〇：Trademarks

Intellectual property can be protected by several different laws, depending on the type of resource. Trademarks are used to protect words, names, symbols, sounds, shapes, colors, or combinations of these, such as logos. The reason a company registers one of these trademarks, or a combination of these trademarks, is to represent their company (brand identity) to the world. Therefore, the correct answer is “trademark”.

×：Patent

A patent is a monopoly right to use a technology for something that is very difficult to invent, such as a medicine.

×：Copyright

A copyright is a right to something that is not technical, such as music or a book, but something that is thought up and created.

×：Trade Secrets

Trade secrets are information that is useful and confidential as a business activity, such as customer information, product technology and manufacturing methods.

〇：To issue ethics-related statements on the use of the Internet.

The Internet Architecture Board (IAB) is the coordinating committee for the design, engineering, and management of the Internet. It is responsible for monitoring and appealing Internet Engineering Task Force (IETF) activities, the Internet standards process, and the architecture of Request for Comments (RFC) editors. The IAB issues ethics-related statements on the use of the Internet. The Internet is a resource that depends on availability and accessibility and is considered useful to a wide range of people. Primarily, irresponsible behavior on the Internet may threaten its existence or adversely affect others.

×：Develop guidelines for criminal sentencing.

The IAB is incorrect because it has nothing to do with the Federal Court Guidelines, which are the rules judges use in determining the appropriate punitive sentence for certain felonies or misdemeanors committed by individuals or businesses. The Guidelines serve as the uniform sentencing policy for entities committing felonies and/or gross misdemeanors in the U.S. federal court system.

×：Edit RFC.

The Internet Architecture Board is responsible for editing RFCs (Request for Comments), which is incorrect because this task is not ethics-related. This answer is a distraction.

×：Maintain the Ten Commandments of Computer Ethics.

This is incorrect because the Institute for Computer Ethics, not the IAB, develops and maintains the Ten Commandments of Computer Ethics. The Institute for Computer Ethics is a non-profit organization that works to advance technology through ethical means.

〇：Trojan Horse

A Trojan horse is a seemingly harmless piece of malware that is contagious. Have you ever downloaded a nasty image and suddenly your computer stopped working?

×：Spyware

Spyware is malware that looks harmless when it does its evil. It secretly takes information from your computer to the outside.

×：Virus

Viruses are malware that can spread without user intervention and attach itself to other programs. It looks harmless but does not match in that it downloads applications.

×：Data diddlers

A data diddler is malware that gradually changes data over time.

Copyright applies to books, art, music, software, etc. It is granted automatically and is valid for 70 years after the creator’s death and 95 years after creation. Therefore, the correct answer is “70 years”.

〇：Extraction of data shared with unauthorized entities

This is a problem of selecting unrelated items. Extraction of data shared with unauthorized entities is a confidentiality issue. Although it is complicatedly worded, the operations on the data are unauthorized and extraction, and none of them include the destruction of data, which is the primary focus of integrity. Therefore, the correct answer is “extraction of data shared with unauthorized entities.

In solving this problem, it is not necessary to know what an entity is. The focus is on whether any modification or destruction has taken place.

×：Unauthorized manipulation or alteration of data

Mistake. Because integrity is associated with unauthorized manipulation or alteration of data. Integrity is maintained when unauthorized modification is prevented. Hardware, software, and communication mechanisms must work together to correctly maintain and process data and move data to its intended destination without unexpected changes. Systems and networks must be protected from outside interference and contamination.

×：Unauthorized data modification

Unauthorized data modification is a mistake as it relates to integrity. Integrity is about protecting data, not changing it by users or other systems without authorization.

×：Intentional or accidental data substitution

Incorrect because intentional or accidental data substitution is associated with integrity. Integrity is maintained when assurances of the accuracy and reliability of information and systems are provided along with assurances that data will not be tampered with by unauthorized entities. An environment that enforces integrity prevents attacks, for example, the insertion of viruses, logic bombs, or backdoors into the system that could corrupt or replace data. Users typically incorrectly affect the integrity of the system and its data (internal users may also perform malicious acts). For example, a user may insert incorrect values into a data processing application and charge a customer $3,000 instead of $300.

〇：Regular training to change employee attitudes

Behavior-directed controls are intended to direct the behavior required of employees as part of organizational management. Regular training that changes employee awareness falls under the action-directed type. Therefore, the correct answer is “Regular training to change employee attitudes”.

×：Remotely directed defenses using drone audits

This falls under reinforcing (compensating) defensive measures.

×：Defensive measures to be behavioral psychological barriers due to physical barriers

This is a physical (physically) defensive measure.

×：Developing recurrence prevention measures to review certain actions

This is a corrective measure.

P.A.S.T.A. is a seven-step process to find ways to protect the value of your assets while analyzing your compliance and business. P.A.S.T.A. provides a roadmap. Threat management processes and policies can be discovered. The main focus is on finding threats, which is where risk-centric thinking and simulation come into play.

The expected annual loss amount is the value of losses that could occur in the future, equalized on an annual basis based on the frequency of occurrence. Therefore, it is the Single Loss Expectancy (SLE) multiplied by the annual frequency of occurrence (ALO).

〇：Creating Data Collection Techniques

Of the steps listed, the first step in a Business Impact Analysis (BIA) is to create a data collection technique. The BCP committee will use questionnaires, surveys, and interviews to collect key person information on how different tasks are accomplished within the organization, along with any relevant dependencies of processes, transactions, or services. Process flow diagrams should be created from this data and used throughout the BIA and planning and development phases.

×：Risk calculations for each different business function

This is incorrect because the risk for each business function is calculated after the business function has been identified. And before that happens, the BCP team needs to collect data from key personnel. To calculate the risk for each business function, qualitative and quantitative impact information must be collected, properly analyzed, and interpreted. Once the data analysis is complete, it should be reviewed with the most knowledgeable people in the company to ensure that the results are relevant and to explain the actual risks and impacts facing the organization. This will flush out any additional data points that were not captured initially and allow for a full understanding of all possible business impacts.

×：Identifying Critical Business Functions

Image B is incorrect because the identification of critical business functions is done after the BCP committee has learned about the business functions that exist by interviewing and surveying key individuals. Once the data collection phase is complete, the BCP committee conducts an analysis to determine which processes, devices, or business activities are critical. If a system stands on its own, does not affect other systems, and is less critical, it can be classified as a Tier 2 or Tier 3 recovery step. In other words, these resources are not processed in the recovery phase until the most critical (Tier 1) resources are up and running.

×：Vulnerability and Threat Identification to Business Functions

This is not the first step and is incorrect because it identifies vulnerabilities and threats to business functions toward the end of the business impact analysis. It is the last of the steps listed in the answer. Threats can be man-made, natural, or technical. It is important to identify all possible threats and estimate their likelihood of occurring. When developing these plans, some issues may not be immediately apparent. These issues are best addressed by groups conducting scenario-based exercises. This ensures that when the threat becomes reality, the plan will have an impact on all business tasks, departments, and critical operations. The more issues that are planned for, the better prepared you will be should these events occur.

〇：Shoulder Surfing Attacks

Shoulder surfing is a type of browsing attack in which an attacker looks over the shoulder of another person to see what is being typed on that person’s monitor items or keyboard. Of the attacks listed, this is the easiest to perform in that it requires no knowledge of the computer system. Therefore, the correct answer is a shoulder surfing attack.

×：Dictionary attack

A dictionary attack is an unauthorized login that targets users who use words as passwords.

×：Side-channel attack

A side-channel attack is an attack that eavesdrops on system data from physical information.

×：Timing Attacks

A timing attack is an attack in which various input information is given to a device that processes ciphers, and the cipher key or other information is deduced from the difference in processing time. If processing time is taken, it can be inferred as a rough indication that the process is proceeding normally as a process, and so on.

〇：Digital Millennium Copyright Act

The Digital Millennium Copyright Act (DMCA) is a U.S. copyright law that makes it a crime, among other things, for technology to infringe upon the access control measures established to protect copyrighted material. Therefore, the correct answer is “Digital Millennium Copyright Act.

If you find a way to “unlock” a proprietary method of protecting an e-book, you can charge this act. Even if you do not share the actual copyrighted book with anyone, the specific law has been broken and you will be convicted.

×：COPPA

The Children’s Online Privacy Protection Act (COPPA) is a law that allows for the safe use of children’s sites on the Internet and prohibits children from being put at risk if they do not have any terms and conditions The law prohibits children from being endangered without any terms and conditions so that they can safely use the Internet for children.

×：Federal Privacy Act

There is no such law, but a close equivalent is the U.S. Federal Data Privacy Act. This would be a comprehensive privacy law at the federal level in the United States.

×：GDPR

The General Data Protection Regulation (GDPR) is a privacy law for EU citizens that is a stricter version of the Data Protection Directive.

〇：It encompasses network and code analysis and is sometimes referred to as electronic data discovery.

Forensics is the analysis of electronic data that may have been affected by technology, authentication, and criminal activity requiring special techniques to ensure the preservation of information. It comes together of computer science, information technology and engineering in the legal system. When discussing digital forensics with others, it may be described as computer forensics, network forensics, electronic data discovery, cyber forensics, etc.

×：The study of computer technology.

Digital forensics is incorrect because it involves information technology rather than research. It encompasses the study of information technology, but also includes collecting and protecting evidence and working within specific legal systems.

×：A set of hardware-specific processes that must be followed in order for evidence to be admissible in court.

Digital forensics is incorrect because it does not refer to hardware or software. It is a set of specific processes related to computer usage, examination of residual data, technical analysis and description of technical characteristics of the data, and reconstruction of the authentication of data by computer usage that must be followed for the evidence to be admissible in court.

×：Before an incident occurs, digital forensics roles and responsibilities should be assigned to network administrators.

This is wrong because digital forensics must be done by people with the proper training and skill set who could not possibly be administrators or network administrators. Digital forensics can be fragile and must have been worked on properly. If someone reboots an attacked system or inspects various files, it could corrupt and change executable evidence, key file timestamps, and erase any footprints the criminal may have left behind.

〇：Risk Mitigation

Risk can be addressed in four basic ways: transfer, avoidance, mitigation, and acceptance. Sue reduces the risk posed by her e-mail system by implementing security controls such as antivirus and anti-spam software. This is also referred to as risk mitigation, where risk is reduced to a level considered acceptable. Risk can be mitigated by improving procedures, changing the environment, erecting barriers to threats, and implementing early detection techniques to stop threats when they occur and reduce damage.

×：Risk Acceptance

This is inappropriate because risk acceptance does not involve spending on protection or countermeasures such as anti-virus software. When accepting a risk, one should be aware of the level of risk faced and the potential damage costs and decide to keep it without implementing countermeasures. If the cost/benefit ratio indicates that the cost of countermeasures exceeds the potential losses, many companies will accept the risk.

×：Risk Avoidance

Wrong because it would mean discontinuing the activity that is causing the risk. In this case, Sue’s firm decides to continue using e-mail. A company may choose to terminate an activity that introduces risk if the risk outweighs the business needs of the activity. For example, a company may choose to block social media websites in some departments because of the risk to employee productivity.

×：Risk Transfer

This is incorrect because it involves sharing risk with other entities, as in the purchase of insurance to transfer some of the risk to the insurance company. Many types of insurance are available to firms to protect their assets. If a company determines that its total or excess risk is too high to gamble, it can purchase insurance.

Users can logically guess the URL or path to access resources they should not. If an organization’s network has access to a report name ending in “financials_2017.pdf”, it is possible to guess other file names that should not be accessed, such as “financials_2018.pdf” or “financials.pdf”.

〇：Council of Europe Convention on Cybercrime

The Council of Europe (CoE) Convention on Cybercrime is an example of an attempt to create a standard international response to cybercrime. It is the first international treaty to address computer crime by coordinating national laws and improving investigative techniques and international cooperation. The treaty’s objectives include creating a framework to bind the jurisdiction of the accused and the perpetrators of the crimes. For example, extradition is possible only if the case is a crime in both countries.

×：World Congress Council on Cybercrime

The World Congress Council on Cybercrime is misleading and therefore wrong. The official name of the Convention is the Council of Europe’s Convention on Cybercrime. It establishes comprehensive legislation against cybercrime and serves as a framework for international cooperation among the signatories to the Convention to guide all countries.

×：Organization for Economic Cooperation and Development (OECD)

Image C is wrong because the Organization for Economic Cooperation and Development (OECD) is an international organization that brings together different governments to help address the economic, social, and governance challenges of a globalized economy. For this reason, the OECD has developed national guidelines to ensure that data is properly protected and that everyone adheres to the same kinds of rules.

×：Organization for Cooperation and Development in Cybercrime

Organization for Cooperation and Development of Cybercrime is the wrong answer. There is no formal entity of this name.

〇：Cessation of activities that pose a risk.

This question is about choosing what is not included. Discontinuing an activity that introduces risk is a way to address risk through avoidance. For example, there are many risks surrounding the use of instant messaging (IM) within a company. If a company decides not to allow the use of IM because there is no business need to do so, banning this service is an example of risk avoidance. The risk assessment does not include the implementation of such measures. Therefore, the correct answer is “discontinue the activity that poses a risk”.

×：Asset Identification

This is incorrect because identifying the asset is part of the risk assessment and is required to identify what is not included in the risk assessment. To determine the value of an asset, the asset must first be identified. Identifying and valuing assets is another important task of risk management.

×：Threat Identification

This is incorrect because identifying threats is part of risk assessment and requires identifying what is not included in the risk assessment. A risk exists because a threat could exploit a vulnerability. If there are no threats, there are no risks. Risk links vulnerabilities, threats, and the resulting potential for exploitation to the business.

×：Risk analysis in order of cost

Analyzing risks in order of cost or criticality is part of the risk assessment process and is inappropriate because questions are asked to identify what is not included in the risk assessment. A risk assessment examines and quantifies the risks a company faces. Risks must be addressed in a cost-effective manner. Knowing the severity of the risk allows the organization to determine how to effectively address it.

The 2001 terrorist attacks triggered the development of various laws against terrorism. Therefore, the correct answer is “2001,September 11 attacks”.

〇：ISO / IEC 27005 – Guidelines for Bodies Providing Audits and Certification of Information Security Management Systems

The ISO / IEC 27005 standard is a guideline for information security risk management. ISO / IEC 27005 is an international standard on how risk management should be implemented within the framework of an ISMS.

×：ISO / IEC 27002 – Code of practice for information security management

This is not correct because it is a code of practice for information security management. Therefore, it has the correct mapping. ISO / IEC 27002 provides best practice recommendations and guidelines for starting, implementing, or maintaining an ISMS.

×：ISO / IEC 27003 – ISMS Implementation Guidelines

This is incorrect as it is a guideline for ISMS implementation. Therefore, it has the correct mapping. Focuses on the key aspects necessary for the successful design and implementation of an ISMS according to ISO / IEC 27001:2005. It describes the ISMS specification and design process from its inception to the creation of an implementation plan.

×：ISO / IEC 27004 – Guidelines for Information Security Management Measurement and Metrics Framework

This is incorrect because it is a guideline for an information security management measurement and metrics framework. Therefore, it has the correct mapping. It provides guidance on the development and use of measures to assess the effectiveness of an ISMS and a group of controls or controls, as specified in ISO / IEC 27001.

〇：Parallel testing or full interruption testing

A Business Impact Analysis (BIA) is considered a functional analysis where the team gathers data through interviews and documentation sources. Document business functions, activities, and transactions. Develop a hierarchy of business functions. Finally, a classification scheme is applied that indicates the level of importance of each individual function. Parallel and full interruption tests are not part of the BIA. These tests are performed to ensure the ongoing effectiveness of the business continuity plan to accommodate the constantly changing environment. While full interruption testing involves shutting down the original site and resuming operations and processing at an alternate site, parallel testing is performed to ensure that a particular system will actually function properly at the alternate off-site function.

×：Application of a classification scheme based on criticality levels.

This is incorrect because it is performed during a BIA. This is done by identifying a company’s critical assets and mapping them to characteristics such as maximum allowable downtime, operational disruption and productivity, financial considerations, regulatory liability, and reputation.

×：Gathering information through interviews

This is not correct as it is done during the BIA. The BCP committee does not truly understand all business processes, the steps to be taken, or the resources and supplies those processes require. Therefore, the committee should collect this information from people in the know, which are department heads and specific employees within the organization.

×：Document business functions

This is incorrect because the BCP committee makes this part of the BIA. Business activities and transactions must be documented. This information can come from department managers and specific employees who are interviewed or surveyed. Once the information is documented, the BCP committee can conduct an analysis to determine which processes, equipment, or operational activities are most critical.