Sabotage is an attack by an insider.

〇：Due Care

Confidentiality means that the company does everything it could reasonably have done to prevent a security breach under the circumstances and takes appropriate control and action in the event of a security breach. In short, it means that the company is acting responsibly by practicing common sense and prudent management. If a company has a facility that is not fire-immune, its arsonist will be only a small part of this tragedy. The company is responsible for providing fire-resistant building materials, alarms, exits, fire extinguishers, and backup fire detection and suppression systems, all critical information specific areas that could be affected by a fire. If a fire were to burn the company’s building and all records (customer data, inventory records, and information needed to rebuild the business) were to disappear, the company would not take precautions to ensure that it is protected against that loss. For example, it would be possible to back up to an off-site location. In this case, employees, shareholders, customers, and anyone else affected could potentially sue the company. However, if the company has done all that is expected of it in terms of the points mentioned so far, it is difficult to sue without success if proper care (dee care) is not taken.

×：Downstream Liability

Is wrong because one firm’s activities (or lack thereof) may have a negative impact on other firms. If either company fails to provide the required level of protection and its negligence affects the partners with whom it cooperates, the affected company can sue the upstream company. For example, suppose Company A and Company B have built an extranet. Company A has not implemented controls to detect and address viruses. Company A is infected with a harmful virus, which infects Company B through the extranet. The virus destroys critical data and causes a major disruption to Company B’s production. Company B can therefore sue Company A for negligence. This is an example of downstream liability.

×：Liability

Incorrect, as it generally refers to the obligation and expected behavior or actions of a particular party. Obligations can have a defined set of specific actions required, which is a more general and open approach that allows parties to determine how to fulfill specific obligations.

×：Due diligence

A better answer to this question. Liability is not considered a legal term as with the other answers. Due diligence is because the firm has properly investigated all of its possible weaknesses and vulnerabilities. Before you can understand how to properly protect yourself, you need to know that you are protecting yourself. To understand the real level of risk, investigate and assess the real level of vulnerability. Even after these steps and assessments have been made, effective controls and protective measures can be identified and implemented. Due diligence means identifying all potential risks, but an appropriate response is one that actually mitigates the risk.

Users can logically guess the URL or path to access resources they should not. If an organization’s network has access to a report name ending in “financials_2017.pdf”, it is possible to guess other file names that should not be accessed, such as “financials_2018.pdf” or “financials.pdf”.

〇：Shoulder Surfing Attacks

Shoulder surfing is a type of browsing attack in which an attacker looks over the shoulder of another person to see what is being typed on that person’s monitor items or keyboard. Of the attacks listed, this is the easiest to perform in that it requires no knowledge of the computer system. Therefore, the correct answer is a shoulder surfing attack.

×：Dictionary attack

A dictionary attack is an unauthorized login that targets users who use words as passwords.

×：Side-channel attack

A side-channel attack is an attack that eavesdrops on system data from physical information.

×：Timing Attacks

A timing attack is an attack in which various input information is given to a device that processes ciphers, and the cipher key or other information is deduced from the difference in processing time. If processing time is taken, it can be inferred as a rough indication that the process is proceeding normally as a process, and so on.

Service Organization Control (SOC) is a rule established by the American Institute of Certified Public Accountants (AICPA) to assure the internal control of the party contracted to perform services. Sometimes, work is contracted out to other firms. In order to guarantee the quality of its own work, the company that is contracted to perform the work must also have appropriate controls in place. For this reason, we check the internal control of the outsourcing company to which the work is outsourced.

• SOC-1 (Internal Control over Financial Reporting (ICFR)) Audits the accounting of the trustee company.
  SOC-2 (Trust Services Criteria): Checks security and other controls other than accounting for the fiduciary company. Usually takes six months to complete.
  SOC-3 (Trust Services Criteria for General Use Report) Confirms security and other controls other than accounting for unspecified persons (users).

〇：System logs that operate and are acquired on a daily basis

It is necessary to show that the logs are different from common usage in order to determine whether the access is unauthorized or not. Also, it is less reliable as legal evidence regarding logs that are not routinely obtained.

×：System logs from sophisticated products that comply with international standards

Market sophistication is not a requirement for legal evidence. Conversely, it is unlikely that software developed in-house cannot be used for legal archives.

×：System logs printed and stored as physical media

Whether or not logs are printed is not necessarily a legal requirement. Since the records are printed out as software, they are not purely physical evidence.

×：System logs close to the infrastructure recorded at the OS layer

Logs close to the OS layer have greater systemic traceability, but they are also less relevant to user operations and are not suitable as evidence of unauthorized access.

The 2001 terrorist attacks triggered the development of various laws against terrorism. Therefore, the correct answer is “2001,September 11 attacks”.

The expected annual loss amount is the value of losses that could occur in the future, equalized on an annual basis based on the frequency of occurrence. Therefore, it is the Single Loss Expectancy (SLE) multiplied by the annual frequency of occurrence (ALO).

〇：Business Case

The most important part of establishing and maintaining a current continuity plan is management support. Management may need to be convinced of the need for such a plan. Therefore, a business case is needed to obtain this support. The business case should include current vulnerabilities, legal obligations, current status of the recovery plan, and recommendations. Management is generally most interested in cost-benefit issues, so preliminary figures can be gathered and potential losses estimated. Decisions about how a company should recover are business decisions and should always be treated as such.

×：Business Impact Analysis

Incorrect because the Business Impact Analysis (BIA) was conducted after the BCP team gained management’s support for its efforts. A BIA is conducted to identify areas of greatest financial or operational loss in the event of a disaster or disruption. It identifies the company’s critical systems required for survival and estimates the amount of downtime the company can tolerate as a result of a disaster or disruption.

×：Risk Analysis

Incorrect, as this is a method of identifying risks and assessing the potential damage that could be caused to justify security protection measures. In the context of BCP, risk analysis methods should be used in a BIA to identify which processes, devices, or operations are critical and should be recovered first.

×：Threat reports

The answer is wrong because it is unintended. However, it is important for management to understand what the actual threats are to the enterprise, the consequences of those threats, and the potential loss value for each threat. Without this understanding, management pays lip service to continuity planning and in some cases may be worse than if it did not plan because of the false awareness of security it creates.

〇：Council of Europe Convention on Cybercrime

The Council of Europe (CoE) Convention on Cybercrime is an example of an attempt to create a standard international response to cybercrime. It is the first international treaty to address computer crime by coordinating national laws and improving investigative techniques and international cooperation. The treaty’s objectives include creating a framework to bind the jurisdiction of the accused and the perpetrators of the crimes. For example, extradition is possible only if the case is a crime in both countries.

×：World Congress Council on Cybercrime

The World Congress Council on Cybercrime is misleading and therefore wrong. The official name of the Convention is the Council of Europe’s Convention on Cybercrime. It establishes comprehensive legislation against cybercrime and serves as a framework for international cooperation among the signatories to the Convention to guide all countries.

×：Organization for Economic Cooperation and Development (OECD)

Image C is wrong because the Organization for Economic Cooperation and Development (OECD) is an international organization that brings together different governments to help address the economic, social, and governance challenges of a globalized economy. For this reason, the OECD has developed national guidelines to ensure that data is properly protected and that everyone adheres to the same kinds of rules.

×：Organization for Cooperation and Development in Cybercrime

Organization for Cooperation and Development of Cybercrime is the wrong answer. There is no formal entity of this name.

〇：Creating Data Collection Techniques

Of the steps listed, the first step in a Business Impact Analysis (BIA) is to create a data collection technique. The BCP committee will use questionnaires, surveys, and interviews to collect key person information on how different tasks are accomplished within the organization, along with any relevant dependencies of processes, transactions, or services. Process flow diagrams should be created from this data and used throughout the BIA and planning and development phases.

×：Risk calculations for each different business function

This is incorrect because the risk for each business function is calculated after the business function has been identified. And before that happens, the BCP team needs to collect data from key personnel. To calculate the risk for each business function, qualitative and quantitative impact information must be collected, properly analyzed, and interpreted. Once the data analysis is complete, it should be reviewed with the most knowledgeable people in the company to ensure that the results are relevant and to explain the actual risks and impacts facing the organization. This will flush out any additional data points that were not captured initially and allow for a full understanding of all possible business impacts.

×：Identifying Critical Business Functions

Image B is incorrect because the identification of critical business functions is done after the BCP committee has learned about the business functions that exist by interviewing and surveying key individuals. Once the data collection phase is complete, the BCP committee conducts an analysis to determine which processes, devices, or business activities are critical. If a system stands on its own, does not affect other systems, and is less critical, it can be classified as a Tier 2 or Tier 3 recovery step. In other words, these resources are not processed in the recovery phase until the most critical (Tier 1) resources are up and running.

×：Vulnerability and Threat Identification to Business Functions

This is not the first step and is incorrect because it identifies vulnerabilities and threats to business functions toward the end of the business impact analysis. It is the last of the steps listed in the answer. Threats can be man-made, natural, or technical. It is important to identify all possible threats and estimate their likelihood of occurring. When developing these plans, some issues may not be immediately apparent. These issues are best addressed by groups conducting scenario-based exercises. This ensures that when the threat becomes reality, the plan will have an impact on all business tasks, departments, and critical operations. The more issues that are planned for, the better prepared you will be should these events occur.

This is a “non-ethics item” question.

A statement is made by the Internet Activities Board (IAB) to those who use the Internet about the correct use of Internet resources.

• Attempting to obtain unauthorized access to Internet resources.
• Disrupting the intended use of the Internet.
• Wasting resources (people, capabilities, and computers) through such activities.
• Destroying the integrity of computer-based information.
• Violating the privacy of users.

HIPAA covered entities and the organizations and individuals who assist them in their business are treated in the same manner as HIPAA covered entities. Health care providers, health information clearinghouses, and health insurance plans are covered entities. Developers of health apps are responsible as programmers rather than holders or plan holders of bodily information. They may not be covered by HITECH, which focuses on how body information is managed. Therefore, the correct answer is “health app developer”.

It is not necessary to know the detailed HITECH requirements. You can classify them based on whether or not you are dealing with information and answer the questions by process of elimination.

〇：Yes. The same goal should be held because there is security in achieving corporate goals.

There are KPIs and other marketin indicators to achieve organizational goals. Developing a security function in the organization also exists to achieve these goals.

×：Yes. Marketing in the security industry is allowed to be risk-off.

By “marketing in the security industry,” I do not mean aligning the security function within the organization.

×：No. The division of labor should be strictly enforced and left to specialists.

While the division of labor in an organization is certainly important, all members of the organization need to be security conscious.

×：No. Security has nothing to do with confidential information that would be an executive decision.

Security should be addressed by the entire organization. It is not irrelevant.

〇：Tell your business partner that your company is not ready

Planned business continuity procedures can provide an organization with many benefits. In addition to the other response options listed previously, organizations can provide a quick and appropriate response to an emergency, mitigate the impact on their business, and work with outside vendors during the recovery period. Efforts in these areas should communicate to business partners that they are prepared in the event of a disaster.

×：Resuming Critical Business Functions

This is incorrect because a business continuity plan allows an organization to resume critical business functions. As part of the BCP development, the BCP team conducts a business impact analysis that includes identifying the maximum allowable downtime for critical resources. This effort helps the team prioritize recovery efforts so that the most critical resources can be recovered first.

×：Protecting Lives and Ensuring Safety

Business continuity planning allows organizations to protect lives and ensure safety, which is wrong. People are a company’s most valuable asset. Therefore, human resources are an integral part of the recovery and continuity process and must be fully considered and integrated into the plan. Once this is done, a business continuity plan will help a company protect its employees.

×：Ensure business viability

This is a fallacy because a well-planned business continuity plan can help a company ensure the viability of its business. A business continuity plan provides methods and procedures for dealing with long-term outages and disasters. It involves moving critical systems to another environment while the original facility is being restored and conducting business operations in a different mode until normal operations return. In essence, business continuity planning addresses how business is conducted after an emergency.

Measures have been implemented to reduce the overall risk to an acceptable level. However, no system or environment is 100% safe, and risks remain with all countermeasures. The residual risk after countermeasures have been taken is called residual risk. Residual risk is different from total risk. Total risk is the risk of not implementing countermeasures. While total risk can be determined by calculating (threat x vulnerability x asset value = total risk), residual risk can be determined by calculating (threat x vulnerability x asset value) x control gap = residual risk. The control gap is the amount of protection that the control cannot provide.

〇：Organization for Economic Cooperation and Development

Almost every country has its own set of rules regarding what constitutes private data and how it should be protected. With the advent of the digital and information age, these different laws have begun to adversely affect business and international trade. Thus, the Organization for Economic Cooperation and Development (OECD) created guidelines for different countries to ensure that data is properly protected and that everyone follows the same rules.

×：COSO

An organization that studies fraudulent financial reporting and which elements lead to them is fraudulent because the Committee of Sponsoring Organizations of the Treadway Commission (COSO) was established in 1985. The acronym COSO refers to a model of corporate governance that addresses IT at the strategic level, corporate culture, and financial accounting principles.

×：COBIT (Control Objectives for Information and Related Technology)

Incorrect, as this framework defines control objectives to ensure that IT is properly managed and that IT is responsive to business needs. It is an international open standard that provides control and security requirements for sensitive data and reference frameworks.

×：International Organization for Standardization (ISO)

Incorrect because it is an international standards organization composed of representatives of national standards bodies. Its purpose is to establish global standardization. But its standardization goes beyond the privacy of data moving across international borders. For example, some standards address quality control; others address assurance and security.

〇：DDoS attacks

Availability is one of the properties of the CIA triad that indicates service continuity. An attack that threatens the continuity of service corresponds to a DDoS attack that sends a large number of requests and causes a service outage. Therefore, the correct answer is “DDoS attack”.

×: Wheeling

Whaling is a spear-phishing attack that targets a socially recognized person or organization.

×: TOC/TOU

TOC/TOU is a software bug that occurs when the system is modified between the time a condition is checked and the time the results of that check are used. In many cases, the attack replaces one file with another between looking for the file and reading the file.

×: DRAM

RAM (Random Access Memory) is memory used for CPU and screen displays, etc. DRAM is RAM that is only stored for short periods of time and requires periodic refreshing.

〇：Regular software updates

You are the system administrator. As an administrator, what you should be doing is updating software on a regular basis. Therefore, the correct answer is “regular software updates.

There may be some that you should implement, but choosing the better of the two will also be tested in the actual exam.

×：Sophisticated product selection

In most cases, products that meet the requirements will be selected in accordance with the Request for Proposal (RFP) presented by the customer. Existing system administrators may be involved in some of these discussions, but this is not an appropriate response.

×：Early reporting to your supervisor

In all jobs, reporting to the supervisor is probably an essential part of the job. Here, however, it is more appropriate to focus on your position as a software system administrator.

×：Human resources to monitor the system

A resident system may allow you to deal with problems in a timely manner. However, here, it is more appropriate to focus on the position as a system administrator of the software.

〇：Regular training to change employee attitudes

Behavior-directed controls are intended to direct the behavior required of employees as part of organizational management. Regular training that changes employee awareness falls under the action-directed type. Therefore, the correct answer is “Regular training to change employee attitudes”.

×：Remotely directed defenses using drone audits

This falls under reinforcing (compensating) defensive measures.

×：Defensive measures to be behavioral psychological barriers due to physical barriers

This is a physical (physically) defensive measure.

×：Developing recurrence prevention measures to review certain actions

This is a corrective measure.