Refer to the information below to answer the question. A large, multinational organization has decided to outsource a portion of their Information Technology (IT) organization to a third-party provider's facility. This provider will be responsible for the design, development, testing, and support of several critical, customer- based applications used by the organization. The organization should ensure that the third party's physical security controls are in place so that they
Correct Answer: D
Question 47
Which of the following is often implemented by a one-for-one disk to disk ratio?
Correct Answer: A
This is often implemented by a one-for-one disk-to-disk ratio. RAID Level 2 provides redundancy by writing all data to two or more drives set. The performance of a level 1 array tends to be faster on reads and slower on writes compared to a single drive, but if either of the drive sets fails, no data is lost. This is a good entry-level redundant system, since only two drives are required as a minimum; however, since one drive is used to store a duplicate of the data, the cost per megabyte is high. This level is commonly referred to as mirroring. Please visit http://www.sohoconsult.ch/raid/raid1.html for a nice overview of RAID Levels. For the purpose of the exam you must be familiar with RAID 0 to 5, 10, and 50. References: http://www.sohoconsult.ch/raid/raid1.html and KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 65.
Question 48
What is it called when a system has apparent flaws that were deliberately available for penetration and exploitation?
Correct Answer: C
Administrators that leave systems with apparent flaws are performing an act of enticement. This is sometimes called a honeypot.
Question 49
Which of the following is the MOST important output from a mobile application threat modeling exercise according to Open Web Application Security Project (OWASP)?
Correct Answer: D
Question 50
Which one of the following is NOT one of the outcomes of a vulnerability assessment?
Correct Answer: C
When seeking to determine the security position of an organization, the security professional will eventually turn to a vulnerability assessment to help identify specific areas of weakness that need to be addressed. A vulnerability assessment is the use of various tools and analysis methodologies to determine where a particular system or process may be susceptible to attack or misuse. Most vulnerability assessments concentrate on technical vulnerabilities in systems or applications, but the assessment process is equally as effective when examining physical or administrative business processes. The vulnerability assessment is often part of a BIA. It is similar to a Risk Assessment in that there is a quantitative (financial) section and a qualitative (operational) section. It differs in that i t is smaller than a full risk assessment and is focused on providing information that is used solely for the business continuity plan or disaster recovery plan. A function of a vulnerability assessment is to conduct a loss impact analysis. Because there will be two parts to the assessment, a financial assessment and an operational assessment, it will be necessary to define loss criteria both quantitatively and qualitatively. Quantitative loss criteria may be defined as follows: -Incurring financial losses from loss of revenue, capital expenditure, or personal liability resolution -The additional operational expenses incurred due to the disruptive event - Incurring financial loss from resolution of violation of contract agreements - Incurring financial loss from resolution of violation of regulatory or compliance requirements Qualitative loss criteria may consist of the following: - The loss of competitive advantage or market share - The loss of public confidence or credibility, or incurring public mbarrassment During the vulnerability assessment, critical support areas must be defined in order to assess the impact of a disruptive event. A critical support area is defined as a business unit or function that must be present to sustain continuity of the business processes, maintain life safety, or avoid public relations embarrassment. Critical support areas could include the following: -Telecommunications, data communications, or information technology areas -Physical infrastructure or plant facilities, transportation services -Accounting, payroll, transaction processing, customer service, purchasing The granular elements of these critical support areas will also need to be identified. By granular elements we mean the personnel, resources, and services the critical support areas need to maintain business continuity Reference(s) used for this question: Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 4628-4632). Auerbach Publications. Kindle Edition. KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Page 277.