1. Name: Class: Date:
Chapter 10: Planning for Contingencies
Copyright Cengage Learning. Powered by Cognero. Page 1
1. When an incident takes place, the disaster recovery (DR) plan is invoked before the incident response (IR) plan.
a. True
b. False
ANSWER: False
2. In most organizations, the COO is responsible for creating the IR plan.
a. True
b. False
ANSWER: False
3. In a warm site, all services and communications links are fully configured and the site can be fully functional within
minutes.
a. True
b. False
ANSWER: False
4. When performing simulation testing, normal operations of the business are not impacted.
a. True
b. False
ANSWER: True
5. Training should be as specialized as possible; personnel who are responsible for one duty should not be trained on other
duties to avoid confusion during a disaster.
a. True
b. False
ANSWER: False
6. An item does not become evidence until it is formally admitted to evidence by a judge or other ruling official.
a. True
b. False
ANSWER: True
7. Using standard digital forensics methodology, the first step is to analyze the EM data without risking modification or
unauthorized access.
a. True
b. False
ANSWER: False
8. A slow-onset disaster is a disaster that occurs over time and gradually degrades the capacity of an organization to
withstand its effects. ____________
ANSWER: True
9. Disaster classification is the process of examining an adverse event or incident and determining whether it constitutes
an actual disaster. ____________
ANSWER: True
10. A(n) wrap-up review is a detailed examination and discussion of the events that occurred during an incident or
disaster, from first detection to final recovery. ____________
ANSWER: False - after action, after-action
11. Patch and proceed is an organizational CP philosophy that focuses on the defense of information assets and preventing
reoccurrence rather than the attacker’s identification and prosecution. ____________
ANSWER: True
12. An alert digest is a description of the incident or disaster that usually contains just enough information so that each
person knows what portion of the IR or DR plan to implement without slowing down the notification process.
____________
ANSWER: False - message
13. Which of the following has the main goal of restoring normal modes of operation with minimal cost and disruption to
normal business activities after an adverse event?
a. Risk management b. Contingency planning
c. Business response d. Disaster readiness
ANSWER: b
14. In the event of an incident or disaster, which planning element is used to guide off-site operations?
a. Project management b. Business continuity
c. Disaster recovery d. Incident response
ANSWER: b
15. Which is the first step in the contingency planning process among the options listed here?
a. Business continuity training b. Disaster recovery planning
c. Business impact analysis d. Incident response planning
ANSWER: c
16. Which of the following is a mathematical tool that can be useful in assessing relative importance while resolving the
issue of what business function is the most critical?
a. Weighted analysis b. BIA questionnaire
c. Recovery time organizer d. MTD comparison
ANSWER: a
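As an added illustration of the weighted analysis named in the answer above (this code is not from the test bank or the textbook), the block below ranks business functions for a BIA: each criterion carries a weight, every function is scored 1 to 5 against each criterion, and the weighted sums are sorted with the most critical function first. The criteria names, weights and scores are constructed for the example.

```python
# Added example (not from the source): a weighted factor analysis of the kind used
# in a BIA to rank business functions by criticality. Criteria, weights and scores
# are constructed for illustration.

# Weights express each criterion's relative importance and must sum to 1.0.
CRITERIA_WEIGHTS = {
    "revenue_impact": 0.40,
    "customer_impact": 0.25,
    "regulatory_exposure": 0.20,
    "dependent_functions": 0.15,
}

# Each function is scored 1 (low) to 5 (high) against every criterion.
FUNCTION_SCORES = {
    "order processing": {"revenue_impact": 5, "customer_impact": 5,
                         "regulatory_exposure": 3, "dependent_functions": 4},
    "payroll":          {"revenue_impact": 2, "customer_impact": 2,
                         "regulatory_exposure": 5, "dependent_functions": 2},
    "email":            {"revenue_impact": 3, "customer_impact": 4,
                         "regulatory_exposure": 2, "dependent_functions": 5},
    "internal wiki":    {"revenue_impact": 1, "customer_impact": 2,
                         "regulatory_exposure": 1, "dependent_functions": 1},
}

SCORE_MIN, SCORE_MAX = 1, 5


def weights_are_valid(weights: dict) -> bool:
    """Weights must be positive and sum to 1.0 (within float tolerance)."""
    return (bool(weights)
            and all(w > 0 for w in weights.values())
            and abs(sum(weights.values()) - 1.0) < 1e-9)


def weighted_score(weights: dict, scores: dict) -> float:
    """Sum of weight x score over every criterion; raises if a function is
    missing a criterion or a score falls outside 1..5."""
    missing = set(weights) - set(scores)
    if missing:
        raise ValueError(f"missing scores for {sorted(missing)}")
    for crit in weights:
        if not SCORE_MIN <= scores[crit] <= SCORE_MAX:
            raise ValueError(f"score for {crit} out of range: {scores[crit]}")
    return round(sum(weights[c] * scores[c] for c in weights), 2)


def rank_functions(weights: dict, function_scores: dict) -> list:
    """Return (function, weighted score) pairs, most critical first.
    Ties are broken alphabetically so the ordering is deterministic."""
    if not weights_are_valid(weights):
        raise ValueError("criteria weights must be positive and sum to 1.0")
    ranked = [(name, weighted_score(weights, s)) for name, s in function_scores.items()]
    return sorted(ranked, key=lambda pair: (-pair[1], pair[0]))


if __name__ == "__main__":
    for name, score in rank_functions(CRITERIA_WEIGHTS, FUNCTION_SCORES):
        print(f"{score:4.2f}  {name}")
```

The validation matters more than the arithmetic: weights that do not sum to 1.0 or scores outside the agreed scale silently distort the ranking, so the function refuses them instead of producing a plausible-looking table.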
17. What is the final stage of the business impact analysis when using the NIST SP 800-34 approach?
a. Identify resource requirements b. Identify business processes
c. Determine mission/business processes and recovery criticality d. Identify recovery priorities for system resources
ANSWER: d
18. At what point in the incident lifecycle is the IR plan initiated?
a. Before an incident takes place b. Once the DRP is activated
c. When an incident is detected that affects it d. Once the BCP is activated
ANSWER: c
19. Which of the following is the process of examining a possible incident and determining whether it constitutes an
actual incident?
a. Incident classification b. Incident identification
c. Incident registration d. Incident verification
ANSWER: a
20. Which of the following is a possible indicator of an actual incident?
a. Unusual consumption of computing resources
b. Activities at unexpected times
c. Presence of hacker tools
d. Reported attacks
ANSWER: a
21. Which of the following is a definite indicator of an actual incident?
a. Unusual system crashes b. Reported attack
c. Presence of new accounts d. Use of dormant accounts
ANSWER: d
22. Which of the following determines the scope of the breach of confidentiality, integrity, and availability of information
and information assets?
a. Incident report b. Incident damage assessment
c. Information loss assessment d. Damage report
ANSWER: b
23. After an incident, but before returning to its normal duties, the CSIRT must do which of the following?
a. Create the incident damage assessment b. Conduct an after-action review
c. Restore data from backups d. Restore services and processes in use
ANSWER: b
24. Which of the following is a part of the incident recovery process?
a. Identifying the vulnerabilities that allowed the incident to occur and spread
b. Determining the event’s impact on normal business operations and, if necessary, making a disaster declaration
c. Supporting personnel and their loved ones during the crisis
d. Keeping the public informed about the event and the actions being taken to ensure the recovery of personnel
and the enterprise
ANSWER: a
25. Which of the following is the best example of a rapid-onset disaster?
a. Flood b. Pest infestation
c. Famine d. Environmental degradation
ANSWER: a
26. Which of the following is usually conducted via leased lines or secure Internet connections whereby the receiving
server archives the data as it is received?
a. Database shadowing b. Timesharing
c. Traditional backups d. Electronic vaulting
ANSWER: d
27. Which of the following is the transfer of live transactions to an off-site facility?
a. Remote journaling b. Electronic vaulting
c. Database shadowing d. Timesharing
ANSWER: a
28. When a disaster renders the current business location unusable, which plan is put into action?
a. Business continuity b. Crisis management
c. Incident response d. Business impact analysis
ANSWER: a
29. Which of the following is true about a hot site?
a. It is an empty room with standard heating, air conditioning, and electrical service.
b. It includes computing equipment and peripherals with servers but not client workstations.
c. It duplicates computing resources, peripherals, phone systems, applications, and workstations.
d. All communications services must be installed after the site is occupied.
ANSWER: c
30. In which type of site are no computer hardware or peripherals provided?
a. Cold site b. Warm site
c. Timeshare d. Hot site
ANSWER: a
31. Which of the following is a responsibility of the crisis management team?
a. Restoring the data from backups
b. Evaluating monitoring capabilities
c. Keeping the public informed about the event and the actions being taken
d. Restoring the services and processes in use
ANSWER: c
32. In which contingency plan testing strategy do individuals follow each and every IR/DR/BC procedure, including the
interruption of service, restoration of data from backups, and notification of appropriate individuals?
a. Desk check b. Simulation
c. Structured walk-through d. Full-interruption
ANSWER: d
33. In which contingency plan testing strategy do individuals participate in a role-playing exercise in which the CP team is
presented with a scenario of an actual incident or disaster and expected to react as if it had occurred?
a. Desk check b. Simulation
c. Structured walk-through d. Parallel testing
ANSWER: b
34. Which of the following allows investigators to determine what happened by examining the results of an event—
criminal, natural, intentional, or accidental?
a. Digital malfeasance b. E-discovery
c. Forensics d. Evidentiary procedures
ANSWER: c
35. Which document must be changed when evidence changes hands or is stored?
a. Chain of custody b. Search warrant
c. Affidavit d. Evidentiary material
ANSWER: a
36. Which type of document grants formal permission for an investigation to occur?
a. Affidavit b. Search warrant
c. Evidentiary report d. Forensic concurrence
ANSWER: b
37. Which of the following is an approach available to an organization as an overall philosophy for contingency planning
reactions?
a. Protect and forget
b. After-action review
c. Transfer to local/state/federal law enforcement
d. Track, hack and prosecute
ANSWER: a
38. In digital forensics, all investigations follow the same basic methodology. Which of the following should be
performed first in a digital forensics investigation?
a. Report the findings to the proper authority
b. Acquire (seize) the evidence without alteration or damage
c. Identify relevant items of evidentiary value (EM)
d. Analyze the data without risking modification or unauthorized access
ANSWER: c
39. The four components of contingency planning are the ____________________, the incident response plan, the
disaster recovery plan, and the business continuity plan.
ANSWER: BIA
Business Impact Analysis
40. If operations at the primary site cannot be quickly restored, the ____________________ occurs concurrently with the
DR plan, enabling the business to continue at an alternate site.
ANSWER: BCP
business continuity plan
BC plan
41. The ____________________ plan is a detailed set of processes and procedures that anticipate, detect, and mitigate the
effects of an unexpected event that might compromise information resources and assets.
ANSWER: incident response
IR
IR plan
42. A(n) ____________________ occurs when an attack affects information resources and/or assets, causing actual
damage or other disruptions.
ANSWER: incident
43. A(n) ____________________ is a document containing contact information of the individuals to notify in the event of
an actual incident.
ANSWER: alert roster
44. When dealing with an incident, the incident response team must conduct a(n) ____________________, which entails
a detailed examination of the events that occurred from first detection to final recovery.
ANSWER: after action review
after-action review
AAR
45. ____________________ planning ensures that critical business functions can continue if a disaster occurs.
ANSWER: Business continuity
BC
business continuity
46. A(n) ____________________ is an agency that provides, in the case of DR/BC planning, physical facilities for a fee.
ANSWER: service bureau
47. The bulk batch-transfer of data to an off-site facility is known as ____________________.
ANSWER: electronic vaulting
48. In ____________________ testing of contingency plans, the individuals follow each and every procedure, including
the interruption of service, restoration of data from backups, and notification of appropriate individuals.
ANSWER: full-interruption
full interruption
49. The first component of the analysis phase of a digital forensic investigation is ___________, which allows the
investigator to quickly and easily search for a specific type of file.
ANSWER: indexing
50. What are the major components of contingency planning?
ANSWER: Business impact analysis (BIA)
Incident response plan (IR plan)
Disaster recovery plan (DR plan)
Business continuity plan (BC plan)
51. What teams are involved in contingency planning and contingency operations?
ANSWER: contingency planning management team
incident response team
disaster recovery team
business continuity team
52. Explain the difference between a business impact analysis and the risk management process.
ANSWER: One of the fundamental differences between a BIA and the risk management process is that risk
management focuses on identifying the threats, vulnerabilities, and attacks to determine which controls can
protect the information. The BIA assumes that these controls have been bypassed, have failed, or have
otherwise proved ineffective, that the attack succeeded, and that the adversity that was being defended against
has come to fruition.
53. When undertaking the BIA, what should the organization consider?
ANSWER: Scope
Plan
Balance
Objective
Follow-up
54. List four of the eight key components of a typical IR policy.
ANSWER: The key components of a typical IR policy are:
- Statement of management commitment
- Purpose and objectives of the policy
- Scope of the policy
- Definition of InfoSec incidents and related items
- Organizational structure and delineation of roles, responsibilities, and levels of authorities
- Prioritization of severity ratings of incidents
- Performance measures
- Reporting and contact forms
55. There are six key elements that the CP team must build into the DR Plan. What are three of them?
ANSWER: The key elements that the CP team must build in the DRP are:
- Clear delegation of roles and responsibilities
- Execution of the alert roster and notification of key personnel
- Clear establishment of priorities
- Procedures for documentation of the disaster
- Action steps to mitigate the impact of the disaster on the operations of the organization
- Alternative implementations for the various systems components, should primary versions be unavailable
56. List the seven steps of the incident recovery process according to Donald Pipkin.
ANSWER: The incident recovery process involves the following steps:
- Identify the vulnerabilities that allowed the incident to occur and spread. Resolve them.
- Address the safeguards that failed to stop or limit the incident, or were missing from the system in the first
place. Install, replace, or upgrade them.
- Evaluate monitoring capabilities (if present). Improve detection and reporting methods, or install new
monitoring capabilities.
- Restore the data from backups.
- Restore the services and processes in use.
- Continuously monitor the system.
- Restore the confidence of the members of the organization’s communities of interest.
57. Compare and contrast a hot site, a warm site, and a cold site.
ANSWER: Hot site—A hot site is a fully configured computer facility, with all services, communications
links, and physical plant operations. It duplicates computing resources, peripherals, phone systems,
applications, and workstations. Essentially, this duplicate facility needs only the latest data backups and the
personnel to function. If the organization uses one of the data services listed in the following sections, a hot
site can be fully functional within minutes.
Warm site—A warm site provides many of the same services and options as the hot site, but typically software
applications are not included or are not installed and configured. A warm site frequently includes computing
equipment and peripherals with servers but not client workstations. Overall, it offers many of the advantages
of a hot site at a lower cost. The disadvantage is that several hours, or days, are required to make a warm site
fully functional.
Cold site—A cold site provides only rudimentary services and facilities. No computer hardware or peripherals
are provided. All communications services must be installed after the site is occupied. A cold site is an empty
room with standard heating, air conditioning, and electrical service. Everything else is an added-cost option.
Despite these disadvantages, a cold site may be better than nothing. Its primary advantage is its low cost.
58. What are the three roles performed by the crisis management team?
ANSWER: Supporting personnel and their loved ones during the crisis
Keeping the public informed about the event and the actions being taken to ensure the recovery of personnel
and the enterprise
Communicating with major customers, suppliers, partners, regulatory agencies, industry organizations, the
media, and other interested parties
59. Discuss three of the five strategies that can be used to test contingency strategies.
ANSWER:
Desk check: The CP testing strategy in which copies of the appropriate plans are distributed to
all individuals who will be assigned roles during an actual incident or disaster; each individual
reviews the plan and validates its components.
Full-interruption testing: The CP testing strategy in which all team members follow each IR/DR/
BC procedure, including those for interruption of service, restoration of data from backups, and
notification of appropriate individuals.
Simulation: The CP testing strategy in which the organization conducts a role-playing exercise as
if an actual incident or disaster had occurred. The CP team is presented with a scenario in which
all members must specify how they would react and communicate their efforts.
Structured walk-through: The CP testing strategy in which all involved individuals walk
through a site and discuss the steps they would take during an actual CP event. A walk-through
can also be conducted as a conference room talk-through.
Talk-through: A form of structured walk-through in which individuals meet in a conference
room and discuss a CP plan rather than walking around the organization.
60. Describe the methodology an organization should follow in an investigation.
ANSWER: In digital forensics, all investigations follow the same basic five-stage methodology:
1. Identify relevant items of evidentiary value (EM)
2. Acquire (seize) the evidence without alteration or damage
3. Take steps to ensure that the evidence is verifiably authentic at every step and is unchanged from the time it
was seized
4. Analyze the data without risking modification or unauthorized access
5. Report the findings to the proper authority
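As an added example of the five stages above, and of the indexing step from question 49 and the chain-of-custody document from question 35, the block below walks a constructed in-memory "seized drive" through identification, acquisition with a hash taken at seizure, a custody log that re-hashes the image at every hand-off, a read-only analysis pass that indexes items by file type, and a final report. This is not code from the test bank or the textbook; the paths, file contents and examiner names are invented, and the hashing and custody logging are the actual technique being shown.

```python
# Added example (not from the source): the five-stage methodology above carried out on a
# constructed, in-memory "seized drive". Paths, file contents and examiner names are
# invented for illustration; the hashing and custody logging are the real technique.
import hashlib
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class EvidenceItem:
    item_id: str
    path: str
    image: bytes              # byte-for-byte copy taken at seizure; never edited after
    acquired_sha256: str      # hash recorded at acquisition (stage 2)
    custody_log: list = field(default_factory=list)

    def log_custody(self, event: str, handler: str) -> bool:
        """Stage 3: re-hash at every hand-off or storage event and record whether the
        image still matches the acquisition hash. Returns False if integrity is broken."""
        current = sha256_hex(self.image)
        intact = current == self.acquired_sha256
        self.custody_log.append({"event": event, "handler": handler,
                                 "sha256": current, "intact": intact})
        return intact


# Constructed seized-drive contents. The "nc.exe" bytes begin with the PE magic "MZ"
# so the type index below classifies it as an executable.
SEIZED_DRIVE = {
    "home/alice/notes.txt": b"meeting at 9\n",
    "tmp/nc.exe": b"MZ\x90\x00\x03\x00\x00\x00",
    "var/log/auth.log": b"Jan  1 03:12:07 host sshd[412]: Accepted password for root from 10.0.0.7\n",
}

# Leading magic bytes used for indexing by file type (stage 4, first analysis step).
FILE_TYPES = {b"MZ": "pe-executable", b"\x7fELF": "elf-executable", b"%PDF": "pdf"}


def identify(drive: dict, patterns: tuple) -> list:
    """Stage 1: select paths of evidentiary value by case-insensitive name pattern."""
    return [p for p in drive if any(s.lower() in p.lower() for s in patterns)]


def acquire(drive: dict, path: str, item_id: str, examiner: str) -> EvidenceItem:
    """Stage 2: copy the bytes and hash them immediately; the copy is what gets analysed."""
    image = bytes(drive[path])
    item = EvidenceItem(item_id, path, image, sha256_hex(image))
    item.log_custody("acquired", examiner)
    return item


def index_by_type(items: list) -> dict:
    """Stage 4: read-only pass that groups items by file type from their magic bytes,
    so an examiner can pull every file of one kind without re-reading the images."""
    index = {}
    for it in items:
        kind = next((t for magic, t in FILE_TYPES.items() if it.image.startswith(magic)),
                    "text/other")
        index.setdefault(kind, []).append(it.path)
    return index


def report(items: list) -> dict:
    """Stage 5: per-item summary an examiner would hand to the proper authority."""
    return {it.item_id: {"path": it.path, "sha256": it.acquired_sha256,
                         "custody_events": len(it.custody_log),
                         "intact": all(e["intact"] for e in it.custody_log)}
            for it in items}


def run_investigation(drive: dict, patterns: tuple, examiner: str):
    paths = identify(drive, patterns)
    items = [acquire(drive, p, f"EM-{i + 1:03d}", examiner) for i, p in enumerate(paths)]
    for it in items:                                  # simulated hand-offs
        it.log_custody("stored in evidence locker", examiner)
        it.log_custody("checked out for analysis", "analyst-2")
    return items, index_by_type(items), report(items)


if __name__ == "__main__":
    items, index, summary = run_investigation(
        SEIZED_DRIVE, (".txt", "nc.exe", "auth.log"), "examiner-1")
    print(index)
    for item_id, entry in summary.items():
        print(item_id, entry["path"], "intact" if entry["intact"] else "TAMPERED")
```

The point of re-hashing at every custody event rather than only at seizure is that the log itself then shows where integrity was lost: a single mismatching entry pins the change to one hand-off, which is exactly what the chain-of-custody document has to support when the evidence is challenged.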