Читаем CISSP Practice полностью

110. Initial analysis revealed that an employee is the apparent target of or is suspected of causing a computer security incident in a company. Which of the following should be notified first?

a. Legal department

b. Human resources department

c. Public affairs department

d. Information security department

110. b. When an employee is the apparent target of or is suspected of causing a computer security incident in a company, the human resources department should be notified first because it can assist with disciplinary actions or employee counseling depending on the nature and extent of the incident. Note that incidents can be accidental/intentional, small/large, or minor/major, and each has its own set of disciplinary actions and proceedings based on the due process.

The other three choices are incorrect because these departments are not the ones that should be notified first, even though they are involved later. The role of the legal department is to review incident response plans, policies, and procedures to ensure their compliance with laws and regulations. The legal department comes into play when an incident has legal ramifications, including evidence collection, prosecution of a suspect, or potential for a lawsuit. The role of the public affairs department is to inform the media and the law enforcement authorities depending on the nature and impact of an incident. The role of the information security department is to conduct the initial analysis of incidents and later to contain an incident with altering network security controls (such as firewall rulesets).

111. Which of the following solutions to overcome log management challenges address periodic audits and testing and validation?

a. Prioritize log management function.

b. Establish policies and procedures for log management.

c. Maintain a secure log management infrastructure.

d. Provide training for all staff with log management responsibilities.

111. b. Periodic audits are one way to confirm that logging standards and guidelines are being followed throughout the organization. Testing and validation can further ensure that the policies and procedures in the log management process are being performed properly. The other three choices do not address the periodic audits, testing, and validation.

112. A well-defined incident response capability helps the organization in which of the following ways?

1. Detect incidents rapidly.

2. Minimize loss and destruction.

3. Identify weaknesses.

4. Restore IT operations rapidly.

a. 1 and 2

b. 2 and 3

c. 3 and 4

d. 1, 2, 3, and 4

112. d. A well-defined incident response capability helps the organization to detect incidents rapidly, minimize loss and destruction, identify weaknesses, and restore IT operations rapidly. Proper execution of the incident response plan is important.

113. Regarding incident containment, which one of the following items makes the other items much easier to accomplish?

a. Strategies and procedures

b. Shutting down a system

c. Disconnecting a system from the network

d. Disabling certain system functions

113. a. An essential part of incident containment is decision making, such as shutting down a system, disconnecting it from the network, or disabling certain system functions. Such decisions are much easier to make if strategies and procedures for containing the incident have been predetermined.

114. Which of the following statements is not true about computer security incidents?

a. After a resource is successfully attacked, it is not attacked again.

b. After a resource is successfully attacked, other resources within an organization are attacked in a similar manner.

c. After an incident has been contained, it is necessary to delete malicious code.

d. After an incident has been contained, it is necessary to disable breached user accounts.

114. a. After a resource is successfully attacked, it is often attacked again or other resources within the organization are attacked in a similar manner. After an incident has been contained, eradication may be necessary to eliminate components of the incident, such as deleting malicious code and disabling breached user accounts.

115. A reliable way to detect superzapping of work is by:

a. Comparing current data files with previous data files

b. Examining computer usage logs