Domain 7 Exam.
A minimum of 70% is required to pass.
#1. Which RAID configuration always provides redundancy?
#2. Which of the following plans would you use to organize information about specific system hardware?
Disaster Recovery Planning (DRP) is the process of creating short-term plans, policies, procedures, and tools to enable the recovery or continuation of critical IT systems in the event of a disaster. It focuses on the IT systems that support critical business functions and how they will be restored after a disaster. For example, it considers what to do if you suffer a distributed denial of service (DDOS) attack, if your servers are compromised, if there is a power outage, etc. BCP is more focused on what should happen and does not necessarily include system requirements.
#3. Which formulas are used in a Business Impact Analysis (BIA) assessment?
#4. Which of the following is the average time it takes to fix and return a broken device?
Mean Time to Repair (MTTR) is the average time it takes to repair a device and return it to pre-failure production. Using a redundant array as an example, MTTR is the time it takes to replace the failed drive after the actual failure is noticed and the time the redundant array has completed rewriting the information on the new drive. Therefore, the correct answer is MTTR.
Service Level Agreements (SLA) are agreements on service quality, such as usage volume and failure recovery.
Hot swapping refers to replacing, attaching, or disconnecting parts, cables, etc. while equipment is still in operation.
Mean Time Between Failures (MTBF) is the average time it takes for a device to fail after repair.
#5. Which of the following backup types does NOT clear the archive bit of the Windows system?
Archive bits are those that have been updated since the previous backup point in time. Full backups are full backups, so there is no need to be aware of where changes have occurred. Incremental backups also do not require awareness of change points because the backup portion is predetermined. Therefore, both clear the archive bit. However, differential backups do not clear the archive bit because only the changed part is known to be backed up.
#6. Server cluster configurations are taken for critical applications, but what functions are achieved by this configuration?
Clustering is designed for fault tolerance. It is often combined with load balancing, but they are essentially separate. Clustering can make an operation active/active. On top of that, the load balancing feature handles traffic from multiple servers. Active/passive, on the other hand, has a designated primary active server and a secondary passive server, with the passive sending keep-alives or heartbeats every few seconds.
#7. The operations team is responsible for ensuring that data is backed up at a regular frequency. Which of the following backs up files that have changed since the last time all data was backed up?
Backups can be taken in full, differential, or incremental. Most files are not changed daily to save very much time and resources, and it is better to develop a backup plan that does not back up for data that is not continually changing. In backup software, when a file is modified or created, the file system sets the archive bit and the backup software determines if that file should be backed up. A differential backup backs up files that have changed since the last full backup.
An incremental backup backs up all data that has changed since the last backup.
A full backup backs up the entire database or the entire system.
Not in the backup category.
#8. Which of the following is a structured walk-through test in disaster recovery testing?
〇：Representatives from each department meet and undergo validation.
Structured walk-through testing allows functional personnel to review the plan as it is fulfilled to ensure its accuracy and validity.
×：Ensures that some systems will run at alternate sites.
This is incorrect because it describes parallel testing.
×：Send a copy of the disaster recovery plan to all departments to verify its completeness.
This is incorrect because it describes a checklist test.
×：Take down the normal operation system.
This is incorrect because it describes a full interruption test.
#9. What type of disaster is an earthquake classified as?
#10. Which of the following is NOT a phase of the Disaster Recovery Planning life cycle?
Disaster Recovery Planning includes the Mitigation, Preparedness, Response, and Recovery life cycles.
- Mitigation: Reduces the impact and likelihood of a disaster.
- Prepare: Create programs, procedures, and tools for response.
- Response: follow procedures and how to respond to a disaster.
- Recovery: re-establish basic functionality and return to a full production environment.
#11. Measuring the damage and recovery requirements by different indicators helps quantify the risk. which is correct about the RPO (Recovery Point Objective) and RTO (Recovery Time Objective)?
RPO (Recovery Point Objective) is the target value for recovering data at a point in the past when a failure occurs. When a failure occurs, the data currently handled is lost. The lost data must be recovered from backups, but it is important to know how far in the past the backups are from the current point in time.
RTO (Recovery Time Objective) is a target value that defines when the data should be recovered in the event of a failure. In the event of a failure, the service must not be unavailable indefinitely. Failure response procedures and disaster drills must be implemented to establish a target value for the time from the occurrence of a failure to the startup of service.
#12. One approach to alternative off-site facilities is to establish a reciprocal agreement. Which of the following describes the pros and cons of a reciprocal agreement?
〇：Can be the cheapest of the off-site options, but can create many security problems due to mixed operations.
Reciprocal agreements, also called mutual aid, mean that Company A agrees to allow Company B to use its facilities if Company B suffers a disaster, and vice versa. While this is a less expensive way to move than other off-site alternatives, it is not always the best choice. In most environments, the facility has reached its limits regarding the use of space, resources, and computing power. To allow different firms to come in and operate out of the same store could be detrimental to both firms. The stress of both companies working in the same environment can cause tremendous levels of tension. If that did not work out, it would provide the only short-term solution. Configuration management could be a nightmare, and mixing operations could result in many security problems. Reciprocal agreements have been known to work well for certain companies, such as newsprint. These firms require very specific technology and equipment that is not available through any subscription service. For most other organizations, reciprocity agreements are, at best, generally a secondary option for disaster protection.
×：Fully set up and ready to operate within a few hours is the most expensive of the off-site options.
This is a description of a hot site.
×：Inexpensive option, but takes the most time and effort to get up and running after a disaster.
Explanation for cold sites.
×：A good alternative for companies that rely on proprietary software, but regular annual testing is usually not available.
This is incorrect as it describes with respect to companies that depend on proprietary software. Having proprietary software in a shared space with other vendors is basically undesirable from the standpoint of license agreements involved.
#13. Which of the following plans is intended to establish a senior management or post-disaster headquarters?
〇：Continuity of Operations Plan
A continuity of operations plan (COOP) establishes senior management and post-disaster headquarters. It also outlines roles and authorities and individual role tasks.Creating a COOP begins with an assessment of how the organization operates to identify mission-critical staff, resources, procedures, and equipment. Suppliers, partners, and contractors identify other companies with whom they routinely interact and create a list of these companies. Therefore, the correct answer is the Continuity of Operations Plan.
×：Cyber Incident Response Plan
Cyber Incident Recovery is a plan for recovery from a cyber attack.
×：Crew Emergency Plan
A Crew Emergency Plan is a plan for the smooth transition of a facility’s staff to a secure environment.
×：IT Contingency Plan
A contingency plan is a plan that outlines the measures to be taken in the event of an accident, disaster, or other emergency.
#14. RAID systems are available in a variety of methods that provide redundancy and performance. Which ones write data divided across multiple drives?
RAID redundant arrays is a technology used for redundancy and performance. It combines multiple physical disks and aggregates them into a logical array; RAID appears as a single drive to applications and other devices. With striping, data is written to all drives. With this activity, data is split and written to multiple drives. Since multiple heads are reading and writing data at the same time, write and read performance is greatly improved.
Parity is used to reconstruct corrupted data.
Writing data to two drives at once is called mirroring.
Hot swap refers to a type of disk found on most RAID systems. A RAID system with hot-swap disks allows the drives to be swapped out while the system is running. When a drive is swapped out or added, parity data is used to rebuild the data on the new disk that was just added.
#15. You are the security administrator for a large retail company. Their network has many different network devices and software appliances that generate logs and audit data. At one point, your staff is trying to determine if any suspicious activity is taking place in the network. However, reviewing all the log files is burdensome. Which of the following is the best solution for your company in this case?
Many organizations have implemented security event management systems, called Security Information and Event Management (SIEM) systems. They attempt to correlate log data collected from various devices (servers, firewalls, routers, etc.) and provide analysis capabilities. They also have solutions with networks (IDS, IPS, anti-malware, proxies, etc.) that collect logs in various proprietary formats that require centralization, standardization, and normalization. Therefore, the correct answer is SIEM.
×：Intrusion Detection System
Intrusion Detection System (IDS, Intrusion Detection System) is a mechanism that monitors the system and leads to passive actions. It does not have the ability to collect and analyze logs.
SOAR (Security Orchestration, Automation and Response) is a technology that enables efficient monitoring, understanding, decision-making and action on security incidents. It may be fulfilled by SOAR through intrinsic cause analysis, but it is not a solution used for the purpose of identifying if suspicious activity is taking place in the network.
×：Event correlation tools
The term “event correlation tool” does not exist, but may be a feature of a SIEM.
#16. In a redundant array in a RAID system, data and parity information is striped across several different disks. What is parity information?
〇：Information used to reconstruct data
RAID can improve system performance by providing fault tolerance to the hard drive and the data it holds. Redundancy and speed are provided by splitting the data and writing it to multiple disks, allowing different disk heads to operate simultaneously to retrieve the requested information. Control data is also distributed across each disk. This is called parity, and if one disk fails, the other disks can work together to recover the data.
×：Information used to create new data
This is incorrect because parity information is not used to create new data, but rather as instructions on how to recreate lost or corrupted data.
×：Information used to erase data
Parity information is not used to erase data. This is incorrect because it is used as instructions on how to recreate lost or corrupted data.
×：Information used to construct data
Parity information is not used to create data. Incorrect because it is used as instructions on how to recreate lost or corrupted data.
#17. The Recovery Time Objective (RTO) and the Maximum Tolerable Downtime (MTD) metric have similar roles, but their values are defined differently. Which of the following best describes the difference between RTO and MTD metrics?
#18. Different levels of RAID determine the type of activity that occurs within a RAID system. Which level of RAID is associated with byte-level parity?
〇：RAID Level 3
RAID redundant arrays provide fault tolerance capability for hard drives and can improve system performance. Redundancy and speed are provided by splitting data and writing it to multiple disks, allowing different disk heads to operate simultaneously to retrieve requested information. At this time, recovery data is also created. This is called parity; if one disk fails, the parity data can be used to reconstruct the corrupted or lost information. Different levels of RAID systems experience different activities that provide fault tolerance or improved performance. RAID level 3 is a method that uses byte-level striping and dedicated parity disks.
×：RAID Level 0
Wrong because only striping occurs at level 0.
×：RAID Level 5
RAID 5 is incorrect because it uses block-level striping and interleaved parity on all disks.
×：RAID Level 10
Level 10 is incorrect because it is associated with striping and mirroring.
#19. You are selecting a site for a new data center and offices. Which of the following is not a valid security concern?
Greenfield is undeveloped land that has not yet been built upon. The perspectives for selecting a site as a data center site include topography, utilities, and public safety.
- Topography refers to the physical shape of the landscape-hills, valleys, trees, streams.
- Utility refers to the degree to which power and internet in the area are reliable.
- Public safety is in terms of how high is the crime rate in the area and how close is the police force.
#20. After a disaster has occurred, an impact assessment must be performed. Which of the following steps is the last one performed in an impact assessment?
〇：Declare the impact and consequences of the disaster.
The final step in the damage assessment is to declare the disaster. After the information from the damage assessment has been collected and evaluated, determine if the BCP actually needs to be activated. The BCP coordinator and team should determine the activation criteria before the disaster occurs.
×：Determine the cause of the disaster.
Determining the cause of the disaster is incorrect as it is the first step in the damage assessment process.
×：Identify resources that need to be replaced immediately.
Incorrect because identifying resources that need to be replaced immediately is not the last step in damage assessment.
×：Determine how long it will take to bring critical functions back online.
Incorrect because determining how long it will take to bring critical functions back online is the second-to-last step in damage assessment.