CCNA Business Continuity, DR & Incident Response Questions

10 of 85 questions · Page 2/2 · Business Continuity, DR & Incident Response · Answers revealed

76
MCQ · hard

In a cloud environment, the security team discovers that a misconfigured S3 bucket has made customer data publicly accessible. After securing the bucket, what is the most important next step?

A. Delete the data
B. Review logs to determine access
C. Notify affected customers
D. Change the bucket policy

Answer: C

Breach notification is legally required in many jurisdictions and prioritizes customer protection.

Why this answer

Option C is correct because after securing a misconfigured S3 bucket that exposed customer data, the most important next step is to notify affected customers. This aligns with incident response best practices and regulatory requirements (e.g., GDPR, HIPAA) that mandate timely disclosure of data breaches to impacted individuals. Without notification, the organization may face legal penalties and loss of trust, even if the data is now secure.

Exam trap

ISC2 often tests the misconception that technical remediation (e.g., changing policies or deleting data) is the most important step, when in fact incident response frameworks prioritize communication and legal/regulatory obligations over purely technical actions.

How to eliminate wrong answers

Option A is wrong because deleting the data would destroy evidence needed for forensic analysis and could violate data retention policies; the data should be preserved for investigation. Option B is wrong because while reviewing logs is important, it is not the most critical next step—notification takes precedence to comply with breach notification laws and ethical obligations. Option D is wrong because changing the bucket policy is already part of securing the bucket, which was completed before this step; the question states the bucket has already been secured, so repeating this action is unnecessary and does not address the exposure.

77
MCQ · hard

Refer to the exhibit. A DBA is investigating a replication issue. What should be the FIRST action?

A. Restore table from backup
B. Verify data integrity on primary
C. Reseed replication
D. Fail over to standby

Answer: B

Check primary data to ensure it is not corrupted before taking further action.

Why this answer

Checksum mismatch indicates data corruption on one side. The first step is to verify data integrity on the primary to determine which copy is correct.

78
MCQ · medium

A primary data center is destroyed. The disaster recovery plan calls for activation of a hot standby site. If the RTO is 2 hours, what is the expected recovery time?

A. Exactly 2 hours
B. More than 2 hours
C. Unknown, depends on the disaster
D. Less than 2 hours

Answer: D

Hot sites are designed to achieve RTOs; recovery is expected within the target.

Why this answer

The RTO (Recovery Time Objective) defines the maximum acceptable downtime, not the guaranteed recovery time. A hot standby site is fully operational and synchronized, so recovery can be completed in less than the RTO if the disaster does not cause additional complications. Option D is correct because the expected recovery time should be less than the 2-hour RTO, assuming the hot site functions as designed.

Exam trap

ISC2 often tests the misconception that RTO is a guaranteed recovery time rather than a maximum allowable downtime, leading candidates to incorrectly choose 'Exactly 2 hours' or 'More than 2 hours' when the correct answer is that recovery should be faster than the RTO.

How to eliminate wrong answers

Option A is wrong because the RTO is a target, not a precise prediction; actual recovery time depends on factors like data synchronization lag and failover automation, so it is not guaranteed to be exactly 2 hours. Option B is wrong because a properly configured hot standby site should recover in less than the RTO, not more; exceeding the RTO would mean the DR plan fails its objective. Option C is wrong because while the disaster type can affect recovery, the question asks for the expected recovery time under the assumption the hot standby site is activated per the DR plan, and the RTO defines the maximum allowable time, so the expectation is that recovery completes within that window.

79
Multi-Select · hard

Which TWO actions are appropriate during the identification phase of incident response?

Select 2 answers
A. Conduct a post-mortem analysis.
B. Correlate alerts from multiple sources.
C. Review system logs for anomalies.
D. Restore data from backups.
E. Disconnect affected systems from the network.

Answers: B, C

Alert correlation aids in identifying incidents.

Why this answer

During the identification phase of incident response, the goal is to detect and confirm that an incident is occurring. Correlating alerts from multiple sources (e.g., IDS/IPS logs, firewall logs, and endpoint detection) helps reduce false positives and provides a clearer picture of the attack chain. Reviewing system logs for anomalies is a core detection technique that can reveal indicators of compromise (IoCs) such as unusual process execution or failed login bursts.

Exam trap

ISC2 often tests the distinction between identification and containment, so the trap here is that candidates mistake disconnecting systems (a containment step) for an identification action, when in fact identification must occur first to confirm the incident.

80
Multi-Select · medium

A company is developing a business continuity plan (BCP). Which TWO of the following are essential components that must be included in a BCP?

Select 2 answers
A. Asset inventory
B. Vulnerability assessment
C. Business Impact Analysis (BIA)
D. Recovery Time Objective (RTO)
E. Network diagram

Answers: C, D

BIA is essential as it identifies critical processes, dependencies, and resource requirements for recovery.

Why this answer

A Business Impact Analysis (BIA) is essential in a BCP because it identifies critical business functions, their dependencies, and the impact of disruptions. It quantifies the financial and operational consequences of downtime, directly informing the selection of recovery strategies and resource allocation. Without a BIA, the BCP lacks a data-driven foundation for prioritizing recovery efforts.

Exam trap

ISC2 often tests the distinction between components that are 'essential' to the BCP itself versus supporting documents or risk management activities, causing candidates to select asset inventory or vulnerability assessment as core BCP elements.

81
Multi-Select · medium

Which TWO are true about a differential backup? (Select two.)

Select 2 answers
A. It copies files changed since the last backup of any type
B. It requires a full backup to be restored first
C. It copies files changed since the last full backup
D. It resets the archive bit on backed-up files
E. It is faster to restore than a full backup

Answers: B, C

The full backup must be restored before applying the differential.

Why this answer

A differential backup copies all files that have changed since the last full backup. Because it does not contain the complete data set, you must first restore the most recent full backup and then apply the differential backup on top of it to recover the system. This makes option B correct.

Exam trap

ISC2 often tests the distinction between differential and incremental backups by making candidates confuse 'changed since last full' (differential) with 'changed since last backup of any type' (incremental), and by implying that differential backups reset the archive bit when they do not.

82
Multi-Select · hard

Which THREE are differences between a hot site and a cold site? (Select three.)

Select 3 answers
A. Hot site is more expensive to maintain
B. Cold site has pre-installed software and applications
C. Hot site has real-time data synchronization
D. Both have the same recovery time objective (RTO)
E. Cold site has no hardware or infrastructure installed

Answers: A, C, E

Hot sites require constant replication and active hardware, increasing costs.

Why this answer

A hot site is a fully operational, mirrored environment with real-time data synchronization, pre-installed hardware, and active network connectivity, making it significantly more expensive to maintain due to ongoing costs for power, cooling, bandwidth, and dedicated staff. In contrast, a cold site is a bare facility with no active infrastructure, requiring manual setup and provisioning before recovery can begin. The higher cost of a hot site is justified by its near-zero Recovery Time Objective (RTO), whereas a cold site's lower cost reflects its much longer RTO.

Exam trap

ISC2 often tests the misconception that a cold site has some pre-installed infrastructure or software, when in fact it is a completely empty facility with only power and cooling, and that RTO is identical across site types, whereas RTO is a key differentiator between hot, warm, and cold sites.

83
MCQ · medium

After a security incident has been contained and eradicated, which of the following should be done to improve future incident response?

A. Conduct a post-incident review
B. Reinstall the operating system
C. Disable the affected user accounts
D. Delete all incident-related logs

Answer: A

The review captures lessons learned and updates procedures.

Why this answer

A post-incident review (lessons learned) helps identify improvements to prevent recurrence and enhance response.

84
MCQ · hard

During an incident, the IR team identifies that the root cause is a zero-day vulnerability. Which of the following is the best immediate action?

A. Report to CERT/CC
B. Rebuild all affected systems
C. Apply a vendor patch
D. Implement compensating controls

Answer: D

Compensating controls reduce risk by blocking or detecting exploitation of the vulnerability.

Why this answer

When a zero-day vulnerability is the root cause, no vendor patch exists yet (option C is impossible). Rebuilding systems (option B) without addressing the vulnerability leaves them re-exposed. The best immediate action is to implement compensating controls—such as firewall rules, IDS/IPS signatures, or application-layer filtering—to mitigate the risk until a permanent fix is available.

This aligns with incident response containment strategies that prioritize reducing impact while preserving forensic evidence.

Exam trap

ISC2 often tests the misconception that 'rebuilding systems' or 'applying a patch' are immediate actions for a zero-day, when in reality the absence of a patch and the need for containment make compensating controls the only viable first step.

How to eliminate wrong answers

Option A is wrong because reporting to CERT/CC is a post-incident coordination step, not an immediate containment action; it does not stop the ongoing attack. Option B is wrong because rebuilding affected systems without first containing the vulnerability will result in immediate re-infection, as the zero-day exploit vector remains active. Option C is wrong because a zero-day vulnerability, by definition, has no vendor patch available at the time of discovery; applying a non-existent patch is impossible.

85
MCQ · medium

A small business with limited budget wants to ensure critical business functions can resume within 24 hours of a disaster. Their data changes infrequently. Which recovery solution is MOST cost-effective?

A. Warm site with daily backups
B. Cloud backup with instant restore
C. Cold site with monthly backups
D. Hot site with real-time replication

Answer: B

Cost-effective and can meet RTO if restore time is fast.

Why this answer

Cloud backup with instant restore (Option B) is the most cost-effective solution because the business has a limited budget, data changes infrequently, and the RTO is 24 hours. Cloud backup eliminates the need for maintaining physical infrastructure, and instant restore from cloud snapshots can meet the 24-hour RTO without the high costs of a warm or hot site.

Exam trap

ISC2 often tests the misconception that a warm site is the 'middle ground' for cost and recovery; candidates who choose it overlook that cloud backup can achieve the same RTO at a fraction of the cost when data changes infrequently.

How to eliminate wrong answers

Option A is wrong because a warm site requires pre-configured hardware and ongoing maintenance costs, which exceed a limited budget, and daily backups are overkill for infrequently changing data. Option C is wrong because a cold site with monthly backups cannot meet the 24-hour RTO, as provisioning hardware and restoring from month-old backups would take significantly longer. Option D is wrong because a hot site with real-time replication is the most expensive solution, designed for near-zero RTO and RPO, which is unnecessary for infrequently changing data and a 24-hour RTO.
