Topic 3. Analysis and Monitoring
Which of the following is NOT a fundamental component of an alarm in an intrusion
detection system?
A.
Communications
B.
Enunciator
C.
Sensor
D.
Response
Response
Response is the correct choice. A response would essentially be the action
that is taken once an alarm has been produced by an IDS, but is not a fundamental
component of the alarm.
The following are incorrect answers:
Communications is the component of an alarm that delivers alerts through a variety of
channels such as email, pagers, instant messages and so on.
An Enunciator is the component of an alarm that uses business logic to compose the
content and format of an alert and determine the recipients of that alert.
A sensor is a fundamental component of IDS alarms. A sensor detects an event and
produces an appropriate notification.
Domain: Access Control
Reference:
Official guide to the CISSP CBK. page 203.
Who can best decide what the adequate technical security controls are in a computer-based
application system with regard to the protection of the data being used, the criticality of the data, and its sensitivity level?
A.
System Auditor
B.
Data or Information Owner
C.
System Manager
D.
Data or Information user
Data or Information Owner
The data or information owner, also referred to as the "Data Owner", would be the
best person. That is the individual or officer who is ultimately responsible for the protection
of the information and can therefore decide what the adequate security controls are
according to the data sensitivity and data criticality. The auditor would be the best person to
determine the adequacy of controls and whether or not they are working as expected by
the owner.
The function of the auditor is to come around periodically and make sure you are doing
what you are supposed to be doing. They ensure the correct controls are in place and are
being maintained securely. The goal of the auditor is to make sure the organization
complies with its own policies and the applicable laws and regulations.
Organizations can have internal auditors and/or external auditors. The external auditors
commonly work on behalf of a regulatory body to make sure compliance is being met. For
example, CobiT is a model that most information security auditors follow when
evaluating a security program. While many security professionals fear and dread auditors,
they can be valuable tools in ensuring the overall security of the organization. Their goal is
to find the things you have missed and help you understand how to fix the problem.
The Official ISC2 Guide (OIG) says:
IT auditors determine whether users, owners, custodians, systems, and networks are in
compliance with the security policies, procedures, standards, baselines, designs,
architectures, management direction, and other requirements placed on systems. The
auditors provide independent assurance to the management on the appropriateness of the
security controls. The auditor examines the information systems and determines whether
they are designed, configured, implemented, operated, and managed in a way ensuring
that the organizational objectives are being achieved. The auditors provide top company
management with an independent view of the controls and their effectiveness.
Example:
Bob is the head of payroll. He is therefore the individual with primary responsibility over the
payroll database, and is therefore the information/data owner of the payroll database. In
Bob's department, he has Sally and Richard working for him. Sally is responsible for making changes to the payroll database, for example if someone is hired or gets a raise.
Richard is only responsible for printing paychecks. Given those roles, Sally requires both
read and write access to the payroll database, but Richard requires only read access to it.
Bob communicates these requirements to the system administrators (the "information/data
custodians") and they set the file permissions for Sally's and Richard's user accounts so
that Sally has read/write access, while Richard has only read access.
So, in short, Bob will determine what controls are required and what the sensitivity and
criticality of the data are. Bob will communicate this to the custodians, who will implement the
requirements on the systems/DB. The auditor would assess whether the controls are in fact
providing the level of security the Data Owner expects within the systems/DB. The auditor
does not determine the sensitivity of the data or the criticality of the data.
The other answers are not correct because:
A "system auditor" is never responsible for anything but auditing... not actually making
control decisions but the auditor would be the best person to determine the adequacy of
controls and then make recommendations.
A "system manager" is really just another name for a system administrator, which is
actually an information custodian as explained above.
A "Data or information user" is responsible for implementing security controls on a day-to-day
basis as they utilize the information, but not for determining what the controls should
be or if they are adequate.
References:
Official ISC2 Guide to the CISSP CBK, Third Edition , Page 477
Schneiter, Andrew (2013-04-15). Official (ISC)2 Guide to the CISSP CBK, Third Edition :
Information Security Governance and Risk Management ((ISC)2 Press) (Kindle Locations
294-298). Auerbach Publications. Kindle Edition.
Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (Kindle Locations
3108-3114).
Information Security Glossary
Responsibility for use of information resources
Which of the following reviews system and event logs to detect attacks on the host and
determine if the attack was successful?
A.
host-based IDS
B.
firewall-based IDS
C.
bastion-based IDS
D.
server-based IDS
host-based IDS
A host-based IDS can review the system and event logs in order to detect an
attack on the host and to determine if the attack was successful.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the
Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 48.
Attributable data should be:
A.
always traced to individuals responsible for observing and recording the data
B.
sometimes traced to individuals responsible for observing and recording the data
C.
never traced to individuals responsible for observing and recording the data
D.
often traced to individuals responsible for observing and recording the data
always traced to individuals responsible for observing and recording the data
As per FDA data should be attributable, original, accurate, contemporaneous
and legible. In an automated system attributability could be achieved by a computer system
designed to identify individuals responsible for any input.
Source: U.S. Department of Health and Human Services, Food and Drug Administration,
Guidance for Industry - Computerized Systems Used in Clinical Trials, April 1999, page 1.
If an organization were to monitor their employees' e-mail, it should not:
A.
Monitor only a limited number of employees.
B.
Inform all employees that e-mail is being monitored.
C.
Explain who can read the e-mail and how long it is backed up.
D.
Explain what is considered an acceptable use of the e-mail system.
Monitor only a limited number of employees.
Monitoring has to be conducted in a lawful manner and applied in a
consistent fashion; thus it should be applied uniformly to all employees, not only to a small
number.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the
Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 9: Law,
Investigation, and Ethics (page 304).
Which of the following is not a preventive operational control?
A.
Protecting laptops, personal computers and workstations.
B.
Controlling software viruses.
C.
Controlling data media access and disposal.
D.
Conducting security awareness and technical training.
Conducting security awareness and technical training.
Conducting security awareness and technical training to ensure that end
users and system users are aware of the rules of behaviour and their responsibilities in
protecting the organization's mission is an example of a preventive management control,
therefore not an operational control.
Source: STONEBURNER, Gary et al., NIST Special publication 800-30, Risk management
Guide for Information Technology Systems, 2001 (page 37).
Attributes that characterize an attack are stored for reference using which of the following
Intrusion Detection System (IDS) ?
A.
signature-based IDS
B.
statistical anomaly-based IDS
C.
event-based IDS
D.
inferent-based IDS
signature-based IDS
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide:
Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 49.
What is the most correct choice below when talking about the steps to resume normal
operation at the primary site after the green light has been given by the salvage team?
A.
The most critical operations are moved from alternate site to primary site before others
B.
Operation may be carried by a completely different team than disaster recovery team
C.
The least critical functions should be moved back first
D.
You move items back in the same order as the categories documented in your plan, or
exactly in the same order as you did on your way to the alternate site
The least critical functions should be moved back first
It is interesting to note that the steps to resume normal processing operations
will be different from the steps of the recovery plan; that is, the least critical work should be
brought back first to the primary site.
The most important point in the steps above is to move the least critical items or
resources back to the primary site first. This way you can ensure that the site was really
well prepared and that all is working fine.
Before that first step would be done, you would get the green light from the salvage team
that it is fine to move back to the primary site. The first step after getting the green light
would be to move the least critical elements first.
As stated in the Shon Harris book: The least critical functions should be moved back first, so if there are issues in network
configurations or connectivity, or important steps were not carried out, the critical
operations of the company are not negatively affected. Why go through the trouble of
moving the most critical systems and operations to a safe and stable site, only to return it to
a main site that is untested? Let the less critical departments act as the canary. If they
survive, then move over the more critical components of the company.
When it is time for the company to move back into its original site or a new site, the
company enters the reconstitution phase. A company is not out of an emergency state until
it is back in operation at the original primary site or a new site that was constructed to
replace the primary site, because the company is always vulnerable while operating in a
backup facility.
Many logistical issues need to be considered as to when a company must return from the
alternate site to the original site. The following lists a few of these issues:
Ensuring the safety of employees
Ensuring an adequate environment is provided (power, facility infrastructure, water, HVAC)
Ensuring that the necessary equipment and supplies are present and in working order
Ensuring proper communications and connectivity methods are working
Properly testing the new environment
Once the coordinator, management, and salvage team sign off on the readiness of the
facility, the salvage team should carry out the following steps:
Back up data from the alternate site and restore it within the new facility.
Carefully terminate contingency operations.
Securely transport equipment and personnel to the new facility.
All other choices are not the correct answer.
Reference(s) used for this question:
Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (Kindle Location
19389). McGraw-Hill. Kindle Edition.
and
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten
Domains of Computer Security, John Wiley & Sons, 2001, Page 290.
Which of the following item would best help an organization to gain a common
understanding of functions that are critical to its survival?
A.
A risk assessment
B.
A business assessment
C.
A disaster recovery plan
D.
A business impact analysis
A business impact analysis
A Business Impact Analysis (BIA) is an assessment of an organization's
business functions to develop an understanding of their criticality, recovery time objectives,
and resources needed.
By going through a Business Impact Analysis, the organization will gain a common
understanding of functions that are critical to its survival.
A risk assessment is an evaluation of the exposures present in an organization's external
and internal environments.
A Business Assessment generally includes Business Analysis as a discipline; it has
heavy overlap with requirements analysis (sometimes also called requirements engineering),
but focuses on identifying the changes to an organization that are required for it to achieve
strategic goals. These changes include changes to strategies, structures, policies,
processes, and information systems.
A disaster recovery plan is the comprehensive statement of consistent actions to be taken
before, during and after a disruptive event that causes a significant loss of information
systems resources.
Source: BARNES, James C. & ROTHSTEIN, Philip J., A Guide to Business Continuity
Planning, John Wiley & Sons, 2001 (page 57).
Which common backup method is the fastest on a daily basis?
A.
Full backup method
B.
Incremental backup method
C.
Fast backup method
D.
Differential backup method
Incremental backup method
The incremental backup method only copies files that have been recently
changed or added. Only files with their archive bit set are backed up. This method is fast
and uses less tape space but has some inherent vulnerabilities, one being that all
incremental backups need to be available and restored from the date of the last full backup
to the desired date should a restore be needed.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the
Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 3:
Telecommunications and Network Security (page 69).
Which backup method does not reset the archive bit on files that are backed up?
A.
Full backup method
B.
Incremental backup method
C.
Differential backup method
D.
Additive backup method
Differential backup method
The differential backup method only copies files that have changed since the
last full backup was performed. It is additive in the fact that it does not reset the archive bit
so all changed or added files are backed up in every differential backup until the next full
backup. The "additive backup method" is not a common backup method.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the
Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 3:
Telecommunications and Network Security (page 69).
Which of the following is the most critical item from a disaster recovery point of view?
A.
Data
B.
Hardware/Software
C.
Communication Links
D.
Software Applications
Data
The most important point is ALWAYS the data. Everything else can be
replaced or repaired.
Data MUST be backed up, backups must be regularly tested, because once it is truly lost, it
is lost forever.
The goal of disaster recovery is to minimize the effects of a disaster or disruption. It means
taking the necessary steps to ensure that the resources, personnel, and business
processes are able to resume operation in a timely manner. This is different from
continuity planning, which provides methods and procedures for dealing with longer-term
outages and disasters.
The goal of a disaster recovery plan is to handle the disaster and its ramifications right after
the disaster hits; the disaster recovery plan is usually very information technology (IT)-focused.
A disaster recovery plan (DRP) is carried out when everything is still in emergency
mode, and everyone is scrambling to get all critical systems back online.
Reference(s) used for this question:
Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 887). McGraw-
Hill. Kindle Edition.
and
Veritas eLearning CD - Introducing Disaster Recovery Planning, Chapter 1