CISSP Confusing Topics

dpathi Member Posts: 23
While studying I found it really hard to find a concrete answer to the following topics.

1) The objective of a business continuity program is to continue to operate with the most essential functions during a disaster. If business is disrupted, does disaster recovery kick in to recover/restore ONLY essential functions, or ALL functions according to their priority?

2) Say SLE (10) = EF (5) * AV (2)
ALE (30) = SLE (10) * ARO (3)

When you apply a control the ALE will come down. Is it because the control reduces the EF or the ARO?

(The SYBEX Official Study Guide says it's ARO, but I thought it's EF.)

3) In which OSI layer does an SSL VPN operate? Transport or Application?

Comments

  • shiju_v Member Posts: 8
    "Objective of a business continuity program is to continue to operate with most essential functions during a disaster. If business is disrupted disaster recovery kicks in to recover/restore ONLY essential functions or ALL functions according to their priority?"


    Recovering/restoring ONLY essential functions or ALL functions according to their priority is based on the choice the business makes, based on value of the service, cost of DRP associated with that, how much the business can afford, etc. There is no rule that all functions should be covered.


    "When you apply a control the ALE will come down. Is it because the control reduces the EF or the ARO?" ... I believe you can work on reducing the Exposure Factor or the Annual Rate of Occurrence, or both.
  • dpathi Member Posts: 23
    Thx, any idea about the 3rd question?
  • OctalDump Member Posts: 1,722
    1) The business decides which functions to include in DR. Calling them essential is a bit circular reasoning (they are essential because the business has decided to include them in the DR).

    2) Think of types of controls. Preventative controls (e.g. locks on the doors, making it harder and thus less likely for someone to break in) seek to reduce the chances of the event happening (ARO). Compensating (failover system) and Corrective (backup and restore procedure) controls reduce the impact (EF) by providing a way to more quickly restore function or limit loss of function. So controls can do both.

    3) This is tricky, because a VPN tunnels lower levels over higher levels. In this case though, SSL isn't just at Transport level (the function isn't just in the protocol header), since the data within is encrypted with an SSL function requiring an application to encode/decode. However, I've also heard people argue that SSL is at the session or presentation layer.


    This is what I think, though. I could be wrong, so feel free to ignore if it isn't convincing.
    2017 Goals - Something Cisco, Something Linux, Agile PM
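To make the second question concrete, here is an added worked example (not from the original thread or the study guide) that computes SLE and ALE with the question's own figures and then models a preventive control that lowers ARO, a corrective control that lowers EF, and a control that does both, plus the usual cost/benefit figure. Note the question's EF of 5 is used as given, although EF is conventionally a fraction of AV; the annual control cost of 5 is a constructed value.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Risk:
    """One risk scenario in CISSP quantitative-analysis terms."""
    asset_value: float      # AV: value of the asset at risk
    exposure_factor: float  # EF: share of AV lost in a single event
    aro: float              # ARO: expected number of events per year

    @property
    def sle(self) -> float:
        # Single Loss Expectancy: loss from one occurrence (SLE = AV * EF)
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        # Annualized Loss Expectancy: expected loss per year (ALE = SLE * ARO)
        return self.sle * self.aro


def apply_control(risk: Risk, *, new_ef: Optional[float] = None,
                  new_aro: Optional[float] = None) -> Risk:
    """Model a control's effect. Preventive controls lower ARO (fewer events);
    corrective/compensating controls lower EF (less loss per event). Either or
    both may change; AV is unaffected."""
    return Risk(
        asset_value=risk.asset_value,
        exposure_factor=risk.exposure_factor if new_ef is None else new_ef,
        aro=risk.aro if new_aro is None else new_aro,
    )


def control_value(before: Risk, after: Risk, annual_cost: float) -> float:
    """Cost/benefit of a control: ALE(before) - ALE(after) - annual cost.
    A negative result means the control costs more than the risk it removes."""
    return before.ale - after.ale - annual_cost


# Figures from the question above: EF 5, AV 2 -> SLE 10; ARO 3 -> ALE 30
baseline = Risk(asset_value=2, exposure_factor=5, aro=3)

if __name__ == "__main__":
    scenarios = {
        "baseline":   baseline,
        "preventive": apply_control(baseline, new_aro=1),          # e.g. door locks
        "corrective": apply_control(baseline, new_ef=2),           # e.g. tested backups
        "both":       apply_control(baseline, new_ef=2, new_aro=1),
    }
    for name, r in scenarios.items():   # constructed annual control cost of 5
        print(f"{name:10s} SLE={r.sle:5.1f} ALE={r.ale:5.1f} "
              f"value={control_value(baseline, r, annual_cost=5):5.1f}")
```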