〇：How to use the data

How data is used does not depend on how sensitive it is. In other words, data is sensitive no matter how it is used, even if it is not used at all.

×：Identifying who needs access to the data

Wrong. This is because data classification criteria must take into account very directly who needs access to the data and their clearance level in order to see sensitive data. If data is classified at too high a level, that user will not have access. If the level is classified too low, an unauthorized user may access the data.

×：Value of the data

This is incorrect because the intrinsic value of the data directly determines the degree of protection. This is determined by its classification. This is true regardless of whether the prioritization must be confidentiality, integrity, or availability.

×：The level of damage that could occur if the data were disclosed.

This is erroneous because the degree of damage that disclosure, modification, or destruction of the data would cause is directly related to the level of protection that must be provided.

〇：DNSSEC

DNSSEC is a set of extensions to the DNS that provide DNS clients (resolvers) with authentication of the origin of DNS data to reduce the threat of DNS poisoning, spoofing, and similar attack types. It is an Internet Engineering Task Force (IETF) specification for securing services.

×：Resource Record

DNS servers contain records that map hostnames to IP addresses, called resource records. The answer is incorrect. When a user’s computer needs to resolve a hostname to an IP address, it looks in its network configuration to find its DNS server. The computer then sends a request containing the hostname to the DNS server for resolution; the DNS server looks at its resource records, finds a record with this particular hostname, retrieves the address, and responds to the computer with the corresponding IP address.

×：Zone Transfer

Primary and secondary DNS servers synchronize their information via zone transfers. The answer is incorrect. After changes are made to the primary DNS server, these changes must be replicated to the secondary DNS server. It is important to configure the DNS servers so that zone transfers can take place between specific servers.

×：Resource Transfer

Equivalent to transferring DNS resource records, but the answer is incorrect.

〇：Dynamic Testing

Dynamic testing is testing that is performed by actually running the developed program. Compared to static testing, it is a practical test in which the program is actually run and checked. Therefore, the correct answer is “dynamic testing.

×：Static Testing

Static testing is testing that is performed without running the developed program.

×：White box testing

White box testing is a test to confirm the operation of a program after understanding the contents of the program.

×：Black box testing

Black box testing is testing to confirm that the program does not behave unexpectedly without understanding the contents of the program.

〇：Security Management Committee

Steve serves on the Security Steering Committee, which is responsible for making decisions on tactical and strategic security issues within the company. The committee consists of individuals from across the organization and should meet at least quarterly. In addition to the responsibilities outlined in this question, the Security Steering Committee is responsible for establishing a clearly defined vision statement that supports it in cooperation with the organizational intent of the business. It should provide support for the goals of confidentiality, integrity, and availability as they relate to the business goals of the organization. This vision statement should be supported by a mission statement that provides support and definition to the processes that apply to the organization and enable it to reach its business goals.

Each organization may call it by a different name, or they may be entrusted with a series of definition-to-approval processes for security. In this case, the term “operations” is the closest that comes to mind.

×：Security Policy Committee

This is incorrect because senior management is the committee that develops the security policy. Usually, senior management has this responsibility unless they delegate it to an officer or committee. The security policy determines the role that security plays within the organization. It can be organizational, issue specific, or system specific. The Governing Board does not directly create the policy, but reviews and approves it if acceptable.

×：Audit Committee

Incorrect because it provides independent and open communication between the Board of Directors, management, internal auditors, and external auditors. Its responsibilities include the system of internal controls, the engagement and performance of the independent auditors, and the performance of the internal audit function. The Audit Committee reports its findings to the Governing Board, but does not fail to oversee and approve the security program.

×：Risk Management Committee

Incorrect as it is to understand the risks facing the organization and work with senior management to bring the risks down to acceptable levels. This committee does not oversee the security program. The Security Steering Committee typically reports its findings to the Risk Management Committee on information security. The risk management committee should consider the entire business risk, not just the IT security risk.

〇：Verifying Data Availability

The responsibility for verifying data availability is the sole responsibility that does not belong to the data (information) owner. Rather, it is the responsibility of the data (information) controller. The data controller is also responsible for maintaining and protecting the data in accordance with the data owner’s instructions. This includes performing regular backups of data, restoring data from backup media, maintaining records of activities, and enforcing information security and data protection requirements in company policies, guidelines, and standards. Data owners work at a higher level than data managers. The data owner basically says, “This is the level of integrity, availability, and confidentiality you need to provide. Please do it now”. The data administrator is executing these permissions and following up on the installed controls to ensure they are working properly.

×：Assigning Information Classification

Incorrect as you are asking if Jim is not responsible for the assignment of information classifications because as the data owner, Jim is responsible for the assignment of information classifications.

×：Determining how to protect data

Incorrect because the data owner, such as Jim, is responsible for determining how the information is protected. The data owner has organizational responsibility for data protection and is liable for any negligence with respect to protecting the organization’s information assets. This means that Jim needs to decide how to protect the information and ensure that the data controller (a role usually occupied by IT or security) is implementing these decisions.

×：Determining how long to retain data

This is incorrect because the decision of how long to retain data is the responsibility of the data owner. The data owner is also responsible for determining who can access the information and ensuring that the appropriate access rights are used. He may approve access requests himself or delegate that function to the business unit manager. The business unit manager approves the request based on the user access criteria defined by the data owner.

〇：Federation Identity

A federation identity is a portable identity and associated credentials that can be used across business boundaries. It allows users to authenticate across multiple IT systems and across the enterprise. Federation Identity is based on linking otherwise distinct identities of users in two or more locations without the need to synchronize or consolidate directory information. Federated Identity is an important component of e-commerce, providing businesses and consumers with a more convenient way to access distributed resources.

×：User Provisioning

User provisioning is incorrect because it refers to the creation, maintenance, and deactivation of user objects and attributes.

×：Directory

While most companies have some type of directory that contains information about company network resources and users, generally these directories are not utilized as spread across different companies. It is true that nowadays, with open APIs and cloud computing, there is a trend to deploy services through a single directory, but the directory service itself does not include resource sharing implications. In other words, it is just used as a shared service.

×：Web Access Management

Web Access Management (WAM) software is incorrect because it controls what users can access when using a Web browser to interact with Web-based corporate assets.

Disasters are classified by cause into natural, human, and environmental categories. Natural disasters are natural, human errors are human, and facilities and equipment are environmental.

Disk mirroring means writing the same data to multiple hard disks; a RAID (Redundant Array of Independent Disks) controller must write all data twice, requiring at least two disks. Disk striping can also be provided when parity is used, but disk striping alone cannot provide redundancy.

〇：Level of insurance required to cover assets.

This question is about choosing what is not used. There are several ways to calculate asset value (AV, Asset Value): the market approach, which refers to similar assets in the market, the income approach, which measures it by the profit it will earn in the future, and the cost approach, which measures it by the cost spent on the asset. The level of insurance needed to cover an asset is a decision made after identifying the asset value and conducting an appropriate risk analysis, allowing the organization to more easily determine the level of insurance coverage to purchase for that asset. Therefore, the correct answer is “level of insurance required to cover the asset”.

×：Value of the asset in the external market.

The technique of referring to similar assets in the market is known as the market approach.

×：Initial costs and outlay for purchasing, licensing, and supporting the asset.

The method of measuring by the cost spent on an asset is known as the cost approach.

×：The value of the asset to the organization’s production operations.

The method of measuring by the profit that will be earned in the future is known as the revenue approach.

〇：For early detection or enclosure in the event of an attack.

Attackers will conduct an investigation before launching a substantial attack. In such cases, a vulnerable network can provide preventative information such as where the attacker is accessing the network from. This is because only an attacker would have the incentive to break into the network. Vulnerable network domains, such as honeypots, make this kind of intrusion easier and clarify the attacker’s behavior. Thus, the correct answer is “to detect or enclose them early in the event of an attack.” will be

×：Debugging environment for when a system outage occurs in the current environment.

The answer is not to intentionally create a vulnerable environment. It is only the result of creating an environment that is vulnerable.

×：Aiming to prevent regressions due to old vulnerabilities.

Even if it is an old vulnerability, it should be addressed and there is no point in allowing it to remain.

×：A special environment for running a product with a low version that is no longer supported.

It is not an answer to intentionally create a vulnerable environment. It is merely the result of creating an environment that is vulnerable.

〇：AS / NZS 4360

AS / NZS 4360 can be used for security risk analysis, but it was not created for that purpose. It takes a much broader approach to risk management than other risk assessment methods, such as NIST or OCTAVE, which focus on IT threats and information security risks. AS / NZS 4360 can be used to understand a firm’s financial, capital, personnel safety, and business decision-making risks.

×：FAP

Incorrect as there is no formal FAP risk analysis methodology.

×：OCTAVE

Image B is incorrect because it focuses on IT threats and information security risks. OCTAVE is intended for use in situations that manage and direct information security risk assessments within an organization. Employees of an organization are empowered to determine the best way to assess security.

×：NIST SP 800-30

Wrong because it is specific to IT threats and how they relate to information threats. Focus is primarily on systems. Data is collected from network and security practices assessments and from people within the organization. Data is used as input values for the risk analysis steps outlined in the 800-30 document.

〇：Primary entry doors should have controlled access via swipe card or cryptographic locks. Secondary doors should not be secured from the inside and allowed entry. 

Data centers, server rooms, and wiring closets should be located in the core areas of the facility, near wiring distribution centers. Strict access control mechanisms and procedures should be implemented for these areas. Access control mechanisms can lock smart card readers, biometric readers, or a combination of these. These restricted areas should have only one access door, but fire code requirements typically dictate that there must be at least two doors in most data centers and server rooms. Only one door should be used for daily entry and exit and the other door should be used only in case of an emergency, i.e., if a fire breaks out in a data center or server room, the door should be locked. This second door should not be an access door, meaning people should not be able to come through this door. It should be locked, but should have a panic bar that will release the lock if it is used as an exit, pushed from the inside.

×：The primary and secondary entry doors must have control access via swipe cards or cryptographic locks.  

This is incorrect because even two entry doors should not be allowed to pass through with the identification, authentication, and authorization process. There should only be one entry point into the server room. No other door should provide an entry point, but can be used for an emergency exit. Therefore, secondary doors should be protected from the inside to prevent intrusion.

×：The primary entry door should have controlled access via a guard. Two doors should not be secured from the inside and allowed entry.

The main entry door to the server room is incorrect as it requires an identification, authentication, and authorization process to be performed. Swipe cards and cryptographic locks perform these functions. Server rooms should ideally not be directly accessible from public areas such as stairways, hallways, loading docks, elevators, and restrooms. This helps prevent foot traffic from casual passersby. Those who are by the door to the area to be secured should have a legitimate reason for being there, as opposed to those on the way to the meeting room, for example.

×：The main entry door must have controlled access via swipe card or crypto lock. Two doors must have security guards.  

Two doors should not have security guards, because it is wrong. The door should be protected from the inside simply so it cannot be used as an entry. Two-door must function as an emergency exit.

〇：Business Case

The most important part of establishing and maintaining a current continuity plan is management support. Management may need to be convinced of the need for such a plan. Therefore, a business case is needed to obtain this support. The business case should include current vulnerabilities, legal obligations, current status of the recovery plan, and recommendations. Management is generally most interested in cost-benefit issues, so preliminary figures can be gathered and potential losses estimated. Decisions about how a company should recover are business decisions and should always be treated as such.

×：Business Impact Analysis

Incorrect because the Business Impact Analysis (BIA) was conducted after the BCP team gained management’s support for its efforts. A BIA is conducted to identify areas of greatest financial or operational loss in the event of a disaster or disruption. It identifies the company’s critical systems required for survival and estimates the amount of downtime the company can tolerate as a result of a disaster or disruption.

×：Risk Analysis

Incorrect, as this is a method of identifying risks and assessing the potential damage that could be caused to justify security protection measures. In the context of BCP, risk analysis methods should be used in a BIA to identify which processes, devices, or operations are critical and should be recovered first.

×：Threat reports

The answer is wrong because it is unintended. However, it is important for management to understand what the actual threats are to the enterprise, the consequences of those threats, and the potential loss value for each threat. Without this understanding, management pays lip service to continuity planning and in some cases may be worse than if it did not plan because of the false awareness of security it creates.

〇：Data Protection Directive

In many cases, the European Union (EU) takes personal privacy more seriously than most other countries in the world and therefore adheres to strict laws regarding data considered personal information based on the European Union Principles for the Protection of Personal Data. This set of principles addresses the use and communication of information that is considered private in nature. These principles and how to comply with them are contained in the EU Data Protection Directive. All European states must comply with these principles, and all companies doing business with EU companies must follow this directive if their business involves the exchange of privacy-type data.

×：Organization for Economic Cooperation and Development (OECD)

Image B is incorrect because the Organization for Economic Cooperation and Development (OECD) is an international organization that brings together different governments to help address the economic, social, and governance challenges of a globalized economy. For this reason, the OECD has developed national guidelines to ensure that data is properly protected and that everyone adheres to the same kinds of rules.

×：Federal Private Sector Bill

The Federal Private Bill is incorrect. There is no official bill by this name.

×：Privacy Protection Act

The Privacy Protection Act is the wrong answer. There is no official legislation by this name.

Penetration testing is an attempt to penetrate a system connected to a network. Penetration allows for any kind of manipulation and can bring the service itself to a halt. Therefore, the focus of testing is on penetration. The sequence is: planning, preliminary investigation, search for vulnerabilities, evaluation, attack, and reporting. Therefore, the correct answer is “report generation.

〇：Differential Backup

Backups can be taken in full, differential, or incremental. Most files are not changed daily to save very much time and resources, and it is better to develop a backup plan that does not back up for data that is not continually changing. In backup software, when a file is modified or created, the file system sets the archive bit and the backup software determines if that file should be backed up. A differential backup backs up files that have changed since the last full backup.

×：Incremental Backup

An incremental backup backs up all data that has changed since the last backup.

×：Full Backup

A full backup backs up the entire database or the entire system.

×：Partial Backup

Not in the backup category.

Users can logically guess the URL or path to access resources they should not. If an organization’s network has access to a report name ending in “financials_2017.pdf”, it is possible to guess other file names that should not be accessed, such as “financials_2018.pdf” or “financials.pdf”.

Copyright applies to books, art, music, software, etc. It is granted automatically and is valid for 70 years after the creator’s death and 95 years after creation. Therefore, the correct answer is “70 years”.

A key escrow system is one in which a third-party organization holds a copy of the public/private key pair. If the private key is stolen, all ciphers can be decrypted. Conversely, if it is lost, all ciphers cannot be decrypted. Therefore, you want to have a copy. However, if you have it yourself, it may be stolen if a break-in occurs, so you leave it with a third-party organization.

Overwrapping is done by writing zero or random characters to the data. Overwrapping on corrupted media is not possible.

Carrier Sense Multiple Access Collision Detection (CSMA / CD) is used for systems that can transmit and receive simultaneously, such as Ethernet. If two clients listen at the same time and make sure the line is clear, both may transmit at the same time, causing a collision. Collision Detection (CD) is added to solve this scenario. The client checks to see if the line is idle and transmits if it is idle. If in use, they wait for a random time (milliseconds). During transmission, they monitor the network and if more input is received than transmitted, another client is also transmitting and sends a jam signal instructing other nodes to stop transmitting, wait a random time and then start transmitting again.

〇：Teardrop

Teardrop is an attack to bring a system to a halt by forging the offset of IP packets when they are returned before splitting.

×：Fraggle attack

Fraggle attack is an attack that uses the CHARGEN function to generate an appropriate string.

×：CHARGEN attack

There is no attack with such a name.

×：War Driving

Wardriving is the act of driving around a city looking for vulnerable wireless LAN access points.

〇：Only during code development.

Maintenance hoc refers to functions and tools that are temporarily used by the developer for testing purposes. In fact, in system development, tools are provided to assist in confirming that individual functions are working properly. However, if maintenance hocks are left in the production environment, they may be used by attackers and must be removed.

×：Maintenance hooks should not be used.

The use of maintenance hooks can make the work more efficient.

×：When you want to make the software available to administrators in a simplified manner.

In some cases, attackers can exploit tools that were supposed to be available only to administrators.

×：When you want users to be able to use the software in a simplified manner.

After the actual release of the software, maintenance hooks are not made available to users.

〇：Run an algorithm that identifies unused committed memory and informs the operating system that memory is available.

This answer describes the function of the garbage collector, not the memory manager. The garbage collector is a countermeasure against memory leaks. It is software that runs an algorithm to identify unused committed memory and tells the operating system to mark that memory as “available. Different types of garbage collectors work with different operating systems, programming languages, and algorithms.

In some cases, a four-choice question can be answered without knowing the exact answer; since there is only one correct answer in a four-choice question, the answers can be grouped together to reduce it to “since they are saying the same thing, it is not right that only one of them is correct, therefore they are both wrong.

There are two answers to the effect of controlling the process to handle memory appropriately, but if the memory manager does not have that functionality, both would be correct, and therefore can be eliminated from the choices in the first place.

×：If processes need to use the same shared memory segment, use complex controls to guarantee integrity and confidentiality.

If processes need to use the same shared memory segment, the memory manager uses complex controls to ensure integrity and confidentiality. This is important to protect memory and the data in it, since two or more processes can share access to the same segment with potentially different access rights. The memory manager also allows many users with different levels of access rights to interact with the same application running on a single memory segment.

×：Restrict processes to interact only with the memory segments allocated to them.

The memory manager is responsible for limiting the interaction of processes to only those memory segments allocated to them. This responsibility falls under the protection category and helps prevent processes from accessing segments to which they are not allowed. Another protection responsibility of the memory manager is to provide access control to memory segments.

×：Swap contents from RAM to hard drive as needed.

This is incorrect because swapping contents from RAM to hard drive as needed is the role of memory managers in the relocation category. When RAM and secondary storage are combined, they become virtual memory. The system uses the hard drive space to extend the RAM memory space. Another relocation responsibility is to provide pointers for applications when instructions and memory segments are moved to another location in main memory.

〇：Test the restore procedure.

The ability to successfully restore from a backup must be tested periodically. Therefore, the correct answer is: “Test the restore procedure.” will be

×：Ensure that all user data is backed up.

Making copies of user data is important, but copies are useless unless it is ensured that the copies can be restored.

×：Back up the database management system (DBMS) to your own specifications.

While it is a good idea to use measures to meet the proprietary specifications of the DBMS to ensure that transactional copies are usable, those copies will not be trusted unless the restores are tested.

×：Ensure that the backup log files are complete.

Monitoring backup logs for completion is good operational practice, but it is wrong because it is no substitute for regular testing of the backups themselves and their ability to truly recover from data loss.

Distributed Denial of Service (DDoS) attacks usually do not provide financial gain to the attacker. Often, the motivation is revenge, disagreement with the organization’s policy decisions, or the attacker proving the extent of his or her animosity toward the organization. Certainly, it can be used to bloat the cost of a pay-as-you-go cloud service by causing it to consume more resources than expected by accessing it in large volumes, but it is a mistake in that it is not the financial objective of the parties involved.

In an asymmetric algorithm, every user must have at least one key pair (private and public key). In a public key system, each entity has a separate key. The formula for determining the number of keys needed in this environment is by the number N × 2, where N is the number of people to distribute. In other words, 260 x 2 = 520. Therefore, the correct answer is 520.

〇：Make the mail relay server available to everyone.

This is a question of choosing the “ineffective” one. An open mail relay server is not an effective countermeasure against spam. In fact, spammers often use spammers to distribute spam, because the attackers can hide their identities. An open mail relay server is an SMTP server configured to allow inbound SMTP connections from anyone on the Internet, and many relays are properly configured to prevent attackers from distributing spam and pornography. Thus, the correct answer is “have an email relay server available to everyone.” will be.

×：Build a properly configured mail relay server.

A properly configured mail relay server can also suppress spam mail.

×：Perform filtering at the e-mail gateway.

Filtering emails that are considered spam mail at the gateway will help to prevent spam mail.

×：Filtering at the client.

Filtering spam mail at the client, i.e., in a mailing application such as Outlook, is considered to be a countermeasure against spam mail.

〇：Trademarks

Intellectual property can be protected by several different laws, depending on the type of resource. Trademarks are used to protect words, names, symbols, sounds, shapes, colors, or combinations of these, such as logos. The reason a company registers one of these trademarks, or a combination of these trademarks, is to represent their company (brand identity) to the world. Therefore, the correct answer is “trademark”.

×：Patent

A patent is a monopoly right to use a technology for something that is very difficult to invent, such as a medicine.

×：Copyright

A copyright is a right to something that is not technical, such as music or a book, but something that is thought up and created.

×：Trade Secrets

Trade secrets are information that is useful and confidential as a business activity, such as customer information, product technology and manufacturing methods.

〇：Conforms to the X.509 standard and assigns a namespace to each object accessed in the database by LDAP.

Most companies have directories that contain information about company network resources and users. Most directories use a hierarchical database format based on the X.500 standard (not X.509) and a type of protocol such as LDAP (Lightweight Directory Access Protocol) that allows subjects and applications to interact with the directory The application can then use LDAP to access the directory. Applications can request information about a particular user by making an LDAP request to the directory, and users can request information about a particular resource using a similar request. The directory service assigns an Distinguished Name (DN) to each object in the database based on the X.500 standard to be accessed. Each distinguished name represents a set of attributes about a particular object and is stored as an entry in the directory.

×：Namespaces are used to manage objects in the directory.

This is incorrect because objects in a hierarchical database are managed by a directory service. Directory services allow administrators to configure and manage identification, authentication, permissions, and access control for the network. Objects in the directory are labeled and identified by namespace, which is how the directory service keeps objects organized.

×：Enforce security policies by performing access control and identity management functions.

This is incorrect because directory services enforce the security policy set by performing access control and identity management functions. For example, when a user logs into a domain controller in a Windows environment, the directory service (Active Directory) determines which network resources are accessible and which are not.

×：Administrators can configure and manage how identification takes place within the network.

Directory service is incorrect because it allows the administrator to configure and manage identification within the network. It also allows for the configuration and management of authentication, authorization, and access control.

〇：Tell your business partner that your company is not ready

Planned business continuity procedures can provide an organization with many benefits. In addition to the other response options listed previously, organizations can provide a quick and appropriate response to an emergency, mitigate the impact on their business, and work with outside vendors during the recovery period. Efforts in these areas should communicate to business partners that they are prepared in the event of a disaster.

×：Resuming Critical Business Functions

This is incorrect because a business continuity plan allows an organization to resume critical business functions. As part of the BCP development, the BCP team conducts a business impact analysis that includes identifying the maximum allowable downtime for critical resources. This effort helps the team prioritize recovery efforts so that the most critical resources can be recovered first.

×：Protecting Lives and Ensuring Safety

Business continuity planning allows organizations to protect lives and ensure safety, which is wrong. People are a company’s most valuable asset. Therefore, human resources are an integral part of the recovery and continuity process and must be fully considered and integrated into the plan. Once this is done, a business continuity plan will help a company protect its employees.

×：Ensure business viability

This is a fallacy because a well-planned business continuity plan can help a company ensure the viability of its business. A business continuity plan provides methods and procedures for dealing with long-term outages and disasters. It involves moving critical systems to another environment while the original facility is being restored and conducting business operations in a different mode until normal operations return. In essence, business continuity planning addresses how business is conducted after an emergency.

〇：Identity Theft

Identity theft is a situation in which a person obtains important personal information, such as driver’s license numbers, bank account numbers, identification cards, or social security numbers, and uses that information to impersonate another person. Typically, identity thieves use personal information to obtain credit, goods, or services in the victim’s name. This can have consequences such as destroying the victim’s credit rating, creating a false criminal record, and issuing an arrest warrant to the wrong individual. Identity theft can be categorized in two ways: true name and account takeover. True name identity theft means that the thief uses your personal information to open a new account. The thief might open a new credit card account, establish cell phone service like Sam’s, or open a new checking account to obtain blank checks.

×：Phishing Scams

Incorrect because it is a type of social engineering attack intended to obtain personal information, letters of credit, credit card numbers, and financial data. Attackers use a variety of methods to entice users to divulge sensitive data. While the goal of phishing scams is to get victims to hand over their personal information, the goal of identity theft is to use that personal information for personal or financial gain. Attackers can use phishing attacks as a means of committing identity theft.

Since the specific technique is not described in the question text, it cannot be said to be a phishing scam.

×：Pharming

Incorrect, as this is a technical attack in which the victim is deceived into submitting personal information to the attacker via an unauthorized website.The victim types a web address such as “www.nicebank.com” into their browser. The victim’s system sends a request to the victimized DNS server that directs the victim to a website under the attacker’s control. The site looks like the requested Web site, and the user enters his or her personal information. The personal information can be used by the attacker for identity theft.

We cannot say that this is pharming because the specific technique is not described in the question text.

×：Account takeover

Account takeover identity theft is incorrect because it means using personal information to access a person’s existing account rather than opening a new account. Typically, the mailing address on the account is changed and a huge bill is filed before the person whose account was stolen is aware of the problem. The Internet has made it easier for identity thieves to use stolen information because they can conduct transactions without personal interaction.

〇：Control of the processing and distribution process

An important part of the digital forensic process is to maintain a proper chain of custody of evidence.

The question structure assumes Chain of Custody (Chain of Custody) from “the purpose of securing all evidence and notating it as information to be presented to those who verify it” and selects the one that comes closest to the definition.

×：Reasonable care

Wrong because reasonable care implies performing an activity that a reasonable person would be expected to perform under similar circumstances.

×：Investigation

Incorrect because investigation involves the proper collection of relevant data during the incident response process and includes analysis, interpretation, reaction, and recovery.

×：Motive, Opportunity, Means

Motive, Opportunity, and Means (MOM) is incorrect because it is a strategy used to understand why certain crimes were committed and by whom.

Brute force can be used to decrypt the plaintext, given enough time. This is valid for all key-based ciphers except one-time pads. Eventually the data will be decrypted, but so many false positives will occur that the data will be rendered useless.

〇：Data User

An individual who uses data for work-related tasks is a data user. Users must have the necessary level of access to data to perform their job duties. They are also responsible for adhering to operational security procedures to ensure the confidentiality, integrity, and availability of the data to others. This means that users must take appropriate precautions and follow both security policies and data classification rules.

×：Data Owners

This is incorrect because the data owner has a higher level of responsibility in protecting the data. The data owner is responsible for classifying the data, regularly reviewing the classification level, and delegating responsibility for the data protection position to the data controller. The data owner is usually a manager or executive within the organization and is responsible for the protection of the company’s information assets.

×：Data Controller

Incorrect, as the data controller is responsible for implementing and maintaining security controls as directed by the data owner. In other words, the data administrator is the technician of the controls that protect the data. Her duties include creating backups, restoring data, implementing and maintaining countermeasures, and managing controls.

×：Information Systems Auditor

Incorrect, as they are responsible for evaluating controls. After evaluating the controls, the auditor submits a report to management, mapping the results to the organization’s acceptable level of risk. This has nothing to do with using data or being meticulous in the use of data.

〇：Multiple processes are using the same resources.

The system uses hard drive space (called swap space) that is reserved to expand RAM memory space. When the system fills up volatile memory space, data is written from memory to the hard drive. When a program requests access to this data, it is returned from the hard drive to memory in specific units called page frames. Accessing data stored on hard drive pages takes longer than accessing data stored in memory because it requires read/write access to the physical disk. A security issue with using virtual swap space is that two or more processes can use the same resources and corrupt or damage data.

×：Allowing cookies to remain persistent in memory

This is incorrect because virtual storage is not associated with cookies. Virtual storage uses hard drive space to extend RAM memory space. Cookies are small text files used primarily by web browsers. Cookies can contain credentials for web sites, site preferences, and shopping history. Cookies are also commonly used to maintain web server-based sessions.

×：Side-channel attacks are possible.

Side-channel attacks are incorrect because they are physical attacks. This type of attack gathers information about how a mechanism (e.g., smart card or encryption processor) works from abandoned radiation, time spent processing, power consumed to perform a task, etc. Using the information, reverse engineer the mechanism to reveal how it performs its security task. This is not related to virtual storage.

×：Two processes can perform a denial of service attack.

The biggest threat within a system where resources are shared between processes is that one process can adversely affect the resources of another process, since the operating system requires memory to be shared among all resources. This is especially true in the case of memory. It is possible for two processes to work together to perform a denial of service attack, but this is only one of the attacks that can be performed with or without the use of virtual storage.

〇：Review the schedule.

Unit testing is testing to confirm that the developed module works as a stand-alone unit. Acceptance testing is testing to make sure that the customer who ordered the development actually uses it and is satisfied with it. Acceptance testing cannot take the place of unit testing. It is not upward compatible as a test, and the perspectives are different. Therefore, the correct answer is “Review the schedule.” The correct answer is “Review the schedule.

×：Unit testing is not performed for the sake of work efficiency.

It does not mean that unit tests are not performed.

×：Increase the number of items in the acceptance test for the unit test that could not be done.

The items that should have been done in the actual unit test are simply accounted for as acceptance tests, and the unit test is not considered to have been completed. This is an action that is close to concealment.

×：Report to your supervisor.

You are in charge of project management.

〇：Provisioning accounts, modifying accounts, auditing account usage, and deactivating accounts.

All phases of the authenticated access lifecycle should be considered. Access should not be granted without proper instructions, nor should access be granted or denied without expected authorization. Suspension of access must also be auditable.

×：Provisioning or adding accounts, changing accounts, and suspending accounts.

Incorrect because it does not include auditing of account usage.

×：Adding an account, deleting an account, or deleting a user’s data.

Incorrect because deletion of user data may conflict with data retention requirements.

×：Verifying account passwords, checking account usage, and deleting accounts.

Incorrect because it is merely an authentication step and not related to account management.

〇：Replay attacks

Replay attacks occur when an intruder stores the acquired information and uses it to gain unauthorized access later. In this case, Emily uses a technique called electronic monitoring (sniffing) to retrieve passwords sent over the wire to an authentication server. She can later use the password to access network resources. Even if the password is encrypted, resending valid credentials can be enough to gain access.

×：Brute force attacks

Brute force attacks are incorrect because the cycle is done through many possible combinations of letters, numbers, and symbols, using tools to discover the password.

×：Dictionary attacks

Dictionary attacks are incorrect because they involve an automatic comparison of a user’s password to a file of thousands of words.

×：Social Engineering attack

A social engineering attack is incorrect because in a social engineering attack, the attacker mistakenly convinces an individual that she has the necessary permissions to access certain resources.

This is a “non-ethics item” question.

A statement is made by the Internet Activities Board (IAB) to those who use the Internet about the correct use of Internet resources.

• Attempting to obtain unauthorized access to Internet resources.
• Disrupting the intended use of the Internet.
• Wasting resources (people, capabilities, and computers) through such activities.
• Destroying the integrity of computer-based information.
• Violating the privacy of users.

〇：Business Continuity Processes Integrate Change Management Processes

Unfortunately, business continuity plans can quickly become outdated. An outdated BCP can give a company a false sense of security, which can be fatal if a disaster actually occurs. One of the simplest, most cost-effective, and process-efficient ways to keep your plan current is to incorporate it into your organization’s change management process. Are new applications, equipment, and services documented? Are updates and patches documented? The change management process should be updated to incorporate fields and triggers that alert the BCP team when significant changes occur and provide a means to update recovery documentation. Ensure that the BCP is kept up-to-date, and other measures include maintaining personnel evaluations of the plan and conducting regular training on using the plan, such as making business continuity part of all business decisions.

×：Update hardware, software, and application changes

Wrong because hardware, software, and application changes occur frequently; unless the BCP is part of a change management process, these changes are not included in the BCP. The BCP should be updated when changes to the environment occur. If it is not updated after a change, it is out of date.

×：Infrastructure and Environment Change Updates

Incorrect because infrastructure and environment changes occur frequently. Unless the BCP is part of a change management process, as with software, hardware, and application changes, infrastructure and environment changes are unlikely to result in a transition to the BCP.

×：Personnel changes

Incorrect, as the plan may become obsolete. It is not uncommon for BCPs to be abandoned when the person or persons responsible for maintenance leave the company. These responsibilities must be reassigned. To ensure this, maintenance responsibilities must be built into job descriptions and properly monitored.

〇：Salt

A rainbow table is a pre-built list of ciphertexts that match plaintext and have hashes that match passwords. The table can contain millions of pairs. Salting is random data used as additional input to a one-way function that “hashes” a password or passphrase. The primary function of a salting is to protect against dictionary or compiled rainbow table attacks.

×：Login Attempt Restrictions

Effective against all unauthorized login methods, but not a direct or effective countermeasure against rainbow tables.

×：Key stretching

Replacing passwords with longer, random strings for encryption purposes.

×：Hashing

Password hashing is a fixed-length cipher (hash) statement for secure password storage.

〇：IP Session Restriction via Media Gateway

The VoIP Media Gateway translates Internet Protocol (VoIP) voice over time division multiplexing (TDM) voice to and from. As a security measure, the number of calls through the Media Gateway should be limited. The Media Gateway is vulnerable to denial-of-service attacks, hijacking, and other types of attacks.

×：Identification of Rogue Devices  

Incorrect, as rogue devices on both IP telephony and data networks need to be identified.

×：Implementation of Authentication

Incorrect because authentication is recommended for both data and voice networks.

×：Encryption of packets containing sensitive information

Incorrect because sensitive data can be transmitted over either voice or data networks and must be encrypted in both cases. Eavesdropping is a very real threat for VoIP networks.

〇：A change unanimously approved by the change control committee would be a step that does not require testing of the actual equipment.

This is a false choice question.

For different types of environmental changes, a structured change management process needs to be in place. Depending on the severity of the change requirement, the change and implementation may need to be presented to a change control committee. Change requests approved by the change control committee must be tested to discover any unintended consequences. This helps to demonstrate the purpose, consequences, and possible effects of the change in its various aspects. This means that just because a change has been approved by the change control board does not mean that it does not need to be tested. The change control board has mandated action on the change, and its appropriateness must be ensured by testing. Therefore, the correct answer is: “A change that is unanimously approved by the change control committee is a step that does not require testing on the actual equipment.” The result will be

×：Changes approved by the change control committee should be kept as a log of changes.

This is correct change management.

×：A rough schedule should be created during the planning phase of the change.

This is correct change management.

×：Proposed changes should be prioritized and reviewed.

This is correct change management.

〇：Time-Based Synchronous Dynamic Token

A synchronous token device synchronizes with the authentication service using time or a counter as a core part of the authentication process. When synchronization is time-based, the token device and authentication service must maintain the same time within their internal clocks. The time values of the token device and private key are used to generate a one-time password that is displayed to the user. The user then passes this value and user ID to the server running the authentication service and enters this value and user ID into the computer. The authentication service decrypts this value and compares it to the expected value. If both match, the user is authenticated and allowed to use the computer and resources.

×：Counter-Based Synchronous Dynamic Token

If the token device and authentication service use counter synchronization, it is incorrect because it is not based on time. When using a counter-synchronized token device, the user must initiate the creation of a one-time password by pressing a button on the token device. This causes the token device and authentication service to proceed to the next authentication value. This value, the base secret, is hashed and displayed to the user. The user enters this resulting value along with the user ID to be authenticated. For either time or counter-based synchronization, the token device and authentication service must share the same secret base key used for encryption and decryption.

×：Asynchronous Tokens

Asynchronous token generation methods are incorrect because they use a challenge/response method for the token device to authenticate the user. Instead of using synchronization, this technique does not use separate steps in the authentication process.

×：Mandatory Tokens

Wrong because there is no such thing as a mandatory token. This is an incorrect answer.

〇：Disk Redundancy

Information that is required to be available at all times must be mirrored or duplexed. In both mirroring (also called RAID 1) and duplexing, all data write operations are performed simultaneously or nearly simultaneously at multiple physical locations.

×：Direct Access Storage

Direct access storage is incorrect because it is a general term for magnetic disk storage devices traditionally used in mainframe and minicomputer (midrange computer) environments. RAID is a type of direct access storage device (DASD).

×：Striping

Incorrect because the technique of striping is used when data is written to all drives. This activity splits the data and writes it to multiple drives. Write performance is not affected, but read performance is greatly improved because multiple heads are getting data at the same time. Parity information is used to reconstruct lost or corrupted data. Striping simply means data; parity information may be written to multiple disks.

×：Parallel Processing

Parallel processing is incorrect because a computer has multiple processing units built into it to execute multiple streams of instructions simultaneously. While mirroring may be used to implement this type of processing, it is not a requirement.

〇：Software Configuration Management

Products that provide software configuration management (SCM) identify software attributes at various points in time and provide systematic control of change to maintain software integrity and traceability throughout the software development life cycle. It defines the need to track changes and provides the ability to verify that the final delivered software has all of the approved changes that are supposed to be included in the release. During a software development project, it is stored in a system that can be managed as a centralized code repository and perform SCM functions to track revisions made by multiple people to a single master set.

×：Software Change Control Management

This is incorrect as it is not an official term for this type of function. Software Change Control Management is only part of Software Configuration Management. Software configuration management systems provide concurrency management, version control, and synchronization.

×：Software Escrow

A software escrow framework in which a third party holds a copy of the source code that will be released to the customer in the event of certain circumstances, such as bankruptcy of the vendor who developed the code.

×：Software Configuration Management Escrow

Incorrect, as this is not an official term for this type of functionality.

〇：CA signs certificates.

A Certificate Authority (CA) is a trusted agency (or server) that maintains digital certificates. When a certificate is requested, the Registration Authority (RA) verifies the identity of the individual and passes the certificate request to the CA The CA creates the certificate, signs it, and maintains the certificate over its lifetime.

×：RA creates the certificate and CA signs it.

Incorrect because the RA does not create the certificate; the CA creates it and signs it; the RA performs authentication and registration tasks; establishes the RA, verifies the identity of the individual requesting the certificate, initiates the authentication process to the CA on behalf of the end user, and performs certificate life cycle RAs cannot issue certificates, but can act as a broker between the user and the CA When a user needs a new certificate, they make a request to the RA and the RA goes to the CA to verify all necessary identification before granting the request The RA verifies all necessary identification information before granting the request.

×：RA signs certificates.

The RA signs the certificate, which is incorrect because the RA does not sign the certificate; the CA signs the certificate; the RA verifies the user’s identifying information and then sends the certificate request to the CA.

×：The user signs the certificate.

Incorrect because the user has not signed the certificate; in a PKI environment, the user’s certificate is created and signed by the CA. The CA is a trusted third party that generates the user certificate holding its public key.

〇：The attacker knows nothing about the organization other than the information that is publicly available.

In black box testing (zero-knowledge), the attacker has no knowledge about the organization other than the publicly available information. The focus is on what the external attacker does. Therefore, the correct answer is “knows nothing about the organization other than the information that is publicly available.” The result will be

×：I know everything.

White box testing is testing to verify the operation of a program, which is done after knowing what is in the program.

×：I keep the product manual and retain privileged access.

A gray box test is a test that is performed by a pen tester to some extent, with the attacker having only limited knowledge of the program.

This is a white box test or gray box test.

×：The vendor retains an accessible level of information.

In a black box test, the attacker has no information in principle.

The Kerckhoffs’s principle is the idea that cryptography should be secure even if everything but the private key is known. When encrypting data, one decides on a private key and how to encrypt it using that private key. Kerckhoffs says that even if it is known how it is encrypted, it should not be deciphered as long as the secret key is not discovered. Encryption has been with the history of human warfare. The main purpose is to communicate a strategy to one’s allies without being discovered by the enemy. In battle, its designs and encryption devices may be stolen by spies. Therefore, the encryption must be such that it cannot be solved without the key, no matter how much is known about how it works.

〇：Vulnerability assessments can help prioritize weaknesses that need to be addressed.

The most important aspect of an internal or third-party vulnerability assessment is that it can enumerate all potential vulnerabilities a company has and prioritize corrective actions.

×：Third-party security audits are only required if regulations require it.

Even if some organizations do not require an independent review, it can often help find minor weaknesses that might have been overlooked.

×：Vulnerability assessments and penetration tests are essentially the same.

A vulnerability assessment is wrong because it enumerates all weaknesses and ensures that countermeasures are properly prioritized. Penetration testing aims to examine the likelihood that a real-world attacker will exploit a given weakness to achieve a goal.

×：Internal assessments are of little value.

Internal audits of enterprise security are usually not sufficient and can be very beneficial when conducted in conjunction with third-party reviews. However, it can often help find minor weaknesses that may have been overlooked.

〇：Continuity of Operations Plan

A continuity of operations plan (COOP) establishes senior management and post-disaster headquarters. It also outlines roles and authorities and individual role tasks.Creating a COOP begins with an assessment of how the organization operates to identify mission-critical staff, resources, procedures, and equipment. Suppliers, partners, and contractors identify other companies with whom they routinely interact and create a list of these companies. Therefore, the correct answer is the Continuity of Operations Plan.

×：Cyber Incident Response Plan

Cyber Incident Recovery is a plan for recovery from a cyber attack.

×：Crew Emergency Plan

A Crew Emergency Plan is a plan for the smooth transition of a facility’s staff to a secure environment.

×：IT Contingency Plan

A contingency plan is a plan that outlines the measures to be taken in the event of an accident, disaster, or other emergency.

〇：Conduct business impact analysis

While no specific scientific equation must be followed to create a continuity plan, certain best practices have been proven over time. The National Institute of Standards and Technology (NIST) organization is responsible for developing and documenting many of these best practices so that they are readily available to all. NIST outlines seven steps in Special Publication 800-34 Rev 1, Continuity Planning Guide for Federal Information Systems. Conduct a business impact analysis. Identify preventive controls. Develop a contingency strategy. Develop an information systems contingency plan. Ensure testing, training, and exercises of the plan. Ensure the plan is maintained. Conduct a business impact analysis by identifying critical functions and systems and prioritize them as needed. It also includes identifying vulnerabilities and threats and calculating risks.

×：Identify preventive controls

Wrong because critical functions and systems are prioritized and preventive controls need to be identified after their vulnerabilities, threats, and identified risks (all of which are part of a business impact analysis). Conducting a business impact analysis involves step 2, which is to create a continuity plan, and step 3, which is to identify preventive controls.

×：Develop a Continuity Plan Policy Statement

This is incorrect because you need to create a policy that provides the guidance needed to develop a business continuity plan and assigns authority to the roles needed to perform these tasks. This is the first step in creating a business continuity plan and is done before identifying and prioritizing critical systems and functions that are part of the business impact analysis.

×：Create contingency strategies

Creating a contingency strategy is incorrect because it requires formulating a method to ensure that systems and critical functions are brought online quickly. Before this can be done, a business impact analysis must be performed to determine critical systems and functions and prioritize them during recovery.

〇：Softphones are safer than IP phones. 

IP softphones should be used with caution. A softphone is a software application that allows users to make calls via computer over the Internet. Replacing dedicated hardware, a softphone works like a traditional telephone. Skype is an example of a softphone application. Compared to hardware-based IP phones, softphones are more receptive to IP networks. However, softphones are no worse than other interactive Internet applications because they do not separate voice traffic from data, as IP phones do, and also because data-centric malware can more easily enter the network through softphones. network.

×：VoIP networks should be protected with the same security controls used on data networks.

The statement is incorrect because it correctly describes the security of an IP telephony network. an IP telephony network uses the same technology as a traditional IP network, which allows it to support voice applications. Therefore, IP telephony networks are susceptible to the same vulnerabilities as traditional IP networks and should be protected accordingly. This means that IP telephony networks should be designed to have adequate security.

×：As an endpoint, IP telephony can be a target of attack.

Incorrect because true: An IP phone on an IP telephony network is equivalent to a workstation on a data network in terms of vulnerability to attack. Thus, IP phones should be protected with many of the same security controls implemented on traditional workstations. For example, the default administrator password must be changed. Unnecessary remote access functions need to be disabled. Logging should be enabled and the firmware upgrade process should be secured.

×：The current Internet architecture in which voice is transmitted is more secure than physical phone lines.

True and therefore incorrect. In most cases, the current Internet architecture in which voice is transmitted is more secure than physical telephone lines. Physical phone lines provide a point-to-point connection, which is difficult to leverage over the software-based tunnels that make up the bulk of the Internet. This is an important factor to consider when protecting IP telephony networks because the network is now transmitting 2 valuable asset data and voice. It is not unusual for personal information, financial information, and other sensitive data to be spoken over the phone; intercepting this information over an IP telephony network is as easy as intercepting regular data. Currently voice traffic should also be encrypted.

Injection attacks are cracking attacks in which special strings are embedded in user forms and submitted to malfunction the receiving user’s information processing. Sufficiently strong input validation and data type restrictions on input fields, input length limits, and modifications are to do it. Only allow users to enter appropriate data into fields. Limit the number of characters a user can use, and possibly restrict by character type, allowing only letters in names, numbers in phone numbers, and displaying country and state drop-downs.

〇：Keys will need to be distributed via a secure transmission channel.

For two users to exchange messages encrypted with a symmetric algorithm, they need to figure out how to distribute the key first. If the key is compromised, all messages encrypted with that key can be decrypted and read by an intruder. Simply sending the key in an email message is not secure because the key is not protected and can easily be intercepted and used by an attacker.

×：Computation is more intensive than in asymmetric systems.

That is incorrect because it describes the advantages of symmetric algorithms. Symmetric algorithms tend to be very fast because they are less computationally intensive than asymmetric algorithms. They can encrypt and decrypt relatively quickly large amounts of data that take an unacceptable amount of time to encrypt and decrypt with asymmetric algorithms.

×：Much faster operation than asymmetric systems

Symmetric algorithms are faster than asymmetric systems, but this is an advantage. Therefore, it is incorrect.

×：Mathematically intensive tasks must be performed

Asymmetric algorithms are wrong because they perform a mathematically intensive task. Symmetric algorithms, on the other hand, perform relatively simple mathematical functions on bits during the encryption and decryption process.

〇：All failed access attempts should be logged and reviewed.

The physical access control system may use software and auditing capabilities to generate an audit trail or access log associated with access attempts. The date and time of the entry point when access was attempted, the user ID used when access was attempted, and any failed access attempts, among others, should be recorded.

×：Failed access attempts are recorded and only security personnel are entitled to review them.

Unless someone actually reviews them, the access logs are as useless as the audit logs generated by the computer. Security guards should review these logs, but security professionals and facility managers should review these logs on a regular basis. The administrator must know the existence and location of entry points into the facility.

×：Only successful access attempts should be logged and reviewed.

Wrong, as unsuccessful access attempts should be logged and reviewed. Audit should be able to alert you to suspicious activity even though you are denying an entity access to a network, computer, or location.

×：Failed access attempts outside of business hours should be logged and reviewed.

Incorrect, as all unauthorized access attempts should be logged and reviewed regardless. Unauthorized access can occur at any time.

Gates and fences are used as physical deterrents and preventative measures. Fences as small as 3 feet can be a deterrent, but as tall as 8 feet can be a deterrent and prevention mechanism. The purpose of the fence is to limit the routes in and out of the facility so that they occur only through doors, gates, and turnstiles.

〇：Representatives from each department meet and undergo validation.

Structured walk-through testing allows functional personnel to review the plan as it is fulfilled to ensure its accuracy and validity.

×：Ensures that some systems will run at alternate sites.

This is incorrect because it describes parallel testing.

×：Send a copy of the disaster recovery plan to all departments to verify its completeness.

This is incorrect because it describes a checklist test.

×：Take down the normal operation system.

This is incorrect because it describes a full interruption test.

〇：Well-Formed Transaction

In the Clark-Wilson model, subjects cannot access objects without going through some type of application or program that controls how this access is done. The subject (usually the user) can access the required object based on access rules within the application software, defined as “Well-Formed Transaction,” in conjunction with the application.

×：Childwall model

This is incorrect because it is another name for the Brewer Nash model created to provide access control that can be dynamically modified according to the user’s previous behavior. It is shaped by access attempts and conflicts of interest and does not allow information to flow between subjects and objects. In this model, a subject can only write to an object if the subject cannot read another object in a different data set.

×：Access tuples

The Clark-Wilson model is incorrect because it uses access triples instead of access tuples. The access triple is the subject program object. This ensures that the subject can only access the object through the authorized program.

×：Write Up and Write Down

The Clark-Wilson model is incorrect because there is no Write Up and Write Down. These rules relate to the Bell-LaPadula and Biba models. The Bell-LaPadula model contains a simple security rule that has not been read and a star property rule that has not been written down. The Biba model contains an unread simple completeness axiom and an unwritten star completeness axiom.

〇：(A) Web Service Description Language – (B) Universal Description, Discovery and Integration

Services in service-oriented architectures (SOA) are typically provided via Web services, which enable Web-based communication to occur seamlessly using Web-based standards such as Simple Object Access Protocol (SOAP), HTTP, Web Service Description Language (WSDL), Universal Description, Discovery, and Integration （WSDL provides a machine-readable description of the specific operations provided by a service; UDDI is an XML-based registry that lists available services UDDI provides a way for services to be registered by service providers and deployed by service consumers.

×：(A) generic description, discovery and integration – (B) web service description language

Incorrect because the terms are not in the correct order and do not map to the definitions provided within the question.

×：(A) Web Service Description Language – (B) Simple Object Access Protocol

SOAP (Simple Object Access Protocol) is incorrect because it is an XML-based protocol that encodes messages in a Web services environment. SOAP defines an XML schema for how communication is actually going to take place. SOAP XML schema defines how objects communicate directly.

×：(A) Simple Object Access Protocol (B) Universal Description, Discovery and Integration

SOAP (Simple Object Access Protocol) is incorrect because it is an XML-based protocol that encodes messages in a Web services environment. SOAP defines the XML schema of how communication is actually going to take place. SOAP XML Schema defines how objects communicate directly.

Student numbers, which are left to the control of each school, cannot be considered privacy information because they are not sufficient information to identify an individual.

〇：To issue ethics-related statements on the use of the Internet.

The Internet Architecture Board (IAB) is the coordinating committee for the design, engineering, and management of the Internet. It is responsible for monitoring and appealing Internet Engineering Task Force (IETF) activities, the Internet standards process, and the architecture of Request for Comments (RFC) editors. The IAB issues ethics-related statements on the use of the Internet. The Internet is a resource that depends on availability and accessibility and is considered useful to a wide range of people. Primarily, irresponsible behavior on the Internet may threaten its existence or adversely affect others.

×：Develop guidelines for criminal sentencing.

The IAB is incorrect because it has nothing to do with the Federal Court Guidelines, which are the rules judges use in determining the appropriate punitive sentence for certain felonies or misdemeanors committed by individuals or businesses. The Guidelines serve as the uniform sentencing policy for entities committing felonies and/or gross misdemeanors in the U.S. federal court system.

×：Edit RFC.

The Internet Architecture Board is responsible for editing RFCs (Request for Comments), which is incorrect because this task is not ethics-related. This answer is a distraction.

×：Maintain the Ten Commandments of Computer Ethics.

This is incorrect because the Institute for Computer Ethics, not the IAB, develops and maintains the Ten Commandments of Computer Ethics. The Institute for Computer Ethics is a non-profit organization that works to advance technology through ethical means.

Measures have been implemented to reduce the overall risk to an acceptable level. However, no system or environment is 100% safe, and risks remain with all countermeasures. The residual risk after countermeasures have been taken is called residual risk. Residual risk is different from total risk. Total risk is the risk of not implementing countermeasures. While total risk can be determined by calculating (threat x vulnerability x asset value = total risk), residual risk can be determined by calculating (threat x vulnerability x asset value) x control gap = residual risk. The control gap is the amount of protection that the control cannot provide.

〇：Database Migration

The movement of accessible data from one repository to another may be required over its lifetime, but is generally not as important as the other phases provided in response to this question.

×：Data specification and classification

This is incorrect because the determination of what the data is and its classification is the first essential phase that can provide the appropriate level of protection.

×：Continuous monitoring and auditing of data access

Incorrect because without continuous monitoring and auditing of access to sensitive data, breaches cannot be identified and security cannot be guaranteed.

×：Data Archiving

Incorrect as even the most sensitive data is subject to retention requirements. This means that it must be archived for an appropriate period of time and with the same level of security as during actual use.

〇：Can be the cheapest of the off-site options, but can create many security problems due to mixed operations.

Reciprocal agreements, also called mutual aid, mean that Company A agrees to allow Company B to use its facilities if Company B suffers a disaster, and vice versa. While this is a less expensive way to move than other off-site alternatives, it is not always the best choice. In most environments, the facility has reached its limits regarding the use of space, resources, and computing power. To allow different firms to come in and operate out of the same store could be detrimental to both firms. The stress of both companies working in the same environment can cause tremendous levels of tension. If that did not work out, it would provide the only short-term solution. Configuration management could be a nightmare, and mixing operations could result in many security problems. Reciprocal agreements have been known to work well for certain companies, such as newsprint. These firms require very specific technology and equipment that is not available through any subscription service. For most other organizations, reciprocity agreements are, at best, generally a secondary option for disaster protection.

×：Fully set up and ready to operate within a few hours is the most expensive of the off-site options.

This is a description of a hot site.

×：Inexpensive option, but takes the most time and effort to get up and running after a disaster.

Explanation for cold sites.

×：A good alternative for companies that rely on proprietary software, but regular annual testing is usually not available.

This is incorrect as it describes with respect to companies that depend on proprietary software. Having proprietary software in a shared space with other vendors is basically undesirable from the standpoint of license agreements involved.

〇：Regular software updates

You are the system administrator. As an administrator, what you should be doing is updating software on a regular basis. Therefore, the correct answer is “regular software updates.

There may be some that you should implement, but choosing the better of the two will also be tested in the actual exam.

×：Sophisticated product selection

In most cases, products that meet the requirements will be selected in accordance with the Request for Proposal (RFP) presented by the customer. Existing system administrators may be involved in some of these discussions, but this is not an appropriate response.

×：Early reporting to your supervisor

In all jobs, reporting to the supervisor is probably an essential part of the job. Here, however, it is more appropriate to focus on your position as a software system administrator.

×：Human resources to monitor the system

A resident system may allow you to deal with problems in a timely manner. However, here, it is more appropriate to focus on the position as a system administrator of the software.

〇：The client generates a session key and encrypts it with a public key.

Transport Layer Security (TLS) uses public key cryptography to provide data encryption, server authentication, message integrity, and optionally client authentication. When a client accesses a cryptographically protected page, the web server initiates TLS and begins the process of securing subsequent communications. The server performs a three-handshake to establish a secure session. After that, client authentication with a digital certificate, as the case may be, comes in. The client then generates a session key, encrypts it with the server’s public key, and shares it. This session key is used as the symmetric key for encrypting the data to be transmitted thereafter. Thus, the correct answer is: “The client generates a session key and encrypts it with the public key.” will be

×：The server generates the session key and encrypts it with the public key.

The server does not encrypt with the public key.

×：The server generates a session key and encrypts it with the private key.

Even if encryption is performed from the server side, it can be decrypted with the public key, so it is not structurally possible.

×：The client generates a session key and encrypts it with its private key.

The client side does not have the private key.

Disposable passwords and one-time pads are passwords but generated from something you own, not something you know. In other words, possession.

〇：Public key infrastructure is a mechanism configuration for public key cryptographic distribution, and public key cryptography is another name for asymmetric encryption.

Public key cryptography is asymmetric cryptography. The terms are used interchangeably. Public key cryptography is a concept within the Public Key Infrastructure (PKI), which consists of various parts such as Certificate Authorities, Registration Authorities, certificates, keys, programs, and users. Public Key Infrastructure is used to identify and create users, distribute and maintain certificates, revoke and distribute certificates, maintain encryption keys, and for the purpose of encrypted communication and authentication.

×：Public key infrastructure uses symmetric algorithms and public key cryptography uses asymmetric algorithms.

This is incorrect because the public key infrastructure uses a hybrid system of symmetric and asymmetric key algorithms and methods. Public key cryptography is to use asymmetric algorithms. Therefore, asymmetric and public key cryptography are interchangeable, meaning they are the same. Examples of asymmetric algorithms are RSA, elliptic curve cryptography (ECC), Diffie-Hellman, and El Gamal.

×：Public key infrastructure is used to perform key exchange, while public key cryptography is used to create public/private key pairs.

This is incorrect because public key cryptography is the use of asymmetric algorithms used to create public/private key pairs, perform key exchange, and generate and verify digital signatures.

×：Public key infrastructure provides confidentiality and integrity, while public key cryptography provides authentication and non-repudiation.

Incorrect because the public key infrastructure itself does not provide authentication, non-repudiation, confidentiality, or integrity.

〇：A virtual firewall in bridge mode allows the firewall to monitor individual traffic links, while a firewall integrated into the hypervisor can monitor all activity taking place within the host system.

Virtual firewalls can be bridge-mode products that monitor individual communication links between virtual machines. They can also be integrated within a hypervisor in a virtual environment. The hypervisor is the software component that manages the virtual machines and monitors the execution of guest system software. When a firewall is embedded within the hypervisor, it can monitor all activities that occur within the host system.

×：A virtual firewall in bridge mode allows the firewall to monitor individual network links, while a firewall integrated into the hypervisor can monitor all activities taking place within the guest system.

A virtual firewall in bridge mode is incorrect because the firewall can monitor individual traffic links between hosts and not network links. Hypervisor integration allows the firewall to monitor all activities taking place within the guest system rather than the host system.

×：A virtual firewall in bridge mode allows the firewall to monitor individual traffic links, while a firewall integrated into the hypervisor can monitor all activities taking place within the guest system.

A virtual firewall in bridge mode is wrong because the firewall can monitor individual traffic links, and the hypervisor integration allows the firewall to monitor all activity taking place within the host system, but not the guest system. The hypervisor is the software component that manages the virtual machines and monitors the execution of the guest system software. A firewall, when embedded within the hypervisor, can monitor all activities taking place within the system.

×：A virtual firewall in bridge mode allows the firewall to monitor individual guest systems, while a firewall integrated into the hypervisor can monitor all activities taking place within the network system.

A virtual firewall in bridge mode allows the firewall to monitor individual traffic between guest systems, and a hypervisor integrated allows the firewall to monitor all activity taking place within the host system, not the network system, so Wrong.

Remote journaling means that a transaction log file, not the file itself, is sent remotely. A transaction is one or more update operations performed on a file. In other words, it is a history of updates to a file. This means that if the original file is lost, it can be reconstructed from the transaction log.

〇：Multiple major and used usages should be screened to make sure they work on the target browsers.

If the service is for BtoC, it is considered that more target users should be supported.

×：It should be checked if it works on a particular browser.

User cases that do not work on certain browsers may occur after release.

×：Confirm that it works on the most secure browser.

If it is secure, it is expected to work in the most restricted of browsers.

In reality, however, browser specifications also vary, including browser backs and terminals.

×：Make sure it works on OS-standard browsers.

Browsers are not just OS standard. In reality, end users also download and use their favorite browsers from app stores.

〇：Calculate the potential impact for fatal errors.

Software testing is a must, but when that testing reveals numerous defects, it must be handled with care. Systems do not have the same concept as human forgetfulness, but it is not realistic to ask someone who scored 30 on this week’s test to score 100 on next week’s test.

Before any corrections can be made, the data taken from the test must be analyzed with the test completed, including log reviews. Priority must be given to determining what to implement first and what is acceptable and unacceptable. Think about qualitative risk analysis; if it is unlikely and has little impact, it can be left alone and focus on high priority items. Thus, the correct answer is, “Calculate the likelihood of impact for fatal errors.” will be.

×：Fix them all.

If many defects are found, it is likely that a lot of time will be taken to deal with their correction.

×：Leave them alone because of the huge number.

In principle, it is unacceptable to leave defects unattended.

×：Calculate the potential impact for all errors.

Performing an analysis for all errors can also be very work intensive.

〇：Cessation of activities that pose a risk.

This question is about choosing what is not included. Discontinuing an activity that introduces risk is a way to address risk through avoidance. For example, there are many risks surrounding the use of instant messaging (IM) within a company. If a company decides not to allow the use of IM because there is no business need to do so, banning this service is an example of risk avoidance. The risk assessment does not include the implementation of such measures. Therefore, the correct answer is “discontinue the activity that poses a risk”.

×：Asset Identification

This is incorrect because identifying the asset is part of the risk assessment and is required to identify what is not included in the risk assessment. To determine the value of an asset, the asset must first be identified. Identifying and valuing assets is another important task of risk management.

×：Threat Identification

This is incorrect because identifying threats is part of risk assessment and requires identifying what is not included in the risk assessment. A risk exists because a threat could exploit a vulnerability. If there are no threats, there are no risks. Risk links vulnerabilities, threats, and the resulting potential for exploitation to the business.

×：Risk analysis in order of cost

Analyzing risks in order of cost or criticality is part of the risk assessment process and is inappropriate because questions are asked to identify what is not included in the risk assessment. A risk assessment examines and quantifies the risks a company faces. Risks must be addressed in a cost-effective manner. Knowing the severity of the risk allows the organization to determine how to effectively address it.

〇：Restore the virus unpatched file version from the backup media.

The best practice is to install an unpatched, uninfected version of the file from the backup media. It is important to restore files that are known to be clean, as attempts to remove the files may corrupt them. The most important thing is not to spread the impact, but attempting to unilaterally delete files may make them unavailable for later investigation.

×：Replace the file with the file saved the previous day.

The file saved the previous day may also contain the virus.

×：Delete the file and contact the vendor.

This is an incorrect answer because the condition of this question is that if the file is deleted, the normal file content itself may be damaged.

×：Back up the data and delete the file.

This is an incorrect answer because backing up the data that contains the virus and deleting the file does not result in a clean situation.

〇：SOAP allows Remote Procedure Calls to be used to exchange information between applications over the Internet.

To allow applications to exchange information over the Internet, the Simple Object Access Protocol (SOAP) was created to be used instead of Remote Procedure Call (RPC). SOAP is an XML-based protocol that encodes messages in a Web service setting. It allows programs running on different operating systems to communicate using Web-based communication methods.

×：SOAP is designed to overcome compatibility and security issues associated with remote procedure calls.

Attempting to allow communication between objects of different applications over the Internet is incorrect because SOAP was created to overcome the compatibility and security issues introduced by RPC. SOAP is designed to work with multiple operating system platforms, browsers, and servers.

×：SOAP and remote procedure calls were created to enable application layer communication.

This is incorrect because both SOAP and RPC were created to enable application layer communication. SOAP is an XML-based protocol that encodes messages in a Web service setting. Therefore, if a Windows client needs to access a Windows server that provides a particular web service, programs on both systems can communicate using SOAP without running into interoperability problems.

×：HTTP is not designed to work with remote procedure calls, but SOAP is designed to work with HTTP.

HTTP is not designed to work with RPC, but SOAP is designed to work with HTTP. SOAP actually defines the structure of the XML schema or communication mechanism. The SOAP XML schema defines how objects communicate directly with each other. One of the advantages of SOAP is that program calls most likely get through firewalls, since HTTP communication is generally allowed. This ensures that the client/server model is not broken by getting denied by firewalls during the communication entity.

〇：OCSP is a protocol developed specifically to check CRLs during the certificate validation process.

A Certificate Authority (CA) is responsible for creating certificates, maintaining and distributing them, and revoking them when necessary. Revocation is handled by the CA and the revoked certificate information is stored in a Certificate Revocation List (CRL). This is a list of all revoked certificates. This list is maintained and updated periodically. A certificate is revoked if the key owner’s private key has been compromised, if the CA has been compromised, or if the certificate is incorrect. If a certificate is revoked for any reason, the CRL is a mechanism for others to inform you of this information. The Online Certificate Status Protocol (OCSP) uses this CRL; when using CRLs, the user’s browser must examine the CRL value to the client to see if the accreditation has been revoked or the CA is constantly checking to make sure they have an updated CRL. If OCSP is implemented, it will do this automatically in the background. It performs real-time verification of the certificate and reports back to the user whether the certificate is valid, invalid, or unknown.

×：CRL was developed as a more efficient approach to OCSP.

CRLs are often incorrect because they are a cumbersome approach; OCSP is used to deal with this tediousness; OCSP does this work in the background when using CRLs; OCSP checks the CRL to see if the certificate has been revoked by Checks.

×：OCSP is a protocol for submitting revoked certificates to CRLs.

OCSP is incorrect because it does not submit revoked certificates to the CRL; the CA is responsible for certificate creation, distribution, and maintenance.

×：CRL provides real-time validation of certificates and reports to OCSP.

Incorrect because CRL does not provide real-time validation of certificates to OCSP.

There are many different types of distributed denial of service (DDoS) attacks; there is no IPSec flood; UDP flood, SYN flood, and MAC flood are all distributed denial of service (DDoS) attacks.

The expected annual loss amount is the value of losses that could occur in the future, equalized on an annual basis based on the frequency of occurrence. Therefore, it is the Single Loss Expectancy (SLE) multiplied by the annual frequency of occurrence (ALO).

〇：Review labeling and treat as critical confidential information.

Labeling is the process of sorting data according to its level of confidentiality. Labeling helps clarify the confidentiality level of data management. If the labeling is incorrect, it should be corrected at any time to manage the data in accordance with the confidentiality level. Therefore, “Review the labeling and treat it as critical confidential information.” is the correct answer.

×：The entire sentence should be treated as confidential information because the business should be flexible.

This is not an appropriate operation because the text containing critical confidential information is treated as confidential information.

×：As supplemental information to the document, state that “a part of the text contains material confidential information.

This is not a fundamental solution because stating this as supplementary information is in effect treating the information as different confidential levels.

×：Destroy the document because it is impossible for different confidential information to be crossed.

Destroying the document is not an appropriate operation because it is a damage to one’s own assets.

Translated with www.DeepL.com/Translator (free version)

〇：Used in structured languages, it decreases development time but is somewhat resource intensive.

Third generation programming languages are easier to deal with than their predecessors. They reduce program development time and allow for simplified and quick debugging. However, these languages are more resource intensive when compared to second generation programming languages.

×：Intuitive manipulation of programming reduces effort, but the amount of manual coding for specific tasks tends to be greater than in previous generations.

The advantages and disadvantages of 4th generation programming are explained below. It is true that the use of heuristics in fourth generation programming languages has greatly reduced programming effort and errors in the code. However, there is something untrue about the fact that the amount of manual coding is more than required of 3rd generation languages.

×：The use of binaries for coding is very time consuming, but the potential for errors is reduced.

This is incorrect because it is a description of a machine language and implies the advantages and disadvantages of a first generation programming language.

×：It contributes to decreasing programming processing time, but knowledge of machine structures is essential.

Incorrect because it describes second generation programming languages. These languages require extensive knowledge of machine architecture and the programs written in them are only for specific hardware.

〇：ACL

Access Control List (ACL) A map value from the Access Control Matrix to an object; ACLs are used in several operating system, application, and router configurations. They are lists of items that are authorized to access a particular object and they define the level of authorization to be granted. Authorization can be specified to an individual or to a group. Therefore, ACLs are bound to an object and indicate which subjects can access it, and feature tables are bound to a subject and indicate which objects the subject can access.

×：Function table

The function table is a row in the access control matrix.

×：Constraint Interface

Constraint interfaces are wrong because they limit the user’s access ability by not allowing them to request certain functions or information or have access to certain system resources.

×：Role-based values

The role-based access control (RBAC) model, called non-discretionary access control, is wrong because it uses a centralized set of controls to determine how subjects and objects interact.

〇：Virtual Container for Data from Multiple Sources
Network directories are containers for users and network resources. Because one directory does not contain all the users and resources in an enterprise, a collection of directories must be used. A virtual directory collects the necessary information used from sources scattered throughout the network and stores it in a central virtual directory (virtual container). This provides a unified view of digital identity information for all users across the enterprise. The virtual directory is regularly synchronized with all identity stores (individual network directories) to ensure that up-to-date information is being used by all applications and identity management components in the enterprise.

×：Metadirectory

Virtual directories are similar to metadirectories, but incorrect because metadirectories work with one directory and virtual directories work with multiple data sources. When the Identity Management component calls the virtual directory, it can scan different directories across the enterprise, but the metadirectory only has the ability to scan one directory it is associated with.

×：User attribute information stored in the HR database

Incorrect because it describes an identity store. Much of the information stored in identity management directories is scattered throughout the enterprise. User attribute information (employee status, job description, department, etc.) is typically stored in the HR database. Authentication information can be stored in a Kerberos server, and resource-oriented authentication information can be stored in the domain controller’s Active Directory. These are commonly referred to as identity stores and are located elsewhere on the network. Many identity management products use virtual directories to call up the data in these identity stores.

×：Services that allow administrators to configure and manage the way identities are

This is incorrect because it describes a directory service. Directory services allow administrators to configure and manage how identification, authentication, permissions, and access control are performed within a network. It uses namespaces to manage objects in the directory and enforces security policies configured by performing access control and identity management functions.

〇：Subject

The functionality table identifies the access rights that a particular subject owns with respect to a particular object. Each subject is mapped for a function (capability) such as read or write perform. Therefore, the subject is the one that seems to fit in the choices.

×：Objects

Incorrect because the Object is bound to an Access Control List (ACL), not a functional component.

×：Product

Product is incorrect because it is just an example to implement a subject, object, or feature table.

×：Application

Application is incorrect because it is just a concrete example of an object.

Type 1 authentication treats what you know as credentials. This is accomplished through passwords, passphrases, PINs, etc., and is also referred to as the knowledge factor.

〇：COBIT defines IT goals, ITIL provides process-level procedures

COBIT is a framework developed by ISACA (formerly the Information Systems Audit and Controls) and the IT Governance Institute (ITGI). It defines goals for controls, not just security needs, to ensure that IT is properly managed and that IT is responsive to business needs. The IT Infrastructure Library (ITIL) is the de facto standard for IT service management best practices. A customizable framework, ITIL provides goals, the general activities required to achieve these goals, and the input and output values for each process required to achieve these determined goals. In essence, COBIT addresses “what needs to be accomplished” and ITIL addresses “how to accomplish”.

×：COBIT is a model of IT governance, ITIL is a model of corporate governance.

While COBIT can be used as a model for IT governance, ITIL is wrong because it is not a model for corporate governance. In fact, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a model of corporate governance. COBIT is derived from the COSO framework. COBIT can be thought of as a way to accomplish many COSO goals, but only from an IT perspective. To achieve many of the goals addressed in COBIT, organizations can use ITIL, which provides process-level steps to achieve IT service management goals.

×：COBIT is a model for corporate governance, ITIL is customizable for IT service management.

As mentioned above, COBIT is incorrect because it can be used as a model for IT governance, not corporate governance. COSO is a model of corporate governance. The second half of the answer is correct. ITIL is a customizable framework and is available as either a series of books or online for IT service management.

×：COBIT provides a business objectives framework, ITIL provides an IT service level objectives framework.

This is inappropriate because COBIT defines the control objectives that should be used to properly manage IT, enabling IT to address business needs as well as IT security needs. ITIL provides steps to achieve IT service management goals related to business needs. ITIL was created because of the increased reliance on information technology to meet business needs.

Clustering is designed for fault tolerance. It is often combined with load balancing, but they are essentially separate. Clustering can make an operation active/active. On top of that, the load balancing feature handles traffic from multiple servers. Active/passive, on the other hand, has a designated primary active server and a secondary passive server, with the passive sending keep-alives or heartbeats every few seconds.

〇：Conduct a risk analysis.

The first step in the procedure described, which is the first step to be taken only to deploy an effective physical security program, is to conduct a risk analysis to identify vulnerabilities and threats and to calculate the business impact of each threat. The team presents the results of the risk analysis to management to define an acceptable risk level for the physical security program. From there, the team evaluates and determines if the baseline is met by implementation. Once the team identifies its responses and implements the measures, performance is continually evaluated. These performances will be compared to the established baselines. If the baseline is maintained on an ongoing basis, the security program is successful because it does not exceed the company’s acceptable risk level.

×：Create a performance metric for the countermeasure.  

The procedure to create a countermeasure performance metric is incorrect because it is not the first step in creating a physical security program. If monitored on a performance basis, it can be used to determine how beneficial and effective the program is. It allows management to make business decisions when investing in physical security protection for the organization. The goal is to improve the performance of the physical security program, leading to a cost-effective way to reduce the company’s risk. You should establish a performance baseline and then continually evaluate performance to ensure that the firm’s protection goals are being met. Examples of possible performance metrics include: number of successful attacks, number of successful attacks, and time taken for attacks.

×：Design program.  

Designing the program is wrong because it should be done after the risk analysis. Once the level of risk is understood, then the design phase can be done to protect against the threats identified in the risk analysis. The design of deterrents, delays, detections, assessments, and responses will incorporate the necessary controls for each category of the program.

×：Implement countermeasures.  

Wrong because implementing countermeasures is one of the last steps in the process of deploying a physical security program.

Within the U.S. military complex and national security apparatus, the most common names for data classification become unclassified and classified. “Classified” information includes classified, critical secret, and top secret (Top Secret). Classified data is data that, if improperly disclosed, could harm national security. Top Secret data is data that, if improperly disclosed, could cause “serious” harm to national security. Finally, Top Secret data is data that, if improperly disclosed, could cause “serious” harm to national security.

A security document documents the security to be achieved.” To achieve “strong security” a clear definition is needed. Since the definition varies from organization to organization, it is necessary to put it in writing. There are five documents, with policy at the top, each of which is mandatory or optional.

〇：The format of the audit log is unknown and is not available to the intruder in the first place.

Audit tools are technical controls that track activity within a network, on a network device, or on a specific computer. Auditing is not activity that denies an entity access to a network or computer, but it tracks activity so that the security administrator can understand the type of access made, identify security violations, or alert the administrator of suspicious activity. This information points out weaknesses in other technical controls and helps the administrator understand where changes need to be made to maintain the required level of security within the environment. Intruders can also use this information to exploit these weaknesses. Therefore, audit logs should be protected by controls on privileges, permissions, and integrity, such as hashing algorithms. However, the format of system logs is generally standardized for all similar systems. Hiding the log format is not a normal measure and is not a reason to protect audit log files.

×：If not properly protected, audit logs may not be admissible during prosecution.

This is incorrect because great care must be taken to protect audit logs in order for them to be admissible in court. Audit trails can be used to provide alerts about suspicious activity that can be investigated later. In addition, it is useful in determining exactly how far away the attack took place and the extent of any damage that may have occurred. It is important to ensure that a proper chain of custody is maintained so that all data collected can be properly and accurately represented in case it needs to be used in later events such as criminal proceedings or investigations.

×：Because audit logs contain sensitive data, only a specific subset of users should have access to them.

This is incorrect because only administrators and security personnel need to be able to view, modify, and delete audit trail information. Others cannot see this data and can rarely change or delete it. The use of digital signatures, message digest tools, and strong access controls can help ensure the integrity of the data. Its confidentiality can be protected with encryption and access control as needed, and it can be stored on write-once media to prevent data loss or tampering. Unauthorized access attempts to audit logs should be captured and reported.

×：Intruders may attempt to scrub logs to hide their activities.

If an intruder breaks into your home, do your best to leave no fingerprints or clues that can be used to link them to criminal activity. The same is true for computer fraud and illegal activity. Attackers often delete audit logs that hold this identifying information. In the text, deleting is described as scrubbing. Deleting this information may alert administrators to an alert or perceived security breach and prevent valuable data from being destroyed. Therefore, audit logs should be protected by strict access controls.

〇：The ability to control access close to the resource.

Central access control has various advantages such as uniform rules and reduced operational burden. Distributed access control allows access control in close proximity to resources, thus protecting resources independently.

×：It should be possible to design a comprehensive

Distributed access control is not a comprehensive design because the authentication and authorization functions are distributed.

×：Relatively low cost.

Whether or not costs can be kept down cannot be determined by this design concept alone.

×：Logs from various devices make it easier to understand the current status.

Both central access control and distributed access control can acquire logs from various devices.

Scoping determines which parts of a standard will be deployed to the organization. It selects the standards that apply to the request or industry and determines which are within the organizational scope and which are outside of it.

〇：Striping

RAID redundant arrays is a technology used for redundancy and performance. It combines multiple physical disks and aggregates them into a logical array; RAID appears as a single drive to applications and other devices. With striping, data is written to all drives. With this activity, data is split and written to multiple drives. Since multiple heads are reading and writing data at the same time, write and read performance is greatly improved.

×：Parity

Parity is used to reconstruct corrupted data.

×：Mirroring

Writing data to two drives at once is called mirroring.

×：Hot Swap

Hot swap refers to a type of disk found on most RAID systems. A RAID system with hot-swap disks allows the drives to be swapped out while the system is running. When a drive is swapped out or added, parity data is used to rebuild the data on the new disk that was just added.

MTD represents the time it takes to signify severe and irreparable damage to the reputation and bottom line of an organization; RTO values are smaller than MTD values; RTO assumes that there is a period of acceptable downtime.

UDP (User Datagram Protocol) floods are often used in distributed denial of service (DDOS) attacks because they are connectionless and yet allow for easy generation of UDP messages from various scripting and compilation languages. UDP is a datagram protocol.

A structured change management process must be established to direct staff to make appropriate configuration changes. Standard procedures keep the process under control and ensure that it can be implemented in a predictable manner. Change management policies should include procedures for requesting changes, approving changes, documenting, testing and viewing changes, implementing, and reporting changes to management. The configuration management change control process is not typically associated with service level agreement approvals.

〇：Social Engineering

Social engineering is an attack that invites human error rather than system. It occurs regardless of system architecture and installed software.

×：DDoS Attacks

A DDoS attack is a mass DoS attack against a target website or server from multiple computers.

×：Ransomware

Ransomware is malware that freezes data by encrypting it and demands a ransom from the owner.

×：Zero-day attacks

A zero-day attack is an attack on a vulnerability that was disclosed before it was fixed.