CISSP Sybex Official Study Guide Chapter 3 Review Questions Flashcards
What is the first step that individuals responsible for the development of a business continuity plan should perform?
A. BCP team selection
B. Business organization analysis
C. Resource requirements analysis
D. Legal and regulatory assessment
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 121). Wiley. Kindle Edition.
B. Business organization analysis
Explanation:
The business organization analysis helps the initial planners select appropriate BCP team members and then guides the overall BCP process.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 952). Wiley. Kindle Edition.
Once the BCP team is selected, what should be the first item placed on the team’s agenda?
A. Business impact assessment
B. Business organization analysis
C. Resource requirements analysis
D. Legal and regulatory assessment
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 121). Wiley. Kindle Edition.
B. Business organization analysis
Explanation:
The first task of the BCP team should be the review and validation of the business organization analysis initially performed by those individuals responsible for spearheading the BCP effort. This ensures that the initial effort, undertaken by a small group of individuals, reflects the beliefs of the entire BCP team.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (pp. 952-953). Wiley. Kindle Edition.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 952). Wiley. Kindle Edition.
What is the term used to describe the responsibility of a firm’s officers and directors to ensure that adequate measures are in place to minimize the effect of a disaster on the organization’s continued viability?
A. Corporate responsibility
B. Review and validation of the business organization analysis
C. Due diligence
D. Going concern responsibility
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 121). Wiley. Kindle Edition.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 121). Wiley. Kindle Edition.
C. Due diligence
Explanation:
A firm’s officers and directors are legally bound to exercise due diligence in conducting their activities. This concept creates a fiduciary responsibility on their part to ensure that adequate business continuity plans are in place.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 953). Wiley. Kindle Edition.
What will be the major resource consumed by the BCP process during the BCP phase?
A. Hardware
B. Software
C. Processing time
D. Personnel
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 121). Wiley. Kindle Edition.
D. Personnel
Explanation:
D. During the planning phase, the most significant resource utilization will be the time dedicated by members of the BCP team to the planning process. This represents a significant use of business resources and is another reason that buy-in from senior management is essential.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 953). Wiley. Kindle Edition.
What unit of measurement should be used to assign quantitative values to assets in the priority identification phase of the business impact assessment?
A. Monetary
B. Utility
C. Importance
D. Time
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 121). Wiley. Kindle Edition.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 121). Wiley. Kindle Edition.
A. Monetary
Explanation:
The quantitative portion of the priority identification should assign asset values in monetary units.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 953). Wiley. Kindle Edition.
Which one of the following BIA terms identifies the amount of money a business expects to lose to a given risk each year?
A. ARO
B. SLE
C. ALE
D. EF
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 121). Wiley. Kindle Edition.
C. ALE
Explanation:
The annualized loss expectancy (ALE) represents the amount of money a business expects to lose to a given risk each year. This figure is quite useful when performing a quantitative prioritization of business continuity resource allocation.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 953). Wiley. Kindle Edition.
What BIA metric can be used to express the longest time a business function can be unavailable without causing irreparable harm to the organization?
A. SLE
B. EF
C. MTD
D. ARO
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 122). Wiley. Kindle Edition.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 122). Wiley. Kindle Edition.
C. MTD
Explanation:
The maximum tolerable downtime (MTD) represents the longest period a business function can be unavailable before causing irreparable harm to the business. This figure is useful when determining the level of business continuity resources to assign to a particular function.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 953). Wiley. Kindle Edition.
You are concerned about the risk that an avalanche poses to your $3 million shipping facility. Based on expert opinion, you determine that there is a 5 percent chance that an avalanche will occur each year. Experts advise you that an avalanche would completely destroy your building and require you to rebuild on the same land. Ninety percent of the $3 million value of the facility is attributed to the building, and 10 percent is attributed to the land itself. What is the single loss expectancy of your shipping facility to avalanches?
A. $3,000,000
B. $2,700,000
C. $270,000
D. $135,000
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 122). Wiley. Kindle Edition.
B. $2,700,000
Explanation:
B. The SLE is the product of the AV and the EF. From the scenario, you know that the AV is $3,000,000 and the EF is 90 percent, based on the fact that the same land can be used to rebuild the facility. This yields an SLE of $2,700,000.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 953). Wiley. Kindle Edition.
Referring to the scenario in question 8, what is the annualized loss expectancy?
A. $3,000,000
B. $2,700,000
C. $270,000
D. $135,000
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 122). Wiley. Kindle Edition.
D. $135,000
Explanation:
This problem requires you to compute the ALE, which is the product of the SLE and the ARO. From the scenario, you know that the ARO is 0.05 (or 5 percent). From question 8, you know that the SLE is $2,700,000. This yields an ALE of $135,000.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 953). Wiley. Kindle Edition.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 953). Wiley. Kindle Edition.
You are concerned about the risk that a hurricane poses to your corporate headquarters in South Florida. The building itself is valued at $15 million. After consulting with the National Weather Service, you determine that there is a 10 percent likelihood that a hurricane will strike over the course of a year. You hired a team of architects and engineers who determined that the average hurricane would destroy approximately 50 percent of the building. What is the annualized loss expectancy (ALE)?
A. $750,000
B. $1.5 million
C. $7.5 million
D. $15 million
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 122). Wiley. Kindle Edition.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 122). Wiley. Kindle Edition.
A. $750,000
Explanation:
This problem requires you to compute the ALE, which is the product of the SLE and ARO. From the scenario, you know that the ARO is 0.10 (or 10 percent). From the scenario presented, you know that the SLE is $7.5 million. This yields an ALE of $750,000.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 953). Wiley. Kindle Edition.
Martin recently completed a thorough quantitative risk assessment for his organization. Which one of the following risks is least likely to be adequately addressed by his assessment?
A. Downtime from data center flooding
B. Cost of recovery from denial of service attack
C. Reputational damage from data breach
D. Remediation costs from ransomware attack
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 122). Wiley. Kindle Edition.
C. Reputational damage from data breach
Explanation:
Quantitative risk assessments focus on financial measures of risk. This methodology is well-suited to assessing the impact of downtime and recovery/remediation costs. It is not well-suited to assessing less tangible risks, such as repetitional damage.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 953). Wiley. Kindle Edition.
Which resource should you protect first when designing continuity plan provisions and processes?
A. Physical plant
B. Infrastructure
C. Financial resources
D. People
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 123). Wiley. Kindle Edition.
D. People
Explanation:
The safety of human life must always be the paramount concern in business continuity planning. Be sure that your plan reflects this priority, especially in the written documentation that is disseminated to your organization’s employees!
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 953). Wiley. Kindle Edition.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 953). Wiley. Kindle Edition.
Which one of the following concerns is not suitable for quantitative measurement during the business impact assessment?
A. Loss of a plant
B. Damage to a vehicle
C. Negative publicity
D. Power outage
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 123). Wiley. Kindle Edition.
C. Negative publicity
Explanation:
It is difficult to put a dollar figure on the business lost because of negative publicity. Therefore, this type of concern is better evaluated through a qualitative analysis.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 953). Wiley. Kindle Edition.
Lighter Than Air Industries expects that it would lose $10 million if a tornado struck its aircraft operations facility. It expects that a tornado might strike the facility once every 100 years. What is the single loss expectancy for this scenario?
A. 0.01
B. $10,000,000
C. $100,000
D. 0.10
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 123). Wiley. Kindle Edition.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 123). Wiley. Kindle Edition.
B. $10,000,000
Explanation:
The single loss expectancy (SLE) is the amount of damage that would be caused by a single occurrence of the risk. In this case, the SLE is $10 million, the expected damage from one tornado. The fact that a tornado occurs only once every 100 years is not reflected in the SLE but would be reflected in the annualized loss expectancy (ALE).
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 953). Wiley. Kindle Edition.
Referring to the scenario in question 14, what is the annualized loss expectancy?
A. 0.01
B. $10,000,000
C. $100,000
D. 0.10
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 123). Wiley. Kindle Edition.
C. $100,000
Explanation:
The annualized loss expectancy (ALE) is computed by taking the product of the single loss expectancy (SLE), which was $10 million in this scenario, and the annualized rate of occurrence (ARO), which was 0.01 in this example. These figures yield an ALE of $100,000.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 954). Wiley. Kindle Edition.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 954). Wiley. Kindle Edition.
