.15 - .20 Business Continuity Plan Flashcards
Which of the following is the primary purpose of a business continuity plan?
To recover from a disaster
To test the business continuity plan
To develop the business continuity plan
To sustain business operations
To sustain business operations
The business continuity plan (BCP) objective is to ensure the organization’s sustained viability if unforeseen emergencies occur. BCP is used to sustain the continued operation of a business in the event of an emergency.
To recover from a disaster
To recover from a disaster is the purpose of the disaster recovery plan.
To test the business continuity plan
Testing and developing the business continuity plan are steps to create the business continuity plan.
To develop the business continuity plan
Testing and developing the business continuity plan are steps to create the business continuity plan.
Term: Business Continuity Plan (BCP)
A business continuity plan (BCP) is the documentation of a predetermined set of instructions or procedures that describe how an organization’s business functions will be sustained during and after a significant disruption.
Reference: 7113.15
A business continuity plan (BCP) aims to sustain business operations. The BCP objective is to ensure the organization’s sustained viability if unforeseen emergencies occur. BCP is used to sustain the continued operation of a business in the event of an emergency.
Contingency planning involves more than planning to move offsite after a disaster destroys a data center. It also addresses how to keep an organization’s critical functions operating in the event of large and small disruptions. This broader perspective on contingency planning is based on the distribution of computer support throughout an organization.
Which of the following ensures the greatest success in completing the development of business continuity and disaster recovery plans?
Assigning individual responsibility
Defining individual roles
Defining operational activities
Appointing a project manager with senior management support
Appointing a project manager with senior management support
Individuals responsible for the various business continuity and contingency planning activities must be held accountable for completing individual tasks. Core business process owners are responsible and accountable for meeting the milestones for developing and testing contingency plans for their core business processes. Appointing a project manager to plan, execute, monitor, correct, and report the progress to senior management will ensure the greatest possibility for success.
Assigning individual responsibility
Although important, they are not the greatest contributor to success in completing the development of business continuity and disaster recovery plans.
Defining individual roles
Although important, they are not the greatest contributor to success in completing the development of business continuity and disaster recovery plans.
Defining operational activities
Although important, they are not the greatest contributor to success in completing the development of business continuity and disaster recovery plans.
Relevant Terms
Business Continuity Plan (BCP)
Disaster Recovery Plan
Reference
7113.15
7113.17
7113.41
The best contingency plan maintenance approach to ensure the currency of the plan is to incorporate it into:
software upgrades.
hardware upgrades.
revision procedures.
change management procedures.
change management procedures.
The contingency plan will become dated as time passes and as the resources used to support critical functions change. Responsibility for keeping the contingency plan current should be specifically assigned.
hardware upgrades.
software upgrades.
revision procedures.
Contingency plan maintenance can be incorporated into procedures for change management so that upgrades to hardware and software are reflected in the plan. In addition, change management practices will handle program revision procedures.
Relevant Terms
Change Management
Contingency Plan
Reference
7113.15
7113.20
Which of the following is the correct sequence of events when surviving a disaster?
Respond, recover, plan, continue, and test
Plan, respond, recover, test, and continue
Respond, plan, test, recover, and continue
Plan, test, respond, recover, and continue
Plan, test, respond, recover, and continue
Plan: Disaster recovery or contingency plans should be established to prepare an organization to respond to disasters of any kind that might otherwise cause considerable loss to or total disruption of the organization’s functions and operations.
Test: The disaster recovery plan should be tested periodically using a fully developed test scenario, a simulated disaster, planned monitoring of results, and appraisal of the entire process with revisions and updates to the plan.
Respond: When a disaster occurs, the level and extent of the disaster must be immediately determined, and appropriate steps taken to safeguard lives and prevent further destruction or escalation of the disaster.
Recover: A preliminary damage assessment should be conducted, and the situation evaluated upon stabilization.
Continue: Based upon a full or partial recovery operation, the objective is to return to normal operation as soon as possible. Human safety is the most critical aspect while restoring service is a secondary objective.
Reference: 7113.20
Disaster recovery or contingency plans should be established to prepare an organization to respond to disasters of any kind that might otherwise cause considerable loss to or total disruption of the organization’s functions and operations. Every organization should have a written and tested plan with clear responsibilities assigned to employees for each phase of a disaster preparedness program (i.e., plan development, testing, recovery, and maintenance).
The disaster recovery planning process begins with the recognition by senior management that disaster recovery plan development and maintenance activities are integral to the cost of doing business.
The sequence of events to survive a disaster is plan, test, respond, recover, and continue.
Term: Disaster Recovery Plan
A disaster recovery plan (or business continuity plan) is the process, policies, and procedures of restoring operations critical to the resumption of business, including gaining access to data (records, hardware, software, etc.), communications, workspace, and other business processes.
Reference: 7113.41
The disaster recovery plan (DRP) is a component of the business continuity plan (BCP); it defines the restoration plan used to restore operations to a normal state. A single integrated plan is recommended to ensure that:
coordination between several plan elements supports response and recovery.
resources are used most effectively and efficiently.
reasonable assurance can be maintained that the enterprise will withstand a disruption.
Relevant Terms
Disaster Recovery Plan
Reference
7113.20
7113.41
With respect to disaster recovery and business continuity, risk analysis is part of which of the following?
Recovery analysis
Cost-benefit analysis
Backup analysis
Business impact analysis
Business impact analysis
The risk analysis is usually part of the business impact analysis. It estimates both the functional and financial impact of a risk occurrence to the organization. It identifies the costs to reduce the risks to an acceptable level by establishing effective controls.
The other answer choices are incorrect as cost-benefit analysis, backup analysis, and recovery analysis are part of a business impact
Reference: 7113.18
Risk analysis is a prerequisite to a complete and meaningful disaster recovery planning program. Risk analysis is the assessment of threats to resources (assets) and the determination of the amount of protection necessary to adequately safeguard those resources so that vital systems, operations, and services can quickly return to a normal status in case of a disaster.
Essentially, the risk analysis and evaluation process addresses the following actions:
Identify assets (e.g., hardware, software, data, facilities, documentation, and supplies).
Develop a list of potential threats and vulnerabilities (e.g., fire, flood, or tornado) with the frequency of their occurrences.
Correlate threats to assets.
Rank the threats based on their impact and risk.
Determine the effectiveness of existing risk mitigation controls.
Recommend cost-effective controls to reduce potential threats.
Once the threats are identified and their impacts defined, the list should be reviewed and the threats classified as either acceptable or as risks that must be controlled. To determine the risk imposed by each threat, rank each threat, rank the asset’s criticality, and then evaluate them together. The decision on whether a risk should be tolerated or controlled rests solely with senior management, not the auditors.
Reference: 7113.23
The BIA (business impact analysis) is a critical step in establishing the business continuity strategy and executing the risk countermeasures and the business continuity plan (BCP). The first phase in any disaster recovery plan is to conduct a BIA. The BIA identifies the critical resources, processes, systems, and applications to the organization’s ongoing sustainability and threats to business priorities, processes, and resources. It evaluates the probability of each threat that may occur and the impact on the business and helps to determine the acceptable downtime for the business-critical processes and applications.
Relevant Terms
Business Continuity Plan (BCP)
Disaster Recovery Plan
Risk Assessment
Reference
7113.18
7113.23
In developing a business continuity plan (BCP) for an organization, which of the following would be done first?
Roles and responsibilities of BCP team members
Critical areas of threats and vulnerabilities
Functional user operations
Conducting a business impact analysis (BIA)
Conducting a business impact analysis (BIA)
The BIA is a critical step in establishing the business continuity strategy and executing the risk countermeasures and the BCP. The first phase in any disaster recovery plan is to conduct a BIA. The BIA identifies the critical resources, processes, systems, and applications to the organization’s ongoing sustainability and threats to business priorities, processes, and resources.
The other answer choices are incorrect:
Most disaster recovery plans focus on data-processing functions, not other functions within the organization. IS management may assume that functional users will be responsible for their areas.
Identifying the critical areas of threats and vulnerabilities provides a basis for the development of the rest of the recovery plan.
With increased automation of business functions, a certain amount of coordination and planning are required between the IS management and the functional user management. As a result, team members’ roles and responsibilities are often defined, threats and vulnerabilities are analyzed, and impacts are analyzed and may not be documented.
Reference: 7113.15
A business continuity plan (BCP) aims to sustain business operations. The BCP objective is to ensure the organization’s sustained viability if unforeseen emergencies occur. BCP is used to sustain the continued operation of a business in the event of an emergency.
Contingency planning involves more than planning to move offsite after a disaster destroys a data center. It also addresses how to keep an organization’s critical functions operating in the event of large and small disruptions. This broader perspective on contingency planning is based on the distribution of computer support throughout an organization.
Reference: 7113.23
The BIA (business impact analysis) is a critical step in establishing the business continuity strategy and executing the risk countermeasures and the business continuity plan (BCP). The first phase in any disaster recovery plan is to conduct a BIA. The BIA identifies the critical resources, processes, systems, and applications to the organization’s ongoing sustainability and threats to business priorities, processes, and resources. It evaluates the probability of each threat that may occur and the impact on the business and helps to determine the acceptable downtime for the business-critical processes and applications.
Reference
7113.15
7113.16
7113.20
7113.23
Although both disaster recovery planning and security policies enhance the availability of information, these policies:
are separate with no substitution.
can be in one document.
are separate and diverse.
are separate but complementary.
are separate but complementary.
A comprehensive disaster recovery plan is separate from but complementary to the security policy document. The purpose of recovery planning and security policies is to allow a business to continue offering critical services and business operations in the event of a disruption and withstand an interruption to business activities.
The other answer choices are incorrect: Security policies are high-level statements that address senior management’s intent and direction. In comparison, the disaster recovery policy is more concerned with the disaster recovery plan specifications. Thus, they should be separated, but both items will go hand in hand and complete each other.
Reference: 7113.17
A prerequisite to a successful contingency plan is management commitment and approval. However, disaster recovery planning and security policies are separate but complementary.
The purpose of business continuity and disaster recovery is to allow a business to continue offering critical services and business operations in the event of a disruption and withstand an interruption to business activities. Computer backup facilities, disaster recovery, business resumption, or contingency planning problems and issues pose significant challenges and concerns to information systems (IS) management, senior management, functional user management, and audit management. The key issues are how to develop disaster recovery plans, how to test them, how to maintain them, and how to keep the continuity of operations.
The business continuity plan (BCP) and disaster recovery plan (DRP) can allow critical processes to resume in a disruption of normal business operations. Responsibility for the BCP remains with senior management, but the execution usually stays with the business units and the appropriate supporting units.
The BCP should undertake all functions and assets critical to continue as a viable operation immediately after encountering a disruption.
Relevant Terms
Disaster Recovery Plan
Security Policy
Reference
7113.17