Читаем CISSP Practice полностью

138. a. A computer crime involves many individuals from different disciplines with varied experiences. The roles of each of these individuals, especially those of auditor, investigator, and security officer need to be spelled out in a detailed manner due to their overlapping duties. This is important to minimize duplication, confusion, and omission. On the other hand, the duties of the manager of the crime team are clear, that is, to conduct a thorough research, analysis, and investigation of the crime and to solve the crisis.

139. Prosecuting a computer crime is complex and demanding. Which of the following pose a major challenge to prosecutors?

a. Doing special technical preparation

b. Dealing with special evidence problems

c. Testifying about technical matters before a judge or jury

d. Dealing with electronic evidence problems

139. c. Computer crime is technical in nature and its evidence is mostly electronic and is based on “hearsay.” Trying to convey technical information to nontechnical people such as judges and juror—seven trying to convince them that a crime has actually occurred when no physical equipment has been stolen—can be a major challenge. Preparing technical evidence and collecting proper evidence (paper or electronic) are not major challenges.

140. Which of the following is not a proper criterion for measuring the effectiveness of a computer-security incident response capability?

a. Dollars saved

b. Incidents reported

c. Vulnerabilities fixed

d. Tools implemented

140. a. The payoff from a computer security incident response capability (CSIRC) cannot be quantified in terms of dollars saved and incidents handled. It may not be possible to satisfactorily quantify the benefits a CSIRC provides within its first year of operation. One of the ways in which a CSIRC can rate its success is by collecting and analyzing statistics on its activity. For example, a CSIRC could keep statistics on incidents reported, vulnerabilities reported and fixed, and tools implemented.

141. A computer-security incident-response capability structure can take different forms, depending on organization size, its diversity of technologies, and its geographic locations. Which of the following organization structures is best for reporting computer security-related problems?

a. Centralized reporting

b. Decentralized reporting

c. Distributed reporting

d. Centralized, decentralized, and distributed reporting

141. a. When determining a structure for the computer-security incident-response capability (CSIRC), we should keep in mind the objectives of centralized response and avoiding duplication of effort. For example, the help desk function can be integrated with the CSIRC. A CSIRC provides computer security efforts with the capability to respond to computer security-related incidents such as computer viruses, unauthorized user activity, and serious software vulnerabilities in an efficient and timely manner. Possible threats include loss of data confidentiality, loss of data or system integrity, or disruption or denial of system or data availability.

Centralized reporting of CSIRC is more cost-effective because duplication of effort is avoided. It is also less complicated. Being a physically separate group within the organization and functionally separate from the computer security function, end users can contact the CSIRC directly. The other three choices are incorrect because of possible duplication of efforts and difficulty in coordinating and communicating many business units.

142. A computer security incident response capability (CSIRC) needs to retain a variety of information for its own operational use and for conducting reviews of effectiveness and accountability. Which of the following logs best reflect the course of each day?

a. Contact logs

b. Activity logs

c. Incident logs

d. Audit logs