|
Full Book |
https://www.dropbox.com/s/5toa4ljjcyjkvlj/Principles_Of_Incident_Response_Disaster_Recovery_2nd_Ed.pdf?dl=0 |
|
A recommended practice for the implementation of the physical IR plan is to select a ____ binder. |
red |
|
____ is the process of systematically examining information assets for evidentiary material that can provide insight into how an incident transpired. |
Forensics analysis |
|
One of the primary responsibilities of the IRP team is to ensure that the ____ is prepared to respond to each incident it may face. |
CSIRT |
|
Should an incident begin to escalate, the CSIRT team leader continues to add resources and skill sets as necessary to attempt to contain and terminate the incident. The resulting team is called the ____ for this particular incident. |
reaction force |
|
A ____ is commonly a single device or server that attaches to a network and uses TCP/IP-based protocols and communications methods to provide an online storage environment. |
network-attached storage |
|
Incident analysis resources include network diagrams and lists of ____, such as database servers. |
critical assets |
|
The ____ of an organization defines the roles and responsibilities for incident response for the CSIRT and others who will be mobilized in the activation of the plan. |
IR policy |
|
When using virtualization, it is commonplace to use the term ____ to refer to a virtualized environment operating in or on a host platform. |
virtual machine |
|
____ uses a number of hard drives to store information across multiple drive units. |
RAID |
|
The U.S. National Institute of Standards and Technology recommends a set of tools for the CSIRT including incident reporting mechanisms with which users can report suspected incidents. At least one of these mechanisms should permit people to report incidents ____. |
anonymously |
|
A ____ is an agency that provides physical facilities in the event of a disaster for a fee. |
service bureau |
|
A(n) ____ is an agreement in which the client agrees not to use the vendor’s services to compete directly with the vendor, and for the client not to use vendor information to gain a better deal with another vendor. |
covenant not to compete |
|
Considered to be the traditional "lock and copy" approach to database backup, _____ require the database to be inaccessible while a backup is created to a local drive. |
legacy backup applications |
|
The training delivery method with the lowest cost to the organization is ____. |
self-study (noncomputerized) |
|
RAID 0 creates one logical volume across several available hard disk drives and stores the data using ____, in which data segments are written in turn to each disk drive in the array. |
disk striping |
|
There are several national training programs that focus on incident response tools and techniques. |
True |
|
A recommended practice for implementation of a physical IR plan document is to attach copies of relevant documents such as service agreements for the ISP, telephone, water, gas, etc. |
True |
|
Both data backups and archives should be based on a(n) ____ schedule that guides the frequency of replacement and the duration of storage. |
retention |
|
The ____ Department of an organization needs to review the procedures of the CSIRT and understand the steps the CSIRT will perform to ensure it is within legal and ethical guidelines for the municipal, state, and federal jurisdictions. |
Legal |
|
A potential disadvantage of a ____ site-resumption strategy is that more than one organization might need the facility simultaneously. |
time-share |
|
A resumption location known as a ____ is a fully configured computer facility capable of establishing operations at a moment’s notice. |
hot site |
|
E-mail spoofing attacks require an immediate response, typically no more than 30 minutes to one hour. |
False |
|
A(n) ____ covers the confidentiality of information from everyone unless disclosure is mandated by the courts. |
nondisclosure agreement |
|
A(n) ____ is a detailed examination of the events that occurred, from first detection of an incident to final recovery. |
after-action review |
|
A(n) ____ is a CSIRT team member, other than the team leader, who is currently performing the responsibilities of the team leader in scanning the organization’s information infrastructure for signs of an incident. |
IR duty officer |
|
Database shadowing techniques are generally used in organizations that do not need immediate data recovery after an incident or disaster. |
False |
|
RAID is an acronym for Redundant Array of Incident-Recovery Drives. |
False |
|
A recommended practice for the implementation of the physical IR plan document is to organize the contents so that the first page contains the ____ actions. |
"during attack" |
|
General users require training on the technical details of how to do their jobs securely, including good security practices, ____ management, specialized access controls, and violation reporting. |
password |
|
A(n) ____ is an extension of an organization’s intranet into cloud computing. |
private cloud |
|
A ____ is a contractual document guaranteeing certain minimal levels of service provided by a vendor. |
service agreement |
|
The Southeast Collegiate Cyber Defense Competition is unique in that it focuses on the operational aspect of managing and protecting an existing network infrastructure. Unlike "capture-the-flag " exercises, this competition is exclusively a real-world ____ competition. |
defensive |
|
One real-time protection and data backup strategy is the use of mirroring. |
True |
|
Some data is required by law to be retained and stored for years. |
True |
|
A(n) ____ is often included in legal documents to ensure that a vendor is not liable for actions taken by a client. |
statement of indemnification |
|
A favorite pastime of information security professionals is ____, which is a simulation of attack and defense activities using realistic networks and information systems. |
war gaming |
|
In contingency planning, an adverse event that threatens the security of an organization’s information is called a(n) ____. |
incident |
|
Some recovery strategies seek to improve the ____ of a server or system in addition to, or instead of, performing backups of data. |
robustness |
|
Advances in cloud computing have opened a new field in application redundancy and backup. Because organizations that lease ____ are in effect using a preconfigured set of applications on someone else’s systems, it is reasonable to ask that the service agreement include contingencies for recovery. |
SaaS |
|
In computer-based training settings, trainees receive a seminar presentation at their computers. |
False |
|
____ are used for recovery from disasters that threaten on-site backups. |
Data archives |
|
Regardless of which IR model an organization chooses, multiple employees should be in charge of incident response. |
False |
|
As soon as the CSIRT is able to determine what exactly is happening, it is expected to report its preliminary finding to management. |
True |
|
The focus during a(n) ____ is on learning what worked, what didn’t, and where communications and response procedures may have failed. |
after action review |
|
The ____ flow of information needed from the CSIRT to organizational and IT/InfoSec management is a critical communication requirement. |
upward |
|
One of the first signals that an organization is making progress in the development of its IR program, specifically in the development of its CSIRT, is a dramatic drop in the number of identified incidents. |
False |
|
The determination of what systems fall under the CSIRT ‘s responsibility is called its ____. |
scope of operations |
|
One way to build and maintain staff skills is to develop incident-handling ____ and have the team members discuss how they would handle them. |
scenarios |
|
The CSIRT is also known as the IR Reaction Team. |
True |
|
The CSIRT should be available for contact by anyone who discovers or suspects that an incident involving the organization has occurred. Some organizations prefer that employees contact a ____, which then makes the determination as to whether to contact the CSIRT or not. |
help desk |
|
The involvement of the CSIRT in incident response typically starts with prevention. |
False |
|
A CSIRT model that is effective for large organizations and for organizations with major computing resources at distant locations is the ____. |
distributed CSIRT |
|
The announcement of an operational CSIRT should minimally include ____. |
contact methods and numbers |
|
The organization must first understand what skills are needed to effectively respond to an incident. If necessary, management must determine if it is willing to acquire needed ____ to fill in the gaps. |
personnel |
|
The first step in building a CSIRT is to ____. |
obtain management support and buy-in |
|
A(n) ____ is a sign that an activity now occurring may signal an incident that could occur in the future. |
precursor |
|
When an organization completely outsources its IR work, typically to an on-site contractor, it is called a(n) ____ model. |
fully outsourced |
|
The process of evaluating the circumstances around organizational events includes determining which adverse events are possible incidents, or ____. |
incident candidates |
|
A(n) ____ is any system resource that is placed onto a functional system but has no normal use for that system. If it attracts attention, it is from unauthorized access and will trigger a notification or response. |
honeytoken |
|
Giving the IR team the responsibility for ____ is generally not recommended. |
patch management |
|
A(n) ____ is the set of rules and configuration guidelines governing the implementation and operation of IDPSs within the organization. |
site policy |
|
The use of IDPS sensors and analysis systems can be quite complex. One very common approach is to use an open source software program called ____ running on an open source UNIX or Linux system that can be managed and queried from a desktop computer using a client interface. |
snort |
|
In an attack known as ____, valid protocol packets exploit poorly configured DNS servers to inject false information to corrupt the servers’ answers to routine DNS queries from other systems on that network. |
DNS cache poisoning |
|
A(n) ____ , a type of IDPS that is similar to the NIDPS, reviews the log files generated by servers, network devices, and even other IDPSs. |
log file monitor |
|
If an intruder can ____ a device, then no electronic protection can deter the loss of information. |
physically access |
|
A CSIRT model in which a single CSIRT handles incidents throughout the organization is called a(n) ____. |
central CSIRT |
|
According the to NIST definition of an event as "any observable occurrence in a system or network," all events are computer or network oriented. |
False |
|
The ____ of a hub, switch or other networking device is a specially configured connection that is capable of viewing all the traffic that moves through the entire device. |
monitoring port |
|
New systems can respond to an incident threat autonomously, based on preconfigured options that go beyond simple defensive actions usually associated with IDPS and IPS systems. These systems, referred to as ____, use a combination of resources to detect an intrusion and then to trace the intrusion back to its source. |
trap and trace |
|
Most organizations will find themselves awash in incident candidates at one time or another, and the vast majority will be ____. |
false positives |
|
Those services undertaken to prepare the organization or the CSIRT constituents to protect and secure systems in anticipation of problems, attacks, or other events are called ____. |
proactive services |
|
Many attacks come through ports and then attack legitimate processes to allow themselves access or to conduct subsequent attacks. |
True |
|
The CSIRT must have a clear and concise ____ statement that, in a few sentences, unambiguously articulates what it will do. |
mission |
|
The ____ is a federal law that creates a general prohibition on the realtime monitoring of traffic data relating to communications. |
Pen/Trap Statute |
|
The Windows Task Manager can be used to seek out Trojan programs on Microsoft Windows computers. |
False |
|
____ are closely monitored network decoys serving that can distract adversaries from more valuable machines on a network; can provide early warning about new attack and exploitation trends; and can allow in-depth examination of adversaries during and after exploitation. |
Honeypots |
|
Those services performed in response to a request or a defined event such as a help desk alert are called ____. |
reactive services |
|
The ____ approach for detecting intrusions is based on the frequency with which certain network activities take place. |
anomaly-based IDPS |
|
To help make the detection of actual incidents more reliable, there are three broad categories of incident indicators that have been identified: possible, probable, and definite. |
True |
|
The first group to communicate the CSIRT’s vision and operational plan is the managerial team or individual serving as the ____. |
champion |
|
____ is a valuable resource for additional information on building and staffing CSIRTs. |
NIST |
|
The task of monitoring file systems for unauthorized change is best performed by using a(n) ____. |
HIDPS |
|
The champion for the CSIRT may be the same person as the champion for the entire IR function—typically, the ____. |
chief information officer |
|
Using a process known as ____, network-based IDPSs look for attack patterns by comparing measured activity to known signatures in their knowledge base to determine whether or not an attack has occurred or may be under way. |
signature matching |
|
Information assets have ____ when authorized users – persons or computer systems – are able to access them in the specified format without interference or obstruction. |
availability |
|
A ____ attack seeks to deny legitimate users access to services by either tying up a server’s available resources or causing it to shut down. |
DoS |
|
A ____ deals with the preparation for and recovery from a disaster, whether natural or man-made. |
disaster recovery plan |
|
A(n) ____ is an object, person, or other entity that is a potential risk of loss to an asset. |
threat |
|
____ is the risk control approach that attempts to reduce the impact caused by the exploitation of vulnerability through planning and preparation. |
Mitigation |
|
____ hack systems to conduct terrorist activities through network or Internet pathways. |
Cyberterrorists |
|
____ assigns a risk rating or score to each information asset. Although this number does not mean anything in absolute terms, it is useful in gauging the relative risk to each vulnerable information asset and facilitates the development of comparative ratings later in the risk control process. |
Risk assessment |
|
Information assets have ____ when they are not exposed (while being stored, processed, or transmitted) to corruption, damage, destruction, or other disruption of their authentic states. |
integrity |
|
____ of risk is the choice to do nothing to protect an information asset and to accept the outcome of its potential exploitation. |
Acceptance |
|
A ____ is a document that describes how, in the event of a disaster, critical business functions continue at an alternate location while the organization recovers its ability to function at the primary site. |
business continuity plan |
|
____ is the process of moving an organization toward its vision. |
Strategic planning |
|
A(n) ____ is any clearly identified attack on the organization’s information assets that would threaten the assets’ confidentiality, integrity, or availability. |
incident |
|
____ is the process of examining, documenting, and assessing the security posture of an organization’s information technology and the risks it faces. |
Risk identification |
|
The vision of an organization is a written statement of an organization’s purpose. |
False |
|
____ ensures that only those with the rights and privileges to access information are able to do so. |
Confidentiality |
|
The ____ is an investigation and assessment of the impact that various events or incidents can have on the organization. |
business impact analysis |
|
Intellectual property (IP) includes trade secrets, copyrights, trademarks, and patents. |
True |
|
An manual alternative to the normal way of accomplishing an IT task might be employed in the event that IT is unavailable. This is called a ____. |
work-around procedure |
|
The ____ is the point in time by which systems and data must be recovered after an outage as determined by the business unit. |
recovery point objective |
|
An enterprise information security policy (EISP) addresses specific areas of technology and contains a statement on the organization’s position on each specific area. |
False |
|
To a large extent, incident response capabilities are part of a normal IT budget. The only area in which additional budgeting is absolutely required for incident response is the maintenance of ____. |
redundant equipment |
|
The recovery time objective (RTO) downtime metric is the defined as the point in time to which lost systems and data can be recovered after an outage as determined by the business unit. |
False |
|
The ____ job functions and organizational roles focus on costs of system creation and operation, ease of use for system users, timeliness of system creation, and transaction response time. |
information technology management and professionals |
|
____ (sometimes referred to as avoidance) is the risk control strategy that attempts to prevent the exploitation of a vulnerability. |
Defense |
|
An asset can be logical, such as a Web site, information, or data; or an asset can be physical, such as a person, computer system, or other tangible object. |
True |
|
A weighted analysis table can be useful in resolving the issue of which business function is the most critical to the organization. |
True |
|
One modeling technique drawn from systems analysis and design that can provide an excellent way to illustrate how a business functions is a(n) ____.: |
collaboration diagram |
|
The elements required to begin the ____ process are a planning methodology; a policy environment to enable the planning process; an understanding of the causes and effects of core precursor activities, and access to financial and other resources. |
contingency planning |
|
A(n) ____ is used to anticipate, react to, and recover from events that threaten the security of information and information assets in an organization; it is also used to restore the organization to normal modes of business operations; |
contingency plan |
|
A(n) ____ is a plan or course of action used by an organization to convey instructions from its senior management to those who make decisions, take actions, and perform other duties on behalf of the organization. |
policy |
|
The ____ job functions and organizational roles focus on protecting the organization’s information systems and stored information from attacks. |
information security management and professionals |
|
Effective contingency planning begins with effective policy. |
True |
|
A(n) ____ is an investigation and assessment of the impact that various attacks can have on the organization. |
business impact analysis (BIA) |
|
The ____ is the period of time within which systems, applications, or functions must be recovered after an outage. |
recovery time objective |
|
The ____ illustrates the most critical characteristics of information and has been the industry standard for computer security since the development of the mainframe. |
C.I.A. triangle |
|
Team leaders from the subordinate teams, including the IR, DR, and BC teams, should not be included in the CPMT. |
False |
|
The ____ is used to collect information directly from the end users and business managers. |
facilitated data-gathering session |
|
What is a common approach used in the discipline of systems analysis and design to understand the ways systems operate and to chart process flows and interdependency studies? |
systems diagramming |
|
The last stage of a business impact analysis is prioritizing the resources associated with the ____, which brings a better understanding of what must be recovered first. |
mission/business processes |
|
A CPMT should include _____ who can oversee the security planning of the project and provide information on threats, vulnerabilities, and recovery requirements needed in the planning process. |
information security managers |
|
In a CPMT, a(n) ____ leads the project to make sure a sound project planning process is used, a complete and useful project plan is developed, and project resources are prudently managed. |
project manager |
|
In a CPMT, a(n) ____ should be a high-level manager with influence and resources that can be used to support the project team, promote the objectives of the CP project, and endorse the results that come from the combined effort. |
champion |
|
The purpose of the ____ is to define the scope of the CP operations and establish managerial intent with regard to timetables for response to incidents, recovery from disasters, and reestablishment of operations for continuity. |
contingency planning policy |
|
____ is a risk control approach that attempts to shift the risk to other assets, other processes, or other organizations. |
Transference |
|
The final component to the CPMT planning process is to deal with ____. |
budgeting for contingency operations |
|
Which of the following collects and provides reports on failed login attempts, probes, scans, denial-of-service attacks, and detected malware? |
system logs |
|
The IR plan is usually ____ when an incident causes minimal damage with little or no disruption to business operations. |
activated |
|
A key step in the ____ approach to incident response is to discover the identify of the intruder while documenting his or her activity. |
apprehend and prosecute |
|
The ongoing activity from alarm events that are accurate and noteworthy but not necessarily significant as potentially successful attacks is called ____. |
noise |
|
The committees of the CPMT follow a set of general stages to develop their subordinate plans. In the case of incident planning, the first stage is to ____. |
form the IR planning committee |
|
The U.S. National Institute of Standards and Technology defines the incident response life cycle as having four main processes: 1) preparation; 2) detection and analysis; 3) containment, eradication, and recovery; and 4) ____. |
post-incident activity |
|
Companies may want to consider budgeting for contributions to employee loss expenses (such as funerals) as well as for counseling services for employees and loved ones as part of ____. |
crisis management budgeting |
|
In the event that a definite indicator is recognized, the corresponding ____ must be activated immediately. |
IR plan |
|
According the to NIST definition of an event as "any observable occurrence in a system or network," all events are computer or network oriented. |
False |
|
A Disaster Recovery Plan (DR plan) deals with identifying, classifying, responding to, and recovering from an incident. |
False |
|
For recovery from an incident (as opposed to a disaster), archives are used as the most common solution. |
False |
|
A business impact analysis (BIA) identifies threats, vulnerabilities, and potential attacks to determine what controls can protect the information. |
False |
|
According to the 2010/2011 Computer Crime and Security Survey, ____ is "the most commonly seen attack, with 67.1 percent of respondents reporting it." |
malware infection |
|
Known as ____, procedures for regaining control of systems and restoring operations to normalcy are the heart of the IR plan and the CSIRT’s operations. |
IR reaction strategies |
|
Automated IR systems to facilitate IR documentation are available through a number of vendors. |
True |
|
Many practitioners feel that a system, once compromised, can never be restored to a trusted state. |
True |
|
When an alert warns of new malicious code that targets software used by an organization, the first response should be to research the new virus to determine whether it is ____. |
real |
|
The number-one IU preparation-and-prevention strategy is ____. |
organizational policy |
|
Clifford Stoll’s book, ____, provides an excellent story about a real-world incident that turned into an international tale of espionage and intrigue. |
The Cuckoo’s Egg |
|
The CSIRT may not wish to "tip off" attackers that they have been detected, especially if the organization is following a(n) ____ approach. |
apprehend and prosecute |
|
Essentially a DoS attack, a ____ is a message aimed at causing organizational users to waste time reacting to a nonexistent malware threat. |
malware hoax |
|
If a user receives a message whose tone and terminology seems intended to invoke a panic or sense of urgency, it may be a(n) ____. |
hoax |
|
____ is a common indicator of a DoS attack. |
User reports of system unavailability |
|
According to NIST, which of the following is an example of a UA attack? |
Modifying Web-based content without permission |
|
A ____ is a small quantity of data kept by a Web site as a means of recording that a system has visited that Web site. |
cookie |
|
A ____ attack is much more substantial than a DoS attack because of the use of multiple systems to simultaneously attack a single target. |
distributed denial-of-service |
|
Because it is possible for investigators to confuse the suspect and destination disks when performing imaging, and to preclude any grounds for challenging the image output, it is common practice to protect the suspect media using a ____. |
write blocker |
|
The laws governing search and seizure in the public sector are much more straightforward than those in the private sector. |
False |
|
A continuously changing process presents challenges in acquisition, as there is not a fixed state that can be collected, hashed, and so forth. This has given rise to the concept of ____ forensics which captures a point-in-time picture of a process. |
snapshot |
|
Ignorance of policy is a legal excuse for an employee. |
True |
|
A forensics team typically uses two methods to document a scene as it exists at the time of arrival: photography and ____. |
field notes |
|
The forensic tool ____ does extensive pre-processing of evidence items that recovers deleted files and extracts e-mail messages. |
Forensic Toolkit (FTK) |
|
A search is constitutional if it does not violate a person’s reasonable or legitimate____. |
expectation of privacy |
|
The legal decision that establishes the start point for "warrantless" workplace searches is the Supreme Court’s complex ruling in ____. |
O’Connor v. Ortega |
|
Many private sector organizations require a formal statement, called a(n) ____, which provides search authorization and furnishes much of the same information usually found in a public sector search warrant. |
affidavit |
|
____ is the determination of the initial flaw or vulnerability that allowed an incident to occur. |
Root cause analysis |
|
The ____ handles computer crimes that are categorized as felonies. |
FBI |
|
Forensic investigators use ____ copying when making a forensic image of a device, which reads a sector (or block; 512 bytes on most devices) from the source drive and writes it to the target drive; this process continues until all sectors on the suspect drive have been copied. |
bitstream |
|
Within the private sector, the Supreme Court stated, "Every warrantless workplace search must be evaluated carefully on its facts. In general, however, law enforcement officers can conduct a warrantless search of private (i.e., nongovernment) workplaces only if the officers obtain the consent of either the employer or another employee with common authority over the area searched." |
True |
|
____ is defined as the search for, collection, and review of items stored in electronic (or, more precisely, digital) format that are of potential evidentiary value based on criteria specified by a legal team. |
eDiscovery |
|
The stability of information over time is called its ____. |
volatility |
|
In evidence handling, specifically designed ____ are helpful because they are very difficult to remove without breaking. |
evidence seals |
|
When an incident includes a breach of physical security, all aspects of physical security should be escalated under a containment strategy known as ____. |
lockdown |
|
A(n) ____ attack is a method of combining attacks with rootkits and back doors. |
hybrid |
|
____ is used both for intrusion analysis and as part of evidence collection and analysis. |
Forensics |
|
In general, a law enforcement organization can become the target of a retaliatory lawsuit for damages arising from an investigation that proves to be groundless. |
False |
|
To analyze evidence, the original is obtained from storage, a copy of the evidence is made for analysis, and the original is returned to storage, because it is crucial that the analysis never takes place on the original evidence. |
True |
|
One way to identify a particular digital item (collection of bits) is by means of a(n) ____. |
cryptographic hash |
|
The ____ is a detailed examination of the events that occurred, from first detection to final recovery. |
after-action review |
|
Most digital forensic teams have a prepacked field kit, also known as a(n) ____. |
jump bag |
|
Many malware attacks are ____ attacks, which involve more than one type of malware and/or more than one type of transmission method. |
blended |
|
In a "block" containment strategy, in which the attacker’s path into the environment is disrupted, you should use the most precise strategy possible, starting with ____. |
blocking a specific IP address |
|
There are a number of professional IR agencies, such as ____, that can provide additional resources to help prevent and detect DoS incidents. |
US-CERT |
|
Grounds for challenging the results of a digital investigation can come from possible ____—that is, alleging that the relevant evidence came from somewhere else or was somehow tainted in the collection process. |
contamination |
|
Once a compromised system is disconnected, it is safe from further damage. |
False |
|
____ incidents are predominantly characterized as a violation of policy rather than an effort to abuse existing systems. |
Inappropriate use |
|
The functional part of forensics called ____ is about assessing the "scene," identifying the sources of relevant digital information, and preserving it for later analysis using sound processes. |
first response |
|
Which of the following is the most suitable as a response strategy for malware outbreaks? |
Blocking known attackers |
|
____ may be caused by earthquakes, floods, storm winds, tornadoes, or mud flows. |
Rapid onset disasters |
|
____ are those that occur suddenly, with little warning, taking the lives of people and destroying the means of production. |
Rapid onset disasters |
|
Deciding which technical contingency strategies are selected, developed, and implemented is most often based on the type of ____ being used. |
information system |
|
____ are highly probable when infected machines are brought back online or when other infected computers that may have been offline at the time of the attack are brought back up. |
Follow-on incidents |
|
In disaster recovery, the ____ is the point at which a management decision to react is made in reaction to a notice or other datum such as a weather report or an activity report from IT indicating the escalation of an incident. |
trigger |
|
Once the incident has been contained, and all signs of the incident removed, the ____ phase begins. |
actions after |
|
The part of a disaster recovery policy that identifies the organizational units and groups of employees to which the policy applies is called the ____ section. |
scope |
|
A ____ is a collection of nodes in which the segments are geographically dispersed and the physical link is often a data communications channel provided by a public carrier. |
WAN |
|
The purpose of the disaster recovery program is to provide for the direction and guidance of all disaster recovery operations. |
True |
|
An ____ may escalate into a disaster when it grows in scope and intensity. |
incident |
|
Over 90 percent of organizations that experienced disruption at a data center lasting 10 days or longer were forced into bankruptcy within one year. |
True |
|
In disaster recovery, most triggers occur in response to one or another natural event. |
True |
|
A DR plan addendum should include the trigger, the ____ method, and the response time associated with each disaster situation. |
notification |
|
____ disasters include acts of terrorism and acts of war. |
Man-made |
|
____ occur over time and slowly deteriorate the organization’s capacity to withstand their effects. |
Slow onset disasters |
|
The ____ team is responsible for recovering and reestablishing operations of critical business applications. |
applications recovery |
|
The ____ involves providing copies of the DR plan to all teams and team members for review. |
DR plan desk check |
|
The ____ team is responsible for providing any needed supplies, space, materials, food, services, or facilities needed at the primary site other than vendor-acquired technology and other material obtained by the vendor team. |
logistics |
|
The ____ team is primarily responsible for data restoration and recovery. |
data management |
|
A(n) ____ occurs when a situation results in service disruptions for weeks or months, requiring a government to declare a state of emergency. |
worst-case scenario |
|
The ____ team is responsible for reestablishing connectivity between systems and to the Internet. |
network recovery |
|
The ____ team is responsible for working with the remainder of the organization to assist in the recovery of nontechnology functions. |
business interface |
|
The ____ team is responsible for providing the initial assessments of the extent of damage to equipment and systems on-site and/or for physically recovering the equipment to be transported to a location where the other teams can evaluate it. |
damage assessment |
|
____ is the deactivation of the disaster recovery teams, releasing individuals back to their normal duties. |
Standing down |
|
The ____ team is responsible for recovering and reestablishing operating systems (OSs). |
systems recovery |
|
A ____ is a description of the disasters that may befall an organization, along with information on their probability of occurrence, a brief description of the organization’s actions to prepare for that disaster, and the best case, worst case, and most likely case outcomes of the disaster. |
disaster scenario |
|
____ is the inclusion of action steps to minimize the damage associated with the disaster on the operations of the organization. |
Mitigation of impact |
|
____ means making an organization ready for possible contingencies that can escalate to become disasters. |
Preparation |
|
Which of the following is not usually an insurable loss? |
Electrostatic discharge |
|
The ____ is the phase associated with implementing the initial reaction to a disaster; it is focused on controlling or stabilizing the situation, if that is possible. |
response phase |
|
____ are likely in the event of a hacker attack, when the attacker retreats to a chat room and describes in specific detail to his or her associates the method and results of his or her latest conquest. |
Follow-on incidents |
|
Network recovery teams may be used to replacing downed systems, but it is unlikely that they have experience in physically repairing damaged systems. |
True |
|
____ requires effective backup strategies and flexible hardware configurations. |
Data recovery |
|
The purpose of the ____ is to provide a way for management to obtain input and feedback from representatives of each team. |
after-action review |
|
During the ____ phase, the organization begins the recovery of the most time-critical business functions – those necessary to reestablish business operations and prevent further economic and image loss to the organization. |
recovery |
|
Most disaster-related loss occurs because of physical damage to property. |
False |
|
The alert roster must be tested more frequently than other components of a disaster recovery plan because it is subject to continual change due to employee turnover. |
True |
|
____ is a set of focused steps that deal primarily with the safety and state of the people from the organization who are involved in the disaster. |
Crisis management |
|
Training focuses on the particular roles each individual is expected to execute during an actual disaster. |
True |
|
The ____ assembles a disaster recovery team. |
CPMT |
|
Useful resources in the DR planning process are the ____ provided by the Federal Agency Security Practices (FASP) section of NIST’s Computer Security Resource Center (CSRC). |
contingency plan templates |
|
In disaster recovery planning, there is a prevention phase similar to that in IR planning. |
False |
|
The ____ system is an information system with a telephony interface that can be used to automate the alert process. |
auxiliary phone alert and reporting system |
|
Contingency strategies for ____ should emphasize the need for absolutely reliable data backup and recovery procedures because they have less inherent redundancy than a distributed architecture. |
mainframes |
|
The ____ team is responsible for the recovery of information and the reestablishment of operations in storage area networks or network attached storage. |
storage recovery |
|
Mainframe systems leverage data communications to decentralize and/or distribute capacity. |
False |
|
In the ____ section of the business continuity policy, the training requirements for the various employee groups are defined and highlighted. |
training requirements |
|
Unless an organization has contracted for a ____ or equivalent, office equipment such as desktop computers are not provided at BC alternate site. |
hot site |
|
The ____ is the amount of time that a business can tolerate losing capabilities until alternate capabilities are available. |
recovery time objective |
|
The Business Continuity Institute offers an uncertified category of membership called a(n) ____ that is accepted by application and does not require assessment or a review process. |
Affiliate |
|
A BC subteam called the ____ is responsible for establishing the core business functions needed to sustain critical business operations. |
operations team |
|
____ planning represents the final response of the organization when faced with any interruption of its critical operations. |
Business continuity |
|
A business continuity plan should be a single unified plan. |
False |
|
One activity that occurs during the clearing phase of a BC implementation is scheduling a move back to the primary site. |
False |
|
Identifying measures, called ____, that reduce the effects of system disruptions can reduce continuity life-cycle costs. |
preventive controls |
|
BC is specifically designed to get the organization’s most critical services up and running as quickly as possible in order to enable the continued operation of the organization and thereby ensure its existence and minimize the financial losses from the disruption. |
True |
|
In the ____ phase of the BC plan, the organization specifies what type of relocation services are desired and what type of data management strategies are deployed to support relocation. |
preparation for BC actions |
|
The ____ section of the business continuity policy identifies the roles and responsibilities of the key players in the business continuity operation. |
roles and responsibilities |
|
The ____ section of the business continuity policy provides an overview of the information storage and retrieval plans of the organization. |
special considerations |
|
Once BC activities have come to a close and the organization has reoccupied its primary facility or new permanent facility, the team should meet for a(n) ____. |
after-action review |
|
The plan maintenance schedule in a BC policy statement should address the ____ of reviews, along with who will be involved in each review. |
frequency |
|
Testing the BC plan is an ongoing activity, with each scenario tested annually at walk-through level or higher. |
False |
|
Using desk check, talk-throughs, walk-throughs, simulation, and other exercises on a regular basis helps prepare the organization for crises and, additionally, helps keep the CM plan up to date. |
True |
|
____ are those steps taken to inform stakeholders regarding the timeline of events, the actions taken, and sometimes the reasons for those actions. |
Crisis communications |
|
____ are individuals who are hired above and beyond the minimum number of personnel needed to perform a business function. |
Redundant personnel |
|
The ____ is responsible for contacting and managing all interaction between the organization’s management and staff and any needed emergency services, including utility services. |
emergency services coordinator |
|
____ are those actions taken in order to manage the immediate physical, health, and environmental impacts resulting from an incident. |
Emergency response |
|
A recent trend in corporate settings is to provide each employee with a disaster recovery identification card. |
False |
|
A ____ is defined by the ICM as a disruption in the company’s business that occurs without warning and is likely to generate news coverage and may adversely impact employees, investors, customers, suppliers, and other stakeholders. |
sudden crisis |
|
A(n) ____ is created to enable management to gain and maintain control of ongoing emergency situations, to provide oversight and control to designated first responders, and to marshal IR, DR, and DC plans and resources as needed. |
crisis management team |
|
____ is the set of actions taken by an organization in response to an emergency situation in an effort to minimize injury or loss of life. |
Crisis management |
|
A special police unit trained to deal with incendiary, explosive, or contaminating devices is known as the ____. |
bomb squad |
|
In contrast to emergency response that focuses on the immediate safety of those affected, ____ addresses the services needed to get the organization and its stakeholders back to original levels of productivity or satisfaction. |
humanitarian assistance |
|
____ is the movement of employees from one position to another so they can develop additional skills and abilities. |
Job rotation |
|
A(n) ____ is an area where people should gather in the event of a specific type of emergency, to facilitate quick head count. |
assembly area |
|
Cross-training provides a mechanism to get everyone out of the crime scene and thus prevent contamination of possible evidentiary material. |
False |
|
Organizations typically respond to a crisis by focusing on technical issues and economic priorities, and overlook the steps needed to preserve the most critical assets of the organization: its people. |
True |
|
A(n) ____ is the list of officials ranging from an individual’s immediate supervisor through the top executive of the organization. |
chain of command |
Share This
Flashcard
