〇：Meetings should be conducted with a fixed number of members and should be as small as possible.

The BCP committee should be large enough to represent each department within the organization. It should consist of people who are familiar with the different departments within the company, as each department has unique functions and unique risks and threats. All issues and threats will be formulated when they are brought in and discussed. This cannot be done effectively with a few divisions or a few people. The committee must consist of at least business unit, senior management, IT, security, communications, and legal personnel.

Conducting meetings with a fixed number of members and as few as possible is certainly not a misinterpretation of “elite few. However, one must know what is the “best” answer and answer it.

×：Committee members should be involved in the planning, testing, and implementation phases.

The answer is incorrect because it is correct that committee members need to be involved in the planning, testing, and implementation phases. If Matthew, the coordinator of the BCP, is a good business leader, he will consider that it is best to make team members feel ownership over their duties and roles. The people who develop the BCP must also be the ones who implement it. If some critical tasks are expected to be performed during a time of crisis, additional attention should be given during the planning and testing phase.

×：The business continuity coordinator should work with management to appoint committee members.

This is incorrect because the BCP coordinator should work with management to appoint committee members. However, management’s involvement does not end there. The BCP team should work with management to finalize the goals of the plan, identify the critical parts of the business that must be handled first in the event of a disaster, and identify department and task priorities. Management also needs to help direct the team on the scope and specific goals of the project.

×：The team should consist of people from different departments within the company.

This is incorrect because the team should consist of people from different departments within the company. This will be the only way for the team to consider the risks and threats that each department faces according to the organization.

〇：Extraction of data shared with unauthorized entities

This is a problem of selecting unrelated items. Extraction of data shared with unauthorized entities is a confidentiality issue. Although it is complicatedly worded, the operations on the data are unauthorized and extraction, and none of them include the destruction of data, which is the primary focus of integrity. Therefore, the correct answer is “extraction of data shared with unauthorized entities.

In solving this problem, it is not necessary to know what an entity is. The focus is on whether any modification or destruction has taken place.

×：Unauthorized manipulation or alteration of data

Mistake. Because integrity is associated with unauthorized manipulation or alteration of data. Integrity is maintained when unauthorized modification is prevented. Hardware, software, and communication mechanisms must work together to correctly maintain and process data and move data to its intended destination without unexpected changes. Systems and networks must be protected from outside interference and contamination.

×：Unauthorized data modification

Unauthorized data modification is a mistake as it relates to integrity. Integrity is about protecting data, not changing it by users or other systems without authorization.

×：Intentional or accidental data substitution

Incorrect because intentional or accidental data substitution is associated with integrity. Integrity is maintained when assurances of the accuracy and reliability of information and systems are provided along with assurances that data will not be tampered with by unauthorized entities. An environment that enforces integrity prevents attacks, for example, the insertion of viruses, logic bombs, or backdoors into the system that could corrupt or replace data. Users typically incorrectly affect the integrity of the system and its data (internal users may also perform malicious acts). For example, a user may insert incorrect values into a data processing application and charge a customer $3,000 instead of $300.

Sabotage is an attack by an insider.

Measures have been implemented to reduce the overall risk to an acceptable level. However, no system or environment is 100% safe, and risks remain with all countermeasures. The residual risk after countermeasures have been taken is called residual risk. Residual risk is different from total risk. Total risk is the risk of not implementing countermeasures. While total risk can be determined by calculating (threat x vulnerability x asset value = total risk), residual risk can be determined by calculating (threat x vulnerability x asset value) x control gap = residual risk. The control gap is the amount of protection that the control cannot provide.

〇：Security Management Committee

Steve serves on the Security Steering Committee, which is responsible for making decisions on tactical and strategic security issues within the company. The committee consists of individuals from across the organization and should meet at least quarterly. In addition to the responsibilities outlined in this question, the Security Steering Committee is responsible for establishing a clearly defined vision statement that supports it in cooperation with the organizational intent of the business. It should provide support for the goals of confidentiality, integrity, and availability as they relate to the business goals of the organization. This vision statement should be supported by a mission statement that provides support and definition to the processes that apply to the organization and enable it to reach its business goals.

Each organization may call it by a different name, or they may be entrusted with a series of definition-to-approval processes for security. In this case, the term “operations” is the closest that comes to mind.

×：Security Policy Committee

This is incorrect because senior management is the committee that develops the security policy. Usually, senior management has this responsibility unless they delegate it to an officer or committee. The security policy determines the role that security plays within the organization. It can be organizational, issue specific, or system specific. The Governing Board does not directly create the policy, but reviews and approves it if acceptable.

×：Audit Committee

Incorrect because it provides independent and open communication between the Board of Directors, management, internal auditors, and external auditors. Its responsibilities include the system of internal controls, the engagement and performance of the independent auditors, and the performance of the internal audit function. The Audit Committee reports its findings to the Governing Board, but does not fail to oversee and approve the security program.

×：Risk Management Committee

Incorrect as it is to understand the risks facing the organization and work with senior management to bring the risks down to acceptable levels. This committee does not oversee the security program. The Security Steering Committee typically reports its findings to the Risk Management Committee on information security. The risk management committee should consider the entire business risk, not just the IT security risk.

CIA stands for Confidentiality, Integrity, and Availability.

〇：Risk Mitigation

Risk can be addressed in four basic ways: transfer, avoidance, mitigation, and acceptance. Sue reduces the risk posed by her e-mail system by implementing security controls such as antivirus and anti-spam software. This is also referred to as risk mitigation, where risk is reduced to a level considered acceptable. Risk can be mitigated by improving procedures, changing the environment, erecting barriers to threats, and implementing early detection techniques to stop threats when they occur and reduce damage.

×：Risk Acceptance

This is inappropriate because risk acceptance does not involve spending on protection or countermeasures such as anti-virus software. When accepting a risk, one should be aware of the level of risk faced and the potential damage costs and decide to keep it without implementing countermeasures. If the cost/benefit ratio indicates that the cost of countermeasures exceeds the potential losses, many companies will accept the risk.

×：Risk Avoidance

Wrong because it would mean discontinuing the activity that is causing the risk. In this case, Sue’s firm decides to continue using e-mail. A company may choose to terminate an activity that introduces risk if the risk outweighs the business needs of the activity. For example, a company may choose to block social media websites in some departments because of the risk to employee productivity.

×：Risk Transfer

This is incorrect because it involves sharing risk with other entities, as in the purchase of insurance to transfer some of the risk to the insurance company. Many types of insurance are available to firms to protect their assets. If a company determines that its total or excess risk is too high to gamble, it can purchase insurance.

This is a “non-ethics item” question.

A statement is made by the Internet Activities Board (IAB) to those who use the Internet about the correct use of Internet resources.

• Attempting to obtain unauthorized access to Internet resources.
• Disrupting the intended use of the Internet.
• Wasting resources (people, capabilities, and computers) through such activities.
• Destroying the integrity of computer-based information.
• Violating the privacy of users.

〇：Considering an architecture that can handle health information.

Carol is a systems engineer and is expected to explore systemic realities. It is likely that she is deviating from her role to preemptively explain why it cannot be done systemically, to modify approvals other than the system configuration, or to initiate legal work. The correct answer, therefore, is, “Think about an architecture that can handle health information.” The correct answer would be

×：To address the dangers of handling health information in the system.

The basic stance of a system engineer is to obtain feasibility as a system. Although it is necessary to supplement the danger to the proposed idea, appealing the danger should not be the main purpose.

×：Obtaining permission to entrust health information from a medical institution.

A contract should be signed and the legal scope of responsibility should be clarified. This is outside the scope of the system engineer’s scope.

×：To prepare a written consent to use for handling health information.

It is necessary to obtain consent for end users before using the service, and the scope of legal responsibility needs to be clarified. This is outside the scope object of the system engineer’s scope.

〇：Regular training to change employee attitudes

Behavior-directed controls are intended to direct the behavior required of employees as part of organizational management. Regular training that changes employee awareness falls under the action-directed type. Therefore, the correct answer is “Regular training to change employee attitudes”.

×：Remotely directed defenses using drone audits

This falls under reinforcing (compensating) defensive measures.

×：Defensive measures to be behavioral psychological barriers due to physical barriers

This is a physical (physically) defensive measure.

×：Developing recurrence prevention measures to review certain actions

This is a corrective measure.

The EU Data Protection Directive is a very aggressive privacy law. Organizations must inform individuals how their data is collected and used. Organizations must allow people to opt out of data sharing with third parties. Opt-in is required to share the most sensitive data. No transmissions from the EU unless the recipient country is found to have adequate (equivalent) privacy protections, and the U.S. does not meet this standard.

〇：Trademarks

Intellectual property can be protected by several different laws, depending on the type of resource. Trademarks are used to protect words, names, symbols, sounds, shapes, colors, or combinations of these, such as logos. The reason a company registers one of these trademarks, or a combination of these trademarks, is to represent their company (brand identity) to the world. Therefore, the correct answer is “trademark”.

×：Patent

A patent is a monopoly right to use a technology for something that is very difficult to invent, such as a medicine.

×：Copyright

A copyright is a right to something that is not technical, such as music or a book, but something that is thought up and created.

×：Trade Secrets

Trade secrets are information that is useful and confidential as a business activity, such as customer information, product technology and manufacturing methods.

〇：System logs that operate and are acquired on a daily basis

It is necessary to show that the logs are different from common usage in order to determine whether the access is unauthorized or not. Also, it is less reliable as legal evidence regarding logs that are not routinely obtained.

×：System logs from sophisticated products that comply with international standards

Market sophistication is not a requirement for legal evidence. Conversely, it is unlikely that software developed in-house cannot be used for legal archives.

×：System logs printed and stored as physical media

Whether or not logs are printed is not necessarily a legal requirement. Since the records are printed out as software, they are not purely physical evidence.

×：System logs close to the infrastructure recorded at the OS layer

Logs close to the OS layer have greater systemic traceability, but they are also less relevant to user operations and are not suitable as evidence of unauthorized access.

〇：Business Case

The most important part of establishing and maintaining a current continuity plan is management support. Management may need to be convinced of the need for such a plan. Therefore, a business case is needed to obtain this support. The business case should include current vulnerabilities, legal obligations, current status of the recovery plan, and recommendations. Management is generally most interested in cost-benefit issues, so preliminary figures can be gathered and potential losses estimated. Decisions about how a company should recover are business decisions and should always be treated as such.

×：Business Impact Analysis

Incorrect because the Business Impact Analysis (BIA) was conducted after the BCP team gained management’s support for its efforts. A BIA is conducted to identify areas of greatest financial or operational loss in the event of a disaster or disruption. It identifies the company’s critical systems required for survival and estimates the amount of downtime the company can tolerate as a result of a disaster or disruption.

×：Risk Analysis

Incorrect, as this is a method of identifying risks and assessing the potential damage that could be caused to justify security protection measures. In the context of BCP, risk analysis methods should be used in a BIA to identify which processes, devices, or operations are critical and should be recovered first.

×：Threat reports

The answer is wrong because it is unintended. However, it is important for management to understand what the actual threats are to the enterprise, the consequences of those threats, and the potential loss value for each threat. Without this understanding, management pays lip service to continuity planning and in some cases may be worse than if it did not plan because of the false awareness of security it creates.

〇：Telnet must be used to send commands and data.

Telnet sends all data, including administrator credentials, in plain text and should not be allowed for remote administration. This type of communication should be via a more secure protocol, such as SSH.

×：Only a small number of administrators should be allowed to perform remote functions.

Wrong, as it is true that only a few administrators should be able to perform remote functions. This minimizes the risk to the network.

×：Critical systems should be managed locally, not remotely.

Wrong because it is true that critical systems need to be managed locally, not remotely. It is safer to send management commands on an internal private network than over a public network.

×：Strong authentication is required.

Wrong because it is true that strong authentication is required for any management activity. Anything weaker than strong authentication, such as a password, is easy for an attacker to break in and gain administrative access.

〇：Digital Millennium Copyright Act

The Digital Millennium Copyright Act (DMCA) is a U.S. copyright law that makes it a crime, among other things, for technology to infringe upon the access control measures established to protect copyrighted material. Therefore, the correct answer is “Digital Millennium Copyright Act.

If you find a way to “unlock” a proprietary method of protecting an e-book, you can charge this act. Even if you do not share the actual copyrighted book with anyone, the specific law has been broken and you will be convicted.

×：COPPA

The Children’s Online Privacy Protection Act (COPPA) is a law that allows for the safe use of children’s sites on the Internet and prohibits children from being put at risk if they do not have any terms and conditions The law prohibits children from being endangered without any terms and conditions so that they can safely use the Internet for children.

×：Federal Privacy Act

There is no such law, but a close equivalent is the U.S. Federal Data Privacy Act. This would be a comprehensive privacy law at the federal level in the United States.

×：GDPR

The General Data Protection Regulation (GDPR) is a privacy law for EU citizens that is a stricter version of the Data Protection Directive.

〇：AS / NZS 4360

AS / NZS 4360 can be used for security risk analysis, but it was not created for that purpose. It takes a much broader approach to risk management than other risk assessment methods, such as NIST or OCTAVE, which focus on IT threats and information security risks. AS / NZS 4360 can be used to understand a firm’s financial, capital, personnel safety, and business decision-making risks.

×：FAP

Incorrect as there is no formal FAP risk analysis methodology.

×：OCTAVE

Image B is incorrect because it focuses on IT threats and information security risks. OCTAVE is intended for use in situations that manage and direct information security risk assessments within an organization. Employees of an organization are empowered to determine the best way to assess security.

×：NIST SP 800-30

Wrong because it is specific to IT threats and how they relate to information threats. Focus is primarily on systems. Data is collected from network and security practices assessments and from people within the organization. Data is used as input values for the risk analysis steps outlined in the 800-30 document.

〇：To issue ethics-related statements on the use of the Internet.

The Internet Architecture Board (IAB) is the coordinating committee for the design, engineering, and management of the Internet. It is responsible for monitoring and appealing Internet Engineering Task Force (IETF) activities, the Internet standards process, and the architecture of Request for Comments (RFC) editors. The IAB issues ethics-related statements on the use of the Internet. The Internet is a resource that depends on availability and accessibility and is considered useful to a wide range of people. Primarily, irresponsible behavior on the Internet may threaten its existence or adversely affect others.

×：Develop guidelines for criminal sentencing.

The IAB is incorrect because it has nothing to do with the Federal Court Guidelines, which are the rules judges use in determining the appropriate punitive sentence for certain felonies or misdemeanors committed by individuals or businesses. The Guidelines serve as the uniform sentencing policy for entities committing felonies and/or gross misdemeanors in the U.S. federal court system.

×：Edit RFC.

The Internet Architecture Board is responsible for editing RFCs (Request for Comments), which is incorrect because this task is not ethics-related. This answer is a distraction.

×：Maintain the Ten Commandments of Computer Ethics.

This is incorrect because the Institute for Computer Ethics, not the IAB, develops and maintains the Ten Commandments of Computer Ethics. The Institute for Computer Ethics is a non-profit organization that works to advance technology through ethical means.

〇：Data Protection Directive

In many cases, the European Union (EU) takes personal privacy more seriously than most other countries in the world and therefore adheres to strict laws regarding data considered personal information based on the European Union Principles for the Protection of Personal Data. This set of principles addresses the use and communication of information that is considered private in nature. These principles and how to comply with them are contained in the EU Data Protection Directive. All European states must comply with these principles, and all companies doing business with EU companies must follow this directive if their business involves the exchange of privacy-type data.

×：Organization for Economic Cooperation and Development (OECD)

Image B is incorrect because the Organization for Economic Cooperation and Development (OECD) is an international organization that brings together different governments to help address the economic, social, and governance challenges of a globalized economy. For this reason, the OECD has developed national guidelines to ensure that data is properly protected and that everyone adheres to the same kinds of rules.

×：Federal Private Sector Bill

The Federal Private Bill is incorrect. There is no official bill by this name.

×：Privacy Protection Act

The Privacy Protection Act is the wrong answer. There is no official legislation by this name.