Topic 5
Which of the following actions should be taken when an online trading company discovers a network attack in progress?
C
Explanation:
Isolating the affected network segment will mitigate the immediate threat while allowing unaffected portions of the business
to continue processing. Shutting off all network access points would create a denial of service that could result in loss of
revenue. Dumping event logs and enabling trace logging, while perhaps useful, would not mitigate the immediate threat
posed by the network attack.
Topic 5
A company has a network of branch offices with local file/print and mail servers; each branch individually contracts a hot site.
Which of the following would be the GREATEST weakness in recovery capability?
D
Explanation:
Hot site vendors commonly contract the same facility to many clients, and in a major disaster access is usually granted on a
first come, first served basis. Access to a hot site is also not indefinite, so the recovery plan must address a long-term
outage. In a disaster affecting a localized geographic area, the vendor's facility and capacity could be insufficient for all of
its clients, who would all be competing for the same resource. Preference would likely be given to larger corporations,
delaying the recovery of a branch office that is likely to be smaller than the vendor's other clients in the same area.
Topic 5
A desktop computer that was involved in a computer security incident should be secured as evidence by:
A
Explanation:
To preserve the integrity of the desktop computer as an item of evidence, it should be immediately disconnected from all
sources of power. Any attempt to access the information on the computer, whether by copying it, uploading it or accessing it
remotely, alters the operating system (OS) and temporary files on the computer and may render it inadmissible as evidence.
Topic 5
Which of the following should be determined FIRST when establishing a business continuity program?
B
Explanation:
Prior to creating a detailed business continuity plan, it is important to determine the incremental daily cost of losing each
system. This allows recovery time objectives to be set, which in turn drives the location and cost of offsite recovery
facilities and the composition and mission of the individual recovery teams. The cost of rebuilding information processing
facilities is a later consideration, not the first thing to determine.
Topic 5
The MOST likely cause of a security information and event management (SIEM) solution failing to identify a serious incident is
that the system:
A
Topic 5
Following a highly sensitive data breach at a large company, all servers and workstations were patched. The information
security manager's NEXT step should be to:
B
Topic 5
Which of the following is MOST important to enable a timely response to a security breach?
B
Topic 5
When designing an incident response plan to be agreed upon with a cloud computing vendor, including which of the
following will BEST help to ensure the effectiveness of the plan?
C
Topic 5
Which of the following is the MOST important part of an incident response plan?
A
Topic 5
Which of the following is the MOST important reason to document information security incidents that are reported across the
organization?
B
Topic 5
Which of the following is MOST likely to affect an organization's ability to respond to security incidents in a timely manner?
B
Topic 5
A measure of the effectiveness of the incident response capabilities of an organization is the:
C
Topic 5
Which of the following should be an information security manager's MOST important criterion for determining when to review
the incident response plan?
B
Topic 5
Which of the following is the MOST important incident management consideration for an organization subscribing to a cloud
service?
D
Topic 5
Which of the following is MOST important to ensuring that incident management plans are executed effectively?
A