Module 5: Incident Response and Contingency Planning
A(n) ____________ plan ensures the critical business functions continue if a catastrophic incident or disaster occurs.
Business continuity
____________ material is any information that could potentially support an organization's legal or policy-based case against a suspect.
Evidentiary
A cold site provides many of the same services and options of a hot site, but at a lower cost. True or False
False
A(n) disaster is any adverse event that could result in loss of an information asset or assets, but does not currently threaten the viability of the entire organization. True or False
False
A(n) sequential roster is activated as the first person calls a few people on the roster, who in turn call a few other people. True or False
False
An external event is an event with negative consequences that could threaten the organization's information assets or operation, also referred to as an incident candidate. True or False
False
Changes to system logs are a possible indicator of an actual incident. True or False
False
Database shadowing duplicates data in real-time data storage, but does not back up the databases at the remote site. True or False
False
Root cause analysis is the coherent application of methodical investigatory techniques to present evidence of crimes in a court or similar setting. True or False
False
The computer security incident response team is comprised solely of technical IT professionals who are prepared to detect, react to, and recover from an incident. True or False
False
The continuity planning management team (CPMT) is the group of senior managers and project members organized to conduct and lead all contingency planning efforts. True or False
False
Which of these is the primary reason contingency response teams should not have overlapping membership, with one person on multiple teams? Options: To spread the work out among more people; So individuals don't find themselves with different responsibilities in different locations at the same time; To allow people to specialize in one area; To avoid cross-division rivalries
So individuals don't find themselves with different responsibilities in different locations at the same time
A business process is a task performed by an organization or one of its units in support of the organization's overall mission and operations. True or False
True
An affidavit is sworn testimony that certain facts are in the possession of an investigating officer and that they warrant the examination of specific items located at a specific place. True or False
True
An alert message is a description of the incident or disaster that usually contains just enough information so that each person knows what portion of the IR or DR plan to implement without slowing down the notification process. True or False
True
Forensics can provide a determination of the source or origin of an event, problem, or issue like an incident. True or False
True
Prior to the development of each of the types of contingency planning documents, the CP team should work to develop the policy environment. True or False
True
The business impact analysis is a preparatory activity common to both CP and risk management. True or False
True
The disaster recovery planning team (DRPT) is the team responsible for designing and managing the DR plan by specifying the organization's preparation, response, and recovery from disasters. True or False
True
The organization must choose one of two philosophies that will affect its approach to IR and DR as well as subsequent involvement of digital forensics and law enforcement: protect and forget, or apprehend and prosecute. True or False
True
The recovery point objective (RPO) is the point in time prior to a disruption or system outage to which mission/business process data can be recovered after an outage. True or False
True
A(n) ___________ is a document containing contact information for the people to be notified in the event of an incident. Options: emergency notification system; alert roster; phone list; call registry
alert roster
The CPMT should include a ______________, who is a high-level manager to support, promote, and endorse the findings of a project and could be the COO or (ideally) the CEO/president. Options: champion; executive-in-charge; project manager; project instigator
champion
Disaster _________ is the process of examining an adverse event or incident and determining whether it constitutes an actual disaster.
classification
Incident ____________ is the process of examining a potential incident, or incident candidate, and determining whether or not the candidate constitutes an actual incident.
classification
The storage of duplicate online transaction data, along with the duplication of the databases, at a remote site on a redundant server is called __________. Options: application recovery; electronic vaulting; remote journaling; database shadowing
database shadowing
A crime involving digital media, computer technology, or related components may best be called an act of _______________. Options: computer theft; digital abuse; computer trespass; digital malfeasance
digital malfeasance
The CPMT should include individuals from all functional areas of the organization in order to ___________ communications and cooperation.
facilitate
Digital forensics involves the ______________, identification, extraction, documentation, and interpretation of digital media. Options: investigation; determination; confiscation; preservation
preservation
The maximum amount of time that a system resource can remain unavailable before there is an unacceptable impact on other system resources is ______________. Options: recovery time objective (RTO); recovery point objective (RPO); work recovery time (WRT); maximum tolerable downtime (MTD)
recovery time objective (RTO)