SSCP Practice Test Questions

1048 Questions

Topic 4: Risk, Response and Recovery

What can be defined as a batch process dumping backup data through communications lines to a server at an alternate location?

A. Remote journaling
B. Electronic vaulting
C. Data clustering
D. Database shadowing

Answer: B. Electronic vaulting



Explanation: Electronic vaulting refers to the transfer of backup data to an off-site location. This is primarily a batch process of dumping backup data through communications lines to a server at an alternate location.
Electronic vaulting is accomplished by backing up system data over a network. The backup location is usually at a separate geographical location known as the vault site. Vaulting can be used as a mirror or as a backup mechanism using the standard incremental or differential backup cycle. Changes to the host system are sent to the vault server in real time when the backup method is implemented as a mirror. If vaulting updates are recorded in real time, then it will be necessary to perform regular backups at the off-site location to provide recovery from inadvertent or malicious alterations to user or system data, since a mirror faithfully replicates those alterations too.
The following are incorrect answers:
Remote journaling refers to the parallel processing of transactions to an alternate site (as opposed to a batch dump process). Journaling is a technique used by database management systems to provide redundancy for their transactions. When a transaction is completed, the database management system duplicates the journal entry at a remote location. The journal provides sufficient detail for the transaction to be replayed on the remote system. This provides for database recovery in the event that the database becomes corrupted or unavailable.
Database shadowing uses the live processing of remote journaling, but creates even more redundancy by duplicating the database sets to multiple servers. There are also additional redundancy options available within application and database software platforms. For example, database shadowing may be used where a database management system updates records in multiple locations. This technique updates an entire copy of the database at a remote location.
Data clustering refers to the classification of data into groups (clusters). Clustering may also be used, although it should not be confused with redundancy. In clustering, two or more “partners” are joined into the cluster and may all provide service at the same time. For example, in an active–active pair, both systems may provide services at any time. In the case of a failure, the remaining partners may continue to provide service but at a decreased capacity.
The following resource(s) were used for this question:
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 20403-20407 and 20411-20414 and 20375-20377 and 20280-20283). Auerbach Publications. Kindle Edition.

What assesses potential loss that could be caused by a disaster?

A. The Business Assessment (BA)
B. The Business Impact Analysis (BIA)
C. The Risk Assessment (RA)
D. The Business Continuity Plan (BCP)

Answer: B. The Business Impact Analysis (BIA)



The Business Assessment is divided into two components: Risk Assessment (RA) and Business Impact Analysis (BIA). Risk Assessment is designed to evaluate existing exposures from the organization's environment, whereas the BIA assesses potential loss that could be caused by a disaster. The Business Continuity Plan's goal is to reduce the risk of financial loss by improving the ability to recover and restore operations efficiently and effectively.
Source: BARNES, James C. & ROTHSTEIN, Philip J., A Guide to Business Continuity Planning, John Wiley & Sons, 2001 (page 57).
And: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 8: Business Continuity Planning and Disaster Recovery Planning (page 276).

Which of the following statements pertaining to disaster recovery planning is incorrect?

A. Every organization must have a disaster recovery plan
B. A disaster recovery plan contains actions to be taken before, during and after a disruptive event.
C. The major goal of disaster recovery planning is to provide an organized way to make decisions if a disruptive event occurs.
D. A disaster recovery plan should cover return from alternate facilities to primary facilities.

Answer: A. Every organization must have a disaster recovery plan



It is possible that an organization may not need a disaster recovery plan. An organization may not have any critical processing areas or systems, and would be able to withstand lengthy interruptions.
Remember that DRP is related to the systems needed to support your most critical business functions.
The DRP plan covers actions to be taken when a disaster occurs, but DRP PLANNING, which is the keyword in the question, would also include steps that happen before you use the plan, such as development of the plan, training, drills, logistics, and a lot more.
To be effective, the plan would certainly cover before, during, and after the disaster actions.
It may take you a couple of years to develop a plan for a medium-size company; there is a lot that has to happen before the plan would actually be used in a real disaster scenario. Plan for the worst and hope for the best.
All other statements are true.
NOTE FROM CLEMENT:
Below is a great article on who legally needs a plan, which is very much in line with this question. Does EVERY company need a plan? The legal answer is NO. Some companies and industries will be required according to laws or regulations to have a plan. A blanket statement saying "All companies MUST have a plan" would not be accurate. The article below is specific to the USA, but similar laws will exist in many other countries. Some companies such as utilities, power, etc. might also need a plan if they have been defined as Critical Infrastructure by the government. The legal side of IT is always very complex and varies in different countries. Always talk to your lawyer to ensure you follow the law of the land :-)
Read the details below:

So Who, Legally, MUST Plan?
With the caveats above, let’s cover a few of the common laws where there is a duty to have a disaster recovery plan. I will try to include the basis for that requirement, where there is an implied mandate to do so, and what the difference is between the two.
Banks and Financial Institutions MUST Have a Plan
The Federal Financial Institutions Examination Council (Council) was established on March
10, 1979, pursuant to Title X of the Financial Institutions Regulatory and Interest Rate
Control Act of 1978 (FIRA), Public Law 95-630. In 1989, Title XI of the Financial Institutions
Reform, Recovery and Enforcement Act of 1989 (FIRREA) established the Examination
Council (the Council).
The Council is a formal interagency body empowered to prescribe uniform principles,
standards, and report forms for the federal examination of financial institutions by the Board
of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance
Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the
Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS); and to
make recommendations to promote uniformity in the supervision of financial institutions. In
other words, every bank, savings and loan, credit union, and other financial institution is
governed by the principles adopted by the Council.
In March of 2003, the Council released its Business Continuity Planning handbook
designed to provide guidance and examination procedures for examiners in evaluating
financial institution and service provider risk-management processes.
Stockbrokers MUST Have a Plan
The National Association of Securities Dealers (NASD) has adopted rules that require all its
members to have business continuity plans. The NASD oversees the activities of more
than 5,100 brokerage firms, approximately 130,800 branch offices and more than 658,770
registered securities representatives.
As of June 14, 2004, the rules apply to all NASD member firms. The requirements, which
are specified in Rule 3510, begin with the following:
3510. Business Continuity Plans. (a) Each member must create and maintain a written
business continuity plan identifying procedures relating to an emergency or significant
business disruption. Such procedures must be reasonably designed to enable the member
to meet its existing obligations to customers. In addition, such procedures must address the
member’s existing relationships with other broker-dealers and counter-parties. The business continuity plan must be made available promptly upon request to NASD staff.
NOTE:
The rules apply to every company that deals in securities, such as brokers, dealers, and their representatives; it does NOT apply to the listed companies themselves.
Electric Utilities WILL Need a Plan
The disaster recovery function relating to the electric utility grid is presently undergoing a
change. Prior to 2005, the Federal Energy Regulatory Commission (FERC) could only
coordinate volunteer efforts between utilities. This has changed with the adoption of Title
XII of the Energy Policy Act of 2005 (16 U.S.C. 824o). That new law authorizes the FERC
to create an Electric Reliability Organization (ERO).
The ERO will have the capability to adopt and enforce reliability standards for "all users,
owners, and operators of the bulk power system" in the United States. At this time, FERC
is in the process of finalizing the rules for the creation of the ERO. Once the ERO is
created, it will begin the process of establishing reliability standards.
It is very safe to assume that the ERO will adopt standards for service restoration and
disaster recovery, particularly after such widespread disasters as Hurricane Katrina.
Telecommunications Utilities SHOULD Have Plans, but MIGHT NOT
Telecommunications utilities are governed on the federal level by the Federal
Communications Commission (FCC) for interstate services and by state Public Utility
Commissions (PUCs) for services within the state.
The FCC has created the Network Reliability and Interoperability Council (NRIC). The role
of the NRIC is to develop recommendations for the FCC and the telecommunications
industry to "insure [sic] optimal reliability, security, interoperability and interconnectivity of,
and accessibility to, public communications networks and the internet." The NRIC members
are senior representatives of providers and users of telecommunications services and
products, including telecommunications carriers, the satellite, cable television, wireless and
computer industries, trade associations, labor and consumer representatives,
manufacturers, research organizations, and government-related organizations.
There is no explicit provision that we could find that says telecommunications carriers must
have a Disaster Recovery Plan. As I have stated frequently in this series of articles on
disaster recovery, however, telecommunications facilities are tempting targets for terrorism.
I have not changed my mind in that regard and urge caution.
You might also want to consider what the liability of a telephone company is if it does have a disaster that causes loss to your organization. In three words: It’s not much. The following is the statement used in most telephone company tariffs with regard to its liability:
The Telephone Company’s liability, if any, for its gross negligence or willful misconduct is
not limited by this tariff. With respect to any other claim or suit, by a customer or any
others, for damages arising out of mistakes, omissions, interruptions, delays or errors, or
defects in transmission occurring in the course of furnishing services hereunder, the
Telephone Company’s liability, if any, shall not exceed an amount equivalent to the
proportionate charge to the customer for the period of service during which such mistake,
omission, interruption, delay, error or defect in transmission or service occurs and
continues. (Source, General Exchange Tariff for major carrier)
All Health Care Providers WILL Need a Disaster Recovery Plan
HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996,
Public Law 104-191, which amended the Internal Revenue Service Code of 1986. Also
known as the Kennedy-Kassebaum Act, the Act includes a section, Title II, entitled
Administrative Simplification, requiring "Improved efficiency in healthcare delivery by
standardizing electronic data interchange, and protection of confidentiality and security of
health data through setting and enforcing standards."
The legislation called upon the Department of Health and Human Services (HHS) to
publish new rules that will ensure security standards protecting the confidentiality and
integrity of "individually identifiable health information," past, present, or future.
The final Security Rule was published by HHS on February 20, 2003 and provides for a
uniform level of protection of all health information that is housed or transmitted
electronically and that pertains to an individual.
The Security Rule requires covered entities to ensure the confidentiality, integrity, and
availability of all electronic protected health information (ePHI) that the covered entity
creates, receives, maintains, or transmits. It also requires entities to protect against any
reasonably anticipated threats or hazards to the security or integrity of ePHI, protect
against any reasonably anticipated uses or disclosures of such information that are not
permitted or required by the Privacy Rule, and ensure compliance by their workforce.
Required safeguards include application of appropriate policies and procedures,
safeguarding physical access to ePHI, and ensuring that technical security measures are in
place to protect networks, computers and other electronic devices.
Companies with More than 10 Employees
The United States Department of Labor has adopted numerous rules and regulations in regard to workplace safety as part of the Occupational Safety and Health Act. For example, 29 USC 654 specifically requires:
(a) Each employer:
(1) shall furnish to each of his employees employment and a place of employment which
are free from recognized hazards that are causing or are likely to cause death or serious
physical harm to his employees;
(2) shall comply with occupational safety and health standards promulgated under this Act.
(b) Each employee shall comply with occupational safety and health standards and all
rules, regulations, and orders issued pursuant to this Act which are applicable to his own
actions and conduct.
Other Considerations or Expensive Research Questions for Lawyers (Sorry, Eddie!)
The Foreign Corrupt Practices Act of 1977
Internal Revenue Service (IRS) Law for Protecting Taxpayer Information
Food and Drug Administration (FDA) Mandated Requirements
Homeland Security and Terrorist Prevention
Pandemic (Bird Flu) Prevention
ISO 9000 Certification
Requirements for Radio and TV Broadcasters
Contract Obligations to Customers
Document Protection and Retention Laws
Personal Identity Theft...and MORE!
Suffice it to say you will need to check with your legal department for specific requirements
in your business and industry!
I would like to thank my good friend, Eddie M. Pope, for his insightful contributions to this
article, our upcoming book, and my ever-growing pool of lawyer jokes. If you want more
information on the legal aspects of recovery planning, Eddie can be contacted at my
company or via email at mailto:mempope@tellawcomlabs.com. (Eddie cannot, of course,
give you legal advice, but he can point you in the right direction.)
I hope this article helps you better understand the complex realities of the legal reasons why we plan, and wish you the best of luck.
See original article at: http://www.informit.com/articles/article.aspx?p=777896
See another interesting article on the subject at:
http://www.informit.com/articles/article.aspx?p=677910&seqNum=1
References used for this question:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten
Domains of Computer Security, John Wiley & Sons, 2001, Chapter 8: Business Continuity
Planning and Disaster Recovery Planning (page 281).

Which of the following recovery plan test results would be most useful to management?

A. Elapsed time to perform various activities.
B. List of successful and unsuccessful activities.
C. Amount of work completed.
D. Description of each activity.

Answer: B. List of successful and unsuccessful activities.



After a test has been performed, the most useful test results for management would be knowing what worked and what didn't, so that they could correct the mistakes where needed.
The following answers are incorrect:
Elapsed time to perform various activities. This is incorrect because it is not the best answer; these results are not as useful to management as a list of successful and unsuccessful activities would be.
Amount of work completed. This is incorrect because it is not the best answer; these results are not as useful to management as a list of successful and unsuccessful activities would be.
Description of each activity. This is incorrect because it is not the best answer; these results are not as useful to management as a list of successful and unsuccessful activities would be.

Which of the following is less likely to accompany a contingency plan, either within the plan itself or in the form of an appendix?

A. Contact information for all personnel.
B. Vendor contact information, including offsite storage and alternate site.
C. Equipment and system requirements lists of the hardware, software, firmware and other resources required to support system operations.
D. The Business Impact Analysis.

Answer: A. Contact information for all personnel.



Why is this the correct answer? Simply because it is WRONG: you would have contact information for your emergency personnel within the plan, but NOT for ALL of your personnel. Be careful of words such as ALL.
According to NIST Special Publication 800-34, contingency plan appendices provide key details not contained in the main body of the plan. The appendices should reflect the specific technical, operational, and management contingency requirements of the given system. Contact information for recovery team personnel (not all personnel) and for vendors should be included, as well as detailed system requirements to allow for supporting system operations. The Business Impact Analysis (BIA) should also be included as an appendix for reference should the plan be activated.
Reference(s) used for this question:
SWANSON, Marianne, et al., National Institute of Standards and Technology (NIST), NIST Special Publication 800-34, Contingency Planning Guide for Information Technology Systems

Which of the following is an advantage of a qualitative over a quantitative risk analysis?

A. It prioritizes the risks and identifies areas for immediate improvement in addressing the vulnerabilities.
B. It provides specific quantifiable measurements of the magnitude of the impacts.
C. It makes a cost-benefit analysis of recommended controls easier.
D. It can easily be automated.

Answer: A. It prioritizes the risks and identifies areas for immediate improvement in addressing the vulnerabilities.



The main advantage of the qualitative impact analysis is that it prioritizes the risks and identifies areas for immediate improvement in addressing the vulnerabilities. It does not provide specific quantifiable measurements of the magnitude of the impacts, therefore making a cost-benefit analysis of any recommended controls difficult. Since it involves a consensus of experts and some guesswork based on the experience of Subject Matter Experts (SMEs), it cannot be easily automated.
Reference used for this question:
STONEBURNER, Gary et al., NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems, 2001 (page 23).

What can be best defined as the examination of threat sources against system vulnerabilities to determine the threats for a particular system in a particular operational environment?

A. Risk management
B. Risk analysis
C. Threat analysis
D. Due diligence

Answer: C. Threat analysis



Threat analysis is the examination of threat sources against system vulnerabilities to determine the threats for a particular system in a particular operational environment.
The following answers are incorrect:
Risk analysis is the process of identifying the risks to system security and determining the probability of occurrence, the resulting impact, and the additional safeguards that mitigate this impact. Risk analysis is synonymous with risk assessment and is part of risk management, which is the ongoing process of assessing the risk to mission/business as part of a risk-based approach used to determine adequate security for a system by analyzing the threats and vulnerabilities and selecting appropriate, cost-effective controls to achieve and maintain an acceptable level of risk.
Due diligence is identifying possible risks that could affect a company based on best practices and standards.
Reference(s) used for this question:
STONEBURNER, Gary et al., National Institute of Standards and Technology (NIST), NIST Special Publication 800-27, Engineering Principles for Information Technology Security (A Baseline for Achieving Security), June 2001 (page B-3).

Which of the following is a large hardware/software backup system that uses RAID technology?

A. Tape Array.
B. Scale Array.
C. Crimson Array.
D. Table Array.

Answer: A. Tape Array.



A Tape Array is a large hardware/software backup system based on RAID technology.
There is a misconception that RAID can only be used with disks.
All large storage vendors, from HP to EMC to Compaq, offer Tape Arrays based on RAID technology.
This is a VERY common type of storage at an affordable price as well. So RAID is not exclusively for DISKS. Often this is referred to as Tape Libraries or simply RAIT.
RAIT (redundant array of independent tapes) is similar to RAID, but uses tape drives instead of disk drives. Tape storage is the lowest-cost option for very large amounts of data, but is very slow compared to disk storage. As in RAID 1 striping, in RAIT, data are striped in parallel to multiple tape drives, with or without a redundant parity drive. This provides the high capacity at low cost typical of tape storage, with higher-than-usual tape data transfer rates and optional data integrity.
References:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten
Domains of Computer Security, 2001, John Wiley & Sons, Page 70.
and
Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 1271). McGraw-
Hill. Kindle Edition.

Which of the following is defined as the most recent point in time to which data must be synchronized without adversely affecting the organization (financial or operational impacts)?

A. Recovery Point Objective
B. Recovery Time Objective
C. Point of Time Objective
D. Critical Time Objective

Answer: A. Recovery Point Objective



The recovery point objective (RPO) is the maximum acceptable level of data loss following an unplanned “event”, like a disaster (natural or man-made), act of crime or terrorism, or any other business or technical disruption that could cause such data loss. The RPO represents the point in time, prior to such an event or incident, to which lost data can be recovered (given the most recent backup copy of the data).
The recovery time objective (RTO) is a period of time within which business and/or technology capabilities must be restored following an unplanned event or disaster. The RTO is a function of the extent to which the interruption disrupts normal operations and the amount of revenue lost per unit of time as a result of the disaster.
These factors in turn depend on the affected equipment and application(s). Both of these numbers represent key targets that are set by key businesses during business continuity and disaster recovery planning; these targets in turn drive the technology and implementation choices for business resumption services, backup / recovery / archival services, and recovery facilities and procedures.
Many organizations put the cart before the horse in selecting and deploying technologies before understanding the business needs as expressed in RPO and RTO; IT departments later bear the brunt of user complaints that their service expectations are not being met. Defining the RPO and RTO can avoid that pitfall, and in doing so can also make for a compelling business case for recovery technology spending and staffing.
For the CISSP candidate studying for the exam, there are no such objectives as "point of time" and "critical time." Those two answers are simply distractors.
Reference:
http://www.wikibon.org/Recovery_point_objective_/_recovery_time_objective_strategy

Which backup type, run at regular intervals, would take the least time to complete?

A. Full Backup
B. Differential Backup
C. Incremental Backup
D. Disk Mirroring

Answer: C. Incremental Backup



Incremental backups only back up changed data (the archive bit is cleared after the copy so that an unchanged file is not backed up again).
Although the incremental backup is fastest to perform, it is usually more time consuming for the restore process. In some cases, the window available for backup may not be long enough to back up all the data on the system during each backup. In that case, differential or incremental backups may be more appropriate.
In an incremental backup, only the files that changed since the last backup (of any type) will be backed up.
In a differential backup, only the files that changed since the last full backup will be backed up.
In general, differentials require more space than incremental backups, while incremental backups are faster to perform. On the other hand, restoring data from incremental backups requires more time than from differential backups. To restore from incremental backups, the last full backup and all of the incremental backups performed since it are combined. In contrast, restoring from a differential backup requires only the last full backup and the latest differential.
The following are incorrect answers:
Differential backups back up all data changed since the last full backup (does not reset the archive bit).
Full backups back up all selected data, regardless of the archive bit, and reset the archive bit.
Disk mirroring is not considered a backup type.
Reference(s) used for this question:
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third
Edition ((ISC)2 Press) (Kindle Locations 20385-20390). Auerbach Publications. Kindle
Edition.
and
HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002,
chapter 9: Disaster Recovery and Business continuity (page 618).
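The archive-bit behaviour and the restore-chain trade-off described in the explanation above can be made concrete with a small simulation. The Python below is an added example written for this page, not code from the cited books; the `Volume` class, the `simulate` helper and the five-day change schedule are all constructed assumptions chosen to show the difference in per-run size and in the number of backup sets a restore needs.

```python
"""Simulate full, incremental and differential backups driven by the archive bit.

Constructed example (not from the cited sources): five files, a full backup on
day 0, then one backup of the chosen kind per day while a few files change.
"""
from dataclasses import dataclass


@dataclass
class FileState:
    archive_bit: bool = True  # the OS sets this whenever the file is modified


@dataclass(frozen=True)
class Backup:
    kind: str         # "full", "incremental" or "differential"
    files: frozenset  # names copied in this backup set


class Volume:
    """Hypothetical file system with one archive bit per file and a backup history."""

    def __init__(self, names):
        self.files = {n: FileState() for n in names}
        self.history = []  # Backup records, oldest first

    def modify(self, *names):
        for n in names:
            self.files[n].archive_bit = True

    def full_backup(self):
        # Copies everything regardless of the bit, then clears every bit.
        copied = frozenset(self.files)
        for st in self.files.values():
            st.archive_bit = False
        self.history.append(Backup("full", copied))
        return copied

    def incremental_backup(self):
        # Copies only files flagged since the last backup of ANY kind, then clears the bit.
        copied = frozenset(n for n, st in self.files.items() if st.archive_bit)
        for n in copied:
            self.files[n].archive_bit = False
        self.history.append(Backup("incremental", copied))
        return copied

    def differential_backup(self):
        # Copies everything flagged since the last FULL backup and leaves the bit set,
        # so each differential grows until the next full backup resets it.
        copied = frozenset(n for n, st in self.files.items() if st.archive_bit)
        self.history.append(Backup("differential", copied))
        return copied


def restore_chain(history):
    """Return the backup sets, in order, needed to rebuild the latest state.

    Pure differentials: last full + latest differential only.
    Incrementals (or a mix): last full + every later set, replayed in order.
    """
    last_full = max(i for i, b in enumerate(history) if b.kind == "full")
    later = history[last_full + 1:]
    if later and all(b.kind == "differential" for b in later):
        return [history[last_full], later[-1]]
    return [history[last_full], *later]


def simulate(strategy):
    """Run the constructed five-day schedule with the given daily backup kind.

    Returns (files copied per day, number of sets a restore must apply).
    """
    vol = Volume(["a", "b", "c", "d", "e"])
    vol.full_backup()  # day 0 baseline
    daily_changes = [("a",), ("b",), ("a", "c"), ("d",), ("e",)]  # constructed
    sizes = []
    for changed in daily_changes:
        vol.modify(*changed)
        copied = getattr(vol, f"{strategy}_backup")()
        sizes.append(len(copied))
    return sizes, len(restore_chain(vol.history))


if __name__ == "__main__":
    for kind in ("full", "incremental", "differential"):
        sizes, chain = simulate(kind)
        print(f"{kind:12s} copied per day={sizes}  sets needed to restore={chain}")
```

Running it shows the trade-off the question is testing: incrementals copy the fewest files each day but need the full set plus every incremental to restore, differentials grow day by day but restore from just two sets, and a nightly full copies everything every time.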

What is defined as inference of information from other, intermediate, relevant facts?

A. Secondary evidence
B. Conclusive evidence
C. Hearsay evidence
D. Circumstantial evidence

Answer: D. Circumstantial evidence



Circumstantial evidence is defined as inference of information from other,
intermediate, relevant facts. Secondary evidence is a copy of evidence or oral description
of its contents. Conclusive evidence is incontrovertible and overrides all other evidence and
hearsay evidence is evidence that is not based on personal, first-hand knowledge of the
witness, but was obtained from another source. Computer-generated records normally fall
under the category of hearsay evidence.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the
Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 9: Law,
Investigation, and Ethics (page 310).

A deviation from an organization-wide security policy requires which of the following?

A. Risk Acceptance
B. Risk Assignment
C. Risk Reduction
D. Risk Containment

Answer: A. Risk Acceptance



A deviation from an organization-wide security policy requires you to manage the risk. If you deviate from the security policy, then you are required to accept the risks that might occur.
In some cases, it may be prudent for an organization to simply accept the risk that is presented in certain scenarios. Risk acceptance is the practice of accepting certain risk(s), typically based on a business decision that may also weigh the cost versus the benefit of dealing with the risk in another way.
The OIG defines Risk Management as the term that characterizes the overall process. The first phase of risk assessment includes identifying risks, risk-reducing measures, and the budgetary impact of implementing decisions related to the acceptance, avoidance, or transfer of risk. The second phase of risk management includes the process of assigning priority to, budgeting, implementing, and maintaining appropriate risk-reducing measures.
Risk management is a continuous process of ever-increasing complexity. It is how we evaluate the impact of exposures and respond to them. Risk management minimizes loss to information assets due to undesirable events through identification, measurement, and control. It encompasses the overall security review, risk analysis, selection and evaluation of safeguards, cost–benefit analysis, management decision, and safeguard identification and implementation, along with ongoing effectiveness review.
Risk management provides a mechanism for the organization to ensure that executive management knows the current risks, so that informed decisions can be made to use one of the risk management principles: risk avoidance, risk transfer, risk mitigation, or risk acceptance.
The 4 ways of dealing with risks are: Avoidance, Transfer, Mitigation, Acceptance.
The following answers are incorrect:
Risk assignment is incorrect because it is a distractor; assignment is not one of the ways to manage risk.
Risk reduction is incorrect because there was a deviation from the security policy. You could have some additional exposure by the fact that you deviated from the policy.
Risk containment is incorrect because it is a distractor; containment is not one of the ways to manage risk.
Reference(s) used for this question:
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third
Edition ((ISC)2 Press) (Kindle Locations 8882-8886). Auerbach Publications. Kindle
Edition.
and
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third
Edition ((ISC)2 Press) (Kindle Locations 10206-10208). Auerbach Publications. Kindle
Edition.

