d. Hardware and software vendors
191. b. The first part of a response mechanism is notification, whether automatic or manual. Besides technical staff, several others must be notified, depending on the nature and scope of the incident. Unfortunately, legal counsel is not always notified, or is notified by staff who assume that legal involvement is not required.
192. Which of the following is not a viable option in the event of an audit processing failure or audit storage capacity being reached?
a. Shut down the information system.
b. Overwrite the oldest audit records.
c. Stop generating the audit records.
d. Continue processing after notification.
192. d. In the event of an audit processing failure or audit storage capacity being reached, the information system alerts appropriate management officials and takes additional actions such as shutting down the system, overwriting the oldest audit records, or stopping the generation of audit records. It should not continue processing, either with or without notification, because the audit-related data would be lost.
193. Which of the following surveillance techniques is passive in nature?
a. Audit logs
b. Keyboard monitoring
c. Network sniffing
d. Online monitoring
193. a. Audit logs collect data passively in computer journals or files for later review and analysis, followed by action. The other three choices are examples of active surveillance techniques, where electronic (online) monitoring is done for immediate review and analysis, followed by action.
194. A good computer security incident handling capability is closely linked to which of the following?
a. Systems software
b. Applications software
c. Training and awareness program
d. Help desk
194. c. A good incident handling capability is closely linked to an organization’s training and awareness program. It will have educated users about such incidents so users know what to do when they occur. This can increase the likelihood that incidents will be reported early, thus helping to minimize damage. The help desk is a tool to handle incidents. Intruders can use both systems software and applications software to create security incidents.
195. System users seldom consider which of the following?
a. Internet security
b. Residual data security
c. Network security
d. Application system security
195. b. System users seldom consider residual data security as part of their job duties because they think it is the job of computer operations or information security staff. Residual data security addresses data remanence: the recoverable data left on discarded magnetic or paper media, which corporate spies can scavenge to gain access to valuable data. Both system users and system managers usually consider the measures mentioned in the other three choices.
196. Which of the following is not a special privileged user?
a. System administrator
b. Business end-user
c. Security administrator
d. Computer operator
196. b. A special privileged user is defined as an individual who has access to system control, monitoring, or administration functions. A business end-user is a normal system user performing the day-to-day and routine tasks required by his job duties, and should not have the special privileges held by the system administrator, security administrator, computer operator, system programmer, system maintainer, network administrator, or desktop administrator. Privileged users have access to a set of access rights on a given system. Privileged access to privileged functions should be limited to a few individuals in the IT department and should not be given to or shared with business end-users, who are far more numerous.
197. Which of the following is the major consideration when an organization gives its incident response work to an outsourcer?
a. Division of responsibilities
b. Handling incidents at multiple locations
c. Current and future quality of work
d. Lack of organization-specific knowledge