Domain 7: Security Operations Flashcards

Review operational security terms covering monitoring, response, and recovery processes.

1
Q

Define:

3-2-1 Backup Strategy

A

A recommended backup protocol that involves keeping three copies of data on two different storage mediums, with one copy stored off-site for disaster recovery.

A best practice for data protection and disaster recovery: keep three copies of the data (the production copy plus two backups), on two different types of storage media, with at least one copy stored off-site. The point is redundancy and media diversity, so that a single hardware failure, site disaster, or accidental deletion cannot destroy every copy at once. Because ransomware increasingly targets online backups, the off-site copy should ideally also be offline or immutable. The rule says nothing about how many recovery points to keep; retention is a separate decision.

For more information, view this lecture on Backups. Or visit this Wikipedia page.

2
Q

Define:

Acceptable Interruption Window

A

The maximum time a system or service can be offline before the business suffers unacceptable harm; it sets the ceiling under which the recovery time objective (RTO) must fall.

This refers to the maximum time period during which a system or service can be down without causing unacceptable harm to the operations or the business. It is closely related to the maximum tolerable downtime (MTD) and is a key input to disaster recovery and business continuity planning, because the recovery time objective (RTO) for a system must be set within its acceptable interruption window. Knowing the window for each system is crucial for managing downtime risk and for justifying the level of investment in preventive and recovery measures.

Or visit this Wikipedia page.

3
Q

Define:

Active Recovery Site (Mirrored)

A

A real-time replica of the primary site for disaster recovery, ensuring business continuity with minimal downtime.

A disaster recovery site that is a real-time replica of the primary site, continually updated with data and transactions from the primary site. In the event of a system disruption or failure at the primary site, the active recovery site can take over almost instantly, ensuring business continuity with minimal downtime. This high-availability solution is the most expensive recovery option and suits organizations that cannot tolerate significant data loss or downtime. Because replication is continuous, it also copies corruption, deletions, and ransomware encryption to the mirror, so a mirrored site complements backups rather than replacing them.

For more information, view this lecture on Disaster Recovery sites. Or visit this Wikipedia page.

4
Q

Define:

Advanced Persistent Threat

(APT)

A

A sophisticated and stealthy cyberattack campaign aimed at specific entities to steal data or disrupt operations, often conducted by nation-states or their proxies.

A sophisticated, systematic, and long-term cyberattack campaign that targets specific entities with the intent to steal information or disrupt operations. APTs are typically conducted by nation-states or state-sponsored groups and are characterized by their stealth and persistence. These attackers use a variety of techniques to gain access to a network, maintain a foothold, and exfiltrate data without being detected over extended periods. APTs require a high degree of expertise and resources to conduct and are considered a significant threat to national security, large corporations, and critical infrastructure.

Or visit this Wikipedia page.

5
Q

Define:

Alternate Facilities

A

Pre-arranged secondary sites that an organization can operate from if primary facilities are unusable, ensuring business continuity during disruptions.

Secondary operational sites pre-arranged to be used if primary facilities become unusable due to disasters, system failures, or other disruptions. These facilities are part of an organization’s business continuity and disaster recovery planning, ensuring that critical business functions can continue with minimal downtime. Alternate facilities range from cold sites (space, power, and connectivity but no installed equipment), through warm sites (partially equipped, needing current data and configuration before use), to hot sites (fully equipped and ready to operate within hours), and mirror the technology and capabilities of the primary sites to various extents based on the organization’s recovery requirements.

For more information, view this lecture on Site selection- Part 1. Or visit this Wikipedia page.

6
Q

Define:

Alternate Process

A

A backup method for performing tasks when the primary process is unavailable, often part of disaster recovery to maintain operations during security incidents.

A secondary method or procedure that can be used to perform a task or operation when the primary process is unavailable or compromised. In a security context, this could refer to an alternative way of accessing a system, processing data, or communicating information when the usual method is disrupted. An alternate process is often part of a larger contingency or disaster recovery plan, aiming to maintain business operations during and after a security incident.

For more information, view this lecture on Developing our BCP and DRP. Or visit this Wikipedia page.

7
Q

Define:

Anomaly

A

An occurrence deviating from the norm, which in security can signal a potential issue like a malware infection, intrusion attempt, or insider threat.

Refers to any event, behavior, or state that deviates from an established baseline or norm. In the context of security, an anomaly could indicate a potential security incident, such as unusual network traffic, abnormal user behavior, or unexpected changes in system configuration. Anomalies aren’t necessarily malicious or negative, but they can be indicative of security issues such as malware infections, intrusion attempts, or insider threats.

8
Q

Define:

Anomaly Detection

A

A security technique for identifying unusual patterns or behaviors against a ‘normal’ baseline, signaling potential threats, often used in IDS/IPS and SIEM systems.

A technique used in security to identify unusual patterns or behaviors that may indicate a potential threat. It uses statistical methods, machine learning, or simple thresholds to establish a baseline of ‘normal’ activity and then flags deviations from it. Anomaly detection is applied across security, from network monitoring to fraud detection to user behavior analytics, and is a core component of intrusion detection and prevention systems (IDS/IPS) and security information and event management (SIEM) platforms. Its weaknesses are the mirror image of signature detection: it can catch novel attacks, but it produces false positives whenever legitimate activity changes, and its baseline must be built from clean, representative data, or an attacker who is already present will be learned as ‘normal’.

Or visit this Wikipedia page.

9
Q

Define:

Anonymity

A

The state of being unidentifiable within a context, allowing individuals to communicate without fear of retribution or scrutiny, important for secure communications.

The state of being unidentified or untraceable within a context or a set of data. Anonymity is highly valued in various scenarios, such as whistleblowing, secure browsing, or privacy-preserving communications, as it allows individuals to interact or share information without fear of retribution or unwarranted scrutiny.

Or visit this Wikipedia page.

10
Q

Define:

Application Aware Devices

A

Devices that identify and act on specific applications and their data in a network, providing detailed control and visibility for security and performance management.

These are devices that can identify, analyze, and act on specific applications and their traffic within a network, regardless of the port or protocol the application uses. They are used in network security and performance management to provide granular visibility and control at the application layer. Examples include next-generation firewalls, application-layer load balancers, and intrusion prevention systems that inspect the payload rather than relying only on addresses and ports.

11
Q

Define:

Application Containerization

A

Encapsulating applications in isolated containers with their operating environments to improve security, portability, and resource efficiency.

A lightweight alternative to full machine virtualization that packages an application with its dependencies, libraries, and configuration into a container that runs on the host’s operating system kernel. This isolates applications from each other and makes them portable and resource-efficient. The isolation is weaker than between virtual machines, however: containers share the host kernel, so a kernel vulnerability, a privileged container, or a misconfigured mount can let one container affect the host or its neighbours, and container images need the same patching and vulnerability scanning as any other software.

For more information, view this lecture on Hardware architecture- Part 2. Or visit this Wikipedia page.

12
Q

Define:

Application Proxy

A

Software that sits between a client and a server, terminates the client’s connection, and understands the application protocol it proxies, so it can inspect and filter traffic and keep servers from interacting with clients directly.

Software that acts as an intermediary between a client and a server at the application layer. Rather than forwarding packets, an application proxy terminates the client’s session, inspects the request at the protocol level, and opens its own connection to the server, which lets it enforce protocol rules, filter content, cache responses, and hide the internal network. Examples include HTTP (web) proxies, FTP proxies, and SMTP relays. A SOCKS proxy, by contrast, is a circuit-level proxy that relays connections without understanding the application protocol, so it offers far less inspection and is not an application proxy in the strict sense.

Or visit this Wikipedia page.

13
Q

Define:

Arbitrary Code Execution

A

A critical security vulnerability that allows an attacker to execute unauthorized code on a system, potentially leading to system compromise and unauthorized access.

A security vulnerability that allows an attacker to run code of their choosing on a target system, with the privileges of the vulnerable process. When it can be triggered over a network it is called remote code execution (RCE). It usually leads to full system compromise and is treated as a critical-severity finding. Typical root causes are memory-safety bugs such as buffer overflows, injection flaws, and unsafe deserialization.

Or visit this Wikipedia page.

14
Q

Define:

Archive Bit

A

A file or directory attribute that indicates whether it has been modified since the last backup, used to identify which files need to be included in the next backup operation.

A flag or attribute associated with a file or directory that indicates whether it has been modified since the last time it was backed up. The operating system sets the bit whenever a file is created or modified, and backup software uses it to select files. A full backup copies everything and clears the bit; an incremental backup copies only files with the bit set and clears it; a differential backup copies files with the bit set but leaves it set. That is why differentials grow until the next full backup, while incrementals stay small but require the whole chain to restore.

For more information, view this lecture on Backups. Or visit this Wikipedia page.
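To make the archive-bit rules concrete, here is an added example (not code from the flashcards or the lecture) that models a tiny filesystem which sets the bit on every write, runs full, incremental and differential backups against it, and works out which backup sets a restore needs. The file names and contents are constructed for the demo.

```python
"""Archive-bit bookkeeping for full, incremental and differential backups.

Added example: an in-memory model of how backup software uses the archive bit.
Full and incremental backups clear the bit on every file they copy; a
differential copies changed files but leaves the bit set, so each
differential grows until the next full backup.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class FileEntry:
    content: str
    archive: bool = True          # a new or modified file has the bit set


@dataclass
class BackupSet:
    kind: str                     # "full", "incremental" or "differential"
    files: dict[str, str] = field(default_factory=dict)


class Volume:
    """A toy filesystem that maintains the archive bit the way NTFS/FAT do."""

    def __init__(self) -> None:
        self.files: dict[str, FileEntry] = {}

    def write(self, name: str, content: str) -> None:
        self.files[name] = FileEntry(content, archive=True)   # any write sets the bit

    def backup(self, kind: str) -> BackupSet:
        if kind not in ("full", "incremental", "differential"):
            raise ValueError(f"unknown backup type {kind!r}")
        bset = BackupSet(kind)
        for name, entry in self.files.items():
            if kind != "full" and not entry.archive:
                continue                              # unchanged since the bit was last cleared
            bset.files[name] = entry.content
            if kind in ("full", "incremental"):
                entry.archive = False                 # differential leaves it set
        return bset


def restore_chain(history: list[BackupSet]) -> list[BackupSet]:
    """Minimal ordered list of backup sets needed to rebuild the latest state."""
    last_full = max(i for i, b in enumerate(history) if b.kind == "full")
    tail = history[last_full + 1:]
    chain = [history[last_full]] + [b for b in tail if b.kind == "incremental"]
    # A differential holds everything changed since the last bit-clearing backup
    # (full or incremental), so only the newest one after the last incremental
    # adds anything.
    last_inc = max((i for i, b in enumerate(tail) if b.kind == "incremental"), default=-1)
    diffs = [b for b in tail[last_inc + 1:] if b.kind == "differential"]
    if diffs:
        chain.append(diffs[-1])
    return chain


def restore(history: list[BackupSet]) -> dict[str, str]:
    state: dict[str, str] = {}
    for bset in restore_chain(history):
        state.update(bset.files)        # later sets overwrite earlier versions
    return state


def demo() -> dict:
    """Constructed scenario: a full, two differentials, then two incrementals."""
    vol = Volume()
    vol.write("a.txt", "a1")
    vol.write("b.txt", "b1")
    history = [vol.backup("full")]                   # a, b copied; bits cleared
    vol.write("a.txt", "a2")
    history.append(vol.backup("differential"))       # a only; bit stays set
    vol.write("c.txt", "c1")
    history.append(vol.backup("differential"))       # a and c: differentials grow
    history.append(vol.backup("incremental"))        # a and c again; bits cleared
    vol.write("b.txt", "b2")
    history.append(vol.backup("incremental"))        # b only
    return {
        "contents": [sorted(b.files) for b in history],
        "chain": [b.kind for b in restore_chain(history)],
        "restored": restore(history),
    }


if __name__ == "__main__":
    print(demo())
```

Two things the model makes visible: an incremental chain is only as good as its weakest member (lose one set and everything after it is unusable), and archive-bit schemes never record deletions, so a restored volume can resurrect files that were intentionally removed.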

15
Q

Define:

Artificial Intelligence

(AI)

A

The simulation of human-like intelligence and cognitive functions by machines, used in IT and Cybersecurity to automate tasks and improve threat detection and response.

A field of computer science focused on creating systems or machines that display human-like intelligence and cognitive functions such as learning, reasoning, problem-solving, perception, and language understanding. AI technologies include machine learning, natural language processing, robotics, and computer vision. In the context of IT and Cybersecurity, AI can be used to automate complex tasks, enhance decision-making, and improve security systems by identifying and responding to threats more efficiently than traditional methods. AI-powered cybersecurity solutions can adapt and evolve to detect new types of attacks, making them a critical component in modern security infrastructures.

For more information, view this lecture on Artificial Intelligence (AI). Or visit this Wikipedia page.

16
Q

Define:

Attack

A

An intentional act aiming to exploit system vulnerabilities or disrupt normal operations, resulting in unauthorized access, data theft, or service disruption.

Any action that intends to exploit vulnerabilities or disrupt the normal functioning of systems, networks, or applications. This could be initiated by individuals, groups, or even automated scripts with the aim of compromising system integrity, confidentiality, or availability, often leading to unauthorized access, data theft, or service disruption.

For more information, view this lecture on Risk- Attackers and Types of Attacks Part 1 and Risk- Attackers and Types of Attacks Part 2. Or visit this Wikipedia page.

17
Q

Define:

Attack Surface

A

All the potential vulnerabilities in a system or network that could be exploited, encompassing things like open ports, user access, and installed software.

The sum of all points in a system or network where an attacker could attempt to enter, extract data, or cause an effect. Enumerating it is the first step in assessing a system’s exposure, and reducing it (closing ports, removing unused software and accounts) lowers risk regardless of which specific vulnerabilities are present. Examples include the open ports and services on a server, the number of users with access to a system, and the software installed on it.

For more information, view this lecture on Secure Access Service Edge and Quantum Cryptography and Key Distribution. Or visit this Wikipedia page.

18
Q

Define:

Attack Vector

A

A method or pathway used by an attacker to access or compromise a system, including exploiting vulnerabilities and using social engineering tactics.

A path or method used by an attacker to gain access to a computer system or network. It is used in cybersecurity to describe the specific methods and techniques used by attackers to breach the security of a system or network. Examples include exploiting a software vulnerability, using social engineering tactics to trick a user, or using a brute force attack to guess a password.

Or visit this Wikipedia page.

19
Q

Define:

Automated Incident Response

A

Automated Incident Response uses technology-driven workflows to quickly identify, contain, and remediate security events, minimizing human intervention and accelerating resolution to mitigate damage and reduce downtime.

Automated Incident Response relies on pre-defined playbooks, integrated threat intelligence, and orchestration tools to handle alerts in real time. Systems can isolate affected endpoints, block malicious IPs, or quarantine suspicious files without waiting for manual approvals. This speed significantly decreases an attacker’s window of opportunity and lowers the overall impact on business operations. By standardizing reactions to known threats, security teams free up resources for complex investigations and strategic improvements. Automation should be bounded, though: a containment action triggered by a false positive (isolating a production database server, blocking a partner’s IP range) is itself an outage, so playbooks typically gate destructive actions behind confidence thresholds or a human approval step, and every automated action must be logged for the post-incident review.

20
Q

Define:

Automated Patch Management

A

The automatic identification, acquisition, and application of software updates to systems, essential for maintaining security by addressing vulnerabilities.

The process where software updates are identified, acquired, and applied to systems automatically, without the need for human intervention. This procedure is critical in maintaining system security, as it ensures that vulnerabilities are quickly addressed, reducing the window of opportunity for malicious actors to exploit known weaknesses. Automation still needs controls: patches should be tested on a representative pilot group before broad deployment, scheduled in maintenance windows, and paired with a backout plan, because a bad patch can cause an outage as surely as an exploited vulnerability.

For more information, view this lecture on Patch Management. Or visit this Wikipedia page.

21
Q

Define:

Backout Contingency Plan

A

A strategy for reverting system changes if updates cause issues, including restoring from backups and reverting to prior configurations.

A strategic plan outlining steps to revert changes made during system updates or modifications should these changes result in unforeseen issues or failures. This could include procedures to restore data from backups, reinstating prior configurations, or rolling back software updates. It plays a critical role in maintaining system stability and minimizing downtime, especially in high-risk environments where system reliability is paramount.

Or visit this Wikipedia page.

22
Q

Define:

Backup Contingency Plan

A

A strategy for data and system recovery in case of data loss or failures, detailing backup processes and resources for maintaining data availability.

A comprehensive strategy aimed at maintaining data availability and system functionality in the event of data loss, system failures, or disasters. This plan details the mechanisms, processes, and resources for creating, managing, and restoring from data backups. It is a fundamental component of a robust digital environment, ensuring business continuity and minimizing the negative impact of potential disruptions.

For more information, view this lecture on BCP and DRP - Part 1. Or visit this Wikipedia page.

23
Q

Define:

Backup or Backing Up

A

Creating data copies for restoration after data loss or system failure, an essential practice for data protection and ensuring business continuity.

The process of creating copies of data that can be used to restore the original information in the event of data loss, corruption, or system failures. This is a critical process in safeguarding data and ensuring business continuity, enabling the restoration of data from a previous point in time and reducing potential damage or disruptions caused by unforeseen events.

For more information, view this lecture on Backups. Or visit this Wikipedia page.

24
Q

Define:

Backup Storage Strategies

A

Planning for how and where to store backup data, considering storage types, backup formats, and frequency, balancing protection needs with costs.

The methodology and planning involved in determining how and where backup data is stored. This might encompass decisions about the location of storage (local, off-site, or cloud), the type of backup (full, incremental, or differential), the retention period, and the frequency of backup creation. An effective strategy balances data protection needs, cost, and business continuity objectives to ensure a reliable and efficient recovery process.

For more information, view this lecture on Backups. Or visit this Wikipedia page.

25
# Define: Backup Verification Data
Data used to confirm the integrity of backup copies, ensuring they are valid for restoring the organization's data in case of a disaster or loss. ## Footnote Data that is used to verify the integrity and accuracy of a backup copy, so that the copy can be relied on to restore an organization's data after a disaster or data loss. Examples include a cryptographic checksum (such as a SHA-256 digest) for each file in the backup, file sizes and timestamps, and the metadata needed to restore ownership and permissions. Checksums only prove that the copy still matches what was written at backup time; a scheduled test restore is the only verification that the backup can actually be used. *For more information, view this lecture on [Backups](https://courses.thorteaches.com/courses/take/cissp/lessons/19180401-backups). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Backup#Objectives).*
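As an added example (not code from the flashcards or the lecture), the following builds a checksum manifest for a backup set and then verifies a restored copy against it. The source tree, the flipped bit, and the stray file are constructed inside a temporary directory so the example runs offline; the manifest layout (relative path to digest, size and mtime) is an assumption, not a standard format.

```python
"""Backup verification with a per-file SHA-256 manifest (added example)."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large backup members do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, dict]:
    """Digest, size and mtime for every regular file under root, keyed by relative POSIX path."""
    manifest: dict[str, dict] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            manifest[p.relative_to(root).as_posix()] = {
                "sha256": sha256_file(p),
                "size": st.st_size,
                "mtime": int(st.st_mtime),
            }
    return manifest


def verify_restore(manifest: dict[str, dict], restored: Path) -> dict[str, list[str]]:
    """Compare a restored tree against the manifest recorded at backup time."""
    report: dict[str, list[str]] = {"ok": [], "missing": [], "corrupt": [], "unexpected": []}
    for rel, meta in manifest.items():
        p = restored / rel
        if not p.is_file():
            report["missing"].append(rel)
        # Size is a cheap first check, but a flipped bit keeps the size, so the digest decides.
        elif p.stat().st_size != meta["size"] or sha256_file(p) != meta["sha256"]:
            report["corrupt"].append(rel)
        else:
            report["ok"].append(rel)
    for p in sorted(restored.rglob("*")):
        rel = p.relative_to(restored).as_posix()
        if p.is_file() and rel not in manifest:
            report["unexpected"].append(rel)       # files that were never in the backup
    return report


def demo() -> dict[str, list[str]]:
    """Constructed source tree, a stored manifest, and a deliberately bad restore."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "source", Path(tmp) / "restored"
        (src / "etc").mkdir(parents=True)
        (src / "etc" / "app.conf").write_text("listen=443\n")
        (src / "db.sql").write_bytes(b"INSERT INTO t VALUES (1);\n" * 1000)
        stored = json.dumps(build_manifest(src), indent=2)   # ship this alongside the backup

        dst.mkdir()
        damaged = bytearray((src / "db.sql").read_bytes())
        damaged[100] ^= 0x01                                  # one flipped bit, same size
        (dst / "db.sql").write_bytes(bytes(damaged))
        (dst / "stray.tmp").write_text("left over\n")         # etc/app.conf is never restored
        return verify_restore(json.loads(stored), dst)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest should be stored separately from the backup media (and ideally signed), since an attacker or a failing disk that can alter the backup can alter a manifest stored next to it just as easily.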
26
# Define: Banner
A message displayed on a screen or network device that provides system identification and information, commonly serving as a warning or disclaimer to users. ## Footnote A message displayed by a computer or network service that identifies the system and, in the case of a login banner, warns users about authorized use and monitoring before they access it. Examples include the login banner on a server and the banner a firewall or SSH daemon returns before a connection is authenticated. Service banners that reveal software names and version numbers aid attacker reconnaissance (banner grabbing), so the practical rule is to keep the legal warning banner and minimize the version detail a service discloses.
27
# Define: Behavior Analytics
The analysis of user or system behavior data to detect anomalies signaling potential threats, often using a baseline to highlight unusual actions. ## Footnote The study of patterns and anomalies in data related to user or system behavior to detect potential threats. By establishing a baseline of 'normal' activity, this approach can highlight unusual or suspicious actions that deviate from the baseline, indicating a possible security issue. It is widely used for detecting sophisticated attacks that may not trigger traditional security alerts, aiding in timely response to potential threats. *For more information, view this lecture on [Malware- Part 2](https://courses.thorteaches.com/courses/take/cissp/lessons/18684286-malware-part-2). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/User_behavior_analytics).*
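The Anomaly Detection card above and this Behavior Analytics card describe the same mechanism: learn a per-user baseline, then score new events by how far they deviate. The following added example (not code from the flashcards or the lecture) does exactly that over constructed authentication log lines. The log format, the users, the network ranges, and the scoring weights are all assumptions made for the demo.

```python
"""Baseline-and-deviation detection over constructed auth events (added example)."""
from collections import Counter, defaultdict
from datetime import datetime
import re

LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\w+) src=(?P<src>[\d.]+) result=(?P<res>ok|fail)$")


def parse(line: str) -> dict:
    m = LINE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    e = m.groupdict()
    e["ts"] = datetime.fromisoformat(e["ts"])
    e["net"] = ".".join(e["src"].split(".")[:3])      # crude /24 as the "source network"
    return e


class Baseline:
    """Per-user profile: hour-of-day histogram and the set of source networks seen."""

    def __init__(self) -> None:
        self.hours: dict[str, Counter] = defaultdict(Counter)
        self.nets: dict[str, set] = defaultdict(set)
        self.total: Counter = Counter()

    def train(self, events) -> None:
        for e in events:
            if e["res"] != "ok":
                continue                                  # only successes define "normal"
            self.hours[e["user"]][e["ts"].hour] += 1
            self.nets[e["user"]].add(e["net"])
            self.total[e["user"]] += 1

    def score(self, e: dict) -> tuple[float, list[str]]:
        """0.0 fits the profile, 1.0 deviates on every feature; reasons explain the score."""
        user, reasons, score = e["user"], [], 0.0
        if self.total[user] == 0:
            return 1.0, ["no baseline for user"]
        if self.hours[user][e["ts"].hour] == 0:
            score += 0.5
            reasons.append(f"never seen at hour {e['ts'].hour:02d}")
        if e["net"] not in self.nets[user]:
            score += 0.5
            reasons.append(f"new source network {e['net']}.0/24")
        return score, reasons


def build_baseline(lines) -> Baseline:
    b = Baseline()
    b.train(parse(l) for l in lines)
    return b


def detect(baseline: Baseline, lines, threshold: float = 0.5, fail_burst: int = 3) -> list[dict]:
    """Score each successful login against the profile; also flag bursts of failures."""
    events = [parse(l) for l in lines]
    alerts = []
    for e in events:
        if e["res"] == "ok":
            s, why = baseline.score(e)
            if s >= threshold:
                alerts.append({"user": e["user"], "ts": e["ts"].isoformat(), "score": s, "reasons": why})
    for user, n in Counter(e["user"] for e in events if e["res"] == "fail").items():
        if n >= fail_burst:
            alerts.append({"user": user, "ts": None, "score": 1.0, "reasons": [f"{n} failed logins in batch"]})
    return alerts


def constructed_training() -> list[str]:
    """Ten days of ordinary office-hours logins for two constructed users."""
    lines = []
    for day in range(1, 11):
        for hour in (8, 9, 11, 14, 17):
            lines.append(f"2024-03-{day:02d}T{hour:02d}:05:00 user=alice src=10.0.1.{day} result=ok")
        for hour in (7, 12, 16):
            lines.append(f"2024-03-{day:02d}T{hour:02d}:30:00 user=bob src=10.0.2.{20 + day} result=ok")
    return lines


CONSTRUCTED_NEW = [
    "2024-03-11T09:02:00 user=alice src=10.0.1.44 result=ok",    # usual hour, usual network
    "2024-03-11T03:12:00 user=alice src=203.0.113.5 result=ok",  # 3 a.m. from an unknown network
    "2024-03-11T12:00:10 user=bob src=10.0.2.9 result=fail",
    "2024-03-11T12:00:20 user=bob src=10.0.2.9 result=fail",
    "2024-03-11T12:00:30 user=bob src=10.0.2.9 result=fail",
    "2024-03-11T12:00:40 user=bob src=10.0.2.9 result=fail",
    "2024-03-11T12:00:50 user=bob src=10.0.2.9 result=fail",
    "2024-03-11T12:03:00 user=bob src=10.0.2.9 result=ok",       # then succeeds: guessing, or a typo?
]

if __name__ == "__main__":
    for a in detect(build_baseline(constructed_training()), CONSTRUCTED_NEW):
        print(a)
```

Note what the scoring does and does not say: alice’s 3 a.m. login from an unknown network scores 1.0, but that is a deviation, not proof of compromise (she may be travelling), which is the card’s point that anomalies are signals to triage rather than verdicts. Bob’s run of failures followed by a success is a classic pattern worth a second look even though the successful login itself fits his profile perfectly. In production the baseline would be rebuilt on a rolling window so it tracks legitimate change, and built only from a period believed clean so an attacker’s activity is not learned as normal.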
28
# Define: Behavior Blocking
A security approach monitoring application activities to block actions matching predefined malicious behavior patterns, protecting against known and unknown threats. ## Footnote A proactive security technique that monitors and controls the activities of applications to prevent malicious or abnormal actions. Rather than relying on known malware signatures, this method focuses on the actions an application attempts to perform. If these actions match predefined or dynamically learned malicious behavior patterns, the action is blocked, providing a layer of protection against both known and unknown threats. *For more information, view this lecture on [Malware- Part 2](https://courses.thorteaches.com/courses/take/cissp/lessons/18684286-malware-part-2).*
29
# Define: Benign
In IT and cybersecurity, it refers to non-harmful software or activities and also describes false positives where non-threatening events are mistakenly flagged as threats. ## Footnote In IT and cybersecurity, benign refers to software or activities that are not harmful to systems or data. While the term can apply to innocuous programs or files, it is also used to describe false positives in security alerts, where benign events are mistakenly flagged as threats. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Computer#Bugs).*
30
# Define: Benign Environment
A secure environment free from threats or risks, often used in research and development to conduct controlled experiments, evaluations, or simulations. ## Footnote A safe, secure, and controlled environment that is free from threats or risks. It is commonly used in testing, research, and development to create a controlled environment for experiments, evaluations, or simulations. Examples include a laboratory, a sandbox, and a virtual machine.
31
# Define: Black Hat Hacker
A black hat hacker is a cybercriminal who breaches systems and networks illegally for personal gain or malicious intent, disregarding ethical and legal standards. ## Footnote Motivated by profit, sabotage, or notoriety, black hat hackers exploit vulnerabilities through methods like malware deployment, phishing, or zero-day exploits. Their actions can lead to data theft, service disruption, or financial loss. Countermeasures against black hat activities include robust threat detection, continuous patching, and carefully crafted defensive strategies. Understanding their techniques helps security professionals anticipate new attack vectors and enhance protective measures. *For more information, view this lecture on [Risk- Attackers and Types of Attacks Part 1](https://courses.thorteaches.com/courses/take/cissp/lessons/18588139-risk-attackers-and-types-of-attacks-part-1). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Hacker).*
32
# Define: Boot Sector Virus
Malware infecting a device's boot sector, persisting through reboots and potentially controlling the system before full OS loading, posing a high security risk. ## Footnote A type of malware that infects the boot sector of storage devices (like hard drives or removable media). Once installed, it is loaded into memory every time the system starts up, enabling it to persist even after a system reboot. It can potentially take control of the system before the operating system is fully loaded, making it particularly dangerous and difficult to detect and remove with standard antivirus tools. Signed boot chains such as UEFI Secure Boot have made classic boot sector viruses rare, but the same persistence goal lives on in bootkits that target the firmware and bootloader. *For more information, view this lecture on [Malware- Part 1](https://courses.thorteaches.com/courses/take/cissp/lessons/18684054-malware-part-1). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Computer_virus#Targets_and_replication).*
33
# Define: Bot
An automated program performing specific tasks without human input, ranging from benign activities to malicious uses like DDoS attacks or spam distribution. ## Footnote Short for robot, in a digital context, refers to an automated program designed to perform specific tasks without human intervention. These tasks can range from benign activities, such as web crawling for search engines, to malicious uses, such as launching distributed denial-of-service attacks (DDoS), spreading spam, or perpetrating click fraud. Because of their potential for misuse, it's crucial to monitor network activities for unusual patterns that may suggest the presence of malicious bots. *For more information, view this lecture on [Risk- Attackers and Types of Attacks Part 2](https://courses.thorteaches.com/courses/take/cissp/lessons/18588146-risk-attackers-and-types-of-attacks-part-2). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Internet_bot).*
34
# Define: Botnet
A network of infected, remotely-controlled computers used for malicious activities like DDoS attacks, with examples including the Mirai and Storm botnets. ## Footnote A network of infected computers that are controlled by a single entity, often without the knowledge of the computers' owners. Botnets are typically used to perform distributed denial of service (DDoS) attacks, in which the botnet is used to flood a target website or network with traffic, overwhelming its resources and rendering it inaccessible. Examples of botnets include the Mirai botnet, which was used in several high-profile DDoS attacks, and the Storm botnet, which was one of the largest botnets in history. *For more information, view this lecture on [Risk- Attackers and Types of Attacks Part 2](https://courses.thorteaches.com/courses/take/cissp/lessons/18588146-risk-attackers-and-types-of-attacks-part-2). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Botnet).*
35
# Define: Business Continuity
The capacity to maintain essential functions during and after a disaster, aiming to ensure operational continuity and prompt recovery after disruptive incidents. ## Footnote The ability of an organization to maintain essential functions during and after a disaster has occurred. This involves planning and preparation to ensure that an organization can continue to operate in case of serious incidents or disasters and can recover to an operational state within a reasonably short period. This concept extends beyond disaster recovery to include keeping all aspects of a business functioning amidst disruptive events. *For more information, view this lecture on [BCP and DRP - Part 1](https://courses.thorteaches.com/courses/take/cissp/lessons/19180431-bcp-and-drp-part-1). View this lecture on [BCP and DRP - Part 2](https://courses.thorteaches.com/courses/take/cissp/lessons/35948539-bcp-and-drp-part-2). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Business_continuity_planning).*
36
# Define: Business Continuity Planning | (BCP)
The creation of systems to prevent and recover from potential threats, identifying critical processes and downtime, resulting in a comprehensive Business Continuity Plan. ## Footnote The process of creating systems of prevention and recovery to deal with potential threats to an organization. BCP involves identifying critical business processes, determining acceptable downtime for each of these, and establishing protocols to restore function quickly and efficiently after a disruption. The end result of this process is a Business Continuity Plan - a comprehensive written document that guides an organization in responding to and recovering from disruptive incidents. *For more information, view this lecture on [BCP and DRP - Part 1](https://courses.thorteaches.com/courses/take/cissp/lessons/19180431-bcp-and-drp-part-1). View this lecture on [BCP and DRP - Part 2](https://courses.thorteaches.com/courses/take/cissp/lessons/35948539-bcp-and-drp-part-2). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Business_continuity_planning).*
37
# Define: Business Email Compromise | (BEC)
Business Email Compromise (BEC) is a social engineering scam where attackers spoof or hijack corporate email accounts to trick employees into transferring funds or disclosing sensitive information. ## Footnote In a BEC attack, cybercriminals study organizational structures and targets’ behaviors, often impersonating executives or vendors with urgent requests. These fraudulent emails may request wire transfers or confidential data, capitalizing on trust in recognized names and addresses. Advanced BEC schemes employ email spoofing techniques and carefully crafted pretexts to bypass security filters. Detection relies on employee caution, threat intelligence, and email authentication (SPF, DKIM and DMARC) to reject spoofed use of the organization’s own domain. Many BEC campaigns, however, use lookalike domains, free webmail with a forged display name, or a legitimately compromised account, none of which DMARC stops, so payment-change and wire requests also need an out-of-band verification step. Successful BEC attacks can cause severe financial, reputational, and legal consequences for organizations.
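The following added example (not code from the flashcards) shows the kind of header triage a mail gateway or SOC script applies to catch the BEC patterns described above: a trusted display name on an external mailbox, a lookalike of the corporate domain, a Reply-To steering answers elsewhere, and mail claiming the corporate domain without a DMARC pass. The corporate domain, the executive directory, and the sample headers are all constructed for the demo.

```python
"""Heuristic triage of inbound mail headers for BEC indicators (added example)."""
from email.utils import parseaddr
import unicodedata

CORP_DOMAIN = "example.com"                          # assumption: the defended domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}    # assumption: directory of impersonation targets


def normalize_domain(domain: str) -> str:
    """Fold common lookalike tricks so 'exarnple.com' and 'examp1e.com' equal 'example.com'.

    The corporate domain itself must not contain these sequences; otherwise compare
    normalized forms on both sides.
    """
    d = unicodedata.normalize("NFKD", domain.lower()).encode("ascii", "ignore").decode()
    for old, new in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")):
        d = d.replace(old, new)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one edit from the corporate domain is a typosquat candidate."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(headers: dict[str, str]) -> list[str]:
    """Return human-readable BEC indicators found in one message's headers."""
    findings = []
    name, addr = parseaddr(headers.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    key = name.strip().lower()

    # 1. Display-name impersonation: a trusted name on an untrusted mailbox.
    if key in EXECUTIVES and addr.lower() != EXECUTIVES[key]:
        findings.append(f"display name '{name}' but address {addr}")

    # 2. Lookalike domain: not ours, but a homoglyph or a single edit away.
    if domain != CORP_DOMAIN and (
        normalize_domain(domain) == CORP_DOMAIN or edit_distance(domain, CORP_DOMAIN) == 1
    ):
        findings.append(f"lookalike domain {domain}")

    # 3. Reply-To steering replies to a different domain than the visible sender.
    _, reply = parseaddr(headers.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != domain:
        findings.append(f"Reply-To {reply} differs from From domain")

    # 4. Mail claiming our own domain must carry a DMARC pass from our gateway
    #    (a production check parses Authentication-Results per RFC 8601).
    if domain == CORP_DOMAIN and "dmarc=pass" not in headers.get("Authentication-Results", ""):
        findings.append("claims corporate domain but DMARC did not pass")
    return findings


# Constructed messages: one legitimate, then the three classic BEC shapes.
CONSTRUCTED_MAIL = [
    {"From": "Jane Doe <jane.doe@example.com>",
     "Authentication-Results": "mx.example.com; spf=pass; dkim=pass; dmarc=pass header.from=example.com"},
    {"From": "Jane Doe <jane.doe.ceo@gmail.com>", "Reply-To": "jane.doe.ceo@gmail.com"},
    {"From": "Accounts Payable <ap@exarnple.com>", "Reply-To": "ap@exarnple.com"},
    {"From": "Jane Doe <jane.doe@example.com>", "Reply-To": "j.doe@outlook.com",
     "Authentication-Results": "mx.example.com; spf=fail; dkim=none; dmarc=fail header.from=example.com"},
]

if __name__ == "__main__":
    for msg in CONSTRUCTED_MAIL:
        print(msg["From"], "->", triage(msg) or "no indicators")
```

Only the fourth message is caught by DMARC; the second and third would pass every authentication check because the attacker legitimately controls the sending domain. That is why the header heuristics and a human verification step for money movement matter as much as SPF, DKIM and DMARC.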
38
# Define: Business Interruption
A halt or major disruption in normal business operations caused by unexpected events, leading to losses and emphasizing the need for continuity and recovery planning. ## Footnote An unexpected event that causes a halt or significant disruption in the normal operations of a business, such as a natural disaster, cyber-attack, or power outage. It can lead to substantial losses, and therefore, the prompt restoration of services is vital. Preparing for and managing business interruption is a central element of business continuity and disaster recovery planning. *For more information, view this lecture on [BCP and DRP - Part 1](https://courses.thorteaches.com/courses/take/cissp/lessons/19180431-bcp-and-drp-part-1). View this lecture on [BCP and DRP - Part 2](https://courses.thorteaches.com/courses/take/cissp/lessons/35948539-bcp-and-drp-part-2). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Business_interruption_insurance).*
39
# Define: Capacity Stress Testing
Testing a system's ability to handle its intended workload without performance degradation, usually by simulating high traffic or data loads. ## Footnote The process of testing a system's ability to handle its intended workload without experiencing performance issues. This typically involves simulating high traffic or data loads and monitoring how the system handles them, which can help identify bottlenecks or points of failure that may need to be addressed to ensure optimal performance during peak usage times.
40
# Define: Center For Internet Security | (CIS)
The Center for Internet Security (CIS) is a nonprofit organization offering cybersecurity resources, including benchmarks and the widely adopted CIS Controls, to guide safe IT practices. ## Footnote CIS develops configuration standards and best practices that address known vulnerabilities and foster stronger defenses. These tools include detailed benchmarks for operating systems, cloud environments, and various software. CIS’s signature product, the CIS Controls, outlines prioritized security steps to protect networks from prevalent threats. Through partnerships, training, and collaboration, CIS helps governments and businesses worldwide strengthen their cybersecurity posture and meet compliance mandates. *Or visit the [CIS website](https://www.cisecurity.org).*
41
# Define: Change Advisory Board | (CAB)
A committee evaluating, prioritizing, and approving changes to a system or environment to ensure they are managed methodically and safely. ## Footnote A committee made up of stakeholders and subject matter experts whose role is to assess, prioritize, and approve changes to an environment or system. The CAB is responsible for evaluating the proposed changes in terms of their potential benefits, risks, and impacts to ensure changes are managed methodically to prevent negative effects and maintain smooth operations. This group plays a significant role in ensuring changes do not unintentionally introduce new vulnerabilities or weaken existing safeguards. *For more information, view this lecture on [Change management](https://courses.thorteaches.com/courses/take/cissp/lessons/19180365-change-management). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Change-advisory_board).*
42
# Define: Change Control
Managing system alterations through documentation, evaluation, and approval to minimize risks and ensure traceability of changes.

## Footnote

A systematic approach to managing alterations to a system, project, or process. The process typically includes steps like documenting, evaluating, approving, and implementing changes. The goal is to prevent unnecessary changes, minimize the risk of adverse effects, and ensure that all modifications are traceable and well-documented. This is especially crucial for maintaining the integrity of the environment, as unplanned or unapproved changes can lead to vulnerabilities or inconsistencies that can be exploited by malicious parties. *For more information, view this lecture on [Change management](https://courses.thorteaches.com/courses/take/cissp/lessons/19180365-change-management). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Change_control).*
43
# Define: Change Control Board | (CCB)
A body reviewing, approving, or rejecting changes to ensure they are beneficial, feasible, and do not negatively impact overall system security.

## Footnote

A group that reviews, approves, or rejects proposed changes to a project or system. This body evaluates the implications of the changes on the whole system, taking into account factors such as risk, cost, and schedule. The CCB's role is to ensure that the proposed changes are beneficial, feasible, and compatible with the existing structure and that they do not negatively impact the overall functionality and security. *For more information, view this lecture on [Change management](https://courses.thorteaches.com/courses/take/cissp/lessons/19180365-change-management). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Change_control_board).*
44
# Define: Change Documentation
A record of alterations made to a system, including details of changes, authorizations, timings, reasons, and impacts, serving as an audit trail.

## Footnote

The detailed record of any alterations made to a system, project, or process. It includes information about the nature of changes, the individuals who authorized them, the time of their implementation, the reasons for their necessity, and the impact they had. This record serves as an important audit trail for understanding modifications over time and aids in tracking any changes that could potentially introduce vulnerabilities or inconsistencies into a system. *For more information, view this lecture on [Change management](https://courses.thorteaches.com/courses/take/cissp/lessons/19180365-change-management). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Change_management).*
45
# Define: Change Management
Handling changes in a structured approach, planning, testing, implementing, and reviewing to minimize disruption and prevent vulnerabilities.

## Footnote

A structured approach to handling modifications, both from the organization's perspective and on the individual level. It entails planning, testing, implementing, and reviewing changes to ensure they are managed in a controlled manner. The aim of change management is to minimize disruption, reduce potential vulnerabilities arising from system modifications, and prevent unnecessary consequences that could weaken the overall system. *For more information, view this lecture on [Change management](https://courses.thorteaches.com/courses/take/cissp/lessons/19180365-change-management). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Change_management).*
46
# Define: Change Management Board
A body overseeing changes within an organization, similar to a Change Advisory Board or Change Control Board, ensuring strategic and secure changes.

## Footnote

A governance body typically established to oversee and approve changes in an organization, ensuring they align with strategic objectives and do not introduce undue risk. The term "Change Management Board" is less commonly used than "Change Advisory Board" (CAB) or "Change Control Board" (CCB), both of which serve a similar function within the ITIL framework for managing changes effectively. *For more information, view this lecture on [Change management](https://courses.thorteaches.com/courses/take/cissp/lessons/19180365-change-management). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Change-advisory_board).*
47
# Define: Checkpoint Restart Procedures
Methods that save intermediate results at certain points, allowing processes to restart from checkpoints after interruptions.

## Footnote

A method of managing long-running processes where intermediary results of a process are saved at 'checkpoints.' If the process is interrupted, rather than starting from the beginning, it restarts from the last checkpoint. This strategy is crucial for maintaining system availability and data integrity during unexpected events like system crashes or power outages. Besides saving time, these procedures can also help prevent data loss and minimize the potential for data corruption.
48
# Define: Client-Side Attack
An attack targeting vulnerabilities in client software and requiring the execution of malicious code on the user's device.

## Footnote

An attack that targets vulnerabilities in client software that interacts with a compromised server or processes malicious data. Common examples include attacking a user's web browser via malicious web pages, email clients via phishing emails, or software applications via malicious data files. These attacks often rely on the execution of malicious scripts or the exploitation of vulnerabilities in the client software. The aim is often to gain unauthorized access, steal sensitive data, or establish a persistent presence on the victim's system. *For more information, view this lecture on [Malware- Part 2](https://courses.thorteaches.com/courses/take/cissp/lessons/18684286-malware-part-2). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Client%E2%80%93server_model#Server-side).*
49
# Define: Cloud Backups
The practice of storing copies of data on remote cloud servers to protect against data loss due to hardware failures, deletion, or cyberattacks.

## Footnote

The process of storing copies of digital data in a remote, cloud-based server. This practice is a key part of data loss prevention strategies, providing a safeguard against issues like hardware failure, accidental deletion, or cyberattacks. The cloud's scalability and accessibility advantages over traditional, on-premises backup methods make it an increasingly popular choice for ensuring data resilience and continuity. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Cloud_backup).*
50
# Define: Cloud Recovery Preparation
The planning and implementation of strategies to recover cloud-hosted data and systems during a disaster or disruption to ensure business continuity.

## Footnote

The process of planning and implementing strategies to recover data, applications, and systems hosted in the cloud in the event of a disaster or disruption. This includes setting up backups, creating disaster recovery plans, ensuring redundancy, and establishing failover systems. It's crucial for maintaining business continuity and minimizing downtime in the event of an outage or other disruptive events.
51
# Define: Cloud Security Posture Management | (CSPM)
CSPM automates cloud resource discovery and continuously checks configurations for security compliance, helping organizations detect misconfigurations and vulnerabilities in their cloud environments.

## Footnote

Cloud Security Posture Management uses policy-based tools and services to monitor cloud environments, ensuring alignment with best practices and industry regulations. It scans infrastructure-as-code templates, virtual machines, and container platforms for configuration drift, offering real-time alerts when risky settings are discovered. By reducing human error and enforcing consistent security policies, CSPM lowers the likelihood of data leaks or unauthorized access. This proactive oversight improves overall cloud security and supports governance initiatives.
52
# Define: Cloud Workload Protection Platform | (CWPP)
A CWPP secures cloud-based workloads across different environments by offering threat detection, vulnerability management, and consistent protection policies.

## Footnote

A Cloud Workload Protection Platform identifies and defends workloads—whether in virtual machines, containers, or serverless functions—by scanning for malware, misconfigurations, and suspicious activity. It enables unified security enforcement across hybrid and multi-cloud architectures, using techniques like micro-segmentation, real-time monitoring, and anomaly detection. By centralizing policy management, CWPPs help reduce operational complexity and security gaps. Integrating CWPP solutions into DevOps pipelines further ensures that applications are protected from build through runtime. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Cloud_workload_protection_platform).*
53
# Define: Clustering
Grouping objects, nodes, or data points based on similarities, used in systems and networks to improve performance and resilience.

## Footnote

The process of grouping a set of objects, nodes, or data points in such a way that objects in the same group (a cluster) are more similar to each other than to those in other groups. In the context of systems and networks, clustering is used to enhance performance, availability, and resilience by distributing workloads across multiple nodes or servers. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Computer_cluster).*
54
# Define: CMBs | (Change Management Boards)
Groups that evaluate, approve, and prioritize changes within an organization, assessing risk and potential impact on systems.

## Footnote

These are groups of stakeholders and technical experts who evaluate, approve, and prioritize changes within an organization, often in regard to project management or software development. Their role involves evaluating the risk, cost, and potential impact of proposed changes, ensuring that the implementation of changes does not disrupt existing workflows or create new vulnerabilities in the system. *For more information, view this lecture on [Change management](https://courses.thorteaches.com/courses/take/cissp/lessons/19180365-change-management). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Change-advisory_board).*
55
# Define: Cold Rollover
Transitioning to a secondary system during outages where the backup is started from an inactive state, usually requiring manual intervention and longer restoration times.

## Footnote

The transition to a secondary system or network during a planned or unplanned outage, where the secondary system is started from an inactive state. It generally requires manual intervention to restore services and data from backups, leading to longer restoration times compared to hot or warm rollovers.
56
# Define: Cold Site
A backup facility with no pre-installed hardware or software, providing space and infrastructure for setting up operations but requiring time to become operational.

## Footnote

A backup location that is kept on standby for use if the primary business location becomes unavailable due to a disaster or other disruptive event. Unlike a hot site, a cold site doesn't have pre-installed hardware and software ready to take over operations. Instead, it provides the necessary space and infrastructure for setting up a temporary operational environment, but setting it up could take several days or even weeks. *For more information, view this lecture on [Disaster Recovery sites](https://courses.thorteaches.com/courses/take/cissp/lessons/19180523-disaster-recovery-sites). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Backup_site).*
57
# Define: Cold Start
Starting a computer or system from an off state; in cloud services, it also refers to the challenge of making decisions with limited initial data.

## Footnote

In computing, a cold start refers to powering up a device or system from a completely off state, as opposed to a warm start or reboot, which involves restarting the system without interruption to power. In the context of cloud services or big data, it can also refer to the challenge of making accurate recommendations or decisions when there is insufficient data about users or items, commonly faced by recommendation systems. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Cold_start_(computing)).*
58
# Define: Collection of Evidence
Systematically gathering data and information to support security incident investigations, requiring proper handling to maintain evidence integrity.

## Footnote

The process of collecting evidence involves systematically gathering data and information that can help investigate and resolve a security incident or breach. This can include log files, network traffic data, copies of malicious software, or user access records. Proper handling and storage of collected evidence is crucial to maintaining its integrity and usability, especially if it is needed for legal proceedings. *For more information, view this lecture on [Laws and Regulations- Evidence](https://courses.thorteaches.com/courses/take/cissp/lessons/18552296-laws-and-regulations-evidence). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Digital_forensics#Digital_evidence).*
59
# Define: Command Control (C&C) Server
A computer or network used by attackers to manage a botnet, sending commands and coordinating activities.

## Footnote

A computer or network that is used by attackers to remotely control and manage the activities of a network of infected computers, known as a botnet. C&C servers are used to send commands, receive data, and coordinate the activities of the botnet. Examples of C&C servers include DarkComet, Mirai, and TrickBot. *For more information, view this lecture on [Risk- Attackers and Types of Attacks Part 2](https://courses.thorteaches.com/courses/take/cissp/lessons/18588146-risk-attackers-and-types-of-attacks-part-2). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Command_and_control_(malware)).*
60
# Define: Compromise
Unauthorized access to a system or data that breaches confidentiality, integrity, or availability, potentially leading to serious consequences.

## Footnote

In the realm of information security, a compromise refers to a situation where unauthorized access is gained to a system or data, violating the confidentiality, integrity, or availability of the information. This could be due to an external attack, insider threat, or inadvertent actions. The consequences can range from information leakage and system malfunction to financial loss and reputation damage. *For more information, view this lecture on [Risk- Attackers and Types of Attacks Part 1](https://courses.thorteaches.com/courses/take/cissp/lessons/18588139-risk-attackers-and-types-of-attacks-part-1). Or view this lecture on [Risk- Attackers and Types of Attacks Part 2](https://courses.thorteaches.com/courses/take/cissp/lessons/18588146-risk-attackers-and-types-of-attacks-part-2). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Data_breach).*
61
# Define: Compromising Emanations
Unintended signals from a system that can inadvertently disclose information, mitigated with emission security measures.

## Footnote

These are unintended signals or 'leakage' that provide information about the data being processed in a system. These emanations could be electrical, thermal, mechanical, or acoustical signals that can be captured and interpreted by unauthorized individuals to extract sensitive data. These can be mitigated by using emission security (EMSEC) measures. *For more information, view this lecture on [Emanations and Covert Channels](https://courses.thorteaches.com/courses/take/cissp/lessons/18591390-emanations-and-covert-channels). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Tempest_(codename)).*
62
# Define: Computer Abuse
Misuse of computing resources in unethical, illegal, or agreement-violating ways, ranging from unauthorized access to intellectual property theft.

## Footnote

Any action that misuses computing resources or uses them in ways that are unethical, illegal, or in violation of an agreement. This can include a broad range of activities, such as unauthorized access, the creation or distribution of malicious software, identity theft, spamming, violation of privacy, and intellectual property theft. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Computer_crime).*
63
# Define: Computer Emergency Response Team | (CERT)
Groups of experts responding to security incidents and breaches and providing preventive education and vulnerability reports.

## Footnote

A group of experts that responds to security incidents, especially those involving the Internet. They handle breaches, viruses, and other potential catastrophic incidents in an attempt to minimize damage and recovery time. Their roles may also extend to educating users about potential threats, reporting vulnerabilities, and providing guidance on how to safeguard data and systems. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Computer_emergency_response_team).*
64
# Define: Computer Forensics
Investigative techniques that gather and preserve evidence from computing devices for legal proceedings, maintaining a documented chain of evidence.

## Footnote

The application of investigation and analysis techniques to gather and preserve evidence from a particular computing device in a way that is suitable for presentation in a court of law. The goal of computer forensics is to perform a structured investigation while maintaining a documented chain of evidence to find out exactly what happened on a computing device and who was responsible. *For more information, view this lecture on [Digital forensics](https://courses.thorteaches.com/courses/take/cissp/lessons/19180189-digital-forensics). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Digital_forensics).*
65
# Define: Condition Monitoring
Continuous monitoring of systems or components to assess their state and predict failures, often used to prevent downtime in cloud computing.

## Footnote

The continuous monitoring of a system or component to assess its current state and predict when it may fail. This is often used in the field of cloud computing to ensure that servers and other infrastructure are operating optimally and to prevent downtime. Examples include monitoring the temperature and humidity of a server room or using predictive maintenance software to identify potential hardware failures. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Condition_monitoring).*
66
# Define: Configuration Management
A process for establishing and maintaining consistency of a product's attributes throughout its lifecycle, managing changes effectively.

## Footnote

A systems engineering process for establishing and maintaining consistency of a product's performance, functional, and physical attributes with its requirements, design, and operational information throughout its life. This process helps identify and manage changes to the system in a controlled manner, ensuring system integrity over time. *For more information, view this lecture on [Configuration Management](https://courses.thorteaches.com/courses/take/cissp/lessons/19180328-configuration-management). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Configuration_management).*
67
# Define: Console Log
A record of system or application events, used for monitoring behavior and troubleshooting issues by capturing error messages and user activities.

## Footnote

A record of events or activities that have occurred within an operating system or software interface. They are instrumental in monitoring system behavior and troubleshooting issues. Console logs capture details such as error messages, system status updates, user activities, or program execution details, which can be reviewed for diagnostic and auditing purposes. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Log_file).*
68
# Define: Containment
Strategies to prevent the spread of threats within a system or network, isolating affected areas to mitigate further damage.

## Footnote

In a security context, containment refers to the strategies and actions taken to prevent the spread of a threat, such as a malware infection or a security breach, within a system or network. It helps in minimizing damage by isolating affected areas, thus preventing further compromise of data or resources.
69
# Define: Contingency Key
A cryptographic key used for emergency access to encrypted systems or data, part of business continuity and crisis management.

## Footnote

This is a cryptographic key used for emergency purposes when normal operations are disrupted. The contingency key may be used to regain access to an encrypted system or data if the original key is lost, compromised, or unavailable. It should be securely stored and managed due to its high importance for business continuity and crisis management.
70
# Define: Continuity
The consistent operation of an organization's functions, ensuring services remain accessible even during adverse events.

## Footnote

The unbroken and consistent existence or operation of something over a period of time. In a security context, it usually relates to business continuity, which emphasizes maintaining essential functions during and after a disaster has occurred. The goal is to ensure the organization's ability to perform its mission, regardless of the disruptive circumstances or events. *For more information, view this lecture on [BCP and DRP - Part 1](https://courses.thorteaches.com/courses/take/cissp/lessons/19180431-bcp-and-drp-part-1) or [BCP and DRP - Part 2](https://courses.thorteaches.com/courses/take/cissp/lessons/35948539-bcp-and-drp-part-2). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Business_continuity_planning).*
71
# Define: Continuity Of Operations | (COOP)
Protocols ensuring an organization's essential functions can continue during and after a disaster or disruption.

## Footnote

A set of protocols and planning efforts to ensure that an organization's essential functions can continue during and after a disaster or disruption. COOP planning involves identifying vital services and procedures that must be maintained, creating strategies for recovery, and regularly testing and updating the plan to ensure effectiveness in a variety of emergency scenarios. *For more information, view this lecture on [BCP and DRP - Part 1](https://courses.thorteaches.com/courses/take/cissp/lessons/19180431-bcp-and-drp-part-1) or [BCP and DRP - Part 2](https://courses.thorteaches.com/courses/take/cissp/lessons/35948539-bcp-and-drp-part-2). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Business_continuity_planning#Overview).*
72
# Define: Continuous Availability
Designing services or systems to be accessible at all times, implementing redundancy, fault tolerance, and high availability.

## Footnote

A state where an organization's services or systems are designed in such a way that they remain accessible at all times, without any interruption or downtime. This involves strategies like redundancy, fault tolerance, and high availability, ensuring seamless operation even during maintenance or in case of failures.
73
# Define: Continuous Monitoring
Real-time assessment of operational activities for risk management, enhancing transparency and response to potential threats or breaches.

## Footnote

A risk management approach that involves real-time assessment and reporting of operational activities. It is an ongoing process of collecting, analyzing, and reporting operational data to identify anomalies or security incidents. Continuous monitoring provides transparency into organizational activities and enhances the ability to respond rapidly to potential threats or breaches. *For more information, view this lecture on [NIST SP 800-53 Revision 5](https://courses.thorteaches.com/courses/take/cissp/lessons/18588123-nist-sp-800-53-revision-5). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Continuous_monitoring).*
74
# Define: Control Center
A central location for monitoring and managing security and operational controls, identifying and responding to security incidents.

## Footnote

A central location where an organization's security and operational controls are monitored and managed. Often equipped with software tools for real-time monitoring and analysis, a control center plays a critical role in identifying, assessing, and responding to potential security incidents. It enables swift actions, ensuring system stability and minimizing the impact of any disruptions. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Control_center).*
75
# Define: Correlation
The relationship between variables, such as linking incidents to vulnerabilities, to identify security patterns.

## Footnote

The relationship between two or more variables, such as the relationship between a security incident and a potential vulnerability. It is used in security analysis to identify patterns and connections between different data sets. Examples include using correlation to link network traffic to a specific user or to identify a trend in phishing attacks. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Correlation).*
76
# Define: Crack
To bypass security measures and access software or systems without authorization, compromising integrity.

## Footnote

To bypass or break through security measures of software or systems, often to gain unauthorized access, crack encrypted data, or illegally copy or use software. Cracking compromises the security and integrity of digital assets and is considered a cybercrime. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Password_cracking).*
77
# Define: Criteria
Benchmarks or standards used to measure the effectiveness of security measures within a system.

## Footnote

In the context of system evaluation, criteria refer to the benchmarks or standards used to assess the efficiency and effectiveness of security measures within a system. They serve as the basis for forming judgments and making decisions regarding the state of security controls and their ability to mitigate potential threats. *For more information, view this lecture on [Security Audits](https://courses.thorteaches.com/courses/take/cissp/lessons/19180000-security-audits). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Information_criterion_(information_technology)).*
78
# Define: Critical Functions
Essential processes that, if they fail, would significantly affect organizational continuity and safety.

## Footnote

The fundamental tasks or processes of a system or organization that, if interrupted or failed, would significantly impact operational continuity, assets, and human safety. The protection and continual operation of critical functions is a primary focus of security strategies. *For more information, view this lecture on [Business Continuity Planning - Part 2](https://courses.thorteaches.com/courses/take/cissp/lessons/18588156-business-continuity-planning-part-2) or [BIA (Business Impact Analysis)](https://courses.thorteaches.com/courses/take/cissp/lessons/18588174-bia-business-impact-analysis).*
79
# Define: Critical Path
The sequence of essential tasks that must be completed on time for a project to finish on schedule.

## Footnote

In project management and planning, the critical path refers to the sequence of tasks that must be completed on time for a project to finish on schedule. Each task on the critical path is a critical task. Any delay in these tasks can potentially affect the overall project timeline, meaning these tasks require special attention and optimal allocation of resources. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Critical_path_method).*
80
# Define: Cyber Kill Chain
The Cyber Kill Chain is a conceptual framework outlining stages of a cyberattack, from reconnaissance to exfiltration, guiding defenders in detecting and disrupting attacks at each phase.

## Footnote

Developed by Lockheed Martin, this model breaks down attacks into distinct steps: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives. By understanding each stage, security teams can apply targeted defenses—such as threat intelligence, network segmentation, and intrusion detection—to disrupt or prevent adversaries from progressing. The framework also helps prioritize incident response tasks, ensuring that high-impact phases, like exfiltration, are promptly addressed. Overall, the Cyber Kill Chain aids in a proactive and structured approach to cybersecurity. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Cyber_kill_chain).*
81
# Define: Cyber Threat Intelligence | (CTI)
Cyber Threat Intelligence is the collection and analysis of data on adversaries, methods, and indicators of compromise, enabling organizations to predict, prevent, and respond to cyberattacks effectively.

## Footnote

CTI typically involves gathering information from threat feeds, dark web sources, and security communities, correlating findings to identify malicious IPs, domains, or patterns. By understanding attacker motives and tactics, organizations tailor defenses and optimize incident response. Automated platforms help enrich alerts with real-time threat context, while analysts interpret emerging threats for strategic decision-making. Properly implemented CTI strengthens security postures, reduces attack impact, and informs long-term cybersecurity strategies. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Threat_intelligence).*
82
# Define: Damage Evaluation
Assessing the impact and extent of harm caused by incidents like cyber-attacks to determine compromised assets and associated costs.

## Footnote

A process used to assess the extent and impact of harm caused by an event, such as a cyber-attack, natural disaster, or accident. In a cybersecurity context, this involves analyzing the consequences of a breach or attack, determining which assets were compromised, and estimating the associated costs and operational impacts. It includes identifying data loss, service disruptions, financial implications, and reputational damage. A thorough damage evaluation is crucial for developing an effective recovery plan and mitigating future risks.
83
# Define: Dashboard
A visual display that aggregates key security information and metrics, offering a consolidated view of an organization's security posture.

## Footnote

In a broad operational sense, a dashboard is a visual display that aggregates and simplifies key information and metrics about the system's operation. In a security context, dashboards are often employed to provide a consolidated view of the organization's security posture, presenting important metrics such as ongoing threats, vulnerabilities, incidents, and overall system health. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Dashboard).*
84
# Define: Data Analysis
Inspecting, cleansing, transforming, and modeling data to extract useful information, draw conclusions, and support decision-making.

## Footnote

The process of inspecting, cleansing, transforming, and modeling data with the objective of discovering useful information, informing conclusions, and supporting decision-making. Data analysis has multiple facets and approaches, encompassing diverse techniques under various names in different business, science, and social science domains. It typically involves removing noise or inconsistencies from data to highlight meaningful trends and patterns, which can then be used to make informed predictions, decisions, and hypotheses in various areas such as market research, business intelligence, and operational efficiency. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Data_analysis).*
85
# Define: Data Center Power Redundancy
Backup power sources ensuring continuous data center operation during power failures, including UPS systems and generators. ## Footnote The implementation of backup power sources and systems within a data center to ensure its continuous operation, even during power failures or disruptions. Power redundancy can include multiple power feeds, uninterruptible power supply (UPS) systems, and backup generators. *For more information, view this lecture on [Redundancy](https://courses.thorteaches.com/courses/take/cissp/lessons/19180421-redundancy). Or [Site selection - Part 2](https://courses.thorteaches.com/courses/take/cissp/lessons/19149842-site-selection-part-2). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Data_center).*
86
# Define: Data Diddling
Fraudulently altering data before or during entry into a system, typically for malicious intent or financial gain, posing security risks. ## Footnote A fraudulent act involving the deliberate alteration of data before or during its entry into a computer system and then changing it back after the processing is complete. This can be done to manipulate the output or results, typically for financial gain or other malicious intent. It's considered a form of cybercrime and is a security risk that organizations need to guard against with appropriate controls and auditing measures. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Data_diddling).*
87
# Define: Data Mining
Exploring large datasets to find consistent patterns and relationships, then validating findings to inform conclusions and decision-making. ## Footnote The analytical process designed to explore large amounts of data in search of consistent patterns and systematic relationships between variables and then validate the findings by applying the detected patterns to new subsets of data. It is a multidisciplinary approach to discovering useful information from large data sets and is used for various purposes, including market analysis, fraud detection, customer retention, and more. *For more information, view this lecture on [Database security](https://courses.thorteaches.com/courses/take/cissp/lessons/19121852-database-security). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Data_mining).*
88
# Define: Data Recovery Tools
Software designed to recover or restore lost, deleted, or inaccessible data from storage media, crucial for mitigating data loss. ## Footnote Software tools designed to recover or restore data that has been lost, deleted, corrupted, or made inaccessible. These tools can work on various storage media, such as hard drives, SSDs, memory cards, or even specific files or databases, and are often used after incidents like accidental deletion, hardware failures, or cyber-attacks. *For more information, view this lecture on [Hardware architecture - Part 2](https://courses.thorteaches.com/courses/take/cissp/lessons/18591307-hardware-architecture-part-3). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Data_recovery).*
89
# Define: Data Seizure in Virtualization
Capturing control of data in a virtual environment, often for forensic analysis, while maintaining integrity and admissibility. ## Footnote The process of capturing or taking control of data within a virtualized environment, often for forensic analysis or legal purposes. Data seizure in virtualization can be complex due to the dynamic and distributed nature of virtual machines (VMs) and their storage. Authorities or forensic experts must ensure the integrity and admissibility of the data by following established protocols and using specialized tools. This includes dealing with challenges such as capturing data without disrupting services, ensuring the consistency of snapshots, and maintaining the chain of custody for the data. Proper techniques ensure that the data seized can provide reliable evidence or insight into the state of the virtualized systems at the time of the seizure.
90
# Define: Data Tampering
The unauthorized alteration of data within a system, a security threat undermining data integrity and reliability. ## Footnote The unauthorized, deliberate alteration of data within a database, system, or network. This can involve modifying, deleting, creating, or damaging data to corrupt information, mislead decisions, or gain unauthorized benefits. Data tampering is a security threat that undermines the integrity and trustworthiness of data, and it can have legal, financial, and reputational consequences. Safeguards against tampering include access controls, encryption, hashing, and audit logs. *For more information, view this lecture on [Secure design principles](https://courses.thorteaches.com/courses/take/cissp/lessons/25340659-secure-design-principles). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Computer_security#Tampering).*
91
# Define: Data Warehousing
A central repository for reporting and analysis, consolidating data from multiple sources for business intelligence. ## Footnote A system used for reporting and data analysis, widely considered as a core component of business intelligence. It involves the consolidation of data from various sources into one comprehensive database. Data warehousing enhances the ability to extract useful insights from the data, as it provides an organized, unified view of the data collected from various parts of an organization. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Data_warehouse).*
92
# Define: Demographic
Statistical data related to populations, such as age and income, used for analysis and decision-making. ## Footnote Statistical data relating to the population and particular groups within it, often used for identifying trends. It typically includes factors such as age, gender, income level, education, occupation, and ethnicity. Businesses and governments use demographic information for market research, policy-making, and targeted advertising. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Demographics).*
93
# Define: Denial of Service
An attack that disrupts services by overloading systems or exploiting vulnerabilities. ## Footnote An attack on a network or service that aims to overwhelm its infrastructure and make it unavailable to its intended users. This can be achieved through various means, such as flooding the target with superfluous requests to overload the system or exploiting vulnerabilities that cause a crash. Common forms include Distributed Denial of Service (DDoS) attacks where multiple compromised systems are used to launch the attack, smurf attacks, and ping of death attacks. *For more information, view this lecture on [Secure design principles](https://courses.thorteaches.com/courses/take/cissp/lessons/25340659-secure-design-principles). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Denial-of-service_attack).*
94
# Define: Deployment Planning
Designing a strategy for implementing changes in a live environment, ensuring methodical and secure integration. ## Footnote A phase in change management that entails designing a detailed strategy for how changes will be executed in the live environment. This involves determining the sequence and timing of changes, identifying required resources, outlining contingency plans for possible failure, and assessing potential impact on users and operations. Effective deployment planning ensures that changes are implemented methodically, minimizing the risk of introducing vulnerabilities or disrupting system operations.
95
# Define: Differential Backup
A backup method saving changes since the last full backup, balancing efficiency with ease of data recovery. ## Footnote A type of data backup method that only saves the changes made to data since the last full backup. This approach provides a balance between a full backup (which copies all data) and an incremental backup (which only backs up data changed since the last backup of any type), offering an efficient way to save storage space while still allowing for easier data recovery compared to incremental backups. *For more information, view this lecture on [Backups](https://courses.thorteaches.com/courses/take/cissp/lessons/19180401-backups). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Backup#Differential).*
96
# Define: Digital Forensics
Investigative techniques to gather and interpret data from digital devices for legal purposes. ## Footnote A specialized field focusing on uncovering and interpreting electronic data for use in investigations or legal proceedings. The goal is to preserve any evidence in its original state while performing a structured analysis to understand the full details of a digital crime or unauthorized event. *For more information, view this lecture on [Digital forensics](https://courses.thorteaches.com/courses/take/cissp/lessons/19180189-digital-forensics). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Digital_forensics).*
97
# Define: Digital Forensics and Incident Response | (DFIR)
Combining digital forensics and incident response to manage security events. ## Footnote A discipline that combines traditional digital forensics (the recovery and investigation of material found in digital devices) with incident response (the process of handling and responding to security incidents or attacks). The goal is to uncover the details of an incident, remediate it, and determine how to prevent similar events in the future. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Digital_forensics).*
98
# Define: Direct Evidence
Material or information directly proving a fact without needing inference or presumption. ## Footnote In legal terms, direct evidence is any material or information that directly proves a fact. It is evidence that, if believed, immediately establishes the truth of a fact without inference or presumption and does not require further support or corroboration. Examples of direct evidence include eyewitness testimony, a confession, or a video recording of the event in question. Direct evidence can be contrasted with circumstantial evidence, which suggests the truth of a fact indirectly through inference. *For more information, view this lecture on [Laws and Regulations - Evidence](https://courses.thorteaches.com/courses/take/cissp/lessons/18552296-laws-and-regulations-evidence). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Evidence).*
99
# Define: Disaster
A significant and unexpected event causing disruption to normal functions, necessitating contingency plans to restore operations and minimize impact. ## Footnote An unforeseen event that causes significant disruption to the normal functioning of systems, operations, or services. This could range from natural catastrophes like floods, earthquakes, and fires to human-induced incidents like system failures, cyber-attacks, or data breaches. These events necessitate the activation of contingency or disaster recovery plans to restore functionality and minimize operational and financial impact. If our main facility is unusable for 24 hours or more, it is a disaster. *For more information, view this lecture on [DRP basics](https://courses.thorteaches.com/courses/take/cissp/lessons/19180459-drp-basics). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Disaster).*
100
# Define: Disaster Declaration
A formal acknowledgment by management of a disaster's occurrence, activating the disaster recovery plan and mobilization of recovery resources. ## Footnote A formal statement made by an organization's management acknowledging the occurrence of a disaster. It triggers the implementation of a disaster recovery plan and mobilizes resources to respond to and recover from the disaster. Such a declaration is typically based on predefined criteria related to the severity and impact of the incident, and only certain people are allowed to declare a disaster. *For more information, view this lecture on [DRP basics](https://courses.thorteaches.com/courses/take/cissp/lessons/19180459-drp-basics).*
101
# Define: Disaster Recovery
Planning and procedures to enable the recovery of vital technology infrastructure after a disaster, focusing on IT systems supporting critical business functions. ## Footnote An area of security planning that aims to protect an organization from the effects of significant negative events. It involves policies, tools, and procedures to enable the recovery or continuation of vital technology infrastructure and systems following a natural or human-induced disaster. Disaster recovery focuses on the IT or technology systems supporting critical business functions, as opposed to business continuity, which involves keeping all essential aspects of a business functioning despite significant disruptive events. Disaster recovery strategies typically include data backup and recovery, systems fail-over, and site redundancy. *For more information, view this lecture on [DRP basics](https://courses.thorteaches.com/courses/take/cissp/lessons/19180459-drp-basics). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/IT_disaster_recovery).*
102
# Define: Disaster Recovery Plan
A structured guide with instructions for responding to serious incidents, outlining data recovery, system maintenance, and testing for business continuity. ## Footnote A documented, structured approach with instructions for responding to unplanned incidents such as natural disasters, power outages, cyberattacks, and other disruptive events. This plan outlines measures to minimize the effects of a disaster so an organization can continue to operate or quickly resume mission-critical functions. The disaster recovery plan typically covers data backup and recovery, maintenance of critical systems, chain of command, and testing and drills to ensure readiness. It is an essential part of an organization's business continuity planning. *For more information, view this lecture on [DRP basics](https://courses.thorteaches.com/courses/take/cissp/lessons/19180459-drp-basics). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/IT_disaster_recovery).*
103
# Define: Disaster Recovery Plan (DRP) Desk Checking
Reviewing the disaster recovery plan in a non-disruptive setting to identify issues or areas needing improvement, ensuring readiness for actual disasters. ## Footnote A validation process where the disaster recovery plan is reviewed in a non-disruptive environment to identify any issues, omissions, or areas of improvement. It includes going through the plan in detail to understand the procedures, responsibilities, and resources necessary for successful disaster recovery. The aim is to ensure that the plan is accurate, comprehensive, and effective before an actual disaster situation occurs. *For more information, view this lecture on [Testing the Plans - Part 1](https://courses.thorteaches.com/courses/take/cissp/lessons/19180552-testing-the-plans-part-1). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/IT_disaster_recovery#Control_measures).*
104
# Define: Disaster Recovery Plan (DRP) Walk-Through
A simulated exercise testing the disaster recovery plan's effectiveness, with stakeholders role-playing a disaster scenario to identify gaps and issues. ## Footnote A role-playing exercise that simulates a disaster situation to test the effectiveness of a disaster recovery plan. This involves all stakeholders going through the plan step-by-step to ensure that all roles, responsibilities, and actions are understood and feasible. The objective is to identify any gaps or issues in the plan that need to be addressed, thereby enhancing the readiness of the organization in the face of a real disaster. *For more information, view this lecture on [Testing the Plans - Part 1](https://courses.thorteaches.com/courses/take/cissp/lessons/19180552-testing-the-plans-part-1). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/IT_disaster_recovery#Control_measures).*
105
# Define: Disaster Tolerance
An organization's capability to continue operations and provide services amid a disaster, often through redundant systems and geographically dispersed resources. ## Footnote The ability of an organization to maintain its operations and continue to provide services in the face of a disaster or disruptive event. It often involves measures such as redundant systems, fail-over mechanisms, and geographically dispersed resources that can ensure continued operation even when some parts of the infrastructure are affected. *For more information, view this lecture on [BIA (Business Impact Analysis)](https://courses.thorteaches.com/courses/take/cissp/lessons/19180492-bia-business-impact-analysis).*
106
# Define: Disk Mirroring
Duplicating data onto multiple disks to create an exact copy for consistency and immediate data recovery in case of disk failure. ## Footnote A technique used to protect data by duplicating it onto two or more disks. By writing the same data to a pair of storage devices, an exact copy, or mirror, is created. This strategy allows for data consistency and instant data recovery in case of a single disk failure, thereby ensuring high availability and resilience against data loss. *For more information, view this lecture on [RAID (Redundant Array of Independent Disks)](https://courses.thorteaches.com/courses/take/cissp/lessons/19180405-raid-redundant-array-of-independent-disks). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Disk_mirroring).*
107
# Define: Disk Striping
Dividing data and writing it across multiple disks to improve performance through concurrent reading and writing; it provides no redundancy for data protection. ## Footnote Splitting data across multiple physical disk drives can improve performance by allowing multiple drives to read and write data concurrently. Each piece of data is broken down into blocks, and each block is written to a separate disk. Disk striping does not provide data redundancy, meaning that if a single drive fails, all data in the stripe is lost. *For more information, view this lecture on [RAID (Redundant Array of Independent Disks)](https://courses.thorteaches.com/courses/take/cissp/lessons/19180405-raid-redundant-array-of-independent-disks). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Data_striping).*
108
# Define: Disk Striping With Parity
Combining disk striping's performance benefits with redundancy for data protection by writing additional parity information for recovery. ## Footnote A technique that combines the performance benefits of disk striping with added redundancy for data protection. In addition to splitting data across multiple drives, it also writes parity information. Parity information is a kind of checksum that can be used to reconstruct data if a single drive fails. This approach provides a balance between performance and data safety. *For more information, view this lecture on [RAID (Redundant Array of Independent Disks)](https://courses.thorteaches.com/courses/take/cissp/lessons/19180405-raid-redundant-array-of-independent-disks). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Data_striping#Applications).*
109
# Define: Dual-Technology Sensors
Security devices using two different detection methods to improve accuracy and reduce false alarms. ## Footnote These are security devices that utilize two different detection methods to increase accuracy and reduce the likelihood of false alarms. By requiring both detection methods to trigger before raising an alarm, the system can more accurately discern real threats from environmental factors or equipment malfunction. *For more information, view this lecture on [Physical security - Part 5](https://courses.thorteaches.com/courses/take/cissp/lessons/19149815-physical-security-part-5).*
110
# Define: Duress
Being forced to perform an act under threat or pressure, often involving a duress code to signal danger silently. ## Footnote A condition in which a person performs an act as a result of violence, threat, or other pressure against the individual. In the legal context, duress can make a contract voidable if one party involuntarily agrees due to the wrongful threat of the other party. In security terms, a duress code is a covert signal used by an individual to indicate they are in danger without alerting the potential aggressor, commonly used in security systems and protocols where silent alarms or emergency signals are necessary. *For more information, view this lecture on [Personnel safety](https://courses.thorteaches.com/courses/take/cissp/lessons/19149922-personnel-safety). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Duress_in_American_law).*
111
# Define: eDiscovery
The process of identifying, collecting, and producing electronic data for use in legal cases, including data relevant to digital investigations. ## Footnote The process of identifying, collecting, and producing electronic data for use in legal proceedings. It is used in legal cases where electronic information is relevant to the case. For example, in a lawsuit involving a company's email communications, eDiscovery would be used to collect and produce emails for review by attorneys. *For more information, view this lecture on [Network and Software forensics](https://courses.thorteaches.com/courses/take/cissp/lessons/19180221-network-and-software-forensics). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Electronic_discovery).*
112
# Define: ELSEC | (Electronic Security)
Methods and practices to protect electronic systems and data from unauthorized access and threats. ## Footnote A term encompassing the various methods and practices aimed at safeguarding electronic systems from unauthorized access, use, disclosure, disruption, modification, or destruction. ELSEC includes the protection of information and assets related to computing, telecommunications, and any other forms of electronic data storage and transmission. The goal of electronic security is to ensure the confidentiality, integrity, and availability of electronic information and to preserve the functionality of electronic services and infrastructure. ELSEC is a critical aspect of overall cybersecurity strategies in both private and public sectors.
113
# Define: Email Spoofing
Manipulating email headers to make messages appear from a different sender, often used in phishing or spam campaigns. ## Footnote A malicious practice where the headers of an email are manipulated to make it appear as though the message originated from a different sender. This is often used in phishing and spam campaigns, where the attacker aims to trick the recipient into trusting the false sender, potentially leading to data breaches, financial loss, or other forms of harm. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Email_spoofing).*
114
# Define: Endpoint Detection and Response | (EDR)
EDR tools monitor endpoints (computers, servers, mobile devices) in real time, detecting suspicious activities and enabling swift investigation, containment, and remediation of security incidents. ## Footnote EDR solutions record system-level events and analyze behaviors against known attack patterns or anomalies. They often include threat intelligence feeds, automated response playbooks, and forensic capabilities. When suspicious activity is detected—like unusual process executions or rapid file encryption—EDR can isolate the endpoint or execute mitigation scripts. By providing continuous visibility and rapid response, EDR reduces dwell time and the impact of breaches, forming a key component of modern security architectures. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Endpoint_detection_and_response).*
115
# Define: End-User Computing
Systems allowing users to create and use software applications, requiring governance for data integrity and security. ## Footnote End-user computing (EUC) refers to systems and platforms that allow users who are not programming experts to create and use software applications. It includes tools like spreadsheet programs, databases, and graphical interfaces that simplify the development and execution of business programs and processing. EUC empowers users to manage and control their own computing needs but also requires governance to ensure that data integrity and security are maintained, as the widespread creation of disparate applications can lead to data silos and security gaps. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/End-user_computing).*
116
# Define: Enterprise Resource Planning (ERP) System
Integrated software that manages and interprets data from various business activities, supporting informed decision-making. ## Footnote A suite of integrated applications that a company uses to collect, store, manage, and interpret data from numerous business activities, including product planning, manufacturing, marketing and sales, inventory management, and shipping and payment. By automating and integrating core business processes, an ERP system enhances efficiency and supports informed decision-making within an organization. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Enterprise_resource_planning).*
117
# Define: Environmental Monitoring
Observing conditions in a setting to ensure optimal performance and detect issues affecting operations or data integrity. ## Footnote The process of continuously observing and analyzing the conditions of a specific setting to ensure optimal performance and detect any potential issues that could affect system operations or data integrity. This includes tracking parameters like temperature, humidity, power supply, water leaks, or even unauthorized access, which can be crucial for maintaining the proper functioning of sensitive equipment like servers in a data center. *For more information, view this lecture on [Fire suppression and hot and cold aisles](https://courses.thorteaches.com/courses/take/cissp/lessons/19149912-fire-suppression-and-hot-and-cold-aisles). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Environmental_monitoring).*
118
# Define: Eradication
The complete removal of a security threat from an information system, preventing further damage or recurrence. ## Footnote In the context of cybersecurity, eradication refers to the process of completely removing a security threat, such as a virus or malware, from an information system after it has been identified and contained. This is an integral step in incident response and involves steps to eliminate components of the threat, such as deleting malicious files, disabling breached user accounts, or fixing exploited vulnerabilities. The goal of eradication is to prevent the threat from causing further damage or re-emerging at a later time.
119
# Define: Error
An incorrect result from software or hardware malfunction, which can cause system issues or data corruption, undermining system accuracy and reliability. ## Footnote An unexpected or incorrect result produced by a piece of software or hardware due to faulty code, incorrect data, or unforeseen conditions. Errors can lead to system crashes, incorrect outputs, or data corruption, all of which can undermine the accuracy, reliability, and integrity of a system's operations. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Error).*
120
# Define: Event
Any occurrence within a system or network recognized by software, including user actions, system signals, or potential security incidents. ## Footnote In a general context, an event is something that happens or takes place, particularly something of importance. In computing and IT, an event often refers to an action or occurrence recognized by software that may be handled by the system or by user code. Events can include user inputs, system signals, or messages from other programs. In terms of cybersecurity, an event can be any observable occurrence in a system or network, including potential security incidents. Event management is a key part of system monitoring, and cybersecurity event logs are critical for incident response and forensic analysis. An event is simply a change to a system or data; it is neither positive nor negative, just an observable change. *For more information, view this lecture on [Domain 7 key concepts](https://courses.thorteaches.com/courses/take/cissp/lessons/19180142-domain-7-key-concepts). Or view this lecture on [Network Performance and Traffic Management](https://courses.thorteaches.com/courses/take/cissp/lessons/54399148-new-2024-network-performance-and-traffic-management). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Event_(computing)).*
121
# Define: Event Type
A classification of security events based on their characteristics, aiding in security monitoring and incident analysis. ## Footnote The categorization of security events based on their nature or characteristics. Event types might include login events, file change events, network traffic events, and more. These categories assist in the analysis of events, helping security professionals to identify trends, spot anomalies, and understand the broader context of security events within a system or network. *For more information, view this lecture on [Domain 7 key concepts](https://courses.thorteaches.com/courses/take/cissp/lessons/19180142-domain-7-key-concepts). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Event_(computing)).*
122
# Define: Exception Reports
Generated when operations deviate from standard norms, highlighting anomalies like failed logins or unusual system activities. ## Footnote Documents generated when a process or operation deviates from its predefined norm or standard. In the security realm, these are vital in identifying anomalies such as unauthorized access attempts, failed login attempts, or other forms of unusual system activities that could indicate a security threat. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Exception_handling).*
123
# Define: Exercise Key
A temporary cryptographic key for system testing, ensuring operational readiness without revealing actual keys. ## Footnote An exercise key is a temporary cryptographic key used in communications systems during exercises or system testing. This key is employed to protect sensitive data but is not intended for operational use. The purpose is to validate the operational readiness of a system without impacting real-world operations or revealing actual operational keys.
124
# Define: Extended Detection and Response | (XDR)
XDR extends EDR capabilities by aggregating data from multiple sources—endpoints, networks, cloud workloads—enabling a unified, holistic approach to threat detection and incident response. ## Footnote Instead of analyzing endpoints or network telemetry in isolation, XDR platforms collect and correlate alerts, logs, and behavioral indicators across the security stack. This cross-domain visibility helps identify complex, multi-vector attacks that might evade siloed solutions. Advanced analytics and machine learning prioritize alerts and automate responses. By centralizing security insights, XDR reduces alert fatigue, shortens investigation times, and streamlines remediation steps, enhancing overall defense maturity. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Extended_detection_and_response).*
125
# Define: Fail-Over
An operational backup mode where secondary components take over functions if the primary fails, ensuring continuity. ## Footnote A backup operational mode in which the functions of a system component (such as a processor, server, network, or database) are assumed by secondary system components when the primary component becomes unavailable through either failure or scheduled downtime. Fail-over helps maintain high availability and reliability by ensuring that services continue to operate in the event of a component failure. This process can occur automatically without human intervention or can be manually triggered. *For more information, view this lecture on [Disaster Recovery sites](https://courses.thorteaches.com/courses/take/cissp/lessons/19180523-disaster-recovery-sites). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Failover).*
126
# Define: Fallback Procedures
Plans for maintaining critical functions during interruptions, ensuring operational continuity. ## Footnote Predetermined plans designed to help an organization maintain or quickly resume mission-critical functions in the event of an interruption or failure. The fallback procedures come into play when normal processes cannot continue and often involve the use of redundant systems, backups, or alternative methods to continue operations until normal conditions are restored.
127
# Define: Fault Tolerance
A system's ability to continue operating properly even in the event of hardware or software failures, achieved through redundancy and resilience. ## Footnote The ability of a system to continue functioning properly in the event of a hardware or software failure. This is achieved through the incorporation of redundancy in the system's components or through techniques like replication of tasks so that in the event of a component failure, the system's operation continues without disruption. *For more information, view this lecture on [Redundancy](https://courses.thorteaches.com/courses/take/cissp/lessons/19180421-redundancy). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Fault_tolerance).*
128
# Define: Fault Tree Analysis
A method that uses diagrams to analyze the potential causes of system failures, helping identify and mitigate risks. ## Footnote A method used to systematically analyze the causes of a failure or undesirable event in a system. Using a tree-like diagram, it represents the relationships between the system's components, highlighting potential problems or threats that could lead to a failure. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Fault_tree_analysis).*
129
# Define: Footprinting
The pre-attack collection of data about a target to identify vulnerabilities and potential attack vectors. ## Footnote The initial step where information gatherers collect as much data as possible about a target, such as an individual, a group, or an organization. This can be performed through various methods, including search engines, social media platforms, WHOIS databases, network tools, and more. This is a commonly used technique in ethical hacking to understand the security posture of a target system and find potential vulnerabilities that can be exploited. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Footprinting).*
130
# Define: Forensic Audit
Investigation of financial records to uncover fraud, embezzlement, or other financial crimes. ## Footnote An investigation into financial information or activities to determine if there has been any wrongdoing or fraud. It is used to uncover evidence of illegal or unethical behavior, such as embezzlement or money laundering. Examples of forensic audits include investigations into financial fraud or the mismanagement of company funds. *For more information, view this lecture on [Digital forensics](https://courses.thorteaches.com/courses/take/cissp/lessons/19180189-digital-forensics). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Forensic_accounting).*
131
# Define: Forensic Examination
Methodically analyzing digital evidence to reconstruct events, often used in cybersecurity investigations. ## Footnote The methodical collection and analysis of digital evidence to reconstruct past events. This can include activities like recovering deleted files, analyzing system logs, extracting data from databases, or examining network traffic. The goal is to understand what actions were performed, by whom, and when to establish the facts of a case or incident. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Digital_forensics).*
132
# Define: Forensic Readiness
Forensic Readiness ensures an organization’s systems and policies are prepared to gather, preserve, and analyze digital evidence effectively in the event of a security incident. ## Footnote By standardizing logging practices, implementing evidence retention policies, and training staff, companies can quickly respond to incidents with valuable data on hand. This reduces the risk of evidence tampering or data loss, making investigations both efficient and defensible in court. Automated tools and clear procedures for chain of custody further strengthen forensic outcomes. Proactive planning lowers legal exposure, costs, and reputational damage when breaches occur.
133
# Define: Forensics in the Cloud
Applying digital forensic methods in cloud environments, accounting for the unique challenges of cloud data distribution. ## Footnote The application of digital forensics principles in a cloud computing environment. Due to the distributed nature of data in the cloud, standard forensic procedures may be adapted to accommodate specific cloud infrastructure characteristics, like multitenancy, data redundancy, and virtualization. It involves analyzing logs, recovering data, and investigating activities to reveal details about potential breaches, unauthorized access, or other suspicious activities within the cloud infrastructure. *For more information, view this lecture on [Audit strategies for cloud and hybrid environments - part 1](https://courses.thorteaches.com/courses/take/cissp/lessons/54399189-new-2024-audit-strategies-for-cloud-and-hybrid-environments-part-1). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Digital_forensics).*
134
# Define: Full Backup
A complete copy of all system or device data, ensuring a comprehensive data snapshot for disaster recovery. ## Footnote The process of copying every file and piece of data from a particular system or storage device. This backup type creates a comprehensive replica of all directories, files, and databases, ensuring that all information can be restored from this single backup if necessary. While full backups can be more resource-intensive than other types (like incremental or differential backups), they provide a complete snapshot of data at a particular point in time and are essential for disaster recovery and business continuity purposes. *For more information, view this lecture on [Backups](https://courses.thorteaches.com/courses/take/cissp/lessons/19180401-backups). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Backup#Full_only/System_imaging).*
135
# Define: Full Interruption Test
A disaster recovery test simulating a complete system shutdown, assessing an organization's recovery capabilities. ## Footnote A type of disaster recovery testing that involves simulating a complete shutdown of the systems in question to assess how well an organization can recover its operations and continue business processes under such circumstances. This is the most thorough form of testing an organization's resilience to disruptive events. However, it can be risky and disruptive, as it involves halting production systems and can lead to data loss or other adverse effects if not carried out correctly. *For more information, view this lecture on [Testing the Plans - Part 1](https://courses.thorteaches.com/courses/take/cissp/lessons/19180552-testing-the-plans-part-1). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Business_continuity_and_disaster_recovery_auditing#Testing).*
136
# Define: General Data Center Redundancy Tier Levels
A classification system by the Uptime Institute defining the redundancy and complexity of data centers. ## Footnote The tier levels for data center redundancy, typically classified by the Uptime Institute, range from Tier I to Tier IV. Each tier reflects the complexity and redundancy of the data center's infrastructure. Tier I represents the most basic level with no redundant components. Tier II includes some redundancy, Tier III features multiple paths for power and cooling and is concurrently maintainable, and Tier IV offers full fault tolerance with continuous uptime. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/High_availability#Percentage_calculation).*
137
# Define: Geotagging
Adding geographical information to digital media, indicating the location where media was created or taken. ## Footnote The process of adding geographical information to digital media such as photos or videos. It is used to identify the location where the media was taken or created. Examples of geotagging include using GPS coordinates on a photo or using location data from a social media platform to add a location tag to a post. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Geotagging).*
138
# Define: GPOs | (Group Policy Objects)
GPOs are settings and configurations within Microsoft Windows Active Directory environments, allowing centralized management of user and machine policies across a domain. ## Footnote Administrators use GPOs to enforce security rules, software deployment, and user interface settings. By applying GPOs to organizational units, they standardize configurations, reduce manual tasks, and maintain compliance. Examples include password complexity rules, restricting access to control panel items, or configuring auto-updates. Effective GPO usage fosters consistency, streamlines IT operations, and hardens systems against misconfigurations and threats. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Group_Policy).*
139
# Define: High Availability | (HA)
Designing systems to maintain high-level services over time, involving redundancy and fault tolerance. ## Footnote The design and implementation of systems and processes to ensure that a service remains available at a high level over a defined period. This often involves redundancy, failover, load balancing, and other mechanisms to minimize downtime in the event of an outage or failure. From a security perspective, high availability is important not only for maintaining business operations but also for sustaining security controls and processes. An HA design can help prevent service disruptions that could be exploited by attackers, or that could lead to other security vulnerabilities. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/High_availability).*
140
# Define: High-Density Equipment
Hardware maximizing computing power in limited spaces, used in data centers for efficiency. ## Footnote High-density equipment refers to hardware designed to maximize computing power or service capacity within a limited physical space. These systems are ideal for environments where space is at a premium, but demand for computational resources is high. Data centers, for instance, use high-density racks to house servers and storage devices efficiently.
141
# Define: Holistic Redundancy
A comprehensive backup strategy encompassing data, system, and operational resilience for maximum protection. ## Footnote Holistic redundancy refers to a comprehensive approach to backup and fault tolerance that encompasses not just data protection but also system and operational resilience. It involves various strategies like data replication, failover systems, and regular testing to ensure all critical components of an IT ecosystem can withstand disruptions.
142
# Define: Honeyfile
A decoy document planted to attract malicious access attempts. ## Footnote A honeyfile is a fake or decoy document intentionally placed within a network to lure cyber attackers. Once accessed, the honeyfile alerts security teams to unauthorized activity, enabling early detection and investigation. This proactive defense measure helps organizations identify breach attempts, gather threat intelligence, and improve incident response without risking actual sensitive data. *For more information, view this lecture on [Honeynets and Honeypots](https://courses.thorteaches.com/courses/take/cissp/lessons/19180316-honeynets-and-honeypots). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Honeytoken).*
143
# Define: Honeynet
A network set up to attract and monitor attackers' methods, aiding security research and incident response. ## Footnote A network of computers that is intentionally exposed to the Internet in order to lure attackers and study their methods. It is used in security research and incident response. Examples of honeynets include the Honeynet Project and the Honeypot Project. *For more information, view this lecture on [Honeynets and Honeypots](https://courses.thorteaches.com/courses/take/cissp/lessons/19180316-honeynets-and-honeypots). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Honeynet).*
144
# Define: Honeypot
A decoy system or data set used to detect or study hacker attacks, designed to appear vulnerable to attract threats. ## Footnote A security mechanism set up to detect, deflect, or study hacking attempts. It is designed to appear as a legitimate part of the network but is isolated and monitored to capture unauthorized access attempts or understand an attacker's techniques. *For more information, view this lecture on [Honeynets and Honeypots](https://courses.thorteaches.com/courses/take/cissp/lessons/19180316-honeynets-and-honeypots). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Honeypot_(computing)).*
145
# Define: Honeytoken
A Honeytoken is a decoy digital resource—such as a fake account or document—designed to alert defenders when accessed, indicating unauthorized activity or insider threats. ## Footnote Honeytokens are placed within systems or databases, set up to trigger an alarm if someone interacts with them. Since legitimate users rarely utilize these decoy items, any access requests likely signal malicious behavior. This tactic helps security teams detect lateral movement, compromised credentials, or data exfiltration attempts. Honeytokens impose minimal risk but yield actionable intelligence, complementing other detection strategies and improving threat response.
146
# Define: Honeytoken
A spurious data element used to detect unauthorized access activities. ## Footnote A honeytoken is an intentionally deceptive piece of information embedded within a system to signal unauthorized access when accessed. It acts as a digital tripwire, alerting security teams to potential breaches by monitoring interactions with the fake data. Honeytokens help organizations proactively detect and analyze attack methods while minimizing the risk associated with actual sensitive data exposure. *For more information, view this lecture on [Honeynets and Honeypots.](https://courses.thorteaches.com/courses/take/cissp/lessons/19180316-honeynets-and-honeypots) Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Honeytoken).*
147
# Define: Host-Based Firewalls
Security software on individual hosts controlling network traffic based on security rules. ## Footnote Security software installed on individual hosts or servers that controls the incoming and outgoing network traffic based on predetermined security rules. Host-based firewalls protect against unauthorized access and can provide tailored security at the host level. *For more information, view this lecture on [Firewalls Part 1](https://courses.thorteaches.com/courses/take/cissp/lessons/19178275-firewalls-part-1). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Firewall_(computing)#Types_of_firewall).*
148
# Define: Host-Based Intrusion Detection Systems / Host-Based Intrusion Prevention Systems | (HIDS)/(HIPS)
Security measures on devices monitoring system activity for threats and preventing attacks. ## Footnote Security measures deployed on individual devices or hosts to monitor and analyze system activities for malicious behavior. HIDS focuses on detecting potential threats by examining log files, system calls, and network traffic and then alerting administrators if suspicious activities are detected. On the other hand, HIPS takes it a step further by not only detecting threats but also attempting to prevent them from executing harmful actions. These host-based systems are particularly beneficial in identifying insider threats or targeted attacks that might be missed by network-based security systems. *For more information, view this lecture on [Intrusion detection and prevention systems.](https://courses.thorteaches.com/courses/take/cissp/lessons/19180266-intrusion-detection-and-prevention-systems) Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Intrusion_detection_system#Host-based_intrusion_detection_system).*
149
# Define: Hot Fix | (Hotfix)
An urgent software update addressing specific issues, applied without system downtime. ## Footnote A quick and targeted software update designed to resolve specific issues or security vulnerabilities. Hotfixes are released as soon as a problem is identified and are often applied while the system is running, without the need for a system restart. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Hotfix).*
150
# Define: Hot Rollover
A network device feature allowing configuration changes without network traffic interruption. ## Footnote A feature of certain network devices that allows users to make changes to the device's configuration without interrupting the network traffic. It is used in networking and information technology. Examples of hot rollover include Cisco routers and switches.
151
# Define: Hot Site
A backup location with necessary hardware and software for quick IT operations resumption after a disaster. ## Footnote A location that is equipped with the necessary hardware and software to quickly resume IT operations in the event of a disaster. It is used as a backup site for business continuity and disaster recovery. Examples include having a hot site set up in a different city or region, having duplicate servers and equipment on site, and regularly testing the hot site to ensure it is ready for use. *For more information, view this lecture on [Disaster Recovery sites.](https://courses.thorteaches.com/courses/take/cissp/lessons/19180523-disaster-recovery-sites) Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/IT_disaster_recovery).*
152
# Define: Idle Standby
A state where a system or device is prepared for use but not actively in operation, often applicable to backup or failover systems. ## Footnote A state in which a system or device is ready to be used but is not currently in use. It is commonly used in systems that need to be available at all times, such as backup systems or failover systems. Examples of idle standby systems include standby power generators and backup servers.
153
# Define: Incident
An event that compromises the confidentiality, integrity, or availability of data, requiring immediate attention to mitigate damage. ## Footnote A security incident is any event that negatively affects the confidentiality, integrity, or availability of data or disrupts IT operations. Incidents can range from data breaches, malware infections, unauthorized access, to service outages, requiring immediate attention and response to mitigate potential damage and restore normal functions. *For more information, view this lecture on [Incident Management definitions](https://courses.thorteaches.com/courses/take/cissp/lessons/19180234-incident-management-definitions).*
154
# Define: Incident Management
Identifying, addressing, and resolving security incidents to maintain an organization's security posture. ## Footnote The process of identifying, responding to, and resolving security incidents in an organization. Incident management includes identifying the cause and extent of an incident, implementing appropriate response measures, and restoring normal operations. Examples include responding to a data breach or implementing contingency plans for a network outage. *For more information, view this lecture on [Incident Management definitions.](https://courses.thorteaches.com/courses/take/cissp/lessons/19180234-incident-management-definitions) Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Incident_management_(ITSM)).*
155
# Define: Incident Response - Analysis
Evaluating the scope and impact of a security incident to formulate an appropriate response strategy. ## Footnote Analysis involves evaluating the impact and scope of the incident to determine the appropriate response. This may include gathering and analyzing data from various sources, such as logs, network traffic, or affected systems. For example, a company may use forensic tools to analyze data from a compromised server to determine the extent of the attack and the data that has been accessed. *For more information, view this lecture on [Incident Management - part 1.](https://courses.thorteaches.com/courses/take/cissp/lessons/19180244-incident-management-part-1) Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Computer_security_incident_management).*
156
# Define: Incident Response - Detection
Identifying that an incident has occurred, often through monitoring systems and security alerts. ## Footnote Detection refers to the process of identifying that an incident has occurred. This can be done through various methods, such as monitoring systems, using security software, or receiving alerts from employees or external sources. For example, a company may use a security information and event management (SIEM) system to monitor network activity and identify potential threats or set up alerts to notify IT staff of unusual activity. *For more information, view this lecture on [Incident Management - part 1.](https://courses.thorteaches.com/courses/take/cissp/lessons/19180244-incident-management-part-1) Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Computer_security_incident_management#Identification).*
157
# Define: Incident Response - Preparation
Creating plans and establishing procedures for effective response to potential security incidents. ## Footnote Preparation involves creating a plan and establishing procedures for responding to a security incident. This includes identifying the types of incidents that may occur, assigning roles and responsibilities, and gathering the necessary resources. Preparation is important because it helps organizations be better prepared to handle incidents when they occur. For example, a company may create a checklist of steps to take in the event of a cyber-attack or establish a team of experts to handle data breaches. *For more information, view this lecture on [Incident Management - part 1.](https://courses.thorteaches.com/courses/take/cissp/lessons/19180244-incident-management-part-1) Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Computer_security_incident_management#Preparation).*
158
# Define: Incident Response - Recovery
Restoring systems to normal operation after a security incident has been resolved. ## Footnote Recovery involves returning affected systems to normal operation after an incident has been resolved. This may include restoring data, rebuilding systems, or updating software. For example, a company may need to restore data from backups after a ransomware attack or rebuild a server that has been compromised. *For more information, view this lecture on [Incident Management - part 2.](https://courses.thorteaches.com/courses/take/cissp/lessons/34120646-incident-management-part-2) Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Computer_security_incident_management#Recovery).*
159
# Define: Incident Response - Remediation
Correcting issues contributing to an incident, preventing future occurrences, and enhancing security. ## Footnote Remediation involves taking steps to correct any issues that may have contributed to the incident. This may include patching vulnerabilities, improving security controls, or implementing additional training for employees. For example, a company may implement stronger password policies or use antivirus software to prevent future attacks. *For more information, view this lecture on [Incident Management - part 2.](https://courses.thorteaches.com/courses/take/cissp/lessons/34120646-incident-management-part-2) Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Computer_security_incident_management#Recovery).*
160
# Define: Incident Response - Reporting
Documenting a security incident, detailing the impact, actions taken, and potential for improvement, crucial for transparency and accountability. ## Footnote Reporting involves documenting the incident and the actions taken to resolve it. This includes creating a report that describes the details of the incident, the impact on the organization, and the steps taken to mitigate the impact. Reporting is important for tracking the effectiveness of incident response efforts and identifying areas for improvement. For example, a company may create a report outlining the steps taken to handle a data breach, including the number of records affected and the actions taken to prevent future breaches. *For more information, view this lecture on [Incident Management - part 2.](https://courses.thorteaches.com/courses/take/cissp/lessons/34120646-incident-management-part-2) Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Computer_security_incident_management#Lessons_learned).*
161
# Define: Incident Response - Response/Mitigation
Taking actions to address a security incident, reduce its impact, and implement measures to prevent future occurrences. ## Footnote Response refers to the actions taken to address the incident and minimize its impact. This may include isolating affected systems, blocking access to malicious websites, or restoring data from backups. Mitigation involves taking steps to prevent future incidents from occurring, such as patching vulnerabilities or implementing additional security measures. For example, a company may use firewalls to block incoming traffic from known malicious IP addresses or implement two-factor authentication to improve the security of user accounts. *For more information, view this lecture on [Incident Management - part 2.](https://courses.thorteaches.com/courses/take/cissp/lessons/34120646-incident-management-part-2) Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Computer_security_incident_management#Containment).*
162
# Define: Incident Response - Review and Improvement
Evaluating the effectiveness of incident response and implementing improvements to enhance future readiness and response. ## Footnote Review and improvement involves evaluating the effectiveness of the incident response process and making improvements as needed. This may include reviewing the incident response plan, identifying areas for improvement, and implementing changes to enhance the organization's ability to handle future incidents. For example, a company may conduct a review of its incident response plan after a data breach to identify any gaps or weaknesses and make changes to improve its effectiveness. *For more information, view this lecture on [Incident Management - part 2.](https://courses.thorteaches.com/courses/take/cissp/lessons/34120646-incident-management-part-2) Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Computer_security_incident_management#Lessons_learned).*
163
# Define: Incident Response Plan | (IRP)
A predefined set of instructions and procedures that guide an organization's response to a cybersecurity incident. ## Footnote A documented set of procedures and guidelines for how an organization should respond to a security incident. It is used to ensure that all necessary steps are taken in a timely and efficient manner. For example, an IRP may outline the roles and responsibilities of an incident response team, as well as the communication protocols and processes for mitigating the impact of an incident. *For more information, view this lecture on [Incident Management definitions.](https://courses.thorteaches.com/courses/take/cissp/lessons/19180234-incident-management-definitions) Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Computer_security_incident_management#Incident_response_plans).*
164
# Define: Incident Response Team | (IRT)
A group of professionals skilled in handling security incidents, tasked with identifying, mitigating, and resolving cyber threats. ## Footnote A group of individuals trained and equipped to handle security incidents. IRTs are typically composed of IT and security professionals who have the knowledge and expertise to respond to a wide range of security threats. An example of an IRT could be a group of cybersecurity analysts and engineers who are responsible for identifying and mitigating cyberattacks within an organization. *For more information, view this lecture on [Incident Management - part 1.](https://courses.thorteaches.com/courses/take/cissp/lessons/19180244-incident-management-part-1) Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Computer_emergency_response_team).*
165
# Define: Incidents
Events that threaten an organization's information or systems, ranging from data breaches to unauthorized access or outages. ## Footnote An event that poses a potential threat to the confidentiality, integrity, or availability of an organization's information or systems. Incidents can include anything from a data breach to a malware infection to a phishing attack. It is important for organizations to have processes in place to identify and respond to incidents in order to prevent or minimize potential damage. *For more information, view this lecture on [Incident Management definitions](https://courses.thorteaches.com/courses/take/cissp/lessons/19180234-incident-management-definitions).*
166
# Define: Incomplete Parameter Checking
The failure of a software application to fully validate user input, potentially leading to security vulnerabilities. ## Footnote Incomplete parameter checking occurs when a software application does not fully validate user input, which may lead to vulnerabilities such as SQL injection, buffer overflows, or cross-site scripting (XSS). These vulnerabilities can be exploited by attackers to manipulate the application, gain unauthorized access, or compromise data integrity.
167
# Define: Incremental Backup
A backup method capturing only data changes since the last backup, saving time and storage while aiding recovery. ## Footnote A backup strategy that involves creating backups of only the data that has changed since the last backup. This can save time and storage space, as only the changes need to be backed up rather than the entire system. An example of incremental backup might be a system that creates daily backups of only the files that have been modified since the previous day's backup. *For more information, view this lecture on [Backups.](https://courses.thorteaches.com/courses/take/cissp/lessons/19180401-backups) Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Backup#Incremental).*
168
# Define: Indicator
Information indicating potential security threats, aiding in the detection and prevention of unauthorized access or system breaches. ## Footnote A piece of information that can be used to detect or identify a potential security threat. Indicators can come in many forms, including suspicious behavior, unusual network traffic, or specific patterns in data. An example of an indicator might be a sudden increase in login attempts from a specific IP address, which could indicate a brute-force attack.
169
# Define: Internal Security Controls
Measures safeguarding an organization against unauthorized access and data breaches. ## Footnote The measures and safeguards that an organization implements to protect its sensitive data and assets from unauthorized access, use, disclosure, or disruption. It is used in information security, risk management, and compliance. Examples of internal security controls include access control, encryption, and security awareness training.
170
# Define: Interruption Window
A designated period when system updates or critical tasks are performed, potentially disrupting normal operations. ## Footnote An interruption window, often referred to as a maintenance window, is a designated time frame set aside for system updates, backups, or other critical tasks that may disrupt normal operations. Planning these windows during off-peak hours minimizes the potential impact on users and business activities.
171
# Define: Intruder
Someone who attempts unauthorized access to a system or network, potentially causing security breaches or data leaks.

## Footnote

An individual or entity that gains or attempts to gain unauthorized access to a system, network, or data. Intruders can originate from both outside and within an organization and may have various motives, including theft of information, disruption of services, or exploitation of resources for illicit activities. Identifying and responding to potential intruders is a critical part of maintaining security.
172
# Define: Intrusion
Unauthorized access or entry into a computing resource, leading to potential security breaches and data loss.

## Footnote

An act of unauthorized access or entry into a computer system or network. The term is used in the context of cybersecurity to describe attempts by malicious actors to gain access to sensitive data or disrupt normal operations. Examples include hacking, malware, and phishing attacks. *For more information, view this lecture on [Intrusion Detection and Prevention Systems](https://courses.thorteaches.com/courses/take/cissp/lessons/19180266-intrusion-detection-and-prevention-systems).*
173
# Define: Intrusion Detection System | (IDS)
A tool that monitors network or system activities for malicious actions or policy violations.

## Footnote

A device or software application that monitors a network or system for malicious activities or policy violations. These systems work by collecting and analyzing information from various areas within a computer or a network to identify possible security breaches, which include both intrusions (attacks from outside the organization) and misuse (attacks from within the organization). *For more information, view this lecture on [Intrusion Detection and Prevention Systems](https://courses.thorteaches.com/courses/take/cissp/lessons/19180266-intrusion-detection-and-prevention-systems). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Intrusion_detection_system).*
174
# Define: Intrusion Prevention System | (IPS)
An enhanced IDS that not only detects but also blocks or prevents malicious network activities.

## Footnote

A system that not only detects potential security breaches but also takes proactive countermeasures. These systems can automatically block or prevent detected malicious activities, helping to maintain the integrity and security of the network. Their methods can include denying network traffic, redirecting malicious activities, and providing reports of detected threats. *For more information, view this lecture on [Intrusion Detection and Prevention Systems](https://courses.thorteaches.com/courses/take/cissp/lessons/19180266-intrusion-detection-and-prevention-systems). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Intrusion_detection_system#Intrusion_prevention_system).*
175
# Define: Intrusive Monitoring
Close observation of individuals' activities without their knowledge, often for security or surveillance purposes.

## Footnote

The act of closely observing and recording the activities of individuals or groups without their knowledge or consent. The term is used in the context of surveillance and espionage to gather intelligence or evidence. Examples include wiretapping, hidden cameras, and social media monitoring. *For more information, view this lecture on [Intrusion Detection and Prevention Systems](https://courses.thorteaches.com/courses/take/cissp/lessons/19180266-intrusion-detection-and-prevention-systems).*
176
# Define: Investigation
A systematic examination of security incidents or anomalies to understand their cause and impact.

## Footnote

The process of systematically examining a security incident or anomaly to understand its nature, cause, and impact. This can involve analyzing system logs, network traffic, user activity records, and other evidence. Investigations are a critical part of incident response, helping to mitigate current threats, understand their origins, prevent future incidents, and comply with legal and regulatory requirements for incident reporting and analysis. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Investigation).*
177
# Define: IOCs | (Indicators Of Compromise)
IOCs are forensic evidence, such as IP addresses, file hashes, or malicious registry keys, that help detect intrusions or ongoing cyberattacks in an organization's environment.

## Footnote

Security teams regularly scan logs, threat feeds, and endpoints to find these signs of adversarial activity. IOCs provide valuable context for investigating suspicious events, enabling faster containment. Sharing IOCs across industries fortifies collective defenses against known threats. Proper management and real-time matching of IOCs empower defenders to pinpoint malicious activities before they escalate, reducing damage and response times. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Indicators_of_compromise).*
178
# Define: IT Contingency Planning
Preparing for unexpected events affecting critical IT functions or processes, minimizing loss and maintaining security.

## Footnote

The creation of a structured approach for responding to unforeseen incidents that could impact critical functions or processes within an organization. This plan includes procedures and information that help an organization recover from a disruptive event while minimizing loss and maintaining security. Key elements include disaster recovery plans, emergency mode operation plans, and data backup plans. *For more information, view this lecture on [BCP and DRP - Part 1](https://courses.thorteaches.com/courses/take/cissp/lessons/19180431-bcp-and-drp-part-1). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Business_continuity_planning).*
179
# Define: IT Incident
An event impacting IT systems, from unauthorized access to system outages, requiring detection and response.

## Footnote

Any unexpected or undesirable event that threatens the confidentiality, integrity, or availability of an organization's systems or data. Incidents can range from unauthorized access and system outages to data breaches, and effective incident response depends on prompt detection, assessment, containment, eradication, and recovery. *For more information, view this lecture on [Incident Management Definitions](https://courses.thorteaches.com/courses/take/cissp/lessons/19180234-incident-management-definitions). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Computer_security_incident_management).*
180
# Define: IT-Related Incident
An event affecting IT systems' confidentiality, integrity, or availability, requiring response measures.

## Footnote

An event or occurrence that impacts the availability, confidentiality, or integrity of an organization's information technology systems. It can be caused by natural disasters, cyber-attacks, human error, or equipment failure. The term is used in incident response and disaster recovery planning. Examples include a ransomware attack, a power outage, or a server crash. *For more information, view this lecture on [Incident Management Definitions](https://courses.thorteaches.com/courses/take/cissp/lessons/19180234-incident-management-definitions).*