CISSP (Chapter 8 - Business Continuity and Disaster Recovery)

Question 1

What action should take place to restore a system and its data files after a system failure?
A. Restore from storage media backup.
B. Perform a parallel test.
C. Implement recovery procedures.
D. Perform a walk-through test.

Answer 1

C. In this and similar situations, recovery procedures should be followed, which most likely include recovering data from the backup media. Recovery procedures could include proper steps for rebuilding a system from the beginning, applying the necessary patches and configurations, and ensuring that what needs to take place to ensure productivity is not affected. Some type of redundant system may need to be put into place.

Question 2

What is one of the first steps in developing a business continuity plan?
A. Identify a backup solution.
B. Perform a simulation test.
C. Perform a business impact analysis.
D. Develop a business resumption plan.

Answer 2

C. A business impact analysis includes identifying critical systems and functions of a company and interviewing representatives from each department. Once management’s support is solidified, a business impact analysis needs to be performed to identify the threats the company faces and the potential costs of these threats.

Question 3

How often should a business continuity plan be tested?
A. At least every ten years
B. Only when the infrastructure or environment changes
C. At least every two years
D. Whenever there are significant changes in the organization and annually

Answer 3

D. The plans should be tested if there have been substantial changes to the company or the environment. They should also be tested at least once a year.

Question 4

During a recovery procedure test, one important step is to maintain records of important events that happen during the test. What other step is just as important?
A. Schedule another test to address issues that were identified during that procedure.
B. Make sure someone is prepared to talk to the media with the appropriate responses.
C. Report the events to management.
D. Identify essential business functions.

Answer 4

C. When recovery procedures are carried out, the outcome of those procedures should be reported to the individuals who are responsible for this type of activity, which is usually some level of management. If the procedures worked properly, management should know it, and if problems were encountered, management should definitely be made aware of them. Members of management are the ones who are responsible overall for fixing the recovery system and will be the ones to delegate this work and provide the necessary funding and resources.

Question 5

Which of the following actions is least important when quantifying risks associated with a potential disaster?

A. Gathering information from agencies that report the probability of certain natural disasters taking place in that area
B. Identifying the company’s key functions and business requirements
C. Identifying critical systems that support the company’s operations
D. Estimating the potential loss and impact the company would face based on how long the outage lasted

Answer 5

A. The question asked you about quantifying the risks, which means to calculate the potential business impact of specific disasters. The core components of a business impact analysis are
• Identifying the company’s key functions and business requirements
• Identifying critical systems that support the company’s operations
• Estimating the potential loss and impact the company would face based on how long the outage lasted
Gathering information from agencies that report the probability of certain natural disasters taking place in that area is an important piece in determining the probability of these threats, but it is considered least necessary when quantifying the potential damage that could be experienced.

Question 6

The purpose of initiating emergency procedures right after a disaster takes place is to prevent loss of life and injuries, and to _______________.
A. Secure the area to ensure that no looting or fraud takes place
B. Mitigate further damage
C. Protect evidence and clues
D. Investigate the extent of the damages

Answer 6

B. The main goal of disaster recovery and business continuity plans is to mitigate all risks that could be experienced by a company. Emergency procedures first need to be carried out to protect human life, and then other procedures need to be executed to reduce the damage from further threats.

Question 7

Which of the following is the best way to ensure that the company’s backup tapes can be restored and used at a warm site?
A. Retrieve the tapes from the offsite facility, and verify that the equipment at the original site can read them.
B. Ask the offsite vendor to test them, and label the ones that were properly read.
C. Test them on the vendor’s machine, which won’t be used during an emergency.
D. Inventory each tape kept at the vendor’s site twice a month.

Answer 7

A. A warm site is a facility that will not be fully equipped with the company’s main systems. The goal of using a warm site is that, if a disaster takes place, the company will bring its systems with it to the warm site. If the company cannot bring the systems with it because they are damaged, the company must purchase new systems that are exactly like the original systems. So, to properly test backups, the company needs to test them by recovering the data on its original systems at its main site.

Question 8

Which best describes a hot-site facility versus a warm- or cold-site facility?
A. A site that has disk drives, controllers, and tape drives
B. A site that has all necessary PCs, servers, and telecommunications
C. A site that has wiring, central air-conditioning, and raised flooring
D. A mobile site that can be brought to the company’s parking lot

Answer 8

B. A hot site is a facility that is fully equipped and properly configured so that it can be up and running within hours to get a company back into production. Answer B gives the best definition of a fully functionally environment.

Question 9

Which is the best description of remote journaling?
A. Backing up bulk data to an offsite facility
B. Backing up transaction logs to an offsite facility
C. Capturing and saving transactions to two mirrored servers in-house
D. Capturing and saving transactions to different media types

Answer 9

B. Remote journaling is a technology used to transmit data to an offsite facility, but this usually only includes moving the journal or transaction
logs to the offsite facility, not the actual files.

Question 10

Which of the following is something that should be required of an offsite backup facility that stores backed-up media for companies?
A. The facility should be within 10 to 15 minutes of the original facility to ensure easy access.
B. The facility should contain all necessary PCs and servers and should have raised flooring.
C. The facility should be protected by an armed guard.
D. The facility should protect against unauthorized access and entry.

Answer 10

D. This question addresses a facility that is used to store backed-up data; it is not talking about an offsite facility used for disaster recovery purposes. The facility should not be only 10 to 15 minutes away, because some types of disasters could destroy both the company’s main facility and this facility if they are that close together, in which case the company would lose all of its information. The facility should have the same security standards as the company’s security, including protection against unauthorized access.

Question 11

Which item will a business impact analysis not identify?
A. Whether the company is best suited for a parallel or full-interrupt test
B. What areas would suffer the greatest operational and financial loss in the event of a particular disaster or disruption
C. What systems are critical for the company and must be highly protected
D. What amount of outage time a company can endure before it is permanently crippled

Answer 11

A. All the other answers address the main components of a business impact analysis. Determining the best type of exercise or drill to carry out is not covered under this type of analysis

Question 12

Which areas of a company are recovery plans recommended for?
A. The most important operational and financial areas
B. The areas that house the critical systems
C. All areas
D. The areas that the company cannot survive without

Answer 12

C. It is best if every department within the company has its own contingency plan and procedures in place. These individual plans would “roll up” into the overall enterprise BCP.

Question 13

Who has the final approval of the business continuity plan?
A. The planning committee
B. Each representative of each department
C. Management
D. External authority

Answer 13

C. Management really has the final approval over everything within a company, including these plans.

Question 14

Which is the proper sequence of steps followed in business continuity management?
A. Project initiation, strategy development, business impact analysis, plan development, implementation, testing, and maintenance
B. Strategy development, project initiation, business impact analysis, plan development, implementation, testing, and maintenance
C. Implementation and testing, project initiation, strategy development, business impact analysis, and plan development
D. Plan development, project initiation, strategy development, business impact analysis, implementation, testing, and maintenance

Answer 14

A. These steps outline the processes that should take place in the correct order from beginning to end in business continuity management.

Question 15

What is the most crucial requirement in developing a business continuity plan?
A. Business impact analysis
B. Implementation, testing, and following through
C. Participation from each and every department
D. Management support

Answer 15

D. Management’s support is the first thing to obtain before putting any real effort into developing these plans. Without management’s support, the effort will not receive the necessary attention, resources, funds, or enforcement.

Question 16

During development, testing, and maintenance of the continuity plan, a high degree of interaction and communications is crucial to the process. Why?
A. This is a regulatory requirement of the process.
B. The more people who talk about it and are involved, the more awareness will increase.
C. This is not crucial to the plan and should not be interactive because it will most likely affect operations.
D. Management will more likely support it.

Answer 16

B. Communication not only spreads awareness of these plans and their contents, but also allows more people to discuss the possible threats and solutions, which may lead to ideas that the original team did not consider.

Question 17

To get proper management support and approval of the plan, a business case must be made. Which of the following is least important to this business case?
A. Regulatory and legal requirements
B. Company vulnerabilities to disasters and disruptions
C. How other companies are dealing with these issues
D. The impact the company can endure if a disaster hits

Answer 17

C. The other three answers are key components when building a business case. Although it is a good idea to investigate and learn about how other companies are dealing with similar issues, it is the least important of the four items listed.

Question 18

Which of the following describes a parallel test?
A. It is performed to ensure that operations performed at the alternate site also give the same results as at the primary site.
B. All departments receive a copy of the disaster recovery plan and walk through it.
C. Representatives from each department come together and go through the test collectively.
D. Normal operations are shut down.

Answer 18

A. In a parallel test, some systems are run at the alternate site, and the results are compared with how processing takes place at the primary site. This is to ensure that the systems work in that area and productivity is not affected. This also extends the previous test and allows the team to walk through the steps of setting up and configuring systems at the offsite facility.

Question 19

Which of the following describes a structured walk-through test?
A. It is performed to ensure that critical systems will run at the alternate site.
B. All departments receive a copy of the disaster recovery plan and walk through it.
C. Representatives from each department come together and review the steps of the test collectively without actually performing those steps.
D. Normal operations are shut down.

Answer 19

C. During a structured walk-through test, functional representatives review the plan to ensure its accuracy and that it correctly and accurately reflects the company’s recovery strategy.

Question 20

When is the emergency actually over for a company?
A. When all people are safe and accounted for
B. When all operations and people are moved back into the
primary site
C. When operations are safely moved to the offsite facility
D. When a civil official declares that all is safe

Answer 20

B. The emergency is not actually over until the company moves back into its primary site. The company is still vulnerable and at risk while it is operating in an altered or crippled state. This state of vulnerability is not over until the company is operating in the way it was prior to the disaster. Of course, this may mean that the primary site has to be totally rebuilt if it was destroyed

Question 21

Which of the following does not describe a reciprocal agreement?
A. The agreement is enforceable.
B. It is a cheap solution.
C. It may be able to be implemented right after a disaster.
D. It could overwhelm a current data processing site.

Answer 21

A. A reciprocal agreement is not enforceable, meaning that the company that agreed to let the damaged company work out of its facility can decide not to allow this to take place. A reciprocal agreement is a better secondary backup option if the original plan falls through.

Question 22

Which of the following describes a cold site?
A. Fully equipped and operational in a few hours
B. Partially equipped with data processing equipment
C. Expensive and fully configured
D. Provides environmental measures but no equipment

Answer 22

D. A cold site only provides environmental measures—wiring, air conditioning, raised floors—basically a shell of a building and no more.

Question 23

Which of the following best describes what a disaster recovery plan
should contain?
A. Hardware, software, people, emergency procedures, recovery procedures
B. People, hardware, offsite facility
C. Software, media interaction, people, hardware, management issues
D. Hardware, emergency procedures, software, identified risk

Answer 23

A. The recovery plan should contain information about how to deal with people, hardware, software, emergency procedures, recovery procedures, facility issues, and supplies.

Question 24

Which of the following is not an advantage of a hot site?
A. Offers many hardware and software choices.
B. Is readily available.
C. Can be up and running in hours.
D. Annual testing is available.

Answer 24

A. Because hot sites are fully equipped, they do not allow for a lot of different hardware and software choices. The subscription service offers basic software and hardware products, and does not usually offer a wide range of proprietary items

Question 25

Disaster recovery plans can stay updated by doing any of the
following except:
A. Making disaster recovery a part of every business decision
B. Making sure it is part of employees’ job descriptions
C. Performing regular drills that use the plan
D. Making copies of the plan and storing them in an offsite facility

Answer 25

D. The plan should be part of normal business activities. A lot of time and resources go into creating disaster recovery plans, after which they are usually stored away and forgotten. They need to be updated continuously as the environment changes to ensure that the company can properly react to any type of disaster or disruption

Question 26

Business continuity planning needs to provide several types of functionalities and protection types for an organization. Which of the following is not one of these items?

i. Provide an immediate and appropriate response to emergency situations
ii. Protect lives and ensure safety
iii. Reduce business conflicts
iv. Resume critical business functions
v. Work with outside vendors during the recovery period
vi. Reduce confusion during a crisis
vii. Ensure survivability of the business
viii. Get “up and running” quickly after a disaster

A. ii, iii, vii
B. ii, iii, v, vi
C. iii
D. i, ii

Answer 26

C. Preplanned procedures allow an organization to

i. Provide an immediate and appropriate response to emergency situations
ii. Protect lives and ensure safety
iii. Reduce business impact
iv. Resume critical business functions
v. Work with outside vendors during the recovery period
vi. Reduce confusion during a crisis
vii. Ensure survivability of the business
viii. Get “up and running” quickly after a disaster

Question 27

Which of the following have incorrect definition mapping when it comes to disaster recovery steps?
i. Develop the continuity planning policy statement. Write a policy that provides the guidance necessary to develop a BCP and that assigns authority to the necessary roles to carry out these tasks.
Chapter 8: Business Continuity and Disaster Recovery
971
ii. Conduct the BIA. Identify critical functions and systems, and allow the organization to prioritize them based on necessity. Identify vulnerabilities and threats, and calculate risks.
iii. Identify preventive controls. Once threats are recognized, identify and implement controls and countermeasures to reduce the organization’s risk level in an economical manner.
iv. Develop recovery strategies. Write procedures and guidelines for how the organization can still stay functional in a crippled state.
v. Develop the contingency plan. Formulate methods to ensure systems and critical functions can be brought online quickly.
vi. Test the plan and conduct training and exercises. Test the plan to identify deficiencies in the BCP, and conduct training to properly prepare individuals on their expected tasks.
vii. Maintain the plan. Put in place steps to ensure the BCP is a living document that is updated regularly.

A. iii, iv, v
B. ii, vii
C. iv, v
D. iii, iv, v

Answer 27

C. The correct disaster recovery steps and their associated definition mappings are laid out as follows:

i. Develop the continuity planning policy statement. Write a policy that provides the guidance necessary to develop a BCP and that assigns authority to the necessary roles to carry out these tasks.
ii. Conduct the BIA. Identify critical functions and systems, and allow the organization to prioritize them based on necessity. Identify vulnerabilities and threats, and calculate risks.
iii. Identify preventive controls. Once threats are recognized, identify and implement controls and countermeasures to reduce the organization’s risk level in an economical manner.
iv. Develop recovery strategies. Formulate methods to ensure systems and critical functions can be brought online quickly.
v. Develop the contingency plan. Write procedures and guidelines for how the organization can still stay functional in a crippled state.
vi. Test the plan and conduct training and exercises. Test the plan to identify deficiencies in the BCP, and conduct training to properly prepare individuals on their expected tasks.
vii. Maintain the plan. Put in place steps to ensure the BCP is a living document that is updated regularly.

Question 28

Sam is a manager who is responsible for overseeing the development and the approval of the business continuity plan. He needs to make sure that his team is creating correct and all-inclusive loss criteria when it comes to potential business impacts. Which of the following is not a negative characteristic or value that is commonly included in the criteria?

i. Loss in reputation and public confidence
ii. Loss of competitive advantages
iii. Decrease in operational expenses
iv. Violations of contract agreements
v. Violations of legal and regulatory requirements
vi. Delayed income costs
vii. Loss in revenue
viii. Loss in productivity

A. i, vii, viii
B. iii, v, vi
C. iii
D. vi

Answer 28

C. Loss criteria must be applied to the individual threats that were identified. The criteria should include at least the following:
• Loss in reputation and public confidence
• Loss of competitive advantages
• Increase in operational expenses
• Violations of contract agreements
• Violations of legal and regulatory requirements
• Delayed income costs
• Loss in revenue
• Loss in productivity

Question 29

Which of the following best describes the relationship between high-availability and disaster recovery techniques and technologies?
A. High-availability technologies and processes are commonly put into place so that if a disaster does take place, either availability of the critical functions continues or the delay of getting them back online and running is low.
B. High availability deals with asynchronous replication and recovery time objective requirements, which increases disaster recovery performance.
C. High availability deals with synchronous replication and recovery point objective requirements, which increases disaster recovery performance.
D. Disaster recovery technologies and processes are put into place to provide high-availability service levels.

Answer 29

A. High availability and disaster recovery are not the same, but they have a relationship. High-availability technologies and processes are commonly put into place so that if a disaster does take place, either availability of the critical functions continues or the delay of getting them back online and running is low.

Question 30

Susan is the new BCM coordinator and needs to identify various preventive and recovery solutions her company should implement for BCP\DRP efforts. She and her team have carried out an impact analysis and found out that the company’s order processing functionality cannot be out of operation for more than 15 hours. She has calculated that the order processing systems and applications must be brought back online within eight hours after a disruption. The analysis efforts have also indicated that the data that are restored cannot be older than five minutes of current real-time data. Which of the following best describes the metrics and their corresponding values that Susan’s team has derived?
A. MTD of the order processing functionality is 15 hours. RPO value is
8 hours. WRT value is 7 hours. RTO value is 5 minutes.
B. MTD of the order processing functionality is 15 hours. RTO value is
8 hours. WRT value is 7 hours. RPO value is 5 minutes.
C. MTD of the order processing functionality is 15 hours. RTO value is
7 hours. WRT value is 8 hours. RPO value is 5 minutes.
D. MTD of the order processing functionality is 8 hours. RTO value is
15 hours. WRT value is 7 hours. RPO value is 5 minutes.

Answer 30

B. The order processing functionality as a whole has to be up and running within 15 hours, which is the maximum tolerable downtime (MTD). The systems and applications have to be up and running in eight hours, which is the Recovery Time Objective (RTO). RTO deals with technology, but we still need processes and people in place to run the technology. Work Recovery Time (WRT) is the remainder of the overall MTD value. RTO usually deals with getting the infrastructure and systems back up and running, and WRT deals with restoring data, testing processes, and then making everything “live” for production purposes. The data that are restored for this function can only
be five minutes old; thus, the Recovery Point Objective (RPO) has the value
of five minutes.