SSCP : System Security Certified Practitioner (SSCP) : Part 13

  1. Computer-generated evidence is considered:

    • Best evidence
    • Second hand evidence
    • Demonstrative evidence
    • Direct evidence

    Explanation:

    Computer-generated evidence normally falls under the category of hearsay evidence, or second-hand evidence, because it cannot be proven accurate and reliable. Under the U.S. Federal Rules of Evidence, hearsay evidence is generally not admissible in court. Best evidence is original or primary evidence rather than a copy or duplicate of the evidence; it does not apply to computer-generated evidence. Direct evidence is oral testimony by a witness. Demonstrative evidence is used to aid the jury (models, illustrations, charts).

    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 9: Law, Investigation, and Ethics (page 310).
    And: ROTHKE, Ben, CISSP CBK Review presentation on domain 9.

  2. The MOST common threat that impacts a business’s ability to function normally is:

    • Power Outage
    • Water Damage
    • Severe Weather
    • Labor Strike

    Explanation:

    The MOST common threat that impacts a business’s ability to function normally is power. Power interruptions cause more business interruptions than any other type of event.

    The second most common threat is water, such as floods, water damage from a broken pipe, a leaky roof, etc.

    Threats will be discovered while doing your Threats and Risk Assessments (TRA).
    There are three elements of risks: threats, assets, and mitigating factors (countermeasures, safeguards, controls).

    A threat is an event or situation that, if it occurred, would affect your business and may even prevent it from functioning normally or, in some cases, from functioning at all. Evaluation of threats is done by looking at the likelihood and impact of each possible threat. Safeguards, countermeasures, and controls are used to bring the threat level down to an acceptable level.

    Other common events that can impact a company are:

    Weather, cable cuts, fires, labor disputes, transportation mishaps, hardware failure, chemical spills, sabotage.

    References:
    The Official ISC2 Guide to the CISSP CBK, Second Edition, Page 275-276

  3. Failure of a contingency plan is usually:

    • A technical failure.
    • A management failure.
    • Because of a lack of awareness.
    • Because of a lack of training.

    Explanation:

    Failure of a contingency plan is usually a management failure to exhibit ongoing interest and concern about the BCP/DRP effort, and to provide financial and other resources as needed. Lack of management support will result in a lack of awareness and training.

    Source: ANDRESS, Mandy, Exam Cram CISSP, Coriolis, 2001, Chapter 9: Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP) (page 163).

  4. Which of the following proves or disproves a specific act through oral testimony based on information gathered through the witness’s five senses?

    • Direct evidence.
    • Circumstantial evidence.
    • Conclusive evidence.
    • Corroborative evidence.

    Explanation:

    Direct evidence can prove a fact all by itself and does not need backup information to refer to. When using direct evidence, presumptions are not required. One example of direct evidence is the testimony of a witness who saw a crime take place. Although this oral evidence would be secondary in nature, meaning a case could not rest on just it alone, it is also direct evidence, meaning the lawyer does not necessarily need to provide other evidence to back it up. Direct evidence often is based on information gathered from a witness’s five senses.

    The following answers are incorrect:

    Circumstantial evidence. Is incorrect because Circumstantial evidence can prove an intermediate fact that can then be used to deduce or assume the existence of another fact.
    Conclusive evidence. Is incorrect because Conclusive evidence is irrefutable and cannot be contradicted. Conclusive evidence is very strong all by itself and does not require corroboration.

    Corroborative evidence. Is incorrect because Corroborative evidence is supporting evidence used to help prove an idea or point. It cannot stand on its own, but is used as a supplementary tool to help prove a primary piece of evidence.

  5. This type of supporting evidence is used to help prove an idea or a point; however, it cannot stand on its own and is used as a supplementary tool to help prove a primary piece of evidence. What is the name of this type of evidence?

    • Circumstantial evidence
    • Corroborative evidence
    • Opinion evidence
    • Secondary evidence

    Explanation:

    This type of supporting evidence is used to help prove an idea or a point; however, it cannot stand on its own and is used as a supplementary tool to help prove a primary piece of evidence. Corroborative evidence takes many forms.

    In a rape case, for example, this could consist of torn clothing, soiled bed sheets, 911 emergency call tapes, and prompt complaint witnesses.

    There are many types of evidence that exist. Below you have explanations of some of the most common types:
    Physical Evidence

    Physical evidence is any evidence introduced in a trial in the form of a physical object, intended to prove a fact in issue based on its demonstrable physical characteristics. Physical evidence can conceivably include all or part of any object.

    In a murder trial for example (or a civil trial for assault), the physical evidence might include DNA left by the attacker on the victim’s body, the body itself, the weapon used, pieces of carpet spattered with blood, or casts of footprints or tire prints found at the scene of the crime.
    Real Evidence
    Real evidence is a type of physical evidence and consists of objects that were involved in a case or actually played a part in the incident or transaction in question.

    Examples include the written contract, the defective part or defective product, the murder weapon, the gloves used by an alleged murderer. Trace evidence, such as fingerprints and firearm residue, is a species of real evidence. Real evidence is usually reported upon by an expert witness with appropriate qualifications to give an opinion. This normally means a forensic scientist or one qualified in forensic engineering.

    Admission of real evidence requires authentication, a showing of relevance, and a showing that the object is in “the same or substantially the same condition” now as it was on the relevant date. An object of real evidence is authenticated through the senses of witnesses or by circumstantial evidence called chain of custody.

    Documentary
    Documentary evidence is any evidence introduced at a trial in the form of documents. Although this term is most widely understood to mean writings on paper (such as an invoice, a contract or a will), the term actually includes any medium by which information can be preserved. Photographs, tape recordings, films, and printed emails are all forms of documentary evidence.

    Documentary versus physical evidence
    A piece of evidence is not documentary evidence if it is presented for some purpose other than the examination of the contents of the document. For example, if a blood-spattered letter is introduced solely to show that the defendant stabbed the author of the letter from behind as it was being written, then the evidence is physical evidence, not documentary evidence. However, a film of the murder taking place would be documentary evidence (just as a written description of the event from an eyewitness). If the content of that same letter is then introduced to show the motive for the murder, then the evidence would be both physical and documentary.

    Documentary Evidence Authentication
    Documentary evidence is subject to specific forms of authentication, usually through the testimony of an eyewitness to the execution of the document, or to the testimony of a witness able to identify the handwriting of the purported author. Documentary evidence is also subject to the best evidence rule, which requires that the original document be produced unless there is a good reason not to do so.
    The role of the expert witness

    Where physical evidence is of a complexity that makes it difficult for the average person to understand its significance, an expert witness may be called to explain to the jury the proper interpretation of the evidence at hand.
    Digital Evidence or Electronic Evidence

    Digital evidence or electronic evidence is any probative information stored or transmitted in digital form that a party to a court case may use at trial.

    The use of digital evidence has increased in the past few decades as courts have allowed the use of e-mails, digital photographs, ATM transaction logs, word processing documents, instant message histories, files saved from accounting programs, spreadsheets, internet browser histories, databases, the contents of computer memory, computer backups, computer printouts, Global Positioning System tracks, logs from a hotel’s electronic door locks, and digital video or audio files.

    While many courts in the United States have applied the Federal Rules of Evidence to digital evidence in the same way as more traditional documents, courts have noted very important differences. As compared to the more traditional evidence, courts have noted that digital evidence tends to be more voluminous, more difficult to destroy, easily modified, easily duplicated, potentially more expressive, and more readily available. As such, some courts have sometimes treated digital evidence differently for purposes of authentication, hearsay, the best evidence rule, and privilege. In December 2006, strict new rules were enacted within the Federal Rules of Civil Procedure requiring the preservation and disclosure of electronically stored evidence.
    Demonstrative Evidence
    Demonstrative evidence is evidence in the form of a representation of an object, as opposed to real evidence, testimony, or other forms of evidence used at trial.

    Examples of demonstrative evidence include photos, x-rays, videotapes, movies, sound recordings, diagrams, forensic animation, maps, drawings, graphs, animation, simulations, and models. It is useful for assisting a finder of fact (fact-finder) in establishing context among the facts presented in a case. To be admissible, a demonstrative exhibit must “fairly and accurately” represent the real object at the relevant time.
    Chain of custody

    Chain of custody refers to the chronological documentation, and/or paper trail, showing the seizure, custody, control, transfer, analysis, and disposition of evidence, physical or electronic. Because evidence can be used in court to convict persons of crimes, it must be handled in a scrupulously careful manner to avoid later allegations of tampering or misconduct which can compromise the case of the prosecution toward acquittal or to overturning a guilty verdict upon appeal.

    The idea behind recording the chain of custody is to establish that the alleged evidence is in fact related to the alleged crime, rather than, for example, having been planted fraudulently to make someone appear guilty.

    Establishing the chain of custody is especially important when the evidence consists of fungible goods. In practice, this most often applies to illegal drugs which have been seized by law enforcement personnel. In such cases, the defendant at times disclaims any knowledge of possession of the controlled substance in question.

    Accordingly, the chain of custody documentation and testimony is presented by the prosecution to establish that the substance in evidence was in fact in the possession of the defendant.

    An identifiable person must always have the physical custody of a piece of evidence. In practice, this means that a police officer or detective will take charge of a piece of evidence, document its collection, and hand it over to an evidence clerk for storage in a secure place. These transactions, and every succeeding transaction between the collection of the evidence and its appearance in court, should be completely documented chronologically in order to withstand legal challenges to the authenticity of the evidence. Documentation should include the conditions under which the evidence is gathered, the identity of all evidence handlers, duration of evidence custody, security conditions while handling or storing the evidence, and the manner in which evidence is transferred to subsequent custodians each time such a transfer occurs (along with the signatures of persons involved at each step).

    Example

    An example of “Chain of Custody” would be the recovery of a bloody knife at a murder scene:
    Officer Andrew collects the knife and places it into a container, then gives it to forensics technician Bill. Forensics technician Bill takes the knife to the lab and collects fingerprints and other evidence from the knife. Bill then gives the knife and all evidence gathered from the knife to evidence clerk Charlene. Charlene then stores the evidence until it is needed, documenting everyone who has accessed the original evidence (the knife, and original copies of the lifted fingerprints).

    The Chain of Custody requires that from the moment the evidence is collected, every transfer of evidence from person to person be documented and that it be provable that nobody else could have accessed that evidence. It is best to keep the number of transfers as low as possible.

    In the courtroom, if the defendant questions the Chain of Custody of the evidence it can be proven that the knife in the evidence room is the same knife found at the crime scene. However, if there are discrepancies and it cannot be proven who had the knife at a particular point in time, then the Chain of Custody is broken and the defendant can ask to have the resulting evidence declared inadmissible.

    “Chain of custody” is also used in most chemical sampling situations to maintain the integrity of the sample by providing documentation of the control, transfer, and analysis of samples. Chain of custody is especially important in environmental work where sampling can identify the existence of contamination and can be used to identify the responsible party.

    REFERENCES:
    Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 23173-23185). Auerbach Publications. Kindle Edition.
    http://en.wikipedia.org/wiki/Documentary_evidence
    http://en.wikipedia.org/wiki/Physical_evidence
    http://en.wikipedia.org/wiki/Digital_evidence
    http://en.wikipedia.org/wiki/Demonstrative_evidence
    http://en.wikipedia.org/wiki/Real_evidence
    http://en.wikipedia.org/wiki/Chain_of_custody

  6. What is called an exception to the search warrant requirement that allows an officer to conduct a search without having the warrant in-hand if probable cause is present and destruction of the evidence is deemed imminent?

    • Evidence Circumstance Doctrine
    • Exigent Circumstance Doctrine
    • Evidence of Admissibility Doctrine
    • Exigent Probable Doctrine

    Explanation:

    An Exigent Circumstance is an unusual and time-sensitive circumstance that justifies conduct that might not be permissible or lawful in other circumstances.

    For example, exigent circumstances may justify actions by law enforcement officers acting without a warrant such as a mortal danger to a young child. Examples of other exigent circumstances include protecting evidence or property from imminent destruction.

    In US v Martinez, Justice Thomas of the United States Court of Appeal used these words:

    “As a general rule, we define exigent circumstances as those circumstances that would cause a reasonable person to believe that entry was necessary to prevent physical harm to the officers or other persons, the destruction of relevant evidence, the escape of the suspect, or some other consequence improperly frustrating legitimate law enforcement efforts.”

    In Alvarado, Justice Blackburn of the Court of Appeals of Georgia referred to exigent circumstances in the context of a drug bust:

    “The exigent circumstance doctrine provides that when probable cause has been established to believe that evidence will be removed or destroyed before a warrant can be obtained, a warrantless search and seizure can be justified. As many courts have noted, the need for the exigent circumstance doctrine is particularly compelling in narcotics cases, because contraband and records can be easily and quickly destroyed while a search is progressing. Police officers relying on this exception must demonstrate an objectively reasonable basis for deciding that immediate action is required.”

    All of the other answers are only distractors: made-up terms, not legal terms.

    Reference(s) used for this question:
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 313.
    and
    http://www.duhaime.org/LegalDictionary/E/ExigentCircumstances.aspx

  7. A copy of evidence or oral description of its contents; which is not as reliable as best evidence is what type of evidence?

    • Direct evidence
    • Circumstantial evidence
    • Hearsay evidence
    • Secondary evidence

    Explanation:

    Secondary evidence is a copy of evidence or an oral description of its contents; it is not as reliable as best evidence.

    Here are other types of evidence:

    Best evidence — original or primary evidence rather than a copy or duplicate of the evidence

    Direct evidence — proves or disproves a specific act through oral testimony based on information gathered through the witness’s five senses

    Conclusive evidence — incontrovertible; overrides all other evidence

    Opinions — two types: Expert — may offer an opinion based on personal expertise and facts, Non-expert — may testify only as to facts

    Circumstantial evidence — inference of information from other, immediate, relevant facts

    Corroborative evidence — supporting evidence used to help prove an idea or point; used as a supplementary tool to help prove a primary piece of evidence

    Hearsay evidence (third party) — oral or written evidence that is presented in court that is second hand and has no firsthand proof of accuracy or reliability
    (i) Usually not admissible in court
    (ii) Computer generated records and other business records are in hearsay category
    (iii) Certain exceptions to hearsay rule:
    (1) Made during the regular conduct of business and authenticated by witnesses familiar with their use
    (2) Relied upon in the regular course of business
    (3) Made by a person with knowledge of records
    (4) Made by a person with information transmitted by a person with knowledge
    (5) Made at or near the time of occurrence of the act being investigated
    (6) In the custody of the witness on a regular basis

    Reference:
    KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 310.
    and
    CISSP for Dummies, Peter Gregory, page 270-271

  8. Controls are implemented to:

    • eliminate risk and reduce the potential for loss
    • mitigate risk and eliminate the potential for loss
    • mitigate risk and reduce the potential for loss
    • eliminate risk and eliminate the potential for loss

    Explanation:

    Controls are implemented to mitigate risk and reduce the potential for loss. Preventive controls are put in place to inhibit harmful occurrences; detective controls are established to discover harmful occurrences; corrective controls are used to restore systems that are victims of harmful attacks.

    It is neither feasible nor possible to eliminate all risks and the potential for loss, as risks and threats are constantly changing.

    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 32.

  9. What can be described as a measure of the magnitude of loss or impact on the value of an asset?

    • Probability
    • Exposure factor
    • Vulnerability
    • Threat

    Explanation:

    The exposure factor is a measure of the magnitude of loss or impact on the value of an asset.

    The probability is the chance or likelihood, in a finite sample, that an event will occur or that a specific loss value may be attained should the event occur.

    A vulnerability is the absence or weakness of a risk-reducing safeguard.
    A threat is an event, the occurrence of which could have an undesired impact.

    Source: ROTHKE, Ben, CISSP CBK Review presentation on domain 3, August 1999.

  10. To understand the ‘whys’ in crime, many times it is necessary to understand MOM. Which of the following is not a component of MOM?

    • Opportunities
    • Methods
    • Motivation
    • Means

    Explanation:

    To understand the whys in crime, many times it is necessary to understand the Motivations, Opportunities, and Means (MOM). Motivations are the who and why of a crime. Opportunities are the where and when of a crime, and Means pertains to the capabilities a criminal would need to be successful. Methods is not a component of MOM.

  11. In the statement below, fill in the blank:

    Law enforcement agencies must get a warrant to search and seize an individual’s property, as stated in the _____ Amendment.

    • First.
    • Second.
    • Third.
    • Fourth.

    Explanation:

    The Fourth Amendment does not apply to a seizure or an arrest by private citizens.

    Search and seizure activities can get tricky depending on what is being searched for and where.
    For example, American citizens are protected by the Fourth Amendment against unlawful search and seizure, so law enforcement agencies must have probable cause and request a search warrant from a judge or court before conducting such a search.

    The actual search can only take place in the areas outlined by the warrant. The Fourth Amendment does not apply to actions by private citizens unless they are acting as police agents. So, for example, if Kristy’s boss warned all employees that the management could remove files from their computers at any time, and her boss was not a police officer or acting as a police agent, she could not successfully claim that her Fourth Amendment rights were violated. Kristy’s boss may have violated some specific privacy laws, but he did not violate Kristy’s Fourth Amendment rights.

    In some circumstances, a law enforcement agent may seize evidence that is not included in the warrant, such as if the suspect tries to destroy the evidence. In other words, if there is an impending possibility that evidence might be destroyed, law enforcement may quickly seize the evidence to prevent its destruction. This is referred to as exigent circumstances, and a judge will later decide whether the seizure was proper and legal before allowing the evidence to be admitted. For example, if a police officer had a search warrant that allowed him to search a suspect’s living room but no other rooms, and then he saw the suspect dumping cocaine down the toilet, the police officer could seize the cocaine even though it was in a room not covered under his search warrant. After evidence is gathered, the chain of custody needs to be enacted and enforced to make sure the evidence’s integrity is not compromised.

    All other choices were only distractors.

    Reference(s) used for this question:
    Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (p. 1057). McGraw-Hill. Kindle Edition.

  12. Which of the following would be MOST important to guarantee that the computer evidence will be admissible in court?

    • It must prove a fact that is immaterial to the case.
    • Its reliability must be proven.
    • The process for producing it must be documented and repeatable.
    • The chain of custody of the evidence must show who collected, secured, controlled, handled, and transported the evidence, and that it was not tampered with.

    Explanation:

    Evidence has to be material, relevant and reliable, and the chain of custody must be maintained; it is unlikely to be admissible in court if it has been tampered with.

    The following answers are incorrect:
    It must prove a fact that is immaterial to the case. Is incorrect because evidence must be relevant. If it is immaterial then it is not relevant.

    Its reliability must be proven. Is incorrect because it is not the best answer. While evidence must be relevant, if the chain of custody cannot be verified, then the evidence could lose its credibility because there is no proof that the evidence was not tampered with. So, the correct answer above is the BEST answer.

    The process for producing it must be documented and repeatable. Is incorrect because just because the process is documented and repeatable does not mean that it will be the same. This amounts to Corroborative Evidence that may help to support a case.

  13. What can be defined as an event that could cause harm to the information systems?

    • A risk
    • A threat
    • A vulnerability
    • A weakness

    Explanation:

    A threat is an event or activity that has the potential to cause harm to the information systems. A risk is the probability that a threat will materialize. A vulnerability, or weakness, is a lack of a safeguard, which may be exploited by a threat, causing harm to the information systems.

    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 1: Access Control Systems (page 32).

  14. Most access violations are:

    • Accidental
    • Caused by internal hackers
    • Caused by external hackers
    • Related to Internet

    Explanation:

    The most likely source of exposure is from the uninformed, accidental or unknowing person, although the greatest impact may be from those with malicious or fraudulent intent.

    Source: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, Chapter 4: Protection of Information Assets (page 192).

  15. When referring to a computer crime investigation, which of the following would be the MOST important step required in order to preserve and maintain a proper chain of custody of evidence:

    • Evidence has to be collected in accordance with all laws and all legal regulations.
    • Law enforcement officials should be contacted for advice on how and when to collect critical information.
    • Verifiable documentation indicating the who, what, when, where, and how the evidence was handled should be available.
    • Log files containing information regarding an intrusion are retained for at least as long as normal business records, and longer in the case of an ongoing investigation.

    Explanation:

    Two concepts that are at the heart of dealing effectively with digital/electronic evidence, or any evidence for that matter, are the chain of custody and authenticity/integrity.

    The chain of custody refers to the who, what, when, where, and how the evidence was handled—from its identification through its entire life cycle, which ends with destruction or permanent archiving.

    Any break in this chain can cast doubt on the integrity of the evidence and on the professionalism of those directly involved in either the investigation or the collection and handling of the evidence. The chain of custody requires following a formal process that is well documented and forms part of a standard operating procedure that is used in all cases, no exceptions.

    The following are incorrect answers:
    Evidence has to be collected in accordance with all laws and legal regulations. Evidence would have to be collected in accordance with applicable laws and regulations, but not necessarily with ALL laws and regulations. Only laws and regulations that apply would be followed.

    Law enforcement officials should be contacted for advice on how and when to collect critical information. It seems you failed to do your homework; once you have an incident it is a bit late to do this. Proper crime investigation, as well as incident response, is all about being prepared ahead of time. Obviously, you are improvising if you need to call law enforcement to find out what to do. It is a great way of contaminating your evidence by mistake if you don’t have a well-documented process with clear procedures that need to be followed.

    Log files containing information regarding an intrusion are retained for at least as long as normal business records, and longer in the case of an ongoing investigation. Specific legal requirements exist for log retention, and they are not the same as those for normal business records. Laws and regulations such as Basel, HIPAA, SOX, and others have specific requirements.

    Reference(s) used for this question:
    Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 23465-23470). Auerbach Publications. Kindle Edition.
    and
    ALLEN, Julia H., The CERT Guide to System and Network Security Practices, Addison-Wesley, 2001, Chapter 7: Responding to Intrusions (pages 282-285).
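
    The chain-of-custody requirements described above (the who, what, when, where, and how of every hand-off, in question 15) and in the knife example of question 5 can be applied to digital evidence with a simple ledger. The following Python script is an added example; it is not code from the study page or from any source it cites. It records each transfer with those fields, hashes the item at collection, re-hashes it at every transfer, and reports a break in continuity, an out-of-order timestamp, or an altered item. All custodians, locations, timestamps, and the evidence bytes are constructed for illustration.

```python
"""Chain-of-custody ledger for a digital evidence item.

Added example, not from the study page or its cited sources. Every hand-off
is recorded with who/what/when/where/how, the item is hashed at collection
and re-hashed at each transfer, and verify() checks that the ledger is
continuous, chronological, and that the item is unchanged. All names,
places, timestamps and evidence bytes below are constructed.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional


def sha256_hex(data: bytes) -> str:
    """Content hash used to show the item is in the same condition as when seized."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEvent:
    when: datetime               # when the hand-off happened (UTC)
    from_person: Optional[str]   # releasing custodian; None at initial collection
    to_person: str               # receiving custodian
    where: str                   # location of the transfer
    how: str                     # transfer/storage method (sealed bag, locker, ...)
    sha256: str                  # hash of the item as observed at this step


@dataclass
class EvidenceRecord:
    item_id: str
    description: str
    events: List[CustodyEvent] = field(default_factory=list)

    def collect(self, collector: str, where: str, how: str, data: bytes, when: datetime) -> None:
        """First ledger entry: the collector hashes the item at seizure time."""
        self.events.append(CustodyEvent(when, None, collector, where, how, sha256_hex(data)))

    def transfer(self, from_person: str, to_person: str, where: str, how: str,
                 data: bytes, when: datetime) -> None:
        """Later hand-offs re-hash the item so any alteration shows in the ledger."""
        self.events.append(CustodyEvent(when, from_person, to_person, where, how, sha256_hex(data)))

    def verify(self) -> List[str]:
        """Return the problems found; an empty list means the chain is intact."""
        problems: List[str] = []
        if not self.events:
            return ["no custody events recorded"]
        first = self.events[0]
        if first.from_person is not None:
            problems.append("first event is not an initial collection")
        for prev, cur in zip(self.events, self.events[1:]):
            # Continuity: the person releasing the item must be its last recorded holder.
            if cur.from_person != prev.to_person:
                problems.append(f"gap: {prev.to_person} held the item but {cur.from_person} released it")
            # Chronology: transfers must be recorded in time order.
            if cur.when < prev.when:
                problems.append(f"out-of-order timestamp at transfer to {cur.to_person}")
            # Integrity: the hash must still match the one taken at collection.
            if cur.sha256 != first.sha256:
                problems.append(f"hash mismatch at transfer to {cur.to_person}: item altered")
        return problems


# Constructed sample evidence (stands in for a disk image or log export).
DISK_IMAGE = b"constructed sample disk image bytes 0001"
T0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)


def build_intact_chain() -> EvidenceRecord:
    """Andrew collects, hands to Bill (lab), who hands to Charlene (evidence clerk)."""
    rec = EvidenceRecord("ITEM-001", "workstation disk image (constructed)")
    rec.collect("Andrew", "office 3B", "write-blocked imaging, sealed bag", DISK_IMAGE, T0)
    rec.transfer("Andrew", "Bill", "forensics lab", "hand delivery, seal intact", DISK_IMAGE, T0.replace(hour=11))
    rec.transfer("Bill", "Charlene", "evidence room", "locked locker #7", DISK_IMAGE, T0.replace(hour=15))
    return rec


def build_broken_chain() -> EvidenceRecord:
    """Dave releases the item although Bill was the last recorded custodian."""
    rec = build_intact_chain()
    rec.events.pop()  # drop the Bill -> Charlene entry
    rec.transfer("Dave", "Charlene", "evidence room", "locked locker #7", DISK_IMAGE, T0.replace(hour=15))
    return rec


def build_tampered_chain() -> EvidenceRecord:
    """The bytes handed to the clerk differ from what was collected."""
    rec = build_intact_chain()
    rec.events.pop()
    rec.transfer("Bill", "Charlene", "evidence room", "locked locker #7", DISK_IMAGE + b"x", T0.replace(hour=15))
    return rec


if __name__ == "__main__":
    for name, rec in (("intact", build_intact_chain()),
                      ("broken", build_broken_chain()),
                      ("tampered", build_tampered_chain())):
        print(name, rec.verify() or "chain intact")
```

    The ledger only proves what was recorded; the procedural controls the text describes (one identifiable custodian at all times, as few transfers as possible, signatures at each step) are what make the entries credible in court.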

  16. When should a post-mortem review meeting be held after an intrusion has been properly taken care of?

    • Within the first three months after the investigation of the intrusion is completed.
    • Within the first week after prosecution of intruders have taken place, whether successful or not.
    • Within the first month after the investigation of the intrusion is completed.
    • Within the first week of completing the investigation of the intrusion.

    Explanation:

    A post-mortem review meeting should be held with all involved parties within three to five working days of completing the investigation of the intrusion. Otherwise, participants are likely to forget critical information. Even if it enabled an organization to validate the correctness of its chain of custody of evidence, it would not make sense to wait until prosecution is complete because it would take too much time and many cases of intrusion never get to court anyway.

    Source: ALLEN, Julia H., The CERT Guide to System and Network Security Practices, Addison-Wesley, 2001, Chapter 7: Responding to Intrusions (page 297).

  17. Which of the following statements pertaining to disaster recovery planning is incorrect?

    • Every organization must have a disaster recovery plan
    • A disaster recovery plan contains actions to be taken before, during and after a disruptive event.
    • The major goal of disaster recovery planning is to provide an organized way to make decisions if a disruptive event occurs.
    • A disaster recovery plan should cover return from alternate facilities to primary facilities.
    Explanation:

    It is possible that an organization may not need a disaster recovery plan. An organization may not have any critical processing areas or systems, and it would be able to withstand lengthy interruptions.

    Remember that DRP is related to systems needed to support your most critical business functions.

    The DRP plan covers actions to be taken when a disaster occurs, but DRP PLANNING, which is the keyword in the question, would also include steps that happen before you use the plan, such as development of the plan, training, drills, logistics, and a lot more.

    To be effective, the plan would certainly cover before, during, and after the disaster actions.

    It may take you a couple of years to develop a plan for a medium-sized company; there is a lot that has to happen before the plan would actually be used in a real disaster scenario. Plan for the worst and hope for the best.

    All other statements are true.

    NOTE FROM CLEMENT:
    Below is a great article on who legally needs a plan, which is very much in line with this question. Does EVERY company need a plan? The legal answer is NO. Some companies and industries will be required by laws or regulations to have a plan. A blanket statement saying "All companies MUST have a plan" would not be accurate. The article below is specific to the USA, but similar laws will exist in many other countries.

    Some companies, such as utilities, power, etc., might also need a plan if they have been defined as Critical Infrastructure by the government. The legal side of IT is always very complex and varies between countries. Always talk to your lawyer to ensure you follow the law of the land 🙂

    Read the details below:
    So Who, Legally, MUST Plan?

    With the caveats above, let’s cover a few of the common laws where there is a duty to have a disaster recovery plan. I will try to include the basis for that requirement, where there is an implied mandate to do so, and what the difference is between the two.
    Banks and Financial Institutions MUST Have a Plan

    The Federal Financial Institutions Examination Council (Council) was established on March 10, 1979, pursuant to Title X of the Financial Institutions Regulatory and Interest Rate Control Act of 1978 (FIRA), Public Law 95-630. In 1989, Title XI of the Financial Institutions Reform, Recovery and Enforcement Act of 1989 (FIRREA) established the Examination Council (the Council).

    The Council is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS); and to make recommendations to promote uniformity in the supervision of financial institutions. In other words, every bank, savings and loan, credit union, and other financial institution is governed by the principles adopted by the Council.

    In March of 2003, the Council released its Business Continuity Planning handbook designed to provide guidance and examination procedures for examiners in evaluating financial institution and service provider risk-management processes.
    Stockbrokers MUST Have a Plan

    The National Association of Securities Dealers (NASD) has adopted rules that require all its members to have business continuity plans. The NASD oversees the activities of more than 5,100 brokerage firms, approximately 130,800 branch offices and more than 658,770 registered securities representatives.

    As of June 14, 2004, the rules apply to all NASD member firms. The requirements, which are specified in Rule 3510, begin with the following:

    3510. Business Continuity Plans. (a) Each member must create and maintain a written business continuity plan identifying procedures relating to an emergency or significant business disruption. Such procedures must be reasonably designed to enable the member to meet its existing obligations to customers. In addition, such procedures must address the member’s existing relationships with other broker-dealers and counter-parties. The business continuity plan must be made available promptly upon request to NASD staff.

    NOTE:
    The rules apply to every company that deals in securities, such as brokers, dealers, and their representatives; they do NOT apply to the listed companies themselves.
    Electric Utilities WILL Need a Plan

    The disaster recovery function relating to the electric utility grid is presently undergoing a change. Prior to 2005, the Federal Energy Regulatory Commission (FERC) could only coordinate volunteer efforts between utilities. This has changed with the adoption of Title XII of the Energy Policy Act of 2005 (16 U.S.C. 824o). That new law authorizes the FERC to create an Electric Reliability Organization (ERO).
    The ERO will have the capability to adopt and enforce reliability standards for “all users, owners, and operators of the bulk power system” in the United States. At this time, FERC is in the process of finalizing the rules for the creation of the ERO. Once the ERO is created, it will begin the process of establishing reliability standards.

    It is very safe to assume that the ERO will adopt standards for service restoration and disaster recovery, particularly after such widespread disasters as Hurricane Katrina.
    Telecommunications Utilities SHOULD Have Plans, but MIGHT NOT

    Telecommunications utilities are governed on the federal level by the Federal Communications Commission (FCC) for interstate services and by state Public Utility Commissions (PUCs) for services within the state.

    The FCC has created the Network Reliability and Interoperability Council (NRIC). The role of the NRIC is to develop recommendations for the FCC and the telecommunications industry to “insure [sic] optimal reliability, security, interoperability and interconnectivity of, and accessibility to, public communications networks and the internet.” The NRIC members are senior representatives of providers and users of telecommunications services and products, including telecommunications carriers, the satellite, cable television, wireless and computer industries, trade associations, labor and consumer representatives, manufacturers, research organizations, and government-related organizations.

    There is no explicit provision that we could find that says telecommunications carriers must have a Disaster Recovery Plan. As I have stated frequently in this series of articles on disaster recovery, however, telecommunications facilities are tempting targets for terrorism. I have not changed my mind in that regard and urge caution.

    You might also want to consider what the liability of a telephone company is if it does have a disaster that causes loss to your organization. In three words: It’s not much. The following is the statement used in most telephone company tariffs with regard to its liability:

    The Telephone Company’s liability, if any, for its gross negligence or willful misconduct is not limited by this tariff. With respect to any other claim or suit, by a customer or any others, for damages arising out of mistakes, omissions, interruptions, delays or errors, or defects in transmission occurring in the course of furnishing services hereunder, the Telephone Company’s liability, if any, shall not exceed an amount equivalent to the proportionate charge to the customer for the period of service during which such mistake, omission, interruption, delay, error or defect in transmission or service occurs and continues. (Source, General Exchange Tariff for major carrier)

    All Health Care Providers WILL Need a Disaster Recovery Plan

    HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, which amended the Internal Revenue Service Code of 1986. Also known as the Kennedy-Kassebaum Act, the Act includes a section, Title II, entitled Administrative Simplification, requiring “Improved efficiency in healthcare delivery by standardizing electronic data interchange, and protection of confidentiality and security of health data through setting and enforcing standards.”

    The legislation called upon the Department of Health and Human Services (HHS) to publish new rules that will ensure security standards protecting the confidentiality and integrity of “individually identifiable health information,” past, present, or future.

    The final Security Rule was published by HHS on February 20, 2003 and provides for a uniform level of protection of all health information that is housed or transmitted electronically and that pertains to an individual.

    The Security Rule requires covered entities to ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) that the covered entity creates, receives, maintains, or transmits. It also requires entities to protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI, protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule, and ensure compliance by their workforce.

    Required safeguards include application of appropriate policies and procedures, safeguarding physical access to ePHI, and ensuring that technical security measures are in place to protect networks, computers and other electronic devices.
    Companies with More than 10 Employees

    The United States Department of Labor has adopted numerous rules and regulations in regard to workplace safety as part of the Occupational Safety and Health Act. For example, 29 USC 654 specifically requires:

    (a) Each employer:

    (1) shall furnish to each of his employees employment and a place of employment which are free from recognized hazards that are causing or are likely to cause death or serious physical harm to his employees;

    (2) shall comply with occupational safety and health standards promulgated under this Act.

    (b) Each employee shall comply with occupational safety and health standards and all rules, regulations, and orders issued pursuant to this Act which are applicable to his own actions and conduct.

    Other Considerations or Expensive Research Qs for Lawyers (Sorry, Eddie!)

    The Foreign Corrupt Practices Act of 1977
    Internal Revenue Service (IRS) Law for Protecting Taxpayer Information
    Food and Drug Administration (FDA) Mandated Requirements
    Homeland Security and Terrorist Prevention
    Pandemic (Bird Flu) Prevention
    ISO 9000 Certification
    Requirements for Radio and TV Broadcasters
    Contract Obligations to Customers
    Document Protection and Retention Laws
    Personal Identity Theft…and MORE!

    Suffice it to say you will need to check with your legal department for specific requirements in your business and industry!

    I would like to thank my good friend, Eddie M. Pope, for his insightful contributions to this article, our upcoming book, and my ever-growing pool of lawyer jokes. If you want more information on the legal aspects of recovery planning, Eddie can be contacted at my company or via email at mailto:[email protected]. (Eddie cannot, of course, give you legal advice, but he can point you in the right direction.)

    I hope this article helps you better understand the complex realities of the legal reasons why we plan, and I wish you the best of luck.

    See original article at: http://www.informit.com/articles/article.aspx?p=777896

    See another interesting article on the subject at: http://www.informit.com/articles/article.aspx?p=677910&seqNum=1

    References used for this question:
    KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 8: Business Continuity Planning and Disaster Recovery Planning (page 281).

  18. Which of the following statements does not apply to a hot site?

    • It is expensive.
    • There are cases of common overselling of processing capabilities by the service provider.
    • It provides a false sense of security.
    • It is accessible on a first come first serve basis. In case of large disaster it might not be accessible.
    Explanation:

    Remember this is a NOT question. Hot sites do not provide a false sense of security, since they are the best disaster recovery alternative among the backup sites that you can rent.

    Cold, warm, and hot sites are always rented facilities in the context of the CBK. The hot site is definitely the best choice among the rental options that exist. It is fully configured and can be activated in a very short period of time.

    Cold and Warm sites, not hot sites, provide a false sense of security because you can never fully test your plan.

    In reality, using a cold site will most likely make effective recovery impossible or could lead to business closure if it takes more than two weeks for recovery.

    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 8: Business Continuity Planning and Disaster Recovery Planning (page 284).

  19. A business continuity plan is an example of which of the following?

    • Corrective control
    • Detective control
    • Preventive control
    • Compensating control
    Explanation:

    Business Continuity Plans are designed to minimize the damage done by the event and facilitate rapid restoration of the organization to its full operational capacity. They are for use “after the fact”, and thus are examples of corrective controls.

    Reference(s) used for this question:
    KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 8: Business Continuity Planning and Disaster Recovery Planning (page 273).
    and
    Conrad, Eric; Misenar, Seth; Feldman, Joshua (2012-09-01). CISSP Study Guide (Kindle Location 8069). Elsevier Science (reference). Kindle Edition.

  20. When preparing a business continuity plan, which of the following is responsible for identifying and prioritizing time-critical systems?

    • Executive management staff
    • Senior business unit management
    • BCP committee
    • Functional business units
    Explanation:
    Many elements of a BCP will address senior management, such as the statement of importance and priorities, the statement of organizational responsibility, and the statement of urgency and timing. Executive management staff initiates the project, gives final approval, and gives ongoing support. The BCP committee directs the planning, implementation, and test processes, whereas functional business units participate in implementation and testing.
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 8: Business Continuity Planning and Disaster Recovery Planning (page 275).