Chapter 1: Security and Risk Management

Question 1

NIST Document for Disaster Recovery

Answer 1

800-34

Question 2

BCP

Answer 2

sustaining operation & more business than IT long term “the sky is fallen” now what do we do… umbrella term

Question 3

DRP

Answer 3

part of the BCP plan.

Question 4

Life Safety

Answer 4

1 Priority

Question 5

Categories of Disaster

Answer 5

Non-disaster, urgent, disaster, catastropheemergency - an immediate event.

Question 6

warm site

Answer 6

office furniture general equipment

Question 7

hot site

Answer 7

ready to go in 24hrs

Question 8

cold site

Answer 8

empty building

Question 9

4 steps of BCP

Answer 9

project scope and planning, biz impact assessment, continuity planning, and approval and implementation

Question 10

MTD

Answer 10

max tolerable downtime = WRT x RTO

Question 11

bridges gap between BIA and BCP

Answer 11

strategy development task.

Question 12

provision and process phase

Answer 12

BCP team designs procedures to mitigate risk

Question 13

BCP Coordinator

Answer 13

only he can declare disaster.

Question 14

wrt

Answer 14

CONFIGURE!!!! work recovery time to configure a recovered system (WRT) describes the time required to configure a recovered system.

Question 15

mtbf

Answer 15

mean time between failures

Question 16

BRP

Answer 16

provides plans to recover business after a disaster

Question 17

RPO

Answer 17

Max amount of data loss a organization can withstand -recovery point objective example: how much time to go without a backup.

Question 18

rto

Answer 18

RECOVER SYSTEM!!! max about of time to recover a biz system —-recovery time objective—–

Question 19

WRT

Answer 19

work recovery time X RPO

Question 20

Threat

Answer 20

Anything that can cause harm to an asset

Question 21

Vulnerability

Answer 21

a weakness that allows a threat to cause harm.

Question 22

Risk

Answer 22

Threat x Vulnerabilityadded variable called impact which addresses severity in dollars

Question 23

EF

Answer 23

Exposure Factor is the percentage of value an asset lost due to an incident.

Question 24

SLE

Answer 24

AV x EF

Question 25

ARO

Answer 25

annual rate of occurence number of losses you suffer per year

Question 26

ALE

Answer 26

annual loss expectancey SLE x ARO

Question 27

OCTAVE

Answer 27

Operationally Critical Threat Asset and Vulnerability evaluation . risk management framework from carnegie mellon. three phase process for managing risk

Question 28

ISO 17799 and ISO2700 series

Answer 28

17799 was re-numbered to ISO27002 a broad based approach for information security code of practice by the International organization for standardization TEchniquesISO27001 is a related standard describing a process for auditing...Requirements.

Question 29

COBIT/COSO

Answer 29

Secure Governance goals for IT orgs. best practices

Question 30

ITIL

Answer 30

framework for providing best services in IT service management.

Question 31

accreditation

Answer 31

is the data owners acceptance of the risk represented by that system.

Question 32

certification

Answer 32

is a detailed inspection that verifies whether a system meets the documented security requirements.

Question 33

BCP Planning Stages

Answer 33

1. Select Individual to interview for data gathering 2. create data-gathering techniques 3. id company's cirital biz fuctions 4. id the resources these functions depend upon 5. Calculate how long these functinos can survive without resources. 6. ID vulnerablilites an threats to these functions 7. Caluclate Ricks for each different biz funcion 8. document findings report to management.

Question 34

Software Escrow involves how many parties

Answer 34

3 company, client and a trusted 3 rd party for escrow.

Question 35

formula for calulating risks

Answer 35

P \* M = C Probability of harm (P) : the chance that a damaging event will occur Magnitude or Harm (M): the amount of financial damage that would occur should a disaster happen A tip to use to remember this is: "A Project Manager (PM) cries many times when he thinks of the cost " (P \* M = C)