Remote journaling means that a transaction log file, not the file itself, is sent remotely. A transaction is one or more update operations performed on a file. In other words, it is a history of updates to a file. This means that if the original file is lost, it can be reconstructed from the transaction log.

Disaster Recovery Planning (DRP) is the process of creating short-term plans, policies, procedures, and tools to enable the recovery or continuation of critical IT systems in the event of a disaster. It focuses on the IT systems that support critical business functions and how they will be restored after a disaster. For example, it considers what to do if you suffer a distributed denial of service (DDOS) attack, if your servers are compromised, if there is a power outage, etc. BCP is more focused on what should happen and does not necessarily include system requirements.

〇：RAID Level 3

RAID redundant arrays provide fault tolerance capability for hard drives and can improve system performance. Redundancy and speed are provided by splitting data and writing it to multiple disks, allowing different disk heads to operate simultaneously to retrieve requested information. At this time, recovery data is also created. This is called parity; if one disk fails, the parity data can be used to reconstruct the corrupted or lost information. Different levels of RAID systems experience different activities that provide fault tolerance or improved performance. RAID level 3 is a method that uses byte-level striping and dedicated parity disks.

×：RAID Level 0

Wrong because only striping occurs at level 0.

×：RAID Level 5

RAID 5 is incorrect because it uses block-level striping and interleaved parity on all disks.

×：RAID Level 10

Level 10 is incorrect because it is associated with striping and mirroring.

〇：Representatives from each department meet and undergo validation.

Structured walk-through testing allows functional personnel to review the plan as it is fulfilled to ensure its accuracy and validity.

×：Ensures that some systems will run at alternate sites.

This is incorrect because it describes parallel testing.

×：Send a copy of the disaster recovery plan to all departments to verify its completeness.

This is incorrect because it describes a checklist test.

×：Take down the normal operation system.

This is incorrect because it describes a full interruption test.

Clustering is designed for fault tolerance. It is often combined with load balancing, but they are essentially separate. Clustering can make an operation active/active. On top of that, the load balancing feature handles traffic from multiple servers. Active/passive, on the other hand, has a designated primary active server and a secondary passive server, with the passive sending keep-alives or heartbeats every few seconds.

Greenfield is undeveloped land that has not yet been built upon. The perspectives for selecting a site as a data center site include topography, utilities, and public safety.

• Topography refers to the physical shape of the landscape-hills, valleys, trees, streams.
• Utility refers to the degree to which power and internet in the area are reliable.
• Public safety is in terms of how high is the crime rate in the area and how close is the police force.

〇：Control of the processing and distribution process

An important part of the digital forensic process is to maintain a proper chain of custody of evidence.

The question structure assumes Chain of Custody (Chain of Custody) from “the purpose of securing all evidence and notating it as information to be presented to those who verify it” and selects the one that comes closest to the definition.

×：Reasonable care

Wrong because reasonable care implies performing an activity that a reasonable person would be expected to perform under similar circumstances.

×：Investigation

Incorrect because investigation involves the proper collection of relevant data during the incident response process and includes analysis, interpretation, reaction, and recovery.

×：Motive, Opportunity, Means

Motive, Opportunity, and Means (MOM) is incorrect because it is a strategy used to understand why certain crimes were committed and by whom.

〇：Ensure that some systems are executed at the alternate site.

Parallel testing compares how some systems run at the alternate site and how the results are processed at the primary site. This is to assure that systems run at the alternate site and does not affect service productivity.

×：All departments will be sent a copy of the disaster recovery plan for completeness.

This alternative is incorrect because it describes a checklist test.

×：Representatives from each department meet to validate the plan.

This option is incorrect because it describes a structured walk-through test.

×：The normal operation system is taken down.

This option is incorrect because it describes a full interruption test.

Archive bits are those that have been updated since the previous backup point in time. Full backups are full backups, so there is no need to be aware of where changes have occurred. Incremental backups also do not require awareness of change points because the backup portion is predetermined. Therefore, both clear the archive bit. However, differential backups do not clear the archive bit because only the changed part is known to be backed up.

〇：Declare the impact and consequences of the disaster.

The final step in the damage assessment is to declare the disaster. After the information from the damage assessment has been collected and evaluated, determine if the BCP actually needs to be activated. The BCP coordinator and team should determine the activation criteria before the disaster occurs.

×：Determine the cause of the disaster.

Determining the cause of the disaster is incorrect as it is the first step in the damage assessment process.

×：Identify resources that need to be replaced immediately.

Incorrect because identifying resources that need to be replaced immediately is not the last step in damage assessment.

×：Determine how long it will take to bring critical functions back online.

Incorrect because determining how long it will take to bring critical functions back online is the second-to-last step in damage assessment.

〇：Differential Backup

Backups can be taken in full, differential, or incremental. Most files are not changed daily to save very much time and resources, and it is better to develop a backup plan that does not back up for data that is not continually changing. In backup software, when a file is modified or created, the file system sets the archive bit and the backup software determines if that file should be backed up. A differential backup backs up files that have changed since the last full backup.

×：Incremental Backup

An incremental backup backs up all data that has changed since the last backup.

×：Full Backup

A full backup backs up the entire database or the entire system.

×：Partial Backup

Not in the backup category.

〇：Can be the cheapest of the off-site options, but can create many security problems due to mixed operations.

Reciprocal agreements, also called mutual aid, mean that Company A agrees to allow Company B to use its facilities if Company B suffers a disaster, and vice versa. While this is a less expensive way to move than other off-site alternatives, it is not always the best choice. In most environments, the facility has reached its limits regarding the use of space, resources, and computing power. To allow different firms to come in and operate out of the same store could be detrimental to both firms. The stress of both companies working in the same environment can cause tremendous levels of tension. If that did not work out, it would provide the only short-term solution. Configuration management could be a nightmare, and mixing operations could result in many security problems. Reciprocal agreements have been known to work well for certain companies, such as newsprint. These firms require very specific technology and equipment that is not available through any subscription service. For most other organizations, reciprocity agreements are, at best, generally a secondary option for disaster protection.

×：Fully set up and ready to operate within a few hours is the most expensive of the off-site options.

This is a description of a hot site.

×：Inexpensive option, but takes the most time and effort to get up and running after a disaster.

Explanation for cold sites.

×：A good alternative for companies that rely on proprietary software, but regular annual testing is usually not available.

This is incorrect as it describes with respect to companies that depend on proprietary software. Having proprietary software in a shared space with other vendors is basically undesirable from the standpoint of license agreements involved.

〇：Software Escrow

If you do not have access to the software, but the developer may be out of business, you should plan for what to do after that out-of-business event. Software escrow means that the third party retains the source and compiled code, backup manuals, and other support materials. The agreement between the software vendor, the customer, and the third party would typically be that the customer would only have access to the source code when the vendor goes out of business and in the event of the vendor’s inability to fulfill its stated responsibilities or breach of the original agreement. The customer is protected because they can gain access to the source code and other materials through a third-party escrow agent.

×：Reciprocal Treatment Agreement

Although the term “reciprocal treatment agreement” does not exist, a close concept is mutual assistance agreements. A Mutual Assistance Agreement (MAA) is a promise to support each other in the event of a disaster by sharing facilities. There are times when you want to do something about a disaster, but you don’t have the funds to do it. In such a case, you can find a similar organization and agree to cooperate with each other in the event of a disaster.

×：Electronic Data Vault

Electronic data vaulting (e-vaulting) is the use of a remote backup service to electronically transmit backups off-site at regular intervals or when files are changed.

×：Business interruption insurance

Although the term business interruption insurance does not exist, it can be interpreted as a concept similar to insurance in the event of business interruption. Insurance is typically applied against financial risk. In this issue, software escrow is more appropriate because we want to continue access to the software.

〇：Restore the virus unpatched file version from the backup media.

The best practice is to install an unpatched, uninfected version of the file from the backup media. It is important to restore files that are known to be clean, as attempts to remove the files may corrupt them. The most important thing is not to spread the impact, but attempting to unilaterally delete files may make them unavailable for later investigation.

×：Replace the file with the file saved the previous day.

The file saved the previous day may also contain the virus.

×：Delete the file and contact the vendor.

This is an incorrect answer because the condition of this question is that if the file is deleted, the normal file content itself may be damaged.

×：Back up the data and delete the file.

This is an incorrect answer because backing up the data that contains the virus and deleting the file does not result in a clean situation.

〇：Continuity of Operations Plan

A continuity of operations plan (COOP) establishes senior management and post-disaster headquarters. It also outlines roles and authorities and individual role tasks.Creating a COOP begins with an assessment of how the organization operates to identify mission-critical staff, resources, procedures, and equipment. Suppliers, partners, and contractors identify other companies with whom they routinely interact and create a list of these companies. Therefore, the correct answer is the Continuity of Operations Plan.

×：Cyber Incident Response Plan

Cyber Incident Recovery is a plan for recovery from a cyber attack.

×：Crew Emergency Plan

A Crew Emergency Plan is a plan for the smooth transition of a facility’s staff to a secure environment.

×：IT Contingency Plan

A contingency plan is a plan that outlines the measures to be taken in the event of an accident, disaster, or other emergency.

〇：Send a report labeled “No output”.

If there is nothing to report (nothing to report), you need to make sure the manager is aware that the report has no information and is not only to be held accountable.

×：Send an email notifying the manager that there is nothing to report.

It is not appropriate to suddenly keep a record of the report by e-mail, since the report is normally scheduled to be reported in the operation. Realistically, wouldn’t you be more endearing to your manager if you communicated with him or her every step of the way? No, I am not asking you to do that.

×：Re-submit last week’s report and submit the date of last week’s report as this week’s date.

Delivering last week’s report does not express that nothing was reported this week.

×：Nothing.

You are required to report that nothing happened.

Disk mirroring means writing the same data to multiple hard disks; a RAID (Redundant Array of Independent Disks) controller must write all data twice, requiring at least two disks. Disk striping can also be provided when parity is used, but disk striping alone cannot provide redundancy.

Disaster Recovery Planning includes the Mitigation, Preparedness, Response, and Recovery life cycles.

• Mitigation: Reduces the impact and likelihood of a disaster.
• Prepare: Create programs, procedures, and tools for response.
• Response: follow procedures and how to respond to a disaster.
• Recovery: re-establish basic functionality and return to a full production environment.

〇：SIEM

Many organizations have implemented security event management systems, called Security Information and Event Management (SIEM) systems. They attempt to correlate log data collected from various devices (servers, firewalls, routers, etc.) and provide analysis capabilities. They also have solutions with networks (IDS, IPS, anti-malware, proxies, etc.) that collect logs in various proprietary formats that require centralization, standardization, and normalization. Therefore, the correct answer is SIEM.

×：Intrusion Detection System

Intrusion Detection System (IDS, Intrusion Detection System) is a mechanism that monitors the system and leads to passive actions. It does not have the ability to collect and analyze logs.

×：SOAR

SOAR (Security Orchestration, Automation and Response) is a technology that enables efficient monitoring, understanding, decision-making and action on security incidents. It may be fulfilled by SOAR through intrinsic cause analysis, but it is not a solution used for the purpose of identifying if suspicious activity is taking place in the network.

×：Event correlation tools

The term “event correlation tool” does not exist, but may be a feature of a SIEM.