CISSP Chapter 7


A change management process should include a number of procedures. Which of the following incorrectly describes a characteristic or component of a change control policy? A. Changes that are unanimously approved by the change control committee must be tested to uncover any unforeseen results B. Changes approved by the change control committee should be entered into a change log C. A schedule that outlines the projected phases of the change should be developed D. An individual or group should be responsible for approving proposed changes

A

Countries around the world are focusing on cyber warfare and how it can affect their utility and power grid infrastructures. Securing water, power, oil, gas, transportation, and manufacturing systems is an increasing priority for governments. These critical infrastructures are made up of different types of industrial control systems (ICS) that provide this type of functionality. Which of the following answers is not considered a common ICS? A. Central control systems B. Programmable logic controllers C. Supervisory control and data acquisition D. Distributed control systems

A

Device backup and other availability solutions are chosen to balance the value of having information available against the cost of keeping that information available. Which of the following best describes fault-tolerant technologies? A. They are among the most expensive solutions and are usually only for the most mission-critical information B. They help service providers identify appropriate availability services for a specific customer C. They are required to maintain integrity, regardless of other technologies in place D. They allow a failed component to be replaced while the system continues to run

A

Of the following plans, which establishes senior management and a headquarters after a disaster? A. Continuity of operations plan B. Cyber incident response plan C. Occupant emergency plan D. IT contingency plan

A

When developing a recovery and continuity plan within an organization, different metrics can be used to properly measure the potential dangers and recovery requirements. These metrics help us quantify our risks and the benefit of controls we can put into place. Two metrics commonly used in the development of recovery programs are recovery point objective (RPO) and recovery time objective (RTO). Data restoration (RPO) requirements can be different from service restoration (RTO) requirements. Which of the following best defines these two main recovery measurements in this type of scenario? A. RPO is the acceptable amount of data lost measured in time. RTO is the acceptable time before a service level must be restored. B. RTO is the earliest time period in which a data set must be restored. RPO is the acceptable amount of downtime in a given period. C. RPO is the acceptable amount of data loss measured in time. RTO is the earliest time period in which data must be restored. D. RPO is the acceptable amount of downtime measured. RTO is the earliest time period in which a service level must be restored.

A

Which of the following correctly describes direct access and sequential access storage devices? A. Any point on a direct access storage device may be promptly reached, whereas every point between the current position and the desired position of a sequential access storage device must be traversed in order to reach the desired position B. RAIT is an example of a direct access storage device, while RAID is an example of a sequential access storage device C. MAID is a direct access storage device, while RAID is an example of a sequential access storage device D. As an example of sequential access storage, tape drives are faster than direct access storage devices

A

Which of the following dictates that all evidence be labeled with information indicating who secured it and validated it? A. Chain of custody B. Due care C. Investigation D. Motive, opportunity, and means

A

Which of the following is not true of a forensic investigation? A. The crime scene should be modified as necessary. B. A file copy may not recover all data areas of the device that are necessary for investigation. C. Contamination of the crime scene may not negate derived evidence, but it should still be documented. D. Only individuals with knowledge of basic crime scene analysis should have access to the crime scene.

A

Which of the following statements is true with respect to preventing and detecting security disasters? A. Information security continuous monitoring (ISCM), defined by NIST Special Publication 800-137 as maintaining an ongoing awareness of your current security posture, vulnerabilities, and threats, is the best way to facilitate sound risk management decisions. B. Whitelisting allowed executables or, barring that, blacklisting known bad ones is the only effective means of preventing malware from compromising systems and causing a serious security breach. C. A rigorous regime of vulnerability and patch management can effectively eliminate the risk of known malware compromising critical corporate systems. D. By aggregating and correlating asset data and the security events concerning them, the deployment of a security information and event management (SIEM) system is the best way to ensure that attacks can properly be dealt with before they result in a disaster.

A

ACME, Inc., paid a software vendor to develop specialized software, and that vendor has gone out of business. ACME, Inc., does not have access to the code and therefore cannot keep it updated. What mechanism should the company have implemented to prevent this from happening? A. Reciprocal agreement B. Software escrow C. Electronic vaulting D. Business interruption insurance

B

Bob is a new security administrator at a financial institution. The organization has experienced some suspicious activity on one of the critical servers that contain customer data. When reviewing how the systems are administered, he uncovers some concerning issues pertaining to remote administration. Which of the following should not be put into place to reduce these concerns? i. Commands and data should not be sent in clear text ii. SSH should be used, not Telnet iii. Truly critical systems should be administered locally instead of remotely iv. Only a small number of administrators should be able to carry out remote functionality v. Strong authentication should be in place for any administration activities A. i, ii B. None of them C. ii, iv D. All of them

B

Miranda has been directed to investigate a possible violation of her organization's acceptable use policy (AUP) by a co-worker suspected of running cryptocurrency mining software on his desktop system. Which of the following is not a very likely scenario that could arise during her investigation? A. During the course of her investigation, Miranda discovers that her co-worker was also downloading and storing pornographic images, many of which appear to involve minors. What began as an administrative investigation becomes a criminal one. B. Miranda was able to find evidence that appeared to corroborate the intentional use of illicit software to mine cryptocurrency using corporate resources (mainly CPU and power). As a result, Miranda's co-worker was charged with a criminal violation of the Computer Fraud and Abuse Act (CFAA). C. As a result of Miranda's investigation, her co-worker was terminated for violating the AUP. However, he hired an attorney and sued the company for wrongful dismissal based on knowledge that other employees were also running cryptocurrency mining software but went unpunished. Her administrative case becomes a civil one. D. Compelling evidence was found of a significant AUP violation, resulting in termination. However, during the subsequent wrongful dismissal suit (as described in option C), it was discovered that Miranda had not anticipated a court case and so had not properly obtained or preserved evidence. Consequently, the judge found summarily for the plaintiff, who got his job back along with compensatory damages.

B

Stephanie has been put in charge of developing the incident response and forensic procedures her company needs to carry out if an incident occurs. She needs to ensure that their procedures map to the international principles for gathering and protecting digital evidence. She also needs to ensure that if and when internal forensics teams are deployed, they have labels, tags, evidence bags, cable ties, imaging software, and other associated tools. Which of the following best describes what Stephanie needs to build for the deployment teams? A. Local and remote imaging system B. Forensics field kit C. Chain of custody procedures and tools D. Digital evidence collection software

B

The recovery time objective (RTO) and maximum tolerable downtime (MTD) metrics have similar roles, but their values are very different. Which of the following best describes the difference between RTO and MTD metrics? A. The RTO is a time period that represents the inability to recover, and the MTD represents an allowable amount of downtime. B. The RTO is an allowable amount of downtime, and the MTD represents a time period after which severe and perhaps irreparable damage is likely. C. The RTO is a metric used in disruptions, and the MTD is a metric used in disasters. D. The RTO is a metric pertaining to loss of access to data, and the MTD is a metric pertaining to the loss of access to hardware and processing capabilities.

B

There are often scenarios where the IT staff must react to emergencies and quickly apply fixes or change configurations. When dealing with such emergencies, which of the following is the best approach to make changes? A. Review the changes within 48 hours of making them B. Review and document the emergency changes after the incident is over C. Activity should not take place in this manner D. Formally submit a change to a change control committee and follow the complete change control process

B

Various levels of RAID dictate the type of activity that will take place within the RAID system. Which level is associated with byte-level parity? A. RAID level 0 B. RAID level 3 C. RAID level 5 D. RAID level 10

B

Which of the following is not a common component of configuration management change control steps? A. Tested and presented B. Service level agreement approval C. Report change to management D. Approval of the change

B

Which of the following refers to the expected amount of time it will take to get a device fixed and back into production after its failure? A. SLA B. MTTR C. Hot-swap D. MTBF

B

___________ provides for availability and scalability. It groups physically different systems and combines them logically, which helps to provide immunity to faults and improves performance. A. Disk duplexing B. Clustering C. RAID D. Virtualization

B

A suspected crime has been reported within your organization. Which of the following steps should the incident response team take first? A. Establish a procedure for responding to the incident. B. Call in forensic experts. C. Determine that a crime has been committed. D. Notify Senior Management.

C

After a disaster occurs, a damage assessment needs to take place. Which of the following steps occurs last in a damage assessment? A. Determine the cause of the disaster. B. Identify the resources that must be replaced immediately. C. Declare a disaster. D. Determine how long it will take to bring critical functions back online.

C

Alex works for a chemical distributor that assigns employees tasks that separate their duties and routinely rotates job assignments. Which of the following best describes the differences between these countermeasures? A. They are the same thing with different titles. B. They are administrative controls that enforce access control and protect the company's resources. C. Separation of duties ensures that one person cannot perform a high-risk task alone, and job rotation can uncover fraud because more than one person knows the tasks of a position. D. Job rotation ensures that one person cannot perform a high-risk task alone, and separation of duties can uncover fraud because more than one person knows the tasks of a position.

C

Brian, a security administrator, is responding to a virus infection. The antivirus application reports that a file has been infected with a dangerous virus and that disinfecting it could damage the file. What course of action should Brian take? A. Replace the file with the file saved from the day before B. Disinfect the file and contact the vendor C. Restore an uninfected version of the patched file from backup media D. Back up the data and disinfect the file

C

For evidence to be legally admissible, it must be relevant, complete, sufficient, and reliably obtained. Which characteristic refers to the evidence having a reasonable and sensible relationship to the findings? A. Complete B. Reliable C. Relevant D. Sufficient

C

In a redundant array of inexpensive disks (RAID) system, data and parity information are striped over several different disks. What is parity information? A. Information used to create new data B. Information used to erase data C. Information used to rebuild data D. Information used to build data

C

Jeff is leading the business continuity group in his company. They have completed a business impact analysis and have determined that if the company's credit card processing functionality was unavailable for 48 hours, the company would most likely experience such a large financial hit that it would have to go out of business. The team has calculated that this functionality needs to be up and running within 28 hours after experiencing a disaster for the company to stay in business. The team has also determined that the restoration steps must be able to restore data that is 60 minutes old or less. In this scenario, what would the 60-minute time period be referred to as? A. Recovery time period B. Maximum tolerable downtime C. Recovery point objective D. Recovery point time period

C

Jeff is leading the business continuity group in his company. They have completed a business impact analysis and have determined that if the company's credit card processing functionality was unavailable for 48 hours, the company would most likely experience such a large financial hit that it would have to go out of business. The team has calculated that this functionality needs to be up and running within 28 hours after experiencing a disaster for the company to stay in business. The team has also determined that the restoration steps must be able to restore data that is 60 minutes old or less. In this scenario, which of the following is the work recovery time value? A. 48 hours B. 28 hours C. 20 hours D. 1 hour

C

John is responsible for providing a weekly report to his manager outlining the week's security incidents and mitigation steps. Which steps should he take if a report has no information? A. Send his manager an email telling her so B. Deliver last week's report and make sure it's clearly dated C. Deliver a report that states "no output" D. Don't do anything

C

RAID systems use a number of techniques to provide redundancy and performance. Which of the following activities divides and writes data over several drives? A. Parity B. Mirroring C. Striping D. Hot-swapping

C

Several teams should be involved in carrying out the business continuity plan. Which team is responsible for starting the recovery of the original site? A. Damage assessment team B. BCP team C. Salvage team D. Restoration team

C

What is the difference between hierarchical storage management (HSM) and storage area network (SAN) technologies? A. HSM uses optical or tape jukeboxes, and SAN is a standard for how to develop and implement this technology B. HSM and SAN are one and the same. The difference is in the implementation. C. HSM uses optical or tape jukeboxes, and SAN is a network of connected storage systems D. SAN uses optical or tape jukeboxes, and HSM is a network of connected storage systems

C

Which of the following is a correct statement regarding digital forensics? A. It is the study of computer technology. B. It is a set of hardware-specific processes that must be followed in order for evidence to be admissible in a court of law. C. It encompasses network and code analysis, and may be referred to as electronic data discovery. D. Digital forensic responsibilities should be assigned to a network administrator before an incident occurs.

C

An approach to alternate off-site facilities is to establish a reciprocal agreement. Which of the following describes the pros and cons of a reciprocal agreement? A. It is fully configured and ready to operate within a few hours, but it is the most expensive of the off-site choices. B. It is an inexpensive option, but it takes the most time and effort to get up and running after a disaster. C. It is a good alternative for companies that depend upon proprietary software, but annual testing is not usually available. D. It is the cheapest of the off-site choices, but mixing operations could introduce many security issues.

D

Gizmos and Gadgets has restored its original facility after a disaster. What should be moved in first? A. Management B. Most critical systems C. Most critical functions D. Least critical functions

D

Guidelines should be followed to allow secure remote administration. Which of the following is not one of those guidelines? A. A small number of administrators should be allowed to carry out remote functionality B. Critical systems should be administered locally instead of remotely C. Strong authentication should be in place D. Telnet should be used to send commands and data

D

High availability (HA) is the combination of technologies and processes that work together to ensure that specific critical functions are always up and running at the necessary level. To provide this level of high availability, a company has to have a long list of technologies and processes that provide redundancy, fault tolerance, and failover capabilities. Which of the following best describes these characteristics? A. Redundancy is the duplication of noncritical components or functions of a system with the intention of decreasing reliability of the system. Fault tolerance is the capability of a technology to discontinue to operate as expected even if something unexpected takes place. If a technology has a failover capability, this means that if there is a failure that cannot be handled through normal means, then processing is "switched over" to a working system. B. Redundancy is the duplication of critical components or functions of a system with the intention of increasing reliability of the system. Fault tolerance is the capability of a technology to discontinue to operate as expected even if something unexpected takes place. If a technology has a failover capability, this means that if there is a failure that cannot be handled through normal means, then processing is switched over to a working system. C. Redundancy is the duplication of critical components or functions of a system with the intention of increasing reliability of the system. Fault tolerance is the capability of a technology to continue to operate as expected even if something unexpected takes place. Every technology has a failover capability; this means that if there is a failure that cannot be handled through normal means, then processing is switched over to a non-working system. D. Redundancy is the duplication of critical components or functions of a system with the intention of increasing reliability of that system. Fault tolerance is the capability of a technology to continue to operate as expected even if something unexpected takes place. If a technology has a failover capability, this means that if there is a failure that cannot be handled through normal means, then processing is switched over to a working system.

D

Maria has been tasked with reviewing and ultimately augmenting her organization's physical security. Of the following controls and approaches, which should be her highest priority to ensure are properly implemented? A. Physical facility access controls, such as mechanical and device locks, on all necessary ingress points B. Personnel access controls, such as badges, biometric systems, etc. C. External boundary controls, including perimeter intrusion detection and assessment system (PIDAS) fencing, security guards, etc. D. Layered facility access controls, with multiple internal and external ingress and egress controls

D

The operations team is responsible for defining which data gets backed up and how often. Which type of backup process backs up files that have been modified since the last time all data was backed up? A. Incremental process B. Full backup C. Partial backup D. Differential process

D

Which of the following incorrectly describes the concept of executive succession planning? A. Predetermined steps to protect the company if a senior executive leaves. B. Two or more senior staff cannot be exposed to a particular risk at the same time. C. It documents the assignment of deputy roles. D. It covers assigning a skeleton crew to resume operations after a disaster.

D
