CHAPTER 8_Business Continuity and Disaster Recovery Flashcards

Question 1

Q

Explanation Bullets: The organization can take the following steps to better ensure the continuity of its outsourcing:

Answer

A

Make the ability of such companies to reliably assure continuity of products and services part of any work proposals.
Make sure that BCP is included in contracts with such companies, and that their responsibilities and levels of service are clearly spelled out.
Draw up realistic and reasonable service levels that the outsourced firm will meet during an incident.
If possible, have the outsourcing companies take part in BCP awareness programs, training, and testing.

Question 2

Q

Explanation Bullets: 2. Performed the BIA

Answer

A

Identified critical business functions, their resources, and MTD values
Identified threats and calculated the impact of these threats
Identified solutions
Presented findings to management

Question 3

Q

Explanation Bullets: • Management Practices:

Answer

A

Management Practices:

* Technical Practices:

Question 4

Q

Emphasis: executive succession planning

Answer

A

Organizations should already have executive succession planning in place. This means that if someone in a senior executive position retires, leaves the company, or is killed, the organization has predetermined steps to carry out to protect the company. The loss of a senior executive could tear a hole in the company’s fabric, creating a leadership vacuum that must be filled quickly with the right individual. The line-of-succes-sion plan defines who would step in and assume responsibility for this role. Many organizations have “deputy” roles. For example, an organization may have a deputy CIO, deputy CFO, and deputy CEO ready to take over the necessary tasks if the CIO, CFO, or CEO becomes unavailable.

Question 5

Q

Emphasis: Identify preventive controls

Answer

A

Identify preventive controls. Once threats are recognized, identify and implement controls and countermeasures to reduce the organization’s risk level in an economical manner.

Question 6

Q

Explanations: Tertiary Sites

Answer

A

During the BIA phase, the team may recognize the danger of the primary backup facility not being available when needed, which could require a tertiary site. This is a secondary backup site, just in case the primary backup site is unavailable. The secondary backup site is sometimes referred to as a “backup to the backup.” This is basically plan B if plan A does not work out.

Question 7

Q

Emphasis: Standards and Best Practices

Answer

A

Standards and Best PracticesAlthough no specific scientific equation must be followed to create continuity plans, certain best practices have proven themselves over time. The National Institute of Standards and Technology (NIST) is responsible for developing best practices and standards as they pertain to U.S. government and military environments. It is common for NIST to document the requirements for these types of environments, and then everyone else in the industry uses their documents as guidelines. So these are “musts” for U.S. government organizations and “good to have” for other nongovernment entities.

Question 8

Q

Explanation Bullets: Business Continuity Planning

Preplanned procedures allow an organization to

Answer

A

Provide an immediate and appropriate response to emergency situations
Protect lives and ensure safety
Reduce business impact
Resume critical business functions
Work with outside vendors and partners during the recovery period
Reduce confusion during a crisis
Ensure survivability of the business
Get “up and running” quickly after a disaster

Question 9

Q

Emphasis: Develop the continuity planning policy statement

Answer

A

Develop the continuity planning policy statement. Write a policy that provides the guidance necessary to develop a BCP, and that assigns authority to the necessary roles to carry out these tasks.

Question 10

Q

Emphasis: ISO 22301

Answer

A

• ISO 22301 Pending International Standard for business continuity management systems. The specification document against which organizations will seek certification.

Question 11

Q

Emphasis: recovery strategy stage

Answer

A

In the recovery strategy stage, the team approaches the information gathered during the BIA stage from a practical perspective. It has to figure out what the company needs to do to actually recover the items it has identified as being so important to the organization overall. In its business continuity and recovery strategy, the team closely examines the critical, agreed-upon business functions, and then evaluates the numerous recovery and backup alternatives that might be used to recover critical business operations.

Question 12

Q

Explanations: Human Resources

Answer

A

We have everything up and running now—where are all the people to run these systems?

Question 13

Q

Bullets: Strengths

Answer

A

Characteristics of the project team that give it an advantage over others

Question 14

Q

Explanation Bullets: The main parts of a risk assessment are:

Answer

A

Review the existing strategies for risk management
Construct a numerical scoring system for probabilities and impacts
Make use of a numerical score to gauge the effect of the threat
Estimate the probability of each threat
Weigh each threat through the scoring system
Calculate the risk by combining the scores of likelihood and impact of each threat
Get the organization’s sponsor to sign off on these risk priorities
Weigh appropriate measures
Make sure that planned measures that alleviate risk do not heighten other risks
Present the assessment’s findings to executive management

Question 15

Q

Emphasis: Enterprise-Wide BCP

Answer

A

Enterprise-Wide BCPThe agreed-upon scope of the BCP will indicate if one or more facilities will be included in the plan. Most BCPs are developed to cover the enterprise as a whole, instead of dealing with only portions of the organization. In larger organizations, it can be helpful for each department to have its own specific contingency plan that will address its specific needs during recovery. These individual plans need to be compatible with the enterprise-wide BCP.

Question 16

Q

Emphasis: BS 25999

Answer

A

• BS 25999 The British Standards Institute’s (BSI) standard for business continuity management (BCM). This BS standard has two parts:

Question 17

Q

Explanations: BCP Project Components

Answer

A

Before everyone runs off in 2,000 different directions at one time, let’s understand what needs to be done in the project initiation phase. This is the phase in which the company really needs to figure out what it is doing and why. So, after someone gets the donuts and coffee, let’s get down to business.

Question 18

Q

Explanations: Recovery Strategies

Answer

A

Up to this point, the BCP team has carried out the project initiation phase. In this phase, the team obtained management support and the necessary resources, laid out the scope of the project, and identified the BCP team. It also completed the BIA phase. This means that the committee carried out a risk assessment and analysis, which resulted in a report of the real risk level the company faces.

Question 19

Q

Explanations: Supply and Technology Recovery

Answer

A

At this point, the BCP team has mapped out the necessary business functions that need to be up and running and the specific backup facility option that is best for its organization. Now the team needs to dig down into the more granular items, such as backup solutions for the following:

Question 20

Q

Emphasis: Facility Recovery

Answer

A

Facility RecoveryDisruptions, in BCP terms, are of three main types: nondisasters, disasters, and catastrophes. A nondisaster is a disruption in service due to a device malfunction or failure. The solution could include hardware, software, or file restoration. A disaster is an event that causes the entire facility to be unusable for a day or longer. This usually requires the use of an alternate processing facility and restoration of software and data from offsite copies. The alternate site must be available to the company until its main facility is repaired and usable. A catastrophe is a major disruption that destroys the facility altogether. This requires both a short-term solution, which would be an offsite facility, and a long-term solution, which may require rebuilding the original facility.

Question 21

Q

Explanation Bullets: Warm and Cold Site Disadvantages

Answer

A

Operational testing not usually available

* Resources for operations not immediately available

Question 22

Q

Explanation Bullets: Hot Site Disadvantages

Answer

A

Very expensive

* Limited on hardware and software choices

Question 23

Q

Explanation Bullets: The initiation process for BCP might include the following:

Answer

A

Setting up a budget and staff for the program before the BCP process begins. Dedicated personnel and dedicated hours are essential for executing something as labor-intensive as a BCP.
Setting up the program would include assigning duties and responsibilities to the BCP coordinator and to representatives from all of the functional units of the organization.
Senior management should kick off the BCP with a formal announcement or, better still, an organization-wide meeting to demonstrate high-level support.
Awareness-raising activities to let employees know about the BCP program and to build internal support for it.
Establishment of skills training for the support of the BCP effort.
The start of data collection from throughout the organization to aid in crafting various continuity options.
Putting into effect “quick wins” and gathering of “low-hanging fruit” to show tangible evidence of improvement in the organization’s readiness, as well as improving readiness.

Question 24

Q

Emphasis: business interruption insurance

Answer

A

A company could also choose to purchase a business interruption insurance policy. With this type of policy, if the company is out of business for a certain length of time, the insurance company will pay for specified expenses and lost earnings. Another policy that can be bought insures accounts receivable. If a company cannot collect on its accounts receivable for one reason or another, this type of coverage covers part or all of the losses and costs.

Question 25

Q

Explanation Bullets: The BCP team needs to understand these different steps of the company’s most critical processes. The data are usually presented as a workflow document that contains the roles and resources needed for each process. The BCP team must understand the following about critical business processes:

Answer

A

Required roles
Required resources
Input and output mechanisms
Workflow steps
Required time for completion
Interfaces with other processes

Question 26

Q

Emphasis: business continuity plan (BCP)

Answer

A

A disaster recovery plan (DRP) is carried out when everything is still in emergency mode, and everyone is scrambling to get all critical systems back online. A business continuity plan (BCP) takes a broader approach to the problem. It can include getting critical systems to another environment while repair of the original facilities is under way, getting the right people to the right places during this time, and performing business in a different mode until regular conditions are back in place. It also involves dealing with customers, partners, and shareholders through different channels until everything returns to normal. So, disaster recovery deals with, “Oh my goodness, the sky is falling,” and continuity planning deals with, “Okay, the sky fell. Now, how do we stay in business until someone can put the sky back where it belongs?”

Question 27

Q

Supply and Technology Recovery : At this point, the BCP team has mapped out the necessary business functions that need to be up and running and the specific backup facility option that is best for its organization. Now the team needs to dig down into the more granular items, such as backup solutions for the following:

Answer

A

Network and computer equipment
Voice and data communications resources
Human resources
Transportation of equipment and personnel
Environment issues (HVAC)
Data and personnel security issues
Supplies (paper, forms, cabling, and so on)
Documentation

Question 28

Q

Explanation Bullets: Single points of failure, that is, concentrations of risk that threaten business continuity

Answer

A

Continuity risks from concentrations of critical skills or critical shortages of skills
Continuity risks due to outsourced vendors and suppliers
Continuity risks that the BCP program has accepted, that are handled elsewhere, or that the BCP program does not address

Question 29

Q

Emphasis: Conduct the business impact analysis (BIA)

Answer

A

Conduct the business impact analysis (BIA). Identify critical functions and systems and allow the organization to prioritize them based on necessity. Identify vulnerabilities and threats, and calculate risks.

Question 30

Q

Explanation Bullets: In the industry, HA is usually thought about only in technology terms, but remember that there are many things that an organization needs to keep functioning. Availability of each of the following items must be thought through and planned:

Answer

A

Facility
Cold, warm, hot, redundant, rolling, reciprocal sites
Infrastructure
Redundancy, fault tolerance
Storage
RAID, Storage Area Network (SAN), mirroring, disk shadowing, cloud
Server
Clustering, load balancing
Data
Tapes, backups, vaulting, online replication
Business processes
People

Question 31

Q

Emphasis: Maintain the plan

Answer

A

Maintain the plan. Put in place steps to ensure the BCP is a living document that is updated regularly.

Question 32

Q

Emphasis: ISO/IEC 27031:2011

Answer

A

• ISO/IEC 27031:2011 Guidelines for information and communications technology readiness for business continuity. This ISO/IEC standard that is a component of the overall ISO/IEC 27000 series was covered in Chapter 2.

Question 33

Q

Emphasis: Business Process Recovery

Answer

A

Business Process RecoveryA business process is a set of interrelated steps linked through specific decision activities to accomplish a specific task. Business processes have starting and ending points and are repeatable. The processes should encapsulate the knowledge about services, resources, and operations provided by a company. For example, when a customer requests to buy a book via an organization’s e-commerce site, a set of steps must be followed, such as these:

Question 34

Q

Emphasis: full backup

Answer

A

The first step is to do a full backup, which is just what it sounds like—all data are backed up and saved to some type of storage media. During a full backup, the archive bit is cleared, which means that it is set to 0. A company can choose to do full backups only, in which case the restoration process is just one step, but the backup and restore processes could take a long time.

Question 35

Q

Emphasis: Develop the contingency plan

Answer

A

Develop the contingency plan. Write procedures and guidelines for how the organization can still stay functional in a crippled state.

Question 36

Q

Explanation Bullets: The process of drawing up a policy includes these steps:

Answer

A

Identify and document the components of the policy.
Identify and define policies of the organization that the BCP might affect.
Identify pertinent legislation, laws, regulations, and standards.
Identify “good industry practice” guidelines by consulting with industry experts.
Perform a gap analysis. Find out where the organization currently is in terms of continuity planning, and spell out where it wants to be at the end of the BCP process.
Compose a draft of the new policy.
Have different departments within the organization review the draft.
Put the feedback from the departments into a revised draft.
Get the approval of top management on the new policy.
Publish a final draft, and distribute and publicize it throughout the organization.

Question 37

Q

Explanation Bullets: Up until now, we have established management’s responsibilities as the following:

Answer

A

Committing fully to the BCP
Setting policy and goals
Making available the necessary funds and resources
Taking responsibility for the outcome of the development of the BCP
Appointing a team for the process

Question 38

Q

Explanations: Implementing Strategies

Answer

A

Once the strategies have been decided upon, the BCP team needs to document them and put them into place. This moves the efforts from a purely planning stage to an actual implementation and action phase.

Question 39

Q

Emphasis: Business Continuity Institute’s Good Practice Guidelines (GPG)

Answer

A

• Business Continuity Institute’s Good Practice Guidelines (GPG) BCM best practices, which are broken down into the following management and technical practices:

Question 40

Q

Emphasis: salvage team

Answer

A

The restoration team should be responsible for getting the alternate site into a working and functioning environment, and the salvage team should be responsible for starting the recovery of the original site. Both teams must know how to do many tasks, such as install operating systems, configure workstations and servers, string wire and cabling, set up the network and configure networking services, and install equipment and applications. Both teams must also know how to restore data from backup facilities. They also must know how to do so in a secure manner, one that ensures the confidentiality, integrity, and availability of the system and data.

Question 41

Q

Bullets: Weaknesses

Answer

A

Characteristics that place the team at a disadvantage relative to others

Question 42

Q

Explanation Bullets: The BCP team’s responsibilities are as follows:

Answer

A

Identifying regulatory and legal requirements that must be met
Identifying all possible vulnerabilities and threats
Estimating the possibilities of these threats and the loss potential
Performing a BIA
Outlining which departments, systems, and processes must be up and running before any others
Identifying interdependencies among departments and processes
Developing procedures and steps in resuming business after a disaster

Question 43

Q

Explanations: Risk Assessment

Answer

A

To achieve success, the organization should systematically plan and execute a formal BCP-related risk assessment. The assessment fully takes into account the organization’s tolerance for continuity risks. The risk assessment also makes use of the data in the BIA to supply a consistent estimate of exposure.

Question 44

Q

Explanation Bullets: The BCP team should carry out and address in the resulting plan the following interrelation and interdependency tasks:

Answer

A

Define essential business functions and supporting departments.
Identify interdependencies between these functions and departments.
Discover all possible disruptions that could affect the mechanisms necessary to allow these departments to function together.
Identify and document potential threats that could disrupt interdepartmental communication.
Gather quantitative and qualitative information pertaining to those threats.
Provide alternative methods of restoring functionality and communication.
Provide a brief statement of rationale for each threat and corresponding information.

Question 45

Q

Explanation Bullets: Organizations can keep the plan updated by taking the following actions:

Answer

A

Make business continuity a part of every business decision.
Insert the maintenance responsibilities into job descriptions.
Include maintenance in personnel evaluations.
Perform internal audits that include disaster recovery and continuity documentation and procedures.
Perform regular drills that use the plan.
Integrate the BCP into the current change management process.
Incorporate lessons learned from actual incidents into the plan.

Question 46

Q

Explanation Bullets: Warm and Cold Site Advantages

Answer

A

Less expensive
Available for longer timeframes because of the reduced costs
Practical for proprietary hardware or software use

Question 47

Q

Emphasis: redundant sites

Answer

A

Some companies choose to have redundant sites, or mirrored sites, meaning one site is equipped and configured exactly like the primary site, which serves as a redundant environment. The business-processing capabilities between the two sites can be completely synchronized. These sites are owned by the company and are mirrors of the original production environment. A redundant site has clear advantages: it has full availability, is ready to go at a moment’s notice, and is under the organization’s complete control. This is, however, one of the most expensive backup facility options, because a full environment must be maintained even though it usually is not used for regular production activities until after a disaster takes place that triggers the relocation of services to the redundant site. But expensive is relative here. If the company would lose a million dollars if it were out of business for just a few hours, the loss potential would override the cost of this option. Many organizations are subjected to regulations that dictate they must have redundant sites in place, so expense is not an issue in these situations.

Question 48

Q

Emphasis: Warm site

Answer

A

• Warm site A leased or rented facility that is usually partially configured with some equipment, such as HVAC, and foundational infrastructure components, but not the actual computers. In other words, a warm site is usually a hot site without the expensive equipment such as communication equipment and servers. Staging a facility with duplicate hardware and computers configured for immediate operation is extremely expensive, so a warm site provides an alternate facility with some peripheral devices.

Question 49

Q

Emphasis: functional analysis

Answer

A

A BIA (business impact analysis) is considered a functional analysis, in which a team collects data through interviews and documentary sources; documents business functions, activities, and transactions; develops a hierarchy of business functions; and finally applies a classification scheme to indicate each individual function’s criticality level. But how do we determine a classification scheme based on criticality levels?

Question 50

Q

Bullets: Responsibility

Answer

A

Each individual involved with recovery and continuity should have their responsibilities spelled out in writing to ensure a clear understanding in a chaotic situation. Each task should be assigned to the individual most logically situated to handle it. These individuals must know what is expected of them, which is done through training, drills, communication, and documentation. So, for example, instead of just running out of the building screaming, an individual must know that he is responsible for shutting down the servers before he can run out of the building screaming.

Question 51

Q

Explanation Bullets: The following provides a quick overview of the differences between offsite facilities:

Hot Site Advantages

Answer

A

Ready within hours for operation
Highly available
Usually used for short-term solutions, but available for longer stays
Annual testing available

Question 52

Q

Explanations: Software Backups

Answer

A

I have a backup server and my backed-up data, but no operating system or applications.

Question 53

Q

Explanation Bullets: 3. Identified and implemented preventive controls

Answer

A

Put controls into place to reduce the company’s identified risks
Bought insurance
Implemented facility structural reinforcements
Rolled out backup solutions for data
Installed redundant and fault-tolerant mechanisms

Question 54

Q

Explanation Bullets: Important issues need to be addressed before a disaster hits if a company decides to participate in a reciprocal agreement with another company:

Answer

A

How long will the facility be available to the company in need?
How much assistance will the staff supply in integrating the two environments and ongoing support?
How quickly can the company in need move into the facility?
What are the issues pertaining to interoperability?
How many of the resources will be available to the company in need?
How will differences and conflicts be addressed?
How does change control and configuration management take place?
How often can drills and testing take place?
How can critical assets of both companies be properly protected?

Question 55

Q

Explanation Bullets: Which types of preventive mechanisms should be put in place depends upon the results of the BIA, but they may include some of the following:

Answer

A

Fortification of the facility in its construction materials
Redundant servers and communications links
Redundant power lines coming in through different transformers
Redundant vendor support
Purchasing of insurance
Purchasing of uninterruptible power supplies (UPSs) and generators
Data backup technologies
Media protection safeguards
Increased inventory of critical equipment
Fire detection and suppression systems

Question 56

Q

Emphasis: cold site

Answer

A

Most companies use warm sites, which have some devices such as disk drives, tape drives, and controllers, but very little else. These companies usually cannot afford a hot site, and the extra downtime would not be considered detrimental. A warm site can provide a longer-term solution than a hot site. Companies that decide to go with a cold site must be able to be out of operation for a week or two. The cold site usually includes power, raised flooring, climate control, and wiring.

Question 57

Q

Explanation Bullets: A company needs to address several issues and ask specific questions when it is deciding upon a storage facility for its backup materials. The following provides a list of just some of the issues that need to be thought through before committing to a specific vendor for this service:

Answer

A

Can the media be accessed in the necessary timeframe?
Is the facility closed on weekends and holidays, and does it only operate during specific hours of the day?
Are the access control mechanisms tied to an alarm and/or the police station?
Does the facility have the capability to protect the media from a variety of threats?
What is the availability of a bonded transport service?
Are there any geographical environmental hazards such as floods, earthquakes, tornadoes, and so on that might affect the facility?
Is there a fire detection and suppression system?
Does the facility provide temperature and humidity monitoring and control?
What type of physical, administrative, and logical access controls are used?

Question 58

Q

Emphasis: failover

Answer

A

If a technology has a failover capability, this means that if there is a failure that cannot be handled through normal means, then processing is “switched over” to a working system. For example, two servers can be configured to send each other heartbeat signals every 30 seconds. If server A does not receive a heartbeat signal from server B after 40 seconds, then all processes are moved to server A so that there is no lag in operations. Also, when servers are clustered, this means that there is an overarching piece of software monitoring each server and carrying out load balancing. If one server within the cluster goes down, the clustering software stops sending it data to process so that there are no delays in processing activities.

Question 59

Q

Emphasis: Work Recovery Time (WRT)

Answer

A

The Work Recovery Time (WRT) is the remainder of the overall MTD value. RTO usually deals with getting the infrastructure and systems back up and running, and WRT deals with restoring data, testing processes, and then making everything “live” for production purposes.

Question 60

Q

Emphasis: Cold site

Answer

A

• Cold site A leased or rented facility that supplies the basic environment, electrical wiring, air conditioning, plumbing, and flooring, but none of the equipment or additional services. A cold site is essentially an empty data center. It may take weeks to get the site activated and ready for work. The cold site could have equipment racks and dark fiber (fiber that does not have the circuit engaged) and maybe even desks. However, it would require the receipt of equipment from the client, since it does not provide any.

Question 61

Q

Bullets: Authority

Answer

A

In times of crisis, it is important to know who is in charge. Teamwork is important in these situations, and almost every team does much better with an established and trusted leader. Such leaders must know that they are expected to step up to the plate in a time of crisis and understand what type of direction they should provide to the rest of the employees. Clear-cut authority will aid in reducing confusion and increasing cooperation.

Question 62

Q

Emphasis: High availability (HA)

Answer

A

High availability (HA) is a combination of technologies and processes that work together to ensure that some specific thing is always up and running. The specific thing can be a database, a network, an application, a power supply, etc. Service providers have SLAs with their customers, which outline the amount of uptime they promise to provide and a turnaround time to get the item fixed if it does go down. For example, a hosting company can promise to provide 98 percent uptime for Internet connectivity. This means they are guaranteeing that at least 98 percent of the time, the Internet connection you purchase from them will be up and running. The hosting company knows that some things may take place to interrupt this service, but within your SLA with them, it promises an eight-hour turnaround time. This means if your Internet connection does go down, they will either fix it or provide you with a different connection within eight hours.

Question 63

Q

Emphasis: Recovery Time Objective (RTO)

Answer

A

The Recovery Time Objective (RTO) is the earliest time period and a service level within which a business process must be restored after a disaster to avoid unacceptable consequences associated with a break in business continuity. The RTO value is smaller than the MTD value, because the MTD value represents the time after which an inability to recover significant operations will mean severe and perhaps irreparable damage to the organization’s reputation or bottom line. The RTO assumes that there is a period of acceptable downtime. This means that a company can be out of production for a certain period of time (RTO) and still get back on its feet. But if the company cannot get production up and running within the MTD window, the company is sinking too fast to properly recover.

Question 64

Q

Emphasis: DRI International Institute’s Professional Practices for Business Continuity Planners

Answer

A

• DRI International Institute’s Professional Practices for Business Continuity Planners Best practices and framework to allow for BCM processes, which are broken down into the following sections:

Answer 65

A

Vulnerabilities for all of the organization’s most time-sensitive resources and activities
Threats and hazards to the organization’s most urgent resources and activities
Measures that cut the possibility, length, or effect of a disruption on critical services and products

Answer 66

A

Offsite LocationWhen choosing a backup facility, it should be far enough away from the original site so that one disaster does not take out both locations. In other words, it is not logical to have the backup site only a few miles away if the company is concerned about tornado damage, because the backup site could also be affected or destroyed. There is a rule of thumb that suggests that alternate facilities should be, at a bare minimum, at least 5 miles away from the primary site, while 15 miles is recommended for most low-to-medium critical environments, and 50 to 200 miles is recommended for critical operations to give maximum protection in cases of regional disasters.

Answer 67

A

Identify the company’s critical business functions.
Decide on information-gathering techniques: interviews, surveys, qualitative or quantitative questionnaires.
Identify resources these functions depend upon.
Calculate how long these functions can be without these resources.
Identify vulnerabilities and threats to these functions.
Calculate the risk for each different business function.
Develop backup solutions for resources based on tolerable outage times.
Develop recovery solutions for the company’s individual departments and for the company as a whole.

Answer 68

A

Danger to human life
Danger to state or national security
Damage to facility
Damage to critical systems
Estimated value of downtime that will be experienced

Answer 69

A

It is extremely important to know what is critical versus what is merely nice to have. Different departments provide different functionality for an organization. The critical departments must be singled out from the departments that provide functionality that the company can live without for a week or two. It is necessary to know which department must come online first, which second, and so on. That way, the efforts are made in the most useful, effective, and focused manner. Along with the priorities of departments, the priorities of systems, information, and programs must be established. It may be necessary to ensure that the database is up and running before working to bring the web servers online. The general priorities must be set by management with the help of the different departments and IT staff.

Answer 70

A

Business process recovery
Facility recovery
Supply and technology recovery
User environment recovery
Data recovery

Answer 71

A

Because the end users are usually the worker bees of a company, they must be provided a functioning environment as soon as possible after a disaster hits. This means that the BCP team must understand the current operational and technical functioning environment and examine critical pieces so they can replicate them.

Answer 72

A

Equipment malfunction or unavailable equipment
Unavailable utilities (HVAC, power, communications lines)
Facility becomes unavailable
Critical personnel become unavailable
Vendor and service providers become unavailable
Software and/or data corruption

Answer 73

A

A leader needs a team, so a BCP committee needs to be put together. Management and the coordinator should work together to appoint specific, qualified people to be on this committee. The team must comprise people who are familiar with the different departments within the company, because each department is unique in its functionality and has distinctive risks and threats. The best plan is when all issues and threats are brought to the table and discussed. This cannot be done effectively with a few people who are familiar with only a couple of departments. Representatives from each department must be involved with not only the planning stages but also the testing and implementation stages.

Answer 74

A

Back up data from the alternate site and restore it within the new facility.
Carefully terminate contingency operations.
Securely transport equipment and personnel to the new facility.

Answer 75

A

Implemented processes of getting the company up and running in the necessary time
Created the necessary teams
Developed goals and procedures for each team
Created notification steps and planned activation criteria
Identified alternate backup solutions

Answer 76

A

In a BCP setting, a risk assessment looks at the impact and likelihood of various threats that could trigger a business disruption. The tools, techniques, and methods of risk assessment include determining threats, assessing probabilities, tabulating threats, and analyzing costs and benefits.

Answer 77

A

Manually backing up systems and data can be time-consuming, error-prone, and costly. Several technologies serve as automated backup alternatives. Although these technologies are usually more expensive, they are quicker and more accurate, which may be necessary for online information that changes often.

Answer 78

A

Understanding the Organization FirstA company has no real hope of rebuilding itself and its processes after a disaster if it does not have a good understanding of how its organization works in the first place. This notion might seem absurd at first. You might think, “Well, of course a company knows how it works.” But you would be surprised at how difficult it is to fully understand an organization down to the level of detail required to rebuild it. Each individual may know and understand his or her little world within the company, but hardly anyone at any company can fully explain how each and every business process takes place.

Answer 79

A

Test the plan and conduct training and exercises. Test the plan to identify deficiencies in the BCP, and conduct training to properly prepare individuals on their expected tasks.

Answer 80

A

Why do we need to combine business continuity and security plans anyway?Response: They both protect the business, unenlightened one.

Answer 81

A

Fault tolerance is the capability of a technology to continue to operate as expected even if something unexpected takes place (a fault). If a database experiences an unexpected glitch, it can roll back to a known good state and continue functioning as though nothing bad happened. If a packet gets lost or corrupted during a TCP session, the TCP protocol will resend the packet so that system-to-system communication is not affected. If a disk within a RAID system gets corrupted, the system uses its parity data to rebuild the corrupted data so that operations are not affected.

Answer 82

A

Objective-to-task mapping
Resource-to-task mapping
Workflows
Milestones
Deliverables
Budget estimates
Success factors
Deadlines

Answer 83

A

Business units
Senior management
IT department
Security department
Communications department
Legal department

Answer 84

A

The BCP policy supplies the framework for and governance of designing and building the BCP effort. The policy helps the organization understand the importance of BCP by outlining BCP’s purpose. It provides an overview of the principles of the organization and those behind BCP, and the context for how the BCP team will proceed.

Answer 85

A

Damage assessment team
Legal team
Media relations team
Recovery team
Relocation team
Restoration team
Salvage team
Security team

Answer 86

A

Assigning Values to AssetsThe next step in the risk analysis is to assign a value to the assets that could be affected by each threat. This helps establish economic feasibility of the overall plan. As discussed in Chapter 2, assigning values to assets is not as straightforward as it seems. The value of an asset is not just the amount of money paid for it. The asset’s role in the company has to be considered, along with the labor hours that went into creating it if it is a piece of software. The value amount could also encompass the liability issues that surround the asset if it were damaged or insecure in any manner. (Review Chapter 2 for an in-depth description and criteria for calculating asset value.)

Answer 87

A

Elements that could contribute to the project’s success

Answer 88

A

It is great to write down very profound ideas and develop plans, but unless they are actually carried out and tested, they may not add up to a hill of beans. Once a continuity plan is developed, it actually has to be put into action. It needs to be documented and put in places that are easily accessible in times of crisis. The people who are assigned specific tasks need to be taught and informed how to fulfill those tasks, and dry runs must be done to walk people through different situations. The drills should take place at least once a year, and the entire program should be continually updated and improved.

Answer 89

A

High AvailabilityHigh availability (HA) is a combination of technologies and processes that work together to ensure that some specific thing is always up and running. The specific thing can be a database, a network, an application, a power supply, etc. Service providers have SLAs with their customers, which outline the amount of uptime they promise to provide and a turnaround time to get the item fixed if it does go down. For example, a hosting company can promise to provide 98 percent uptime for Internet connectivity. This means they are guaranteeing that at least 98 percent of the time, the Internet connection you purchase from them will be up and running. The hosting company knows that some things may take place to interrupt this service, but within your SLA with them, it promises an eight-hour turnaround time. This means if your Internet connection does go down, they will either fix it or provide you with a different connection within eight hours.

Answer 90

A

Since there is so much work in collecting, analyzing, and maintaining DRP and BCP data, using a product that automates these tasks can prove to be extremely helpful.

Answer 91

A

Disk shadowing is used to ensure the availability of data and to provide a fault-tolerant solution by duplicating hardware and maintaining more than one copy of the information. The data are dynamically created and maintained on two or more identical disks. If only disk mirroring is used, then each disk would have a corresponding mirrored disk that contains the exact same information. If shadow sets are used, the data can be stored as images on two or more disks.

Answer 92

A

As we have discussed so far, backup alternatives are needed for hardware, software, personnel, and offsite facilities. It is up to each company and its continuity team to decide if all of these components are necessary for its survival and the specifics for each type of backup needed.

Answer 93

A

Why do we need to combine business continuity and security plans anyway?Response: They both protect the business, unenlightened one.

Answer 94

A

The business continuity process is not integrated into the change management process.
Changes occur to the infrastructure and environment.
Reorganization of the company, layoffs, or mergers occur.
Changes in hardware, software, and applications occur.
After the plan is constructed, people feel their job is done.
Personnel turn over.
Large plans take a lot of work to maintain.
Plans do not have a direct line to profitability.

Answer 95

A

Maximum tolerable downtime and disruption for activities
Operational disruption and productivity
Financial considerations
Regulatory responsibilities
Reputation

Answer 96

A

NOTE Disk duplexing means there is more than one disk controller. If one disk controller fails, the other is ready and available.

Answer 97

A

Operations depend on manufacturing, manufacturing depends on R&D, payroll depends on accounting, and they all depend on IT.

Answer 98

A

Identifying and documenting single points of failure
Making a prioritized list of threats to the particular business processes of the organization
Putting together information for developing a management strategy for risk control, and for developing action plans for addressing risks
Documenting acceptance of identified risks, or documenting acknowledgment of risks that will not be addressed

Answer 99

A

Elements that could contribute to the project’s failure

Answer 100

A

This type of test is the most intrusive to regular operations and business productivity. The original site is actually shut down, and processing takes place at the alternate site. The recovery team fulfills its obligations in preparing the systems and environment for the alternate site. All processing is done only on devices at the alternate offsite facility.

Answer 101

A

• Hot site A facility that is leased or rented and is fully configured and ready to operate within a few hours. The only missing resources from a hot site are usually the data, which will be retrieved from a backup site, and the people who will be processing the data. The equipment and system software must absolutely be compatible with the data being restored from the main site and must not cause any negative interoperability issues. Some facilities, for a fee, store data backups close to the hot site. These sites are a good choice for a company that needs to ensure a site will be available for it as soon as possible. Most hot-site facilities support annual tests that can be done by the company to ensure the site is functioning in the necessary state of readiness.

Answer 102

A

The goal of disaster recovery is to minimize the effects of a disaster or disruption. It means taking the necessary steps to ensure that the resources, personnel, and business processes are able to resume operation in a timely manner. This is different from continuity planning, which provides methods and procedures for dealing with longer-term outages and disasters. The goal of a disaster recovery plan is to handle the disaster and its ramifications right after the disaster hits; the disaster recovery plan is usually very information technology (IT)–focused.

Answer 103

A

Loss in reputation and public confidence
Loss of competitive advantages
Increase in operational expenses
Violations of contract agreements
Violations of legal and regulatory requirements
Delayed income costs
Loss in revenue
Loss in productivity

Brainscape's Knowledge GenomeTM

CHAPTER 8_Business Continuity and Disaster Recovery Flashcards

Brainscape's Knowledge Genome^TM