Incident Response, Disaster Recovery, and Continuity of Operations Flashcards
What is the term used to describe the steps an organization performs after any situation determined to be abnormal in the operation of a computer system?
Computer/network penetration incident plan
Incident response plan
Backup restoration and reconfiguration
Incident response plan
Incident response plan is the term used to describe the steps an organization performs in response to any situation determined to be abnormal in the operation of a computer system.
Two major elements play a role in determining the level of response to an incident. Information criticality is the primary determinant. What is the other?
Information sensitivity or the classification of the data
The value of any data lost in the incident
How the incident potentially affects the organization’s operations
How the incident potentially affects the organization’s operations
The second factor is a business decision about how the incident affects current business operations. Even a series of minor breaches indicates a pattern that can create public relations and regulatory problems
The designated group of personnel who will respond to an incident is called which of the following?
Incident response red team
Cyber-emergency response group
Cyber-incident response team
Cyber-incident response team
The designated group of personnel who will respond to an incident is known as the cyber-incident response team
Which phase of the incident response process occurs before an actual incident?
Preparation
Identification
Containment
Preparation
Preparation is the phase of incident response that occurs before a specific incident. Preparation includes all the tasks needed to be organized and ready to respond to an incident. The act of identification is coming to a decision that the information related to the incident is worthy of further investigation by the IR team. Containment is the set of actions taken to constrain the incident to the minimal number of machines. Prevention is not a phase of the incident response process
Which phase of the incident response process involves removing the problem?
Identification
Eradication
Recovery
Eradication
Eradication involves removing the problem, and in today’s complex system environment, this may mean rebuilding a clean machine. The act of identification is coming to a decision that the information related to the incident is worthy of further investigation by the IR team. The recovery process includes the steps necessary to return the systems and applications to operational status. Mitigation is not a phase in the incident response process
In which phase of the incident response process are actions taken to constrain the incident to the minimal number of machines?
Identification
Containment
Recovery
Containment
Containment is the set of actions taken to constrain the incident to the minimal number of machines. Eradication involves removing the problem, and in today’s complex system environment, this may mean rebuilding a clean machine. The act of identification is coming to a decision that the information related to the incident is worthy of further investigation by the IR team. The recovery process includes the steps necessary to return the systems and applications to operational status
Which of the following is a fully configured environment similar to the normal operating environment that can be operational immediately or within a few hours depending on its configuration and the needs of the organization?
Cold site
Warm site
Hot site
Hot site
A hot site is a fully configured environment similar to the normal operating environment that can be operational immediately or within a few hours depending on its configuration and the needs of the organization. A cold site will have the basic environmental controls necessary to operate but few of the computing components necessary for processing. A warm site is partially configured, usually having the peripherals and software but perhaps not the more expensive main processing computer. A recovery site is any location where restoration of services would take place, whether cold, warm, or hot
Which of the following is a partially configured location, usually having the peripherals and software but perhaps not a more expensive main processing computer?
Cold site
Warm site
Hot site
Warm site
A warm site is partially configured, usually having the peripherals and software but perhaps not the more expensive main processing computer. A cold site will have the basic environmental controls necessary to operate but few of the computing components necessary for processing. A hot site is a fully configured environment similar to the normal operating environment that can be operational immediately or within a few hours depending on its configuration and the needs of the organization. A recovery site is any location where restoration of services would take place, whether cold, warm, or hot
Which of the following are considerations for an organization’s data backup strategy? (Choose all that apply.)
How frequently backups should be conducted
How extensive backups need to be
Where the backups will be stored
How long the backups will be kept
How frequently backups should be conducted
How extensive backups need to be
Where the backups will be stored
How long the backups will be kept
All of these are considerations for an organization’s data backup strategy
Which backup strategy includes only the files and software that have changed since the last full backup?
Incremental
Snapshot
Differential
Differential
In a differential backup, only the files and software that have changed since the last full backup was completed are backed up. An incremental backup is a variation on the differential: instead of copying everything that has changed since the last full backup, it copies only the files that have changed since the last backup of any kind (full or incremental), so each set contains fewer files. In a full backup, all files and software are copied onto the storage media. Snapshots are point-in-time copies of virtual machines
Which backup strategy focuses on copies of virtual machines?
Incremental
Full
Snapshot
Snapshot
Snapshots are point-in-time copies of virtual machines. An incremental backup is a variation on the differential: instead of copying everything that has changed since the last full backup, it copies only the files that have changed since the last backup of any kind (full or incremental), so each set contains fewer files. In a full backup, all files and software are copied onto the storage media. In a differential backup, only the files and software that have changed since the last full backup was completed are backed up
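The two cards above describe full, differential and incremental backups in words; the following Python is an added worked example (not part of the flashcard set) that models the three strategies on a constructed change history so you can see exactly which files each strategy copies and, just as important for recovery, how many backup sets a restore needs. The file names, the day numbering and the helper names are assumptions made for the example; the model also deliberately ignores file deletions, which is noted in the code because it is the classic way a naive restore resurrects data.

```python
"""Worked model of full, differential and incremental backups.

Added example, not code from the flashcard set. The file system is modelled as a
list of (day, filename) write events; one backup runs at the end of each day.
"""
from dataclasses import dataclass

# Constructed sample history: (day, filename) means `filename` was written on `day`.
SAMPLE_CHANGES = [
    (0, "a.txt"), (0, "b.txt"), (0, "c.txt"),   # day 0: initial files
    (1, "a.txt"),                               # day 1: a changes
    (2, "b.txt"),                               # day 2: b changes
    (3, "a.txt"),                               # day 3: a changes again
]


@dataclass
class BackupSet:
    kind: str    # "full", "differential" or "incremental"
    day: int     # day the backup ran (end of day)
    files: dict  # filename -> modification day captured in this set


def state_at(changes, day):
    """File system contents at the end of `day`: filename -> latest modification day."""
    state = {}
    for d, name in changes:
        if d <= day:
            state[name] = max(d, state.get(name, d))
    return state


def plan_backups(changes, days, strategy):
    """Run one backup at the end of each day in `days`; the first is always a full.

    differential: copy files modified since the last FULL backup
    incremental:  copy files modified since the last backup of ANY kind
    """
    sets, last_full, last_any = [], None, None
    for day in days:
        current = state_at(changes, day)
        if last_full is None:
            kind, since = "full", -1
        elif strategy == "differential":
            kind, since = "differential", last_full
        elif strategy == "incremental":
            kind, since = "incremental", last_any
        else:
            raise ValueError(f"unknown strategy {strategy!r}")
        files = {name: mtime for name, mtime in current.items() if mtime > since}
        sets.append(BackupSet(kind, day, files))
        last_any = day
        if kind == "full":
            last_full = day
    return sets


def restore_chain(sets, target_day):
    """Backup sets needed to rebuild the state at `target_day`, oldest first."""
    usable = [s for s in sets if s.day <= target_day]
    full = max((s for s in usable if s.kind == "full"), key=lambda s: s.day)
    after = [s for s in usable if s.day > full.day]
    if not after:
        return [full]
    if after[-1].kind == "differential":
        return [full, after[-1]]   # the latest differential supersedes earlier ones
    return [full] + after          # every incremental since the full is required


def restore(sets, target_day):
    """Replay the chain. NOTE: this simple model never records deletions, so a
    file removed after the full backup would be resurrected here; real backup
    tools track deletions in their catalog for exactly this reason."""
    state = {}
    for s in restore_chain(sets, target_day):
        state.update(s.files)
    return state


if __name__ == "__main__":
    days = [0, 1, 2, 3]
    for strategy in ("differential", "incremental"):
        sets = plan_backups(SAMPLE_CHANGES, days, strategy)
        print(strategy)
        for s in sets:
            print(f"  day {s.day} {s.kind:<12} copies {sorted(s.files)}")
        chain = restore_chain(sets, 3)
        print(f"  restore to day 3 needs {len(chain)} set(s); "
              f"matches live state: {restore(sets, 3) == state_at(SAMPLE_CHANGES, 3)}")
```

Running it shows the trade-off the cards describe: the differential sets grow (a; a,b; a,b) but a restore needs only the full plus the latest differential, while the incremental sets stay small (a; b; a) but a restore needs the full plus every incremental since it, so losing any one set in the middle of the chain breaks the restore.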
When discussing location for storage of backups, which of the following is true? (Choose all that apply.)
The most recent copy should be stored off-site, as it is the one that is most current and is thus the most valuable one.
Off-site storage is generally not necessary except in cases where the possibility of a break-in at the main facility is high.
Off-site storage is a good idea so that you don’t lose your backup to the same event that caused you to lose your operational data and thus need the backup.
The most recent copy can be stored locally, as it is the most likely to be needed, while other copies can be kept at other locations.
Off-site storage is a good idea so that you don’t lose your backup to the same event that caused you to lose your operational data and thus need the backup.
The most recent copy can be stored locally, as it is the most likely to be needed, while other copies can be kept at other locations.
Off-site storage is a good idea so that you don’t lose your backup to the same event that caused you to lose your operational data and thus need the backup. Additionally, the most recent copy can be stored locally, as it is the most likely to be needed, while other copies can be kept at other locations
What is the term used to describe the requirement where some countries have enacted laws stating that certain types of data must be stored within their boundaries?
Data sovereignty
International privacy rights
National data protection rights
Data sovereignty
Data sovereignty is a relatively new phenomenon: in recent years several countries have enacted laws stating that certain types of data must be stored within their boundaries. The other terms do not describe any actual situation
What is the term for the set of steps needed to develop a comprehensive plan to enact during a situation where normal operations are interrupted?
Disaster recovery
Continuity of operations planning
Incident response planning
Continuity of operations planning
Continuity of operations planning is the set of steps needed to develop a comprehensive plan to enact during a situation where normal operations are interrupted. Disaster recovery is the process that an organization uses to recover from events that disrupt normal operations. An incident response plan describes the steps an organization performs in response to any situation determined to be abnormal in the operation of a computer system. Restoration of business functions planning is not a standard term used in recovery planning
What is the name of the process for moving from a normal operational capability to the continuity-of-operations version of the business?
Disaster recovery
Alternate business practices
Failover
Failover
Failover is the process for moving from a normal operational capability to the continuity-of-operations version of the business. Disaster recovery is the process that an organization uses to recover from events that disrupt normal operations. Alternate business practices are developed in recognition that processes may need to be different in a continuity of operations situation since the focus is only on maintaining key systems. Continuity of business functions is not a term used in industry