$6.$ Many issues are involved when planning for a third party to perform services involving data storage, backup and restore, and destruction or processing services for your company. Which of the following statements is not correct with regard to such planning or to your actual conduct of operations with that third party? $($Choose all that apply.$)$ A$.$ Your data protection responsibilities remain with you; you need to be able to actively verify that such third parties are doing what you$$ve contracted with them to do$.$ Otherwise, you are blindly trusting them. B$.$ Your contracts with these third parties should use a shared responsibility model to clearly delineate which party has which responsibilities; this will, in most cases, hold you harmless when the third party goes outside of the contract C$.$ Since third parties are by definition on a contract with you, as your subcontractor, you are not liable or responsible for mistakes they make in performing their duties. D$.$ What your third party providers, subcontractors, or employees $($for that matter$)$ do in your name and in your service, you are ultimately responsible for. $7.$ Which statements about the role$($s$)$ of archiving, backup, and restore in meeting information security needs are most correct? $($Choose all that apply.$)$ A$.$ These each contribute to availability in similar ways. B$.$ These each contribute to availability and nonrepudiation. C$.$ As part of an incident response or disaster recovery plan, prompt restore to a known good data configuration may prevent other data from being compromised or breached, thus contributing to confidentiality. D$.$ These have no role to play in achieving authentication needs. $8.$ How does securing a virtual machine differ from securing a physical computer system? $($Choose all that apply.$)$ A$.$ The basic tasks of defining the needs, configuring system capabilities in support of those needs, and then operationally deploying the VM are conceptually the same as when deploying the same OS and apps on a desktop or laptop. You use many of the same tools, OS features, and utilities. B$.$ VMs cannot run without some kind of software$-$defined network and a hypervisor, which bring many more complex security concerns that administrators need to deal with to achieve required information security performance. C$.$ VMs can access any resource on the bare metal machine that is hosting them through the hypervisor, which requires administrators to take many extra precautions to prevent security breaches. D$.$ The bare metal server, host OS $($if used$),$ and hypervisor provide none of the security features you$$ll need to configure to keep other system users, processes, and data, and those in each VM$,$ safe, secure$,$ and protected from each other.Review Questions $4739.$ Why is endpoint security so important to an organization? A$.$ Users, who interact with organizational IT infrastructures and information at the endpoints, are notoriously difficult to control; if we can better control and secure the endpoints themselves, then we can prevent most end user$$introduced security problems. B$.$ Endpoints are where information turns into action, and that action produces value; on the way into the system, it is where action produces valuable information. This is where business actually gets done and work accomplished. Without the endpoints, the system is meaningless. C$.$ Endpoints are what most users and customers see, and if endpoints are not secure$,$ users and customers will not engage with our security programs and help us keep the system safe. D$.$ While endpoints are where many users do information work, organizational managers and leaders draw their decision support at the systems level, and not from an endpoint device such as a smartphone. Data quality and software quality processes need to ensure that once data enters the system from an endpoint, it is then protected to meet CIANA needs throughout its life. $10.$ Jayne$$s company is considering the use of IoT devices as part of its buildings, grounds, and facilities maintenance tasks. Which statements give Jayne sound advice to consider for this project? A$.$ Since IoT devices can easily be configured, updated, or patched, they are just as capable of being secure as are laptops, desktops, or smartphones. B$.$ Functions that change frequently are well suited to IoT devices. C$.$ Typical IoT devices are best suited to use where security or human safety are a primary concern. D$.$ It may be better to consider industrial process control modules, rather than IoT devices, to interact with machinery, such as pumps and landscaping equipment. $11.$ Which statements about continuity and resilience are correct? $($Choose all that apply.$)$ A$.$ Continuity measures a system$$s ability to deal with events the designers didn$$t anticipate. B$.$ Continuity and resilience are basically the same idea, since they both deal with how systems handle errors, component or subsystem failures, or abnormal operational commands from users or other system elements. C$.$ Resilie