Chapter 5 IT Service Management and Continuity – CISA Certified Information Systems Auditor Practice Exams

CHAPTER 5

IT Service Management and Continuity

This chapter covers CISA Domain 4, “Information Systems Operations and Business Resilience” and includes questions from the following topics:

•   Information systems operations

•   Information systems hardware

•   Information systems architecture and software

•   Network infrastructure, technologies, models, and protocols

•   Business continuity and disaster recovery planning

•   Auditing infrastructure, operations, and business continuity and disaster recovery planning

The topics in this chapter represent 23 percent of the CISA examination.

IT organizations are effective if their operations are effective. Management needs to be in control of information systems operations, which means that all aspects of operations need to be measured, those measurements and reports reviewed, and management-directed changes carried out to ensure continuous improvement.

IT organizations are service organizations—they exist to serve the organization and support its business processes. IT’s service management operations need to be well designed, adequately measured, and reviewed by management.

In the age of digital transformation (DX), organizations are more dependent than ever before on information technology for execution of core business processes. This, in turn, changes the business resilience conversation and increases the emphasis on business continuity and disaster recovery planning, which has moved to this domain in the 2019 CISA job practice.

In addition to being familiar with IT business processes, IS auditors need to have a keen understanding of the workings of computer hardware, operating systems, and network communications technology. This knowledge will help the auditor better understand many aspects of service management and operations.

QUESTIONS

1.   A device that forwards packets to their destination based on their destination IP address is known as a:

A.   Bridge

B.   Gateway

C.   Router

D.   Switch

2.   A security manager is planning to implement a first-time use of a vulnerability scanning tool in an organization. What method should the security manager use to confirm that all assets are scanned?

A.   Compare the scan results with the accounting department asset inventory.

B.   Compare the scan results with the contents of the CMDB.

C.   Compare the scan results with a discovery scan performed by the vulnerability scanning tool.

D.   Compare the scan results with the latest network diagram.

3.   Which of the following methods should be used to create a point-in-time copy of a large production database?

A.   Storage system snapshot

B.   Storage system replication

C.   E-vaulting

D.   Export to a flat file that is backed up to tape

4.   All of the following protocols are used for federated authentication except:

A.   OAuth

B.   SAML

C.   WSDL

D.   HMAC

5.   What is typically the most significant risk associated with end users being local administrators on their workstations?

A.   End users will have access to all confidential information.

B.   End users can install unauthorized software.

C.   Malware can run at the highest privilege level.

D.   End users can use tools to crack all domain passwords.

6.   Which of the following persons is best suited to approve users’ access to sensitive data in a customer database?

A.   Customer service manager

B.   IT service desk personnel

C.   Information security manager

D.   IT manager

7.   An organization is planning a new SaaS service offering and is uncertain about the resources required to support the service. How should the organization proceed?

A.   Calculate projected performance using CMMI tools.

B.   Calculate projected performance using Zachman tools.

C.   Measure actual performance metrics in production.

D.   Build a working prototype and perform load tests.

8.   What is the best definition of a problem in ITIL-based service management?

A.   Chronic exceptions in audits of IT systems

B.   The same incident that occurs repeatedly

C.   Repeated unscheduled downtime

D.   Unscheduled downtime that exceeds SLAs

9.   Which of the following is the best relationship between system security and the use of vulnerability scanning tools?

A.   Vulnerability scanning is performed proactively, and it drives the security patching and hardening functions.

B.   Vulnerability scanning is performed proactively, and it drives the security patching function.

C.   Patching and hardening are performed proactively, and vulnerability scanning is used to verify their effectiveness.

D.   Patching is performed proactively, and vulnerability scanning is used to verify its effectiveness.

10.   A SaaS provider and a customer are having a dispute about the availability of service, quality of service, and issue resolution provided by the SaaS provider. What type of a legal agreement should the parties add to their contract to better define these problems and their resolution?

A.   Pricing table

B.   Exit clause

C.   Performance addendum

D.   Service level agreement

11.   What is the purpose of a business impact analysis?

A.   It defines the most critical business processes.

B.   It defines the most critical IT applications.

C.   It defines the most critical service providers.

D.   It defines the disaster recovery plan.

12.   An IT architect needs to increase the resilience of a single application server. Which of the following choices will least benefit the server’s resilience?

A.   Active-active cluster

B.   Active-passive cluster

C.   Geo-cluster

D.   Redundant power supply

13.   Which of the following backup schemes best protects an organization from ransomware?

A.   Storage system replication

B.   Storage system mirroring

C.   Storage system snapshots

D.   RAID-5

14.   A mail order organization wants to develop procedures to be followed in the event that the main office building cannot be occupied, so that customer orders can still be fulfilled. What kind of a plan does the organization need to develop?

A.   Business impact analysis

B.   Business continuity plan

C.   Disaster recovery plan

D.   Emergency evacuation plan

15.   An IT department is planning on implementing disaster recovery capabilities in some of its business systems. What means should be used to determine which applications require DR capabilities and to what level of recoverability?

A.   Business continuity plan

B.   Disaster recovery plan

C.   Risk assessment

D.   Business impact analysis

16.   Which of the following is the most compelling reason for an organization to not automate its data purging jobs in support of data retention policies?

A.   DR planning

B.   Referential integrity

C.   Privacy breaches

D.   Legal holds

17.   Which of the following schemes is most likely to be successful for workstations used by a mobile workforce?

A.   Automated patching followed by a system restart that the end user can control

B.   Automated patching and restarts

C.   End-user-initiated patching and restarts

D.   Applying only those patches not requiring a system restart

18.   An IT department completed a data discovery assessment and found that numerous users were saving files containing sensitive information on organization-wide readable file shares. Which of the following is the best remediation for this matter?

A.   Remove the offending files from the org-wide share.

B.   Announce to users that the org-wide readable share is not for sensitive data.

C.   Change the org-wide readable share to read-only for most users.

D.   Change the org-wide readable share to write-only for most users.

19.   For which users or groups should the SQL listener on a database management system be accessible?

A.   For the application accounts only

B.   For the application and DBA accounts only

C.   For DBA accounts only

D.   For DBA accounts plus all users of the application

20.   An organization’s financial accounting system crashes every Friday night after backups have completed. In ITIL terms, what process should be invoked?

A.   Problem management

B.   Incident management

C.   Capacity management

D.   Business continuity management

21.   An IT organization is investigating a problem in its change management process whereby many changes have to be backed out because they could not be completed or because verifications failed. Which is the best remedy for this situation?

A.   Increase the size of change windows.

B.   Require a separate person to verify changes.

C.   Require change requests to have better backout procedures.

D.   Require more rigorous testing in a test environment prior to scheduling changes in production.

22.   Which language is used to change the schema in a database management system?

A.   DDL

B.   SQL

C.   Stored procedures

D.   JCL

23.   A DBA has been asked to limit the tables, rows, or columns that are visible to some users with direct database access. Which solution would best fulfill this request?

A.   Create alternative user accounts.

B.   Move those users into different AD groups.

C.   Create one or more views.

D.   Change the schema for those users.

24.   An organization’s IT department developed DR capabilities for some business applications prior to a BIA ever being performed. Now that a BIA has been performed, it has been determined that some IT applications’ DR capabilities exceed what is called for in the BIA and that other applications fall short. What should be done to remedy this?

A.   Redo the BIA, using existing DR capabilities as inputs.

B.   Make no changes, as this is the expected result.

C.   Change IT application DR capabilities to align with the BIA.

D.   Change the BIA to align with IT application DR capabilities.

25.   What is the purpose of hot-pluggable drives in a storage system?

A.   Ability to replace drives that have crashed or overheated

B.   Ability to replace drives while the storage system is still running

C.   Ability to replace drives without the risk of harm to personnel

D.   Ability to install additional drives without powering down the system

26.   What is the primary purpose for data restoration testing?

A.   To meet regulatory requirements

B.   To prove that bare-metal restores can be performed

C.   To see how long it takes to restore data from backup

D.   To ensure that backups are actually being performed

27.   Which of the following should approve RTO and RPO targets?

A.   Senior business executives

B.   Board of directors

C.   CISO

D.   CIO

28.   An organization has developed its first-ever disaster recovery plan. What is the best choice for the first round of testing of the plan?

A.   Cutover test

B.   Walkthrough

C.   Simulation

D.   Parallel test

29.   Which of the following best describes the purpose of a hypervisor?

A.   It creates and manages virtual desktops.

B.   It creates and manages containers.

C.   It installs software on virtual machines.

D.   It creates and manages virtual machines.

30.   Which of the following best fits the definition of a set of structured tables with indexes, primary keys, and foreign keys?

A.   Hierarchical database

B.   Object database

C.   Relational database

D.   Network database

31.   An organization uses its vulnerability scanning tool as its de facto asset management system. What is the biggest risk associated with this approach?

A.   Network engineers could build new IP networks not included in the scanning tool’s configuration.

B.   System engineers could implement new servers that the scanning tool won’t see.

C.   System engineers could implement new virtual machines that the scanning tool won’t see.

D.   IP source routing could prevent the scanning tool from seeing all networks.

32.   Which of the following systems should be used for populating the IT asset database in an elastic cloud environment?

A.   Hypervisor

B.   Vulnerability scanning tool

C.   Patch management tool

D.   CMDB

33.   What is a typical frequency for running a job that checks Active Directory for unused user accounts?

A.   Every hour

B.   Every 24 hours

C.   Every 7 days

D.   Every 90 days

34.   The system interface standard that includes process control, IPC, and shared memory is known as:

A.   Unix

B.   POSIX

C.   ActiveX

D.   Ultrix

35.   An environment consisting of centralized servers running end-user operating systems that display on users’ computers is known as:

A.   Hosted hypervisor

B.   Bare-metal hypervisor

C.   Virtual desktop infrastructure

D.   Reverse Telnet

36.   A data privacy officer recently commissioned a data discovery exercise to understand the extent to which sensitive data is present on the company’s world-readable file share. The exercise revealed that dozens of files containing large volumes of highly sensitive data were present on the file share. What is the best first step the data privacy officer should take?

A.   Remove all instances of files containing large volumes of highly sensitive data.

B.   Investigate each instance to see whether any files are a part of business processes.

C.   Sanction the users who placed the files there for violations of internal privacy policy.

D.   Do nothing, as this is an acceptable practice for files of this type.

37.   A new IT manager is making improvements in the organization’s management of unplanned outages. The IT manager has built a new process where repeated cases of similar outages are analyzed in order to identify their cause. What process has the IT manager created?

A.   Problem management

B.   Incident management

C.   Root cause analysis

D.   Security event management

38.   A new IT manager is making improvements in the organization’s management of the detailed settings on servers and network devices. The process that the IT manager has created is a part of:

A.   Vulnerability management

B.   System hardening

C.   Configuration management

D.   Performance management

39.   A new IT manager is making improvements in the organization’s management of the detailed settings on servers and network devices. The process includes the creation of a repository for storing details about this information. This repository is known as:

A.   An asset management database

B.   A vulnerability management database

C.   A configuration management database

D.   A system hardening standard

40.   A new IT manager is making improvements to the organization’s ability to make its systems and devices more resilient to attacks. The IT manager should update:

A.   The vulnerability management process

B.   The system and device hardening standard

C.   The configuration management database

D.   The security incident response plan

41.   A customer of a SaaS provider is complaining about the SaaS provider’s lack of responsiveness in resolving security issues. What portion of the contract should the customer refer to when lodging a formal complaint?

A.   Service description

B.   System availability

C.   Service level agreement

D.   Security controls

42.   Computer code that is found within the contents of a database is known as a:

A.   Blob

B.   Function

C.   Stored procedure

D.   Subroutine

43.   An organization is starting its first-ever effort to develop a business continuity and disaster recovery plan. What is the best first step to perform in this effort?

A.   Criticality analysis

B.   Business impact analysis

C.   Setting recovery targets

D.   Selecting a DR site

44.   What is the purpose for connecting two redundant power supplies to separate electrical circuits?

A.   System resilience in case one electrical circuit fails

B.   To balance electrical load between the circuits

C.   To balance the phasing between the circuits

D.   To avoid overloading a single electrical circuit

45.   An IT organization is modernizing its tape backup system by replacing its tape library system with a storage array, while keeping its tape backup software system. What has the organization implemented?

A.   E-vaulting

B.   S-vaulting

C.   Virtual tape library

D.   Mirroring

46.   An IT organization is modernizing its tape backup system by sending data to a cloud storage provider. What has the organization implemented?

A.   Replication

B.   Mirroring

C.   Virtual tape library

D.   E-vaulting

47.   A city government department that accepts payments for water use has developed a procedure to be followed when the IT application for processing payments is unavailable. What type of procedure has been developed?

A.   Business continuity plan

B.   Disaster recovery plan

C.   Business impact analysis

D.   Backout plan

48.   A city government IT department has developed a procedure to be followed when the primary application for accepting water usage payments has been incapacitated. The procedure calls for the initiation of a secondary application in a different data center. What type of procedure has been developed?

A.   Business continuity plan

B.   Backout plan

C.   Security incident response plan

D.   Disaster recovery plan

49.   What is the most important factor to consider in the development of a disaster recovery plan?

A.   The safety of personnel

B.   The availability of critical data

C.   Notification of civil authorities

D.   The continuity of critical operations

50.   An SSD is most commonly used as:

A.   Backup storage

B.   Removable storage

C.   Main storage

D.   Secondary storage

51.   The phrase “you can’t protect what you don’t know about” refers to which key IT process?

A.   Vulnerability management

B.   License management

C.   Patching

D.   Asset management

52.   The SOAP protocol is related to:

A.   The patch management process

B.   The exchange of data through an API

C.   The vulnerability management process

D.   Memory garbage collection

53.   Restricting USB attached storage on end-user workstations addresses all of the following except:

A.   Leakage of intellectual property

B.   Malware infection

C.   System capacity management

D.   Personal use of a workstation

54.   The primary purpose of a dynamic DLP system is:

A.   To detect unauthorized personal use of a workstation

B.   To detect unauthorized use of personal web mail

C.   To control unauthorized access to sensitive information

D.   To control unauthorized movement of sensitive information

55.   How suitable is a SIEM for alerting personnel of system capacity and performance issues?

A.   If syslog events are generated, use cases related to performance and capacity can be developed.

B.   A SIEM can only be used to alert personnel of security events.

C.   Use cases for non-security-related events do not function on a SIEM.

D.   Alerts for non-security-related events do not function on a SIEM.

56.   After analyzing events and incidents from the past year, an analyst has declared the existence of a problem. To what is the analyst referring?

A.   One or more controls are in a state of failure.

B.   The analyst is unable to access all incident data for the entire year.

C.   One or more high-criticality incidents have occurred.

D.   A specific type of incident is recurring.

57.   A DBA has determined that it is not feasible to directly back up a large database. What is the best remedy for this?

A.   Defragment the database to permit a linear backup.

B.   Change the database to read-only during a backup to preserve integrity.

C.   Compress the database to recover free space.

D.   Export the database to a flat file and back up the flat file.

58.   How feasible is it to use the results of a BIA in the creation of a system classification plan?

A.   A BIA will indicate sensitivity of specific data that is associated with critical business processes.

B.   A BIA will indicate operational criticality of specific data that is associated with critical business processes.

C.   A BIA does not correlate to specific information systems.

D.   A BIA does not correlate to specific data sets.

59.   A system engineer is reviewing critical systems in a data center and mapping them to individual electrical circuits. The engineer identified a system with two power supplies that are connected to the same plug strip. What should the engineer conclude from this?

A.   It is an acceptable practice to connect both power supplies to the same circuit.

B.   It is an acceptable practice to connect both power supplies to the same plug strip.

C.   The two power supplies should not be connected to the same circuit.

D.   The two power supplies should not be connected to the same plug strip.

60.   An IT architect is proposing a plan for improving the resilience of critical data in the organization. The architect proposes that applications be altered so that they confirm that transactions have been successfully written to two different storage systems. What scheme has been proposed?

A.   Journaling

B.   Mirroring

C.   Data replication

D.   Two-phase commit

61.   A department has completed a review of its business continuity plan through a moderated discussion that followed a specific, scripted disaster scenario. What kind of a review was performed?

A.   Walkthrough

B.   Simulation

C.   Parallel test

D.   Peer review

62.   What is the purpose of salvage operations in a disaster recovery plan?

A.   To identify the damage to, and recoverability of, critical equipment and assets

B.   To determine the scrap value of critical equipment and assets

C.   To ensure that all personnel are accounted for

D.   To identify business processes that can be resumed

63.   RAM is most commonly used as:

A.   Secondary storage

B.   Main storage

C.   Virtual disk

D.   CPU instruction cache

64.   All of the following are valid reasons for removing end users’ local administrator privileges on their workstations except:

A.   To reduce malware attack impact

B.   To prevent the use of personal web mail

C.   To prevent installation of unauthorized software

D.   To reduce the number of service desk support calls

65.   The primary mission of data governance is:

A.   To ensure the availability of sensitive and critical information

B.   To ensure the integrity of sensitive and critical information

C.   To control and monitor all uses of sensitive or critical information

D.   To ensure compliance with applicable privacy laws

66.   Many of the backout plans in the records of a change control process simply read, “Reverse previous steps.” What conclusion can be drawn from this?

A.   Backout plans are only relevant for emergency changes.

B.   Backout plans are not a part of a change management process.

C.   Backout plans are adequate.

D.   Backout plans are not as rigorous as they should be.

67.   The purpose of a business impact analysis (BIA) is primarily:

A.   To calculate risk in a risk assessment

B.   To determine the impact of a breach

C.   To determine process criticalities

D.   To determine process dependencies

68.   The purposes for pre-writing public statements describing the impact, response, and recovery from a disaster include all of the following except:

A.   During a disaster is not a good time to write such statements from scratch.

B.   Key personnel who would write such statements may not be available.

C.   Such public statements can be issued more quickly.

D.   Pre-written public statements are required by regulation.

QUICK ANSWER KEY

1. C

2. B

3. A

4. C

5. C

6. A

7. D

8. B

9. C

10. D

11. A

12. D

13. C

14. B

15. D

16. D

17. A

18. C

19. B

20. A

21. D

22. A

23. C

24. C

25. B

26. D

27. A

28. B

29. D

30. C

31. A

32. A

33. D

34. B

35. C

36. B

37. A

38. C

39. C

40. B

41. C

42. C

43. B

44. A

45. C

46. D

47. A

48. D

49. A

50. D

51. D

52. B

53. C

54. D

55. A

56. D

57. D

58. B

59. C

60. D

61. B

62. A

63. B

64. B

65. C

66. D

67. D

68. D

ANSWERS

1.   A device that forwards packets to their destination based on their destination IP address is known as a:

A.   Bridge

B.   Gateway

C.   Router

D.   Switch

  C. A router is a network device that forwards packets towards their destination.

  A is incorrect because a bridge forwards all packets regardless of their destination.

  B is incorrect because a gateway is an application-layer device that transforms packets from one protocol to another.

  D is incorrect because a switch forwards packets based on their MAC or IP address.

2.   A security manager is planning to implement a first-time use of a vulnerability scanning tool in an organization. What method should the security manager use to confirm that all assets are scanned?

A.   Compare the scan results with the accounting department asset inventory.

B.   Compare the scan results with the contents of the CMDB.

C.   Compare the scan results with a discovery scan performed by the vulnerability scanning tool.

D.   Compare the scan results with the latest network diagram.

  B. The best option to confirm that a vulnerability scan is catching all known assets is to compare it with a well-managed configuration management database (CMDB). In organizations lacking a CMDB, reconciliation of the scan results can be performed against other tools such as configuration management tools, anti-malware tools, or network management tools.

  A is incorrect because business asset inventories are not regarded as accurately reflecting all working systems in an environment. Further, a business asset inventory will not account for virtual machines.

  C is incorrect because a discovery scan will only find what is present on the network at the time the scan is performed. Assets that are not running at the time of the scan, and assets not reachable because of network ACLs, will not be identified in the discovery scan. Further, unauthorized devices will show up in a discovery scan.

  D is incorrect because network diagrams often do not include every individual device in an environment.
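The reconciliation described in this explanation, as an added example that is not part of the book: a Python script that compares a CMDB export against vulnerability scanner output (both constructed sample data, with a hypothetical key=value line format for the scanner) and reports CMDB assets the scanner never successfully reached, scanned hosts that are missing from the CMDB, and CMDB assets whose addresses lie outside the networks the scanner is configured to cover.

```python
"""Reconcile vulnerability-scan results against a CMDB asset list.

Added example, not from the book. All hosts, addresses and the scanner
line format are constructed for illustration.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Asset:
    hostname: str
    ip: str


# Constructed sample CMDB export (hypothetical hosts and addresses).
CMDB = [
    Asset("db01", "10.0.1.10"),
    Asset("web01", "10.0.1.20"),
    Asset("vm-app01", "10.0.2.5"),
    Asset("vm-app02", "10.0.2.6"),
    Asset("backup01", "10.0.3.7"),
    Asset("lab01", "10.0.4.4"),
]

# Constructed sample scanner output, one line per host the tool attempted.
# 10.0.3.7 was unreachable (offline or blocked by an ACL at scan time);
# 10.0.9.99 answered but is not registered in the CMDB.
SCAN_OUTPUT = """\
host=10.0.1.10 status=scanned findings=3
host=10.0.1.20 status=scanned findings=0
host=10.0.2.5 status=scanned findings=1
host=10.0.9.99 status=scanned findings=7
host=10.0.3.7 status=unreachable findings=0
"""

# Constructed scan scope: the networks the scanner is configured to cover.
SCAN_SCOPE = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]


def parse_scan(text):
    """Return {ip: status} from key=value scanner lines; malformed lines are skipped."""
    results = {}
    for line in text.splitlines():
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        if "host" in fields and "status" in fields:
            results[fields["host"]] = fields["status"]
    return results


def in_scope(ip, scope):
    """True if the address falls inside one of the configured scan networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in scope)


def reconcile(cmdb, scan_text, scope):
    """Compare CMDB assets with scan results and return the gaps.

    not_scanned  - CMDB hosts with no successful scan (offline, ACL-blocked,
                   or outside the configured scan scope)
    out_of_scope - CMDB hosts whose address is in none of the scanned networks
    unknown      - scanned addresses absent from the CMDB (unregistered or
                   unauthorized devices)
    coverage     - fraction of CMDB hosts that were successfully scanned
    """
    scanned = parse_scan(scan_text)
    cmdb_ips = {a.ip for a in cmdb}
    not_scanned = sorted(a.hostname for a in cmdb if scanned.get(a.ip) != "scanned")
    out_of_scope = sorted(a.hostname for a in cmdb if not in_scope(a.ip, scope))
    unknown = sorted(ip for ip, status in scanned.items()
                     if status == "scanned" and ip not in cmdb_ips)
    covered = len(cmdb) - len(not_scanned)
    return {
        "not_scanned": not_scanned,
        "out_of_scope": out_of_scope,
        "unknown": unknown,
        "coverage": covered / len(cmdb) if cmdb else 0.0,
    }


if __name__ == "__main__":
    for key, value in reconcile(CMDB, SCAN_OUTPUT, SCAN_SCOPE).items():
        print(f"{key}: {value}")
```

Each "not_scanned" entry needs a follow-up (was the host powered off, blocked by an ACL, or never in scope?), and each "unknown" entry is either a CMDB record to create or a device to investigate.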

3.   Which of the following methods should be used to create a point-in-time copy of a large production database?

A.   Storage system snapshot

B.   Storage system replication

C.   E-vaulting

D.   Export to a flat file that is backed up to tape

  A. A storage system snapshot is nearly instantaneous and is the best method for producing a “point-in-time” backup of a large database.

  B is incorrect because replication is not used to create a backup copy, but rather a live second copy of a data set.

  C is incorrect because e-vaulting does not necessarily create a point-in-time backup.

  D is incorrect because an export to a flat file and backup to tape would not be a point-in-time backup unless the database management system was quiesced.

4.   All of the following protocols are used for federated authentication except:

A.   OAuth

B.   SAML

C.   WSDL

D.   HMAC

  C. WSDL is a protocol used to describe the functionality of a web service.

  A is incorrect because OAuth is a protocol found in federated authentication.

  B is incorrect because SAML is a protocol found in federated authentication.

  D is incorrect because HMAC is a protocol found in federated authentication, although it has fallen out of common use.

5.   What is typically the most significant risk associated with end users being local administrators on their workstations?

A.   End users will have access to all confidential information.

B.   End users can install unauthorized software.

C.   Malware can run at the highest privilege level.

D.   End users can use tools to crack all domain passwords.

  C. If malware is introduced by the end user in a phishing or watering hole attack, the malware will run as an administrator, which is the highest privilege level on the system. Malware would have access to all files, data, and devices on the machine.

  A is incorrect because local administrative privileges should never result in end users having access to data on other systems.

  B is incorrect. While it is correct that end users who are local administrators can install software, this is generally not as severe a risk as a malware infection.

  D is incorrect because end users should not be able to access the encrypted password file for all users in the organization.

6.   Which of the following persons is best suited to approve users’ access to sensitive data in a customer database?

A.   Customer service manager

B.   IT service desk personnel

C.   Information security manager

D.   IT manager

  A. The customer service manager is the best available choice because a business leader is almost always more familiar with business processes than are IT and information security personnel. Further, because the customer service manager is responsible for customer service, this is the person who should be specifying which persons in the organization are permitted to access customer service data.

  B, C, and D are incorrect. These all are IT and IT security–related personnel who are not going to be as familiar with business unit or business department operations as the leaders of business units or business departments.

7.   An organization is planning a new SaaS service offering and is uncertain about the resources required to support the service. How should the organization proceed?

A.   Calculate projected performance using CMMI tools.

B.   Calculate projected performance using Zachman tools.

C.   Measure actual performance metrics in production.

D.   Build a working prototype and perform load tests.

  D. The best choice here is to build a prototype system that closely resembles the network, computing, and database activities and perform load testing. This will give the organization an idea of the capacity of the planned system. But because this technique is imperfect, load tests should be performed throughout the development process.

  A is incorrect because CMMI tools are used to measure process maturity, not system performance.

  B is incorrect because Zachman tools are used to develop an enterprise architecture, not system performance.

  C is incorrect because, while this technique will provide the most accurate data, it is better to get estimates earlier in the development process so that changes in architecture, coding, or business models can be made prior to completion of the project.

8.   What is the best definition of a problem in ITIL-based service management?

A.   Chronic exceptions in audits of IT systems

B.   The same incident that occurs repeatedly

C.   Repeated unscheduled downtime

D.   Unscheduled downtime that exceeds SLAs

  B. The definition of a problem in ITIL is a recurrence of the same type of incident. This indicates that there is something wrong with a business process or information system that needs to be corrected.

  A is incorrect because this is too narrow a definition. A problem can indeed be caused by repeated audit exceptions, but also with many other types of incidents.

  C is incorrect because this is too narrow a definition. A problem can definitely be behind repeated downtime incidents, but also other types of incidents.

  D is incorrect because this is too narrow a definition. Downtime that exceeds SLAs is indeed a problem, but many other types of chronic incidents also fit the definition of a problem in ITIL.

9.   Which of the following is the best relationship between system security and the use of vulnerability scanning tools?

A.   Vulnerability scanning is performed proactively, and it drives the security patching and hardening functions.

B.   Vulnerability scanning is performed proactively, and it drives the security patching function.

C.   Patching and hardening are performed proactively, and vulnerability scanning is used to verify their effectiveness.

D.   Patching is performed proactively, and vulnerability scanning is used to verify its effectiveness.

  C. The best use of vulnerability scanning is its functioning as a quality assurance activity, to ensure that security patching and system hardening are being performed effectively.

  A is incorrect because system security should not be driven by the vulnerability scanning function. Instead, patching and hardening should be performed proactively, with vulnerability scanning serving as a means of verifying that they are effective.

  B is incorrect because system security should not be driven by vulnerability scanning. Instead, patching and hardening should be proactive, with scanning used to verify their effectiveness.

  D is incorrect because system hardening should also be proactive.

10.   A SaaS provider and a customer are having a dispute about the availability of service, quality of service, and issue resolution provided by the SaaS provider. What type of a legal agreement should the parties add to their contract to better define these problems and their resolution?

A.   Pricing table

B.   Exit clause

C.   Performance addendum

D.   Service level agreement

  D. A service level agreement (SLA) is used to define the quantity and quality of service to be provided by a service provider to its customers. An SLA can cover issues such as transaction volume, service quality, issue resolution, and service availability.

  A is incorrect because pricing is not the core problem in this example.

  B is incorrect because an exit clause only addresses terms in which the parties can terminate the agreement; it does not address service quality.

  C is incorrect because a performance addendum is not the appropriate term for an agreement that addresses these problems.

11.   What is the purpose of a business impact analysis?

A.   It defines the most critical business processes.

B.   It defines the most critical IT applications.

C.   It defines the most critical service providers.

D.   It defines the disaster recovery plan.

  A. A business impact analysis (BIA) defines the most critical business processes in the organization. The BIA reveals which business processes warrant the development of emergency contingency planning and disaster recovery planning.

  B is incorrect because a BIA does not directly define the most critical IT applications.

  C is incorrect because a BIA does not directly define the most critical service providers; however, a BIA will reveal service providers required by the most critical business processes.

  D is incorrect because the BIA does not define the disaster recovery plan (DRP), but the BIA will help to drive development of the DRP.

12.   An IT architect needs to increase the resilience of a single application server. Which of the following choices will least benefit the server’s resilience?

A.   Active-active cluster

B.   Active-passive cluster

C.   Geo-cluster

D.   Redundant power supply

  D. A redundant power supply only addresses the problem of a power supply failure but does not address other failures such as storage or CPU.

  A, B, and C are incorrect because an active-active cluster, active-passive cluster, and geo-cluster all adequately address the complete failure of a single-server system, through the resumption of services by the other server(s) in the cluster.

13.   Which of the following backup schemes best protects an organization from ransomware?

A.   Storage system replication

B.   Storage system mirroring

C.   Storage system snapshots

D.   RAID-5

  C. Storage system snapshots effectively store the state of a storage system from time to time; if ransomware destroys files in the storage system, the system can be rolled back to a recent snapshot, effectively restoring damaged files.

  A is incorrect because replication will effectively replicate the damaging effects of ransomware from the primary storage system to other storage systems through their replication.

  B is incorrect because mirroring will effectively replicate the damaging effects of ransomware from primary storage to mirrored storage.

  D is incorrect because RAID-5 is used to improve storage system performance and would effectively allow ransomware to damage files more quickly.

14.   A mail order organization wants to develop procedures to be followed in the event that the main office building cannot be occupied, so that customer orders can still be fulfilled. What kind of a plan does the organization need to develop?

A.   Business impact analysis

B.   Business continuity plan

C.   Disaster recovery plan

D.   Emergency evacuation plan

  B. A business continuity plan is the document that describes procedures to be followed when events such as local and regional disasters prevent normal business operations.

  A is incorrect because a business impact analysis is used to determine which business processes are most critical and warrant the development of business continuity plans.

  C is incorrect because a disaster recovery plan is used to survey damage and salvage business equipment, as well as direct the initiation of procedures to activate alternative resources, such as IT systems in alternative locations if IT equipment in primary locations is inoperable.

  D is incorrect because an emergency evacuation plan, while important during disasters, does not contribute to the ability for an organization to continue the fulfillment of customer orders.

15.   An IT department is planning on implementing disaster recovery capabilities in some of its business systems. What means should be used to determine which applications require DR capabilities and to what level of recoverability?

A.   Business continuity plan

B.   Disaster recovery plan

C.   Risk assessment

D.   Business impact analysis

  D. A business impact analysis (BIA) is used to determine which business processes are most critical, and this leads to the development of recovery objectives, which in turn leads to the development of DR capabilities that meet those objectives.

  A is incorrect because, while a business continuity plan and a disaster recovery plan are closely related, the BIA is the tool that defines which business processes warrant the development of supporting DR capabilities.

  B is incorrect because a DR plan does not define which systems are to be covered or what recovery targets are to be met.

  C is incorrect because a risk assessment, while valuable, does not define which business processes warrant the development of DR plans.

16.   Which of the following is the most compelling reason for an organization to not automate its data purging jobs in support of data retention policies?

A.   DR planning

B.   Referential integrity

C.   Privacy breaches

D.   Legal holds

  D. Legal holds in most organizations are manual processes and involve the cessation of data purging for arbitrary sets of information. A better approach would be a manually initiated data purging process that is started only after it is determined that no legal holds exist for the data to be purged.

  A is incorrect because DR planning has little or no bearing on automatic purging of stale data.

  B is incorrect because referential integrity is a matter that can often be solved through structured data removal, but it’s not relevant to the automated starting of purge jobs.

  C is incorrect because privacy breaches on their own should have no bearing on the automatic purging of data.
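The answer above argues for a purge job that is started by hand only after a legal-hold check. The following is an added example of what that looks like in code; it is not from the book, and the record layout, hold registry, dates and function names are all constructed for illustration. The planner classifies expired records, the hold registry is consulted for every candidate, and the job refuses to run unless an operator has confirmed the hold review.

```python
"""Added example (not from the book): a retention purge job that is planned
from the retention policy but never deletes anything covered by a legal hold,
and that can only be started by an operator, not a scheduler.

Everything here is constructed for illustration: the record layout, the hold
registry, and the dates."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class LegalHold:
    """A hold may name custodians (all their records) and/or specific record ids."""
    matter: str
    custodians: frozenset = frozenset()
    record_ids: frozenset = frozenset()

    def covers(self, record: dict) -> bool:
        return (record["id"] in self.record_ids
                or record["custodian"] in self.custodians)


def plan_purge(records, holds, retention_days, today):
    """Classify records as eligible for purge, retained by a hold, or still
    within the retention period. Returns (eligible_ids, held, fresh_ids) where
    held is a list of (record_id, [matters]) so the decision is auditable."""
    cutoff = today - timedelta(days=retention_days)
    eligible, held, fresh = [], [], []
    for rec in records:
        if rec["created"] > cutoff:
            fresh.append(rec["id"])
            continue
        matters = [h.matter for h in holds if h.covers(rec)]
        if matters:
            held.append((rec["id"], matters))
        else:
            eligible.append(rec["id"])
    return eligible, held, fresh


def run_purge(store, holds, retention_days, today, operator_confirmed=False):
    """Manual gate: the job refuses to run unless an operator has reviewed the
    hold registry and explicitly confirmed. The registry is re-checked here
    anyway, so a hold added after the review is still honoured."""
    if not operator_confirmed:
        raise PermissionError(
            "purge must be started by an operator after a legal-hold review")
    eligible, held, _ = plan_purge(list(store.values()), holds,
                                   retention_days, today)
    for rid in eligible:
        del store[rid]  # the actual deletion, only for expired, unheld records
    return eligible, held


# Constructed sample data
TODAY = date(2024, 6, 30)
RETENTION_DAYS = 7 * 365
RECORDS = [
    {"id": "R1", "custodian": "alice", "created": date(2016, 1, 10)},  # expired, no hold
    {"id": "R2", "custodian": "bob",   "created": date(2016, 3, 5)},   # expired, custodian held
    {"id": "R3", "custodian": "alice", "created": date(2017, 2, 1)},   # expired, record held
    {"id": "R4", "custodian": "carol", "created": date(2024, 1, 15)},  # within retention
]
HOLDS = [
    LegalHold("Matter-001", custodians=frozenset({"bob"})),
    LegalHold("Matter-002", record_ids=frozenset({"R3"})),
]

if __name__ == "__main__":
    store = {r["id"]: r for r in RECORDS}
    deleted, held = run_purge(store, HOLDS, RETENTION_DAYS, TODAY,
                              operator_confirmed=True)
    print("deleted:", deleted)          # ['R1']
    print("retained by hold:", held)    # [('R2', ['Matter-001']), ('R3', ['Matter-002'])]
```

The important design choice is that the hold check lives inside the purge path rather than in the operator's head: the confirmation flag stops an unattended scheduler from starting the job, and the in-code registry check stops a record under hold from being deleted even if the reviewer missed it.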

17.   Which of the following schemes is most likely to be successful for workstations used by a mobile workforce?

A.   Automated patching followed by a system restart that the end user can control

B.   Automated patching and restarts

C.   End-user-initiated patching and restarts

D.   Applying only those patches not requiring a system restart

  A. Automated patching, together with giving end users some control over restarts, is most likely to be successful, as this gives users an option to defer restarts (for a while) so that important work is not interrupted.

  B is incorrect because automated restarts are likely to disrupt critical business activities (such as an executive presentation) from time to time.

  C is incorrect because end users are not inclined or likely to be diligent about initiating patching jobs.

  D is incorrect because this plan will result in the absence of many critical patches, which could lead to an increased frequency and impact of malware attacks.

18.   An IT department completed a data discovery assessment and found that numerous users were saving files containing sensitive information on organization-wide readable file shares. Which of the following is the best remediation for this matter?

A.   Remove the offending files from the org-wide share.

B.   Announce to users that the org-wide readable share is not for sensitive data.

C.   Change the org-wide readable share to read-only for most users.

D.   Change the org-wide readable share to write-only for most users.

  C. In most organizations, few people truly need to write to the organization-wide readable share (for example, HR, legal, and IT). This will drive users to use department shares for saving sensitive data, which will result in lower risk to the business since sensitive data would then be readable only by personnel in their respective departments instead of the entire organization. Further improvement opportunities may be found after that.

  A is incorrect because simply removing the files containing sensitive information is not likely to solve the problem, as similar files may soon reappear.

  B is incorrect because many users typically ignore such reminders, and many do not read them at all.

  D is incorrect because making the share write-only would result in the org-wide share being unreadable.

19.   For which users or groups should the SQL listener on a database management system be accessible?

A.   For the application accounts only

B.   For the application and DBA accounts only

C.   For DBA accounts only

D.   For DBA accounts plus all users of the application

  B. Applications that need to access the database need to be able to access the SQL listener on a database server, as do DBAs who need to perform maintenance on the system.

  A is incorrect because this would deprive the DBA from being able to access the SQL listener.

  C is incorrect because this would deprive applications that need to access the database management system.

  D is incorrect because application end users should not be given direct access to the SQL listener. Instead, capabilities in the application should be provided that give users the access they need.

20.   An organization’s financial accounting system crashes every Friday night after backups have completed. In ITIL terms, what process should be invoked?

A.   Problem management

B.   Incident management

C.   Capacity management

D.   Business continuity management

  A. Problem management is the correct ITIL process to be invoked when similar incidents are recurring.

  B is incorrect because incident management is used to manage individual incidents, but not the recurrence of similar incidents.

  C is incorrect because capacity management is not the correct response, unless problem management reveals that the crashes are occurring as a result of a capacity issue.

  D is incorrect because business continuity management is concerned with the continuation of business processes during disasters.

21.   An IT organization is investigating a problem in its change management process whereby many changes have to be backed out because they could not be completed or because verifications failed. Which is the best remedy for this situation?

A.   Increase the size of change windows.

B.   Require a separate person to verify changes.

C.   Require change requests to have better backout procedures.

D.   Require more rigorous testing in a test environment prior to scheduling changes in production.

  D. Repeated implementation failures should first call for more rigorous testing in a test or staging environment in order to iron out any issues that may occur when changes are applied in production environments.

  A is incorrect because the problem does not appear to be one where there is insufficient time to implement changes.

  B is incorrect because using a different person to verify changes does not appear to be at the heart of the issue.

  C is incorrect because improved backout procedures are not likely the remedy for failed implementations.

22.   Which language is used to change the schema in a database management system?

A.   DDL

B.   SQL

C.   Stored procedures

D.   JCL

  A. DDL, or Data Definition Language, is most commonly used to change the schema (or architecture of a database) in a database management system.

  B is incorrect because SQL is not often used to change the schema of a DBMS.

  C is incorrect because stored procedures play a different role in a database management system.

  D is incorrect because JCL is a batch control language on mainframe computers.

23.   A DBA has been asked to limit the tables, rows, or columns that are visible to some users with direct database access. Which solution would best fulfill this request?

A.   Create alternative user accounts.

B.   Move those users into different AD groups.

C.   Create one or more views.

D.   Change the schema for those users.

  C. A view provides the appearance of virtual tables that are parts of real tables.

  A is incorrect because creating alternative user accounts is not the best solution for this request.

  B is incorrect because access permissions may not fully fulfill this request.

  D is incorrect because it’s not possible to change the schema for users, other than creating one or more views.
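Questions 22 and 23 both turn on the difference between changing a schema and reading data, and on what a view actually does. The following is an added example, not from the book, that uses Python's built-in sqlite3 module so it runs offline: the `CREATE TABLE` and `CREATE VIEW` statements are DDL (they change the schema), the `INSERT` is DML, and the view exposes only some columns and rows of the underlying table. The table, column names and rows are constructed for the example.

```python
"""Added example (not from the book): DDL versus DML, and a view that exposes
only part of a table. Uses sqlite3 so it runs offline; the schema and data are
constructed for illustration."""
import sqlite3

# DDL: statements that define or change the schema.
DDL = """
CREATE TABLE employees (
    id         INTEGER PRIMARY KEY,
    name       TEXT NOT NULL,
    department TEXT NOT NULL,
    salary     INTEGER NOT NULL,
    ssn        TEXT NOT NULL
);
-- A view is also DDL: it adds a virtual table to the schema without copying data.
-- It hides the salary and ssn columns and the rows of one department.
CREATE VIEW employees_directory AS
    SELECT id, name, department
    FROM employees
    WHERE department <> 'Executive';
"""

# DML: statements that work on the data inside the schema.
DML = """
INSERT INTO employees (name, department, salary, ssn) VALUES
    ('Ada', 'Engineering', 120000, '000-00-0001'),
    ('Bea', 'Finance',      95000, '000-00-0002'),
    ('Cy',  'Executive',   300000, '000-00-0003');
"""


def build_db():
    """Create an in-memory database, apply the DDL, then load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(DDL)
    conn.executescript(DML)
    return conn


def view_columns(conn, name):
    """Column names the schema exposes for a table or view."""
    return [row[1] for row in conn.execute(f"PRAGMA table_info({name})")]


def directory_rows(conn):
    """What a user who can only query the view would see."""
    return conn.execute(
        "SELECT name, department FROM employees_directory ORDER BY id"
    ).fetchall()


def can_read_ssn_through_view(conn):
    """The hidden column is not merely filtered; it does not exist in the view."""
    try:
        conn.execute("SELECT ssn FROM employees_directory")
        return True
    except sqlite3.OperationalError:
        return False


if __name__ == "__main__":
    db = build_db()
    print(view_columns(db, "employees_directory"))   # ['id', 'name', 'department']
    print(directory_rows(db))                        # [('Ada', 'Engineering'), ('Bea', 'Finance')]
    print(can_read_ssn_through_view(db))             # False
```

sqlite3 has no account model, so the example stops at the view itself. In a server DBMS the second half of the request is a privilege grant: the restricted users get `SELECT` on `employees_directory` and no privilege on `employees`, so the view is the only path they have to the data.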

24.   An organization’s IT department developed DR capabilities for some business applications prior to a BIA ever being performed. Now that a BIA has been performed, it has been determined that some IT applications’ DR capabilities exceed what is called for in the BIA and that other applications fall short. What should be done to remedy this?

A.   Redo the BIA, using existing DR capabilities as inputs.

B.   Make no changes, as this is the expected result.

C.   Change IT application DR capabilities to align with the BIA.

D.   Change the BIA to align with IT application DR capabilities.

  C. DR capabilities need to align with the results of the BIA, including established recovery objectives.

  A is incorrect because the BIA does not need to be redone. It is the IT DR capabilities that require adjustment.

  B is incorrect because this misalignment between the BIA and DR capabilities is not an expected result.

  D is incorrect because the BIA should not be changed to align with DR capabilities. It is the reverse that should be performed.

25.   What is the purpose of hot-pluggable drives in a storage system?

A.   Ability to replace drives that have crashed or overheated

B.   Ability to replace drives while the storage system is still running

C.   Ability to replace drives without the risk of harm to personnel

D.   Ability to install additional drives without powering down the system

  B. The term “hot-pluggable drives” refers to the ability to remove and replace drives in a storage system while the system is still running. Together with RAID capabilities, there would be no interruption in the storage system’s ability to read and write data to the drives.

  A is incorrect because this reason is too limited: while hot-pluggable drives would indeed permit personnel to replace drives that have crashed or overheated, they also permit personnel to remove and replace them for any reason.

  C is incorrect because this is not the definition of hot-pluggable drives.

  D is incorrect because this definition is too limiting: while it is true that hot-pluggable drives permit additional drives to be added to the system, they also permit faulty drives to be removed and replaced.

26.   What is the primary purpose for data restoration testing?

A.   To meet regulatory requirements

B.   To prove that bare-metal restores can be performed

C.   To see how long it takes to restore data from backup

D.   To ensure that backups are actually being performed

  D. Restoration testing proves that data is actually being written to backup media. It also demonstrates that personnel know how to restore data.

  A is incorrect because regulatory requirements are a minor consideration here.

  B is incorrect because restoration testing does not necessarily test bare-metal restores.

  C is incorrect because the time required to restore data is not a major consideration.

27.   Which of the following should approve RTO and RPO targets?

A.   Senior business executives

B.   Board of directors

C.   CISO

D.   CIO

  A. Senior business executives should approve RTO and RPO targets. As business leaders, senior executives are in the best position to decide how much downtime the organization will tolerate in the event of a minor or major disaster. Further, senior executives are going to be in the best position to fund and provide resources for IT to implement DR capabilities to meet these objectives.

  B is incorrect because the board of directors does not usually become involved in operational matters.

  C is incorrect because the CISO is responsible for cybersecurity, not business resilience related to disasters.

  D is incorrect because the CIO is responsible for implementing DR capabilities to support RPO and RTO targets, but does not select the targets.

28.   An organization has developed its first-ever disaster recovery plan. What is the best choice for the first round of testing of the plan?

A.   Cutover test

B.   Walkthrough

C.   Simulation

D.   Parallel test

  B. The best choice here is for participants to walk through the plan and discuss all of the steps in detail.

  A is incorrect because a cutover test is the highest-risk test available and should be performed only after successful walkthroughs, simulations, and parallel tests.

  C is incorrect because a simulation should be performed after walkthroughs have identified improvement areas.

  D is incorrect because a parallel test should not be performed until at least a walkthrough and simulation have first been performed.

29.   Which of the following best describes the purpose of a hypervisor?

A.   It creates and manages virtual desktops.

B.   It creates and manages containers.

C.   It installs software on virtual machines.

D.   It creates and manages virtual machines.

  D. A hypervisor, whether hosted or bare-metal, is used to create, manage, and run virtual machines.

  A is incorrect because a hypervisor is not typically used to create virtual desktops.

  B is incorrect because a hypervisor is not used to create containers.

  C is incorrect because hypervisors are not used to install software on virtual machines.

30.   Which of the following best fits the definition of a set of structured tables with indexes, primary keys, and foreign keys?

A.   Hierarchical database

B.   Object database

C.   Relational database

D.   Network database

  C. A relational database is one with structured tables containing rows and columns, with indexes, primary keys, and foreign keys.

  A is incorrect because a hierarchical database has a different structure than the one described.

  B is incorrect because an object database has a different structure than the one described.

  D is incorrect because a network database has a different structure than the one described.

31.   An organization uses its vulnerability scanning tool as its de facto asset management system. What is the biggest risk associated with this approach?

A.   Network engineers could build new IP networks not included in the scanning tool’s configuration.

B.   System engineers could implement new servers that the scanning tool won’t see.

C.   System engineers could implement new virtual machines that the scanning tool won’t see.

D.   IP source routing could prevent the scanning tool from seeing all networks.

  A. The biggest risk of using a vulnerability scanning tool as a tool for tracking assets is that these tools are generally configured to scan a list of IP networks. If a network engineer creates a new IP network and does not inform the personnel who manage the scanning tool, the tool won’t detect the new IP network or any systems and devices that reside in it.

  B is incorrect because vulnerability scanning tools generally scan IP networks and would generally detect new systems and devices automatically.

  C is incorrect because new virtual machines should be detected, provided they reside on an existing IP network and are active.

  D is incorrect because IP source routing would not necessarily interfere with a vulnerability scanning tool’s operation.
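The risk in the answer above is a scope gap: routed address space that the scanner was never told about. An added example follows, not from the book, that checks for exactly that by comparing the scanner's configured target networks against the networks actually routed in the environment. Both lists are constructed here; in practice the routed list would come from an IPAM export or router tables, and the scanner list from the scanner's target configuration. The check handles partial overlap (a routed /23 of which only one /24 is scanned), not just networks that are missing entirely.

```python
"""Added example (not from the book): report routed IP networks that no
vulnerability-scanner target covers. Uses only the standard library."""
import ipaddress

# Constructed: what the scanning team configured as targets.
SCANNER_TARGETS = ["10.1.0.0/16", "10.2.10.0/24", "10.3.0.0/24", "192.168.50.0/24"]

# Constructed: what routing/IPAM says exists, including networks added later.
ROUTED_NETWORKS = [
    "10.1.0.0/16",        # fully scanned
    "10.2.10.0/24",       # fully scanned
    "10.2.11.0/24",       # new, never added to the scanner
    "10.3.0.0/23",        # only the first /24 of this is scanned
    "192.168.50.0/25",    # both halves sit inside a scanned /24
    "192.168.50.128/25",
    "172.16.8.0/22",      # new, never added to the scanner
]


def parse_networks(cidrs):
    # strict=True rejects host bits set in a prefix, which usually means a typo
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def uncovered_networks(scanner_targets, routed_networks):
    """Return the routed address space (as CIDR strings) that lies outside every
    scanner target. Two CIDR blocks either nest or are disjoint, so each routed
    block is reduced by removing any target nested inside it."""
    scope = parse_networks(scanner_targets)
    gaps = []
    for net in parse_networks(routed_networks):
        remaining = [net]
        for target in scope:
            if target.version != net.version:
                continue
            reduced = []
            for piece in remaining:
                if piece.subnet_of(target):
                    continue                      # fully covered, drop it
                if target.subnet_of(piece):
                    reduced.extend(piece.address_exclude(target))  # partly covered
                else:
                    reduced.append(piece)         # disjoint, keep as is
            remaining = reduced
        gaps.extend(remaining)
    v4 = [g for g in gaps if g.version == 4]
    v6 = [g for g in gaps if g.version == 6]
    merged = list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))
    return [str(g) for g in merged]


def unscanned_address_count(scanner_targets, routed_networks):
    """How many routed addresses the scanner can never report on."""
    return sum(ipaddress.ip_network(g).num_addresses
               for g in uncovered_networks(scanner_targets, routed_networks))


if __name__ == "__main__":
    for gap in uncovered_networks(SCANNER_TARGETS, ROUTED_NETWORKS):
        print("not in scanner scope:", gap)
    print("unscanned addresses:", unscanned_address_count(SCANNER_TARGETS, ROUTED_NETWORKS))
```

Running this on a schedule, or as part of the network change process, turns the risk in the answer into a detectable condition: a network engineer can still create a new network without telling the scanning team, but the next run of the comparison reports it.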

32.   Which of the following systems should be used for populating the IT asset database in an elastic cloud environment?

A.   Hypervisor

B.   Vulnerability scanning tool

C.   Patch management tool

D.   CMDB

  A. The hypervisor is the system that manages the creation and use of virtual machines in an environment where virtual machines are created dynamically to support workload.

  B is incorrect because a vulnerability scanning tool is only going to detect virtual machines that are active during the scan.

  C is incorrect because the patch management tool may not be automatically aware of new virtual machines.

  D is incorrect because the CMDB is an IT asset database.

33.   What is a typical frequency for running a job that checks Active Directory for unused user accounts?

A.   Every hour

B.   Every 24 hours

C.   Every 7 days

D.   Every 90 days

  D. Ninety days is the most typical interval for checking for dormant user accounts.

  A is incorrect because checking for dormant user accounts every hour is excessive.

  B is incorrect because checking for dormant user accounts every day is excessive.

  C is incorrect because checking for dormant user accounts every week is excessive.
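As an added example of the job the question refers to, not from the book, the following runs a dormant-account check over a constructed directory export rather than a live Active Directory. It also carries the caveat a practitioner needs when reading AD's `lastLogonTimestamp`: by default that attribute is only refreshed when its current value is more than about 14 days old, so a cutoff of exactly 90 days will flag some accounts that were in fact used more recently. The account names, dates and function names are constructed for illustration.

```python
"""Added example (not from the book): find enabled accounts that look unused.
Runs over a constructed export; the replication-lag allowance reflects AD's
default lastLogonTimestamp behaviour (refreshed only when ~14 days old)."""
from datetime import datetime, timedelta, timezone

DORMANT_AFTER_DAYS = 90
AD_LOGON_STAMP_SLACK_DAYS = 14   # default msDS-LogonTimeSyncInterval

NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)


def _days_ago(n):
    return NOW - timedelta(days=n)


# Constructed export; last_logon None means the account has never logged on.
ACCOUNTS = [
    {"sam": "alice",   "enabled": True,  "created": _days_ago(400), "last_logon": _days_ago(10)},
    {"sam": "bob",     "enabled": True,  "created": _days_ago(400), "last_logon": _days_ago(120)},
    {"sam": "carol",   "enabled": True,  "created": _days_ago(400), "last_logon": _days_ago(95)},
    {"sam": "dave",    "enabled": True,  "created": _days_ago(200), "last_logon": None},
    {"sam": "erin",    "enabled": True,  "created": _days_ago(5),   "last_logon": None},
    {"sam": "svc-old", "enabled": False, "created": _days_ago(900), "last_logon": _days_ago(300)},
]


def find_dormant(accounts, now, threshold_days=DORMANT_AFTER_DAYS,
                 stamp_slack_days=AD_LOGON_STAMP_SLACK_DAYS):
    """Return [(sam, reason)] for enabled accounts that appear unused.

    The stamp may lag the real last logon by up to stamp_slack_days, so an
    account is reported only when even the latest possible real logon is
    older than threshold_days. Accounts that never logged on are judged by
    their creation date, which is exact."""
    cutoff = now - timedelta(days=threshold_days + stamp_slack_days)
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled; belongs to the deprovisioning process
        last = acct["last_logon"]
        if last is None:
            age = (now - acct["created"]).days
            if age > threshold_days:
                findings.append((acct["sam"], f"never logged on; created {age} days ago"))
        elif last < cutoff:
            findings.append((acct["sam"], f"no logon for {(now - last).days} days"))
    return findings


if __name__ == "__main__":
    for sam, reason in find_dormant(ACCOUNTS, NOW):
        print(f"{sam}: {reason}")
    # bob: no logon for 120 days
    # dave: never logged on; created 200 days ago
```

Note that `carol` (95 days) is not reported with the default slack but is reported when the slack is set to zero; that difference is the false positive the replication lag would otherwise produce. The 90-day run interval from the answer and the 90-day dormancy threshold are separate settings; the example only implements the threshold.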

34.   The system interface standard that includes process control, IPC, and shared memory is known as:

A.   Unix

B.   POSIX

C.   ActiveX

D.   Ultrix

  B. POSIX is the system interface standard that includes several components, such as process control, interprocess communication (IPC), named pipes, and files and file systems.

  A is incorrect because Unix is not an interface standard, but an operating system.

  C is incorrect because ActiveX does not include all of these components.

  D is incorrect because Ultrix is not an interface standard, but an operating system.

35.   An environment consisting of centralized servers running end-user operating systems that display on users’ computers is known as:

A.   Hosted hypervisor

B.   Bare-metal hypervisor

C.   Virtual desktop infrastructure

D.   Reverse Telnet

  C. A virtual desktop infrastructure (VDI) consists of one or more centralized servers that run end-user desktop operating systems that display on users’ computers.

  A is incorrect because a hosted hypervisor does not match the environment description.

  B is incorrect because a bare-metal hypervisor does not match the environment description.

  D is incorrect because reverse Telnet does not match the environment description.

36.   A data privacy officer recently commissioned a data discovery exercise to understand the extent to which sensitive data is present on the company’s world-readable file share. The exercise revealed that dozens of files containing large volumes of highly sensitive data were present on the file share. What is the best first step the data privacy officer should take?

A.   Remove all instances of files containing large volumes of highly sensitive data.

B.   Investigate each instance to see whether any files are a part of business processes.

C.   Sanction the users who placed the files there for violations of internal privacy policy.

D.   Do nothing, as this is an acceptable practice for files of this type.

  B. The most prudent move is for the DPO to investigate the files that were found to better understand why they are there. Possibly, some are part of vital business processes (which, in many cases, would need to be adjusted to avoid exposing the information).

  A is incorrect because removing all files may inadvertently disrupt an existing important business process (which may need to be adjusted to avoid exposing this data).

  C is incorrect because there may be some legitimate files among those that were found.

  D is incorrect because inaction would unnecessarily expose the organization to potential privacy violations. Files containing large volumes of sensitive information probably should not be present on file shares readable by the entire organization.

37.   A new IT manager is making improvements in the organization’s management of unplanned outages. The IT manager has built a new process where repeated cases of similar outages are analyzed in order to identify their cause. What process has the IT manager created?

A.   Problem management

B.   Incident management

C.   Root cause analysis

D.   Security event management

  A. Analysis of repeated incidents is known as problem management.

  B is incorrect because incident management is the management of individual incidents.

  C is incorrect. While root cause analysis may be a part of the process described, the overall process is better known as problem management.

  D is incorrect because security event management is concerned with the response to security events and incidents.

38.   A new IT manager is making improvements in the organization’s management of the detailed settings on servers and network devices. The process that the IT manager has made is a part of:

A.   Vulnerability management

B.   System hardening

C.   Configuration management

D.   Performance management

  C. The IT manager is making improvements to the configuration management process.

  A is incorrect because vulnerability management is the process of identifying and mitigating vulnerabilities on systems and devices.

  B is incorrect because system hardening is the process of making systems more resistant to attack.

  D is incorrect because performance management is concerned with improving the efficiency of systems.

39.   A new IT manager is making improvements in the organization’s management of the detailed settings on servers and network devices. The process includes the creation of a repository for storing details about this information. This repository is known as:

A.   An asset management database

B.   A vulnerability management database

C.   A configuration management database

D.   A system hardening standard

  C. A repository containing the configuration of systems is known as a configuration management database (CMDB).

  A is incorrect because an asset management database is going to contain basic information about an organization’s assets.

  B is incorrect because a vulnerability management database (which is not a common term) might contain information about vulnerabilities in systems and devices.

  D is incorrect because a system hardening standard specifies the configuration for making systems more resistant to attack.

40.   A new IT manager is making improvements in how the organization makes its systems and devices more resilient to attacks. The IT manager should update:

A.   The vulnerability management process

B.   The system and device hardening standard

C.   The configuration management database

D.   The security incident response plan

  B. A system and device hardening standard specifies the configurations to be used to make systems and devices more resistant to attack.

  A is incorrect because a vulnerability management process is concerned with techniques used to identify and remediate vulnerabilities on systems and devices.

  C is incorrect because a configuration management database contains information about the configuration of systems and devices.

  D is incorrect because a security incident response plan contains procedures to follow when a security incident occurs.

41.   A customer of a SaaS provider is complaining about the SaaS provider’s lack of responsiveness in resolving security issues. What portion of the contract should the customer refer to when lodging a formal complaint?

A.   Service description

B.   System availability

C.   Service level agreement

D.   Security controls

  C. A service level agreement (SLA) defines terms of responsiveness to various types of services and service issues.

  A is incorrect because a service description is more likely to describe the services rendered, not the resolution of security issues.

  B is incorrect because this is not an issue about system availability.

  D is incorrect because this is not a matter of security controls, but of service levels.

42.   Computer code that is found within the contents of a database is known as a:

A.   Blob

B.   Function

C.   Stored procedure

D.   Subroutine

  C. A stored procedure is computer code that is stored in a database and executed when called.

  A is incorrect because a blob, or binary large object, does not typically store code, but instead is usually a video, image, or audio recording.

  B is incorrect because a function is a segment of a computer program.

  D is incorrect because a subroutine is a segment of a computer program.

43.   An organization is starting its first-ever effort to develop a business continuity and disaster recovery plan. What is the best first step to perform in this effort?

A.   Criticality analysis

B.   Business impact analysis

C.   Setting recovery targets

D.   Selecting a DR site

  B. A business impact analysis (BIA) is used to enumerate business processes and their dependencies upon other processes, assets, personnel, and service providers.

  A is incorrect. A criticality analysis is performed after the business impact analysis to determine the criticality of business processes identified in the BIA.

  C is incorrect because recovery targets are established after the maximum tolerable downtime (MTD) and BIA are completed.

  D is incorrect because a DR site is not selected until the BIA, CA, and recovery targets are established.

44.   What is the purpose for connecting two redundant power supplies to separate electrical circuits?

A.   System resilience in case one electrical circuit fails

B.   To balance electrical load between the circuits

C.   To balance the phasing between the circuits

D.   To avoid overloading a single electrical circuit

  A. A system with redundant power supplies will be more resilient if the power supplies are connected to separate electrical circuits (and even more resilient if the circuits lead to separate PDUs, UPSs, electrical feeds, and generators). In the event of a failure in any of these components, the others will still supply power to the system.

  B is incorrect because this is not a primary purpose for connecting power supplies to separate circuits.

  C is incorrect because this is not a primary purpose for connecting power supplies to separate circuits.

  D is incorrect because circuit loading is not usually performed using this technique.

45.   An IT organization is modernizing its tape backup system by replacing its tape library system with a storage array, while keeping its tape backup software system. What has the organization implemented?

A.   E-vaulting

B.   S-vaulting

C.   Virtual tape library

D.   Mirroring

  C. A virtual tape library (VTL) is a storage system that emulates a tape library system. A VTL is used when an organization wishes to retain its tape backup software platform while modernizing the actual backup storage.

  A is incorrect because e-vaulting is the practice of sending backup data to a cloud storage provider.

  B is incorrect because s-vaulting is not a valid term.

  D is incorrect because mirroring involves real-time duplication of data stored on a primary storage system to a secondary or tertiary storage system.

46.   An IT organization is modernizing its tape backup system by sending data to a cloud storage provider. What has the organization implemented?

A.   Replication

B.   Mirroring

C.   Virtual tape library

D.   E-vaulting

  D. E-vaulting is the process of backing up data to a cloud storage provider using backup software created for that purpose.

  A is incorrect because replication is the near-real-time copying of disk storage transactions from a primary storage system to a secondary storage system.

  B is incorrect because mirroring is a block-by-block duplication of data stored on a primary storage system onto a secondary storage system.

  C is incorrect because a virtual tape library (VTL) is a disk-based storage system that emulates a tape library system.

47.   A city government department that accepts payments for water use has developed a procedure to be followed when the IT application for processing payments is unavailable. What type of procedure has been developed?

A.   Business continuity plan

B.   Disaster recovery plan

C.   Business impact analysis

D.   Backout plan

  A. The procedure developed is a business continuity plan, which is an emergency operations procedure to be followed when one or more critical assets required for the business-as-usual procedure are unavailable.

  B is incorrect because a disaster recovery plan is a set of procedures to be followed to assess damage and restore operation of critical assets such as IT systems and other business equipment.

  C is incorrect because a business impact analysis is a study to enumerate critical business processes and their dependencies.

  D is incorrect because a backout plan is a procedure in the change management process used to restore a system to its pre-changed state in the event that the change was unsuccessful.

48.   A city government IT department has developed a procedure to be followed when the primary application for accepting water usage payments has been incapacitated. The procedure calls for the initiation of a secondary application in a different data center. What type of procedure has been developed?

A.   Business continuity plan

B.   Backout plan

C.   Security incident response plan

D.   Disaster recovery plan

  D. The procedure created is a disaster recovery plan.

  A is incorrect because a business continuity plan is a business-level procedure to be followed in the event that critical assets or personnel are unavailable to continue operations of important business processes.

  B is incorrect because a backout plan is a procedure in the change management process used to restore a system to its pre-changed state in the event that the change was unsuccessful.

  C is incorrect because a security incident response plan is a procedure to be followed in the event of a security incident or breach.

49.   What is the most important factor to consider in the development of a disaster recovery plan?

A.   The safety of personnel

B.   The availability of critical data

C.   Notification of civil authorities

D.   The continuity of critical operations

  A. The safety of personnel should always be the highest priority in any disaster recovery plan.

  B is incorrect because the availability of critical data, while important, is less critical than the safety of personnel.

  C is incorrect because the notification of civil authorities is important, but less important than the safety of personnel.

  D is incorrect because the continuity of critical operations is key to the resilience of the organization, but less important than the safety of personnel.

50.   An SSD is most commonly used as:

A.   Backup storage

B.   Removable storage

C.   Main storage

D.   Secondary storage

  D. Solid-state drives (SSDs) are most commonly used as secondary storage. Prior to SSDs, hard-disk drives (HDDs) were used as secondary storage.

  A is incorrect because SSDs are not most commonly used as backup storage.

  B is incorrect because SSDs are not most commonly used as removable storage.

  C is incorrect because RAM (random access memory) is used as a system’s main storage.

51.   The phrase “you can’t protect what you don’t know about” refers to which key IT process?

A.   Vulnerability management

B.   License management

C.   Patching

D.   Asset management

  D. Asset management is a critical process that other processes, such as vulnerability management, patch management, and license management, depend upon. It is the author’s opinion that asset management is the #1 control objective in the CIS Critical Controls for this reason.

  A is incorrect because vulnerability management is dependent upon sound asset management to ensure that all assets are identified and their vulnerabilities remediated in a timely manner.

  B is incorrect because license management is not related to the protection of assets.

  C is incorrect because patching is dependent upon vulnerability management and asset management.

52.   The SOAP protocol is related to:

A.   The patch management process

B.   The exchange of data through an API

C.   The vulnerability management process

D.   Memory garbage collection

  B. SOAP, or Simple Object Access Protocol, is an XML-based messaging protocol used by web service APIs to exchange data between systems over a network.

  A is incorrect because SOAP is not related to the patch management process.

  C is incorrect because SOAP is not related to the vulnerability management process.

  D is incorrect because SOAP is not related to memory garbage collection.

53.   Restricting USB-attached storage on end-user workstations addresses all of the following except:

A.   Leakage of intellectual property

B.   Malware infection

C.   System capacity management

D.   Personal use of a workstation

  C. Restrictions of USB storage often address leakage of intellectual property or personally sensitive information, malware infection, and personal uses of a workstation. Restricting USB has little or nothing to do with system capacity management.

  A is incorrect because leakage of intellectual property is often a primary reason for restricting USB-attached storage on workstations.

  B is incorrect because malware control is often a primary reason for restricting USB-attached storage.

  D is incorrect because personal use of a workstation is sometimes a reason for restricting the use of USB-attached storage—for example, to prevent a user from downloading personal documents onto a work-related computer.

54.   The primary purpose of a dynamic DLP system is:

A.   To detect unauthorized personal use of a workstation

B.   To detect unauthorized use of personal web mail

C.   To control unauthorized access to sensitive information

D.   To control unauthorized movement of sensitive information

  D. The main purpose of dynamic DLP (data loss prevention) is to control the unauthorized movement of sensitive information. For example, a dynamic DLP solution can prevent sensitive information from being stored on an external USB-attached storage device or transmitted through e-mail.

  A is incorrect because a dynamic DLP solution is not used to detect personal use of a workstation.

  B is incorrect because a primary purpose of dynamic DLP is not to detect or block personal web mail. However, a dynamic DLP system can prevent the transmission of sensitive data via personal web mail.

  C is incorrect because system access controls are more commonly used to prevent unauthorized access to sensitive information.

55.   How suitable is a SIEM for alerting personnel of system capacity and performance issues?

A.   If syslog events are generated, use cases related to performance and capacity can be developed.

B.   A SIEM can only be used to alert personnel of security events.

C.   Use cases for non-security-related events do not function on a SIEM.

D.   Alerts for non-security-related events do not function on a SIEM.

  A. A SIEM is a general-purpose system used to ingest log data from systems and devices and to create alerts when specific types of log entries are received. There is no limit to the types of log data and alerts that can be employed in a SIEM.

  B is incorrect because a SIEM can be used for security and non-security events.

  C is incorrect because a SIEM can be used for security and non-security events.

  D is incorrect because a SIEM can generate alerts for any type of event. However, for non-security-related events, an administrator may need to develop a custom use case to detect a non-security-related event and generate an alert for it.
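The non-security use case the explanation describes, as an added example that is not part of the original text: a minimal SIEM-style pipeline that parses constructed syslog lines and runs two custom use cases (disk capacity and CPU load) over them. The hostnames, process names (diskmon, loadmon) and key=value message format are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample syslog lines (not from any real system); the hosts,
# process names and key=value message format are assumptions for this example.
SAMPLE_SYSLOG = """\
Mar 10 02:14:05 db01 diskmon[4211]: fs=/var/lib/pgsql used_pct=93
Mar 10 02:14:05 db01 diskmon[4211]: fs=/ used_pct=41
Mar 10 02:14:06 web02 loadmon[880]: load1=7.80 cores=4
Mar 10 02:14:06 web03 loadmon[881]: load1=1.20 cores=4
Mar 10 02:14:07 db01 sshd[5120]: Accepted publickey for ops from 10.0.0.5 port 51234
Mar 10 02:15:05 db01 diskmon[4211]: fs=/var/lib/pgsql used_pct=95
"""

# Classic BSD syslog shape: timestamp host process[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")

@dataclass(frozen=True)
class Alert:
    use_case: str
    host: str
    ts: str
    detail: str

def parse_line(line):
    """Turn one raw line into an event dict, or None if it is not syslog-shaped."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None  # skip unparseable input rather than stopping ingestion
    event = m.groupdict()
    event["fields"] = dict(KV_RE.findall(event["msg"]))
    return event

# Two non-security use cases, written the way an analyst would write SIEM rules.
def disk_capacity_use_case(event, threshold_pct=90):
    f = event["fields"]
    if event["proc"] == "diskmon" and float(f.get("used_pct", 0)) >= threshold_pct:
        return Alert("disk_capacity", event["host"], event["ts"],
                     f"{f['fs']} at {f['used_pct']}% (threshold {threshold_pct}%)")
    return None

def cpu_load_use_case(event, ratio=1.5):
    f = event["fields"]
    if event["proc"] == "loadmon":
        load, cores = float(f["load1"]), int(f["cores"])
        if load >= ratio * cores:  # sustained load well above core count
            return Alert("cpu_load", event["host"], event["ts"],
                         f"load1={load} on {cores} cores")
    return None

USE_CASES = (disk_capacity_use_case, cpu_load_use_case)

def run_use_cases(raw_log, use_cases=USE_CASES):
    """Ingest raw syslog text and return every alert raised by the use cases."""
    alerts = []
    for line in raw_log.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        for use_case in use_cases:
            alert = use_case(event)
            if alert:
                alerts.append(alert)
    return alerts
```

Running `run_use_cases(SAMPLE_SYSLOG)` yields two disk-capacity alerts for db01 and one CPU-load alert for web02; the sshd line is ingested but matches no use case.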

56.   After analyzing events and incidents from the past year, an analyst has declared the existence of a problem. To what is the analyst referring?

A.   One or more controls are in a state of failure.

B.   The analyst is unable to access all incident data for the entire year.

C.   One or more high-criticality incidents have occurred.

D.   A specific type of incident is recurring.

  D. In ITIL terminology, a problem is an incident that keeps occurring. This means that there is some root cause for these incidents that needs to be investigated, and a plan needs to be developed to eliminate the root cause so that the incidents no longer occur.

  A is incorrect because a problem, in ITIL terminology, does not specifically indicate a control failure.

  B is incorrect because a problem, in ITIL terminology, does not indicate an inability to access historical event data.

  C is incorrect because a problem in ITIL terminology does not indicate the severity of incidents that are occurring, but only that similar incidents that are all potentially related to a single root cause are occurring.

57.   A DBA has determined that it is not feasible to directly back up a large database. What is the best remedy for this?

A.   Defragment the database to permit a linear backup.

B.   Change the database to read-only during a backup to preserve integrity.

C.   Compress the database to recover free space.

D.   Export the database to a flat file and back up the flat file.

  D. The best remedy when a database cannot be directly backed up is the creation of an export, which itself can be backed up.

  A is incorrect because defragmentation of a database is not a common operation.

  B is incorrect because changing a database to read-only would certainly disrupt business operations.

  C is incorrect because compression of a database is not a common practice.

58.   How feasible is it to use the results of a BIA in the creation of a system classification plan?

A.   A BIA will indicate sensitivity of specific data that is associated with critical business processes.

B.   A BIA will indicate operational criticality of specific data that is associated with critical business processes.

C.   A BIA does not correlate to specific information systems.

D.   A BIA does not correlate to specific data sets.

  B. A BIA identifies critical business processes in an organization, including the organization’s dependencies upon IT systems and their data sets. Critical processes can be mapped to the systems they depend upon, which can contribute to system classification.

  A is incorrect because a BIA does not typically identify data by sensitivity, but instead identifies data by operational criticality.

  C is incorrect because a BIA does in fact correlate business processes to information systems.

  D is incorrect because a BIA does in fact correlate business processes to specific data sets.

59.   A system engineer is reviewing critical systems in a data center and mapping them to individual electrical circuits. The engineer identified a system with two power supplies that are connected to the same plug strip. What should the engineer conclude from this?

A.   It is an acceptable practice to connect both power supplies to the same circuit.

B.   It is an acceptable practice to connect both power supplies to the same plug strip.

C.   The two power supplies should not be connected to the same circuit.

D.   The two power supplies should not be connected to the same plug strip.

  C. The main issue at stake here is that the power supplies are both connected to the same electrical circuit. If the electrical circuit fails, the system will be powered down. A better practice is to connect the two power supplies to separate circuits.

  A and B are incorrect because it is not a recommended practice to connect both power supplies to the same plug strip or the same circuit. The plug strip and electrical circuit represent a single failure path, somewhat negating the purpose of multiple power supplies.

  D is incorrect because the bigger issue is not whether the power supplies are connected to the same plug strip, but that they are connected to the same circuit.

60.   An IT architect is proposing a plan for improving the resilience of critical data in the organization. The architect proposes that applications be altered so that they confirm that transactions have been successfully written to two different storage systems. What scheme has been proposed?

A.   Journaling

B.   Mirroring

C.   Data replication

D.   Two-phase commit

  D. Two-phase commit is the act of writing a transaction to separate storage systems and not completing the transaction until confirmation of successful write operations has been received.

  A is incorrect because journaling is the process of recording storage transactions in another part of a file system for redundancy and integrity purposes.

  B is incorrect because mirroring is a storage system function that applications are unaware of.

  C is incorrect because data replication is a storage system function that applications are unaware of.
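The scheme described in the correct answer, as an added example that is not from the original text: a toy two-phase commit coordinator with two in-memory storage participants. It shows both the success path and the failure path, where one storage system cannot accept the write and the transaction is aborted on both systems rather than landing on only one. The class and method names are assumptions made for this example.

```python
class StorageSystem:
    """Toy participant (assumed for this example): stages a write on PREPARE,
    applies it on COMMIT, discards it on ABORT."""

    def __init__(self, name, fail_prepare=False):
        self.name = name
        self.fail_prepare = fail_prepare  # simulates a system that cannot accept writes
        self.committed = {}               # durable, visible state
        self._staged = {}                 # prepared-but-uncommitted writes, keyed by txn id

    def prepare(self, txn_id, key, value):
        """Phase 1: durably stage the write and vote YES, or vote NO."""
        if self.fail_prepare:
            return False
        self._staged[txn_id] = (key, value)  # a real system would force this to a log
        return True

    def commit(self, txn_id):
        key, value = self._staged.pop(txn_id)
        self.committed[key] = value

    def abort(self, txn_id):
        self._staged.pop(txn_id, None)


class TwoPhaseCoordinator:
    """The application-side logic: the write completes only after every storage
    system has confirmed it."""

    def __init__(self, participants):
        self.participants = participants
        self.decisions = []  # coordinator decision log: (txn_id, "commit"|"abort")

    def write(self, txn_id, key, value):
        # Phase 1: ask every storage system to prepare and collect the votes
        votes = {p.name: p.prepare(txn_id, key, value) for p in self.participants}
        # Phase 2: commit everywhere only if every participant voted YES
        if all(votes.values()):
            self.decisions.append((txn_id, "commit"))
            for p in self.participants:
                p.commit(txn_id)
            return True
        self.decisions.append((txn_id, "abort"))
        for p in self.participants:
            p.abort(txn_id)
        return False


def demo():
    primary, secondary = StorageSystem("primary"), StorageSystem("secondary")
    coord = TwoPhaseCoordinator([primary, secondary])
    first_ok = coord.write("t1", "balance:42", 100)   # both confirm -> committed on both
    secondary.fail_prepare = True                     # secondary now cannot accept writes
    second_ok = coord.write("t2", "balance:42", 250)  # must not land on the primary alone
    return first_ok, second_ok, primary.committed, secondary.committed, coord.decisions
```

Contrast this with mirroring or replication, where the storage layer copies the data after the fact and the application never learns whether the second copy succeeded.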

61.   A department has completed a review of its business continuity plan through a moderated discussion that followed a specific, scripted disaster scenario. What kind of a review was performed?

A.   Walkthrough

B.   Simulation

C.   Parallel test

D.   Peer review

  B. A simulation is a type of review where a moderator reveals a realistic scenario, and test participants talk through the steps they would be taking should an actual disaster of this type be occurring. A simulation is more realistic than a walkthrough, as it helps to bring a disaster to life.

  A is incorrect because a walkthrough does not attempt to simulate a disaster scenario.

  C is incorrect because a parallel test involves the actual deployment of business continuity procedures to see whether they can be operated properly.

  D is incorrect because a peer review involves other personnel, possibly those in another organization.

62.   What is the purpose of salvage operations in a disaster recovery plan?

A.   To identify the damage to, and recoverability of, critical equipment and assets

B.   To determine the scrap value of critical equipment and assets

C.   To ensure that all personnel are accounted for

D.   To identify business processes that can be resumed

  A. The primary purpose of salvage is to determine the extent of damage of critical business equipment and to determine what is still functional, which assets can be repaired, and which are damaged beyond repair.

  B is incorrect because the primary purpose of salvage is to determine the extent of damage of critical business equipment and to determine what is still functional, which assets can be repaired, and which are damaged beyond repair. A secondary purpose is to determine whether the equipment that is damaged beyond repair can be scrapped.

  C is incorrect because the purpose of salvage is related to business equipment, not personnel.

  D is incorrect because the purpose of salvage is related to business equipment, not business processes.

63.   RAM is most commonly used as:

A.   Secondary storage

B.   Main storage

C.   Virtual disk

D.   CPU instruction cache

  B. RAM, or random access memory, is the primary technology used for a computer’s main storage.

  A is incorrect because SSDs and HDDs are most commonly used for secondary storage.

  C is incorrect because a virtual disk is a secondary use of RAM, not a primary use.

  D is incorrect because a CPU has its own instruction cache built in.

64.   All of the following are valid reasons for removing end users’ local administrator privileges on their workstations except:

A.   To reduce malware attack impact

B.   To prevent the use of personal web mail

C.   To prevent installation of unauthorized software

D.   To reduce the number of service desk support calls

  B. Removing local administrator access from an end user would not impact a user’s ability to access personal web mail in most cases.

  A, C, and D are incorrect because these are primary reasons for removing local administrator privileges from end users.

65.   The primary mission of data governance is:

A.   To ensure the availability of sensitive and critical information

B.   To ensure the integrity of sensitive and critical information

C.   To control and monitor all uses of sensitive or critical information

D.   To ensure compliance with applicable privacy laws

  C. The primary mission of data governance is the control and monitoring of all uses of sensitive and/or critical information in an organization, both in structured and unstructured storage.

  A is incorrect because data governance is not primarily concerned with the availability of information.

  B is incorrect because data governance is not primarily concerned with the integrity of information.

  D is incorrect because compliance with applicable laws should be an outcome of data governance, but not its main purpose.

66.   Many of the backout plans in the records of a change control process simply read, “Reverse previous steps.” What conclusion can be drawn from this?

A.   Backout plans are only relevant for emergency changes.

B.   Backout plans are not a part of a change management process.

C.   Backout plans are adequate.

D.   Backout plans are not as rigorous as they should be.

  D. “Reverse previous steps” is wholly inadequate for most changes, as this represents unpreparedness for situations where changes are unsuccessful.

  A is incorrect because backout plans are needed for all changes.

  B is incorrect because backout plans are a key part of a change management process.

  C is incorrect because a backout plan that states simply “reverse previous steps” is not adequate. Complex changes may not be so easily reversed.

67.   The purpose of a business impact analysis (BIA) is primarily:

A.   To calculate risk in a risk assessment

B.   To determine the impact of a breach

C.   To determine process criticalities

D.   To determine process dependencies

  D. The purpose of business impact analysis (BIA) is to determine the dependencies of business processes—what assets, staff, and outside parties are required to sustain a process. Subsequent to a BIA is the criticality assessment (CA), which determines the criticality of business processes analyzed in the BIA.

  A is incorrect because a BIA is not used in a general risk assessment.

  B is incorrect because a BIA is not used in a breach assessment.

  C is incorrect because it is the criticality assessment (CA) that is used to determine process criticality, once the BIA itself has been completed.

68.   The reasons for pre-writing public statements describing the impact, response, and recovery from a disaster include all of the following except:

A.   During a disaster is not a good time to write such statements from scratch.

B.   Key personnel who would write such statements may not be available.

C.   Such public statements can be issued more quickly.

D.   Pre-written public statements are required by regulation.

  D. Few, if any, regulations require organizations to pre-write their public statements describing a disaster and the details about impact, response, and recovery.

  A, B, and C are incorrect because these are some of the advantages of writing out the templates for such statements in advance.