CISSP-Topic 9, Business Continuity Planning
The environment that must be protected includes all personnel, equipment, data, communication devices, power supply and wiring. The necessary level of protection depends on the value of data, the computer systems, and the company assets within the facility. The value of these items can be determined by what type of analysis? A. Critical-channel analysis B. Critical-route analysis C. Critical-path analysis D. Critical-conduit analysis
Answer: C "The environment that must be protected through physical security controls includes all personnel, equipment, data, communication devices, power supplies, and wiring. The necessary level of protection depends on the value of the data, the computer systems, and the company assets within the facility. The value of these items can be determined by a critical-path analysis, which lists each piece of the infrastructure and what is necessary to keep those pieces healthy and operational."
A Business Impact Analysis (BIA) does not: A. Recommend the appropriate recovery solution B. Determine critical and necessary business functions and their resource dependencies C. Identify critical computer applications and the associated outage tolerance D. Estimate the financial and operation impact of a disruption
Answer: A
Classification of information systems is essential in business continuity planning. Which of the following system types can not be replaced by manual methods? A. Critical System B. Vital System C. Sensitive System D. Non-critical system
Answer: A
Most of unplanned downtime of information systems is attributed to which of the following? A. Hardware failure B. Natural disaster C. Human error D. Software failure
Answer: A
What is a disaster recovery plan for a company's computer system usually focused on? A. Alternative procedures to process transactions B. The probability that a disaster will occur C. Strategic long-range planning D. Availability of compatible equipment at a hot site
Answer: A
What is a hot-site facility? A. A site with pre-installed computers, raised flooring, air conditioning, telecommunications, and networking equipment, and UPS B. A site is which space is reserved with pre-installed wiring and raised floors C. A site with raised flooring, air conditioning, telecommunications, and networking equipment, and UPS D. A site with ready made work space with telecommunications equipment, LANs, PCs, and terminals with work groups
Answer: A
Which of the following focuses on sustaining an organizations business functions during and after a disruption? A. Business continuity plan B. Business recovery plan C. Continuity of operations plan D. Disaster recovery plan
Answer: A
Which of the following is NOT a major element of Business Continuity Planning? A. Creation of a BCP committee B. Business Impact Assessment (BIA) C. Business Continuity Plan Development D. Scope plan initiation
Answer: A
Which of the following is the most important consideration in locating an alternate computing facility during the development of a disaster recovery plan? A. it is unlikely to be affected by the same contingency B. it is close enough to become operation quickly C. is it close enough to serve it's users D. it is convenient to airports and hotels
Answer: A
Which of the following statements pertaining to dealing with the media after a disaster occurred and disturbed the organization's activities is incorrect? A. The CEO should always be the spokesperson for the company during a disaster B. The disaster recovery plan must include how the media is to be handled during the disaster C. The organization's spokesperson should report bad news before the press gets ahold of it through another channel D. An emergency press conference site should be planned ahead
Answer: A
Which of the following steps should be performed first in a business impact analysis (BIA)? A. Identify all business units within the organization B. Evaluate the impact of the disruptive events C. Estimate the Recovery Time Objectives (RTO) D. Evaluate the criticality of business functions
Answer: A
Which of the following steps is NOT one of the four steps of a Business Impact Analysis (BIA)? A. Notifying senior management B. Gathering the needed assessment materials C. Performing the vulnerability assessment D. Analyzing the information compiled
Answer: A "A BIA generally takes the form of these four steps: see book.
The underlying reason for creating a disaster planning and recover strategy is to A. Mitigate risks associated with disaster. B. Enable a business to continue functioning without impact. C. Protect the organization's people, place and processes. D. Minimize financial profile.
Answer: A "Disaster recovery has the goal of minimizing the effects of a disaster and taking the necessary steps to ensure that the resources, personnel, and business processes are able to resume operation in a timely manner."
Which of the following steps should be performed first in a business impact analysis (BIA)? A. Identify all business units within an organization B. Evaluate the impact of disruptive events C. Estimate the Recovery Time Objectives (RTO) D. Evaluate the criticality of business functions
Answer: A "The initial step of the BIA is identifying which business units are critical to continuing an acceptable level of operations."
Which one the following is the primary goal of Business Continuity Planning? A. Sustain the organization. B. Recover from a major data center outage. C. Test the ability to prevent major outages. D. Satisfy audit requirements.
Answer: A Simply put, business continuity plans are created to prevent interruptions to normal business activity.
A business continuity plan should list and prioritize the services that need to be brought back after a disaster strikes. Which of the following services is more likely to be of primary concern? A. Marketing/Public Relations B. Data/Telecomm/IS facilities C. IS Operations D. Facilities security
Answer: B
A business continuity plan should list and prioritize the services that need to be brought back after a disaster strikes. Which of the following services is more likely to be of primary concern? A. Marketing/Public relations B. Data/Telecomm/IS facilities C. IS Operations D. Facilities security
Answer: B
A contingency plan should address: A. Potential risks B. Residual risks C. Identified risks D. All of the above
Answer: B
Business Continuity Plan development depends most on: A. Directives of Senior Management B. Business Impact Analysis (BIA) C. Scope and Plan Initiation D. Skills of BCP committee
Answer: B
Failure of a contingency plan is usually: A. A technical failure B. A management failure C. Because of a lack of awareness D. Because of a lack of training
Answer: B
Organizations should not view disaster recovery as which of the following? A. committed expense B. discretionary expense C. enforcement of legal statues D. compliance with regulations
Answer: B
The first step in contingency planning is to perform: A. A hardware backup B. A data backup C. An operating system software backup D. An application software backup
Answer: B
What assesses potential loss that could be caused by a disaster? A. The Business Assessment (BA) B. The Business Impact Analysis (BIA) C. The Risk Assessment (RA) D. The Business Continuity Plan (BCP)
Answer: B
What is not a benefit of Cold Sites? A. No resource contention with other organization B. Quick Recovery C. Geographical location that is not affected by the same disaster D. low cost
Answer: B
What is the most critical piece to disaster recovery and continuity planning? A. Security Policy B. Management Support C. Availability of backup information processing facilities D. Staff training
Answer: B
When preparing a business continuity plan, who of the following is responsible for identifying and prioritizing time-critical systems? A. Executive management staff B. Senior business unit management C. BCP committee D. Functional business units
Answer: B
Which of the following could lead to the conclusion that a disaster recovery plan may not be operational within the timeframe the business needs to recover? A. )The alternate site is a warm site B. Critical recovery priority levels are not defined C. Offsite backups are located away from the alternate site D. The alternate site is located 70 miles away from the primary site
Answer: B
Which of the following is an advantage of the use of hot sites as a backup alternative? A. The costs associated with hot sites are low B. Hot sites can be made ready for operation within a short period of time C. Hot sites can be used for an extended amount of time D. Hot sites do not require that equipment and systems software be compatible with the primary installation being backed up
Answer: B
Which of the following recovery plan test results would be most useful to management? A. elapsed time to perform various activities B. list of successful and unsuccessful activities C. amount of work completed D. description of each activity
Answer: B
Which of the following statement pertaining to the maintenance of an IT contingency plan is incorrect? A. The plan should be reviewed at least once a year for accuracy and completeness B. The Contingency Planning Coordinator should make sure that every employee gets an up-todate copy of the plan C. Strict version control should be maintained D. Copies of the plan should be provided to recovery personnel for storage at home and office
Answer: B
Which primary element of BCP includes carrying out vulnerability analysis? A. Scope and Plan Initiation B. Business Impact Assessment C. Business Continuity Plan Development D. Plan Approval and Implementation
Answer: B
What methodology is commonly used in Business Continuity Program? A. Work Group Recovery B. Business Impact Analysis C. Qualitative Risk Analysis D. Quantitative Risk Analysis
Answer: B A BIA is performed at the beginning of disaster recovery and continuity planning to identify the areas that would suffer the greatest financial or operational loss in the event of a disaster or disruption. It identifies the company's critical systems needed for survival and estimates the outage time that can be tolerated by the company as a result of disaster or disruption.
System reliability s increased by: A. A lower MTBF and a lower MTTR B. A higher MTBF and a lower MTTR C. A lower MTBF and a higher MTTR D. A higher MTBF and a higher MTTR
Answer: B One prefers to have a higher MTBF and a lower MTTR. "Each device has a mean time between failure (MTBF) and a mean time to repair (MTTR). The MTBF estimate is used to determine the expected lifetime of a device or when an element within that device is expected to give out. The MTTR value is used to estimate the time it will take to repair the device and get it back into production."
Which of the following is used to help business units understand the impact of a disruptive event? A. A risk analysis B. A Business Impact assessment C. A Vulnerability assessment D. A disaster recovery plan
Answer: B Reference: "The purpose of a BIA is to create a document to be used to help understand what impact a disruptive event would have on the business."
To mitigate the impact of a software vendor going out of business, a company that uses vendor software should require which one of the following? A. Detailed credit investigation prior to acquisition. B. Source code held in escrow. C. Standby contracts with other vendors. D. Substantial penalties for breech of contract.'
Answer: B The original answer was C however this is incorrect for this case. SLA and standby are good ideas but in this case B is right. "A software escrow arrangement is a unique tool used to protect a company against the failure of a software developer to provide adequate support for its products or against the possibility that the developer will go out of business and no technical support will be available for the product....Under a software escrow agreement, the developer provides copies of the application source code to an independent third-party organization. The third party then maintains updated backup copies of the source code in a secure fashion. The agreement between the end user and the developer specifies "trigger events", such as the failure of the developer to meet terms of a service level agreement (SLA) or the liquidation of the developer's firm."
During the course of a Business Impact Analysis (BIA) you will less likely: A. Estimate the financial and operational impact of a disruption B. Identify regulatory exposure C. Determine if functions Recovery Time Objective (RTO) D. Determine the impact upon the organizations market share and corporate image
Answer: C
During the testing of the business continuity plan (BCP), which of the following methods of results analysis provides the BEST assurance that the plan is workable? A. Measurement of accuracy B. Elapsed time for completion of critical tasks C. Quantitatively measuring the results of the test D. Evaluation of the observed test results
Answer: C
Similarity between all recovery plans is: A. They need extensive testing B. They need to be developed by business continuity experts C. They become obsolete quickly D. The create employment opportunities
Answer: C
What are the four domains of communication in the disaster planning and recovery process? A. Plan manual, plan communication, primer for survival, warning and alarms B. Plan communication, primer for survival, escalation, declaration C. Plan manual, warning and alarm, declaration, primer for survival D. Primer for survival, escalation, plan communication, warning and alarm
Answer: C
What is not one of the drawbacks of a hot site? A. Need Security controls, as it usually contain mirror copies of live production data B. Full redundancy in hardware, software, communication lines, and applications lines is very expensive C. The hot sites are available immediately or within maximum allowable downtime (MTD) D. They are administratively resource intensive, as transaction redundancy controls need to be implemented to keep data up-to-date
Answer: C
Which of the following is not a direct benefit of successful Disaster Recovery Planning? A. Maintain Nance of Business Continuity B. Protection of Critical Data C. Increase in IS performance D. Minimized Impact of a disaster
Answer: C
Which of the following will a Business Impact Analysis (BIA) NOT identify? A. Areas that would suffer the greatest financial or operation loss in the event of a disaster B. Systems critical to the survival of the enterprise C. The names of individuals to be contacted during a disaster D. The outage time that can be tolerated by the enterprise as a result of a disaster
Answer: C
Which one of the following is a core infrastructure and service element of Business Continuity Planning (BCP) required to effectively support the business processes of an organization? A. Internal and external support functions. B. The change management process. C. The risk management process. D. Backup and restoration functions.
Answer: C
Who should direct short-term recovery actions immediately following a disaster? A. Chief Information Officer B. Chief Operating Officer C. Disaster Recovery Manager D. Chief Executive Officer
Answer: C
Which of the following are PRIMARY elements that are required when designing a Disaster Recovery Plan (DRP)? A. Back-up procedures, off-site storage, and data recover. B. Steering committee, emergency response team, and reconstruction team. C. Impact assessment, recover strategy, and testing. D. Insurance coverage, alternate site, and manual procedures.
Answer: C The most critical piece to disaster recovery and continuity planning is management support. They must be convinced of its necessity. Therefore, a business case must be made to obtain this support. The business case can include current vulnerabilities, regulatory and legal obligations, current status of recovery plans, and recommendations. Management will mostly concerned with cost/benefit issues, so several preliminary numbers will need to be gathered and potential losses estimated. There are four major elements of the BCP process Scope and Plan Initiation - this phase marks the beginning of the BCP process. IT entails creating the scope and other elements needed to define the parameters of the plan. Business Impact Assessment - A BIA is a process used to help business units understand the impact of a disruptive event. This phase includes the execution of a vulnerability assessment Business Continuity Plan Development - This term refers to using the information collection in the BIA to develop the actual business continuity plan. This process includes the areas of plan implementation, plan testing, and ongoing plan maintenance. Plan Approval and Implementation - This process involves getting the final senior management signoff, creating enterprise-wide awareness of the plan, and implementing a maintenance procedure for updating the plan as needed.
Which of the following teams should not be included in an organization's contingency plan? A. Damage assessment team B. Hardware salvage team C. Tiger team D. Legal affairs team
Answer: C Tiger is an algorithm
Scheduled tests of application contingency plans should be based on the A. Size and complexity of the application. B. Number of changes to the application. C. Criticality of the application. D. Reliability of the application.
Answer: C Time sensitivity and mission criticality in conjunction with budgetary limitations, level of threat and degree of risk will be major factors in the development of recommended strategies. Note: All though not directly answering the question a little inference lead to this "Priorities - It is extremely important to know what is critical versus nice to have... It is necessary to know which department must come online first, which second, and so on...It maybe more necessary to ensure that the database is up and running before working to bring the file server online."
Contracts and agreements are unenforceable in which of the following alternate back facilities? A. hot site B. warm site C. cold site D. reciprocal agreement
Answer: D
Emergency actions are taken at the incipient stage of a disaster with the objectives of preventing injuries or loss of life and of: A. determining the extent of property damage B. protecting evidence C. preventing looting and further damage D. mitigating the damage to avoid the need for recovery
Answer: D
Prior to a live disaster test, which of the following is most important? A. Restore all files in preparation for the test B. Document expected findings C. Arrange physical security for the test site D. Conduct a successful structured walk-through
Answer: D
What is the MAIN purpose of periodically testing off-site hardware backup facilities? A. To eliminate the need to develop detailed contingency plans B. To ensure that program and system documentation remains current C. To ensure the integrity of the data in the database D. To ensure the continued compatibility of the contingency facilities
Answer: D
Which disaster recovery plan test involves functional representatives meeting to review the plan in detail? A. Simulation test B. Checklist test C. Parallel test D. Structured walkthrough test
Answer: D
Which is not one of the primary goals of BIA? A. Criticality Prioritization B. Down time estimation C. Determining requirements for critical business functions D. Deciding on various test to be performed to validate Business Continuity Plan
Answer: D
Which of the following alternative business recovery strategies would be LEAST appropriate in a large database and on-line communications network environment where the critical business continuity period is 7 days? A. Hot site B. Warm site C. Duplicate information processing facilities D. Reciprocal agreement
Answer: D
Which of the following computer recovery sites is the least expensive and the most difficulty to test? A. non-mobile hot site B. mobile hot site C. warm site D. cold site
Answer: D
Which of the following server contingency solutions offers the highest availability? A. System backups B. Electronic vaulting/remote journaling C. Redundant arrays of independent disks (RAID) D. Load balancing/disk replication
Answer: D
Which of the following statements pertaining to disaster recovery is incorrect? A. A recovery team's primary task is to get the pre-defined critical business functions at the alternate backup processing site. B. A salvage team's task is to ensure that the primary site returns to normal processing conditions C. The disaster recovery plan should include how the company will return from the alternate site to the primary site D. When returning to the primary site, the most critical applications should be brought back first
Answer: D
Which of the following tasks is not usually part of a Business Impact Analysis (BIA)? A. Identify the type and quantity of resources required for recovery B. Identify the critical processes and the dependencies between them C. Identify organizational risks D. Develop a mission statement
Answer: D
What is the PRIMARY reason that reciprocal agreements between independent organizations for backup processing capability are seldom used? A. Lack of successful recoveries using reciprocal agreements. B. Legal liability of the host site in the event that the recovery fails. C. Dissimilar equipment used by disaster recovery organization members. D. Difficulty in enforcing the reciprocal agreement.
Answer: D "Reciprocal agreements are at best a secondary option for disaster protection. The agreements are not enforceable, so there is no guarantee that this facility will really be available to the company in a time of need."
Which one of the following processing alternatives involves a ready-to-use computing facility with telecommunications equipment, but not computers? A. Company-owned hot site B. Commercial hot site C. Cold site D. Warm site
Answer: D "Warm Site - These facilities are usually partially configured with some equipment, but not the actual computers
Which of the following business continuity stages ensures the continuity strategy remains visible? A. Backup, Recover and Restoration B. Testing Strategy Development C. Post Recovery Transition Data Development D. Implementation, Testing and Maintenance
Answer: D Once the strategies have been decided upon, they need to be documented and put into place. This moves the efforts from a purely planning stage to an actual implementation and action phase...The disaster recovery and continuity plan should be tested periodically because an environment continually changes and each time it is tested, more improvements may be uncovered...The plan's maintenance can be incorporated into change management procedures so that any changes in the environment will be sure to be reflected in the plan itself.
Which of the following is less likely to accompany a contingency plan, either within the plan itself or in the form of an appendix? A. Contact information for all personnel B. Vendor contract information, including offsite storage and alternate site C. Equipment ad system requirements lists of hardware, software, firmware, and other resources required to support system operations D. The Business Impact Analysis
Answer: D You use the BIA as a guideline to create the contingency plan.