Chapter 3
What does project scoping and project planning for a BCP entail?
(1) Analysis of the organization with crisis in mind, (2) Approval of senior management, (3) Resource estimation and approval, (4) Legal and regulatory implications for BCP
What are the five steps of the business impact assessment process?
(1) Identification of priorities, (2) Risk Identification, (3) Likelihood assessment, (4) Impact assessment, and (5) Resource prioritization
What are the four steps of the business continuity planning process?
(1) Project scope and planning, (2) Business impact assessment, (3) Continuity planning, and (4) Approval and Implementation. Each task contributes to the overall goal of ensuring that business operations continue uninterrupted in the face of an emergency situation.
_____________ represents the number of times a business expects to experience a given disaster each year
Annualized rate of occurrence (ARO)
The most common goal of ______________ is the following: To ensure the continuous operation of the business in the face of an emergency situation
BCP
Who are the necessary members of the business continuity planning team?
The BCP team should contain, at a minimum, representatives from each of the operational and support departments; technical experts from the IT department; physical and IT security personnel with BCP skills; legal representatives familiar with corporate legal, regulatory, and contractual responsibilities; and representatives from senior management.
What types of legal and regulatory requirements face business continuity planners?
Business leaders must exercise due diligence to ensure that shareholders' interests are protected in the event disaster strikes. Some industries are also subject to federal, state, and local regulations that mandate specific BCP procedures. Many businesses have contractual obligations to their clients that must be met before and after a disaster.
Why is fully documenting an organization's business continuity plan important?
Committing the plan to writing provides the organization with a written record of the procedures to follow when disaster strikes. It prevents the "It's in my head" syndrome and ensures the orderly progress of events in an emergency.
What is the difference between disaster recovery and business continuity?
Disaster recovery is more tactical in nature. A disaster recovery plan picks up where a business continuity plan left off.
The officers and directors of publicly traded firms have a fiduciary responsibility to exercise ______________________ in the execution of their business continuity duties
Due diligence
What term is used to describe the responsibility of the firm's officers and directors to ensure that adequate measures are in place to minimize the effect of a disaster on the company's continued viability?
Due diligence
What is the process for developing a continuity strategy?
During the strategy development phase (1), the BCP team determines which risks will be mitigated. In the provisions and processes phase (2), the mechanisms and procedures that will mitigate those risks are designed. The plan must then be approved by senior management and implemented. Personnel must also receive training on their roles in the BCP process.
___________ is the amount of damage that a risk poses to an asset, expressed as a percentage of the asset's value
Exposure Factor (EF)
The _____________ is the maximum length of time a business function can be inoperable without causing irreparable harm to the business
Maximum tolerable downtime (MTD). Also known as Maximum tolerable outage (MTO). Quantitative measure identified during the business impact analysis. Provides valuable information when you're performing both BCP and DRP planning.
Is a business continuity plan a discretionary expense?
No
BCP team selection is part of which element of business continuity planning (which of four elements)?
Project scoping and planning
In which business continuity planning phase task would you actually design procedures and mechanisms to mitigate risks deemed unacceptable by the BCP team? (1) Provisions and processes, or (2) Resource prioritization
Provisions and processes
In the ________________ phase of continuity planning, the BCP team designs the specific procedures and mechanisms that will mitigate the risks deemed unacceptable during the strategy development phase
Provisions and processes. Three categories of assets must be protected: buildings/facilities, and infrastructure.
______________ is the amount of time in which you think you can feasibly recover the function in the event of a disruption
Recovery time objective (RTO). The goal of the BCP process is to ensure that your RTOs are less than your MTDs.
Setting priorities, providing staff and financial resources, and arbitrating disputes about criticality (i.e. relative importance) of services are roles of ________________ in the BCP process
Senior management
The ____________ is the monetary loss that is expected each time the risk materializes
Single Loss Expectancy (SLE). SLE = Asset Value × Exposure Factor
The ______________ expresses the criticality of implementing the BCP and outlines the implementation timetable decided on by the BCP team and agreed to by upper management
Statement of Urgency and Timing
The ______________________ reflects the criticality of the BCP to the organization's continued viability
Statement of importance
The __________________ comes from a senior-level executive and can be incorporated into the same letter as the statement of importance. It echoes the sentiment that business continuity is everyone's responsibility.
Statement of organizational responsibility
The _____________________ involves listing the functions considered critical to continued business operations in a prioritized order
Statement of priorities
Which task of BCP bridges the gap between the business impact assessment and the continuity planning phases?
Strategy development. It analyzes the prioritized list of risks developed during the BIA and determines which risks will be addressed by the BCP.
How is the business organization analysis performed?
The individuals responsible for leading the BCP process determine which departments and individuals have a stake in the business continuity plan. It is used as the foundation for BCP team selection, and after validation by the BCP team, is used to guide the next stages of BCP development.
True or False: The final step of the BIA (as part of BCP) is to prioritize the allocation of business continuity resources to the various risks identified and assessed in the preceding tasks of the BIA.
True
True or False: The final step of the BCP plan is documentation
True. After obtaining approval from senior management.
A ___________ program states where critical business records will be stored and the procedures for making and storing backup copies of those records
Vital records program. Should be included as part of BCP documentation.
Should risk acceptance decisions be documented?
Yes