Module 5: Business Impact Analysis

Question 1

organization’s ability to adapt to disruptions and incidents in order to maintain continuous operations and to protect the organization’s assets

Answer 1

Business Resilience

Question 2

Business Resilience: What should CISA candidates be aware of?

Answer 2

Alignment of:
1. Disaster Recovery Plan and Business Continuity Plan
2. DRP and BCP with the organization’s goals and risk tolerance

Question 3

is a critical step in developing the business continuity strategy and the subsequent implementation of
the risk countermeasures

Answer 3

Business Impact Analysis

Question 4

Business Impact Analysis: BIA is most important when developing what?

Answer 4

The business continuity plan

Question 5

In what order does risk assessment and business impact analysis happen?

Answer 5

Risk Assessment first and then Business Impact Analysis

Question 6

Business Impact Analysis: BIA is used to evaluate the critical processes only and not the IT components themselves (T or F)

Answer 6

False. It also take into consideration the it components supporting the processes

Question 7

Business Impact Analysis: What do BIAs aim to determine?

Answer 7

1. Time frames
2. Priorities
3. Resources
4. Interdependencies

Question 8

Business Impact Analysis: We don’t need to do a BIA if we have done an extensive Risk Assessment already because it will be redundant (T or F)

Answer 8

False. The rule of thumb is to double check always because less visible but vital components can be uncovered

Question 9

Business Impact Analysis: What do you need to check when IT activities are outsourced?

Answer 9

• SLAs
• Warranties
• Terms and Conditions

Question 10

Business Impact Analysis: To perform a BIA successfully what should one have?

Answer 10

1. Understanding of the ORganization
2. Understanding of Key Business Processes
3. Understanding of IT resources used

Question 11

Business Impact Analysis: To get a better understanding of the organization such as its IT resources and Key Business Processes, where can you get that information?

Answer 11

Risk Assessment results

Question 12

Business Impact Analysis: BIA requires what, in terms of individuals?

Answer 12

1. High level of senior management support
2. Extensive Involvement of IT and End-user Personnel

Question 13

Business Impact Analysis: To whom do you circulate the questionnaire?

Answer 13

1. Key Users in IT
2. End-User

Question 14

Business Impact Analysis: What are the different approaches in performing BIA?

Answer 14

1. Questionnaire
2. Interview with key users only
3. Interview with IT personnel and End Users

Question 15

Business Impact Analysis: What type of auditing do these three approaches belong to?

Answer 15

Participative Auditing

Question 16

Business Impact Analysis: What are the two cost factors to consider in a BIA?

Answer 16

1. Downtime Costs
2. Alternative Recovery Strategies

Question 17

Business Impact Analysis: What is the relationship of downtime costs with time and cost?

Answer 17

It is positively sloping

Question 18

Business Impact Analysis: Downtime costs flatten out at some point (T or F)

Answer 18

True. This signifies the moment where the business process stops working or it can no longer function

Question 19

Business Impact Analysis: What is the relationship of alternative corrective measure with cost and time

Answer 19

It is downward sloping

Question 20

Business Impact Analysis: The recovery cost has also many components most of which are flexible (T or F)

Answer 20

False, they are rigid-inelastic

Question 21

Business Impact Analysis: Each possible strategy has a fixed cost (T or F)

Answer 21

True

Question 22

Business Impact Analysis: Both Variable Costs and Fixed Costs depend on which strategy is implemented (T or F)

Answer 22

True

Question 23

Business Impact Analysis: The curve of the sum is usually a? How can you find the optimal strategy using that curve?

Answer 23

U curve. The bottom of the u curve represents the lowest cost strategy

Question 24

Criticality Analysis: What is the risk ranking based off?

Answer 24

Likelihood and Impact

Question 25

Criticality Analysis: A critical classification’s tolerance to interruption is ____ and cost of interruption is ______

Answer 25

Very low; Very high

Question 26

Criticality Analysis: Critical means that it can’t be performed unless replaced by ________

Answer 26

Identical capabilities

Question 27

Criticality Analysis: Critical applications cannot be replaced by manual methods (T or F)

Answer 27

True

Question 28

Criticality Analysis: This function can be performed manually but for a brief period only

Answer 28

Vital

Question 29

Criticality Analysis: Vital operations must be restored within?

Answer 29

5 days or less

Question 30

Criticality Analysis: This can be performed manually for an extended period of time

Answer 30

Sensitive

Question 31

Criticality Analysis: Interruptions produce no cost to the company

Answer 31

Nonsensitive