CISSP Certification Prep Test- Business Continuity

1. The term RTO means:

Return to order

Resumption time order

Recovery time objective

All applications need to be classified as to their time sensitivity for recovery even if those applications do not support business functions that are time-sensitive. For applications, this is commonly referred to as recovery time objective (RTO) or maximum tolerable downtime (MTD).

Explanation

All applications need to be classified as to their time sensitivity for recovery even if those applications do not support business functions that are time-sensitive. For applications, this is commonly referred to as recovery time objective (RTO) or maximum tolerable downtime (MTD).

2. A business continuity plan should be updated and maintained:

Immediately following an exercise.

Following a major change in personnel.

After installing new software.

All of the above.

The plan document and all related procedures will need to be updated after each exercise and after each material change to the production, IT, or business environment. The procedures should be reviewed every three months and the formal audit of the procedures should be conducted annually.

Explanation

The plan document and all related procedures will need to be updated after each exercise and after each material change to the production, IT, or business environment. The procedures should be reviewed every three months and the formal audit of the procedures should be conducted annually.

3. Which of the following methods is not acceptable for exercising the business continuity plan?

Table-top exercise.

Call exercise.

Simulated exercise.

Halting a production application or function.

Th e only difference between a simulated and an actual exercise is that the first rule of testing is the planner will never create a disaster by testing for one. The planner must make every effort to make certain that what is being tested will not impact the production environment whether business or technical.

Explanation

Th e only difference between a simulated and an actual exercise is that the first rule of testing is the planner will never create a disaster by testing for one. The planner must make every effort to make certain that what is being tested will not impact the production environment whether business or technical.

4. Which of the following is the primary desired result of any well-planned business continuity exercise?

Identifies plan strengths and weaknesses.

Satisfies management requirements.

Complies with auditor’s requirements.

Maintains shareholder confidence

After every exercise the planner conducts, the exercise results need to be published and action items identified to address the issues that were uncovered by the exercise. Action items should be tracked until they have been resolved and, where appropriate, the plan updated. It is very unfortunate when an organization has the same issue in subsequent tests simply because someone did not update the plan.

Explanation

After every exercise the planner conducts, the exercise results need to be published and action items identified to address the issues that were uncovered by the exercise. Action items should be tracked until they have been resolved and, where appropriate, the plan updated. It is very unfortunate when an organization has the same issue in subsequent tests simply because someone did not update the plan.

5. Which of the following terms best describes the effort to determine the consequence of disruptions that could result from a disaster?

Business impact analysis.

Risk analysis.

Risk assessment.

Project problem defi nition

The BIA is what is going to help the company decide what needs to be recovered and how quickly it needs to be recovered.

Explanation

The BIA is what is going to help the company decide what needs to be recovered and how quickly it needs to be recovered.

6. A key advantage of using a cold site as a recovery option is that it_______________________.

Is a less expensive recovery option.

Can be configured and made operational for any business function.

Is preconfigured for communications and can be customized for business functions.

Is the most available option for testing server and communications restorations.

Among the advantages of warm and cold sites are that they are less expensive and available for longer recoveries.

Explanation

Among the advantages of warm and cold sites are that they are less expensive and available for longer recoveries.

7. The reason to implement additional controls or safeguards is to:

Deter or remove the risk.

Remove the risk and eliminate the threat.

Reduce the impact of the threat.

Identify the risk and the threat.

Preventing a disaster is always better than trying to recover from one. If the planner can recommend controls to be put in place to prevent the most likely risks from having an impact on the organization’s ability to do business, then the planner will have fewer actual events to recover from.

Explanation

Preventing a disaster is always better than trying to recover from one. If the planner can recommend controls to be put in place to prevent the most likely risks from having an impact on the organization’s ability to do business, then the planner will have fewer actual events to recover from.

8. One of the advantages of a hot site recovery solution is:

Less expensive

Highly available

No downtime

No maintenance required

Among the advantages of internal or external hot sites are allows recovery to be tested, highly available, and the site can be operational within hours.

Explanation

Among the advantages of internal or external hot sites are allows recovery to be tested, highly available, and the site can be operational within hours.

9. If a company wants the most efficient restore from tape backup:

Full backup

Incremental backup

Partial backup

If a company wants the backup and recovery strategy to be as simple as possible, then it should only use full backups. They take more time and hard drive space to perform but they are the most efficient in recovery.

Explanation

If a company wants the backup and recovery strategy to be as simple as possible, then it should only use full backups. They take more time and hard drive space to perform but they are the most efficient in recovery.

10. Which phrase best defines a business continuity/disaster recovery plan?

A set of plans for preventing a disaster.

An approved set of preparations and sufficient procedures for responding to a disaster.

A set of preparations and procedures for responding to a disaster without management approval.

Adequate preparations and procedures for the continuation of all business functions.

d. Business continuity planning (BCP) and Disaster recovery planning (DRP) address the preparation, processes, and practices required to ensure the preservation of the business in the face of major disruptions to normal business operations.

Explanation

d. Business continuity planning (BCP) and Disaster recovery planning (DRP) address the preparation, processes, and practices required to ensure the preservation of the business in the face of major disruptions to normal business operations.

11. Regardless of industry, which element of legal and regulatory requirements are all industries subject to?

Sarbanes–Oxley

HIPAA

Prudent man rule

BS25999

Regulatory risk is clearly defined by the industry the organization is a part of. However, no matter what industry the planner is in, what is commonly referred to as the prudent man rule applies: exercise the same care in managing company affairs as in managing one’s own affairs.

Explanation

Regulatory risk is clearly defined by the industry the organization is a part of. However, no matter what industry the planner is in, what is commonly referred to as the prudent man rule applies: exercise the same care in managing company affairs as in managing one’s own affairs.

12. During the risk analysis phase of the planning, which of the following actions could manage threats or mitigate the effects of an event?

Modifying the exercise scenario.

Developing recovery procedures.

Increasing reliance on key individuals

Implementing procedural controls.

The third element of risk is mitigating factors. Mitigating factors are the controls or safeguards the planner will put in place to reduce the impact of a threat.

Explanation

The third element of risk is mitigating factors. Mitigating factors are the controls or safeguards the planner will put in place to reduce the impact of a threat.

13. Which of the following statements most accurately describes business impact?

Risk analysis and business impact analysis are two different terms describing the same project effort.

A business impact analysis calculates the probability of disruptions to the organization.

A business impact analysis is critical to the development of a business continuity plan.

A business impact analysis establishes the effect of disruptions on the organization.

All business functions and the technology that supports them need to be classified based on their recovery priority. Recovery time frames for business operations are driven by the consequences of not performing the function. The consequences may be the result of business lost during the down period; contractual commitments not met resulting in fines or lawsuits, lost goodwill with customers, etc.

Explanation

All business functions and the technology that supports them need to be classified based on their recovery priority. Recovery time frames for business operations are driven by the consequences of not performing the function. The consequences may be the result of business lost during the down period; contractual commitments not met resulting in fines or lawsuits, lost goodwill with customers, etc.

14. The elements of risk are as follows:

Natural disasters and man made disasters

Threats, assets and mitigating controls

Risk and business impact analysis

There are three elements of risk: threats, assets, and mitigating factors.

Explanation

There are three elements of risk: threats, assets, and mitigating factors.

15. The term disaster recovery commonly refers to:

The recovery of the business operations

The recovery of the technology environment

The recovery of the manufacturing environment

Th e recovery of the business and technology environments

Once computers became part of the business landscape, it quickly became clear that we could not return to our manual processes if our computers failed. If those computer systems failed, there were not enough people to do the work nor did the people in the business still have the skill to do it manually anymore. This was the start of the disaster recovery industry. Still today, the term “disaster recovery” or “DR” commonly means the recovery of the technology environment.

Explanation

Once computers became part of the business landscape, it quickly became clear that we could not return to our manual processes if our computers failed. If those computer systems failed, there were not enough people to do the work nor did the people in the business still have the skill to do it manually anymore. This was the start of the disaster recovery industry. Still today, the term “disaster recovery” or “DR” commonly means the recovery of the technology environment.

16. Which of the following statements best describe the extent to which an organization should address business continuity or disaster recovery planning?

Continuity planning is a significant corporate issue and should include all parts or functions of the company.

Continuity planning is a significant technology issue and the recovery of technology should be its primary focus.

Continuity planning is required only where there is complexity in voice and data communications.

Business continuity planning and Disaster recovery planning
involve the identifi cation, selection, implementation, testing, and updating of

Explanation

Business continuity planning and Disaster recovery planning
involve the identifi cation, selection, implementation, testing, and updating of

17. Business impact analysis is performed to identify:

The impacts of a threat to business operations.

The exposures to loss to the organization.

The impacts of a risk on the company.

The way to eliminate threats.

The business impact analysis is what is going to help the company decide what needs to be recovered and how quickly it needs to be recovered.

Explanation

The business impact analysis is what is going to help the company decide what needs to be recovered and how quickly it needs to be recovered.