Chapter 2: Strategies for development of business continuity plan (Business Continuity Management)

Business Continuity Management - Institute of Chartered ...cit.icai.org/...Business_Continuity_Management/Chapter2/PPT/7_2... · Business Continuity Management 1. ... Businesses that

Page 1

Chapter 2: Strategies for development of business continuity plan

Business Continuity Management

Page 2

Chapter 2: Strategies for development of business continuity plan

Page 3

Agenda – Chapter 2

Chapter 2 – Strategies and Development of Business Continuity

• Prerequisites in developing a Business Continuity Plan

• Phase 1 – Business Impact Analysis

• Phase 2 – Risk Assessment and Methodology of Risk Assessment

• Phase 3 – Development of BCP

• Phase 4 – Testing of BCP and DRP

• Phase 5 – Training and Awareness

Page 4

Agenda – Chapter 2

Chapter 2 – Strategies and Development of Business Continuity

• Phase 6 – Maintenance of BCP and DRP

• Incident Handling and Management

• Invoking a DR Phase/BCP Phases

• Documentation – BCP Manual and BCM Policy

• Data backup, Retention and Restoration practices

• Backup and Recovery strategies

• Types of Recovery and Alternative Sites

• System Resiliency Tools and Techniques

• Insurance and Types of Insurance

Page 5

Learning Objectives

How to design a Business Continuity Plan (BCP).

Performing risk assessment and designing tests for the BCP.

Performing a BCP audit or providing consulting services on any or all aspects of BCP.

Page 6

Introduction

The ability to weather losses caused by unexpected events depends on proper planning and on the execution of such plans.

Without a workable plan, unexpected events can cause severe damage to information resources and assets.

Businesses that don’t have a disaster plan go out of business after a major loss like a fire, a break-in, or a storm.

A formal policy provides the authority and guidance necessary to develop an effective Business Continuity plan.

The Business Impact Analysis helps to identify and prioritize critical IT systems and components.

Page 7

Prerequisites in development of a BCP

The primary objectives of a BCP are to guide an organization in the event of a disaster and to effectively re-establish critical business operations within the shortest possible period of time with minimal loss of data.

Prerequisites for developing a BCP include planning the project.

The goals of planning the project are to assess current and anticipated vulnerabilities, define the requirements of the business and IT, design and implement risk mitigation procedures, and provide the organization with a plan that will enable it to react quickly and efficiently at the time of a disaster.

Page 8

Prerequisites in development of a BCP

Define the scope of the planning effort.

Develop a plan framework.

Assemble a project team or a steering committee and conduct awareness sessions.

Page 9

Phases in Development of a BCP

Phase 1 – Business Impact Analysis

Phase 2 – Risk Assessment

Phase 3 – Development of a BCP

Phase 4 – Testing of the BCP

Phase 5 – Training and awareness to the employees

Phase 6 – Maintenance of the BCP

Page 10

Phase 1 – Business Impact Analysis

The business impact analysis establishes the needs of an organization for recoverability and sets the requirements for its recovery strategy and ultimately its recovery plan.

The business impact analysis also can be used to achieve other objectives within an organization.

The broad outline of a strategy should be apparent in BIA results.

Page 11

Phase 1 – Business Impact Analysis

Objectives of a BCP

• BIA can be used to prioritize the recovery sequence of data and infrastructure.

• A BIA can define the minimum operating requirements a business needs to recover operations following a disruption. These include Information Technology resources, human capital, etc.

• A BIA presents the value proposition for implementing the appropriate level of recoverability.

Page 12

BIA Definition

Business Impact Analysis is essentially a means of systematically assessing the potential impacts resulting from various unintended events or incidents.

Business Impact Analysis is a comprehensive and wider focused approach to the risk analysis process.

Page 13

Tasks to be undertaken in BIA

Identify – organisational risks

Identify – critical business processes

Quantify – risks to critical business processes

Identify – inter-dependencies of critical business processes

Determine – maximum allowable downtime

Identify – resources required for recovery

Determine – impact in the event of a disaster

Page 14

Conducting a BIA

Stages:

• Threat attack identification and prioritization

• Business unit analysis

• Attack success scenario development

• Potential damage assessment

• Subordinate plan classification

Issues to be considered:

• Different business processes

• Critical information resources related to critical business processes

• Critical recovery time period before significant losses are incurred

• Systems risk ranking

Page 15

Phase 2 – Risk Assessment

Risk Assessment seeks to identify which business processes and related resources are critical to the business, what threats or exposures exist to cause an unplanned interruption of business processes, and what impact accrues due to an interruption.

Risk Assessment is the systematic identification of all risks, their investigation and grading relevant to each other and to the department, so that the management can be given a clear and full understanding of the risks it faces.

Page 16

Risk Assessment

Potential Risks

Natural: Fire, Flood, Earthquake

H: Sabotage, Malicious Code, Operator error

Technological: Hardware Failure, Data Corruption, Telecom outage, Power failure

Risk Assessment

Identified Risks

Natural: Fire, Flood, Earthquake

H: Sabotage, Malicious Code, Operator error

Technological: Hardware Failure, Data Corruption, Telecom outage, Power failure

Security Controls

• Management Controls

• Operational Controls

• Technical Controls

Residual Risks

Natural: Fire, Cyclone, Flood

H: Sabotage, Malicious Code, Operator error

Technological: Hardware Failure, Data Corruption, Telecom outage, Power failure

Contingency Plan Scope

• Cyclone

• Operator error

• Hardware failure

• Data corruption

Page 17

Identifying the Impact of Resource Unavailability

Common Information System outages:

Full Disk

Disk Crash

Application Crash

System Crash

Network Failure

Power Failure

Data center wide failure

Building wide calamity

Large Scale Disaster

Page 18

Risk Management Process

Information Risk Assessment

Vulnerability Assessment

Likelihood Assessment

Impact Analysis

• The systems are reviewed for weaknesses that can be exploited and the likelihood of those being exploited.

Page 19

Risk Assessment Components

Impact Assessment

Threat Assessment

Vulnerability Assessment

Page 20

Objectives of Risk Assessment

Criticality prioritization

• RPO – Recovery point objective

• RTO – Recovery time objective

Estimating the critical recovery time period

SDO – Service Delivery Objective

Page 21

Phases of Risk Assessment

Identify the risks that departments face;

Identify essential operations that must be restarted as quickly as possible after a disaster has taken place;

Identify cost-effective measures that could be introduced to prevent risks or lessen their impact; and

Provide an input for Risk Management.

All disaster events may not be anticipated or considered.

Page 22

Types of Threats

Natural

• Fire

• Flood

• Storm

• Lightning

• Power Failure

Deliberate

• Bomb

• Theft

• Strike

Accidental

• Outage

• Errors

• Disclosure

Page 23

Risk Assessment Methods

Tolerance

• The ability of a company to cope with interruption of a business process determines the TOLERANCE of the business process. The various business processes may be classified as Critical, Vital, Sensitive, Non critical.

Risk Ranking

• A range of values is set for each of the following: Asset cost, likelihood of threat, vulnerability and assessment of the risk.

• Use the formula Risk = (Asset Cost + Likelihood + Vulnerability)/3, then perform risk ranking.

Formulae for comparing risks

• The risk will be determined by an algorithm, based on ascribing values to the risk that is based on the values already ascribed to the threat, vulnerability and impact.

• There is no universally appropriate formula for this process, but it approximates to Risk = Threat x Vulnerability x Impact.

Computer software
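The two scoring formulae on this slide, and the tolerance classes it names, can be put to work as a small risk-ranking routine. The following is an added example written for this chapter, not code from the ICAI material. The 1..5 value range for each factor, the sample business processes, and the downtime thresholds used to assign the tolerance classes are all assumptions made for the example; the maximum allowable downtime input comes from the BIA task on page 13.

```python
"""Risk ranking for a BIA / risk assessment (added worked example).

Implements the two formulae quoted on the slide and ranks processes by score:
  additive:        Risk = (Asset Cost + Likelihood + Vulnerability) / 3
  multiplicative:  Risk = Threat x Vulnerability x Impact
Assumptions of this example: every factor is scored on a 1..5 scale, the
sample processes are constructed, and the downtime thresholds for the
Critical / Vital / Sensitive / Non critical classes are illustrative.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple

SCALE_MIN, SCALE_MAX = 1, 5   # assumed value range set for every factor


@dataclass(frozen=True)
class ProcessRisk:
    """One assessed business process with the values ascribed to it."""
    name: str
    asset_cost: int
    likelihood: int
    vulnerability: int
    threat: int
    impact: int
    max_allowable_downtime_hours: float   # from the BIA


def _check_range(value: int, label: str) -> int:
    """Reject scores outside the agreed value range before they distort the ranking."""
    if not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"{label}={value} is outside {SCALE_MIN}..{SCALE_MAX}")
    return value


def additive_risk(p: ProcessRisk) -> float:
    """Risk = (Asset Cost + Likelihood + Vulnerability) / 3, as on the slide."""
    total = (_check_range(p.asset_cost, "asset_cost")
             + _check_range(p.likelihood, "likelihood")
             + _check_range(p.vulnerability, "vulnerability"))
    return round(total / 3, 2)


def multiplicative_risk(p: ProcessRisk) -> int:
    """Risk = Threat x Vulnerability x Impact, as on the slide."""
    return (_check_range(p.threat, "threat")
            * _check_range(p.vulnerability, "vulnerability")
            * _check_range(p.impact, "impact"))


def tolerance_class(max_downtime_hours: float) -> str:
    """Map maximum allowable downtime to the slide's four tolerance classes.
    The hour thresholds are an assumption of this example, not from the slide."""
    if max_downtime_hours <= 4:
        return "Critical"
    if max_downtime_hours <= 24:
        return "Vital"
    if max_downtime_hours <= 72:
        return "Sensitive"
    return "Non critical"


def rank(processes: Iterable[ProcessRisk],
         scorer: Callable[[ProcessRisk], float]) -> List[Tuple[str, float]]:
    """Return (name, score) pairs, highest risk first.
    Ties are broken by name so the ranking is deterministic and reviewable."""
    scored = [(p.name, scorer(p)) for p in processes]
    return sorted(scored, key=lambda t: (-t[1], t[0]))


# Constructed sample data for the example, not taken from the slides.
SAMPLE = [
    ProcessRisk("Payment processing", 5, 3, 4, 4, 5, 2),
    ProcessRisk("Payroll",            4, 2, 2, 2, 4, 48),
    ProcessRisk("Intranet wiki",      1, 4, 3, 3, 1, 168),
    ProcessRisk("Customer portal",    4, 4, 4, 4, 4, 8),
]

if __name__ == "__main__":
    print("Additive ranking:      ", rank(SAMPLE, additive_risk))
    print("Multiplicative ranking:", rank(SAMPLE, multiplicative_risk))
    for p in SAMPLE:
        print(f"{p.name}: {tolerance_class(p.max_allowable_downtime_hours)}")
```

Running the two rankings on the same sample shows why the slide says no formula is universally appropriate: the additive formula scores the low-value intranet wiki level with payroll because it averages the factors, while the multiplicative formula lets the low impact pull the wiki to the bottom. Whichever formula is chosen, the value ranges should be fixed before scoring begins, which is what the range check enforces.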

Page 24

Phase 3 – Development of BCP

Documentation:

• BCP Policy

• BIA and Risk Assessment Report

• Aims, objectives, activities undertaken by each function

• BCP Manual

• Training Program

• Test plans

BCP Manual:

• Purpose of BCP

• TOC

• Disaster Definitions

• Objectives of the Plan

• Scope of the Plan

• Plan Approach/Recovery Strategy

• Plan Administration

• Plan Management

• Disaster Notification and Plan Notification Procedures

Page 25

Phase 3 – Development of BCP

The plan should be documented and written in simple language, so that everyone in the organization and related to the organization, including, if necessary, third-party vendors, understands it.

It should be a part of the plan to develop some important teams with clear-cut roles and responsibilities, e.g., BC Team, Recovery Management team, Administration team, System Recovery team, Hardware installation team, Communication team, etc.

Page 26

Some Important Teams

Business Continuity Team

Recovery management team

Crisis management team

Hardware installation team

System recovery team

Communications team

User liaison team

Administration team

Facilities team

Damage Assessment Team

Application recovery team

Logistics team

Staff coordination team

Insurance team

Page 27

Minimum Requirements of a BCP

Initiation procedures

Preliminary Damage Assessment

Put recovery site on standby

Assemble damage assessment team

Conduct Damage Assessment

Determining Strategy

Establish emergency command center

Assemble and brief recovery team

Notify recovery site

Arrange movement of backup materials

Notify impacted staff

Fire Insurance Claims

Detail procedures for recovery

Primary site operations

Return to normal operations

Post Recovery Reviews


Page 30

Phase 4 – Testing of BCP

The Disaster Recovery Coordinator is responsible for testing of the disaster recovery plan at least annually to ensure the viability of the plan.

The objectives of testing the disaster recovery plan are as follows:

• Simulate the conditions of an ACTUAL Business Recovery situation.

• Determine the feasibility of the recovery process.

• Identify deficiencies in the existing procedures.

• Test the completeness of the business recovery information stored at the Offsite Storage Location.

• Train members of the disaster recovery teams.

Page 31

Types of Test

Checklist Test

Structured Walk Through Test

Simulation Test

Parallel Test

Full Interruption Test

Page 32

Testing Process

Initiate the Test

Develop the Test plan as per the type of test decided

Perform the test

Evaluate the Test

Result Analysis

Documentation of result

Page 33

Phase 5 – Training and Awareness

Purpose of training

• To train recovery team participants who are required to execute plan segments in the event of a disaster.

• To train the management and key employees in disaster prevention and awareness and the need for disaster recovery planning.

User management must be aware of the basic recovery strategy, i.e. how the plan provides for rapid recovery of their information technology systems support structure.

Page 34

Training and Awareness Methods

Walkthrough Session

Scenario Workshop

Live Test Simulation

Page 35

Phase 6 – Maintenance of BCP

It is critical that existing change management processes are revised to take recovery plan maintenance into account.

Maintenance of the plans is critical to the success of an actual recovery.

BCM testing, maintenance and audit verify the enterprise BCM to prove the extent to which its strategies and plans are complete, current and accurate, and identify opportunities for improvement.

The BCM maintenance process demonstrates documented evidence of the proactive management and governance of the enterprise’s business continuity program, and that the key people who are to implement the BCM strategy and plans are trained and competent.

Page 36

Maintenance of the BCP tasks

Determine the ownership and responsibility for maintaining the various BCP strategies within the enterprise;

Identify the BCP maintenance triggers to ensure that any organizational, operational, and structural changes are communicated to the personnel who are accountable for ensuring that the plan remains up-to-date;

Determine the maintenance regime to ensure the plan remains up-to-date;

Determine the maintenance processes to update the plan; and

Implement version control procedures to ensure that the plan is maintained up-to-date.

Page 37

Incident Handling and Management

Incident response (IR) is the set of procedures that commence when an incident is detected.

The process of incident response planning (IRP) includes:

• Form IR planning team

• Develop IR policy

• Organize security incident response team

• Develop IR plan

• Develop IR procedures

• Training the Incident Response Team

• Testing the IR plan

• Selecting and maintaining tools used by the IRT

• Training users of the systems and procedures controlled by the organization

Page 38

Reaction to the Incident

Triggers (circumstances that cause IR team activation and IR plan initiation) are to be defined.

What must be done to react to the particular situation is to be elaborated.

How to stop the incident if it is ongoing is also to be addressed, along with the way by which elimination of the problem source can be achieved.

Page 39

Reaction to the incident – Post

Incident Classification

Collection of data under IRP

Reaction to the incidents

Incident Notification

Documenting the Incident

Incident Containment strategies

Recovering from the incident

The after action review

Incident Response Plan review and maintenance

Page 40

Invoking a BCP/DRP Phase

Page 41

Operating Teams

Contingency Planning Team

Incident Response Team

Disaster Recovery Team

Business Continuity Team

Page 42

Invoking a BCP

The plan should be approved by the appropriate authority.

• Plan Overview – This portion of the Disaster Recovery plan should inform the user about the primary focus of the document, such as responding to a disaster, restoring operations as quickly as possible and reducing the number of decisions which must be made when, and if, a disaster occurs.

• Plan Objectives – The overall objectives of the plan are to protect the organization’s computing resources and employees, to safeguard the vital records of Information Technology Systems and to guarantee the continued availability of essential Information Technology services.

Page 43

Disaster Recovery Phases

Disaster Assessment

Disaster Recovery

Alternate Site/Data Centre

Return to Primary Site

Page 44

Key disaster recovery activities

Activating the recovery plan

Notifying team leaders

Notifying key management contacts

Redirecting information technology service to an alternate location

Securing a new location for the data center

Ordering and configuring replacement equipment

Reconfiguring the network

Reinstalling software and data

Keeping management informed

Keeping users informed

Keeping the public informed

Page 45

Risk Management Process

Identification and classification of information resources or assets that need protection

Assess threats and vulnerabilities and the likelihood of their occurrence

Once elements of risk have been established they are combined to form an overall view of risk

Evaluate existing controls or design new controls to reduce vulnerabilities to an acceptable level of risk

Residual risk

Page 46

Classification of Critical Activities

Business Impact Analysis (BIA) will result in:

Categorization of infrastructure and business function

Disaster scenarios for various disaster causes

Page 47

Business Categorization

Vital, Essential, Desirable

Page 48

Business Categorization

Parameters for business categorization:

• Loss of revenue

• Loss of reputation

• Decrease in customer satisfaction

• Loss of productivity (man-hours)

Page 49

Disaster Scenarios

Major, Minor, Trivial, Catastrophic

Page 50

Disaster Scenarios

The scenario of disaster shall be decided with the matrix given below:

• X-axis – business impact of the infrastructure and business transaction as desirable (value=1), essential (value=2) or vital (value=3)

• Y-axis – likelihood of occurrence of the disaster on a three point scale (1-3)

[Matrix figure: X-axis Business impact, Y-axis Likelihood]

Page 51

What is a Disaster?

“A sudden, unplanned calamitous event that interrupts an enterprise’s ability to function.”

“Disruption of Business operations that stops the organization from providing its critical & essential services caused by the absence of critical resources – Facilities, Communications, Power, Access to Information or People.”

Page 52

Impact of Disasters

Financial health

• Loss of revenue/cash flow, large extraordinary expenses

Service levels/Customer Attitude

• Increased competition, key differentiator is the service levels, lost customers don’t return

Human resources

• Fewer key people due to downsizing, profound impact of loss of productive services

Increasing use/dependence on Technology

• Next to impossible to operate in manual mode, more info & faster, LAN & WAN cannot be down

Liabilities for not providing services

• Penalties, management responsibility if DR is not adequately planned

Page 53

Testing Process

Setting objectives

Defining the boundaries

Scenario

Test criteria

Assumptions

Test prerequisites

Briefing session

Checklists

Analysing the test

Debriefing session

Page 54

Disaster Recovery Team

General Responsibilities – The Disaster Recovery Team is responsible for the overall coordination of the disaster recovery process from an Information Technology Systems perspective. The other team leaders report to this team during a disaster.

Administrative Responsibilities – The administrative function provides administrative support services to any team requiring this support. This includes the hiring of temporary help or the reassignment of other clerical personnel.

Supply Responsibilities – The supply function is responsible for coordinating the purchase of all needed supplies during the disaster recovery period. Supplies include all computing equipment and supplies, office supplies such as paper and pencils, and office furnishings.

Page 55

Disaster Recovery Team

Public Relations Responsibilities – The public relations function will pass appropriate information about the disaster and associated recovery process to the public and to employees. Every effort should be made to give these groups reason to believe that TAMUCT is doing everything possible to minimize losses and to ensure a quick return to normalcy.

Page 56

Disaster Recovery Team

Recovery Management Team – The disaster recovery plan should contain a Disaster Management Team Call Checklist. It should specify the contact information of the team leader as well as team members, with details of the functionality for which he/she can be contacted.

Tech Support Team – The disaster recovery plan should contain details about the Technical Support Team and its sub-teams, like Hardware, Software, Network, Operations, etc., and their respective responsibilities.

Page 57

Disaster Recovery Team

Hardware Responsibilities – The responsibility of the Hardware Team is to acquire (along with the Facilities Team), configure and install servers and workstations for organizational Information Technology users.

Software Responsibilities – The responsibility of the Software Team is to maintain the systems software at the alternate site and reconstruct the system software upon returning to the primary site. In addition, the Software Team will provide technical support to the other teams.

Page 58: Business Continuity Management - Institute of Chartered ...cit.icai.org/...Business_Continuity_Management/Chapter2/PPT/7_2... · Business Continuity Management 1. ... Businesses that

Disaster Recovery Team

Network Responsibilities - The Network Team is responsible for preparing for voice and data communications to the alternate location data center and restoring voice and data communications at the primary site.

Operations Responsibilities - The Operations responsibilities include the daily operation of computer services and management of all backup tapes. When a disaster is declared, the team must secure the correct tapes for transport to the alternate location. Once operations are established at the alternate location, arrangements must be made with an offsite storage service.

Technical Call team support - The disaster recovery plan should contain Disaster Recovery Technical Support Team Call Checklist. It should specify the contact information about Team leader as well as team members with the details on which functionality he/she can be contacted.


Facility Team - The disaster recovery plan should contain details about the Facility Team and its sub-teams (Salvage Team, New Data Center Team, New Hardware Team, etc.) and their respective responsibilities.

New Data Center Responsibilities - The New Data Center Team is responsible for selecting a suitable location for a new data center and overseeing its construction. This includes the environmental and security controls for the room.

New Hardware Responsibilities - The New Hardware Team is responsible for ordering replacement hardware for equipment damaged in the disaster and installing it in the new or rebuilt data center. Depending on the age of the damaged hardware, replacement may not be one-for-one.


Resumption of normal activities - Once the threat has passed and equipment has been repaired or replaced, or a new primary site has been built and stocked, the disaster recovery team will assess the situation, declare the disaster over and resume normal operations.


Documentation of BCM

• The business continuity policy;

• The business continuity management system;

• The business impact analysis report;

• The risk assessment report;

• The aims and objectives of each function;

• The activities undertaken by each function;

• The business continuity strategies;

• The overall and specific incident management plans;

• The business continuity plans;

• Change control, preventative action, corrective action, document control and record control processes;

• Local Authority Risk Register;

• Exercise schedule and results;

• Incident log; and

• Training Program

BCP Policy

The BCM policy defines the processes of setting up activities for establishing a business continuity capability and the ongoing management and maintenance of the business continuity capability.

The set-up activities incorporate the specification, end-to-end design, build, implementation and initial exercising of the business continuity capability.


The ongoing maintenance and management activities include embedding business continuity within the enterprise, exercising plans regularly, and updating and communicating them, particularly when there is significant change in premises, personnel, process, market, technology or organizational structure.


BCP Policy - Objectives

The enterprise should consider defining the scope, BCM principles, guidelines and applicable standards for the enterprise. It should refer to all relevant standards, regulations and policies that have to be included or can be used as benchmarks.

Critical services and activities undertaken by the enterprise will be identified.

Plans will be developed to ensure continuity of key service delivery following a business disruption, which may arise from the loss of facilities, personnel, IT and/or communication or failure within the supply and support chains.


Invocation of incident management and business continuity plans can be managed.

Incident Management Plans & Business Continuity Plans are subject to ongoing testing, revision and updating as required.

Planning and management responsibility are assigned to members of the relevant senior management team.


BCP Manual

A BCP manual is a documented description of actions to be taken, resources to be used and procedures to be followed before, during and after an event that severely disrupts all or part of the business operations.

A BCP Manual consists of the Business Continuity Plan and the Disaster Recovery Plan.


Elements of BCP Manual

Purpose of the plan

Organization of the manual

Disaster definitions

Objectives of the BCP

Scope of the plan

Plan approach and recovery strategy

Plan administration

Plan management

Disaster notification and activation procedures


Data Backup Strategies

Dual Recording of Data

Periodic Dumping of Data

Logging input transactions

Logging changes to the data


Types of Backup

Full Back Up

Incremental Back Up

Mirror Back Up


Different Strategies

For LAN Systems

Eliminating Single point of Failure

Redundant cabling & devices

Remote Access

For Data Communication

Dial Up

Circuit Extensions

VSAT

On demand service from carriers


Different Strategies for voice communications

Cellular Phone Back Up

Carries Call

Back Up PBX systems


Alternative Sites

Mirror Site

Hot Site

Cold Site

Warm Site

Offsite data protection

Mobile Site


Alternate Processing Facility Arrangements

Cold site

Hot site

Warm site

Reciprocal agreement

Cold site


Organisation can tolerate some downtime

Cold site has all the facilities

Establish its own cold-site facility


Hot site

Organisation might need hot site backup

Hardware and operations facilities

A hot site is expensive to maintain

Shared with other organisations


Warm site

A warm site provides an intermediate level

Cold-site facilities in addition

Warm site might contain selected peripheral equipment


Alternate Site selection criteria


Data Vaults

Backups are stored in purpose built vaults.

Types -

• Hybrid onsite vaulting

• Hybrid offsite vaulting


System Resiliency Tools

Fault Tolerance

• Fault-tolerance is the property that enables a system (often computer-based) to continue operating properly in the event of the failure of (or one or more faults within) some of its components.

The basic characteristics of fault tolerance require:

• No single point of failure.

• No single point of repair.

• Fault isolation to the failing component.

• Fault containment to prevent propagation of the failure.

• Availability of reversion modes.


System Resiliency Tools

RAID (Redundant Array of Inexpensive Disks)

Electronic Vaulting

Remote Journaling

Database Shadowing


Insurance

Policies are contracts that obligate the insurer to indemnify the policyholder or some third party from specific risks in return for the payment of a premium.

Adequate insurance coverage is a key consideration when developing a business recovery plan and performing a risk analysis.

Resources to be covered – Equipment, Facilities, Storage Media, Business Interruption, Extra Expenses, Valuable Papers, Accounts Receivable, Media Transportation, Malpractice errors

Types of Insurance

• First Party – Property Damages, Business Interruption

• Third Party – General Liability, Directors and Officers


Summary

Development of a Business Continuity Plan can be done with the support of BCP Policy existing in an organization. BCP Policy sets the scope of the plan.

Development involves planning the BCP as a project, conducting a Business Impact Analysis and a Risk Assessment, testing the BCP, providing training and awareness, and continuously maintaining the BCP.

Contingency planning encompasses Incident Management planning, Disaster Recovery planning and Business Continuity planning.

The following hierarchy is generally followed for invoking a Business Continuity Plan: Incident Handling and Response, then Disaster Recovery, then Business Continuity.


Business Continuity Management would contain the following minimum documents: the Business Continuity Policy, which sets the scope for Business Continuity, and the Business Continuity Manual, which contains the step-by-step process to achieve Business Continuity and details of relevant contacts.

Backup and Recovery Strategies, Types of Alternative Sites, system resiliency tools and techniques etc., are some strategies to be considered while developing a Business Continuity Plan.

Insurance and its types were discussed here. It is a mode of transferring the risk that arises due to the threats to the Business Continuity.


Questions


1. Which of the following control concepts should be included in a complete test of disaster recovery procedures?

A. Rotate recovery managers.

B. Invite client participation

C. Involve all technical staff.

D. Install locally stored backup.

Answer: A

Recovery managers should be rotated to ensure the experience of the recovery plan is spread. Clients may be involved but not necessarily in every case. Not all technical staff should be involved in each test. Remote or off-site backup should always be used.

2. An advantage of the use of hot sites as a backup alternative is:

A. The costs related to hot sites are low.

B. That hot sites can be used for a long amount of time.

C. That hot sites do not require that equipment and systems software be compatible with the primary installation being backed up.

D. That hot sites can be made ready for operation within a short span of time.

Answer: D

Hot sites can be made ready for operation normally within hours. However, the use of hot sites is expensive, should not be considered as a long-term solution and does require that equipment and systems software be compatible with the primary installation being backed up.

3. All of the following are security and control concerns associated with disaster recovery procedures EXCEPT

A. Loss of audit trail.

B. Insufficient documentation of procedures.

C. Inability to restart under control.

D. Inability to resolve system deadlock.

Answer: D

The inability to resolve system deadlock is a control concern in the design of database management systems, not disaster recovery procedures. All of the other choices are control concerns associated with disaster recovery procedures.

4. Which of the following business recovery strategies would require the least expenditure of funds?

A. Warm site

B. Empty shell

C. Hot site

D. Reciprocal agreement

Answer: D

Reciprocal agreements are the least expensive because they usually rely on a gentlemen's agreement between two firms.

5. Which of the following is NOT a feature of an uninterruptible power supply (UPS)?

A. It provides electrical supply to a computer in the event of a power failure.

B. It is an external piece of equipment or can be built into the computer itself.

C. It should function to allow an orderly computer shutdown.

D. It uses a greater wattage into the computer to ensure enough power is available.

Answer: D

A UPS typically cleanses the power to ensure wattage into the computer remains consistent and does not damage the computer. All other answers are features of a UPS.

6. Which of the following would warrant a quick continuity of operations when the recovery time window is short?

A. A duplicated back-up in an alternate site

B. Duplicated data in a remote site

C. Transfer of data the moment a contingency occurs

D. A manual contingency procedure

Answer: D

A quick continuity of operations could be accomplished when manual procedures for a contingency exist. Choices A, B and C are options for recovery.

7. For which of the following applications would rapid recovery be MOST crucial?

A. Point-of-sale

B. Corporate planning

C. Regulatory reporting

D. Departmental chargeback

Answer: A

A point-of-sale system is a critical online system that, when inoperable, will jeopardize the ability of a company to generate revenue and properly track inventory.

8. Which of the following principles must exist to ensure the viability of a duplicate information processing facility?

A. The site is near the primary site to ensure quick and efficient recovery is achieved.

B. The workload of the primary site is monitored to ensure adequate backup is complete.

C. The site contains the most advanced hardware available from the chosen vendor.

D. The hardware is tested when it is established to ensure it is working properly.

Answer: B

Resource availability must be assured. The workload of the site must be monitored to ensure that availability for emergency backup use is not impaired. The site chosen should not be subject to the same natural disaster as the primary site. In addition, a reasonable compatibility of hardware/software must exist to serve as a basis for backup. The latest or newest hardware may not adequately serve this need. Testing the site when established is essential, but regular testing of the actual backup data is necessary to ensure the operation will continue to perform as planned.

9. While reviewing the business continuity plan of an organization, the IS auditor observed that the organization's data and software files are backed up on a periodic basis. Which characteristic of an effective plan does this demonstrate?

A. Deterrence

B. Mitigation

C. Recovery

D. Response

Answer: B

An effective business continuity plan includes steps to mitigate the effects of a disaster. To have an appropriate backup plan, an organization should have a process capability established to restore data and files on a timely basis, mitigating the consequence of a disaster. An example of deterrence is when a plan includes installation of firewalls for information systems. An example of recovery is when a plan includes an organization's hot site to restore normal business operations.

10. As updates to an online order entry system are processed, the updates are recorded on a transaction tape and a hard copy transaction log. At the end of the day, the order entry files are backed up onto tape. During the backup procedure, the disk drive malfunctions and the order entry files are lost. Which of the following are necessary to restore these files?

A. The previous day's backup file and the current transaction tape

B. The previous day's transaction file and the current transaction tape

C. The current transaction tape and the current hardcopy transaction log

D. The current hardcopy transaction log and the previous day's transaction file

Answer: A

The previous day's backup will be the most current historical backup of activity in the system. The current day's transaction file will contain all of the day's activity. Therefore, the combination of these two files will enable full recovery up to the point of interruption.
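As an added example (not from the ICAI slides), the Python below models the recovery in question 10 together with the "Logging input transactions" strategy from the Data Backup Strategies slide: the previous day's full backup is integrity-checked, then the current day's transaction log is replayed on top of it in sequence order. The order records and transactions are constructed sample data, and the sequence-gap check is an added safeguard not mentioned in the slides.

```python
import copy
import hashlib
import json

# Constructed sample data (not from the slides): state of the order-entry
# files at the end of the previous day, captured by that day's full backup.
PREVIOUS_DAY_FILES = {
    "1001": {"customer": "acme", "qty": 5, "status": "open"},
    "1002": {"customer": "globex", "qty": 2, "status": "open"},
}

# Constructed: the current day's transaction tape. Each update is appended
# in sequence as it is applied to the live files (logging input transactions).
CURRENT_DAY_TRANSACTIONS = [
    {"seq": 1, "op": "upsert", "order_id": "1003",
     "record": {"customer": "initech", "qty": 9, "status": "open"}},
    {"seq": 2, "op": "upsert", "order_id": "1001",
     "record": {"customer": "acme", "qty": 7, "status": "shipped"}},
    {"seq": 3, "op": "delete", "order_id": "1002"},
]


def full_backup(live_files):
    """Full backup: an independent copy of every file plus an integrity hash."""
    snapshot = copy.deepcopy(live_files)
    canonical = json.dumps(snapshot, sort_keys=True).encode()
    return {"data": snapshot, "sha256": hashlib.sha256(canonical).hexdigest()}


def apply_transaction(files, txn):
    """Apply one logged update to the files in place."""
    if txn["op"] == "upsert":
        files[txn["order_id"]] = copy.deepcopy(txn["record"])
    elif txn["op"] == "delete":
        files.pop(txn["order_id"], None)
    else:
        raise ValueError(f"unknown operation {txn['op']!r}")


def restore(backup, transaction_log):
    """Rebuild the live files: verify the backup, then replay the log in order."""
    canonical = json.dumps(backup["data"], sort_keys=True).encode()
    if hashlib.sha256(canonical).hexdigest() != backup["sha256"]:
        raise ValueError("backup integrity check failed; do not restore from it")
    files = copy.deepcopy(backup["data"])
    expected_seq = 1
    for txn in sorted(transaction_log, key=lambda t: t["seq"]):
        # A gap in sequence numbers means lost updates: stop rather than guess.
        if txn["seq"] != expected_seq:
            raise ValueError(f"transaction log gap before seq {txn['seq']}")
        apply_transaction(files, txn)
        expected_seq += 1
    return files


def simulate_day(previous_files, transactions):
    """Run the day's updates against a copy of the files; returns the live state."""
    live = copy.deepcopy(previous_files)
    for txn in transactions:
        apply_transaction(live, txn)
    return live


if __name__ == "__main__":
    backup = full_backup(PREVIOUS_DAY_FILES)          # taken before the day starts
    before_crash = simulate_day(PREVIOUS_DAY_FILES, CURRENT_DAY_TRANSACTIONS)
    print("recovered == pre-crash state:", restore(backup, CURRENT_DAY_TRANSACTIONS) == before_crash)
    # The log alone (choice C) has no base state, so order 1001's original record is missing.
    print("log alone:", simulate_day({}, CURRENT_DAY_TRANSACTIONS))
```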


Thank you!

Questions?

Email: [email protected]
