Module 5: Business Impact Analysis Flashcards
organization’s ability to adapt to disruptions and incidents in order to maintain continuous operations and to protect the organization’s assets
Business Resilience
Business Resilience: What should CISA candidates be aware of?
Alignment of:
1. Disaster Recovery Plan and Business Continuity Plan
2. DRP and BCP with the organization’s goals and risk tolerance
is a critical step in developing the business continuity strategy and the subsequent implementation of the risk countermeasures
Business Impact Analysis
Business Impact Analysis: BIA is most important when developing what?
The business continuity plan
In what order do risk assessment and business impact analysis happen?
Risk Assessment first and then Business Impact Analysis
Business Impact Analysis: BIA is used to evaluate the critical processes only and not the IT components themselves (T or F)
False. It also takes into consideration the IT components supporting the processes
Business Impact Analysis: What do BIAs aim to determine?
- Time frames
- Priorities
- Resources
- Interdependencies
Business Impact Analysis: We don’t need to do a BIA if we have done an extensive Risk Assessment already because it will be redundant (T or F)
False. The rule of thumb is to double check always because less visible but vital components can be uncovered
Business Impact Analysis: What do you need to check when IT activities are outsourced?
- SLAs
- Warranties
- Terms and Conditions
Business Impact Analysis: To perform a BIA successfully what should one have?
- Understanding of the Organization
- Understanding of Key Business Processes
- Understanding of IT resources used
Business Impact Analysis: To get a better understanding of the organization such as its IT resources and Key Business Processes, where can you get that information?
Risk Assessment results
Business Impact Analysis: BIA requires what, in terms of individuals?
- High level of senior management support
- Extensive Involvement of IT and End-user Personnel
Business Impact Analysis: To whom do you circulate the questionnaire?
- Key Users in IT
- End-User
Business Impact Analysis: What are the different approaches in performing BIA?
- Questionnaire
- Interview with key users only
- Interview with IT personnel and End Users
Business Impact Analysis: What type of auditing do these three approaches belong to?
Participative Auditing
Business Impact Analysis: What are the two cost factors to consider in a BIA?
- Downtime Costs
- Alternative Recovery Strategies
Business Impact Analysis: What is the relationship of downtime costs with time and cost?
It is positively sloping
Business Impact Analysis: Downtime costs flatten out at some point (T or F)
True. This signifies the moment where the business process stops working or it can no longer function
Business Impact Analysis: What is the relationship of alternative corrective measure with cost and time?
It is downward sloping
Business Impact Analysis: The recovery cost has also many components most of which are flexible (T or F)
False, they are rigid-inelastic
Business Impact Analysis: Each possible strategy has a fixed cost (T or F)
True
Business Impact Analysis: Both Variable Costs and Fixed Costs depend on which strategy is implemented (T or F)
True
Business Impact Analysis: The curve of the sum is usually a? How can you find the optimal strategy using that curve?
U curve. The bottom of the U curve represents the lowest cost strategy
Criticality Analysis: What is the risk ranking based off?
Likelihood and Impact
Criticality Analysis: A critical classification’s tolerance to interruption is ____ and cost of interruption is ______
Very low; Very high
Criticality Analysis: Critical means that it can’t be performed unless replaced by ________
Identical capabilities
Criticality Analysis: Critical applications cannot be replaced by manual methods (T or F)
True
Criticality Analysis: This function can be performed manually but for a brief period only
Vital
Criticality Analysis: Vital operations must be restored within?
5 days or less
Criticality Analysis: This can be performed manually for an extended period of time
Sensitive
Criticality Analysis: Interruptions produce no cost to the company
Nonsensitive