Our first question. Which one of the following steps is not typically possible following an incident that has occurred? Is this containment, preparation, eradication, or recovery? Containment is something we do when we think about the stages: when we detect an incident we want to contain it, we want to eradicate it, and we want to recover. Those three things jump out at us. Responses 1, 3, and 4 jump out as being necessary. Preparation is something that is very hard to do after we have invoked our incident response, after an incident has occurred. This is why it's important to invest. Preparation is not typically possible once an incident occurs; preparation is an investment that is realized once an adverse event occurs. We can think of it almost like an insurance policy: it has a cost that pays back when something bad happens. Without an effective and current plan, organizations often have to improvise their response, and that is a fairly terrible situation to be in. Containment, eradication, and recovery are aspects of incident response, the part of the diagram we saw in the first module of the chapter.

Question 2 then, who should be included as part of a response team in a business continuity plan? Is this the IT team, the security operations center, front-line services, or any function that is required as part of the response? Right now, what I'd suggest is that you think about exam technique: in the exam, you are looking for the best response, not something that's merely correct, but the best of the offered responses, because lots of the responses, under certain circumstances, may be correct or partially correct. What we're looking for is the best answer. The IT team, should they be included? Well, usually they are, usually they are a fundamental part of the team, but they don't have to be. The security operations center, again, I would say it would be very unusual not to see the security team.
Similarly, some front-line services we may want to be part of the response team. But the correct answer, by far the best answer, and hopefully you see this, is that any function that is needed should be included: we need to determine who is needed within our plans and make sure they're included appropriately. The IT team and the security operations center are two really good examples of teams that would ordinarily be included. But the best answer is those that are needed, any function that is required. These should be included as part of the critical response path. The exact composition of the team varies between organizations, and it should. The other responses are good examples of areas that may be represented. The IT team, the security operations center, and some front-line services are typically involved, but not always.

Question 3 then, as the security manager for an organization, you have been asked who is best placed to sign off on the newly drafted disaster recovery plan. Who would you suggest? Is this a member of the senior management team, such as the CIO or the CEO? Is it all areas affected by the plan, each of which should individually sign that plan? Is it that the author of the document should sign it to enforce accountability, so that the person who wrote the document signs their name to it? Or is it the security manager: as the security manager, you are best placed to do this? What we think about here is something we touched on in the first chapter. Policies, high-level statements, need signing by somebody with the rightful authority, the right accountability, who is going to be responsible for this. The correct answer here is a member of the senior management team. A disaster recovery plan would usually be signed off by a member of the senior management team. This team is best placed to accept the cost, the risks, and the outcomes. What we're doing is creating a strategic set of documents that determine how the organization responds financially, the investment it makes.
These are big strategic decisions. They should be made by the senior management team. The recommendations, though, might come from some of those other areas, and I would say security is a really good source of some of those recommendations. But ultimately, these recommendations are accepted or not by the senior management team. It's asking who's going to sign it off, not who's going to make recommendations. The author of the document is responsible for creating it, but doesn't have the authority to approve it. The fact that they've authored the document and are accountable for its contents doesn't mean that it's agreed. The actual change of strategy is a senior decision. Good engagement when drafting the plan should mean that the second response is covered off: we should make sure that other areas are consulted appropriately, including IT security and maybe different business units.

Question 4 then. At a minimum, how often should a business continuity or disaster recovery plan be reviewed? I would say the key word here is minimum. There may be regulatory requirements; they may say quarterly, every six weeks, every four weeks, whatever. But usually, what we're looking for is a regular update, partly because people change and those telephone numbers change, just to reflect some of that organic change in the organization, changes to threats, changes to vulnerabilities. An annual plan is a reasonable minimum. An annual process is usually accepted as the minimum, and the question is asking for the minimum. Plans should be reviewed on a regular basis, and while it is possible to review documents more frequently than annually, the question is specifically asking for the minimum acceptable timeframe. Informal reviews are sufficient? That's a response that may or may not suffice for different organizations. It may or may not be acceptable. But again, it falls into that "may" category. It's not the best answer by any means. Is it that it doesn't require a formal review process?
Well, I would say that's not the case, and certainly not the case for all industries. Some people may need to do it quarterly, but it's asking for the minimum, and the minimum is usually considered to be annually, just to update changed content as a basic measure, or to confirm that the content is still relevant.

Question 5. An uninterruptible power supply, a UPS, provides power to one or more devices in the event of the loss of main power. Now, even if you didn't know what a UPS was, that sentence is telling you it provides a service when the primary service isn't available. From that, we can figure out the correct response. Which of the plans below does it most closely align with? Is this an example of business continuity, an example of disaster recovery, is it incident response, or is it all of the above? Well, the clue is in the question. An uninterruptible power supply is making sure you don't get interrupted. If you're not being interrupted, you can continue your business: business continuity. If you have a power surge or your electrical power goes offline, a UPS will give you a period of continuity. It's some batteries connected together to provide power on the loss of mains power. This is business continuity, ensuring that you can continue operations. A UPS best addresses business continuity when the primary power source is disrupted. The UPS provides an alternate power source to allow for continuity of operations while a recovery response is initiated. A UPS would not be integral to disaster recovery or other forms of incident response.

Fantastic. I hope you enjoyed Chapter 2, and I look forward to seeing you in our next chapter, Chapter 3.