62. A major risk in the use of cellular radio and telephone networks during a disaster includes:

a. Security and switching office issues

b. Security and redundancy

c. Redundancy and backup power systems

d. Backup power systems and switching office

62. a. The airwaves are not secure and a mobile telephone switching office can be lost during a disaster. The cellular company may need to divert a route from the cell site to another mobile switching office. User organizations can take care of the other three choices because they are mostly applicable to them, and not to the telephone company.

63. Regarding BCP and DRP, which of the following is not an element of risk?

a. Threats

b. Assets

c. Costs

d. Mitigating factors

63. c. Whether it is BCP/DRP or not, the three elements of risk include threats, assets, and mitigating factors.

Risks result from events and their surroundings with or without prior warnings, and include facilities risk, physical and logical security risk, reputation risk, network risk, supply-chain risk, compliance risk, and technology risk.

Threat sources include natural (for example, fires and floods), man-made attacks (for example, social engineering), technology-based attacks (DoS and DDoS), and intentional attacks (for example, sabotage).

Assets include people, facilities, equipment (hardware), software, and technologies.

Controls in the form of physical protection, logical protection, and asset protection are needed to avoid or mitigate the effects of risks. Some examples of preventive controls include passwords, smoke detectors, and firewalls, and some examples of reactive/recovery controls include hot sites and cold sites.

Costs are outcomes or byproducts derived from threats, assets, and mitigating factors; they should be analyzed and justified along with benefits prior to the investment in controls.

64. Physical disaster prevention and preparedness begins when a:

a. Data center site is constructed

b. New equipment is added

c. New operating system is installed

d. New room is added to existing computer center facilities

64. a. The data center should be constructed in such a way as to minimize exposure to fire, water damage, heat, or smoke from adjoining areas. Other considerations include raised floors, sprinklers, or fire detection and extinguishing systems and furniture made of noncombustible materials. All these considerations should be taken into account in a cost-effective manner at the time the data (computer) center is originally built. Add-ons will not only be disruptive but also costly.

65. Disaster notification fees are part of which of the following cost categories associated with alternative computer processing support?

a. Initial costs

b. Recurring operating costs

c. Activation costs

d. Development costs

65. c. There are three basic cost elements associated with alternate processing support: initial costs, recurring operating costs, and activation costs. The first two components are incurred whether or not the backup facility is put into operation; the last cost component is incurred only when the facility is activated.

The initial costs include the cost of initial setup, including membership, construction or other fees. Recurring operating costs include costs for maintaining and operating the facility, including rent, utilities, repair, and ongoing backup operations. Activation costs include costs involved in the actual use of the backup capability. This includes disaster notification fees, facility usage charges, overtime, transportation, and other costs.

66. When comparing alternative computer processing facilities, the major objective is to select the alternative with the:

a. Largest annualized profit

b. Largest annualized revenues

c. Largest incremental expenses

d. Smallest annualized cost

66. d. The major objective is to select the best alternative facility that meets the organization’s recovery needs. An annualized cost is obtained by multiplying the annual frequency by the expected dollar amount of cost. The product should be a small figure.

67. Which of the following statements is not true about contracts and agreements associated with computer backup facilities?

a. Small vendors do not need contracts due to their size.

b. Governmental organizations are not exempted from contract requirements.

c. Nothing should be taken for granted during contract negotiations.

d. All agreements should be in writing.

67. a. All vendors, regardless of their size, need written contracts for all customers, whether commercial or governmental. Nothing should be taken for granted, and all agreements should be in writing to avoid misunderstandings and performance problems.

68. All of the following are key stakeholders in the disaster recovery process except:

a. Employees

b. Customers

c. Suppliers

d. Public relations officers

68. d. A public relations (PR) officer is a company’s spokesperson and uses the media as a vehicle to consistently communicate and report to the public, including all stakeholders, during pre-crisis, interim, and post-crisis periods. Hence, the PR officer is a reporter, not a stakeholder. Examples of various media used for crisis notification include print, radio, television, telephone (voice mail and text messages), post office (regular mail), the Internet (for example, electronic mail and blogs), and press releases or conferences.

The other stakeholders (for example, employees, customers, suppliers, vendors, labor unions, investors, creditors, and regulators) have a vested interest in the positive and negative effects and outcomes, and are affected by a crisis situation, resulting from the disaster recovery process.

69. Which of the following is the most important consideration in locating an alternative computing facility during the development of a disaster recovery plan?

a. Close enough to become operational quickly

b. Unlikely to be affected by the same contingency issues as the primary facility

c. Close enough to serve its users

d. Convenient to airports and hotels

69. b. There are several considerations that should be reflected in the backup site location. The optimum facility location is (i) close enough to allow the backup function to become operational quickly, (ii) unlikely to be affected by the same contingency, (iii) close enough to serve its users, and (iv) convenient to airports, major highways, or train stations when located out of town.

70. Which of the following alternative computing backup facilities is intended to serve an organization that has sustained total destruction from a disaster?

a. Service bureaus