SSCP : System Security Certified Practitioner (SSCP) : Part 45

  1. A prolonged high voltage is a:

    • spike
    • blackout
    • surge
    • fault

    Explanation:

    A prolonged high voltage is a surge.
    From: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 3rd Edition, McGraw-Hill/Osborne, 2005, page 368.

  2. Which of the following steps is NOT one of the eight detailed steps of a Business Impact Assessment (BIA):

    • Notifying senior management of the start of the assessment.
    • Creating data gathering techniques.
    • Identifying critical business functions.
    • Calculating the risk for each different business function.

    Explanation:

    Source: HARRIS, S., CISSP All-In-One Exam Guide, 3rd Edition, 2005, Chapter 9, Page 701.

    There has been much discussion about the steps of the BIA, and I struggled with this before deciding to scrap the question about “the four steps” and rewrite the question using the AIO as a reference. This question should be easy… if you know all eight steps.

    The eight detailed and granular steps of the BIA are:

    1. Select Individuals to interview for the data gathering.
    2. Create data gathering techniques (surveys, questionnaires, qualitative and quantitative approaches).
    3. Identify the company’s critical business functions.
    4. Identify the resources that these functions depend upon.
    5. Calculate how long these functions can survive without these resources.
    6. Identify vulnerabilities and the threats to these functions.
    7. Calculate risk for each of the different business functions.
    8. Document findings and report them to management.

    Shon goes on to cover each step in Chapter 9.

  3. Which of the following results in the most devastating business interruptions?

    • Loss of Hardware/Software
    • Loss of Data
    • Loss of Communication Links
    • Loss of Applications

    Explanation:

    Source: Veritas eLearning CD – Introducing Disaster Recovery Planning, Chapter 1.

    All of the others can be replaced or repaired. Data that is lost and was not backed up cannot be restored.

  4. Which of the following backup sites is the most effective for disaster recovery?

    • Time brokers
    • Hot sites
    • Cold sites
    • Reciprocal Agreement

    Explanation:

    A hot site has the equipment, software and communications capabilities to facilitate a recovery within a few minutes or hours following the notification of a disaster to the organization’s primary site. With the exception of providing your own hot site, commercial hot sites provide the greatest protection. Most will allow you up to six weeks to restore your sites if you declare a disaster. They also permit an annual amount of time to test the Disaster Plan.

    The following answers are incorrect:

    Cold sites. Cold sites are empty computer rooms consisting only of environmental systems such as air conditioning and raised floors. They do not meet the requirements of most regulators and boards of directors that the disaster plan be tested at least annually.

    Reciprocal Agreement. Reciprocal agreements are not contracts and cannot be enforced. You cannot force someone you have such an agreement with to provide processing to you. Government regulators do not accept reciprocal agreements as valid disaster recovery backup sites.

    Time Brokers. Time brokers promise to deliver processing time on other systems. They charge a fee, but cannot guarantee that processing will always be available, especially in areas that have experienced multiple disasters.

    The following reference(s) were used to create this question:
    ISC2 OIG, 2007, p. 368
    Shon Harris AIO v3, p. 710

  5. Which of the following is NOT a transaction redundancy implementation?

    • on-site mirroring
    • Electronic Vaulting
    • Remote Journaling
    • Database Shadowing

    Explanation:

    Three concepts are used to create a level of fault tolerance and redundancy in transaction processing: electronic vaulting, remote journaling and database shadowing. All three provide redundancy at the transaction level.

    Electronic vaulting is accomplished by backing up system data over a network. The backup location is usually at a separate geographical location known as the vault site. Vaulting can be used as a mirror or as a backup mechanism using the standard incremental or differential backup cycle. When the backup method is implemented as a mirror, changes to the host system are sent to the vault server in real time. If vaulting updates are recorded in real time, it will still be necessary to perform regular backups at the off-site location, because a mirror replicates inadvertent or malicious alterations to user or system data just as faithfully as legitimate changes, and recovering from such alterations requires an earlier copy.

    Journaling or Remote Journaling is another technique used by database management systems to provide redundancy for their transactions. When a transaction is completed, the database management system duplicates the journal entry at a remote location. The journal provides sufficient detail for the transaction to be replayed on the remote system. This provides for database recovery in the event that the database becomes corrupted or unavailable.

    There are also additional redundancy options available within application and database software platforms. For example, database shadowing may be used where a database management system updates records in multiple locations. This technique updates an entire copy of the database at a remote location.

    Reference used for this question:
    Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 20403-20407). Auerbach Publications. Kindle Edition.
    and
    Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 20375-20377). Auerbach Publications. Kindle Edition.

  6. Valuable paper insurance coverage does not cover damage to which of the following?

    • Inscribed, printed and Written documents
    • Manuscripts
    • Records
    • Money and Securities

    Explanation:

    All businesses are driven by records. Even in today’s electronic society businesses generate mountains of critical documents everyday. Invoices, client lists, calendars, contracts, files, medical records, and innumerable other records are generated every day.

    Stop and ask yourself what happens if your business lost those documents today.

    Valuable papers business insurance coverage provides coverage to your business in case of a loss of vital records. Over the years policy language has evolved to include a number of different types of records. Generally, the policy will cover “written, printed, or otherwise inscribed documents and records, including books, maps, films, drawings, abstracts, deeds, mortgages, and manuscripts.” But read the policy coverage carefully. The policy language typically states that valuable papers “does not mean ‘money’ or ‘securities,’ converted data, programs or instructions used in your data processing operations, including the materials on which the data is recorded.”

    The coverage is often included as a part of property insurance or as part of a small business owner policy. For example, a small business owner policy includes in many cases valuable papers coverage up to $25,000.

    It is important to realize what the coverage actually entails and, even more critical, to analyze your business to determine what it would cost to replace records.

    The coverage pays for the loss of vital papers and the cost to replace the records up to the limit of the insurance and after application of any deductible. For example, the insurer will pay to have waterlogged papers dried and reproduced (remember, fires are put out by water and the fire department does not stop to remove your bookkeeping records). The insurer may cover temporary storage or the cost of moving records to avoid a loss.

    For some businesses, losing customer lists, some business records, and contracts can mean the expense and trouble of having to recreate those documents, but this is relatively easy and a low-level risk and loss. Larger businesses and especially professionals (lawyers, accountants, doctors) are in an entirely separate category, and the cost of replacement of documents is much higher. Consider, in analyzing your business and potential risk, what it would actually cost to reproduce your critical business records. Would you need to hire temporary personnel? How many hours of productivity would go into replacing the records? Would you need to obtain originals? Would original work need to be recreated (for example, home inspectors, surveyors, cartographers)?

    Often when a business owner considers the actual cost related to the reproduction of records, the owner quickly realizes that their business insurance policy limits for valuable papers coverage are woefully inadequate.

    Insurers (and your insurance professional) will often suggest higher coverage for valuable papers. The extra premium is often worth the cost and should be considered.

    Finally, most policies will require records to be protected. You need to review your declarations pages and speak with your insurer to determine what is required. Some insurers may offer discounted coverage if there is a document retention and backup plan in place and followed. There are professional organizations that can assist your business in designing a records management policy to lower the risk (and your premiums). For example, ARMA International has been around since 1955 and its members consist of some of the top document retention and storage companies.

    Reference(s) used for this question:
    http://businessinsure.about.com/od/propertyinsurance/f/vpcov.htm

  7. Which of the following is covered under Crime Insurance Policy Coverage?

    • Inscribed, printed and Written documents
    • Manuscripts
    • Accounts Receivable
    • Money and Securities

    Explanation:

    Source: TIPTON, Harold F. & KRAUSE, Micki, Information Security Management Handbook, 4th Edition, Volume 1, Property Insurance overview, Page 589.

  8. Which of the following is the most critical item from a disaster recovery point of view?

    • Data
    • Hardware/Software
    • Communication Links
    • Software Applications

    Explanation:

    The most important point is ALWAYS the data. Everything else can be replaced or repaired.

    Data MUST be backed up, and backups must be regularly tested, because once data is truly lost, it is lost forever.

    The goal of disaster recovery is to minimize the effects of a disaster or disruption. It means taking the necessary steps to ensure that the resources, personnel, and business processes are able to resume operation in a timely manner. This is different from continuity planning, which provides methods and procedures for dealing with longer-term outages and disasters.

    The goal of a disaster recovery plan is to handle the disaster and its ramifications right after the disaster hits; the disaster recovery plan is usually very information technology (IT)-focused. A disaster recovery plan (DRP) is carried out when everything is still in emergency mode, and everyone is scrambling to get all critical systems back online.

    Reference(s) used for this question:
    Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 887). McGraw-Hill. Kindle Edition.
    and
    Veritas eLearning CD – Introducing Disaster Recovery Planning, Chapter 1.

  9. Which of the following is defined as the most recent point in time to which data must be synchronized without adversely affecting the organization (financial or operational impacts)?

    • Recovery Point Objective
    • Recovery Time Objective
    • Point of Time Objective
    • Critical Time Objective

    Explanation:

    The recovery point objective (RPO) is the maximum acceptable level of data loss following an unplanned “event”, like a disaster (natural or man-made), act of crime or terrorism, or any other business or technical disruption that could cause such data loss. The RPO represents the point in time, prior to such an event or incident, to which lost data can be recovered (given the most recent backup copy of the data).

    The recovery time objective (RTO) is the period of time within which business and/or technology capabilities must be restored following an unplanned event or disaster. The RTO is a function of the extent to which the interruption disrupts normal operations and the amount of revenue lost per unit of time as a result of the disaster.

    These factors in turn depend on the affected equipment and application(s). Both of these numbers represent key targets that are set by the business during business continuity and disaster recovery planning; these targets in turn drive the technology and implementation choices for business resumption services, backup/recovery/archival services, and recovery facilities and procedures.

    Many organizations put the cart before the horse in selecting and deploying technologies before understanding the business needs as expressed in RPO and RTO; IT departments later bear the brunt of user complaints that their service expectations are not being met. Defining the RPO and RTO can avoid that pitfall, and in doing so can also make for a compelling business case for recovery technology spending and staffing.

    For the CISSP candidate studying for the exam, there are no such objectives as “point of time” and “critical time.” Those two answers are simply distracters.

    Reference:
    http://www.wikibon.org/Recovery_point_objective_/_recovery_time_objective_strategy

  10. Because ordinary cable introduces a toxic hazard in the event of fire, special cabling is required in a separate area provided for air circulation for heating, ventilation, and air-conditioning (sometimes referred to as HVAC) and typically provided in the space between the structural ceiling and a drop-down ceiling. This area is referred to as the:

    • smoke boundary area
    • fire detection area
    • Plenum area
    • Intergen area

    Explanation:

    In building construction, a plenum (pronounced PLEH-nuhm, from Latin meaning full) is a separate space provided for air circulation for heating, ventilation, and air-conditioning (sometimes referred to as HVAC) and typically provided in the space between the structural ceiling and a drop-down ceiling. A plenum may also be under a raised floor. In buildings with computer installations, the plenum space is often used to house connecting communication cables. Because ordinary cable introduces a toxic hazard in the event of fire, special plenum cabling is required in plenum areas.

    Source: http://searchdatacenter.techtarget.com/sDefinition/0,,sid80_gci213716,00.html

  11. How is Annualized Loss Expectancy (ALE) derived from a threat?

    • ARO x (SLE – EF)
    • SLE x ARO
    • SLE/EF
    • AV x EF

    Explanation:

    Three steps are undertaken in a quantitative risk assessment:

    1. Initial management approval
    2. Construction of a risk assessment team, and
    3. The review of information currently available within the organization.

    There are a few formulas that you MUST understand for the exam. See them below:

    SLE (Single Loss Expectancy)
    Single loss expectancy (SLE) must be calculated to provide an estimate of loss. SLE is defined as the difference between the original value and the remaining value of an asset after a single exploit.

    The formula for calculating SLE is as follows: SLE = asset value (in $) × exposure factor (loss due to successful threat exploit, as a %)

    Losses can include lack of availability of data assets due to data loss, theft, alteration, or denial of service (perhaps due to business continuity or security issues).

    ALE (Annualized Loss Expectancy)
    Next, the organization would calculate the annualized rate of occurrence (ARO).

    This is done to provide an accurate calculation of annualized loss expectancy (ALE).

    ARO is an estimate of how often a threat will be successful in exploiting a vulnerability over the period of a year.

    When this is completed, the organization calculates the annualized loss expectancy (ALE).
    The ALE is the product of the yearly estimate of how often the exploit occurs (ARO) and the loss in value of the asset from a single occurrence (SLE).

    The calculation is ALE = SLE x ARO.

    Note that this calculation can be adjusted for geographical distances using the local annual frequency estimate (LAFE) or the standard annual frequency estimate (SAFE). Given that there is now a value for SLE, it is possible to determine what the organization should spend, if anything, to apply a countermeasure for the risk in question.

    Remember that no countermeasure should be greater in cost than the risk it mitigates, transfers, or avoids.
    Countermeasure cost per year is easy and straightforward to calculate. It is simply the cost of the countermeasure divided by the years of its life (i.e., use within the organization). Finally, the organization is able to compare the cost of the risk versus the cost of the countermeasure and make some objective decisions regarding its countermeasure selection.

    The following were incorrect answers:

    All of the other choices were incorrect.

    The following reference(s) were used for this question:
    Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 10048-10069). Auerbach Publications. Kindle Edition.

  12. What does “residual risk” mean?

    • The security risk that remains after controls have been implemented
    • Weakness of an assets which can be exploited by a threat
    • Risk that remains after risk assessment has been performed
    • A security risk intrinsic to an asset being audited, where no mitigation has taken place.

    Explanation:

    Residual risk is “The security risk that remains after controls have been implemented” (ISO/IEC TR 13335-1, Guidelines for the Management of IT Security (GMITS), Part 1: Concepts and Models for IT Security, 1996). “Weakness of an assets which can be exploited by a threat” is a vulnerability. “The result of unwanted incident” is impact. Risk that remains after risk analysis has been performed is a distracter.

    Risk can never be completely eliminated or avoided, but it can be mitigated, transferred or accepted. Even after applying a countermeasure, for example deploying antivirus software, there is no guarantee that systems will be 100% protected; the risk that remains is the residual risk.

  13. What is the most correct choice below when talking about the steps to resume normal operation at the primary site after the green light has been given by the salvage team?

    • The most critical operations are moved from alternate site to primary site before others
    • Operation may be carried by a completely different team than disaster recovery team
    • The least critical functions should be moved back first
    • You move items back in the same order as the categories documented in your plan, or exactly in the same order as you moved them to the alternate site

    Explanation:

    It’s interesting to note that the steps to resume normal processing operations will be different from the steps of the recovery plan; that is, the least critical work should be brought back first to the primary site.

    The most important point above in the steps would be to move the least critical items or resources back to the primary site first. This way you can ensure that the site was really well prepared and that all is working fine.

    Before that first step would be done, you would get the green light from the salvage team that it is fine to move back to the primary site. The first step after getting the green light would be to move the least critical elements first.

    As stated in the Shon Harris book:
    The least critical functions should be moved back first, so if there are issues in network configurations or connectivity, or important steps were not carried out, the critical operations of the company are not negatively affected. Why go through the trouble of moving the most critical systems and operations to a safe and stable site, only to return it to a main site that is untested? Let the less critical departments act as the canary. If they survive, then move over the more critical components of the company.

    When it is time for the company to move back into its original site or a new site, the company enters the reconstitution phase. A company is not out of an emergency state until it is back in operation at the original primary site or a new site that was constructed to replace the primary site, because the company is always vulnerable while operating in a backup facility.

    Many logistical issues need to be considered as to when a company must return from the alternate site to the original site. The following lists a few of these issues:

    Ensuring the safety of employees
    Ensuring an adequate environment is provided (power, facility infrastructure, water, HVAC)
    Ensuring that the necessary equipment and supplies are present and in working order
    Ensuring proper communications and connectivity methods are working
    Properly testing the new environment

    Once the coordinator, management, and salvage team sign off on the readiness of the facility, the salvage team should carry out the following steps:

    Back up data from the alternate site and restore it within the new facility.
    Carefully terminate contingency operations.
    Securely transport equipment and personnel to the new facility.

    All other choices are not the correct answer.

    Reference(s) used for this question:
    Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (Kindle Location 19389). McGraw-Hill. Kindle Edition.
    and
    KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Page 290.

  14. What would be the Annualized Rate of Occurrence (ARO) of the threat “user input error”, in the case where a company employs 100 data entry clerks and every one of them makes one input error each month?

    • 100
    • 120
    • 1
    • 1200

    Explanation:

    If every one of the 100 clerks makes 1 error 12 times per year, that is a total of 1200 errors. The Annualized Rate of Occurrence (ARO) is a value that represents the estimated frequency with which a threat is expected to occur. The range can be from 0.0 to a large number. Having an average of 1200 errors per year means an ARO of 1200.

  15. A weakness or lack of a safeguard, which may be exploited by a threat, causing harm to the information systems or networks is called a ?

    • Vulnerability
    • Risk
    • Threat
    • Overflow

    Explanation:

    The Answer: Vulnerability. A vulnerability is a weakness or lack of a safeguard, which may be exploited by a threat, causing harm to the information systems or networks.

    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Pages 16, 32.

  16. What is called the probability that a threat to an information system will materialize?

    • Threat
    • Risk
    • Vulnerability
    • Hole

    Explanation:

    The Answer: Risk. Risk is the potential for harm or loss to an information system or network; the probability that a threat will materialize.

    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Pages 16, 32.

  17. Business Continuity and Disaster Recovery Planning (Primarily) addresses the:

    • Availability of the CIA triad
    • Confidentiality of the CIA triad
    • Integrity of the CIA triad
    • Availability, Confidentiality and Integrity of the CIA triad

    Explanation:

    The Information Technology (IT) department plays a very important role in identifying and protecting the company’s internal and external information dependencies. Also, the information technology elements of the BCP should address several vital issues, including:

    Ensuring that the company employs sufficient physical security mechanisms to preserve vital network and hardware components, including file and print servers.
    Ensuring that the organization uses sufficient logical security methodologies (authentication, authorization, etc.) for sensitive data.

    Reference: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, page 279.

  18. What is called an event or activity that has the potential to cause harm to the information systems or networks?

    • Vulnerability
    • Threat agent
    • Weakness
    • Threat

    Explanation:

    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Pages 16, 32.

  19. Which one of the following is NOT one of the outcomes of a vulnerability assessment?

    • Quantitative loss assessment
    • Qualitative loss assessment
    • Formal approval of BCP scope and initiation document
    • Defining critical support areas

    Explanation:

    When seeking to determine the security position of an organization, the security professional will eventually turn to a vulnerability assessment to help identify specific areas of weakness that need to be addressed. A vulnerability assessment is the use of various tools and analysis methodologies to determine where a particular system or process may be susceptible to attack or misuse. Most vulnerability assessments concentrate on technical vulnerabilities in systems or applications, but the assessment process is equally as effective when examining physical or administrative business processes.

    The vulnerability assessment is often part of a BIA. It is similar to a Risk Assessment in that there is a quantitative (financial) section and a qualitative (operational) section. It differs in that it is smaller than a full risk assessment and is focused on providing information that is used solely for the business continuity plan or disaster recovery plan.

    A function of a vulnerability assessment is to conduct a loss impact analysis. Because there will be two parts to the assessment, a financial assessment and an operational assessment, it will be necessary to define loss criteria both quantitatively and qualitatively.

    Quantitative loss criteria may be defined as follows:

    Incurring financial losses from loss of revenue, capital expenditure, or personal liability resolution
    The additional operational expenses incurred due to the disruptive event
    Incurring financial loss from resolution of violation of contract agreements
    Incurring financial loss from resolution of violation of regulatory or compliance requirements

    Qualitative loss criteria may consist of the following:

    The loss of competitive advantage or market share
    The loss of public confidence or credibility, or incurring public embarrassment

    During the vulnerability assessment, critical support areas must be defined in order to assess the impact of a disruptive event. A critical support area is defined as a business unit or function that must be present to sustain continuity of the business processes, maintain life safety, or avoid public relations embarrassment.

    Critical support areas could include the following:

    Telecommunications, data communications, or information technology areas
    Physical infrastructure or plant facilities, transportation services
    Accounting, payroll, transaction processing, customer service, purchasing

    The granular elements of these critical support areas will also need to be identified. By granular elements we mean the personnel, resources, and services the critical support areas need to maintain business continuity.

    Reference(s) used for this question:

    Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 4628-4632). Auerbach Publications. Kindle Edition.

    KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Page 277.

  20. The scope and focus of the Business continuity plan development depends most on:

    • Directives of Senior Management
    • Business Impact Analysis (BIA)
    • Scope and Plan Initiation
    • Skills of BCP committee

    Explanation:

    SearchStorage.com Definitions mentions “As part of a disaster recovery plan, BIA is likely to identify costs linked to failures, such as loss of cash flow, replacement of equipment, salaries paid to catch up with a backlog of work, loss of profits, and so on.

    A BIA report quantifies the importance of business components and suggests appropriate fund allocation for measures to protect them. The possibilities of failures are likely to be assessed in terms of their impacts on safety, finances, marketing, legal compliance, and quality assurance.

    Where possible, impact is expressed monetarily for purposes of comparison. For example, a business may spend three times as much on marketing in the wake of a disaster to rebuild customer confidence.”

    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Page 278.
