Domain 4 Questions

The document outlines the importance of establishing a clear definition and severity hierarchy for information security incidents to facilitate accurate identification and response. It emphasizes that effective communication, incident response plans, and prioritizing containment during incidents are critical for mitigating risks. Additionally, it highlights the necessity of validating incidents before taking further actions and the role of incident response policies in guiding responses to security breaches.

Uploaded by Srinivas Koduru

(TS-4.1) Establish and maintain an organizational definition of, and severity hierarchy for, information security
incidents to allow accurate identification of and response to incidents.

Question # 669

The factor that is MOST likely to result in identification of security incidents is:

A. effective communication and reporting processes.

B. clear policies detailing incident severity levels.

C. intrusion detection system (IDS) capabilities.

D. security awareness training.

Answer: D

Ensuring that employees have the knowledge to recognize and report a suspected incident is most likely to result in
identification of security incidents.
Timely communication and reporting is only useful once identification of an incident has occurred.
Understanding how to establish severity levels is important, but not the essential element of ensuring that the
information security manager is aware of anomalous events that might signal an incident.
IDSs are useful for detecting IT-related incidents, but not useful in identifying other types of incidents such as
social engineering or physical intrusion.

Question # 670

Establishing severity criteria should be based PRIMARILY on:

A. standards.

B. impact.

C. policies.

D. risk.

Answer: B

The potential business impact as the result of a specific type of incident should be the primary basis for
determining severity criteria.
Standards and policies may define some requirements for severity levels, but are not the primary basis for
establishing them.
Risk associated with particular incidents may affect severity levels, but only insofar as potential impact is concerned.

Organizational definition of severity hierarchy for accurate identification and response to incidents
Page 1 of 1
(TS-4.2) Establish and maintain an incident response plan to ensure an effective and timely response to
information security incidents.

Question # 671

Which of the following actions should be taken when an online trading company discovers a network attack in
progress?

A. Shut off all network access points

B. Dump all event logs to removable media

C. Isolate the affected network segment

D. Enable trace logging on all events

Answer: C

Isolating the affected network segment will mitigate the immediate threat while allowing unaffected portions of the
business to continue processing.
Shutting off all network access points would create a denial of service that could result in loss of revenue.
Dumping event logs and enabling trace logging, while perhaps useful, would not mitigate the immediate threat posed by
the network attack.

Question # 672

The FIRST priority when responding to a major security incident is:

A. documentation.

B. monitoring.

C. restoration.

D. containment.

Answer: D

The first priority in responding to a security incident is to contain it to limit the impact.
Documentation, monitoring and restoration are all important, but they should follow containment.

Question # 673

An incident response policy must contain:

A. updated call trees.

B. escalation criteria.

C. press release templates.

D. critical backup files inventory.

Answer: B

Incident response plan for an effective and timely response to incidents
Page 1 of 13

Escalation criteria, indicating the circumstances under which specific actions are to be undertaken, should be contained
within an incident response policy.
Telephone trees, press release templates and lists of critical backup files are too detailed to be included in a policy
document.

Question # 674

The BEST approach in managing a security incident involving a successful penetration should be to:

A. allow business processes to continue during the response.

B. allow the security team to assess the attack profile.

C. permit the incident to continue to trace the source.

D. examine the incident response process for deficiencies.

Answer: A

Since information security objectives should always be linked to the objectives of the business, it is imperative that
business processes be allowed to continue whenever possible.
Only when there is no alternative should these processes be interrupted.
Although it is important to allow the security team to assess the characteristics of an attack, this is subordinate to the
needs of the business.
Permitting an incident to continue may expose the organization to additional damage.
Evaluating the incident management process for deficiencies is valuable but it, too, is subordinate to allowing business
processes to continue.

Question # 675

A new e-mail virus that uses an attachment disguised as a picture file is spreading rapidly over the Internet.
Which of the following should be performed FIRST in response to this threat?

A. Quarantine all picture files stored on file servers

B. Block all e-mails containing picture file attachments

C. Quarantine all mail servers connected to the Internet

D. Block incoming Internet mail, but permit outgoing mail

Answer: B

Until signature files can be updated, incoming e-mail containing picture file attachments should be blocked.
Quarantining picture files already stored on file servers is not effective since these files must be intercepted before they
are opened.
Quarantine of all mail servers or blocking all incoming mail is unnecessary overkill since only those e-mails containing
attached picture files are in question.


Question # 676

When a large organization discovers that it is the subject of a network probe, which of the following actions should be
taken?

A. Reboot the router connecting the DMZ to the firewall

B. Power down all servers located on the DMZ segment

C. Monitor the probe and isolate the affected segment

D. Enable server trace logging on the affected segment

Answer: C

In the case of a probe, the situation should be monitored and the affected network segment isolated.
Rebooting the router, powering down the demilitarized zone (DMZ) servers and enabling server trace logging
are not warranted.

Question # 677

Which of the following should be performed FIRST in the aftermath of a denial-of-service attack?

A. Restore servers from backup media stored offsite

B. Conduct an assessment to determine system status

C. Perform an impact analysis of the outage

D. Isolate the screened subnet

Answer: B (*)

An assessment should be conducted to determine whether any permanent damage occurred and the overall system
status.
It is not necessary at this point to rebuild any servers.
An impact analysis of the outage, or isolating the demilitarized zone (DMZ) or screened subnet, will not provide any
immediate benefit.

Question # 678

Which of the following actions should be taken when an information security manager discovers that a hacker is
footprinting the network perimeter?

A. Reboot the border router connected to the firewall

B. Check IDS logs and monitor for any active attacks

C. Update IDS software to the latest available version

D. Enable server trace logging on the DMZ segment


Answer: B

Information security should check the intrusion detection system (IDS) logs and continue to monitor the situation.
It would be inappropriate to take any action beyond that.
In fact, updating the IDS could create a temporary exposure until the new version can be properly tuned.
Rebooting the router and enabling server trace logging would not be warranted.

Question # 679

A computer incident response team (CIRT) manual should PRIMARILY contain which of the following documents?

A. Risk assessment results

B. Severity criteria

C. Emergency call tree directory

D. Table of critical backup files

Answer: B

Quickly ranking the severity of an incident against defined criteria is a key element of incident response.
The other choices refer to documents that would not likely be included in a computer incident response team (CIRT)
manual.

Question # 680

When properly tested, which of the following would MOST effectively support an information security manager in
handling a security breach?

A. Business continuity plan

B. Disaster recovery plan

C. Incident response plan

D. Vulnerability management plan

Answer: C

An incident response plan documents the step-by-step process to follow, as well as the related roles and responsibilities
pertaining to all parties involved in responding to an information security breach.
A business continuity plan or disaster recovery plan would be triggered during the execution of the incident response plan
in the case of a breach impacting the business continuity.
A vulnerability management plan is a procedure to address technical vulnerabilities and mitigate the risk through
configuration changes (patch management).


Question # 681

A web server in a financial institution that has been compromised using a super-user account has been isolated, and
proper forensic processes have been followed. The next step should be to:

A. rebuild the server from the last verified backup.

B. place the web server in quarantine.

C. shut down the server in an organized manner.

D. rebuild the server with original media and relevant patches.

Answer: D

The original media should be used since one can never be sure of all the changes a super-user may have made nor the
timelines in which these changes were made.
Rebuilding from the last known verified backup is incorrect since the verified backup may have been compromised by the
super-user at a different time.
Placing the web server in quarantine should have already occurred as part of the forensic process.
Shutting the server down in an organized manner is out of sequence: the server has already been isolated, the forensic
process is finished and the evidence has already been acquired.

Question # 682

What is the FIRST action an information security manager should take when a company laptop is reported stolen?

A. Evaluate the impact of the information loss

B. Update the corporate laptop inventory

C. Ensure compliance with reporting procedures

D. Disable the user account immediately

Answer: C

The first step in such an incident is to report it to mitigate any loss.
After this, the other actions should follow.

Question # 683

Which of the following actions should take place immediately after a security breach is reported to an information
security manager?

A. Confirm the incident

B. Determine impact

C. Notify affected stakeholders

D. Isolate the incident


Answer: A

Before performing analysis of impact, resolution, notification or isolation of an incident,
it must be validated as a real security incident.

Question # 684

The PRIORITY action to be taken when a server is infected with a virus is to:

A. isolate the infected server(s) from the network.

B. identify all potential damage caused by the infection.

C. ensure that the virus database files are current.

D. establish security weaknesses in the firewall.

Answer: A

The priority in this event is to minimize the effect of the virus infection and to prevent it from spreading by removing the
infected server(s) from the network.
After the network is secured from further infection, the damage assessment can be performed,
the virus database updated and any weaknesses sought.

Question # 685

Which of the following situations would be the MOST concern to a security manager?

A. Audit logs are not enabled on a production server

B. The logon ID for a terminated systems analyst still exists on the system

C. The help desk has received numerous reports of users receiving phishing e-mails

D. A Trojan was found to be installed on a system administrator's laptop

Answer: D (*)

The discovery of a Trojan installed on a system administrator's laptop is highly significant since this may mean that
privileged user accounts and passwords may have been compromised.
The other choices, although important, do not pose as immediate or as critical a threat.


Question # 686

A customer credit card database has been reported as being breached by hackers.
The FIRST step in dealing with this attack should be to:

A. confirm the incident.

B. notify senior management.

C. start containment.

D. notify law enforcement.

Answer: A

Confirming that the condition is a true security incident is the necessary first step in determining the correct response.
The containment stage would follow.
Notifying senior management and law enforcement could be part of the incident response process that takes place after
confirming an incident.

Question # 687

What is the BEST method for mitigating against network denial of service (DoS) attacks?

A. Ensure all servers are up-to-date on OS patches

B. Employ packet filtering to drop suspect packets

C. Implement network address translation to make internal addresses nonroutable

D. Implement load balancing for Internet facing devices

Answer: B

Packet filtering techniques are the only ones which reduce network congestion caused by a network denial of service
(DoS) attack.
Patching servers, in general, will not affect network traffic.
Implementing network address translation and load balancing would not be as effective in mitigating most
network DoS attacks.
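The packet-filtering rationale above is easier to see in code. The following is an added example and is not part of the original question bank: a per-source token-bucket filter run over a constructed packet stream in which one source floods SYNs while two clients behave normally. The stream, the IP addresses and the rate and burst limits are all assumptions chosen for illustration; a production filter would sit on a firewall or router, but the logic is the same.

```python
from collections import defaultdict


def make_stream():
    """Constructed packet stream as (time_s, src_ip, tcp_flag) tuples.
    Not a real capture: one source sends 500 SYNs in one second, two
    clients send one SYN each followed by nine ACK-carrying packets."""
    pkts = []
    for i in range(500):                       # assumed flood source
        pkts.append((i / 500.0, "198.51.100.9", "SYN"))
    for ip in ("203.0.113.5", "203.0.113.6"):  # assumed legitimate clients
        pkts.append((0.0, ip, "SYN"))
        for i in range(1, 10):
            pkts.append((i * 0.1, ip, "ACK"))
    pkts.sort(key=lambda p: p[0])
    return pkts


class TokenBucket:
    """Classic token bucket: `rate` tokens per second refill, `burst` cap.
    Each admitted packet costs one token; a packet is dropped when the
    bucket holds less than one token."""

    def __init__(self, rate, burst):
        self.rate = rate
        self.burst = burst
        self.tokens = float(burst)
        self.last = 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def filter_packets(pkts, syn_rate=20.0, syn_burst=10):
    """Rate-limit SYNs per source; everything else passes.
    Returns (passed, dropped) dicts keyed by source IP."""
    buckets = defaultdict(lambda: TokenBucket(syn_rate, syn_burst))
    passed, dropped = defaultdict(int), defaultdict(int)
    for t, src, flag in pkts:
        if flag == "SYN" and not buckets[src].allow(t):
            dropped[src] += 1          # suspect packet: over the SYN budget
        else:
            passed[src] += 1
    return dict(passed), dict(dropped)


if __name__ == "__main__":
    passed, dropped = filter_packets(make_stream())
    for src in sorted(set(passed) | set(dropped)):
        print(f"{src:15s} passed={passed.get(src, 0):4d} dropped={dropped.get(src, 0):4d}")
```

With a budget of 10 burst SYNs plus 20 per second, the flooding source gets roughly 30 SYNs through and loses the rest, while both legitimate clients keep all of their packets. That is the congestion-reduction effect the explanation credits to packet filtering; patching, NAT or load balancing would have changed nothing about the number of packets arriving at the link.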

Question # 688

Which of the following is an example of a corrective control?

A. Diverting incoming traffic as a response to a denial of service (DoS) attack

B. Filtering network traffic

C. Examining inbound network traffic for viruses

D. Logging inbound network traffic


Answer: A

Diverting incoming traffic corrects the situation and, therefore, is a corrective control.
Choice B, Filtering network traffic is a preventive control.
Choices C and D are detective controls.

Question # 689

An organization has been experiencing a number of network-based security attacks that all appear to originate
internally. The BEST course of action is to:

A. require the use of strong passwords.

B. assign static IP addresses.

C. implement centralized logging software.

D. install an intrusion detection system (IDS).

Answer: D

Installing an intrusion detection system (IDS) will allow the information security manager to better pinpoint the source of
the attack so that countermeasures may then be taken.
An IDS is not limited to detection of attacks originating externally.
Proper placement of agents on the internal network can be effectively used to detect an internally based attack.
Requiring the use of strong passwords will not be sufficiently effective against a network-based attack.
Assigning static IP addresses would not be effective since these can be spoofed.
Implementing centralized logging software will not necessarily provide information on the source of the attack.

Question # 690

A serious vulnerability is reported in the firewall software used by an organization.
Which of the following should be the immediate action of the information security manager?

A. Ensure that all OS patches are up-to-date

B. Block inbound traffic until a suitable solution is found

C. Obtain guidance from the firewall manufacturer

D. Commission a penetration test

Answer: C

The best source of information is the firewall manufacturer since the manufacturer may have a patch to fix the
vulnerability or a workaround solution.
Ensuring that all OS patches are up-to-date is a best practice, in general, but will not necessarily address the reported
vulnerability.
Blocking inbound traffic may not be practical or effective from a business perspective.
Commissioning a penetration test will take too much time and will not necessarily provide a solution for corrective
actions.


Question # 691

Which of the following has the highest priority when defining an emergency response plan?

A. Critical data

B. Critical infrastructure

C. Safety of personnel

D. Vital records

Answer: C

The safety of an organization's employees should be the most important consideration given human safety laws.
Human safety is considered first in any process or management practice. All of the other choices are secondary.

Question # 692

Three employees reported the theft or loss of their laptops while on business trips. The FIRST course of action for the
security manager is to:

A. assess the impact of the loss and determine mitigating steps.

B. communicate the best practices in protecting laptops to all laptop users.

C. instruct the erring employees to pay a penalty for the lost laptops.

D. recommend that management report the incident to the police and file for insurance.

Answer: A

The first step when addressing theft or loss is to determine what was actually lost and the appropriate response.
Choice B may occur after the impact is assessed. Choices C and D depend upon company policy.

Question # 693

The FIRST step in an incident response plan is to:

A. notify the appropriate individuals.

B. contain the effects of the incident to limit damage.

C. develop response strategies for systematic attacks.

D. validate the incident.

Answer: D

Appropriate people need to be notified; however, one must first validate the incident.
Containing the effects of the incident would be completed after validating the incident.
Response strategies for systematic attacks should already have been developed prior to the occurrence of an
incident.


Question # 694

An organization has verified that its customer information was recently exposed.
Which of the following is the FIRST step a security manager should take in this situation?

A. Inform senior management.

B. Determine the extent of the compromise.

C. Report the incident to the authorities.

D. Communicate with the affected customers.

Answer: B

Before reporting to senior management, affected customers or the authorities,
the extent of the exposure needs to be assessed.

Question # 695

A possible breach of an organization's IT system is reported by the project manager.
What is the FIRST thing the incident response manager should do?

A. Run a port scan on the system

B. Disable the logon ID

C. Investigate the system logs

D. Validate the incident

Answer: D

When investigating a possible incident, it should first be validated.
Running a port scan on the system, disabling the logon ID and investigating the system logs may be required based on
preliminary forensic investigation, but doing so as a first step may destroy the evidence.

Question # 696

What task should be performed once a security incident has been verified?

A. Identify the incident.

B. Contain the incident.

C. Determine the root cause of the incident.

D. Perform a vulnerability assessment.

Answer: B (***)


Identifying the incident means verifying whether an incident has occurred and finding out more details about the
incident.
Once an incident has been confirmed (identified), the incident management team should limit further exposure.
Determining the root cause takes place after the incident has been contained.
Performing a vulnerability assessment takes place after the root cause of an incident has been determined, in order to
find new vulnerabilities.

Question # 697

An information security manager believes that a network file server was compromised by a hacker.
Which of the following should be the FIRST action taken?

A. Ensure that critical data on the server are backed up.

B. Shut down the compromised server.

C. Initiate the incident response process.

D. Shut down the network.

Answer: C

The incident response process will determine the appropriate course of action.
If the data have been corrupted by a hacker, the backup may also be corrupted.
Shutting down the server is likely to destroy any forensic evidence that may exist and may be required by the
investigation.
Shutting down the network is a drastic action, especially if the hacker is no longer active on the network.

Question # 698

The PRIMARY objective of incident response is to:

A. investigate and report results of the incident to management.

B. gather evidence.

C. minimize business disruptions.

D. assist law enforcement in investigations.

Answer: C

The primary role of incident response is to detect, respond to and contain incidents so that impact to business operations
is minimized.
Choice A is a responsibility of incident response teams, but not the primary objective.
Choices B and D are activities that an incident response team may conduct, depending on circumstances, but neither is a
primary objective.


Question # 699

An employee's computer has been infected with a new virus. What should be the FIRST action?

A. Execute the virus scan.

B. Report the incident to senior management.

C. Format the hard disk.

D. Disconnect the computer from the network.

Answer: D

The first action should be containing the risk, i.e., disconnecting the computer so that it will not infect other computers
on the network.
The virus may start infecting other computers while the virus scan is running.
Only when the impact to the IT environment is significant should it be reported to senior management;
a single virus infection does not warrant that action. Formatting the hard disk is the last resort.

Question # 700

Security-related breaches are assessed and contained through:

A. disaster recovery.

B. incident response.

C. a forensic analysis.

D. the IT support team.

Answer: B

The incident response plan must be activated when an incident occurs.
A disaster recovery plan (DRP) can be activated as part of an incident response plan (IRP).
A forensic analysis can be part of an IRP, but is not necessarily a component.
IT support can be part of a response team, but the team can have other members.


Question # 701

Which of the following would present the GREATEST risk to information security?

A. Virus signature files updates are applied to all servers every day

B. Security access logs are reviewed within five business days

C. Critical patches are applied within 24 hours of their release

D. Security incidents are investigated within five business days

Answer: D

Security incident records capture the system events that matter from a security perspective, including events that are
also captured in the security access logs and other monitoring tools.
Although in some instances an incident could wait a few days before it is researched, of the options given a five-day
delay in investigating incidents carries the greatest risk to security; most often, incidents should be analyzed as soon as
possible.
Virus signatures should be updated as often as the vendor makes them available,
while critical patches should be installed as soon as they are reviewed and tested, which can occur within 24 hours.

(TS-4.3) Develop and implement processes to ensure the timely identification of information security
incidents.

Question # 702

The BEST method for detecting and monitoring a hacker's activities without exposing information assets to
unnecessary risk is to utilize:

A. firewalls.

B. bastion hosts.

C. decoy files.

D. screened subnets.

Answer: C

Decoy files, often referred to as honeypots, are the best choice for diverting a hacker away from critical files and alerting
security of the hacker's presence.
Firewalls and bastion hosts attempt to keep the hacker out,
while screened subnets or demilitarized zones (DMZs) provide a middle ground between the trusted internal network
and the external untrusted Internet.

Question # 703

The PRIMARY purpose of installing an intrusion detection system (IDS) is to identify:

A. weaknesses in network security.

B. patterns of suspicious access.

C. how an attack was launched on the network.

D. potential attacks on the internal network.

Answer: D

The most important function of an intrusion detection system (IDS) is to identify potential attacks on the network.
Identifying how the attack was launched is secondary.
It is not designed specifically to identify weaknesses in network security or to identify patterns of suspicious logon
attempts.

Question # 704

Which of the following is the BEST way to verify that all critical production servers are utilizing up-to-date virus
signature files?

A. Verify the date that signature files were last pushed out

B. Use a recently identified benign virus to test if it is quarantined

C. Research the most recent signature file and compare to the console

D. Check a sample of servers to confirm that the signature files are current

Timely identification of incidents


Page 1 of 3

Answer: D

The only accurate way to check the signature files is to look at a sample of servers.
The fact that an update was pushed out to a server does not guarantee that it was properly loaded onto that server.
Checking the vendor information to the management console would still not be indicative as to whether the file was
properly loaded on the server.
Personnel should never release a virus, no matter how benign.

Question # 705

Which of the following are the MOST important criteria when selecting virus protection software?

A. Product market share and annualized cost

B. Ability to interface with intrusion detection system (IDS) software and firewalls

C. Alert notifications and impact assessments for new viruses

D. Ease of maintenance and frequency of updates

Answer: D

For the software to be effective, it must be easy to maintain and keep current.
Market share and annualized cost, links to the intrusion detection system (IDS) and automatic notifications are all
secondary in nature.

Question # 706

Which of the following is the MOST serious exposure of automatically updating virus signature files on every desktop
each Friday at 11:00 p.m. (23.00 hrs.)?

A. Most new viruses' signatures are identified over weekends

B. Technical personnel are not available to support the operation

C. Systems are vulnerable to new viruses during the intervening week

D. The update's success or failure is not known until Monday

Answer: C

Updating virus signature files on a weekly basis carries the risk that the systems will be vulnerable to viruses released
during the week; far more frequent updating is essential. All other issues are secondary to this very serious exposure.


Question # 707

An intrusion detection system (IDS) should:

A. run continuously.

B. ignore anomalies.

C. require a stable, rarely changed environment.

D. be located on the network.

Answer: A

If an intrusion detection system (IDS) does not run continuously the business remains vulnerable.
An IDS should detect, not ignore, anomalies.
An IDS should be flexible enough to cope with a changing environment.
Both host- and network-based IDSs are recommended for adequate detection.

Question # 708

Which of the following MOST effectively reduces false-positive alerts generated by a security information and event
management (SIEM) process?

A. Building use cases

B. Conducting a network traffic analysis

C. Performing an asset-based risk assessment

D. The quality of the logs

Answer: A

Implementing a SIEM process helps ensure that incidents are correctly identified and handled appropriately.
Since a SIEM process depends on log analysis based on predefined rules, the most effective way to reduce false-positive
alerts is to develop use cases for known threats to identified critical systems.
The use cases would then be used to develop appropriate rules for the SIEM solution.
Although security monitoring requires traffic analysis, risk assessment, and quality logs,
only properly defined use cases can ensure that the rules are accurately defined and that events are properly identified,
thereby reducing false-positive alerts.
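To make the use-case argument concrete, here is an added example that is not part of the original question bank. It runs two detection rules over a constructed set of authentication events: a generic "N failed logons on any host" rule, and a use case written for one known threat (credential brute force) against an identified critical asset. The log format, hostnames, IP addresses, the asset list and the exempted noisy source are all assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). The line format is an assumption:
# "<ISO timestamp> host=<name> user=<id> result=<FAIL|SUCCESS> src=<ip>"
SAMPLE_LOGS = [
    # A CI runner retrying an expired credential against a dev box: noisy but benign.
    *[f"2024-03-01T09:00:{s:02d} host=dev-build-01 user=ci-runner result=FAIL src=10.0.5.20"
      for s in range(1, 9)],
    "2024-03-01T09:00:09 host=dev-build-01 user=ci-runner result=SUCCESS src=10.0.5.20",
    # Password guessing against a payment database from an unexpected host, then a hit.
    *[f"2024-03-01T09:01:{s:02d} host=pay-db-01 user=svc_pay result=FAIL src=10.0.9.77"
      for s in range(10, 16)],
    "2024-03-01T09:01:30 host=pay-db-01 user=svc_pay result=SUCCESS src=10.0.9.77",
    # A user mistyping a password twice on a critical host: below threshold, benign.
    "2024-03-01T09:05:00 host=pay-app-01 user=alice result=FAIL src=10.0.2.14",
    "2024-03-01T09:05:04 host=pay-app-01 user=alice result=FAIL src=10.0.2.14",
    "2024-03-01T09:05:09 host=pay-app-01 user=alice result=SUCCESS src=10.0.2.14",
]

CRITICAL_ASSETS = {"pay-db-01", "pay-app-01"}   # assumed asset inventory from the risk assessment
KNOWN_NOISY_SOURCES = {"10.0.5.20"}              # assumed: CI runner exempted during rule tuning

LINE_RE = re.compile(r"^(\S+) host=(\S+) user=(\S+) result=(FAIL|SUCCESS) src=(\S+)$")


def parse(line):
    """Turn one log line into a dict; a malformed line is an error, not silently skipped."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ts, host, user, result, src = m.groups()
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "result": result, "src": src}


def generic_rule(lines, threshold=5, window_s=60):
    """Untuned rule: `threshold` FAILs on any host inside `window_s` seconds -> alert.
    Returns the sorted list of hosts that fired."""
    fails = defaultdict(list)
    for e in (parse(l) for l in lines):
        if e["result"] == "FAIL":
            fails[e["host"]].append(e["ts"])
    alerts = []
    for host, times in fails.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= timedelta(seconds=window_s):
                alerts.append(host)
                break
    return sorted(alerts)


def use_case_rule(lines, threshold=5, window_s=60):
    """Use case 'credential brute force against a critical asset': at least
    `threshold` FAILs for one user from one source against a critical host,
    followed by a SUCCESS for the same user from the same source within the
    window. Known noisy sources are excluded. Returns one alert dict per hit."""
    events = sorted((parse(l) for l in lines), key=lambda e: e["ts"])
    fails = defaultdict(list)          # (host, src, user) -> FAIL timestamps
    alerts = []
    for e in events:
        if e["host"] not in CRITICAL_ASSETS or e["src"] in KNOWN_NOISY_SOURCES:
            continue
        key = (e["host"], e["src"], e["user"])
        if e["result"] == "FAIL":
            fails[key].append(e["ts"])
            continue
        recent = [t for t in fails[key] if e["ts"] - t <= timedelta(seconds=window_s)]
        if len(recent) >= threshold:
            alerts.append({"host": e["host"], "src": e["src"], "user": e["user"],
                           "attempts": len(recent), "at": e["ts"].isoformat()})
        fails[key].clear()             # a success resets the sequence for this key
    return alerts


if __name__ == "__main__":
    print("generic rule fired on:", generic_rule(SAMPLE_LOGS))
    print("use case fired on:", use_case_rule(SAMPLE_LOGS))
```

On the sample data the generic rule fires twice, once for the CI runner's harmless retries and once for the real attack, so half of its output is a false positive. The use case fires only on the payment database, because it encodes the asset that matters, the threat sequence (failures then a success), and the exemption learned during tuning; that is what the explanation means by building rules from use cases rather than from raw log volume.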

(TS-4.4) Establish and maintain processes to investigate and document information security incidents to be
able to respond appropriately and determine their causes while adhering to legal, regulatory and
organizational requirements.

Question # 709

A post-incident review should be conducted by an incident management team to determine:

A. relevant electronic evidence.

B. lessons learned.

C. hacker's identity.

D. areas affected.

Answer: B

Post-incident reviews are beneficial in determining ways to improve the response process through lessons learned from
the attack.
Evaluating the relevance of evidence, who launched the attack or what areas were affected are not the primary purposes
for such a meeting because these should have been already established during the response to the incident.

Question # 710

Isolation and containment measures for a compromised computer have been taken and information security
management is now investigating. What is the MOST appropriate next step?

A. Run a forensics tool on the machine to gather evidence

B. Reboot the machine to break remote connections

C. Make a copy of the whole system's memory

D. Document current connections and open Transmission Control Protocol/User Datagram Protocol (TCP/UDP) ports

Answer: C

When investigating a security breach, it is important to preserve all traces of evidence left by the invader.
For this reason, it is imperative to preserve the memory contents of the machine in order to analyze them later.
The correct answer is choice C because a copy of the whole system's memory is obtained for future analysis by running
the appropriate tools.
This is also important from a legal perspective since an attorney may suggest that the system was changed during the
conduct of the investigation.
Running a computer forensics tool on the compromised machine will cause the creation of at least one process that may
overwrite evidence.
Rebooting the machine will delete the contents of the memory, erasing potential evidence.
Collecting information about current connections and open Transmission Control Protocol/User Datagram Protocol
(TCP/UDP) ports is correct, but doing so by using tools may also erase memory contents.

Timely investigation and responding appropriately



Question # 711

Why is “slack space” of value to an information security manager as part of an incident investigation?

A. Hidden data may be stored there

B. The slack space contains login information

C. Slack space is encrypted

D. It provides flexible space for the investigation

Answer: A

“Slack space” is the unused space between where the file data end and the end of the cluster the data occupy.
Login information is not typically stored in the slack space.
Encryption for the slack space is no different from the rest of the file system.
The slack space is not a viable means of storage during an investigation.

Question # 712

What is the PRIMARY objective of a post-event review in incident response?

A. Adjust budget provisioning

B. Preserve forensic data

C. Improve the response process

D. Ensure the incident is fully documented

Answer: C

The primary objective is to find any weakness in the current process and improve it. The other choices are all secondary.

Question # 713

Evidence from a compromised server has to be acquired for a forensic investigation. What would be the BEST source?

A. A bit-level copy of all hard drive data

B. The last verified backup stored offsite

C. Data from volatile memory

D. Backup servers

Answer: A

The bit-level copy image file ensures forensic quality evidence that is admissible in a court of law.
Choices B and D may not provide forensic quality data for investigative work,
while choice C alone may not provide enough evidence.


Question # 714

In the course of responding to an information security incident, the BEST way to treat evidence for possible legal action is
defined by:

A. international standards.

B. local regulations.

C. generally accepted best practices.

D. organizational security policies.

Answer: B

Legal follow-up will most likely be performed locally where the incident took place; therefore, it is critical that the
procedure of treating evidence is in compliance with local regulations.
In certain countries, there are strict regulations on what information can be collected.
When evidence collected is not in compliance with local regulations, it may not be admissible in court.
There are no common regulations to treat computer evidence that are accepted internationally.
Generally accepted best practices such as a common chain-of-custody concept may have different implementations in
different countries, and thus may not be a good assurance that evidence will be admissible.
Local regulations always take precedence over organizational security policies.

Question # 715

A root kit was used to capture detailed accounts receivable information.
To ensure admissibility of evidence from a legal standpoint, once the incident was identified and the server isolated,
the next step should be to:

A. document how the attack occurred.

B. notify law enforcement.

C. take an image copy of the media.

D. close the accounts receivable system.

Answer: C

Taking an image copy of the media is a recommended practice to ensure legal admissibility.
All of the other choices are subsequent and may be supplementary.


Question # 716

When collecting evidence for forensic analysis, it is important to:

A. ensure the assignment of qualified personnel.

B. request the IT department do an image copy.

C. disconnect from the network and isolate the affected devices.

D. ensure law enforcement personnel are present before the forensic analysis commences.

Answer: A

Without the initial assignment of forensic expertise, the required levels of evidence may not be preserved.
In choice B, the IT department is unlikely to have that level of expertise and should thus be prevented from taking action.
Choice C may be a subsequent necessity that comes after choice A.
Choice D, notifying law enforcement, will likely occur after the forensic analysis has been completed.

Question # 717

To justify the establishment of an incident management team, an information security manager would find which of
the following to be the MOST effective?

A. Assessment of business impact of past incidents

B. Need of an independent review of incident causes

C. Need for constant improvement on the security level

D. Possible business benefits from incident impact reduction

Answer: D

Business benefits from incident impact reduction would be the most important goal for establishing an incident
management team.
The assessment of business impact of past incidents would need to be completed to articulate the benefits.
Having an independent review benefits the incident management process.
The need for constant improvement on the security level is a benefit to the organization.


Question # 718

A database was compromised by guessing the password for a shared administrative account and confidential customer
information was stolen.
The information security manager was able to detect this breach by analyzing which of the following?

A. Invalid logon attempts

B. Write access violations

C. Concurrent logons

D. Firewall logs

Answer: A

Since the password for the shared administrative account was obtained through guessing, it is probable that there were
multiple unsuccessful logon attempts before the correct password was deduced.
Searching the logs for invalid logon attempts could, therefore, lead to the discovery of this unauthorized activity.
Because the account is shared, reviewing the logs for concurrent logons would not reveal unauthorized activity since
concurrent usage is common in this situation.
Write access violations would not necessarily be observed since the information was merely copied and not altered.
Firewall logs would not necessarily contain information regarding logon attempts.

Question # 719

To determine how a security breach occurred on the corporate network, a security manager looks at the logs of
various devices. Which of the following BEST facilitates the correlation and review of these logs?

A. Database server

B. Domain name server (DNS)

C. Time server

D. Proxy server

Answer: C

To accurately reconstruct the course of events, a time reference is needed and that is provided by the time server.
The other choices would not assist in the correlation and review of these logs.
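The invalid-logon search of Question 718 and the time-reference correlation of Question 719, as one added example that is not part of the question bank: logs from two devices with drifting clocks are corrected to the time server's reference time and merged, then the merged stream is searched for an account/source pair that fails repeatedly and then succeeds. The log lines, device names (`fw01`, `db01`), clock offsets, account name and the threshold of five failures are all constructed for the demonstration.

```python
"""Correlating logs from several devices against one time reference (Q719)
and then searching them for the invalid-logon pattern of Q718.

Added example; it is not part of the question bank. The log lines, device
names, clock offsets and the account name are all constructed for the demo.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs. Each device stamps lines with its own clock:
# fw01 runs 90 s fast and db01 runs 30 s slow relative to the time server.
SAMPLE_LOGS = {
    "fw01": [
        "2024-05-01 10:01:40 fw01 ACCEPT src=203.0.113.7 dst=10.0.0.5 dport=1433",
        "2024-05-01 10:02:25 fw01 ACCEPT src=203.0.113.7 dst=10.0.0.5 dport=1433",
    ],
    "db01": [
        "2024-05-01 09:59:45 db01 LOGIN FAILED user=dbadmin src=203.0.113.7",
        "2024-05-01 09:59:50 db01 LOGIN FAILED user=dbadmin src=203.0.113.7",
        "2024-05-01 09:59:55 db01 LOGIN FAILED user=dbadmin src=203.0.113.7",
        "2024-05-01 10:00:00 db01 LOGIN FAILED user=dbadmin src=203.0.113.7",
        "2024-05-01 10:00:04 db01 LOGIN FAILED user=dbadmin src=203.0.113.7",
        "2024-05-01 10:00:09 db01 LOGIN OK user=dbadmin src=203.0.113.7",
        "2024-05-01 10:00:30 db01 LOGIN OK user=dbadmin src=10.0.0.20",
    ],
}

# Measured drift of each device clock against the time server
# (device clock minus reference clock); assumed values for the demo.
CLOCK_OFFSET = {"fw01": timedelta(seconds=90), "db01": timedelta(seconds=-30)}

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) (.*)$")
LOGON_RE = re.compile(r"LOGIN (FAILED|OK) user=(\S+) src=(\S+)")


def normalize(logs, offsets):
    """Parse every line, subtract the device's drift so all timestamps are in
    reference time, and return one merged list sorted chronologically."""
    events = []
    for device, lines in logs.items():
        drift = offsets.get(device, timedelta(0))
        for line in lines:
            m = LINE_RE.match(line)
            if not m:
                continue                      # unparseable line: skip, don't crash
            local = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((local - drift, m.group(2), m.group(3)))
    events.sort(key=lambda e: e[0])
    return events


def find_guessed_passwords(events, threshold=5, window=timedelta(minutes=2)):
    """Flag every (user, source) pair that fails `threshold` or more logons
    inside `window` and then succeeds: the trace a guessed password leaves."""
    failures = defaultdict(list)
    hits = []
    for ts, _device, msg in events:
        m = LOGON_RE.search(msg)
        if not m:
            continue
        status, user, src = m.groups()
        key = (user, src)
        if status == "FAILED":
            # keep only failures still inside the sliding window, then add this one
            failures[key] = [t for t in failures[key] if ts - t <= window] + [ts]
        elif len(failures[key]) >= threshold:
            hits.append((user, src, len(failures[key]), ts))
            failures[key] = []
    return hits


if __name__ == "__main__":
    merged = normalize(SAMPLE_LOGS, CLOCK_OFFSET)
    for ts, device, msg in merged:
        print(ts.isoformat(), device, msg)
    for user, src, n, when in find_guessed_passwords(merged):
        print(f"ALERT: {n} failed logons for {user} from {src}, then success at {when}")
```

Without the drift correction the firewall's ACCEPT lines would sort after every database line; with it, the first ACCEPT lands five seconds before the first failed logon, which is the sequence an investigator needs to see. The detector reports the five failures from 203.0.113.7 followed by a success and says nothing about the concurrent logon from 10.0.0.20, matching the point in Question 718 that concurrent use of a shared account is not the signal.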


Question # 720

If an organization considers taking legal action on a security incident, the information security manager should focus
PRIMARILY on:

A. obtaining evidence as soon as possible.

B. preserving the integrity of the evidence.

C. disconnecting all IT equipment involved.

D. reconstructing the sequence of events.

Answer: B

The integrity of evidence should be kept, following the appropriate forensic techniques to obtain the evidence and a
chain of custody procedure to maintain the evidence (in order to be accepted in a court of law).
All other options are part of the investigative procedure, but they are not as important as preserving the integrity of the
evidence.

Question # 721

Which of the following is the MOST critical consideration when collecting and preserving admissible evidence during an
incident response?

A. Unplugging the systems

B. Chain of custody

C. Separation of duties

D. Clock synchronization

Answer: B

Admissible evidence must be collected and preserved by “chain of custody”.
Unplugging the systems can cause potential loss of information critical to the investigation.
Separation of duties is not necessary in evidence collection and preservation since the entire process can be done by a
single person. Clock synchronization is not as important for the collection and preservation of admissible evidence.

Question # 722

In a forensic investigation, which of the following would be the MOST important factor?

A. Operation of a robust incident management process

B. Identification of areas of responsibility

C. Involvement of law enforcement

D. Expertise of resources


Answer: D

The most important factor in a forensic investigation is the expertise of the resources participating in the project due to
the inherent complexity.
Operation of a robust incident management process and the identification of areas of responsibility should occur prior to
an investigation.
Involvement of law enforcement is dependent upon the nature of the investigation.

Question # 723

An unauthorized user gained access to a merchant's database server and customer credit card information.
Which of the following would be the FIRST step to preserve and protect the evidence of unauthorized intrusion
activities?

A. Shut down and power off the server.

B. Duplicate the hard disk of the server immediately.

C. Isolate the server from the network.

D. Copy the database log file to a protected server.

Answer: C

Isolating the server will prevent further intrusions and protect evidence of intrusion activities left in memory and on the
hard drive.
Some intrusion activities left in virtual memory may be lost if the system is shut down.
Duplicating the hard disk will only preserve the evidence on the hard disk, not the evidence in virtual memory, and will
not prevent further unauthorized access attempts.
Copying the database log file to a protected server will not provide sufficient evidence should the organization choose to
pursue legal recourse.

Question # 724

Which of the following would be MOST appropriate for collecting and preserving evidence?

A. Encrypted hard drives

B. Generic audit software

C. Proven forensic processes

D. Log correlation software

Answer: C

When collecting evidence about a security incident, it is very important to follow appropriate forensic procedures to
handle electronic evidence by a method approved by local jurisdictions.
All other options will help when collecting or preserving data about the incident; however these data might not be
accepted as evidence in a court of law if they are not collected by a method approved by local jurisdictions.


Question # 725

Which of the following is the MOST important aspect of forensic investigations that will potentially involve legal
action?

A. The independence of the investigator

B. Timely intervention

C. Identifying the perpetrator

D. Chain of custody

Answer: D

Establishing the chain of custody is one of the most important steps in conducting forensic investigations since
it preserves the evidence in a manner that is admissible in court.
The independence of the investigator may be important, but is not the most important aspect.
Timely intervention is important for containing incidents, but not as important for forensic investigation.
Identifying the perpetrator is important, but maintaining the chain of custody is more important in order to have the
perpetrator convicted in court.

Question # 726

In the course of examining a computer system for forensic evidence, data on the suspect media were inadvertently
altered. Which of the following should have been the FIRST course of action in the investigative process?

A. Perform a backup of the suspect media to new media.

B. Create a bit-by-bit image of the original media source onto new media.

C. Make a copy of all files that are relevant to the investigation.

D. Run an error-checking program on all logical drives to ensure that there are no disk errors.

Answer: B

The original hard drive or suspect media should never be used as the source for analysis.
The source or original media should be physically secured and only used as the master to create a bit-by-bit image.
The original should be stored using the appropriate procedures, depending on location.
The image created for forensic analysis should be used.
A backup does not preserve 100 percent of the data, such as erased or deleted files and data in slack space, which may
be critical to the investigative process.
Once data from the source are altered, they may no longer be admissible in court.
Continuing the investigation, documenting the date, time and data altered, are actions that may not be admissible in
legal proceedings.
The organization would need to know the details of collecting and preserving forensic evidence relevant to their
jurisdiction.


Question # 727

When electronically stored information is requested during a fraud investigation, which of the following should be the
FIRST priority?

A. Assigning responsibility for acquiring the data

B. Locating the data and preserving the integrity of the data

C. Creating a forensically sound image

D. Issuing a litigation hold to all affected parties

Answer: B

Locating the data and preserving data integrity is the only correct answer because it represents the primary responsibility
of an investigator and is a complete and accurate statement of the first priority.
While assigning responsibility for acquiring the data is a step that should be taken, it is not the first step or the highest
priority.
Creating a forensically sound image may or may not be a necessary step, depending on the type of investigation,
but it would never be the first priority.
Issuing a litigation hold to all affected parties might be a necessary step early on in an investigation of certain types,
but not the first priority.

Question # 728

When creating a forensic image of a hard drive, which of the following should be the FIRST step?

A. Identify a recognized forensics software tool to create the image.

B. Establish a chain of custody log.

C. Connect the hard drive to a write blocker.

D. Generate a cryptographic hash of the hard drive contents.

Answer: B

The first step in any investigation requiring the creation of a forensic image should always be to maintain the chain of
custody.
Identifying a recognized forensics software tool to create the image is one of the important steps, but it should come
after several of the other options.
Connecting the hard drive to a write blocker is an important step, but it must be done after the chain of custody has been
established.
Generating a cryptographic hash of the hard drive contents is another important step, but one that comes after several of
the other options.


Question # 729

An information security manager is in the process of investigating a network intrusion.
One of the enterprise's employees is a suspect. The manager has just obtained the suspect's computer and hard drive.
Which of the following is the BEST next step?

A. Create an image of the hard drive.

B. Encrypt the data on the hard drive.

C. Examine the original hard drive.

D. Create a logical copy of the hard drive.

Answer: A

One of the first steps in an investigation is to create an image of the original hard drive.
A physical copy will copy the data, block by block, including any hidden data blocks and hidden partitions that can be
used to conceal evidence.
Encryption is not required.
Examining the hard drive is not good practice.
A logical copy will only copy the files and folders and may not copy the necessary data to properly examine the hard drive
for forensic evidence.

Question # 730

A forensic team was commissioned to perform an analysis of unrecognized processes running on a desktop PC.
The lead investigator advised the team against disconnecting the power in order to:

A. prevent disk corruption.

B. conduct a hot-swap of the main disk drive.

C. avoid loss of data in server logs.

D. avoid loss of data stored in volatile memory.

Answer: D

Disconnecting power from a system results in loss of data stored in volatile memory.
Those data could be vital for the investigation and for understanding the extent of the impact of the event.
Disconnecting power is not recommended where analysis of running processes or the content of volatile memory is
required.
The other choices do not address the capture of the data that exist in volatile memory.


Question # 731

When attempting data recovery of a specific file during forensic analysis, an investigator would be challenged the
MOST when:

A. all files in the directory have been deleted.

B. the partition table on the disk has been deleted.

C. the file content has been overwritten.

D. high-level disk formatting has been performed.

Answer: C

When the actual file content on the disk is overwritten, it generally cannot be recovered without significant resources
and highly specialized tools, and frequently cannot be recovered at all.
Deleted files that have not been physically overwritten, partition tables and even drives that have been high-level
formatted can generally be retrieved using commonly available forensic tools.
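One added example, not part of the question bank, that ties together the forensic points of Questions 711, 713, 726, 728, 729 and 731: a bit-level image against a logical (file-level) copy, slack space as the place where remnants survive, a read-only view standing in for a write blocker, a hash to verify the image, a chain-of-custody record, and the fact that bytes actually overwritten cannot be carved back. The 64-byte "disk", its 16-byte clusters, the file names, the directory layout and the custodian name are all assumptions constructed for the demonstration.

```python
"""Why a bit-level image, not a logical copy, is the forensic source
(Q711, Q713, Q726, Q729), what a write blocker, hash and chain-of-custody
record add (Q728), and why overwritten bytes cannot be carved back (Q731).

Added example; it is not part of the question bank. The "disk" is a
constructed 64-byte string with 16-byte clusters; file names, offsets and
custodian names are assumptions made for the demonstration.
"""
import hashlib
from datetime import datetime, timezone

CLUSTER = 16  # assumed cluster size of the toy file system


def build_disk():
    """Constructed media: an invoice file once occupied clusters 1-2 and was
    deleted; a 10-byte file was then written into cluster 1, so the cluster's
    slack and the now-unallocated cluster 2 still carry invoice remnants."""
    disk = bytearray(4 * CLUSTER)
    old = b"INVOICE#4711 ACCT-RECV TOTAL 9100"   # 33 bytes, deleted file
    disk[CLUSTER:CLUSTER + len(old)] = old
    new = b"todo list\n"                          # 10 bytes, live file
    disk[CLUSTER:CLUSTER + len(new)] = new        # overwrites first 10 bytes
    return bytes(disk)


# Live directory entries: name -> (first cluster, size in bytes). Assumed layout.
DIRECTORY = {"todo.txt": (1, 10)}


class WriteBlocker:
    """Read-only view of the source media: reads work, any write raises."""
    def __init__(self, media):
        self._media = media

    def read(self, offset=0, length=None):
        end = None if length is None else offset + length
        return self._media[offset:end]

    def write(self, *_args):
        raise PermissionError("write blocker engaged: source media is read-only")


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def bit_image(source):
    """Bit-for-bit image: every byte, allocated or not."""
    return source.read()


def logical_copy(source, directory):
    """File-level copy: only the bytes the directory assigns to live files."""
    return {name: source.read(first * CLUSTER, size)
            for name, (first, size) in directory.items()}


def slack_of(image, directory, name):
    """Bytes between the end of a file's data and the end of its last cluster."""
    first, size = directory[name]
    end = first * CLUSTER + size
    cluster_end = -(-end // CLUSTER) * CLUSTER    # round up to the boundary
    return image[end:cluster_end]


def carve(image, marker):
    """Recover a remnant by content, ignoring the directory: returns the run
    of bytes from the marker to the next NUL, or b"" if the marker is gone."""
    i = image.find(marker)
    return image[i:].split(b"\x00", 1)[0] if i >= 0 else b""


def custody_entry(log, who, action, evidence_hash):
    """Append one chain-of-custody record; the hash lets later handlers prove
    the evidence is unchanged since this step."""
    log.append({"when": datetime.now(timezone.utc).isoformat(),
                "who": who, "action": action, "sha256": evidence_hash})
    return log


if __name__ == "__main__":
    source = WriteBlocker(build_disk())
    examiner = "examiner A (assumed name)"
    log = custody_entry([], examiner, "received media, write blocker attached",
                        sha256(source.read()))
    image = bit_image(source)
    custody_entry(log, examiner, "bit-level image taken", sha256(image))
    print("image hash matches source:", sha256(image) == log[0]["sha256"])
    print("logical copy sees:", logical_copy(source, DIRECTORY))
    print("slack of todo.txt:", slack_of(image, DIRECTORY, "todo.txt"))
    print("carved from image:", carve(image, b"ACCT-RECV"))
    print("overwritten part:", carve(image, b"INVOICE"))
```

The logical copy yields only `todo list\n`; the image still holds `11 ACC` in the file's slack and `ACCT-RECV TOTAL 9100` in the unallocated cluster, which is exactly the data a backup or file-level copy never captures. The ten bytes the new file overwrote (`INVOICE#47`) are gone from the image as well, which is the point of Question 731. Hashing the source before imaging and the image afterwards, and writing both into the custody log, is what lets a later handler show the evidence was never changed.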

Question # 732

The requirement for security incidents to be resolved quickly and for service to be restored is:

A. a key concept of problem management.

B. the basis for organization risk management activities.

C. a component of forensics training.

D. often in conflict with effective problem management.

Answer: D

Problem management is focused on investigating and uncovering the root cause of incidents.
Quick restoration of service will often be in direct conflict with problem management,
particularly when restoring service compromises the evidence needed to complete an investigation.
Quick restoration of service can actually increase risk and would not be a sound basis for risk management activities.
Forensics training is concerned with the legally sound collection and preservation of evidence and does not directly relate
to rapid service restoration.

(TS-4.6) Organize, train and equip teams to effectively respond to information security incidents in a timely
manner.

Question # 733

Which of the following would represent a violation of the chain of custody when a backup tape has been identified as
evidence in a fraud investigation? The tape was:

A. removed into the custody of law enforcement investigators.

B. kept in the tape library pending further analysis.

C. sealed in a signed envelope and locked in a safe under dual control.

D. handed over to authorized independent investigators.

Answer: B

Since a number of individuals would have access to the tape library, and could have accessed and tampered with the
tape, the chain of custody could not be verified.
All other choices provide clear indication of who was in custody of the tape at all times.

Question # 734

Which of the following functions is responsible for determining the members of the enterprise's response teams?

A. Governance

B. Risk management

C. Compliance

D. Information security

Answer: D

The information security manager, or designated manager for incident response, should select the team members
required to ensure that all required disciplines are represented on the team.
The governance function will determine the strategy and policies that will set the scope and charter for incident
management and response capabilities.
While response is a component of managing risk, the basis for risk management is determined by governance and
strategy requirements.
Compliance would not be directly related to this activity, although this function may have representation on the incident
response team.

Responding to incidents appropriately



Question # 735

The main mail server of a financial institution has been compromised at the superuser level; the only way to ensure
the system is secure would be to:

A. change the root password of the system.

B. implement multifactor authentication.

C. rebuild the system from the original installation medium.

D. disconnect the mail server from the network.

Answer: C

Rebuilding the system from the original installation medium is the only way to ensure all security vulnerabilities and
potential stealth malicious programs have been destroyed.
Changing the root password of the system does not ensure the integrity of the mail server.
Implementing multifactor authentication is a subsequent preventive measure and does not clear existing security threats.
Disconnecting the mail server from the network is an initial step, but does not guarantee security.

Question # 736

A password hacking tool was used to capture detailed bank account information and personal identification numbers
(PINs). Upon confirming the incident, the NEXT step is to:

A. notify law enforcement.

B. start containment.

C. make an image copy of the media.

D. isolate affected servers.

Answer: B

Once an incident has been confirmed, containment is the first priority of incident response, because it will generally
mitigate further impact.
Notifying law enforcement, making an image copy of the media and isolating the system should be performed after the
containment plan has been executed.


Question # 737

An employee has found a suspicious file on a server. The employee thinks the file is a virus and contacts the
information security manager. What is the FIRST step to take?

A. Contain the file.

B. Delete the file.

C. Verify whether the file is malicious.

D. Report the suspicious file to management.

Answer: C

The first step in incident response is to identify whether an event is an actual threat.
Containment is the next step in the incident response cycle.
Deleting the file could be part of the containment process, but only after proper digital forensics have been performed so
it is safe to delete the file.
Reporting to management would be a later step in the incident handling cycle and will vary based on policy,
but it would not come before verification or general containment.

(TS-4.7) Test and review the incident response plan periodically to ensure an effective response to information
security incidents and to improve response capabilities.

Question # 738

The systems administrator did not immediately notify the security officer about a malicious attack.
An information security manager could prevent this situation by:

A. periodically testing the incident response plans.

B. regularly testing the intrusion detection system (IDS).

C. establishing mandatory training of all personnel.

D. periodically reviewing incident response procedures.

Answer: A

Security incident response plans should be tested to find any deficiencies and improve existing processes.
Testing the intrusion detection system (IDS) is a good practice but would not have prevented this situation.
All personnel need to go through formal training to ensure that they understand the process, tools and methodology
involved in handling security incidents.
However, testing of the actual plans is more effective in ensuring the process works as intended.
Reviewing the response procedures is not enough; the security response plan needs to be tested on a regular basis.

Test and review incident response plan


(TS-4.8) Establish and maintain communication plans and processes to manage communication with internal
and external entities.

Question # 739

Which of the following is the MOST important consideration for an organization interacting with the media during a
disaster?

A. Communicating specially drafted messages by an authorized person

B. Refusing to comment until recovery

C. Referring the media to the authorities

D. Reporting the losses and recovery strategy to the media

Answer: A

Proper messages need to be sent quickly through a specific identified person so that there are no rumors or statements
made that may damage reputation.
Choices B, C and D are not recommended until the message to be communicated is made clear and the spokesperson has
already spoken to the media.

Question # 740

During the security review of organizational servers it was found that a file server containing confidential human
resources (HR) data was accessible to all user IDs. As a FIRST step, the security manager should:

A. copy sample files as evidence.

B. remove access privileges to the folder containing the data.

C. report this situation to the data owner.

D. train the HR team on properly controlling file permissions.

Answer: C

The data owner should be notified prior to any action being taken.
Copying sample files as evidence is not advisable since it breaches confidentiality requirements on the file.
Removing access privileges to the folder containing the data should be done by the data owner, or by the security
manager in consultation with the data owner; frequently the security manager would not have this right anyway.
Regardless, this would be done only after formally reporting the incident.
Training the human resources (HR) team on properly controlling file permissions is the method to prevent such incidents
in the future, but should take place once the incident reporting and investigation activities are completed.

Communication in case of Incidents


Question # 741

When a major vulnerability in the security of a critical web server is discovered, immediate notification should be
made to the:

A. system owner to take corrective action.

B. incident response team to investigate.

C. data owners to mitigate damage.

D. development team to remediate.

Answer: A

In order to correct the vulnerabilities, the system owner needs to be notified quickly before an incident can take place.
Choice B is not correct because the incident has not taken place and notification could delay implementation of the fix.
Data owners would be notified only if the vulnerability could have compromised data.
The development team may be called upon by the system owner to resolve the vulnerability.

Question # 742

When a significant security breach occurs, what should be reported FIRST to senior management?

A. A summary of the security logs that illustrates the sequence of events

B. An explanation of the incident and corrective action taken

C. An analysis of the impact of similar attacks at other organizations

D. A business case for implementing stronger logical access controls

Answer: B

When reporting an incident to senior management, the initial information to be communicated should include an
explanation of what happened and how the breach was resolved.
A summary of security logs would be too technical to report to senior management.
An analysis of the impact of similar attacks and a business case for improving controls would be desirable; however, these
would be communicated later in the process.

Question # 743

When the computer incident response team (CIRT) finds clear evidence that a hacker has penetrated the corporate
network and modified customer information, an information security manager should FIRST notify:

A. the information security steering committee.

B. customers who may be impacted.

C. data owners who may be impacted.

D. regulatory agencies overseeing privacy.

Communication in case of Incidents

Answer: C

The data owners should be notified first so they can take steps to determine the extent of the damage and coordinate a
plan for corrective action with the computer incident response team.
Other parties will be notified later as required by corporate policy and regulatory requirements.

Question # 744

Which of the following would a security manager establish to determine the target for restoration of normal
processing?

A. Recovery time objective (RTO)

B. Maximum tolerable outage (MTO)

C. Recovery point objectives (RPOs)

D. Services delivery objectives (SDOs)

Answer: A

Recovery time objective (RTO) is the length of time from the moment of an interruption until the time the process must
be functioning at a service level sufficient to limit financial and operational impacts to an acceptable level.
Maximum tolerable outage (MTO) is the maximum time for which an organization can operate in a reduced mode.
Recovery point objectives (RPOs) relate to the age of the data required for recovery.
Services delivery objectives (SDOs) are the levels of service required in reduced mode.

Question # 745

Major security events with serious legal implications should be communicated to:

A. appropriate civil authorities when there has been a crime committed.

B. management after the incident has been verified and the severity determined.

C. all affected stakeholders, including legal and the insurance carrier.

D. only to human resources (HR) and the legal department for appropriate action.

Answer: B

Communication regarding security events, particularly ones that have legal implications, is a business decision that is the
responsibility of management.
There are few, if any, circumstances where the information security manager should contact external authorities directly.
It is also the decision of management to determine which stakeholders and external entities should be informed.
This process should be detailed in the enterprise's incident response communication plan.


Question # 746

After a significant security breach has occurred, what is the MOST important item to report to the chief information
officer (CIO)?

A. A summary of the security logs that illustrates the sequence of events

B. An analysis of the impact of similar attacks at other organizations

C. A business case for implementing stronger logical access controls

D. The impact of the incident and corrective actions taken

Answer: D

The actual impact to the organization and corrective actions taken would be the most important item to share with the
CIO.
A summary of security logs would be too technical to report to the CIO.
An analysis of the impact of similar attacks would be helpful, but is not the most important item to report.
A business case for implementing stronger controls would be helpful to report to management, but is not the most
important item to report, and would be subsequent to reporting impact and corrective actions.

Question # 747

In a large organization, effective management of security incidents will be MOST dependent on:

A. clear policies detailing incident severity levels.

B. broadly dispersed intrusion detection capabilities.

C. training employees to recognize security incidents.

D. effective communication and reporting processes.

Answer: D

Timely communication and reporting is most likely to ensure that the information security manager receives the
information necessary to effectively manage a security incident.
Effective communication will also help ensure that the correct resources are engaged at the appropriate time.
Understanding severity levels is important, but on its own is not sufficient to ensure that the information security
manager is able to manage the incident effectively.
Intrusion detection is useful for detecting potential network security incidents, but without robust communication and
reporting processes, the tool is less effective.
Conducting awareness training so individuals can recognize potential incidents is important, but not effective unless the
information is communicated to the right people in a timely manner.

(TS-4.9) Conduct post incident reviews to determine the root cause of information security incidents, develop
corrective actions, reassess risk, evaluate response effectiveness and take appropriate remedial actions.

Question # 748

The PRIMARY purpose of involving third-party teams for carrying out post event reviews of information security
incidents is to:

A. enable independent and objective review of the root cause of the incidents.

B. obtain support for enhancing the expertise of the third-party teams.

C. identify lessons learned for further improving the information security management process.

D. obtain better buy-in for the information security program.

Answer: A

It is always desirable to avoid the conflict of interest involved in having the information security team carry out the post
event review.
Obtaining support for enhancing the expertise of the third-party teams is one of the advantages, but is not the primary
driver.
Identifying lessons learned for further improving the information security management process is the general purpose of
carrying out the post event review.
Obtaining better buy-in for the information security program is not a valid reason for involving third-party teams.

Question # 749

The MOST important objective of a post incident review is to:

A. capture lessons learned to improve the process.

B. develop a process for continuous improvement.

C. develop a business case for the security program budget.

D. identify new incident management tools.

Answer: A

The main purpose of a post incident review is to identify areas of improvement in the process.
Developing a process for continuous improvement is not true in every case.
Developing a business case for the security program budget and identifying new incident management tools may come
from the analysis of the incident, but are not the key objectives.

Post incident review

Question # 750

Which of the following is the BEST mechanism to determine the effectiveness of the incident response process?

A. Incident response metrics

B. Periodic auditing of the incident response process

C. Action recording and review

D. Post incident review

Answer: D

Post event reviews are designed to identify gaps and shortcomings in the actual incident response process so that the
process can be improved over time.
The other choices will not provide the same level of feedback in improving the process.

Question # 751

The typical requirement for security incidents to be resolved quickly and service restored is:

A. always the best option for an enterprise.

B. often in conflict with effective problem management.

C. the basis for enterprise risk management (ERM) activities.

D. a component of forensics training.

Answer: B

Problem management is focused on investigating and uncovering the root cause of incidents, which is often hampered
when restoring service compromises the evidence needed.
Quickly restoring service will not always be the best option, such as in cases of criminal activity, which require
preservation of evidence and so preclude use of the systems involved.
Managing risk goes beyond the quick restoration of services, e.g., if doing so increased some other risk disproportionately.
Forensics is concerned with legally adequate collection and preservation of evidence, not with service continuity.

Question # 752

The PRIMARY reason for senior management review of information security incidents is to:

A. ensure adequate corrective actions were implemented.

B. demonstrate management commitment to the information security process.

C. evaluate the incident response process for deficiencies.

D. evaluate the ability of the security team.

Answer: A


Although some corrective actions are being taken by the security team and the incident response team, management
review will determine whether there are any other corrective actions that need to be taken.
Sometimes this will result in improvements to information security policies.
Management will not review information security incidents merely to demonstrate management commitment.
Management will not perform a review for fault finding, such as examining the incident response process for deficiencies
or the ability of the security team.

Question # 753

Which of the following is the MOST important area of focus when examining potential security compromise of a new
wireless network?

A. Signal strength

B. Number of administrators

C. Bandwidth

D. Encryption strength

Answer: B

The number of individuals with access to the network configuration presents a security risk.
Encryption strength is an area where wireless networks tend to fall short; however, the potential to compromise the
entire network is higher when an inappropriate number of people can alter the configuration.
Signal strength and network bandwidth are secondary issues.

(TS-4.10) Establish and maintain integration among the incident response plan, disaster recovery plan and
business continuity plan.

Question # 754

Which of the following should be determined FIRST when establishing a business continuity program?

A. Cost to rebuild information processing facilities

B. Incremental daily cost of the unavailability of systems

C. Location and cost of offsite recovery facilities

D. Composition and mission of individual recovery teams

Answer: B

Prior to creating a detailed business continuity plan, it is important to determine the incremental daily cost of losing
different systems.
This will allow recovery time objectives to be determined which, in turn, affects the location and cost of offsite recovery
facilities, and the composition and mission of individual recovery teams.
Determining the cost to rebuild information processing facilities would not be the first thing to determine.

Question # 755

A company has a network of branch offices with local file/print and mail servers; each branch individually contracts a
hot site. Which of the following would be the GREATEST weakness in recovery capability?

A. Exclusive use of the hot site is limited to six weeks

B. The hot site may have to be shared with other customers

C. The time of declaration determines site access priority

D. The provider services all major companies in the area

Answer: D

Sharing a hot site facility is sometimes necessary in the case of a major disaster.
Also, first come, first served usually determines priority of access based on general industry practice.
Access to a hot site is not indefinite; the recovery plan should address a long-term outage.
In case of a disaster affecting a localized geographical area, the vendor's facility and capabilities could be insufficient for
all of its clients, which will all be competing for the same resource.
Preference will likely be given to the larger corporations, possibly delaying the recovery of a branch that will likely be
smaller than other clients based locally.

Integrate incident response plan, DR plan and BCP

Question # 756

Which of the following is the MOST important to ensure a successful recovery?

A. Backup media is stored offsite

B. Recovery location is secure and accessible

C. More than one hot site is available

D. Network alternate links are regularly tested

Answer: A

Unless backup media are available, all other preparations become meaningless.
Recovery site location and security are important, but would not prevent recovery in a disaster situation.
Having a secondary hot site is also important, but not as important as having backup media available.
Similarly, alternate data communication lines should be tested regularly and successfully but, again, this is not as critical.

Question # 757

Which of the following is the MOST important element to ensure the success of a disaster recovery test at a
vendor-provided hot site?

A. Tests are scheduled on weekends

B. Network IP addresses are predefined

C. Equipment at the hot site is identical

D. Business management actively participates

Answer: D

Disaster recovery testing requires the allocation of sufficient resources to be successful.
Without the support of management, these resources will not be available, and testing will suffer as a result.
Testing on weekends can be advantageous but this is not the most important choice.
As vendor-provided hot sites are in a state of constant change, it is not always possible to have network addresses
defined in advance.
Although it would be ideal to provide for identical equipment at the hot site, this is not always practical as multiple
customers must be served and equipment specifications will therefore vary.


Question # 758

At the conclusion of a disaster recovery test, which of the following should ALWAYS be performed prior to leaving the
vendor's hot site facility?

A. Erase data and software from devices

B. Conduct a meeting to evaluate the test

C. Complete an assessment of the hot site provider

D. Evaluate the results from all test scripts

Answer: A

For security and privacy reasons, all organizational data and software should be erased prior to departure.
Evaluations can occur back at the office after everyone is rested, and the overall results can be discussed and compared
objectively.

Question # 759

An organization with multiple data centers has designated one of its own facilities as the recovery site.
The MOST important concern is the:

A. communication line capacity between data centers.

B. current processing capacity loads at data centers.

C. differences in logical security at each center.

D. synchronization of system software release versions.

Answer: B

If data centers are operating at or near capacity, it may prove difficult to recover critical operations at an alternate data
center.
Although line capacity is important from a mirroring perspective, this is secondary to having the necessary capacity to
restore critical systems.
By comparison, differences in logical and physical security and synchronization of system software releases are much
easier issues to overcome and are, therefore, of less concern.

Question # 760

Which of the following is MOST important in determining whether a disaster recovery test is successful?

A. Only business data files from offsite storage are used

B. IT staff fully recovers the processing infrastructure

C. Critical business processes are duplicated

D. All systems are restored within recovery time objectives (RTOs)


Answer: C

To ensure that a disaster recovery test is successful, it is most important to determine whether all critical business
functions were successfully recovered and duplicated.
Although ensuring that only materials taken from offsite storage are used in the test is important, this is not as critical in
determining a test's success.
While full recovery of the processing infrastructure is a key recovery milestone, it does not ensure the success of a test.
Achieving the RTOs is another important milestone, but does not necessarily prove that the critical business functions can
be conducted, due to interdependencies with other applications and key elements such as data, staff, manual processes,
materials and accessories, etc.

Question # 761

Which of the following is MOST important when deciding whether to build an alternate facility or subscribe to a
third-party hot site?

A. Cost to build a redundant processing facility and invocation

B. Daily cost of losing critical systems and recovery time objectives (RTOs)

C. Infrastructure complexity and system sensitivity

D. Criticality results from the business impact analysis (BIA)

Answer: C

The complexity and business sensitivity of the processing infrastructure and operations largely determines the viability of
such an option;
the concern is whether the recovery site meets the operational and security needs of the organization.
The cost to build a redundant facility is not relevant since only a fraction of the total processing capacity is considered
critical at the time of the disaster and recurring contract costs would accrue over time.
Invocation costs are not a factor because they will be the same regardless.
The incremental daily cost of losing different systems and the recovery time objectives (RTOs) do not distinguish whether
a commercial facility is chosen.
Resulting criticality from the business impact analysis (BIA) will determine the scope and timeline of the recovery efforts,
regardless of the recovery location.

Question # 762

Which of the following terms and conditions represent a significant deficiency if included in a commercial hot site
contract?

A. A hot site facility will be shared in multiple disaster declarations

B. All equipment is provided “at time of disaster, not on floor”

C. The facility is subject to a “first-come, first-served” policy

D. Equipment may be substituted with equivalent models

Answer: B


Equipment provided “at time of disaster (ATOD), not on floor” means that the equipment is not available but will be
acquired by the commercial hot site provider on a best effort basis.
This leaves the customer at the mercy of the marketplace.
If equipment is not immediately available, the recovery will be delayed.
Many commercial providers do require sharing facilities in cases where there are multiple simultaneous declarations, and
that priority may be established on a first-come, first-served basis.
It is also common for the provider to substitute equivalent or better equipment, as they are frequently upgrading and
changing equipment.

Question # 763

Which of the following is the MOST important element to ensure the successful recovery of a business during a
disaster?

A. Detailed technical recovery plans are maintained offsite

B. Network redundancy is maintained through separate providers

C. Hot site equipment needs are recertified on a regular basis

D. Appropriate declaration criteria have been established

Answer: A

In a major disaster, staff can be injured or can be prevented from traveling to the hot site, so technical skills and business
knowledge can be lost.
It is therefore critical to maintain an updated copy of the detailed recovery plan at an offsite location.
Continuity of the business requires adequate network redundancy,
hot site infrastructure that is certified as compatible, and clear criteria for declaring a disaster.
Ideally, the business continuity program addresses all of these satisfactorily.
However, in a disaster situation, where all these elements are present, but without the detailed technical plan, business
recovery will be seriously impaired.

Question # 764

The business continuity policy should contain which of the following?

A. Emergency call trees

B. Recovery criteria

C. Business impact assessment (BIA)

D. Critical backups inventory

Answer: B

Recovery criteria, indicating the circumstances under which specific actions are undertaken, should be contained within a
business continuity policy.
Telephone trees, business impact assessments (BIAs) and listings of critical backup files are too detailed to include in a
policy document.


Question # 765

When an organization is using an automated tool to manage and house its business continuity plans, which of the
following is the PRIMARY concern?

A. Ensuring accessibility should a disaster occur

B. Versioning control as plans are modified

C. Broken hyperlinks to resources stored elsewhere

D. Tracking changes in personnel and plan assets

Answer: A

If all of the plans exist only in electronic form, this presents a serious weakness if the electronic version is dependent on
restoration of the intranet or other systems that are no longer available.
Versioning control and tracking changes in personnel and plan assets is actually easier with an automated system.
Broken hyperlinks are a concern, but less serious than plan accessibility.

Question # 766

When performing a business impact analysis (BIA), which of the following should calculate the recovery time and cost
estimates?

A. Business continuity coordinator

B. Information security manager

C. Business process owners

D. IT management

Answer: C

Business process owners are in the best position to understand the true impact on the business that a system outage
would create.
The business continuity coordinator, IT management and even the information security manager will not be able to
provide that level of detailed knowledge.

Question # 767

Which of the following is MOST closely associated with a business continuity program?

A. Confirming that detailed technical recovery plans exist

B. Periodically testing network redundancy

C. Updating the hot site equipment configuration every quarter

D. Developing recovery time objectives (RTOs) for critical functions

Answer: D


Technical recovery plans, network redundancy and equipment needs are all associated with infrastructure disaster
recovery.
Only recovery time objectives (RTOs) directly relate to business continuity.

Question # 768

Which of the following application systems should have the shortest recovery time objective (RTO)?

A. Contractor payroll

B. Change management

C. E-commerce web site

D. Fixed asset system

Answer: C

In most businesses where an e-commerce site is in place, it would need to be restored in a matter of hours, if not
minutes.
Contractor payroll, change management and fixed assets would not require as rapid a recovery time.

Question # 769

Detailed business continuity plans should be based PRIMARILY on:

A. consideration of different alternatives.

B. the solution that is least expensive.

C. strategies that cover all applications.

D. strategies validated by senior management.

Answer: D

A recovery strategy identifies the best way to recover a system in case of disaster and provides the guidance from which
detailed recovery procedures can be developed.
Different strategies should be developed and all alternatives presented to senior management.
Senior management should select the most appropriate strategy from the alternatives provided.
The selected strategy should be used for further development of the detailed business continuity plan.
The selection of strategy depends on criticality of the business process and applications supporting the processes.
It need not necessarily cover all applications.
All recovery strategies have associated costs, which include costs of preparing for disruptions and putting them to use in
the event of a disruption.
The latter can be insured against, but not the former.
The best recovery option need not be the least expensive.


Question # 770

Emergency actions are taken at the early stage of a disaster with the purpose of preventing injuries or loss of life and:

A. determining the extent of property damage.

B. preserving environmental conditions.

C. ensuring orderly plan activation.

D. reducing the extent of operational damage.

Answer: D

During an incident, emergency actions should minimize or eliminate casualties and damage to the business operation,
thus reducing business interruptions.
Determining the extent of property damage is not the consideration;
emergency actions should minimize, not determine, the extent of the damage.
Protecting/preserving environmental conditions may not be relevant.
Ensuring orderly plan activation is important but not as critical as reducing damage to the operation.

Question # 771

When designing the technical solution for a disaster recovery site, the PRIMARY factor that should be taken into
consideration is the:

A. services delivery objective.

B. recovery time objective (RTO).

C. recovery window.

D. maximum tolerable outage (MTO).

Answer: C

The length of the recovery window is defined by business management and determines the acceptable time frame
between a disaster and the restoration of critical services/applications.
The technical implementation of the disaster recovery (DR) site will be based on this constraint,
especially the choice between a hot, warm or cold site.
The service delivery objective is supported during the alternate process mode until the normal situation is restored,
which is directly related to business needs.
The recovery time objective (RTO) is commonly agreed to be the time frame between a disaster and the return to normal
operations.
It is therefore longer than the interruption window and is very difficult to estimate in advance.
The time frame between the reduced operation mode at the end of the interruption window and the return to normal
operations depends on the magnitude of the disaster.
Technical disaster recovery solutions alone will not be used for returning to normal operations.
Maximum tolerable outage (MTO) is the maximum time acceptable by a company operating in reduced mode before
experiencing losses. Theoretically, recovery time objectives (RTOs) equal the interruption window plus the maximum
tolerable outage. This will not be the primary factor for the choice of the technical disaster recovery solution.


Question # 772

In designing a backup strategy that will be consistent with a disaster recovery strategy, the PRIMARY factor to be taken
into account will be the:

A. volume of sensitive data.

B. recovery point objective (RPO).

C. recovery time objective (RTO).

D. interruption window.

Answer: B (*)

The recovery point objective (RPO) defines the maximum loss of data (in terms of time) acceptable by the business
(i.e., age of data to be restored).
It will directly determine the basic elements of the backup strategy -
frequency of the backups and what kind of backup is the most appropriate (disk-to-disk, on tape, mirroring).
The volume of data will be used to determine the capacity of the backup solution.
The recovery time objective (RTO) - the time between disaster and return to normal operation - will not have any impact
on the backup strategy.
The ability to restore backups in a time frame consistent with the interruption window will have to be checked and
will influence the strategy (e.g., full backup vs. incremental), but this will not be the primary factor.

Question # 773

Which of the following provides the BEST confirmation that the business continuity/disaster recovery plan objectives
have been achieved?

A. The recovery time objective (RTO) was not exceeded during testing

B. Objective testing of the business continuity/disaster recovery plan has been carried out consistently

C. The recovery point objective (RPO) was proved inadequate by disaster recovery plan testing

D. Information assets have been valued and assigned to owners per the business continuity plan/disaster recovery plan

Answer: A

Consistent achievement of recovery time objectives (RTOs) during testing provides the most objective evidence
that business continuity/disaster recovery plan objectives have been achieved.
The successful testing of the business continuity/disaster recovery plan within the stated RTO objectives is the most
indicative evidence that the business needs are being met.
Objective testing of the business continuity/disaster recovery plan will not serve as a basis for evaluating the alignment of
the risk management process in business continuity/disaster recovery planning.
Mere valuation and assignment of information assets to owners (per the business continuity/disaster recovery plan) will
not serve as a basis for evaluating the alignment of the risk management process in business continuity/disaster recovery
planning.


Question # 774

An organization keeps backup tapes of its servers at a warm site. To ensure that the tapes are properly maintained and
usable during a system crash, the MOST appropriate measure the organization should perform is to:

A. use the test equipment in the warm site facility to read the tapes.

B. periodically retrieve the tapes from the warm site and test them.

C. have duplicate equipment available at the warm site.

D. inspect the facility and inventory the tapes on a quarterly basis.

Answer: B

A warm site is not fully equipped with the company's main systems; therefore, the tapes should be periodically tested
using the company's production systems.
Inspecting the facility and checking the tape inventory does not guarantee that the tapes are usable.

Question # 775

Which of the following processes is critical for deciding prioritization of actions in a business continuity plan?

A. Business impact analysis (BIA)

B. Risk assessment

C. Vulnerability assessment

D. Business process mapping

Answer: A (*****)

A business impact analysis (BIA) provides results, such as impact from a security incident and required response times.
The BIA is the most critical process for deciding which part of the information system/business process should be given
prioritization in case of a security incident.
Risk assessment is a very important process for the creation of a business continuity plan.
Risk assessment provides information on the likelihood of occurrence of security incidents and assists in the selection of
countermeasures, but not in the prioritization.
As in choice B, a vulnerability assessment provides information regarding the security weaknesses of the system,
supporting the risk analysis process.
Business process mapping facilitates the creation of the plan by providing mapping guidance on actions after the decision
on critical business processes has been made - translating business prioritization to IT prioritization.
Business process mapping does not help in making a decision, but in implementing a decision.

Integrate incident response plan, DR plan and BCP

Question # 776

In addition to backup data, which of the following is the MOST important to store offsite in the event of a disaster?

A. Copies of critical contracts and service level agreements (SLAs)

B. Copies of the business continuity plan

C. Key software escrow agreements for the purchased systems

D. List of emergency numbers of service providers

Answer: B

Without a copy of the business continuity plan, recovery efforts would be severely hampered or may not be effective.
All other choices would not be as immediately critical as the business continuity plan itself.
The business continuity plan would contain a list of the emergency numbers of service providers.

Question # 777

The PRIMARY consideration when defining recovery time objectives (RTOs) for information assets is:

A. regulatory requirements.

B. business requirements.

C. financial value.

D. IT resource availability.

Answer: B

The criticality to the business should always drive the decision.
Regulatory requirements could be more flexible than business needs.
The financial value of an asset may not correspond to its business value.
While a consideration, IT resource availability is not a primary factor.

Question # 778

Which of the following would be a MAJOR consideration for an organization defining its business continuity plan (BCP)
or disaster recovery program (DRP)?

A. Setting up a backup site

B. Maintaining redundant systems

C. Aligning with recovery time objectives (RTOs)

D. Data backup frequency

Answer: C


BCP/DRP should align with business RTOs.
The RTO represents the amount of time allowed for the recovery of a business function or resource after a disaster
occurs.
The RTO must be taken into consideration when prioritizing systems for recovery efforts to ensure that those systems
that the business requires first are the ones that are recovered first.

Question # 779

Which of the following recovery strategies has the GREATEST chance of failure?

A. Hot site

B. Redundant site

C. Reciprocal arrangement

D. Cold site

Answer: C (*****)

A reciprocal arrangement is an agreement that allows two organizations to back up each other during a disaster.
This approach sounds desirable, but has the greatest chance of failure due to problems in keeping agreements and plans
up to date.
A hot site is incorrect because it is a site kept fully equipped with processing capabilities and other services by the vendor.
A redundant site is incorrect because it is a site equipped and configured exactly like the primary site.
A cold site is incorrect because it is a building having a basic environment such as electrical wiring, air conditioning,
flooring, etc. and is ready to receive equipment in order to operate.

Question # 780

Recovery point objectives (RPOs) can be used to determine which of the following?

A. Maximum tolerable period of data loss

B. Maximum tolerable downtime

C. Baseline for operational resiliency

D. Time to restore backups

Answer: A

The RPO is determined based on the acceptable data loss in the case of disruption of operations.
It indicates the farthest point in time prior to the incident to which it is acceptable to recover the data.
RPO effectively quantifies the permissible amount of data loss in the case of interruption.
It also dictates the frequency of backups required for a given data set since the smaller the allowable gap in data, the
more frequent that backups must occur.


Question # 781

Which of the following disaster recovery testing techniques is the MOST cost-effective way to determine the
effectiveness of the plan?

A. Preparedness tests

B. Paper tests

C. Full operational tests

D. Actual service disruption

Answer: A

Preparedness tests involve simulating the entire plan in phases and help the team better understand and
prepare for the actual test scenario.
Choices B, C and D are not cost-effective ways to establish plan effectiveness.
Paper tests in a walk-through do not include simulation, so there is less learning and it is difficult to obtain evidence
that the team has understood the test plan.
Choice D is not recommended in most cases.
Choice C would require approval from management, is not easy or practical to test in most scenarios and may itself
trigger a disaster.

Question # 782

The BEST time to determine who should be responsible for declaring a disaster is:

A. during the establishment of the plan.

B. once an incident has been confirmed by operations staff.

C. after fully testing the incident management plan.

D. after the implementation details of the plan have been approved.

Answer: A

Roles and responsibilities for all involved in incident response should be established when the incident response plan is
established.
Determining roles and responsibilities during a disaster is not the best time to make such decisions, unless it is absolutely
necessary.
While testing the plan may drive some changes in roles based on test results, roles (including who declares the disaster)
should have been established before testing and plan approval.


Question # 783

Which of the following should be the FIRST action to take when a fire spreads throughout the building?

A. Check the facility access logs.

B. Call together the crisis management team.

C. Launch the disaster recovery plan (DRP).

D. Launch the business continuity plan (BCP).

Answer: A

Safety of people always comes first; therefore, verifying the facility access logs of personnel should be the first action
in order to ensure that all staff can be accounted for.
Calling the crisis management team together should be done after the initial emergency response (i.e., evacuation of
people).
Launching the DRP or the BCP is not the first action.

Question # 784

Which of the following tests gives the MOST assurance that a business continuity plan (BCP) works, without potentially
impacting business operations?

A. Checklist tests

B. Simulation tests

C. Walk-through tests

D. Full operational tests

Answer: B

Business continuity coordinators come together to practice executing a plan based on a specific scenario.
This does not interrupt normal operations and provides the most assurance of the given nonintrusive methods.
With checklist tests, copies of the BCP are distributed to various persons for review.
In these tests, people do not exercise a plan.
In walk-through tests, representatives come together to go over the plan (one or more scenarios) and ensure the plan's
accuracy. The plan itself is not executed.
Full operational tests are the most intrusive to regular operations and business productivity.
The original site is actually shut down and processing is performed at another site, thus providing the most assurance, but
interrupting normal business productivity.


Question # 785

Observations made by staff during a disaster recovery test are PRIMARILY reviewed to:

A. identify people who have not followed the process.

B. determine lessons learned.

C. identify equipment that is needed.

D. maintain evidence of review.

Answer: B

After a test, results should be reviewed to ensure that lessons learned are applied.
It is not the aim of observation to identify people who have not followed the process.
Identifying equipment that is needed may be part of the lessons learned, but is not the sole reason for the review.
Review is conducted not only to maintain evidence, but to make improvements.

Question # 786

The PRIMARY selection criterion for an offsite media storage facility is:

A. that the primary and offsite facilities not be subject to the same environmental disasters.

B. that the offsite storage facility be in close proximity to the primary site.

C. the overall storage and maintenance costs of the offsite facility.

D. the availability of cost-effective media transportation services.

Answer: A

It is important to prevent a single disaster from affecting both sites.
The distance between sites may be important in cases of widespread disasters; however, this is covered by choice A.
Cost should not be the primary criterion for selection.
A cost-effective media transport service may be a consideration, but is not the main concern.

Question # 787

The recovery time objective (RTO) is reached at which of the following milestones?

A. Disaster declaration

B. Recovery of the backups

C. Restoration of the system

D. Return to business as usual processing

Answer: C (*)


The recovery time objective (RTO) is based on the amount of time required to restore a system;
disaster declaration occurs at the beginning of this period.
Recovery of the backups occurs shortly after the beginning of this period.
Return to business as usual processing occurs significantly later than the RTO.
RTO is an “objective,” and full restoration may or may not coincide with the RTO.
RTO can be the minimum acceptable operational level, far short of normal operations.

Question # 788

The recovery point objective (RPO) requires which of the following?

A. Disaster declaration

B. Before-image restoration

C. System restoration

D. After-image processing

Answer: B (***)

The recovery point objective (RPO) is the point in the processing flow at which system recovery should occur.
This is the predetermined state of the application processing and data used to restore the system and to continue the
processing flow.
Disaster declaration is independent of this processing checkpoint.
Restoration of the system can occur at a later date, as does the return to normal, after-image processing.

Question # 789

Who would be in the BEST position to determine the recovery point objective (RPO) for business applications?

A. Business continuity coordinator

B. Chief operations officer (COO)

C. Information security manager

D. Internal audit

Answer: B

The recovery point objective (RPO) is the processing checkpoint to which systems are recovered.
In addition to data owners, the chief operations officer (COO) is the most knowledgeable person to make this decision.
It would be inappropriate for the information security manager or an internal audit to determine the RPO because they
are not directly responsible for the data or the operation.


Question # 790

Which of the following should be the PRIMARY basis for making a decision to establish an alternate site for disaster
recovery?

A. A business impact analysis (BIA), which identifies the requirements for continuous availability of critical business
processes

B. Adequate distance between the primary site and the alternate site so that the same disaster does not simultaneously
impact both sites

C. A benchmarking analysis of similarly situated enterprises in the same geographic region to demonstrate due
diligence

D. Differences between the regulatory requirements applicable at the primary site and those at the alternate site

Answer: A

The BIA will help determine the recovery time objective (RTO) and recovery point objective (RPO) for the enterprise.
This information will drive the decision on the appropriate level of protection for its assets.
Natural disasters and regulatory requirements are just two of many factors that an enterprise must consider when it
decides whether to pursue an alternate site for disaster recovery.
While a benchmark could provide useful information, the decision should be based on a BIA, which considers factors
specific to the enterprise.

Question # 791

During a business continuity plan (BCP) test, one department discovered that its new software application was not
going to be restored soon enough to meet the needs of the business. This situation can be avoided in the future by:

A. conducting a periodic and event-driven business impact analysis (BIA) to determine the needs of the business during
a recovery.

B. assigning new applications a higher degree of importance and scheduling them for recovery first.

C. developing a help-desk ticket process that allows departments to request recovery of software during a disaster.

D. conducting a thorough risk assessment prior to purchasing the software.

Answer: A

A periodic BIA can help compensate for changes in the needs of the business for recovery during a disaster.
Choice B is an incorrect assumption regarding the automatic importance of a new program.
Choice C is not an appropriate recovery procedure because it allows individual business units to make unilateral decisions
without consideration of broader implications.
The risk assessment may not include the BIA.


Question # 792

Which of the following is the BEST indicator that operational risks are effectively managed in an enterprise?

A. A tested business continuity/disaster recovery plan (BCP/DRP)

B. An increase in timely reporting of incidents by employees

C. Extent of risk management education

D. Regular review of risks by senior management

Answer: A

A tested BCP/DRP is the best indicator that operational risks are managed effectively in the enterprise.
Reporting incidents by employees is an indicator, but not the best choice because it is dependent upon the knowledge of
the employees.
Extent of risk management education is not correct since this may not necessarily indicate that risks are effectively
managed in the enterprise.
A high level of risk management education would help, but would not necessarily mean that risks are managed effectively.
Regular review of risks by senior management is not correct since this may not necessarily indicate that risks are
effectively managed in the enterprise.
Top management involvement would greatly help, but would not necessarily mean that risks are managed effectively.

Question # 793

The acceptability of a partial system recovery after a security incident is MOST likely to be based on the:

A. ability to resume normal operations.

B. maximum tolerable outage (MTO).

C. service delivery objective (SDO).

D. acceptable interruption window (AIW).

Answer: C (*****)

A prior determination of acceptable levels of operation in the event of an outage is the SDO.
The SDO may be set at less than normal operation levels, but sufficient to sustain essential business functions.
The ability to resume normal operations is situational and would not be a standard for acceptability.
While the MTO and the AIW, in addition to many other factors, are parts of an SDO, neither the MTO nor the AIW, by
itself, addresses the acceptability of a specific level of operational recovery.


Question # 794

Which of the following is the MOST effective method to ensure that a business continuity plan (BCP) meets an
organization's needs?

A. Require quarterly updating of the BCP.

B. Automate the survey of plan owners to obtain input to the plan.

C. Periodically test the cross-departmental plan with varied scenarios.

D. Conduct face-to-face meetings with management for discussion and analysis.

Answer: C

Cross-departmental testing of a plan with varied scenarios is most effective in determining the validity of a BCP.
Quarterly updates do not establish that a plan meets the organization's needs.
Face-to-face meetings and automated surveys are methods that could be used during testing, but on their own are not
sufficient.

Question # 795

When performing a business impact analysis (BIA), which of the following would be the MOST appropriate to calculate
the recovery time and cost estimates?

A. Information security manager

B. Information owners

C. Business continuity coordinator

D. Information technology (IT) operations manager

Answer: B

Information owners are in the best position to understand the true business impact that a specific system outage would
create.
The other roles listed cannot provide that level of detailed knowledge unless they happen to be the owners of a particular
information set.

Question # 796

During the recovery process following a natural disaster, a server that hosts an important new customer-facing web
service was among the last systems restored, resulting in significant lost sales. Which of the following is the BEST
approach to prevent this from happening again?

A. Regularly review and update the business impact analysis (BIA).

B. Improve incident identification methods.

C. Ensure that the sales department has representation on the recovery team.

D. Establish a warm site for recovery purposes.


Answer: A

The purpose of a BIA is to help stakeholders understand the impact of system downtime to key business processes.
This process will help to prioritize the sequence of recovery for primary and supporting systems to meet the most
important needs of the business first.
Better incident identification would not resolve the issue because incident response without a BIA to reference would not
address prioritization.
Representation of the sales department on the recovery team does not ensure that the appropriate systems will be
restored first, and could actually hinder the process.
The establishment of a warm site would ensure that there is a site for recovery purposes, but would not necessarily result
in systems being restored in the proper sequence.

Question # 797

Which of the following is the MOST significant risk of using reciprocal agreements for disaster recovery?

A. Both entities are vulnerable to the same threat.

B. The contract contains legal inadequacies.

C. The cultures of the organizations are not compatible.

D. One party has more frequent disruptions.

Answer: A

The use of reciprocal disaster recovery is based on the hope that both organizations will not suffer a disaster at the same
time - which is not always a safe assumption.
Inadequate contracts can be a risk, but generally a lesser one.
While incompatible cultures can create problems, this is less of a risk than the scenario of both enterprises being
impacted by a disaster simultaneously.
While one party may utilize the other's resources more frequently, this can be addressed by contractual provisions and is
not a major risk.

Question # 798

Proximity factors must be considered when:

A. conducting a business impact assessment.

B. conducting a table-top business continuity test.

C. developing disaster recovery metrics.

D. selecting an alternate recovery site.

Answer: D

Proximity to the primary site, the scope of potential hazards, and their possible impact on the recovery site are important
considerations when selecting the location of a recovery site.
Proximity to hazards is not a primary consideration in the other choices.


Question # 799

When establishing recovery time objectives (RTOs) during a business impact analysis (BIA), it is important to take into
consideration that the result:

A. may be cyclical, depending on the nature of the business and the information involved.

B. may remain consistent throughout a planning cycle, to allow for definition of planned recovery requirements.

C. may be based on the ability of information technology (IT) to recover services, not on the business recovery
requirements.

D. may not be based on cost of resolution, but on criticality of business recovery.

Answer: A

RTOs that are based on business requirements will often be cyclical, specifically when recovery of an application or
database is not as critical during certain time periods as it is during others (e.g., retail vendor ordering systems are
extremely critical during the winter holidays, but may not be as critical in February or March).
The other choices are not appropriate or primary considerations for an RTO.

Question # 800

An organization's chief information security officer (CISO) would like to ensure that operations are prioritized correctly
for recovery in case of a disaster. Which of the following would be the BEST to use?

A. A business impact assessment

B. An organization risk assessment

C. A business process map

D. A threat statement

Answer: A

Business impact assessments ensure that operations are prioritized correctly for recovery in case of a disaster.
The other choices on their own would not directly support prioritization of system recovery.
