Domain 7: Security Operations (13%) Flashcards

1
Q

Administrative Security

A

Provides the means to control people’s operational access to data.

2
Q

Least Privilege

A

We give employees the minimum necessary access they need, no more, no less.

3
Q

Need to know

A

Even if you have access, if you do not need to know, then you should not access the data.

4
Q

Separation of duties

A

Requiring more than one individual to complete a single task is an internal control intended to prevent fraud and error. We do not allow the same person to both enter the purchase order and issue the check.

5
Q

Job rotation

A

Job rotation is used to detect errors and fraud. Rotating people through roles makes fraud easier to detect and lowers the chance of collusion between individuals.

6
Q

Mandatory vacations

A

Done to ensure one person is not always performing the same task; someone else has to cover, which can keep fraud from happening or help us detect it. While the employee is away their accounts are locked and an audit is performed on the accounts.

7
Q

NDA (non disclosure agreement)

A

Can be between employees and the organization, or between two organizations.

8
Q

Background check

A

References, degrees, employment history, certifications, criminal history, credit history. For sensitive positions the background check is an ongoing process.

9
Q

Privilege monitoring

A

The more access and privilege an employee has the more we keep an eye on their activity. We continually audit and monitor what they access. This is normally automated.

10
Q

Digital (comp) forensics

A

Focuses on the recovery and investigation of material found in digital devices, often in relation to computer crime. Forensics is about gathering and protecting the evidence, whereas incident response is how we react to a breach. We preserve the crime scene and the evidence so that we can prove its integrity at a later time when needed, often in court.

11
Q

The forensic process:

A
  • Identify the potential evidence, acquire the evidence, analyze the evidence, make a report.
  • Be aware of how we gather our forensic evidence; attackers cover their tracks by deleting evidence and logs.
  • Some evidence exists only in volatile memory, for instance malware that never touches disk. If power is cut (in an attempt to preserve the crime scene) the malware is gone and the evidence is lost with it.
  • Capture the volatile data first, then disconnect the system from the network and take bit-by-bit copies of memory, drives, running processes and network connection data.

12
Q

The evidence

A

we collect must be accurate, complete, authentic, convincing, admissible.

13
Q

Identification

A

Identify the evidence: what has been left behind.

14
Q

Preservation

A

Everything is documented. Chain of custody: who had it when? What was done? When did they do it? Pull the original, attach it to a write-blocked (write-protected) machine and make a hash. We only do examinations and analysis on bit-level copies, and we confirm they have the same hash as the original before and after the examination.

15
Q

Collection

A

We gather the data, again documenting everything. We handle the evidence as little as possible. Work from most volatile to least volatile, starting with RAM and ending with the hard disks.

16
Q

Incident response plan

A

Can include getting our HR and Legal departments involved. Ensure evidence is acquired in a legal manner; remember the 4th Amendment of the US Constitution (protection against unreasonable searches and seizures).

17
Q

Examination

A

Find the facts and document them; extract the relevant data from what was collected.

18
Q

Analysis

A

Look at the data and look for meaning or reason.

19
Q

Presentation in court

A

We present our findings and any other evidence.

20
Q

Decision

A

The court rules on the case.

21
Q

Forensic data

A

Is normally obtained from binary images of secondary storage and portable storage devices: hard drives, flash drives, CDs, DVDs, cell phones, MP3 players. We use a binary (bit-stream) image copy to ensure we get an exact copy of the whole device, including unallocated and slack space, and not just a copy of certain sectors or the live files.

22
Q

Real Evidence

A

Tangible and physical objects; in IT security: the hard drive, the USB stick, NOT the data on them.

23
Q

Evidence Integrity

A

It is vital that the evidence's integrity cannot be questioned; we do this with hashes. Any forensics is done on copies and never on the originals, and we check the hash on both the original and the copy before and after the forensics. Computer records are technically hearsay, but are admissible under the hearsay exceptions in Federal Rule of Evidence 803 (for example the business records exception).

24
Q

Chain of Custody

A

A chain of custody form is kept to prove the integrity of the data and that no tampering was done. Who handled it? When did they handle it? What did they do with it? Where did they handle it?

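The preservation, evidence integrity and chain of custody cards above describe one procedure: hash the original, image it bit for bit, work only on the copy, re-hash before and after, and log every handler. The following is an added example that is not part of the original flashcards; the "device" is a constructed in-memory byte string standing in for a write-blocked drive, and the examiner names, item label and locations are made up.

```python
"""Added example: imaging a device bit for bit, hashing original and copy before and
after analysis, and keeping a chain-of-custody log. The "device" is a constructed
in-memory byte string standing in for a write-blocked drive; no real disk is touched."""
import hashlib
import io
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

SECTOR = 512


def _sector(content: bytes) -> bytes:
    """Pad constructed content to one full sector."""
    return content + b"\x00" * (SECTOR - len(content))


# Constructed evidence: an active file, an empty sector and a deleted-file remnant.
SAMPLE_DEVICE = (
    _sector(b"RESUME.DOC: John Doe, 2024")
    + _sector(b"")
    + _sector(b"deleted: wire 2000 USD to acct 7")
)


def sha256_of_stream(stream, chunk_size: int = 65536) -> str:
    """Hash a readable stream in chunks so large images do not need to fit in RAM."""
    digest = hashlib.sha256()
    for block in iter(lambda: stream.read(chunk_size), b""):
        digest.update(block)
    return digest.hexdigest()


def sha256_of_bytes(data: bytes) -> str:
    return sha256_of_stream(io.BytesIO(data))


def acquire_image(device, chunk_size: int = 65536):
    """Sequential bit-for-bit copy of the whole device; returns (image_bytes, sha256)."""
    image = io.BytesIO()
    digest = hashlib.sha256()
    for block in iter(lambda: device.read(chunk_size), b""):
        digest.update(block)   # the hash covers exactly the bytes written to the image
        image.write(block)
    return image.getvalue(), digest.hexdigest()


def verify_image(image: bytes, expected_sha256: str) -> bool:
    """Re-hash a copy and compare with the recorded hash (done before and after analysis)."""
    return sha256_of_bytes(image) == expected_sha256


@dataclass
class CustodyEntry:
    when: str
    who: str
    action: str
    where: str
    sha256: str


@dataclass
class ChainOfCustody:
    """Who handled the item, when, what they did, where, and the hash they observed."""
    item: str
    entries: list = field(default_factory=list)

    def record(self, who: str, action: str, where: str, sha256: str) -> None:
        now = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.entries.append(CustodyEntry(now, who, action, where, sha256))

    def unbroken(self) -> bool:
        """True when every handler observed the same hash, i.e. nothing was altered."""
        return len({e.sha256 for e in self.entries}) == 1


def carve_strings(image: bytes, min_len: int = 8) -> list:
    """Read-only analysis step: printable ASCII runs, including deleted remnants."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, image)]


def work_case(device_bytes: bytes = SAMPLE_DEVICE) -> dict:
    device = io.BytesIO(device_bytes)             # stands in for the original drive
    original_hash = sha256_of_stream(device)      # hash the original first
    device.seek(0)
    image, image_hash = acquire_image(device)     # all further work happens on this copy
    custody = ChainOfCustody("HDD-0001 (constructed)")
    custody.record("examiner A", "hashed original", "evidence locker", original_hash)
    custody.record("examiner A", "acquired image", "evidence locker", image_hash)
    findings = carve_strings(image)
    custody.record("examiner B", "analysed image", "forensic workstation", sha256_of_bytes(image))
    return {
        "image_matches_original": image_hash == original_hash,
        "unchanged_after_analysis": verify_image(image, image_hash),
        "chain_unbroken": custody.unbroken(),
        "findings": findings,
    }
```

`work_case()` returns True for all three integrity checks and lists both the live file and the deleted remnant, which is the point of imaging the whole device rather than copying files. In the field the original sits behind a hardware write blocker and the image is written to a separate evidence drive; a single flipped bit in the image changes the hash, which is what makes the chain-of-custody record defensible.
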
25
Q

Allocated space

A

The portions of the disk that are marked as actively containing data.

26
Q

Unallocated space

A

The portions of the disk that do not contain active data. This includes parts that have never been allocated and previously allocated parts that have been marked unallocated. When a file is deleted, the parts of the disk that held the deleted file are marked as unallocated and made available for reuse, so the data is still there until it is overwritten.

27
Q

Slack space

A

Data is stored in fixed-size chunks known as clusters (also called blocks; a cluster is a group of one or more sectors). A cluster is the minimum size that can be allocated by a file system. If a particular file, or the final portion of a file, does not require the entire cluster, then some extra space will exist within the cluster. This leftover space is known as slack space: it may contain old data, or it can be used intentionally by attackers to hide information.

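To make the unallocated-space and slack-space cards concrete, here is an added example (not from the original flashcards) with a toy disk of 4 KiB clusters. The file names, contents and the "hidden" payload are constructed; the toy file system only tracks which clusters belong to which file, which is enough to show where deleted bytes survive and why marking a cluster bad hides it from a carving tool that trusts the OS view.

```python
"""Added example: a toy disk with 4 KiB clusters showing where deleted data survives.
The disk, files and "hidden" payload are constructed; no real file system is used."""

CLUSTER = 4096                      # one cluster = a group of sectors; smallest allocatable unit
NOTES = b"meeting at 10, bring slides"
HIDDEN = b"stash: c2 key = 0xDEADBEEF"


class ToyDisk:
    def __init__(self, clusters: int = 16):
        self.data = bytearray(clusters * CLUSTER)
        self.files = {}             # name -> (cluster list, byte size)
        self.bad = set()            # clusters the "OS" will never read or allocate

    def free_clusters(self) -> list:
        used = {c for clusters, _ in self.files.values() for c in clusters}
        return sorted(set(range(len(self.data) // CLUSTER)) - used - self.bad)

    def write_file(self, name: str, content: bytes) -> None:
        needed = -(-len(content) // CLUSTER)          # ceiling division
        clusters = self.free_clusters()[:needed]
        if len(clusters) < needed:
            raise OSError("disk full")
        for i, c in enumerate(clusters):
            chunk = content[i * CLUSTER:(i + 1) * CLUSTER]
            start = c * CLUSTER
            # Only the file's own bytes are written; the tail of the last cluster is
            # left untouched, which is exactly how slack space ends up holding old data.
            self.data[start:start + len(chunk)] = chunk
        self.files[name] = (clusters, len(content))

    def read_file(self, name: str) -> bytes:
        clusters, size = self.files[name]
        raw = b"".join(self.data[c * CLUSTER:(c + 1) * CLUSTER] for c in clusters)
        return raw[:size]           # the OS never shows the slack to the user

    def delete(self, name: str) -> None:
        del self.files[name]        # metadata only; the clusters keep their bytes

    def file_slack(self, name: str) -> bytes:
        """Bytes between the end of the file and the end of its last cluster."""
        clusters, size = self.files[name]
        used_in_last = size % CLUSTER
        if used_in_last == 0:
            return b""
        last = clusters[-1] * CLUSTER
        return bytes(self.data[last + used_in_last:last + CLUSTER])

    def unallocated(self) -> bytes:
        """What a carving tool sees in free clusters (bad clusters skipped, like the OS does)."""
        return b"".join(self.data[c * CLUSTER:(c + 1) * CLUSTER] for c in self.free_clusters())

    def mark_bad(self, cluster: int, payload: bytes = b"") -> None:
        """Attacker trick: flag a healthy cluster as bad, then stash data in it."""
        self.bad.add(cluster)
        self.data[cluster * CLUSTER:cluster * CLUSTER + len(payload)] = payload

    def bad_cluster_bytes(self) -> bytes:
        """What an examiner who reads the raw image, ignoring the bad-cluster map, sees."""
        return b"".join(self.data[c * CLUSTER:(c + 1) * CLUSTER] for c in sorted(self.bad))


def demo() -> dict:
    disk = ToyDisk()
    secret = b"PAYROLL " * 750                     # 6000 bytes -> two clusters
    disk.write_file("secret.txt", secret)
    disk.delete("secret.txt")                     # clusters 0 and 1 are now unallocated
    disk.write_file("notes.txt", NOTES)           # reuses cluster 0; the rest of it is slack
    disk.mark_bad(5, HIDDEN)                      # cluster 5 hidden behind a "bad" flag
    return {
        "notes_content": disk.read_file("notes.txt"),
        "slack": disk.file_slack("notes.txt"),
        "slack_len": len(disk.file_slack("notes.txt")),
        "unallocated": disk.unallocated(),
        "hidden_in_bad": disk.bad_cluster_bytes()[:len(HIDDEN)],
    }
```

`demo()` shows the three places a logical (file-level) copy would miss: the tail of `notes.txt`'s cluster still holds payroll data, cluster 1 still holds the second half of the deleted file, and the stash in cluster 5 is invisible to anything that honours the bad-cluster map. Only a bit-stream image of the whole device captures all three.
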
28
Q

Bad blocks/clusters/sectors

A

Hard drives end up with sectors that cannot be read due to a physical defect. Sectors marked as bad are ignored by the OS, since no data can be read from the defective portions. Attackers can deliberately mark good sectors or clusters as bad in order to hide data in that portion of the disk.

29
Q

Network forensics

A

We look at the monitoring and analysis of computer network traffic for the purposes of information gathering, legal evidence, or intrusion detection. Network investigations deal with volatile and dynamic information. Network traffic is transmitted and then lost, so network forensics is often a proactive investigation.

30
Q

The first type

A

Monitoring a network for anomalous traffic and identifying intrusions (IDS/IPS). An attacker might be able to erase all log files on a compromised host, so network-based evidence might be the only evidence available for forensic analysis.

31
Q

The second type

A

Relates to law enforcement. In this case analysis of captured network traffic can include tasks such as reassembling transferred files, searching for keywords and parsing human communication such as emails or chat sessions.

32
Q

Catch-it-as-you-can

A

All packets passing through a certain traffic point are captured and written to storage, with analysis being done subsequently in batch mode. This approach requires large amounts of storage.

33
Q

Stop, look and listen

A

Each packet is analyzed in a basic way in memory and only certain information is saved for future analysis. This approach requires a faster processor to keep up with incoming traffic.

36
Q

Forensic software analysis

A

Comparing and/or reverse engineering software. Reverse engineering malware is one of the most common examples. Investigators often have a binary copy of a malware program and try to deduce what it does. Common tools are disassemblers and debuggers.

37
Q

Embedded device forensics

A

SSDs, GPS units, cell phones, PDAs. They contain a lot of information, but the question is how we safely retrieve it while keeping the integrity of the data. IoT devices can be a security concern, but they are also a source of evidence: where does the GPS say the car, phone or person was at a certain time? When did the AC turn on? Can we assume someone was home at that time?

38
Q

Incident management

A

Involves the monitoring and detection of security events on our systems, and how we react to those events. The primary purpose is to have a well-understood and predictable response to events and computer intrusions. We have very clear processes and responses, and our teams are trained in them and know what to do when an event occurs.

39
Q

Incidents and events can generally be categorized in 3 classes

A

Natural: hurricanes, floods, earthquakes, blizzards, anything caused by nature. Human: done intentionally or unintentionally by humans; these are by far the most common. Environmental: the power grid, the Internet connections, hardware failure, software flaws.

40
Q

Event

A

An observable change in state. This is neither negative nor positive; it is just that something has changed.

41
Q

Alert

A

A warning triggered when a certain event happens.

42
Q

Incident

A

Multiple adverse events happening on our systems or network, often caused by people.

43
Q

Problem

A

An incident with an unknown cause. We would follow similar steps to incident response, but more time is spent on root cause analysis: we need to know what happened so we can prevent it from happening again.

44
Q

Inconvenience (non-disasters)

A

Non-disruptive failures: a hard drive failure, one server in a cluster is down.

45
Q

Emergency (Crisis)

A

Urgent; an event with the potential for loss of life or property.

46
Q

Disaster

A

Our entire facility is unusable for 24 hours or more. Yes, a snowstorm can be a disaster.

48
Q

Incident management lifecycle (8 steps; the exam counts 7 and leaves out Preparation)

A
  1. Preparation (left out in the exam). 2. Detection (identification). 3. Response (containment). 4. Mitigation (eradication). 5. Reporting. 6. Recovery. 7. Remediation. 8. Lessons learned (post-incident activity, post mortem, or reporting).

49
Q
  1. Preparation
A

We write the policies and procedures, train our staff, procure the detection software and hardware, and give our incident response team the tools they need to respond to an incident.

50
Q
  2. Detection
A

Events are analyzed to determine if they might be a security incident. An IDS can help us detect; an IPS can help us detect and prevent further compromise. A SIEM (Security Information and Event Management system) collects everything from everything: all alerts, logs, events and incidents.

51
Q
  3. Response
A

When the incident response team begins interacting with affected systems and attempts to keep further damage from occurring as a result of the incident. Isolate the system and its network traffic, make bit-level copies of the system, and stop the incident from spreading.

53
Q
  4. Mitigation
A

Understanding the cause of the incident so that the system can be reliably cleaned and restored to operational status later, in the recovery phase.

54
Q
  5. Reporting
A

Begins with detection; we start reporting immediately when we detect malicious activity. Reporting has two focus areas, technical and non-technical. The incident handling team reports the technical details of the incident as they start the incident handling process, but they also notify management of serious incidents. The procedures and policies outline when each level of management needs to be informed and involved.

55
Q
  6. Recovery
A

We carefully restore the system(s) to operational status. We closely monitor the rebuilt system in case a backdoor was left behind.

56
Q
  7. Remediation
A

Remediation starts during the mitigation phase, where the vulnerabilities on the impacted system(s) are fixed, and then broadens: patch all systems with the same vulnerability, or change how the organization authenticates.

57
Q
  8. Lessons Learned
A

The problem has been fixed; now review what was compromised, what the vulnerabilities were, how the team reacted, and which parts of our plans worked and which did not.

58
Q

Root-cause analysis

A

We need to fix the vulnerability on the system(s) that were affected, but also on any system in the organization that has that particular vulnerability or set of vulnerabilities.

59
Q

IDS and IPS

A

can be categorized into 2 types and with 2 different approaches to identifying malicious traffic.

60
Q

Network based

A

placed on a network segment (a switch port in promiscuous mode)

61
Q

Host based

A

on a client, normally a server or workstation

62
Q

Signature (pattern) matching

A

similar to antivirus, it matches traffic against a long list of known malicious traffic patterns

63
Q

Heuristic (Behavioral) based

A

uses a normal traffic pattern baseline to monitor for abnormal traffic.

64
Q

SIEM (Security Info and Event Management)

A

Gives you a full-picture view and data correlation.

65
Q

IDS (Intrusion Detection System)

A

They are passive: they monitor, but take no action other than sending out alerts.

66
Q

IPS (Intrusion Prevention System)

A

Similar to an IDS, but they also take action on malicious traffic; what they do with the traffic is determined by configuration. Events trigger an action.

67
Q

IDS/IPS

A

Part of our layered defense. Basically they are packet sniffers with analysis engines.

68
Q

Network based

A

Placed on a network segment (a switch port in promiscuous mode). Inspects source and destination ports, IPs, protocols and the content of traffic, but obviously cannot look inside encrypted traffic. Can protect against DDoS, port scans and brute-force attacks. Deployed on one switch; the NIC must be in promiscuous mode and the port must be a SPAN (mirror) port.

69
Q

Host based

A

On a client, normally a server or workstation. We only look at a single system: who is using the system, the resource usage, the traffic. It can be application-specific if needed. Certain attacks turn off the HIDS/HIPS.

70
Q

Signature based

A

Looks for known malware signatures. Faster, since they just check traffic against the malicious signatures. Vulnerable to 0-day attacks.

71
Q

Heuristic (Behavioral) based

A

Looks for abnormal behavior; can produce a lot of false positives. We build a baseline of what normal network traffic looks like and all traffic is matched against that baseline.

72
Q

Hybrid based

A

Combines both. More used now; checks for both signatures and abnormalities.

73
Q

Ways attackers attempt to avoid detection

A

Fragmentation, avoiding defaults, low-bandwidth coordinated attacks and pattern change evasion (see the following cards).

74
Q

Fragmentation

A

By sending fragmented packets the attacker can stay below the detection system's ability to detect the attack signature, since no single fragment contains the whole signature.
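As an added example (not part of the original flashcards), the fragmentation evasion on this card and the reassembly that defeats it, with constructed TCP segments whose offsets stand in for relative sequence numbers:

```python
"""Added example: why per-packet signature matching misses a signature split across
TCP segments, and how reassembling the stream by sequence offset recovers it. The
segments are constructed; offsets stand in for relative TCP sequence numbers."""

SIGNATURE = b"etc/passwd"

# The same request split so that no single segment carries the whole signature,
# delivered out of order (a common evasion on top of plain fragmentation).
SEGMENTS = [
    (13, b"c/pas"),
    (0, b"GET /../../et"),
    (18, b"swd HTTP/1.1\r\n"),
]


def per_packet_match(segments: list, signature: bytes) -> bool:
    """Naive NIDS: inspect each segment on its own."""
    return any(signature in payload for _, payload in segments)


def reassemble(segments: list):
    """Order segments by offset and concatenate them. A gap or an overlap returns None:
    a real NIDS must resolve overlaps the same way the target host's TCP stack does,
    otherwise an attacker can feed the sensor one byte stream and the host another."""
    stream = bytearray()
    expected = 0
    for offset, payload in sorted(segments):
        if offset != expected:
            return None
        stream += payload
        expected += len(payload)
    return bytes(stream)


def stream_match(segments: list, signature: bytes) -> bool:
    """Stream-aware NIDS: reassemble first, then match."""
    stream = reassemble(segments)
    return stream is not None and signature in stream
```

`per_packet_match(SEGMENTS, SIGNATURE)` is False while `stream_match(SEGMENTS, SIGNATURE)` is True. The same idea applies at the IP layer (fragment reassembly) and to application-layer chunking; the sensor has to see what the target sees.
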

75
Q

Avoiding defaults

A

The TCP port used by a protocol does not always indicate which protocol is being transported. Attackers can send malware over an unexpected port.

76
Q

Low-bandwidth coordinated attacks

A

A number of attackers (agents) are allocated different ports or hosts, making it difficult for the IDS to correlate the captured packets and deduce that a network scan is in progress. Also address spoofing/proxying.

77
Q

Pattern change evasion

A

The attacker changes the data used in the attack slightly, which may avoid detection.

78
Q

Alert categories on IDS/IPS

A

Like biometrics, alerts fall into one of 4 categories:

79
Q

True positive

A

An attack is happening, and the system detects it and acts.

80
Q

True negative

A

Normal traffic on the network, and the system detects it as such and does nothing.

81
Q

False Positive

A

Normal traffic, and the system flags it as an attack and acts.

82
Q

False Negative

A

An attack is happening, and the system does not detect it and does nothing.
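The signature, heuristic and hybrid cards and the four alert categories above come together in this added example (not part of the original flashcards). The flow records, the signature list and the clean-period baseline are all constructed, and the two detectors are deliberately simple stand-ins for a real NIDS: substring signatures, and a three-sigma threshold on a host's connection rate. It also shows the pattern change evasion from the earlier card (percent-encoding a few bytes) and the normalisation step that defeats it.

```python
"""Added example: signature and baseline (anomaly) detection over constructed flow
records, scored as TP/TN/FP/FN against known labels. Records, signatures and the
baseline are all made up; the detectors are simplified stand-ins for a real NIDS."""
import statistics
from urllib.parse import unquote_to_bytes

# Signature rules: name -> byte pattern that must appear in the payload.
SIGNATURES = {
    "path-traversal": b"etc/passwd",
    "sqli-tautology": b"OR 1=1",
    "win-shell": b"cmd.exe",
}

# Connections per minute per source host observed during a clean period (constructed).
TRAINING_RATES = [4, 5, 6, 5, 4, 6, 5, 5]

# Constructed records with ground truth; "rate" is the source host's connections/minute.
RECORDS = [
    {"src": "10.0.0.5", "port": 80, "payload": b"GET /index.html", "rate": 5, "label": "benign"},
    {"src": "10.0.0.9", "port": 80, "payload": b"GET /../../etc/passwd", "rate": 6, "label": "attack"},
    {"src": "203.0.113.7", "port": 22, "payload": b"SSH-2.0-OpenSSH", "rate": 40, "label": "attack"},  # brute force
    {"src": "10.0.0.12", "port": 443, "payload": b"POST /forum body='Why does OR 1=1 break my query?'", "rate": 4, "label": "benign"},
    {"src": "10.0.0.3", "port": 80, "payload": b"GET /%65tc/p%61sswd", "rate": 5, "label": "attack"},  # encoded evasion
    {"src": "10.0.0.20", "port": 8080, "payload": b"GET /status", "rate": 5, "label": "benign"},
]


def signature_alerts(payload: bytes, normalize: bool = False) -> list:
    """Names of matching signatures. With normalize=True the payload is URL-decoded first,
    which defeats the simple pattern-change evasion of percent-encoding a few characters."""
    if normalize:
        payload = unquote_to_bytes(payload)
    return [name for name, pattern in SIGNATURES.items() if pattern in payload]


def build_baseline(rates: list) -> tuple:
    """Mean and standard deviation of the normal connection rate."""
    return statistics.fmean(rates), statistics.pstdev(rates)


def is_anomalous(rate: float, baseline: tuple, sigmas: float = 3.0) -> bool:
    mean, sd = baseline
    return rate > mean + sigmas * sd


BASELINE = build_baseline(TRAINING_RATES)


def signature_detector(rec: dict) -> bool:
    return bool(signature_alerts(rec["payload"]))


def normalized_signature_detector(rec: dict) -> bool:
    return bool(signature_alerts(rec["payload"], normalize=True))


def anomaly_detector(rec: dict) -> bool:
    return is_anomalous(rec["rate"], BASELINE)


def hybrid_detector(rec: dict) -> bool:
    return signature_detector(rec) or anomaly_detector(rec)


def normalized_hybrid_detector(rec: dict) -> bool:
    return normalized_signature_detector(rec) or anomaly_detector(rec)


def classify(alerted: bool, is_attack: bool) -> str:
    """The four alert outcomes: TP/FN for real attacks, FP/TN for normal traffic."""
    if is_attack:
        return "TP" if alerted else "FN"
    return "FP" if alerted else "TN"


def evaluate(records: list, detector) -> dict:
    counts = {"TP": 0, "TN": 0, "FP": 0, "FN": 0}
    for rec in records:
        counts[classify(detector(rec), rec["label"] == "attack")] += 1
    return counts
```

Running `evaluate(RECORDS, ...)` for each detector gives the trade-off the cards describe: the signature detector is precise on known patterns but misses the brute-force burst and the encoded traversal, and produces a false positive on a forum post that merely quotes `OR 1=1`; the baseline detector catches the burst and nothing else; the hybrid catches both known and unknown behaviour, and normalising the payload before matching removes the last miss. Tuning `sigmas` down lowers the anomaly detector's false negatives at the cost of false positives, which is the heuristic trade-off noted on the behavioral card.
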

83
Q

SIEM (Security info and event management)

A

Gathers from all our systems and looks at everything. Centralizes the storage and interpretation of logs and traffic, and allows near-real-time automated identification, analysis and recovery of security events.

84
Q

Application whitelisting

A

We allow our users to run only these applications in our environments, but it can also be compromised. Whitelist against a trusted digital certificate, a known hash, or a path and name.
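The card lists three ways to express an allowlist entry. The following added example (not from the original flashcards) compares the path-and-name rule with the hash rule on constructed binaries and paths; the certificate rule is left out because it needs a signature check against a trust store, but it behaves like the hash rule with the operational advantage that a vendor update signed by the same publisher keeps working.

```python
"""Added example: application allowlisting decisions by path versus by hash. The
binaries, paths and allowlist are constructed; a real deployment would load the
allowlist from policy and hash the file the loader is about to execute."""
import hashlib

TRUSTED_ACME = b"MZ\x90\x00 acme.exe v1.0 (constructed binary)"
MALWARE = b"MZ\x90\x00 dropper (constructed binary)"
ACME_PATH = r"C:\Program Files\Acme\acme.exe"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Each entry records the path a program may run from and the hash it must have.
ALLOWLIST = {ACME_PATH: sha256_hex(TRUSTED_ACME)}


def allowed_by_path(path: str) -> bool:
    """Path/name rule: anything sitting at an allowed path may run."""
    return path in ALLOWLIST


def allowed_by_hash(path: str, content: bytes) -> bool:
    """Hash rule: the file at that path must hash to the recorded value."""
    return ALLOWLIST.get(path) == sha256_hex(content)


def decide(path: str, content: bytes) -> dict:
    return {"path_rule": allowed_by_path(path), "hash_rule": allowed_by_hash(path, content)}


def scenarios() -> dict:
    return {
        # Normal operation: both rules agree.
        "legit_run": decide(ACME_PATH, TRUSTED_ACME),
        # An attacker with write access overwrites acme.exe in place: the path rule
        # still allows it, the hash rule blocks it.
        "overwritten_in_place": decide(ACME_PATH, MALWARE),
        # The same dropper written somewhere else: both rules block it.
        "dropped_in_temp": decide(r"C:\Users\Public\acme.exe", MALWARE),
        # A vendor update changes the hash: the hash rule blocks the new version until
        # the allowlist is updated, which is the operational cost of hash-based rules.
        "vendor_update": decide(ACME_PATH, TRUSTED_ACME + b" v1.1"),
    }
```

The "overwritten in place" case is the one the card warns about: a path rule only says where a program may live, so any write access to that location is a bypass. The price of the hash rule is shown by the "vendor update" case, which is why certificate-based rules are common in practice.
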

85
Q

Removable media controls

A

Lock down USB ports, CD drives and memory card ports.

86
Q

Honeypots

A

A system that looks like a real system, but with the sole purpose of attracting attackers. They are used to learn about our vulnerabilities and how attackers would circumvent our security measures. Talk to the Legal department before deploying honeypots.

87
Q

Honeynets

A

A network of honeypots; can be a full server farm simulated with applications, OSes and fake data.

88
Q

Configuration Management

A

Harden systems before we deploy them: close network ports, disable services, delete accounts, apply missing patches. We do this for any device on our network. Before introduction into our production environment we run vulnerability scans against the system to ensure we did not miss anything.

89
Q

Patch Management

A

Apply patches on a regular basis. Make sure you also update network equipment, storage array firmware, IoT devices and so on.

90
Q

Change Mangement

A

Our formalized process for how we handle changes to our environments. If done right we have full documentation and understanding, and we communicate changes to the appropriate parties. The change review board should be comprised of both IT and other operational units from the organization. The board can have senior leadership on it.

91
Q

Change management flow

A
  1. Identify the change. 2. Propose the change. 3. Assess the risks, impacts and benefits of implementing and of not implementing it. 4. Provisional change approval. 5. Test the change. 6. Schedule the change. 7. Change notification for impacted parties. 8. Implement the change. 9. Post-implementation reporting of the actual change impact.
92
Q

Change control

A

The parts of the process where we control the change.

93
Q

0 day vulnerabilities

A

Vulnerabilities not generally known or not yet discovered. Protect against these with defense in depth.

94
Q

0 day exploit

A

Code that exploits a 0-day vulnerability.

95
Q

Fault tolerance

A

To meet our internal SLAs and provide as high availability as possible, we use as high a degree of redundancy and resiliency as makes sense for that particular system and data set.

96
Q

Backups

A

For backups we use full, incremental, differential and copy backups.

97
Q

Full backup

A

This backs everything up: the entire database (most often) or the system. A full backup clears all the archive bits.

98
Q

Incremental backup

A

Backs up everything that has changed since the last backup (full or incremental). Clears the archive bits. The downside is that if we do a monthly full backup and daily incrementals, we could need as many as 31 tapes to restore: the full plus every incremental since.

99
Q

Differential backup

A

Backs up everything changed since the last full backup. Does not clear the archive bit. Faster to restore, since we just need two tapes for a full restore: the full and the latest differential.

100
Q

Copy backup

A

A full backup that does not clear the archive bit, so it does not disturb the regular backup chain. Often used before we do system updates, patches and similar upgrades.

101
Q

Archive bit

A

On Windows NTFS, files have an archive bit that indicates whether the file was changed since the last full or incremental backup.
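The four backup cards and the archive-bit card describe one mechanism, so here is a single added example (not part of the original flashcards) that simulates it. The file set, the week's changes and the "before patching" copy backup are constructed; the archive bit is modelled as a flag on each file exactly as the cards describe it.

```python
"""Added example: how full, incremental, differential and copy backups treat the archive
bit, and what each restore chain needs. The file set and its changes are constructed."""


class FileSet:
    """Files with an archive bit; the bit is set whenever a file is created or modified."""

    def __init__(self, files: dict):
        self.files = {name: {"data": data, "archive": True} for name, data in files.items()}

    def modify(self, name: str, data: str) -> None:
        self.files[name] = {"data": data, "archive": True}

    def flagged(self) -> list:
        return sorted(name for name, f in self.files.items() if f["archive"])

    def _backup(self, only_flagged: bool, clear_bits: bool) -> dict:
        snapshot = {name: f["data"] for name, f in self.files.items()
                    if f["archive"] or not only_flagged}
        if clear_bits:
            for name in snapshot:
                self.files[name]["archive"] = False
        return snapshot

    def full_backup(self) -> dict:            # everything, clears the bits
        return self._backup(only_flagged=False, clear_bits=True)

    def incremental_backup(self) -> dict:     # changed since last full/incremental, clears the bits
        return self._backup(only_flagged=True, clear_bits=True)

    def differential_backup(self) -> dict:    # changed since last full, leaves the bits set
        return self._backup(only_flagged=True, clear_bits=False)

    def copy_backup(self) -> dict:            # everything, leaves the bits alone
        return self._backup(only_flagged=False, clear_bits=False)


def restore(*backup_sets: dict) -> dict:
    """Apply backup sets oldest to newest; later versions overwrite earlier ones."""
    state = {}
    for backup_set in backup_sets:
        state.update(backup_set)
    return state


def simulate() -> dict:
    # Two identical servers, one on an incremental schedule and one on a differential one.
    inc = FileSet({"a": "a0", "b": "b0", "c": "c0"})
    dif = FileSet({"a": "a0", "b": "b0", "c": "c0"})
    full_inc, full_dif = inc.full_backup(), dif.full_backup()       # Sunday
    incrementals, differentials = [], []
    for name, data in [("a", "a1"), ("b", "b1"), ("a", "a2")]:    # Mon, Tue, Wed
        inc.modify(name, data)
        incrementals.append(inc.incremental_backup())
        dif.modify(name, data)
        differentials.append(dif.differential_backup())
    # Copy backup before patching: a full snapshot that does not disturb the chain.
    inc.modify("c", "c1")
    copy_set = inc.copy_backup()
    return {
        "incremental_sets": [sorted(s) for s in incrementals],
        "differential_sets": [sorted(s) for s in differentials],
        "incremental_restore": restore(full_inc, *incrementals),       # full + every incremental
        "differential_restore": restore(full_dif, differentials[-1]),  # full + latest differential
        "incremental_sets_to_restore": 1 + len(incrementals),
        "differential_sets_to_restore": 2,
        "copy_set_size": len(copy_set),
        "still_flagged_after_copy": inc.flagged(),
    }
```

`simulate()` shows the differential sets growing each day (`a`, then `a b`, then `a b`) while the incremental sets stay small, and both chains restoring to the same state; the incremental chain needs the full plus all three incrementals, the differential chain only the full plus the latest one. The copy backup captures all three files yet leaves `c` flagged, so the next incremental still picks it up.
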

102
Q

RAID

A

(Redundant Array of Independent Disks)

103
Q

Disk mirroring

A

Writing the same data across multiple hard drives. Slower, because the controller has to write everything twice.

104
Q

Disk striping

A

Writing the data simultaneously across multiple disks, providing higher write speed. Uses at least 2 disks. No redundancy unless you use parity, and for that you need 3 hard drives.

105
Q

RAID 0

A

Striping with no mirroring or parity. No fault tolerance; only provides faster read/write speed. Requires at least 2 hard drives.

106
Q

RAID 1

A

Mirror set: 2 hard drives with identical data; every write is written to both disks simultaneously.

107
Q

RAID 5

A

Block-level striping with distributed parity; requires at least 3 disks. Combines speed with redundancy: any single disk can fail and its contents are rebuilt from the others.
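The RAID 5 card is the one that rewards a worked example, so here is an added one (not part of the original flashcards) using in-memory "disks" made of fixed-size chunks and constructed data. It writes stripes with rotating XOR parity, rebuilds any single failed disk, and shows that a second failure is unrecoverable; the chunk size and disk count are parameters chosen for the example.

```python
"""Added example: RAID 5 striping with rotating XOR parity, rebuilding one failed disk
and showing that two failures cannot be rebuilt. Disks are lists of fixed-size chunks
held in memory; the data is constructed."""

DATA = b"THE QUICK BROWN FOX!"


def xor_chunks(chunks: list) -> bytes:
    out = bytearray(len(chunks[0]))
    for chunk in chunks:
        for i, byte in enumerate(chunk):
            out[i] ^= byte
    return bytes(out)


def parity_disk(stripe: int, n_disks: int) -> int:
    """Parity rotates across disks so no single disk becomes the write bottleneck."""
    return (n_disks - 1 - stripe) % n_disks


def raid5_write(data: bytes, n_disks: int = 3, chunk: int = 4) -> list:
    if n_disks < 3:
        raise ValueError("RAID 5 needs at least 3 disks")
    per_stripe = n_disks - 1                      # data chunks per stripe
    if len(data) % chunk:
        data += b"\x00" * (chunk - len(data) % chunk)
    chunks = [data[i:i + chunk] for i in range(0, len(data), chunk)]
    while len(chunks) % per_stripe:
        chunks.append(b"\x00" * chunk)            # pad the final stripe
    disks = [[] for _ in range(n_disks)]
    for s in range(len(chunks) // per_stripe):
        stripe = chunks[s * per_stripe:(s + 1) * per_stripe]
        p = parity_disk(s, n_disks)
        remaining = iter(stripe)
        for d in range(n_disks):
            disks[d].append(xor_chunks(stripe) if d == p else next(remaining))
    return disks


def raid5_read(disks: list) -> bytes:
    n_disks = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        p = parity_disk(s, n_disks)
        out += b"".join(disks[d][s] for d in range(n_disks) if d != p)
    return bytes(out)


def fail_disk(disks: list, failed: int) -> list:
    """Simulate a dead disk: every chunk on it is unreadable (None)."""
    return [[None] * len(d) if i == failed else list(d) for i, d in enumerate(disks)]


def rebuild(disks: list) -> list:
    """Reconstruct a single missing disk: each chunk is the XOR of the other disks' chunks
    in that stripe, whether the missing chunk was data or parity."""
    missing = [i for i, d in enumerate(disks) if d[0] is None]
    if len(missing) > 1:
        raise RuntimeError("RAID 5 tolerates only one failed disk")
    if not missing:
        return [list(d) for d in disks]
    k = missing[0]
    rebuilt = [list(d) for d in disks]
    for s in range(len(disks[0])):
        rebuilt[k][s] = xor_chunks([disks[d][s] for d in range(len(disks)) if d != k])
    return rebuilt


def survives_single_failure(data: bytes = DATA, n_disks: int = 3) -> bool:
    disks = raid5_write(data, n_disks)
    expected = raid5_read(disks)
    return all(raid5_read(rebuild(fail_disk(disks, k))) == expected for k in range(n_disks))


def double_failure_is_unrecoverable(data: bytes = DATA) -> bool:
    disks = fail_disk(fail_disk(raid5_write(data), 0), 1)
    try:
        rebuild(disks)
    except RuntimeError:
        return True
    return False
```

With 3 disks, two thirds of the capacity holds data and one third parity, and `survives_single_failure()` is True whichever disk is lost. The example also makes the operational caveat visible: while a disk is missing every read of its chunks is a full-stripe XOR, and a second failure during that window loses the array, which is why RAID 6 (two parity blocks) and, above all, backups still matter.
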

108
Q

Redundant parts

A

PSUs, fans, NICs, disk controllers.

109
Q

System redundancy

A

Load balancing and clustering, geographically dispersed.

110
Q

Database shadowing

A

An exact real-time copy of the DB or files to another location. It can be another disk in the same server, but best practice dictates another geographic location, often on a different medium.

111
Q

Electronic vaulting (e-vaulting)

A

Using a remote backup service; backups are sent off-site electronically at a certain interval or when files change.

112
Q

Remote journaling

A

Sends transaction log files to a remote location, not the files themselves. The transactions can be rebuilt from the logs if we lose the original files.

113
Q

BCP (Business Continuity Plan)

A

The process of creating the long-term strategic business plans, policies and procedures for continued operation after a disruptive event. It is for the entire organization, everything that could be impacted, not just IT. Lists a range of disaster scenarios and the steps the organization must take in any particular scenario to return to regular operations.

114
Q

BCP’s often contain:

A

COOP, Crisis Communications Plan, Critical Infrastructure Protection Plan, Cyber Incident Response Plan, DRP.

115
Q

DRP (Disaster Recovery Plan)

A

This is the process of creating the short-term plans, policies, procedures and tools to enable the recovery or continuation of vital IT systems in a disaster. It focuses on the IT systems supporting critical business functions, and how we get those back up after a disaster. The DRP is a subset of our BCP.

116
Q

The most common cause of disruptive events is internal employees.

A

Often called errors and omissions.

117
Q

DRP should answer at least 3 basic questions:

A

What is the objective and purpose? Who are the people or teams who will be responsible if any disruptions happen? What will these people do (our procedures) when the disaster hits? *Inform everyone who should know of what has happened.

118
Q

Mitigation (pre-disaster)

A

Reduce the impact and the likelihood of a disaster.

119
Q

Preparation

A

Build the programs, procedures and tools for our response.

120
Q

Response

A

How we react in a disaster, following the procedures.

121
Q

Recovery

A

Re-establish basic functionality and get back to full production.

122
Q

Older versions of NIST SP 800-34 had these steps as a framework for building our BCP/DRP

A

Project Initiation, Scope of Project, Business Impact Analysis, Identify Preventive Controls, Recovery Strategy, Plan Design and Development, Implementation, Training and Testing, BCP/DRP Maintenance.

123
Q

Rescue team (activation/notification)

A

Responsible for dealing with the disaster as it happens: evacuate employees, notify the appropriate personnel, pull the network from the infected server or shut down systems.

124
Q

Recovery team (failover)

A

Responsible for getting the alternate site up and running as fast as possible, or for getting the systems rebuilt. We get the most critical systems up first.

125
Q

Salvage team

A

Responsible for returning our full infrastructure, staff and operations to our primary site, or to a new facility if the old site was destroyed.

126
Q

BIA (Business impact analysis)

A

Identifies critical and non-critical organizational systems, functions and activities. Critical is where disruption is considered unacceptable; the acceptability is also based on the cost of recovery. A function may also be considered critical if dictated by law.

127
Q

Each critical sys, function or activity has two values assigned to them

A

RPO and MTD

128
Q

RPO (Recovery Point Objective)

A

The acceptable amount of data that cannot be recovered, expressed as a point in time before the disruption. The recovery point objective must ensure that the maximum tolerable data loss for each system, function or activity is not exceeded.

129
Q

MTD (Maximum Tolerable Downtime)

MTD >= RTO + WRT

A

The total time a system can be inoperable before our organization is severely impacted. The time to rebuild the system and its configuration for reinsertion into production (RTO plus WRT) must be less than or equal to our MTD.

130
Q

RTO (Recovery Time Objective) (hardware)

A

The amount of time to restore the system (hardware). The recovery time objective must ensure that the MTD for each system, function or activity is not exceeded.

131
Q

WRT (Work Recovery Time)(software)

A

The time required to configure a recovered system (restoring data, testing and getting the applications working) before it is back in production.

132
Q

Redundant site

A

A complete, identical site to our production site that receives a real-time copy of our data. Expensive.

133
Q

Hot site

A

Only houses critical applications and systems. We may have to manually fail traffic over, but a full switch can take an hour or less. Near-real-time or real-time copies of data.

134
Q

Warm site

A

Similar to the hot site, but without real-time or near-real-time data; it is usually restored from backups. A smaller but full data center. We manually fail traffic over; a full switch and restore can take 4-24 hours or more.

135
Q

Cold site

A

A smaller but full data center shell. No hardware or backups are at the cold site; systems must be acquired and configured and applications loaded and configured. This is the cheapest, but also the longest recovery option: it can take weeks or more.

136
Q

Reciprocal agreement site

A

Your organization has a contract with another organization that they will give you space in their data center in a disaster event, and vice versa.

137
Q

Mobile site

A

Basically a data center on wheels, often a container or trailer that can be moved wherever needed by a truck.

138
Q

Subscription/cloud site

A

We pay someone else to have a minimal or full replica of our production environment up and running within a certain number of hours (SLA).

139
Q

COOP (Continuity of Operations Plan)

A

How we keep operating in a disaster: how we get staff to alternate sites, and all the operational things we need to ensure we function, even if at reduced capacity, for up to 30 days.

140
Q

Cyber Incident Response Plan

A

How we respond to cyber events; can be part of the DRP or separate.

141
Q

OEP (Occupant Emergency Plan)

A

How we protect our facilities, our staff and the environment in a disaster event. Focuses on safety and evacuation: details how we evacuate, how often we do drills and the training staff should get.

142
Q

BRP (Business Recovery Plan)

A

Lists the steps we need to restore normal business operations after recovering from a disruptive event.

143
Q

Continuity of Support Plan

A

Focuses narrowly on the support of specific IT systems and applications. Also called the IT Contingency Plan, emphasizing IT over general business support.

144
Q

CMP (The Crisis Management Plan)

A

Gives us effective coordination among the management of the organization in the event of an emergency or disruptive event. Details the actions management must take to ensure that the life and safety of personnel and property are immediately protected in case of a disaster.

145
Q

Crisis Comm Plan

A

A sub-plan of the CMP. How we communicate internally and externally during a disaster.

146
Q

Call Trees

A

Each user in the tree calls a small number of users.

147
Q

Off site copies and plans

A

We keep both digital and physical copies of all our plans at off-site locations.

148
Q

EOC (Emergency Operations Center)

A

A central temporary command and control facility responsible for our emergency management or disaster management functions at a strategic level during an emergency.

149
Q

MOU/MOA (Memorandum of Understanding/Agreement)

A

Staff sign a legal document acknowledging that they are responsible for a certain activity.

150
Q

Executive Succession Planning

A

Senior leadership are often the only ones who can declare a disaster. Our plans should clearly outline who should declare a disaster if they are not available.

151
Q

Employee redundancy

A

We should have as high a degree of skilled-employee redundancy as we have on our critical hardware. The lack of it can be mitigated with training and job rotation.

152
Q

DRP review

A

Team members who are part of the DRP team review the plan quickly, looking for glaring omissions, gaps or missing sections in the plan.

153
Q

Read-through (checklist)

A

Managers and functional areas go through the plan and check a list of the components needed in the recovery process.

154
Q

Walk/Talk-through (tabletop or structured walkthrough)

A

A group of managers and critical personnel sit down and talk through the recovery process. Can often expose gaps, omissions or technical inaccuracies that would prevent the recovery.

155
Q

Simulated Test (Walkthrough Drill)

A

Similar to the walkthrough (but different; do not confuse them). The team simulates a disaster and the teams respond with their pieces of the DRP.

156
Q

Parallel processing

A

We bring critical components up at a secondary site using backups and compare them to the same systems at the primary site.

157
Q

Partial Interruption

A

We interrupt a single application and fail it over to our secondary facilities; often done off hours.

158
Q

Full Interruption

A

We interrupt all applications and fail them over to our secondary facilities; always done off hours. Both partial and full interruption tests are mostly done by fully redundant organizations.

159
Q

Testing

A

To ensure the plan is accurate, complete and effective; happens before we implement the plan.

160
Q

Drills (exercises)

A

Walkthroughs of the plan; the main focus is to train staff and improve employee response (think fire drills).

161
Q

Auditing

A

A third party ensures that the plan is being followed and understood and that the measures in the plan are effective.

162
Q

We train staff to raise their awareness

A

Awareness is their ability to do their task in the DRP.

163
Q

The plans need to be continually updated

A

It is an iterative process. Plans should be reviewed and updated at least every 12 months. When we update the plans, older copies are retrieved and destroyed and the current versions are distributed.

164
Q

After a disruption

A

We only use our BCP/DRP when our other countermeasures have failed.

165
Q

NIST 800-34

A

Provides instructions, recommendations, and considerations for federal information system contingency planning. Contingency planning refers to interim measures to recover information sys services after a disruption.

166
Q

ISO 22301

A

Societal security, Business continuity management systems. Specifies a management system to manage an organization's business continuity plan; supported by ISO 27031.

167
Q

ISO/IEC-27031

A

Guidelines for information and communication technology readiness for business continuity; provides more pragmatic advice concerning business continuity management from the IT side.

168
Q

BCI (Business Continuity Institute)

A

A 6-step process in the Good Practice Guidelines (GPG), the independent body of knowledge for business continuity.