IS and Comm F - Disaster Recovery and Business Continuity

Question 1

In the annual review of the data center of a nationwide mortgage servicing company, the IA manager was concerned about the data center not having an adequate contingency plan. The audit manager was especially concerned because the data center was located close to a river that occasionally flooded and in the vicinity of a major railroad and a major highway. Mgmt acted on the internal auditor’s recommendation to prepare a contingency plan. The most critical aspect of the plan would be to provide for

Answer 1

continuation of mortgage servicing

Question 2

Risk assessments, recovery plans for data systems, and implementation of safeguards are all components of

Answer 2

a disaster recovery plan

Question 3

The disaster recovery plan for a firm’s data processing function should categorize systems according to their

Answer 3

priority

Question 4

The best evidence that a contingency plan is effective is to have

Answer 4

successful testing of the plan

Question 5

Due to the ever changing nature of LANs, a disaster recovery plan would require

Answer 5

frequent updating

Question 6

Advances in disaster recovery systems has the _____ effect in driving the changes that are currently occurring in the workplace

Answer 6

least

Question 7

Technological changes in the workplace are most affected by advances in

Answer 7

computer technology, computer applications, and computer availability

Question 8

To prevent interruptions in IS operation, _______ and ______ controls are typically included in an organization’s disaster recovery plan

Answer 8

backup and downtime

Question 9

A routine part of an organization’s disaster recover plan should require the ongoing prep of

Answer 9

backup files

Question 10

The mgmt activity ___________ is essential to ensure continuity of operations in the event a disaster or catastrophe impairs IS processing

Answer 10

contingency planning

Question 11

Cold site is

Answer 11

a location the provides everything necessary to quickly install computer equipment in the event of a disaster striking an organization

Question 12

Hot site is

Answer 12

a completely operational data processing facility configured to meet the user’s requirements that can be made available to a disaster-stricken organization on short notice

Question 13

Closed loop verification is

Answer 13

a mechanism whereby one party verifies the purported identify of another party by requiring them to supply a copy of a token transmitted to that identity

Question 14

Authentication validation is

Answer 14

a process of ensuring that proper parties are allowed to access the system

Question 15

Segregation of control testing is

Answer 15

a policy to prevent individuals from accessing software or data without the collusion of another party

Question 16

A company switches all processing to an alternate site and staff members report to the alternate site to verify that they are able to connect to all major systems and perform all core business processes from the alternate site. This is an example of

Answer 16

disaster recovery planning

Question 17

The performance audit report of an IT department indicated that the dept lacked a DRP. The first step mgmt should take is

Answer 17

prepare a stmt of responsibilities for tasks included in a DRP

Question 18

Fraud detection in a computer environment could be detected by

Answer 18

reviewing system access logs

Question 19

Fraud prevention in a computer environment can be carried out by

Answer 19

data encryption and fraud-awareness training

Question 20

Validity checks are

Answer 20

a way to ensure data entry input is correct

Question 21

When an IT director collects the names and locations of key vendors, current hardware configuration, names of team members, an an alternative processing location, he is most likely preparing

Answer 21

a disaster recovery plan (DRP)

Question 22

The best approach to avoid having a data center identified as a terrorist target is to

Answer 22

establish and maintain as low a profile as possible for the data center

Question 23

An example of a procedure most likely to be included in a DRP is

Answer 23

to store duplicate copies of files in a location away from the computer center

Question 24

Disaster plans must include all of the following factors:

Answer 24

• backup for programs and data
• alternative processing site
• off-site storage of backup
• identification of critical apps
• method for testing the plan

Question 25

When a company decentralizes operations from HQ but doesn’t update their contingency plan that was in place prior to the decentralization, then the plan is likely to be out of date because of

Answer 25

changes in equipment, data, and software

Question 26

An adequate DRP includes:

Answer 26

• regular testing with a simulated disaster
• a plan coordinator responsible for implementing the plan
• specific assignments for individuals and teams
• constant revision and improvement

Question 27

A total interruption of processing throughout a distributed IT system can be minimized through the use of

Answer 27

fail-soft protection

Question 28

Fail-soft protection is

Answer 28

the capability to continue processing at all sites except a nonfunctioning one

Question 29

A copy of the accounting system data backup of year-end information should be stored at

Answer 29

a secure off-site location

Question 30

A well developed DRP includes provisions for

Answer 30

minimizing disruptions and loss from a disaster as well as providing insurance to replace equipment and compensate for business interruptions

Question 31

The DRP for an IT department should include

Answer 31

identification of critical applications

Question 32

A DRP needs to include:

Answer 32

• recovery priorities
• insurance
• specific assignments for EE and depts
• backup facilities
• periodic testing of the recovery plan
• complete documentation of recovery plan (stored off site)

Question 33

Each day after all processing is finished a bank performs a backup of its online deposit files and retains it for seven days. Copies of each day’s transaction files are not retained. This approach is

Answer 33

risky, in that restoring from the most recent backup file would omit subsequent transactions

Question 34

Threat is

Answer 34

any event that could damage or harm an IS

Question 35

Exposure is

Answer 35

the potential dollar loss that could result should a threat occur

Question 36

Risk is

Answer 36

the likelihood of probability that a threat will actually occur

Question 37

A nationwide mortgage servicing company is located near a river. Even through floodwaters might not reach the data center, being located adjacent to a river is associated with the risk that in the event of a significant flood

Answer 37

EE might be unable to report to work

Question 38

With respect to backup procedures for master files that are magnetic tape as opposed to master files on magnetic disk:

Answer 38

a separate backup run is required for disk while the prior master on magnetic tape serves as a backup

Question 39

Reciprocal processing agreement is

Answer 39

whereby each party agrees to allow another to use its site, facilities, resources, etc. after a disaster

Question 40

A reciprocal processing agreement is least likely to be used in

Answer 40

online teleprocessing facilities

Question 41

A reciprocal processing agreement is most often to be used for

Answer 41

small systems, large batch operations, and small batch operations

Question 42

Good planning will help an organization restore computer operations after a processing outage. Good recovery planning should ensure that

Answer 42

backup/restart procedures have been built into job streams and programs

Question 43

A disaster recovery alternate site configured to meet user data processing requirements, including the appropriate hardware, is called

Answer 43

a hot site

Question 44

A hot site is _______ than a cold site

Answer 44

more costly

Question 45

A disaster recovery alternate site that includes power, a/c, and support systems but does not have computers installed is called

Answer 45

a cold site

Question 46

Cold site users

Answer 46

rely on their computer vendors for prompt delivery of equipment and software if an emergency occurs

Question 47

A crucial aspect of recovery planning for the company is ensuring that _______ and _______ are incorporated in the plans because such changes have the potential to make the recovery plans inapplicable

Answer 47

organization and operational changes

Question 48

A data and program backup procedure in which files are electronically transferred to a remote location is

Answer 48

electronic vaulting

Question 49

A company’s mgmt is aware that is cannot foresee every contingency even with the best planning. Mgmt believes that a more thorough recovery plan increases the ability to resume operations quickly after an interruption and thus to

Answer 49

fulfill its obligations to customers

Question 50

Warm site is

Answer 50

a data processing facility with the equipment to meet the user’s requirements that is not currently operational

Question 51

A _____ site has been identified and maintained by the organization as a data processing disaster recovery site but has not been stocked with equipment

Answer 51

cold

Question 52

A company has significant e-commerce presence and self-hosts its website. to assure continuity in the event of a natural disaster, the firm should adopt the

Answer 52

establishment of an off-site mirrored web server

Question 53

An organization can have an arrangement with its computer hardware vendor to have a fully operational facility available that is configured to the user’s specific needs. This is best known as

Answer 53

a hot site

Question 54

After a fire destroys the corporate HQ and largest manufacturing site, plans for _______ would help the organization ensure a timely recovery

Answer 54

business continuity

Question 55

An effective DRP should address

Answer 55

damages, losses, and disruptions

Question 56

______ is necessary to determine what would constitute a disaster for an organization

Answer 56

Risk analysis

Question 57

Contingency planning strategies to react to a disaster include

Answer 57

• system backup analysis
• vendor supply agreement analysis
• contingent facility contract analysis

Question 58

Companies face the following types of threats:

Answer 58

• strategic
• operating
• financial
• information

Question 59

Strategic threat is

Answer 59

doing the wrong things

Question 60

Operating threat is

Answer 60

doing the rights things but in the wrong way

Question 61

Financial threat is

Answer 61

the loss, waste, or theft or financial resources or incurring inappropriate liabilities

Question 62

Information threat is

Answer 62

incorrect input data, faulty or irrelevant stored info, an unreliable system, and incorrect or misleading reports

Question 63

A hot site is best described by a

Answer 63

location that is equipped with a redundant hardware and software configuration

Question 64

Objectives of disaster recovery do not include

Answer 64

performing regular preventive maintenance on key system components

Question 65

Greater reliance of mgmt on IS increases the exposure to

Answer 65

business interruption

Question 66

A large property insurance company has regional centers that customers call to report claims. Although the regional centers are not located in areas known to be prone to natural disasters, the company needs a disaster recovery plan that would restore call answering capacity in the event of a disaster or other extended loss of service. The best plan for restoring capacity in the event of a disaster would be to reroute call traffic to:

Answer 66

non-affected regional centers