
c. Dependencies

d. Service levels

4. c. The business impact analysis (BIA) examines business process composition and priorities, business or operating cycles, service levels, and, most important, the dependency of business processes on mission-critical information systems.

5. The major threats that a disaster recovery and contingency plan should address include which of the following?

a. Physical threats, software threats, and environmental threats

b. Physical threats and environmental threats

c. Software threats and environmental threats

d. Hardware threats and logical threats

5. b. Physical and environmental controls help prevent contingencies. Although many of the other controls, such as logical access controls, also prevent contingencies, the major threats that a contingency plan addresses are physical and environmental threats, such as fires, loss of power, plumbing breaks, or natural disasters. Logical access controls can address both the software and hardware threats.

6. Risks in the use of cellular radio and telephone networks during a disaster include which of the following?

a. Security and switching office

b. Security and redundancy

c. Redundancy and backup power systems

d. Backup power systems and switching office

6. a. The airwaves are not secure, and a mobile telephone switching office can be lost during a disaster. The cellular company may need a diverse route from the cell site to another mobile switching office.

7. Contingency planning integrates the results of which of the following?

a. Business continuity plan

b. Business impact analysis

c. Core business processes

d. Infrastructural services

7. b. Contingency planning integrates and acts on the results of the business impact analysis. The output of this process is a business continuity plan consisting of a set of contingency plans—with a single plan for each core business process and infrastructure component. Each contingency plan should provide a description of the resources, staff roles, procedures, and timetables needed for its implementation.

Domain 9

Legal, Regulations, Investigations, and Compliance

Traditional Questions, Answers, and Explanations

1. Computer fraud is discouraged by:

a. Willingness to prosecute

b. Ostracizing whistle blowers

c. Overlooking inefficiencies in the judicial system

d. Accepting the lack of integrity in the system

1. a. Willingness to prosecute sends a strong message to potential perpetrators, which could discourage computer fraud. Situational pressures (e.g., gambling and drugs), opportunities to commit fraud (e.g., weak system of controls), and personal characteristics (e.g., lack of integrity and honesty) are major causes of fraud, whether or not computer related. There is nothing new about the act of committing fraud. There is perhaps no new way to commit fraud because someone somewhere has already tried it. The other three choices encourage computer fraud.

2. When computers and peripheral equipment are seized in relation to a computer crime, what is it an example of?

a. Duplicate evidence

b. Physical evidence

c. Best evidence

d. Collateral evidence

2. d. Collateral evidence is evidence relevant only to some evidential fact, and that is not by itself relevant to a consequential fact. Here, computers and peripheral equipment are examples of collateral evidence because they are a part of the crime scene, not a crime by themselves.

Duplicate evidence is a document that is produced by some mechanical process that makes it more reliable evidence of the contents of the original than other forms of secondary evidence (for example, a photocopy of the original). Modern statutes make duplicates easily substitutable for an original. Duplicate evidence is a part of the best evidence rule.

Physical evidence is obtained by direct inspection or observation of people, property, or events. Best evidence is primary evidence that is the most natural, reliable, and in writing (for example, a written instrument such as a letter, statement, contract, or deed). It is the most satisfactory proof of the fact based on documentary evidence because the best evidence rule prevents a party from proving or disproving the content of writing by oral testimony. However, oral testimony can be used to explain the meaning of the written instrument where the instrument is subject to more than one interpretation.

3. In general, which of the following evidence is not admissible in a court?

a. Hearsay evidence

b. Primary evidence

c. Material evidence

d. Substantive evidence

3. a. Hearsay evidence, whether oral or written, by itself is not admissible in a court because it is second-hand evidence. It refers to any oral or written evidence brought into court and offered as proof of things said out of court. However, hearsay evidence is admissible when the witness is put under oath on the court's stand and cross-examined to state what he saw or heard. This is an example of a court's procedural checks and balances.

The other three choices are admissible in a court of law. Primary evidence is original and best evidence. It is confined to documentary evidence and applies to proof of a writing's content. Material evidence is evidence that is relevant to prove a disputed consequential fact; the term is also used to mean evidence having some weight. Substantive evidence is evidence that is admitted to prove the significance of the party's case rather than to attack the credibility of an opposing witness.

Similarly, business documents (for example, sales orders and purchase orders) created during regular business transactions are considered admissible in a court of law. As another example, photographs represent hearsay evidence but are considered admissible if they are properly authenticated by witnesses who are familiar with the subject.

4. All of the following are the primary elements of a security incident triad except:

a. Detect

b. Respond

c. Report

d. Recover

4. c. The primary elements of a security incident triad include detect, respond, and recover. An organization should have the ability to detect an attack, respond to an attack, and recover from an attack by limiting consequences of or impacts from an attack.