Which of the following describes the acceptable amount of data loss measured in time?
A
Explanation:
The Recovery Point Objective (RPO) describes the acceptable amount of data loss measured in time. It is the point in time to which data must be recovered, as defined by the organization. The RPO is generally a definition of what an organization determines is an "acceptable loss" in a disaster situation. If the RPO of a company is 2 hours and the time it takes to get the data back into production is 5 hours, the RPO is still 2 hours. Based on this RPO, the data must be restored to within 2 hours of the disaster.
Answer B is incorrect. The Recovery Time Objective (RTO) is the duration of time and a service level within which a business process must be restored after a disaster or disruption in order to avoid unacceptable consequences associated with a break in business continuity. It includes the time spent trying to fix the problem without a recovery, the recovery itself, tests, and the communication to the users. Decision time for user representatives is not included. The business continuity timeline usually runs parallel with an incident management timeline and may start at the same, or different, points.
In accepted business continuity planning methodology, the RTO is established during the Business Impact Analysis (BIA) by the owner of a process (usually in conjunction with the Business Continuity planner). The RTOs are then presented to senior management for acceptance. The RTO attaches to the business process and not to the resources required to support the process.
Answer D is incorrect. The Recovery Time Actual (RTA) is established during an exercise or an actual event, or is predetermined based on the recovery methodology the technology support team develops. This is the time frame the technology support team takes to deliver the recovered infrastructure to the business.
Answer C is incorrect. The Recovery Consistency Objective (RCO) is used in Business Continuity Planning in addition to the Recovery Point Objective (RPO) and the Recovery Time Objective (RTO). It applies data consistency objectives to Continuous Data Protection services.
Copyright holders, content providers, and manufacturers use digital rights management (DRM) in order to limit usage of digital media and devices. Which of the following security challenges does DRM include? Each correct answer represents a complete solution. Choose all that apply.
C, A, D
Explanation:
The security challenges for DRM are as follows:
Key hiding: It prevents tampering attacks that target the secret keys. In the key hiding process, secret keys are used for authentication, encryption, and node-locking.
Device fingerprinting: It prevents fraud and provides secure authentication. Device fingerprinting includes the summary of hardware and software characteristics in order to uniquely identify a device.
OTA provisioning: It provides end-to-end encryption or other secure ways for delivery of copyrighted software to mobile devices.
Answer B is incorrect. Access control is not a security challenge for DRM.
Which of the following terms refers to the protection of data against unauthorized access?
D
Explanation:
Questions & Answers PDF
Confidentiality is a term that refers to the protection of data against unauthorized access. Administrators can provide confidentiality by encrypting data. Symmetric encryption is a relatively fast encryption method. Hence, this method of encryption is best suited for encrypting large amounts of data such as files on a computer.
Answer A is incorrect. Integrity ensures that no intentional or unintentional unauthorized modification is made to data.
Answer C is incorrect. Auditing is used to track user accounts for file and object access, logon attempts, system shutdown, etc. This enhances the security of the network. Before enabling auditing, the type of event to be audited should be specified in the Audit Policy in User Manager for Domains.
Which of the following are the responsibilities of a custodian with regard to data in an information classification program? Each correct answer represents a complete solution. Choose three.
B, A, D
Explanation:
The owner of information delegates the responsibility of protecting that information to a custodian. The following are the responsibilities of a custodian with regard to data in an information classification program:
Running regular backups and routinely testing the validity of the backup data
Performing data restoration from the backups when necessary
Controlling access, adding and removing privileges for individual users
Answer C is incorrect. Determining what level of classification the information requires is the responsibility of the owner.
Which of the following DoD directives defines DITSCAP as the standard C&A process for the Department of Defense?
D
Explanation:
DITSCAP stands for DoD Information Technology Security Certification and Accreditation Process. The DoD Directive 5200.40 (DoD Information Technology Security Certification and Accreditation Process) established the DITSCAP as the standard C&A process for the Department of Defense. The Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) is a process defined by the United States Department of Defense (DoD) for managing risk. DIACAP replaced the former process, known as DITSCAP, in 2006.
Answer B is incorrect. This DoD Directive is known as the National Industrial Security Program Operating Manual.
Answer C is incorrect. This DoD Directive is known as the Defense Information Management (IM) Program.
Answer A is incorrect. This DoD Directive is known as Management and Control of Information Requirements.
Which of the following elements of the BCP process emphasizes creating the scope and the additional elements required to define the parameters of the plan?
D
Explanation:
The scope and plan initiation process in BCP marks the beginning of the BCP process. It emphasizes creating the scope and the additional elements required to define the parameters of the plan.
The scope and plan initiation phase embodies a check of the company's operations and support services. The scope activities include creating a detailed account of the work required, listing the resources to be used, and defining the management practices to be employed.
Answer C is incorrect. The business impact assessment is a method used to help business units understand the impact of a disruptive event. This phase includes the execution of a vulnerability assessment. This process identifies the mission-critical areas and business processes that are important for the survival of the business.
It is similar to the risk assessment process. The function of a business impact assessment process is to create a document, which is used to help understand what impact a disruptive event would have on the business.
Answer A is incorrect. The business continuity plan development refers to the utilization of the information collected in the Business Impact Analysis (BIA) for the creation of the recovery strategy plan to support the critical business functions. The information gathered from the BIA is mapped out to make a strategy for creating a continuity plan. The business continuity plan development process includes the areas of plan implementation, plan testing, and ongoing plan maintenance. This phase also consists of defining and documenting the continuity strategy.
Answer B is incorrect. The plan approval and implementation process involves creating enterprise-wide awareness of the plan, getting the final senior management signoff, and implementing a maintenance procedure for updating the plan as required.
FILL IN THE BLANK
Fill in the blank with an appropriate phrase. The ________ is a formal state transition system of computer security policy that describes a set of access control rules designed to ensure data integrity.
Biba model
Explanation:
The Biba model is a formal state transition system of computer security policy that describes a set of access control rules designed to ensure data integrity. Data and subjects are grouped into ordered levels of integrity. The model is designed so that subjects may not corrupt data in a level ranked higher than the subject, or be corrupted by data from a lower level than the subject.
Which of the following are the phases of the Certification and Accreditation (C&A) process? Each correct answer represents a complete solution. Choose two.
D, A
Explanation:
The Certification and Accreditation (C&A) process consists of four distinct phases:
1. Initiation
2. Security Certification
3. Security Accreditation
4. Continuous Monitoring
The C&A activities can be applied to an information system at appropriate phases in the system development life cycle by selectively tailoring the various tasks and subtasks.
Answers B and C are incorrect. Auditing and detection are not phases of the Certification and Accreditation process.
You work as an analyst for Tech Perfect Inc. You want to prevent information flow that may cause a conflict of interest in your organization representing competing clients. Which of the following security models will you use?
B
Explanation:
The Chinese Wall Model is the basic security model developed by Brewer and Nash. This model prevents information flow that may cause a conflict of interest in an organization representing competing clients. The Chinese Wall Model provides both privacy and integrity for data.
Answer D is incorrect. The Biba model is a formal state transition system of computer security policy that describes a set of access control rules designed to ensure data integrity. Data and subjects are grouped into ordered levels of integrity. The model is designed so that subjects may not corrupt data in a level ranked higher than the subject, or be corrupted by data from a lower level than the subject.
Answer C is incorrect. The Clark-Wilson model provides a foundation for specifying and analyzing an integrity policy for a computing system. The model is primarily concerned with formalizing the notion of information integrity. Information integrity is maintained by preventing corruption of data items in a system due to either error or malicious intent.
The model's enforcement and certification rules define data items and processes that provide the basis for an integrity policy. The core of the model is based on the notion of a transaction.
Answer A is incorrect. The Bell-LaPadula Model is a state machine model used for enforcing access control in government and military applications. The model is a formal state transition model of computer security policy that describes a set of access control rules which use security labels on objects and clearances for subjects. Security labels range from the most sensitive (e.g., "Top Secret") down to the least sensitive (e.g., "Unclassified" or "Public").
The Bell-LaPadula model focuses on data confidentiality and controlled access to classified information, in contrast to the Biba Integrity Model, which describes rules for the protection of data integrity.
You work as a project manager for BlueWell Inc. You are preparing to plan risk responses for your project with your team. How many risk response types are available for a negative risk event in the project?
D
Explanation:
There are four risk responses available for a negative risk event.
The risk response strategies for negative risks are:
Avoid: It involves altering the project management plan to remove the threat completely.
Transfer: It requires shifting some or all of the negative effects of a threat, including the ownership of the response, to a third party.
Mitigate: It implies reducing the probability and impact of an unfavorable risk event to within acceptable threshold limits.
Accept: It means that the project plan will not be changed to deal with the risk. Management may develop a contingency plan in case the risk occurs. It is used for both negative and positive risks.
Answer C is incorrect. There are four responses for negative risk events.
Answer A is incorrect. There are four, not three, responses for negative risk events. Do not forget that acceptance can be used for negative risk events.
Answer B is incorrect. There are seven total risk responses, four of which can be used for negative risk events.