Self Test

A Quick Answer Key follows the Self Test questions. For complete questions, answers, and explanations to the Self Test questions in this chapter as well as the other chapters in this book, see the Self Test Appendix.

1. 

You are performing risk management on a new project being developed by your company. At this point in the risk management cycle, you have recognized certain risks as being potentially harmful. Which phase of the risk management cycle have you just completed?

  A. Identification

  B. Assessment

  C. Monitoring

  D. Control

2. 

As part of your risk management planning, you want the appropriate parties to understand various risks that are facing the organization. To accommodate this decision, you want to develop education for these people that will best suit their needs for dealing with risks. Which of the following members of your organization will you create education plans for?

  A. Senior management

  B. IT staff

  C. Users

  D. All of the above

3. 

You are developing a training plan, to inform certain people in your organization on various risks associated with projects and the company as a whole. You want the people involved to know how they are to deal with hacking attempts, viruses, and other incidents, and which servers in the organization may be involved. As part of an education plan, you are determining what may be used to inform users about how to deal with these risks when they become actual problems. Which of the following will you not include in your education plan?

  A. Policies and procedures

  B. Knowledge bases

  C. Procedures used by other companies

  D. Handouts specifically created for the training session

4. 

A risk has been identified where employees have been entering inaccurate data into a financial application that is used to track payroll deductions. Which of the following measures should be taken to determine where this inaccurate data has been entered, so the problem can be fixed?

  A. ARO

  B. Planning

  C. Validation

  D. Identification

5. 

A company has opened a branch office in an area where monsoons have struck twice over the last three years. While there is a distinct possibility that the storms may cause damage to the building, the company has decided to do nothing other than purchase insurance to cover the costs of repairing any damage that occurs. Which of the following risk mitigation options have been chosen?

  A. Assumption

  B. Avoidance

  C. Planning

  D. Transference

6. 

A colleague is assisting in a risk management project, and is responsible for identifying assets and determining their value. This co-worker is unsure how to proceed in determining the value of some assets. Which of the following factors will you inform the colleague not to use in asset valuation?

  A. The market value of the asset

  B. The cost to support the asset

  C. The ALE associated with the asset

  D. The importance of the asset to the organization

7. 

As part of the risk management process, you create scenarios that examine various situations, and then rank threats and risks associated with them. In doing so, you are attempting to project what could occur from particular events and the damage that could be caused. What type of analysis are you performing?

  A. Qualitative analysis

  B. Quantitative analysis

  C. Both of the above

  D. None of the above

8. 

A company is planning to install new payroll software that is to be used by the Finance department. The vendor claims that other companies have had no problems with the software, except when the server on which it is installed fails to function. After discussing this with the IT staff, you find that there is a 10 percent chance of this occurring annually, as the current server is old and due to be replaced at some point. When the server fails, they can get it back online within an hour, on average. If the Finance department is unable to perform their work, it can result in a $5,000 per hour loss. Based on this information, what is the total cost of the risk?

  A. $5,000

  B. $500

  C. 10 percent

  D. 1 percent

9. 

A company is planning to implement a new Web server, which is estimated as being available and running properly 98 percent of the time every year. When it fails, the IT staff feel they can bring it back online within an average of two hours. Because the Web server hosts the company's e-commerce site, the cost of the server failing can result in losses of $10,000 per hour. Based on this information, what is the ALE?

  A. 2 percent

  B. $20,000

  C. $4,000

  D. $8,000

10. 

You are the administrator of a network that is spread across a main building and a remote site several miles away. You make regular backups of the data on servers, which are centrally located in the main building. Where should you store the backup tapes so they are available when needed in the case of a disaster? (Choose all that apply.)

  A. Keep the backup tapes in the server room within the main building, so they are readily at hand. If a disaster occurs, you will be able to obtain these tapes quickly, and restore the data to servers.

  B. Keep the backup tapes in another section of the main building, so they are readily at hand.

  C. Keep the backup tapes in the remote site.

  D. Keep the backup tapes with a firm that provides offsite storage facilities.

11. 

An employee has been sending e-mails to a coworker, flirting and asking her to go on a date. Some of the language in the e-mail has been explicit as to what the employee's intentions are, and the coworker has asked this person not to send any further e-mails of this type. The coworker has now complained about this activity, and would like the company to do something about it. Which of the following types of policy could be invoked to discipline the employee sending these unwanted e-mails?

  A. Acceptable use policy

  B. Disaster recovery plan

  C. Incident response plan

  D. Business continuity plan

12. 

You believe that someone has hacked into a Windows 2000 server on your network, and want to view a list of the IP addresses for machines currently connected to the server. Which tool will you use?

  A. PING

  B. NETSTAT

  C. NSLOOKUP

  D. ROUTE

13. 

As part of the incident investigation process, you create contact information showing who will need to be contacted during an incident, and give this information to department managers. Since you are concerned that some members of the incident response team may not remember every password, or know all of them, you also write down system passwords, seal them in an envelope, and put them in a safe. In which phase of the incident investigation process are you currently performing tasks?

  A. Preparation

  B. Detection

  C. Containment

  D. Eradication

14. 

When performing a forensic investigation, you are prepared to document certain facts dealing with the incident. This will provide information that may be used in court, and will refresh your memory when the time comes that you have to testify. Which of the following pieces of information are the most important to include in your documentation?

  A. Tasks that were performed to obtain evidence, and the date and time of every activity that was documented.

  B. The tasks performed as part of your job throughout the day.

  C. Information on your skills, training, and experience to validate your ability to perform the examination.

  D. The beginning and ending times of your work shift.

15. 

You have created an image of the contents of a hard disk to be used in a forensic investigation. You want to ensure that this data will be accepted in court as evidence. Which of the following tasks must be performed before it is submitted to the investigator and prosecutor?

  A. Copies of data should be made on media that is forensically sterile.

  B. Copies of data should be copied to media containing documentation on findings relating to the evidence.

  C. Copies of data should be stored with evidence from other cases, so long as the media is read-only.

  D. Delete any previous data from media before copying over data from this case.

Answers

1. 

þ Answer A is correct. Identification is where each risk is recognized as being potentially harmful. This is the first phase of the risk management cycle, where risks are identified.

ý Answer B is incorrect, because assessment is where the consequences of a potential threat are determined and the likelihood and frequency of a risk occurring are analyzed. Answer C is incorrect, because monitoring is where risks are tracked and strategies are evaluated. Answer D is incorrect, because control is where steps are taken to correct plans that are not working, and improvements are made to the management of a risk.

2. 

þ Answer D is correct. By giving management the ability to understand the risks, they will be able to make well-informed decisions. By training decision makers on potential threats, they will be able to make informed decisions on budgeting issues needed to manage risks, and justify expenditures made by IT staff. IT staff should also be the focus of an education program, so that they can effectively deal with risks if they become actual problems. Finally, users should also be aware of potential threats, so they can identify problems as they occur and report them to the necessary persons.

ý Answers A, B, and C are incorrect, because all of them should be included in an educational program on risks.

3. 

þ Answer C is correct. Because the procedures used by other companies would address other servers and systems, they may be different from your own. In addition, these other companies may have policies and procedures that violate those of your own company.

ý Answer A is incorrect because policies, procedures, and other documentation should be available through the network, as it will provide an easy, accessible, and controllable method of disseminating information. Answer B is incorrect because knowledge bases are databases of information providing information on the features of various systems and solutions to problems that others have reported. Many software and hardware manufacturers provide support sites and knowledge bases that contain such valuable information. Answer D is incorrect because in classroom or one-on-one training sessions, training handouts are often given to detail how certain actions are performed, and the procedures that should be followed. These handouts can be referred to when needed, but may prove disastrous if this material falls into the wrong hands.

4. 

þ Answer C is correct. Validation methods may be used to ensure that data has been entered correctly into systems. This should be done by performing both internal audits of processes, and by using third-party validation.

ý Answer A is incorrect because the ARO is the likelihood of a risk occurring within a year. Answer B is incorrect because planning involves generating strategies to deal with specific risks. Answer D is incorrect because identification is where a risk is recognized as being potentially harmful. In this case, the risk has already been identified, and measures need to be taken to deal with the risk.

5. 

þ Answer D is correct. With transference, the risk is transferred to another source so that any loss can be compensated or the problem becomes that of another party. Since insurance was purchased, the loss has indeed been transferred to the insurer.

ý Answer A is incorrect because with assumption the risk is accepted and a decision is made to continue operating or to lower the likelihood and consequences of risks by implementing controls. Answer B is incorrect because with avoidance the risk is avoided by removing the cause or consequences of the risk. Answer C is incorrect because planning requires that a plan be developed to prioritize, implement, and maintain safeguards.

6. 

þ Answer C is correct. This will not be used in asset valuation, because the ALE is not used to determine the value of an asset. Asset valuation is, however, a prerequisite for being able to calculate the ALE.

ý Answers A, B, and D are incorrect because the market value of the asset, the importance of an asset to the organization, and the cost of supporting an asset are all factors that are used in asset valuation.

7. 

þ Answer A is correct. The primary component of qualitative analysis is the creation of scenarios, which are outlines or models built from anticipated or hypothetical events. The scenario begins with a focal point, such as a particular decision, and then tries to predict what could occur from that point. In doing so, different risks are identified and ranked.

ý Answer B is incorrect, because quantitative analysis uses values and equations to analyze risks and their impact on the company. Answers C and D are incorrect, because qualitative analysis is the correct answer.

8. 

þ Answer A is correct. The SLE is the total cost of the risk. In this case, the total cost is estimated at being $5,000.

ý Answer B is incorrect, because this is the ALE. Answer C is incorrect, because this is the ARO. Answer D is incorrect, because this figure has no relevance in the scenario.

9. 

þ Answer C is correct. The ALE is calculated by multiplying the ARO by the SLE. The formula for this is: ARO × SLE = ALE. This means the ALE would be: 0.2 × $20,000 = $4,000.

ý Answer A is incorrect, because this is the ARO. Answer B is incorrect, because this is the SLE. Answer D is incorrect, because this figure has no relevance in the scenario.
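The SLE and ALE arithmetic from questions 8 and 9, carried through as an added example that is not part of the study guide: the two scenarios use the figures the questions give (question 9 uses the answer key's ARO of 0.2 as stated), and a hypothetical safeguard_value function extends the same formula to weigh a control's annual cost against the ALE it removes, which is how these figures justify expenditure.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class RiskScenario:
    """Inputs for one quantitative risk calculation."""
    name: str
    hourly_loss: float   # cost to the business per hour of outage
    outage_hours: float  # average time to restore service after one failure
    aro: float           # annualized rate of occurrence (expected failures per year)

    def sle(self) -> float:
        """Single loss expectancy: the total cost of one occurrence of the risk."""
        return self.hourly_loss * self.outage_hours

    def ale(self) -> float:
        """Annualized loss expectancy: ARO x SLE."""
        return self.aro * self.sle()


def safeguard_value(scenario: RiskScenario, residual_aro: float, annual_cost: float) -> float:
    """Net annual benefit of a control (hypothetical helper, not from the guide):
    ALE before the control, minus ALE after it, minus the control's yearly cost.
    A positive result means the control costs less than the loss it prevents."""
    before = scenario.ale()
    after = replace(scenario, aro=residual_aro).ale()
    return before - after - annual_cost


# Constructed inputs taken from questions 8 and 9 above.
PAYROLL = RiskScenario("payroll server failure", hourly_loss=5_000, outage_hours=1, aro=0.10)
WEB = RiskScenario("web server failure", hourly_loss=10_000, outage_hours=2, aro=0.2)


if __name__ == "__main__":
    for s in (PAYROLL, WEB):
        print(f"{s.name}: SLE=${s.sle():,.0f} ARO={s.aro} ALE=${s.ale():,.0f}")
    # Hypothetical figures: replacing the old payroll server cuts the ARO to 0.02
    # and costs $300 per year; the ALE saved is $400, so the net benefit is $100.
    print(f"net value of replacing payroll server: ${safeguard_value(PAYROLL, 0.02, 300):,.0f}")
```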

10. 

þ Answers C and D are correct. Keep the backup tapes in the remote site, or with a firm that provides offsite storage facilities. Since the company has a remote location that is miles from the main building, the tapes can be kept there for safekeeping. A firm can also be hired to keep the tapes in a storage facility. When a disaster occurs, you can then retrieve these tapes and restore the data.

ý Answers A and B are both incorrect, because a disaster that affects the server room or main building could also destroy the backup tapes if they were stored in these locations.

11. 

þ Answer A is correct. This type of policy establishes guidelines on the appropriate use of technology. It is used to outline what types of activities are permissible when using a computer or network, and what an organization considers proper behavior. Being in breach of this policy could result in severe disciplinary actions, such as being terminated from the company's employ.

ý Answer B is incorrect, because a disaster recovery plan provides procedures for recovering from a disaster after it occurs, and addresses how to return normal IT functions to the business. Answer C is incorrect, because an incident response policy addresses various incidents that could occur, and relates procedures that should be followed if such events happen. Answer D is incorrect, because a business continuity plan identifies key functions of an organization, the threats most likely to endanger them, and creates processes and procedures that ensure these functions will not be interrupted (at least for long) in the event of an incident.

12. 

þ Answer B is correct. NETSTAT is a tool that provides information about active connections to a machine running TCP/IP, and can provide information on whether a hacker is still connected to a particular computer.

ý Answer A is incorrect, because PING allows you to check the configuration of TCP/IP on a machine, and determine if TCP/IP connections can be made to other IP addresses. Answer C is incorrect, because NSLOOKUP is used to view name resolution information. It will allow you to view information related to the resolution of IP addresses to hostnames, and hostnames to IP addresses. Answer D is incorrect, because it is used to view and modify routing tables, which determine how packets will be sent from the computer to other machines on a network.

13. 

þ Answer A is correct. During the preparation phase of the incident investigation process, tasks are performed to prepare for when (or if) an incident occurs. This could include making a contact list of people and documenting passwords that may be required during an investigation.

ý Answer B is incorrect, because detection involves determining if an incident has actually occurred. Answer C is incorrect, because containment prevents an incident from spreading further. Answer D is incorrect, because eradication involves removing the source of an incident.

14. 

þ Answer A is correct. Information that is documented in the course of an investigation should include the date, time, conversations pertinent to the investigation, tasks that were performed to obtain evidence, names of those present or who assisted, and anything else that was relevant to the forensic procedures that took place.

ý Answer B is incorrect, because a list of every task performed as part of your job throughout the day will generally not be pertinent to an investigation. Answer C is incorrect, because creating a resume of your abilities is not generally relevant to document during the investigation. A copy of this information can be added to the documentation at a later time, if it is being submitted for the purpose of criminal or civil litigation. However, documentation created during the investigation should strictly deal with the case. Answer D is incorrect because the times you started and ended your shift are generally not pertinent to the investigation.

15. 

þ Answer A is correct. Copies of data should be made on media that is forensically sterile. This means that the disk has no other data on it, and has no viruses or defects. This will prevent mistakes involving data from one case mixing with other data, as can happen with cross-linked files or when copies of files are mixed with others on a disk. When providing copies of data to investigators, defense lawyers, or the prosecution, the media used to distribute copies of evidence should also be forensically sterile.

ý Answer B is incorrect because the copied data would reside with other documentation created, so that it is no longer forensically sterile. Answer C is incorrect because it would mix the data with data from other cases, which could make the evidence inadmissible in court. Answer D is incorrect because deleting data only removes the pointers to the files from the partition table, but does not erase the data itself. Thus deleted data still resides on the media, meaning that it is not forensically sterile.

SSCP Systems Security Certified Practitioner Study Guide
SSCP Study Guide and DVD Training System
ISBN: 1931836809
Year: 2003