
Question & Answer

Uploaded by gaye

ISA Classes. Question & Answer. PowerPoint PPT Presentation

Page 1: Question & Answer
Page 2: Question & Answer

Q Organizations practice contingency plans because it makes good business sense. Which of the following is the CORRECT sequence of steps involved in the contingency planning process?

1. Anticipating potential disasters
2. Identifying critical functions
3. Selecting contingency plan strategies
4. Identifying the resources that support critical functions

(a) 1, 2, 3, 4
(b) 1, 3, 2, 4
(c) 2, 1, 4, 3
(d) 2, 4, 1, 3

Answer: D. 2, 4, 1, 3

Page 3: Question & Answer

Q What is the inherent limitation of a disaster recovery planning exercise?

(a) Inability to include all types of disasters
(b) Assembling disaster management and recovery teams
(c) Developing early warning monitors that will trigger alerts and response
(d) Conducting periodic drills

Answer: A. Inability to include all types of disasters

Page 4: Question & Answer

Q Who would be primarily responsible for establishing an organization-wide contingency plan?

(a) Chief information officer
(b) Disaster recovery manager
(c) The board of directors
(d) Audit director

Answer: C. The board of directors

Page 5: Question & Answer

Q A disaster recovery plan protects against WHICH of the following?

(a) Physical losses
(b) Economic losses
(c) Equipment losses
(d) Inventory losses

Answer: B. Economic losses

Page 6: Question & Answer

Q When senior management support for a DRP project has been obtained and resources have been authorized for the development of a disaster recovery document, the individuals who will do the actual writing of the plan should be selected on the basis of their:

(a) Technical knowledge of IS operating systems, databases and telecommunications
(b) Consulting background with hardware and software vendors
(c) Consulting experience with clients or customers in the same industry
(d) Broad perspective of the organization and ability to recognize all the possible consequences of a disaster

Answer: D. Broad perspective of the organization and ability to recognize all the possible consequences of a disaster

Page 7: Question & Answer

Q Emergency actions are taken at the incipient stage of a disaster with the objectives of preventing injuries or loss of life and of

(a) determining the extent of property damage
(b) protecting evidence
(c) preventing looting and further damage
(d) mitigating the damage to avoid the need for recovery

Answer: D. mitigating the damage to avoid the need for recovery

Page 8: Question & Answer

Q An organization’s disaster recovery plan SHOULD address early recovery of:

A. All information system processes
B. All financial processing applications
C. Only those applications designated by the IS Manager
D. Processing in priority order, as defined by business management

Answer: D. Processing in priority order, as defined by business management

Page 9: Question & Answer

Q Disaster recovery planning for a company’s computer system usually focuses on:

A. Operations turnover procedures
B. Strategic long range planning
C. The probability that a disaster will occur
D. Alternative procedures to process transactions

Answer: D. Alternative procedures to process transactions

Page 10: Question & Answer

Q Which of the following steps would an IS auditor normally perform FIRST in a security review?

A. Evaluate physical access test results
B. Determine the risks/threats to the data center site
C. Review business continuity procedures
D. Test for evidence of physical access at suspect locations

Answer: B. Determine the risks/threats to the data center site

Page 11: Question & Answer

Q What is the single MAJOR item that is often ignored during the development of a disaster recovery plan for an organization?

A. Roles and responsibilities of DRP team members
B. Critical areas of threats and vulnerabilities
C. Functional user operations
D. Conducting risk or impact analysis

Answer: C. Functional user operations

Page 12: Question & Answer

Q An organization is contemplating developing a computer related disaster recovery plan for the first time. The BEST practice would be to:

A. Follow a bottom-up approach
B. Call other companies in the same industry
C. Call a commercial backup service provider
D. Follow a top-down approach

Answer: D. Follow a top-down approach

Page 13: Question & Answer

Q The BEST approach to maintaining a contingency plan in order to recover from a computer-related disaster would be to use a:

A. Top-down approach
B. Bottom-up approach
C. Combination of top-down and bottom-up approaches
D. Consultant-directed approach

Answer: C. Combination of top-down and bottom-up approaches

Page 14: Question & Answer

Q To develop a successful business continuity plan, end-user involvement is critical during which of the following phases:

A. Business recovery strategy
B. Detailed plan development
C. Business impact analysis (BIA)
D. Testing and maintenance

Answer: C. Business impact analysis (BIA)

Page 15: Question & Answer

Q Which of the following disaster scenarios is NOT commonly considered during the development of disaster recovery and contingency planning?

A. Network failure
B. Hardware failure
C. Software failure
D. Failure of the local telephone company

Answer: D. Failure of the local telephone company

Page 16: Question & Answer

Q Which of the following can be called “the disaster recovery plan of the LAST resort”?

A. A contract with a recovery center
B. A demonstration of the recovery center’s capabilities
C. A tour of the recovery center
D. An insurance policy

Answer: D. An insurance policy

Page 17: Question & Answer

Q Which of the following tasks should be performed FIRST when preparing a Disaster Recovery Plan?

A. Develop a recovery strategy
B. Perform a business impact analysis (BIA)
C. Map software systems, hardware and network components
D. Appoint recovery teams with defined personnel, roles and hierarchy.

Answer: B. Perform a business impact analysis (BIA)

Page 18: Question & Answer

Q After completing the business impact analysis (BIA), what is the next step in the business continuity planning (BCP) process?

A. Test and maintain the plan
B. Develop a specific plan
C. Develop recovery strategies
D. Implement the plan.

Answer: C. Develop recovery strategies

Page 19: Question & Answer

Q During an audit of a business continuity plan, an IS auditor found that, although all departments were housed in the same building, each department had a separate business continuity plan. The IS auditor recommended that the business continuity plans be reconciled. Which of the following areas should be reconciled FIRST?

A. Evacuation plan
B. Recovery priorities
C. Backup storages
D. Call tree.

Answer: A. Evacuation plan

Page 20: Question & Answer

Q An IS auditor performing a review of the back-up processing facilities would be MOST concerned that:

(a) adequate fire insurance exists
(b) regular hardware maintenance is performed
(c) off-site storage of transaction and master files exists
(d) backup processing facilities are fully tested

Answer: C. off-site storage of transaction and master files exists

Page 21: Question & Answer

Q Which of the following represents the GREATEST risk created by a reciprocal agreement for disaster recovery made between two companies?

(a) Developments may result in hardware and software incompatibility
(b) Resources may not be available when needed
(c) The recovery plan cannot be tested
(d) The security infrastructure in each company may be different

Answer: A. Developments may result in hardware and software incompatibility

Page 22: Question & Answer

Q Which of the following is MOST important to have in a disaster recovery plan?

(a) Backup of compiled object programs
(b) Reciprocal processing agreement
(c) Phone contact list
(d) Supply of special forms

Answer: A. Backup of compiled object programs

Page 23: Question & Answer

Q An IS auditor reviewing an organization's information systems DRP should verify that it is:

(a) tested every 6 months
(b) regularly reviewed and updated
(c) approved by the Chief Executive Officer (CEO)
(d) communicated to every department head in the organization

Answer: B. regularly reviewed and updated

Page 24: Question & Answer

Q The LEAST critical factor in estimating the maximum tolerable downtime during a disaster is:

(a) Availability of a cold site during the disaster
(b) Time of the disaster
(c) Applications affected by the disaster
(d) Length of the disaster

Answer: A. Availability of a cold site during the disaster

Page 25: Question & Answer

Q During a disaster, which of the following application systems should be recovered FIRST?

(a) General ledger system
(b) Supplies tracking system
(c) Fixed asset system
(d) Claims processing system

Answer: D. Claims processing system

Page 26: Question & Answer

Q Fire has swept through the premises of an organization’s computer room. The company has lost its entire computer system. The BEST thing the organization could have done is to:

(a) Plan for cold site arrangements
(b) Plan for mutual agreements: negotiate with other similar organizations to back each other up
(c) Plan for warm site arrangements since everything was ready to go
(d) Take daily backups to an off-site storage facility

Answer: D. Take daily backups to an off-site storage facility

Page 27: Question & Answer

Q Which of the following rationales is NOT a sound one? DRP should be tested:

(a) By simulation
(b) In stages
(c) In an unannounced manner
(d) In actual use

Answer: D. In actual use

Page 28: Question & Answer

Q Most business continuity tests should:

(a) Be conducted at the same time as normal business operations.
(b) Address all system components.
(c) Evaluate the performance of personnel.
(d) Be monitored by the IS Auditor.

Answer: C. Evaluate the performance of personnel.

Page 29: Question & Answer

Q The MOST effective way to ascertain the hot-site vendor’s integrity in practices and priorities in the resource sharing area is to:

(a) Review all subscriber contracts with the hot-site vendors
(b) Observe an actual disaster at the hot-site vendor
(c) Request a copy of the actual external audit report
(d) Request the hot-site vendor’s compliance in writing

Answer: C. Request a copy of the actual external audit report

Page 30: Question & Answer

Q Which of the following is NOT true? A “cold-site” computer facility includes:

(a) Heat, humidity and air conditioning equipment
(b) CPU and other computer equipment
(c) Electrical power connections
(d) Telecommunications connections

Answer: B. CPU and other computer equipment

Page 31: Question & Answer

Q What is a hot-site facility?

(a) A site with pre-installed computers, raised flooring, air conditioning, telecommunications and networking equipment, and UPS.

(b) A site in which space is reserved with pre-installed wiring and raised floors.

(c) A site with raised flooring, air conditioning, telecommunications, and networking equipment, and UPS.

(d) A site with ready-made work space with telecommunications equipment, LANs, PCs, and terminals for work groups.

Answer: A. A site with pre-installed computers, raised flooring, air conditioning, telecommunications and networking equipment, and UPS.

Page 32: Question & Answer

Q Which of the following would an IS auditor consider to be MOST important to review when conducting a business continuity audit?

A. A hot site is contracted for and available as needed
B. A business continuity manual is available and current
C. Insurance coverage is adequate and premiums are current.
D. Media backups are performed on a timely basis and stored off-site

Answer: D. Media backups are performed on a timely basis and stored off-site

Page 33: Question & Answer

Q Which of the following business recovery strategies would require the LEAST expenditure of funds?

A. Warm site facility
B. Empty shell facility
C. Hot site subscription
D. Reciprocal agreement

Answer: D. Reciprocal agreement

Page 34: Question & Answer

Q An advantage of the use of HOT-SITE as a backup alternative is:

A. The costs associated with “hot sites” are low
B. That “hot sites” can be used for an extended amount of time
C. That “hot sites” can be made ready for operation within a short span of time
D. That “hot sites” do not require that equipment and systems software be compatible with the primary installations being backed up

Answer: C. That “hot sites” can be made ready for operation within a short span of time

Page 35: Question & Answer

Q Which of the following control concepts SHOULD be included in a comprehensive test of disaster recovery procedures?

A. Invite client participation
B. Involve all technical staff
C. Rotate recovery managers
D. Install locally stored backups

Answer: C. Rotate recovery managers

Page 36: Question & Answer

Q The MAIN purpose for periodically testing off-site hardware backup facilities is to:

A. Ensure the integrity of the data in the database
B. Eliminate the need to develop detailed contingency plans
C. Ensure the continued compatibility of the contingency facilities
D. Ensure that program and system documentation remains current

Answer: C. Ensure the continued compatibility of the contingency facilities

Page 37: Question & Answer

Q Losses can be minimized MOST effectively by using outside storage facilities to do which of the following?

A. Include current, critical information in backup files
B. Ensure that current documentation is maintained at the backup facility
C. Test backup hardware
D. Train personnel in backup procedures

Answer: A. Include current, critical information in backup files

Page 38: Question & Answer

Q The primary contingency strategy for application systems and data is regular backup and secure off-site storage. Which of the following decisions is LEAST important to address?

A. How often the backup is performed
B. How often the backup is stored off-site
C. How often the backup is used
D. How often the backup is transported

Answer: C. How often the backup is used

Page 39: Question & Answer

Q Which of the following is LEAST expensive in terms of providing backup computer facilities?

A. Mutual agreements
B. Shared facilities
C. Service bureaus
D. Company's own duplicate facilities

Answer: A. Mutual agreements

Page 40: Question & Answer

Q Which of the following is NOT an assumption made during the development of a disaster recovery and contingency plan?

A. Testing and maintenance of the contingency plan should be continual
B. All resources and materials required to restore the processing capability at the backup recovery site should be obtainable off-site
C. All the less critical jobs need not be recovered
D. In a multi-site environment, a separate set of recovery plans should be developed for each computer center

Answer: C. All the less critical jobs need not be recovered

Page 41: Question & Answer

Q Identify the item THAT demonstrates the ability of an organization to provide immediate, reliable and clear information during different types of disaster?

A. A comprehensive and written disaster recovery plan
B. A written plan with a well-organized table of contents and easy to follow instructions
C. A written plan that is approved by senior management and auditors
D. Drills and exercises

Answer: D. Drills and exercises

Page 42: Question & Answer

Q A hot site should be implemented as a recovery strategy when the:

A. Disaster tolerance is low
B. recovery point objective (RPO) is high
C. recovery time objective (RTO) is high
D. Disaster tolerance is high

Answer: A. Disaster tolerance is low

Page 43: Question & Answer

Q In which of the following situations is it MOST appropriate to implement data mirroring as the recovery strategy:

A. Disaster tolerance is high
B. Recovery time objective is high
C. Recovery point objective is low
D. Recovery point objective is high

Answer: C. Recovery point objective is low

Page 44: Question & Answer

Q There is a debate over how often a disaster recovery plan should be tested. The frequency of testing SHOULD depend on:

A. An auditor’s recommendation
B. The nature of data processing
C. Budget allowances
D. Management opinion

Answer: B. The nature of data processing

Page 45: Question & Answer

Q Which of the following statements about backups is true?

A. Backups are most important for mainframe computers
B. Lack of procedures is not a problem for conducting backups
C. Backups provide for continuity of operations
D. The type of data transfer does not matter for timely backups

Answer: C. Backups provide for continuity of operations

Page 46: Question & Answer

THANKS