PP6 Validation Flashcards

1
Q

Validation is achieved through a combination of the following three activities:

A
  1. Exercising: A process to train for, test, assess, practise, and improve the business continuity capability of the organization.
  2. Maintenance: A process to ensure that the organization’s business continuity arrangements and plans are kept relevant, up-to-date, and operationally ready to respond.
  3. Review: A process for assessing the suitability, adequacy, and effectiveness of the business continuity programme and identifying opportunities for improvement.
2
Q

Exercising aims to achieve various outcomes, including:

A
  1. Evaluating the organization’s capability to undertake continuity activities and achieve the expected RTOs.
  2. Validating the business continuity solutions and the assumptions on which they are based.
  3. Verifying that documented procedures in the BC plan are relevant, complete, and current.
  4. Verifying the adequacy and practicality of resources that support continuity solutions.
  5. Identifying areas for improvement or missing information.
  6. Validating competency and building confidence in personnel with relevant roles and responsibilities.
  7. Developing teamwork.
  8. Raising awareness of the BC organization as described in PP2.
3
Q

An exercise programme should ensure the desired level of capability by:

A
  1. Rehearsing all plans.
  2. Verifying all business continuity solutions.
  3. Verifying all information contained in plans.
  4. Exercising all relevant personnel (including alternates).
4
Q

The exercise programme should include suitable exercising of the following elements:

A
  1. Technical: Do all required systems and equipment work?
  2. Procedures: Are procedures and plans correct?
  3. Logical: Do procedures work together in a logical manner?
  4. Timeliness: Can procedures achieve the required recovery time objective for each activity?
  5. Administrative: Are procedures manageable?
  6. Personnel: Are most suitable individuals involved and do they have required competencies, skills, authority, and experience? Does everyone know their role and responsibility?
  7. Resources: Are right resources identified in appropriate quantities from known and reliable sources?
  8. Information: Is all necessary information available to implement the plan?
5
Q

An exercise is defined as

A

A process to train for, assess, practice, and improve performance in an organization. (Source: ISO 22301:2012)

6
Q

The following should be considered in the exercising process:

A
  1. Define exercise programme goals, objectives, and scope.
  2. Review past exercises (plans, resources, and activities) to identify areas excluded from previous exercises.
  3. Discuss with top management any perceived areas of weakness and exercising priorities.
  4. Review and assess current risks and threats.
  5. Decide on types of exercise to be undertaken.
  6. Determine a budget for the exercise programme.
  7. Check availability of required personnel, facilities, and other resources.
  8. Create an exercise schedule that includes validating BC arrangements of relevant interested parties.
  9. Submit to top management for approval.
  10. Identify any training requirements for exercise participants or planners, and integrate them into the exercise programme.
7
Q

Five categories of exercises

A
  1. Discussion-based exercises: Simplest to organize and facilitate, least time consuming. Structured events where participants explore relevant issues and walk through plans in a low-pressure environment.
  2. Scenario exercises: Commonly used discussion-based activity, using a relevant scenario with a time frame. Can be a realistic, cost-effective and efficient method.
  3. Simulation exercises: More elaborate and can involve teams at a strategic, tactical, or operational level.
  4. Live exercises: Range from a small-scale rehearsal of one part of a response, for example, an evacuation, to a full-scale rehearsal of the whole organization, potentially involving interested parties in real time.
  5. Test: Defined as “a unique type of exercise, which incorporates an expectation of a pass or fail element within the goal or objectives of the exercise being planned.” (Source: ISO 22301:2012)
8
Q

Outcomes of developing an exercise programme are as follows:

A
  1. A complete exercise programme which defines:
    - The objectives to be achieved.
    - The methods required to achieve the objectives.
    - Defined resource requirements (including budget).
    - Proposed timing, and training requirements.
  2. Improved organizational resilience, with a demonstrable capability to respond to, and recover from, an incident or crisis over time.
9
Q

Examples of measures that can be used during an exercise are as follows:

A
  1. Can the appropriate personnel initiate the alert, invocation, and escalation process?
  2. Can the on-duty manager activate the callout procedure?
  3. Is the incident manager able to call an initial management meeting?
  4. Have response team members demonstrated effective decision-making capabilities?
  5. Have key personnel established and maintained an incident log?
  6. Can a priority system be recovered and restored within the expected recovery time objective?
  7. Can a department resume services from the alternate site using the resources available?
  8. Was the response structure established as defined within the business continuity plan?
  9. Were roles and responsibilities allocated as per the business continuity plan?
  10. Were lines of communication established with interested parties?
10
Q

The following process can be applied to an individual BC exercise:

A
  1. Agree scope, aims, objectives and expected outcome of the exercise.
  2. Identify exercise planning team and team roles.
  3. Plan and design exercise, including setting budget and time frame as well as conducting a risk assessment to identify the risks of impact on business as usual tasks, where appropriate.
  4. Conduct the exercise.
  5. Assess and report outcome and lessons learned, including a debrief with the participants immediately after the exercise.
  6. Follow up to address any issues raised by the exercise and take corrective action as required.
11
Q

Each inject (individual exercise event) should consider the following information:

A
  1. Exercise objective.
  2. Designated event time frame.
  3. Event description.
  4. Delivery method of the inject.
  5. Participants or teams who should receive the inject
  6. Expected responses from the participants or teams, reflecting the business continuity plan, where relevant.
12
Q

Topics for the pre-exercise briefing may include:

A
  1. Exercise aims and objectives.
  2. Roles and responsibilities during the exercise.
  3. Information, communication tools, and technology to be used.
  4. Action in the event of unforeseen circumstances.
  5. Post-exercise activities.
13
Q

Debriefing should:

A
  1. Respect the rights of the individuals.
  2. Value all participants equally.
  3. Acknowledge identified issues but focus on opportunities for enhancement.
  4. Follow-up individual, group or organizational understanding and learning.
14
Q

Ways to obtain information for debrief:

A
  1. Hot debrief: This is held immediately after an exercise, prior to personnel leaving the exercise location.
  2. Formal debrief: This should be held within one week of the exercise taking place and may address wider organizational issues rather than individual or group concerns.
  3. Surveys: These can be issued to obtain feedback from participants. The surveys could contain a rating system that allows respondents to score the effectiveness of the exercise.
  4. Interviews: These should be held within one week of the exercise.
  5. Post-exercise report: The results of the debriefing should be used to prepare a post-exercise report including recommendations for improvement.
15
Q

Outcomes of the exercise development and delivery process are:

A
  1. An exercise plan or brief which outlines the objectives, scope, roles and responsibilities, and approach of how the exercise should be conducted.
  2. Exercise delivery materials and resources required to conduct the exercise.
  3. One or more completed exercises.
  4. A post-exercise report, with recommendations for corrective actions.
16
Q

Outcomes that exercises should seek to achieve include:

A
  1. Confirmation that personnel are familiar with their roles, responsibilities, and authority in response to an incident.
  2. Validation of the technical, logistical, and administrative aspects of the business continuity plan.
  3. Validation of suitability of the continuity infrastructure (command centres, work areas, technology, and telecommunications resources).
  4. Confirmation of the availability of personnel and processes for relocation.
  5. Enhanced awareness of business continuity, crisis management, and emergency response procedures.
  6. An increased awareness of the significance of business continuity.
  7. Ideas for further exercises and scenarios relevant to the organization.
17
Q

Requirements for maintenance activities can be identified using the following:

A
  1. Lessons learned through exercising.
  2. Changes to the organization’s structure, products and services, infrastructure, processes, or activities.
  3. Changes to the environment in which the organization operates.
  4. A review or audit.
  5. A real incident, where lessons learned can be incorporated.
  6. Changes or updates in the business continuity management lifecycle, such as the BIA or continuity solutions.
18
Q

Responsibility for undertaking the planned maintenance process should be given to an individual or team who should:

A
  1. Review what has changed since the last update.
  2. Analyse the impacts of any changes.
  3. Agree changes to be made to specific elements of the BC programme.
  4. Make the agreed changes as required.
  5. Identify and advise interested parties of any changes that have an impact on them.
  6. Assess additional requirements for training, awareness and communications, based on the changes.
  7. Provide training, awareness, and communications as required.
  8. If plans and documents have changed, distribute the new versions as appropriate.
  9. Identify the date for undertaking the next planned maintenance, and schedule the maintenance.
19
Q

The impact of any changes should be analysed by:

A
  1. Reviewing and challenging any assumptions that have been made.
  2. Determining whether any time objectives have changed, for example, MTPDs or RTOs.
  3. Determining the adequacy and availability of external services that might be required, such as asset restoration, recovery sites and subcontracts.
  4. Reviewing the business continuity arrangements of key suppliers.
20
Q

Outcomes of maintenance of the business continuity programme include:

A
  1. A documented, planned maintenance schedule.
  2. Regular progress reports.
  3. Effective and up-to-date policies and procedures.
  4. Up to date documentation.
  5. Distribution to appropriate interested parties.
21
Q

There are six basic types of review:

A
  1. Audit (internal and external): A formal, impartial review process that measures an organization’s business continuity programme against a pre-agreed standard.
  2. Self-assessment: An assessment of organization’s programme by those involved in the management and implementation of the BC programme.
  3. Quality Assurance (QA): A process that ensures that various outputs from the BC programme meet the defined requirements.
  4. Performance appraisal: A review of performance of individuals tasked with roles and responsibilities.
  5. Supplier performance: A review of a key supplier’s BC programme or their recovery services.
  6. Management review: A review by top management of the organization’s BC programme to ensure it aligns with organizational objectives.
22
Q

The following criteria can be considered for assessment to support the review of the organization’s BC programme:

A
  1. Whether the programme is up to date and aligned to the organization’s:
    - Governance structure and strategic objectives.
    - Culture and operating environment.
    - Technology systems (primarily ICT-specific business applications and critical operating systems).
    - Other prioritised resource dependencies (non-ICT specific).
    - BC policy.
  2. Effective use of resources and procedures.
  3. Alignment and integration of BC programme in relation to other organisational response procedures.
  4. Frequency and effectiveness of training and awareness sessions and whether these enhance the overall level of awareness and understanding of BC.
  5. Assessment of the competency of the individuals assigned roles in BC programme (including alternates).
  6. Frequency and effectiveness of exercising and whether it is used to validate the effectiveness of the business continuity programme.
  7. Performance of the personnel who are directly accountable for management of the BC programme.
23
Q

The audit process should include:

A
  1. Developing an audit plan.
  2. Defining the audit scope.
  3. Defining the audit approach.
  4. Reviewing information gathered by the audit activities.
  5. Compiling and summarising interview notes, questionnaires and other information.
  6. Identifying gaps in content and level of information gathered, then conducting follow-up interviews as appropriate.
  7. Obtaining and comparing relevant documentation relating to the BC programme.
  8. Reference to secondary sources, for example, standards, regulations, and legislation, to validate preliminary findings.
  9. Finalising a draft audit report that reflects both the interests of the audit sponsor and the measurements set by external sources, for example, regulatory, legal, and industry standards.
  10. Presenting the draft audit report for discussion and approval with key interested parties, incorporating recommendations as well as audited responses where differences of opinion persist.
  11. Finalising an agreed remedial action plan including time frames to implement the agreed recommendations of the audit report. This should also form a key element of the business continuity programme.
  12. Finalising a monitoring process to ensure that the audit action plan is implemented within the agreed time frame.
24
Q

The BC management audit plan should include identification of:

A
  1. Audit objectives, which in part should be driven and governed, or restricted by, legal or regulatory requirements. This includes key issues of high priority.
  2. Standard audit framework (where appropriate) which is to be used. The audit framework should be governed or restricted by legal or regulatory requirements.
25
Q

Definition of the audit scope should include:

A
  1. Corporate governance, compliance, or other issues to be audited.
  2. Area, department, or site of the organization to be audited.
26
Q

Definition of the audit approach should include:

A
  1. Auditing activities that should be undertaken, for example, questionnaires, face to face interviews, document reviews, and solution reviews.
  2. An activity timetable and due dates.
  3. Identification of the audit evaluation criteria.
  4. Any requirements for specific subject expertise or outsourced service provider assistance to conduct the audit.
27
Q

Outcomes of a business continuity management audit include:

A
  1. Independent BC management audit report.
  2. Remedial action plan that is agreed and approved by top management.
  3. Outcome of an unfavourable performance rating, which should be:
    - Acceptance of plans by management as ‘inadequate’.
    - Initiation of a review conducted by a BC professional to assist the team in improving their position.
28
Q

The self assessment process should include:

A
  1. Identifying objectives or measures for the BC programme against which performance can be assessed.
  2. Reviewing performance against these selected objectives or measures.
  3. Identifying trends in performance.
  4. Highlighting areas for improvement.
  5. Developing action plans to improve these areas.
  6. Producing a self-assessment report.
29
Q

Objectives or measures to be used in self-assessments include:

A
  1. Project milestones for the BC programme.
  2. Percentage of plans maintained by the scheduled date.
  3. Percentage of members on response teams involved in an exercise each year.
  4. Number of lessons learned from exercises still not addressed.
  5. Extent of completion of the BIAs.
30
Q

Outcomes of self-assessment include:

A
  1. Action plan for improvements.
  2. Improvement in BC programme.
  3. Improvement in the organization’s level of resilience.
31
Q

Quality Assurance can be undertaken as a continual process on all outputs, or through
periodic sampling. The process involves:

A
  1. Identifying requirements or expectations.
  2. Comparing output to the requirements or expectations.
  3. Identifying any shortfall in requirements or expectations.
  4. Acting to remedy any shortfall.
32
Q

The organization can use the following questions when comparing BC programme outputs to requirements or expectations and identifying shortfalls:

A
  1. Does a document conform to the document control standards?
  2. Has the plan been verified by its owner?
  3. Does a BIA identify the MTPDs of all prioritised activities?
  4. Have the appropriate details (quantity, time frame, and source) of required resources for continuity and recovery of an activity been identified?
  5. Have the recommended continuity and recovery solutions been agreed by top management?
  6. Does the business continuity plan have an agreed scope signed off by top management?
  7. Have any previous quality assurance reports been reviewed and actions or recommendations addressed?
33
Q

The outcome of Quality Assurance should be:

A

Improvement in the way outputs from the BC programme meet the organization’s requirements and expectations.

34
Q

The performance appraisal process involves:

A
  1. Confirming the individual’s role and responsibilities in the BC programme.
  2. Defining appropriate measures for the role, for example, objectives, measurement targets and standards.
  3. Defining success factors.
  4. Incorporating measures in annual appraisals.
  5. Evaluating and reviewing performance against measures.
  6. Producing performance scores.
  7. Providing a remedial action plan to remedy any shortfall in performance.
35
Q

Performance appraisal measures could include:

A
  1. Number of times scheduled plan maintenance dates were met.
  2. Percentage completion of the BIAs.
  3. Number of exercises undertaken as planned.
  4. Number of plans completed.
  5. Number of outstanding issues resulting from incidents, exercises, and audits.
  6. Expenditure against budget.
36
Q

Outcomes of reviewing supplier performance include:

A
  1. Performance rating against service level agreements.
  2. Understanding of the supplier’s BC programme.
  3. Action plan for improving supplier performance.
  4. Increased readiness and assurance of prioritised supplier activities.
37
Q

Management review should include information relating to the following:

A
  1. Status of actions from previous management reviews.
  2. Changes to the internal and external environment, if relevant to the organization’s BC programme.
  3. Information regarding performance of the programme, including trends in audit findings and corrective actions, results or outcomes from self-assessment, quality assurance, performance appraisals, and supplier performance reviews.
  4. Opportunities for improvements.
  5. Results of exercising.
  6. Risks or issues not adequately addressed in the programme.
  7. Adequacy of the business continuity policy.