SSCP : System Security Certified Practitioner (SSCP) : Part 44

  1. Which of the following is used to monitor network traffic or to monitor host audit logs in real time to determine violations of system security policy that have taken place?

    • Intrusion Detection System
    • Compliance Validation System
    • Intrusion Management System (IMS)
    • Compliance Monitoring System

    Explanation:

    An Intrusion Detection System (IDS) is a system that is used to monitor network traffic or to monitor host audit logs in order to determine if any violations of an organization’s system security policy have taken place.
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 48.

  2. Which of the following reviews system and event logs to detect attacks on the host and determine if the attack was successful?

    • host-based IDS
    • firewall-based IDS
    • bastion-based IDS
    • server-based IDS
    Explanation:
    A host-based IDS can review the system and event logs in order to detect an attack on the host and to determine if the attack was successful.
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 48.

  3. What would be considered the biggest drawback of Host-based Intrusion Detection systems (HIDS)?

    • It can be very invasive to the host operating system
    • Monitors all processes and activities on the host system only
    • Virtually eliminates limits associated with encryption
    • They have an increased level of visibility and control compared to NIDS
    Explanation:

    The biggest drawback of HIDS, and the reason many organizations resist its use, is that it can be very invasive to the host operating system. HIDS must have the capability to monitor all processes and activities on the host system and this can sometimes interfere with normal system processing.

    HIDS versus NIDS
    A host-based IDS (HIDS) can be installed on individual workstations and/or servers to watch for inappropriate or anomalous activity. HIDSs are usually used to make sure users do not delete system files, reconfigure important settings, or put the system at risk in any other way.

    So, whereas the NIDS understands and monitors the network traffic, a HIDS’s universe is limited to the computer itself. A HIDS does not understand or review network traffic, and a NIDS does not “look in” and monitor a system’s activity. Each has its own job and stays out of the other’s way.

    The ISC2 official study book defines an IDS as:
    An intrusion detection system (IDS) is a technology that alerts organizations to adverse or unwanted activity. An IDS can be implemented as part of a network device, such as a router, switch, or firewall, or it can be a dedicated IDS device monitoring traffic as it traverses the network. When used in this way, it is referred to as a network IDS, or NIDS. IDS can also be used on individual host systems to monitor and report on file, disk, and process activity on that host. When used in this way it is referred to as a host-based IDS, or HIDS.

    An IDS is informative by nature and provides real-time information when suspicious activities are identified. It is primarily a detective device and, acting in this traditional role, is not used to directly prevent the suspected attack.

    What about IPS?
    In contrast, an intrusion prevention system (IPS), is a technology that monitors activity like an IDS but will automatically take proactive preventative action if it detects unacceptable activity. An IPS permits a predetermined set of functions and actions to occur on a network or system; anything that is not permitted is considered unwanted activity and blocked. IPS is engineered specifically to respond in real time to an event at the system or network layer. By proactively enforcing policy, IPS can thwart not only attackers, but also authorized users attempting to perform an action that is not within policy. Fundamentally, IPS is considered an access control and policy enforcement technology, whereas IDS is considered network monitoring and audit technology.

    The following answers were incorrect:
    All of the other answers were advantages, not drawbacks, of using HIDS.

    TIP FOR THE EXAM:
    Be familiar with the differences that exist between a HIDS, a NIDS, and an IPS. Know that IDSs are mostly detective, whereas IPSs are preventive. IPSs are considered an access control and policy enforcement technology, whereas IDSs are considered a network monitoring and audit technology.

    Reference(s) used for this question:
    Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (Kindle Locations 5817-5822). McGraw-Hill. Kindle Edition.
    and
    Schneiter, Andrew (2013-04-15). Official (ISC)2 Guide to the CISSP CBK, Third Edition : Access Control ((ISC)2 Press), Domain1, Page 180-188 or on the kindle version look for Kindle Locations 3199-3203. Auerbach Publications.

  4. Which of the following usually provides reliable, real-time information without consuming network or host resources?

    • network-based IDS
    • host-based IDS
    • application-based IDS
    • firewall-based IDS
    Explanation:
    A network-based IDS usually provides reliable, real-time information without consuming network or host resources.
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 48.

  5. The fact that a network-based IDS reviews packet payloads and headers enables which of the following?

    • Detection of denial of service
    • Detection of all viruses
    • Detection of data corruption
    • Detection of all password guessing attacks
    Explanation:

    Because a network-based IDS reviews packets and headers, denial of service attacks can also be detected.

    This question is an easy one if you go through the process of elimination. When you see an answer containing the keyword ALL, it is something of a giveaway that it is not the proper answer. On the real exam you may encounter a few questions where the use of the word ALL renders the choice invalid. Pay close attention to such keywords.

    The following are incorrect answers:

    Even though most IDSs can detect some viruses and some password guessing attacks, they cannot detect ALL viruses or ALL password guessing attacks. Therefore, these two answers are only distractors.
    Unless the IDS knows the valid values for a certain dataset, it can NOT detect data corruption.

    Reference used for this question:
    KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 48.

  6. A timely review of system access audit records would be an example of which of the basic security functions?

    • avoidance
    • deterrence
    • prevention
    • detection
    Explanation:

    By reviewing system logs you can detect events that have occurred.

    The following answers are incorrect:

    avoidance. This is incorrect, avoidance is a distractor. By reviewing system logs you have not avoided anything.

    deterrence. This is incorrect because system logs are a history of past events. You cannot deter something that has already occurred.

    prevention. This is incorrect because system logs are a history of past events. You cannot prevent something that has already occurred.

  7. Which of the following would assist the most in Host Based intrusion detection?

    • audit trails.
    • access control lists.
    • security clearances
    • host-based authentication
    Explanation:

    To assist in Intrusion Detection you would review audit logs for access violations.

    The following answers are incorrect:

    access control lists. This is incorrect because access control lists determine who has access to what but do not detect intrusions.

    security clearances. This is incorrect because security clearances determine who has access to what but do not detect intrusions.

    host-based authentication. This is incorrect because host-based authentication determines who has been authenticated to the system but does not detect intrusions.
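The log review that questions 2 and 7 describe, as an added example in Python that is not part of the original study material: a small host-based review of constructed audit lines that flags a burst of failed logins, marks the alert as successful if an accepted login from the same source follows the burst (the "was the attack successful" question from item 2), and flags repeated access violations. The log format, the threshold of three events and the function names are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample of syslog-style host audit lines (not real data).
SAMPLE_AUDIT_LOG = """\
2024-05-01T08:00:01 host1 sshd[411]: Failed password for root from 203.0.113.7 port 50211 ssh2
2024-05-01T08:00:03 host1 sshd[411]: Failed password for root from 203.0.113.7 port 50212 ssh2
2024-05-01T08:00:05 host1 sshd[411]: Failed password for root from 203.0.113.7 port 50213 ssh2
2024-05-01T08:00:09 host1 sshd[411]: Accepted password for root from 203.0.113.7 port 50214 ssh2
2024-05-01T08:01:00 host1 sshd[412]: Accepted publickey for alice from 192.0.2.10 port 41000 ssh2
2024-05-01T08:02:00 host1 audit[500]: DENIED open path=/etc/shadow uid=1001 user=bob
2024-05-01T08:02:30 host1 audit[500]: DENIED open path=/etc/shadow uid=1001 user=bob
2024-05-01T08:03:00 host1 audit[501]: DENIED open path=/etc/sudoers uid=1001 user=bob
"""

# Assumed line shapes; a real HIDS would carry a parser per log source.
FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)")
ACCEPTED_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")
DENIED_RE = re.compile(r"DENIED (?P<op>\w+) path=(?P<path>\S+) .*user=(?P<user>\S+)")


def parse_line(line):
    """Classify one audit line into an event dict, or None if it is not of interest."""
    for kind, pattern in (("failed_login", FAILED_RE),
                          ("accepted_login", ACCEPTED_RE),
                          ("access_denied", DENIED_RE)):
        m = pattern.search(line)
        if m:
            return {"kind": kind, **m.groupdict()}
    return None


def review_audit_log(text, threshold=3):
    """Walk the log in order and return alerts, the way a HIDS reviewing host logs would.

    - `threshold` failed logins for one (user, source) pair raise a password-guessing alert;
      an accepted login for the same pair afterwards marks that alert as successful.
    - `threshold` access denials for one user raise an access-violation alert.
    """
    failed = defaultdict(int)    # (user, src) -> failures since the last success
    denied = defaultdict(list)   # user -> paths the user was denied
    alerts = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["kind"] == "failed_login":
            key = (ev["user"], ev["src"])
            failed[key] += 1
            if failed[key] == threshold:
                alerts.append({"type": "password_guessing", "user": ev["user"],
                               "src": ev["src"], "attempts": threshold, "successful": False})
        elif ev["kind"] == "accepted_login":
            key = (ev["user"], ev["src"])
            if failed[key] >= threshold:
                # A success right after a burst of failures: the guessing attack got in.
                for a in alerts:
                    if (a["type"] == "password_guessing"
                            and (a["user"], a["src"]) == key):
                        a["successful"] = True
            failed[key] = 0
        elif ev["kind"] == "access_denied":
            denied[ev["user"]].append(ev["path"])
            if len(denied[ev["user"]]) == threshold:
                alerts.append({"type": "access_violation", "user": ev["user"],
                               "paths": sorted(set(denied[ev["user"]])), "count": threshold})
    return alerts


if __name__ == "__main__":
    for alert in review_audit_log(SAMPLE_AUDIT_LOG):
        print(alert)
```

On the constructed sample the review produces two alerts: a successful password-guessing attempt against root from 203.0.113.7, and three access violations by bob. The ACL or clearance that denied bob's reads did its job, but only the audit trail shows that the attempts happened, which is the point of item 7.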

  8. In what way could Java applets pose a security threat?

    • Their transport can interrupt the secure distribution of World Wide Web pages over the Internet by removing SSL and S-HTTP
    • Java interpreters do not provide the ability to limit system access that an applet could have on a client system.
    • Executables from the Internet may attempt an intentional attack when they are downloaded on a client system.
    • Java does not check the bytecode at runtime or provide other safety mechanisms for program isolation from the client system.
    Explanation:
    Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.

  9. Which of the following is needed for System Accountability?

    • Audit mechanisms.
    • Documented design as laid out in the Common Criteria.
    • Authorization.
    • Formal verification of system design.
    Explanation:

    Audit mechanisms are a means of being able to track user actions. Through the use of audit logs and other tools, user actions are recorded and can be used at a later date to verify what actions were performed.

    Accountability is the ability to identify users and to be able to track user actions.

    The following answers are incorrect:

    Documented design as laid out in the Common Criteria. Is incorrect because the Common Criteria is an international standard to evaluate trust and would not be a factor in System Accountability.

    Authorization. Is incorrect because Authorization is granting access to subjects, just because you have authorization does not hold the subject accountable for their actions.

    Formal verification of system design. Is incorrect because all you have done is to verify the system design and have not taken any steps toward system accountability.

    References:
    OIG CBK Glossary (page 778)

  10. Who can best decide what are the adequate technical security controls in a computer-based application system in regards to the protection of the data being used, the criticality of the data, and its sensitivity level?

    • System Auditor
    • Data or Information Owner
    • System Manager
    • Data or Information user
    Explanation:

    The data or information owner also referred to as “Data Owner” would be the best person. That is the individual or officer who is ultimately responsible for the protection of the information and can therefore decide what are the adequate security controls according to the data sensitivity and data criticality. The auditor would be the best person to determine the adequacy of controls and whether or not they are working as expected by the owner.

    The function of the auditor is to come around periodically and make sure you are doing what you are supposed to be doing. They ensure the correct controls are in place and are being maintained securely. The goal of the auditor is to make sure the organization complies with its own policies and the applicable laws and regulations.

    Organizations can have internal auditors and/or external auditors. The external auditors commonly work on behalf of a regulatory body to make sure compliance is being met. An example is CobiT, a model that most information security auditors follow when evaluating a security program. While many security professionals fear and dread auditors, they can be valuable tools in ensuring the overall security of the organization. Their goal is to find the things you have missed and help you understand how to fix the problem.

    The Official ISC2 Guide (OIG) says:
    IT auditors determine whether users, owners, custodians, systems, and networks are in compliance with the security policies, procedures, standards, baselines, designs, architectures, management direction, and other requirements placed on systems. The auditors provide independent assurance to the management on the appropriateness of the security controls. The auditor examines the information systems and determines whether they are designed, configured, implemented, operated, and managed in a way ensuring that the organizational objectives are being achieved. The auditors provide top company management with an independent view of the controls and their effectiveness.

    Example:
    Bob is the head of payroll. He is therefore the individual with primary responsibility over the payroll database, and is therefore the information/data owner of the payroll database. In Bob’s department, he has Sally and Richard working for him. Sally is responsible for making changes to the payroll database, for example if someone is hired or gets a raise. Richard is only responsible for printing paychecks. Given those roles, Sally requires both read and write access to the payroll database, but Richard requires only read access to it. Bob communicates these requirements to the system administrators (the “information/data custodians”) and they set the file permissions for Sally’s and Richard’s user accounts so that Sally has read/write access, while Richard has only read access.

    So in short, Bob will determine what controls are required and what the sensitivity and criticality of the data are. Bob will communicate this to the custodians, who will implement the requirements on the systems/DB. The auditor would assess whether the controls are in fact providing the level of security the Data Owner expects within the systems/DB. The auditor does not determine the sensitivity or the criticality of the data.

    The other answers are not correct because:
    A “system auditor” is never responsible for anything but auditing… not actually making control decisions but the auditor would be the best person to determine the adequacy of controls and then make recommendations.

    A “system manager” is really just another name for a system administrator, which is actually an information custodian as explained above.

    A “Data or information user” is responsible for implementing security controls on a day-to-day basis as they utilize the information, but not for determining what the controls should be or if they are adequate.

    References:
    Official ISC2 Guide to the CISSP CBK, Third Edition , Page 477

    Schneiter, Andrew (2013-04-15). Official (ISC)2 Guide to the CISSP CBK, Third Edition : Information Security Governance and Risk Management ((ISC)2 Press) (Kindle Locations 294-298). Auerbach Publications. Kindle Edition.

    Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (Kindle Locations 3108-3114).

    Information Security Glossary
    Responsibility for use of information resources

  11. Attributable data should be:

    • always traced to individuals responsible for observing and recording the data
    • sometimes traced to individuals responsible for observing and recording the data
    • never traced to individuals responsible for observing and recording the data
    • often traced to individuals responsible for observing and recording the data
    Explanation:
    As per the FDA, data should be attributable, original, accurate, contemporaneous and legible. In an automated system, attributability could be achieved by a computer system designed to identify the individuals responsible for any input.
    Source: U.S. Department of Health and Human Services, Food and Drug Administration, Guidance for Industry – Computerized Systems Used in Clinical Trials, April 1999, page 1.

  12. Who should measure the effectiveness of Information System security related controls in an organization?

    • The local security specialist
    • The business manager
    • The systems auditor
    • The central security manager
    Explanation:

    It is the systems auditor that should lead the effort to ensure that the security controls are in place and effective. The audit would verify that the controls comply with policies, procedures, laws, and regulations where applicable. The findings would then be provided to senior management.

    The following answers are incorrect:
    the local security specialist. Is incorrect because an independent review should take place by a third party. The security specialist might offer mitigation strategies, but it is the auditor that would ensure the effectiveness of the controls.

    the business manager. Is incorrect because the business manager would be responsible for ensuring that the controls are in place, but it is the auditor that would ensure the effectiveness of the controls.

    the central security manager. Is incorrect because the central security manager would be responsible for implementing the controls, but it is the auditor that is responsible for ensuring their effectiveness.

  13. In an online transaction processing system (OLTP), which of the following actions should be taken when erroneous or invalid transactions are detected?

    • The transactions should be dropped from processing.
    • The transactions should be processed after the program makes adjustments.
    • The transactions should be written to a report and reviewed.
    • The transactions should be corrected and reprocessed.
    Explanation:

    In an online transaction processing system (OLTP) all transactions are recorded as they occur. When erroneous or invalid transactions are detected the transaction can be recovered by reviewing the logs.

    As explained in the ISC2 OIG:
    OLTP is designed to record all of the business transactions of an organization as they occur. It is a data processing system facilitating and managing transaction-oriented applications. These are characterized as a system used by many concurrent users who are actively adding and modifying data to effectively change real-time data.

    OLTP environments are frequently found in the finance, telecommunications, insurance, retail, transportation, and travel industries. For example, airline ticket agents enter data in the database in real-time by creating and modifying travel reservations, and these are increasingly joined by users directly making their own reservations and purchasing tickets through airline company Web sites as well as discount travel Web site portals. Therefore, millions of people may be accessing the same flight database every day, and dozens of people may be looking at a specific flight at the same time.

    The security concerns for OLTP systems are concurrency and atomicity.

    Concurrency controls ensure that two users cannot simultaneously change the same data, or that one user cannot make changes before another user is finished with it. In an airline ticket system, it is critical for an agent processing a reservation to complete the transaction, especially if it is the last seat available on the plane.

    Atomicity ensures that all of the steps involved in the transaction complete successfully. If one step should fail, then the other steps should not be able to complete. Again, in an airline ticketing system, if the agent does not enter a name into the name data field correctly, the transaction should not be able to complete.

    OLTP systems should act as a monitoring system and detect when individual processes abort, automatically restart an aborted process, back out of a transaction if necessary, allow distribution of multiple copies of application servers across machines, and perform dynamic load balancing.

    A security feature uses transaction logs to record information on a transaction before it is processed, and then mark it as processed after it is done. If the system fails during the transaction, the transaction can be recovered by reviewing the transaction logs.

    Checkpoint restart is the process of using the transaction logs to restart the machine by running through the log to the last checkpoint or good transaction. All transactions following the last checkpoint are applied before allowing users to access the data again.

    Wikipedia has nice coverage on what is OLTP:
    Online transaction processing, or OLTP, refers to a class of systems that facilitate and manage transaction-oriented applications, typically for data entry and retrieval transaction processing. The term is somewhat ambiguous; some understand a “transaction” in the context of computer or database transactions, while others (such as the Transaction Processing Performance Council) define it in terms of business or commercial transactions.

    OLTP has also been used to refer to processing in which the system responds immediately to user requests. An automatic teller machine (ATM) for a bank is an example of a commercial transaction processing application.

    The technology is used in a number of industries, including banking, airlines, mailorder, supermarkets, and manufacturing. Applications include electronic banking, order processing, employee time clock systems, e-commerce, and eTrading.

    There are two security concerns for OLTP systems: Concurrency and Atomicity

    ATOMICITY
    In database systems, atomicity (or atomicness) is one of the ACID transaction properties. In an atomic transaction, a series of database operations either all occur, or nothing occurs. A guarantee of atomicity prevents updates to the database occurring only partially, which can cause greater problems than rejecting the whole series outright.

    The etymology of the phrase originates in the Classical Greek concept of a fundamental and indivisible component; see atom.

    An example of atomicity is ordering an airline ticket where two actions are required: payment, and a seat reservation. The potential passenger must either:

    both pay for and reserve a seat; OR
    neither pay for nor reserve a seat.

    The booking system does not consider it acceptable for a customer to pay for a ticket without securing the seat, nor to reserve the seat without payment succeeding.

    CONCURRENCY
    Database concurrency controls ensure that transactions occur in an ordered fashion.

    The main job of these controls is to protect transactions issued by different users/applications from the effects of each other. They must preserve the four characteristics of database transactions ACID test: Atomicity, Consistency, Isolation, and Durability. Read http://en.wikipedia.org/wiki/ACID for more details on the ACID test.

    Thus concurrency control is an essential element for correctness in any system where two or more database transactions, executed with time overlap, can access the same data, e.g., virtually any general-purpose database system. A well established concurrency control theory exists for database systems: serializability theory, which allows one to effectively design and analyze concurrency control methods and mechanisms.

    Concurrency is not an issue in itself; it is the lack of proper concurrency controls that makes it a serious issue.
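The transaction log, atomic commit and checkpoint restart described above, as an added example in Python (not code from the OIG, Wikipedia, or any product): a toy airline booking store in which every transaction is written to the log as pending before it touches the data, an invalid transaction is kept in the log as aborted for review rather than adjusted or corrected on the fly, and recovery rebuilds the state from the last checkpoint, replaying only committed transactions and backing out anything still pending. The state layout, the operation names and the `OLTP`/`apply_ops` names are assumptions made for the example.

```python
import copy


def apply_ops(state, ops):
    """Apply a list of (op, key, amount) operations to a COPY of `state`.

    Either every operation succeeds and the new state is returned, or a ValueError
    is raised and the caller's state is untouched: that is the atomicity guarantee
    (pay AND reserve, or neither).
    """
    new = copy.deepcopy(state)
    for op, key, amount in ops:
        if op == "debit":
            if new["balances"].get(key, 0) < amount:
                raise ValueError(f"insufficient funds for {key}")
            new["balances"][key] -= amount
        elif op == "reserve":
            if new["seats"].get(key, 0) < amount:
                raise ValueError(f"no seat available on {key}")
            new["seats"][key] -= amount
        else:
            raise ValueError(f"unknown operation {op}")
    return new


class OLTP:
    """Minimal transaction processor with a write-ahead log and checkpoints."""

    def __init__(self, state):
        self.state = state
        self.log = []          # in a real system this is durable storage
        self.checkpoint()      # the log starts with a known-good snapshot

    def checkpoint(self):
        self.log.append({"type": "checkpoint", "snapshot": copy.deepcopy(self.state)})

    def run(self, txid, ops):
        """Record the transaction as pending BEFORE touching the data and mark it
        done only after the atomic apply succeeded. Invalid transactions stay in
        the log as aborted so they can be reported and reviewed."""
        record = {"type": "tx", "txid": txid, "ops": ops, "status": "pending"}
        self.log.append(record)
        try:
            self.state = apply_ops(self.state, ops)
        except ValueError as err:
            record["status"] = "aborted"
            record["reason"] = str(err)
            return False
        record["status"] = "done"
        return True

    @staticmethod
    def recover(log):
        """Checkpoint restart: restore the last checkpoint, replay only committed
        transactions after it, and return (state, report) where the report lists
        aborted and incomplete transactions for review."""
        last = max(i for i, r in enumerate(log) if r["type"] == "checkpoint")
        state = copy.deepcopy(log[last]["snapshot"])
        report = []
        for r in log[last + 1:]:
            if r["status"] == "done":
                state = apply_ops(state, r["ops"])
            elif r["status"] == "aborted":
                report.append((r["txid"], "invalid: " + r["reason"]))
            else:  # still pending: the system failed mid-transaction, so back it out
                report.append((r["txid"], "incomplete, backed out"))
        return state, report


def demo():
    """Constructed scenario: one good booking, a checkpoint, one invalid booking,
    one more good transaction, then a crash with a transaction left pending."""
    system = OLTP({"seats": {"AB123": 1}, "balances": {"alice": 500, "bob": 100}})
    system.run("t1", [("debit", "alice", 300), ("reserve", "AB123", 1)])   # commits
    system.checkpoint()
    system.run("t2", [("debit", "bob", 300), ("reserve", "AB123", 1)])     # bob cannot pay
    system.run("t3", [("debit", "alice", 50)])                             # commits
    # Simulate a crash after the write-ahead record was logged but before commit.
    system.log.append({"type": "tx", "txid": "t4",
                       "ops": [("debit", "alice", 10)], "status": "pending"})
    return OLTP.recover(system.log)


if __name__ == "__main__":
    state, report = demo()
    print(state)
    for txid, note in report:
        print(txid, note)
```

After recovery the state reflects t1 and t3 only; t2 (invalid) and t4 (interrupted) appear on the review report instead of being silently dropped, adjusted, or reprocessed, which is the behaviour the answer to this question relies on.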

    The following answers are incorrect:

    The transactions should be dropped from processing. Is incorrect because the transactions are processed and when erroneous or invalid transactions are detected the transaction can be recovered by reviewing the logs.

    The transactions should be processed after the program makes adjustments. Is incorrect because the transactions are processed and when erroneous or invalid transactions are detected the transaction can be recovered by reviewing the logs.

    The transactions should be corrected and reprocessed. Is incorrect because the transactions are processed and when erroneous or invalid transactions are detected the transaction can be recovered by reviewing the logs.

    References:

    Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 12749-12768). Auerbach Publications. Kindle Edition.
    and
    http://en.wikipedia.org/wiki/Online_transaction_processing
    and
    http://databases.about.com/od/administration/g/concurrency.htm

  14. A momentary power outage is a:

    • spike
    • blackout
    • surge
    • fault
    Explanation:

    A momentary power outage is a fault.

    Power Excess
    Spike –> Too much voltage for a short period of time.
    Surge –> Too much voltage for a long period of time.

    Power Loss
    Fault –> A momentary power outage.
    Blackout –> A long power interruption.

    Power Degradation
    Sag or Dip –> A momentary low voltage.
    Brownout –> A prolonged power supply that is below normal voltage.

    Reference(s) used for this question:
    HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 3rd. Edition McGraw-Hill/Osborne, 2005, page 368.
    and
    https://en.wikipedia.org/wiki/Power_quality

  15. A momentary high voltage is a:

    • spike
    • blackout
    • surge
    • fault
    Explanation:

    Too much voltage for a short period of time is a spike.

    Too much voltage for a long period of time is a surge.

    Not enough voltage for a short period of time is a sag or dip

    Not enough voltage for a long period of time is brownout

    A short power interruption is a fault

    A long power interruption is a blackout

    You MUST know all of the power issues above for the purpose of the exam.
    From: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 3rd. Edition McGraw-Hill/Osborne, 2005, page 368.

  16. If your property insurance has an Actual Cash Valuation (ACV) clause, your damaged property will be compensated based on:

    • Value of item on the date of loss
    • Replacement with a new item for the old one regardless of condition of lost item
    • Value of item one month before the loss
    • Value of item on the date of loss plus 10 percent
    Explanation:

    This is called the Actual Cash Value (ACV) or Actual Cost Valuation (ACV)

    All of the other answers were only distractors. Below you have an explanation of the different types of valuation you could use. It is VERY important for you to validate with your insurer which one applies to you, as you could have some very surprising findings the day a disaster takes place.

    Replacement Cost
    Property replacement cost insurance promises to replace old with new. Generally, replacement of a building must be done on the same premises and used for the same purpose, using materials comparable to the quality of the materials in the damaged or destroyed property.

    There are some other limitations to this promise. For example, the cost of repairs or replacement for buildings doesn’t include the increased cost associated with building codes or other laws controlling how buildings must be built today. An endorsement adding coverage for the operation of Building Codes and the increased costs associated with complying with them is available separately — usually for additional premium.

    In addition, some insurance underwriters will only cover certain property on a depreciated value (actual cash value — ACV) basis even when attached to the building. This includes awnings and floor coverings, appliances for refrigerating, ventilating, cooking, dishwashing, and laundering. Depreciated value also applies to outdoor equipment or furniture.

    Actual Cash Value (ACV)
    The ACV is the default valuation clause for commercial property insurance. It is also known as depreciated value, but this is not the same as accounting depreciated value. The actual cash value is determined by first calculating the replacement value of the property. The next step involves estimating the amount to be subtracted, which reflects the building’s age, wear, and tear.

    This amount deducted from the replacement value is known as depreciation. The amount of depreciation is reduced by inflation (increased cost of replacing the property); regular maintenance; and repair (new roofs, new electrical systems, etc.) because these factors reduce the effective age of the buildings.

    The amount of depreciation applicable is somewhat subjective and certainly subject to negotiation. In fact, there is often disagreement and a degree of uncertainty over the amount of depreciation applicable to a particular building.

    Given this reality, property owners should not leave the determination of depreciation to chance or wait until suffering a property loss to be concerned about it. Every three to five years, property owners should obtain a professional appraisal of the replacement value and depreciated value of the buildings.

    The ACV valuation is an option for directors to consider when certain buildings are in need of repair, or budget constraints prevent insuring all of your facilities on a replacement cost basis. There are other valuation options for property owners to consider as well.

    Functional Replacement Cost
    This valuation method has been available for some time but has not been widely used. It is beginning to show up on property insurance policies imposed by underwriters with concerns about older buildings. It can also be used for buildings which are functionally obsolete.

    This method provides for the replacement of a building with similar property that performs the same function, using less costly material. The endorsement includes coverage for building codes automatically.

    In the event of a loss, the insurance company pays the smallest of four payment options.

    1. In the event of a total loss, the insurer could pay the limit of insurance on the building or the cost to replace the building on the same (or different) site with a payment that is “functionally equivalent.”

    2. In the event of a partial loss, the insurance company could pay the cost to repair or replace the damaged portion in the same architectural style with less costly material (if available).

    3. The insurance company could also pay the amount actually spent to demolish the undamaged portion of the building and clear the site if necessary.

    4. The fourth payment option is to pay the amount actually spent to repair, or replace the building using less costly materials, if available (Hillman and McCracken 1997).

    Unlike the replacement cost valuation method, which excluded certain fixtures and personal property used to service the premises, this endorsement provides functional replacement cost coverage for these items (awnings, floor coverings, appliances, etc.) (Hillman and McCracken 1997).

    As in the standard replacement cost value option, the insured can elect not to repair or replace the property. Under these circumstances the company pays the smallest of the following:

    1. The Limit of Liability

    2. The “market value” (not including the value of the land) at the time of the loss. The endorsement defines “market value” as “the price which the property might be expected to realize if offered for sale in a fair market.”

    3. A modified form of ACV (the amount to repair or replace on the same site with less costly material and in the same architectural style, less depreciation) (Hillman and McCracken 1997).

    Agreed Value or Agreed Amount
    Agreed value or agreed amount is not a valuation method. Instead, this term refers to a waiver of the coinsurance clause in the property insurance policy. Availability of this coverage feature varies among insurers, but it is usually available only when the underwriter has proof (an independent appraisal, or compliance with an insurance company valuation model) of the value of your property.

    When do I get paid?

    Generally, the insurance company will not pay a replacement cost settlement until the property that was damaged or destroyed is actually repaired or replaced as soon as reasonably possible after the loss.

    Under no circumstances will the insurance company pay more than your limit of insurance or more than the actual amount you spend to repair or replace the damaged property if this amount is less than the limit of insurance.

    Replacement cost insurance terms give the insured the option of settling the loss on an ACV basis. This option may be exercised if you don’t plan to replace the building or if you are faced with a significant coinsurance penalty on a replacement cost settlement.

    References:
    http://www.schirickinsurance.com/resources/value2005.pdf
    and
    TIPTON, Harold F. & KRAUSE, Micki, Information Security Management Handbook, 4th Edition, Volume 1, Property Insurance Overview, Page 587.

  17. If your property insurance has a Replacement Cost Valuation (RCV) clause, your damaged property will be compensated:

    • Based on the value of item on the date of loss
    • Based on new, comparable, or identical item for old regardless of condition of lost item
    • Based on value of item one month before the loss
    • Based on the value listed on the Ebay auction web site
    Explanation:

    RCV is the maximum amount your insurance company will pay you for damage to covered property before deducting for depreciation. The RCV payment is based on the current cost to replace your property with new, identical or comparable property.

    The other choices were distractors.

    Application and definition of the insurance terms Replacement Cost Value (RCV), Actual Cash Value (ACV) and depreciation can be confusing. It’s important that you understand the terms to help settle your claim fairly.

    An easy way to understand RCV and ACV is to think in terms of “new” and “used.”
    Replacement cost is the item’s current price, new. “What will it cost when I replace it?”
    Actual cash is the item’s used price, old. “How much money is it worth since I used it for five years?”

    Hold Back
    Most policies only pay the Actual Cash Value upfront, and then they pay you the “held back” depreciation after you incur the expense to repair or replace your personal property items.

    NOTE: You must remember to send the insurance company documentation proving you have incurred the additional expense before you will be reimbursed for the held-back amount.

    Actual Cash Value (ACV)
    ACV is the amount your insurance company will pay you for damage to covered property after deducting for depreciation. ACV is the replacement cost of a new item, minus depreciation. If stated as a simple equation, ACV could be defined as follows: ACV=RCV-Depreciation

    Unfortunately, ACV is not always as easy to agree upon as a simple math equation. The ACV can also be calculated as the price a willing buyer would pay for your used item.

    Depreciation
    Depreciation (sometimes called “hold back”) is defined as the “loss in value from all causes, including age, and wear and tear.” Although the definition seems to be clear, in our experience “value” as a real-world application is clearly subjective and varies widely. We have seen the same adjuster apply no depreciation (100 percent value) on one claim and 40 percent depreciation (almost half value) on an almost identical claim.

    This shows that the process of applying depreciation is subjective and clearly negotiable.

    Excessive Depreciation
    When the insurance company depreciates more than they should, it is called “Excessive depreciation.” Although not ethical, it is very common. Note any items that have excessive depreciation and write a letter to your insurance company.
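    The RCV, ACV, hold-back and limit rules above can be carried through as a small calculator. The following is an added worked example, not code from the page or from the cited handbook. It assumes depreciation is expressed as a fraction of RCV, applies the limit of insurance per item for simplicity, and, for the “excessive depreciation” check, compares the adjuster’s figure against a straight-line estimate (age divided by useful life), which is only one of several conventions an adjuster might use. The sample claim data is constructed.

```python
"""RCV / ACV / hold-back settlement calculator.

Added illustration, not from the page or the cited handbook.
Assumptions (not stated on the page):
  - depreciation is a fraction of RCV;
  - the limit of insurance is applied per item;
  - "expected" depreciation is straight-line: age / useful life.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Item:
    name: str
    rcv: float                  # current cost to replace with new, comparable property
    depreciation_rate: float    # adjuster's depreciation, as a fraction of RCV (0.0 .. 1.0)
    age_years: float            # age of the lost item
    useful_life_years: float    # expected service life (assumed figure)
    amount_spent: Optional[float] = None  # actual repair/replacement cost once incurred


def actual_cash_value(rcv: float, depreciation_rate: float) -> float:
    """ACV = RCV - Depreciation (the page's equation), depreciation as a fraction of RCV."""
    if not 0.0 <= depreciation_rate <= 1.0:
        raise ValueError("depreciation rate must be between 0 and 1")
    return round(rcv - rcv * depreciation_rate, 2)


def settle(item: Item, limit: float) -> dict:
    """Replacement-cost settlement with hold-back.

    Upfront the insurer pays ACV, capped at the limit of insurance.
    Once the insured documents the repair/replacement, the held-back depreciation
    is released, but the total never exceeds the limit, the RCV, or the amount
    actually spent. If the item is never replaced, the claim settles on ACV.
    """
    acv = actual_cash_value(item.rcv, item.depreciation_rate)
    upfront = min(acv, limit)
    if item.amount_spent is None:
        holdback_paid = 0.0                       # ACV basis: nothing more is owed
    else:
        cap = min(limit, item.rcv, item.amount_spent)
        holdback_paid = max(0.0, cap - upfront)   # ACV already paid is not clawed back
    return {
        "acv": acv,
        "upfront": round(upfront, 2),
        "holdback_paid": round(holdback_paid, 2),
        "total": round(upfront + holdback_paid, 2),
    }


def straight_line_rate(age_years: float, useful_life_years: float) -> float:
    """Assumed 'expected' depreciation: straight-line over the useful life, capped at 100%."""
    return min(1.0, age_years / useful_life_years)


def flag_excessive_depreciation(items: List[Item], tolerance: float = 0.10) -> List[str]:
    """Names of items whose adjuster depreciation exceeds the straight-line estimate by
    more than `tolerance` (fraction of RCV): candidates for the dispute letter."""
    flagged = []
    for it in items:
        expected = straight_line_rate(it.age_years, it.useful_life_years)
        if it.depreciation_rate > expected + tolerance:
            flagged.append(it.name)
    return flagged


# Constructed sample claim (not from the page): policy limit 10,000 per item.
SAMPLE_LIMIT = 10_000.0
SAMPLE_ITEMS = [
    Item("laptop", rcv=1_500.0, depreciation_rate=0.40, age_years=2, useful_life_years=5,
         amount_spent=1_400.0),                      # replaced for less than RCV
    Item("server rack", rcv=9_000.0, depreciation_rate=0.10, age_years=1, useful_life_years=10,
         amount_spent=12_000.0),                     # replaced for more than RCV
    Item("office chair", rcv=300.0, depreciation_rate=0.50, age_years=1, useful_life_years=10),
                                                     # never replaced: ACV basis
]

if __name__ == "__main__":
    for it in SAMPLE_ITEMS:
        print(it.name, settle(it, SAMPLE_LIMIT))
    print("excessive depreciation:", flag_excessive_depreciation(SAMPLE_ITEMS))
```

    The laptop shows the normal case (ACV upfront, hold-back released up to the amount actually spent); the server rack shows the RCV cap applying even though more was spent; the chair shows an ACV-only settlement and is also the item the depreciation check flags for a letter to the insurer.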

    References:
    http://carehelp.org/downloads/category/1-insurance-handouts.html?download=17%3Ahandout08-rcv-and-acv
    and
    http://www.schirickinsurance.com/resources/value2005.pdf
    and
    TIPTON, Harold F. & KRAUSE, Micki, Information Security Management Handbook, 4th Edition, Volume 1, Property Insurance Overview, Page 587.

  18. A prolonged complete loss of electric power is a:

    • brownout
    • blackout
    • surge
    • fault
    Explanation:
    A prolonged power outage is a blackout.
    From: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 3rd Edition, McGraw-Hill/Osborne, 2005, page 368.
  19. A prolonged power supply that is below normal voltage is a:

    • brownout
    • blackout
    • surge
    • fault
    Explanation:
    A prolonged power supply that is below normal voltage is a brownout.
    From: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 3rd Edition, McGraw-Hill/Osborne, 2005, page 368.
  20. A momentary low voltage, from 1 cycle to a few seconds, is a:

    • spike
    • blackout
    • sag
    • fault
    Explanation:

    A momentary low voltage is a sag. A synonym would be a dip.

    Risks to electrical power supply:

    POWER FAILURE

    Blackout: complete loss of electrical power
    Fault: momentary power outage

    POWER DEGRADATION

    Brownout: an intentional reduction of voltage by the power company.
    Sag/dip: a short period of low voltage

    POWER EXCESS

    Surge: Prolonged rise in voltage
    Spike: Momentary High Voltage
    In-rush current: the initial surge of current required by a load before it reaches normal operation.

    Transient: line noise or disturbance superimposed on the supply circuit, which can cause fluctuations in electrical power

    Reference(s) used for this question:
    Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (p. 462). McGraw-Hill. Kindle Edition.
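    The taxonomy above separates power events by two things: how far the voltage departs from nominal (loss, low, high) and for how long (momentary versus prolonged). The following is an added example, not code from the page or from Harris, showing that classification run over a constructed voltage trace of the kind a UPS or power monitor logs. Everything numeric is an assumption: 120 V nominal, a ±10% tolerance band, under 5% of nominal counted as an outage, and “a few seconds” taken as a 3 s cutoff between momentary and prolonged. Two limits follow from the definitions themselves: a brownout is defined by the utility’s intent, which samples cannot show, so any prolonged undervoltage is labelled brownout here; and transients and in-rush current are not detectable from a slow voltage trace, so they are not classified.

```python
"""Classify a voltage trace into the power-risk categories (added illustration).

Assumed thresholds (not from the page):
  nominal 120 V, +/-10% tolerance, <5% of nominal = outage,
  events shorter than 3 s are "momentary", longer are "prolonged".
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

NOMINAL_VOLTS = 120.0     # assumption: single-phase North American supply
LOW_FRACTION = 0.90       # below this fraction of nominal: undervoltage
HIGH_FRACTION = 1.10      # above this fraction of nominal: overvoltage
OUTAGE_FRACTION = 0.05    # below this: effectively no power
MOMENTARY_SECONDS = 3.0   # "a few seconds": shorter is momentary, longer is prolonged

# (band) -> (momentary label, prolonged label), per the page's taxonomy
LABELS = {
    "outage": ("fault", "blackout"),
    "low": ("sag", "brownout"),
    "high": ("spike", "surge"),
}


@dataclass
class PowerEvent:
    kind: str
    start: float
    end: float
    min_volts: float
    max_volts: float

    @property
    def duration(self) -> float:
        return self.end - self.start


def band_of(volts: float, nominal: float = NOMINAL_VOLTS) -> str:
    """Map one sample to outage / low / high / normal."""
    if volts < nominal * OUTAGE_FRACTION:
        return "outage"
    if volts < nominal * LOW_FRACTION:
        return "low"
    if volts > nominal * HIGH_FRACTION:
        return "high"
    return "normal"


def label(band: str, duration: float) -> str:
    momentary, prolonged = LABELS[band]
    return momentary if duration < MOMENTARY_SECONDS else prolonged


def classify(samples: List[Tuple[float, float]], nominal: float = NOMINAL_VOLTS) -> List[PowerEvent]:
    """Group runs of consecutive out-of-band samples into events and label each.

    `samples` is a list of (seconds, volts) at a uniform interval. An event is
    taken to last through the end of its final abnormal sample.
    """
    interval = samples[1][0] - samples[0][0] if len(samples) > 1 else 0.0
    events: List[PowerEvent] = []
    run: Optional[list] = None   # [band, start, min_v, max_v, last_t]

    def close(r: list) -> PowerEvent:
        band, start, lo, hi, last = r
        end = last + interval
        return PowerEvent(label(band, end - start), start, end, lo, hi)

    for t, v in samples:
        band = band_of(v, nominal)
        if run is not None and run[0] == band:
            run[2], run[3], run[4] = min(run[2], v), max(run[3], v), t
            continue
        if run is not None:
            events.append(close(run))
        run = [band, t, v, v, t] if band != "normal" else None
    if run is not None:
        events.append(close(run))
    return events


def event_kinds(samples: List[Tuple[float, float]]) -> List[str]:
    return [e.kind for e in classify(samples)]


def constructed_samples() -> List[Tuple[float, float]]:
    """Synthetic 60 s trace at 0.5 s resolution (constructed, not a real capture)."""
    volts = [120.0] * 120
    for i in range(4, 6):     volts[i] = 95.0    # 1 s undervoltage   -> sag
    for i in range(20, 40):   volts[i] = 100.0   # 10 s undervoltage  -> brownout
    for i in range(50, 52):   volts[i] = 0.0     # 1 s total loss     -> fault
    for i in range(60, 90):   volts[i] = 0.0     # 15 s total loss    -> blackout
    volts[100] = 160.0                           # 0.5 s overvoltage  -> spike
    for i in range(105, 115): volts[i] = 135.0   # 5 s overvoltage    -> surge
    return [(i * 0.5, v) for i, v in enumerate(volts)]


if __name__ == "__main__":
    for e in classify(constructed_samples()):
        print(f"{e.kind:9s} {e.start:6.1f}-{e.end:6.1f}s  {e.min_volts:.0f}-{e.max_volts:.0f} V")
```

    The point of the duration cutoff is that the same voltage reading is a different risk depending on how long it persists: a one-second dip to 95 V is a sag a UPS rides through, while ten seconds at 100 V is a brownout that stresses motors and power supplies, and the response (ride-through versus orderly shutdown) differs accordingly.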
