Information Security and Assurance - C725 - Chapter 6
What is the most common cause of unplanned downtime?
Hardware Failure
What label applied to a standby facility that is ready to take over for the primary facility as soon as notice is received that the primary facility has gone down?
Hot Site
What are five steps of the business impact assessment process?
Identification of Priorities, Risk Identification, Likelihood Assessment, Impact Assessment and Resource Prioritization.
BCP should include the following:
Prioritizing critical business processes; calculating the value and cost of continuing important business processes; assessing the cost to the business if critical services were disrupted.
What is the typical time estimate to activate a warm site from the time a disaster is declared?
12 hours Warm sites typically take about 12 hours to activate from the time a disaster is declared. This is compared to the relatively instantaneous activation of a hot site and the lengthy time (at least a week) required to bring a cold site to operational status.
You are concerned about the risk that an avalanche poses to your $3 million shipping facility. Based on expert opinion, you determine that there is a 5 percent chance that an avalanche will occur each year. Experts advise you that an avalanche would completely destroy your building and require you to rebuild on the same land. Ninety percent of the $3 million value of the facility is attributed to the building, and 10 percent is attributed to the land itself. What is the annualized loss expectancy?
135,000
You are concerned about the risk that an avalanche poses to your $3 million shipping facility. Based on expert opinion, you determine that there is a 5 percent chance that an avalanche will occur each year. Experts advise you that an avalanche would completely destroy your building and require you to rebuild on the same land. Ninety percent of the $3 million value of the facility is attributed to the building, and 10 percent is attributed to the land itself. What is the single loss expectancy of your shipping facility to avalanches?
2,700,000
According to the Federal Emergency Management Agency, approximately what percentage of U.S. states is rated with at least a moderate risk of seismic activity?
80 percent Forty-one of the 50 U.S. states are considered to have a moderate, high, or very high risk of seismic activity. This rounds to 80 percent to provide the value given in option B.
Hot Sites
A hot-site facility assumes the entire burden of providing backup computing services for the customer. This includes hosting the application software and data in a so-called mirror site. The vendor should be prepared to assume all responsibility for processing transactions for the customer, with little to no interruption of service. The vendor is responsible for maintaining the facility, including all environmental controls, such as heating, air conditioning, and power; hardware, including servers and printers; data backups; and all other services associated with a data processing center. Although a hot-site facility offers several advantages, most importantly providing uninterrupted service in a relatively quick time, it can also be the most expensive solution as a DRP. In addition, the hot site poses some security risk because the data is now stored, backed up, and theoretically accessible to a third party. Still, for companies that can afford a hot-site facility, this is the most attractive solution.
What type of mitigation provision is utilized when redundant communications links are installed?
Alternative systems This is an example of alternative systems. Redundant communications circuits provide backup links that may be used when the primary circuits are unavailable.
Warm Sites
As you might suspect, the warm-site facility is a compromise between the services offered by hot- and cold-site vendors. A warm-site facility provides the building and environmental services previously mentioned, with the addition of the hardware and communication links already established. However, the customer's applications are not installed, nor are workstations provided. In this case, the customer restores application software from backups using workstations it provides. Warm sites are cheaper than hot sites but require more effort. On the other hand, they are more expensive than cold-site facilities but are less labor intensive and more likely to be effective in a disaster. An important part of the BCP is determining the constraints, both financial and operational, under which the company is working and choosing the most realistic solution that meets the minimal needs of the BCP.
Anticipating, planning for, and preventing problems is generally less costly than simply reacting to them after they occur.
At a minimum, outages to IT systems can cost millions of dollars in lost revenue, lost productivity, and lost resources because of legal issues. According to the Gartner Group, "two out of every five enterprises that experience a disaster go out of business within five years." Failing to plan is indeed planning to fail when it comes to business and IT operations. At the extreme, a sustained outage can threaten the viability of an organization.
What business continuity planning technique can help you prepare the business unit prioritization task of disaster recovery planning?
Business impact assessment During the business impact assessment phase, you must identify the business priorities of your organization to assist with the allocation of BCP resources. You can use this same information to drive the DRP business unit prioritization.
What is the first step that individuals responsible for the development of a business continuity plan should perform?
Business organization analysis The business organization analysis helps the initial planners select appropriate BCP team members and then guides the overall BCP process.
What does BCP stand for and what does it mean?
Business Continuity Planning is the preventative practice of establishing and planning for threats to business flow, including natural and unnatural risks and threats to daily operations.
What backup media may be appropriate for personal backups but not for network backups?
CD, DVD, Blu-ray, flash drive. These similar types of smaller-capacity storage mechanisms are useful for holding smaller amounts of data compared to enterprise options such as multi-terabyte hard drives and tapes.
Which one of the following storage locations provides a good option when the organization does not know where it will be when it tries to recover operations?
Cloud computing Cloud computing services provide an excellent location for backup storage because they are accessible from any location.
Which one of the following alternative processing sites takes the longest time to activate?
Cold site
Which one of the following items is a characteristic of hot sites but not a characteristic of warm sites?
Current data Warm sites and hot sites both contain workstations, servers, and the communications circuits necessary to achieve operational status. The main difference between the two alternatives is the fact that hot sites contain near-real-time copies of the operational data and warm sites require the restoration of data from backup.
What type of backup involves always storing copies of all files modified since the most recent full backup?
Differential backups
What process brings order to the chaotic events surrounding the interruption of an organization's normal activities by an emergency?
Disaster Recovery Planning (DRP)
What does DRP stand for and what does it mean?
Disaster Recovery Planning is the process of establishing and executing recovery actions as part of an emergency response following a disaster.
What type of plan addresses the technical controls associated with alternate processing facilities, backups, and fault tolerance?
Disaster recovery plan. Disaster recovery plans pick up where business continuity plans leave off. After a disaster strikes and the business is interrupted, the disaster recovery plan guides response teams in their efforts to quickly restore business operations to normal levels.
What is the term used to describe the responsibility of a firm's officers and directors to ensure that adequate measures are in place to minimize the effect of a disaster on the organization's continued viability?
Due diligence
What happens without BCP?
Eighty percent of businesses without a recovery plan either close or never reopen within 18 months. Seventy percent of companies go out of business after a major data loss. Eighty percent of companies lacking a business continuity plan fail within 2 years. Sixty percent of companies that lose their data shut down within 6 months of a disaster.
What is the first thing you should do when a disaster strikes?
Ensure the people are safe.
What type of document will help public relations specialists and other individuals who need a high-level summary of disaster recovery efforts while they are under way?
Executive summary The executive summary provides a high-level view of the entire organization's disaster recovery efforts. This document is useful for the managers and leaders of the firm as well as public relations personnel who need a nontechnical perspective on this complex effort.
What organization sponsors the National Flood Insurance Program and is a good source of historical flood information?
FEMA - Federal Emergency Management Agency
What is used to provide fault tolerance for a server?
Failover Cluster
True/False. There is an accepted standards document defining the requirements for an electronic vaulting solution.
False
Which one of the following disaster types is not usually covered by standard business or homeowner's insurance?
Flood Most general business insurance and homeowner's insurance policies do not provide any protection against the risk of flooding or flash floods. If floods pose a risk to your organization, you should consider purchasing supplemental flood insurance under FEMA's National Flood Insurance Program.
What are the three major types of file system backup?
Full Backups, Incremental and Differential backups
What forms of backup always set the archive bit to 0?
Full and Incremental
What combination of backup strategies provides the fastest backup creation time?
Full backups and incremental backups Any backup strategy must include full backups at some point in the process. Incremental backups are created faster than differential backups because of the number of files it is necessary to back up each time.
What is used to provide long-term fault tolerance for a power failure?
Generator
What are some examples of alternate processing facilities that should be considered when designing a DRP?
Hot, Warm and Cold Sites, Mobile Sites, service bureaus, multiple sites and reciprocal agreement.
What are the three major options for alternative processing sites?
Hot, Warm and Cold sites
What term describes damage resulting from arson, human error, acts of terrorism, or power outages and other utility failures?
Man-Made disasters.
What resource is in greatest demand during the BCP testing, training and maintenance process?
Manpower
How might you describe a site housed in a self-contained transportable unit with all the control hardware and software elements necessary to establish an operational safe computing environment?
Mobile Site
What type of recovery site is particularly suited to workgroup recovery options?
Mobile Site
What unit of measurement should be used to assign quantitative values to assets in the priority identification phase of the business impact assessment?
Monetary
Which of the following is considered the main disadvantage of using multiple centers as a recovery site?
Multiple centers are more difficult to administer than other types of recovery sites. Although less costly than a hot site, administering multiple centers could be a burdensome chore and cost-prohibitive.
What term describes damage from disruptive and irresistible forces of nature?
Natural Disaster
Type of Disruptive Events - Natural Events:
Natural events capable of disrupting a business include these: earthquakes, fires, floods, mudslides, snow, ice, lightning, hurricanes, and tornadoes; explosions, chemical fires, hazardous waste spills, and smoke and water damage; power outages caused by utility failures, high heat and humidity, and solar flares.
Which one of the following concerns is not suitable for quantitative measurement during the business impact assessment?
Negative publicity It is difficult to put a dollar figure on the business lost because of negative publicity. Therefore, this type of concern is better evaluated through a qualitative analysis.
What type of disaster recovery plan test fully evaluates operations at the backup facility but does not shift primary operations responsibility from the main site?
Parallel test Parallel tests involve moving personnel to the recovery site and gearing up operations, but responsibility for conducting day-to-day operations of the business remains at the primary operations center.
Which resource should you protect first when designing continuity plan provisions and processes?
People The safety of human life must always be the paramount concern in business continuity planning. Be sure that your plan reflects this priority, especially in the written documentation that is disseminated to your organization's employees.
The scope definition of the BCP should include all of the following except:
Performing a dry run of emergency fire and medical evacuation procedures The formal implementation of the BCP requires a close examination of business practices and services that constitute the boundaries and define the scope of the plan.
What form of backups, when used to restore data, will always result in some amount of data loss?
Periodic Backups
What is the number one priority of disaster response?
Personnel Safety
Which one of the following is an example of a man-made disaster?
Power outage
What type of decision making is mainly concerned with metrics such as dollar values and downtime?
Quantitative
Software escrow agreements place the application source code in the hands of an independent third party, thus providing firms with a "safety net" in the event a developer goes out of business or fails to honor the terms of a service agreement.
RAID
What kind of strategy defines practices, policies and procedures to restore a business to normal operation in the wake of some kind of outage or disaster?
Recovery Strategy
What disaster recovery principle best protects your organization against hardware failure?
Redundancy Redundant systems/components provide protection against the failure of one particular piece of hardware.
What is used to provide fault tolerance for disk subsystem?
Redundant array of independent disks (RAID).
What type of database backup strategy involves maintenance of a live backup server at the remote site?
Remote mirroring Remote mirroring is the only backup option in which a live backup server at a remote site maintains a bit-for-bit copy of the contents of the primary server, synchronized as closely as the latency in the link between primary and remote systems will allow.
In which one of the following database recovery techniques is an exact, up-to-date copy of the database maintained at an alternative location?
Remote mirroring When you use remote mirroring, an exact copy of the database is maintained at an alternative location. You keep the remote copy up-to-date by executing all transactions on both the primary and remote site at the same time.
What is the end goal of disaster recovery planning?
Restoring normal business activity Once a disaster interrupts the business operations, the goal of DRP is to restore regular business activity as quickly as possible. Thus, disaster recovery planning picks up where business continuity planning leaves off.
What is the formula for computing single loss expectancy?
SLE = AV x EF [Single Loss Expectancy = Asset Value x Exposure Factor]
What is the formula used to compute the single loss expectancy for a risk scenario?
SLE = AV × EF
What roles can a service bureau play in disaster recovery?
Service bureaus lease computer time via contractual agreement and can meet an organization's entire IT needs in the event of disaster or catastrophic failure.
Making Additional Arrangements
Several other arrangements can afford a company more options with business continuity planning: Multiple centers: Processing is distributed across multiple sites that are in-house or part of a shared-site agreement. As with distributed networks, a multiple center arrangement spreads the processing across sites and offers redundancy in processing as an added safeguard. Although less costly than a hot site, administering multiple centers could be a burdensome chore and cost-prohibitive. Service bureaus: Known for their quick response but high cost, service bureaus provide backup processing services at a remote location. Service bureaus also perform primary application processing such as payroll systems and have extra capacity available for DRP services. Mobile units: In this scenario, a third-party vendor provides a data processing center on wheels, complete with air conditioning and power systems. The cloud: Using the cloud for virtualized storage of applications and their data, the customer (especially medium-size organizations that can't afford an expensive DRP) finds its data backed up and available for immediate recove
What are Shared-Site Agreements?
Shared-site agreements are arrangements between companies with similar (if not identical) data processing centers. This compatibility in hardware, software, and services allows companies that enter into an agreement to back up each other when one partner has an emergency. Instead of having to build an entire infrastructure to back up its applications and data, Company A enters into an agreement with Company B to share resources in case of a disaster. Such an arrangement can save substantial time and money because the computers and software already exist and do not have to be procured. In theory, when Company A loses its data processing center resources, a figurative switch flips and it begins to run its applications on Company B's computers as if nothing had happened. Despite the advantages of reduced costs, this scenario encounters problems. First, the data centers must be highly compatible in terms of the hardware and software they run. In fact, if Company A is not a subsidiary of Company B or they aren't regional offices of the same corporation, a shared-site agreement is difficult to implement. If the companies are not part of the same corporate charter, other difficulties arise, such as assured data security, privacy protection, and data synchronization. Shared-site agreements are feasible when companies are closely related and share common processing platforms, but the challenges are greater when this is not the case.
Which of the following is considered the most extensive type of disaster recovery testing?
Simulation The simulation test is important so that employees know what to do when a disaster actually occurs.
What can be used to protect a company against the failure of a developer to provide adequate support?
Software Escrow agreement
What disaster recovery planning tool can be used to protect an organization against the failure of a critical software firm to provide appropriate support for their products?
Software escrow agreement Software escrow agreements place the application source code in the hands of an independent third party, thus providing firms with a "safety net" in the event a developer goes out of business or fails to honor the terms of a service agreement.
Which task of BCP bridges the gap between the business impact assessment and the continuity planning phases?
Strategy development The strategy development task bridges the gap between business impact assessment and continuity planning by analyzing the prioritized list of risks developed during the BIA and determining which risks will be addressed by the BCP.
Type of Disruptive Events - Man made
Strikes, work stoppages, and walkouts; sabotage, burglary, and other forms of hostile activity; massive failure of technology, including utility and communication failure caused by human intervention or error.
What is system resilience?
System resilience refers to the ability of a system to maintain an acceptable level of service during an adverse event. This could be a hardware fault managed by fault-tolerant components, or it could be an attack managed by other controls such as effective intrusion detection and prevention systems.
True or False? Senior management should be included in the BCP process from the beginning.
TRUE
Testing Disaster Recovery Planning:
Testing the plan not only shows that the plan is viable, but also prepares personnel for a disaster by teaching them their responsibilities, removing all uncertainty, and thus mitigating risk.
Creating Business Impact Analysis
The BIA identifies the risks that specific threats pose to the business, quantifies the risks, establishes priorities, and performs a cost/benefit analysis for countering risks. In pursuit of these goals, these are the three most important steps: Prioritize the business processes, most likely at the department level, possibly using a scoring system to assign a weight or value to each process. For example, in a manufacturing environment, processes such as materials receipt, inventory, production, shipping, and accounting deserve consideration. This makes the task of prioritizing easier and hopefully less subjective, assuming that all business units accept the scoring method. This approach gives prioritization more objective scientific validity. After critical processes have been identified and prioritized, determine how long each process can be down before business continuity is seriously compromised. Keep in mind that processes usually are interrelated and might need to be grouped together to assess downtime tolerance. Identify the resources required to support the most critical processes. What equipment, which people, and how much money beyond normal operating costs do you need to maintain critical ("life support" in industry jargon) systems?
Difference between BCP and DRP
The business continuity plan (BCP) describes the critical processes, procedures, and personnel that must be protected in the event of an emergency (preventative), and the disaster recovery plan (DRP) describes the exact steps and procedures personnel in key departments, specifically the IT department, must follow to recover critical business systems in the event of a disaster that causes the loss of access to systems required for business operations (reactive).
Identifying Recovery Strategies
The function of the DRP is to identify the exact strategy for recovering those processes, specifically IT systems and services that are struck by a disaster. Because information technology is critical to almost every business these days and is the focus of this text, you need to understand several disaster recovery strategies that are available to an organization.
What does the term "100-year flood plain" mean to emergency preparedness officials?
The odds of a flood at this level are 1 in 100 in any given year. The term 100-year flood plain is used to describe an area where flooding is expected once every 100 years. It is, however, more mathematically correct to say that this label indicates a 1 percent probability of flooding in any given year.
Defining scope of BCP:
The project team must make a business case for continuity planning, especially when the BCP is not mandatory. Team members must compare the cost of implementing the BCP with the benefits derived from meeting its objectives. Identifying critical business processes and requirements for continuing to operate during an emergency. Assessing risks to the business if critical services are discontinued. This process is sometimes referred to as business impact analysis. Prioritizing those processes and assigning a value to each process. Which processes are absolutely critical and must be kept "online" without interruption? For example, keeping a continuous supply of power in a hospital emergency room is obviously more important than ensuring power in the employee cafeteria. Determining the cost of continuous operation and the value ascribed to each service. Establishing the priority of restoring critical services. Which must be restored within the hour? the day? the week? Which services cannot withstand any interruption? After executive management has approved the concept of the BCP and the BCP team has identified the scope and definition of the project, the team must establish the rules of engagement. This involves identifying the roles and responsibilities of the project team members and establishing the means of communication and the mechanisms for tracking progress.
Question : Which of the following statements best describes the purpose of the BIA?
The purpose of the BIA is to define a strategy that minimizes the effect of disturbances and to allow for the resumption of business processes. The BIA identifies the risks that specific threats pose to the business, quantifies the risks, establishes priorities, and performs a cost/benefit analysis for countering risks.
Steps to take when creating Business Continuity Planning (BCP):
They must identify the scope and boundaries of the business continuity plan while communicating the importance of such a plan throughout the organization. What critical aspects of the business must be considered as part of the plan? This step typically involves an audit analysis of the organization's assets, including people, facilities, applications, and IT systems, along with a risk analysis that identifies the types of threats to the organization, both man-made and natural. Using the results of this thorough analysis, they must create the business impact assessment (BIA). The BIA measures the operating and financial loss to the organization from a disruption to critical business functions (you get a more thorough explanation of the BIA later in this lesson). When the BIA is complete, those responsible for creating the plan must sell the concept of the BCP to key senior management and obtain organizational and financial commitment. Without the support of top management, the BCP remains an abstraction—mere words on a page. The presenters must be prepared to answer questions such as whether the BCP is cost-effective and practical. If the cost of implementing the plan outweighs the benefit derived from it, the BCP must be reviewed and modified where appropriate. If the plan is too cumbersome and impractical to implement, its chances of success are slim. After the BCP has gained the approval of upper management personnel who have signed off on the plan and released the necessary resources to implement it, each department needs to understand its role in the plan and support and help maintain it. This happens through a thorough examination of best practices within the organization and the tasks, processes, roles, and resources needed to meet the stated objectives of the continuity plan. Finally, the BCP project team must implement the plan. This includes the necessary training, testing, and ongoing review and support of the BCP in both financial and practical terms. 
Business processes are rarely static, and the project team must ensure that the BCP adapts to changes within the organization.
What is the goal of business continuity planning (BCP)?
To ensure the continuity of a business in the face of an emergency situation.
True/False. Organizations participating in a mutual assistance agreement are typically located in the same geographic regions.
True
What is used to provide short-term fault tolerance for a power supply?
UPS
Cold Sites
Unlike the hot site, the cold site provides facilities (including power, air conditioning, heat, and other environmental systems) necessary to run a data processing center without any of the computer hardware or software. The customer must deliver the hardware and software necessary to bring up the site. The cold site is a cheaper solution than a hot site, but you get what you pay for. When you consider the logistical problems of moving hardware that is highly sensitive to both temperature fluctuations and movement and then quickly installing software on it, you will appreciate the challenges that a cold-site facility poses. In the event of a true disaster, when a company cannot afford to suffer a protracted outage, the cold-site alternative, although economically feasible, might give the customer the illusion of security, even if it is not grounded in reality. Unfortunately, this lesson may be learned the hard way.
5 Methods of DRP planning
Walk-throughs: Members of the key business units meet to trace their steps through the plan, looking for omissions and inaccuracies. Simulations: During a practice session, critical personnel meet to perform a dry run of the emergency, mimicking the response to a true emergency as closely as possible. Checklists: In a more passive type of testing, members of the key departments check off the tasks for which they are responsible and report on the accuracy of the checklist. This is typically a first step toward a more comprehensive test. Parallel testing: The backup processing occurs in parallel with production services that never stop. This is a familiar process for those who have installed complex computer systems that run in parallel with the existing production system until the new system proves to be stable. An example of this is when a company installs a new payroll system: Until the new system is deemed ready for full cut-over, the two systems operate in parallel. Full interruption: Also known as the true/false test, production systems are stopped as if a disaster occurred to see how the backup services perform. They either work (true) or fail (false), in which case the lesson learned can be as painful as a true disaster.
Define a fail-open system
A fail-open system will fail in an open state, granting all access.
Define a fail-secure system
A fail-secure system will default to a secure state in the event of a failure, blocking all access.
DRP Alternate Sites forms
a hot site, a warm site, or a cold site.
What is QoS?
QoS controls protect the integrity of data networks under load. Many factors contribute to the QoS of the end user's experience, and QoS attempts to manage all those factors.
What is Disaster Recovery Plan (DRP)?
describes the exact steps and procedures personnel in key departments, specifically the IT department, must follow to recover critical business systems in the event of a disaster that causes the loss of access to systems required for business operations. For example, one credit card company's mission-critical system is the authorization system for charge requests at the point of sale; without this capability, the company could not generate revenue and would be out of business in a matter of days or weeks.
What is Business Continuity Plan (BCP)?
it describes the critical processes, procedures, and personnel that must be protected in the event of an emergency. The corresponding business impact analysis (BIA) evaluates risks to the organization and prioritizes the systems in use for purposes of recovery. Mission-critical systems—systems that are essential for the ongoing operation of the business—are at the top of the list, followed by less critical systems and then "nice to have" systems that are nonessential for the business to remain in business.
Business Impact Analysis (BIA) is..
it evaluates risks to the organization and prioritizes the systems in use for purposes of recovery. Mission-critical systems—systems that are essential for the ongoing operation of the business—are at the top of the list, followed by less critical systems and then "nice to have" systems that are nonessential for the business to remain in business.
What are the rules of engagement?
It involves identifying the roles and responsibilities of the project team members and establishing the means of communication and the mechanisms for tracking progress.
It is sometimes useful to separate disaster ______ tasks from disaster ______ tasks
recovery ... restoration
What is the common goal of the BCP (business continuity plan) and the DRP (disaster recovery plan)?
They share the common goal of keeping a business running in case of an emergency or interruption. Both the BCP and DRP strive to prevent costly disruptions in critical business processes after disaster strikes.
What is a failover cluster?
Two or more servers; if one of the servers fails, another one in the cluster can take over the load in an automatic process.
You are concerned about the risk that a hurricane poses to your corporate headquarters in South Florida. The building itself is valued at $15 million. After consulting with the National Weather Service, you determine that there is a 10 percent likelihood that a hurricane will strike over the course of a year. You hired a team of architects and engineers who determined that the average hurricane would destroy approximately 50 percent of the building. What is the annualized loss expectancy (ALE)?
750,000
Steps in BCP are:
1) Identify the scope of the BCP 2) Create the BIA 3) Write the BCP 4) Obtain signoff of the tested BCP
DRP using alternate sites:
A company seeking DRP assistance can also use a third-party vendor to provide emergency backup services. Instead of entering into a reciprocal agreement with another business, the company uses the services of a vendor whose business it is to provide DRP services. You might be wondering who provides backup services for the third-party vendor. The vendor is responsible for providing backup services if the company experiences a critical failure in its systems. These alternate-site services providers are the most commonly used form of DRP assistance and generally take one of three forms: a hot site, a warm site, or a cold site.
Question 20: Which one of the following BIA terms identifies the amount of money a business expects to lose to a given risk each year?
ALE The annualized loss expectancy (ALE) represents the amount of money a business expects to lose to a given risk each year. This figure is quite useful when performing a quantitative prioritization of business continuity resource allocation.
What is the formula for computing annualized loss expectancy?
ALE = SLE x ARO (Single Loss Expectancy x Annual Rate of Occurrence)
What are the two possible responses to a risk?
Acceptance and mitigation
What feature of insurance can improve your ability to replace lost or damaged assets?
Actual Cost Value (ACV)
According to the Gartner Group, which of the following statements is true?
Approximately 40 percent of businesses experiencing a disaster of some sort go out of business.
When a disaster strikes but your ability to perform work tasks is only threatened, not actually interrupted, what response should be used?
BCP
What is a false statement regarding BCP and DRP?
Both plans describe preventative, not reactive, security procedures.
Once the BCP team is selected, what should be the first item placed on the agenda?
Business Organization analysis
What is the most common document type used for emergency response plans?
Checklists
Of the individuals listed, who would provide the best endorsement for a business continuity plan's statement of importance?
Chief executive officer You should strive to have the highest-ranking person possible sign the BCP's statement of importance. Of the choices given, the chief executive officer is the highest ranking.
What label applies to a partial standby facility for which power and other infrastructure elements are available, but for which no operational computing facilities are supplied in advance of a disaster?
Cold Site
Provide two examples of devices that might be used to harden a system
Computer-safe fire suppression system and uninterruptible power supplies
Name some natural disasters
Earthquake, flood, storms, tornado and fire
What are some of the elements that should be included in emergency response guidelines?
Immediate response procedures, notification procedures, and secondary response procedures.
Goals of Disaster Recovery Planning (DRP) are:
Keeping the computers running. Computer services are an integral part of most businesses, especially those such as Internet service providers, where these services are the business. Meeting formal and informal service-level agreements (SLAs) with customers and suppliers. Being proactive rather than reactive. A carefully rehearsed DRP must be second nature to critical personnel. The DRP should include a comprehensive checklist of activities to perform through practice runs to make sure the people who are responsible for recovery are not caught by surprise.
What are some of the qualitative factors that must be taken into account when assessing the cost of a disaster?
Loss of goodwill among client base, loss of employees after prolonged downtime, social/ethical responsibilities to the community, and negative publicity
What BIA metric can be used to express the longest time a business function can be unavailable without causing irreparable harm to the organization?
MTD
What Business Impact Analysis/Assessment variable is used to describe the longest period of time a resource can be unavailable without causing irreparable harm to the business?
MTD - Maximum tolerable downtime
In which business continuity planning task would you actually design procedures and mechanisms to mitigate risks deemed unacceptable by the BCP team?
Provisions and processes In the provisions and processes phase, the BCP team actually designs the procedures and mechanisms to mitigate risks that were deemed unacceptable during the strategy development phase.
Question: Which of the following statements best explains why the BCP is important?
The BCP is important because it minimizes disruption in business continuity. The BCP reduces the risk to the business in case of a disruption in the continuity of business.
Why is BCP so important?
The BCP reduces the risk to the business in case of a disruption in the continuity of business (you get more on exactly what these disruptions can be shortly). They are chartered with protecting shareholder investments while meeting federal and state legal requirements. They also have to worry about public image. Any significant disruption in business will quickly drive away partners, investors, and consumers. You may have heard the phrase "due diligence" in the workplace or in your coursework. Although the phrase has no precise definition, the intent is that a business will act responsibly and protect its assets according to generally accepted business practices and management. In fulfilling this responsibility, being proactive is preferable to being reactive.
What label applies to a site that is already provisioned with hardware and software to take over the primary facility, but that needs to obtain and install a backup or image of client-specific data before going online?
Warm Site
What type of disaster recovery separates recovery sites by business teams?
Workgroup Recovery