📌 Topic 1: Incident Response Lifecycle (Q1–Q20)
A security engineer at FinTech Company X detects unusual outbound traffic from a production API server. The InfoSec team confirms it is an active breach. According to NIST SP 800-61, which option lists the phases of the incident response lifecycle in the CORRECT order?
(According to NIST SP 800-61, which option gives the correct order of the incident response lifecycle phases?)
- A. Preparation → Identification → Containment → Eradication → Recovery → Lessons Learned
- B. Detection → Analysis → Containment → Eradication → Recovery → Post-Incident
- C. Preparation → Detection & Analysis → Containment → Eradication → Recovery → Post-Incident Activity
- D. Identification → Triage → Containment → Remediation → Recovery → Closure
Correct: C
NIST SP 800-61 Rev. 2 defines four phases: (1) Preparation, (2) Detection & Analysis, (3) Containment, Eradication & Recovery, and (4) Post-Incident Activity. The six-step sequence commonly tested simply splits phase 3 into its three parts: Preparation → Detection & Analysis → Containment → Eradication → Recovery → Post-Incident Activity. Option A is the SANS "PICERL" sequence (Identification, Lessons Learned); it is a legitimate model but not NIST's terminology. Option B drops Preparation entirely, and Option D mixes in service-desk terms (Triage, Closure) that NIST does not use. Rev. 3 (2025) reorganizes the guidance around the CSF 2.0 functions; the phase names tested here are Rev. 2's.
CISSP Mindset: Know the exact NIST terminology. "Detection & Analysis" and "Post-Incident Activity" are the precise phase names, not "Identification" or "Lessons Learned."
During an active ransomware incident at FinTech Company X, the SOC team has identified the infected systems and confirmed the malware family. The team is debating whether to remove the malware immediately or isolate the systems first. What is the CORRECT order of actions?
(During an ongoing ransomware incident, the SOC team has identified the infected systems. What is the correct order of actions?)
- A. Eradication → Containment → Recovery → Documentation
- B. Containment → Eradication → Recovery → Post-Incident Review
- C. Analysis → Eradication → Containment → Recovery
- D. Containment → Recovery → Eradication → Lessons Learned
Correct: B
Containment MUST occur before eradication. You first isolate affected systems to prevent spread (containment), then remove the malware and its artifacts (eradication), then restore systems to normal operations (recovery), and finally conduct a post-incident review. Performing eradication before containment risks spreading the threat to other systems.
CISSP Mindset: "Contain before you clean." Rushing to eradicate without containing first is a common mistake that causes wider damage. This sequence is tested repeatedly on the exam.
FinTech Company X's CIRT has defined four severity levels. A P1 incident involves complete service unavailability affecting all customers. A P2 involves significant degradation affecting >50% of users. A P3 is minor degradation with a workaround available. A P4 is a cosmetic issue. A Datadog alert shows the credit-scoring API returning 503 errors for 80% of Partner A loan requests. What priority should this be classified as?
(The credit-scoring API is returning 503 errors for 80% of Partner A loan requests. What priority should be assigned?)
- A. P1 — Complete service unavailability
- B. P2 — Significant degradation affecting majority of users
- C. P3 — Minor degradation with workaround
- D. P4 — Cosmetic issue only
Correct: B
80% of Partner A's loan requests failing is significant degradation of a core flow but not complete unavailability: 20% of requests still succeed and other integrations are unaffected, so P1 does not apply; there is no workaround, so P3 does not apply either. Note that the severity matrix is written in terms of users while the alert reports requests; the on-call classifier should confirm how many Partner A users the 80% request failure actually touches. Partner A's SLA makes this a high-urgency P2 that must be escalated immediately and re-evaluated if the failure rate climbs or spreads to other partners.
CISSP Mindset: Severity classification drives resource allocation and escalation paths. When in doubt between P1 and P2, look at scope — "80% of one partner's traffic" vs "all customers."
FinTech Company X discovers a PII breach affecting Vietnamese customers' loan application data. Under Vietnam's Cybersecurity Law and typical breach notification requirements, what is the correct sequence of actions regarding notification timelines?
(FinTech Company X discovers a PII breach affecting Vietnamese customers' loan application data. What is the correct sequence of actions with respect to notification deadlines?)
- A. Notify affected customers within 24 hours, then report to regulators within 72 hours
- B. Complete eradication first, then notify regulators and customers simultaneously
- C. Contain the breach, notify relevant authorities within required timeframes, then notify affected individuals
- D. Wait for full forensic analysis before any notification to avoid providing incorrect information
Correct: C
Breach notification must not wait for a complete forensic picture. The sequence is: contain the breach, notify the regulator within the statutory window (72 hours from discovery under GDPR Art. 33; Vietnam's personal data protection decree, Decree 13/2023/ND-CP, likewise sets 72 hours for notifying the Ministry of Public Security), then notify affected individuals. Regulators generally accept an initial notification with what is known so far and a supplementary update later, so incomplete information is not a reason to delay. Waiting for eradication or a final report (B, D) risks missing the deadline and increases liability; option A puts customers before the regulator and on a 24-hour clock that the question does not support.
CISSP Mindset: Legal obligations for breach notification are time-sensitive. "We'll notify after we're done investigating" is never correct on the CISSP exam.
During a security incident at FinTech Company X, the CIRT lead wants to shut down the production database server to stop an ongoing SQL injection attack. The DBA team objects, citing impact to Bank A's real-time loan processing SLA. Who has the authority to make the final containment decision?
(The CIRT wants to shut down the production database server to stop a SQL injection attack. The DBAs object because of the impact on Bank A's SLA. Who has the authority to make the final decision?)
- A. The DBA team lead, since they own the production system
- B. The CIRT lead, since security takes precedence during an active incident
- C. A pre-defined executive authority (e.g., CISO or CTO) following the incident escalation policy
- D. The SLA manager for Bank A, since their contractual obligations must be honored
Correct: C
Decisions that involve significant business impact (like shutting down production) must be escalated to a pre-defined executive authority per the organization's incident response plan. The CIRT plan should pre-define who has authority to approve disruptive containment measures. This prevents both "security always wins" (B) and "business always wins" (A) extremes without governance.
CISSP Mindset: Effective IR requires pre-defined authority chains. The CISSP exam values governance over unilateral decisions — even by security professionals.
A FinTech Company X SOC analyst is responding to a phishing incident. They follow a documented step-by-step procedure: check email headers, extract IOCs, block sender domain, search SIEM for similar emails, and quarantine affected mailboxes. What type of document is the analyst following?
(A SOC analyst is following a document with detailed steps for handling a phishing incident. What type of document is this?)
- A. Security policy
- B. Playbook — a high-level strategic response framework
- C. Runbook — a detailed step-by-step operational procedure for a specific scenario
- D. Standard Operating Procedure (SOP) for governance compliance
Correct: C
A runbook contains detailed, step-by-step technical instructions for handling a specific type of incident or operational task. A playbook is a higher-level strategic document that outlines the overall response approach, escalation paths, and decision trees for an incident category. Runbooks are used by analysts executing the response; playbooks guide the response strategy. Be aware that vendors use the terms inconsistently (several SOAR products call their step-by-step automations "playbooks"); the exam uses the definitions above.
CISSP Mindset: Runbook = "how to do it" (step-by-step). Playbook = "what to do and when" (strategic framework). Both are essential components of an IR program.
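The five runbook steps in the question map directly onto code. The following is an added example, not material from the study guide: it parses a constructed phishing message, extracts IOCs from the headers and body, derives a block list and a SIEM search, and lists the mailboxes to quarantine. The message, the internal-domain allow-list, and the SIEM field names and query syntax are all assumptions.

```python
"""Phishing runbook as code: headers -> IOCs -> block list -> SIEM search -> quarantine list.
Added example; the message, allow-list and SIEM query syntax are constructed."""
import email
import hashlib
import re
from email.utils import getaddresses
from urllib.parse import urlparse

# Constructed sample phish. Each hop prepends a Received header, so the LAST
# one is the originating hop; the first belongs to our own relay.
RAW_EMAIL = b"""\
Received: from mail-relay.example.net (mail-relay.example.net [203.0.113.10])
Received: from unknown (HELO lender-x-secure.example) [198.51.100.77]
From: "FinTech X Support" <support@lender-x-secure.example>
Reply-To: collect@lender-x-secure.example
To: ops@fintech-x.example
Subject: Urgent: loan approval pending
Content-Type: text/plain; charset=utf-8

Your Partner A approval is on hold. Verify at
https://lender-x-secure.example/verify?acct=123 before 5pm.
"""

INTERNAL_DOMAINS = {"fintech-x.example"}  # assumed allow-list: never block our own domains
URL_RE = re.compile(r"""https?://[^\s<>"')]+""")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def extract_iocs(raw: bytes) -> dict:
    """Runbook steps 1-2: read headers and body, pull out the observables."""
    msg = email.message_from_bytes(raw)
    sender_hdrs = [v for v in (msg.get("From"), msg.get("Reply-To")) if v]
    senders = [a for _, a in getaddresses(sender_hdrs) if a]
    rcpt_hdrs = [v for v in (msg.get("To"), msg.get("Cc")) if v]
    hops = msg.get_all("Received", [])
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    urls = URL_RE.findall(body)
    return {
        "sha256": hashlib.sha256(raw).hexdigest(),  # message-level IOC
        "sender_domains": sorted({a.rsplit("@", 1)[-1].lower() for a in senders}),
        "url_domains": sorted({urlparse(u).hostname.lower() for u in urls if urlparse(u).hostname}),
        "urls": urls,
        "origin_ips": IP_RE.findall(hops[-1]) if hops else [],  # last hop = sender's MTA
        "recipients": [a for _, a in getaddresses(rcpt_hdrs) if a],
    }


def build_block_list(iocs: dict, internal=INTERNAL_DOMAINS) -> list:
    """Step 3: sender and URL domains for the mail gateway / proxy block list."""
    return sorted((set(iocs["sender_domains"]) | set(iocs["url_domains"])) - set(internal))


def build_siem_query(iocs: dict, internal=INTERNAL_DOMAINS) -> str:
    """Step 4: search for sibling messages. Field names and syntax are hypothetical."""
    doms = ", ".join(f'"{d}"' for d in build_block_list(iocs, internal))
    ips = ", ".join(f'"{ip}"' for ip in iocs["origin_ips"])
    return (f"index=mail earliest=-7d (sender_domain IN ({doms}) OR url_domain IN ({doms})"
            f" OR src_ip IN ({ips}) OR msg_sha256=\"{iocs['sha256']}\")")


def mailboxes_to_quarantine(iocs: dict) -> list:
    """Step 5: every recipient of this message (extend with the SIEM hits)."""
    return sorted(set(iocs["recipients"]))


if __name__ == "__main__":
    found = extract_iocs(RAW_EMAIL)
    print("block:", build_block_list(found))
    print("search:", build_siem_query(found))
    print("quarantine:", mailboxes_to_quarantine(found))
```

Only the originating hop's IP is treated as an IOC; the first Received header is the organization's own relay and would pollute both the block list and the search.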
FinTech Company X's production environment is experiencing an active intrusion. The attacker has compromised one microservice pod in Kubernetes. The InfoSec team is considering two containment options: (1) network isolate the pod, or (2) delete the pod and redeploy. Which option is correct as a CONTAINMENT action (not eradication)?
(During an intrusion incident, the InfoSec team is weighing: (1) isolating the pod at the network level, or (2) deleting the pod and redeploying. Which action is Containment, not Eradication?)
- A. Delete the pod and redeploy — this stops the threat immediately
- B. Network isolate the pod — this limits spread while preserving evidence
- C. Both options are equally valid containment strategies
- D. Neither — containment means monitoring the attacker without intervening
Correct: B
Network isolation is a containment action: it limits the threat's ability to spread or communicate externally while preserving forensic evidence. In Kubernetes that means a NetworkPolicy selecting the pod with no permitted ingress or egress (enforced only if the CNI supports NetworkPolicy) and relabelling the pod so its Service stops routing traffic to it, while leaving the pod running so its memory, writable container layer and /proc are still there to collect. Deleting and redeploying the pod is an eradication action: it removes the threat, but the container's writable layer and memory go with it. Eradication before proper containment and forensic preservation can destroy evidence needed for investigation and legal proceedings.
CISSP Mindset: Containment = limit the damage, preserve evidence. Eradication = remove the threat. These are sequential, not interchangeable. Always contain before eradicate.
At FinTech Company X, the IR policy requires InfoSec sign-off before proceeding from containment to eradication. A developer wants to patch the vulnerable application immediately after isolating the affected server, bypassing the InfoSec review. What is the PRIMARY risk of skipping InfoSec sign-off?
(The IR policy requires InfoSec approval before moving from Containment to Eradication. What is the primary risk of skipping InfoSec approval?)
- A. Eradication may be performed faster, reducing MTTR unnecessarily
- B. Incomplete eradication — root cause may not be fully identified, leaving backdoors or persistence mechanisms
- C. The patch may introduce new vulnerabilities during emergency deployment
- D. The developer may violate change management procedures
Correct: B
The primary risk of bypassing the InfoSec eradication gate is incomplete eradication. Without proper analysis, the team may miss persistence mechanisms (backdoors, scheduled tasks, malicious scripts), causing the incident to recur. InfoSec sign-off ensures root cause analysis is complete and all threat artifacts are identified before remediation begins. Option D is also a risk but secondary.
CISSP Mindset: The eradication gate exists to prevent recurring incidents. "Fast" eradication without thorough analysis often means the attacker returns through the same or a related vector.
FinTech Company X's InfoSec team discovers that a misconfigured S3 bucket has been exposing Vietnamese customer PII (names, ID numbers, loan amounts) publicly for 30 days. Which IR phases are applicable to this scenario, in the correct order?
(A misconfigured S3 bucket has publicly exposed Vietnamese customers' PII for 30 days. Which IR phases apply, in the correct order?)
- A. Preparation → Eradication → Recovery only (no containment needed since it's a misconfiguration)
- B. Detection & Analysis → Containment (restrict bucket access) → Eradication (remove exposed data, fix config) → Recovery → Post-Incident
- C. Containment → Detection → Eradication → Recovery (detection comes before containment is optional)
- D. Post-Incident → Recovery → Eradication (work backwards since the exposure already happened)
Correct: B
Even for a data exposure with no active attacker, all IR phases apply. After detection and analysis (confirming what was exposed and, from CloudTrail and S3 server access logs, who fetched it during the 30 days), containment is restricting access immediately: enable Block Public Access on the bucket and remove the public ACL or policy statement. Eradication is fixing the root cause (the misconfiguration and whatever deployed it) and removing or re-encrypting data that should not have been stored there. Recovery restores normal operations. Post-incident includes breach notification and lessons learned. Option A skips containment, C inverts detection and containment, and D is not a lifecycle at all.
CISSP Mindset: IR phases apply to ALL incident types — not just active attacks. Data exposures, misconfigurations, and insider threats all follow the same lifecycle.
During a critical incident, FinTech Company X's CISO authorizes a full production shutdown affecting all lending APIs (Partner A and Bank A integrations). In the NIST IR framework, this decision to shut down production represents which phase action?
(The CISO authorizes shutting down all of production, affecting every lending API. Under NIST IR, which phase does this decision to shut down production belong to?)
- A. Preparation — pre-approved shutdown runbooks enable this
- B. Detection & Analysis — shutting down helps analyze the incident
- C. Containment — stopping production limits the incident's blast radius and prevents further damage
- D. Recovery — removing systems from service is part of restoring operations
Correct: C
A production shutdown is a containment action. Containment strategies range from network isolation to full system shutdown depending on severity. When an active threat cannot be contained without taking systems offline, shutdown is a valid (if disruptive) containment measure. The goal is to prevent further damage and limit the blast radius before eradication begins.
CISSP Mindset: "Production shutdown = containment" is a key concept. Despite business impact, stopping the spread takes priority. Containment is not always elegant — sometimes it's a hard stop.
After resolving a major data breach, FinTech Company X's IR team holds a post-incident review. The team finds that the breach was detected 14 days after initial compromise because no alert was configured for unusual data egress from the Vault secrets manager. What phase does this review belong to, and what should be the PRIMARY output?
(After resolving the breach, the IR team conducts a post-incident review. Which phase does this belong to, and what is the primary output?)
- A. Recovery phase — output is a system restoration report
- B. Post-Incident Activity phase — output is lessons learned with specific improvement actions (e.g., add Vault egress alerting)
- C. Detection & Analysis phase — output is an IOC list for future detection
- D. Preparation phase — output is an updated IR policy
Correct: B
Post-Incident Activity (the final NIST phase) includes the lessons learned meeting and report. The primary output is actionable improvements — not just a narrative of what happened, but specific changes to detection capabilities (like adding Vault audit log alerting), IR procedures, and security controls. This closes the loop and feeds back into Preparation for future incidents.
CISSP Mindset: Lessons learned without action items is just storytelling. The value of Post-Incident Activity is the specific, measurable improvements it drives.
A junior SOC analyst at FinTech Company X detects malware on a developer's laptop and immediately runs an antivirus scan to remove it without isolating the machine from the network first. What critical mistake did the analyst make?
(A SOC analyst detects malware on a laptop and immediately runs antivirus to remove it without isolating the machine from the network. What critical mistake was made?)
- A. The analyst should have backed up the laptop first before running antivirus
- B. The analyst skipped containment — the malware may have spread to other network hosts or exfiltrated data during the scan
- C. Antivirus is not a valid eradication tool for CISSP purposes
- D. The analyst should have notified the developer before starting remediation
Correct: B
By skipping containment (network isolation), the analyst allowed the malware to potentially spread laterally to other hosts, exfiltrate data, or receive new commands from a C2 server during the eradication attempt. Contain FIRST (disconnect from network), THEN eradicate. This is one of the most commonly tested IR sequence errors on CISSP.
CISSP Mindset: Eradicating malware while it is still network-connected is like sweeping while the wind is still blowing. Containment stops the spread; eradication removes what's there.
FinTech Company X is forming a Computer Incident Response Team (CIRT). Which combination of roles is MOST important to include to ensure both technical response and legal/compliance coverage?
(FinTech Company X is forming a CIRT. Which combination of roles is most important to ensure both technical response and legal compliance?)
- A. Network engineers, database administrators, and software developers
- B. Security analysts, forensic investigators, legal counsel, and HR representative
- C. CISO, CTO, and CEO for all decisions
- D. External incident response firm only — internal teams have conflicts of interest
Correct: B
A well-structured CIRT includes: security analysts (technical response), forensic investigators (evidence collection), legal counsel (breach notification obligations, evidence admissibility, liability), and HR (for insider threat scenarios). PR/communications may also be included. Pure technical teams (A) miss legal obligations; executive-only (C) is inefficient for technical decisions.
CISSP Mindset: IR is not just a technical problem — it is a legal, HR, and communications problem simultaneously. Structure your CIRT accordingly.
During an incident, FinTech Company X's SOC wants to monitor an attacker's behavior without fully blocking them, to gather intelligence on their techniques. This approach — deliberately allowing limited attacker activity while observing — is known as what?
(The SOC wants to monitor the attacker's behaviour without fully blocking them in order to gather intelligence. What is this approach called?)
- A. Short-term containment
- B. Long-term containment with monitoring
- C. Controlled observation / "watch and learn" containment strategy
- D. Active defense honeypot deployment
Correct: C
This is a "watch and learn" or controlled observation containment strategy. It is used when the organization wants to understand attacker TTPs (tactics, techniques, procedures) before fully responding. This carries risk — it requires careful monitoring to prevent damage escalation and must have explicit legal and executive authorization, especially when PII or financial data is at risk.
CISSP Mindset: Watch-and-learn is a valid strategy but requires explicit authorization and strict controls. On the exam, this is usually the right answer when "gathering intel on attacker methods" is the goal.
After eradicating a rootkit from FinTech Company X's authentication server, the team is preparing to restore the system to production. What is the MOST important step before returning the system to normal operations?
(After removing a rootkit from the authentication server, what is the most important step before returning the system to normal operation?)
- A. Apply all available security patches immediately
- B. Verify system integrity — confirm the system is clean and operating from a known-good baseline before restoring service
- C. Notify all users that the system was compromised
- D. Conduct a penetration test to confirm the vulnerability is fixed
Correct: B
Before returning a previously compromised system to production, you MUST verify it is operating from a known-good baseline: compare file hashes against the trusted image, confirm no persistence mechanisms remain (cron entries, services, new accounts, set-uid binaries, modified shell profiles), and confirm the OS and software are clean. For a rootkit specifically, the verification cannot trust tools on the suspect host, since a rootkit's purpose is to subvert them; check from an offline boot or against hashes taken from the trusted image, and in practice rebuild the server from that image rather than clean it in place. Returning an incompletely cleaned system to production risks reinfection.
CISSP Mindset: Recovery means restoring to a KNOWN GOOD STATE — not just "it seems to work now." Integrity verification is the gate between eradication and recovery.
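The recovery gate described above, as an added example (not code from the study guide): a baseline manifest of file hashes and mode bits is taken from the trusted state, the rebuilt host is hashed again, and any deviation blocks return to service. The demo filesystem and the "leftovers" it plants are constructed; on a real case the baseline comes from the golden image and the comparison runs from an offline boot.

```python
"""Recovery gate: compare a host against a known-good baseline before returning it
to service.  Added example; the demo tree and the planted leftovers are constructed."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Hash + mode of every regular file under root. Take the baseline from the
    trusted image (or an offline boot), never with tools on the suspect host."""
    root_p = Path(root)
    manifest = {}
    for p in sorted(root_p.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        st = p.lstat()
        manifest[p.relative_to(root_p).as_posix()] = {
            "sha256": sha256_file(p),
            "mode": stat.S_IMODE(st.st_mode),
            "setid": bool(st.st_mode & (stat.S_ISUID | stat.S_ISGID)),
        }
    return manifest


def compare(baseline: dict, current: dict) -> dict:
    """Deviations from baseline. New set-uid/gid binaries are listed separately
    because they are a classic persistence artifact."""
    report = {"added": [], "modified": [], "missing": [], "setid_new": []}
    for rel, cur in current.items():
        base = baseline.get(rel)
        if base is None:
            report["added"].append(rel)
        elif cur["sha256"] != base["sha256"] or cur["mode"] != base["mode"]:
            report["modified"].append(rel)
        else:
            continue
        if cur["setid"] and not (base and base["setid"]):
            report["setid_new"].append(rel)
    report["missing"] = sorted(set(baseline) - set(current))
    return report


def ready_for_recovery(report: dict) -> bool:
    """Any deviation blocks return to service until it is explained and remediated."""
    return not any(report.values())


def make_demo_host() -> str:
    """Constructed mini filesystem standing in for the rebuilt auth server."""
    root = tempfile.mkdtemp(prefix="authsrv-")
    os.makedirs(os.path.join(root, "etc"))
    os.makedirs(os.path.join(root, "usr", "bin"))
    Path(root, "etc", "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
    Path(root, "etc", "ssh_config").write_text("PasswordAuthentication no\n")
    Path(root, "usr", "bin", "su").write_bytes(b"\x7fELF su")
    return root


def simulate_rootkit_leftovers(root: str) -> None:
    """Constructed: a second UID-0 account, a dropped cron job, a deleted
    hardening file and a set-uid helper, the sort of thing eradication can miss."""
    with open(os.path.join(root, "etc", "passwd"), "a") as f:
        f.write("svc-backup:x:0:0::/:/bin/bash\n")
    Path(root, "etc", "cron.d-sync").write_text("* * * * * root /tmp/.x\n")
    os.remove(os.path.join(root, "etc", "ssh_config"))
    helper = Path(root, "usr", "bin", "sh-helper")
    helper.write_bytes(b"\x7fELF sh")
    os.chmod(helper, 0o4755)


if __name__ == "__main__":
    host = make_demo_host()
    baseline = build_manifest(host)
    simulate_rootkit_leftovers(host)
    rep = compare(baseline, build_manifest(host))
    print(rep, "READY" if ready_for_recovery(rep) else "HOLD")
```

Mode bits are compared as well as content because a set-uid bit added to an unchanged binary is a real finding that a content-only hash check would miss.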
FinTech Company X's InfoSec team is conducting an IR preparedness review. They find that while runbooks exist for phishing and ransomware, there is no documented procedure for API credential theft. What phase of the IR lifecycle does improving this documentation belong to?
(The InfoSec team finds there is no documented procedure for API credential theft. Improving this documentation belongs to which IR phase?)
- A. Detection & Analysis — detection rules must be built first
- B. Containment — having playbooks enables faster containment
- C. Preparation — building response capabilities before incidents occur
- D. Post-Incident Activity — triggered only after an API credential theft actually happens
Correct: C
Preparation is the foundation phase that happens BEFORE incidents. It includes: developing IR policies and procedures, creating runbooks and playbooks for anticipated incident types, training the CIRT, establishing communication channels, and acquiring tools. Proactively creating an API credential theft runbook is a preparation activity — you do not wait for the incident to happen before preparing.
CISSP Mindset: The quality of your Preparation determines the effectiveness of every subsequent phase. "Plan before the fire, not during it."
A FinTech Company X developer notices their Git credentials were used to push unauthorized code to a production repository at 3 AM. The developer wants to immediately revert the commit and rotate their credentials. What should the IR team do FIRST?
(A developer finds their Git credentials were used to push unauthorized code to production at 3 AM. What should the IR team do FIRST?)
- A. Revert the unauthorized commit immediately to restore code integrity
- B. Rotate the developer's credentials to prevent further unauthorized access
- C. Contain first — disable the compromised credentials and assess the scope of what was pushed before reverting
- D. Notify all developers and lock the repository
Correct: C
Containment before eradication: first, disable the compromised credentials and any sessions or tokens derived from them (containment, which stops the attacker from making further changes). Then analyze WHAT was pushed and whether it was deployed (analysis, to understand the scope), recording the commit SHA and keeping the commit reachable rather than force-pushing over it, since it is evidence. Only then revert the code (eradication) with the full impact understood. Reverting first without disabling credentials lets the attacker push the same or worse code again immediately; rotating (B) is close, but rotation alone does not kill existing sessions or tell you what was pushed.
CISSP Mindset: Contain the access vector before removing the artifact. Revoking credentials first stops the bleeding; reverting the commit cleans the wound.
During the containment phase of an incident at FinTech Company X, the IR team decides to take memory snapshots and disk images of compromised systems. This evidence collection activity most accurately belongs to which part of the IR lifecycle?
(During the Containment phase, the IR team decides to take memory snapshots and disk images of the compromised systems. Which part of the IR lifecycle does this evidence collection most accurately belong to?)
- A. Post-Incident Activity only — evidence is collected after everything is resolved
- B. Detection & Analysis — all evidence must be collected before containment begins
- C. Concurrent with containment — forensic evidence collection runs alongside containment activities
- D. Preparation — forensic tools must be pre-positioned before incidents
Correct: C
Forensic evidence collection runs concurrently with containment; NIST SP 800-61 treats evidence gathering as part of the containment work rather than something that follows it. The order of volatility governs the sequencing inside that overlap: record what isolation itself will change (live connections, ARP cache, routing table) before cutting the network, and capture RAM before any power-off, since memory survives a network disconnect but not a shutdown. Disk images follow the volatile captures. Evidence collection does not wait until the incident is over.
CISSP Mindset: Containment and forensic preservation are parallel activities, not sequential. Do not wait to collect evidence — especially RAM — as it disappears when systems are powered down.
FinTech Company X has a P3 incident (minor degradation) that began at 9 AM. By 11 AM, the degradation has expanded to affect all Partner A loan approval requests, meeting the P1 definition. What should the IR team do?
(A P3 incident began at 9 AM. By 11 AM the degradation has expanded to affect all Partner A loan approval requests, meeting the P1 definition. What should the IR team do?)
- A. Maintain P3 classification to avoid unnecessary escalation overhead
- B. Escalate to P1 — severity reclassification triggers new SLA timers and additional resources
- C. Close the P3 and open a new P1 incident ticket
- D. Wait until business hours the next day to reclassify, to avoid disturbing executives
Correct: B
Incidents must be dynamically reclassified as their impact changes. Escalating to P1 triggers the appropriate SLA timers (executive notification, additional resources, war room activation). Keeping an incident at an incorrect severity level means the wrong resources and procedures are applied. Option C is operationally incorrect — the same incident is reclassified, not closed and reopened.
CISSP Mindset: Incident severity is dynamic. Reclassify as impact grows. Downgrading is also valid as incidents are contained. Always match response intensity to actual impact.
A FinTech Company X system administrator discovers a web shell on a public-facing API server. They want to delete the web shell file immediately. The IR team lead insists on containing the server first. The admin argues this wastes time. Who is correct and why?
(A sysadmin finds a web shell on an API server and wants to delete it immediately. The IR lead requires isolating the server first. Who is right, and why?)
- A. The admin — deleting the web shell stops the threat fastest and minimizes exposure time
- B. The IR lead — containing first prevents the attacker from deploying additional web shells or pivoting to internal systems before eradication
- C. Both are wrong — the web shell should be reported to law enforcement before any action is taken
- D. The admin — containment is only needed for malware, not web shells
Correct: B
The IR lead is correct. Deleting the web shell without isolating the server first allows the attacker to: (1) notice on their next connection that the shell is gone and drop another one through the same unpatched vulnerability, (2) pivot to internal systems before losing their foothold, or (3) trigger a destructive payload. Containment (blocking the server's external connectivity) removes the attacker's access BEFORE eradication removes the artifact. Preserve the shell itself (copy it with a hash, keep the web server access log showing which source IPs used it) rather than simply deleting it, because that is the evidence for scoping and attribution.
CISSP Mindset: A web shell is both a persistence mechanism AND an access point. Contain (cut the attacker's connection) before eradicate (remove the web shell). Same rule every time.
🔍 Topic 2: Digital Forensics & Investigations (Q21–Q35)
A FinTech Company X forensic investigator arrives at a compromised Linux server that is still powered on. According to the RFC 3227 order of volatility, what should be collected FIRST?
(According to the RFC 3227 order of volatility, what should be collected FIRST from a Linux server that is still powered on?)
- A. Hard disk image — largest and most complete data source
- B. CPU registers and cache contents — most volatile, lost almost immediately
- C. Network configuration files stored on disk
- D. Security event logs from /var/log/
Correct: B
RFC 3227 order of volatility (most to least volatile): CPU registers/cache → RAM → swap/virtual memory → network state → running processes → disk → remote logs → physical media. RFC 3227 itself lists memory, routing/ARP tables, the process table and kernel statistics together as one tier; the finer ordering above is the exam's expansion of that tier. CPU registers are overwritten continuously; RAM contents disappear when power is cut. Always collect the most volatile evidence first. Hard disk images (A) and log files (D) are the LEAST volatile and are collected last.
CISSP Mindset: Memorize the volatility order: Registers → RAM → Swap → Network → Processes → Disk. "Most fleeting first" — the evidence that disappears fastest is worth collecting most urgently.
A FinTech Company X forensic investigator must collect evidence from a compromised system. Rank the following evidence sources from MOST volatile to LEAST volatile: (1) Disk image, (2) RAM contents, (3) Network connection state, (4) CPU cache.
(Rank from MOST volatile to LEAST volatile: disk image, RAM, network connection state, CPU cache.)
- A. CPU cache → RAM → Network connection state → Disk image
- B. RAM → CPU cache → Disk image → Network connection state
- C. Network connection state → RAM → CPU cache → Disk image
- D. Disk image → RAM → Network connection state → CPU cache
Correct: A
Correct order (most to least volatile): CPU cache (overwritten continuously as the CPU executes) → RAM (lost on power down, and changing constantly while the system runs) → network connection state (lives in kernel memory too, but individual connections disappear as they close and the whole table changes the moment you isolate the host) → disk image (persistent storage, stable for years). This matches RFC 3227 guidance. Always collect in this order to preserve the most transient evidence.
CISSP Mindset: CPU cache > RAM > Swap > Network > Processes > Disk. Cache is faster than RAM and more volatile. Never start with disk imaging when volatile evidence exists.
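The volatility ordering in the two questions above, as an added example rather than anything from the study guide: a collection plan is rejected if any step would gather a less volatile tier before a more volatile one, each capture is hashed as it is taken, and the manifest entries are hash-chained so that a later edit or reordering is detectable. The command plan is a constructed Linux example; the "memory" step stands in for a real RAM capture (LiME or avml) and the "disk" step for imaging the block devices.

```python
"""Volatility-ordered collection with a hash-chained evidence manifest.  Added
example; the command plan is constructed, and 'memory'/'disk' are placeholders
for a real RAM dump (LiME/avml) and block-device imaging (dd/ewfacquire)."""
import hashlib
import json
import shlex
import subprocess
import time

# RFC 3227 tiers, most volatile first. Items RFC 3227 lists together
# (memory, network/ARP state, process table, kernel statistics) share a rank.
VOLATILITY_RANK = {"registers": 0, "memory": 1, "network": 1, "processes": 1,
                   "tmpfs": 2, "disk": 3, "remote_logs": 4, "physical": 5}

COLLECTION_PLAN = [
    ("memory",    "cat /proc/meminfo"),                     # stand-in for a full RAM dump
    ("network",   "ss -tanp"),                               # live sockets + owning PIDs
    ("network",   "ip neigh"),                               # ARP cache, lost on isolation
    ("processes", "ps -eo pid,ppid,user,lstart,cmd"),
    ("processes", "cat /proc/modules"),                      # loaded kernel modules
    ("tmpfs",     "ls -la /dev/shm /tmp"),
    ("disk",      "lsblk -o NAME,SIZE,FSTYPE,MOUNTPOINT"),   # stand-in for imaging
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def plan_is_ordered(plan) -> bool:
    """True when no step collects a less volatile tier before a more volatile one."""
    ranks = [VOLATILITY_RANK[tier] for tier, _ in plan]
    return ranks == sorted(ranks)


def run_shell(cmd: str) -> bytes:
    """Default collector. On a real case run binaries from trusted media, not the
    suspect host's PATH: a rootkit may have replaced ps, ss and friends."""
    return subprocess.run(shlex.split(cmd), capture_output=True, timeout=60).stdout


def collect(plan, runner=run_shell, case_id="CASE-0000") -> list:
    """Execute the plan in order; hash-chain the manifest so that editing or
    reordering an entry afterwards is detectable."""
    if not plan_is_ordered(plan):
        raise ValueError("plan violates the order of volatility")
    manifest, prev = [], "0" * 64
    for seq, (tier, cmd) in enumerate(plan, 1):
        started = time.time()  # wall clock; record the host's clock skew separately
        out = runner(cmd)
        digest = sha256_hex(out)
        entry = {"case": case_id, "seq": seq, "tier": tier, "command": cmd,
                 "started_at": started, "bytes": len(out), "sha256": digest,
                 "chain": sha256_hex(f"{prev}{seq}{tier}{digest}".encode())}
        manifest.append(entry)
        prev = entry["chain"]
    return manifest


def chain_ok(manifest) -> bool:
    """Recompute the chain; any edited, dropped or reordered entry breaks it."""
    prev = "0" * 64
    for e in manifest:
        if e["chain"] != sha256_hex(f"{prev}{e['seq']}{e['tier']}{e['sha256']}".encode()):
            return False
        prev = e["chain"]
    return True


if __name__ == "__main__":
    print(json.dumps(collect(COLLECTION_PLAN), indent=1))
```

The `runner` parameter exists so the sequencing and manifest logic can be exercised without touching a live host; the default runner shells out to the listed commands.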
Before imaging a hard drive from a compromised FinTech Company X workstation, a forensic investigator connects it through a write blocker. What is the PRIMARY purpose of a write blocker?
(What is the primary purpose of a write blocker before imaging a hard drive?)
- A. To speed up the imaging process by optimizing read performance
- B. To prevent any writes to the evidence drive, ensuring the original data is not altered during imaging
- C. To encrypt the evidence drive before imaging to protect sensitive data
- D. To convert the drive format to a forensic-compatible file system
Correct: B
A write blocker (hardware or software) intercepts every write command sent to the evidence drive and discards it, allowing only reads. This preserves the integrity of the original evidence: the forensic image is a bit-for-bit copy and the original is unchanged by the act of copying. Without a write blocker, merely attaching a drive lets the OS write to it (mounting, updating access timestamps, replaying a filesystem journal), destroying evidence integrity. A read-only mount option is not a substitute: some journaling filesystems replay their journal even when mounted read-only, and the OS may touch the device before any mount option applies.
CISSP Mindset: Write blockers protect evidence integrity. No write blocker = potentially inadmissible evidence in court. This is non-negotiable in forensic investigations.
A FinTech Company X forensic investigator creates a disk image of a compromised server. They compute an MD5 hash of the original drive and the forensic image. The hashes match. Why is this hash verification critical in forensic investigations?
(Why is verifying the hash of the original drive against the forensic image important?)
- A. Hash verification speeds up analysis by enabling indexed searching
- B. Matching hashes prove the forensic image is an exact copy of the original evidence, establishing integrity for admissibility
- C. Hash verification encrypts the evidence to prevent unauthorized access
- D. Hashes identify the malware family used in the attack
Correct: B
Hash verification (of the source before imaging and of the image afterwards) proves that the forensic copy is bit-for-bit identical to the original evidence. This is critical for legal admissibility: matching hashes rebut a claim that the evidence was altered, while a mismatch means the image's integrity cannot be established and it may be inadmissible. Imaging tools traditionally record MD5 and SHA-1; add SHA-256, because MD5 and SHA-1 collisions can be manufactured and a hash that can be forged proves less. Document the hashes in the chain of custody record and re-verify them at every hand-off.
CISSP Mindset: Hash before AND after = proof of integrity. "If the hash doesn't match, you can't attach." Document both hashes in the chain of custody.
FinTech Company X's legal team intends to use forensic evidence from a cyberattack in civil litigation. The forensic investigator collected a server image but did not maintain documented chain of custody. What is the likely consequence?
(Forensic evidence will be used in a lawsuit, but no chain of custody was recorded. What is the likely consequence?)
- A. The evidence will be automatically encrypted and unusable
- B. The evidence may be ruled inadmissible in court because its integrity cannot be proven
- C. The investigation must restart from scratch with properly collected evidence
- D. The investigator will face criminal charges for improper evidence handling
Correct: B
Chain of custody documents who collected, handled, transferred, and stored evidence at every step. Without this documentation, defense counsel can challenge the evidence's integrity — claiming it could have been tampered with or contaminated. Courts may rule such evidence inadmissible, potentially collapsing the case. Chain of custody = admissibility. No chain of custody = questionable or inadmissible evidence.
CISSP Mindset: Chain of custody = the legal passport for evidence. Every person who touches evidence must be documented. Gaps in the chain create doubt in court.
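Image hash verification and the chain-of-custody record from the two questions above, as one added example (not material from the study guide): acquisition hashes the source, images it, hashes the image and refuses to continue on a mismatch; every hand-off re-hashes the image and appends an entry; and `custody_ok` performs the check opposing counsel would make. `shutil.copyfileobj` stands in for dd or ewfacquire behind a write blocker, and the evidence "drive" is a constructed file.

```python
"""Forensic image verification and a chain-of-custody log.  Added example;
shutil.copyfileobj stands in for dd/ewfacquire behind a write blocker, and the
evidence drive is a constructed file of random bytes."""
import hashlib
import os
import shutil
import tempfile
import time


def dual_hash(path: str) -> dict:
    """MD5 and SHA-256 together: MD5 to match what older tool reports record,
    SHA-256 because MD5 collisions can be manufactured."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            md5.update(chunk)
            sha.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def acquire(source: str, image: str, examiner: str) -> list:
    """Hash the source, image it, hash the image; refuse to proceed on mismatch.
    Returns the newly opened custody log."""
    before = dual_hash(source)
    with open(source, "rb") as src, open(image, "wb") as dst:
        shutil.copyfileobj(src, dst, 1 << 20)
    after = dual_hash(image)
    if before != after:
        raise RuntimeError(f"acquisition hash mismatch: {before} != {after}")
    return [{"seq": 1, "action": "acquire", "by": examiner, "at": time.time(),
             "item": image, "source_hashes": before, **after}]


def handoff(log: list, to: str, note: str = "") -> list:
    """Every transfer re-hashes the image and appends an entry."""
    image = log[0]["item"]
    log.append({"seq": len(log) + 1, "action": "transfer", "by": to,
                "at": time.time(), "item": image, "note": note, **dual_hash(image)})
    return log


def custody_ok(log: list) -> bool:
    """Admissibility check: the log opens with acquisition, sequence numbers and
    timestamps are unbroken, and the hashes never change."""
    if not log or log[0]["action"] != "acquire":
        return False
    ref = (log[0]["md5"], log[0]["sha256"])
    seqs = [e["seq"] for e in log]
    times = [e["at"] for e in log]
    return (seqs == list(range(1, len(log) + 1))
            and times == sorted(times)
            and all((e["md5"], e["sha256"]) == ref for e in log))


def demo_paths() -> tuple:
    """Constructed evidence drive (16 KiB of random bytes) and an image path."""
    d = tempfile.mkdtemp(prefix="case-")
    src = os.path.join(d, "sdb.raw")
    with open(src, "wb") as f:
        f.write(os.urandom(4096) * 4)
    return src, os.path.join(d, "sdb.img")


def tamper(image: str) -> None:
    """Constructed: flip one byte of the image after acquisition."""
    with open(image, "r+b") as f:
        f.seek(100)
        b = f.read(1)
        f.seek(100)
        f.write(bytes([b[0] ^ 0xFF]))


if __name__ == "__main__":
    src, img = demo_paths()
    log = acquire(src, img, "analyst-1")
    handoff(log, "evidence-locker", "sealed bag #1")
    print("custody ok:", custody_ok(log))
    tamper(img)
    handoff(log, "legal-hold")
    print("custody ok after tamper:", custody_ok(log))
```

The log records the source hashes separately from the image hashes so that a reviewer can see both the pre-acquisition and post-acquisition values rather than a single "verified" flag.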
During a forensic investigation of a FinTech Company X insider threat incident, the forensic team uses HashiCorp Vault audit logs to reconstruct which secrets were accessed by a former employee. What forensic role do Vault audit logs serve?
(What forensic role do Vault audit logs serve in an insider investigation?)
- A. Vault audit logs are volatile evidence that must be collected before RAM
- B. Vault audit logs serve as tamper-evident audit trails establishing a timeline of secret access for forensic reconstruction
- C. Vault audit logs are considered hearsay and are inadmissible in legal proceedings
- D. Vault audit logs only record failed access attempts, not successful ones
Correct: B
Vault audit logs record every request and response (with token info, paths accessed, and timestamps) in a tamper-evident format. They serve as a forensic audit trail for identifying which secrets were accessed, when, and by which identity. This is critical for insider threat investigations. Vault audit logs are non-volatile (stored on disk/SIEM) and are admissible as business records when properly maintained with chain of custody.
CISSP Mindset: Application audit logs (Vault, AWS CloudTrail, ArgoCD audit logs) are valuable forensic artifacts. They provide a timeline that complements system-level forensics.
A forensic investigator at FinTech Company X finds that an attacker used the "shred" command on Linux to overwrite and delete log files before the investigation began. This is an example of which technique?
(The attacker used the "shred" command to overwrite and delete log files. Which technique is this an example of?)
- A. Log tampering — a standard IR evasion technique
- B. Anti-forensics — deliberate destruction or obfuscation of evidence to hinder investigation
- C. Steganography — hiding data within other files
- D. Data masking — protecting sensitive data from unauthorized access
Correct: B
Anti-forensics encompasses any technique used to obstruct forensic investigation: overwriting files (shred, wipe), clearing logs, manipulating timestamps, using encryption, or using self-destructing malware. "shred" on Linux performs multiple overwrites to make file recovery difficult. Investigators counter with: timeline analysis, file system artifacts (inode data), memory forensics, and SIEM logs that may have captured events before deletion.
CISSP Mindset: Evidence of anti-forensics is itself evidence of consciousness of guilt. Anomalies (all logs deleted at the same second) reveal the act even when the original evidence is destroyed.
FinTech Company X receives a litigation hold notice from its legal counsel related to a data breach lawsuit. The notice covers emails, Slack messages, and database records from the past 18 months. When must the legal hold be applied?
(When must a legal hold be applied to prevent data deletion after a preservation notice is received?)
- A. After the forensic investigation is complete, to avoid interfering with the technical process
- B. Immediately upon receiving the litigation hold notice — BEFORE any data in scope is deleted, even by routine retention schedules
- C. Within 30 days of receiving the notice, as allowed by standard e-discovery timelines
- D. Only when a court order is formally issued, not when legal counsel sends an internal notice
Correct: B
Legal hold must be applied IMMEDIATELY upon receiving the notice — BEFORE any data is deleted. This includes suspending routine data retention/deletion schedules (e.g., "delete emails older than 90 days" cron jobs). Failure to preserve data after receiving a litigation hold notice can constitute spoliation of evidence, resulting in severe legal sanctions including adverse inference instructions to juries.
CISSP Mindset: Legal hold → STOP all deletion immediately. "We'll get to it" is spoliation. The hold must interrupt automated deletion schedules the moment the notice arrives.
Three days after FinTech Company X receives a legal hold notice covering its Datadog and SIEM logs, the automated log rotation policy deletes 45 days of logs. The IT team was not informed of the legal hold. What is the PRIMARY failure?
(Three days after the legal hold was received, the automated log rotation policy deleted 45 days of logs because the IT team was not notified. What is the primary failure?)
- A. The legal hold notice was improperly worded and thus not legally binding
- B. Failure to implement the legal hold across all data custodians and systems before automated deletion occurred
- C. Datadog and SIEM logs are not covered by e-discovery obligations
- D. IT team is exempt from legal hold obligations — only legal counsel manages evidence
Correct: B
Legal holds must be communicated to ALL data custodians (IT, DevOps, HR, etc.) and implemented on ALL systems containing in-scope data. Failure to notify the IT team meant automated deletion schedules continued, destroying potentially relevant evidence. Legal hold must immediately trigger system-level holds on all relevant data stores, including SIEM logs, Datadog, emails, databases.
CISSP Mindset: Legal hold notification must reach every data custodian AND every automated system that touches in-scope data. It is not enough to tell the legal team — IT operations must implement the hold.
FinTech Company X runs on AWS. During a forensic investigation, the team needs to collect evidence from an EC2 instance involved in data exfiltration. What is the PRIMARY challenge of cloud forensics compared to traditional on-premises forensics?
(What is the primary challenge of cloud forensics compared to traditional forensics?)
- A. Cloud instances cannot be imaged — only log files are available for forensic analysis
- B. Limited physical access, shared infrastructure, data jurisdiction issues, and potential evidence loss if instances are terminated
- C. AWS prohibits forensic investigations on its infrastructure without a court order
- D. Cloud forensics is identical to on-premises forensics — the same tools and procedures apply
Correct: B
Cloud forensics challenges include: (1) No physical access to hardware — limited to logical access via cloud APIs, (2) Shared multi-tenant infrastructure, (3) Data jurisdiction (where is the data legally located?), (4) Evidence volatility — instances can be auto-terminated by scaling policies, destroying evidence, (5) API log limitations. AWS provides forensic capabilities (EBS snapshots, CloudTrail, VPC Flow Logs) but requires different procedures than on-prem.
CISSP Mindset: Cloud forensics requires cloud-native tools and pre-established procedures. "Preserve before terminate" — snapshot EBS volumes immediately when an incident is detected on cloud instances.
A FinTech Company X security analyst is investigating malware on a Windows server. The analyst must choose between: first running a memory dump, or first taking a hard disk image (which takes 3 hours). What should they do?
(The analyst must choose between dumping memory first or creating a disk image first (which takes 3 hours). What should they do?)
- A. Take the disk image first — it contains more data and takes longer, so prioritize it
- B. Run the memory dump first — RAM is volatile and will be lost if the system is powered down during the 3-hour disk imaging
- C. Do both simultaneously to save time
- D. Neither — ask law enforcement to collect evidence first
Correct: B
RAM (memory) is volatile — it is lost the moment the system loses power. A 3-hour disk imaging process creates a window during which the system could be powered down (intentionally or due to a crash), destroying all RAM contents. Memory dumps capture: running processes, encryption keys, network connections, malware artifacts in memory, and credentials that may not appear on disk. Always collect RAM BEFORE long disk imaging operations.
CISSP Mindset: RAM before disk — always. 3 hours is a long time for volatile evidence to survive. Collect what will disappear first, then what is persistent.
FinTech Company X's legal team sends a legal hold notice for all communications related to a former data science employee. HR's standard policy auto-deletes terminated employee accounts after 30 days. The legal hold notice arrives on Day 25 after termination. What MUST happen?
(The legal hold notice arrives on Day 25 after the employee left. HR policy automatically deletes the account after 30 days. What MUST happen?)
- A. Follow the standard HR policy — 30-day account deletion is automatic and cannot be interrupted
- B. The legal hold supersedes the automated deletion policy — the account and all associated data must be preserved immediately, regardless of the 30-day timer
- C. Export only the email account before deletion, as emails are the only legally relevant communications
- D. Consult with the former employee before preserving their account data
Correct: B
A legal hold OVERRIDES all automated data retention and deletion schedules. Upon receiving the notice (Day 25), the account deletion must be suspended indefinitely until the legal hold is lifted. All data associated with the account (email, Slack, code repos, database access logs) must be preserved. Allowing automated deletion to proceed after receiving a legal hold constitutes spoliation, which can result in serious legal sanctions.
CISSP Mindset: Legal hold = override all deletion automation. Applied BEFORE deletion, not after. Five days is plenty of time to preserve — there is no excuse for allowing automated deletion to proceed after receiving a hold notice.
A FinTech Company X forensic investigator is presented with: (1) Active TCP connections, (2) HDD sectors, (3) ARP cache, (4) CPU registers, (5) Temp files on disk. Which collection order correctly follows the order of volatility from MOST to LEAST volatile?
(Which collection order is correct according to the order of volatility?)
- A. CPU registers → ARP cache → Active TCP connections → Temp files → HDD sectors
- B. ARP cache → CPU registers → Active TCP connections → HDD sectors → Temp files
- C. HDD sectors → Temp files → Active TCP connections → ARP cache → CPU registers
- D. Active TCP connections → CPU registers → ARP cache → Temp files → HDD sectors
Correct: A
Volatility order: CPU registers (nanoseconds) → ARP cache (minutes — expires based on ARP timeout) → Active TCP connections (minutes to hours — terminated when closed) → Temp files on disk (hours to days — may survive reboots) → HDD sectors (months to years — persistent). ARP cache entries typically expire in minutes, making them more volatile than active TCP connections which persist until explicitly closed.
CISSP Mindset: ARP cache is more volatile than active connections because ARP entries have short TTLs (typically 2-20 minutes). TCP connections persist until explicitly closed or timed out.
When imaging a suspect hard drive for forensic analysis, a FinTech Company X investigator creates a bit-for-bit copy. Which of the following is TRUE about forensic imaging best practices?
(Which of the following is TRUE about forensic imaging best practices?)
- A. Investigators should work directly on the original drive to avoid any data loss during copying
- B. All forensic analysis is performed on the forensic copy (image), never on the original evidence drive
- C. The original drive should be formatted after imaging to protect the owner's privacy
- D. Only files with known malicious hashes need to be imaged — benign files can be skipped
Correct: B
Golden rule of forensic imaging: NEVER work on original evidence. Create a forensic copy (image) and work only on the copy. Store the original evidence securely as the "master" copy. The original drive is preserved in its original state for chain of custody. If the working copy is corrupted during analysis, another copy can be made from the preserved original.
CISSP Mindset: Original evidence = museum piece, never touched again. Working copy = where all analysis happens. Hash both before starting to prove the copy is accurate.
FinTech Company X's security team discovers that an AWS Lambda function used for credit scoring was executing unauthorized code. The function has since been auto-deleted. What forensic sources are MOST likely to contain useful evidence?
(The AWS Lambda function has been auto-deleted. Which forensic sources are most likely to contain useful evidence?)
- A. The Lambda function's source code stored in RAM — this is the most volatile evidence
- B. AWS CloudTrail logs, CloudWatch logs, VPC Flow Logs, and any S3 buckets or DynamoDB tables the function accessed
- C. The Lambda function cannot be investigated since it has been deleted
- D. Physical memory from the AWS server that ran the Lambda function
Correct: B
Even when a Lambda function is deleted, cloud-native logs persist independently: CloudTrail logs all API calls (who invoked the function, what parameters), CloudWatch Logs capture function output and errors, VPC Flow Logs show network connections, and accessed resources (S3, DynamoDB) retain their own access logs. Cloud forensics relies on these persistent log sources. Physical access to AWS servers (D) is not possible for customers.
CISSP Mindset: In cloud environments, logs outlive the resources they describe. CloudTrail, CloudWatch, and VPC Flow Logs are the forensic backbone — ensure they are enabled and retained BEFORE incidents occur.
📊 Topic 3: Security Monitoring, SIEM & Threat Hunting (Q36–Q50)
FinTech Company X's Datadog SIEM has a correlation rule that fires when: (1) >10 failed logins from the same IP in 5 minutes, AND (2) a successful login follows within 2 minutes. What attack technique does this detect?
(A SIEM correlation rule: >10 failed logins in 5 minutes, AND a successful login within the following 2 minutes. Which attack technique is detected?)
- A. SQL injection targeting the database layer
- B. Brute force attack leading to successful credential compromise
- C. Distributed Denial of Service (DDoS) targeting the authentication service
- D. Session hijacking after a phishing attack
Correct: B
This correlation rule detects a brute force attack pattern: multiple failed authentications (brute force attempt) followed by a successful login (successful compromise). The combination of these two events is much more significant than either alone — failed logins alone could be a user forgetting their password, but failed + successful within 2 minutes strongly suggests automated password-guessing that succeeded.
CISSP Mindset: SIEM correlation rules combine multiple low-fidelity events to detect high-fidelity attack patterns. Single events generate noise; correlated events generate intelligence.
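The correlation rule from this question, implemented as an added example (not code from the quiz or from Datadog), run over constructed auth events in a hypothetical log format; the thresholds, the log layout and the source IPs are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample auth events (not real logs). Three source IPs:
#   203.0.113.7  -> 11 failures in 150 s, then a success 40 s later   (should alert)
#   198.51.100.5 -> 3 failures, then a success (user mistyped a password, no alert)
#   192.0.2.9    -> 12 failures, success 6 min after the last failure (outside the 2-min window, no alert)
_BASE = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)


def _line(offset_s, outcome, user, ip):
    ts = (_BASE + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"{ts} api-gw auth {outcome} user={user} src={ip}"


SAMPLE_LOG = "\n".join(
    [_line(15 * i, "FAILED", "admin", "203.0.113.7") for i in range(11)]
    + [_line(190, "SUCCESS", "admin", "203.0.113.7")]
    + [_line(20 * i, "FAILED", "alice", "198.51.100.5") for i in range(3)]
    + [_line(70, "SUCCESS", "alice", "198.51.100.5")]
    + [_line(10 * i, "FAILED", "svc-batch", "192.0.2.9") for i in range(12)]
    + [_line(110 + 360, "SUCCESS", "svc-batch", "192.0.2.9")]
)

# Hypothetical log format: "<ISO-8601 UTC> <host> auth <FAILED|SUCCESS> user=<u> src=<ip>"
LINE_RE = re.compile(r"^(\S+) \S+ auth (FAILED|SUCCESS) user=(\S+) src=(\S+)$")


def parse_events(text):
    """Parse matching lines into dicts and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not auth events
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "outcome": m.group(2), "user": m.group(3), "ip": m.group(4)})
    return sorted(events, key=lambda e: e["ts"])


def correlate_bruteforce(events, fail_threshold=10,
                         fail_window=timedelta(minutes=5),
                         success_window=timedelta(minutes=2)):
    """Alert when a success from an IP follows, within success_window, a burst of
    more than fail_threshold failures from that same IP inside fail_window."""
    failures = defaultdict(list)   # ip -> timestamps of failed logins seen so far
    alerts = []
    for e in events:               # events are time-ordered, so the state is causal
        if e["outcome"] == "FAILED":
            failures[e["ip"]].append(e["ts"])
            continue
        # Condition 2: a failure from this IP no more than success_window before the success
        recent = [t for t in failures[e["ip"]] if e["ts"] - success_window <= t <= e["ts"]]
        if not recent:
            continue
        # Condition 1: the 5-minute window ending at that failure holds > threshold failures
        last_fail = max(recent)
        burst = [t for t in failures[e["ip"]] if last_fail - fail_window < t <= last_fail]
        if len(burst) > fail_threshold:
            alerts.append({
                "ip": e["ip"], "user": e["user"], "success_at": e["ts"].isoformat(),
                "failures": len(burst),
                "burst_seconds": round((last_fail - burst[0]).total_seconds()),
            })
    return alerts


if __name__ == "__main__":
    for a in correlate_bruteforce(parse_events(SAMPLE_LOG)):
        print(f"ALERT brute force followed by success: {a}")
```

Only the first IP fires: three failures are noise, and twelve failures with a success six minutes later fall outside the 2-minute window, which is the point of requiring both conditions.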
FinTech Company X's SOC has three tiers. A Tier 1 analyst receives a Datadog alert for anomalous API traffic and, after initial triage, determines the alert requires deeper analysis. What is the CORRECT Tier 1 action?
(After initial triage, the alert needs deeper analysis. What is the correct SOC Tier 1 action?)
- A. Escalate to Tier 2 analysts who handle deeper incident investigation and threat analysis
- B. Close the alert as a false positive — Tier 1 does not investigate further
- C. Escalate directly to the CISO — Tier 1 cannot make any decisions
- D. Begin full forensic investigation including memory and disk imaging
Correct: A
SOC tier structure: Tier 1 = alert triage, initial analysis, false positive filtering, and escalation. Tier 2 = deeper incident investigation, threat hunting, and response coordination. Tier 3 = advanced threat hunting, forensics, reverse engineering, and threat intelligence. When Tier 1 determines an alert warrants deeper analysis, they escalate to Tier 2 — not to the CISO (too high) and not to full forensics (Tier 3's responsibility).
CISSP Mindset: SOC tiering efficiently routes alerts to the right expertise level. T1 filters noise; T2 investigates; T3 hunts and does forensics. Escalate, do not skip tiers.
A FinTech Company X attacker first compromised a system at 14:00 Monday. Datadog detected the compromise at 10:00 Tuesday (20 hours later). The SOC opened an incident ticket at 10:15. What is the MTTD for this incident?
(The attacker compromised the system at 14:00 Monday. Datadog detected it at 10:00 Tuesday. The ticket was opened at 10:15. What is the MTTD?)
- A. 15 minutes — from alert generation to ticket creation
- B. 20 hours — from the time of initial compromise to detection by Datadog
- C. 20 hours 15 minutes — from compromise to ticket opening
- D. MTTD cannot be calculated for a single incident
Correct: B
MTTD (Mean Time to Detect) measures the time from when an incident actually began to when it was detected by monitoring systems. In this case: 14:00 Monday to 10:00 Tuesday = 20 hours. The ticket opening at 10:15 is irrelevant to MTTD. MTTD starts from the INCIDENT START, not from when the analyst responded. Lower MTTD = better detection capability.
CISSP Mindset: MTTD = from incident START to detection. MTTR = from detection to resolution. Datadog IS the detection point — the clock stops when the alert fires, not when the ticket is opened.
Following detection of a security incident at 10:00, FinTech Company X's SOC fully resolved it (systems restored, vulnerabilities patched, threat removed) at 18:00 the same day. What is the MTTR for this incident?
(The incident was detected at 10:00 and fully resolved at 18:00 the same day. What is the MTTR?)
- A. 8 hours — from detection to full resolution
- B. 28 hours — combining MTTD (20 hours) and resolution time
- C. 20 hours — same as MTTD since they are calculated together
- D. MTTR cannot be calculated for a single incident
Correct: A
MTTR (Mean Time to Respond/Resolve) is measured from DETECTION to full resolution. Detection was at 10:00; resolution was at 18:00 = 8 hours MTTR. MTTD (20 hours) and MTTR (8 hours) are separate metrics measured from different start points. Total incident duration = MTTD + MTTR = 28 hours (compromise to resolution). Reduce MTTD with better monitoring; reduce MTTR with better IR procedures.
CISSP Mindset: MTTD and MTTR are separate clocks. MTTD clock starts at compromise; MTTR clock starts at detection. Total time = MTTD + MTTR.
FinTech Company X's security team proactively searches their network for signs of compromise without waiting for alerts, using hypotheses based on threat intelligence about financial sector APT groups. This activity is best described as:
(The security team proactively searches for signs of compromise without waiting for alerts, using hypotheses based on threat intelligence. What is this activity?)
- A. Reactive incident response — waiting for alerts before acting
- B. Threat hunting — proactive, hypothesis-driven search for threats that have evaded automated detection
- C. Vulnerability assessment — scanning for known vulnerabilities in systems
- D. Penetration testing — simulating attacker techniques to find weaknesses
Correct: B
Threat hunting is proactive — analysts formulate hypotheses (e.g., "if APT group X targeted us, what TTPs would we expect to see?") and then search for evidence of those TTPs in existing logs and telemetry, without waiting for automated alerts. This is fundamentally different from reactive IR (responding to existing alerts) and vulnerability assessment (finding weaknesses before attackers do). Threat hunting assumes the adversary may already be inside.
CISSP Mindset: Threat hunting assumes breach — "they might already be here." The key differentiator is hypothesis-driven proactive search vs alert-driven reactive response.
FinTech Company X's threat intel team receives a report containing: (a) a list of malicious IP addresses and file hashes, and (b) behavioral patterns describing how an APT group uses living-off-the-land techniques. Which correctly classifies these intelligence types?
(Classify: (a) a list of malicious IPs and file hashes, (b) a description of an APT group's living-off-the-land techniques.)
- A. (a) is IOA (Indicator of Attack); (b) is IOC (Indicator of Compromise)
- B. (a) is IOC (Indicator of Compromise); (b) is IOA (Indicator of Attack) / behavioral TTP
- C. Both (a) and (b) are IOCs — all threat intelligence is classified as IOC
- D. (a) is strategic intelligence; (b) is operational intelligence
Correct: B
IOCs (Indicators of Compromise) are artifacts that indicate a system has been compromised: IP addresses, domain names, file hashes, registry keys, malware signatures. IOAs (Indicators of Attack) describe attacker behaviors and TTPs — what the attacker is DOING, not what they left behind. IOAs are harder to evade because changing an IP doesn't change attack behavior. Behavioral patterns = IOA/TTP; specific artifacts = IOC.
CISSP Mindset: IOC = "what they left" (artifact-based). IOA = "what they're doing" (behavior-based). IOAs are more durable intelligence because attackers can change IPs and hashes but struggle to change their fundamental behaviors.
FinTech Company X's threat hunting team uses MITRE ATT&CK framework to hypothesize that a threat actor may have used "Credential Dumping" (T1003) on their Active Directory environment. What is the PRIMARY benefit of using MITRE ATT&CK for threat hunting?
(What is the primary benefit of using MITRE ATT&CK for threat hunting?)
- A. MITRE ATT&CK automatically generates alerts in SIEM systems
- B. It provides a structured taxonomy of adversary TTPs, enabling hypothesis-driven hunts based on known real-world attack behaviors
- C. MITRE ATT&CK contains signatures for all known malware families
- D. It replaces the need for threat intelligence feeds by providing all necessary IOCs
Correct: B
MITRE ATT&CK provides a knowledge base of adversary tactics (the why), techniques (the how), and sub-techniques (specific implementations) based on real-world observations. For threat hunting, it enables analysts to formulate specific hypotheses: "If a threat actor used T1003 (Credential Dumping), what logs and artifacts would we expect?" This structured approach ensures systematic coverage of known threat behaviors rather than ad hoc searching.
CISSP Mindset: MITRE ATT&CK is a TTP framework, not a signature database. It maps "what attackers do" to "where to look" — enabling proactive hunting rather than reactive detection.
FinTech Company X's CISO receives a high-level report about nation-state threats targeting Southeast Asian fintech companies. The SOC receives a technical feed with malicious IP addresses and file hashes. A threat analyst produces a report on specific APT tactics used against Vietnamese financial firms. Classify these intelligence types correctly.
(Classify the threat intelligence types: a high-level threat report, a technical IP/hash feed, and a report on specific APT tactics.)
- A. All three are tactical intelligence — they all relate to specific threats
- B. CISO report = Strategic; IP/hash feed = Technical/Tactical; APT tactics report = Operational
- C. CISO report = Operational; IP/hash feed = Strategic; APT tactics report = Technical
- D. The three types are raw, processed, and finished intelligence — not strategic/tactical/operational
Correct: B
Threat intelligence types: Strategic = high-level trends and risks for executive decision-making (CISO report about nation-state threats). Tactical = specific TTPs and attack methods for security teams (APT tactics report). Technical/Operational = specific IOCs (IPs, hashes, domains) for immediate technical use in detection tools. The CISO report informs risk decisions; the IP/hash feed feeds SIEM rules; the APT tactics report guides hunter hypotheses.
CISSP Mindset: Match intel type to consumer: Strategic → executives (risk decisions), Tactical → security architects (TTP-based defenses), Technical → SOC analysts (SIEM rules, blocklists).
FinTech Company X uses Datadog for SIEM capabilities. The SOC wants to measure how long it takes to detect threats. Datadog should measure MTTD starting from which event?
(From which event should Datadog start measuring MTTD?)
- A. When the SOC analyst opens the incident ticket
- B. When the first suspicious event (the actual incident start) is observed in logs or system telemetry
- C. When the Datadog alert fires and notifies the on-call engineer
- D. When the incident is escalated from Tier 1 to Tier 2
Correct: B
MTTD measures from when the incident actually STARTED (first observable event in logs, not when detected) to when it was detected. This captures the "dwell time" — how long an attacker was active before being noticed. The Datadog alert firing is when detection occurs (the END of MTTD). MTTD = time between first log evidence of the incident and the alert/detection event. This is how FinTech Company X should configure MTTD measurement in Datadog.
CISSP Mindset: MTTD captures "dwell time" — how long attackers operated undetected. Longer MTTD = more damage potential. Lower MTTD = faster detection = less damage.
FinTech Company X's SOC is experiencing alert fatigue — Tier 1 analysts are overwhelmed by 2,000 alerts per day, 95% of which are false positives. What is the BEST approach to address this?
(The SOC is experiencing alert fatigue with 2,000 alerts/day, 95% of them false positives. What is the best approach?)
- A. Hire more Tier 1 analysts to handle the volume
- B. Disable low-confidence rules to reduce alert volume
- C. Tune SIEM correlation rules, implement alert prioritization, and use SOAR automation to handle routine false positives
- D. Raise the alert threshold so only critical severity alerts fire
Correct: C
Alert fatigue is best addressed through a combination of: (1) Tuning SIEM correlation rules to reduce false positive rates without eliminating true positives, (2) Implementing SOAR (Security Orchestration, Automation and Response) to automatically handle known false positive patterns, (3) Risk-based alert prioritization. Simply hiring more analysts (A) doesn't solve the root cause. Disabling rules (B) or raising thresholds (D) blindly reduces detection capability.
CISSP Mindset: Alert fatigue is a security risk — burned-out analysts miss real threats. The solution is quality over quantity: better rules, automation for known patterns, and clear prioritization.
FinTech Company X wants to ensure all security-relevant logs are centralized and cannot be tampered with by compromised systems. What architecture best meets this requirement?
(FinTech Company X wants to ensure all important logs are centralized and cannot be tampered with by compromised systems. Which architecture is most appropriate?)
- A. Store logs locally on each system in encrypted files
- B. Forward logs immediately to a separate, hardened, write-once SIEM/log repository that the source systems cannot modify
- C. Compress and archive logs monthly to a backup server
- D. Allow each system owner to manage their own logs according to their team's policy
Correct: B
A centralized, hardened log repository that source systems cannot modify provides two critical properties: (1) Centralization — all logs in one place for correlation and analysis, (2) Tamper-resistance — if a system is compromised, the attacker cannot delete or modify logs already forwarded. "Write-once" or WORM (Write Once Read Many) storage prevents log tampering. This is why remote syslog forwarding to a protected SIEM is a security best practice.
CISSP Mindset: Logs stored on compromised systems are worthless — attackers delete them first. Central, write-once log storage is a fundamental forensic and monitoring requirement.
FinTech Company X's SIEM detects that a data engineer's account, which normally queries 500 records per day during business hours from Vietnam, suddenly queried 50,000 records at 2 AM from a Singapore IP address. This detection relies on which analytical technique?
(The SIEM detects a data engineer's account suddenly querying 50,000 records at 2 AM from a Singapore IP. Which analytical technique detects this?)
- A. Signature-based detection — matching known attack patterns
- B. User and Entity Behavior Analytics (UEBA) — detecting deviations from established behavioral baselines
- C. Vulnerability scanning — identifying known weaknesses
- D. Network traffic analysis — examining packet-level data
Correct: B
UEBA (User and Entity Behavior Analytics) establishes behavioral baselines for users and entities, then detects anomalies. In this case: 500 records/day → 50,000 records (100x normal volume), business hours → 2 AM (unusual time), Vietnam IP → Singapore IP (unusual location). None of these individually might trigger a signature rule, but together they represent a significant behavioral anomaly. UEBA catches what signatures miss.
CISSP Mindset: UEBA detects the "impossible" and "improbable" — behaviors that deviate significantly from established patterns. It's especially effective for insider threats and compromised credentials.
FinTech Company X's threat hunting team hypothesizes that a threat actor may have abused ArgoCD (GitOps deployment tool) to deploy malicious workloads. Which data sources would be MOST useful for this hunt?
(The threat hunting team hypothesizes that an attacker may have abused ArgoCD to deploy malicious workloads. Which data sources are most useful?)
- A. Network packet captures only — ArgoCD attacks are network-based
- B. ArgoCD audit logs, Git commit history, Kubernetes admission controller logs, and RBAC permission changes
- C. Only SIEM alerts — ArgoCD attacks would always trigger automated detection
- D. Employee badge access logs — ArgoCD abuse requires physical access
Correct: B
Hunting for ArgoCD abuse requires examining: (1) ArgoCD audit logs — who changed what app definitions and when, (2) Git commit history — unauthorized changes to deployment manifests, (3) Kubernetes admission controller logs — what was actually deployed, (4) RBAC changes — were permissions elevated to enable the abuse? Cross-referencing these sources reveals unauthorized deployment changes that bypassed normal change management controls.
CISSP Mindset: Threat hunting for supply chain and CI/CD attacks requires application-specific audit logs (ArgoCD, Git, K8s). These are different from traditional security logs but equally critical in cloud-native environments.
FinTech Company X's SIEM correlation rule generates an alert when outbound data transfer from any production server exceeds 500 MB in 10 minutes. This rule is designed to detect which type of threat?
(A SIEM rule alerts when outbound data from any production server exceeds 500 MB in 10 minutes. What type of threat is this rule designed to detect?)
- A. Denial of Service (DoS) attacks consuming bandwidth
- B. Data exfiltration — large-scale unauthorized transfer of data outside the organization
- C. Man-in-the-middle attacks intercepting production traffic
- D. Brute force authentication attacks against production systems
Correct: B
A data egress threshold rule (large outbound transfer in a short time from production) is specifically designed to detect data exfiltration — an attacker or insider stealing large amounts of data. Production servers typically do not legitimately send 500 MB outbound in 10 minutes to external destinations. This is a common detection control for the "Exfiltration" tactic in MITRE ATT&CK. DoS attacks consume inbound bandwidth; they do not generate large outbound transfers.
CISSP Mindset: Outbound volume anomalies = exfiltration detection. Inbound volume anomalies = DDoS/DoS detection. Know the directionality of each threat type.
FinTech Company X's security team observes regular, small (5KB) outbound connections from an internal server to an external IP every 60 seconds, even outside business hours. No legitimate application is known to use this pattern. What threat does this behavioral pattern most likely indicate?
(An internal server makes small 5 KB outbound connections every 60 seconds, even outside business hours. What threat does this most likely indicate?)
- A. DDoS attack using the server as a botnet node
- B. Command and Control (C2) beacon — malware checking in with its controller at regular intervals
- C. Normal NTP time synchronization traffic
- D. Database replication to a disaster recovery site
Correct: B
Regular, timed, small outbound connections to an external IP are the classic signature of a C2 (Command and Control) beacon. Malware "beacons" home at regular intervals (often with jitter to avoid exact-timing detection) to check for commands, exfiltrate data in small chunks, and confirm the implant is alive. The regularity, small size, and consistency outside business hours are red flags that distinguish this from legitimate traffic.
CISSP Mindset: C2 beacons = regular, small, periodic outbound connections. Look for consistent intervals, small payload size, and unusual destination IPs. This is a key threat hunting signature.
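Two detectors for the patterns discussed in this question and in the preceding egress-threshold question (500 MB outbound in 10 minutes), as an added example that is not part of the original quiz; the flow records, their field layout and the thresholds are constructed assumptions chosen to match the question text:

```python
"""Added example, not from the original quiz: two small detectors run over a
constructed outbound flow log, one for the data-egress volume threshold and one
for the periodic C2-style beacon. Record layout and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev
from typing import Dict, List, Tuple

MB = 1024 * 1024

# Constructed sample records (not real traffic): "<ISO timestamp> <src> <dst> <bytes out>".
# 10.10.5.21 sends ~5 KB every ~60 s (beacon-like); 10.10.5.22 pushes 550 MB out in
# six minutes (egress threshold); 10.10.5.23 is ordinary, irregular traffic.
SAMPLE_FLOWS = """\
2024-05-03T01:00:00 10.10.5.21 203.0.113.45 5120
2024-05-03T01:01:00 10.10.5.21 203.0.113.45 5120
2024-05-03T01:02:01 10.10.5.21 203.0.113.45 5100
2024-05-03T01:03:00 10.10.5.21 203.0.113.45 5120
2024-05-03T01:04:00 10.10.5.21 203.0.113.45 5130
2024-05-03T01:05:00 10.10.5.21 203.0.113.45 5120
2024-05-03T01:00:10 10.10.5.22 198.51.100.7 104857600
2024-05-03T01:03:10 10.10.5.22 198.51.100.7 209715200
2024-05-03T01:06:10 10.10.5.22 198.51.100.7 262144000
2024-05-03T01:00:30 10.10.5.23 192.0.2.9 1200
2024-05-03T01:09:00 10.10.5.23 192.0.2.9 80000
2024-05-03T01:40:00 10.10.5.23 192.0.2.9 3000
"""

Flow = Tuple[datetime, str, str, int]


def parse_flows(text: str) -> List[Flow]:
    """Parse the records into (timestamp, src, dst, bytes_out), ordered by time."""
    flows: List[Flow] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return sorted(flows, key=lambda f: f[0])


def detect_egress_threshold(flows: List[Flow], limit_bytes: int = 500 * MB,
                            window: timedelta = timedelta(minutes=10)) -> Dict[str, int]:
    """Return {src: peak_bytes} for sources whose outbound bytes within any
    sliding `window` exceed `limit_bytes` (the quiz's 500 MB / 10 min rule)."""
    by_src: Dict[str, List[Tuple[datetime, int]]] = defaultdict(list)
    for ts, src, _dst, nbytes in flows:
        by_src[src].append((ts, nbytes))
    alerts: Dict[str, int] = {}
    for src, events in by_src.items():
        start, total, peak = 0, 0, 0
        for ts, nbytes in events:            # events are time-ordered
            total += nbytes
            while ts - events[start][0] > window:   # slide the window forward
                total -= events[start][1]
                start += 1
            peak = max(peak, total)
        if peak > limit_bytes:
            alerts[src] = peak
    return alerts


def detect_beacons(flows: List[Flow], min_conns: int = 5, max_avg_bytes: int = 10 * 1024,
                   max_jitter: float = 0.2) -> Dict[Tuple[str, str], float]:
    """Return {(src, dst): mean_gap_seconds} for pairs with many small, evenly
    spaced connections. `max_jitter` is the tolerated coefficient of variation
    (stdev / mean) of the gaps, so modest beacon jitter is still caught."""
    by_pair: Dict[Tuple[str, str], List[Tuple[datetime, int]]] = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        by_pair[(src, dst)].append((ts, nbytes))
    beacons: Dict[Tuple[str, str], float] = {}
    for pair, events in by_pair.items():
        if len(events) < min_conns:
            continue
        if mean(n for _, n in events) > max_avg_bytes:   # bulk transfers are not beacons
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[pair] = avg
    return beacons


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for src, peak in detect_egress_threshold(flows).items():
        print(f"EGRESS  {src}: {peak // MB} MB outbound inside a 10-minute window")
    for (src, dst), gap in detect_beacons(flows).items():
        print(f"BEACON  {src} -> {dst}: ~{gap:.0f} s interval, small payloads")
```

The beacon check deliberately ignores pairs with few connections or large average payloads, so the bulk-transfer host trips only the egress rule and the irregular host trips neither.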
⚙️ Topic 4: Change, Patch & Configuration Management (Q51–Q65)
FinTech Company X's Change Advisory Board (CAB) is reviewing a proposed change to the production database schema that will affect credit scoring calculations for Partner A. Which is the PRIMARY purpose of the CAB review?
(The CAB is reviewing a production database schema change that affects credit scoring. What is the primary purpose of the CAB review?)
- A. To slow down development velocity by adding bureaucratic overhead
- B. To assess the risk, impact, and rollback plan of proposed changes before implementation
- C. To ensure all changes are documented for audit purposes only
- D. To approve or reject changes based on the seniority of the requestor
Correct: B
The CAB's primary purpose is risk management: assessing the potential impact of changes, ensuring adequate testing has been performed, verifying rollback plans exist, and coordinating changes to avoid conflicts. For a production database schema change affecting credit scoring calculations, the CAB would evaluate: business impact, testing evidence, rollback procedures, communication plan, and scheduling (to minimize partner disruption).
CISSP Mindset: The CAB is a governance control, not a bureaucratic barrier. Its purpose is to prevent outages and incidents caused by unreviewed changes — the #1 cause of production incidents.
FinTech Company X's operations team frequently needs to restart the API gateway service during maintenance windows. This procedure is well-documented, low-risk, and pre-approved. What type of change does this represent?
(The operations team frequently needs to restart the API gateway service during maintenance windows. The procedure is well documented, low risk and pre-approved. What type of change is this?)
- A. Emergency change — requires immediate executive approval
- B. Normal change — requires full CAB review for each instance
- C. Standard change — pre-approved, low-risk, routine procedure
- D. Major change — any production change requires major change classification
Correct: C
ITIL change types: Standard change = pre-approved, routine, low-risk, well-documented procedure (no CAB needed each time). Normal change = requires CAB review and approval (moderate risk, not routine). Emergency change = expedited approval for critical fixes (abbreviated CAB or emergency CAB). Major change = highest risk/impact, requires full review and possibly board-level approval. Routine API gateway restarts with established procedures = Standard change.
CISSP Mindset: Standard changes are pre-approved to enable operational efficiency. If every routine task required full CAB review, operations would grind to a halt. Pre-approval enables speed for known-safe procedures.
A critical vulnerability (CVSS 9.8) is being actively exploited against FinTech Company X's loan processing API. The patch is available and must be deployed immediately. What change type applies, and what is the CORRECT approval process?
(A critical CVSS 9.8 vulnerability is being actively exploited against the loan processing API. What change type applies, and what is the correct approval process?)
- A. Standard change — all security patches are pre-approved standard changes
- B. Normal change — requires full CAB review even during active exploitation
- C. Emergency change — expedited approval by an emergency CAB or designated authority, followed by documentation after the fact
- D. No change process needed — security patches bypass change management
Correct: C
An emergency change is required when a change must be implemented immediately to prevent or resolve a critical incident. The approval process is expedited: an Emergency CAB (e-CAB) or designated authority (e.g., CISO + CTO) provides rapid approval. Documentation and retrospective CAB review happen AFTER the change is implemented. Security patches for actively exploited vulnerabilities are the classic emergency change scenario.
CISSP Mindset: Emergency changes bypass normal approval timelines but NOT the change management process entirely. Document everything — the post-change review is mandatory, not optional.
FinTech Company X uses ArgoCD (GitOps) where all production deployments are triggered by Git commits to specific branches. How does GitOps serve as a change management control?
(FinTech Company X uses ArgoCD (GitOps), where all production deployments are triggered by Git commits. How does GitOps serve as a change management control?)
- A. GitOps eliminates the need for change management — all changes are automatically safe
- B. GitOps provides an immutable audit trail of changes via Git history, enforces PR-based approval workflows, and enables rollback through Git revert
- C. GitOps only tracks infrastructure changes, not application deployments
- D. GitOps replaces the CAB entirely — developers can deploy to production without approval
Correct: B
GitOps uses Git as the single source of truth for infrastructure and application state. It serves as change management by: (1) Immutable audit trail — every change is a Git commit with author, timestamp, and diff, (2) PR-based review — branch protection rules enforce peer review and approval before merging to the production branch, (3) Rollback capability — "git revert" is the rollback procedure, (4) Automated testing gates before merge. This is a modern implementation of change management principles.
CISSP Mindset: GitOps IS change management — implemented as code. The PR review process IS the CAB review; the Git history IS the audit trail; the branch protection IS the approval gate.
FinTech Company X's patch management policy defines SLAs by CVSS score: Critical (CVSS 9.0-10.0) = 24 hours, High (CVSS 7.0-8.9) = 7 days, Medium (CVSS 4.0-6.9) = 30 days, Low = 90 days. A vulnerability with CVSS 8.5 is discovered on Friday afternoon. When must it be patched?
(A CVSS 8.5 vulnerability is discovered on Friday afternoon. Within what time frame must it be patched?)
- A. Within 24 hours — any vulnerability above CVSS 8.0 is treated as Critical
- B. Within 7 days from discovery — CVSS 8.5 is High severity
- C. Within 30 days from discovery — CVSS 8.5 falls in the Medium range
- D. By Monday morning — weekend exceptions apply to all High vulnerabilities
Correct: B
CVSS 8.5 falls in the High range (7.0-8.9), requiring a 7-day SLA from discovery. Discovery on Friday → patched by the following Friday at the latest. The 7-day timer runs from discovery, regardless of weekends. The SLA is based on the CVSS score range as defined in the policy, not arbitrary thresholds. Note: if active exploitation is confirmed, escalate to emergency change procedures regardless of CVSS score.
CISSP Mindset: CVSS scores drive patch SLAs. Know the ranges: Critical 9.0+, High 7.0-8.9, Medium 4.0-6.9, Low 0-3.9. The clock starts at discovery, not at the next business day.
A critical vulnerability exists in a FinTech Company X production library that cannot be patched immediately due to application compatibility issues. The security team deploys a WAF rule to block known exploit patterns while the development team works on the actual patch. This WAF rule is best described as:
(The library cannot be patched immediately due to compatibility issues. The security team deploys a WAF rule to block known exploit patterns. This WAF rule is best described as:)
- A. A permanent security control that replaces the need for patching
- B. Virtual patching — a compensating control that reduces risk while the actual patch is developed and tested
- C. An eradication measure that removes the vulnerability from the codebase
- D. A detective control that alerts on exploitation without preventing it
Correct: B
Virtual patching (also called external patching) uses WAF rules, IPS signatures, or network controls to block exploitation of a vulnerability without modifying the vulnerable code itself. It is a COMPENSATING control — it reduces risk while the real patch is prepared. Virtual patching does NOT eliminate the vulnerability from the codebase; it only blocks known exploit patterns. The actual vulnerability patch must still be applied. Virtual patching ≠ real patching.
CISSP Mindset: Virtual patching = compensating control only. It buys time for proper patching but is not a permanent solution. Always pursue actual patching; virtual patching is temporary risk reduction.
FinTech Company X's security team establishes a security baseline for all production Linux servers: specific kernel versions, disabled services, required security patches, and mandatory audit logging settings. What is the PRIMARY purpose of this configuration baseline?
(The security team establishes a security baseline for all production Linux servers. What is the primary purpose of this configuration baseline?)
- A. To document current system configurations for audit compliance reporting
- B. To define a known-good, approved security state against which deviations (configuration drift) can be detected and remediated
- C. To standardize software versions to simplify support and licensing
- D. To prevent developers from installing software on production servers
Correct: B
A configuration baseline defines the approved, secure state of a system type. Its primary security purpose is enabling drift detection: any deviation from the baseline is identified as unauthorized change or configuration drift and must be investigated and remediated. Baselines are also used for: fast system rebuilding (rebuild to baseline), compliance verification, and change impact assessment. The baseline is the "normal" against which "abnormal" is measured.
CISSP Mindset: Baseline = known good. Deviation from baseline = potential security issue. Configuration management tools (Ansible, Chef, Puppet) continuously enforce baselines and alert on drift.
FinTech Company X's Configuration Management Database (CMDB) shows that server TS-PROD-42 is running Ubuntu 20.04 with specific patch levels and software versions. During an incident, the actual server is found running Ubuntu 18.04 with missing patches. What does this discrepancy indicate?
(The CMDB shows the server running Ubuntu 20.04, but the actual server is running Ubuntu 18.04 with missing patches. What does this discrepancy indicate?)
- A. The CMDB is always accurate — the server must have been recently downgraded with proper approval
- B. Configuration drift — the actual system state has deviated from the documented, approved baseline in the CMDB
- C. The CMDB entry is wrong — CMDBs are never accurate in production environments
- D. The Ubuntu version difference is insignificant from a security perspective
Correct: B
Configuration drift occurs when the actual system state diverges from the approved, documented baseline. A discrepancy between CMDB (Ubuntu 20.04, patched) and reality (Ubuntu 18.04, unpatched) represents serious configuration drift that: (1) was not change-controlled, (2) may represent a security risk (EOL OS, missing patches), and (3) indicates CMDB accuracy issues. This must be investigated — unauthorized OS version changes may indicate tampering.
CISSP Mindset: Configuration drift = unauthorized deviation from approved state. In security, drift = attack surface expansion. Automated configuration management tools prevent and detect drift continuously.
FinTech Company X wants to apply a critical OS patch to production servers. What is the CORRECT order for the patching process?
(FinTech Company X wants to apply a critical OS patch to production servers. What is the correct order of the patching process?)
- A. Production → Staging → Development (patch production first to minimize exposure time)
- B. Development/Test → Staging → Production (validate in lower environments before production)
- C. All environments simultaneously to ensure consistency
- D. Only patch production — development environments don't need security patches
Correct: B
Patches must be tested before production deployment: (1) Development/Test environment — verify patch installs correctly and doesn't break functionality, (2) Staging/UAT — validate under production-like conditions with representative workloads, (3) Production — deploy after successful staging validation with a tested rollback plan. Patching production first (A) risks outages from incompatible patches without a validated rollback procedure.
CISSP Mindset: Dev → Staging → Prod. Never patch production first. The goal is to catch patch failures in lower environments where the impact is minimal. "Test before you trust."
FinTech Company X uses Ansible to enforce configuration baselines on all servers. An Ansible playbook run detects that 5 production servers have an unexpected user account "backup_svc" with sudo privileges that was not created through the standard provisioning process. What should the security team do FIRST?
(Ansible detects that 5 production servers have an unexpected user account "backup_svc" with sudo privileges that was not created through the standard process. What should the security team do FIRST?)
- A. Delete the account immediately using Ansible — it's clearly unauthorized
- B. Treat this as a security incident — investigate the account's origin, access history, and activities before taking action
- C. Add the account to the CMDB baseline — if it exists in production, it should be documented
- D. Notify the backup team — they likely created the account for legitimate purposes
Correct: B
An unauthorized privileged account discovered through configuration drift detection is a potential indicator of compromise — a persistence mechanism created by an attacker. Before taking any action: investigate the account's creation time, what it was used for, what commands it ran, and whether it made any changes. Deleting it immediately (A) destroys forensic evidence. This should be treated as an incident (Detection & Analysis phase) before remediation.
CISSP Mindset: Unauthorized privileged accounts = potential backdoor = security incident. Always investigate BEFORE removing — deleting evidence could impede the investigation and hide the true scope of a breach.
After deploying a change to FinTech Company X's production credit scoring service, the system begins returning incorrect credit scores. The CAB-approved change record includes a rollback plan. What is the FIRST action the on-call engineer should take?
(After a change is deployed to production, the system begins returning incorrect credit scores. A rollback plan has been approved. What is the on-call engineer's first action?)
- A. Attempt to fix the issue by applying additional configuration changes
- B. Execute the pre-approved rollback plan to restore the previous known-good state
- C. Notify Partner A and Bank A partners about the issue before taking any technical action
- D. Open a new CAB change request for the rollback — rollbacks require separate CAB approval
Correct: B
When a change causes production issues and a pre-approved rollback plan exists, execute the rollback immediately to restore service. Rollback plans are typically pre-approved as part of the original change request — they do not require a separate CAB review because executing a rollback is restoring to a known-good state, not introducing a new change. Attempting additional fixes (A) risks making the situation worse without understanding the root cause.
CISSP Mindset: Rollback plans are pre-approved "undo" mechanisms. When a change fails, execute rollback first to restore service, then investigate root cause in a lower environment. "Restore first, investigate second."
FinTech Company X implements CIS Benchmarks as the security baseline for its cloud infrastructure. A new development team requests an exception to disable OS-level audit logging on their test servers to improve performance. How should this exception request be handled?
(A new development team requests an exception to disable OS-level audit logging on test servers to improve performance. How should this exception request be handled?)
- A. Approve automatically — test servers are not production and have lower security requirements
- B. Evaluate the risk, document the exception with compensating controls, obtain appropriate approval, and set a review date
- C. Reject all exceptions — CIS Benchmarks must be applied uniformly without any exceptions
- D. Allow the team to disable logging temporarily without formal documentation since it's for testing only
Correct: B
Security baseline exceptions must go through a formal exception management process: (1) Document the exception request and business justification, (2) Risk assessment — what additional risk does disabling audit logging introduce?, (3) Identify compensating controls (e.g., enhanced network monitoring), (4) Obtain appropriate management approval, (5) Set a review/expiration date. Even test environments can serve as attack vectors; disabling audit logging reduces forensic capability.
CISSP Mindset: Security exceptions must be documented, risk-assessed, approved, and time-limited. "It's just for testing" without documentation is how security exceptions become permanent configurations.
A zero-day vulnerability is publicly disclosed affecting the web framework used by FinTech Company X's loan processing API. No patch is yet available from the vendor. What is the BEST immediate response?
(A zero-day vulnerability is disclosed affecting the web framework of the loan processing API. No vendor patch is available yet. What is the best immediate response?)
- A. Wait for the vendor to release the patch before taking any action
- B. Shut down the affected API until a patch is available
- C. Deploy virtual patching (WAF rules, IPS signatures) as compensating controls while monitoring for vendor patch release
- D. Develop and deploy an internal patch without vendor involvement
Correct: C
When no vendor patch exists for a zero-day: (1) Deploy virtual patching — WAF rules blocking known exploit patterns, IPS signatures, input validation controls, (2) Increase monitoring for exploitation attempts, (3) Apply network-level compensating controls (restrict access to vulnerable endpoints), (4) Monitor vendor and threat intelligence for patch availability, (5) Prepare to fast-track the patch when released. Waiting without action (A) is unacceptable. Shutting down (B) may be necessary if risk is extreme and no compensating controls are effective.
CISSP Mindset: Zero-day + no patch = deploy compensating controls immediately. Virtual patching is the standard response. Document the compensating controls as formally accepted risk reduction measures.
At FinTech Company X, the same developer who writes the code for a production change also reviews and approves the deployment to production via ArgoCD. What security principle does this violate?
(The same developer who writes the code for a production change also reviews and approves its deployment to production via ArgoCD. What security principle does this violate?)
- A. Least privilege — the developer has too much access to the production environment
- B. Separation of duties — the same person should not both create and approve the same change
- C. Need to know — the developer should not have access to production configuration
- D. Defense in depth — a single approval is insufficient regardless of who provides it
Correct: B
Separation of duties (SoD) requires that no single person has end-to-end control over a sensitive process. For change management: the person who writes the code (creator) should not also be the sole approver of that code's deployment (reviewer/approver). This prevents a single person from introducing malicious code and approving its own deployment. GitOps platforms should enforce that PR authors cannot approve their own PRs.
CISSP Mindset: Separation of duties in change management = different people create, review, and approve. One person doing all three eliminates a key fraud/error prevention control.
FinTech Company X uses Terraform for Infrastructure as Code (IaC). A security scan of the Terraform code finds that a new S3 bucket module does not enable server-side encryption or access logging. What is the CORRECT approach from a configuration management perspective?
(A security scan of the Terraform code finds that a new S3 bucket module does not enable server-side encryption or access logging. What is the correct approach from a configuration management perspective?)
- A. Deploy the infrastructure first and add security configurations manually afterward
- B. Fail the deployment pipeline and require the security misconfiguration to be remediated in the IaC code before deployment
- C. Accept the risk in a risk register and deploy without encryption — encryption can be added in a future sprint
- D. Only enforce encryption for buckets that store PII — other buckets are exempt
Correct: B
"Shift left" security for IaC means catching and fixing misconfigurations in code BEFORE deployment. The correct approach is to fail the CI/CD pipeline when security scanning (tools like Checkov, tfsec, Terrascan) identifies policy violations, requiring developers to fix the IaC code and resubmit. This prevents misconfigurations from ever reaching production. Deploying first and fixing later (A, C) creates real attack surface that may be exploited before remediation.
CISSP Mindset: IaC security scanning = shift-left configuration management. Fix the blueprint, not the building. Fail fast in the pipeline, not silently in production.
🏢 Topic 5: BCP/DRP (Q66–Q85)
Which of the following CORRECTLY describes the relationship between Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP)?
(How is the relationship between BCP and DRP best described?)
- A. BCP and DRP are the same thing — they are interchangeable terms for the same planning process
- B. DRP is the parent plan; BCP is a technical subset focused on IT recovery
- C. BCP is the parent plan that addresses overall business continuity; DRP is a subset focused on technology/IT recovery
- D. BCP focuses on preventing disasters; DRP focuses on recovering from them
Correct: C
BCP (Business Continuity Planning) is the broader, parent plan addressing how the entire business continues to operate during and after a disruption — covering people, processes, facilities, communications, and technology. DRP (Disaster Recovery Planning) is a subset of BCP specifically focused on restoring IT systems and technology infrastructure after a disaster. DRP supports BCP objectives by restoring the technology that business processes depend on.
CISSP Mindset: BCP = business continuity (people, processes, facilities + tech). DRP = IT recovery subset. DRP supports BCP. BCP contains DRP, not the other way around.
FinTech Company X's BIA for its loan processing service defines: MTD = 4 hours, RPO = 1 hour, WRT = 1 hour. What is the MAXIMUM acceptable RTO?
(The BIA for the loan processing service defines: MTD = 4 hours, RPO = 1 hour, WRT = 1 hour. What is the maximum acceptable RTO?)
- A. 4 hours — RTO must equal MTD for maximum recovery time
- B. 3 hours — RTO = MTD − WRT
- C. 5 hours — RTO + WRT = MTD + RPO
- D. 1 hour — RTO must equal RPO to ensure data consistency
Correct: B
The key formula: RTO + WRT ≤ MTD. Therefore: RTO ≤ MTD − WRT = 4 hours − 1 hour = 3 hours. MTD (Maximum Tolerable Downtime) is the absolute maximum time the business can survive without the system. WRT (Work Recovery Time) is the time needed to restore business operations after systems are recovered. If RTO exceeds 3 hours, adding WRT (1 hour) would exceed the MTD (4 hours), causing unacceptable business impact. RPO (1 hour) is a separate metric for data loss tolerance.
CISSP Mindset: CRITICAL FORMULA — RTO + WRT ≤ MTD. WRT is the time to bring operations back to normal AFTER systems are restored. It is not included in RTO. Always subtract WRT from MTD to get max RTO.
FinTech Company X performs nightly database backups at midnight. A disaster occurs at 11:45 PM. The system is restored using the previous night's backup. How much data is lost, and is this within an RPO of 24 hours?
(Database backups run nightly at 00:00. A disaster occurs at 23:45. The system is restored from the previous night's backup. How much data is lost, and is this within a 24-hour RPO?)
- A. 15 minutes of data lost — within the 24-hour RPO
- B. Approximately 23 hours and 45 minutes of data lost — within the 24-hour RPO
- C. 24 hours of data lost — exactly at the RPO limit
- D. 48 hours of data lost — using the backup from 2 nights ago exceeds the RPO
Correct: B
RPO defines maximum acceptable data loss in time. The last backup was at midnight the previous night (approximately 23 hours and 45 minutes before the 11:45 PM disaster). All data created/modified in those ~23h45m is lost. This is within the 24-hour RPO because 23h45m < 24h RPO. The RPO represents the worst-case data loss scenario that the business has accepted. This scenario (just before the next backup) represents nearly the worst case.
CISSP Mindset: RPO = maximum acceptable data loss in time. With daily backups, worst-case loss is just under 24 hours (disaster 1 minute before next backup). More frequent backups = lower RPO = less data loss.
FinTech Company X is evaluating recovery site options. The Partner A SLA requires a maximum 2-hour RTO. Which recovery site type is MOST appropriate?
(The Partner A SLA requires a maximum RTO of 2 hours. Which recovery site type is most appropriate?)
- A. Cold site — lowest cost, but requires 1-3 days to become operational
- B. Warm site — partially equipped, operational in 12-24 hours
- C. Hot site — fully equipped and operational, can achieve sub-hour RTO
- D. Mobile site — portable recovery facility deployable anywhere
Correct: C
Recovery site RTO characteristics: Hot site = fully provisioned, systems running, data continuously or near-continuously replicated → sub-hour RTO. Warm site = hardware present, software installed, data loaded from recent backup → 12-24 hour RTO. Cold site = facility only (power, HVAC, network), no equipment → days to weeks RTO. With a 2-hour Partner A SLA requirement, only a hot site can reliably achieve this. Warm sites (12-24h) and cold sites (days) cannot meet a 2-hour RTO.
CISSP Mindset: Hot = ready now (highest cost). Warm = ready soon (medium cost). Cold = ready eventually (lowest cost). Always match site type to RTO requirement. Short RTO = hot site required.
FinTech Company X's Bank A integration has these BCP parameters: MTD = 8 hours, WRT = 2 hours, RPO = 30 minutes. The current DRP achieves an RTO of 7 hours. Is this DRP adequate?
(The Bank A integration has: MTD = 8 hours, WRT = 2 hours, RPO = 30 minutes. The current DRP achieves an RTO of 7 hours. Is this DRP adequate?)
- A. Yes — RTO (7 hours) is less than MTD (8 hours), so it meets the requirement
- B. No — RTO + WRT = 7 + 2 = 9 hours, which exceeds the MTD of 8 hours
- C. Yes — as long as RPO (30 min) is achievable, RTO can be any value
- D. No — RTO must equal RPO for consistent recovery parameters
Correct: B
The formula: RTO + WRT ≤ MTD must be satisfied. Current DRP: RTO (7h) + WRT (2h) = 9 hours. MTD = 8 hours. 9 hours > 8 hours → the DRP is INADEQUATE. Even though RTO alone (7h) < MTD (8h), the total recovery time including Work Recovery Time (2h) exceeds the Maximum Tolerable Downtime. The DRP must be improved to achieve RTO ≤ 6 hours (so that 6h RTO + 2h WRT = 8h MTD).
CISSP Mindset: Never check RTO vs MTD alone — always add WRT. RTO + WRT ≤ MTD is the critical formula. Many candidates fail by forgetting WRT in the calculation.
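The arithmetic behind the MTD/RTO/WRT questions in this topic and the RPO backup-loss question above, as an added example that is not part of the original quiz; the function names are my own, the formulas are the ones the quiz states:

```python
"""Added example, not from the original quiz: the BIA/DRP arithmetic this topic
tests (RTO + WRT <= MTD, and hours of data lost versus RPO for a fixed daily
backup). Function names are my own; the formulas are the quiz's."""
from dataclasses import dataclass
from datetime import datetime, time, timedelta


def max_rto(mtd_hours: float, wrt_hours: float) -> float:
    """Largest RTO that still satisfies RTO + WRT <= MTD."""
    if wrt_hours > mtd_hours:
        raise ValueError("WRT alone exceeds MTD; no RTO can satisfy the constraint")
    return mtd_hours - wrt_hours


@dataclass(frozen=True)
class DrpAssessment:
    total_recovery_hours: float   # RTO + WRT: the real time until the business is back
    adequate: bool                # True only when RTO + WRT <= MTD
    shortfall_hours: float        # how far the total overshoots MTD (0 when adequate)
    required_rto_hours: float     # the RTO the DRP would need to achieve


def assess_drp(mtd_hours: float, rto_hours: float, wrt_hours: float) -> DrpAssessment:
    """Check a DRP the way the quiz does: compare RTO + WRT, never RTO alone, with MTD."""
    total = rto_hours + wrt_hours
    return DrpAssessment(
        total_recovery_hours=total,
        adequate=total <= mtd_hours,
        shortfall_hours=max(0.0, total - mtd_hours),
        required_rto_hours=max_rto(mtd_hours, wrt_hours),
    )


def last_backup_before(disaster: datetime, backup_at: time = time(0, 0)) -> datetime:
    """Most recent daily backup taken at or before `disaster` (default: midnight)."""
    candidate = datetime.combine(disaster.date(), backup_at)
    if candidate > disaster:          # today's backup has not run yet; use yesterday's
        candidate -= timedelta(days=1)
    return candidate


def data_loss_hours(disaster_iso: str, backup_hhmm: str = "00:00") -> float:
    """Hours of data lost when restoring from the last daily backup before the disaster."""
    disaster = datetime.fromisoformat(disaster_iso)
    hh, mm = (int(part) for part in backup_hhmm.split(":"))
    return (disaster - last_backup_before(disaster, time(hh, mm))).total_seconds() / 3600


def rpo_met(loss_hours: float, rpo_hours: float) -> bool:
    """RPO is the accepted worst-case loss, so the check is loss <= RPO."""
    return loss_hours <= rpo_hours


if __name__ == "__main__":
    # Loan processing service: MTD 4 h, WRT 1 h -> max RTO 3 h
    print("max RTO:", max_rto(4, 1))
    # Bank A integration: MTD 8 h, WRT 2 h, RTO 7 h -> 9 h total, inadequate, needs RTO <= 6 h
    print(assess_drp(8, 7, 2))
    # Nightly backup at 00:00, disaster at 23:45 (constructed date) -> 23.75 h lost, within 24 h RPO
    loss = data_loss_hours("2024-05-03T23:45")
    print(f"data loss: {loss:.2f} h, 24 h RPO met: {rpo_met(loss, 24)}")
```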
FinTech Company X's backup strategy stores copies of all critical data on: (1) production storage, (2) a separate on-premises backup server, and (3) AWS S3 in a different region. This strategy follows which backup rule?
(FinTech Company X's backup strategy: (1) production storage, (2) a separate on-premises backup server, (3) AWS S3 in a different region. Which backup rule does this strategy follow?)
- A. The 1-1-1 rule — one backup in each location
- B. The 3-2-1 backup rule — 3 copies, on 2 different media types, with 1 copy offsite
- C. The RAID-5 rule — redundant storage across multiple drives
- D. The hot-warm-cold rule — matching backup types to RTO requirements
Correct: B
The 3-2-1 backup rule: (3) At least 3 copies of data — production, on-premises backup, cloud backup, (2) On at least 2 different media types or storage technologies — local disk + cloud object storage, (1) At least 1 copy offsite — AWS S3 in a different region. This strategy protects against: hardware failure (multiple copies), local disaster (offsite copy), and single storage technology failure (multiple media types). The 3-2-1 rule is the foundational backup best practice.
CISSP Mindset: 3-2-1 = 3 copies, 2 media types, 1 offsite. This is the minimum baseline for enterprise backup. "1 backup is no backup; 2 backups is 1 backup."
FinTech Company X experiences a ransomware attack that encrypts all production data AND all conventional backup files accessible over the network. Only the AWS S3 backups with Object Lock (WORM) enabled survive. What does this scenario demonstrate about immutable backups?
(Ransomware encrypts all production data AND all conventional backup files. Only the AWS S3 backups with Object Lock survive. What does this demonstrate about immutable backups?)
- A. Immutable backups are unnecessary if conventional backups are properly encrypted
- B. Immutable backups (WORM) protect against ransomware by preventing modification or deletion even with compromised credentials
- C. AWS S3 Object Lock is too expensive for most organizations to justify
- D. The ransomware attack was caused by inadequate perimeter security, not backup strategy
Correct: B
Immutable backups using WORM (Write Once Read Many) storage — like AWS S3 Object Lock — cannot be modified or deleted for a defined retention period, even by users with administrative credentials. When ransomware compromises credentials and encrypts everything it can access, WORM backups survive because the storage system itself prevents modification. This is the critical differentiator: network-accessible backups are vulnerable to ransomware; WORM storage is not.
CISSP Mindset: Ransomware attacks backups first. Immutable/WORM backups are now a required component of enterprise backup strategy. "If ransomware can write to it, it can encrypt it." WORM = the ransomware-resistant backup.
FinTech Company X's BCP team is planning its annual DRP test. They want to simulate a full datacenter failure but cannot afford actual system downtime. They will exercise recovery procedures in discussions only, without actually failing over any systems. What type of BCP test is this?
(The BCP team wants to simulate a full datacenter failure but cannot allow actual downtime. They will walk through the recovery procedures in discussion without actually failing over. What type of BCP test is this?)
- A. Full interruption test — actually fails over production systems
- B. Parallel test — runs recovery systems alongside production without disrupting production
- C. Tabletop exercise — discussion-based walkthrough of recovery procedures without actual system activation
- D. Simulation test — tests specific components in isolation
Correct: C
BCP testing types (increasing disruption): (1) Checklist review = verify plan completeness, (2) Structured walkthrough/Tabletop = discuss scenarios in a meeting, no systems activated, (3) Simulation = test specific procedures in controlled conditions, (4) Parallel test = activate DR systems alongside production (no switchover), (5) Full interruption = actually cut over to DR, most disruptive but most realistic. Discussion-only without system activation = tabletop exercise.
CISSP Mindset: Tabletop = lowest risk, lowest confidence. Full interruption = highest risk, highest confidence. Choose the test type based on acceptable risk level. Annual tabletops ≠ verified recovery capability.
FinTech Company X wants to verify that its DR systems can actually handle production workloads for the Partner A integration. They activate the DR environment and route live Partner A traffic to it for 2 hours while production remains active. What type of BCP test is this?
(FinTech Company X wants to verify that its DR systems can handle the production workload for Partner A. They activate the DR environment and route real Partner A traffic to it for 2 hours while production remains active. What type of test is this?)
- A. Tabletop exercise — low-risk discussion test
- B. Simulation test — partial component testing
- C. Parallel test — DR systems run simultaneously with production handling live traffic
- D. Full interruption test — production is shut down and only DR operates
Correct: C
A parallel test activates the DR environment and runs it alongside production, often routing some live traffic to validate actual performance and functionality. Production remains active — this is NOT a full interruption. The key difference from full interruption: production is never cut off. Parallel testing provides high confidence that DR systems can handle real workloads while minimizing risk. This is typically the most complex test before a full interruption test.
CISSP Mindset: Parallel = DR active alongside production (safe but expensive). Full interruption = production cut over to DR (most realistic, most risk). Most organizations do parallel annually and full interruption every few years.
FinTech Company X's BIA identifies: the credit decision API has MTD = 6 hours. Current infrastructure achieves RTO = 4 hours and WRT = 3 hours. The CISO asks if this meets the MTD requirement. What is the answer?
(The credit decision API has MTD = 6 hours. Current infrastructure achieves RTO = 4 hours and WRT = 3 hours. The CISO asks whether this meets the MTD requirement.)
- A. Yes — RTO (4h) is less than MTD (6h), so the requirement is met
- B. No — RTO + WRT = 7 hours, which exceeds the MTD of 6 hours by 1 hour
- C. Yes — WRT is not included in MTD calculations for cloud-native systems
- D. No — RTO must be 0 to meet a 6-hour MTD
Correct: B
RTO (4h) + WRT (3h) = 7 hours total recovery time. MTD = 6 hours. 7h > 6h → requirement is NOT met. The business would experience 1 additional hour beyond the maximum tolerable downtime. To meet the 6-hour MTD: RTO must be ≤ 3 hours (so 3h RTO + 3h WRT = 6h MTD). The CISO must be informed that the current recovery capability is inadequate and investment in faster recovery is required.
CISSP Mindset: RTO + WRT ≤ MTD — always. A 1-hour exceedance of MTD is just as much a failure as a 10-hour exceedance. There is no "close enough" for MTD compliance.
FinTech Company X is comparing three recovery site options for its secondary operations center. Which statement CORRECTLY describes the cost vs RTO tradeoff for hot, warm, and cold sites?
(Which statement correctly describes the cost vs RTO tradeoff for hot, warm and cold sites?)
- A. Hot site = lowest cost, longest RTO; Cold site = highest cost, shortest RTO
- B. Hot site = highest cost, shortest RTO; Warm site = medium cost, medium RTO; Cold site = lowest cost, longest RTO
- C. All three site types have similar costs — the difference is only in RTO
- D. Warm site = highest cost, shortest RTO because it requires partial activation
Correct: B
Recovery site cost/RTO tradeoff: Hot site = highest cost (fully equipped, fully staffed, continuous data sync) + shortest RTO (minutes to hours). Warm site = medium cost (hardware present, software installed, periodic data sync) + medium RTO (hours to 1-2 days). Cold site = lowest cost (just facility with power/cooling/network) + longest RTO (days to weeks). The more "ready" the site, the more expensive it is to maintain, but the faster recovery is achieved.
CISSP Mindset: Cost and RTO are inversely related for recovery sites. Paying more = faster recovery. The BIA's RTO requirement drives which site type is appropriate. Short RTO → hot site (spend more); long RTO → cold site (spend less).
FinTech Company X's BIA shows: Loan Processing MTD = 12 hours, RPO = 2 hours, WRT = 4 hours. What is the MAXIMUM RTO that ensures the DRP meets all BCP requirements?
(BIA: MTD = 12 hours, RPO = 2 hours, WRT = 4 hours. What is the maximum RTO that ensures the DRP meets all BCP requirements?)
- A. 12 hours
- B. 10 hours
- C. 8 hours
- D. 6 hours
Correct: C
Using the formula: RTO ≤ MTD − WRT = 12h − 4h = 8 hours. RPO (2 hours) is an independent constraint on data loss, not on recovery time. Maximum RTO = 8 hours. If RTO is 8 hours and WRT is 4 hours, total recovery time = 12 hours = exactly the MTD. To provide a safety margin, organizations should target RTO below the calculated maximum (e.g., RTO = 6 hours provides a 2-hour buffer). RPO is achieved through backup frequency, not RTO.
CISSP Mindset: Max RTO = MTD − WRT. RPO is an independent constraint — it drives backup frequency/replication strategy, not recovery time targets.
FinTech Company X conducts a full interruption test of its DRP — production systems are taken offline and all operations are run from the DR site for 4 hours. What is the PRIMARY advantage AND disadvantage of this testing type?
(FinTech Company X conducts a full interruption test: production systems are taken offline and all operations run from the DR site for 4 hours. What are the primary advantage and disadvantage of this type of test?)
- A. Advantage: Low cost; Disadvantage: Limited confidence in actual recovery capability
- B. Advantage: Highest confidence in actual recovery capability; Disadvantage: Production is actually offline, creating real business risk during the test
- C. Advantage: No disruption to production; Disadvantage: Does not test real failover
- D. Advantage: Easy to execute; Disadvantage: Requires significant advance planning
Correct: B
Full interruption tests provide the highest confidence because they test exactly what would happen during a real disaster — production systems are genuinely offline and recovery systems carry the load. However, the disadvantage is significant: production is actually unavailable during the test, creating real business risk, customer impact, and potential SLA violations. This is why full interruption tests require extensive planning, executive approval, partner notification (Partner A, Bank A), and are conducted infrequently.
CISSP Mindset: Full interruption = maximum realism = maximum risk. It is the gold standard of DRP testing but must be carefully scheduled and authorized. The business accepts real downtime to validate recovery capability.
FinTech Company X's CFO wants to reduce DR costs and proposes moving from a hot site to a warm site. The CISO notes that this would change the RTO from 1 hour to approximately 18 hours. The Partner A SLA requires service restoration within 4 hours. What should the CISO recommend?
(The CFO wants to cut DR costs by moving from a hot site to a warm site. The CISO notes this would change the RTO from 1 hour to about 18 hours. The Partner A SLA requires service restoration within 4 hours. What should the CISO recommend?)
- A. Proceed with the warm site — 18 hours is close enough to the 4-hour SLA requirement
- B. Reject the proposal — a warm site's 18-hour RTO violates the 4-hour Partner A SLA, creating contractual liability
- C. Accept the warm site but negotiate new SLA terms with Partner A to extend to 18 hours
- D. The warm site is acceptable — Partner A SLAs are guidelines, not enforceable contractual obligations
Correct: B
The CISO should reject the proposal because a warm site RTO of 18 hours would violate the contractual Partner A SLA of 4 hours. SLA violations create financial penalties, reputational damage, and potential contract termination. The cost savings from switching to a warm site would be outweighed by SLA penalties and business impact. Option C (re-negotiate the SLA) might be viable but is Partner A's decision, not FinTech Company X's unilateral choice.
CISSP Mindset: Recovery site selection must be driven by SLA requirements and MTD constraints, not just cost. "Cheaper" DR that doesn't meet contractual obligations is not actually cheaper when penalties are included.
FinTech Company X's fraud detection service has: RPO requirement = 4 hours, backups run hourly, MTD = 6 hours, WRT = 1 hour. What is the maximum RTO, and does the hourly backup strategy support the RPO requirement?
(Fraud detection service: RPO requirement = 4 hours, hourly backups, MTD = 6 hours, WRT = 1 hour. What is the maximum RTO, and does the hourly backup strategy support the RPO?)
- A. Max RTO = 5 hours; hourly backups support RPO = 4 hours (worst-case loss is just under 1 hour, well inside the 4-hour limit)
- B. Max RTO = 5 hours; hourly backups do NOT support RPO = 4 hours, because the backup interval must equal the RPO exactly
- C. Max RTO = 6 hours; hourly backups support the RPO since 1-hour loss < 4-hour RPO
- D. Max RTO = 2 hours; RPO and WRT must both be subtracted from MTD
Correct: A
Max RTO = MTD − WRT = 6h − 1h = 5 hours. Option C ignores WRT, and option D wrongly subtracts RPO, which is a data-loss metric, not a time-to-recover metric. For the RPO: hourly backups mean the worst-case data loss is just under 1 hour (a disaster 59 minutes after the last backup completes). RPO is the MAXIMUM acceptable loss, so an exposure of 1 hour against a 4-hour RPO meets the requirement with margin. Option B's premise is wrong: the backup interval must be less than or equal to the RPO, not equal to it. One practical caveat: the interval only counts once the copy is complete and stored somewhere the disaster cannot reach (off-site or in the DR region); an hourly backup that has not yet replicated off the failed site does not shorten the loss window.
CISSP Mindset: RPO = maximum ACCEPTABLE data loss. If the actual loss exposure is LESS than RPO, you exceed the requirement. More frequent backups = better-than-required RPO performance. Max RTO = MTD − WRT.
FinTech Company X needs to restore a database with 2TB of data after a disaster. The network connection to the DR site is 100 Mbps. Ignoring protocol overhead, approximately how long will it take to transfer the data, and how does this affect RTO planning?
(FinTech Company X needs to restore a 2TB database. The network link to the DR site is 100 Mbps. Roughly how long will the data transfer take, and how does this affect RTO?)
- A. Approximately 45 minutes, well within most RTO requirements
- B. Approximately 44 hours; 100 Mbps is only 12.5 MB/s, so the transfer alone exceeds any realistic RTO and the data must be pre-staged at the DR site or the link upgraded
- C. Approximately 20 minutes; 100 Mbps is very fast for 2TB
- D. Approximately 5.5 hours; 100 Mbps moves 100 MB every second, so 2TB takes about 20,000 seconds
Correct: B
Work in one unit. 2TB = 2,000 GB = 2,000,000 MB (decimal units, as vendors quote capacity). 100 Mbps = 100,000,000 bits per second = 12,500,000 bytes per second = 12.5 MB/s. 2,000,000 MB ÷ 12.5 MB/s = 160,000 seconds ≈ 44.4 hours, and that is before TCP, TLS and application overhead, which only make it longer. Option D is the classic bits-versus-bytes mistake: treating 100 Mbps as 100 MB/s makes the estimate 8x too optimistic (20,000 s ≈ 5.5 h). Options A and C are off by orders of magnitude. The planning consequence: with a 4-hour RTO, moving 2TB over the WAN during recovery would need roughly 2 × 10^12 × 8 ÷ 14,400 s ≈ 1.1 Gbps sustained. Either pre-position the data at the DR site through continuous replication, ship media, or provision a link sized for the restore, and verify real throughput with a test restore rather than trusting the nominal link speed.
CISSP Mindset: Network bandwidth is a hard constraint on RTO for large data sets. Divide Mbps by 8 before comparing with MB. Pre-stage data at the DR site or use high-bandwidth links to achieve aggressive RTOs. RTO planning must account for data transfer time.
FinTech Company X runs five types of BCP tests annually. Arrange the following test types from LEAST to MOST disruptive: Full interruption, Structured walkthrough (tabletop), Simulation, Checklist review, Parallel test.
(Arrange the BCP test types from LEAST to MOST disruptive.)
- A. Full interruption → Parallel → Simulation → Tabletop → Checklist
- B. Checklist → Tabletop → Simulation → Parallel → Full interruption
- C. Tabletop → Checklist → Simulation → Full interruption → Parallel
- D. Checklist → Simulation → Tabletop → Parallel → Full interruption
Correct: B
BCP test types from least to most disruptive: (1) Checklist review = just verifying plan completeness, no action taken, (2) Structured walkthrough / Tabletop = discussion exercise, no systems activated, (3) Simulation = tests specific procedures, limited system activation, (4) Parallel test = DR systems activated alongside production (no production disruption), (5) Full interruption = production actually taken offline, most disruptive and most realistic. This ordering is a fundamental CISSP knowledge point.
CISSP Mindset: BCP tests ordered by disruption: Checklist → Tabletop → Simulation → Parallel → Full Interruption. Higher disruption = higher confidence = higher cost/risk. Choose appropriately based on organization risk tolerance.
FinTech Company X is designing its BCP for the AI model serving infrastructure. The business determines it can lose no more than 15 minutes of inference data (RPO = 15 min) and the system must be restored within 30 minutes (RTO = 30 min). The WRT is 10 minutes. What is the minimum MTD?
(BCP for the AI infrastructure: RPO = 15 minutes, RTO = 30 minutes, WRT = 10 minutes. What is the minimum MTD?)
- A. 15 minutes — MTD equals RPO for data-sensitive systems
- B. 30 minutes — MTD equals RTO
- C. 40 minutes — MTD = RTO + WRT
- D. 55 minutes — MTD = RTO + WRT + RPO
Correct: C
MTD must be at least: RTO + WRT = 30 min + 10 min = 40 minutes. MTD is the absolute maximum downtime before unacceptable business impact. Since recovery takes RTO (30 min) + WRT (10 min) = 40 min total, the MTD must be at least 40 minutes for the DRP to be viable. RPO (15 min) is an independent constraint on data loss, not on total downtime, and is not added to the MTD calculation. MTD ≥ RTO + WRT.
CISSP Mindset: MTD ≥ RTO + WRT. This is the reverse calculation from the normal "max RTO = MTD − WRT." RPO does not factor into the MTD/RTO/WRT equation — it is a separate data loss metric.
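The RTO/MTD/WRT arithmetic in the questions above, and the 2TB-over-100 Mbps transfer estimate, are easy to get wrong by mixing units or subtracting the wrong metric. The following Python is an added example, not part of the original question set, that encodes those relationships in one place: max RTO = MTD − WRT, MTD ≥ RTO + WRT, backup interval ≤ RPO, and restore transfer time with an explicit bit-to-byte conversion. The sample figures (credit decision API, fraud detection service, 2TB at 100 Mbps) come from the questions; the RecoveryPlan fields, function names and the overhead parameter are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class RecoveryPlan:
    """BIA figures for one service. All times in hours. Constructed inputs."""
    mtd_h: float                    # maximum tolerable downtime
    wrt_h: float                    # work recovery time after systems are back
    rpo_h: float                    # maximum acceptable data loss
    backup_interval_h: float        # gap between restorable off-site copies
    rto_h: Optional[float] = None   # achieved or proposed RTO, if known


def max_rto_hours(mtd_h: float, wrt_h: float) -> float:
    """Max RTO = MTD - WRT. WRT is the part of the outage that remains after
    systems are technically restored, so it comes off the MTD budget first."""
    if wrt_h > mtd_h:
        raise ValueError("WRT exceeds MTD: no RTO can satisfy this plan")
    return mtd_h - wrt_h


def min_mtd_hours(rto_h: float, wrt_h: float) -> float:
    """Reverse calculation: the smallest MTD a given RTO + WRT can satisfy."""
    return rto_h + wrt_h


def transfer_time_hours(size_tb: float, link_mbps: float,
                        overhead_fraction: float = 0.0) -> float:
    """Hours to move size_tb (decimal terabytes) over a link_mbps link.
    Bits are converted to bytes (divide by 8) before the comparison; skipping
    that step is the 'Mbps == MB/s' mistake. overhead_fraction models the share
    of raw bandwidth lost to protocol overhead and retransmits (assumed)."""
    if not 0.0 <= overhead_fraction < 1.0:
        raise ValueError("overhead_fraction must be in [0, 1)")
    bits = size_tb * 1e12 * 8
    usable_bits_per_s = link_mbps * 1e6 * (1.0 - overhead_fraction)
    return bits / usable_bits_per_s / 3600.0


def required_link_mbps(size_tb: float, within_hours: float) -> float:
    """Sustained link speed needed to move size_tb within within_hours."""
    return size_tb * 1e12 * 8 / (within_hours * 3600.0) / 1e6


def evaluate(plan: RecoveryPlan, restore_size_tb: Optional[float] = None,
             link_mbps: Optional[float] = None) -> Dict[str, object]:
    """Check a plan against its BIA. Returns findings instead of printing so
    the result can be asserted on or dropped into a report."""
    findings: Dict[str, object] = {}
    rto_max = max_rto_hours(plan.mtd_h, plan.wrt_h)
    findings["max_rto_h"] = rto_max
    if plan.rto_h is not None:
        # RTO + WRT <= MTD, always; a 1-hour overrun is still a failure
        findings["rto_meets_mtd"] = plan.rto_h + plan.wrt_h <= plan.mtd_h
    # RPO is met when a restorable copy exists at least every rpo_h hours
    findings["rpo_met"] = plan.backup_interval_h <= plan.rpo_h
    if restore_size_tb is not None and link_mbps is not None:
        hours = transfer_time_hours(restore_size_tb, link_mbps)
        findings["restore_transfer_h"] = hours
        # the data copy alone must fit inside the RTO budget
        findings["transfer_fits_rto"] = hours <= rto_max
    return findings


if __name__ == "__main__":
    credit_api = RecoveryPlan(mtd_h=6, wrt_h=3, rpo_h=2, backup_interval_h=1, rto_h=4)
    print("credit decision API:", evaluate(credit_api))
    fraud = RecoveryPlan(mtd_h=6, wrt_h=1, rpo_h=4, backup_interval_h=1)
    print("fraud detection, 2TB restore over 100 Mbps:",
          evaluate(fraud, restore_size_tb=2, link_mbps=100))
    print(f"link needed for 2 TB in 4 h: {required_link_mbps(2, 4):.0f} Mbps")
```

The credit decision API case reports rto_meets_mtd = False (4h + 3h > 6h), and the fraud detection case reports a 5-hour max RTO, rpo_met = True, and a 44-hour restore transfer that does not fit the RTO. The overhead parameter is there to remind you that the nominal link rate is an upper bound; measure a real test restore before committing to an RTO.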
FinTech Company X uses AWS as its primary cloud provider and maintains an identical environment in a separate AWS region as its disaster recovery site. Both environments use the same instance types, configurations, and continuously replicated data. What type of recovery site arrangement is this?
(FinTech Company X maintains an identical environment in a separate AWS region as its DR site with continuous replication. What type of recovery site arrangement is this?)
- A. Cold site — the secondary region is idle until needed
- B. Warm site — the secondary region has resources but requires configuration before use
- C. Hot site — a fully provisioned, continuously replicated, immediately available recovery environment
- D. Mirror site — a different category from hot/warm/cold
Correct: C
A hot site is fully provisioned, continuously synchronized with production, and can accept workloads immediately or within minutes. A continuously replicated, identical environment in a separate AWS region is a cloud-based hot site. With automated failover (traffic or DNS shifting to pre-provisioned capacity) the RTO is minutes. One caveat on the RPO: cross-region replication in the cloud is normally asynchronous because of inter-region latency, so the realistic RPO is seconds to minutes rather than zero; near-zero RPO requires synchronous replication, which is generally only practical within a single region. Cloud providers make hot site designs far more accessible and cheaper to maintain than a second physical facility.
CISSP Mindset: Cloud DR can implement hot site capabilities more affordably through multi-region architectures. "Always-on" with continuous replication = hot site, regardless of whether it's a physical facility or cloud region.
FinTech Company X uses a backup strategy combining: full backups every Sunday, differential backups Monday-Saturday. A disaster occurs on Thursday afternoon. Which backup files are needed for recovery, and what data is at risk of loss?
(Full backup every Sunday, differential backups Monday through Saturday. A disaster occurs Thursday afternoon. Which backup files are needed for recovery?)
- A. Only Sunday's full backup — differential backups are self-contained
- B. Sunday's full backup + Thursday's differential backup; Thursday afternoon's changes (since Thursday's differential) are lost
- C. All daily backups from Monday through Thursday — differential requires all previous incrementals
- D. Only Thursday's differential backup — it contains all changes since Sunday
Correct: B
A differential backup contains ALL changes since the last FULL backup, not since the previous differential. So the most recent differential completed before the disaster (Thursday's scheduled run, typically in the early hours of Thursday) already contains everything changed from Monday through that run; the Monday, Tuesday and Wednesday differentials are not needed. Restore = (1) Sunday's full backup + (2) Thursday's differential, giving the state as of Thursday's run. Data at risk = everything changed between that run and the disaster on Thursday afternoon. This is why a differential restore needs only two sets, at the cost of each day's differential growing larger until the next full backup.
CISSP Mindset: Differential = all changes since last FULL (2 sets to restore: full + latest differential). Incremental = changes since the last backup of ANY type (smaller, faster backups, but the restore needs full + every incremental since, in order, and one bad set breaks the chain). Differential trades storage space for a simpler, faster restore.
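To make the restore-chain rule concrete, here is an added Python example (not from the original question set) that builds a week of backups and, for a given disaster time, returns which sets must be restored and the data-loss window, for both the differential and the incremental strategy. The schedule (full on Sunday 2024-03-03 at 02:00, daily runs at 02:00, disaster Thursday at 15:00) is constructed for illustration; function names are this example's own.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# (completion time, kind) where kind is "full", "diff" or "incr"
Backup = Tuple[datetime, str]

# Constructed scenario from the question: full on Sunday, disaster Thursday afternoon
SUNDAY_FULL = datetime(2024, 3, 3, 2, 0)          # 2024-03-03 is a Sunday
THURSDAY_DISASTER = datetime(2024, 3, 7, 15, 0)   # Thursday 15:00


def weekly_schedule(full_at: datetime, daily_kind: str, days: int = 6,
                    daily_hour: int = 2) -> List[Backup]:
    """A full backup at full_at, then one daily_kind backup at daily_hour on
    each of the following `days` days (Mon..Sat for days=6)."""
    if daily_kind not in ("diff", "incr"):
        raise ValueError("daily_kind must be 'diff' or 'incr'")
    sets: List[Backup] = [(full_at, "full")]
    base = full_at.replace(hour=daily_hour, minute=0, second=0, microsecond=0)
    for d in range(1, days + 1):
        sets.append((base + timedelta(days=d), daily_kind))
    return sets


def restore_chain(backups: List[Backup],
                  disaster_at: datetime) -> Tuple[List[Backup], timedelta]:
    """Return (ordered sets to restore, data-loss window).
    Only backups that completed before the disaster are usable."""
    usable = sorted(b for b in backups if b[0] <= disaster_at)
    fulls = [i for i, (_, kind) in enumerate(usable) if kind == "full"]
    if not fulls:
        raise ValueError("no full backup completed before the disaster")
    last_full = fulls[-1]
    after_full = usable[last_full + 1:]
    kinds = {kind for _, kind in after_full}
    if kinds <= {"diff"}:
        # differential: full + the latest differential only (others are superseded)
        chain = [usable[last_full]] + after_full[-1:]
    elif kinds == {"incr"}:
        # incremental: full + every incremental since, in order; a missing or
        # corrupt set anywhere in the chain breaks the restore
        chain = [usable[last_full]] + after_full
    else:
        raise ValueError("mixed diff/incr chains after one full are not modelled")
    # everything changed since the last completed backup is lost
    loss_window = disaster_at - usable[-1][0]
    return chain, loss_window


def summarize(backups: List[Backup], disaster_at: datetime) -> Dict[str, object]:
    """Plain-number summary: how many sets to restore, their kinds, hours lost."""
    chain, loss = restore_chain(backups, disaster_at)
    return {
        "sets": len(chain),
        "kinds": [kind for _, kind in chain],
        "loss_hours": loss.total_seconds() / 3600,
    }


if __name__ == "__main__":
    print("differential:", summarize(weekly_schedule(SUNDAY_FULL, "diff"), THURSDAY_DISASTER))
    print("incremental: ", summarize(weekly_schedule(SUNDAY_FULL, "incr"), THURSDAY_DISASTER))
```

For the Thursday 15:00 disaster the differential strategy needs 2 sets (full + Thursday 02:00 differential) and the incremental strategy needs 5 (full + Mon..Thu incrementals); the loss window is 13 hours in both cases, because RPO depends on backup frequency, not on the backup type.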
🔒 Topic 6: Physical & Environmental Security Operations (Q86–Q100)
FinTech Company X is selecting a fire suppression system for its primary data center. CO2 suppression is being considered because it is effective against electrical fires. What is the PRIMARY concern with CO2 suppression in a data center?
(CO2 suppression is being considered for the data center because it is effective against electrical fires. What is the primary concern with CO2 in a data center?)
- A. CO2 is corrosive and will damage server hardware
- B. CO2 displaces oxygen and can be lethal to any personnel still in the data center when discharged
- C. CO2 is ineffective against Class C (electrical) fires
- D. CO2 leaves a residue that contaminates electronic equipment
Correct: B
CO2 fire suppression works by displacing oxygen in the protected space. While effective for electrical/Class C fires, CO2 at concentrations needed for fire suppression (typically 34-75%) is immediately dangerous to human life — people in the space can quickly lose consciousness and die from oxygen deprivation. Data centers require evacuation before CO2 discharge. This is the critical safety concern that makes CO2 inappropriate for occupied spaces. Pre-discharge alarms and abort mechanisms are mandatory.
CISSP Mindset: CO2 = effective against electrical fires BUT dangerous to humans. Data centers should be evacuated before CO2 discharge. "Saves the equipment, kills the people if they stay."
FinTech Company X's legacy data center uses Halon 1301 for fire suppression. A new regulatory compliance review notes this system must be replaced. Why is Halon being phased out?
(The legacy data center uses Halon 1301. Why is Halon being phased out?)
- A. Halon is ineffective against modern server hardware fires
- B. Halon depletes the ozone layer and is banned by the Montreal Protocol — production and import of new Halon is prohibited
- C. Halon is too expensive compared to CO2 systems
- D. Halon leaves corrosive residue that damages electronic equipment
Correct: B
Halon (halogenated hydrocarbon) fire suppression agents were highly effective for data centers but are banned for new production and import under the Montreal Protocol because of their high ozone-depletion potential. Organizations with existing Halon 1211 or 1301 systems may keep using them from recycled stockpiles but cannot obtain newly manufactured agent. Replacements include clean agents such as FM-200 (HFC-227ea) and Novec 1230 (FK-5-1-12), inert-gas systems such as IG-541 (Inergen), and CO2 for normally unoccupied spaces.
CISSP Mindset: Halon = banned (ozone depletion). FM-200 = safe replacement (no ozone depletion, safe for personnel). CO2 = effective but dangerous to people. Know these three for the exam.
FinTech Company X is replacing its Halon fire suppression system with a modern clean agent. The selected replacement must be: safe for personnel who may still be in the data center, safe for electronic equipment, and not environmentally harmful. Which system is MOST appropriate?
(The replacement system must be safe for personnel, safe for electronic equipment, and not environmentally harmful. Which system is most appropriate?)
- A. CO2 suppression — effective and inexpensive
- B. Water sprinkler — most common and reliable system
- C. FM-200 (HFC-227ea) — clean agent that is safe for personnel, safe for equipment, and not ozone-depleting
- D. Halon 1211 — the modern replacement for Halon 1301
Correct: C
FM-200 (HFC-227ea) meets all three criteria: (1) Safe for personnel at design concentrations (unlike CO2), (2) Clean agent, leaves no residue, safe for electronic equipment, (3) Zero ozone depletion potential (unlike Halon). FM-200 works by chemical inhibition of the combustion chain reaction and absorbing heat. It is widely used in data centers as the primary Halon replacement. Halon 1211 is another banned ozone-depleting agent, not a replacement. Water sprinklers (B) damage electronic equipment. One practitioner caveat: HFC-227ea has zero ozone-depletion potential but a high global warming potential, so it falls under HFC phase-down regulation (Kigali Amendment); Novec 1230 (FK-5-1-12) is the lower-GWP clean agent that new installations increasingly specify for the same three criteria.
CISSP Mindset: Data center fire suppression priority: FM-200 or Novec 1230 (clean agent, safe for people and equipment). CO2 = safe for equipment but NOT people. Water = safe for people but destroys equipment.
FinTech Company X is designing its new data center's fire suppression system. The security architect specifies a pre-action sprinkler system. Why is this preferred over a standard wet pipe sprinkler for data centers?
(The security architect specifies a pre-action sprinkler system for the new data center. Why is this preferred over a standard wet pipe system?)
- A. Pre-action systems use less water, reducing environmental impact
- B. Pre-action systems require both heat AND smoke detection to activate, preventing accidental water discharge from a single faulty sprinkler head
- C. Pre-action systems use a chemical agent instead of water, making them clean agent systems
- D. Pre-action systems are cheaper to install than wet pipe systems
Correct: B
Pre-action fire suppression systems require TWO triggers before water flows: (1) Electrical detection (smoke/heat detector activates), AND (2) Sprinkler head activation (heat melts the fusible link). This dual-trigger requirement prevents accidental water discharge from a single faulty sprinkler head (common in wet pipe systems) — which would cause catastrophic water damage to servers. Pre-action = best practice for data centers because it dramatically reduces false-discharge risk.
CISSP Mindset: Pre-action = BEST for data centers. Requires dual activation (detection + sprinkler head). Wet pipe = pipes always full of water, a single fault discharges. Dry pipe = pipes hold pressurized air or nitrogen and fill with water only when a head opens (designed for spaces that may freeze); it still discharges on a single head failure, just after a short delay, so it does not give the dual-activation protection of pre-action.
FinTech Company X's data center fire suppression system begins a pre-discharge countdown. A technician is working in the server room alone. The audible alarm activates. What should the technician do IMMEDIATELY?
(The data center fire suppression system begins its countdown. A technician is working alone in the server room. What should the technician do immediately?)
- A. Stay and attempt to identify and extinguish the fire to protect the equipment
- B. Call the fire department before evacuating
- C. Evacuate the data center immediately — CO2 or other suppression agents will displace oxygen
- D. Disable the suppression system to prevent equipment damage until the fire can be assessed
Correct: C
When a fire suppression pre-discharge alarm sounds, all personnel MUST evacuate IMMEDIATELY. CO2 displaces enough oxygen to cause loss of consciousness within seconds to minutes of discharge. Even a clean agent such as FM-200, which is breathable at design concentration, is discharged at high velocity with loud noise and near-zero visibility, and its thermal decomposition products in a fire (hydrogen fluoride) are toxic, so the evacuation rule is the same regardless of agent. Equipment can be replaced; human life cannot. The safety protocol is unambiguous: evacuate first, everything else second. Attempting to fight the fire (A) or disable the system (D) is life-threatening.
CISSP Mindset: Fire suppression alarms = evacuate immediately, no exceptions. Equipment is replaceable; life is not. CO2 in fire suppression concentrations = immediately dangerous to life and health (IDLH).
FinTech Company X installs CCTV cameras at all data center entry points and server room access doors. The security policy specifies a 90-day retention period for CCTV footage. An incident is investigated 95 days after it occurred. What is the likely outcome?
(CCTV cameras are installed at all data center entry points. Policy specifies a 90-day retention period. An incident is investigated 95 days after it occurred. What is the likely outcome?)
- A. The footage is available — CCTV systems always retain footage indefinitely
- B. The footage from the incident date has been overwritten and is no longer available
- C. The footage can be recovered from manufacturer backups
- D. A court order can force the CCTV system to restore deleted footage
Correct: B
Most CCTV systems use circular storage: when the retention period is reached, the oldest footage is overwritten to make room for new footage. A 90-day policy means footage from 95 days ago (5 days beyond retention) has been overwritten and is unrecoverable. This is why incident reporting timeliness matters: physical security incidents must be reported quickly so that the relevant footage can be exported and placed under legal hold before the rolling window overwrites it. Organizations requiring longer forensic windows must set appropriate retention periods and budget the storage for them.
CISSP Mindset: CCTV retention = circular overwrite. Evidence beyond the retention window is gone. Report physical security incidents within the retention window. Balance retention cost vs forensic needs when setting CCTV policies.
A vendor arrives at FinTech Company X's data center to perform server maintenance. The reception logs their arrival and issues a visitor badge. What should happen NEXT according to physical security best practices?
(A vendor arrives at the data center to perform server maintenance. Reception signs them in and issues a visitor badge. What should happen next?)
- A. The vendor can proceed to the server room unescorted using their visitor badge
- B. A FinTech Company X employee must escort the vendor to the server room and remain present during the maintenance
- C. The vendor should be given temporary card access to the server room for the duration of the visit
- D. The vendor should wait in reception until the maintenance window begins, then proceed alone
Correct: B
Visitor escort policy is a fundamental physical security control. All visitors (including authorized vendors) must be escorted by a company employee when accessing secure areas like data centers. This prevents: (1) Unauthorized access to adjacent secure areas, (2) Physical tampering with equipment, (3) Shoulder surfing of access codes, (4) Theft of equipment or media. Visitor badges do NOT grant unescorted access — they identify the visitor and alert staff that escort is required.
CISSP Mindset: Visitor escort = mandatory for secure areas. "Authorized vendor" ≠ "unescorted access." Escort is about oversight of physical actions in sensitive spaces, not distrust of the vendor's intent.
FinTech Company X is decommissioning old database servers that stored Vietnamese customer PII and credit history. The HDDs are sent to a third-party destruction vendor. What is the MOST important security requirement for this process?
(FinTech Company X is decommissioning old database servers that stored Vietnamese customer PII. The HDDs are sent to a third-party destruction vendor. What is the most important security requirement for this process?)
- A. Ensure the HDDs are reformatted before being sent to the destruction vendor
- B. Obtain a certificate of destruction from the vendor and maintain it in the asset disposition record
- C. Monitor the destruction process via webcam to verify HDDs are destroyed
- D. Use the fastest destruction method (shredding) regardless of data classification
Correct: B
When using a third-party media destruction vendor, the most important security requirement is obtaining a Certificate of Destruction: a signed attestation from the vendor identifying the specific media (by serial number), the destruction method, the date, and the person responsible. This certificate provides: (1) Evidence of proper disposal for regulatory compliance, (2) The final link in the chain-of-custody record, (3) Proof of due diligence if data from that asset is later claimed to have been compromised. Reformatting (A) is not media sanitization in the sense of NIST SP 800-88; the PII remains recoverable, so physical destruction (or a verified purge) is required before the drives leave the organization's control.
CISSP Mindset: Certificate of destruction = the audit trail for media disposal. Required for regulatory compliance when handling PII. "Vendor destroyed it" without documentation is unacceptable for sensitive data.
FinTech Company X's data center experiences a power utility failure. The UPS (Uninterruptible Power Supply) activates immediately, then the diesel generator starts. What is the PRIMARY role of the UPS in this scenario?
(The data center loses utility power. The UPS activates immediately, then the diesel generator starts. What is the primary role of the UPS in this scenario?)
- A. To provide long-term power while the generator provides short-term bridging
- B. To provide immediate, clean, uninterrupted power during the gap between utility failure and generator startup (typically 10-30 seconds)
- C. To filter power fluctuations during normal operations only — UPS does not activate during full power failures
- D. To replace the generator entirely for environmental reasons
Correct: B
The UPS provides immediate, seamless power during the transition from utility power to generator power. Diesel generators typically take 10-30 seconds to start, synchronize, and stabilize — during which the UPS carries the load. Without UPS, servers would experience an uncontrolled power loss during generator startup. UPS also provides power conditioning (filtering surges, sags, and harmonics). The chain is: utility power → (failure) → UPS immediate → (generator starts 10-30s) → generator takes over → UPS recharges.
CISSP Mindset: UPS = bridge between utility failure and generator startup (seconds to minutes). Generator = long-term power (hours to days based on fuel). Both are required; UPS without generator only works short-term.
A security auditor notes that FinTech Company X's data center server room uses a wet pipe sprinkler system. The auditor flags this as a concern. Why is a wet pipe sprinkler system problematic for data centers?
(An auditor notes that the data center server room uses a wet pipe sprinkler system. Why is a wet pipe system a problem for a data center?)
- A. Wet pipe systems use chemicals that corrode server hardware over time
- B. Wet pipe systems keep pipes constantly filled with water — a single faulty sprinkler head or pipe break causes immediate water discharge onto equipment
- C. Wet pipe systems are less effective at extinguishing electrical fires than dry systems
- D. Wet pipe systems are too expensive to maintain in data center environments
Correct: B
Wet pipe systems have water in the pipes at all times. Any single point of failure — a faulty sprinkler head activating due to heat (from a hot server, not a fire), a mechanical defect, or accidental impact — immediately discharges water onto equipment. A single sprinkler head failure can destroy millions of dollars of equipment and cause days of downtime. Data centers require pre-action systems (dual-trigger) to prevent accidental discharge. Pre-action = significantly reduced false-discharge risk.
CISSP Mindset: Wet pipe = water always present in pipes = accidental discharge risk. Pre-action = dry pipes until dual detection activation = best for data centers. The auditor is correct to flag wet pipe as inappropriate.
FinTech Company X installs a mantrap (airlock-style entry system) at the data center entrance. An employee holds the inner door open for a delivery person carrying equipment. What threat does this action bypass, and what should the employee do instead?
(An employee holds the inner door for a delivery person carrying equipment. What threat does this bypass, and what should the employee do instead?)
- A. No threat — helping colleagues with deliveries is good workplace culture
- B. The mantrap bypasses tailgating/piggybacking — the employee should deny entry and require the delivery person to authenticate through proper channels
- C. The employee should call security to escort the delivery person — this is the only correct action
- D. The delivery person should have been pre-registered — any delivery without pre-registration should be turned away
Correct: B
Mantraps prevent tailgating/piggybacking — unauthorized persons following authorized persons through secure doors. Holding the door open for the delivery person defeats the entire purpose of the mantrap. The employee should not allow the delivery person to enter and should direct them to the reception/security desk for proper visitor registration, escort assignment, and authorized entry. Social engineering often exploits the human tendency to hold doors for people carrying heavy items.
CISSP Mindset: Tailgating = the most common physical security bypass. Mantraps prevent it physically; security culture prevents it socially. Training employees to NEVER hold doors in secure areas is as important as the physical control itself.
FinTech Company X's data center environmental monitoring alerts show temperature rising above 27°C (80°F) in a server rack. The CRAC (Computer Room Air Conditioning) unit in that zone has failed. What is the MOST appropriate immediate response?
(The temperature in a server rack rises above 27°C. The CRAC unit in that zone has failed. What is the most appropriate immediate response?)
- A. Wait for the CRAC unit to be repaired before taking action — temporary temperature spikes are acceptable
- B. Power down non-critical servers in the affected zone to reduce heat load while emergency cooling is arranged
- C. Increase the thermostat setting to mask the alert
- D. Move servers to a different rack immediately during operation
Correct: B
A CRAC unit failure is an environmental emergency requiring immediate action. Prolonged high temperatures cause hardware failures and data loss. The correct response: (1) Immediately reduce heat load by powering down non-critical systems in the affected zone (graceful shutdown), (2) Arrange emergency cooling (portable AC units), (3) Expedite CRAC repair or failover to backup CRAC. Waiting (A) risks permanent hardware damage. Moving running servers (D) is dangerous and could cause data corruption.
CISSP Mindset: Environmental failures = immediate response required. Temperature, humidity, and power are physical threats as real as cyberattacks. Pre-positioning portable cooling units and having CRAC redundancy are key preventive measures.
A FinTech Company X employee wants to dispose of old printouts containing customer PII from loan application forms. The office has a standard recycling bin, a locked shredding bin, and a regular trash can. Where should the documents be disposed of?
(An employee wants to dispose of old printouts containing customer PII from loan applications. The office has a regular recycling bin, a locked shredding bin, and a regular trash can. Where should the documents be disposed of?)
- A. Recycling bin — paper with PII can be recycled if properly sorted
- B. Regular trash — it will be collected and processed securely by waste management
- C. Locked shredding bin — PII must be securely destroyed, not recycled or discarded intact
- D. The employee should take the documents home and destroy them personally
Correct: C
Documents containing PII must be securely destroyed — not simply discarded or recycled. Recycled documents (A) are sorted by humans and could be read. Regular trash (B) is accessible to dumpster divers. A locked shredding bin with a secure chain of custody (collected by a certified document destruction company) ensures: physical destruction of content, chain of custody documentation, and compliance with data protection regulations. Cross-cut or micro-cut shredding is required for sensitive PII.
CISSP Mindset: PII on paper = sensitive data requiring secure destruction. Recycling bins are not secure disposal. Locked shredding bins with certified destruction services = compliant PII paper disposal.
FinTech Company X's data center architect is reviewing three fire suppression options: (1) Wet pipe sprinkler, (2) Pre-action sprinkler, (3) FM-200 clean agent. For a high-density server room with 24/7 staff, which is MOST appropriate and why?
(The architect is reviewing three fire suppression options for a high-density server room with 24/7 staff. Which option is most appropriate and why?)
- A. Wet pipe — most reliable, no complex activation requirements
- B. Pre-action sprinkler — dual-activation prevents accidental discharge, water-based but requires two triggers
- C. FM-200 clean agent — safe for personnel, no residue, no accidental discharge risk from heat alone
- D. FM-200 is not acceptable because high-density servers generate too much heat for chemical agents
Correct: C
For a 24/7 staffed, high-density server room: FM-200 is the most appropriate because: (1) Safe for personnel at design concentrations (staff can safely remain briefly), (2) No residue — does not damage equipment, (3) Fast suppression — works in seconds, (4) No accidental discharge risk from a single faulty component, (5) Effective for Class C (electrical) fires. Pre-action (B) is a good alternative but leaves water damage risk. Wet pipe (A) is the worst choice for a data center. FM-200 is the industry standard for staffed data centers.
CISSP Mindset: FM-200 = ideal for staffed data centers. Pre-action = good secondary choice. CO2 = avoid if personnel present. Wet pipe = never for high-density electronics. "Clean agent" = safe for equipment AND people.
FinTech Company X's CISO is conducting a comprehensive physical security review of the data center. Which combination of controls represents a DEFENSE IN DEPTH approach to physical security?
(The CISO is conducting a comprehensive physical security review. Which combination of controls represents a defense-in-depth approach to physical security?)
- A. Perimeter fence only — all other controls are redundant if the perimeter is secure
- B. Card access only — badge readers at all entry points are sufficient
- C. Perimeter fencing + security guards + mantrap + badge access + biometrics + CCTV + environmental monitoring + FM-200 fire suppression
- D. CCTV only — video surveillance deters most physical threats without additional expense
Correct: C
Defense in depth (layered security) applies to physical security as much as logical security. Each layer addresses different threats: Perimeter fencing = first barrier, security guards = human observation and response, mantrap = tailgating prevention, badge access = identity verification, biometrics = anti-sharing, CCTV = detection and forensic evidence, environmental monitoring = fire/temperature/flood detection, FM-200 = fire suppression. No single control is sufficient — attackers who bypass one layer face additional controls. FinTech Company X should implement all layers proportional to data sensitivity and regulatory requirements.
CISSP Mindset: Physical defense in depth = multiple independent layers, each addressing different attack vectors. "If layer 1 fails, layer 2 still protects." This is the same principle as logical defense in depth — no single point of failure in the security architecture.