IS and Comm F - Disaster Recovery and Business Continuity Flashcards
In the annual review of the data center of a nationwide mortgage servicing company, the IA manager was concerned about the data center not having an adequate contingency plan. The audit manager was especially concerned because the data center was located close to a river that occasionally flooded and in the vicinity of a major railroad and a major highway. Mgmt acted on the internal auditor’s recommendation to prepare a contingency plan. The most critical aspect of the plan would be to provide for
continuation of mortgage servicing
Risk assessments, recovery plans for data systems, and implementation of safeguards are all components of
a disaster recovery plan
The disaster recovery plan for a firm’s data processing function should categorize systems according to their
priority
The best evidence that a contingency plan is effective is to have
successful testing of the plan
Due to the ever changing nature of LANs, a disaster recovery plan would require
frequent updating
Advances in disaster recovery systems have the _____ effect in driving the changes that are currently occurring in the workplace
least
Technological changes in the workplace are most affected by advances in
computer technology, computer applications, and computer availability
To prevent interruptions in IS operation, _______ and ______ controls are typically included in an organization’s disaster recovery plan
backup and downtime
A routine part of an organization’s disaster recovery plan should require the ongoing prep of
backup files
The mgmt activity ___________ is essential to ensure continuity of operations in the event a disaster or catastrophe impairs IS processing
contingency planning
Cold site is
a location that provides everything necessary to quickly install computer equipment in the event of a disaster striking an organization
Hot site is
a completely operational data processing facility configured to meet the user’s requirements that can be made available to a disaster-stricken organization on short notice
Closed loop verification is
a mechanism whereby one party verifies the purported identity of another party by requiring them to supply a copy of a token transmitted to that identity
Authentication validation is
a process of ensuring that proper parties are allowed to access the system
Segregation of control testing is
a policy to prevent individuals from accessing software or data without the collusion of another party
A company switches all processing to an alternate site and staff members report to the alternate site to verify that they are able to connect to all major systems and perform all core business processes from the alternate site. This is an example of
disaster recovery planning
The performance audit report of an IT department indicated that the dept lacked a DRP. The first step mgmt should take is
prepare a stmt of responsibilities for tasks included in a DRP
Fraud detection in a computer environment could be detected by
reviewing system access logs
Fraud prevention in a computer environment can be carried out by
data encryption and fraud-awareness training
Validity checks are
a way to ensure data entry input is correct
When an IT director collects the names and locations of key vendors, current hardware configuration, names of team members, and an alternative processing location, he is most likely preparing
a disaster recovery plan (DRP)
The best approach to avoid having a data center identified as a terrorist target is to
establish and maintain as low a profile as possible for the data center
An example of a procedure most likely to be included in a DRP is
to store duplicate copies of files in a location away from the computer center
Disaster plans must include all of the following factors:
- backup for programs and data
- alternative processing site
- off-site storage of backup
- identification of critical apps
- method for testing the plan
When a company decentralizes operations from HQ but doesn’t update their contingency plan that was in place prior to the decentralization, then the plan is likely to be out of date because of
changes in equipment, data, and software
An adequate DRP includes:
- regular testing with a simulated disaster
- a plan coordinator responsible for implementing the plan
- specific assignments for individuals and teams
- constant revision and improvement
A total interruption of processing throughout a distributed IT system can be minimized through the use of
fail-soft protection
Fail-soft protection is
the capability to continue processing at all sites except a nonfunctioning one
A copy of the accounting system data backup of year-end information should be stored at
a secure off-site location
A well developed DRP includes provisions for
minimizing disruptions and loss from a disaster as well as providing insurance to replace equipment and compensate for business interruptions
The DRP for an IT department should include
identification of critical applications
A DRP needs to include:
- recovery priorities
- insurance
- specific assignments for EE and depts
- backup facilities
- periodic testing of the recovery plan
- complete documentation of recovery plan (stored off site)
Each day after all processing is finished a bank performs a backup of its online deposit files and retains it for seven days. Copies of each day’s transaction files are not retained. This approach is
risky, in that restoring from the most recent backup file would omit subsequent transactions
Threat is
any event that could damage or harm an IS
Exposure is
the potential dollar loss that could result should a threat occur
Risk is
the likelihood or probability that a threat will actually occur
A nationwide mortgage servicing company is located near a river. Even though floodwaters might not reach the data center, being located adjacent to a river is associated with the risk that in the event of a significant flood
EE might be unable to report to work
With respect to backup procedures for master files that are on magnetic tape as opposed to master files on magnetic disk:
a separate backup run is required for disk while the prior master on magnetic tape serves as a backup
Reciprocal processing agreement is
whereby each party agrees to allow another to use its site, facilities, resources, etc. after a disaster
A reciprocal processing agreement is least likely to be used in
online teleprocessing facilities
A reciprocal processing agreement is most often used for
small systems, large batch operations, and small batch operations
Good planning will help an organization restore computer operations after a processing outage. Good recovery planning should ensure that
backup/restart procedures have been built into job streams and programs
A disaster recovery alternate site configured to meet user data processing requirements, including the appropriate hardware, is called
a hot site
A hot site is _______ than a cold site
more costly
A disaster recovery alternate site that includes power, a/c, and support systems but does not have computers installed is called
a cold site
Cold site users
rely on their computer vendors for prompt delivery of equipment and software if an emergency occurs
A crucial aspect of recovery planning for the company is ensuring that _______ and _______ are incorporated in the plans because such changes have the potential to make the recovery plans inapplicable
organization and operational changes
A data and program backup procedure in which files are electronically transferred to a remote location is
electronic vaulting
A company’s mgmt is aware that it cannot foresee every contingency even with the best planning. Mgmt believes that a more thorough recovery plan increases the ability to resume operations quickly after an interruption and thus to
fulfill its obligations to customers
Warm site is
a data processing facility with the equipment to meet the user’s requirements that is not currently operational
A _____ site has been identified and maintained by the organization as a data processing disaster recovery site but has not been stocked with equipment
cold
A company has significant e-commerce presence and self-hosts its website. To assure continuity in the event of a natural disaster, the firm should adopt the
establishment of an off-site mirrored web server
An organization can have an arrangement with its computer hardware vendor to have a fully operational facility available that is configured to the user’s specific needs. This is best known as
a hot site
After a fire destroys the corporate HQ and largest manufacturing site, plans for _______ would help the organization ensure a timely recovery
business continuity
An effective DRP should address
damages, losses, and disruptions
______ is necessary to determine what would constitute a disaster for an organization
Risk analysis
Contingency planning strategies to react to a disaster include
- system backup analysis
- vendor supply agreement analysis
- contingent facility contract analysis
Companies face the following types of threats:
- strategic
- operating
- financial
- information
Strategic threat is
doing the wrong things
Operating threat is
doing the right things but in the wrong way
Financial threat is
the loss, waste, or theft of financial resources or incurring inappropriate liabilities
Information threat is
incorrect input data, faulty or irrelevant stored info, an unreliable system, and incorrect or misleading reports
A hot site is best described by a
location that is equipped with a redundant hardware and software configuration
Objectives of disaster recovery do not include
performing regular preventive maintenance on key system components
Greater reliance of mgmt on IS increases the exposure to
business interruption
A large property insurance company has regional centers that customers call to report claims. Although the regional centers are not located in areas known to be prone to natural disasters, the company needs a disaster recovery plan that would restore call answering capacity in the event of a disaster or other extended loss of service. The best plan for restoring capacity in the event of a disaster would be to reroute call traffic to:
non-affected regional centers