For network-based evidence, which of the following contains traffic details of all network sessions in order to detect anomalies?
Correct Answer: D
According to the CISSP All-in-One Exam Guide, statistical data is the type of network-based evidence that contains traffic details of all network sessions in order to detect anomalies. Network-based evidence is data or information collected or generated from network devices, protocols, or services, such as routers, switches, firewalls, proxies, or DNS. It can be used for various purposes, such as monitoring, auditing, troubleshooting, or forensics.

Statistical data provides quantitative and qualitative information about the network traffic, such as the volume, frequency, duration, source, destination, protocol, or port of the network sessions. It can be used to detect anomalies: deviations from the normal or expected behavior or pattern of the network traffic, such as spikes, drops, outliers, or trends. Anomalies can indicate potential problems, issues, or incidents on the network, such as performance degradation, misconfiguration, malfunction, or attack.

Alert data is not the type of network-based evidence that contains traffic details of all network sessions in order to detect anomalies, although it may be a result or outcome of that detection. Alert data provides notifications or warnings about network events or activities that may require attention or action, such as errors, failures, violations, or attacks. It can be generated by various network devices, protocols, or services, such as firewalls, IDS, IPS, or SNMP, and used to respond to, investigate, or escalate those events or activities, but it does not provide the traffic details of all network sessions.

User data is not the type of network-based evidence that contains traffic details of all network sessions in order to detect anomalies, although it may be a source or input of it. User data provides information about the users or processes that access or use network resources or services, such as their identity, role, or activity. It can be collected or generated by various network devices, protocols, or services, such as authentication servers, proxies, or logs, and used to identify, authenticate, authorize, or audit users or processes, but it does not provide the traffic details of all network sessions.

Content data is not the type of network-based evidence that contains traffic details of all network sessions in order to detect anomalies, although it may be a part or component of it. Content data provides information about the data transmitted or received over the network, such as its type, format, or value. It can be collected or generated by various network devices, protocols, or services, such as packet capture, encryption, or compression, and used to protect, analyze, or manipulate that data, but it does not provide the traffic details of all network sessions.
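As an added illustration that is not part of the exam guide or of the question above: a small Python script that reduces session records to per-host statistical data (session count, bytes, duration, ports) and flags hosts whose volume deviates sharply from the population baseline. The session records, host addresses and the median/MAD threshold are constructed for this example.

```python
# Added example (not from the exam guide): summarising constructed session
# records into per-host statistics and flagging outliers against a baseline.
from collections import defaultdict
from statistics import median

# Constructed sample of network sessions (flow records), not real traffic.
# Fields: source, destination, destination port, bytes sent, duration (seconds).
SESSIONS = [
    ("10.0.0.5", "10.0.0.20", 443, 12_000, 3.1),
    ("10.0.0.5", "10.0.0.21", 443, 9_500, 2.4),
    ("10.0.0.6", "10.0.0.20", 443, 11_000, 2.9),
    ("10.0.0.7", "10.0.0.22", 53, 300, 0.1),
    ("10.0.0.7", "10.0.0.22", 53, 280, 0.1),
    ("10.0.0.8", "10.0.0.20", 443, 10_200, 3.0),
    # One host opening many short sessions and moving far more data than its peers.
    *[("10.0.0.9", f"10.0.0.{d}", 445, 250_000, 0.5) for d in range(30, 60)],
]

def session_stats(sessions):
    """Aggregate raw sessions into per-source statistics (count, bytes, duration, ports)."""
    stats = defaultdict(lambda: {"sessions": 0, "bytes": 0, "duration": 0.0, "ports": set()})
    for src, _dst, port, nbytes, secs in sessions:
        s = stats[src]
        s["sessions"] += 1
        s["bytes"] += nbytes
        s["duration"] += secs
        s["ports"].add(port)
    return dict(stats)

def find_anomalies(stats, metric="bytes", factor=5.0):
    """Flag sources whose metric deviates from the population median by more than
    `factor` times the median absolute deviation (robust to the outlier itself)."""
    values = [s[metric] for s in stats.values()]
    med = median(values)
    mad = median(abs(v - med) for v in values) or 1.0  # avoid division by zero
    return sorted(src for src, s in stats.items() if abs(s[metric] - med) / mad > factor)

if __name__ == "__main__":
    stats = session_stats(SESSIONS)
    for src in find_anomalies(stats):
        print(src, stats[src]["sessions"], "sessions,", stats[src]["bytes"], "bytes")
```

Only the aggregated statistics are needed to spot the outlier; the payloads (content data) are never inspected, which is what makes statistical data usable at scale across all sessions.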