Domain 1 Exam.
A minimum of 70% is required to pass.
#1. Which of the following attacks are related to availability?
〇:DDoS attacks
Availability is one of the properties of the CIA triad that indicates service continuity. An attack that threatens the continuity of service corresponds to a DDoS attack that sends a large number of requests and causes a service outage. Therefore, the correct answer is “DDoS attack”.
×:Whaling
Whaling is a spear-phishing attack that targets a socially recognized person or organization.
×: TOC/TOU
TOC/TOU (time-of-check/time-of-use) is a software bug that occurs when the system state changes between the time a condition is checked and the time the result of that check is used. In many cases, the attack swaps one file for another between the time the program checks for the file and the time it reads it.
×: DRAM
RAM (Random Access Memory) is working memory used by the CPU, the display, and so on. DRAM is RAM that holds its contents only for a short time and requires periodic refreshing.
#2. Which of the following is NOT related to data integrity?
〇:Extraction of data shared with unauthorized entities
This question asks for the unrelated item. Extraction of data shared with unauthorized entities is a confidentiality issue. The wording is convoluted, but the operations on the data are unauthorized sharing and extraction; none of them involve the modification or destruction of data, which is the primary focus of integrity. Therefore, the correct answer is “extraction of data shared with unauthorized entities”.
In solving this problem, it is not necessary to know what an entity is. The focus is on whether any modification or destruction has taken place.
×:Unauthorized manipulation or alteration of data
Incorrect, because integrity is associated with unauthorized manipulation or alteration of data. Integrity is maintained when unauthorized modification is prevented. Hardware, software, and communication mechanisms must work together to maintain and process data correctly and move it to its intended destination without unexpected changes. Systems and networks must be protected from outside interference and contamination.
×:Unauthorized data modification
Unauthorized data modification is incorrect because it relates to integrity. Integrity is about protecting data from being changed by users or other systems without authorization.
×:Intentional or accidental data substitution
Incorrect because intentional or accidental data substitution is associated with integrity. Integrity is maintained when assurances of the accuracy and reliability of information and systems are provided, along with assurances that data will not be tampered with by unauthorized entities. An environment that enforces integrity prevents attacks such as the insertion of viruses, logic bombs, or backdoors into the system that could corrupt or replace data. Users usually affect the integrity of a system and its data by mistake (although internal users may also act maliciously). For example, a user may enter incorrect values into a data processing application and charge a customer $3,000 instead of $300.
#3. What kind of person does the word “sabotage” (by its root meaning) refer to?
Sabotage is an attack by an insider.
#4. Which of the following is closest in meaning to the basic security concept of multi-layered defense?
Defense-in-Depth is the concept that protection should not be monolithic but layered in every aspect. “Defense-in-depth” is the closest option, because multiple layers of protection are required so that a single vulnerability cannot compromise the whole system.
#5. Which of the following is a core idea as a threat analysis by PASTA?
P.A.S.T.A. (Process for Attack Simulation and Threat Analysis) is a seven-step process for finding ways to protect the value of your assets while analyzing your compliance and business requirements. P.A.S.T.A. provides a roadmap from which threat management processes and policies can be derived. Its main focus is on finding threats, which is where risk-centric thinking and attack simulation come into play.
#6. Marks is a security auditor who wants to submit a system log as court evidence of unauthorized access. What requirements must the system log meet?
〇:System logs that operate and are acquired on a daily basis
To determine whether access was unauthorized, it must be possible to show how the logged activity differs from normal usage. Logs that are not routinely collected are also less reliable as legal evidence.
×:System logs from sophisticated products that comply with international standards
Market sophistication is not a requirement for legal evidence. Conversely, there is no reason that logs from software developed in-house cannot be used as legal records.
×:System logs printed and stored as physical media
Whether or not logs are printed is not a legal requirement. Since the records were produced by software before being printed, they are not purely physical evidence either.
×:System logs close to the infrastructure recorded at the OS layer
Logs close to the OS layer give greater system-level traceability, but they are less closely tied to user operations and are not suitable as evidence of unauthorized access.
#7. Who is not necessarily covered under the HITECH Act?
HIPAA covered entities and the organizations and individuals who assist them in their business (business associates) are treated in the same manner as HIPAA covered entities. Health care providers, health information clearinghouses, and health insurance plans are covered entities. Developers of health apps are responsible as programmers rather than as holders of health information or as plan providers. They may not be covered by HITECH, which focuses on how health information is managed. Therefore, the correct answer is “health app developer”.
It is not necessary to know the detailed HITECH requirements. You can classify the options based on whether or not they handle health information and answer by process of elimination.
#8. Which is the first step in a business impact analysis?
〇:Creating Data Collection Techniques
Of the steps listed, the first step in a Business Impact Analysis (BIA) is to create a data collection technique. The BCP committee will use questionnaires, surveys, and interviews to collect key person information on how different tasks are accomplished within the organization, along with any relevant dependencies of processes, transactions, or services. Process flow diagrams should be created from this data and used throughout the BIA and planning and development phases.
×:Risk calculations for each different business function
This is incorrect because the risk for each business function is calculated after the business function has been identified. And before that happens, the BCP team needs to collect data from key personnel. To calculate the risk for each business function, qualitative and quantitative impact information must be collected, properly analyzed, and interpreted. Once the data analysis is complete, it should be reviewed with the most knowledgeable people in the company to ensure that the results are relevant and to explain the actual risks and impacts facing the organization. This will flush out any additional data points that were not captured initially and allow for a full understanding of all possible business impacts.
×:Identifying Critical Business Functions
This is incorrect because the identification of critical business functions is done after the BCP committee has learned which business functions exist by interviewing and surveying key individuals. Once the data collection phase is complete, the BCP committee conducts an analysis to determine which processes, devices, or business activities are critical. If a system stands on its own, does not affect other systems, and is less critical, it can be classified into a Tier 2 or Tier 3 recovery tier. In other words, these resources are not handled in the recovery phase until the most critical (Tier 1) resources are up and running.
×:Vulnerability and Threat Identification to Business Functions
This is not the first step and is incorrect because it identifies vulnerabilities and threats to business functions toward the end of the business impact analysis. It is the last of the steps listed in the answer. Threats can be man-made, natural, or technical. It is important to identify all possible threats and estimate their likelihood of occurring. When developing these plans, some issues may not be immediately apparent. These issues are best addressed by groups conducting scenario-based exercises. This ensures that when the threat becomes reality, the plan will have an impact on all business tasks, departments, and critical operations. The more issues that are planned for, the better prepared you will be should these events occur.
#9. A company is about to move back to its original site or to a new site. Which phase of business continuity planning does it proceed to?
〇:Reconfiguration Phase
When a firm returns to its original site or a new site, it is ready to enter the reconfiguration phase. The firm remains in the emergency state until it is operating at the original primary site or at the new site built to replace it. If a firm needs to return from the replacement site to the original site, a number of logistical issues must be considered, including ensuring employee safety, making sure proper communication and connection methods are working, and properly testing the new environment.
The question text does not define the reconfiguration phase, so you must infer it. This tests whether you read the options for their meaning rather than matching words lexically.
×:Recovery Phase
Incorrect because the recovery phase involves preparing an off-site facility (if needed), rebuilding networks and systems, and organizing staff to move to the new facility. To get the company up and running as quickly as possible, the recovery process needs to be as structured as possible. Templates should be developed during the planning phase; each team can use them during the recovery phase to take the necessary steps and document the results. The template keeps the team on task and quickly communicates progress, obstacles, and potential recovery time to the team leader.
×:Project Initiation Phase
This is incorrect because it is how the actual business continuity plan is initiated. It does not occur during the execution of the plan. The Project Initiation Phase includes obtaining administrative support, developing the scope of the plan, and securing funding and resources.
×:Damage Assessment Phase
Incorrect because it occurs at the start of the actual implementation of the business continuity procedures. The damage assessment helps determine if the business continuity plan should be implemented based on the activation criteria predefined by the BCP coordinator and team. After the damage assessment, the team will move into recovery mode if one or more of the situations listed in the criteria occur.
#10. There are three core rules in the U.S. HIPAA. Which of the following is NOT a core rule?
The Health Insurance Portability and Accountability Act (HIPAA) has three rules: the Privacy Rule, the Security Rule, and the Breach Notification Rule. The rules mandate administrative, physical, and technical safeguards.
#11. It is not uncommon for business continuity plans to become outdated. What should you do to ensure that your plan does not become outdated?
〇:Business Continuity Processes Integrate Change Management Processes
Unfortunately, business continuity plans can quickly become outdated. An outdated BCP can give a company a false sense of security, which can be fatal if a disaster actually occurs. One of the simplest, most cost-effective, and process-efficient ways to keep your plan current is to incorporate it into your organization’s change management process. Are new applications, equipment, and services documented? Are updates and patches documented? The change management process should be updated to include fields and triggers that alert the BCP team when significant changes occur and provide a means to update the recovery documentation. Other measures for keeping the BCP up to date include assigning personnel to review the plan, conducting regular training on using the plan, and making business continuity part of all business decisions.
×:Update hardware, software, and application changes
Wrong because hardware, software, and application changes occur frequently; unless the BCP is part of a change management process, these changes are not included in the BCP. The BCP should be updated when changes to the environment occur. If it is not updated after a change, it is out of date.
×:Infrastructure and Environment Change Updates
Incorrect because infrastructure and environment changes occur frequently. Unless the BCP is part of a change management process, infrastructure and environment changes, like software, hardware, and application changes, are unlikely to be carried over into the BCP.
×:Personnel changes
Incorrect, as the plan may become obsolete. It is not uncommon for BCPs to be abandoned when the person or persons responsible for maintenance leave the company. These responsibilities must be reassigned. To ensure this, maintenance responsibilities must be built into job descriptions and properly monitored.
#12. A business impact analysis is considered a functional analysis. Which of the following is NOT performed during a Business Impact Analysis?
〇:Parallel testing or full interruption testing
A Business Impact Analysis (BIA) is considered a functional analysis in which the team gathers data through interviews and documentation sources, documents business functions, activities, and transactions, and develops a hierarchy of business functions. Finally, a classification scheme is applied that indicates the level of importance of each individual function. Parallel and full interruption tests are not part of the BIA. These tests are performed to ensure the ongoing effectiveness of the business continuity plan in a constantly changing environment. Full interruption testing involves shutting down the original site and resuming operations and processing at an alternate site, while parallel testing is performed to ensure that a particular system will actually function properly at the alternate off-site facility.
×:Application of a classification scheme based on criticality levels.
This is incorrect because it is performed during a BIA. This is done by identifying a company’s critical assets and mapping them to characteristics such as maximum allowable downtime, operational disruption and productivity, financial considerations, regulatory liability, and reputation.
×:Gathering information through interviews
This is not correct as it is done during the BIA. The BCP committee does not truly understand all business processes, the steps to be taken, or the resources and supplies those processes require. Therefore, the committee should collect this information from people in the know, which are department heads and specific employees within the organization.
×:Document business functions
This is incorrect because the BCP committee makes this part of the BIA. Business activities and transactions must be documented. This information can come from department managers and specific employees who are interviewed or surveyed. Once the information is documented, the BCP committee can conduct an analysis to determine which processes, equipment, or operational activities are most critical.
#13. A middle school student, worried about his future, wants to attack a political institution. How is this student classified as an attacker?
#14. What vulnerability allows an attacker to logically guess a URL that he/she does not know?
Users can logically guess the URL or path to reach resources they should not be able to access. If a report on an organization’s network is reachable under a name ending in “financials_2017.pdf”, it is possible to guess other file names that should not be accessible, such as “financials_2018.pdf” or “financials.pdf”.
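The defence against guessable URLs is not an unguessable name but an authorization check on every requested object. The following is an added example (not part of the exam page) with a constructed access-control list, roles and file names; it denies guessed reports uniformly and flags users whose denials pile up, which is what forced browsing looks like in the logs.

```python
# Added example: per-object authorization for report downloads, plus a simple
# detection helper. ACL entries, roles and file names are constructed samples.
from collections import Counter
from dataclasses import dataclass, field
from pathlib import PurePosixPath

# Constructed ACL: report file name -> roles allowed to read it.
REPORT_ACL = {
    "financials_2017.pdf": {"finance", "auditor"},
    "financials_2018.pdf": {"finance"},
    "financials.pdf": {"cfo"},
}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


def normalize_name(requested):
    """Accept only a bare file name; reject traversal, nested paths, backslashes."""
    if "\\" in requested:
        return None
    p = PurePosixPath(requested)
    if len(p.parts) != 1 or p.name in ("", ".", ".."):
        return None
    return p.name


def authorize_download(user, requested, acl=REPORT_ACL):
    """Return (HTTP status, file name or None).

    Unknown names and unauthorized names both get 403, so a guessed URL does not
    reveal whether the file exists. The decision depends on the ACL, never on
    whether the name was hard to guess.
    """
    name = normalize_name(requested)
    if name is None:
        return (400, None)
    allowed = acl.get(name)
    if allowed is None or not (user.roles & allowed):
        return (403, None)
    return (200, name)


def flag_enumeration(decisions, threshold=3):
    """Given (user name, status) pairs, return users with >= threshold denials.

    A burst of 403s on sequential or guessed names is the signal a defender
    watches for when forced browsing is suspected.
    """
    denied = Counter(u for u, s in decisions if s == 403)
    return sorted(u for u, n in denied.items() if n >= threshold)


if __name__ == "__main__":
    auditor = User("alice", {"auditor"})
    log = []
    for name in ["financials_2017.pdf", "financials_2018.pdf",
                 "financials_2019.pdf", "financials.pdf"]:
        status, _ = authorize_download(auditor, name)
        log.append((auditor.name, status))
        print(name, status)
    print("enumeration suspects:", flag_enumeration(log))
```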
#15. Which of the following is an incorrect mapping of information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC)?
〇:ISO / IEC 27005 – Guidelines for Bodies Providing Audits and Certification of Information Security Management Systems
The ISO / IEC 27005 standard is a guideline for information security risk management. ISO / IEC 27005 is an international standard on how risk management should be implemented within the framework of an ISMS.
×:ISO / IEC 27002 – Code of practice for information security management
This is not correct because it is a code of practice for information security management. Therefore, it has the correct mapping. ISO / IEC 27002 provides best practice recommendations and guidelines for starting, implementing, or maintaining an ISMS.
×:ISO / IEC 27003 – ISMS Implementation Guidelines
This is incorrect as it is a guideline for ISMS implementation. Therefore, it has the correct mapping. It focuses on the key aspects necessary for the successful design and implementation of an ISMS according to ISO / IEC 27001:2005, and describes the ISMS specification and design process from its inception to the creation of an implementation plan.
×:ISO / IEC 27004 – Guidelines for Information Security Management Measurement and Metrics Framework
This is incorrect because it is a guideline for an information security management measurement and metrics framework. Therefore, it has the correct mapping. It provides guidance on the development and use of measures to assess the effectiveness of an ISMS and a group of controls or controls, as specified in ISO / IEC 27001.
#16. Lee is the new security manager responsible for ensuring that his company complies with the European Union Principles on Privacy when interacting with its European partners. Which of the following laws or regulations contain a set of principles dealing with the transmission of data that is considered private?
〇:Data Protection Directive
In many cases, the European Union (EU) takes personal privacy more seriously than most other countries in the world and therefore adheres to strict laws regarding data considered personal information based on the European Union Principles for the Protection of Personal Data. This set of principles addresses the use and communication of information that is considered private in nature. These principles and how to comply with them are contained in the EU Data Protection Directive. All European states must comply with these principles, and all companies doing business with EU companies must follow this directive if their business involves the exchange of privacy-type data.
×:Organization for Economic Cooperation and Development (OECD)
This is incorrect because the Organization for Economic Cooperation and Development (OECD) is an international organization that brings together different governments to help address the economic, social, and governance challenges of a globalized economy. To that end, the OECD has developed guidelines for its member nations to ensure that data is properly protected and that everyone adheres to the same kinds of rules.
×:Federal Private Sector Bill
The Federal Private Sector Bill is incorrect. There is no official bill by this name.
×:Privacy Protection Act
The Privacy Protection Act is the wrong answer. There is no official legislation by this name.
#17. Which of the following cannot be said to be privacy information under the concept of information security?
Student numbers, which are left to the control of each school, cannot be considered privacy information because they are not sufficient information to identify an individual.
#18. Which attacks occur regardless of system architecture and installed software?
〇:Social Engineering
Social engineering is an attack that exploits human error rather than flaws in the system. It occurs regardless of system architecture and installed software.
×:DDoS Attacks
A DDoS attack is a mass DoS attack against a target website or server from multiple computers.
×:Ransomware
Ransomware is malware that freezes data by encrypting it and demands a ransom from the owner.
×:Zero-day attacks
A zero-day attack is an attack that exploits a vulnerability before a fix for it is available.
#19. Which of the following is not part of the CIA triad acronym?
CIA stands for Confidentiality, Integrity, and Availability.
#20. Which of the following are effective methods that you as a software system administrator can implement to prevent significant damage?
〇:Regular software updates
You are the system administrator. As an administrator, what you should be doing is updating software on a regular basis. Therefore, the correct answer is “regular software updates”.
Other options may also be things you should do, but the actual exam also tests your ability to choose the better of two plausible answers.
×:Sophisticated product selection
In most cases, products that meet the requirements will be selected in accordance with the Request for Proposal (RFP) presented by the customer. Existing system administrators may be involved in some of these discussions, but this is not an appropriate response.
×:Early reporting to your supervisor
In all jobs, reporting to the supervisor is probably an essential part of the job. Here, however, it is more appropriate to focus on your position as a software system administrator.
×:Human resources to monitor the system
Having staff on site to monitor the system may allow you to deal with problems in a timely manner. Here, however, it is more appropriate to focus on your position as the software system administrator.