Domain 7 - Operations Flashcards

1
Q

Maximum Tolerable Downtime (MTD)?

A

Maximum Tolerable Downtime (MTD). The MTD represents the total amount of time the system owner/authorizing official is willing to accept for a mission/business process outage or disruption and includes all impact considerations. Determining MTD is important because it could leave contingency planners with imprecise direction on selection of an appropriate recovery method, and the depth of detail which will be required when developing recovery procedures, including their scope and content.

2
Q

Recovery Time Objective (RTO)?

A

Recovery Time Objective (RTO). RTO defines the maximum amount of time that a system resource can remain unavailable before there is an unacceptable impact on other system resources, supported mission/business processes, and the MTD. Determining the information system resource RTO is important for selecting appropriate technologies that are best suited for meeting the MTD. When it is not feasible to immediately meet the RTO and the MTD is inflexible, a Plan of Action and Milestone should be initiated to document the situation and plan for its mitigation.

3
Q

Recovery Point Objective (RPO)?

A

Recovery Point Objective (RPO). The RPO represents the point in time, prior to a disruption or system outage, to which mission/business process data can be recovered (given the most recent backup copy of the data) after an outage. Unlike RTO, RPO is not considered as part of MTD. Rather, it is a factor of how much data loss the mission/business process can tolerate during the recovery process. Because the RTO must ensure that the MTD is not exceeded, the RTO must normally be shorter than the MTD. For example, a system outage may prevent a particular process from being completed, and because it takes time to reprocess the data, that additional processing time must be added to the RTO to stay within the time limit established by the MTD.

4
Q

Raid Level 0

A

Striping only, to increase performance.

5
Q

Raid Level 1

A

Mirror on two disks minimum. Most expensive.

6
Q

RAID 2

A

(HAMMING CODE PARITY)
Multiple disks
Parity information created using a Hamming code
Can be used in a 39-disk array: 32 data and 7 recovery
Not used, replaced by more flexible levels

7
Q

RAID 3

A

(BYTE LEVEL PARITY)
Stripe across multiple drives
Parity information on a parity drive
Provides redundancy
Can affect performance with single parity drive

8
Q

RAID 4

A

(BLOCK LEVEL PARITY)
RAID 4 – Block level
Stripe across multiple drives
Parity information on a parity drive
Provides redundancy
Can affect performance with single parity drive

9
Q

RAID 5

A

(INTERLEAVE PARITY)
Most popular
Stripes data and parity information across all drives
Uses interleave parity
Reads and writes performed concurrently
Usually 3-5 drives. If one drive fails, can reconstruct the failed drive by using the information from the other 2.

10
Q

RAID 7

A

RAID 7 (SINGLE VIRTUAL DISK)
Functions as a single virtual disk
Usually software over Level 5 hardware
Enables the drive array to continue to operate if any disk or any path to any disk fails.

11
Q

RAID Summary

A

0 – Striping
1 – Mirroring
2 – Hamming code parity
3 – Byte level parity
4 – Block level parity
5 – Interleave parity
7 – Single Virtual Disk

12
Q

When RAID runs as part of the operating system on the file server, it is an example of a:

A

When RAID runs as part of the operating system on the file server, it is an example of a software implementation. RAID can also be implemented as hardware.

13
Q

What is a Tape Array?

A

A Tape Array is a large hardware/software backup system based on the RAID technology.

14
Q

What is Hierarchical Storage Management (HSM)?

A

Hierarchical Storage Management (HSM) provides a continuous on-line backup by using optical or tape “jukeboxes,” similar to WORMs.

15
Q

What is the main purpose of off-site testing?

A

Ensure the continued compatibility of the contingency facilities

16
Q

The Chain of Custody will include a detailed record of:

A
Who obtained the evidence
What was the evidence
Where and when the evidence was obtained
Who secured the evidence
Who had control or possession of the evidence

With the purpose of presenting in court.

17
Q

Which backup does not change the archive bit even after the backup?

A

A differential backup is a partial backup that copies a selected file to tape only if the archive bit for that file is turned on, indicating that it has changed since the last full backup. A differential backup leaves the archive bits unchanged on the files it copies.

18
Q

What do Media Viability Controls include?

A

Media Viability Controls include marking, handling and storage.

19
Q

Examples of detective security controls?

A

Detective security controls are log monitoring and review, system audit, file integrity checkers, and motion detection.

20
Q

What is the equivalent of a memory dump in court?

A

Hearsay
A memory dump can be admitted as evidence if it acts merely as a statement of fact. A system dump is not considered hearsay because it is used to identify the state of the system, not the truth of the contents.

21
Q

When should a post-mortem be done?

A

5 days after the incident.

22
Q

Another name for Fail Safe is?

A

fail-safe (sometimes called fail-open)

23
Q

How does Fail Secure work?

A

After an alarm or intrusion, the system stays secure. This would be used for systems, like the Windows Blue Screen, not when human life is possibly in danger.

24
Q

Which RAID level does NOT offer parity protection?

A

RAID Level 10 is a combination of Levels 0 and 1, neither of which offer parity protection.

25
Q

What is a Checklist during a test of a disaster recovery plan?

A

Checklist—Copies of the plan are sent to different department managers and business unit managers for review. This is a simple test and should be used in conjunction with other tests.

26
Q

What is a Structured Walk-Through during a test of a disaster recovery plan?

A

Structured Walk-through—Team members and other individuals responsible for recovery meet and walk through the plan step-by-step to identify errors or assumptions.

27
Q

What is a Simulation during a test of a disaster recovery plan?

A

Simulation—This is a simulation of an actual emergency. Members of the response team act in the same way as if there was a real emergency.

28
Q

What is a Parallel test during a test of a disaster recovery plan?

A

Parallel—This is similar to simulation testing, but the primary site is uninterrupted and critical systems are run in parallel at the alternative and primary sites. The systems are then compared to ensure all systems are in sync.

29
Q

What is a Full interruption test during a test of a disaster recovery plan?

A

Full interruption—This test involves all facets of the company in a response to an emergency. It mimics a real disaster where all steps are performed to test the plan. Systems are shut down at the primary site and all individuals who would be involved in a real emergency, including internal and external organizations, participate in the test. This test is the most detailed, time-consuming, and expensive of all of these.

30
Q

What is DAM for databases?

A

DAM is designed to monitor databases and report on suspicious activities and is widely used by organizations that are concerned about security breaches or attacks which could be costly in terms of availability of data disclosure.

31
Q

What is X.500?

A

LDAP is a protocol used to query X.500 directory services and not a security event management system.

32
Q

What is the Chain of Events in case of Forensic investigation?

A

Identify, Preserve, Analyze and Present

33
Q

What are the 5 levels of CMMI?

A

Level 1 is Initial or Chaotic
Level 2 is Repeatable
Level 3 is Defined
Level 4 is Managed
Level 5 is Optimizing

34
Q

What CMMI Level is Defined?

A

Level 3: It is characteristic of processes at this level that there are sets of defined and documented standard processes established and subject to some degree of improvement over time. These standard processes are in place (i.e., they are the AS-IS processes) and used to establish consistency of process performance across the organization.

35
Q

What CMMI Level is Managed?

A

Level 4: It is characteristic of processes at this level that, using process metrics, management can effectively control the AS-IS process (e.g., for software development). In particular, management can identify ways to adjust and adapt the process to particular projects without measurable losses of quality or deviations from specifications. Process Capability is established from this level.

36
Q

The major objective of system configuration management is which of the following?

A

Operations stability.

37
Q

What is important about DB Electronic Vaulting?

A

Electronic vaulting is accomplished by backing up system data over a network. The backup location is usually at a separate geographical location known as the vault site. Vaulting can be used as a mirror or a backup mechanism using the standard incremental or differential backup cycle. Changes to the host system are sent to the vault server in real-time when the backup method is implemented as a mirror. If vaulting updates are recorded in real-time, then it will be necessary to perform regular backups at the off-site location to provide recovery services due to inadvertent or malicious alterations to user or system data.

38
Q

What is important about DB Remote Journaling?

A

Journaling or Remote Journaling is another technique used by database management systems to provide redundancy for their transactions. When a transaction is completed, the database management system duplicates the journal entry at a remote location. The journal provides sufficient detail for the transaction to be replayed on the remote system. This provides for database recovery in the event that the database becomes corrupted or unavailable.

39
Q

What is different in DB Shadowing?

A

Database shadowing may be used where a database management system updates records in multiple locations. This technique updates an entire copy of the database at a remote location.

40
Q

What is MTD?

A

The Maximum Tolerable Downtime (MTD) is the maximum length of time a BUSINESS FUNCTION can endure without being restored, beyond which the BUSINESS is no longer viable.

41
Q

Explain RTO, Recovery Time Objective.

A

RTO defines the maximum amount of time that a system resource can remain unavailable before there is an unacceptable impact on other system resources, supported mission/business processes, and the MTD. Determining the information system resource RTO is important for selecting appropriate technologies that are best suited for meeting the MTD. When it is not feasible to immediately meet the RTO and the MTD is inflexible, a Plan of Action and Milestone should be initiated to document the situation and plan for its mitigation.

42
Q

What is different about RPO, Recovery Point Objective?

A

The RPO represents the point in time, prior to a disruption or system outage, to which mission/business process data can be recovered (given the most recent backup copy of the data) after an outage. Unlike RTO, RPO is not considered as part of MTD. Rather, it is a factor of how much data loss the mission/business process can tolerate during the recovery process. Because the RTO must ensure that the MTD is not exceeded, the RTO must normally be shorter than the MTD. For example, a system outage may prevent a particular process from being completed, and because it takes time to reprocess the data, that additional processing time must be added to the RTO to stay within the time limit established by the MTD.

43
Q

Is a Policy normally detective, preventive or corrective?

A

Preventive or Directive depending on the situation.
Preventive security controls are put into place to prevent intentional or unintentional disclosure, alteration, or destruction (D.A.D.) of sensitive information.

44
Q

What is the equivalent of Directive Security Controls?

A

Directive security controls are the equivalent of administrative controls. Directive controls direct that some action be taken to protect sensitive organizational information. The directive can be in the form of a policy, procedure, or guideline.

45
Q

After a computer has been infected and cleaned, what should you do with it?

A

It needs to be completely reinstalled before being reused.

46
Q

There are other names for:
Knowledge-based ID systems
Behavior-based ID systems
both types of Intrusion Detection methodology.

A

Signature-based ID and Statistical anomaly-based ID, respectively.