Chapter 3 Business Continuity Planning Flashcards

1
Q

Business continuity planning (BCP)

A

involves assessing the risks to organizational processes and creating policies, plans, and procedures to minimize the impact those risks might have on the organization if they were to occur. BCP is used to maintain the continuous operation of a business in the event of an emergency situation. The goal of BCP planners is to implement a combination of policies, procedures, and processes such that a potentially disruptive event has as little impact on the business as possible.

BCP focuses on maintaining business operations with reduced or restricted infrastructure capabilities or resources.

2
Q

BCP process has four main steps

A
  1. Project scope and planning
  2. Business impact assessment
  3. Continuity planning
  4. Approval and implementation
3
Q

Project Scope and Planning

A

First, it provides the groundwork necessary to help identify potential members of the BCP team. Second, it provides the foundation for the remainder of the BCP process.

4
Q

three distinct BCP phases

A

  1. Perform the four elements of the BCP process (project scope and planning, business impact assessment, continuity planning, and approval and implementation).
  2. The testing, training, and maintenance phases of BCP will require some hardware and software commitments.
  3. Conduct a full-scale implementation of the business continuity plan.

5
Q

the business impact assessment (BIA)

A

The BIA identifies the resources that are critical to an organization’s ongoing viability and the threats posed to those resources. It also assesses the likelihood that each threat will actually occur and the impact those occurrences will have on the business. The results of the BIA provide you with quantitative measures that can help you prioritize the commitment of business continuity resources to the various local, regional, and global risk exposures facing your organization.

6
Q

Quantitative decision-making

A

Quantitative decision-making involves the use of numbers and formulas to reach a decision. This type of data often expresses options in terms of the dollar value to the business.

7
Q

Qualitative decision-making

A

Qualitative decision-making takes non-numerical factors, such as reputation, investor/customer confidence, workforce stability, and other concerns, into account. This type of data often results in categories of prioritization (such as high, medium, and low).

8
Q

BCP team identifying business priorities

A

The BCP team should sit down and draw up a list of organizational assets and then assign an asset value (AV) in monetary terms to each asset.
The second quantitative measure that the team must develop is the maximum tolerable downtime (MTD), sometimes also known as maximum tolerable outage (MTO). The MTD is the maximum length of time a business function can be inoperable without causing irreparable harm to the business.
The third measure is the recovery time objective (RTO) for each business function. This is the amount of time in which you think you can feasibly recover the function in the event of a disruption. Once you have defined your recovery objectives, you can design and plan the procedures necessary to accomplish the recovery tasks.

9
Q

natural threats/risks

A
Violent storms/hurricanes/tornadoes/blizzards
Lightning strikes
Earthquakes
Mudslides/avalanches
Volcanic eruptions
10
Q

Man-made threats/risks

A
Terrorist acts/wars/civil unrest
Theft/vandalism
Fires/explosions
Prolonged power outages
Building collapses
Transportation failures
Internet disruptions
Service provider outages
11
Q

Service Organization Control (SOC) report

A

An SOC-1 report covers only internal controls over financial reporting. If you want to verify the security, privacy, and availability controls, you’ll want to review either an SOC-2 or SOC-3 report.

12
Q

The single loss expectancy (SLE) is the monetary loss that is expected each time the risk materializes

A

SLE equals AV multiplied by EF (SLE = AV × EF).

13
Q

The annualized loss expectancy (ALE) is the monetary loss that the business expects to occur as a result of the risk harming the asset over the course of a year

A

ALE equals SLE multiplied by ARO (ALE = SLE × ARO).

14
Q

Continuity Planning

A

The first two phases of the BCP process (project scope and planning and the business impact assessment) focus on determining how the BCP process will work and prioritizing the business assets that must be protected against interruption. The next phase of BCP development, continuity planning, focuses on developing and implementing a continuity strategy to minimize the impact realized risks might have on protected assets.

15
Q

Strategy development

A

bridges the gap between the business impact assessment and the continuity planning phases of BCP development. The BCP team must now take the prioritized list of concerns raised by the quantitative and qualitative resource prioritization exercises and determine which risks will be addressed by the business continuity plan. Fully addressing all the contingencies would require the implementation of provisions and processes that maintain a zero-downtime posture in the face of every possible risk.

16
Q

Plan approval

A

The plan should be endorsed by the top executive in your business—the chief executive officer, chairperson, president, or similar business leader. This move demonstrates the importance of the plan to the entire organization and showcases the business leader’s commitment to business continuity. The signature of such an individual on the plan also gives it much greater weight and credibility in the eyes of other senior managers, who might otherwise brush it off as a necessary but trivial IT initiative.

17
Q

Plan implementation

A

The BCP team should get together and develop an implementation schedule that utilizes the resources dedicated to the program to achieve the stated process and provision goals in as prompt a manner as possible given the scope of the modifications and the organizational climate.

After all the resources are fully deployed, the BCP team should supervise the conduct of an appropriate BCP maintenance program to ensure that the plan remains responsive to evolving business needs.

18
Q

BCP documentation

A

It ensures that BCP personnel have a written continuity document to reference in the event of an emergency, even if senior BCP team members are not present to guide the effort.
It provides a historical record of the BCP process that will be useful to future personnel seeking to both understand the reasoning behind various procedures and implement necessary changes in the plan.
It forces the team members to commit their thoughts to paper—a process that often facilitates the identification of flaws in the plan. Having the plan on paper also allows draft documents to be distributed to individuals not on the BCP team for a “sanity check.”

19
Q

Continuity Planning Goals

A

to ensure the continuous operation of the business in the face of an emergency situation. Other goals may also be inserted in this section of the document to meet organizational needs.

20
Q

Statement of Importance

A

The statement of importance reflects the criticality of the BCP to the organization’s continued viability. This document commonly takes the form of a letter to the organization’s employees stating the reason that the organization devoted significant resources to the BCP development process and requesting the cooperation of all personnel in the BCP implementation phase.

21
Q

Statement of Priorities

A

The statement of priorities flows directly from the identification of priorities phase of the business impact assessment. It simply involves listing the functions considered critical to continued business operations in a prioritized order. When listing these priorities, you should also include a statement that they were developed as part of the BCP process and reflect the importance of the functions to continued business operations in the event of an emergency and nothing more.

22
Q

Statement of Organizational Responsibility

A

The statement of organizational responsibility restates the organization’s commitment to business continuity planning and informs employees, vendors, and affiliates that they are individually expected to do everything they can to assist with the BCP process.

23
Q

Statement of Urgency and Timing

A

The statement of urgency and timing expresses the criticality of implementing the BCP and outlines the implementation timetable decided on by the BCP team and agreed to by upper management. The wording of this statement will depend on the actual urgency assigned to the BCP process by the organization’s leadership. If the statement itself is included in the same letter as the statement of priorities and statement of organizational responsibility, the timetable should be included as a separate document.

24
Q

Risk Assessment

A

The risk assessment portion of the BCP documentation essentially recaps the decision-making process undertaken during the business impact assessment. It should include a discussion of all the risks considered during the BIA as well as the quantitative and qualitative analyses performed to assess these risks. For the quantitative analysis, the actual AV, EF, ARO, SLE, and ALE figures should be included. For the qualitative analysis, the thought process behind the risk analysis should be provided to the reader.

25
Q

Risk Acceptance/Mitigation

A

contains the outcome of the strategy development portion of the BCP process. It should cover each risk identified in the risk analysis portion of the document and outline one of two thought processes.

For risks that were deemed acceptable, it should outline the reasons the risk was considered acceptable as well as potential future events that might warrant reconsideration of this determination.
For risks that were deemed unacceptable, it should outline the risk management provisions and processes put into place to reduce the risk to the organization’s continued viability.

26
Q

Vital Records Program

A

This document states where critical business records will be stored and the procedures for making and storing backup copies of those records.

One of the biggest challenges in implementing a vital records program is often identifying the vital records in the first place! As many organizations transitioned from paper-based to digital workflows, they often lost the rigor that existed around creating and maintaining formal file structures. Vital records may now be distributed among a wide variety of IT systems and cloud services. Some may be stored on central servers accessible to groups, whereas others may be located in digital repositories assigned to an individual employee.

27
Q

Emergency-Response Guidelines

A

The emergency-response guidelines outline the organizational and individual responsibilities for immediate response to an emergency situation. This document provides the first employees to detect an emergency with the steps they should take to activate provisions of the BCP that do not automatically activate. These guidelines should include the following:

Immediate response procedures (security and safety procedures, fire suppression procedures, notification of appropriate emergency-response agencies, etc.)
A list of the individuals who should be notified of the incident (executives, BCP team members, etc.)
Secondary response procedures that first responders should take while waiting for the BCP team to assemble

28
Q

business impact assessment process

A

The five steps of the business impact assessment process are identification of priorities, risk identification, likelihood assessment, impact assessment, and resource prioritization.

29
Q

What is the first step that individuals responsible for the development of a business continuity plan should perform?

A. BCP team selection
B. Business organization analysis
C. Resource requirements analysis
D. Legal and regulatory assessment

A

B. The business organization analysis helps the initial planners select appropriate BCP team members and then guides the overall BCP process.

30
Q

Once the BCP team is selected, what should be the first item placed on the team’s agenda?

A. Business impact assessment
B. Business organization analysis
C. Resource requirements analysis
D. Legal and regulatory assessment

A

B. The first task of the BCP team should be the review and validation of the business organization analysis initially performed by those individuals responsible for spearheading the BCP effort. This ensures that the initial effort, undertaken by a small group of individuals, reflects the beliefs of the entire BCP team.

31
Q

What is the term used to describe the responsibility of a firm’s officers and directors to ensure that adequate measures are in place to minimize the effect of a disaster on the organization’s continued viability?

A. Corporate responsibility
B. Disaster requirement
C. Due diligence
D. Going concern responsibility

A

C. A firm’s officers and directors are legally bound to exercise due diligence in conducting their activities. This concept creates a fiduciary responsibility on their part to ensure that adequate business continuity plans are in place.

32
Q

What will be the major resource consumed by the BCP process during the BCP phase?

A. Hardware
B. Software
C. Processing time
D. Personnel

A

D. During the planning phase, the most significant resource utilization will be the time dedicated by members of the BCP team to the planning process. This represents a significant use of business resources and is another reason that buy-in from senior management is essential.

33
Q

What unit of measurement should be used to assign quantitative values to assets in the priority identification phase of the business impact assessment?

A. Monetary
B. Utility
C. Importance
D. Time

A

A. The quantitative portion of the priority identification should assign asset values in monetary units.

34
Q

Which one of the following BIA terms identifies the amount of money a business expects to lose to a given risk each year?

A. ARO
B. SLE
C. ALE
D. EF

A

C. The annualized loss expectancy (ALE) represents the amount of money a business expects to lose to a given risk each year. This figure is quite useful when performing a quantitative prioritization of business continuity resource allocation.

35
Q

What BIA metric can be used to express the longest time a business function can be unavailable without causing irreparable harm to the organization?

A. SLE
B. EF
C. MTD
D. ARO

A

C. The annualized loss expectancy (ALE) represents the amount of money a business expects to lose to a given risk each year. This figure is quite useful when performing a quantitative prioritization of business continuity resource allocation.

36
Q

You are concerned about the risk that an avalanche poses to your $3 million shipping facility. Based on expert opinion, you determine that there is a 5 percent chance that an avalanche will occur each year. Experts advise you that an avalanche would completely destroy your building and require you to rebuild on the same land. Ninety percent of the $3 million value of the facility is attributed to the building, and 10 percent is attributed to the land itself. What is the single loss expectancy of your shipping facility to avalanches?

A. $3,000,000
B. $2,700,000
C. $270,000
D. $135,000

A

B. The SLE is the product of the AV and the EF. From the scenario, you know that the AV is $3,000,000 and the EF is 90 percent, based on the fact that the same land can be used to rebuild the facility. This yields an SLE of $2,700,000.

37
Q

Referring to the scenario in question 8, what is the annualized loss expectancy?

A. $3,000,000
B. $2,700,000
C. $270,000
D. $135,000

A

D. This problem requires you to compute the ALE, which is the product of the SLE and the ARO. From the scenario, you know that the ARO is 0.05 (or 5 percent). From question 8, you know that the SLE is $2,700,000. This yields an ALE of $135,000.

38
Q

You are concerned about the risk that a hurricane poses to your corporate headquarters in South Florida. The building itself is valued at $15 million. After consulting with the National Weather Service, you determine that there is a 10 percent likelihood that a hurricane will strike over the course of a year. You hired a team of architects and engineers who determined that the average hurricane would destroy approximately 50 percent of the building. What is the annualized loss expectancy (ALE)?

A. $750,000
B. $1.5 million
C. $7.5 million
D. $15 million

A

D. This problem requires you to compute the ALE, which is the product of the SLE and the ARO. From the scenario, you know that the ARO is 0.05 (or 5 percent). From question 8, you know that the SLE is $2,700,000. This yields an SLE of $135,000.

39
Q

Which task of BCP bridges the gap between the business impact assessment and the continuity planning phases?

A. Resource prioritization
B. Likelihood assessment
C. Strategy development
D. Provisions and processes

A

C. The strategy development task bridges the gap between business impact assessment and continuity planning by analyzing the prioritized list of risks developed during the BIA and determining which risks will be addressed by the BCP.

40
Q

Which resource should you protect first when designing continuity plan provisions and processes?

A. Physical plant
B. Infrastructure
C. Financial resources
D. People

A

D. The safety of human life must always be the paramount concern in business continuity planning. Be sure that your plan reflects this priority, especially in the written documentation that is disseminated to your organization’s employees!

41
Q

Which one of the following concerns is not suitable for quantitative measurement during the business impact assessment?

A. Loss of a plant
B. Damage to a vehicle
C. Negative publicity
D. Power outage

A

C. It is difficult to put a dollar figure on the business lost because of negative publicity. Therefore, this type of concern is better evaluated through a qualitative analysis.

42
Q

Lighter Than Air Industries expects that it would lose $10 million if a tornado struck its aircraft operations facility. It expects that a tornado might strike the facility once every 100 years. What is the single loss expectancy for this scenario?

A. 0.01
B. $10,000,000
C. $100,000
D. 0.10

A

B. The single loss expectancy (SLE) is the amount of damage that would be caused by a single occurrence of the risk. In this case, the SLE is $10 million, the expected damage from one tornado. The fact that a tornado occurs only once every 100 years is not reflected in the SLE but would be reflected in the annualized loss expectancy (ALE).

43
Q

Referring to the scenario in question 14, what is the annualized loss expectancy?

A. 0.01
B. $10,000,000
C. $100,000
D. 0.10

A

C. The annualized loss expectancy (ALE) is computed by taking the product of the single loss expectancy (SLE), which was $10 million in this scenario, and the annualized rate of occurrence (ARO), which was 0.01 in this example. These figures yield an ALE of $100,000.

44
Q

In which business continuity planning task would you actually design procedures and mechanisms to mitigate risks deemed unacceptable by the BCP team?

A. Strategy development
B. Business impact assessment
C. Provisions and processes
D. Resource prioritization

A

C. In the provisions and processes phase, the BCP team actually designs the procedures and mechanisms to mitigate risks that were deemed unacceptable during the strategy development phase.

45
Q

What type of mitigation provision is utilized when redundant communications links are installed?

A. Hardening systems
B. Defining systems
C. Reducing systems
D. Alternative systems

A

D. This is an example of alternative systems. Redundant communications circuits provide backup links that may be used when the primary circuits are unavailable.

46
Q

What type of plan addresses the technical controls associated with alternate processing facilities, backups, and fault tolerance?

A. Business continuity plan
B. Business impact assessment
C. Disaster recovery plan
D. Vulnerability assessment

A

C. Disaster recovery plans pick up where business continuity plans leave off. After a disaster strikes and the business is interrupted, the disaster recovery plan guides response teams in their efforts to quickly restore business operations to normal levels.

47
Q

What is the formula used to compute the single loss expectancy for a risk scenario?

A. SLE = AV × EF
B. SLE = RO × EF
C. SLE = AV × ARO
D. SLE = EF × ARO

A

A. The single loss expectancy (SLE) is computed as the product of the asset value (AV) and the exposure factor (EF). The other formulas displayed here do not accurately reflect this calculation.

48
Q

Of the individuals listed, who would provide the best endorsement for a business continuity plan’s statement of importance?

A. Vice president of business operations
B. Chief information officer
C. Chief executive officer
D. Business continuity manager

A

C. You should strive to have the highest-ranking person possible sign the BCP’s statement of importance. Of the choices given, the chief executive officer is the highest ranking.