Domain 1 Exam.
A minimum of 70% is required to pass.
#1. Matthew, the company’s business continuity coordinator, helps recruit members to the Business Continuity Plan (BCP) Committee. Which of the following is an incorrect explanation?
〇：Meetings should be conducted with a fixed number of members and should be as small as possible.
The BCP committee should be large enough to represent each department within the organization. It should consist of people who are familiar with the different departments within the company, as each department has unique functions and unique risks and threats. All issues and threats can only be identified when they are brought to the committee and discussed, and this cannot be done effectively with a few divisions or a few people. The committee must consist of at least business unit, senior management, IT, security, communications, and legal personnel.
Conducting meetings with a fixed number of members, and as few as possible, is not entirely wrong if read as “a small elite group”. However, on the exam you must know which answer is the “best” one and choose it.
×：Committee members should be involved in the planning, testing, and implementation phases.
The answer is incorrect because it is correct that committee members need to be involved in the planning, testing, and implementation phases. If Matthew, the coordinator of the BCP, is a good business leader, he will consider that it is best to make team members feel ownership over their duties and roles. The people who develop the BCP must also be the ones who implement it. If some critical tasks are expected to be performed during a time of crisis, additional attention should be given during the planning and testing phase.
×：The business continuity coordinator should work with management to appoint committee members.
This is incorrect because the BCP coordinator should work with management to appoint committee members. However, management’s involvement does not end there. The BCP team should work with management to finalize the goals of the plan, identify the critical parts of the business that must be handled first in the event of a disaster, and identify department and task priorities. Management also needs to help direct the team on the scope and specific goals of the project.
×：The team should consist of people from different departments within the company.
This is incorrect because the team should consist of people from different departments within the company. This is the only way for the team to consider the risks and threats that each department faces within the organization.
#2. Which of the following cannot be said to be privacy information under the concept of information security?
#3. They downloaded and ran an application via the Internet that looked useful, and now their computer won’t run at all. What type of malware is this?
A Trojan horse is malware disguised as something harmless or useful that does its damage once it is run. Have you ever downloaded an image that turned out to be nasty, and suddenly your computer stopped working?
Spyware is malware that does its damage while appearing harmless: it secretly sends information from your computer to the outside.
A virus is malware that attaches itself to other programs and can spread without user intervention. It may look harmless, but it does not match this scenario, in which the user downloaded and ran an application.
A data diddler is malware that gradually changes data over time.
#4. Which of the following describes the relationship between COBIT and ITIL?
〇：COBIT defines IT goals, ITIL provides process-level procedures
COBIT is a framework developed by ISACA (formerly the Information Systems Audit and Control Association) and the IT Governance Institute (ITGI). It defines goals for controls, not just security needs, to ensure that IT is properly managed and that IT is responsive to business needs. The IT Infrastructure Library (ITIL) is the de facto standard for IT service management best practices. A customizable framework, ITIL provides goals, the general activities required to achieve these goals, and the inputs and outputs of each process required to achieve them. In essence, COBIT addresses “what needs to be accomplished” and ITIL addresses “how to accomplish it”.
×：COBIT is a model of IT governance, ITIL is a model of corporate governance.
This is incorrect because, while COBIT can be used as a model for IT governance, ITIL is not a model for corporate governance. In fact, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework is a model of corporate governance, and COBIT is derived from it. COBIT can be thought of as a way to accomplish many COSO goals, but only from an IT perspective. To achieve many of the goals addressed in COBIT, organizations can use ITIL, which provides process-level steps to achieve IT service management goals.
×：COBIT is a model for corporate governance, ITIL is customizable for IT service management.
This is incorrect because, as mentioned above, COBIT is a model for IT governance, not corporate governance; COSO is the model of corporate governance. The second half of the answer is correct: ITIL is a customizable framework for IT service management and is available either as a series of books or online.
×：COBIT provides a business objectives framework, ITIL provides an IT service level objectives framework.
This is inappropriate because COBIT defines the control objectives that should be used to properly manage IT, enabling IT to address business needs as well as IT security needs. ITIL provides steps to achieve IT service management goals related to business needs. ITIL was created because of the increased reliance on information technology to meet business needs.
#5. What is called taking reasonable action to prevent a security breach?
Due care means that the company does everything it could reasonably have done to prevent a security breach under the circumstances, and takes appropriate control and action in the event of a breach. In short, it means that the company acts responsibly by practicing common sense and prudent management. If a company’s facility is not fire-resistant and burns down, the arsonist is only one part of the tragedy. The company is responsible for providing fire-resistant building materials, alarms, exits, fire extinguishers, and backup fire detection and suppression systems, and for protecting the specific areas holding critical information that could be affected by a fire. If a fire burned the company’s building and all records (customer data, inventory records, and the information needed to rebuild the business) were lost, the company would have failed to take precautions against that loss, for example backing up to an off-site location. In that case, employees, shareholders, customers, and anyone else affected could potentially sue the company. However, if the company has done everything expected of it on the points mentioned so far, it is difficult to sue it successfully; such a suit succeeds only when due care was not taken.
This is incorrect because one firm’s activities (or lack thereof) may have a negative impact on other firms. If a company fails to provide the required level of protection and its negligence affects the partners with whom it cooperates, the affected company can sue the upstream company. For example, suppose Company A and Company B have built an extranet. Company A has not implemented controls to detect and address viruses. Company A is infected with a harmful virus, which infects Company B through the extranet. The virus destroys critical data and causes a major disruption to Company B’s production. Company B can therefore sue Company A for negligence. This is an example of downstream liability.
This is incorrect because responsibility generally refers to the obligations and expected behavior or actions of a particular party. An obligation can come with a defined set of specific required actions, or it can take a more general and open approach that lets the parties determine how to fulfill it.
This is a plausible but not the best answer to this question. Unlike the other answers, it is not considered a legal term. Due diligence means that the firm has properly investigated all of its possible weaknesses and vulnerabilities. Before you can understand how to protect yourself properly, you need to know what you are protecting. To understand the real level of risk, investigate and assess the real level of vulnerability. Only after these steps and assessments have been made can effective controls and protective measures be identified and implemented. Due diligence means identifying all potential risks; taking the appropriate response that actually mitigates them is a separate matter, and that is what this question asks about.
#6. Sue is charged with implementing several security controls to protect the company’s e-mail system, including antivirus and antispam software. What approach does her company take to address the risks posed by its systems?
Risk can be addressed in four basic ways: transfer, avoidance, mitigation, and acceptance. Sue reduces the risk posed by her e-mail system by implementing security controls such as antivirus and anti-spam software. This is also referred to as risk mitigation, where risk is reduced to a level considered acceptable. Risk can be mitigated by improving procedures, changing the environment, erecting barriers to threats, and implementing early detection techniques to stop threats when they occur and reduce damage.
This is incorrect because risk acceptance does not involve spending on protection or countermeasures such as antivirus software. When accepting a risk, one should be aware of the level of risk faced and the potential damage costs, and decide to keep it without implementing countermeasures. If the cost/benefit analysis indicates that the cost of countermeasures exceeds the potential losses, many companies will accept the risk.
This is incorrect because risk avoidance would mean discontinuing the activity that is causing the risk. In this case, Sue’s firm has decided to continue using e-mail. A company may choose to terminate an activity that introduces risk if the risk outweighs the business need for the activity. For example, a company may choose to block social media websites in some departments because of the risk to employee productivity.
This is incorrect because risk transfer involves sharing risk with other entities, as in purchasing insurance to transfer some of the risk to the insurance company. Many types of insurance are available to firms to protect their assets. If a company determines that its total or residual risk is too high to gamble on, it can purchase insurance.
#7. What vulnerability makes it logically possible for an attacker to guess a URL that he or she does not know?
#8. There are three core rules in the U.S. HIPAA. Which of the following is NOT a core rule?
#9. There are guidelines for enabling secure remote management. Which of the following is NOT one of those guidelines?
〇：Telnet must be used to send commands and data.
Telnet sends all data, including administrator credentials, in plain text and should not be allowed for remote administration. This type of communication should be via a more secure protocol, such as SSH.
×：Only a small number of administrators should be allowed to perform remote functions.
Wrong, as it is true that only a few administrators should be able to perform remote functions. This minimizes the risk to the network.
×：Critical systems should be managed locally, not remotely.
Wrong because it is true that critical systems need to be managed locally, not remotely. It is safer to send management commands on an internal private network than over a public network.
×：Strong authentication is required.
Wrong because it is true that strong authentication is required for any management activity. Anything weaker than strong authentication, such as a simple password, makes it easy for an attacker to break in and gain administrative access.
#10. A middle school student, concerned about his future, wants to attack a political institution. How is this student classified as an attacker?
#11. It is not uncommon for business continuity plans to become outdated. What should you do to ensure that your plan does not become outdated?
〇：Business Continuity Processes Integrate Change Management Processes
Unfortunately, business continuity plans can quickly become outdated. An outdated BCP can give a company a false sense of security, which can be fatal if a disaster actually occurs. One of the simplest, most cost-effective, and process-efficient ways to keep your plan current is to incorporate it into your organization’s change management process. Are new applications, equipment, and services documented? Are updates and patches documented? The change management process should be updated to incorporate fields and triggers that alert the BCP team when significant changes occur and provide a means to update recovery documentation. Other measures that keep the BCP up to date include making business continuity part of all business decisions, keeping personnel assigned to evaluate the plan, and conducting regular training on using the plan.
×：Update hardware, software, and application changes
This is incorrect because hardware, software, and application changes occur frequently; unless the BCP is part of the change management process, these changes will not be reflected in the BCP. The BCP should be updated whenever the environment changes. If it is not updated after a change, it is out of date.
×：Infrastructure and Environment Change Updates
This is incorrect because infrastructure and environment changes occur frequently. Unless the BCP is part of the change management process, infrastructure and environment changes, like software, hardware, and application changes, are unlikely to find their way into the BCP.
This is incorrect, although it is also a way in which the plan may become obsolete. It is not uncommon for BCPs to be abandoned when the person or persons responsible for maintaining them leave the company. These responsibilities must be reassigned. To ensure this, maintenance responsibilities must be built into job descriptions and properly monitored.
#12. NIST defines best practices for creating a continuity plan. Which phases identify and prioritize critical functions and systems?
〇：Conduct business impact analysis
While there is no fixed formula that must be followed to create a continuity plan, certain best practices have been proven over time. The National Institute of Standards and Technology (NIST) is responsible for developing and documenting many of these best practices so that they are readily available to all. NIST outlines seven steps in Special Publication 800-34 Rev 1, Contingency Planning Guide for Federal Information Systems: (1) develop the contingency planning policy statement, (2) conduct a business impact analysis, (3) identify preventive controls, (4) create contingency strategies, (5) develop an information system contingency plan, (6) ensure plan testing, training, and exercises, and (7) ensure plan maintenance. Conducting the business impact analysis means identifying critical functions and systems and prioritizing them as needed. It also includes identifying vulnerabilities and threats and calculating risks.
×：Identify preventive controls
This is incorrect because preventive controls are identified only after critical functions and systems have been prioritized and their vulnerabilities, threats, and risks identified (all of which are part of the business impact analysis). Conducting the business impact analysis is step 2 in creating a continuity plan; identifying preventive controls is step 3.
×：Develop a Continuity Plan Policy Statement
This is incorrect because you need to create a policy that provides the guidance needed to develop a business continuity plan and assigns authority to the roles needed to perform these tasks. This is the first step in creating a business continuity plan and is done before identifying and prioritizing critical systems and functions that are part of the business impact analysis.
×：Create contingency strategies
Creating a contingency strategy is incorrect because it requires formulating a method to ensure that systems and critical functions are brought online quickly. Before this can be done, a business impact analysis must be performed to determine critical systems and functions and prioritize them during recovery.
#13. What kind of person does the word sabotage, the root of the word sabotage, refer to?
#14. Which of the following is NOT an appropriate reason to develop and implement a disaster recovery plan?
〇：To create an overview of business functions and systems
Outlining business functions and systems is not a reason to create and execute a disaster recovery plan. While these tasks are likely to be accomplished as a result of the disaster recovery plan, they are not a valid reason to implement the plan compared to the other answers to the question. This outlining usually occurs during the planning process, but by itself it is not a reason to develop and implement a disaster recovery plan.
×：To create post-disaster recovery procedures
This is incorrect because providing post-disaster recovery procedures is a good reason to develop and implement a disaster recovery plan. In fact, this is exactly what a disaster recovery plan provides. The goal of disaster recovery is to take the necessary steps to minimize the impact of a disaster and ensure that resources, personnel, and business processes can resume operations in a timely manner. The goal of a disaster recovery plan is to handle the disaster and its consequences in the immediate aftermath.
×：To back up data and create backup operating procedures
This is incorrect because backing up data, and extending backups to operating procedures as well, is a good reason to develop and implement a disaster recovery plan. When considering a disaster recovery plan, some companies focus primarily on backing up data and providing redundant hardware. While these items are very important, they are only a small part of a company’s overall operations. Hardware and computers need people to configure and operate them, and data is usually not useful unless it can be accessed by other systems or outside entities. All of these may need backups as well, not just the data.
×：To establish emergency response procedures
This is incorrect because providing emergency response procedures is a valid reason to establish and implement a disaster recovery plan. Disaster recovery plans are put into action when everything is in emergency mode and everyone is scrambling to get all critical systems back online. Carefully written procedures make this entire process much more effective.
#15. Marks is a security auditor. He would like to submit a system log as court evidence of unauthorized access. What requirement must the system log meet?
〇：System logs that operate and are acquired on a daily basis
To determine whether access was unauthorized, it is necessary to show how the access differs from normal usage, which requires logs that are collected routinely. Logs that are not routinely obtained are also less reliable as legal evidence.
×：System logs from sophisticated products that comply with international standards
Product sophistication is not a requirement for legal evidence. Conversely, logs from software developed in-house are not excluded from use as legal evidence.
×：System logs printed and stored as physical media
Whether or not logs are printed is not a legal requirement. Since the records are produced by software and merely printed out, they are not purely physical evidence.
×：System logs close to the infrastructure recorded at the OS layer
Logs close to the OS layer have greater systemic traceability, but they are also less relevant to user operations and are not suitable as evidence of unauthorized access.
#16. Which of the following are effective methods that you as a software system administrator can implement to prevent significant damage?
〇：Regular software updates
You are the system administrator. As an administrator, what you should be doing is updating software on a regular basis. Therefore, the correct answer is “regular software updates”.
Other options may also be things you should do, but choosing the best of several plausible answers is also tested in the actual exam.
×：Sophisticated product selection
In most cases, products that meet the requirements will be selected in accordance with the Request for Proposal (RFP) presented by the customer. Existing system administrators may be involved in some of these discussions, but this is not an appropriate response.
×：Early reporting to your supervisor
In all jobs, reporting to the supervisor is probably an essential part of the job. Here, however, it is more appropriate to focus on your position as a software system administrator.
×：Human resources to monitor the system
Having staff on site to monitor the system may allow you to deal with problems in a timely manner. However, here it is more appropriate to focus on your position as a software system administrator.
#17. Which of the following is an incorrect mapping of information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC)?
〇：ISO / IEC 27005 – Guidelines for Bodies Providing Audits and Certification of Information Security Management Systems
The ISO / IEC 27005 standard is a guideline for information security risk management. ISO / IEC 27005 is an international standard on how risk management should be implemented within the framework of an ISMS.
×：ISO / IEC 27002 – Code of practice for information security management
This is incorrect because ISO / IEC 27002 is indeed a code of practice for information security management, so the mapping is correct. ISO / IEC 27002 provides best practice recommendations and guidelines for starting, implementing, or maintaining an ISMS.
×：ISO / IEC 27003 – ISMS Implementation Guidelines
This is incorrect because ISO / IEC 27003 is indeed a guideline for ISMS implementation, so the mapping is correct. It focuses on the key aspects necessary for the successful design and implementation of an ISMS according to ISO / IEC 27001:2005, and describes the ISMS specification and design process from its inception to the creation of an implementation plan.
×：ISO / IEC 27004 – Guidelines for Information Security Management Measurement and Metrics Framework
This is incorrect because ISO / IEC 27004 is indeed a guideline for an information security management measurement and metrics framework, so the mapping is correct. It provides guidance on the development and use of measures to assess the effectiveness of an ISMS and of controls or groups of controls, as specified in ISO / IEC 27001.
#18. Which is the first step in a business impact analysis?
〇：Creating Data Collection Techniques
Of the steps listed, the first step in a Business Impact Analysis (BIA) is to create data collection techniques. The BCP committee will use questionnaires, surveys, and interviews to collect information from key personnel on how different tasks are accomplished within the organization, along with any relevant dependencies between processes, transactions, or services. Process flow diagrams should be created from this data and used throughout the BIA and the planning and development phases.
×：Risk calculations for each different business function
This is incorrect because the risk for each business function is calculated after the business function has been identified. And before that happens, the BCP team needs to collect data from key personnel. To calculate the risk for each business function, qualitative and quantitative impact information must be collected, properly analyzed, and interpreted. Once the data analysis is complete, it should be reviewed with the most knowledgeable people in the company to ensure that the results are relevant and to explain the actual risks and impacts facing the organization. This will flush out any additional data points that were not captured initially and allow for a full understanding of all possible business impacts.
×：Identifying Critical Business Functions
This is incorrect because critical business functions are identified after the BCP committee has learned about the business functions that exist by interviewing and surveying key individuals. Once the data collection phase is complete, the BCP committee conducts an analysis to determine which processes, devices, or business activities are critical. If a system stands on its own, does not affect other systems, and is less critical, it can be classified as a Tier 2 or Tier 3 recovery step. In other words, these resources are not addressed in the recovery phase until the most critical (Tier 1) resources are up and running.
×：Vulnerability and Threat Identification to Business Functions
This is incorrect because identifying vulnerabilities and threats to business functions comes toward the end of the business impact analysis; it is the last of the steps listed in the answer choices. Threats can be man-made, natural, or technical. It is important to identify all possible threats and estimate their likelihood of occurring. When developing these plans, some issues may not be immediately apparent; these are best addressed by groups conducting scenario-based exercises. This ensures that when a threat becomes reality, the plan addresses its impact on all business tasks, departments, and critical operations. The more issues that are planned for, the better prepared you will be should these events occur.