5.0 Risk Management Flashcards

1
Q

Full backups

A

Full backups copy all selected data, regardless of when it last changed. A full backup is the slowest to create and uses the most storage, but it is the fastest to restore because everything needed is in a single backup set.

2
Q

Differential backups

A

Differential backups copy any data that has changed since the last full backup, so each differential grows until the next full backup is taken. Pairing differentials with a periodic full backup offers a balance between backup time and restore time: a restore needs only the last full backup plus the most recent differential.

3
Q

Incremental backups

A

Incremental backups copy any data that has changed since the last backup of any type. Each incremental is small and fast to create, but restores can be time consuming because the last full backup and every incremental taken since it must be applied in order; a missing or corrupt incremental breaks the chain.

4
Q

A snapshot

A

A snapshot is not a backup type in itself, but a point-in-time copy of a volume or virtual machine state that lets a backup job capture open files consistently. Because a snapshot usually lives on the same storage as the original data, it does not replace a backup held elsewhere.

5
Q

Data sovereignty

A

Data sovereignty is the principle that data is subject to the laws and governance of the nation in which it is collected, stored, or processed; it reflects that nation's sociopolitical outlook on computing technology and the handling of information. Data sovereignty should be a concern for businesses that operate internationally, in particular when web servers or data stores are located in various countries, since each jurisdiction may impose its own rules on where data may reside and who may access it.

6
Q

Continuity of Operations (COOP)

A

Continuity of Operations (COOP) is a collection of processes that enable an organization to maintain normal business operations in the face of some adverse event.

7
Q

alternate business practice

A

An alternate business practice is a fallback way of carrying out business operations in the event of an incident. At the extreme, the plan may call for handling transactions with pen-and-paper systems until the normal systems return.

8
Q

Automated courses of action

A

Automated courses of action are processes that work to maintain or restore services on a downed system with minimal human intervention, or none at all. Examples include automatic failover to a standby node and a service restart triggered by a failed health check.

9
Q

A warm site

A

A warm site is similar to a hot site except that some quick adjustments are needed before it can take over. For example, a warm site may have its hardware and software in place but still need a copy of the most recent data restored.

10
Q

A cold site

A

A cold site is a site that requires setup and configuration before use, usually a few days or more. This may include systems that need to be purchased, installed, or updated, equipment that needs to be installed, and data that needs to be made available. It is the cheapest site type to maintain and the slowest to bring online.

11
Q

A hot site

A

A hot site is prepared and ready for near-immediate failover from the primary site. In a hot site, software and systems are kept up to date, as is the data that will be used, which makes it the most expensive site type to maintain.

12
Q

disk controller cache

A

A disk controller cache is a storage location used to speed up disk read and write operations. Its contents change very frequently as data is accessed on the physical disk. As a result, it is extremely volatile and is among the first sources that must be captured in a forensic acquisition.

13
Q

Functional exercises

A

Functional exercises contain action-based sessions where employees can validate disaster recovery plans (DRPs) by performing scenario-based activities in a simulated environment.

14
Q

Full-scale exercises

A

Full-scale exercises contain action-based sessions that reflect real situations. These exercises are held onsite and use real equipment and real personnel as much as possible.

15
Q

An After-Action Report

A

An After-Action Report (AAR), or "lessons learned" report, is produced after an incident or exercise to determine how effectively incident analysis, prevention, and response were performed and what should change as a result.

16
Q

Walkthroughs, workshops, and orientation seminars

A

Walkthroughs, workshops, and orientation seminars are often used to provide basic awareness and training for disaster recovery team members. These exercises describe the contents of disaster recovery plans (DRPs) and other plans.

17
Q

BPA-

A

BPA - For mission essential functions, it is important to reduce the number of dependencies between components by performing a business process analysis (BPA). A BPA identifies each function's inputs, outputs, and process flow, along with the staff, systems, and suppliers the function depends on.

18
Q

SLE

A

SLE - Single Loss Expectancy (SLE) is the amount that would be lost in a single occurrence of a risk factor. It is determined by multiplying the asset's value (AV) by an Exposure Factor (EF), the fraction of the asset's value lost in one event: SLE = AV × EF.

19
Q

ALE

A

Annual Loss Expectancy (ALE) is the amount that would be lost over the course of a year. It is determined by multiplying the SLE by the Annual Rate of Occurrence (ARO): ALE = SLE × ARO.

20
Q

MTBF

A

Mean Time Between Failures (MTBF) is a reliability metric rather than a risk-assessment metric such as SLE or ALE. It represents the expected operating time between one failure and the next, calculated as total operating time divided by the number of failures. MTBF applies to repairable assets (such as a server).

21
Q

MTTF

A

Mean Time to Failure (MTTF) is likewise a reliability metric rather than a risk-assessment metric. It represents the expected lifetime of a product before it fails and applies to non-repairable assets (such as a hard drive), which are replaced rather than repaired.

22
Q

MTTR

A

MTTR - Mean Time to Repair (MTTR) is the average time it takes to diagnose a failure, repair the asset, and return it to service. For a repairable asset, MTBF describes the uptime between failures and MTTR the downtime during each one.

23
Q

ARO

A

Annual Rate of Occurrence (ARO) is the expected number of times a given risk is realized in a year, estimated from historical incident data or industry figures. An event expected once every four years has an ARO of 0.25. ARO is multiplied by the SLE to obtain the Annual Loss Expectancy (ALE).
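
The metrics on cards 18 through 23 worked through in code. This is an added example, not part of the card set: the asset value, exposure factor, incident counts, control cost and outage log are all constructed for illustration, and `single_loss_expectancy`, `annual_rate_of_occurrence`, `annual_loss_expectancy`, `control_value` and `mtbf_mttr` are names chosen here, not from any library.

```python
"""Quantitative risk and reliability metrics: SLE, ARO, ALE, MTBF, MTTR.

Added example; the asset values, exposure factors and the outage log are
constructed for illustration and do not come from a real assessment.
"""
from datetime import datetime, timedelta


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value (AV) x exposure factor (EF, a fraction 0.0-1.0)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annual_rate_of_occurrence(incidents: int, years_observed: float) -> float:
    """ARO = incidents per year; 2 incidents over 4 years gives 0.5."""
    if years_observed <= 0:
        raise ValueError("observation window must be positive")
    return incidents / years_observed


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO."""
    return sle * aro


def control_value(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Annual benefit of a control: the ALE it removes minus what it costs.
    Positive means the control pays for itself."""
    return (ale_before - ale_after) - annual_control_cost


def mtbf_mttr(outages):
    """MTBF and MTTR in hours from a list of (failed_at, restored_at) pairs.

    MTTR = mean of (restored_at - failed_at) over all outages.
    MTBF = mean uptime between one restoration and the next failure, so it
    needs at least two outages (a repairable asset such as a server).
    """
    if len(outages) < 2:
        raise ValueError("MTBF needs at least two outages")
    outages = sorted(outages)
    repair = [(r - f).total_seconds() / 3600 for f, r in outages]
    uptime = [(outages[i + 1][0] - outages[i][1]).total_seconds() / 3600
              for i in range(len(outages) - 1)]
    return sum(uptime) / len(uptime), sum(repair) / len(repair)


# Constructed scenario: a web storefront valued at 400,000 where a ransomware
# incident is estimated to destroy 25% of that value, and two such incidents
# were observed across the peer group in 4 years.
AV, EF = 400_000.0, 0.25
SLE = single_loss_expectancy(AV, EF)            # 100,000 per incident
ARO = annual_rate_of_occurrence(2, 4)           # 0.5 incidents per year
ALE = annual_loss_expectancy(SLE, ARO)          # 50,000 per year

# Assumed control (offline backups plus endpoint protection) cuts EF to 5%
# and costs 12,000 per year.
ALE_WITH_CONTROL = annual_loss_expectancy(single_loss_expectancy(AV, 0.05), ARO)
NET = control_value(ALE, ALE_WITH_CONTROL, 12_000)  # 50,000 - 10,000 - 12,000

# Constructed outage log for a repairable server: (failed_at, restored_at).
T0 = datetime(2024, 1, 1)
OUTAGES = [
    (T0, T0 + timedelta(hours=2)),
    (T0 + timedelta(hours=502), T0 + timedelta(hours=506)),
    (T0 + timedelta(hours=1006), T0 + timedelta(hours=1009)),
]
MTBF, MTTR = mtbf_mttr(OUTAGES)   # 500 h between failures, 3 h to repair

if __name__ == "__main__":
    print(f"SLE={SLE:,.0f} ARO={ARO} ALE={ALE:,.0f} net control value={NET:,.0f}")
    print(f"MTBF={MTBF:.1f} h  MTTR={MTTR:.1f} h")
```

The `control_value` comparison is the usual way ALE is put to work: a control is justified when the ALE it removes exceeds its annual cost. MTBF is computed from restoration to next failure so that repair time is not counted as uptime.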

24
Q

Data owner

A

Data owner - A data owner has the ultimate responsibility for maintaining the confidentiality, integrity, and availability of the information asset. The owner is also responsible for classifying and labeling the asset: determining who should have access and setting its criticality and sensitivity.

25
Q

Data steward

A

Data steward - The data steward role is primarily responsible for data quality. This involves tasks such as ensuring data is labeled and identified with appropriate metadata, and that data is collected and stored in a format that complies with regulations.

26
Q

Data custodian

A

Data custodian - A data custodian is responsible for managing the system where the data assets are stored. This includes responsibility for enforcing access control and encryption, along with backup and recovery measures.

27
Q

System admin

A

System admin - A system administrator is responsible for the upkeep of the technical systems that provide functionality for the business, such as patching, monitoring, and configuration.

28
Q

Recovery Point Objective

A

Recovery Point Objective (RPO) is the amount of data loss that a system can sustain, measured in time; it dictates how often backups or replication must run. For example, with an RPO of 8 hours and a most recent backup taken 12 hours before the failure, 12 hours' worth of data is lost, which exceeds the RPO by 4 hours.

29
Q

RTO

A

Recovery Time Objective (RTO) is the period following a disaster that an individual IT system may remain offline. It covers the time needed to identify that there is a problem and then perform recovery, so the plan's realistic recovery time must fit within the RTO, and the RTO must itself be shorter than the MTD of the business function the system supports.

30
Q

MTD

A

Maximum Tolerable Downtime (MTD) is the longest period that a business function can be unavailable without causing irrecoverable business failure. The RTO of each system supporting that function must be shorter than the MTD.
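
The RPO, RTO and MTD cards as a check that can be run against a system inventory. This is an added example, not part of the card set: the two systems, their objectives and the timestamps are constructed (the "orders" entry reproduces the card's 8-hour RPO with a 12-hour-old backup, and "catalog" deliberately carries an RTO longer than its MTD), and `data_loss` and `evaluate` are names chosen here.

```python
"""Check recovery objectives against what backups and the recovery plan deliver.

Added example; systems, timestamps and objectives are constructed.
"""
from datetime import datetime, timedelta


def data_loss(last_backup: datetime, failure_at: datetime) -> timedelta:
    """Everything written after the last good backup is lost; that window is
    the actual data loss the RPO is meant to bound."""
    if failure_at < last_backup:
        raise ValueError("failure cannot precede the backup it is measured from")
    return failure_at - last_backup


def evaluate(system: dict, failure_at: datetime) -> dict:
    """Compare actual loss and planned recovery against RPO, RTO and MTD.

    rpo_ok : the last backup is recent enough (loss <= RPO)
    rto_ok : the plan's expected recovery time fits inside the RTO
    plan_ok: the RTO itself is below the MTD; if not, the objective can be
             met and the business function still fails
    """
    loss = data_loss(system["last_backup"], failure_at)
    over = max(loss - system["rpo"], timedelta(0))
    return {
        "name": system["name"],
        "data_loss_hours": loss.total_seconds() / 3600,
        "rpo_ok": loss <= system["rpo"],
        "rpo_exceeded_by_hours": over.total_seconds() / 3600,
        "rto_ok": system["expected_recovery"] <= system["rto"],
        "plan_ok": system["rto"] < system["mtd"],
    }


H = timedelta(hours=1)
FAILURE_AT = datetime(2024, 3, 1, 12, 0)   # constructed failure time

# Constructed inventory. "orders" reproduces the card: RPO 8 h, last backup
# 12 h ago. "catalog" has an RTO longer than its MTD, a planning error.
SYSTEMS = [
    {"name": "orders", "rpo": 8 * H, "rto": 4 * H, "mtd": 24 * H,
     "last_backup": FAILURE_AT - 12 * H, "expected_recovery": 3 * H},
    {"name": "catalog", "rpo": 24 * H, "rto": 48 * H, "mtd": 24 * H,
     "last_backup": FAILURE_AT - 6 * H, "expected_recovery": 40 * H},
]

RESULTS = {r["name"]: r for r in (evaluate(s, FAILURE_AT) for s in SYSTEMS)}

if __name__ == "__main__":
    for r in RESULTS.values():
        print(r)
```

The `plan_ok` flag is the check most often missed in practice: an RTO that is achievable but longer than the MTD means the recovery plan meets its own target while the business function it protects still fails.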

31
Q

Critical systems

A

Critical systems-An organization should identify critical systems to support business functions. This is done by compiling an inventory of its business processes and its tangible and intangible assets and resources. These could include people, buildings, furniture, systems, brands, and ideas.

32
Q

PIA

A

Privacy Impact Assessment - A Privacy Impact Assessment (PIA) is performed to identify vulnerabilities that may lead to a data breach when storing, processing, or disclosing Personally Identifiable Information (PII). It also evaluates the controls mitigating those risks.

33
Q

PTA

A

Privacy Threshold Assessment - A Privacy Threshold Assessment (PTA), also called a Privacy Threshold Analysis, is an initial audit to determine whether a computer system or workflow collects, stores, or processes PII to a degree that requires a full PIA.

34
Q

Environmental threat

A

Environmental threat - An environmental event is caused by a failure in the surrounding environment, such as a power or telecom failure, pollution, or accidental damage (including fire).

35
Q

Man-made threat

A

Man-made threat - Man-made events can be intentional, such as terrorism, war, or vandalism/arson, or unintentional, such as user error or accident.

36
Q

A natural disaster

A

A natural disaster is caused by sources such as river or sea floods, earthquakes, storms, etc. Natural disasters may or may not be predictable.

37
Q

Legal and commercial events

A

Legal and commercial events include downloading or distributing obscene material, defamatory comments published on social networking sites, or hijacked mail or web servers used for spam or phishing attacks.

38
Q

Risk register

A

Risk register-A risk register is a document showing the results of risk assessments in a comprehensible format. It may resemble a “traffic light” grid with columns for impact and likelihood ratings, date of identification, description, countermeasures, owner/route for escalation, and status.

39
Q

Supply chain assessment

A

Supply chain assessment - Supply chains are included in a critical systems inventory. The business process analysis identifies each function's inputs (data or resources received from suppliers and upstream processes) and outputs (what the function produces for others), so that a supplier or upstream failure can be assessed as a risk to the function.

40
Q

Quantitative

A

Quantitative - A quantitative risk assessment assigns concrete, usually monetary, values to each risk factor and uses the Single Loss Expectancy (SLE), Annual Rate of Occurrence (ARO), and Annual Loss Expectancy (ALE) metrics to express likelihood and impact.

41
Q

Qualitative

A

Qualitative - A qualitative risk assessment rates likelihood and impact on relative scales (such as high, medium, low) rather than in monetary terms, drawing on the opinions of knowledgeable people about significant risk factors.

42
Q

Escalation

A

Escalation-Increased involvement of senior staff in the management of an incident is called escalation. Escalation may be necessary if no response is made to an incident within an acceptable time frame.

43
Q

Reporting requirements

A

Reporting requirements - The suspicion of data theft is typically enough to trigger reporting procedures. This involves notifying stakeholders, regulators, and customers where applicable, often within a deadline set by law or contract.

44
Q

Data integrity

A

Data integrity is typically the most important factor in prioritizing incidents and is often judged by the value of the at-risk data.

45
Q

Downtime

A

Downtime is the degree to which an incident disrupts business processes. An incident can either degrade (reduce performance) or interrupt (completely stop) the availability of an asset, system, or business process. An alternate business practice (such as pen and paper) can commonly be used while systems are down.

46
Q

cryptographic hash

A

A cryptographic hash is used to prove that a forensic image of a system is a faithful copy of the source. A hash is computed over both the source and the destination image and the two digests are compared; identical digests mean the data is identical. The digests are recorded in the chain-of-custody documentation at acquisition time so the image can be re-verified later, and a collision-resistant algorithm such as SHA-256 should be used.
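
The source-versus-image comparison described above, as an added example that is not part of the card set. The "source disk" and the two images are constructed byte strings standing in for block-device reads; `hash_stream` and `verify_image` are names chosen here. The streaming hash matters in practice because a disk image is far larger than memory.

```python
"""Verify a forensic image against its source with a cryptographic hash.

Added example; the source bytes and images below are constructed.
"""
import hashlib
import io
from typing import BinaryIO


def hash_stream(stream: BinaryIO, algorithm: str = "sha256", chunk: int = 1 << 20) -> str:
    """Hash a stream in fixed-size chunks so a multi-terabyte image never has
    to be held in memory. Returns the hex digest."""
    h = hashlib.new(algorithm)
    for block in iter(lambda: stream.read(chunk), b""):
        h.update(block)
    return h.hexdigest()


def verify_image(source: BinaryIO, image: BinaryIO, algorithm: str = "sha256"):
    """Return (match, source_digest, image_digest).

    A matching digest is evidence the image is a bit-for-bit copy; both
    values belong in the chain-of-custody record so a later re-hash of the
    image can be compared against the value taken at acquisition.
    """
    s = hash_stream(source, algorithm)
    i = hash_stream(image, algorithm)
    return s == i, s, i


# Constructed stand-ins for a 16 KiB source device and two acquired images:
# one exact copy and one with a single bit flipped at offset 5000.
SOURCE = bytes(range(256)) * 64
GOOD_IMAGE = bytes(SOURCE)
_corrupt = bytearray(SOURCE)
_corrupt[5000] ^= 0x01
BAD_IMAGE = bytes(_corrupt)


def demo():
    """Verify both images; returns (good_matches, bad_matches, source_digest, bad_digest)."""
    ok, src_digest, _ = verify_image(io.BytesIO(SOURCE), io.BytesIO(GOOD_IMAGE))
    bad, _, bad_digest = verify_image(io.BytesIO(SOURCE), io.BytesIO(BAD_IMAGE))
    return ok, bad, src_digest, bad_digest


if __name__ == "__main__":
    ok, bad, src_digest, bad_digest = demo()
    print("exact copy verified:", ok)
    print("one-bit-flipped copy verified:", bad)
    print("source  sha256:", src_digest)
    print("corrupt sha256:", bad_digest)
```

A single flipped bit changes the whole digest, which is exactly why the comparison is trustworthy: any difference between source and image, however small, is detected. Re-hashing the image before analysis and again before presenting it shows it was not altered while in custody.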

47
Q

eDiscovery

A

eDiscovery is a means of filtering the relevant evidence out of all the data gathered by a forensic examination and storing it in a database, in a format that allows it to be used as evidence in a trial.

48
Q

Identification, Containment, Eradication, Recovery

A

Identification-In this stage, it is determined whether an incident has taken place. The assessment of how severe the incident might be is followed by notification of the incident to stakeholders.

Containment-In this stage, the goal is to limit the scope and reach of the event. One approach in containment is to isolate infected systems.

Eradication-In this stage the threat is removed in order to proceed to recovery.

Recovery - This stage restores systems to production from a known-good state, verifies that the threat is gone, and monitors for its return.

49
Q

Order of volatility

A

Order of volatility - Volatility describes how quickly a data source is lost, and the order of volatility dictates the collection sequence: capture the most volatile sources first (CPU registers and cache, RAM, network state and running processes, swap and temporary files) before the less volatile ones (disk, remote logs, archival media). It concerns how and when storage is captured so that data is not lost, not the chain of custody, which documents who handled the evidence; a failure in one does not imply a failure in the other.

50
Q

Synchronous replication & Asynchronous replication

A

Synchronous replication is particularly sensitive to distance. With synchronous replication, a write is committed at both sites before it is acknowledged to the application, so the two sites always hold the same data. Latency on slow links or over long distances therefore slows every write.

Because synchronous replication requires data to be written at both sites to be considered valid, a slow link results in longer wait times for each transaction.

Asynchronous replication mirrors data from a primary site to a secondary site after the primary has already acknowledged the write, so the secondary may lag behind the primary by some interval.

Asynchronous replication is not as sensitive to distance as synchronous replication because the application never waits on the remote site, but the lag means the most recent writes can be lost if the primary fails, which must be accounted for in the RPO.

51
Q

Differential backup-
Incremental backup
Full backup
Offsite backups

A

Differential backup- A differential backup is performed after a previous backup, and only data that has been changed since the last full backup will be included. This backup type can miss open files if snapshot technology is not being used.

Incremental backup-An incremental backup is performed after a previous backup, and only data that has been changed since the last backup will be included. This backup type can miss open files if snapshot technology is not being used.

Full backup -A full backup type is used to backup an entire system or target. A full backup can miss open files if snapshot technology is not being used.

Offsite backups are backup sets removed from the facility where the systems reside. These can also be backups performed from a system to a remote location or cloud storage. An offsite backup provides redundancy against a disaster that destroys the primary site together with any backups kept there.
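
The restore-time trade-off that cards 1 through 3 and card 51 describe, worked through in code. This is an added example, not part of the card set; the backup history, the sizes and the names `restore_set` and `cycle_volume` are constructed here. `restore_set` walks a mixed history and returns exactly the sets a restore to a given day needs; `cycle_volume` shows why differentials balance backup and restore cost.

```python
"""Which backup sets a restore needs, and how much each scheme writes.

Added example; the backup history and sizes are constructed.
Full: everything.  Differential: changes since the last full, so a restore
needs the last full plus the latest differential.  Incremental: changes
since the last backup of any kind, so a restore needs the last full plus
every backup after it, in order.
"""
from datetime import date, timedelta

KINDS = {"full", "differential", "incremental"}


def restore_set(history, target):
    """Return the backups (oldest first) needed to restore to `target`.

    history: list of (date, kind) tuples; backups after `target` are ignored.
    Raises ValueError if no full backup exists on or before the target.
    """
    usable = sorted(b for b in history if b[0] <= target)
    for _, kind in usable:
        if kind not in KINDS:
            raise ValueError(f"unknown backup kind: {kind}")
    fulls = [b for b in usable if b[1] == "full"]
    if not fulls:
        raise ValueError("no full backup on or before the target date")
    last_full = fulls[-1]
    chain = [last_full]
    for b in usable:
        if b[0] <= last_full[0]:
            continue
        if b[1] == "differential":
            # A differential holds every change since the full, so it
            # supersedes earlier differentials and incrementals alike.
            chain = [last_full, b]
        else:
            # An incremental depends on everything captured before it.
            chain.append(b)
    return chain


def cycle_volume(scheme, full_size, daily_change, days=7):
    """Data written in one cycle (a full on day 0, then `scheme` on the other
    days) and the number of sets a restore on the last day needs."""
    if scheme == "full":
        return full_size * days, 1
    if scheme == "differential":
        # Day d's differential holds d days of changes.
        return full_size + sum(daily_change * d for d in range(1, days)), 2
    if scheme == "incremental":
        return full_size + daily_change * (days - 1), days
    raise ValueError(f"unknown scheme: {scheme}")


# Constructed history: weekly full on Sunday, incrementals, one differential
# on Thursday, then the next full.
D0 = date(2024, 3, 3)
HISTORY = [
    (D0, "full"),
    (D0 + timedelta(days=1), "incremental"),
    (D0 + timedelta(days=2), "incremental"),
    (D0 + timedelta(days=3), "incremental"),
    (D0 + timedelta(days=4), "differential"),
    (D0 + timedelta(days=5), "incremental"),
    (D0 + timedelta(days=7), "full"),
]

if __name__ == "__main__":
    for d in (3, 5, 7):
        print(f"restore to day {d}:", restore_set(HISTORY, D0 + timedelta(days=d)))
    for scheme in ("full", "differential", "incremental"):
        vol, sets = cycle_volume(scheme, full_size=1000, daily_change=50)
        print(f"{scheme:12s} writes {vol:5d} units/week, restore needs {sets} sets")
```

With a 1000-unit full and 50 units of daily change, a week of incrementals writes 1300 units but a Saturday restore needs 7 sets; differentials write 2050 units and need 2 sets; daily fulls write 7000 units and need 1 set. That is the "balance" the cards refer to.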

52
Q
Deterrent controls
Preventive controls-
Corrective controls
Detective controls
Compensating controls
Technical controls
Administrative controls
A

Deterrent controls-A deterrent control may not physically or logically prevent access, rather it psychologically discourages an attacker from attempting an intrusion. An example of a deterrent control is a warning sign or security guard.

Preventive controls-A preventive control is used to physically or logically restrict unauthorized access. A system password and physical door lock are examples of preventive controls.

Corrective controls - A corrective control responds to and fixes an incident after it has occurred. It may also prevent reoccurrence. An example of a corrective control is antivirus software that quarantines a detected file.

Detective controls-A detective control may not prevent or deter access, but it will identify and record any attempted or successful intrusion. An example of a detective control is a security camera system.

Compensating controls - A compensating control substitutes for a primary control that cannot be implemented or has failed. It may not prevent an attack, but it restores or preserves function through other means, such as a backup used to recover data after an attack.

Technical controls - A technical control is implemented in operating systems, software, and security appliances. Examples include Access Control Lists (ACL) and Intrusion Prevention Systems (IPS). An ACL defines which subjects may access a system resource and what they may do with it.

Administrative controls-Administrative security controls are used to determine behavior through policies, procedures, and guidance.

53
Q
Burning
Shredding
Pulping-
Pulverizing
Degaussing
Wiping
A

Burning-Burning media involves using fire to destroy contents. Burning releases toxins that can be dangerous and should only be performed in a controlled environment.

Shredding - Shredders, such as those found at office supply stores, are often used to destroy paper documents and optical media such as CDs and DVDs.

Pulping - Pulping takes shredding one step further: after documents are shredded, the remains are mixed with water (for example) so the paper cannot be reassembled. Pulping applies to paper, not to a storage disk, which would need another method.

Pulverizing -Pulverizing is a method that can be used to grind or shred hard disks. Note that this type of shredding is much more powerful and uses different equipment than found with basic document shredding.

Degaussing - Degaussing uses a strong magnetic field to erase magnetic storage media such as hard disks and tapes. It can be used to destroy or to erase for reuse, although modern hard disks are usually left unusable because the drive's own servo data is erased too. It has no effect on solid-state (flash) media.

Wiping - Wiping erases media by overwriting its contents. Many methods and utilities exist, such as a low-level format or multi-pass overwrite. Wiping may be time consuming, but it is cost effective, leaves the media reusable, and needs very little interaction. On solid-state drives, wear levelling means an overwrite may not reach every cell, so the drive's built-in secure-erase or cryptographic-erase function is preferred.

54
Q
Data labeling
Confidential
Private-Classified 
Secret 
Proprietary
A

Data labeling - Classification restricts who may see a document's contents, and the label on the document tells handlers which classification applies.

Confidential-Confidential (or low) information is highly sensitive, and intended for viewing only by approved persons within the organization (and possibly by trusted third-parties under NDA).

Private-Classified (private, restricted, internal use only, official use only) material restricts viewing to the owner organization or third-parties under a Non-Disclosure Agreement (NDA).

Secret (or medium) information is too valuable to permit any risk of capture. Viewing is severely restricted to authorized individuals only.

Proprietary-Proprietary information or Intellectual Property (IP) is information created by the company, typically about the products or services that they make or perform.

55
Q

COOP
CER
FRR
FAR

A

Continuity of Operations (COOP)is a collection of processes that enable an organization to maintain normal business operations in the face of some adverse event. Fault tolerance through redundancy of critical hardware and systems is such a process.

CER - Fine-tuning a biometric system means adjusting its matching threshold. The Crossover Error Rate (CER) is the point at which the false rejection rate and false acceptance rate are equal; a lower CER indicates a more accurate system.

The False Rejection Rate (FRR) is also known as a type I error: the system rejects authorized users. A high FRR mostly produces frustration and can impede traffic flow if the system is not properly tuned.

The False Acceptance Rate (FAR), also known as a type II error or false positive, is the rate at which the system lets in unauthorized users, which constitutes a security breach. Fine-tuning a system to minimize the FAR is imperative, accepting the higher FRR that comes with a stricter threshold.
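
The CER, FAR and FRR tuning described above, computed from matcher scores as an added example that is not part of the card set. The genuine and impostor score samples are constructed (a real evaluation would use scores from the deployed matcher), and `far_frr`, `crossover` and `threshold_for_max_far` are names chosen here.

```python
"""Find the crossover error rate of a biometric matcher from score samples.

Added example; the genuine and impostor match scores are constructed.
A higher score means a closer match; a sample is accepted when its score
is at or above the threshold.
"""


def far_frr(genuine, impostor, threshold):
    """FAR = share of impostor scores accepted (>= threshold).
    FRR = share of genuine scores rejected (< threshold)."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def crossover(genuine, impostor):
    """Threshold where FAR and FRR are closest, and the error rate there (CER).
    The observed scores themselves are the candidate thresholds."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = far_frr(genuine, impostor, t)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, (far + frr) / 2)
    _, threshold, cer = best
    return threshold, cer


def threshold_for_max_far(genuine, impostor, max_far):
    """Security-first tuning: the lowest threshold whose FAR is within the
    ceiling, together with the FRR paid for it."""
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = far_frr(genuine, impostor, t)
        if far <= max_far:
            return t, frr
    raise ValueError("no threshold meets the FAR ceiling")


# Constructed scores on a 0-100 scale: ten legitimate users matched against
# their own templates, ten impostors matched against someone else's.
GENUINE = [70, 75, 78, 80, 82, 85, 88, 90, 92, 95]
IMPOSTOR = [30, 40, 50, 55, 60, 65, 70, 75, 80, 85]

if __name__ == "__main__":
    t, cer = crossover(GENUINE, IMPOSTOR)
    print(f"CER {cer:.0%} at threshold {t}")
    t0, frr0 = threshold_for_max_far(GENUINE, IMPOSTOR, max_far=0.0)
    print(f"FAR 0% needs threshold {t0}, costing FRR {frr0:.0%}")
```

On these samples the curves cross at a threshold of 78 with a CER of 20%. Forcing FAR to zero pushes the threshold to 88 and rejects 60% of legitimate attempts, which is the frustration and throughput cost the FRR card warns about.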