CISA PT 4: INFO SYS OPERATIONS AND BUSINESS RESILIENCE
what is the first step of the business continuity plan process?
1. Consider possible threats consider possible threats, which include natural (e.g., fires, floods, and earthquakes), technical (e.g., hardware/software failure, power disruption, and communications interference), and human (e.g., riots, strikes, disgruntled employees, and sabotage) threats.
What is the correct business continuity plan sequence?
1. Consider possible threats 2. Assess potential impacts 3. Evaluate critical needs 4. Establish recovery priorities
What are reliable disaster recovery alternatives?
1. Shared facilities include hot/cold/warm sites. 2. Service bureaus provide contingency services and use them primarily for production processing. All the processing is completed in a time-shared environment, supported by batch and interactive programming systems. 3. Mirrored sites are fully redundant with real-time data replication from the primary site.
what is the last step of the business continuity plan process?
4th (last) - Establish recovery priorities establish priorities for recovery based on critical needs.
What test is conducted of team members role-play a disaster scenario, execute the plan on paper, discuss their roles, review each step to evaluate its effectiveness, and discuss the appropriate responses to the disaster. This test is not sufficient to test the viability of the plan.
Structured-Walk Through
Term: What type of interface has Data is transferred between two systems, both internally within an organization or externally to other organizations. System-to-system interfaces are increasingly being used to transfer data to specialized tools for further analysis and insights through data mining.
System-System
Which of the following is least reliable of disaster recovery alternatives? a. Mutual aid agreements (Reciprocal Agreements) b. Service bureaus c. Mirrored sites d. Shared facilities
a. Mutual aid agreements (Reciprocal Agreements)
Which of the following is the relevant predetermined criteria to activate an organization's business continuity plan? A. Duration of the disruption B. Type of disruption C. Probability of the disruption D. Cause of the disruption
A. Duration of the disruption
Which of the follow.ing is a category of system interface? A system interface is a group of interrelated elements, including hardware and software, that interact through one or more computers. System interfaces refer to moving data output from one application as data input to another, with minimal human interaction. Interfaces that involve humans are user interfaces. A. System-to-system B. Partner-to-partner C. Person-to-person D. All of the answer choices are correct.
D. All of the answer choices are correct.
What test is used in software development and maintenance.
Regression test
What test is conducted after the preparedness test. In a full-interruption test, operations are shut down at the primary site and relocated to the recovery site following the recovery plan; this is the most rigorous form of testing. Full-interruption tests are difficult to arrange, expensive, and possibly disruptive.
The Full Interruption Test
Which of the following alternate computing backup facilities is intended to serve an organization with sustained destruction from a disaster? a. Cold sites b. Reciprocal agreements c. Hot sites d. Service bureaus
c. Hot sites Hot sites are where an organization provides fully equipped computer facilities for use in the event one of its subscribers/customers suffers a computer disaster.
What are drawbacks of Reciprocal agreement (Mutual Aid)?
1. The agreements are difficult to enforce. The organizations might trust each other to provide support in the event of a disaster; however, disagreement may arise at the time the plan is activated. 2. There may be difficulty maintaining hardware and software compatibility among the cooperating organizations. 3. Cooperating organizations should be in relative proximity to each other. However, proximity means that both organizations may be vulnerable to the same threats. 4. Security and privacy concerns often prevent businesses from putting their data in the hands of other organizations, such as in the handling of healthcare or financial data.
what is the second step of the business continuity plan process?
2. Assess Potential Impacts assess the impacts of the loss of information and services from internal and external sources. This includes impacts on financial conditions, competitive position, customer confidence, legal/regulatory requirements, and cost analysis needed to minimize exposure.
what is the third step of the business continuity plan process?
3. Evaluate critical needs This evaluation should also consider time frames in which a specific function becomes critical. This includes functional operations, key personnel, information, processing systems, documentation, vital records, and policies and procedures.
Which of the following ensures the greatest success in completing the development of business continuity and disaster recovery plans? A. Appointing a project manager with senior management support B. Defining individual roles C. Defining operational activities D. Assigning individual responsibility
A. Appointing a project manager with senior management support
An IS auditor is reviewing the organization's payroll system and notes that data for terminated employees was stored for three years. The organization's data retention policy requires that terminated employees' data be disposed of every 12 months. What is the MOST significant concern for the IS auditor? A. Data confidentiality B. Excessive data storage costs C. System performance D. Data integrity
A. Data confidentiality Data for terminated employees is no longer required and retaining it for an excessive period increases the risk of a data breach.
Which of the following is done after the risk analysis in the disaster recovery planning process? A. Development of test procedures B. Assessment of threat impact on the organization C. Prioritization of applications D. Development of recovery scenarios
A. Development of test procedures Test procedures are detailed instructions that are usually not considered during a risk analysis exercise. Risk analysis is the initial phase of the disaster planning process, while testing comes after developing and documenting the plan.
What should be the last step in a risk assessment process performed as part of a business continuity plan? A. Establish recovery priorities B. Consider possible threats C. Evaluate critical needs D. Assess potential impacts
A. Establish recovery priorities
The best contingency plan maintenance approach to ensure the currency of the plan is to incorporate it into: A. change management procedures. B. hardware upgrades. C. revision procedures. D. software upgrades.
A. change management procedures.
Which of the following statements is FALSE about the error log in incident management? A. Segregation of duties can help maintain the integrity of the error log. B. End users should not be granted access to the error log. C. Unresolved problems must be reported to senior IT management. D. Only IT personnel should be able to make updates to the error log.
B. End users should not be granted access to the error log. (FALSE) Explanation: End users should be able to make an entry into the error log, but updating the error log should be restricted to specific IT personnel.
Which audit procedure should an IS auditor conduct to test job scheduling and the monitoring process performed by a third-party organization? A. Review job monitoring procedures, including whether automated alerts are sent following successful job completion and when a job has failed. B. Review service-level agreements (SLAs) with third parties. C. Review job scheduling software to determine whether high-priority jobs (across all key applications) have been scheduled. D. Examine IT troubleshooting procedures to investigate and resolve failed job runs.
B. Review service-level agreements (SLAs) with third parties.
An IS auditor observed several application errors resulting in an outage. After inquiring with IT, the IS auditor learned that the errors occurred after a patch was installed. Which of the following is the PRIMARY reason for the program errors? A. Systems should always be backed up before implementation. B. The change management process was not followed. C. Patches must be tested before installation. D. Patches must be implemented by system administrators only.
B. The change management process was not followed. The change management process includes procedures for testing and deploying changes before installation, and would have reasonably prevented the application errors.
When auditing the business continuity planning process, the IS auditor should examine which of the following scenarios most critically? A. Most likely B. Worst-case scenario C. Optimistic best-case scenario D. All possible cases
B. Worst-case scenario The IS auditor should ensure that the existing contingency and disaster recovery plans are updated and incorporated into the business continuity plan. The IS auditor should examine the worst-case scenario to ensure that a feasible backup strategy can be successfully implemented.
Once system backup schedules and proper controls are in place, the disaster recovery coordinator needs to arrange, among other activities, periodic reviews of the offsite storage program and the backup computer vendor facilities. An important area to review is: A. the vendor's capacity plans. B. adherence to data file or document classification criteria. C. compliance with the vendor's financial audit requirements. D. the vendor's strategic plans.
B. adherence to data file or document classification criteria. Explanation: "adherence to data file or document classification criteria." The difficult aspect of a disaster recovery plan is keeping it up to date with all the changes that occur. Depending on how frequently the organization's systems and procedures change, a review of the offsite vendor and backup computer vendor facilities should be conducted once a quarter or semiannually to verify that adherence to data file or document classification criteria is being met.
The major purpose of change management implementation is to: A. develop tools to implement the change. B. allocate resources to implement the change. C. facilitate change agents in the organization. D. address people's concerns about the change.
B. allocate resources to implement the change.
Determining the criticality of an application system in the production environment is important to allocate scarce resources to highly critical systems. The best way to accomplish this objective is to: A. ask the internal and external auditors during their routine audit work. B. ask the end users how they would continue their operations if the system were unavailable for a specified time period. C. ask the application programmer who is developing and/or maintaining the system. D. ask the computer operators who are running day-to-day production jobs.
B. ask the end users how they would continue their operations if the system were unavailable for a specified time period. Application systems are designed to provide data and information to end users, the users are in the best position to assess the value or usefulness of the system to their business operations.
Rank the following objectives of a disaster recovery plan (DRP) from most to least important. 1. Minimizing the disaster's financial impact on the organization 2. Reducing physical damage to the organization's property, equipment, and data 3. Limiting the extent of the damage and thus preventing an escalation of the disaster 4. Protecting the organization's employees and the public A. 1, 2, 3, and 4 B. 3, 2, 1, and 4 C. 4, 3, 1, and 2 D. 4, 2, 1, and 3
C. 4, 3, 1, and 2 The health and safety of employees and the public should be the first concern during a disaster situation. The second concern should be limiting the extent of the damage and limiting or containing the disaster. The third concern is to minimize the disaster's economic and financial impact on the organization regarding revenues and sales. Finally, the fourth concern should be to reduce physical damage to property, equipment, and data.
Which of the following risks is RFID technology subject to? A. Malicious code B. Internal risk C. Business intelligence risk D. Session hijacking
C. Business intelligence risk Radio frequency identification (RFID)-generated information can be at risk of unauthorized access, such as competitors who will use the information against the organization's interests. Thus, RFID technology imposes risks, including business process risk, business intelligence risk, privacy risk, and externality risk.
Which of the following is the most important focus of an IS contingency plan? A. Minimizing financial losses on third-party contractors B. Minimizing physical damage to plant and equipment C. Ensuring a timely resumption of critical services D. Replacing the need for insurance
C. Ensuring a timely resumption of critical services The contingency plan should be a coordinated effort with the objectives of minimizing disruptions of service to the organization, employees, and its customers, minimizing financial losses, and ensuring a timely resumption of operations in the event of a disaster.
Kelly is conducting a business impact assessment for her organization. What metric provides important information about the amount of time the organization may be without service before causing irreparable harm? A. RPO B. RTO C. MTD D. SDO
C. MTD (maximum tolerable downtime) indicates the longest period a business function can be unavailable before causing severe damage to the business. MTD is a useful metric to determine the level of business continuity resources to assign to a particular function. This measure is sometimes called maximum tolerable outage (MTO).
Which of the following database models contains basic entities that have data structures and operations? A. Relational B. Hierarchical C. Object-oriented D. Network
C. Object-oriented An object-oriented database management system contains objects which are basic entities that have data structures and operations. Every object has an object ID that is a unique, system-provided identifier. Classes describe generic object types.
A large organization has developed a disaster recovery plan for its several offices dispersed across a broad regional area. Which of the following is the MOST cost-effective test of the disaster recovery plan? A. Structured walk-through B. Full-interruption test C. Preparedness test D. Regression test
C. Preparedness test Each local office/area executes this test to validate the adequacy of the preparedness of regional operations for disaster recovery.
Strategies for processing capability are needed to recover from a disaster. Which of the following recovery strategies has the greatest chance of failure due to systems and personnel changes? A. Redundant site B. Hot site C. Reciprocal agreement D. Cold site
C. Reciprocal agreement (Mutual Aid Agreement) this alternative has the greatest possibility of failure due to problems in keeping agreements and plans up to date as systems and personnel change.
Which of the following is the most important criterion when selecting individuals to be part of the organization's disaster recovery plan (DRP)? A. Consulting experience with clients or customers in the same industry. B. Consulting background with hardware and software vendors. C. Technical knowledge of IS operating systems, databases, and telecommunications. D. Broad perspective of the organization and ability to recognize all of the possible consequences of a disaster.
D. Broad perspective of the organization and ability to recognize all of the possible consequences of a disaster. The mix and composition of the disaster recovery team are important because they require appropriate and competent people to develop, test, and maintain the plan.
Which of the following controls acts both as a preventive measure and a recovery measure? A. Visitor logs B. Passwords C. Backups D. Contingency plans
D. Contingency plans Contingency plans have a dual purpose in that they function as both preventive and recovery controls. Developing a contingency plan and testing the plan acts as a preventive control while restoring damaged or lost files is a recovery control.
An organization is concerned about the number of users using application software at any given time. At present, management does not have an accurate estimate of how many users use an application system. What is the MOST effective method to help restrict the number of licenses required for the application? A. Request external auditors to scan for unnecessary software licenses. B. Conduct periodic internal audits to identify unneeded software licenses. C. Communicate to all business unit heads that only authorized staff should use the software. D. Implement metering software on the local area network (LAN).
D. Implement metering software on the local area network (LAN). Metering software monitors applications and therefore is a valuable tool to manage capacity requirements for applications, i.e., to determine how many user licenses need to be purchased for the application. If additional licenses are needed, the software alerts IS management and additional licenses can be purchased accordingly.
Which of the following is MOST appropriate to implement an incremental backup scheme? A. Online cloud media are preferred. B. A random selection of backup sets is required. C. Reduced recovery time for critical data D. Limited media capacity
D. Limited media capacity An incremental backup focuses only on backing up data sets (files and folders) that have changed since the last incremental or full backup, therefore minimizing media storage.
Alex, an IS auditor, is reviewing the patch management process at an organization. Which of the following is the BEST procedure for Alex to validate that the latest vendor security patches are installed on all production servers? A. Validate that automatic updates are pushed to production servers. B. Select a sample of servers and ensure that the latest patches are installed. C. Obtain and review the change management tickets for critical production servers. D. Scan the production servers using an automated tool.
D. Scan the production servers using an automated tool.
Which of the following is most critical for disaster recovery planning? A. The location and security of user data B. Detail steps for noncritical systems C. A hot site with the mainframe equipment D. The safety of employees
D. The safety of employees
What does RPO mean
Recovery Point Objective defined level of recovery determined based on the acceptable data loss in case of interruption of operations. The RPO designates the earliest point in time that it is acceptable to recover the data.
Which of the following reports should IS management use to manage network-connected equipment resources? a. Utilization reports b. Asset management reports c. Availability reports d. Hardware error reports
a. Utilization reports
During an audit of the payroll department, Candace, an IS auditor, is notified of a verbal agreement between the IT and payroll departments for the level of IT services expected. What should Candace do FIRST? a. Validate the agreement's content with both departments. b. Put the audit on hold until the agreement is documented. c. Create a service-level agreement (SLA) for both of the departments. d. Report the absence of a documented agreement to senior management.
a. Validate the agreement's content with both departments.
Which of the following is the most important objective of disaster recovery planning? a. Establishing temporary business operations b. Restoring business services c. Minimizing the impact of a disaster d. Preventing business operation interruption
b. Restoring business services
Jennifer, an IS auditor, is reviewing a hardware maintenance program. Which of the following should Jennifer assess? a. Whether it follows historical trends b. Approval of the IT steering committee c. Conformity with vendor maintenance specifications d. The schedule of all unplanned maintenance
c. Conformity with vendor maintenance specifications Although maintenance requirements vary based on complexity and performance workloads, a hardware maintenance schedule should be validated against vendor-provided specifications.
IT recently installed a vendor patch that caused a critical application to crash, resulting in significant downtime. What should the IS auditor do to reduce the likelihood of this happening again? a. Test the patch before deploying it into production. b. Install the patch as per the vendor instructions. c. Obtain and review the organization's change management policy. d. Approve the patch after a thorough risk assessment.
c. Obtain and review the organization's change management policy
Which of the following is the FIRST step in incident management? a. Creating the incident record b. Incident analysis c. Reporting an incident d. Assigning severity levels
c. Reporting an incident first step in incident management is reporting an incident. The user first reports a problem to the help desk, which initiates the next steps in the incident management process.
Which of the following statements is TRUE about system interfaces? a. System interfaces move data with significant human interaction. b. System interfaces move data input from one application to another. c. System interfaces move data output from one application to another. d. None of the answer choices are correct.
c. System interfaces move data output from one application to another. There is minimal human interaction
When should a hot site be considered as a recovery strategy? A. The maximum tolerable downtime is long. b. The recovery time objective is high. c. The recovery point objective is high. d. The disaster downtime tolerance is low.
d. The disaster downtime tolerance is low. The hot site should be considered and implemented when the business acceptance of the nonavailability of IT facilities is low.
What does RTO mean?
recovery time objective (RTO) is determined based on the acceptable downtime or target time in case of a disruption of business operations and systems. The RTO indicates the earliest point in time that business operations and IT systems should recover and resume after a disaster. RTOs are measured when the business resumes use, not when IT restores systems.
What does SDO mean?
service delivery objective (SDO) is the level of services to be reached during the alternate process mode until the original/normal situation is restored. SDO is related to business needs.
An organization's IT department is concerned that unauthorized software from the mirroring server will be copied to the production server. Which of the following controls can MOST effectively minimize this risk? A. Review the version control system. B. Review the access log of the mirroring server. C. Ensure developers cannot access the mirroring server. D. Manually move the software from the mirroring server to the production server.
A. Review the version control system. Explanation: The (VCS) Version Control System includes an audit trail allowing management to track changes made to the source code. The VCS provides control over source code and ensures that only authorized staff from the development team can access the source code. IT should review the VCS regularly to identify which software versions were deployed to production.
Which of the following disaster recovery planning tools is most effective to protect an organization against the failure of a critical software vendor to provide appropriate support for its products? A. Differential backups B. An escrow agreement C. Business impact analysis D. Incremental backups
B. An escrow agreement
Which of the following computer backup alternative sites is the least expensive method and the most difficult to test? A. Warm site B. Cold site C. Mobile hot site D. Service bureaus
B. Cold site A cold site is an empty shell facility with basic infrastructure. It includes data communication systems, security systems, air conditioning, humidity controls, raised floors, storage and office space, and electrical power. In the event of a disaster, the computer vendor delivers the required hardware and equipment to the empty shell facility. Usually, empty shell facilities also provide offsite storage of computer files (programs and data), documentation, supplies, source documents, and input forms. The cold site is the least expensive method of backup site but the most difficult and expensive to test.
Which of the following file backup strategies is preferred when an efficient and continuous availability is required? A. Differential B. Incremental C. Full D. Grandfather-father-son
B. Incremental
Which of the following is the correct sequence of events when surviving a disaster? A. Respond, plan, test, recover, and continue B. Plan, test, respond, recover, and continue C. Respond, recover, plan, continue, and test D. Plan, respond, recover, test, and continue
B. Plan, test, respond, recover, and continue
An IS auditor is reviewing the patch management process at a small start-up organization. Which of the following is the LEAST concern for the IS auditor? A. A patch management policy is not formally documented. B. Risk assessment is not performed before patch installation. C. Critical vendor patches are applied without testing. D. IT trainees are responsible for testing and installing patches.
B. Risk assessment is not performed before patch installation.
Which of the following is the MOST critical factor for an effective business continuity plan (BCP)? A. The document is distributed to all relevant stakeholders. B. Internal audit department review C. Planning involves all business representatives. D. Senior management approval
C. Planning involves all business representatives.
Which of the following helps the organization determine the maximum acceptable downtime possible for processes and applications? A. Disaster recovery plan B. Risk assessment C. Business continuity plan D. Business impact assessment
D. Business impact assessment (BIA) The results of the BIA provide the organization with quantitative measures (e.g., maximum tolerable downtime (MTD)) and parameters that enable the business to prioritize the commitment of business continuity resources to the risk exposures encountering the overall organization.
Term: What type of interface involves two organizations (partners) continuously exchanging data back and forth between their systems regularly.
Partner-Partner
Term: What type of interface transfers can be as simple as sending an email communication. Person-to-person transfers are typically more challenging to capture, secure, and control.
Person-Person