SSCP Practice Test Questions

1048 Questions


Topic 4: Risk, Response and Recovery

What is the PRIMARY goal of incident handling?

A. Successfully retrieve all evidence that can be used to prosecute
B. Improve the company's ability to be prepared for threats and disasters
C. Improve the company's disaster recovery plan
D. Contain and repair any damage caused by an event

Answer: D. Contain and repair any damage caused by an event.

Containing the incident and repairing the damage it caused is the PRIMARY goal of an incident handling process; evidence collection, lessons learned and plan updates all exist in support of that goal.
The other answers are incorrect because:
Retrieving evidence for prosecution is a secondary concern. Incident handling is used far more often to identify and fix weaknesses than to prosecute.
Improving the company's ability to be prepared for threats and disasters is the purpose of a business continuity or disaster recovery plan, not of incident handling.
Improving the company's disaster recovery plan is likewise a disaster recovery planning activity, although lessons learned from an incident may feed into it.
Reference: Shon Harris, AIO v3, Chapter 10: Law, Investigation, and Ethics, pages 727-728.

Within the legal domain, what rule is concerned with the legality of how the evidence was gathered?

A. Exclusionary rule
B. Best evidence rule
C. Hearsay rule
D. Investigation rule

Answer: A. Exclusionary rule

The exclusionary rule states that evidence must be gathered legally or it cannot be used.
It is the principle, based on federal constitutional law, that evidence illegally seized by law enforcement officers in violation of a suspect's right to be free from unreasonable searches and seizures cannot be used against the suspect in a criminal prosecution.
The exclusionary rule is designed to exclude evidence obtained in violation of a criminal defendant's Fourth Amendment rights. The Fourth Amendment protects against unreasonable searches and seizures by law enforcement personnel. If the search of a criminal suspect is unreasonable, the evidence obtained in the search will be excluded from trial.
The exclusionary rule is a court-made rule: it was created not by statutes passed by legislative bodies but by the U.S. Supreme Court. It applies in federal courts by virtue of the Fourth Amendment, and the Court has ruled that it applies in state courts through the due process clause of the Fourteenth Amendment. (The Bill of Rights, the first ten amendments, applies to actions by the federal government; the Fourteenth Amendment, the Court has held, makes most of the protections in the Bill of Rights applicable to actions by the states.)
The exclusionary rule has been in existence since the early 1900s. Before the rule was fashioned, any evidence was admissible in a criminal trial if the judge found it relevant; the manner in which it had been seized was not an issue. This began to change in 1914, when the U.S. Supreme Court devised a way to enforce the Fourth Amendment. In Weeks v. United States, 232 U.S. 383, 34 S. Ct. 341, 58 L. Ed. 652 (1914), a federal agent had conducted a warrantless search for evidence of gambling at the home of Fremont Weeks. The evidence seized in the search was used at trial, and Weeks was convicted. On appeal, the Court held that the Fourth Amendment barred the use of evidence secured through a warrantless search. Weeks's conviction was reversed, and thus was born the exclusionary rule.
The practical point for a security professional is that the rule constrains government actors. Evidence collected by an organization's own investigators is not suppressed under the exclusionary rule, but it can still be challenged, and the organization exposed to liability, if it was collected in breach of privacy or wiretap statutes or of the organization's own policies; follow the evidence-handling procedures agreed with legal counsel from the start of an investigation.
The best evidence rule concerns limiting the potential for alteration. It is a common law rule of evidence which can be traced back at least as far as the 18th century. In Omychund v Barker (1745) 1 Atk, 21, 49; 26 ER 15, 33, Lord Hardwicke stated that no evidence was admissible unless it was "the best that the nature of the case will allow". The general rule is that secondary evidence, such as a copy or facsimile, will not be admissible if an original document exists and is available, that is, it has not been destroyed or become unavailable through other circumstances. The rationale for the best evidence rule can be understood from the context in which it arose: in the eighteenth century a copy was usually made by hand by a clerk (or even a litigant). The rule was predicated on the assumption that, if the original was not produced, there was a significant chance of error or fraud in relying on such a copy.
The hearsay rule is the one the CBK applies to computer-generated evidence, which it treats as second-hand evidence.
Hearsay is information gathered by one person from another concerning some event, condition, or thing of which the first person had no direct experience. When submitted as evidence, such statements are called hearsay evidence. As a legal term, "hearsay" can also have the narrower meaning of the use of such information as evidence to prove the truth of what is asserted. Such use of hearsay evidence in court is generally not allowed; this prohibition is called the hearsay rule.
For example, a witness says "Susan told me Tom was in town". Since the witness did not see Tom in town, the statement would be hearsay evidence of the fact that Tom was in town, and not admissible. However, it would be admissible as evidence that Susan said Tom was in town, and on the issue of her knowledge of whether he was in town.
The hearsay rule has many exceptions. For the purpose of the exam you must be familiar with the business records exception. Business records created during the ordinary course of business are considered reliable and can usually be brought in under this exception if the proper foundation is laid when the records are introduced into evidence. Depending on the jurisdiction, either the records custodian or someone with knowledge of the records must lay that foundation. Logs collected as part of a documented business process carried out at regular intervals fall under this exception: they can be presented in court without being treated as hearsay. Logging switched on only after an incident is suspected, or collected ad hoc, is harder to bring in this way, which is one reason routine, documented log collection matters for forensics.
Investigation rule is a distractor.
Sources:
ROTHKE, Ben, CISSP CBK Review presentation on domain 9.
The Free Online Law Dictionary: http://legal-dictionary.thefreedictionary.com/Exclusionary+Rule
Wikipedia: http://en.wikipedia.org/wiki/Exclusionary_rule
http://en.wikipedia.org/wiki/Hearsay_in_United_States_law#Hearsay_exceptions

Why would a memory dump be admissible as evidence in court?

A. Because it is used to demonstrate the truth of the contents.
B. Because it is used to identify the state of the system.
C. Because the state of the memory cannot be used as evidence.
D. Because of the exclusionary rule.

Answer: B. Because it is used to identify the state of the system.

A memory dump can be admitted as evidence if it acts merely as a statement of fact. A system dump is not considered hearsay because it is used to identify the state of the system, not to prove the truth of its contents. Choice C contradicts this. The exclusionary rule states that evidence must be gathered legally or it cannot be used; it says nothing about why a dump is admissible, so choice D is a distractor.
Source: ANDRESS, Mandy, Exam Cram CISSP, Coriolis, 2001, Chapter 10: Law, Investigation, and Ethics (page 187).

Which one of the following is NOT one of the outcomes of a vulnerability assessment?

A. Quantitative loss assessment
B. Qualitative loss assessment
C. Formal approval of BCP scope and initiation document
D. Defining critical support areas

Answer: C. Formal approval of BCP scope and initiation document

When seeking to determine the security position of an organization, the security professional will eventually turn to a vulnerability assessment to help identify specific areas of weakness that need to be addressed. A vulnerability assessment is the use of various tools and analysis methodologies to determine where a particular system or process may be susceptible to attack or misuse. Most vulnerability assessments concentrate on technical vulnerabilities in systems or applications, but the assessment process is equally effective when examining physical or administrative business processes.
The vulnerability assessment is often part of a BIA. It is similar to a risk assessment in that there is a quantitative (financial) section and a qualitative (operational) section. It differs in that it is smaller than a full risk assessment and is focused on providing information that is used solely for the business continuity plan or disaster recovery plan.
Formal approval of the BCP scope and initiation document is an output of the project initiation phase, which precedes and authorizes the assessment work; it is not something the assessment itself produces.
A function of a vulnerability assessment is to conduct a loss impact analysis. Because there will be two parts to the assessment, a financial assessment and an operational assessment, it will be necessary to define loss criteria both quantitatively and qualitatively.
Quantitative loss criteria may be defined as follows:
Incurring financial losses from loss of revenue, capital expenditure, or personal liability resolution
The additional operational expenses incurred due to the disruptive event
Incurring financial loss from resolution of violation of contract agreements
Incurring financial loss from resolution of violation of regulatory or compliance requirements
Qualitative loss criteria may consist of the following:
The loss of competitive advantage or market share
The loss of public confidence or credibility, or incurring public embarrassment
During the vulnerability assessment, critical support areas must be defined in order to assess the impact of a disruptive event. A critical support area is defined as a business unit or function that must be present to sustain continuity of the business processes, maintain life safety, or avoid public relations embarrassment.
Critical support areas could include the following:
Telecommunications, data communications, or information technology areas
Physical infrastructure or plant facilities, transportation services
Accounting, payroll, transaction processing, customer service, purchasing
The granular elements of these critical support areas will also need to be identified. By granular elements we mean the personnel, resources, and services the critical support areas need to maintain business continuity.
Reference(s) used for this question:
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 4628-4632). Auerbach Publications. Kindle Edition.
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, page 277.

Business Continuity and Disaster Recovery Planning primarily addresses the:

A. Availability of the CIA triad
B. Confidentiality of the CIA triad
C. Integrity of the CIA triad
D. Availability, Confidentiality and Integrity of the CIA triad

Answer: A. Availability of the CIA triad

BCP and DRP exist to keep critical business functions running through a disruption and to restore them afterwards, which is the availability leg of the CIA triad. Confidentiality and integrity controls still have to be maintained at the alternate site and during recovery, but they are not what the plans are primarily for.
The Information Technology (IT) department plays a very important role in identifying and protecting the company's internal and external information dependencies. The information technology elements of the BCP should address several vital issues, including:
Ensuring that the company employs sufficient physical security mechanisms to preserve vital network and hardware components, including file and print servers.
Ensuring that the organization uses sufficient logical security methodologies (authentication, authorization, etc.) for sensitive data.
Reference: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, page 279.

Which of the following teams should NOT be included in an organization's contingency plan?

A. Damage assessment team
B. Hardware salvage team
C. Tiger team
D. Legal affairs team

Answer: C. Tiger team

According to NIST Special Publication 800-34, a capable recovery strategy will require some or all of the following functional groups: senior management official, management team, damage assessment team, operating system administration team, systems software team, server recovery team, LAN/WAN recovery team, database recovery team, network operations recovery team, telecommunications team, hardware salvage team, alternate site recovery coordination team, original site restoration/salvage coordination team, test team, administrative support team, transportation and relocation team, media relations team, legal affairs team, physical/personnel security team, and procurement team. Ideally, these teams would be staffed with the personnel responsible for the same or similar operations under normal conditions.
A tiger team (originally U.S. military jargon; such teams have also been called "sneakers") is a team whose purpose is to penetrate security and thereby test security measures. The term is used today for teams performing ethical hacking. That is an assessment function, not a recovery function, so it has no place among the contingency plan's teams.
Source: SWANSON, Marianne, et al., National Institute of Standards and Technology (NIST), NIST Special Publication 800-34, Contingency Planning Guide for Information Technology Systems, December 2001 (page 23).

Which backup method is additive because the time and tape space required for each night's backup grows during the week as it copies the day's changed files and the previous days' changed files up to the last full backup?

A. Differential backup method
B. Full backup method
C. Incremental backup method
D. Tape backup method

Answer: A. Differential backup method

The differential backup method is additive because the time and tape space required for each night's backup grows during the week: each run copies the day's changed files and the previous days' changed files, back to the last full backup.
Archive bits
An archive bit is, essentially, a tag attached to every file: a single bit that is set on or off in the file's attributes. Think of it as the flag on a mailbox. If the flag is up, the file has been changed since it was last backed up; if it is down, the file is unchanged.
Archive bits let the backup software know what needs to be backed up. The differential and incremental backup types rely on the archive bit to direct them.
Backup types
Full or normal
The "full" or "normal" backup type is the most standard. This is the type you would use to back up every file in a given folder or drive. It backs up everything you direct it to, regardless of what the archive bit says, and it resets all archive bits (puts the flags down). Most backup software, including the built-in Windows backup software, lets you select down to the individual file that you want backed up. You can also choose to back up things like the "system state".
Incremental
When you schedule an incremental backup, you are instructing the software to back up only files that have been changed, that is, files with their flag up. After a file has been copied by the incremental backup, its flag goes back down. If you perform a normal backup on Monday and an incremental backup on Wednesday, the only files backed up on Wednesday are those changed since Monday. If on Thursday someone deletes a file by accident, getting it back requires the full backup from Monday and the incremental backup from Wednesday: the most recent copy of the file is on whichever of the two last captured it.
Differential
Differential backups are similar to incremental backups in that they only back up files with their archive bit, or flag, up. However, a differential backup does not reset those archive bits, so if another differential backup runs the following day it will back up the same file again, whether or not it has changed in the meantime. This is what makes each differential set grow until the next full backup resets the flags.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, page 69.
And: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, Chapter 9: Disaster Recovery and Business Continuity (pages 617-619).
And: http://www.brighthub.com/computing/windows-platform/articles/24531.aspx

The absence of a safeguard, or a weakness in a system that may possibly be exploited, is called a(n)?

A. Threat
B. Exposure
C. Vulnerability
D. Risk

Answer: C. Vulnerability

A vulnerability is a weakness in a system, or the absence of a safeguard, that can be exploited by a threat. The other terms are related but distinct: a threat is the potential for a threat agent to exploit that weakness; a risk is the likelihood that the threat does so, combined with the resulting impact; an exposure is an instance of the organization being open to loss because a vulnerability exists that a threat agent could exploit.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, page 237.

To understand the 'whys' in crime, many times it is necessary to understand MOM. Which of the following is not a component of MOM?

A. Opportunities
B. Methods
C. Motivation
D. Means

Answer: B. Methods

To understand the whys in crime, it is often necessary to understand the Motivations, Opportunities, and Means (MOM). Motivations are the who and why of a crime. Opportunities are the where and when of a crime, and Means pertains to the capabilities a criminal would need to be successful. Methods is not a component of MOM.

What is the MOST critical piece to disaster recovery and continuity planning?

A. Security policy
B. Management support
C. Availability of backup information processing facilities
D. Staff training

Answer: B. Management support

The keyword is MOST CRITICAL, and the correct answer is management support: management must be convinced of the plan's necessity, which is why a business case must be made. The decision of how a company should recover from a disaster is purely a business decision and should be treated as such.
The other answers are incorrect because:
Security policy is not the MOST CRITICAL piece.
Availability of backup information processing facilities comes once the organization has BCP plans in place, and for a BCP plan to exist, management support must be there first.
Staff training comes after the plans are in place with the support of management.
Reference: Shon Harris, AIO v3, Chapter 9: Business Continuity Planning, page 697.

Which backup method only copies files that have been recently added or changed and also leaves the archive bit unchanged?

A. Full backup method
B. Incremental backup method
C. Fast backup method
D. Differential backup method

Answer: D. Differential backup method

A differential backup is a partial backup that copies a selected file to tape only if the archive bit for that file is turned on, indicating that it has changed since the last full backup. A differential backup leaves the archive bits unchanged on the files it copies.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page 69).
Also see: http://e-articles.info/e/a/title/Backup-Types/
Backup software can use or ignore the archive bit in determining which files to back up, and can either turn the archive bit off or leave it unchanged when the backup is complete. How the archive bit is used and manipulated determines what type of backup is done, as follows.
Full backup
A full backup, which Microsoft calls a normal backup, backs up every selected file, regardless of the status of the archive bit. When the backup completes, the backup software turns off the archive bit for every file that was backed up. Note that "full" is a misnomer because a full backup backs up only the files you have selected, which may be as little as one directory or even a single file, so in that sense Microsoft's terminology is actually more accurate. Given the choice, full backup is the method to use because all files are on one tape, which makes it much easier to retrieve files from tape when necessary. Relative to partial backups, full backups also increase redundancy because all files are on all tapes. That means that if one tape fails, you may still be able to retrieve a given file from another tape.
Differential backup
A differential backup is a partial backup that copies a selected file to tape only if the archive bit for that file is turned on, indicating that it has changed since the last full backup. A differential backup leaves the archive bits unchanged on the files it copies. Accordingly, any differential backup set contains all files that have changed since the last full backup. A differential backup set run soon after a full backup will contain relatively few files. One run soon before the next full backup is due will contain many files, including those contained on all previous differential backup sets since the last full backup. When you use differential backup, a complete backup set comprises only two tapes or tape sets: the tape that contains the last full backup and the tape that contains the most recent differential backup.
Incremental backup
An incremental backup is another form of partial backup. Like differential backups, incremental backups copy a selected file to tape only if the archive bit for that file is turned on. Unlike the differential backup, however, the incremental backup clears the archive bits for the files it backs up. An incremental backup set therefore contains only files that have changed since the last full backup or the last incremental backup. If you run an incremental backup daily, files changed on Monday are on the Monday tape, files changed on Tuesday are on the Tuesday tape, and so forth. When you use an incremental backup scheme, a complete backup set comprises the tape that contains the last full backup and all of the tapes that contain every incremental backup done since the last normal backup. The only advantages of incremental backups are that they minimize backup time and keep multiple versions of files that change frequently. The disadvantages are that backed-up files are scattered across multiple tapes, making it difficult to locate any particular file you need to restore, and that there is no redundancy: each file is stored on only one tape, so the loss of any one incremental tape leaves a gap in the restore chain.
Full copy backup
A full copy backup (which Microsoft calls a copy backup) is identical to a full backup except for the last step. The full backup finishes by turning off the archive bit on all files that have been backed up. The full copy backup instead leaves the archive bits unchanged. The full copy backup is useful only if you are using a combination of full backups and incremental or differential partial backups. It allows you to make a duplicate "full" backup, e.g. for storage off-site, without altering the state of the hard drive you are backing up; a normal full backup at that point would clear the flags and destroy the integrity of the partial backup rotation.
Some Microsoft backup software also provides what Microsoft calls a daily copy backup. This method ignores the archive bit entirely and instead depends on the date and time stamp of files to determine which files should be backed up. The problem is that software can change a file without changing the date and time stamp, or change the date and time stamp without changing the contents of the file. For this reason the cited source regards the daily copy backup as unreliable and recommends avoiding it.
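The archive-bit behaviour described in this answer, and the additive growth of differential sets described in the earlier backup question, can be checked by simulating a week of backups. The Python below is an added example written for this page, not code from the CISSP Prep Guide or the other cited sources; the four files, the nightly change sequence and the Volume class standing in for a file system are all constructed for illustration.

```python
# Simulation of full, incremental, differential and copy backups driven by an
# archive bit, plus the restore chain each scheme needs. Added example for this
# page; the file names and the nightly change log are constructed.


class Volume:
    """Toy file system: each file has a version counter and an archive bit."""

    def __init__(self, names):
        # A newly created file has its archive bit set (flag up).
        self.files = {n: {"version": 0, "archive": True} for n in names}

    def modify(self, name):
        f = self.files[name]
        f["version"] += 1
        f["archive"] = True  # any write raises the flag

    def versions(self):
        """Live state: name -> version currently on disk."""
        return {n: f["version"] for n, f in self.files.items()}

    def flagged(self):
        """Files whose archive bit is up."""
        return {n: f["version"] for n, f in self.files.items() if f["archive"]}

    def clear_flags(self):
        for f in self.files.values():
            f["archive"] = False


def full_backup(vol):
    """Copy every selected file, then put every flag down."""
    snap = vol.versions()
    vol.clear_flags()
    return snap


def copy_backup(vol):
    """Full copy (Microsoft 'copy'): everything is copied, flags are left alone."""
    return vol.versions()


def incremental_backup(vol):
    """Copy flagged files only, then put their flags down."""
    snap = vol.flagged()
    vol.clear_flags()
    return snap


def differential_backup(vol):
    """Copy flagged files only and leave the flags up."""
    return vol.flagged()


def restore(full, partials):
    """Replay the last full backup, then the partial sets in order."""
    state = dict(full)
    for p in partials:
        state.update(p)
    return state


# Constructed change log: after Monday's full backup one file is written each night.
CHANGES = [("Tue", "a"), ("Wed", "b"), ("Thu", "c"), ("Fri", "d")]


def run_week(partial, midweek=None):
    """Monday full backup, then a nightly `partial` backup.

    `midweek`, if given, is an extra backup taken after Wednesday's nightly run
    (for example a copy for off-site storage). Returns the number of files in each
    nightly set and whether the scheme's restore chain reproduces the live volume.
    """
    vol = Volume(["a", "b", "c", "d"])
    monday = full_backup(vol)
    sets = []
    for day, name in CHANGES:
        vol.modify(name)
        sets.append(partial(vol))
        if day == "Wed" and midweek is not None:
            midweek(vol)
    if partial is differential_backup:
        chain = [sets[-1]]   # last full + most recent differential
    else:
        chain = sets         # last full + every incremental since
    return [len(s) for s in sets], restore(monday, chain) == vol.versions()


if __name__ == "__main__":
    print("differential:", run_week(differential_backup))
    print("incremental: ", run_week(incremental_backup))
    print("differential + midweek copy:", run_week(differential_backup, copy_backup))
    print("differential + midweek full:", run_week(differential_backup, full_backup))
```

Run as a script, the differential week reports set sizes 1, 2, 3, 4 (each night re-copies the earlier nights' files, which is the additive growth the first backup question describes) while the incremental week reports 1, 1, 1, 1. An off-site copy backup taken on Wednesday leaves the differential chain intact; a normal full backup at the same point clears the flags, so Friday's differential no longer contains Tuesday's and Wednesday's changes and restoring Monday's full plus Friday's differential silently loses them.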

Computer security should be first and foremost which of the following:

A. Cover all identified risks
B. Be cost-effective.
C. Be examined in both monetary and non-monetary terms.
D. Be proportionate to the value of IT systems.

Answer: B. Be cost-effective.

Computer security should be first and foremost cost-effective.
As for any organization, there is a need to measure cost-effectiveness, to justify budget usage and to provide supporting arguments for the next budget claim. But organizations often have difficulty accurately measuring the effectiveness and the cost of their information security activities.
The classical financial approach to ROI calculation is not particularly appropriate for measuring security-related initiatives: security is not generally an investment that results in a profit. Security is about loss prevention. In other words, when you invest in security you do not expect benefits; you expect to reduce the risks threatening your assets.
The concept of ROI calculation nevertheless applies to every investment, and security is no exception. Executive decision-makers want to know the impact security is having on the bottom line. In order to know how much they should spend on security, they need to know how much the lack of security is costing the business and what the most cost-effective solutions are.
Applied to security, a Return On Security Investment (ROSI) calculation can provide quantitative answers to essential financial questions:
Is an organization paying too much for its security?
What financial impact could a lack of security have on productivity?
When is the security investment enough?
Is this security product or organisation beneficial?
The following are other concerns about computer security, but not the first and foremost:
The costs and benefits of security should be carefully examined in both monetary and non-monetary terms to ensure that the cost of controls does not exceed expected benefits.
Security should be appropriate and proportionate to the value of and degree of reliance on the IT systems and to the severity, probability, and extent of potential harm.
Requirements for security vary, depending upon the particular IT system. Therefore it does not make sense for computer security to cover all identified risks when the cost of the measures exceeds the value of the systems they are protecting.
Reference(s) used for this question:
SWANSON, Marianne & GUTTMAN, Barbara, National Institute of Standards and Technology (NIST), NIST Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, September 1996 (page 6).
and
http://www.enisa.europa.eu/activities/cert/other-work/introduction-to-return-on-security-investment
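The ENISA guide cited above expresses ROSI as (ALE x mitigation ratio - cost of solution) / cost of solution, with ALE = SLE x ARO. The Python below works that through for three candidate controls so the four questions listed in the answer get numeric answers. It is an added example for this page, not from NIST SP 800-14 or the ENISA document; the scenario, control names, costs and mitigation ratios are invented for illustration.

```python
# Return On Security Investment (ROSI) worked through for several candidate
# controls. Added example for this page; the formula follows ENISA's
# "Introduction to Return on Security Investment", and every figure below is
# constructed.


def ale(sle, aro):
    """Annual Loss Expectancy: Single Loss Expectancy x Annual Rate of Occurrence."""
    return sle * aro


def rosi(ale_before, mitigation_ratio, cost):
    """ENISA form: ROSI = (ALE * mitigation ratio - cost of solution) / cost of solution.

    Above 0 the expected loss avoided exceeds what the control costs; below 0
    the control costs more than the loss it prevents.
    """
    if cost <= 0:
        raise ValueError("cost of solution must be positive")
    if not 0.0 <= mitigation_ratio <= 1.0:
        raise ValueError("mitigation ratio is the fraction of ALE the control avoids")
    return (ale_before * mitigation_ratio - cost) / cost


def break_even_cost(ale_before, mitigation_ratio):
    """Most one can spend on a control of this effectiveness before ROSI turns negative.

    This answers 'when is the security investment enough?': past this figure the
    control costs more than the loss it prevents.
    """
    return ale_before * mitigation_ratio


def rank_controls(ale_before, controls):
    """Return (name, rosi, cost_effective) tuples, most cost-effective first."""
    scored = []
    for name, cost, ratio in controls:
        r = rosi(ale_before, ratio, cost)
        scored.append((name, round(r, 4), r > 0))
    return sorted(scored, key=lambda t: t[1], reverse=True)


# Constructed scenario: ransomware on a departmental file server. One incident is
# estimated to cost 40,000 (downtime, rebuild, lost work) and is expected about
# once every two years.
SLE = 40_000
ARO = 0.5

# Candidate controls: (name, annual cost, fraction of ALE the control is judged to
# avoid). Hypothetical figures.
CONTROLS = [
    ("offline backups", 5_000, 0.90),
    ("awareness training", 2_000, 0.30),
    ("EDR suite", 25_000, 0.95),
]


def main():
    ale_before = ale(SLE, ARO)
    print(f"ALE without new controls: {ale_before:,.0f}")
    for name, r, ok in rank_controls(ale_before, CONTROLS):
        verdict = "cost-effective" if ok else "costs more than it saves"
        print(f"{name:<20} ROSI {r:+.2f}  {verdict}")
    print(f"Ceiling for a 90% effective control: {break_even_cost(ale_before, 0.9):,.0f}")


if __name__ == "__main__":
    main()
```

With these figures the offline backups (ROSI 2.6) and awareness training (2.0) both pay for themselves, while the EDR suite (-0.24) costs more than the loss it would prevent against this single scenario, which is the "cost of controls exceeding expected benefits" situation NIST SP 800-14 warns about. A real assessment would sum ALE across all the scenarios a control mitigates before judging it.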

