causing irreparable harm to the organization. What measure is he seeking to determine?SLEEFMTDARO8 You are concerned about the risk that an avalanche poses to your $3 million shipping facility. Based on expert opinion, you determine that there is a 5 percent chance that an avalanche will occur each year. Experts advise you that an avalanche would completely destroy your building and require you to rebuild on the same land. Ninety percent of the $3 million value of the facility is attributed to the building, and 10 percent is attributed to the land itself. What is the single loss expectancy (SLE) of your shipping facility to avalanches?$3 million$2,700,000$270,000$135,000
9 Referring to the scenario in question 8, what is the annualized loss expectancy?$3 million$2,700,000$270,000$135,000
10 You are concerned about the risk that a hurricane poses to your corporate headquarters in South Florida. The building itself is valued at $15 million. After consulting with the National Weather Service, you determine that there is a 10 percent likelihood that a hurricane will strike over the course of a year. You hired a team of architects and engineers, who determined that the average hurricane would destroy approximately 50 percent of the building. What is the annualized loss expectancy (ALE)?$750,000$1.5 million$7.5 million$15 million
11 Chris is completing the risk acceptance documentation for his organization's business continuity plan. Which one of the following items is Chris least likely to include in this documentation?Listing of risks deemed acceptableListing of future events that might warrant reconsideration of risk acceptance decisionsRisk mitigation controls put in place to address acceptable risksRationale for determining that risks were acceptable
12 Brian is developing continuity plan provisions and processes for his organization. What resource should he protect as the highest priority in those plans?Physical plantInfrastructureFinancialPeople
13 Ricky is conducting the quantitative portion of his organization's business impact analysis. Which one of the following concerns is least suitable for quantitative measurement during this assessment?Loss of a plantDamage to a vehicleNegative publicityPower outage
14 Lighter than Air Industries expects that it would lose $10 million if a tornado struck its aircraft operations facility. It expects that a tornado might strike the facility once every 100 years. What is the single loss expectancy for this scenario?0.01$10 million$100,0000.10
15 Referring to the scenario in question 14, what is the annualized loss expectancy?0.01$10 million$100,0000.10
16 In which business continuity planning task would you actually design procedures and mechanisms to mitigate risks deemed unacceptable by the BCP team?Strategy developmentBusiness impact analysisProvisions and processesResource prioritization
17 Matt is supervising the installation of redundant communications links in response to a finding during his organization's BIA. What type of mitigation provision is Matt overseeing?Hardening systemsDefining systemsReducing systemsAlternative systems
18 Helen is working on her organization's resilience plans, and her manager asks her whether the organization has sufficient technical controls in place to recover operations after a disruption. What type of plan would address the technical controls associated with alternate processing facilities, backups, and fault tolerance?Business continuity planBusiness impact analysisDisaster recovery planVulnerability assessment
19 Darren is concerned about the risk of a serious power outage affecting his organization's data center. He consults the organization's business impact analysis and determines that the ARO of a power outage is 20 percent. He notes that the assessment took place three years ago and no power outage has occurred. What ARO should he use in this year's assessment, assuming that none of the circumstances underlying the analysis have changed?20 percent50 percent75 percent100 percent
20 Of the individuals listed, who would provide the best endorsement for a business continuity plan's statement of importance?Vice president of business operationsChief information officerChief executive officerBusiness continuity manager
Chapter 4 Laws, Regulations, and Compliance
THE CISSP EXAM TOPICS COVERED IN THIS CHAPTER INCLUDE:
Domain 1.0: Security and Risk Management1.4 Determine compliance and other requirements1.4.1 Contractual, legal, industry standards, and regulatory requirements1.4.2 Privacy requirements1.5 Understand legal and regulatory issues that pertain to information security in a holistic context1.5.1 Cybercrimes and data breaches1.5.2 Licensing and Intellectual Property (IP) requirements1.5.3 Import/export controls1.5.4 Transborder data flow1.5.5 Privacy
The world of compliance is a legal and regulatory jungle for information technology and cybersecurity professionals. National, state, and local governments have all passed overlapping laws regulating different components of cybersecurity in a patchwork manner. This leads to an incredibly confusing landscape for security professionals, who must reconcile the laws of multiple jurisdictions. Things become even more complicated for multinational companies, which must navigate the variations between international law as well.
Law enforcement agencies have tackled the issue of cybercrime with gusto in recent years. The legislative branches of governments around the world have at least attempted to address issues of cybercrime. Many law enforcement agencies have full-time, well-trained computer crime investigators with advanced security training. Those who don't usually know where to turn when they require this sort of experience.
In this chapter, we'll cover the various types of laws that deal with computer security issues. We'll examine the legal issues surrounding computer crime, privacy, intellectual property, and a number of other related topics. We'll also cover basic investigative techniques, including the pros and cons of calling in assistance from law enforcement.
Categories of Laws
Three main categories of laws play a role in the U.S. legal system. Each is used to cover a variety of circumstances, and the penalties for violating laws in the different categories vary widely. In the following sections, you'll learn how criminal law, civil law, and administrative law interact to form the complex web of our justice system.
Criminal Law
Criminal law forms the bedrock of the body of laws that preserve the peace and keep our society safe. Many high-profile court cases involve matters of criminal law; these are the laws that the police and other law enforcement agencies concern themselves with. Criminal law contains prohibitions against acts such as murder, assault, robbery, and arson. Penalties for violating criminal statutes fall in a range that includes mandatory hours of community service, monetary penalties in the form of fines (small and large), and deprivation of civil liberties in the form of prison sentences.
Don't Underestimate Technology Crime Investigators
A good friend of one of the authors is a technology crime investigator for the local police department. He often receives cases of computer abuse involving threatening emails and website postings.
Recently, he shared a story about a bomb threat that had been emailed to a local high school. The perpetrator sent a threatening note to the school principal declaring that the bomb
