
Solution Manual for CISSP Guide to Security Essentials
2nd Edition by Gregory ISBN 1285060423
9781285060422
CISSP Guide to Security Essentials, 2nd Edition
Chapter 4 Solutions
Review Questions
1. The purpose of a Business Impact Analysis (BIA) is to determine:
a. The impact of a disaster
b. The extent of damage in a disaster
c. Which business processes are the most critical
d. Which processes depend on IT systems

2. During the early phases of a disaster recovery project, the project team needs to identify the disaster scenarios that can jeopardize the ongoing viability of the organization. The team should perform:
a. A business impact analysis
b. A threat analysis
c. A walkthrough test
d. A failover test

3. Maximum Tolerable Downtime (MTD) should be determined by:
a. The project manager
b. The risk manager
c. Senior management
d. The threat modeling tool

4. Recovery Time Objective (RTO) is defined as:
a. The maximum length of time that a business process will be unavailable during a disaster
b. The maximum amount of data loss during a disaster
c. The point in time when a recovery is initiated after a disaster
d. The maximum period of time that a business can tolerate downtime during a disaster

5. Recovery Point Objective (RPO) is defined as:
a. The maximum length of time that a business process will be unavailable during a disaster
b. The maximum amount of data loss during a disaster
c. The point in time when a recovery is initiated after a disaster
d. The maximum point in time that a business can tolerate downtime during a disaster

6. The purpose of a criticality analysis is to:
a. Develop a rank-ordered list of the most critical threats
b. Develop a rank-ordered list of the most critical business processes
c. Develop a rank-ordered list of the most critical vulnerabilities
d. Develop a rank-ordered list of the most critical staff

7. Because of limited resources, Company A cannot develop disaster recovery plans for all of its processes. What should Company A use to determine which processes require recovery plans?
a. Those that are ranked highest in the criticality analysis
b. Those with the lowest MTD values
c. Those with the highest MTD values
d. Those that are ranked lowest in the criticality analysis

8. Which should be protected first during a disaster:
a. Critical business records
b. Critical systems
c. Backup media for critical systems
d. Personnel

9. The purpose of a UPS is:
a. Filtering of electric power created by an electric generator
b. Delivery of critical supplies during a disaster
c. Protection of electric generators during a power failure
d. Continuous electric power during a power failure

10. Over a period of several years, an organization has exceeded the capacity of its emergency electric generator. The organization should:
a. Increase UPS capacity to make up the difference
b. Purchase a larger generator that can handle the entire workload
c. Purchase an additional generator so that the old and new generators together will generate enough power
d. Decrease UPS capacity to make up the difference

11. An organization is experiencing a large number of spikes, surges, and noise on its incoming electric power. The organization should consider:
a. An electric generator
b. An uninterruptible power supply (UPS)
c. A line conditioner
d. A power distribution unit

12. An organization has just completed development of a disaster recovery plan. The first test of the plan that should be performed is:
a. Parallel
b. Simulation
c. Walkthrough
d. Cutover

13. A company has determined that its Recovery Time Objective (RTO) for a critical system is three minutes. In order to ensure the continuous availability of its critical systems, the company should consider:
a. An active-passive geographic server cluster
b. An active-active local server cluster
c. An active-passive local server cluster
d. An active-active geographic server cluster

14. A company has determined that its Recovery Time Objective (RTO) for critical systems is two hours. In order to facilitate a timely resumption of critical applications, the company should consider:
a. Data replication to servers in a hot site
b. Data replication to servers in a warm site
c. Clustered servers
d. Disk-to-disk backup

15. The risk associated with a cutover test is:
a. A failure will result in a service interruption
b. A failure will result in data loss
c. A failure will result in data corruption
d. Adverse publicity
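The review questions use RPO, RTO and MTD as targets; in practice the question is whether the backup and recovery arrangements actually meet them. The script below is an added worked example, not part of the textbook or of this solutions manual. It measures the achieved RPO from a backup job's run history (a failed run leaves no restore point, so it widens the window of possible data loss rather than resetting it), measures the achieved RTO from the step timings recorded in a restore drill, and checks both against the targets, including the rule that the RTO must not exceed the MTD set by senior management. The log lines, drill timings, job name and the 8-hour RPO, 2-hour RTO and 24-hour MTD targets are all constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the book): one backup job's run history,
# one line per run in the form "timestamp job status".
BACKUP_LOG = """\
2024-03-01T00:05:00 mail-db OK
2024-03-01T06:05:00 mail-db OK
2024-03-01T12:05:00 mail-db FAILED
2024-03-01T18:05:00 mail-db OK
2024-03-02T00:05:00 mail-db OK
2024-03-02T06:05:00 mail-db OK
"""

# Constructed timings from a restore drill: (step, minutes taken).
RESTORE_DRILL = [
    ("declare the disaster and page the on-call team", 20),
    ("provision a replacement server", 45),
    ("restore the last successful backup", 90),
    ("verify mail flow and hand the service back to users", 25),
]


def parse_backup_log(text):
    """Parse log lines into (datetime, status) tuples, skipping blank lines."""
    runs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, _job, status = line.split()
        runs.append((datetime.fromisoformat(stamp), status))
    return runs


def achieved_rpo(runs):
    """Worst-case data loss: the longest interval between two consecutive
    successful backups. Only OK runs produce a restore point, so a FAILED
    run in between stretches the gap to the next success."""
    good = [stamp for stamp, status in runs if status == "OK"]
    if len(good) < 2:
        raise ValueError("need at least two successful backups to measure RPO")
    return max(later - earlier for earlier, later in zip(good, good[1:]))


def achieved_rto(drill):
    """Elapsed recovery time measured in the drill: the sum of the step times."""
    return timedelta(minutes=sum(minutes for _step, minutes in drill))


def evaluate(runs, drill, rpo_target_hours, rto_target_hours, mtd_hours):
    """Compare measured RPO and RTO with the targets and return the findings.
    The RTO target itself must not exceed the MTD: the business cannot be
    promised a recovery that takes longer than it can tolerate being down."""
    rpo = achieved_rpo(runs)
    rto = achieved_rto(drill)
    return {
        "achieved_rpo_hours": rpo.total_seconds() / 3600,
        "achieved_rto_minutes": rto.total_seconds() / 60,
        "rpo_met": rpo <= timedelta(hours=rpo_target_hours),
        "rto_met": rto <= timedelta(hours=rto_target_hours),
        "rto_within_mtd": rto_target_hours <= mtd_hours,
    }


if __name__ == "__main__":
    findings = evaluate(parse_backup_log(BACKUP_LOG), RESTORE_DRILL,
                        rpo_target_hours=8, rto_target_hours=2, mtd_hours=24)
    for key, value in findings.items():
        print(f"{key}: {value}")
```

With the constructed data, the six-hourly schedule looks like a 6-hour RPO on paper, but the single failed run stretches the real window to 12 hours, and the drill takes 3 hours against a 2-hour RTO; both targets are missed even though the RTO is comfortably inside the MTD. This is the kind of evidence a walkthrough or simulation test (question 12) should produce before any cutover test is attempted.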
Hands-On Projects
Project 4-1
Students are instructed to develop a personal disaster preparedness plan. There are several similarities between an individual or family and a small business with regard to disaster preparation. The steps used here are common to individuals and families, small businesses, and (to an extent) larger organizations.
Students are first directed to identify the types of natural disasters that can occur in the region in which they live. Students can search local and regional government web sites for information on disaster preparation that will provide valuable clues regarding local natural disasters.
Students are then directed to document steps for disaster preparation, emergency communications, disaster response, and teaching others.
Project 4-2
Students are instructed to obtain and analyze an existing contingency planning document and make recommendations for improvement.
The project directs students to download the Business Pandemic Influenza Planning Checklist from http://www.flu.gov/planning-preparedness/business/businesschecklist.pdf, although any local and more relevant document may be used.
Students are asked to express their opinion on whether the plan can be implemented in their organization. This will help them to understand that there is no ready-made checklist (of any kind) that will easily work in any organization. However, proper analysis should reveal the principles behind the plan that can be applied to most organizations.
Case Projects
Case Project 4-1
In this project, students are directed to set recovery objectives for a web-based e-mail application used by a private organization. The recovery objectives to be set are Recovery Point Objective (RPO), Recovery Time Objective (RTO), Recovery Consistency Objective (RCO), and Recovery Capacity Objective (RCapO).
Students need to justify the recovery targets they set. Students should employ reasonableness for a private organization and not go “overboard” and suggest an elaborate scheme that few organizations would find economically feasible.