Chapter 8 - Business Continuity and Disaster Recovery Planning Flashcards
What phrase best defines a business continuity/disaster recovery plan? A. A set of plans for preventing a disaster B. An approved set of preparations and sufficient procedures for responding to a disaster C. A set of preparations and procedures for responding to a disaster without management approval D. The adequate preparations and procedures for the continuation of all organization functions
D. The adequate preparations and procedures for the continuation of all organization functions
Regardless of industry, which element of legal and regulatory requirements is every industry subject to? A. Sarbanes-Oxley B. HIPAA C. Due Diligence D. BS25999
C. Due Diligence/Care
Which of the following statements BEST describes the extent to which an organization should address business continuity/disaster recovery planning? A. Continuity planning is a significant organizational issue and should include all parts or functions of the company B. Continuity planning is a significant technology issue and the recovery of technology should be its primary focus C. Continuity planning is required only where there is complexity in voice and data communications D. Continuity planning is a significant management issue and should include the primary functions specified by management
A. Continuity planning is a significant organizational issue and should include all parts or functions of the company
A business impact analysis is performed to best identify: A. The impacts of a threat to the organization operation B. The exposures to loss to the organization C. The impacts of risk on the organization D. The cost efficient way to eliminate threats
B. The exposures to loss to the organization
During the risk analysis phase of planning, which of the following actions could best manage threats or mitigate the effects of an event? A. Modifying the exercise scenario B. Developing recovery procedures C. Increasing reliance on key individuals D. Implementing procedural controls
D. Implementing procedural controls
The best reason to implement additional controls or safeguards is to: A. deter or remove the risk B. identify and eliminate the threat C. reduce the impact of the threat D. identify the risk and the threat
C. reduce the impact of the threat
Which of the following statements best describes business impact analysis? A. Risk analysis and organization impact analysis are two different terms describing the same project effort B. A business impact analysis calculates the probability of disruptions to the organization C. A business impact analysis is critical to development of a business continuity plan D. A business impact analysis establishes the effect of disruptions on the organization
D. A business impact analysis establishes the effect of disruptions on the organization
The term disaster recovery refers to the recovery of: A. organization operations B. technology environment C. manufacturing environment D. personnel environments
B. technology environment
Which of the following terms best describes the effort to determine the consequences of disruptions that could result from a disaster? A. Business Impact Analysis B. Risk Analysis C. Risk Assessment D. Project Problem Definition
A. Business Impact Analysis
advantage of using a cold site as a recovery option
less expensive option
elements of risk
threats, assets, and mitigating controls
recovery time objective (RTO)
maximum time a service or system can be unavailable
most efficient restore from tape backup is
full back up
advantage of hot recovery site
highly available
not acceptable for exercising the BCP
halting a production application or function
desired result of a well planned business continuity exercise
identifies strengths and weaknesses
BCP is best updated and maintained
during the configuration and change management process
most important for successful business continuity
senior leadership support
best alternate site approach if RTO is two months
cold site
RPO is zero; what ensures the requirement is met?
RAID 6 with a hot site alternate
Project initiation
Senior Management support; project scope; estimate resources; define timeline and deliverables
2 goals for senior leadership
executing the mission and protecting the organization
Risk from disaster
financial; reputational; regulatory
what to spend
probability of harm * magnitude = cost of protection
Title IX Implementing the 9/11 Commission Recommendation Act of 2007
10 Professional Practice Areas: Project Initiation and Management; Risk Evaluation and Control; Business Impact Analysis; Developing Business Continuity Strategies; Emergency Response and Operations; Developing and Implementing BCP; Awareness and Training Programs; Maintaining and Exercising BCP; Public Relations & Crisis Communication; Coordination with Public Authorities
HIPAA
Requires a data backup plan, a disaster recovery plan, and an emergency mode operations plan regarding privacy and portability of health insurance information
Sarbanes Oxley Section 404
Internal Control report for financial reporting - BCP is not part of it since it is in the future
BIA
identify and prioritize critical organization functions; determine maximum tolerable downtime and other criteria - recovery time objective
Backups
Full; differential (needs last full); incremental (needs last full and previous incrementals)
Internal hot site
site standby ready
external hot site
equipment ready but environment must be rebuilt for recovery
warm site
Partially configured but without actual computers; has cooling, cabling and networks. Computers are delivered at the time of disaster
cold site
Empty data center. All technology must be purchased at the time of disaster
disaster recovery
process of restoring services from a contingency site
event management plan
Needs to identify who is authorized to declare a disaster, how a declaration is done, when the decision to declare is made, and how it will be communicated to the teams that need to respond
procedures
should be reviewed every 3 months and formally audited annually