an indicator is an activity in progress that may signal an incident could occur in the future
false
risk analysis is the probability that a specific vulnerability within an organization will be attacked by a threat.
false
the emergence of cloud computing technologies and practices has had little or no effect on the world of contingency planning and operations
false
the health insurance portability and accountability act (HIPAA) of 1996, which is also known as gramm-leach-bliley, attempts to protect the confidentiality and security of healthcare data by establishing and enforcing standards and by standardizing electronic data interchange.
false
the public relations (PR) department needs to be briefed on what information should be disclosed to the organization's employees if an incident occurs
false
__ is the organized research and investigation of internet addresses owned or controlled by a target organization
footprinting
the incident response policy element of __ states that the policy must use concrete language that directs behavior and avoid statements that are subject to individual interpretation
functionality
which of the following laws addresses privacy and security concerns associated with the electronic transmission of PHI, in part through several provisions that strengthen HIPAA rules for civil and criminal enforcement?
health information technology for economic and clinical health (HITECH) act of 2009
the CSIRT should be available for contact by anyone who discovers or suspects that an incident involving the organization has occurred. some organizations prefer that employees contact the __, which then determines whether to contact the CSIRT
help desk
A(n) _____________ is generally a fully configured computer facility, with all services, communications links, and physical plant operations, which is capable of establishing operations at a moment's notice.
hot site
what is the process of acting on risk after the organization has identified risk, assessed it, evaluated it, and then determined that the residual risk is unacceptable?
risk control
the entire program of planning for and managing risk to information assets in the organization is referred to as __.
risk management
Which of the following steps of building a CSIRT comes later in the process than the other steps listed below?
Communicate the CSIRT's vision and operational plan
Laws Germane to Contingency Planning
• Computer Fraud and Abuse (CFA) Act of 1986
• Electronic Communications Privacy Act (ECPA) of 1986
• Health Insurance Portability and Accountability Act (HIPAA) of 1996
• Federal Trade Commission Act (FTCA)
• Gramm-Leach-Bliley (GLB) Act of 1999
• Sarbanes-Oxley (SOX) Act of 2002
• American Recovery and Reinvestment Act (ARRA) of 2009
• Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 (part of ARRA-2009)
• Disaster Recovery Reform Act of 2018
The __ is an investigation and assessment of the impact that various events or incidents can have on the organization.
business impact analysis
an __ may signal an adverse event is under way and provide a notification of an incident candidate
indicator
__ is the protection of the confidentiality, integrity, and availability of information assets, whether in storage, processing, or transmission, via the application of policy, education, training, and awareness, and technology.
information security
a CPMT should include __ who can oversee the security planning of the project and provide information on threats, vulnerabilities, and recovery requirements needed in the planning process.
information security managers
information assets have __ when they are not exposed (while being stored, processed, or transmitted) to corruption, damage, destruction, or other disruption of their authentic states.
integrity
the __ department of an organization needs to review the procedures of the CSIRT and understand the steps the CSIRT will perform to ensure they are within legal and ethical guidelines for the municipal, state, and federal jurisdictions
legal
a backup plan using WAN/VLAN replication and a recovery strategy using a warm site is most suitable for information systems that have __ priority within an organization
moderate
the general categories of unethical behavior that an organization's management seeks to eliminate include each of the following except __.
opportunism
organizations with limited funding, staffing, or IR needs may have only __ IR team members
part time
the organization must first understand what skills are needed to effectively respond to an incident. If necessary, management must determine if it is willing to acquire needed __ to fill
personnel
the U.S. National Institute of Standards and Technology defines the incident response life cycle as having four main processes: 1) preparation, 2) detection and analysis, 3) containment, eradication, and recovery, and 4) __
post incident activity
an __ may signal an incident that could occur in the future
precursor
__ incident responses enables the organization to react to a detected incident quickly and effectively, without confusion or wasted time and effort
predefining
a(n) __ is an extension of an organization's intranet into cloud computing
private cloud
both data backups and archives should be based on an __ schedule that guides the frequency of replacement and the duration of the storage
retention
The transference risk treatment strategy attempts to shift risk to other assets, other processes, or other organizations.
true
an incident is an adverse event that violates the security of an organization and represents a potential risk of loss of the confidentiality, integrity, or availability of its assets and ongoing operations
true
gathering information on and identifying network assets is known as fingerprinting
true
it is the responsibility of infosec personnel to deter and, where possible, prevent unethical and illegal acts.
true
risk treatment is the selection of a strategy to address residual risk in an effort to bring it into alignment with the organization's risk appetite.
true
some data is required by law to be retained and stored for years
true
the CSIRT may also be known as the IR reaction team
true
without formal management support at all levels, from the top down to each supervisor, any organization-wide effort will fail
true
the __ flow of information needed from the CSIRT to organizational and IT/infosec management is a critical communication requirement
upward
an entry-level infosec professional often responsible for the routine monitoring and operation of a particular infosec technology is called a __
watchstander
Whether the objective is to recover a backup of a file that has been accidentally deleted or to transfer an entire data center to an alternate facility, there are five key mechanisms that help restore critical information and the continuation of business operations:
• Delayed data protection
• Real-time data protection
• Server recovery
• Application recovery
• Site recovery
Deterrence is the best method for preventing an illegal or unethical activity; however, laws, policies, and their associated penalties only deter if three conditions are present:
• Fear of penalty
• Probability of being caught
• Probability of penalty being administered
There are three general categories of unethical behavior that an organization's management seeks to eliminate:
• Ignorance
• Accident
• Malicious intent
A typical roster for the CPMT may include:
• Leadership
• A champion
• A project manager
• Team members
• Representatives from other business units:
  • Business managers
  • IT managers
  • InfoSec managers
• Representatives from subordinate planning teams (IR/DR/BC/CM)
• Representatives from subordinate response teams (IR/DR/BC/CM)
What is the period of time within which systems, applications, or functions must be recovered after an outage?
RTO (recovery time objective)
_____________ is/are responsible for the overall planning and development of the contingency planning process, including the organization of subordinate teams and oversight of subordinate plans.
The contingency planning management team (CPMT)
A(n) _____________ is the long-term storage of a document or data file, usually for legal or regulatory purposes.
archive
The CPMT conducts the BIA in three stages:
1. Assessing mission/business processes and recovery criticality
2. Identifying resource requirements
3. Identifying recovery priorities
What is a description of a potential attack that includes as much information as the IRPT can document on the most likely attack methods and attack points?
Attack scenario
Which of the following is not a common consideration when an organization funds a CSIRT operation?
Budgeting for team retreats and recruiting bonuses to attract CSIRT membership
Which of the following is a definite indicator of an incident?
Changes to logs
what is a targeted technique to misuse a specific vulnerability and compromise a system?
Exploit
Risk appetite is the recognition, enumeration, and documentation of risks to an organization's information assets.
False
the __ of an organization defines the roles and responsibilities for incident response by the CSIRT and others who will be mobilized in the activation of the plan
IR policy
Which of the following is not a general detection strategy for incidents?
Inform law enforcement about suspicious behavior.
__ uses a number of hard drives to store information across multiple drive units
RAID
a subject's or object's ability to use, manipulate, modify, or affect another subject or object is known as __.
access
NIST SP 800-61 Rev. 1 provides a five-category classification scheme for network-based incidents that includes each of these except __
all of these are NIST incident classifications
the duplication of system data to external media or a secondary location to provide recovery capability in the event of data loss is a __
answer is not "data archive"
the __ CSIRT model is used when the organization needs a full-time, on-site CSIRT but does not have enough available qualified employees
answer not "24/7"
__ is used to maintain awareness of evolving threats in general and is a resource for researching specific threats as an organization develops usable threat intelligence
answer not "deep web research"
Information assets have __ when authorized users (people or computer systems) are able to access them in the specified format without interference or obstruction.
availability
a CSIRT model in which a single CSIRT handles incidents throughout the organization is called a(n) __
central CSIRT
in a CPMT, the __ should be a high-level manager with influence and resources that can be used to support the project team, promote the objectives of the CP project, and endorse the results that come from the combined effort.
champion
the champion for the CSIRT may be the same person as the champion for the entire IR function, typically the __
chief information officer
the incident response policy element of __ states that each person expected to comply with policy must be able to understand the policy as it is written
clarity
within an organization, a(n) __ is a group of individuals who are united by shared interests or values and who have a common goal of making the organization function to meet its objectives.
community of interest
which of the following laws is the cornerstone of many U.S. computer-related federal laws and enforcement efforts and formally criminalizes accessing a computer without authorization or exceeding authorized access for the systems that contain information of national interest as determined by the U.S. government?
computer fraud and abuse (CFA) act of 1986
__ ensures that only those with the rights and privileges to access information are able to do so.
confidentiality
the elements required to begin the __ process are a planning methodology, a policy environment to enable the planning process, an understanding of the causes and effects of core precursor activities, and access to financial and other resources.
contingency planning
a series of steps that follow the stages of a cyberattack from early reconnaissance to the exfiltration of data is known as the __
cyber kill chain
the most common schedule for tape-based backups is a __ backup, either incremental or differential, with a weekly off-site full backup
daily on site
__ is the stage in the cyber kill chain that deals with the transmission of the weaponized delivery mechanism to the intended target or targets
delivery
RAID 0 creates one logical volume across several available hard disk drives and stores the data using __, in which data segments are written in turn to each disk drive in the array
disk striping
an organization aggregates all local backups to a central repository and then backs up the repository to an online vendor with a __ backup strategy
disk to disk to cloud
a CSIRT model that is effective for large organizations and for organizations with major computing resources at distant locations is the __
distributed CSIRT
from the detailed scenarios they create, the BIA planning team must estimate the cost of the best, worst, and most likely outcomes by preparing an attack scenario __
end case
__ is the stage in the cyber kill chain that includes the activation and initiation of the process whereby the crafted exploit gains a foothold and attempts to expand its influence
exploitation