Business Continuity


8. Which of the following would be considered an external risk factor? a. Supply chain for goods and services b. Disgruntled employees c. Employee drug screening d. Clean desk policy procedures

a

1. In order for a business continuity awareness and training program to be successful, which element is essential? a. Use of one main motivational technique b. Leadership support and participation c. Funding from each of the partners who benefit d. Use of an outside consultant

b

2. Which of the following statements describe mitigation? a. Reducing risk b. Eliminating the threat c. Eliminating vulnerability d. Removing impact

a

39. The objective of awareness and training programs is to: a. Ensure all employees have the opportunity to participate in all phases of the entity's business continuity program b. Ensure that personnel are able to respond to incidents in a calm and efficient manner c. Recruit team leaders and members for the more specialized training sessions that will ensure the entity can recover from disaster incidents d. Introduce business continuity terms into the entity to lessen confusion during plan development

b

4. A presentation to leadership on recovery strategies should include: a. A variety of options and alternatives to choose b. A report on the strategies to be confirmed by leadership c. A thorough report that covers all possible alternatives d. A report on the strategies you have implemented

b

Business Interruption Insurance

covers loss of income that a business suffers after a disaster

9. Which of the following would be considered a control? a. Loss of access to facilities b. A tornado c. Lack of fire suppression systems d. UPS/generators

d

4. Program audits and plan reviews include: a. An assessment of the awareness training and program b. An assessment of the change control process c. An assessment of the exercise/test program d. An assessment of the business continuity plan documentation e. All of the above

e

escalation

the process by which event related information is communicated upwards through an organization's established chain of command

48. Which of the following plans is best used to provide information to the public through the media? a. Crisis communication plan b. Incident response plan c. Business continuity plan d. Disaster recovery plan

a

49. Who should communicate information to the media during or after a disaster on behalf of the entity? a. A trained spokesperson b. The incident response team leader c. The business continuity professional d. The head of operations

a

1. What is the result of conducting a business impact analysis? a. The identification of the essential functions, processes, operations, their critical dependencies, and gaps b. To gain leadership's approval for the recovery strategies c. The implementation of the technology and workspace needs in a recovery d. The identification of threats from sabotage and/or terrorism and the implementation of controls to eliminate those threats

a

1. When assessing strategies, what is the MOST important element? a. Meeting the RTOs and filling gaps as identified in the BIA b. Comparing the internal and external solutions c. Assessing the risk of each strategy d. The cost effectiveness of the strategy

a

17. Which of the following is an objective of developing business continuity strategies? a. Reduce deficiencies as identified during the risk assessment and business impact analysis processes b. Develop business continuity and disaster recovery plans meeting the requirements of the risk assessment and business impact analysis c. Develop scenarios for business continuity exercises and tests d. Verify critical recovery resources are implemented and functioning properly

a

18. Which of the following would be considered a technology recovery strategy? a. Hot site b. Manual workaround procedures c. Workspace recovery area d. Supplier service level agreements

a

19. What is the purpose of conducting a cost/benefit analysis? a. To compare the cost of the strategy with loss that may occur during an event b. It is required for DRI certification c. Leadership requires this information d. It is a requirement for the budget

a

2. It is the role of the business continuity professional to design exercises/tests that: a. Will bring the most benefit and cause the least disruption to the normal operations b. Will uncover the points of failure to report to audit and leadership c. Assure leadership that the strategies are adequate d. Satisfy the exercise/test requirements of the auditors

a

21. Which gap would you expect to be identified in the business impact analysis? a. Actual recovery capability and recovery time objective b. Business continuity project schedule issues c. Insufficient project staffing d. Underfunded budget for business continuity

a

25. Escalation procedures take place directly after what activity? a. Assessment b. Evacuation c. Declaration d. Shelter-in-place

a

29. Which of the following is an objective of the Business Impact Analysis? a. Ascertain any gaps between the entity's requirements and its ability to deliver against those requirements b. Assess risks to determine the potential impacts to the entity c. Develop cost-effective strategies that enable the entity to effectively recover from disaster incidents d. Document plans to be used during an incident that will enable the entity to continue to function

a

3. What is the objective of tracking program progress? a. To report to leadership on the status of the business continuity program on a regular basis b. To conduct meetings to ensure that all members of the entity share responsibility in the project plan c. To involve all internal personnel in developing and adjusting scope d. To validate that the planning team is sticking to the project plan

a

3. What phrase best describes the reason for establishing recovery time objectives? a. To establish the timeframe in which processes must be restored to prevent an unacceptable impact to the entity b. To determine the level of risk and potential loss that leadership is willing to accept following an event c. To determine the point in time when the entity's EOC must be opened after a disaster is declared d. To determine the point in time in which transactions and data must be recovered after an outage

a

3. Which of the following is NOT an example of a control? a. Utility power b. Generator c. Preventive Maintenance d. Access Control

a

3. Which target audience would benefit the entity most from a presentation on the current state of the awareness and training program? a. Leadership b. Any new employees c. All of the staff d. The line management

a

31. In which section of the business continuity plan should the disaster declaration guidelines be documented? a. Incident response b. Critical key processes c. Overview d. Disaster recovery procedures

a

34. The objective of disaster recovery plans is to: a. Restore technology b. Provide emergency aid c. Provide overall governance for business continuity d. Act as a control mechanism for incident management

a

4. What is the best way to provide for plan distribution and security? a. The plan should be distributed entity-wide to interested parties documented on the plan distribution list b. Leadership should make all distribution decisions c. The plan document should be classified and not distributed d. The plan document should be an open document so that it is readily available during an emergency

a

4. What is the desired result of the business impact analysis presentation to leadership? a. Obtaining leadership's approval for the relative ranking of processes, their RTOs, and resource gaps b. Obtaining leadership's approval for implementing recovery strategies c. Obtaining leadership's approval for implementing additional controls d. Obtaining leadership's approval on reducing the recovery time objective for identified processes

a

4. What should be the initial scope of the business continuity program? a. Entire entity b. IT / information systems c. Financial department d. Critical business units

a

1. What are the primary objectives of conducting a risk assessment? a. Identifying the leadership's responsibilities for protecting the entity from loss and how effective they have been b. To understand the entity's exposure to loss and evaluate the effectiveness of controls and safeguards c. To identify the impact that insufficient backup policies have on the ability to recover operations and technology d. To implement controls and remove the primary risks to the entity

b

1. What is the first step when determining if a disaster should be declared? a. Determining that the duration of impact from the incident is expected to be less than the RTO b. Determining that the duration of the impact from the incident is expected to be greater than the RTO c. Assessing whether the losses from the incident will be more than $1 million d. Assessing whether the losses from the incident will be less than $1 million

b

1. What is the name of the plan used to recover the technology for the entity? a. The crisis management plan b. The disaster recovery plan c. The incident response plan d. The business unit plan

b

1. Who should participate in an exercise/test? a. Those who have not performed well in previous exercises/tests b. Those who have been assigned to participate in the exercise/test c. Only the members of the incident response team d. Those teams which have not identified an alternate leader

b

12. Which of the following is an example of a qualitative impact? a. Loss of sales b. Loss of reputation c. Loss of revenue due to penalties d. Extra expense

b

16. What is the primary purpose of conducting the risk assessment and business impact analysis? a. Establish the organizational structure b. Provide data to be used in determining strategies c. Decrease the chances of problems occurring during an incident d. Ensure employee safety

b

2. In developing awareness and training programs, what must be done first? a. Identify the challenges and motivations to specific behaviors b. Establish objectives of the program c. Determine the business continuity awareness and training needs of the entity d. Overcome any skepticism about the benefits of business continuity

b

2. What is the incident command system? a. A tool used to communicate with the private sector during a disaster b. An organizational structure to manage information, logistics, and communications during an event or emergency c. A system used by the fire services in California to put out wild fires d. A tool used only by the public sector to respond to emergencies in the community such as fires, floods, and natural disasters

b

2. Which of the following is a viable strategy for manufacturing continuity? a. Selecting a viable warm site b. Developing effective surviving site strategy c. Developing work from home procedures d. Identifying strategies that meet RPO requirements

b

2. Which team is responsible for defining the objectives, structure, policies and charter for the business continuity program? a. Functional recovery teams b. Steering committee c. Incident response team d. Damage assessment team

b

27. Which of the following is a protective action that may be an alternative to evacuation? a. Situational notification to personnel b. Establishing procedures for shelter-in-place c. Creating trauma counseling procedures d. Coordinating response activities with incident response providers

b

3. What is a primary purpose of a plan exercise/test? a. To ensure a successful recovery b. To familiarize plan participants with their roles and responsibilities c. To ensure that the plan has been properly exercised/tested d. To identify people who are not familiar with the plan document

b

3. What is the most critical element to the success of the business continuity planning effort? a. The policy statement written by the business continuity professional b. Leadership commitment c. The business impact analysis d. Documenting all changes

b

38. When establishing a business continuity awareness and training program, the professional should: a. Develop custom software to use as the means of communications b. Identify, develop or acquire awareness and training tools and resources c. Create dedicated staff that will oversee all communications d. Create a relationship with media outlets

b

4. Which team provides resources and support to the business continuity program? a. Incident response team b. Steering committee c. Business continuity development team d. Technology recovery team

b

42. A maintenance program for updating the plan must include: a. The software tool that automatically makes the updates b. Procedures that define the frequency of plan updates c. Procedures to facilitate IT signoff on all changes d. The names of the individuals responsible for approving all changes

b

50. The fire department is responsible for: a. Protecting your vital records b. Stabilizing the event and protecting lives c. Listening to leadership's commands d. Cleanup after the fire is extinguished

b

6. Shifting production from one manufacturing site to another is an example of: a. Using excess inventory b. Utilizing excess capacity c. Reducing production output d. Prioritizing customer allocations

b

7. Supply chain interruptions may prevent an entity's ability to do what? a. Keep employees safe b. Deliver goods and services to customers c. Do walk-through testing d. Create emergency response plans

b

1. What information should be presented to leadership about the need for business continuity? a. Mechanisms for exercising and auditing b. The schedule for reporting progress c. Legal and regulatory requirements d. The entity's increasing reliance on technology to conduct operations

c

1. What is the business continuity professional's role in public/private partnerships? a. To work with the local emergency manager to ensure that the entity's evacuation plan is executable b. To work to ensure that all confidential information is kept confidential c. To work with any external agency that may be involved with incidents concerning the entity d. To not interact with the public sector - that is the role of the local incident response personnel

c

11. Which of the following is an objective of a business impact analysis? a. To calculate the probability of disruptions to the entity b. To evaluate the effectiveness of existing controls and safeguards c. To identify and prioritize the recovery of an entity's functions and processes d. To develop preparations and procedures for responding to a disaster

c

13. Which of the following is an example of a quantitative impact? a. Lower level of customer service b. A disruption of quality assurance c. Loss of sales d. Lower employee morale

c

2. What is the name of the plan that includes information about life safety procedures? a. The disaster recovery plan b. The business unit plan c. The incident response plan d. The crisis management plan

c

2. What is the value of a business continuity policy statement? a. It forces middle management to comply with senior directives b. It shows employees how to do their part in the planning process c. It shows leadership's support for the business continuity planning process d. It provides leadership a direction in which to make future decisions

c

2. What phrase best describes the reason for establishing recovery point objectives? a. To establish the time frame in which processes must be restored to prevent an unacceptable impact to the entity b. To determine the level of risk and potential loss that leadership is willing to accept c. To determine the amount of data that will be lost in the event of the data destruction of a storage device d. To obtain a qualitative estimate of the impact of a threat

c

2. When an incident occurs, what is the first response activity that should occur? a. The implementation of damage assessment procedures b. The implementation of disaster declaration procedures c. The notification of key personnel d. Evacuation

c

2. When communicating with the news media, it is most important to: a. Wait until you are contacted by the media to ensure that all of the information is compiled and accurate b. Refrain from speculating c. Tell the truth d. Refrain from discussing "what we do not know" until the facts are known

c

20. Which of the following is a viable option for manufacturing continuity? a. Commercial hot site b. Manual workaround procedures c. Shifting production to another site d. Business recovery center

c

22. Which of the following describes contingent business interruption insurance? a. Insurance that pays for the extra expense of maintaining operations after an accident b. Insurance that provides protection for the loss of profits and continuing fixed expenses resulting from a break in commercial activities c. Insurance that reimburses lost profits and extra expenses resulting from a supply chain interruption d. Insurance in which no risk is transferred to the provider

c

23. Which of the following is an objective of Coordination with External Agencies? a. Develop response procedures for both private and public entities b. During a disaster, assist in the implementation of response and alternate operating strategies for public entities c. Establish policies and procedures to coordinate incident response activities with public entities d. Establish the environment of incident response activities for public entities

c

3. What is NOT a responsibility of the business continuity professional? a. To identify applicable laws and regulations governing incident response b. To identify and coordinate agencies supporting business continuity and disaster recovery c. To communicate with the media and interested parties during a crisis d. To periodically review the public sector response procedures to ensure compliance with continuity

c

3. What is the purpose of the crisis communication plan? a. It manages employee safety procedures b. It manages the awareness planning c. It establishes the structure for managing communications d. It manages the role of leadership in responding to the event

c

3. When evaluating RFP responses, it is important to: a. Focus only on the costs identified b. Select the vendors who respond after the designated date for reply c. Compare the responses by their ability to meet the RTO d. Look primarily at vendors who service only customers in your regional area

c

30. A plan that documents recovery teams, alternative ways to conduct business, communication processes and procedures is called what? a. Risk and vulnerability assessment b. Crisis communications and management plan c. Business continuity plan d. Disaster recovery plan

c

36. Which plan documents declaration procedures to initiate recovery operations at an alternate location? a. Incident management plan b. Crisis management and communication plan c. Recovery site activation plan d. Operational / recovery plan

c

37. What should be the objective of a sustained approach to training and awareness? a. Long-term behavior will change with a short and focused approach b. Job security for the trainer c. Regularly managing the awareness and training program reinforces knowledge and capability d. Change is resisted, training is not

c

4. What is the primary purpose of developing an awareness and training program? a. To tell employees where to find the plan in an emergency b. To hold employees accountable for their part of the plan c. To increase understanding of preparation for and responsiveness to emergencies d. To reduce the risks to the entity during an emergency

c

44. At a minimum, how often should a business continuity plan be updated? a. Once a month as required by regulations b. When leadership directs the update c. Annually d. Once every two years

c

46. After the completion of an exercise/test, documenting which process will provide information for improving the plan? a. Contact lists b. Media activities surrounding the exercise/test c. Lessons learned d. Objectives of the exercise/test

c

5. Articles of incorporation, entity charter and entity accounting records are examples of what? a. Government tax reporting requirements b. Database files that are safe-stored c. Vital records d. Information available to shareholders only

c

5. What needs to occur first in establishing a business continuity program? a. Develop a detailed project plan b. Identify project objectives and risks c. Gain leadership commitment to program d. Establish framework of project

c

1. Which of the following statements is true? a. Conforming to a standard is mandatory b. Complying with a regulation is voluntary c. Auditors do not assess business continuity programs against regulations d. Auditors assess business continuity programs against standards and regulations

d

10. Determining cyber threats to the entity is part of the: a. Business continuity plan b. Disaster recovery plan c. Business impact analysis d. Risk assessment

d

14. Which of the following is NOT a result of conducting a business impact analysis? a. Identifies all essential entity functions and operations and their critical dependencies b. Determines when the exposures and impacts begin and how they escalate over time c. Identifies the technology and workspace needs as well as potential unbudgeted expenses d. Identifies threats from sabotage and/or terrorism and how to reduce those threats using cost-effective controls

d

15. Data gaps occur: a. When the system data is current b. During a data restoration, when the system data has been fully backed up c. In a fully mirrored environment d. When the data backup is not identical to the system data at the time of a system disruption incident

d

24. A single source supplier is: a. The only supplier who can provide a specific product or service b. One of several suppliers who will provide the entity with a given product or service c. An agency that is chartered with helping the entity find the lowest cost provider d. A supplier chosen to be the only provider of a given product or service

d

26. What is the primary purpose of incident response procedures and plans? a. Prevent/limit degradation to critical functions and services b. Assure owners/investors that the entity is stable and all critical functions are recoverable c. Continuation of the mission and objectives of the entity d. Minimize the exposure to loss of life and property

d

28. The emergency operations center provides: a. A site for public agencies to manage the incident b. A location for an evacuation rally point c. A site for stabilizing the incident d. A facility for the crisis management team to provide communications and resource support

d

3. What is the purpose of incident response procedures? a. Limiting the degradation to critical functions and services b. Assuring the shareholders that the entity is stable and that all critical functions are recoverable c. The continuation of the mission and objectives of the entity d. Ensure that incident response is coordinated with outside organizations in a timely and effective manner when appropriate

d

3. Which of the following would be considered an operational recovery plan? a. Crisis management plan b. Evacuation plan c. Shelter-in-place plan d. None of the above

d

32. Which components must be present in order to document the business continuity plan? a. A schedule of tests/exercises for the coming year b. An approved budget c. Audit approval of the document outline d. An approved strategy

d

33. A crisis management and communications plan provides for: a. Immediate notification at the time of an incident b. An orderly transition of authority from one person to the next person in the delegation of authority chain c. Audit approval of the document outline d. Documented procedures for providing information to interested parties throughout the duration of an event

d

35. Plan appendices contain: a. Plan glossary b. Travel directions c. Vendor lists d. All of the above

d

4. What is an objective of performing a risk assessment? a. To eliminate vulnerabilities that can adversely affect an entity's resources b. To remove any potential threats to an entity's operational functions c. To eliminate the impact of the threats to the entity d. To identify risks that can adversely affect an entity's resources

d

4. What is the primary role of external agencies responding to an event? a. To minimize damage and provide security support b. To retrieve vital records from off-site storage c. To coordinate activities between public and private sector entities d. To stabilize the incident and provide for life safety

d

4. What is the role of the business continuity professional in crisis communication? a. To communicate with the media during the event b. To communicate with the internal interested parties during the event c. To advise the planning team on entity communication strategies d. To design, develop, and implement a crisis communications plan

d

40. Presenting the business impact analysis report to leadership concerning restoration of operating functions is designed to: a. Demonstrate project team accomplishments b. Secure additional funding c. Seek strategy advice from leadership d. Ensure that leadership accepts recovery time objective findings

d

41. In order for scenarios to be effective during an exercise/test, they need to: a. Have a single business function focus b. Concentrate only on IT functions c. Be complex enough to make it difficult to solve d. Be realistic enough to engage participants

d

43. Which of the following is an example of a second-party assessment? a. A self-assessment conducted by the business continuity planner b. An assessment conducted by the entity's internal audit group c. A regulatory audit conducted by a government agency d. An assessment conducted by a customer

d

47. A hot site exercise/test would be an example of: a. A strategy employed for manufacturing production exercise/test b. A notification tool exercise/test c. An emergency operations center exercise/test d. An alternate recovery site exercise/test

d

Contingent Business Interruption Insurance

insurance that reimburses lost profits and extra expenses resulting from a supply chain interruption

extra expense insurance

provides funds for reasonable and necessary costs a business may incur if business operations are interrupted

