6.1 IS Business Continuity Plan Questions with solutions

6.1 IS Business Continuity Plan Questions with solutions What is the purpose of a business continuity plan? 1) Allows a business to continue operating 2) Restore business as quickly and efficiently as possible 3) Detect security threats and respond to them to reduce impact What are the seven steps that make up the Business Continuity Planning Process? 1) Develop contingency planning process 2) Conduct business impact analysis (what are our critical resources? What's the impact of damage? What's allowable time out?) 3) Implement/maintain preventative controls 4) Develop recovery strategies 5) Develop contingency plan 6) Plan testing, training, and exercises 7) Plan maintenance What is the relationship between IS BCP and overall Business Continuity and Disaster Recovery Strategy? IS BCP is a component of overall Business Continuity Strategy and must support it What is the most critical corrective control? BCP Business Impact Analysis A systematic process to determine and evaluate the potential effects of an interruption to critical business operations as a result of a disaster, accident or emergency What are the elements of BIA? 1) What's the mission for each business area? 2) What functions does each area carry out? 3) How much time does it take to perform the critical process cycles to perform each function? 4) What's the impact on business operations for each type of incident 5) Estimate amount of time that recovering from each type of incident is likely to take What are the benefits of BIA? 1) Increased understanding of impact 2) Facilitates response management 3) Increased awareness for response management In developing a response and recovery plan, what does the IS Manager need to do? 1) Oversee the development of response and recovery plan based on BIA and management approved recovery strategies 2) Identify the various teams involved 3) Plan the training of these teams 4) Figure out what resources are required for response and recovery What are the factors involved in selecting a recovery strategy? 1) Criticality of business process and applications that support it 2) Cost 3) Time required to recover 4) Security related considerations, such as exposure of valuable and/or sensitive information to unauthorized persons 5) Reliability What determines cost in relation to a recovery plan? Cost to prepare for disruptions and cost of recovery in the event of disruptions What are your options when dealing with a threat? 1) Eliminate the threat 2) Minimize likelihood of it occurring 3) Minimize the effects of it occurring 4) Transfer the risk What are types of offsite backup hardware facilities? 1) Hot sites 2) Warm sites 3) Cold sites 4) Mobile sites 5) Duplicate information processing facilities What criteria are alternate sites subject to? 1) Site must not be subject to the same natural disaster as primary site 2) Coordination of hardware/software strategies 3) Resources must be available 4) Agreement concerning the priority of adding applications (workloads) until all the recovery resources are fully utilized 5) Regular testing Reciprocal agreement Agreement between two organizations (or two internal business groups) with basically the same equipment/same environment that allows each one to recover at each other's site. What considerations should a response and recovery strategy be based on? 1) Interruption window 2) Recovery time objectives (RTO) 3) Recovery point objectives (RPO) 4) Services delivery objectives (SDO) 5) Maximum tolerable outages (MTO) RPO Recovery point objective. Earliest time data must be recovered; based on acceptable data loss. RTO Recovery Time Objective. Earliest time business must operate; based on acceptable downtime. The quicker the data must be recovered/business must operate, the... Higher the cost of recovery strategies Data mirroring Data mirroring refers to the real-time operation of copying data, as an exact copy, from one location to a local or remote storage medium. Data mirroring should be implemented as a recovery strategy when RPO is low Difference between data mirroring, backups, and reel backup in terms of RPO/RTO? Data mirroring - Low RPO Backup - Medium RPO Reel Backup - High RPO When preparing a business continuity plan, which of the following must be known to establish a recovery point objective (RPO)? The acceptable data loss in case of disruption in operations When looking for recovery alternatives, what can a company do to obtain an alternative? 1) Use a vendor or third party 2) Off the shelf 3) Credit agreement or emergency credit cards When using the 'Off the shelf' approach, a company should make sure 1) They are avoiding using hard to get equipment 2) Regularly updating equipment 3) Maintaining software compatibility to permit the operation of newer equipment 4) Make sure recovery plans have instructions on how the off the shelf equipment will be paid for A plan's call tree should include A prioritized list of contacts Reps from equipment/software vendors Supplies and equipment or services Recovery facilities, including hot site representative Offsite media storage facilities Recovery team Insurance company agents HR Law enforcement contacts In a BCP, who is the most important to contact? A prioritized contact list Redundant Array of Independent Disks (RAID) A data storage scheme that uses multiple hard drives to share or replicate data among the drives Offsite Library Physical facility where backup data and current copy of BCP is stored What is the responsibility of the offsite librarian? Maintain inventory and access to the library in an audit of a BCP, which finding is of most concern?