[Free] New Updated (October) ISC SSCP Real Exam 571-580

Ensurepass

 

QUESTION 571

Which one of the following is NOT one of the outcomes of a vulnerability assessment?

 

A.

Quantative loss assessment

B.

Qualitative loss assessment

C.

Formal approval of BCP scope and initiation document

D.

Defining critical support areas

 

Correct Answer: C

Explanation:

When seeking to determine the security position of an organization, the security professional will eventually turn to a vulnerability assessment to help identify specific areas of weakness that need to be addressed. A vulnerability assessment is the use of various tools and analysis methodologies to determine where a particular system or process may be susceptible to attack or misuse. Most vu
lnerability assessments concentrate on technical vulnerabilities in systems or applications, but the assessment process is equally as effective when examining physical or administrative business processes.

 

The vulnerability assessment is often part of a BIA. It is similar to a Risk Assessment in that there is a quantitative (financial) section and a qualitative (operational) section. It differs in that i t is smaller than a full risk assessment and is focused on providing information that is used solely for the business continuity plan or disaster recovery plan.

 

A function of a vulnerability assessment is to conduct a loss impact analysis. Because there will be two parts to the assessment, a financial assessment and an operational assessment, it will be necessary to define loss criteria both quantitatively and qualitatively.

 

Quantitative loss criteria may be defined as follows:

 

Incurring financial losses from loss of revenue, capital expenditure, or personal liability resolution.

The additional operational expenses incurred due to the disruptive event Incurring financial loss from resolution of violation of contract agreements Incurring financial loss from resolution of violation of regulatory or compliance requirements

 

Qualitative loss criteria may consist of the following:

 

The loss of competitive advantage or market share

The loss of public confidence or credibility, or incurring public mbarrassment

 

During the vulnerability assessment, critical support areas must be defined in order to assess the impact of a disruptive event. A critical support area is defined as a business unit or function that must be present to sustain continuity of the business processes, maintain life safety, or avoid public relations embarrassment.

 

Critical support areas could include the following:

 

Telecommunications, data communications, or information technology areas Physical infrastructure or plant facilities, transportation services Accounting, payroll, transaction processing, customer service, purchasing

 

The granular elements of these critical support areas will also need to be identified. By granular elements we mean the personnel, resources, and services the critical support areas need to maintain business continuity

 

Reference(s) used for this question:

 

Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 4628-4632). Auerbach Publications. Kindle Edition.

KRUTZ, Ronald L.& VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Page 277.

 

 

QUESTION 572

Controls are implemented to:

 

A.

eliminate risk and reduce the potential for loss

B.

mitigate risk and eliminate the potential for loss

C.

mitigate risk and reduce the potential for loss

D.

eliminate risk and eliminate the potential for loss

 

Correct Answer: C

Explanation:

Controls are implemented to mitigate risk and reduce the potential for loss. Preventive controls are put in place to inhibit harmful occurrences; detective controls are established to discover harmful occurrences; corrective controls are used to restore systems that are victims of harmful attacks.

It is not feasible and possible to eliminate all risks and the potential for loss as risk/threats are constantly changing.

Source: KRUTZ, Ronald L.& VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 32.

QUESTION 573

Which of the following statements pertaining to disaster recovery planning is incorrect?

 

A.

Every organization must have a disaster recovery plan

B.

A disaster recovery plan contains actions to be taken before, during and after a disruptive event.

C.

The major goal of disaster recovery planning is to provide an organized way to make decisions if a disruptive event occurs.

D.

A disaster recovery plan should cover return from alternate facilities to primary facilities.

 

Correct Answer: A

Explanation:

It is possible that an organization may not need a disaster recovery plan. An organization may not have any critical processing areas or system and they would be able to withstand lengthy interruptions.

 

Remember that DRP is related to systems needed to support your most critical business functions.

 

The DRP plan covers actions to be taken when a disaster occur but DRP PLANNING which is the keywork in the question would also include steps that happen before you use the plan such as development of the plan, training, drills, logistics, and a lot more.

 

To be effective, the plan would certainly cover before, during, and after the disaster actions.

 

It may take you a couple years to develop a plan for a medium size company, there is a lot that has to happen before the plan would be actually used in a real disaster scenario. Plan for the worst and hope for the best.

 

All other statements are true.

 

NOTE FROM CLEMENT:

Below is a great article on who legally needs a plan which is very much in line with this question. Does EVERY company needs a plan? The legal answer is NO. Some companies, industries, will be required according to laws or regulations to have a plan. A blank statement saying: All companies MUST have a plan would not be accurate. The article below is specific to the USA but similar laws will exist in many other countries.

 

Some companies such as utilities, power, etc… might also need plan if they have been defined as Critical Infrastructure by the government. The legal side of IT is always very complex and varies in different countries. Always talk to your lawyer to ensure you follow the law of the land 🙂

 

Read the details below:

 

So Who, Legally, MUST Plan?

With the caveats above, let’s cover a few of the common laws where there is a duty to have a disaster recovery plan. I will try to include the basis for that requirement, where there is an implied mandate to do so, and what the difference is between the two Banks and Financial Institutions MUST Have a Plan

 

The Federal Financial Institutions Examination Council (Council) was established on March 10, 1979, pursuant to Title X of the Financial Institutions Regulatory and Interest Rate Control Act of 1978 (FIRA), Public Law 95-630. In 1989, Title XI of the Financial Institutions Reform, Recovery and Enforcement Act of 1989 (FIRREA) established the Examination Council (the Council).

 

The Council is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS); and to make recommendations to promote uniformity in the supervision of financial institutions. In other words, every bank, savings and loan, credit union, and other financial institution is governed by the principles adopted by the Council.

 

In March of 2003, the Council released its Business Continuity Planning handbook designed to provide guidance and examination procedures for examiners in evaluating financial institution and service provider risk-management processes.

 

Stockbrokers MUST Have a Plan

The National Association of Securities Dealers (NASD) has adopted rules that req
uire all its members to have business continuity plans. The NASD oversees the activities of more than 5,100 brokerage firms, approximately 130,800 branch offices and more than 658,770 registered securities representatives.

 

As of June 14, 2004, the rules apply to all NASD member firms. The requirements, which are specified in Rule 3510, begin with the following:

 

3510. Business Continuity Plans. (a) Each member must create and maintain a written business continuity plan identifying procedures relating to an emergency or significant business disruption. Such procedures must be reasonably designed to enable the member to meet its existing obligations to customers. In addition, such procedures must address the member’s existing relationships with other broker-dealers and counter-parties. The business continuity plan must be made available promptly upon request to NASD staff.

 

NOTE:

The rules apply to every company that deals in securities, such as brokers, dealers, and their representatives, it does NOT apply to the listed companies themselves.

Electric Utilities WILL Need a Plan

 

The disaster recovery function relating to the electric utility grid is presently undergoing a change. Prior to 2005, the Federal Energy Regulatory Commission (FERC) could only coordinate volunteer efforts between utilities. This has changed with the adoption of Title XII of the Energy Policy Act of 2005 (16 U.S.C.824o). That new law authorizes the FERC to create an Electric Reliability Organization (ERO). The ERO will have the capability to adopt and enforce reliability standards for “all users, owners, and operators of the bulk power system” in the United States. At this time, FERC is in the process of finalizing the rules for the creation of the ERO. Once the ERO is created, it will begin the process of establishing reliability standards.

 

It is very safe to assume that the ERO will adopt standards for service restoration and disaster recovery, particularly after such widespread disasters as Hurricane Katrina. Telecommunications Utilities SHOULD Have Plans, but MIGHT NOT

 

Telecommunications utilities are governed on the federal level by the Federal Communications Commission (FCC) for interstate services and by state Public Utility Commissions (PUCs) for services within the state.

 

The FCC has created the Network Reliability and Interoperability Council (NRIC). The role of the NRIC is to develop recommendations for the FCC and the telecommunications industry to “insure [sic] optimal reliability, security, interoperability and interconnectivity of, and accessibility to, public communications networks and the internet.” The NRIC members are senior representatives of providers and users of telecommunications services and products, including telecommunications carriers, the satellite, cable television, wireless and computer industries, trade associations, labor and consumer representatives, manufacturers, research organizations, and government-related organizations.

 

There is no explicit provision that we could find that says telecommunications carriers must have a Disaster Recovery Plan. As I have stated frequently in this series of articles on disaster recovery, however, telecommunications facilities are tempting targets for terrorism. I have not changed my mind in that regard and urge caution.

 

You might also want to consider what the liability of a telephone company is if it does have a disaster that causes loss to your organization. In three words: It’s not much. The following is the statement used in most telephone company tariffs with regard to its liability:

 

The Telephone Company’s liability, if any, for its gross negligence or willful misconduct is not limited by this tariff. With respect to any other claim or suit, by a customer or any others, for damages arising out of mistakes, omissions, interruptions, delays or errors, or defects in transmission occurring in the course of furnishing services hereunder, the Telephone Company’s liability, if any, shall not exceed an amount equivalent to the proportionate charge to the customer for the period of service during which such mistake, omission, interruption, delay, error or defect in transmission or service occurs and continues. (Source, General Exchange Tariff for major carrier)

 

All Health Care Providers WILL Need a Disaster Recovery Plan HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, which amended the Internal Revenue Service Code of 1986. Also known as the Kennedy-Kassebaum Act, the Act includes a section, Title II, entitled Administrative Simplification, requiring “Improved efficiency in healthcare delivery by standardizing electronic data interchange, and protection of confidentiality and security of health data through setting and enforcing standards.”

 

The legislation called upon the Department of Health and Human Services (HHS) to publish new rules that will ensure security standards protecting the confidentiality and integrity of “individually identifiable health information,” past, present, or future.

 

The final Security Rule was published by HHS on February 20, 2003 and provides for a uniform level of protection of all health information that is housed or transmitted electronically and that pertains to an individual.

 

The Security Rule requires covered entities to ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) that the covered entity creates, receives, maintains, or transmits. It also requires entities to protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI, protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule, and ensure compliance by their workforce.

 

Required safeguards include application of appropriate policies and procedures, safeguarding physical access to ePHI, and ensuring that technical security measures are in place to protect networks, computers and other electronic devices.

Companies with More than 10 Employees

 

The United States Department of Labor has adopted numerous rules and regulations in regard to workplace safety as part of the Occupational Safety and Health Act. For example, 29 USC 654 specifically requires:

 

(a) Each employer:

 

(1) shall furnish to each of his employees employment and a place of employment which are free from recognized hazards that are causing or are likely to cause death or serious physical harm to his employees;

(2) shall comply with occupational safety and health standards promulgated under this Act.

 

(b) Each employee shall comply with occupational safety and health standards and all rules, regulations, and orders issued pursuant to this Act which are applicable to his own actions and conduct.

 

Other Considerations or Expensive Research QUESTION NO: s for Lawyers (Sorry, Eddie!)

 

The Foreign Corrupt Practices Act of 1977

Internal Revenue Service (IRS) Law for Protecting Taxpayer Information Food and Drug Administration (FDA) Mandated Requirements Homeland Security and Terrorist Prevention

Pandemic (Bird Flu) Prevention

ISO 9000 Certification

Requirements for Radio and TV Broadcasters

Contract Obligations to Customers

Document Protection and Retention Laws

Personal Identity Theft…and MORE!

 

Suffice it to say you will need to check with your legal department for specific requirements in your business and industry!

 

I would like to thank my good friend, Eddie

M.Pope, for his insightful contributions to this article, our upcoming book, and my ever-growing pool of lawyer jokes. If you want more information on the legal aspects of recovery planning, Eddie can be contacted at my company or via email at mailto:mempope@tellawcomlabs.com. (Eddie cannot, of course, give you legal advice, but he can point you in the right direction.)

 

I hope this article helps you better understand the complex realities of the legal reasons why we plan and wish you the best of luck

 

See original article at:

http://www.informit.com/articles/article.aspx?p=777896

See another interesting article on the subject at:

http://www.informit.com/articles/article.aspx?p=677910&seqNum=1

 

References used for this question:

KRUTZ, Ronald L.& VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 8: Business Continuity Planning and Disaster Recovery Planning (page 281).

 

 

QUESTION 574

The absence of a safeguard, or a weakness in a system that may possibly be exploited is called a(n)?

 

A.

Threat

B.

Exposure

C.

Vulnerability

D.

Risk

 

Correct Answer: C

Explanation:

A vulnerability is a weakness in a system that can be exploited by a threat.

Source: KRUTZ, Ronald L.& VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 237.

QUESTION 575

When first analyzing an intrusion that has just been detected and confirming that it is a true positive, which of the following actions should be done as a first step if you wish to prosecute the attacker in court?

 

A.

Back up the compromised systems.

B.

Identify the attacks used to gain access.

C.

Capture and record system information.

D.

Isolate the compromised systems.

 

Correct Answer: C

Explanation:

When an intrusion has been detected and confirmed, if you wish to prosecute the attacker in court, the following actions should be performed in the following order:

 

Capture and record system information and evidence that may be lost, modified, or not captured during the execution of a backup procedure. Start with the most volative memory areas first.

Make at least two full backups of the compromised systems, using hardware-write- protectable or write-once media. A first backup may be used to re-install the compromised system for further analysis and the second one should be preserved in a secure location to preserve the chain of custody of evidence.

 

Isolate the compromised systems.

Search for signs of intrusions on other systems.

Examine logs in order to gather more information and better identify other systems to which the intruder might have gained access.

Search through logs of compromised systems for information that would reveal the kind of attacks used to gain access.

Identify what the intruder did, for example by analyzing various log files, comparing checksums of known, trusted files to those on the compromised machine and by using other intrusion analysis tools.

 

Regardless of the exact steps being followed, if you wish to prosecute in a court of law it means you MUST capture the evidence as a first step before it could be lost or contaminated. You always start with the most volatile evidence first.

 

NOTE:

I have received feedback saying that some other steps may be done such as Disconnecting the system from the network or shutting down the system. This is true. However, those are not choices listed within the 4 choices attached to this question, you MUST avoid changing the question. You must stick to the four choices presented and pick which one is the best out of the four presented.

 

In real life, Forensic is not always black or white. There are many shades of grey. In real life you would have to consult your system policy (if you have one), get your Computer Incident team involved, and talk to your forensic expert and then decide what is the best course of action.

 

Reference(s) Used for this question:

 

http://www.newyorkcomputerforensics.com/learn/forensics_process.php

and ALLEN, Julia H., The CERT Guide to System and Network Security Practices, Addison- Wesley, 2001, Chapter 7: Responding to Intrusions (pages 273-277).

 

 

 

QUESTION 576

A business continuity plan should list and prioritize the services that need to be brought back after a disaster strikes. Which of the following services is more likely to be of primary concern in the context of what your Disaster Recove
ry Plan would include?

 

A.

Marketing/Public relations

B.

Data/Telecomm/IS facilities

C.

IS Operations

D.

Facilities security

 

Correct Answer: B

Explanation:

The main concern when recovering after a disaster is data, telecomm and IS facilities. Other services, in descending priority order are: IS operations, IS support services, market structure, marketing/public relations, customer service & systems support, market regulation/surveillance, listing, application development, accounting services, facilities, human resources, facilities security, legal and Office of the Secretary, national sales.

Source: BARNES, James C.& ROTHSTEIN, Philip J., A Guide to Business Continuity Planning, John Wiley & Sons, 2001 (page 129).

 

 

QUESTION 577

For which areas of the enterprise are business continuity plans required?

 

A.

All areas of the enterprise.

B.

The financial and information processing areas of the enterprise.

C.

The operating areas of the enterprise.

D.

The marketing, finance, and information processing areas.

 

Correct Answer: A

Explanation:

Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.

 

 

QUESTION 578

What is called an event or activity that has the potential to cause harm to the information systems or networks?

 

A.

Vulnerability

B.

Threat agent

C.

Weakness

D.

Threat

 

Correct Answer: D

Explanation:

Source: KRUTZ, Ronald L.& VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Pages 16, 32.

 

 

QUESTION 579

Which of the following cannot be undertaken in conjunction or while computer incident handling is ongoing?

 

A.

System development activity

B.

Help-desk function

C.

System Imaging

D.

Risk management process

 

Correct Answer: A

Explanation:

If Incident Handling is underway an incident has potentially been identified. At that point all use of the system should stop because the system can no longer be trusted and any changes could contaminate the evidence. This would include all System Development Activity.

 

Every organization should have plans and procedures in place that deals with Incident Handling.

 

Employees should be instructed what steps are to be taken as soon as an incident occurs and how to report it. It is important that all parties involved are aware of these steps to protect not only any possible evidence but also to prevent any additional harm.

 

It is quite possible that the fraudster has planted malicous code that could cause destruction or even a Trojan Horse with a back door into the system. As soon as an incident has been identified the system can no longer be trusted and all use of the system should cease.

 

Shon Harris in her latest book mentions:

 

Although we commonly use the terms “event” and “incident” interchangeably, there are subtle differences between the two. An event is a negative occurrence that can be observed, verified, and documented, whereas an incident is a series of events that negatively affects the company and/ or impacts its security posture. This is why we call reacting to these issues “incident response” (or “incident handling”), because something is negatively affecting the company and causing a security breach.

 

Many types of incidents (virus, insider attack, terrorist attacks, and so on) exist, and sometimes it is just human error. Indeed, many incident response individuals have received a frantic call in the middle of the night because a system is acting “weird.” The reasons could be that a deployed patch broke something, someone misconfigured a device, or the administrator just learned a new scripting language and rolled out some code that caused mayhem and confusion.

 

When a company endures a computer crime, it should leave the environment and evidence unaltered and contact whomever has been delegated to investigate these types of situations. Someone who is unfamiliar with the proper process of collecting data and evidence from a crime scene could instead destroy that evidence, and thus all hope of prosecuting individuals, and achieving a conviction would be lost.

 

Companies should have procedures for many issues in computer security such as enforcement procedures, disaster recovery and continuity procedures, and backup procedures. It is also necessary to have a procedure for dealing with computer incidents because they have become an increasingly important issue of today’s information security departments. This is a direct result of attacks against networks and information systems increasing annually. Even though we don’t have specific numbers due to a lack of universal reporting and reporting in general, it is clear that the volume of attacks is increasing.

 

Just think about all the spam, phishing scams, malware, distributed denial-of-service, and other attacks you see on your own network and hear about in
the news. Unfortunately, many companies are at a loss as to who to call or what to do right after they have been the victim of a cybercrime. Therefore, all companies should have an incident response policy that indicates who has the authority to initiate an incident response, with supporting procedures set up before an incident takes place.

This policy should be managed by the legal department and security department. They need to work together to make sure the technical security issues are covered and the legal issues that surround criminal activities are properly dealt with. The incident response policy should be clear and concise. For example, it should indicate if systems can be taken offline to try to save evidence or if systems have to continue functioning at the risk of destroying evidence. Each system and functionality should have a priority assigned to it. For instance, if the file server is infected, it should be removed from the network, but not shut down. However, if the mail server is infected, it should not be removed from the network or shut down because of the priority the company attributes to the mail server over the file server. Tradeoffs and decisions will have to be made, but it is better to think through these issues before the situation occurs, because better logic is usually possible before a crisis, when there’s less emotion and chaos.

 

The Australian Computer Emergency Response Team’s General Guidelines for Computer Forensics:

 

Keep the handling and corruption of original data to a minimum.

Document all actions and explain changes.

Follow the Five Rules for Evidence (Admissible, Authentic, Complete, Accurate, Convincing).

Bring in more experienced help when handling and/ or analyzing the evidence is beyond your knowledge, skills, or abilities.

Adhere to your organization’s security policy and obtain written permission to conduct a forensics investigation.

Capture as accurate an image of the system( s) as possible while working quickly.

Be ready to testify in a court of law.

Make certain your actions are repeatable.

Prioritize your actions, beginning with volatile and proceeding to persistent evidence. Do not run any programs on the system( s) that are potential evidence. Act ethically and in good faith while conducting a forensics investigation, and do not attempt to do any harm.

 

The following answers are incorrect:

 

help-desk function. Is incorrect because during an incident, employees need to be able to communicate with a central source. It is most likely that would be the help-desk. Also the help-desk would need to be able to communicate with the employees to keep them informed.

 

system imaging. Is incorrect because once an incident has occured you should perform a capture of evidence starting with the most volatile data and imaging would be doen using bit for bit copy of storage medias to protect the evidence.

 

risk management process. Is incorrect because incident handling is part of risk management, and should continue.

 

Reference(s) used for this question:

 

Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (Kindle Locations 21468-21476). McGraw-Hill. Kindle Edition.

Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (Kindle Locations 21096-21121). McGraw-Hill. Kindle Edition.

NIST Computer Security incident handling http://csrc.nist.gov/publications/nistpubs/800- 12/800-12-html/chapter12.html

 

 

 

 

 

 

QUESTION 580

If your property Insurance has Actual Cash Valuation (ACV) clause, your damaged property will be compensated based on:

 

A.


Value of item on the date of loss

B.

Replacement with a new item for the old one regardless of condition of lost item

C.

Value of item one month before the loss

D.

Value of item on the date of loss plus 10 percent

 

Correct Answer: A

Explanation:

This is called the Actual Cash Value (ACV) or Actual Cost Valuation (ACV)

 

All of the other answers were only detractors. Below you have an explanation of the different types of valuation you could use. It is VERY important for you to validate with your insurer which one applies to you as you could have some very surprising finding the day you have a disaster that takes place.

 

Replacement Cost

Property replacement cost insurance promises to replace old with new. Generally, replacement of a building must be done on the same premises and used for the same purpose, using materials comparable to the quality of the materials in the damaged or destroyed property.

 

There are some other limitations to this promise. For example, the cost of repairs or replacement for buildings doesn’t inclu
de the increased cost associated with building codes or other laws controlling how buildings must be built today. An endorsement adding coverage for the operation of Building Codes and the increased costs associated with complying with them is available separately — usually for additional premium.

In addition, some insurance underwriters will only cover certain property on a depreciated value (actual cash value — ACV) basis even when attached to the building. This includes awnings and floor coverings, appliances for refrigerating, ventilating, cooking, dishwashing, and laundering. Depreciated value also applies to outdoor equipment or furniture.

 

Actual Cash Value (ACV)

The ACV is the default valuation clause for commercial property insurance. It is also known as depreciated value, but this is not the same as accounting depreciated value. The actual cash value is determined by first calculating the replacement value of the property. The next step involves estimating the amount to be subtracted, which reflects the building’s age, wear, and tear.

 

This amount deducted from the replacement value is known as depreciation. The amount of depreciation is reduced by inflation (increased cost of replacing the property); regular maintenance; and repair (new roofs, new electrical systems, etc.) because these factors reduce the effective age of the buildings.

 

The amount of depreciation applicable is somewhat subjective and certainly subject to negotiation. In fact, there is often disagreement and a degree of uncertainty over the amount of depreciation applicable to a particular building.

 

Given this reality, property owners should not leave the determination of depreciation to chance or wait until suffering

a property loss to be concerned about it. Every three to five years, property owners should obtain a professional appraisal of the replacement value and depreciated value of the buildings.

 

The ACV valuation is an option for directors to consider when certain buildings are in need of repair, or budget constraints prevent insuring all of your facilities on a replacement cost basis. There are other valuation options for property owners to consider as well.

 

Functional Replacement Cost

This valuation method has been available for some time but has not been widely used. It is beginning to show up on property insurance policies imposed by underwriters with concerns about older, buildings. It can also be used for buildings, which are functionally obsolete.

 

This method provides for the replacement of a building with similar property that performs the same function, using less costly material. The endorsement includes coverage for building codes automatically.

 

In the event of a loss, the insurance company pays the smallest of four payment options.

 

1. In the event of a total loss, the insurer could pay the limit of insurance on the building or the cost to replace the building on the same (or different) site with a payment that is “functionally equivalent.”

 

2. In the event of a partial loss, the insurance company could pay the cost to repair or replace the damaged portion in the same architectural style with less costly material (if available).

 

3. The insurance company could also pay the amount actually spent to demolish the undamaged portion of the building and clear the site if necessary.

 

4. The fourth payment option is to pay the amount actually spent to repair, or replace the building using less costly materials, if available (Hillman and McCracken 1997).

 

Unlike the replacement cost valuation method, which excluded certain fixtures and personal property used to service the premises, this endorsement provides functional replacement cost coverage for these items (awnings, floor coverings, appliances, etc.) (Hillman nd McCracken 1997).

 

As in the standard replacement cost value option, the insured can elect not to repair or replace the property. Under these circumstances the company pays the smallest of the following:

 

1. The Limit of Liability

 

2. The “market value” (not including the value of the land) at the time of the loss. The endorsement defines “market value” as the price which the property might be expected to realize if ffered for sale in fair market.”

 


3. A modified form of ACV (the amount to repair or replace on he same site with less costly material and in the same architectural tyle, less depreciation) (Hillman and McCracken 1997).

 

Agreed Value or Agreed Amount

Agreed value or agreed amount is not a valuation method. Instead, his term refers to a waiver of the coinsurance clause in the property insurance policy. Availability of this coverage feature varies among insurers but, it is usually available only when the underwriter has proof (an independent appraisal, or compliance with an insurance company valuation model) of the value of your property.

 

When do I get paid?

 

Generally, the insurance company will not pay a replacement cost settlement until the property that was damaged or destroyed is actually repaired or replaced as soon as reasonably possible after the loss.

 

Under no circumstances will the insurance company pay more than your limit of insurance or more than the actual amount you spend to repair or replace the damaged property if this amount is less than the limit of insurance.

 

Replacement cost insurance terms give the insured the option of settling the loss on an ACV basis. This option may be exercised if you don’t plan to replace the building or if you are faced with a significant coinsurance penalty on a replacement cost settlement.

 

References:

http://www.schirickinsurance.com/resources/value2005.pdf

TIPTON, Harold F.& KRAUSE, MICKI Information Security Management Handbook, 4th Edition, Volume 1 Property Insurance overview, Page 587.

Free VCE & PDF File for ISC SSCP Real Exam

Instant Access to Free VCE Files: ISC | ISC | SAP …
Instant Access to Free PDF Files: ISC | ISC | SAP …

This entry was posted in SSCP Real Exam (October) and tagged , , , , , , . Bookmark the permalink.