Systems Security Certified Practitioner – SSCP – Question0574

Which of the following is NOT a common backup method?

A. Full backup method
B. Daily backup method
C. Incremental backup method
D. Differential backup method

Correct Answer: B

Explanation:

A daily backup is not a backup method; "daily" only defines the periodicity at which backups are made. There can be daily full, incremental, or differential backups. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page 69).
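To make the distinction concrete, the following Python simulation (an added example, not code from the original page) implements the three methods the question lists and shows why "daily" is a schedule rather than a method: the same `run_backup` function is simply called on each day's tick with whichever method is wanted. It also goes beyond the question by computing the restore chain, which is where the methods differ in practice (full plus every incremental, or full plus the latest differential). File paths, timestamps, and the "tick" clock are constructed for illustration; the archive-bit mechanism used by Windows backup tools is replaced by explicit modification times so the logic runs anywhere.

```python
"""Full, incremental and differential backup selection, plus the restore chain.

Added example, not from the original page. Files are modelled as a dict of
path -> last-modified "tick" (an integer clock), each backup runs at a tick,
and a BackupSet records what it captured. The Windows archive-bit mechanism
is replaced by explicit timestamps so the logic runs anywhere. Deletions are
not modelled; only new and changed files are tracked.
"""
from dataclasses import dataclass, field


@dataclass
class BackupSet:
    kind: str                                   # "full", "incremental" or "differential"
    tick: int                                   # when the backup ran
    files: dict = field(default_factory=dict)   # path -> mtime captured


def select_files(kind, files, history):
    """Return the files a backup of `kind` copies, given the earlier backups.

    full:         every file, regardless of history
    incremental:  files changed since the most recent backup of ANY kind
    differential: files changed since the most recent FULL backup
    "daily" never appears here: it is how often this is called, not a method.
    """
    if kind == "full":
        return dict(files)
    if kind not in ("incremental", "differential"):
        raise ValueError(f"unknown backup method: {kind}")
    if not history:
        # Nothing to be relative to yet: behave like a full backup.
        return dict(files)
    if kind == "incremental":
        baseline = history[-1].tick
    else:
        fulls = [b.tick for b in history if b.kind == "full"]
        if not fulls:
            return dict(files)
        baseline = fulls[-1]            # history is chronological
    return {path: mtime for path, mtime in files.items() if mtime > baseline}


def run_backup(kind, tick, files, history):
    """Take a backup of the given kind and append it to the chronological history."""
    backup = BackupSet(kind, tick, select_files(kind, files, history))
    history.append(backup)
    return backup


def restore_chain(history):
    """Minimal ordered list of backup sets needed to rebuild the latest state.

    Start from the last full. A differential taken after it subsumes every
    earlier incremental, so only the latest differential is needed, followed
    by the incrementals taken after that differential (each is relative to
    the backup just before it).
    """
    full_positions = [i for i, b in enumerate(history) if b.kind == "full"]
    if not full_positions:
        raise ValueError("no full backup to restore from")
    last_full = full_positions[-1]
    chain = [history[last_full]]
    later = history[last_full + 1:]
    diff_positions = [i for i, b in enumerate(later) if b.kind == "differential"]
    start = 0
    if diff_positions:
        chain.append(later[diff_positions[-1]])
        start = diff_positions[-1] + 1
    chain.extend(b for b in later[start:] if b.kind == "incremental")
    return chain


def restore(history):
    """Replay the restore chain oldest-first; later sets overwrite earlier ones."""
    state = {}
    for backup in restore_chain(history):
        state.update(backup.files)
    return state


def demo():
    """Constructed sample week: Sunday full, daily incrementals, a mid-week differential."""
    history = []
    files = {"/etc/passwd": 0, "/srv/db.sqlite": 0, "/home/alice/notes.txt": 0}
    run_backup("full", 10, files, history)          # Sunday: everything
    files["/srv/db.sqlite"] = 11
    run_backup("incremental", 20, files, history)   # Monday: db only
    files["/home/alice/notes.txt"] = 21
    files["/srv/db.sqlite"] = 22
    run_backup("incremental", 30, files, history)   # Tuesday: notes + db
    files["/etc/passwd"] = 31
    run_backup("differential", 40, files, history)  # Wednesday: all three (since the full)
    files["/srv/db.sqlite"] = 41
    run_backup("incremental", 50, files, history)   # Thursday: db only
    return files, history


if __name__ == "__main__":
    live, hist = demo()
    for b in hist:
        print(f"{b.kind:<12} tick {b.tick:>2}: {sorted(b.files)}")
    print("restore chain:", [b.kind for b in restore_chain(hist)])
    print("restored == live:", restore(hist) == live)
```

Running the script prints each day's set and the restore chain `['full', 'differential', 'incremental']`: the Wednesday differential makes Monday's and Tuesday's incrementals unnecessary for a restore, but Thursday's incremental, taken after it, is still required. That trade-off (differentials grow larger each day but shorten the restore chain; incrementals stay small but every one of them must be readable) is the operational difference between the methods.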

Systems Security Certified Practitioner – SSCP – Question0573

Which of the following is NOT a task normally performed by a Computer Incident Response Team (CIRT)?

A. Develop an information security policy.
B. Coordinate the distribution of information pertaining to the incident to the appropriate parties.
C. Mitigate risk to the enterprise.
D. Assemble teams to investigate the potential vulnerabilities.

Correct Answer: A

Explanation:

Writing a corporate security policy is normally a task of upper management in an organization; the other tasks listed are usually performed by a Computer Incident Response Team. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page 64).

Systems Security Certified Practitioner – SSCP – Question0572

To protect and/or restore lost, corrupted, or deleted information, thereby preserving the data integrity and availability is the purpose of:

A. Remote journaling.
B. Database shadowing.
C. A tape backup method.
D. Mirroring.

Correct Answer: C

Explanation:

The purpose of a tape backup method is to protect and/or restore lost, corrupted, or deleted information, thereby preserving the data integrity and ensuring availability.
All other choices could suffer from corruption, and without proper backups it might not be possible to restore the data.
This is a tricky question: if the information is lost, corrupted, or deleted, only a good backup can be used to restore it. Any synchronization mechanism would propagate the loss or corruption to the mirror copy, so the data could not be recovered from it.
With backups there could be a large gap during which your latest data is not available. Compare that gap against your Recovery Point Objective (RPO) to see whether it is acceptable for your company's recovery objectives.
The following are incorrect answers:
Mirroring protects against drive failure by maintaining a live second copy. However, if data on the primary set of drives is corrupted or deleted, the same corruption or deletion is written to the secondary set, so mirroring cannot restore it.
Remote journaling provides continuous or periodic synchronized recording of transaction data at a remote location as a backup strategy (http://www.businessdictionary.com/definition/remote-journaling.html). When updates are sent in batches at regular intervals there is a gap in time between them, so some data could be lost.
Database shadowing is essentially mirroring applied to databases; it covers the database only, not information and data as a whole.
Reference(s) used for this question: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 68.

Systems Security Certified Practitioner – SSCP – Question0571

An Intrusion Detection System (IDS) is what type of control?

A. A preventive control.
B. A detective control.
C. A recovery control.
D. A directive control.

Correct Answer: B

Explanation:

An IDS is a detective control: it identifies and reports intrusions that are in progress or have already occurred rather than preventing them. Detective controls can be used to investigate what happened after the fact; your IDS may collect information on where the attack came from, what port was used, and other details that could be used in the investigation.
"Preventive control" is incorrect. Preventive controls preclude events or actions that might compromise a system or cause a policy violation. An intrusion prevention system (IPS), which blocks the traffic inline instead of only reporting it, is an example of a preventive control.
"Recovery control" is incorrect. Recovery controls include processes used to return the system to a secure state after a security incident. Backups and redundant components are examples of recovery controls.
"Directive control" is incorrect. Directive controls are administrative instruments such as policies, procedures, guidelines, and agreements. An acceptable use policy is an example of a directive control.
References: CBK, pp. 646-647

Systems Security Certified Practitioner – SSCP – Question0570

Notifying the appropriate parties to take action in order to determine the extent of the severity of an incident and to remediate the incident's effects is part of:

A. Incident Evaluation
B. Incident Recognition
C. Incident Protection
D. Incident Response

Correct Answer: D

Explanation:

Notifying the appropriate parties, determining the extent and severity of the incident, and remediating its effects are core functions of the incident response process.
"Incident Evaluation" is incorrect. Evaluation of the extent and cause of the incident is only one component of the incident response process.
"Incident Recognition" is incorrect. Recognition that an incident has occurred is the precursor to the initiation of the incident response process.
"Incident Protection" is incorrect. This is an almost-right-sounding nonsense answer to distract the unwary.
References: CBK, pp. 698-703

Systems Security Certified Practitioner – SSCP – Question0569

Which of the following statements pertaining to quantitative risk analysis is false?

A. Portion of it can be automated
B. It involves complex calculations
C. It requires a high volume of information
D. It requires little experience to apply

Correct Answer: D

Explanation:

Assigning the values for the inputs to a purely quantitative risk assessment requires both a lot of time and significant experience on the part of the assessors. The most experienced employees or representatives from each of the departments would be involved in the process. It is NOT an easy task if you wish to come up with accurate values, so "It requires little experience to apply" is the false statement.
"Portion of it can be automated" is a true statement, so it is not the answer. There are a number of tools on the market that automate the process of conducting a quantitative risk assessment.
"It involves complex calculations" is a true statement, so it is not the answer. The calculations are simple for basic scenarios but can become fairly complex for large cases, and the formulas have to be applied correctly.
"It requires a high volume of information" is a true statement, so it is not the answer. Large amounts of information are required in order to develop reasonable and defensible values for the inputs to the quantitative risk assessment.
References:
CBK, pp. 60-61; AIO3, pp. 73, 78; The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, page 24

Systems Security Certified Practitioner – SSCP – Question0568

What is the highest amount a company should spend annually on countermeasures for protecting an asset valued at $1,000,000 from a threat that has an annualized rate of occurrence (ARO) of once every five years and an exposure factor (EF) of 30%?

A. $300,000
B. $150,000
C. $60,000
D. $1,500

Correct Answer: C

Explanation:

The cost of a countermeasure should not exceed the annualized cost of the risk it mitigates, the annual loss expectancy (ALE). For a quantitative risk assessment, ALE = SLE x ARO, where the single loss expectancy (SLE) is the product of asset value and exposure factor. An event that happens once every five years has an ARO of 0.2 (1 divided by 5).
SLE = Asset Value (AV) x Exposure Factor (EF) = 1,000,000 x 0.30 = 300,000
ALE = SLE x Annualized Rate of Occurrence (ARO) = 300,000 x 0.2 = 60,000
Know your acronyms: ALE, annual loss expectancy; ARO, annualized rate of occurrence; SLE, single loss expectancy.
The following are incorrect answers: $300,000 is the SLE, the loss expected from a single occurrence, not the annual figure. $150,000 and $1,500 do not follow from the calculation above.
Reference(s) used for this question: McGraw-Hill, Shon Harris, CISSP All In One (AIO) book, Sixth Edition, Pages 87-88 and Official ISC2 Guide to the CISSP Exam (OIG), Pages 60-61

Systems Security Certified Practitioner – SSCP – Question0567

What would BEST define risk management?

A. The process of eliminating the risk
B. The process of assessing the risks
C. The process of reducing risk to an acceptable level
D. The process of transferring risk

Correct Answer: C

Explanation:

This is the basic process of risk management.
Risk is the possibility of damage happening and the ramifications of such damage should it occur. Information risk management (IRM) is the process of identifying and assessing risk, reducing it to an acceptable level, and implementing the right mechanisms to maintain that level. There is no such thing as a 100 percent secure environment. Every environment has vulnerabilities and threats to a certain degree.
The skill is in identifying these threats, assessing the probability of them actually occurring and the damage they could cause, and then taking the right steps to reduce the overall level of risk in the environment to what the organization identifies as acceptable.
Proper risk management requires a strong commitment from senior management, a documented process that supports the organization’s mission, an information risk management (IRM) policy and a delegated IRM team. Once you’ve identified your company’s acceptable level of risk, you need to develop an information risk management policy.
The IRM policy should be a subset of the organization’s overall risk management policy (risks to a company include more than just information security issues) and should be mapped to the organizational security policies, which lay out the acceptable risk and the role of security as a whole in the organization. The IRM policy is focused on risk management while the security policy is very high-level and addresses all aspects of security. The IRM policy should address the following items:
Objectives of IRM team
Level of risk the company will accept and what is considered an acceptable risk (as defined in the previous article)
Formal processes of risk identification
Connection between the IRM policy and the organization’s strategic planning processes
Responsibilities that fall under IRM and the roles that are to fulfill them
Mapping of risk to internal controls
Approach for changing staff behaviors and resource allocation in response to risk analysis
Mapping of risks to performance targets and budgets
Key indicators to monitor the effectiveness of controls
Shon Harris provides a 10,000-foot view of the risk management process below: A big question that companies have to deal with is, “What is enough security?” This can be restated as, “What is our acceptable risk level?” These two questions have an inverse relationship. You can’t know what constitutes enough security unless you know your necessary baseline risk level.
To set an enterprise-wide acceptable risk level for a company, a few things need to be investigated and understood. A company must understand its federal and state legal requirements, its regulatory requirements, its business drivers and objectives, and it must carry out a risk and threat analysis. (I will dig deeper into formalized risk analysis processes in a later article, but for now we will take a broad approach.) The result of these findings is then used to define the company’s acceptable risk level, which is then outlined in security policies, standards, guidelines and procedures.
Although there are different methodologies for enterprise risk management, the core components of any risk analysis are made up of the following:
Identify company assets
Assign a value to each asset
Identify each asset’s vulnerabilities and associated threats
Calculate the risk for the identified assets
Once these steps are finished, then the risk analysis team can identify the necessary countermeasures to mitigate the calculated risks, carry out cost/benefit analysis for these countermeasures and report to senior management their findings.
When we look at information security, there are several types of risk a corporation needs to be aware of and address properly. The following items touch on the major categories:
Physical damage: fire, water, vandalism, power loss, and natural disasters
Human interaction: accidental or intentional action or inaction that can disrupt productivity
Equipment malfunction: failure of systems and peripheral devices
Inside and outside attacks: hacking, cracking, and attacking
Misuse of data: sharing trade secrets, fraud, espionage, and theft
Loss of data: intentional or unintentional loss of information through destructive means
Application error: computation errors, input errors, and buffer overflows
The following answers are incorrect:
The process of eliminating the risk is not the best answer, as risk cannot be totally eliminated.
The process of assessing the risks is not the best answer either; assessment is only one step of risk management.
The process of transferring risk is not the best answer either; it is one of the ways of handling a risk after a risk analysis has been performed.
References: Shon Harris, AIO v3, Chapter 3: Security Management Practices, Pages 66-68 and http://searchsecurity.techtarget.com/tip/Understanding-risk

Systems Security Certified Practitioner – SSCP – Question0566

How should a risk be HANDLED when the cost of the countermeasure OUTWEIGHS the cost of the risk?

A. Reject the risk
B. Perform another risk analysis
C. Accept the risk
D. Reduce the risk

Correct Answer: C

Explanation:

Accepting the risk means the company understands the level of risk it faces and chooses to live with it: spending more on a countermeasure than the expected loss it prevents makes no economic sense.
The following answers are incorrect because:
Reject the risk is incorrect, as it means ignoring the risk, which is dangerous.
Perform another risk analysis is incorrect, as the existing risk analysis has already produced the result.
Reduce the risk is incorrect, as reduction applies when a countermeasure is implemented, which is not economical here.
Reference: Shon Harris, AIO v3, Chapter 3: Security Management Practices, Page 39

Systems Security Certified Practitioner – SSCP – Question0565

Which of the following is NOT a part of a risk analysis?

A. Identify risks
B. Quantify the impact of potential threats
C. Provide an economic balance between the impact of the risk and the cost of the associated countermeasure
D. Choose the best countermeasure

Correct Answer: D

Explanation:

This step is not a part of RISK ANALYSIS. A risk analysis has three main goals: identify risks, quantify the impact of potential threats, and provide an economic balance between the impact of the risk and the cost of the associated countermeasure. Choosing the best countermeasure comes afterwards, when the results of the analysis are used to select and cost-justify controls. Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 3: Security Management Practices (page 73). HARRIS, Shon, Mike Meyers' CISSP(R) Certification Passport, 2002, McGraw-Hill, page 12.