MIS 515 week 4
T or F: In the 6-phase planning approach, governance oversees, reviews and approves policies while management establishes, ensures and assesses them.
True
T or F: In the Crisis Management phase of the 6-phase approach, protocols are established to assess and limit damage.
True
T or F: Qualitative metrics are subjective in nature.
True
T or F: most information security frameworks are initiated out of an organization's risk assessment and the need to mitigate risk
True
T or F: A metric is a point-in-time view of specific factors generated from raw data, whereas a measurement is the comparison of predetermined baselines of two or more factors taken over time.
False
T or F: Business drivers are high-level concerns based on the tactical goals and objectives of the organization.
False
T or F: In the second phase of the 6-phase planning approach cycle, risks are identified and ranked.
False
T or F: Most planning approaches have 3 basic levels: strategic, tactical and disaster planning.
False
T or F: Risk management and contingency planning are the same process.
False
T or F: Virtualization provides less flexibility in quickly deploying services to remote sites.
False
T or F: A key risk indicator(KRI) is a measurement of how well something is doing
False
T or F: Metrics are really only useful to the CEO and top managers.
False
Why is business unit analysis important in the BIA process? -Helps identify what control measures are missing -Helps planners identify who should be involved in the planning teams -Forces a business unit to inventory its hardware -Helps planners identify and prioritize critical unit functions -Is not important; it is an optional step in the BIA process
Helps planners identify and prioritize critical unit functions
T or F: A business continuity plan is typically invoked or executed after a devastating attack or disaster that cripples an organization's primary site of business.
True
T or F: A business impact analysis assumes all existing controls have been bypassed and a disruption was successful.
True
T or F: Full interruption testing of business continuity plans is not frequently (if at all) done by most organizations because it is expensive and disruptive to operations.
True
T or F: If countermeasures are adequate to stop an attack, then the attack does not become an incident.
True
T or F: In DR planning, the purpose of examining existing countermeasures is to identify how well an organization is prepared for a disaster and whether new or updated controls are necessary.
True
T or F: Metrics enable an understanding of security controls and allow an organization to focus limited resources on that which most needs fixing.
True
T or F: Oreck's disaster recovery plan was to use its New Orleans site in the case of a disaster at Long Beach, and vice versa.
True
T or F: Planning is a process that creates and implements strategies oriented towards the accomplishment of organizational objectives.
True
T or F: Quantitative metrics are actual numeric values that are tracked over time.
True
T or F: A top-down approach to metric formation is often easier when identifying the metrics that should be in place.
True
T or F: Virtualized servers can easily be backed up to remote virtual installations because the virtual server is encapsulated in its own snapshot or save-set profile.
True
T or F: Balanced scorecards are used to show the progress of a strategy.
True
T or F: Business resumption focuses on the remaining unrestored functions of an organization after a disaster.
True
T or F: Contingency planning's goal is to restore normal modes of operation after unexpected events.
True
T or F: Crisis management is a series of focused steps that deal with the safety and state of employees and their families during and after a disaster.
True
T or F: Decreasing the RTO of a business continuity plan will more than likely increase the cost and complexity associated with backup procedures and alternatives.
True
T or F: Incident response is a reactive measure, not a preventive measure.
True
T or F: Incident response planning uses the BIA to focus on what countermeasures, if any, exist and whether they are adequate to mitigate an end-case scenario threat.
True
T or F: Policies must have enforced consequences to be effective.
True
T or F: Tactical planning typically involves a scope of 1-5 years.
True
T or F: The bottom-up approach to metrics yields the most easily obtainable metrics; however, many metrics collected in this approach may not be suitable for top management.
True
T or F: Operational planning is short term in nature
True
T or F: The goal of SecSDLC is to ensure information security is addressed throughout a project's life cycle
True
T or F: Disaster recovery plans only focus on natural disasters; man-made disasters involving information systems are covered in the incident response plan.
False
T or F: Information security policies only exist to avoid litigation.
False
In what phase of the 6-phase planning cycle are countermeasures and controls deployed? -phase 1 -phase 2 -phase 3 -phase 4 -phase 5 -phase 6
-phase 4
T or F: Oversimplification of a security metric, for the sake of clarity, is advisable.
False
T or F: The Oreck example shows that supplier and vendor relationships are not that important in times of disaster.
False
Which two of the following best describe the difference between CP and risk management? -Risk management encompasses the broad range of activities to identify, control, and mitigate risk -CP does not concern itself with risk but rather with processes -CP assumes that controls have failed and seeks to recover from such failures -The results of the risk management process are not used in CP -CP is used for qualitative assessment of risks
-Risk management encompasses the broad range of activities to identify, control, and mitigate risk -CP assumes that controls have failed and seeks to recover from such failures
Which of the following would not be a goal of disaster recovery planning? -Eliminate or reduce the potential for injuries, damage to facilities or loss of assets -Ensure an alternate site has adequate resources to facilitate operations -Stabilize the effects of a disaster -Implement the planned procedures to resume operations
-Ensure an alternate site has adequate resources to facilitate operations
Why is an alert roster important in incident response? -it is required by regulations like Sarbanes-Oxley -it categorizes the alert levels -it allows the public to know what is going on -it allows the organization to alert the right people in the correct order
-it allows the organization to alert the right people in the correct order
When a threat becomes a valid attack, it is classified as an information security incident if: -It is directed against information assets -It threatens the confidentiality, integrity, or availability of information assets -It has a realistic chance of success -It is stopped by countermeasures
-It is directed against information assets -It threatens the confidentiality, integrity, or availability of information assets -It has a realistic chance of success
Why is a business impact analysis important to contingency planning? -It provides an assessment of the impact of various attacks on operations and the ability to recover from such attacks -It provides the necessary information for forming the disaster recovery team -It provides a return on investment for security implementation strategies -It provides operations with timelines for security incidents
-It provides an assessment of the impact of various attacks on operations and the ability to recover from such attacks
What is the difference between a recovery time objective (RTO) and a recovery point objective (RPO)?
An RTO deals with the amount of time until an operation or service is made available again after a disaster, while an RPO deals with how current the data backups are (that is, how much data loss, measured in time, is acceptable).
Which of the following is true regarding virtualization?
All of the above are true
Oreck took care of its employees throughout the Katrina devastation: it provided shelter, food and essentials and never missed a payroll. In a contingency planning context, what does this fall under? -Incident response -Physical security planning -Crisis management -Business continuity
Crisis management
What is the difference between disaster recovery (DR) and business continuity(BC)? -BC is the next step in incident escalation -DR only focuses on restoring backups. BC focuses on personnel and getting the primary site back in shape -DR focuses on resuming at the primary site. BC focuses on an alternate site -there is no difference
DR focuses on resuming at the primary site. BC focuses on an alternate site
A policy describing the protection of privacy would be which type of policy? -Enterprise information security program policy -Issue-specific security policy -System-specific security policy -Technical Specifications
Issue-specific security policy
Which of the following would not be a strategic level management area? -Risk Analysis & Management -Policy Compliance -Security Program -Governance Model
Policy Compliance
which of the following best represents the order regarding security policy formation? -policy, standards, (practices, guidelines procedures) -policy, guidelines (standards, practices, procedures) -standards, policy (guidelines, practices, procedures) -procedures, practices, standards, policy, guidelines
Policy, standards (practices, guidelines, procedures)
Good metrics should be:
Specific, Measurable, Attainable, Repeatable and Time-Dependent
Why did Oreck's disaster recovery plan fail? -It was never rehearsed or tested before hurricane Katrina -Oreck did not adequately invest in technology -the disaster recovery site was too close and was also rendered unusable -it relied too heavily on vendor relations -all of the above -none of the above
The disaster recovery site was too close and was also rendered unusable
which of the following would not be an element of a security program?
all of the above are elements
T or F: A business continuity plan ensures that critical business functions can continue in the case of a disaster.
True