〇：It encompasses network and code analysis and is sometimes referred to as electronic data discovery.

Forensics is the analysis of electronic data that may have been affected by technology, authentication, and criminal activity requiring special techniques to ensure the preservation of information. It comes together of computer science, information technology and engineering in the legal system. When discussing digital forensics with others, it may be described as computer forensics, network forensics, electronic data discovery, cyber forensics, etc.

×：The study of computer technology.

Digital forensics is incorrect because it involves information technology rather than research. It encompasses the study of information technology, but also includes collecting and protecting evidence and working within specific legal systems.

×：A set of hardware-specific processes that must be followed in order for evidence to be admissible in court.

Digital forensics is incorrect because it does not refer to hardware or software. It is a set of specific processes related to computer usage, examination of residual data, technical analysis and description of technical characteristics of the data, and reconstruction of the authentication of data by computer usage that must be followed for the evidence to be admissible in court.

×：Before an incident occurs, digital forensics roles and responsibilities should be assigned to network administrators.

This is wrong because digital forensics must be done by people with the proper training and skill set who could not possibly be administrators or network administrators. Digital forensics can be fragile and must have been worked on properly. If someone reboots an attacked system or inspects various files, it could corrupt and change executable evidence, key file timestamps, and erase any footprints the criminal may have left behind.

〇：System logs that operate and are acquired on a daily basis

It is necessary to show that the logs are different from common usage in order to determine whether the access is unauthorized or not. Also, it is less reliable as legal evidence regarding logs that are not routinely obtained.

×：System logs from sophisticated products that comply with international standards

Market sophistication is not a requirement for legal evidence. Conversely, it is unlikely that software developed in-house cannot be used for legal archives.

×：System logs printed and stored as physical media

Whether or not logs are printed is not necessarily a legal requirement. Since the records are printed out as software, they are not purely physical evidence.

×：System logs close to the infrastructure recorded at the OS layer

Logs close to the OS layer have greater systemic traceability, but they are also less relevant to user operations and are not suitable as evidence of unauthorized access.

The EU Data Protection Directive is a very aggressive privacy law. Organizations must inform individuals how their data is collected and used. Organizations must allow people to opt out of data sharing with third parties. Opt-in is required to share the most sensitive data. No transmissions from the EU unless the recipient country is found to have adequate (equivalent) privacy protections, and the U.S. does not meet this standard.

〇：Considering an architecture that can handle health information.

Carol is a systems engineer and is expected to explore systemic realities. It is likely that she is deviating from her role to preemptively explain why it cannot be done systemically, to modify approvals other than the system configuration, or to initiate legal work. The correct answer, therefore, is, “Think about an architecture that can handle health information.” The correct answer would be

×：To address the dangers of handling health information in the system.

The basic stance of a system engineer is to obtain feasibility as a system. Although it is necessary to supplement the danger to the proposed idea, appealing the danger should not be the main purpose.

×：Obtaining permission to entrust health information from a medical institution.

A contract should be signed and the legal scope of responsibility should be clarified. This is outside the scope of the system engineer’s scope.

×：To prepare a written consent to use for handling health information.

It is necessary to obtain consent for end users before using the service, and the scope of legal responsibility needs to be clarified. This is outside the scope object of the system engineer’s scope.

Student numbers, which are left to the control of each school, cannot be considered privacy information because they are not sufficient information to identify an individual.

〇：Cessation of activities that pose a risk.

This question is about choosing what is not included. Discontinuing an activity that introduces risk is a way to address risk through avoidance. For example, there are many risks surrounding the use of instant messaging (IM) within a company. If a company decides not to allow the use of IM because there is no business need to do so, banning this service is an example of risk avoidance. The risk assessment does not include the implementation of such measures. Therefore, the correct answer is “discontinue the activity that poses a risk”.

×：Asset Identification

This is incorrect because identifying the asset is part of the risk assessment and is required to identify what is not included in the risk assessment. To determine the value of an asset, the asset must first be identified. Identifying and valuing assets is another important task of risk management.

×：Threat Identification

This is incorrect because identifying threats is part of risk assessment and requires identifying what is not included in the risk assessment. A risk exists because a threat could exploit a vulnerability. If there are no threats, there are no risks. Risk links vulnerabilities, threats, and the resulting potential for exploitation to the business.

×：Risk analysis in order of cost

Analyzing risks in order of cost or criticality is part of the risk assessment process and is inappropriate because questions are asked to identify what is not included in the risk assessment. A risk assessment examines and quantifies the risks a company faces. Risks must be addressed in a cost-effective manner. Knowing the severity of the risk allows the organization to determine how to effectively address it.

〇：Creating Data Collection Techniques

Of the steps listed, the first step in a Business Impact Analysis (BIA) is to create a data collection technique. The BCP committee will use questionnaires, surveys, and interviews to collect key person information on how different tasks are accomplished within the organization, along with any relevant dependencies of processes, transactions, or services. Process flow diagrams should be created from this data and used throughout the BIA and planning and development phases.

×：Risk calculations for each different business function

This is incorrect because the risk for each business function is calculated after the business function has been identified. And before that happens, the BCP team needs to collect data from key personnel. To calculate the risk for each business function, qualitative and quantitative impact information must be collected, properly analyzed, and interpreted. Once the data analysis is complete, it should be reviewed with the most knowledgeable people in the company to ensure that the results are relevant and to explain the actual risks and impacts facing the organization. This will flush out any additional data points that were not captured initially and allow for a full understanding of all possible business impacts.

×：Identifying Critical Business Functions

Image B is incorrect because the identification of critical business functions is done after the BCP committee has learned about the business functions that exist by interviewing and surveying key individuals. Once the data collection phase is complete, the BCP committee conducts an analysis to determine which processes, devices, or business activities are critical. If a system stands on its own, does not affect other systems, and is less critical, it can be classified as a Tier 2 or Tier 3 recovery step. In other words, these resources are not processed in the recovery phase until the most critical (Tier 1) resources are up and running.

×：Vulnerability and Threat Identification to Business Functions

This is not the first step and is incorrect because it identifies vulnerabilities and threats to business functions toward the end of the business impact analysis. It is the last of the steps listed in the answer. Threats can be man-made, natural, or technical. It is important to identify all possible threats and estimate their likelihood of occurring. When developing these plans, some issues may not be immediately apparent. These issues are best addressed by groups conducting scenario-based exercises. This ensures that when the threat becomes reality, the plan will have an impact on all business tasks, departments, and critical operations. The more issues that are planned for, the better prepared you will be should these events occur.

〇：DDoS attacks

Availability is one of the properties of the CIA triad that indicates service continuity. An attack that threatens the continuity of service corresponds to a DDoS attack that sends a large number of requests and causes a service outage. Therefore, the correct answer is “DDoS attack”.

×: Wheeling

Whaling is a spear-phishing attack that targets a socially recognized person or organization.

×: TOC/TOU

TOC/TOU is a software bug that occurs when the system is modified between the time a condition is checked and the time the results of that check are used. In many cases, the attack replaces one file with another between looking for the file and reading the file.

×: DRAM

RAM (Random Access Memory) is memory used for CPU and screen displays, etc. DRAM is RAM that is only stored for short periods of time and requires periodic refreshing.

〇：Council of Europe Convention on Cybercrime

The Council of Europe (CoE) Convention on Cybercrime is an example of an attempt to create a standard international response to cybercrime. It is the first international treaty to address computer crime by coordinating national laws and improving investigative techniques and international cooperation. The treaty’s objectives include creating a framework to bind the jurisdiction of the accused and the perpetrators of the crimes. For example, extradition is possible only if the case is a crime in both countries.

×：World Congress Council on Cybercrime

The World Congress Council on Cybercrime is misleading and therefore wrong. The official name of the Convention is the Council of Europe’s Convention on Cybercrime. It establishes comprehensive legislation against cybercrime and serves as a framework for international cooperation among the signatories to the Convention to guide all countries.

×：Organization for Economic Cooperation and Development (OECD)

Image C is wrong because the Organization for Economic Cooperation and Development (OECD) is an international organization that brings together different governments to help address the economic, social, and governance challenges of a globalized economy. For this reason, the OECD has developed national guidelines to ensure that data is properly protected and that everyone adheres to the same kinds of rules.

×：Organization for Cooperation and Development in Cybercrime

Organization for Cooperation and Development of Cybercrime is the wrong answer. There is no formal entity of this name.

〇：Business Continuity Processes Integrate Change Management Processes

Unfortunately, business continuity plans can quickly become outdated. An outdated BCP can give a company a false sense of security, which can be fatal if a disaster actually occurs. One of the simplest, most cost-effective, and process-efficient ways to keep your plan current is to incorporate it into your organization’s change management process. Are new applications, equipment, and services documented? Are updates and patches documented? The change management process should be updated to incorporate fields and triggers that alert the BCP team when significant changes occur and provide a means to update recovery documentation. Ensure that the BCP is kept up-to-date, and other measures include maintaining personnel evaluations of the plan and conducting regular training on using the plan, such as making business continuity part of all business decisions.

×：Update hardware, software, and application changes

Wrong because hardware, software, and application changes occur frequently; unless the BCP is part of a change management process, these changes are not included in the BCP. The BCP should be updated when changes to the environment occur. If it is not updated after a change, it is out of date.

×：Infrastructure and Environment Change Updates

Incorrect because infrastructure and environment changes occur frequently. Unless the BCP is part of a change management process, as with software, hardware, and application changes, infrastructure and environment changes are unlikely to result in a transition to the BCP.

×：Personnel changes

Incorrect, as the plan may become obsolete. It is not uncommon for BCPs to be abandoned when the person or persons responsible for maintenance leave the company. These responsibilities must be reassigned. To ensure this, maintenance responsibilities must be built into job descriptions and properly monitored.

〇：COBIT defines IT goals, ITIL provides process-level procedures

COBIT is a framework developed by ISACA (formerly the Information Systems Audit and Controls) and the IT Governance Institute (ITGI). It defines goals for controls, not just security needs, to ensure that IT is properly managed and that IT is responsive to business needs. The IT Infrastructure Library (ITIL) is the de facto standard for IT service management best practices. A customizable framework, ITIL provides goals, the general activities required to achieve these goals, and the input and output values for each process required to achieve these determined goals. In essence, COBIT addresses “what needs to be accomplished” and ITIL addresses “how to accomplish”.

×：COBIT is a model of IT governance, ITIL is a model of corporate governance.

While COBIT can be used as a model for IT governance, ITIL is wrong because it is not a model for corporate governance. In fact, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a model of corporate governance. COBIT is derived from the COSO framework. COBIT can be thought of as a way to accomplish many COSO goals, but only from an IT perspective. To achieve many of the goals addressed in COBIT, organizations can use ITIL, which provides process-level steps to achieve IT service management goals.

×：COBIT is a model for corporate governance, ITIL is customizable for IT service management.

As mentioned above, COBIT is incorrect because it can be used as a model for IT governance, not corporate governance. COSO is a model of corporate governance. The second half of the answer is correct. ITIL is a customizable framework and is available as either a series of books or online for IT service management.

×：COBIT provides a business objectives framework, ITIL provides an IT service level objectives framework.

This is inappropriate because COBIT defines the control objectives that should be used to properly manage IT, enabling IT to address business needs as well as IT security needs. ITIL provides steps to achieve IT service management goals related to business needs. ITIL was created because of the increased reliance on information technology to meet business needs.

The 2001 terrorist attacks triggered the development of various laws against terrorism. Therefore, the correct answer is “2001,September 11 attacks”.

〇：Yes. The same goal should be held because there is security in achieving corporate goals.

There are KPIs and other marketin indicators to achieve organizational goals. Developing a security function in the organization also exists to achieve these goals.

×：Yes. Marketing in the security industry is allowed to be risk-off.

By “marketing in the security industry,” I do not mean aligning the security function within the organization.

×：No. The division of labor should be strictly enforced and left to specialists.

While the division of labor in an organization is certainly important, all members of the organization need to be security conscious.

×：No. Security has nothing to do with confidential information that would be an executive decision.

Security should be addressed by the entire organization. It is not irrelevant.

〇：Security Management Committee

Steve serves on the Security Steering Committee, which is responsible for making decisions on tactical and strategic security issues within the company. The committee consists of individuals from across the organization and should meet at least quarterly. In addition to the responsibilities outlined in this question, the Security Steering Committee is responsible for establishing a clearly defined vision statement that supports it in cooperation with the organizational intent of the business. It should provide support for the goals of confidentiality, integrity, and availability as they relate to the business goals of the organization. This vision statement should be supported by a mission statement that provides support and definition to the processes that apply to the organization and enable it to reach its business goals.

Each organization may call it by a different name, or they may be entrusted with a series of definition-to-approval processes for security. In this case, the term “operations” is the closest that comes to mind.

×：Security Policy Committee

This is incorrect because senior management is the committee that develops the security policy. Usually, senior management has this responsibility unless they delegate it to an officer or committee. The security policy determines the role that security plays within the organization. It can be organizational, issue specific, or system specific. The Governing Board does not directly create the policy, but reviews and approves it if acceptable.

×：Audit Committee

Incorrect because it provides independent and open communication between the Board of Directors, management, internal auditors, and external auditors. Its responsibilities include the system of internal controls, the engagement and performance of the independent auditors, and the performance of the internal audit function. The Audit Committee reports its findings to the Governing Board, but does not fail to oversee and approve the security program.

×：Risk Management Committee

Incorrect as it is to understand the risks facing the organization and work with senior management to bring the risks down to acceptable levels. This committee does not oversee the security program. The Security Steering Committee typically reports its findings to the Risk Management Committee on information security. The risk management committee should consider the entire business risk, not just the IT security risk.

A security document documents the security to be achieved.” To achieve “strong security” a clear definition is needed. Since the definition varies from organization to organization, it is necessary to put it in writing. There are five documents, with policy at the top, each of which is mandatory or optional.

〇：Digital Millennium Copyright Act

The Digital Millennium Copyright Act (DMCA) is a U.S. copyright law that makes it a crime, among other things, for technology to infringe upon the access control measures established to protect copyrighted material. Therefore, the correct answer is “Digital Millennium Copyright Act.

If you find a way to “unlock” a proprietary method of protecting an e-book, you can charge this act. Even if you do not share the actual copyrighted book with anyone, the specific law has been broken and you will be convicted.

×：COPPA

The Children’s Online Privacy Protection Act (COPPA) is a law that allows for the safe use of children’s sites on the Internet and prohibits children from being put at risk if they do not have any terms and conditions The law prohibits children from being endangered without any terms and conditions so that they can safely use the Internet for children.

×：Federal Privacy Act

There is no such law, but a close equivalent is the U.S. Federal Data Privacy Act. This would be a comprehensive privacy law at the federal level in the United States.

×：GDPR

The General Data Protection Regulation (GDPR) is a privacy law for EU citizens that is a stricter version of the Data Protection Directive.

This is a “non-ethics item” question.

A statement is made by the Internet Activities Board (IAB) to those who use the Internet about the correct use of Internet resources.

• Attempting to obtain unauthorized access to Internet resources.
• Disrupting the intended use of the Internet.
• Wasting resources (people, capabilities, and computers) through such activities.
• Destroying the integrity of computer-based information.
• Violating the privacy of users.

Awareness is to inform the organization’s members of the information they already have in order to make them more vigilant again. Tranning is the input of information that is unknown to the members of the organization. Therefore, the difference between awareness-raising and tranning is whether the target audience is already aware of the information.

〇：All security activities shall be conducted within the security department.

When all security activities are performed within the security department, security functions within a silo and is not integrated throughout the organization. In companies that have a security governance program in place, security responsibilities are pervasive throughout the organization, from senior management down the chain of command. A common scenario is executive management with the executive director of operations responsible for risk management activities for a particular business unit. Additionally, employees are responsible for malicious or accidental security breaches.

×：Officers will be updated quarterly on the company’s security status.

Incorrect. Security governance is providing strategic guidance, ensuring that goals are being met, risks are properly managed, and resources are used responsibly. Organizations with a security governance program have a board of directors that understands the importance of security and is aware of the organization’s security performance and breaches.

×：Deploy security products, services, and consultants in an informed manner.

Security governance is incorrect because it is a cohesive system of integrated security components that includes products, people, training, and processes. Therefore, organizations that have a security governance program in place will assist consultants with security products, management services, and consultants in an informed manner. They are also constantly reviewed to ensure they are cost effective.

×：The organization establishes metrics and goals for improving security.

inaccurate because security governance requires performance measurement and oversight mechanisms. Organizations that have a security governance program in place are continually reviewing their processes, including security, with the goal of continuous improvement. On the other hand, an organization lacking a security governance program may proceed without analyzing its performance, thus repeating the same mistakes.

〇：Trojan Horse

A Trojan horse is a seemingly harmless piece of malware that is contagious. Have you ever downloaded a nasty image and suddenly your computer stopped working?

×：Spyware

Spyware is malware that looks harmless when it does its evil. It secretly takes information from your computer to the outside.

×：Virus

Viruses are malware that can spread without user intervention and attach itself to other programs. It looks harmless but does not match in that it downloads applications.

×：Data diddlers

A data diddler is malware that gradually changes data over time.