Chapter 3

Question 1

Business Continuity Planning (BCP)

Answer 1

used to maintain the continuous operation of a business in the event of an emergency

Question 2

Difference between BCP and DRP

Answer 2

BC is strategic and high level - focused on business processes and operations. DR are more tactical and describe technical activities like recovery sites, backups, and fault tolerance.

Question 3

4 steps of business continuity

Answer 3

1. Project scope and planning
2. Business impact analysis
3. Continuity planning
4. Approval and implementation

Question 4

top priority of BCP and DRP

Answer 4

PEOPLE - don’t let them die

Question 5

Which step of BCP does this belong to?

Perform a structured review of the business’s organization from a crisis planning POV

Answer 5

1. Project Scope and Planning

Question 6

Which step of BCP does this belong to?

Create a BCP team with the approval of senior management.

Answer 6

1. Project scope and planning

Question 7

Which step of BCP does this belong to?

Assess the resources available to participate in BC activities

Answer 7

1. Project scope and planning

Question 8

Which step of BCP does this belong to?

Analyze the legal and regulatory landscape that governs an organization’s respond to a catastrophic event.

Answer 8

1. project scope and planning

Question 9

Which step of BCP does this describe?

Analyze the business organization to identify all departments and individuals who have a stake in the BCP process

Answer 9

2. Organizational Review

Question 10

What are four key departments to identify during the Organizational Review?

Answer 10

1. Operational departmets - core services
2. Critical support - maintain systems for operations
3. physical security teams - usually first responders
4. senior executives

Question 11

Why would a BCP team made of only the IT and security departments be a critical flaw?

Answer 11

other departments may not know about the plan until it is too late
plan may not take into account aspects critical to business ops

Question 12

critical roles filled by snr management in bcp

Answer 12

setting priorities, providing staff and financial resources, settling disputes

Question 13

Resource requirements should be assessed for three phases. Which are they?

Answer 13

1. BCP development - time and staff effort
2. BCP testing, training, and maintenance
3. BCP implementation - when disaster strikes

Question 14

Which step of BCP does this describe?

Identify business processes and tasks that are critical to an organization’s viability and threats to those resources

Answer 14

2. Business Impact Analysis

Question 15

Quantitative Impact Assessment

Answer 15

use numbers and formulas to reach a decision - often expressed in dollar value

Question 16

Qualitative Impact Analysis

Answer 16

uses non-numerical factors that are categorized (high, med, low)

Question 17

critical business functions

Answer 17

activities that if disrupted would jeopardize the organization’s ability to achieve its goal

Question 18

MTD/MTO

Answer 18

maximum tolerable downtime/maximum tolerable outage

length of time a business function can tolerate a disruption before suffering irreparable harm

Question 19

RTO

Answer 19

Recovery Time Objective

amount of time in which you think you can feasibly recover the function

Question 20

RPO

Answer 20

Recovery Point Objective

defines the point in time before the incident where the organization should be able to recover data from a critical business process

how much data the business will loose during an incident

Question 21

two types of risks

Answer 21

natural and person-made

Question 22

pandemics are an example of

Answer 22

natural risks

Question 23

fires can be examples of both

Answer 23

true

Question 24

transportation failures are examples of

Answer 24

human made risks

Question 25

risk identification is qualitative

Answer 25

true

Question 26

Exposure Factor (EF)

Answer 26

amount of damage the risk poses to an asset, percentage of asset's value

Question 27

Single Loss Expectancy (SLE)

Answer 27

monetary loss expected each time the risk materializes SLE=AV*EF

Question 28

Annualized Loss Expectancy (ALE)

Answer 28

monetary loss the business expects to suffer from a risk during a typical year ALE = SLE x ARO

Question 29

What step of BIA does this describe? prioritize the allocation of business continuity resources to the various risks identified.

Answer 29

resource prioritization (last step)

Question 30

If a risk has loss of life should it be prioritized higher than it's quantitative priority?

Answer 30

Yes

Question 31

Which phase of BCP does this describe? developing and implementing a continuity strategy

Answer 31

Continuity Planning

Question 32

Two subtasks in continuity planning

Answer 32

1. strategy development 2. provisions and processes

Question 33

Continuity of Operations Plan (COOP)

Answer 33

how the business will carry out critical functions beginning shortly after a disruption occurs and extending for up to one month of sustained ops

Question 34

Which part of continuity planning does this describe? determine which risks identified in the BIA will be addressed by the business continuity plan

Answer 34

strategy development

Question 35

Which part of continuity planning does this describe? design the procedures and mechanisms that will mitigate the unacceptable risks

Answer 35

provisions and processes

Question 36

3 categories of assets that much be protected

Answer 36

1. people 2. buildings/facilities 3. infrastructure

Question 37

Two areas that should be addressed for each facility

Answer 37

1. Hardening Provisions 2. Alternate Sites

Question 38

Hardening Provisions

Answer 38

protect existing facilities against identified risks ie fireproof walls

Question 39

2 areas to address for infrastructure

Answer 39

1. Physically Hardening Systems 2. Alternative Systems - redundancy

Question 40

If all IT systems are in the cloud, they do not need to be considered in BCP.

Answer 40

FALSE - the service providers should also have BCPs and contracts should have SLAs that are achievable by the vendor.

Question 41

Essential Components of the written BCP (11)

Answer 41

Continuity Planning Goals Statement of Importance Statement of Priorities Statement of Organizational Responsibility Statement of Urgency and Timing Risk Assessment Risk Acceptance/Mitigation Vital Records Program Emergency Response Guidelines Maintenance Testing/Exercises

Question 42

Statement of Priorities

Answer 42

listing the functions considered critical to business ops in prioritized order

Question 43

vital records program

Answer 43

states where critical business records will be stored and the procedures for making and storing backup copies of those records