Disaster Recovery and Planning

Questions and Answers

PDF Questions PDF Answers

What is the primary purpose of the principle of least privilege?

To give users unrestricted access to all system functionalities

To allow administrators to perform tasks without restrictions

To prevent all forms of user access to sensitive information

To ensure subjects have only the necessary rights for their functions (correct)

What does least user access (LUA) recommend for typical user accounts?

Users should frequently switch to higher privilege accounts

Users should log onto workstations using limited user accounts (correct)

Users should work under administrative accounts at all times

Users should not have any access to their files or programs

What is a significant risk of allowing users to have administrative rights on workstations?

Better control over system functionalities

Increased potential for malware and misconfigurations (correct)

Improved performance of administrative tasks

Enhanced security for user data

Which of the following is a responsibility of an administrator?

Creating user accounts and assigning privileges

Which account type has the least access and is restricted to specific programs and data?

Guest

What is the primary goal of access control systems?

To organize who has access to specific resources

Which of the following statements best describes business continuity plans?

Strategies to ensure critical business functions continue during disasters

What triggers the implementation of disaster recovery plans?

Failing business continuity plans in response to disasters

Access control strategies are primarily designed to address which of the following?

Business challenges and security risks

Which of the following is NOT a goal of access control systems?

To enhance productivity by speeding up access

Which component is critical for the implementation of effective access controls?

Identity management techniques

In the context of business continuity, what is the primary focus of disaster recovery plans?

Restoring business operations as quickly as possible after a failure

What is an essential factor to consider when designing an access control system?

The specific needs of the business

What is one purpose of strong password policies in technological access controls?

To ensure only authorized access to data

Which physical security measure helps maintain the safety of facilities?

Locking key facilities at all times

How can employee training help mitigate security risks?

By teaching employees about social engineering tactics

What is the primary goal of administrative policies regarding lost or stolen ID badges?

To prevent unauthorized access to sensitive information

Which of the following is a strategy for risk avoidance in security management?

Implementing thorough security measures

Which type of disasters can be minimized through careful planning and strong access controls?

Preventable disasters

What is a key objective of disaster recovery procedures?

To restore essential business operations quickly

Which access control principle refers to limiting access to only those who genuinely need it?

Need to know

What should be done when customer-facing websites are down after a disaster?

Inform employees of the situation

What is an important measure to ensure first responders access crucial information during a disaster?

Establish a mechanism for authorized access

What access capability should a system allow customers in their accounts?

Create and update their own account information

What is a potential solution for offline servers due to disasters?

Backup systems to offsite servers

Which of the following is NOT a concern addressed in disaster recovery planning?

Unanticipated market competition

What does risk avoidance entail?

Avoiding an activity that carries some elements of risk

Which of the following best describes risk acceptance?

It entails acknowledging risks and proceeding with necessary activities.

What does risk transference involve?

Shifting the negative consequences of risk to another organization.

How is risk defined in the context provided?

The potential for loss or damage when a threat exploits a vulnerability.

What constitutes a vulnerability?

Any weakness in a system that can be exploited.

Which of the following best describes a threat?

A potential attack on a system.

What is the primary goal of risk mitigation?

To minimize the probability and consequences of risks.

Which of the following components is NOT considered essential in information security?

Risk avoidance

Study Notes

Disaster Recovery and Planning

• Some disasters, like earthquakes, are unavoidable, while others can be controlled or minimized with proper planning and access control.
• Access controls are essential after disasters to manage who can access information and resources.
• Effective disaster recovery involves restoring business functionality swiftly and reassuring customers of stability.

Disaster Recovery Concerns and Solutions

• Key personnel access may be limited during disasters; alternate facilities can mitigate this issue.
• Offline servers highlight the need for backup systems hosted offsite.
• Customer-facing websites may go down, necessitating clear communication with employees and customers.
• Damaged infrastructure demands an authorization mechanism for first responders.
• Power outages require protocol and training in disaster recovery procedures.

Customer Access to Data

• Customers should have the ability to manage their accounts and place orders while ensuring privacy and security.
• The principle of "need to know" and the concept of "least privilege" reinforce that access to sensitive data should be restricted to necessary personnel only.

Access Control Systems

• Goals include preventing unauthorized access, organizing permissions, and fulfilling business requirements.
• Authentication solutions must be appropriate for the IT infrastructure to address business challenges effectively.

Business Continuity and Disaster Recovery

• Business continuity ensures essential operations persist amid crises.
• Plans aim to mitigate risks, while disaster recovery plans are enacted when continuity efforts fail, focusing on quick restoration of business activities.

Creating a Business Continuity Plan

• Implement strong password policies and utilize intrusion detection systems alongside firewalls for tech security.
• Physically secure locations with locked facilities and escorted access for visitors.

Administrative Policies and Training

• Established policies are necessary for handling lost ID badges and acceptable use.
• Employee training is vital to recognize and combat social engineering threats, reinforcing security awareness.

Risk Management

• Different strategies:
  • Risk avoidance eliminates activities that carry risk.
  • Risk acceptance involves proceeding despite risks.
  • Risk transference shifts potential negative consequences to another party.
  • Risk mitigation focuses on reducing both the likelihood and impact of risks.

Understanding Vulnerability, Threat, and Risk

• A vulnerability is a system weakness, while a threat is a possible attack.
• Risk occurs when a threat is poised to exploit a vulnerability.

Principles of User Access

• The "least privilege" principle ensures users receive only the necessary access to perform their functions.
• Users should generally operate under limited accounts, using administrative access only for specific tasks.

Administrative Risks

• Using privileged accounts on workstations increases the threat of malware attacks and misconfigurations.

User Roles

• Administrator: Manages user accounts, installs software, and conducts system maintenance.
• User: Can run programs, view logs, and manage their data.
• Guest: A restricted account that allows limited program access and data viewing.

Input/Output Controls

• Essential for managing data flows and ensuring integrity, confidentiality, and availability of information.

Description

This quiz explores the critical elements of disaster recovery and planning, including the importance of access controls, alternative facilities for key personnel, and the management of customer access during crises. Learn how to effectively restore business functionality and communicate with stakeholders after a disaster.