Integrating Incident Response with Business Continuity
C is the correct answer. Justification: Although the current recovery facility cannot satisfy the maximum tolerable outage (MTO), that does not change the MTO. The organization should document an inability to meet the MTO and continue developing a new facility that will satisfy the objective. The recovery point objective (RPO) is not affected by the stated deficiencies in the current recovery facility. The service delivery objective (SDO) reflects a commitment to internal customers to meet certain performance standards. To be realistic, the objective must be changed to reflect the operating capabilities of the current recovery facility. The MTO must be at least as great as the allowable interruption window (AIW). Therefore, it is possible that exceeding the MTO will result in not being able to meet the AIW, which will result in unacceptable damage to the organization. However, as with the MTO, the inability to meet the AIW does not make the associated damage acceptable, so changing the AIW would not be appropriate.
An organization decides its old recovery facility is no longer adequate because it is not capable of operation for an extended period. The organization decides to build a new facility in another location that would address the major shortcomings of the old site and provide more space for possible future expansion. Until the new facility is completed, which of the following objectives for recovery will have to be changed?
A. Maximum tolerable outage
B. Recovery point objective
C. Service delivery objective
D. Allowable interruption window
A is the correct answer. Justification: A business impact analysis (BIA) ensures that operations are prioritized correctly for recovery in case of a disaster. An organization risk assessment would not support prioritization of system recovery. A business process map would not support prioritization of system recovery. A threat statement would not support prioritization of system recovery.
An organization's chief information security officer would like to ensure that operations are prioritized correctly for recovery in case of a disaster. Which of the following would be the BEST to use?
A. A business impact analysis
B. An organization risk assessment
C. A business process map
D. A threat statement
A is the correct answer. Justification: A periodic business impact analysis (BIA) can help compensate for changes in the needs of the business for recovery during a disaster. Assigning new applications a higher degree of importance and scheduling them for recovery first is an incorrect assumption regarding the automatic importance of a new program. Developing a help desk ticket process that allows departments to request recovery of software during a disaster is not an appropriate recovery procedure because it allows individual business units to make unilateral decisions without consideration of broader implications. The risk assessment may not include the BIA.
During a business continuity plan test, one department discovered that its new software application was not going to be restored soon enough to meet the needs of the business. This situation can be avoided in the future by:
A. conducting a periodic and event-driven business impact analysis to determine the needs of the business during a recovery.
B. assigning new applications a higher degree of importance and scheduling them for recovery first.
C. developing a help-desk ticket process that allows departments to request recovery of software during a disaster.
D. conducting a thorough risk assessment prior to purchasing the software.
D is the correct answer. Justification: Proximity to hazards is not a primary consideration in conducting a business impact analysis. Proximity to hazards is not a primary consideration in conducting a table-top business continuity test. Proximity to hazards is not a primary consideration in developing disaster recovery metrics. Proximity to the primary site, the scope of potential hazards, and their possible impact on the recovery site are important considerations when selecting the location of a recovery site.
Proximity factors must be considered when:
A. conducting a business impact analysis.
B. conducting a table-top business continuity test.
C. developing disaster recovery metrics.
D. selecting an alternate recovery site.
A is the correct answer. Justification: The recovery point objective (RPO) is determined based on the acceptable data loss in the case of disruption of operations. RPOs effectively quantify the permissible amount of data loss in the case of interruption. RPO cannot be used to determine allowable downtime. RPO does not set the baseline for operational resiliency. RPO will determine the required frequency and type of backup. The shorter the RPO, the more frequent the backups.
Recovery point objectives can be used to determine which of the following?
A. Maximum tolerable period of data loss
B. Maximum tolerable downtime
C. Baseline for operational resiliency
D. Time to restore backups
A is the correct answer. Justification: The main variable affecting the ability to operate in the recovery site is adequate resource availability such as diesel fuel to operate generators. Although resources would be taken into account during initial calculation of the maximum tolerable outage (MTO), circumstances associated with disaster recovery frequently have unexpected impacts on availability of resources. As a result, the expectations may not be met during real-world events. The operational capabilities of the recovery site would have been predetermined and factored into the MTO. Long haul diversity does not affect MTO. Last mile protection does not affect MTO.
The PRIMARY factor determining maximum tolerable outage is:
A. available resources.
B. operational capabilities.
C. long haul network diversity.
D. last mile protection.
A is the correct answer. Justification: It is important to prevent a disaster that could affect both sites, and ensuring that the primary and offsite facilities are not subject to the same environmental disasters addresses this concern. The distance between sites may be important in cases of widespread disasters; however, this is covered by ensuring that the same environmental disasters do not affect the primary and offsite facilities. The costs are a secondary criterion to selection. A cost-effective media transport service may be a consideration but is not the main concern.
The PRIMARY selection criterion for an offsite media storage facility is:
A. that the primary and offsite facilities not be subject to the same environmental disasters.
B. that the offsite storage facility be in close proximity to the primary site.
C. the overall storage and maintenance costs of the offsite facility.
D. the availability of cost-effective media transportation services.
B is the correct answer. Justification: Disaster declaration is independent of this processing checkpoint. The recovery point objective is the point in the processing flow at which system recovery should occur. This is the predetermined state of the application processing and data used to restore the system and to continue the processing flow. Restoration of the system can occur at a later date. After-image processing can occur at a later date.
The recovery point objective requires which of the following?
A. Disaster declaration
B. Before-image restoration
C. System restoration
D. After-image processing
C is the correct answer. Justification: Disaster declaration occurs at the beginning of this period. Recovery of the backups occurs shortly after the beginning of this period. The recovery time objective (RTO) is based on the amount of time required to restore a system. Return to business as usual processing occurs significantly later than the RTO. RTO is an "objective," and full restoration may or may not coincide with the RTO. RTO can be the minimum acceptable operational level, far short of normal operations.
The recovery time objective is reached at which of the following milestones?
A. Disaster declaration
B. Recovery of the backups
C. Restoration of the system
D. Return to business as usual processing
D is the correct answer. Justification: Senior management should select the most appropriate strategy from the alternatives provided. All recovery strategies have associated costs, including costs of preparing for disruptions and putting them to use in the event of a disruption. The latter can be insured against, but not the former. The best recovery option need not be the least expensive. The selection of strategy depends on criticality of the business process and applications supporting the processes. It need not necessarily cover all applications. A recovery strategy identifies the best way to recover a system in case of disaster and provides guidance based on detailed recovery procedures that can be developed. Different strategies should be developed and all alternatives presented to senior management. Senior management should select the most appropriate strategy from the alternatives provided. The selected strategy should be used for further development of the detailed business continuity plan.
What is the PRIMARY basis for a detailed business continuity plan?
A. Consideration of different alternatives
B. The solution that is least expensive
C. Strategies that cover all applications
D. Strategies validated by senior management
B is the correct answer. Justification: Regulatory requirements may not be consistent with business requirements. The criticality to business should always drive the decision. The financial value of an asset may not correspond to its business value and is irrelevant. While a consideration, IT resource availability is not a primary factor.
What is the PRIMARY consideration when defining recovery time objectives for information assets?
A. Regulatory requirements
B. Business requirements
C. Financial value
D. IT resource availability
C is the correct answer. Justification: The service delivery objective is the required level of functionality that must be supported during the alternate process mode until the normal situation is restored, which is directly related to business needs. The recovery time objective (RTO) is commonly agreed to be the time frame between a disaster and the return to normal or acceptable operations defined by the service level objective. The RTO must be shorter than the AIW. The length of the allowable interruption window (AIW) is defined by business management and determines the acceptable time frame between a disaster and the restoration of critical services/applications. AIW is generally based on the downtime before the organization suffers major financial damage. The technical implementation of the disaster recovery site will be based on this constraint, especially the choice between a mirrored, hot, warm or cold site. Maximum tolerable outage is the amount of time the organization can operate in alternate mode based on various factors such as accessibility and performance levels.
What is the PRIMARY factor that should be taken into consideration when designing the technical solution for a disaster recovery site?
A. Service delivery objective
B. Recovery time objective
C. Allowable interruption window
D. Maximum tolerable outage
B is the correct answer. Justification: The volume of data will be used to determine the capacity of the backup solution. The recovery point objective defines the maximum loss of data acceptable by the business (i.e., age of data to be restored). It will directly determine the basic elements of the backup strategy—frequency of the backups and what kind of backup is the most appropriate (disk-to-disk, on tape, mirroring). The recovery time objective—the time between disaster and return to normal operation—will not have any impact on the backup strategy. The availability to restore backups in a time frame consistent with the interruption window will have to be checked and will influence the strategy (e.g., full backup versus incremental), but this will not be the primary factor.
What is the PRIMARY factor to be taken into account when designing a backup strategy that will be consistent with a disaster recovery strategy?
A. Volume of sensitive data
B. Recovery point objective
C. Recovery time objective
D. Interruption window
C is the correct answer. Justification: The business continuity coordinator will not be able to provide the correct level of detailed knowledge. The information security manager will not have the level of detailed knowledge needed. Business process owners are in the best position to understand the true impact on the business that a system outage would create. IT management would not be able to provide the required level of detailed knowledge.
When performing a business impact analysis, which of the following should calculate the recovery time and cost estimates?
A. Business continuity coordinator
B. Information security manager
C. Business process owners
D. IT management
D is the correct answer. Justification: Recovery time objective (RTO) may only address a part of requirements to ensure end-to-end business operations at the alternate site. Functional delegation may be of secondary importance to assure the process availability at the alternate site. Staff availability is important only to the extent that it impacts process availability at the alternate site. Until end-to-end transaction flow is established, recovery is not complete. Whether or not the RTO has been met is less important than achieving full recovery.
Which of the following choices is MOST important to verify to ensure the availability of key business processes at an alternate site?
A. Recovery time objective
B. Functional delegation matrix
C. Staff availability to the site
D. End-to-end transaction flow
D is the correct answer. Justification: Technical recovery plans are associated with infrastructure disaster recovery. Network redundancy is associated with infrastructure disaster recovery. Equipment needs are associated with infrastructure disaster recovery. Of the choices, only recovery time objectives directly relate to business continuity.
Which of the following is MOST closely associated with a business continuity program?
A. Confirming that detailed technical recovery plans exist
B. Periodically testing network redundancy
C. Updating the hot site equipment configuration every quarter
D. Developing recovery time objectives for critical functions
A is the correct answer. Justification: Location is critical since the recovery site must not be subject to the same disaster as the primary site; cost is then the second main consideration. The cost of losing critical systems is not affected by a buy or build choice. Infrastructure complexity and system sensitivity are the same whether in a third-party facility or not. Criticality is the same regardless of the alternate site choice.
Which of the following is MOST important when deciding whether to build an alternate facility or subscribe to a third-party hot site?
A. Cost to build a redundant processing facility and location
B. Daily cost of losing critical systems and recovery time objectives
C. Infrastructure complexity and system sensitivity
D. Criticality results from the business impact analysis
C is the correct answer. Justification: Quarterly updates do not establish that a plan meets the organization's needs. Automated surveys are a method that could be used during testing but, on their own, are not sufficient. Cross-departmental testing of a plan with varied scenarios is most effective in determining the validity of a business continuity plan (BCP). Face-to-face meetings are a method that could be used during testing but, on their own, are not sufficient.
Which of the following is the MOST effective method to ensure that a business continuity plan (BCP) meets an organization's needs?
A. Require quarterly updating of the BCP.
B. Automate the survey of plan owners to obtain input to the plan.
C. Periodically test the cross-departmental plan with varied scenarios.
D. Conduct face-to-face meetings with management for discussion and analysis.
A is the correct answer. Justification: A business impact analysis (BIA) provides results, such as impact from a security incident and required response times. The BIA is the most critical process for deciding which part of the information system/business process should be given prioritization in case of a security incident. Risk assessment is a very important process for the creation of a business continuity plan. Risk assessment provides information on the likelihood of occurrence of security incidents and assists in the selection of countermeasures but not in the prioritization. A vulnerability assessment provides information regarding the security weaknesses of the system, supporting the risk analysis process. Business process mapping facilitates the creation of the plan by providing mapping guidance on actions after the decision on critical business processes has been made—translating business prioritization to IT prioritization. Business process mapping does not help in making a decision but in implementing a decision.
Which of the following processes is critical for deciding prioritization of actions in a business continuity plan?
A. Business impact analysis
B. Risk assessment
C. Vulnerability assessment
D. Business process mapping
A is the correct answer. Justification: Consistent achievement of recovery time objectives during testing provides the most objective evidence that business continuity plan/disaster recovery plan (BCP/DRP) objectives have been achieved. Objective testing of the BCP/DRP will not serve as a basis for evaluating the alignment of the risk management process in business continuity/disaster recovery planning. If the recovery point objective is inadequate, the objectives of BCPs have not been achieved. Mere valuation and assignment of information assets to owners (according to the BCP/DRP) will not serve as a basis for evaluating the alignment of the risk management process in business continuity/disaster recovery planning.
Which of the following provides the BEST confirmation that the business continuity/disaster recovery plan objectives have been achieved?
A. The recovery time objective was not exceeded during testing
B. Objective testing of the business continuity/disaster recovery plan has been carried out consistently
C. The recovery point objective was proved inadequate by disaster recovery plan testing
D. Information assets have been valued and assigned to owners per the business continuity plan/disaster recovery plan
C is the correct answer. Justification: A hot site is incorrect because it is a site kept fully equipped with processing capabilities and other services by the vendor. A redundant site is incorrect because it is a site equipped and configured exactly like the primary site. A reciprocal arrangement is an agreement that allows two organizations to back up each other during a disaster. This approach sounds desirable, but it has the greatest chance of failure due to problems in keeping agreements and plans up to date and providing adequate processing capacity. A cold site is incorrect because it is a building that has a basic environment such as electrical wiring, air conditioning, flooring, etc., and is ready to receive equipment in order to operate.
Which of the following recovery strategies has the GREATEST chance of failure?
A. Hot site
B. Redundant site
C. Reciprocal arrangement
D. Cold site
A is the correct answer. Justification: The BIA will help determine the recovery time objective and recovery point objective for the enterprise. This information will drive the decision on the requirements for an alternate site. Natural disasters are just one of many factors that an enterprise must consider when it decides whether to pursue an alternate site for disaster recovery. While a benchmark could provide useful information, the decision should be based on a BIA, which considers factors specific to the enterprise. Regulatory requirements are just one of many factors that an enterprise must consider when it decides whether to pursue an alternate site for disaster recovery.
Which of the following should be the PRIMARY basis for making a decision to establish an alternate site for disaster recovery?
A. A business impact analysis, which identifies the requirements for continuous availability of critical business processes
B. Adequate distance between the primary site and the alternate site so that the same disaster does not simultaneously impact both sites
C. A benchmarking analysis of similarly situated enterprises in the same geographic region to demonstrate due diligence
D. Differences between the regulatory requirements applicable at the primary site and those at the alternate site
A is the correct answer. Justification: Recovery time objective is the length of time from the moment of an interruption until the time the process must be functioning at a service level sufficient to limit financial and operational impacts to an acceptable level. Maximum tolerable outage is the maximum time for which an organization can operate in alternate mode. Recovery point objectives relate to the age of the data required for recovery. Service delivery objectives are the levels of service required for acceptable operations.
Which of the following would a security manager establish to determine the target for restoration of normal processing?
A. Recovery time objective
B. Maximum tolerable outage
C. Recovery point objectives
D. Service delivery objectives
B is the correct answer. Justification: It would be inappropriate for a business continuity coordinator to determine the RPO because he/she is not directly responsible for the data or the operation. The recovery point objective (RPO) is the processing checkpoint to which systems are recovered. In addition to data owners, the chief operations officer is the most knowledgeable person to make this decision. It would be inappropriate for the information security manager to determine the RPO because he/she is not directly responsible for the data or the operation. It would be inappropriate for internal audit to determine the RPO because they are not responsible for the data or the operation.
Who would be in the BEST position to determine the recovery point objective for business applications?
A. Business continuity coordinator
B. Chief operations officer
C. Information security manager
D. Internal audit