Chapter 15: Business Continuity Planning

Question 1

What is Business Continuity Planning?

Answer 1

Assessing the risks to organizational processes and creating policies, plans, and procedurs to minimize the imapact those rigks might have on the orgamization if they were to occur.

Question 2

What happens if business continuity is broken?

Answer 2

Business processes have stopoed and the organization is in disaster mode, thus, disaster recovery planning takes over.

Question 3

What are the four main steps of BCP as defined by ISC2?

Answer 3

Project scope and planning,
business impact assessment
continuity planning
approval and implementaiton

Question 4

What does project scope and planning require?

Answer 4

structured analysis of the buisiness’s orgamization from a crisis planning point of view
Creation of a BCP team with senior management approval
Assessment of the resource savailablet o participate in BC ativities
Analysis of the legal and regularory landscape that governs response to a catastrophic event

Question 5

What areas should be considered in business orgamization analysis?

Answer 5

Operational departments that are responsiuble for core services the business provides to clients
Critical support services such as IT, plaint maintenance, and other groups responsible for upkeep of operational departmetns
Senior execs and other key inidividuals essential for the ongoing viability of the orgamization

Question 6

Who should be on the BCP team?

Answer 6

Representatives from each of the organization’s deparatments responsible for the core services
Representatives from the key support departments identified by org. analysis
IT representatives with technical experience in areas covered by the BCP
Security representatives with knowledge of the BCP process
Representatives from senior management

Question 7

What is a risk in selecting the BCP team?

Answer 7

Depending on the event, members of the BCP team may not be available in the event of a disaster.

Question 8

What do you have to consider in selecting an effective BCP team?

Answer 8

Balance representing different points of view with explosive personality differences.

Question 9

What is one important reason to include senior management representatives in the BCP process?

Answer 9

It can be required by laws or regulations.

Question 10

What is the marjor resource likely to be needed by the BCP plan during plan creation?

Answer 10

Time of the BCP team members.

Question 11

Why is it essential to include legal counsel in the BCP process?

Answer 11

Laws and regulations can place requirements on BCP.

Question 12

What is the difference between quantititative decision making and qualitiative?

Answer 12

Quant uses numbers and formulas, qual uses nonnumerical factors such as emotions, investor/customer confidence, workforce stability, and other concers.

Question 13

How do you set priorities in BCP?

Answer 13

Assign an asset value (AV), maximum tolerable downtime (MTD) or maximum tolerable outage (MTO), recovery time objective (RTO). The goal of BCP is to insure that the RTO isless than MTO.

Question 14

What are natural threats?

Answer 14

Violent storms/hurricanes/tornadoes/blizzards
Earthquakes
mudslides/avalanches
volcanoes

Question 15

What are man made threats?

Answer 15

terrorist acts/wars/civil unreast
theft/vandalism
fires/explosuions
prolonged power outages
building collapse
transportaion failures

Question 16

What is ARO?

Answer 16

Annualized Rate of Occurrence. The number of times a business expects a particular disaster to occur per year.

Question 17

What is Exposure Factor (EF)?

Answer 17

The percentage an asset is reduced in value in the event a loss happens.

Question 18

What is SLE?

Answer 18

Single Loss Expectancy. The monetary loss expected each time a loss event occurs for an asset.

Question 19

What nonmonetary impacts can interruptions have on a business?

Answer 19

Loss of goodwill among clients
Loss of employees to other jobs after a prolonged downtime
Social/ethical responsibilites to the communities
Negative publicity

Question 20

What are the subtasks in continuity development?

Answer 20

Strategy development
provisions and procsses
plan approval
plan implementation
training and education

Question 21

What are the four possible responses to a risk?

Answer 21

reduce, assign, accept, reject

Question 22

What is the most important activity in BCP?

Answer 22

Ensuring that the people within the orgamization are safe before, during, and after an emergency.

Question 23

What are the two areas that a BCP should address for each critical facility?

Answer 23

Hardening provisions and alternate sites.

Question 24

What are the two main methods of providing infrastructure protetion?

Answer 24

Physically hardening systems and alternative systems.

Question 25

What is essential to the success of the overall BCP effort?

Answer 25

Senior management approval and buy-in.

Question 26

Who should receive training on the plan?

Answer 26

Everyone who will be directly or indirectly involved in the plan should receive training on the overall plan and their specific responsibilities.

Question 27

What should the Risk Acceptance/Mitigation portion of a BCP cover?

Answer 27

For risks deemed acceptable, it should outline why and list potential future events that should trigger reconsideration.

For risks deemed unacceptable, it should outline risk amanagement provisions and proceesses that reduce the risk.

Question 28

What should emergency response guidelines include?

Answer 28

Immediate response procedures (security and safety, fire supporession, notification of emergency response agencies)
Who to notive (execs, BCP members, etc)
Secondary response procedures to take whilew aiting for the BCP team to assemble.

Question 29

How should a BCP be maintained?

Answer 29

As a living document. Older versions should be physically destroyed and replaced so there can be no confusion as to which version to use.