(ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide. Mike Chapple
Читать онлайн книгу.(ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide - Mike Chapple
million$7.5 million$15 million
11 Chris is completing the risk acceptance documentation for his organization's business continuity plan. Which one of the following items is Chris least likely to include in this documentation?Listing of risks deemed acceptableListing of future events that might warrant reconsideration of risk acceptance decisionsRisk mitigation controls put in place to address acceptable risksRationale for determining that risks were acceptable
12 Brian is developing continuity plan provisions and processes for his organization. What resource should he protect as the highest priority in those plans?Physical plantInfrastructureFinancialPeople
13 Ricky is conducting the quantitative portion of his organization's business impact analysis. Which one of the following concerns is least suitable for quantitative measurement during this assessment?Loss of a plantDamage to a vehicleNegative publicityPower outage
14 Lighter than Air Industries expects that it would lose $10 million if a tornado struck its aircraft operations facility. It expects that a tornado might strike the facility once every 100 years. What is the single loss expectancy for this scenario?0.01$10 million$100,0000.10
15 Referring to the scenario in question 14, what is the annualized loss expectancy?0.01$10 million$100,0000.10
16 In which business continuity planning task would you actually design procedures and mechanisms to mitigate risks deemed unacceptable by the BCP team?Strategy developmentBusiness impact analysisProvisions and processesResource prioritization
17 Matt is supervising the installation of redundant communications links in response to a finding during his organization's BIA. What type of mitigation provision is Matt overseeing?Hardening systemsDefining systemsReducing systemsAlternative systems
18 Helen is working on her organization's resilience plans, and her manager asks her whether the organization has sufficient technical controls in place to recover operations after a disruption. What type of plan would address the technical controls associated with alternate processing facilities, backups, and fault tolerance?Business continuity planBusiness impact analysisDisaster recovery planVulnerability assessment
19 Darren is concerned about the risk of a serious power outage affecting his organization's data center. He consults the organization's business impact analysis and determines that the ARO of a power outage is 20 percent. He notes that the assessment took place three years ago and no power outage has occurred. What ARO should he use in this year's assessment, assuming that none of the circumstances underlying the analysis have changed?20 percent50 percent75 percent100 percent
20 Of the individuals listed, who would provide the best endorsement for a business continuity plan's statement of importance?Vice president of business operationsChief information officerChief executive officerBusiness continuity manager
Chapter 4 Laws, Regulations, and Compliance
THE CISSP EXAM TOPICS COVERED IN THIS CHAPTER INCLUDE:
Domain 1.0: Security and Risk Management1.4 Determine compliance and other requirements1.4.1 Contractual, legal, industry standards, and regulatory requirements1.4.2 Privacy requirements1.5 Understand legal and regulatory issues that pertain to information security in a holistic context1.5.1 Cybercrimes and data breaches1.5.2 Licensing and Intellectual Property (IP) requirements1.5.3 Import/export controls1.5.4 Transborder data flow1.5.5 Privacy
The world of compliance is a legal and regulatory jungle for information technology and cybersecurity professionals. National, state, and local governments have all passed overlapping laws regulating different components of cybersecurity in a patchwork manner. This leads to an incredibly confusing landscape for security professionals, who must reconcile the laws of multiple jurisdictions. Things become even more complicated for multinational companies, which must navigate the variations between international law as well.
Law enforcement agencies have tackled the issue of cybercrime with gusto in recent years. The legislative branches of governments around the world have at least attempted to address issues of cybercrime. Many law enforcement agencies have full-time, well-trained computer crime investigators with advanced security training. Those who don't usually know where to turn when they require this sort of experience.
In this chapter, we'll cover the various types of laws that deal with computer security issues. We'll examine the legal issues surrounding computer crime, privacy, intellectual property, and a number of other related topics. We'll also cover basic investigative techniques, including the pros and cons of calling in assistance from law enforcement.
Categories of Laws
Three main categories of laws play a role in the U.S. legal system. Each is used to cover a variety of circumstances, and the penalties for violating laws in the different categories vary widely. In the following sections, you'll learn how criminal law, civil law, and administrative law interact to form the complex web of our justice system.
Criminal Law
Criminal law forms the bedrock of the body of laws that preserve the peace and keep our society safe. Many high-profile court cases involve matters of criminal law; these are the laws that the police and other law enforcement agencies concern themselves with. Criminal law contains prohibitions against acts such as murder, assault, robbery, and arson. Penalties for violating criminal statutes fall in a range that includes mandatory hours of community service, monetary penalties in the form of fines (small and large), and deprivation of civil liberties in the form of prison sentences.
Don't Underestimate Technology Crime Investigators
A good friend of one of the authors is a technology crime investigator for the local police department. He often receives cases of computer abuse involving threatening emails and website postings.
Recently, he shared a story about a bomb threat that had been emailed to a local high school. The perpetrator sent a threatening note to the school principal declaring that the bomb would explode at 1 p.m. and warning him to evacuate the school. The author's friend received the alert at 11 a.m., leaving him with only two hours to investigate the crime and advise the principal on the best course of action.
He quickly began issuing emergency subpoenas to internet service providers and traced the email to a computer in the school library. At 12:15 p.m., he confronted the suspect with surveillance tapes showing him at the computer in the library as well as audit logs conclusively proving that he had sent the email. The student quickly admitted that the threat was nothing more than a ploy to get out of school a couple of hours early. His explanation? “I didn't think there was anyone around here who could trace stuff like that.”
He was wrong.
A number of criminal laws serve to protect society against computer crime. In later sections of this chapter, you'll learn how some laws, such as the Computer Fraud and Abuse Act, the Electronic Communications Privacy Act, and the Identity Theft and Assumption Deterrence Act (among others), provide criminal penalties for serious cases of computer crime. Technically savvy prosecutors teamed with concerned law enforcement agencies have dealt serious blows to the “hacking underground” by using the court system to slap lengthy prison terms on offenders guilty of what used to be considered harmless pranks.
In the United States, legislative bodies at all levels of government establish criminal laws through elected representatives. At the federal level, both the House of Representatives and the Senate must pass criminal law bills by a majority vote (in most cases) in order for the bill to become law. Once passed, these laws then become federal law and apply in all cases where the federal government