices, procedures) -standards, policy (guidelines, practices, procedures) -procedures, practices, standards, policy, guidelines

Policy, standards (practices, guidelines, procedures)

Good metrics should be:

Specific, Measurable, Attainable, Repeatable and Time-Dependent

Why did Oreck's disaster recovery plan fail? -It was never rehearsed or tested before hurricane Katrina -Oreck did not adequately invest in technology -the disaster recovery site was too close and was also rendered unusable -it relied too heavily on vendor relations -all of the above -none of the above

The disaster recovery site was too close and was also rendered unusable

which of the following would not be an element of a security program?

all of the above are elements

T of F: a business continuity plan ensures that critical business functions can continue in the case of a disaster

true