Chapter 3 Business Continuity Planning

Question 1

What is the process of maintaining business operations with reduced or restricted infrastructure capabilities or resources.

Answer 1

Business Continuity Planning

Question 2

What is the difference between BCP and DRP

Answer 2

Business Continuity Planning - strategic focused to continue business operations/processes.

Disaster Recovery Plan - tactical plan to transition to recovery site, backups, and implement fault tolerant systems.

Question 3

4 steps of the BCP process

Answer 3

Business Continuity Plan:

Project Scope and Planning
Business Impact Analysis
Continuity Planning
Approval and Implementation

Question 4

What is entailed by the organizational review

Answer 4

Business analysis of the organization to id all departments and individuals who have a stake in the BCP process.

• Senior executives/key individuals
• Critical support services
• Critical Security teams
• Operational departments that are responsible for the core services the business provides to its clients

Question 5

What is the limitation to giving the IT/security department sole responsibility over the BCP

Answer 5

No other operational or support departments are providing input and will not know how to implement the continuity processes when disaster strikes.

Question 6

Name examples of people you would want on the BCP team

Answer 6

• Core services Dept Org Reps
• Functional area representation
• Physical security and facility management
• Attorneys
• human resources
• public relations
• Senior Management representatives

Question 7

What are the three BCP phases after the Organizational Review is Complete

Answer 7

• Development
• Testing, Training, and Maintenance
• Implementation

Question 8

What is one metric that you can point to in order to demonstrate the cost of a loss?

Answer 8

ALE - Annualized Loss Expectancy

Question 9

Involves the use of numbers and formulas to reach a decision. This type of data often expresses options in terms of the dollar value to the business.

Answer 9

Quantitative Impact Assessment

Question 10

Takes non-numerical factors, such as reputation, investor/customer confidence, workforce stability, and other concerns, into account. This type of data often results in categories of prioritization (such as high, medium, and low).

Answer 10

Qualitative Impact Assessment

Question 11

What is the first step in the BIA from a quantitative perspective? Qualitative perspective?

Answer 11

Quantitative - Asset Valuation

Qualitative - ID Business priorities

Question 12

After you have conducted an asset valuation in the Business Impact Analysis (BIA), what is the next step in determining how much time the business function can tolerate a disruption before suffering irreparable harm?

Answer 12

Develop the maximum tolerable downtime (MTD)

Question 13

Amount of time in which you can feasibly recover the function in the event of a disruption.

Answer 13

Recovery Time Objective (RTO)

Question 14

What is the point in time before an incident where the org should be able to recover data from a critical business process?

Answer 14

Recovery Point Objective (RPO)

Question 15

What is the RPO of a function that is backed up every 20 minutes.

Answer 15

Recovery point objective - 20 minutes

Question 16

After the BCP team identifies all of the potential risks they estimate the likelihood of the risks materializing using which metric?

Answer 16

Annualized rate of occurrence. (ARO)

Question 17

he amount of damage that the risk poses to the asset, expressed as a percentage of the asset’s value.

Answer 17

The Exposure Factor

Question 18

The monetary loss expected each individual time risk materializes. You can compute this using the following formula:

Answer 18

Single Loss Expectancy (SLE) = Asset Value (AV) * Exposure Factor (EF)

Question 19

the monetary loss that the business expects to suffer as a result of the risk harming the asset during a typical year. The formula:

Answer 19

Annualized Loss Expectancy (ALE) = Single Loss Expectancy (SLE) * Annualized Rate of Occurrence (ARO)

Question 20

What are the two subtasks of continuity planning

Answer 20

Strategy development

Provisions and processes

Question 21

Describe Strategy development within continuity planning of the BCP

Answer 21

Determines which risks will be addressed by the business continuity plan.

Question 22

Describe the Provisions and process phase within continuity planning of the BCP and what are the three categories of assets that must be protected through BCP provisions and processes?

Answer 22

BCP designs specific procedures and mechanisms that will mitigate risks deemed unacceptable during the strategy development stage. People, Buildings/Facilities, Infrastructure

Question 23

Who approves the BCP ideally.

Answer 23

The highest executive possible - CEO if you can in order to demonstrate the importance of the plan to the entire organization.

Question 24

What document can the CEO sign to relay the importance of the BCP to the workforce?

Answer 24

Statement of Importance

Question 25

What document outlines the most important to the least important business functions from the business impact analysis?

Answer 25

Statement of priorities

Question 26

Risk acceptance/mitigation section of BCP contains the outcome of the strategy development portion of the BCP process. For risks that were deemed acceptable what would it describe?

Answer 26

Reason risk was acceptable

Future events that would warrant reconsideration of this determination

Question 27

Risk acceptance/mitigation section of BCP contains the outcome of the strategy development portion of the BCP process. For risks that were deemed unacceptable what would it describe?

Answer 27

risk management provisions and processes put in place to reduce risk to org’s continued viability.

Question 28

What does the vital records program list out

Answer 28

Identifies essential records that would be critical to rebuilding the organization.

Question 29

What are the emergency response guidelines

Answer 29

Outlines the org and individual responsible for immediate response to an emergency.

List of individuals to notify.

Question 30

How often should BCP team meet once the BCP is complete? What should be discussed?

Answer 30

Periodically to update BCP due to changes and review the results of the plan to ensure it still meets org needs.