Domain 8 - Business Continuity and Disaster Recovery Planning Flashcards Preview

Flashcards in Domain 8 - Business Continuity and Disaster Recovery Planning Deck (25):
1

4. The primary audience for the Business Impact Assessment is:

a. All levels of management concerned with continuity of time-critical business processes
b. The auditors
c. IT management
d. All employees

Explanation: Answer a is the correct answer, and is taken from the cited reference. Answer d is partially correct but is too broad in definition; management and selected employees will be in the audience, but not all employees. Answer b is incorrect because the BIA should have nothing to do with satisfying audit criticisms. Answer c is incorrect because it only focuses on one narrow group of management.

2

9. During the recovery plan development of the BCP/DRP development methodology, all activities except this one should be performed:

a. Document recovery planning team roles and responsibilities and assign tasks to specific team members
b. Identify and establish appropriate emergency operation center (EOC) locations
c. Define specific activities and tasks for the recovery of time-critical components for the operations under consideration
d. Perform a risk management review or assessment/analysis

Explanation: Answer d is the most correct answer, meaning that during this phase of the methodology, risk assessment should not be performed, as it should have been done long before this. The other answers include activities that should take place during this phase.

3

13. Overall enterprise-wide responsibility for BCP/DRP ultimately rests with which individual(s):

a. The BCP/DRP manager
b. The Board of Directors and/or Executive Management
c. The IT director/manager
d. The internal auditor

Explanation: Answer b is the most correct answer. The others do have some degree of responsibility in the long run; however, overall final responsibility rests, as always, with the Board of Directors and management.

4

14. The purpose of Business Continuity Plans is to:

a. Counteract interruptions to preserve business activities and to protect time-critical business processes
b. Mitigate disasters before they occur
c. Comply with audit requirements
d. Meet management by objective requirements

Explanation: Answer a is the correct answer, and is taken verbatim from the cited reference. The other answers are incorrect because they are each too narrow. Answer b is incorrect because BCPs should be designed to help organizations recover following an event, not to mitigate the event or prevent it from happening. Answer c is incorrect because it is too narrow, although many plans are written for precisely this reason. Answer d is incorrect because it is simply wrong.

5

20. Emergency or Crisis Management Planning focuses primarily upon what goal:

a. Ensuring that all employees have a radio
b. Preparing to recapture lost data
c. Preparing to withstand a nuclear attack
d. Ensuring human security and life safety

Explanation: Answer d is the best answer given the amount of information in the question. Answers a, b and c are simply not appropriate.

6

23. Disaster Recovery Plans must focus primarily upon:

a. Recovery of all business functionality
b. Recovery of telecommunications circuits
c. Recovery of time-critical business processes
d. Recovery of IT technologies and communications network resources that support time-critical business processes

Explanation: Answer d is the correct answer, and is taken from the cited reference. Answer a is incorrect because it defines technology-focused DRPs as recovering too wide a scope of business functions. Answer b is incorrect because it focuses narrowly upon one IT (DRP) recovery plan component. Answer c is incorrect because it focuses on the goal of the BRP, not the DRP.

7

37. When selecting a recovery site for either DRP or BCP purposes, the facility should be located:

a. As close as possible to the primary site
b. In another state/country
c. Close enough to become operational quickly, but not too close to get hit with the same disaster
d. In the basement

Explanation: Answer c is the best answer given the amount of information in the question. Answers a and d are simply not appropriate. Answer b could be partially correct given a particular circumstance but answer c is more correct for this question.

8

78. Responsible senior management should formalize decisions and next step actions following their concurrence with business impact analysis results to:

a. Satisfy shareholder concerns
b. Satisfy audit requirements
c. Communicate precise recovery time objectives for prioritized business processes and supporting resources within the enterprise
d. Provide vendors with guidelines for providing recovery services to the enterprise

Explanation: Answer c is the correct answer, and is taken from the reference cited below. Answer a is incorrect because it is too narrow an audience and should not be relevant to shareholders at this time. Answer b is incorrect because the BIA should have nothing to do with satisfying audit criticisms. Answer d is incorrect because it only focuses on one narrow definition of what the BIA results should be used for.

9

100. Should the recovery time objective for an enterprise's IT computer operations be 24 hours or less, the most appropriate recovery alternative would be a:

a. Cold site
b. Warm site
c. Hot site
d. Drop ship arrangement with an appropriate IT equipment manufacturer

Explanation: Answer c is the best answer given the amount of information in the question. Answers a and b are considered incorrect, as the time required for recovery with those alternatives tends to be past the 24-hour mark. Answer d is incorrect for the same reason.

10

105. An enterprise-wide approach to BCP/DRP should include development of several types of plans that all together comprise a strong BCP/DRP function. The different types of plans are:

a. Business continuity plans for business operations; Disaster Recovery Plans for IT and communications; Offsite Data Storage Plans
b. Business continuity plans for business operations; Disaster Recovery Plans for IT and communications; Emergency Response/Crisis Management Plans for reacting to an emergency prior to recovery
c. Business continuity plans for business operations; Disaster Recovery Plans for IT and communications; Building evacuation plans
d. Business continuity plans for business operations; Disaster Recovery Plans for IT and communications; Media kits and communications plans

Explanation: Answer b is the correct answer. The others present types of plans that are really subcomponents of the Emergency Response/Crisis Management Plan.

11

114. Following a disruption, the purpose of the recovery team management organization outlined within the BCPs/DRPs is to:

a. Develop recovery procedures to address the specific situation
b. Arrange for the press to visit the damaged location
c. Protect human life and to facilitate timely recovery of time-critical operational components in order to protect enterprise assets.
d. Go to the backup site and recover operations

Explanation: Answer c is the most correct answer. Answers a and b are totally inappropriate, and answer d is only partially correct. Development of recovery procedures after the disaster is the wrong thing to do; they should have been developed prior to the event. Communication with the press must be centralized and controlled, not a job for individual recovery team personnel.

12

116. Reciprocal/mutual agreements for offsite backup are normally considered a poor recovery alternative because:

a. Auditors do not like this practice
b. Slow response to requests to recover operations
c. Network incompatibilities
d. Difficulties in keeping agreements, plans, and configurations managed and up-to-date

Explanation: Answer d is the best answer given the amount of information in the question. Answer a is simply not true. Answers b and c are potentially partially correct but too narrow a focus.

13

134. The traditional five phases of the BCP/DRP development methodology are:

a. Project scope and planning, business impact assessment, recovery alternative strategy development, recovery plan development, recovery plan testing and maintenance strategy development
b. Project scope and planning, risk management review, recovery plan development, plan testing and maintenance strategy development
c. Project scope and planning, recovery strategy development, recovery plan development, recovery plan testing and maintenance strategy development
d. Project scope and planning, business impact assessment, recovery plan development, risk management review

Explanation: Answer a is the correct answer. Answers b, c, and d are all methodology steps that are either out of order or are not primary methodology phase activities or are sub-phase activities.

14

168. The primary purpose of the Business Impact Assessment is to:

a. Create management awareness and support
b. Satisfy audit requirements
c. Identify and prioritize time-critical business processes and recovery time objectives
d. Provide a route map for resources that support business functions

Explanation: Answer c is the correct answer, and is taken from the cited reference. Answer a is incorrect because it is only one narrow definition of what the BIA should accomplish. Answer b is incorrect because the BIA should have nothing to do with satisfying audit criticisms. Answer d is incorrect because it only focuses on one narrow definition of what the BIA should accomplish.

15

186. Business Continuity Plans must focus primarily upon:

a. Recovery of all business functionality
b. Recovery of telecommunications circuits
c. Recovery of time-critical business processes and supporting resources
d. Recovery of IT Department offsite data files

Explanation: Answer c is the correct answer, and is taken from the reference cited below. The other answers are incorrect because they are each too narrow. Answer a is incorrect because it defines business continuity plans as recovering too wide a scope of business functions. Answers b and d are incorrect because they focus on IT (DRP) recovery planning specifics.

16

192. A Vital Records program is an essential prerequisite to a well-rounded BCP/DRP process implementation. All but one of the following should be considered for an effective vital records program:

a. Assignment of responsibility for identifying and backing up critical information
b. Maintenance of current inventories of information needed to recreate data
c. Storing critical data/information at an offsite backup location an appropriate distance from the primary site
d. Ensuring that all employees store critical vital records necessary for the execution of their job function at an offsite location such as their residence or in the trunk of their car

Explanation: Answer d is the obvious correct answer; under no circumstances should critical information be stored at a residence or in a private automobile as a matter of enterprise policy or practice. The remaining answers are all part of a Vital Records Program.

17

204. Understanding the breadth and scope of enterprise insurance coverage relative to potential recovery of losses sustained as the result of a disaster is an important component of the BCP/DRP equation. All but one of the following types of insurance coverage are relevant to BCP/DRP planning:

a. Business interruption
b. Media reconstruction
c. Medical
d. Extra-expense

Explanation: Answer c is the correct answer; medical insurance coverage is really not of concern to the BCP/DRP program. The other types of insurance coverage are, and should be understood.

18

216. The benefits of regularly testing business continuity plans and disaster recovery plans include all but one of the following:

a. To ascertain the level of discomfort recovery team members will sustain without complaint
b. To assess whether the written plans are accurate and up-to-date
c. To train recovery planning personnel in their roles and responsibilities
d. To satisfy audit criticisms or to ensure compliance with applicable laws or regulations

Explanation: Answer a is the most correct answer; this obviously should not be a goal of testing, although it sometimes does occur. The other answers are benefits of testing recovery plans.

19

223. The Business Impact Assessment is also used as the primary input into the next phase of the BCP/DRP development methodology of:

a. Identifying recovery team members
b. Developing testing and maintenance objectives
c. Document recovery plans
d. Determining appropriate recovery strategies and resource needs

Explanation: Answer d is the correct answer, and is taken from the reference cited below. Answer a is incorrect as this activity takes place as part of the plan development phase. Answers b and c are incorrect because they are part of the development methodology to be addressed following this phase.

20

224. For BCP purposes, when determining business operations recovery strategies, the following should be considered except:

a. Distance to the backup facility
b. Time-critical business processes to be recovered
c. Recovery team members roles and responsibilities
d. Insurance coverage for replacement of the primary site equipment

Explanation: Answer d is the best answer as insurance coverage considerations should be postponed until after life safety issues and critical business operations have been recovered. Answers a, b, and c are all considerations when determining appropriate recovery strategies.

21

230. Offsite storage is another important component to the overall BCP/DRP process. Controls relative to storing data offsite include all but one of the following:

a. The offsite storage location is physically and environmentally secure
b. Record keeping of the movement of data/media to and from the offsite storage location provides an adequate audit trail
c. Data storage location(s) must be within three miles of the primary site
d. Only authorized personnel are allowed access to the offsite storage facility or have the ability to request transfer of data/media

Explanation: Answer c is the correct answer; there are no precise guidelines on how far from the primary location the data/media must be stored. The remaining answers are all part of an effective plan to control offsite backup.

22

234. The Business Impact Assessment quantifies and qualifies loss potential in terms of:

a. People, process, and technology
b. Financial (monetary) loss and Operational (customer service related) loss impact potentials
c. Communications network downtime
d. Overtime hour estimates

Explanation: Answer b is the correct answer, and is taken from the cited reference. Answer a is partially correct but is too broad in definition. Answers c and d are partially correct but only focus on narrow definitions of what information the BIA should present.

23

238. During the recovery alternative strategy development phase of the BCP/DRP development methodology, all activities except this one should be performed:

a. Utilize BIA business process priorities to map to both IT and business operations support resources
b. Prepare cost estimates for acquisition of recovery resources required
c. Obtain senior management concurrence on acquiring appropriate recovery resources
d. Document recovery plans

Explanation: Answer d is the most correct answer, meaning that during this phase of the methodology, recovery plan development should not be performed, but should be postponed until all arrangements have been made and management agreement and funding have been obtained. The other answers include activities that should take place during this phase.

24

245. Another important element of a well-rounded BCP/DRP process implementation is the development, testing, and maintenance of Emergency Response Procedures. All but one of the following should be considered for inclusion in an effective emergency response procedure:

a. Building evacuation plans
b. Bomb threat procedures
c. Earthquake evacuation plans and procedures
d. Detailed business impact assessment information on time-critical IT applications

Explanation: Answer d is the obvious correct answer; BIA information does not belong in emergency response procedures, which should be streamlined and posted throughout the enterprise facility(ies). The remaining answers are all part of an Emergency Response Procedure document.

25

247. The written recovery plan (either BCP or DRP) should most correctly contain all of the following sections:

a. Recovery team structure; detailed activities and tasks for recovery of time-critical operations; EOC location; reporting structure; inventory information (hardware, software, data, space, communications, transportation, people, etc.)
b. Plan scope, assumption, approach; recovery team structure; detailed activities and tasks for recovery of time-critical operations; EOC location; reporting structure; inventory information (hardware, software, data, space, communications, transportation, people, etc.)
c. Plan scope, assumption, approach; recovery team structure; detailed activities and tasks for recovery of time-critical operations; EOC location; reporting structure; emergency response procedures
d. Plan scope, assumption, approach; recovery team structure; offsite backup location; EOC location; reporting structure; inventory information (hardware, software, data, space, communications, transportation, people, etc.)

Explanation: Answer b is the correct answer. The others present types of plans that are really subcomponents of the BCP/DRP formalized plans.